Caution in the Play store. EU power consortium’s business systems hacked. Cablegate--a look back. Schulte trial ends in minor convictions, but a hung jury on major counts. The cyber underworld.
Dave Bittner: [00:00:04] Google removes from the Play Store an app nominally designed to track COVID-19 infections. An EU power distribution consortium says its business systems were hacked. An assessment of Cablegate has been declassified. Ex-CIA employee Schulte's trial for disclosing classified information ends in a hung jury. The alleged proprietor of a criminal market is arrested. Crooks hack rival crooks. More U.S. primaries are held today. And a case of identity theft in North Carolina.
Dave Bittner: [00:00:40] And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:01:51] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 10, 2020.
Dave Bittner: [00:02:00] Google has removed an app, AC19, from the Play Store. Developed on behalf of the Iranian government and deployed in Tehran, AC19 is described as an app that tracks COVID-19 coronavirus infections. Four things made Google skittish about AC19. First, it collects user geolocation data. Second, it was developed by Smart Land Strategy. Third, its description appeared to claim that it could test people for COVID-19, which, of course, is impossible for a simple Android app to do. And fourth, it has to do with the coronavirus, and there's been so much misinformation and disinformation disseminated on that topic that Google is wary of anything purporting to have to do with COVID-19.
Dave Bittner: [00:02:45] Smart Land Strategy has, indeed, been involved in creating other apps for the Iranian government, notably the Telegram clones Gold Telegram and Hotgram. Both of those were ejected from the Play Store last spring on the grounds that they were suspected of secretly collecting user information, apparently on behalf of Iranian intelligence and security services.
Dave Bittner: [00:03:06] But AC19 may be innocent, at least in general. ZDNet cites an ESET researcher to the effect that he found no signs of malicious activity on the app's part. It requests user location data in the same overt way many other innocent Android apps do. And, in any case, the location of an infected person is a reasonable bit of public health data. Some Iranian dissidents who asked to remain anonymous for their own safety did tell ZDNet that they thought Tehran was playing a long game here - get people to download a tracking app during a period of crisis that the users would be inclined to leave in place even after the crisis has passed. In the short run, however, it's not clear that AC19 is anything other than what it claims to be. The app is still available in third-party stores, but it won't test anyone for COVID-19 or anything else.
Dave Bittner: [00:03:58] The European Network of Transmission System Operators for Electricity - that's ENTSO-E - which coordinates European electrical power markets, disclosed that it suffered a successful cyber intrusion into its business systems. CyberScoop says power generation and distribution are unaffected by the incident. ENTSO-E's office network isn't connected to any operational or control system, and so, barring a successful pivot into an ENTSO-E member's control network, this should remain a business system compromise.
Dave Bittner: [00:04:30] The National Security Archive has released U.S. Cyber Command's declassified assessment of the damage done by the 2010 WikiLeaks publication of sensitive State Department cables. The National Security Archive summarizes the report as "suggesting that illegal release of classified State Department cables in 2010 led to a period in which the U.S. government was hindered in its ability to track the activities of at least one of the most sophisticated APTs operating on the geopolitical stage," end quote. Thus, the assessment by the fusion group assigned to investigate is that Cablegate, as it was called at the time, tipped off an adversary on how well the U.S. was able to monitor one of its cyber operational groups. The identity of that nation-state is redacted in the declassified material, but it's generally believed to have been China.
Dave Bittner: [00:05:22] The trial of former CIA employee Joshua Schulte on charges connected to WikiLeaks' Vault 7 ended in New York yesterday with convictions on the minor counts of perjury and contempt but with a hung jury on the eight far more serious charges of improperly disclosing classified information. The jurors could not agree that the government met its burden of proof, and presiding Judge Paul Crotty declared a mistrial. The Washington Post says the government will, in all likelihood, seek a retrial. A conference scheduled for March 26 is expected to outline the next steps.
Dave Bittner: [00:05:57] U.S. authorities have arrested Kirill Victorovich Firsov in charges related to his alleged operation of the Deer.io black market, ZDNet reports. The FBI picked up Mr. Firsov at New York's Kennedy Airport this past Saturday. He's charged with two counts relating to aiding and abetting fraud through the site, which has been in operation since 2013. The indictment affords an interesting look into the criminal economy. Deer.io sells access to storefronts on its platform, and those storefronts are generally used to offer the sort of wares criminal hackers sell - compromised or stolen credentials, personally identifiable material used for identity theft, hacking services and so on. On March 4, the FBI made a buy of about 1,100 gamer accounts from one of Deer.io's storefronts, confirmed their illegal provenance and so obtained their warrant. The bureau says it's found no legitimate businesses operating in Deer.io.
Dave Bittner: [00:06:58] The platform is hosted in Russia, which makes one wonder why Mr. Firsov was so incautious as to travel through JFK. A Deer.io admin believed to be Mr. Firsov explained the business to ZDNet back in 2016 - quote, "Deer.io works according to the laws of the Russian Federation. Our clients can create shops that do not violate the laws of the Russian Federation. We block shops that sell drugs or stolen bank accounts. We will also block any shop if requested by Roskomnadzor or the competent authorities of the Russian Federation," end quote.
Dave Bittner: [00:07:34] Elsewhere in the underworld, Cybereason researchers have observed criminals hacking criminals, infecting rivals' hacking tools with njRAT, leading many writing about the topic to return to the gods of the copybook headings and so remark that there is no honor among thieves.
Dave Bittner: [00:07:52] Threat intelligence firm Recorded Future recently published their list of top vulnerabilities they tracked in 2019. Kathleen Kuczma is a sales engineer at Recorded Future, and she joins us with their findings.
Kathleen Kuczma: [00:08:05] This report was first created five years ago, so this is the fifth annual version of the annual top exploited vulnerability report. And it was first created because there is the gap between which vulnerabilities are listed as critical versus which ones are actually actively being exploited on the dark web and on underground forums. And based on Recorded Future's collection in those areas, Recorded Future thought that we can shed some light and help security practitioners know exactly which vulnerabilities they should patch based on weaponization.
Dave Bittner: [00:08:41] Well, take us through some of the key findings here. What were some of the insights that you were able to bring to the table?
Kathleen Kuczma: [00:08:47] Some of the key findings of this year's report is that for a third straight year, Microsoft was the technology most impacted by these vulnerabilities. So 8 of the top 10 exploited vulnerabilities were impacting Microsoft products, similar to 2018's report. And there are a few different reasons why Microsoft itself might be a bigger target. One of those is because of how prolific Microsoft products still are throughout a variety of enterprise and government employers, whether that's federal, state or local governments. So Microsoft still continues to be a large target for these cybercriminals.
Dave Bittner: [00:09:29] Were there any particular surprises that came out of this year's version of the report, anything that bubbled up that you didn't expect?
Kathleen Kuczma: [00:09:36] One of the biggest surprises of this year's report compared to other years is that there was a large number of vulnerabilities that were repeated from the prior year. This goes hand in hand with there only being one vulnerability from the 2019 calendar year that was exploited enough to be included in the top 10. And this was surprising because in past years, we've typically had at least three or four vulnerabilities from that particular calendar year included. And I believe - or Recorded Future believes one of the main reasons why there were so many repeated vulnerabilities is because of the number of new exploit kits continues to dwindle. So because of the number of exploit kits continuing to decrease, there are less reasons to include new vulnerabilities in those exploit kits, and this has helped contribute - at least why Recorded Future thinks that there are not as many 2019 vulnerabilities included in that top exploited category.
Dave Bittner: [00:10:40] What are your recommendations based on the information you gathered here? What are you suggesting people do to help protect themselves?
Kathleen Kuczma: [00:10:48] One of the main things that people and companies can do to protect themselves from these vulnerabilities is to enable automated patching whenever possible. There are many researchers across Microsoft and Adobe as well who are working on what are those vulnerabilities that are new and helping them with the patching cycle - so enabling automated patching whenever possible. But then, for those vulnerabilities that, say, can't be automatically patched or there's a reason they can't be, maybe because of the technology itself that the automated patch would be impacting, that's when using threat intelligence to learn of these vulnerabilities that are left, which ones are the most weaponized. These are the ones that we should impact and are the ones that we should patch. That's where threat intelligence can come in and help prioritize those critical vulnerabilities that patching teams cannot keep up with.
Dave Bittner: [00:11:47] That's Kathleen Kuczma from Recorded Future.
Dave Bittner: [00:11:51] Another test of U.S. election security comes today as five states - Idaho, Michigan, Mississippi, Missouri and Washington - hold primaries and one - North Dakota - holds a firehouse caucus. NBC has a summary as well as an explanation of what a firehouse caucus is. It's more like a primary than the sort of caucus recently held with dismal effect in Iowa. People go to a polling place, like maybe the local firehouse, to vote, but the voting is run by the political party and not by state and local election officials.
Dave Bittner: [00:12:24] Finally, to return to crime, a poor guy in North Carolina had his identity stolen by an unknown creep who used it to create a PayPal account and use it to subscribe to a database of leaked personal information, which the unknown creep then used to pretend to be country singer Kenny Chesney. The false Chesney then contacted various women in the hope of luring them into sending him - or perhaps her - racy photographs. What success the creep had is unclear from the Daily Beast's account, but the arbitrariness of the initial identity theft is unsettling. The victim was initially a person of interest to the FBI, which confiscated his devices for two weeks before returning them upon realizing that they had the wrong guy. The victim, an innocent math teacher, told the Beast that, quote, "it could've been anyone who got my information from an envelope or anybody who ever had my name and address," end quote. And that is just creepy.
Dave Bittner: [00:13:29] It's time to take a moment to tell you about our sponsor Recorded Future. They help security teams make more confident decisions faster. Recorded Future's technology automates broad collection and analysis of cyberthreat data and delivers the rich external context you need to understand alerts and emerging threats. With real-time threat intelligence from Recorded Future, security teams respond to threats 63% faster and find undetected threats 10 times quicker. Recorded Future integrates with the security products you already use, making the intelligence you need accessible and relevant. Use it to improve your security operations, incident response, vulnerability management and more. If you're facing challenges like the cybersecurity skills shortage or more alerts than your team can handle, consider Recorded Future threat intelligence. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And it's on the money. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:14:39] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast. Ben, great to have you back.
Ben Yelin: [00:14:48] Good to be back with you, Dave.
Dave Bittner: [00:14:49] We have been following with great interest the ongoing saga of Clearview AI, the company that scraped, by many counts, billions of images from the web. And this story just keeps on getting more and more interesting. What's the latest here?
Ben Yelin: [00:15:06] So we found out - and I'm reading this from a Daily Beast article, but it was really all over the internet - that this facial recognition company, Clearview AI, suffered a very significant data breach, which exposed its entire client list. And there were, like all data breaches - you know, maybe compare this to Ashley Madison. This is not necessarily a client list that you want to be a part of. It included many local police departments, state police, Department of Homeland Security, et cetera. You know, we don't really have any information as to who perpetuated the attack. The company is saying that security is, of course, their top priority.
Dave Bittner: [00:15:44] Of course.
Ben Yelin: [00:15:45] Data patches are part of life. Servers warrant access. They patch the flaw, et cetera, et cetera. But it comes at a very perilous time for Clearview AI. They were the subject of this recent expose by The New York Times, which reported that they're scraping 3 billion images from the internet from most popular social media sites.
Dave Bittner: [00:16:07] Right.
Ben Yelin: [00:16:07] And, you know, we talked about that article. There were some follow-up articles. There were interviews with the founder of Clearview AI. And this just sort of adds on to this very difficult period and will certainly bring more bad publicity not just for suffering the breach but from having the list of clients come out.
Dave Bittner: [00:16:26] I've seen some follow-up on this story saying that, sort of as you say, some of the agencies who may be doing business with Clearview aren't very happy that their names are out there.
Ben Yelin: [00:16:40] Yeah. I mean, it's bad timing for them, too, because we're still sort of in the early stages of this controversy. I mean, most people didn't know that Clearview AI had existed. Even people who are, you know, up to date on these types of issues didn't know that this company had existed until a couple of months ago. And, you know, I think it's not only bad publicity, you know, for the private companies that contract with them; it could be bad for the bottom line.
Dave Bittner: [00:17:04] Right.
Ben Yelin: [00:17:04] But, you know, for police departments that have wrought relationships with particular communities, you know, it might be eye-opening to their constituents to see that they are contracting with a company that's been publicly revealed to be scraping images from the internet and using that technology to identify criminal suspects. So, you know, from these organizations that have been breached, from their perspective, I can see why this is so frustrating that, you know, they're going to have to - the same bad publicity that's coming the way of Clearview AI is going to come to them because they are one of the clients.
Dave Bittner: [00:17:39] So at a moment when Clearview already has a spotlight shining bright on them, this really doesn't help their case.
Ben Yelin: [00:17:47] It certainly does not. And, you know, this is exactly the development that Clearview didn't want to happen for a couple of reasons. One, you know, as a company that is scraping this information, you don't want anything to call into question your security and privacy practices as a company. And I think that's why a spokesman for the company was so quick to try to mitigate public relations damage here. I think they would be particularly sensitive to the fact that their data - whatever data was breached, and here, it's just a client list - that there are vulnerabilities because, as we know, you know, when you have 3 billion images, it's only a matter of time. If somebody is able to infiltrate your client list, they might be able to get ahold of some of those images.
Dave Bittner: [00:18:29] Yeah.
Ben Yelin: [00:18:30] So certainly, it's something that should deeply concern Clearview AI. I sort of noticed just in the general social media community there was, like, a schadenfreude, you know, because Clearview AI had exposed private images of so many people. And now, you know, there's sort of been comeuppance now...
Dave Bittner: [00:18:49] Right.
Ben Yelin: [00:18:49] ...That some of their information...
Dave Bittner: [00:18:50] Right.
Ben Yelin: [00:18:50] ...Has been stolen...
Dave Bittner: [00:18:51] Turnabout is fair play, yeah.
Ben Yelin: [00:18:52] ...Which I can certainly understand that perspective.
Dave Bittner: [00:18:55] Yeah. All right. Well, as we said at the outset, their saga continues, and I suppose there's more to come.
Ben Yelin: [00:19:01] I'm sure we'll be talking about Clearview AI into perpetuity.
Dave Bittner: [00:19:05] (Laughter) All right. Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:07] Thank you.
Dave Bittner: [00:19:13] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too.
Dave Bittner: [00:19:23] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:34] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.