Dave Bittner: Blue Leaks dumps stolen police files online. A report of spyware delivered via network injection. COVID-19 apps and databases are reported to have indifferent privacy safeguards. And there's been one big recent leak. India and Australia are both on alert for Chinese cyberattacks. Our own Rick Howard on intelligence operations. It's Cybersecurity Canon week. Our guest is Todd Fitzgerald, author of "CISO COMPASS." And New Zealand piles on in the case of a Russian altcoin baron.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 22, 2020.
Dave Bittner: Distributed Denial of Secrets, a group described variously as hacktivist and as an alternative to WikiLeaks, has posted 10 years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more. The files are available, KrebsOnSecurity reports, in a searchable database. The National Fusion Center Association in an internal June 20 assessment confirmed that the data were, indeed, valid and that the files in the leak were compiled between August 1996 through June 19, 2020, which covers almost 16 more years than the 10 DDoSecrets claimed in their tweeted communique. The data include names, email addresses, phone numbers, PDF documents, images and large number of text, video, CSV and zip files. The NFCA said in its internal alert, additionally, the data dump contains emails and associated attachments.
Dave Bittner: Our initial analysis revealed that some of these files contain highly sensitive information, such as ACH routing numbers, international bank account numbers and other financial data, as well as personally identifiable information and images of suspects listed in requests for information and other law enforcement and government agency reports. The incident appears to be a case of damage inflicted through a third party. NCFA (ph) believes the data were probably taken from Netsential, a contractor widely used by state fusion centers, by a threat actor who used compromised Netsential credentials to facilitate data exfiltration. The data are thought unlikely to contain much, if any, information about police misconduct. But they will probably include a great deal that organized crime will find interesting and useful, including information about protected witnesses, investigations and so on.
Dave Bittner: Moroccan journalist Omar Radi's phone was infected with spyware in a network injection attack that Amnesty International says looks like an application of NSO Group intercept technology. Amnesty says it had seen the technique, which requires the attacker to either use a rogue cell tower, like a stingray, or to exploit access to the mobile carrier's internal infrastructure, used against at least one other Moroccan journalist. Amnesty's report says, quote, "whereas previous techniques relied to some extent on tricking the user into taking an action, network injections allow for the automatic and invisible redirection of targets' browsers and apps to malicious sites under the attacker's control, most likely unknown to the victim. These will rapidly leverage software vulnerabilities in order to compromise and infect the device," end quote. Amnesty believes the spyware installed was NSO Group's Pegasus. The group notes with displeasure that the incident with Radi's phone occurred just some three days after NSO Group announced a new policy designed to control abuse of its lawful intercept technology by authoritarian regimes.
Dave Bittner: Researchers at Guardsquare conclude that many of the contact-tracing apps being deployed by governments fall short in terms of privacy safeguards. They examined 17 Android apps used in 17 different countries and found that most lacked root detection, name obfuscation, string encryption, emulator detection, asset and resource encryption or class encryption. Only 1 of the 17 was fully obfuscated and encrypted. The International Digital Accountability Council, while acknowledging that most of the contact-tracing apps were developed with the best intentions, found that eight apps they studied tend to overshare data with third parties. Some of that sharing is with companies like Branch, Crashlytics and Facebook and seems intended, The Washington Post notes, to optimize performance. Other sharing is less obviously related to performance optimization. The symptom-logging apps Kencor COVID-19 and Care19, as well as the smart thermometer app Kinsa, seem to be sharing data of the sort normally used for marketing.
Dave Bittner: And there's been one significant breach of PII from a COVID-19 test database maintained by the Indonesian government. An unknown hacker going by the name Database Shopping is selling personally identifiable information of Indonesians who've been tested for COVID-19. The data are being offered on the Raid Forum. AsiaOne reports that the information leaked from a government database and that more than 200,000 individuals are affected.
Dave Bittner: India remains jittery over the prospect of Chinese cyberattacks, ET CIO reports. Police sources tell the outlet that last week saw a surge in Chinese attacks against public and private infrastructure in India. More are expected. The attacks have tended to fall into two categories. One is redirection of traffic through China, where it can be analyzed for information of intelligence value. The other is the familiar blunt instrument of the distributed denial-of-service attack. Trak.in reports that some of the attacks have afflicted rail transport in India. Sources tell the outlet that both Chinese operators and Pakistani threat groups APT36, also known as Mythic Leopard, were involved.
Dave Bittner: And judging from stories in the Australian Financial Review and elsewhere, Australia remains in high dudgeon over Chinese government hacking. There is still some uncertainty over the origins and extent of the hacking, especially given Prime Minister Morrison's refusal last week to offer an official attribution. But essentially everyone who's commented on the wave of cyber-espionage and distributed denial of service sees it as China's work - everyone, of course, except the Chinese government, which has said it's shocked - shocked - to learn that hacking is going on and that it had nothing to do with it. The US has joined Australia in its outrage. Secretary of State Pompeo denounced Chinese cyber operations, especially the attack on Parliament House, as coercive.
Dave Bittner: And finally, New Zealand has weighed in on the case of Russian altcoin baron Alexander Vinnik, freezing $140 million of Mr. Vinnik's funds, Radio New Zealand reports. Mr. Vinnik, currently in French custody on fraud charges, also faces twenty-one US charges that range, according to The Moscow Times, from identity theft and facilitating drug trafficking to money laundering. He's also wanted in Russia on lesser fraud charges.
Dave Bittner: Mr. Vinnik's troubles with law enforcement actually began in Greece, where he was snapped up while on holiday at the northern Greek tourist resort of Halkidiki. The Russians, Americans and French all wanted a piece of him, but France will get the first bite. There must be a lesson here for big-time criminals. If vacation you must, check out the extradition treaties enforced at your destination. Club Med could get you a stay in Club Fed.
Dave Bittner: And joining the program once again is our own Rick Howard, the CyberWire's chief analyst and chief security officer. Rick, great to have you back.
Rick Howard: Thank you, sir.
Dave Bittner: I wanted to touch base with you today on a couple of things - first of all, a little preview of your "CSO Perspectives" podcast. We're talking intelligence operations this week.
Rick Howard: Yeah. We've been creating a cybersecurity strategy over the last eight or nine weeks about what kind of things should you have in place. And we did talk about cyberthreat intelligence this week. And you know, Dave, I've been a cyber intelligence guy my whole career. I've done it in the military, and I've done it in the commercial space. And when you think about what any kind of infosec program needs - OK, if you know you're trying to stop known adversaries out there, how do you find out what the bad guys do? Well, you need a cyberthreat intelligence team to kind of put that together for you.
Dave Bittner: And how do you decide if you're a big enough organization to have your own team or to contract that out with somebody else?
Rick Howard: You know, that's a real big question 'cause, you know, if you do it right, I mean, you could spend a lot of money on an intelligence team. I know my previous job, you know, we had a giant threat intelligence team, lots of resources. And you know, hey, most people don't have that. If you're small- to medium-sized company, you know, how do you leverage the cyberthreat intelligence to improve your program?
Rick Howard: And there's ways to do that. Right? What you should do is seek vendors. When you have your own security stack, seek vendors that agree with your philosophy. If you're trying to put prevention controls in place for every known adversary along the intrusion kill chain, seek a vendor who already is doing that. You know, they already resource big cyber intelligence groups, so find those that do that for you. Right? And then find those vendors, also, that kind of collaborate with other vendors so that they don't have to do it all themselves. So my point is that even if you are a very small organization, you could tap into the whole thing and get it done for you.
Dave Bittner: What is your take on the difference between, say, just information and actual intelligence?
Rick Howard: Yeah. I had that discussion a lot with a bunch of intel teams. You know, a lot of people get lost in the mud. They just kind of review blogs and read white papers and things, and they just kind of collect that information. But you're not really an intelligence shop unless you can provide possible decisions for leadership. OK? The reason you're collecting it is so they can make a decision. And it's really interesting because a lot of the functions that a cyberthreat analyst does is very similar to a newspaper reporter. You know, they collect information, they synthesize it, and they tell people about what they know. A cyberthreat intel analyst does all of those things. OK? But the very next thing he does, though, is he tells the boss, here are three things you can do with that information. And that's the difference.
Dave Bittner: All right. Well, the podcast is "CSO Perspectives." It is part of CyberWire Pro. You can find that, of course, on our website thecyberwire.com.
Dave Bittner: The other thing I wanted to touch base with you on is the Cybersecurity Canon. Now, this is something you and I talked about many times before you joined us here at the CyberWire - back when you were still at Palo Alto Networks. It's a real passion project for you.
Rick Howard: Yeah. We started doing it about six years ago. We set it up like the Rock & Roll Hall of Fame for the purpose of identifying cybersecurity books because if you wanted to read something new this year and you went out to Amazon and you looked up cybersecurity books, you would get about 3,000 books to choose from. So how do you decide which ones to do? So what we did is we set up a committee of outside practitioners. And they read the books, and they made recommendations about which books the entire community should read. So we've been doing it now for about six years. There's about 500 books that have been reviewed, and the committee has recommended over 30 for the Hall of Fame. So if you're going to start anywhere, I would start there in the Hall of Fame books.
Dave Bittner: Well, and this week, we're celebrating the Cybersecurity Canon. You're interviewing some authors all week long. Who do we have today?
Rick Howard: Well, what we're doing is - we've had to modify the Hall of Fame awards ceremony, OK? This season is the 2019-2020 season. The committee has selected the new authors for winning or being inducted into the Hall of Fame. And so the modification is that we're going to interview the winning authors one book a day in the entire week, and we're - it's kind of like our Shark Week. It's the Cybersecurity Canon week for the CyberWire. So I'm looking forward to all those interviews, and so this will be the official announcement of the winners for that season.
Dave Bittner: All right. Well, we're starting off with your interview with Todd Fitzgerald. Let's have a listen.
Rick Howard: The CyberWire is celebrating the Cybersecurity Canon Project this week. It is in its sixth year, identifying the must-read books for all network defenders. This week, the Canon Committee announced the Hall of Fame inductees for the 2019-2020 season, and I am pleased to have on the show one of the winning authors for his book called "CISO Compass: Navigating Cybersecurity Leadership Challenges With Insights From Pioneers." Todd Fitzgerald, welcome to the show.
Todd Fitzgerald: Well, thank you very much. Thanks for having me.
Rick Howard: So why'd you write the book?
Todd Fitzgerald: Well, you know, I was looking at the industry. And I've been a CISO for a long time, and I didn't see any reference that you could go to that would be a road map for CISOs. You know, we go to conferences. We talk about all the issues. But where is all this stuff? And so I wanted to put together a roadmap for CISOs that was comprehensive enough that would also not be theoretical, that would be based on practical experience.
Todd Fitzgerald: And so I put the book together, but I also didn't want it just to be Todd Fitzgerald's view of the world. And so I invited 75 other CISOs to write a one-page gray box to talk about an experience. So think of it like a job interview where you go into the job interview and they say, you know, tell me about a situation, you know, that you had a major challenge. And what did you do about it, and what was the result? And what were the lessons learned? What would you do differently next time? And so I challenged some of our top CISOs in the country and cybersecurity leaders to write those gray boxes about a security issue, and then I infused those into the book, into the road map. And so it's a very comprehensive text that gives you actually about 80 different perspectives on security but not just a book that smashed together 80 different perspectives. It actually weaves the story for the CISO to follow.
Rick Howard: So because of the pandemic, this interview is kind of a proxy for your acceptance speech of a Canon Hall of Fame Award. Any last words on - along those lines?
Todd Fitzgerald: Receiving the award is just an awesome honor and something I never expected. And when you write a book - and this is my fourth book, and I'm part of about a dozen other books, and I have been writing for quite a while. And when you write something, you want it to sell, but it's never about wanting to sell a lot of books. It's about - you want to write something that people see as valuable and something that people can use to make their lives better. And that was really my passion behind it. I didn't - because this wasn't my first book, I didn't just want to write a book to get published. I wanted to write a book that people really wanted, and I was so happy to see that so many people have benefited from it.
Todd Fitzgerald: And it's quite an honor to have this award. You know, it would have been great to have the ceremony and do all of that. But I certainly understand our lives have significantly changed, and it's really nice that you're doing this and awarding the award. That's - it means a lot to me.
Rick Howard: The book is "CISO Compass: Navigating Cybersecurity Leadership Challenges With Insights From Pioneers." It is now officially inducted into the Cybersecurity Hall of Fame. Congratulations, Todd, and thanks for being on the show.
Todd Fitzgerald: Well, thank you very much. It's really been a privilege to serve the CISO community, and I'm extremely excited about it.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you more informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.