Clearview AI's client list leaks.
Clearview AI, a controversial company that scrapes billions of images from the internet and uses facial recognition to match people to their photos, disclosed that an intruder had gained access to its entire list of clients, the Daily Beast reports. The data that were accessed included the number of user accounts each customer had, as well as how many searches each of them had carried out. The company said the intruder didn't access clients' search histories, which Mashable points out could have had much more serious implications.
On Thursday, BuzzFeed published details gleaned from leaked internal company documents which showed that Clearview's clients include about 2,900 organizations across twenty-seven countries. While the company maintains that it only works with law enforcement, a number of private companies appeared in its list of customers, including Macy's, Kohl's, Walmart, and the NBA. Some of these companies and law enforcement agencies were apparently unaware that their employees had used the app, and most of them only used free trials. Home Depot, for example, appears in Clearview's logs as having conducted nearly one hundred searches from five accounts, but the company told BuzzFeed it didn't use the service. Likewise, the Raleigh Police Department in North Carolina suspended its contract with Clearview and prohibited its officers from using the app after the company declined to allow a full audit, but Raleigh police officers continued making use of the app by way of free trials.
One of Clearview's attorneys, Tor Ekeland, told BuzzFeed that "[t]here are numerous inaccuracies in this illegally obtained information. As there is an ongoing Federal investigation, we have no further comment." Responding to queries about the data breach, Ekeland told the Daily Beast in a statement, "Security is Clearview's top priority. Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security."
South Carolina's Democratic primary is underway.
The next primary election in the US is South Carolina’s, which is being held today. The voting there, unlike the Democratic caucus in Iowa, will be run by state election officials, and not by the political parties themselves. The Washington Post reports that state officials are confident that everything will go well, quoting the State Election Commission’s director of public information Chris Whitmire as saying, "It’s not just apples and oranges, it's apples and something else comparing a state-run primary to a caucus." According to the Post, both the state election commission and the state's Democratic party are monitoring social media for disinformation, and they "have a hotline set up to Facebook, Twitter and other social media companies if they spot anything wrong." South Carolina Democratic Party chair Trav Robertson said the party has a "room full of millennials" to assist with finding posts that share false information.
The primary will use touch-screen voting machines that produce a paper ballot, and traditional paper ballots are on hand in case anything goes wrong with the machines. Politico notes that these voting machines are thought to be more secure than their paperless counterparts, but security experts say a simple paper ballot would still be ideal. The machines print a piece of paper indicating the voter's selection, both as text and as a barcode. This piece of paper is used as the official ballot, and the vote tabulators will scan the barcode to count the votes. The concern is that the machines could theoretically be hacked to print a different candidate's barcode without altering the text. During a recount, the barcodes could be checked against the text, but a hacker could technically alter the text as well. In this case, the change would only be detected if the voters themselves checked their ballots before handing them in (and Politico points out that many people fail to do this).
Whitmire told Politico that the state has already taken these risks into account, and voters are specifically told to verify that their paper ballots are accurate.
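As an added example (not code from the original report or from any election vendor), here is the two-level check the paragraphs above describe, written in Python: a recount-style comparison of the printed text against the selection the barcode would be counted as, and a voter-verification comparison, which is the only one that catches a printout where both the text and the barcode were altered. The contest name, candidate codes, barcode format and sample ballots are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed candidate-code table for a single contest; real ballot-marking-device formats differ.
CONTEST = "CONTEST01"
CANDIDATE_CODES = {"C01": "Alice Example", "C02": "Bob Sample", "C03": "Carol Placeholder"}


@dataclass
class Ballot:
    ballot_id: str
    printed_text: str      # human-readable selection the voter can check
    barcode_payload: str   # machine-readable selection the tabulator counts, e.g. "CONTEST01:C02"


def decode_barcode(payload: str) -> Optional[str]:
    """Return the candidate the tabulator would count from the barcode, or None if unreadable."""
    contest, sep, code = payload.partition(":")
    if not sep or contest != CONTEST:
        return None
    return CANDIDATE_CODES.get(code)


def reconcile_text_and_barcode(ballots: List[Ballot]) -> List[Tuple[str, str]]:
    """Recount-style check: flag ballots whose text and barcode disagree (catches barcode-only tampering)."""
    findings = []
    for b in ballots:
        counted = decode_barcode(b.barcode_payload)
        if counted is None:
            findings.append((b.ballot_id, "unreadable or unknown barcode"))
        elif counted != b.printed_text:
            findings.append((b.ballot_id, f"text {b.printed_text!r} vs barcode {counted!r}"))
    return findings


def reconcile_with_voter(ballots: List[Ballot], voter_choices: Dict[str, str]) -> List[Tuple[str, str]]:
    """Voter-verification check: flag ballots whose counted selection differs from the voter's intent.
    voter_choices maps ballot_id -> candidate the voter confirmed before casting; this is the only
    check that detects a machine altering both the text and the barcode."""
    findings = []
    for b in ballots:
        counted = decode_barcode(b.barcode_payload)
        intended = voter_choices.get(b.ballot_id)
        if counted != intended:
            findings.append((b.ballot_id, f"voter intended {intended!r}, counted {counted!r}"))
    return findings


# Constructed printouts: honest, barcode-only tampering, and text-and-barcode both altered.
SAMPLE_BALLOTS = [
    Ballot("B-001", "Alice Example", "CONTEST01:C01"),
    Ballot("B-002", "Alice Example", "CONTEST01:C02"),   # barcode swapped, text intact
    Ballot("B-003", "Bob Sample", "CONTEST01:C02"),      # voter chose Alice; both fields altered
]
SAMPLE_VOTER_CHOICES = {"B-001": "Alice Example", "B-002": "Alice Example", "B-003": "Alice Example"}
```

Running both checks over the constructed ballots shows the gap the article points out: the recount-style check flags only B-002, while only the voter-verification check also flags B-003.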
Ryuk attack led to pipeline shutdown.
The US Coast Guard confirmed to Energywire that the ransomware attack against a gas compression station described by CISA last week was the same event the Coast Guard warned about in December. A Coast Guard spokesperson told the publication that "[t]he Coast Guard and CISA reports cover different perspectives of the same Ryuk ransomware attack. The Coast Guard issued its safety alert from the maritime perspective and CISA's focused on the energy sector." Dragos suspected as much based on the information in the CISA alert.
FireEye believes this represents a broader trend among ransomware operators. In a blog post published Monday, the company noted that LockerGoga, MegaCortex, Maze, and SNAKEHOSE (known to other companies as EKANS or SNAKE) are all deploying a very similar list of processes to kill. This list contains some OT-related processes among more than a thousand IT-related processes, and it seems that all of these ransomware strains obtained the list from the same unknown source. FireEye notes that even if the list is a result of "the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems." The researchers expect this trend to continue, since ransomware operators naturally seek to disrupt the most critical processes they can find.
Iran-linked groups carry on with espionage.
Dell Secureworks says Iranian government-linked threat actors continued conducting their normal cyberespionage activities before and after Quds Force commander Major General Soleimani was killed in a US drone strike. The researchers believe a group they track as COBALT ULSTER (also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten) carried out several spearphishing campaigns between mid-2019 and mid-January 2020 which targeted "governmental organizations in Turkey, Jordan, Iraq, as well as global intergovernmental organizations and unknown entities in Georgia and Azerbaijan."
The researchers conclude that this activity is typical for nation-state hacking groups, so organizations shouldn't "conflate ongoing espionage operations with a retaliatory response." They also note, however, that a cyber retaliation for Soleimani's death may still be in the works.
Chrome update disarms AZORult.
Researchers at KELA say the Genesis Store, a leading cybercrime marketplace, suffers from crippling supply chain troubles after an update to Chrome 80 earlier this month hamstrung the AZORult information-stealing malware. KELA found that about 90% of Genesis's stolen browser data comes from AZORult users, even though the malware is no longer being maintained by its developers.
On February 4th, Chrome and other Chromium-based browsers began storing locally saved passwords in a different format using AES-256 encryption. Since AZORult isn't coded to retrieve data in this format and probably won't receive any more updates, the malware is now essentially ineffective against Chromium browsers. ZDNet doesn't believe Genesis will suffer long-term effects since other malware strains have already adapted to the Chrome update, but AZORult's time in the sun appears to have ended.
Satellite cybersecurity is an increasing concern.
An essay in Undark argues that commercial satellites are distressingly vulnerable to supply-chain-based attacks. William Akoto believes that in the absence of regulation, companies will cut costs and rush production, increasing the likelihood of introducing vulnerabilities into their products. He concludes that "Given the traditionally slow pace of congressional action, a multi-stakeholder approach involving public-private cooperation may be warranted to ensure cybersecurity standards."
Google has patched a vulnerability in Chrome that was being exploited in the wild, Threatpost notes. The flaw is a type-confusion vulnerability (CVE-2020-6418), but further details are being held back until a majority of users have applied the patch.
Crime and punishment.
Reuters reports that Julian Assange's lawyer Mark Summers on Tuesday attempted to counter the notion that his client's publication of classified material put lives at risk. Summers told Woolwich Crown Court in London that Mr. Assange tried to contact the White House and then-Secretary-of-State Hillary Clinton just before the material obtained from then-US-army-specialist Bradley Manning became public. The State Department, according to Summers, told Assange to call back "in a couple of hours."
A Ukrainian citizen who worked for Microsoft was convicted of eighteen Federal felonies after stealing $10 million in digital currency from Microsoft's online sales platform, GeekWire reports. The man created test accounts on the platform and gave himself gift cards, which he then sold online. He'll be sentenced in US District Court on June 1st.
Vice notes that the Philippines has issued a warrant for the arrest of 8chan founder Frederick Brennan after 8chan's current owner, Jim Watkins, sued Brennan for cyber libel, which is a criminal offense in the Philippines. Brennan had posted tweets suggesting that Watkins was senile. Both men live in the Philippines, but Brennan is currently in the US. It's worth mentioning, as the Verge points out, that Brennan turned against the widely reviled site after multiple mass shooters posted their manifestos on it.
Indiana's supreme court ruled that a suspected meth dealer can't be charged with theft for removing an unmarked GPS tracker that the police had covertly stuck to his car, Naked Security reports. The police obtained warrants to search the suspect's home and his father's barn for the device after it stopped transmitting the suspect's location, and there they found drugs and a handgun along with the missing GPS tracker. This evidence must now be suppressed, however, since the initial search warrant was deemed invalid. Chief Justice Loretta Rush stated that "To find a fair probability of unauthorized control here, we would need to conclude that Hoosiers don’t have the authority to remove unknown, unmarked objects from their personal vehicles."
ZDNet reports that a police department in Stuart, Florida lost evidence against six suspected drug dealers due to a ransomware attack, forcing the police to drop the cases.
Courts and torts.
Reuters reports that the US Federal Communications Commission plans to propose fines totaling $200 million for AT&T, Sprint, T-Mobile, and Verizon over the telecom companies' sale of customer location data to third parties. Reuters doesn't specify the amount of the fine each company could face, but says T-Mobile is looking at the largest fine.
Policies, procurements, and agency equities.
Motherboard, via a Freedom of Information Act request, obtained some redacted documents from US Cyber Command which outline the rationale behind the agency's decisions to publicly disclose malware samples used by adversary nation states. One of the documents states that "sharing such information will continue as part of the command's overall Persistent Engagement Strategy. Posting malware to [VirusTotal] and Tweeting to bring attention and awareness supports this strategy by putting pressure on malicious cyber actors, disrupting their efforts while supporting the National Defense and Department of Defense Cyber strategies to strengthen partnerships." Other partially redacted sections indicate that the strategy is meant to help cybersecurity companies quickly detect the malware samples with antivirus products to increase attrition in adversaries' hacking operations, and to improve the accuracy of attribution when the private sector tracks nation-state hacking campaigns.
CrowdStrike co-founder Dmitri Alperovitch said at RSAC 2020 that the US government's strategy of indicting Chinese government hackers seems to be working. Alperovitch pointed out that the threat actors associated with China's Ministry of State Security (including Comment Panda, Stone Panda, and Gothic Panda) each appeared to have ceased activity following an indictment by the US Justice Department. He acknowledged that the actors may have retooled and resurfaced as new groups, but he noted that Chinese APTs seem to be affected by indictments in a way that Russian, Iranian, and North Korean groups are not.
The European Union joined the US, the UK, Australia, and Georgia in condemning the coordinated cyberattacks launched against Georgian websites last October, Eurasia Review reports. In a press release, High Representative of the European Union for Foreign Affairs and Security Policy Josep Borrell stated that "We are concerned about the increase of irresponsible and destabilising behaviour in cyberspace and will continue to address the challenges that cyberspace poses both internally as well as to our foreign and security policy."
The European Union is also considering applying cyber sanctions to groups linked to China and Russia, according to the South China Morning Post.
The Washington Post looks at sentiment in the US Justice Department and concludes Justice "has essentially given up hope" of convincing tech companies to voluntarily come up with ways to give law enforcement access to encrypted data. The Department may now seek legislation to compel such access.
The New York Times believes that the Justice Department Inspector General's criticism of 2016’s Operation Crossfire Hurricane makes it likely that the Foreign Intelligence Surveillance Act will be significantly revised when key provisions expire in mid-March.
Fortunes of commerce.
Huawei remains open to exclusively licensing 5G technology to a single US firm to create an American competitor, CNBC reports. Huawei's CEO Ren Zhengfei told CNBC in September 2019 that the company was willing to license its source code, hardware, software, and manufacturing knowledge to a US company, saying that "After getting a license, they will be able to take our technology to compete with markets around the world."
Facebook has cancelled its major F8 developer conference over coronavirus concerns, CNET reports.
Congressional staff speaking at RSAC 2020 said the Senate Committee on Homeland Security and Governmental Affairs is looking for legislation that could streamline the government's hiring process for cybersecurity-related jobs, Nextgov reports.
Cisco is beginning a new round of layoffs, the Wall Street Journal reports. The company didn't say how many jobs would be cut or which areas would be impacted.
Mergers and acquisitions.
McAfee is acquiring Catonsville, Maryland-based browser isolation provider Light Point Security. The terms of the deal weren't disclosed.
Emirati telecommunications provider Etisalat has acquired Help AG, a cybersecurity company that was founded in Germany in 1995 and moved its headquarters to Dubai in 2018, according to Gulf Business.
Investments and exits.
Atlanta, Georgia-based privacy management software provider OneTrust has raised $210 million in a Series B round led by Coatue and Insight Partners. The company received $200 million in Series A funding in July 2019, and the new funding brings its valuation to $2.7 billion.
San Jose, California-based network monitoring company cPacket Networks received $15 million in funding from Morgan Stanley Expansion Capital.
And security innovation.
San Jose, California-based privacy compliance automation company SECURITI.ai was named the winner of the RSAC Innovation Sandbox, Infosecurity Magazine reports. Master of ceremonies Dr. Hugh Thompson called this year's field "maybe the strongest we've ever seen." The other nine finalists were San Francisco-based security management and compliance company AppOmni, Palo Alto-based code security startup BluBracket, San Francisco-based employee risk management firm Elevate Security, Pennsylvania-based cybersecurity automation company ForAllSecure, Maryland-based phishing prevention company Inky, Newport Beach, California-based cloud identity protection provider Obsidian Security, San Francisco-based application security management company Sqreen, Fremont, California-based formjacking prevention provider Tala Security, and Israeli code security company Vulcan Cyber.
For more business news, check out this week's CyberWire Pro Business Briefing, newly available for subscribers.