The CyberWire Daily Podcast 6.2.20
Ep 1100 | 6.2.20
Current forms of hacktivism, misinformation, and disinformation. More recommendations from the Cyberspace Solarium. Fraud accompanies Test and Trace.
Transcript

Dave Bittner: If you're interested in space and communication, such as technology, policy, business and operations, take a look at the Cosmic AES Signals & Space. Produced in partnership with the CyberWire, Signals & Space offers a monthly overview of news in this sector. Check it out at cosmicaes.com/tech-news. That's cosmicaes.com/tech-news. 

Dave Bittner: Unrest accompanied by misinformation, disinformation and Anonymous theater. Booter hacktivism. Extremist inauthenticity. The Cyberspace Solarium Commission releases its white paper on the pandemic's lessons for cybersecurity. Joe Carrigan unpacks Casio executing a DMCA takedown on a hardware hack. Our guest is Herb Stapleton from the FBI on the 20-year anniversary of the IC3. And the U.K.'s test and trace system is expected to be accompanied by a wave of fraud. Actually, that fraud has already begun. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 2, 2020. 

Dave Bittner: Unrest over the death by asphyxiation of George Floyd while he was in police custody continues, and it's attended online by various forms of hacktivism and influence operations. Minnesota's Governor Walz characterized the distributed denial-of-service attacks against state services as very sophisticated. The Hill quotes him as adding, quote, "that's not somebody sitting in their basement," end quote. But it very well could've been the work of proverbial basement dwellers. As StateScoop and others point out, distributed denial-of-service attacks are commodity attacks. They can be hired for less than $20. 

Dave Bittner: The state's CIO Tarek Tomes told Minnesota Public Radio that, quote, "these DDoS attacks are not new to us. We see DDoS attacks on a monthly basis, one to two that vary in frequency and capability," end quote. The rate of the attacks are unprecedented, he said. The attacks are a new form of protest, he said, and that they couldn't be attributed to any one single actor. There are commonly multiple actors, some domestic and some overseas. The state expects more DDoS over the coming days. 

Dave Bittner: Anonymous has also resurfaced during the Minnesota-centered unrest, although distinguishing the real Anonymous - insofar as an anarchist collective can be said to have a real enduring identity - is, as Motherboard notes, difficult. Anyone can claim to represent Anonymous. It's perhaps significant that a lot of the chatter nominally from Anonymous is amplified through K-pop social media fan accounts. Both the Washington Post and CyberScoop dismiss the claimed Anonymous operations as derivative fizzles, either an attempt to regain relevance or the work of wannabes and reenactors. 

Dave Bittner: Anonymous, or more precisely, people saying they're acting in the name of Anonymous, have for years overpromised and underdelivered. The videos posted in the name of Anonymous are appropriately menacing, but they seem to generally have been more cosplayer than superhero. So far, the material they claim to have stolen from police sites seems to be old, recycled stuff from publicly known breaches, much of it up on Have I Been Pwned. 

Dave Bittner: There's also inauthenticity in the chatter related to the unrest, some from foreign intelligence services and some from rival extremists flying false flags, NBC reports. Racial fissures in American society have long been favorite points of attack for foreign, especially Russian, disinformation campaigns. And while there have been calls from antifa urging the extremist group's followers to regard the National Guard as easy targets (again, as reported by Minnesota Public Radio) there have also been spoofed antifa messages attributed by Twitter to the white supremacist fringe group Identity Evropa. Thus, reprehensible dresses up as reprehensible. 

Dave Bittner: There has also been some fairly wild chatter about social media blackouts in, for example, Washington, DC. These have been easily debunked by reporters on the ground, but not before, as The Washington Post reports, much misinformation was tweeted under the hashtag #DCblackout. 

Dave Bittner: The FBI is celebrating 20 years of running their IC3, the Internet Crime Complaint Center. Time sure does fly when you're fighting bad guys. And joining us with reflections on this milestone is FBI cyber division sector chief Herb Stapleton. 

Herb Stapleton: Twenty years ago, you know, we're talking about the late '90s into the turn of the century - into the turn of the 21st century. And really, at that time, internet usage among consumers and the general public was really on the rise. Particularly, that was a time when email had really increased into sort of normal use throughout society. And so one of the things that arose in the context of this increased utilization of the internet for transacting both personal and professional business were internet frauds or scams, and they became quite prolific in the early 2000s. You know, they typically looked like what we would call advance-fee scams now, where someone, you know, sent an email to an unsuspecting victim, saying, if you send me, you know, X amount of dollars, you'll get a million dollars in return, which was, of course, a scam all along. So that was really the genesis of the IC3 were those - that propagation of internet frauds in the early 2000s as internet usage rose. 

Dave Bittner: And take us through, I mean, the past two decades. What's the evolution been like? How has the FBI adjusted to the changes we've seen in the adoption of, well, so many things shifting online? 

Herb Stapleton: Well, you know, the IC3 complaints are really a great record - historical record of how cybercrime has evolved over the years. You know, we've gone from those types of advance-fee scams or romance scams that we saw in the really early days of the IC3, but what we have seen evolve is more complex scams, more sophisticated scams or computer intrusions, like business email compromise, where a victim's email is actually taken over, or things like ransomware, you know, actual deliveries of malware. And all those things are captured in the complaints of the IC3 over the course of the years and have been, you know, the way that the FBI is able to get information from the public so that we can take action to try to protect the citizens of the US. 

Dave Bittner: So the IC3 has been around for 20 years. Do you have any thoughts on what the next 20 years might look like? What does the future hold for the Internet Crime Complaint Center? 

Herb Stapleton: Well, the Internet Crime Complaint Center, you know, has become, really, a cornerstone of the FBI's cyber investigative efforts. And so I think we'll continue to see it grow in importance. I think over the course of the next 20 years, what we'll see is just an increase in the kind of partnerships that the Internet Crime Complaint Center is engaged in and, you know, working more with private sector entities, working more with other government agencies as we all try to work together in a whole of society effort to combat cybercrime. I think the other thing is that I don't anticipate over the course of the next 20 years that there's going to be a reduction in cybercrime activity. I think we're going to continue to see high levels of complaints related to this type of criminal activity. And so as a result, the IC3 is going to continue to occupy a critical space within the FBI's cybercrime efforts. 

Dave Bittner: That's Herb Stapleton from the FBI. 

Dave Bittner: The US Cyberspace Solarium Commission this morning issued a white paper on lessons learned about cybersecurity from the COVID-19 pandemic. For the most part, those lessons reinforce the commission's policy recommendations, but they also see interesting analogies between a pandemic and a major cyberattack. They're both global crises that call for a whole of nation response. Both call for an environment that makes it possible for solutions to emerge. And in both cases, prevention and preestablished relationships are better than deterrence and response. 

Dave Bittner: In particular, the commissioners think establishment of a national cyber director is more clearly indicated than ever. They call upon Congress to send digitization grants to state, territorial, tribal and local governments and to do so as part of COVID-19 relief packages. They urge planning for continuity of the economy, and they repeat the recommendation that the nation work toward building societal resilience to disinformation. 

Dave Bittner: The solarium commissioners also include four new recommendations. First, they urge Congress to pass an Internet of Things security law. Second, they recommend increasing support to not-for-profit organizations that help law enforcement agencies' efforts to combat cybercrime and support victims. Third, they advocate establishing a Social Media Data and Threat Analysis Center. And finally, they urge increasing nongovernmental capacity to identify and counter foreign disinformation and influence campaigns. 

Dave Bittner: Speaking of the pandemic, it's continuing to provide the bait for phishing campaigns. In the UK, the NHS's Test and Trace system will soon be contacting people who may have been exposed to COVID-19 in an effort to forestall a second wave of infection. The National Health Service says that if you're called, you will not be asked to provide any passwords, bank account details or PIN numbers, nor will you be asked to download anything. But, Infosecurity Magazine points out, the Test and Trace callers may ask for a full name, date of birth, sex, NHS number, home postcode and house number, telephone number and email address. And that's a nice beginning for subsequent spearphishing and identity fraud, so people should expect the scams to begin. 

Dave Bittner: Since junk phone calls now seem to constitute about the same fraction of calls that junk mail does in your mailbox, it's not surprising to read in the Register that such attempts are already in progress. It's easy to spoof SMS and caller line identification, and you can't rely on those as indications that call is genuine. And links in an SMS message purporting to take you to a COVID-19 alert, follow them at your own peril. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story came by. This is covered by Gizmodo, among other places. And it's about a hardware hacker who had modified a Casio calculator and, in doing so, caught the attention of Casio, who put out a takedown notice. What's going on here, Joe? 

Joe Carrigan: Right. So this is actually from reclaimthenet.org. And Casio has filed a DMCA complaint, a Digital Millennium Copyright Act complaint, against the user who hacked their calculator to connect to the internet, OK? So basically, what they're alleging in the complaint is - there's actually an organization called REACT - R-E-A-C-T - that works for several large companies that goes out and finds copyright infringements and then contacts places where they think copyright infringements have happened. And they wrote to GitHub, which is where he was storing all of his code, and took the repository down. 

Dave Bittner: Yeah. 

Joe Carrigan: There's a link to his YouTube video. They have gotten a takedown notice for that video. You can't see the video anymore. But the Gizmodo article is still up, and the Gizmodo article's from earlier in May, and it talks about what this guy actually did. And what he did was he added a very small OLED display, which is just a nice-looking, cheap display that you can put in. He noticed that it was about the same size as the solar panel in the calculator. So he removed the solar panel, then he put in this OLED display. And then for a power source, he replaced the solar power with a battery. And then he added a - what's called an ESP8266 Wi-Fi module. Now, an ESP8266 is a very small microcontroller that's actually very powerful, and it has a full TCP/IP stack in it, right? And it also has a Wi-Fi connector or Wi-Fi circuits in it - Wi-Fi chip. So you can connect this device to the internet. It's like an Internet of Things development platform. Think of it like an Arduino with a built-in Wi-Fi capability. And, in fact, you can actually use the Arduino Studio to program this device. So... 

Dave Bittner: OK. 

Joe Carrigan:  ...He has added this hardware. He has added a battery. He has added an OLED display. And he's put all the code to run on the ESP8266. Now, Gizmodo points out that this could be used for cheating in classrooms. When a student comes in with a calculator, if they don't notice that this calculator has been hacked - the proctor doesn't notice the calculator's been hacked, then it can be used to surf the internet and get answers, which is a valid point. 

Joe Carrigan: But what's really concerning here is that Casio and REACT have just issued a blanket takedown order, saying - and this is a quote from the Reclaim The Net article - "the code the repository contains is proprietary and not to be publicly published. The hosted content is a direct literal copy of our client's work. I hereby summon you to takedown" - yada, yada, yada. I don't see how that's possible. I really don't see how that's possible for the code this guy wrote to work on an OLED screen. And what he essentially did was install an ESP8266 into a calculator - into the case of a calculator. It doesn't look to me like he's actually downloaded or changed any of the code or even pulled the code off the calculator. And there is a picture on here of the soldering connections. The only modification looks like he's made to the circuit board of the calculator is to wire the battery into the power supply of the calculator. Now, I can't be sure of that because I can't look at the code and see what's going on because it's all been taken down. I can't even look at the video... 

Dave Bittner: Right, right, right. 

Joe Carrigan: ...He posted because that's been taken down. But I really... 

Dave Bittner: Right. 

Joe Carrigan: ...Think this looks to me, if what I'm saying is what has happened, and it probably is - that he put an OLED screen into a calculator form factor, replaced the power source and dropped in a microcontroller that has Wi-Fi connectivity. If he did that, then Casio is not being completely honest here. 

Dave Bittner: It's an interesting point because I think a lot of folks point out that the Digital Millennium Copyright Act really is weighted towards the folks claiming to have the copyrights. I mean... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, all they have to do is basically put in a takedown notice and, as happened here, stuff gets taken down. You can reply. You can challenge that. 

Joe Carrigan: Yep. 

Dave Bittner: But there's really no penalty to the people who put up a false takedown notice. 

Joe Carrigan: And there should be a penalty for that. You know, there - Casio is not going to face any backlash for this. The worst-case scenario for Casio is that this thing comes back on, and that's not even a worst-case scenario for them because this guy is not pirating their code, it looks like. It looks, from what I'm seeing, he is just modifying a case. And there's huge debate that goes on in this. When I buy a calculator, do I have the right to open it up and cut a hole in the case or change the modification? I believe I do, that this becomes my property and I get to do whatever I want with it. And I'm disappointed to see Casio react this way. I would like to see penalties for companies that do this. 

Dave Bittner: Yeah, yeah. Well, it - lots of people think it's an area that's ripe for reform. So this is an interesting case here, a fun one to look at as well. I love these little hardware hacks. 

Joe Carrigan: Yeah, they're awesome. I have a couple of these ESP8266s that I bought, and I've actually never pulled them out. But maybe I will pull them out. 

Dave Bittner: (Laughter) All right. All right, well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.