The CyberWire Daily Podcast 1.22.20
Ep 1008 | 1.22.20

The UN takes up a case of spyware; it’s linked to an extrajudicial killing. Glenn Greenwald indicted on hacking charges in Brazil. NetWire and StarsLord are back.


Dave Bittner: [00:00:04] U.N. rapporteurs say that the Saudi crown prince was probably involved in the installation of spyware on Amazon founder Jeff Bezos' personal phone. Brazilian prosecutors have indicted Glenn Greenwald, co-founder of The Intercept, on hacking charges. IBM describes a renewed NetWire campaign. And Microsoft says Starslord is back, too. And in cyberspace, there's nothing new on the U.S.-Iranian front. 

Dave Bittner: [00:00:38]  And now a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking the time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. But don't panic. The good folks at KnowBe4 have an exclusive webinar, where you can find out why data backups, even offline backups, won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to and learn more about this exclusive webinar. That's And we thank KnowBe4 for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 22, 2020. 

Dave Bittner: [00:02:14]  Two investigations dominate today's news. The first involves the compromise of a phone, the second the indictment of a journalist. 

Dave Bittner: [00:02:23]  To take up the phone compromise first, Amazon chief and Washington Post owner Jeff Bezos is reported to have had his phone hacked in May of 2018 by Saudi operators. The Guardian reports that Mr. Bezos' phone was compromised after contact with Saudi Crown Prince Mohammed bin Salman. The hacking took place some five months before the killing of Jamal Khashoggi on October 2, 2018. Mr. Khashoggi had been a critic of the Saudi government and a columnist for the Post. The crown prince is widely suspected of involvement with the killing, with sources as varied as the U.S. special rapporteur on extrajudicial killings and the U.S. Central Intelligence Agency reaching that conclusion. The special rapporteur announced the conclusion publicly last summer. The CIA's conclusion hasn't been formally announced but has been widely reported. 

Dave Bittner: [00:03:16]  The details of the compromise in The Guardian's report are as follows. On May 1 of 2018, after an otherwise friendly chat session between the crown prince and Mr. Bezos, Mr. Bezos received a WhatsApp message from what appeared to be the crown prince's private account. That message carried a malware payload. Shortly after the installation of the payload, a large quantity of data were exfiltrated from Mr. Bezos' device. 

Dave Bittner: [00:03:42]  Where does the evidence come from? According to The Wall Street Journal, Mr. Bezos contracted with Washington-based FTI Consulting for a forensic audit of his phone. FTI concluded with medium to high confidence that data began leaving the device shortly after it received a video file from the WhatsApp account linked to the crown prince and that such data exfiltration continued for months. FTI Consulting would not comment on the story to the Journal, which cites a person familiar with the matter as its source. The Saudi Embassy in Washington tweeted that the hacking claims were absurd and has demanded an investigation so that all the facts may come out. An investigation is what the U.N. officials who apparently saw the FTI Consulting report wants, too. 

Dave Bittner: [00:04:28]  The Wall Street Journal reports this morning that the U.N.'s special rapporteurs on extrajudicial killings and freedom of expression this morning said, quote, "Mr. Bezos was subjected to intrusive surveillance via hacking of his phone as a result of actions attributable to the WhatsApp account used by Crown Prince Mohammed bin Salman," end quote. Those two officials were involved because of the circumstances of Khashoggi's killing and because of Khashoggi's work as a journalist. The rapporteurs go on to add that, quote, "a single photograph is texted to Mr. Bezos from the crown prince's WhatsApp account, along with a sardonic caption. It is an image of a woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly," end quote. The source of the kingdom's interest in Mr. Bezos is widely reported as stemming from his ownership of The Washington Post and the Post's employment of Mr. Khashoggi, who had been an irritant to Saudi authorities. 

Dave Bittner: [00:05:28]  One of the public passages in the ill-willed dispute between Bezos and the kingdom may be seen in Mr. Bezos' February 7, 2019, blog post entitled "No Thank You, Mr. Pecker," in which he explained his disinclination to accede to what he characterized as pressure from David Pecker, chief of the National Enquirer's corporate parent AMI, to call off Post investigations of the Khashoggi killing and other matters discreditable to the kingdom of Saudi Arabia. 

Dave Bittner: [00:05:56]  What the malicious payload on Mr. Bezos' phone actually was is unknown, but the rapporteurs speculate that it may have been NSO Group's intercept tool Pegasus. The grounds for this seem so far to be largely circumstantial, based on Pegasus' known performance and distribution, and by reports of it being distributed via WhatsApp. 

Dave Bittner: [00:06:17]  Cisco Duo recently released the latest version of their State of the Auth Report, which tracks how users are adopting modern authentication methods. Sean Frazier is advisory CISO for Federal at Cisco Duo. 

Sean Frazier: [00:06:31]  So I think the biggest things are there's an uptick in awareness and usage of multifactor. And I think that that's kind of due to a few different reasons. One is I think a lot of users in their personal lives are being required to use multifactor authentication. Now if you log in to a bank account or you log in to Facebook or eBay or pretty much everything - anything you use online, you're almost either required or strongly encouraged to use multifactor. So I think that's helping create more awareness, and certainly more awareness in the enterprise. 

Sean Frazier: [00:07:02]  And I think the enterprise side is kind of coming at it from that perspective as well. They're kind of saying, OK, for enterprise applications, we're going to require you to use multifactor for these things and not just allow you to use username and password. So we see the both of these things, from awareness to usage, trending up. So they're not quite doubled from last year, but they're pretty close. 

Dave Bittner: [00:07:22]  Yeah. Let's go through together what you all saw in terms of the types of multifactor that are most popular and how that's trending. What did you find there? 

Sean Frazier: [00:07:31]  So I think we still see the - one of the predominant methods of multifactor being SMS-based or, you know, kind of one-time passcode over an SMS channel. We started to see folks kind of move away from that for obvious reasons. If you look at kind of the NIST guidance around passwords and authentication, they actually have recommended people not use SMS-based authentication just because of the ability for someone to take control of that channel. 

Dave Bittner: [00:07:57]  Yeah. Let's dig into that. I mean, one of the things you highlight here in the report is the importance of your email account. 

Sean Frazier: [00:08:04]  Yeah, absolutely. I mean, that can - that tends to be the kind of the nucleus of everything that people do. If you - if you're doing, you know, a password reset or you're doing some kind of account reset, a lot of times, that's coming back to your email. That's, you know, that's going to be, you know, part and parcel with everything else you're doing in your email account. 

Sean Frazier: [00:08:20]  And if someone has hijacked your email account, which is not super simple but not a terribly difficult thing to do, they have access to everything. You know, they can go pretend to be you, you know, do a password reset, bypass the multifactor authentication, get that reset done to your email by just saying the fact that I - you know, I don't have that device anymore. I don't have that phone number anymore, so I need to, you know - and the banks want to - and other account holders or account creators want to be able to provide this ease of use to users in the self-service because it helps them, too. And by virtue of that, if you're not protecting the email account, you're wide open. 

Dave Bittner: [00:08:51]  Where do you suppose we're headed here? Are we getting to the point where users are willing to accept that multifactor is just part of the deal - that if you want to use some of these services, it's going to be required? 

Sean Frazier: [00:09:04]  I think so. I think more so, that will happen over time. Again, I think that, you know, we've lived in this password life for, you know, over 20 years. We've only really seen multifactor authentication become prevalent in our personal lives in the last couple of years. So it's really only been, like, the last - really, last - better last part of that. 

Sean Frazier: [00:09:21]  So I still think we have a couple more years to go before we've gotten to the point where it's widely accepted. I think, you know, part of that is us, meaning us software developers, developing things that are super easy to use, because, again, we don't want to add too much friction on top of what users have to do already. It's not going to be a silver bullet in the short term. But I think longer-term, I do see light at the end of the tunnel for actually getting away from the password life. 

Dave Bittner: [00:09:43]  That's Sean Frazier from Cisco Duo on their latest State of the Auth Report. 

Dave Bittner: [00:09:49]  Brazilian federal prosecutors on Tuesday unsealed charges against Glenn Greenwald, co-founder of The Intercept and best known for publishing Edward Snowden's leaks. The New York Times reports that Mr. Greenwald's role in publishing cellphone messages that embarrassed prosecutors and an anti-corruption task force is at issue. Prosecutors say that he played a clear role in facilitating the commission of a crime by being in contact with people who obtained the messages and recommended that they cover their tracks. Greenwald himself brackets his case with Julian Assange's and claims both indictments represent an attack on journalism. Few others see it this way. Mr. Assange is generally regarded as having worked actively to facilitate hacking, whereas Greenwald merely advised sources on how to remain anonymous. The Electronic Frontier Foundation, the ACLU and other observers have objected to the charges, which they see as a threat to legitimate journalism. Mr. Greenwald has been critical of the Brazilian government and is a controversial figure in that country. 

Dave Bittner: [00:10:53]  There have been some announcements with respect to new threats, or perhaps familiar threats now renewed. IBM's X-Force researchers have found a new phishing campaign that uses fake business emails that deliver variants of the NetWire remote access Trojan. NetWire first emerged in 2012. This particular campaign looks like the work of criminals out for financial gain. 

Dave Bittner: [00:11:16]  And there's another malware strain that's been around for some time - sLoad, also known as Starslord, not to be confused with the "Guardians of the Galaxy" hero. SLoad is a dropper, malware that can be used as the first stage in an attack to deliver further malicious code that actually accomplishes the criminals' goals - information theft, credential theft, theft, theft, or maybe even theft. Microsoft exposed the sLoad gang's methods last month, ZDNet reports, but the gang has adapted and is now busily using sLoad 2.0. 

Dave Bittner: [00:11:51]  And finally, we haven't forgotten the prospect of U.S.-Iranian conflict in cyberspace. Such concerns persist, as NPR and others have noted. But so far, the kittens haven't been yowling or the eagles screaming - at least not publicly. 

Dave Bittner: [00:12:10]  And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at That's And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:13:10]  And joining me once again is Ben Yelin. He is the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security. He is also my co-host on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: [00:13:23]  Thank you, Dave. 

Dave Bittner: [00:13:25]  We've got a fun privacy story here this week. This is a story from Motherboard, and the title is "This Secretive Surveillance Company is Selling Cops Cameras Hidden in Gravestones," written by Joseph Cox. What's going on here, Ben? 

Ben Yelin: [00:13:42]  I just - I can't get enough of this story. It's so good in so many ways. 

Dave Bittner: [00:13:47]  (Laughter) Yeah, OK. 

Ben Yelin: [00:13:47]  There is a surveillance vendor who works with many U.S. government agencies - all of your three-letter agencies... 

Dave Bittner: [00:13:53]  Right. 

Ben Yelin: [00:13:54]  ...FBI, DEA and ICE. 

Dave Bittner: [00:13:55]  OK. 

Ben Yelin: [00:13:56]  And they - there were marketing materials that were leaked to Vice and Motherboard indicating some of the spying capabilities that this company has. One of those spying capabilities was to put a hidden camera or a hidden recording device inside of a tombstone. Another one was a camera inside a baby car seat. And a third one was a surveillance device in a vacuum cleaner. All of these are beyond bizarre just because they're almost like - it almost seems like it was created from some sort of comedy bit and not for a legitimate surveillance purpose. 

Dave Bittner: [00:14:34]  Yeah. 

Ben Yelin: [00:14:35]  But to make it better, you couldn't make up a shadier-sounding group. Nothing against this Special Services Group, which is the vendor behind these products, but their logo is the floating eye in the pyramid logo... 

Dave Bittner: [00:14:49]  Oh (laughter). 

Ben Yelin: [00:14:49]  ...Which I don't know if you've seen - what was that movie where there was, like, a whole conspiracy about how the backside of our U.S. dollars... 

Dave Bittner: [00:14:58]  Yeah. 

Ben Yelin: [00:14:58]  ...Which contain that pyramid, were some sort of hidden signal for something? 

Dave Bittner: [00:15:01]  Right, right. 

Ben Yelin: [00:15:02]  It's escaping me at the moment. But the fact that they have these rather absurd surveillance devices in some of the most bizarre places imaginable, they have this name and they have this logo, it's just sort of the full package of... 

Dave Bittner: [00:15:18]  So this is... 

Ben Yelin: [00:15:19]  ...Surveillance insanity. 

Dave Bittner: [00:15:20]  This is tickling your funny bone from many different directions. 

Ben Yelin: [00:15:23]  It is. 

Dave Bittner: [00:15:23]  Yeah (laughter). 

Ben Yelin: [00:15:23]  Now, obviously, there's a serious side because... 

Dave Bittner: [00:15:25]  Yeah. 

Ben Yelin: [00:15:26]  ...Like many other secret recording devices, this is part of the pervasiveness of our surveillance state. 

Dave Bittner: [00:15:32]  OK. Let me play devil's advocate here because I guess... 

Ben Yelin: [00:15:36]  Good role to play. Now you're the lawyer. 

Dave Bittner: [00:15:38]  Yeah, and I don't know what to - yeah, playing devil's advocate in a cemetery. I don't know. But the first thing that came to mind for me in a situation like this is an episode of "The Sopranos," you know, right? You've got a bunch of mobsters, somebody who's been whacked. 

Ben Yelin: [00:15:54]  (Vocalizing). 

Dave Bittner: [00:15:55]  How are you going to surveil and see who was there and what they said? And, you know - I don't know - Johnny Dollar got dropped. So I could see this being a useful thing for law enforcement. It's going to blend in. Is it absurd? Yeah, but I guess - I mean, the history of surveillance and the FBI and the CIA is chock-full of clever ways in which to hide recording devices, so. 

Ben Yelin: [00:16:24]  Yeah. I think, actually, the position you present is entirely reasonable. 

Dave Bittner: [00:16:29]  Yeah. 

Ben Yelin: [00:16:29]  You know, I'm sure a lot of the places we've - law enforcement has placed recording devices probably seemed ridiculous when they were first proposed. The vendor is probably introducing this product in response to some sort of demand because there aren't a lot of people who go to cemeteries at night for legitimate reasons. It's probably a place where people gather to engage in illicit conduct. And there, you would have law enforcement justification for putting recording devices there. 

Ben Yelin: [00:16:59]  You can certainly think of a million different reasons why you'd want to have a recording device on a child's car seat... 

Dave Bittner: [00:17:05]  Yeah, yeah. 

Ben Yelin: [00:17:05]  ...Especially if you were engaged in some sort of tracking of a potential child predator or, you know, you had some individualized suspicion about a parent or something. I mean, you could certainly imagine what law enforcement's interests would be. It's just, you know, when you put it in the terms of they're putting recording devices in our gravestones, it just sounds like something that the crazy person on the street would make up as part of a - yeah... 

Dave Bittner: [00:17:28]  Right, right, right. Yeah. I see... 

Ben Yelin: [00:17:30]  ...A crazed rant, yeah. 

Dave Bittner: [00:17:32]  Well, I think, also, I think it speaks to that general creepiness of are there no spaces that are, in this case, literally sacred? 

Ben Yelin: [00:17:44]  Literally sacred, yeah. 

Dave Bittner: [00:17:45]  Yeah, yeah, yeah. 

Ben Yelin: [00:17:46]  Now, you know, I think our most sacred place is our home. Our home is our castle. Our next most sacred place probably would be our gravestone. It is our... 

Dave Bittner: [00:17:58]  Maybe a house of worship. 

Ben Yelin: [00:17:59]  A house of worship, which, certainly, surveillance has taken place within houses of worship. 

Dave Bittner: [00:18:04]  Right, right. 

Ben Yelin: [00:18:04]  I think that's a given. But, yeah, I mean, this is certainly up there on one of the places that we like to - that is sacred to us. 

Dave Bittner: [00:18:12]  Yeah. 

Ben Yelin: [00:18:12]  It's a place where people have a lot of private moments. 

Dave Bittner: [00:18:14]  Right. 

Ben Yelin: [00:18:15]  So even though there might be legitimate law enforcement purposes, I mean, imagine visiting Grandma's tombstone and somebody recording that very intimate, private moment when you're there and you're grieving. 

Dave Bittner: [00:18:26]  Yeah. 

Ben Yelin: [00:18:27]  You know, it's just - part of it is that the vendor here is just sort of hilariously cavalier about the whole thing. So they released part of their advertisements. And it's almost as if they're advertising, like, a smart refrigerator or something how enthusiastic they are about it. 

Dave Bittner: [00:18:44]  Right. 

Ben Yelin: [00:18:44]  Our newest video concealment offering, which has the ability to conduct remote surveillance operations from cemeteries. 

Dave Bittner: [00:18:50]  Yeah. So maybe a little tone-deaf... 

Ben Yelin: [00:18:53]  It is. 

Dave Bittner: [00:18:53]  ...By your estimation. 

Ben Yelin: [00:18:54]  The all-inclusive system can be deployed for approximately two days with the included battery, and it is fully portable and can be moved from location to location as necessary. Yeah, it's - it seems overly enthusiastic. 

Dave Bittner: [00:19:10]  Yeah. All right. Well, the article is titled "This Secretive Surveillance Company is Selling Cops Hidden Cameras in Gravestones." It's on Motherboard via Vice. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:22]  Thank you. 

Dave Bittner: [00:19:28]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at 

Dave Bittner: [00:19:34]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:46]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.