Slacktivism and vandalism in a time of unrest. Ransomware operators continue to evolve. Email voting. Looking up how-to guides to cybercrime during social isolation.
Dave Bittner: Protest groups sustain DDoS attacks, too. Old-school denial of service afflicts police radio networks in Chicago; they're being jammed with talk, music and other noise. Influencers and wannabes continue to use unrest as an occasion for online branding. The Sodinokibi gang is selling data stolen in ransomware attacks. And Maze seems to be establishing a criminal cartel. Is email to voting what shadow IT is to the enterprise? Ben Yelin describes a federal case involving police screenshots of a suspect's phone as evidence. Our guest is Steve Durbin from the Information Security Forum on their "Threat Horizon 2022" report. And cybercrime for dummies.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 3, 2020.
Dave Bittner: Forbes reports that Cloudflare has observed significant distributed denial-of-service attacks against various protest and civil rights groups during unrest over the death of George Floyd. Like the denial-of-service attacks against some state of Minnesota sites, the attacks on the groups weren't beyond the mitigation capabilities of Cloudflare and other providers of DDoS countermeasures. They're also further evidence that DDoS is now a thoroughly commodified attack technique.
Dave Bittner: Does jamming and intrusion into radio networks count as a cyber incident? Given the convergence of cyber and electronic attack, it's close enough to bear mention. And so other, more conventional forms of interference are also in evidence. The Sun-Times says the Chicago Police Department's radios have been jammed during responses to protests and rioting over the weekend. The jamming took the form of music, yelling slogans, anything to disrupt police communication. The content came from all over the political map, with anti-cop music predominating but with plenty of anti-protester remarks in the mix. A lot of the jamming seems to have been done for the lulz. There's a YouTube video the Sun-Times describes in which two clowns are heard laughing while they listen to police scanner feed of an officer trying to arrange transportation of prisoners while music - the two skids think it's Serbian music, which in Chicago is a possibility - blasts over the police net.
Dave Bittner: So again, distress constitutes an occasion for amusement. It's also an occasion for branding. Reuters reports on the reappearance of Anonymous during the current US unrest, and the news service characterizes it as the revival of a brand by hackers and hucksters, which is probably a useful way of understanding the operation of an anarchist collective. Another class of online actors, influencers, is also actively engaged in brand building. A number of these are drawing criticism, according to The Telegraph, for showing up at protests for photo-ops.
Dave Bittner: Ars Technica reports that REvil, the ransomware gang also known as Sodinokibi, opened bidding yesterday on their cynically named site the Happy Blog for two tranches of confidential data stolen in the course of attacks on two separate companies. Some of the data are business information. Other data for sale include personal information, like scanned driver's licenses.
Dave Bittner: This represents an ongoing development in the history of ransomware. First came encrypting files, thereby denying them to the victim. But this has limited potential. Once the targets realize the threat and start taking the precaution of routinely backing up their data, ransomware drops to the level of a nuisance. Second came data theft. The extortionists exfiltrated data and threatened to dox the victims by releasing sensitive or embarrassing information if the victim didn't pay the ransom by the deadline. This threat to dox is a way of achieving leverage over the victim, increasing the pressure to pay. And now, in the third phase, the extortionists simply add another revenue stream. They'll not just release the victim's files but sell them in the criminal-to-criminal underground markets.
Dave Bittner: Steve Durbin is managing director of the Information Security Forum based in London. He joins us to discuss "Threat Horizon 2022," the ISF's latest annual report, which highlights the major threats that organizations can expect to face over the next two years.
Steve Durbin: It's an annual report that we produce that really tries to look forward two years. We've been doing it now for probably about the best part of 10 or 11 years, and so we've built up quite an amount of credibility in this particular space at forecasting some of the real themes that businesses need to be aware of in order that they can better prepare themselves going forward.
Dave Bittner: Well, let's go through the report together. What are some of the key findings this year?
Steve Durbin: Yeah. Well, we tend to break the report into themes. And three themes this year - one is about invasive technology. Another is really focusing in on infrastructure, the fact that there is neglected infrastructure, as we refer to it, out there that we believe has the real potential to cripple or at least hugely disrupt operations. And then the third theme, which I think is very, very topical and will stay with us for some time to come, is all around trust. And it's really around what we believe is a crisis of trust that is going to undermine digital business going forward. So those are the three themes, and then we build on particular threats inside each of those themes.
Dave Bittner: Well, let's go through them together one at a time.
Steve Durbin: Sure. I mean, I think if we kick off with that invasive technology that I referred to there, this is really about new technology. So this is about it really invading pretty much every element of daily life, you know? We're thinking here of sensors. We're thinking of cameras. We're thinking of devices in the home, offices, factories, public spaces but pretty much everywhere. The first one that we pull out is around augmented attacks that really look at reality and distort it. This is about attackers being able to gain access to sensitive information. I think that's the real issue in this one.
Dave Bittner: How about the other two themes?
Steve Durbin: Yeah, the second one, which I think is pretty topical today as well, actually, is around behavioral analytics. And we do believe that that is going to trigger what we refer to as a consumer backlash. So this is all to do with a multiplicity of devices that are out there that are sensing, that are watching, that are then being used to develop behavioral analytics. And the concern that we have in this space is that increasingly, if that is not being done in a very transparent fashion and a very ethical fashion, then we're going to see something of a backlash from consumers. And we're going to see intensifying scrutiny from regulators, too, as the practice is deemed perhaps to be invasive and unethical.
Dave Bittner: And then the third one deals with trust.
Steve Durbin: Yeah, that's right. The third theme really looks into trust in a great deal of detail. We're all dependent upon technology, but we're somewhat dependent upon the integrity of the technology, the confidentiality of the data that is being shared. So plenty in that particular area around trust, which I think is something that we'll be focusing on for some time to come, frankly.
Dave Bittner: That's Steve Durbin from the ISF.
Dave Bittner: Another development has been observed, this one attributable to a known innovator in the underworld. The gang behind Maze ransomware last November pioneered the now-routine criminal practice of stealing data to gain leverage against their victims. BleepingComputer reports that Maze is now leading the formation of a cartel that would enable ransomware gangs to cooperate and share information. That this is happening may be seen in the appearance on the Maze leak site of files taken from an architectural firm. These files, however, weren't taken by Maze, but rather by LockBit, a different ransomware-as-a-service operation.
Dave Bittner: BleepingComputer, which is often remarkably successful in getting criminals at large to return their emails, contacted Maze and received an explanation of what's up - quote, "in a few days, another group will emerge on our news website. We all see in this cooperation the way leading to mutual beneficial outcome for both actor groups and companies. Even more, they use not only our platform to post the data of companies but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions is behind every successful business," end quote.
Dave Bittner: It's not clear how or even whether money is changing hands. Maze declined to answer a question asking whether they would receive a cut of LockBit's take. They couldn't share the details, maybe because, hey, they're proprietary. In any case, Maze led the way in moving extortion from simple ransomware to a combination of ransomware and doxxing. It may now be leading the way in cartelization.
Dave Bittner: Primary voting in the US proceeded this week, but difficulties in distributing and collecting postal ballots prompted some jurisdictions, including the District of Columbia, to move toward potentially risky workarounds, like voting by email, according to The Washington Post.
Dave Bittner: And finally, what are people doing while socially distanced and sheltering at home? Apparently, many are considering a career in cybercrime. CyberNews thinks a lot of searching for how to hack information indicates widespread interest in a walk on the dark side. The searches include such terms as hacking course, ethical hacking course, how to get on the dark web, how to scam, learn hacking and things like that. We hope these are all budding infosec professionals, perhaps a fresh influx of independent researchers or pen testers. But people being people, we suspect all too many of them may have crime on the mind.
Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, but more importantly, my co-host on the "Caveat" podcast. Ben, always great to have you back.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: On this week's "Caveat," you and I covered a fascinating case, and I want to share it with our CyberWire audience as well. This is a story from Ars Technica, written by Kate Cox. The title is "Just Turning Your Phone On Qualifies as Searching It, Court Rules." Boy, this is an interesting one. Can you unpack it for us?
Ben Yelin: It really is a fascinating case. So it is a federal case, but the incident happened in Washington state about a year ago. A criminal suspect was indicted on a bunch of charges, robbery and assault. Suspect was using a smartphone. When that suspect was arrested, one of the arresting officers hit the power button on that person's device to bring up that phone's lock screen. Now, the officer didn't do anything with that lock screen, but he or she must have seen something that was suspicious. As the federal government was investigating this case - it is a federal case - the FBI turned on the phone to take a photograph - a screenshot of that phone's lock screen. And that lock screen seemed to display the name Streezy, which it appears to me from reading the story was an alias for this criminal suspect. And that was key evidence used in the conviction.
Ben Yelin: So the criminal defendant sought to suppress this evidence, saying that both the police officers - the arresting officers and the FBI violated this defendant's Fourth Amendment rights by simply turning on the phone and taking a screenshot of that lock screen. And the judge actually agreed with the criminal suspect, at least as it relates to the FBI taking that screenshot of the lock screen. There are additional questions about the arresting officer. It's generally legal to search somebody incident to arrest. So that's something that's going to be adjudicated in a future proceeding. But the FBI, when it turned on the phone and took that screenshot of the lock screen, that qualifies as a search under the Fourth Amendment and, therefore, necessitates a warrant. Because no warrant was issued in this case, at least on those grounds, the conviction would have to be overturned.
Ben Yelin: So the rationale here is particularly fascinating, and I'll give just a very short history. Prior to the 1960s, it used to be that there would be no Fourth Amendment violation unless there was a physical trespass on somebody's property, whether that was their real property or their stuff, which in legal parlance is effects. That's actually the language in the Fourth Amendment. In the '60s, that standard changed. There was no longer a focus on a physical trespass into somebody's property. Instead, the focus turned to whether there was a violation of somebody's reasonable expectation of privacy. In 2012, the Supreme Court reconsidered each of those doctrines and decided that both of those doctrines would actually suffice for a Fourth Amendment search. In other words, you could establish a Fourth Amendment search either by establishing that the government violated somebody's reasonable expectation of privacy or that there was a physical intrusion into somebody's stuff, somebody's device in this case.
Ben Yelin: What the judge here says is we need not answer the question of whether this violates the defendant's reasonable expectation of privacy because what we have here is actually a physical trespass. The FBI physically took the device, pressed those two buttons to take a screenshot. That is a trespass on that person's property, and that in and of itself qualifies for a Fourth Amendment search and, therefore, a warrant should have been issued. So it's really a fascinating case, and it'll be interesting to see whether this logic is adopted nationwide in other similar cases.
Dave Bittner: What do you make of this? What is your take on it? I mean, it is fascinating to me. I have to say I would not have expected a ruling like this.
Ben Yelin: Yeah. So this case is very analogous to the 2012 case I referenced, and that's the Jones case. And in that case, the government - or law enforcement had placed a GPS tracking device under the hood of a suspect's car. And the majority of the Supreme Court held that that was a search simply because law enforcement trespassed on that suspect's vehicle. What Justice Alito said in his concurrence in that case is the act of physically attaching that GPS device is completely insignificant as it relates to the question of personal privacy. The real privacy question is what happens after that device is physically attached, and that's the tracking. That's tracking an individual's location.
Ben Yelin: So my thinking of it is, you know, the question on whether somebody's fundamental rights are violated as it relates to their personal integrity, their personal privacy, generally, in the digital age will not turn on whether there has been a simple physical trespass. So, you know, in my view, that shouldn't be the determining factor as to whether there has been a Fourth Amendment search. It should relate more to, you know, a number of things, including how intrusive this particular method of searching is. You know, you could make a case that this individual actually did not have a reasonable expectation of privacy in their lock screen because it's something that a person generally shows publicly. If you put your phone out on a table, if it falls out of your pocket, that's going to be something that anybody could see. That, to me, would've been a fine justification instead of using this more, I would say, arcane, 19th century physical trespass doctrine to make the decision in this case.
Dave Bittner: That's fascinating. All right, well, Ben Yelin, as always, thanks for joining us. And if you want to hear more about this case, Ben and I spend a good deal more time on it over on the "Caveat" podcast. So if you have not yet checked that out, now would be an excellent chance for you to do that. So please do so. Ben, always a pleasure. Thanks for joining us.
Ben Yelin: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.