In today's podcast we follow the progress of anti-banking DDoS hacktivism Operation Icarus. The Panama Papers are released in the form of a searchable database. Some apparently big compromises look a bit recycled. Victims' willingness to pay keeps the ransomware black market primed. Investor disappointment depresses security company valuations. We talk with the University of Maryland's Ben Yelin about how law lags technological advance, and GCHQ says don't be too quick to change passwords.
Dave Bittner: [00:00:03:10] Operation Icarus spreads to banks outside the Greek-speaking world. The Panama Papers are about to be released. Last week's big email compromise appears to have been less than met the eye. Willingness to pay keeps the ransomware criminal market strong. Last week's results give investors in cyber security companies a case of cold feet. And wait, GCHQ says, "don't be so fast to change your passwords."
Dave Bittner: [00:00:29:03] This CyberWire podcast is brought to you by Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyses the entire web, to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at recordedfuture.com/intel.
Dave Bittner: [00:00:52:19] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 9th, 2016.
Dave Bittner: [00:00:58:09] Anonymous persists with its colleagues in Ghost Squad with Operation Icarus. The campaign to punish the world financial system for what the hacktivists describe as "crimes against humanity" began in Greece, then hit Cyprus, and now has moved up the Adriatic to Bosnia, out to the English Channel, to a Central American beachhead in Panama, and into Africa by way of Kenya. The hacktivists' principal tool continues to be denial of service.
Dave Bittner: [00:01:24:14] The International Consortium of Investigative Journalists, the ICIJ, which has been accumulating and leaking the Panama Papers to the Süddeutsche Zeitung and other outlets, has made a searchable database of those papers available online this afternoon. Personal information, thought potentially valuable to criminals, or unduly injurious to individuals' privacy, will be redacted or otherwise rendered inaccessible, the ICIJ says.
Dave Bittner: [00:01:51:04] The Panama Papers were obtained by someone using the pseudonym, John Doe, whose manifesto appears on the ICIJ site. John Doe's identity is unknown, at least to the wider world, and is being protected in the interest of John Doe's safety. His manifesto includes a call for transparency wrapped in familiar, progressive tropes about capitalism's shortcomings. Transparency has indeed found some resonance among policy elites. 300 of what The Telegraph calls "the world's most senior economists," hailing from some 30 countries, have signed a letter to world leaders decrying tax havens as serving "no economic purpose."
Dave Bittner: [00:02:28:12] The full database was revealed at 2:00 pm Eastern Daylight Time today. We expect a massive denial of service condition to begin around 1:45, and so it apparently has. We hope the ICIJ has signed up for a lot of surge bandwidth. We'll follow up tomorrow.
Dave Bittner: [00:02:43:17] The industry press has settled down over last week's splashy announcement of 270 million plus email credentials up for sale on the black market. What Hold Security said from the outset has sunk in: this wasn't one big data breach but a collection of a number of old leaks pulled together by a Russian malchick who wanted a buck and a little social media love. So, no need to hop to it and change all your passwords ASAP, but one good reminder does emerge from the sound and fury: if you reuse the same password everywhere, it would probably be a good idea to stop.
Dave Bittner: [00:03:16:12] Although pushed out of the headlines a bit by DDoS and doxxing, ransomware and other forms of online extortion continue to threaten internet users. A Kaspersky study points out the agility of ransomware with 2,896 new variants observed during the first quarter of 2016. This represents a rise of about 14% over the previous quarter. Willingness to pay appears to have made a powerful contribution to the rise of this criminal market.
Dave Bittner: [00:03:42:15] The cyber war against ISIS has been noteworthy recently for the openness with which the US has discussed its operations and objectives. But it turned coy late Friday as Colonel Steve Warren, spokesman for Operation Inherent Resolve, the overarching name for US action against ISIS, took to Reddit with an Ask Me Anything session. He was asked about cyber operations, and the answer he gave was a riff on the old Fight Club movie: "The first rule of cyber operations? We never talk about cyber operations. The second rule of cyber operations? Never talk about cyber operations."
Dave Bittner: [00:04:16:14] In an apparent move to distance itself from suspicion of collaboration with security agencies, Twitter has told Dataminr, the social media analytics startup in which Twitter holds a 5% stake, to stop making its near real time social media data available to the US Intelligence Community.
Dave Bittner: [00:04:33:16] This arm's-length relationship is likely to continue at least until the relevant law is more settled. We spoke with the University of Maryland's Ben Yelin about how law tends to lag technology. We'll hear from him after the break.
Dave Bittner: [00:04:46:06] Last week's results reported from the security sector disappointed investors, and sector bellwethers FireEye, Imperva and CyberArk share prices took a corresponding hit. Analysts wait to see whether this represents a temporary setback, a correction or a secular trend.
Dave Bittner: [00:05:01:18] Finally, if you were among the many who changed your password in haste last week because of the malchick's sale of 270 million miscellaneous email credentials and stuff, maybe you did so prematurely. Over in the UK, GCHQ's Communications Electronics Security Group pointed out that changing passwords can have a downside: "It's one of those counterintuitive security scenarios, the more often users are forced to change passwords the greater the overall vulnerability to attack," the agency said. "Most password policies insist that we have to keep changing them, and when forced to change one the chances are that the new password will be similar to the old one, attackers can exploit this. New passwords are also more likely to be forgotten, and this carries the productivity cost of users being locked out. CESG now recommends that organizations do not force regular password expiry."
Dave Bittner: [00:05:53:17] So there you have it. And Russia Today republished CESG's advice with approval. But wait a minute, a British intelligence service and a PR arm of the Russian government agree on password advice? As one of our friends in a tinfoil hat tells us, "of course they do."
Dave Bittner: [00:06:14:05] This CyberWire podcast is brought to you by Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyses the entire web to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at recordedfuture.com/intel.
Dave Bittner: [00:06:39:14] Benjamin Yelin is a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security, one of our academic and research partners. Ben, when it comes to our privacy and our digital devices, I think it's interesting to note that our mobile devices have a different status than other things we might be carrying on our person.
Benjamin Yelin: [00:06:56:21] Yes it does. So there was this landmark Supreme Court case a couple of years ago, Riley v. California, in which the police incident to arrest tried to search the digital contents of Mr. Riley's cell phone, and the Supreme Court held that you cannot have a warrantless search and seizure of the digital contents of a cell phone during an arrest. So this is different than, say, a knife that you have on your body, that can be used as evidence because it was part of a search incident to arrest. I think this goes to the broader point that the Supreme Court is struggling with how to adapt to new technology. I think they have recognized, in this case and in other cases, that, because of how much information is on our cell phone, how much personal information is on our cell phone, there is a reason to have enhanced privacy protections under the Constitution; it's not just a physical device that's in our pocket, it's a device that has private and revealing information about us. So, unless there was some sort of razor blade attached to the cell phone, it's not something that can be seized as something that was searched incident to an arrest.
Dave Bittner: [00:08:06:14] What can the government compel me to do? Can they make me reveal my password? Can they make me reveal where a particular file is located on my PC?
Benjamin Yelin: [00:08:15:08] Sure. They can compel you to do that, but they do have to get a warrant, which means that they need some sort of probable cause that you're committing a crime. That is different than searches or seizures of physical items that can be taken from you even if you're stopped, say, for having a defective brake light or for speeding in traffic, so it is a heightened standard. If you are committing a crime and the government does have probable cause that you're committing a crime they probably will be able to compel you to unlock your phone, to reveal information on your phone, but it is a heightened standard.
Dave Bittner: [00:08:52:11] Ben Yelin, thanks for joining us. And if you have any questions for Ben or any of our academic and research partners you can send them in to firstname.lastname@example.org.
Dave Bittner: [00:09:04:03] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make The CyberWire possible. If you'd like to place your product, service or solution in front of people who want it, you'll find few better places to do that than The CyberWire. Visit thecyberwire.com/sponsors to find out how to sponsor our podcast or daily news brief. The CyberWire is produced by Pratt Street Media, the editor is John Petrik, I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.