Cyber tensions and cyberwar. China’s influence ops against Taiwan apparently backfire. Maze gang goes for doxing. SIM swapping. FBI promises FISA Court it will do better.
Dave Bittner: [00:00:00] Hey, everybody. Dave here. We here at the CyberWire are excited to announce our new subscription program, CyberWire Pro. That'll be coming out in early 2020. For those whose interests and responsibilities lead them to be concerned with cybersecurity, CyberWire Pro is an independent news service you can depend on to stay informed and to save you time. This offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. And you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about the CyberWire Pro release at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out.
Dave Bittner: [00:00:48] The FBI reiterates prudent consensus warnings about a heightened probability of cyberattacks from Iran. But so far, nothing beyond credential-spraying battlespace preparation has come to notice. The US Congress mulls the definition of act of war in cyberspace. Taiwan's president is reelected amid signs that Chinese influence operations backfired on Beijing. The Maze gang doxes a victim. SIM-swapping enters a new phase. And the FBI promises the FISA Court it will do better.
Dave Bittner: [00:01:25] And now a word from our sponsor, PrivacyGuard. By now, you might've heard of the scary stats of how many times identity theft happens and of data breaches happening to big companies - companies that you might've done business with. But PrivacyGuard members can have more peace of mind. PrivacyGuard takes privacy personal. Protecting your privacy means protecting the integrity of your name, your reputation and your identity. PrivacyGuard is a comprehensive, personalized privacy protection service that helps protect you from identity theft. PrivacyGuard's public and dark web scanning will keep an eye on your private information. Plus, with PrivacyGuard's 24/7 triple-bureau credit monitoring, you can be alerted if a certain change to your credit score occurs, which could be an indication of identity theft. Your identity and privacy belong to you. PrivacyGuard works to help keep it that way. To learn more, go to privacyguard.com. That's privacyguard.com. And we thank PrivacyGuard for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:57] Coming to you today on assignment in Seattle, Washington, I'm Dave Bittner with your CyberWire summary for Monday, January 13, 2020. The US FBI warned again of a heightened likelihood of Iranian cyberattacks, according to CyberScoop. The bureau points to increased reconnaissance and scanning but also notes sensibly that scanning from an Iranian IP address is not necessarily hostile nor necessarily an indicator of an attack. The bureau's warning is consistent with conventional wisdom. A Washington Post poll of security industry leaders reports the same concerns.
Dave Bittner: [00:03:34] Beyond last week's minor website defacement by sympathetic hacktivists, however, active attacks have yet to materialize. Forbes suggests that Iran is, for the moment, on the back foot. Protests in that country currently preoccupy its security forces, Reuters reports, with the immediate cause of the street demonstrations being the shootdown of Ukraine International Airlines Flight 752 on January 8, for which Tehran acknowledged responsibility Saturday. The shootdown appears to have been a case of mistaken identity. The protesters may have been fired on with lethal ammunition in addition to the riot gas Iranian authorities say they used, but it's best to regard some of the images coming from Tehran with caution. Such images have been altered in the past. For all that, it does seem clear that the Flight 752 shootdown has become a rallying point for widespread dissent.
Dave Bittner: [00:04:29] The most worrisome Iranian activity from the US point of view remains the password-spraying attempts against North American utility networks, on which Ars Technica has a brief update. The password-spraying campaign that the Magnallium group has conducted over the past year may seem noisy and indiscriminate, even sloppy, as researchers at security firm Dragos tell Ars Technica. But in this respect, nation-state hacking is more like the NFL than it is the college football polls. There are no style points. And the sort of work done by Magnallium is, indeed, a good way, Dragos said, quote, "to build up relatively quickly and cheaply multiple points of access that can be extended into follow-on activity at a point of their choosing," end quote. Microsoft and FireEye have tracked similar activity by Magnallium. It's worth noting again that Dragos, as a matter of company policy, doesn't attribute threat groups like Magnallium to specific nation-states. But the consensus is that Magnallium and allied groups are, indeed, working for Tehran and that they're up to more serious activity than was on display in last week's jejune hacktivist vandalism of lightly defended sites.
Dave Bittner: [00:05:40] The US Congress appears to be making heavy weather of rules of conflict in cyberspace. The Hill suggests that Congress is particularly concerned with determining what counts as an act of cyberwar. This question, indeed, doesn't have a clearly agreed-upon answer. Some hostile activity in cyberspace seems clearly to fall short of an act of war. Most intelligence collection, however unwelcome it may be, falls short, for example. Some have drawn a line at the production of physical damage. But again, such damage would have to be significant. Others draw the line at loss of life. But the answer remains unclear, and Congress is mulling this over.
Dave Bittner: [00:06:20] An eleventh-hour surge of Chinese propaganda and disinformation fell short of determining the results of Taiwan's presidential elections this Saturday. The New York Times reports that Tsai Ing-wen won reelection on the strength of support for continued independence, suggesting that Beijing's influence campaign may well have backfired. President Tsai's reelection has been considered a long shot as recently as a few months ago. It appears that the example of repression Beijing has offered to Hong Kong both dispelled thoughts that a one state, two systems arrangement might be possible. The mainland has not given up on recovering what it continues to regard as a breakaway province and has reacted to the election results with warnings that reunification is inevitable.
Dave Bittner: [00:07:06] Malwarebytes has found that a legitimate site collecting donations on behalf of relief efforts for those affected by Australia's brushfires has been infected with Magecart skimming software. The same script has also affected a large number of other e-commerce sites.
Dave Bittner: [00:07:21] The Maze ransomware operators continue the new trend in which extortionists steal data before they encrypt it - the better to dox victims who decline to pay the ransom. Southwire, a Georgia metal manufacturer, not only declined to pay but brought a troublesome lawsuit against people it was able to connect to a Maze news site operated out of Ireland. The injunctions they obtained put a spoke in Maze's wheels briefly, but the hoods are back up and operating out of a Russian hacker forum where they've posted over 14 gigabytes of what they claim are files stolen from Southwire. The Maze gang puts it this way, in somewhat more idiomatic English than we used to see from the Shadow Brokers. Quote, "but now our website is back. But not only that. Because of Southwire actions, we will now start sharing their private information with you. This only 10% of their information, and we will publish the next 10% of the information each week until they agree to negotiate. Use this information in any nefarious ways that you want," end quote.
Dave Bittner: [00:08:24] Bleeping Computer, which is willing to chat with these types, asked the gang for clarification and received only a reiteration of the initial post with this explanation - quote, "in retaliation, we have something more interesting," end quote. And here, they insert a smiling wink punctuational emoji to show they mean business, and then go on to say, "but retaliation doesn't come if they begin negotiate with us." They declined to elaborate on what counts as more interesting. Did we mention that our sympathies are entirely with Southwire? They are.
Dave Bittner: [00:08:59] SIM-swapping appears to have entered an escalatory phase. Motherboard reports that at least AT&T, T-Mobile and Sprint have been affected by recent RDP attacks that enabled hackers to SIM-swap individual users. Most cases of SIM-swapping had been accomplished by corrupting telco employees to do the swapping. This is different. It still depends on social engineering, but in this case, the employees are innocent dupes, not co-conspirators.
Dave Bittner: [00:09:28] And finally, the US FBI responded to the court overseeing the Foreign Intelligence Surveillance Act with a chastened acknowledgment that it needed to and henceforth would do better in handling requests it makes of the FISA Court to conduct surveillance of US citizens. The court had starchily requested an explanation of improprieties in the bureau's filings to wiretap Carter Page, a onetime adviser to then presidential candidate Trump. As The New York Times notes, the Justice Department's inspector general found that the FBI had cherry-picked and misstated evidence they submitted to secure the wiretap. The FISA Court was not pleased.
Dave Bittner: [00:10:12] And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business' security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single-sign-on password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics, such as fingerprint or face, deliver a passwordless login experience for your employees while securing every password and use through enterprise password management and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, visit lastpass.com. That's lastpass.com. And we thank LastPass for sponsoring our show.
Dave Bittner: [00:11:38] And joining me once again is Ben Yelin. He's the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security. He's also my co-host on the "Caveat" podcast, which if you have not yet checked out, what are you waiting for?
Ben Yelin: [00:11:51] Subscribe today.
Dave Bittner: [00:11:51] (Laughter) Ben, always great to have you back. This is an interesting story, I think, that caught both of our attention.
Ben Yelin: [00:12:00] Oh, yeah.
Dave Bittner: [00:12:00] This is from The Washington Post, written by Drew Harwell. This is "Colleges Are Turning Students' Phones Into Surveillance Machines, Tracking the Locations of Hundreds of Thousands." What's going on here?
Ben Yelin: [00:12:12] So this was a real eye-opener for me. So the opening anecdote is about this IT professor at Syracuse who has placed seven small Bluetooth beacons around the auditorium in which he teaches his class. And when students enter the auditorium, their phones ping those Bluetooth devices, and that's the way they register the attendance, and they can get extra credit for registering their attendance in that way. And then, of course, the stick to that carrot is if they're not there, then the professor is going to know because their phone hasn't pinged.
Ben Yelin: [00:12:43] And this gets to a broader trend in colleges across the country about tracking students through their smartphones, through their devices. There have been companies who have come up with systems in which the administration and various professors can track students' college experience - how often they're going to the library, whether they're missing meals at the dining hall, things that are somewhat personal. And when they talked in this article to school administrators, you know, school administrators would defend this type of surveillance by saying this is to protect the integrity of our student body. It's to identify students who are potentially at risk and not...
Dave Bittner: [00:13:26] At risk of what?
Ben Yelin: [00:13:28] So if they're, you know, never coming out of their dorm, you could potentially identify anxiety, depression and potentially...
Dave Bittner: [00:13:33] OK.
Ben Yelin: [00:13:34] ...You know, suicide.
Dave Bittner: [00:13:35] Right.
Ben Yelin: [00:13:36] If they're not showing up at the dining hall, you know, and that's the only food option, you know, that's something that could be eye-opening to an administrator or his or her parents. If they're getting failing grades and they're not showing up to class and not showing up to the library to study, then that's certainly eye-opening as well. So you can understand why, you know, from an administrator's perspective and even from a, you know, perhaps overbearing parent's perspective, this could be useful. The reason it sticks out to me is if this gets broader, if this goes beyond the limited number of universities mentioned in this article, kids are not going be able to be kids at college just because everything is going to be tracked. And, you know, I just think you have to weigh the benefits of being able to identify risk among students with, you know, the chilling effect this would have on kids being able to learn proactively, to sort of be themselves, discover themselves. So I think you have to take all of that into consideration.
Dave Bittner: [00:14:39] Yeah. I can imagine - I remember a friend of mine - one of my roommates, actually, in college - was a vocal music major. So he was a singer. And as part of that, he had private one-on-one voice lessons in the music department. And he'd had a late night out. And he'd canceled his class, his one-on-one voice lessons. And he happened to be standing in the lobby of the music building and mentioned to one of his friends, oh, my gosh, I'm so exhausted. I was out late drinking last night. You know, I just overdid it - and looked over his shoulder. And there was his professor.
Ben Yelin: [00:15:15] Yes.
Dave Bittner: [00:15:17] Right. The cat was out of the bag - looking down upon him. He revealed, you know, the true reason why he wasn't able to go to his lesson. I tell that story because I wonder now, could that professor look up, you know - hey, Joey, you know, you weren't in your dorm last night until 2 a.m. Where were you? And you weren't in the library - you know, that sort of thing.
Ben Yelin: [00:15:42] Yeah. I mean, I think that's an absolute danger. One thing that particularly is concerning about this is it's generally not an option for students as to whether to comply because they might have to download these applications to enroll in certain classes. And that's, you know, this anecdote that started at Syracuse University. That's the case there. It's a requirement of attending the course. So, you know, it'd be one thing if you were able to opt out, although even then, the act of opting out of the surveillance could perhaps itself be seen as sort of suspicious...
Dave Bittner: [00:16:13] Right.
Ben Yelin: [00:16:14] ...And increasing a person's risk.
Dave Bittner: [00:16:15] And you wouldn't be - for example, couldn't use the university's Wi-Fi, which is a...
Ben Yelin: [00:16:20] Yeah, you're going to want to use that.
Dave Bittner: [00:16:21] Yeah.
Ben Yelin: [00:16:21] Yeah.
Dave Bittner: [00:16:21] Yeah.
Ben Yelin: [00:16:22] You know, especially if you want to do schoolwork on campus. It doesn't allow people to make the type of mistakes that we have all made in college if you take this tracking to its logical conclusion. And it - you know, I think as somebody who's quoted in this article says, it just kind of pervades a powerlessness on behalf of students - that they don't really have much agency. They're constantly being watched. And it - just the surveillance itself sort of implies that students can't be trusted to actually show up and do their work, which probably has, you know, an impact on the students themselves. I will say another interesting element about this is it was created - the application that they reference here was created for tracking student athletes. And you realize why this was the concern. The person who developed the app was a college basketball coach. And for eligibility reasons and, you know, all other sorts of reasons...
Dave Bittner: [00:17:18] Right.
Ben Yelin: [00:17:19] ...For coaches to know that their players are attending classes.
Dave Bittner: [00:17:21] They have a lot at stake with a - there's a big investment the university has made in a student athlete, potentially.
Ben Yelin: [00:17:27] Exactly.
Dave Bittner: [00:17:28] Yeah.
Ben Yelin: [00:17:28] Exactly. So, you know, I can understand it in that context of - I would say the same risk factors apply, you know? We're not letting the athletes take responsibility for their own lives. And instead, we're deciding to monitor them. But I can certainly understand when the school has invested so much in the student.
Dave Bittner: [00:17:46] You know, two things about this - one, it strikes me that this is a case of, just because we can doesn't mean we should.
Ben Yelin: [00:17:53] Absolutely. Yeah, this is probably the best case of that that...
Dave Bittner: [00:17:55] Yeah.
Ben Yelin: [00:17:56] ...We've talked about.
Dave Bittner: [00:17:57] And the other one is that I'm really resisting the urge to say, back in my day, we didn't...
Ben Yelin: [00:18:02] Walked barefoot up and down the hill...
Dave Bittner: [00:18:04] (Laughter) That's right.
Ben Yelin: [00:18:04] ...In the snow to my class.
Dave Bittner: [00:18:06] That's right - in the pre-internet days of college, back when things were awesome and we did what we wanted to, and our parents had no idea.
Ben Yelin: [00:18:16] Yeah, exactly.
Dave Bittner: [00:18:17] (Laughter).
Ben Yelin: [00:18:17] And, you know, I could legitimately tell my parents I was in the library to 2 a.m. last...
Dave Bittner: [00:18:21] Right.
Ben Yelin: [00:18:22] ...Night when I was playing "Mario Kart," you know...
Dave Bittner: [00:18:24] Yeah.
Ben Yelin: [00:18:25] ...In my dorm room. And you know what? Like, people end up having very successful lives, even when not going to the library till 2 in the morning.
Dave Bittner: [00:18:34] Right.
Ben Yelin: [00:18:34] And so to use that, you know, to identify a risk score for a student at a college just strikes me as something that should give us some pause. But you know, I do think this was a fascinating article. It's something that we're going to have to track because it said in the article it's logged something like 1.5 pings from student devices across the country at over 40 separate schools. So it's getting more and more prevalent. The application is called SpotterEDU. Yeah, this is certainly a story I think you and I are going to be following in the future.
Dave Bittner: [00:19:08] Yeah. Well, it's from The Washington Post. It's titled "Colleges Are Turning Students' Phones Into Surveillance Machines, Tracking the Locations of Hundreds of Thousands." Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:18] Thank you.
Dave Bittner: [00:19:23] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:19:30] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company the leading insider threat management platform. Learn more at observeit.com
Dave Bittner: [00:19:41] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.