Britain decides to let Huawei into its 5G infrastructure, just a little bit, anyway. Citizen Lab reports on its investigation of Saudi use of Pegasus spyware against journalists. Avast is again collecting user data and sharing anonymized data with a subsidiary for sale to business customers. Some Data Privacy Day thoughts on agreeing to terms and conditions, with reflections on the first systematic look at End User License Agreements, found in the final chapter of Plato’s Republic. Joe Carrigan from JHU ISI on evolving ransomware business models. Guest is Dr. Christopher Pierson from BLACKCLOAK with insights on the alleged Bezos phone hack and the vulnerabilities of high-profile individuals.
Dave Bittner: [00:00:04] Britain decides to let Huawei into its 5G infrastructure - just a little bit, anyway. Citizen Lab reports on its investigation of Saudi use of Pegasus spyware against journalists. Avast is again collecting user data and sharing anonymized data with a subsidiary for sale to business customers. Some Data Privacy Day thoughts on agreeing to terms and conditions, with reflections on the first systematic look at end-user license agreements found in the final chapter of Plato's "Republic."
Dave Bittner: [00:00:40] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email. And every day, you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:06] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 28, 2020.
Dave Bittner: [00:02:14] Computing reports that the British government has reached a compromise on Huawei - let the vendor in to 5G's noncore peripheral parts, but no farther. It seems to be an attempt to thread the needle between the telecom industry, which wants inexpensive, reliable kit and the ability to deploy 5G infrastructure quickly, and, on the other hand, security hawks in the U.K. and among the U.K.'s Five Eyes alliance, especially the U.S. and Australia. How satisfactory all parties will find the compromise and how effectively the British government will be able to vet hardware and segment its infrastructure remains to be seen.
Dave Bittner: [00:02:53] The University of Toronto's Citizen Lab reports its conclusions that a New York Times journalist, Ben Hubbard, was hit with Pegasus spyware in June of 2018. The vector was a text message that contained a hyperlink to a site associated with a Pegasus operator Citizen Lab calls KINGDOM and which the lab says is connected to Saudi Arabia. Other KINGDOM targets included Saudi dissidents and an Amnesty International staffer. The SMS message the journalist received included a link that represented itself as a story of interest in Arab News with the title "Ben Hubbard and the Story of the Saudi Royal Family." At the time, the domain used, arabnews365[.]com, was part of the Pegasus infrastructure used by the KINGDOM operators.
Dave Bittner: [00:03:42] The report attracts interest, coming as it does amid the ongoing discussion of investigation of the alleged, circumstantially supported installation of some form of spyware on an iPhone X belonging to Amazon founder and Washington Post owner Jeff Bezos. But Citizen Lab says it sees no overlap between the incidents it's reporting and the incident involving Bezos' phone. It does see the incident as representing a disturbing pattern in which authoritarian states use lawful intercept tools for surveillance of journalists in particular but also for surveillance of dissidents.
Dave Bittner: [00:04:19] The story of Jeff Bezos' iPhone possibly being compromised is still developing, so we checked in with Dr. Christopher Pierson, CEO of BlackCloak, a firm that specializes in the online protection of high-profile and high-value individuals, for some perspective.
Christopher Pierson: [00:04:36] I think we're at a point in time where we still don't know enough information, quite honestly. There's some indication that they may have been passed on from one person to one person to media outlets and inappropriately shared or leaked. And there are other indications of huge amounts of data being exfiltrated from a device from the most recent forensic report that we've all looked at. Probably both of them are true to some extent.
Christopher Pierson: [00:05:02] But, you know, there are a lot of questions there. I don't know that the forensic report has answered everything in terms of - right? - didn't have full and complete unfettered access to the device and the encryption key and all the materials on there. So it's really, unfortunately, incomplete. And I think there is a lot more that needs to be uncovered in terms of things that were forwarded and may have been shared inappropriately. But I think all of those are still in play before we can have a full and complete picture of what actually, really happened and led to the leaks.
Dave Bittner: [00:05:32] Now, this sort of thing is well within your lane, you and your team at BlackCloak, who - you're in the business of protecting high-value targets like this. Is there any sense for even just the basic plausibility of this? There's speculation that perhaps he clicked on a link and that enabled them - you know, the bad guys to have access to his phone. Are these things even plausible?
Christopher Pierson: [00:05:56] Absolutely. I mean, as you know, that's all we protect is high-profile, high-net-worth individuals. There are so-called, quote-unquote, "intercept tools" that are available to intelligence agencies globally that are meant for surveillance, meant for purposes that are good - right? - not meant for evil purposes. But those always (unintelligible) in the minds of the persons that hold and possess and wield that power. So it is absolutely 100% possible and has happened that countries, intelligence agencies behind countries, are able to go ahead and surveil - target and surveil individuals through these intercept tools. And in some cases, you have to click; in other cases, you actually don't. You literally don't have to do anything. And there is no device that is impenetrable to these types of tools. They all exist based off of zero day exploits and other very deep-knowledge type of exploits of the devices.
Dave Bittner: [00:06:55] Now, when you're going about protecting someone like this, if someone in a high-value situation, you know, a high-profile person - is this a matter of a defense in depth approach where I'm thinking that, you know, perhaps there could have been some detection that the data was being exfiltrated and detecting that stream? I mean, what sort of things do you put in place to protect someone who may be a target like this?
Christopher Pierson: [00:07:25] Yeah, that's a great question. A lot of this starts on the front end in terms of education, advice and guidance, concierge assistance, questioning. All of this starts there with a - should you bring your mobile device, essentially your entire life, your digital life, your computer with you to places that may be more apt to surveil you on those devices, take those devices while they're in your hotel room and implant technology that would be invisible for you to be able to see or find onto those devices? You know, what types of preparations do you have there? So there's - a big part of this is kind of the preflight, if you will. What do you do beforehand - education and training - to decrease the attack service?
Christopher Pierson: [00:08:06] And then it really comes down to - right? - basics of protection. But it's not just protecting the device. You have to go ahead - I mean, BlackCloak's tagline is protect your digital life. And it kind of rings true here. It's not one thing that you need to do. You have to protect the whole digital life. That means protecting, you know, not just one individual, but the family around them, the family unit around them, their home, all their devices, their online accounts, changing methodology in terms of using passwords saves, dual-factor authentication. It's the whole package.
Dave Bittner: [00:08:35] How much does this trickle down to folks like you and me? Is - I imagine that a lot of people out there who might think, well, a person like Jeff Bezos, sure, he's a target, but this probably isn't something that I need to worry about.
Christopher Pierson: [00:08:48] Every single person, in some form or fashion, that is connected the internet is a target. If you're not patching your devices, these are automated scanners. They don't need to figure out what information you have and hold. All you have to do is encrypt it and ask for ransom. If you pay, then they know that it was worth the amount of money that they were requesting in terms of that information. So cybercrime is really indiscriminate in a lot of cases.
Christopher Pierson: [00:09:10] But for those persons that are in the high net worth, high profile, high visibility - you know, politicians, sports stars, celebrities. I think we had a number of teams, NFL teams and, I think, players that were even attacked last night in terms of Twitter accounts being taken over. I mean, look; these people are in the news. They're in the know. They're high-profile. They need better and different protection. But everyone - right? - is going to be a target for cybercrime these days and needs to take those basic precautions on their devices and in their digital lives as well.
Dave Bittner: [00:09:43] That's Dr. Christopher Pierson from BlackCloak.
Dave Bittner: [00:09:47] A joint inquiry by Motherboard and PCMag disclosed that marketing intelligence firm Jumpshot was selling anonymized user data to companies who found it valuable for various marketing purposes. The Prague-based security firm Avast owns a majority stake in Jumpshot. Motherboard and PCMag concluded that Avast's free antivirus software collects data on behalf of Jumpshot, which then provided the information to its customers.
Dave Bittner: [00:10:15] There are a range of marketing and business intelligence use cases for anonymized histories of users' internet browsing. Avast explained one of them to Forbes back in December - quote, "typical customers would be, for example, investors who would be interested in how online companies are doing in terms of their new campaigns," end quote. The sales pitch Motherboard writes was every search, every click, every buy on every site. Some very large companies bought data from Jumpshot, among them, according to Motherboard, Home Depot, Google, Microsoft, Pepsi and McKinsey.
Dave Bittner: [00:10:50] Some, perhaps most, users are unaware that their data are being sold. They were given the opportunity to opt in to such collection, although it's unclear how obvious the scope of the collection was to them. It's notoriously difficult to get consent to collection that retrospectively looks like informed consent once stories like this come to light. Although the data Avast collected were anonymized before Jumpshot passed them to its own customers, those data are also sufficiently rich to offer some prospect of deanonymization. In any case, it's a bad look for the company, whose browser extensions were removed from Mozilla, Google and Opera stores in December over similar data collection. Avast stopped collecting via extensions, Motherboard reported last month, but the company appears to have shifted to collecting via its antivirus software. Avast is seeking to make a fresh start, offering users of its product a chance to opt out of the collection, but some remain unmollified. PCMag writes that U.S. Senator Warner, Democrat of Virginia, has asked the Federal Trade Commission to increase enforcement actions against such sale of customer data.
Dave Bittner: [00:12:01] As it happens, these stories come up on Data Privacy Day, or as they call it across the pond, Data Protection Day. And we wish you the joy of the season, of course, but suggest that you consider what role we may have as individuals in protecting our own data. Ordinary cyber hygiene, of course, is important. And we won't spend much time on that today. It might be worth thinking again about the importance of reading privacy policies before you just click through them. Yeah, we know - blah, blah, blah, blah, blah. Sure, now take me to those saucy videos you promised, the stock tips and the apps that will keep me young forever.
Dave Bittner: [00:12:35] USA Today observes Data Privacy Day by pointing out that you and me, too, friends, are all too ready to do just that. Deloitte found in 2017 that more than 90% of users don't really bother reading the fine print, which always, always, always taketh away. And a more recent experiment by proprivacy.com says it's even worse. They asked internet users to take a survey as part of a market research study, and they offered a $1 reward. The survey asked those who took it to agree to the terms and conditions, and then it tracked how many people actually clicked through to read them. Of the hundred people in the study, only 19 actually clicked over to the terms and conditions page. And of those 19, apparently only one of them read the lengthy text closely enough to realize that among other things, accepting the terms would give their mom access to their browser history and would give the survey takers the right to name the participant's first-born child and would give drone access to the airspace over their house. Or maybe the other 18 did notice, but they were just cool with the matriarchal audits, crowdsourced child naming and domestic Open Skies policies. Bear these results in mind when you think about Avast's data collection. And if you're in the business of writing privacy policies, consider striving for clarity. You've got to reach a pretty inattentive audience. But it may be worth it.
Dave Bittner: [00:14:01] But if you won't believe USA Today, maybe you'll believe Plato, whose Republic ends with an account of the biggest EULA of them all, where souls between lives get to choose the life they'd lead next. The greedy and the hasty don't look beyond the first benefit and choose, for example, to become tyrants able to gratify every avaricious and lustful impulse, but don't read far enough to notice that they're also choosing to commit crimes that will merit hideous punishment in the next round of the afterlife. The one soul who took its time and read the whole thing, the soul of Odysseus, chose a quiet, peaceful life and left well-satisfied. Being flogged around the Aegean for twenty years by vengeful gods will help you wise up – or nowadays, so will getting all those emails from your app's friends and partners just on those topics your app thinks you'll find interesting. So happy Data Privacy Day.
Dave Bittner: [00:15:00] And now a word from our sponsor, PlexTrac. PlexTrac is the purple teaming platform that enables red teams to report security issues and blue teams to remediate them through a single web-based interface. PlexTrac offers public, private cloud and on-premise deployment options. You can learn more and request a demo at plextrac.com/demo. That's plextrac.com/demo. And we thank PlexTrac for sponsoring our show.
Dave Bittner: [00:15:40] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: [00:15:48] Hi, Dave.
Dave Bittner: [00:15:49] We wanted to discuss today some interesting evolutions...
Joe Carrigan: [00:15:53] Yes.
Dave Bittner: [00:15:54] ...That we're tracking when it comes to ransomware and the business models that the scammers are using.
Joe Carrigan: [00:16:02] Right. I'm fascinated by the business models and the economics of the underground economy.
Dave Bittner: [00:16:06] Yeah, take us through what you're tracking here.
Joe Carrigan: [00:16:08] So a couple months ago, you and I talked. And there was the speculation that there was going to be ransomware coupled with blackmail for releasing documents, right? And I said that that wasn't going to be a successful business model.
Dave Bittner: [00:16:23] OK.
Joe Carrigan: [00:16:23] Right?
Dave Bittner: [00:16:23] Because?
Joe Carrigan: [00:16:24] Because the model I envisioned was you get your files encrypted and stolen, right? But you don't know they've been stolen. You just know they've been encrypted.
Dave Bittner: [00:16:33] Yeah.
Joe Carrigan: [00:16:33] So you pay the ransom for having them decrypted, right?
Dave Bittner: [00:16:37] Right.
Joe Carrigan: [00:16:37] Which is valuable to you.
Dave Bittner: [00:16:38] Right.
Joe Carrigan: [00:16:38] And then the criminals come back. And they say, OK, well, now we're going to release the documents if you don't give us more money, right? At that point in time, I said that nobody's going to agree to that because there's really nothing that stops them from asking you for more money over and over and over again, right? But what has happened is they are now essentially giving you the two-for-one option, right? They've increased the incentive. So now, when you get your files encrypted, the ransomware notice or the ransomware negotiation says, also, if you don't pay the ransom, we will release your files.
Dave Bittner: [00:17:13] Yeah.
Joe Carrigan: [00:17:13] Right? That changes the value proposition dramatically, right? Now I get two benefits from paying the ransom. So if my files get encrypted and the person says, I won't release them if you pay the ransom, I won't make them public if you pay the ransom, then the incentive for me is to pay the ransom has gone up while the cost has remained the same.
Dave Bittner: [00:17:36] It also seems to me like, at the outset, that they're putting a little more pressure on you because...
Joe Carrigan: [00:17:41] Right.
Dave Bittner: [00:17:41] ...Not - it's the time issue of not only getting your files back, which...
Joe Carrigan: [00:17:47] Right.
Dave Bittner: [00:17:47] ...You could say, well, hey, you know, no problem. I've got good backups.
Joe Carrigan: [00:17:51] Yep.
Dave Bittner: [00:17:51] So go pound sand.
Joe Carrigan: [00:17:53] Right.
Dave Bittner: [00:17:53] But if they say, oh, no, no, no - that's great that you have your adorable backups. But we're going to start releasing these files publicly.
Joe Carrigan: [00:18:01] Right.
Dave Bittner: [00:18:02] And that would - you'd hate to have that happen.
Joe Carrigan: [00:18:03] Yes. And you can decrypt in place, which will be a lot faster than restoring from backups as well - right? - theoretically. My point still stands though, I think, that if - let's say that I scam you out of - or I lock up your files and steal them.
Dave Bittner: [00:18:17] Yeah.
Joe Carrigan: [00:18:17] And I say, Dave, it's a hundred dollars for you to decrypt them. And if you don't decrypt, them, I'm going to release them to the public. So you say, OK, Joe, here's a hundred dollars.
Dave Bittner: [00:18:25] Yeah.
Joe Carrigan: [00:18:25] Right? And I decrypt them. And I don't release them. Then I say, Dave, I need another hundred dollars or I'm going go ahead and release them. And you said, hey, we had a deal, right?
Dave Bittner: [00:18:32] Yeah.
Joe Carrigan: [00:18:33] And I said, well, the deal's changed. What's your...
Dave Bittner: [00:18:35] I'm altering the deal.
Joe Carrigan: [00:18:36] Right. What's your - I'm altering...
Joe Carrigan: [00:18:39] Got to get that "Star Wars" reference in, right?
Dave Bittner: [00:18:40] Yeah, yeah.
Joe Carrigan: [00:18:42] So the incentive for you to pay that second ransom demand is a lot lower because if you pay me - let's say you give me another hundred dollars. There's nothing to stop me from coming back in another week and going, you know what? In order to keep these files secret, I'm just going to need a hundred dollars from you on a weekly basis.
Dave Bittner: [00:18:56] Yeah.
Joe Carrigan: [00:18:57] Right?
Dave Bittner: [00:18:57] Yeah.
Joe Carrigan: [00:18:57] And at that point in time, the value - it's the law of diminishing return takes over.
Dave Bittner: [00:19:02] But don't you think that some of the - that the threat of having things released publicly would be compelling to some people?
Joe Carrigan: [00:19:09] Yeah, that's correct. It really depends on the contents of the material, right? But there's nothing to stop somebody from, first off, telling you that they haven't released the information and then on the back end selling it to somebody else, right? You have no control over the data anymore.
Dave Bittner: [00:19:26] Right.
Joe Carrigan: [00:19:26] Right? It's much like the Snowden leaks. This data is now public domain.
Dave Bittner: [00:19:32] Yeah.
Joe Carrigan: [00:19:32] It's out there. And there's nothing you can do to stop it.
Dave Bittner: [00:19:35] Right. So I guess it's a matter of cutting your losses...
Joe Carrigan: [00:19:38] Right.
Dave Bittner: [00:19:39] ...And not getting into a sunk cost fallacy, that sort of thing.
Joe Carrigan: [00:19:42] Exactly.
Dave Bittner: [00:19:43] Yeah.
Joe Carrigan: [00:19:43] Exactly.
Dave Bittner: [00:19:44] Yeah. All right. Well, boy, these things continue to evolve, don't they?
Joe Carrigan: [00:19:50] Dave, it's going to get worse. That's my prediction.
Dave Bittner: [00:19:54] (Laughter) And on that sunny note, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:57] My pleasure.
Dave Bittner: [00:20:02] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:20:08] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:20] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.
PlexTrac is the Purple Teaming Platform that enables Red Teams to report security issues and Blue Teams to remediate them through a single web-based interface. PlexTrac offers public/private cloud and on premise deployment options. To learn more, visit plextrac.com.