The CyberWire Daily Podcast 6.16.20
Ep 1110 | 6.16.20
Cyberespionage and counterespionage. The DDoS that never was. A very strange case of cyberstalking. And leaky niche dating sites.
Transcript

Dave Bittner: What does Beijing want to know about US presidential campaigns? A redacted version of the CIA's inquiry into the WikiLeaks Vault 7 material is out. That DDoS attack you read about on Twitter? Never happened. Former eBay employees face federal charges of conspiracy to commit cyberstalking and witness tampering. Ben Yelin explains a judge refusing to sign off on a potential Facebook facial recognition settlement. Our guest is Randy Vanderhoof from the Secure Technology Alliance on mobile driver's licenses. And where would you store niche dating app material? In a misconfigured AWS S3 bucket. Where else?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 16, 2020.

Dave Bittner: We've got two stories of espionage today. In the first, the Voice of America reports that Chinese intelligence services are collecting against the US presidential campaign of presumptive Democratic nominee Joe Biden. What are they after? Position papers, apparently. The campaign appears not to have been compromised, and the operation appears to be part of a longstanding effort aimed at developing a picture of US presidential candidates' attitudes and likely policies toward the People's Republic. Google's Threat Analysis Group, cited by the Voice of America, has been tracking the espionage for weeks. FireEye attributes the effort to APT31, also known as Hurricane Panda or Stone Panda.

Dave Bittner: The other story involves the partial declassification of the October 2017 report by the CIA's WikiLeaks Task Force that was formed to investigate how the leak site came to obtain the material it published as Vault 7. According to The Washington Post, the heavily redacted report found that the CIA was focused on developing offensive cyber tools, but that it neglected basic security measures and sound practice. The report's provenance is interesting. It came to the post from Senator Wyden, Democrat of Oregon, who received it in his capacity as a member of the Senate Intelligence Committee. The senator got it from the Justice Department, which has it because it figures into the trial of Joshua Schulte, who's been charged with passing the Vault 7 material to WikiLeaks. Mr. Schulte's attorneys claim that the report shows that the CIA security was in this respect so slipshod that any one of hundreds of people could have given Vault 7 to Mr. Assange's organization. 

Dave Bittner: The CIA has said that it does indeed take network security seriously, but beyond that had little to say. A former intelligence official speaking anonymously told The Post that he disagreed with the conclusion that the CIA's enterprise systems were carelessly secured, that, to the contrary, Langley had secured its enterprise systems to a gold standard. But the enterprise systems and the mission systems were two separate things. And while security was emphasized, the source told The Post that the operators who ran the mission network thought there was better auditing, more insight into the network than, in fact, there was. There was a mismatch of expectations between the operators and those who administered and maintained the network. 

Dave Bittner: Did you hear that the US was under a major DDoS attack? It's been all over Twitter, you know. Anonymous, with its cosplayer's customary overstatement, has claimed that the United States is under crippling distributed denial-of-service attack, and a lot of others have been tweeting, retweeting and otherwise sharing their thoughts on the matter. And, as is usually the case, those thoughts run along the lines of, well, the Martians have landed, and the man is out to get you. But as Cloudflare and others have pointed out, it's not true. There was no DDoS. Sure, T-Mobile had a rocky upgrade yesterday that impeded calls and texts, although CNET says data for the most part continued to flow, albeit with certain outages reported. 

Dave Bittner: The people tweeting as Anonymous didn't claim the DDoS for themselves, saying instead that it was probably China because of stuff going on around the Korean demilitarized zone. The attack map eye candy tweeted in the anarchist collective's non-name appears to put the center of the campaign somewhere between Omaha and Des Moines, which could maybe be why we missed it here in Baltimore. But we think Forbes, TechCrunch, and Computing have it right. There was no DDoS. And those maps with all the lines arching across the globe, don't take them too seriously. 

Dave Bittner: Imagine not having to carry a wallet and instead having all of your payment information, medical insurance cards and even your driver's license stored on your mobile device. Convenient, yes. Secure, possibly, depending on how it's implemented. And as they say, the devil is in the details. Several US states are underway with plans to make mobile versions of driver's licenses available to their citizens who prefer them. Randy Vanderhoof is executive director of the Secure Technology Alliance, and he offers these insights. 

Randy Vanderhoof: Most people in the US over the age of 18 get a driver's license from their state, primarily to prove their privilege to drive. But most people don't use that driver's license that often for that purpose but instead use the driver's license as a form of identity so that people can prove their age if they're entering an age-restricted establishment or prove their address or their identity if they're opening a bank account or cashing a check or accessing a secure facility. Having a mobile version of this identity offers a lot more convenience as well as security as well as functionality because the digital version of that physical driver's license can be transmitted electronically to someone who can then read that information and authenticate it and then have an electronic record of the transaction, which is something that is not commonly available by just presenting a physical driver's license. 

Dave Bittner: Now, in this scenario, how does a mobile driver's license verify that I'm who I say I am? 

Randy Vanderhoof: So in the mobile version, there would be a digital image of the person so that you can match the driver's license credential with the person that's presenting it. And then there could be a set of options that the person holding the phone would be able to select as to what other information do you want shared. And then you could bring up your age eligibility, or you could bring up your address if that was what was required. And then the establishment that's proving my identity can read that information electronically. And so there's a higher level of trust because the information that's shared electronically can be digitally secured. 

Randy Vanderhoof: And then there's an auto trail or a record that the establishment then has. So if there was a question after the fact, whether or not that establishment actually checked for my identity, they can go back to their electronic record and show the information that they got at the point of when that digital driver's license was presented. 

Dave Bittner: That's Randy Vanderhoof from the Secure Technology Alliance. 

Dave Bittner: The US attorney for the District of Massachusetts has charged six former eBay employees with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses in an unusually nasty and dimwitted case of cyberstalking. They are alleged to have harassed and doxxed a Natick, Mass., couple who ran an e-commerce blog and newsletter, EcommerceBytes, that sometimes posted critical reviews of eBay. The harassment included anonymous and disturbing deliveries - a bloody pig mask, a book on mourning a spouse's death, live cockroaches, nasty pornography apparently intentionally misdelivered to a neighbor's house, a fetal pig and so on. It even involved physical visits to the victims' home disrupted by the Natick police who subsequently asked eBay what was going on. 

Dave Bittner: The six defendants, all of whom eBay fired last September after an internal investigation prompted by the Natick PD, included some senior and middle managers. The U.S. attorney's office says the defendants were, until eBay parted ways with them, the senior director of safety and security, the director of global resiliency, senior manager of global intelligence, the manager of eBay's global intelligence center, a contractor who worked as an intelligence analyst in the GIC, a senior manager of special operations for eBay's global security team. 

Dave Bittner: It's a very strange story in which a well-resourced Fortune 500 company decided to go after two small-town online journalists with strong-arm tactics out of a cheap detective novel or a bad TV crime show. In what passed for cunning among the planners, they intended to escalate the pressure then send one of their number to visit the victims in Natick, appearing as an eBay hero sympathetically prepared to help them get out from under all the harassment. This would generate goodwill toward eBay and favorable stories on the victims' blog. So a win-win, right? Well, no. But see what we mean about a lousy script? 

Dave Bittner: And finally, Carlos Danger, call your office. VpnMentor is reporting that researchers discovered that hundreds of thousands of users of niche dating and hookup apps had their personal information exposed - 20,439,462 files totaling 845 gigabytes and including such photos - many of them described as graphic and explicit - screenshots of private chats and financial transactions, some audio and a bit of personally identifiable information. The apps appear to have shared a developer. More importantly, they shared an AWS S3 bucket. And guess what. That bucket was exposed to the internet. If we thought any of you needed it, we'd close with a meditation on Kant's transcendental principle of publicity as one formulation of the categorical imperative. But in case any of your friends ask you, here's a quick gloss. If you don't want that stuff to turn up on the pages of WIRED, don't put it online. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland's Center for Health and Homeland Security. He is also my co-host on the "Caveat" podcast. Ben, always great to have you back. Interesting story from Courthouse News Service, and it's titled "Judge Won’t Sign Off on $550 Million Facebook Facial Data Settlement." What's going on here? 

Ben Yelin: So this has been a case that's been tied up in our court system for about five years now. A group of plaintiffs initiated a class-action suit under Illinois' Biometric Information Privacy Act of 2008. Yes, federal courts can hear cases on state laws for all you civil procedure nerds out there. 

Dave Bittner: (Laughter). 

Ben Yelin: And the case claims that Facebook started mapping users' faces for its photo tag function without properly notifying the users. So recently, Facebook and the class of plaintiffs came to a settlement for $550 million, which is below - you know, for each plaintiff, that's below what one would get for a single violation if you read the Illinois statute literally. And so the judge in this case - a federal district court judge - is questioning the terms of the settlement, which is very unusual. Judges are usually very deferential to parties who decide to settle. You know, it makes their lives easier. It keeps cases out of court. So even if they have to sign off on a settlement, you know, they'll usually trust whatever agreement the parties have come to. 

Ben Yelin: In this case, the district court judge is saying, in his opinion, these penalties - the penalty that Facebook is going to pay to these plaintiffs is just simply not large enough. The statute requires far greater penalties, and it's not going to be enough of a disincentive for Facebook to change its behavior and give proper warning before it engages in things like mapping users' faces. So you know, I think Facebook is probably freaking out right now. They thought they had this case settled. 

Dave Bittner: (Laughter). 

Ben Yelin: You know, they came to an agreement with this class of plaintiffs, and now the case is reopened. And the judge is asking each party for additional information. 

Dave Bittner: Interesting. 

Ben Yelin: So the case has kind of been resurrected, and it'll be interesting to see what the future proceedings hold. 

Dave Bittner: Yeah. I mean, looking at some of the details here, that Illinois statute apparently uses a benchmark of $5,000 per violation. And according to this article, in the settlement, everyone would receive between $150 to $300, which if you do the math, turns out to about 1.25% of the maximum that people could get. And the judge is saying that, essentially, a 98.75% discount off of the recommended violation isn't going to cut it. 

Ben Yelin: Yeah, it's rare that you see 98.75% discounts out there. 

Dave Bittner: (Laughter). 

Ben Yelin: You know, even in the age of Groupon, I - you rarely see, you know, 98% off. Yeah, I mean, it's pretty extreme. There are a couple of things that are worth noting about that. One is it's very likely that the plaintiffs thought this litigation is going to be so costly, could go on for such a long time, it might be in our best interest to just cut it off now, take the settlement that we can get and move on. And both parties also said in some of their filings that they expected a judge - you know, if there was a civil judgment for this class of plaintiffs, they'd expect that the amount of damages owed would be reduced anyway so we might as well keep this case out of court. 

Ben Yelin: What this judge is saying is that's not persuasive because even if a judge or jury were to reduce the amount of damages, it's very unlikely that they would reduce them by a number as drastic as 98%. And you know, I think he certainly has a point there. And he also, you know - another thing this judge said is Facebook still hasn't explained how this problem is going to be dealt with going forward. How is Facebook going to handle class members' facial geometry data after the settlement is finalized? 

Dave Bittner: Oh. 

Ben Yelin: And so the judge still wants, you know, some clear answers on that. So I think the judge is saying to both parties, this does not look like a fair and equitable agreement right now. 

Dave Bittner: Wow. 

Ben Yelin: This does not look like a problem that's going to be solved, so that's why he's taking this rather rare step of opening the case up. 

Dave Bittner: And so what happens now? Do both groups go back to the drawing board? Where does it go? 

Ben Yelin: Yeah. So the judge has ordered attorneys for each party to address the concerns laid out in the judge's memo. And the judge basically said, I'm not signing off on a settlement. It's very possible if, you know, you, the parties, don't adequately address my concerns, that we're going to actually have a civil jury trial. And in that case, Facebook is most likely going to owe a heck of a lot more than 1.25% of the potential damages. You know, I think it's possible that the plaintiffs will use this as - this judge's memo as leverage and say, all right, the judge thought 500 million was too small. Why don't - let's go, you know, 2 billion, 3 billion. 

Dave Bittner: Pretty soon, we're talking about real money. 

Ben Yelin: Real money - exactly. 

Ben Yelin: (Laughter). 

Ben Yelin: And you know, maybe the judge will sign off on that, but none of us have to go to court and go through the very difficult process of a long civil jury trial. And you know, I think that's - we could still very well see a settlement in this case. It's just... 

Dave Bittner: Right. 

Ben Yelin: ...Going to be different than the settlement that has already been agreed upon by the two parties. 

Dave Bittner: Yeah, yeah - very interesting indeed. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.