A 2018 Presidential finding authorized the CIA to conduct a broad range of offensive cyber ops. Data breaches and ransomware incidents. Sloppy VPNs. SEC warns, and China woofs.
Dave Bittner: A 2018 presidential finding authorized extensive CIA cyber operations against Russia, China, Iran and North Korea. Wattpad may have been breached. The SEC asks its registrants to take steps to protect themselves against ransomware. A free VPN's databases are found exposed. Joe Carrigan on privacy versus security on Android devices. Our guest is Chris Deluzio from Pitt Cyber on election security. And Beijing woofs in the direction of London over the U.K.'s Huawei ban.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 15, 2020.
Dave Bittner: A 2018 presidential finding authorized the U.S. Central Intelligence Agency to conduct offensive cyber operations against a range of foreign targets, according to a story running exclusively in Yahoo. Iran, Russia, China and North Korea figured prominently on the target list, unnamed former government officials said. The activities authorized extended beyond intelligence collection to include actively disruptive measures and influence operations. The finding was sufficiently broad to encompass organizations credibly believed to be acting on behalf of or in cooperation with hostile intelligence services.
Dave Bittner: The active measures the CIA was authorized to take included actions against financial institutions, kinetic effects against infrastructure and hack-and-dump operations in which documents are taken and posted when and where they could be expected to influence opinion.
Dave Bittner: The people speaking on background for the story told the reporters that Langley had been, to some extent, divided on the advisability of offensive cyber operations but that the CIA had sought such authority for years, going back at least two administrations. They had expected both Presidents Bush and Obama to sign a relevant finding, but neither did. They had not expected such a finding from President Trump and were pleased when it was signed - or more than pleased. One of the unnamed former officials told Yahoo's reporters, quote, "people were doing backflips in the hallways," end quote.
Dave Bittner: Former CIA general counsel Robert Eatinger, who did speak on the record, had no knowledge of the 2018 finding. But he did confirm that there had, for some time, been two camps at Langley - those who saw restraint in cyberspace as prudent and valuable and others who sought authority for more offensive cyber operations. Yahoo says that neither the CIA nor the National Security Council responded to their questions.
Dave Bittner: Bleeping Computer reports that popular storytelling site Wattpad may have been hacked for a 270-million-record database. The information, formerly for sale, is now being offered for free in various hacker sites. Its authenticity is under investigation, and Wattpad has brought in security assistance to help it run down what the incident actually amounts to.
Dave Bittner: Researchers at Comparitech say they've found that Hong Kong-based VPN provider UFO VPN left a database of user logs and API access records exposed online without passwords or any other form of authentication to protect it.
Dave Bittner: VpnMentor says it found an even more extensive exposure. It wasn't just UFO VPN, but six other brands as well - FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN. They all appear to share a common developer. The data vpnMentor says it found exposed include PII of some 20 million users, and it runs to such items as email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID and other technical details. The seven apps advertise themselves as both free and no-log - no-log meaning that they didn't collect any personal information, but that seems not to be true.
Dave Bittner: The seven apps are connected in a number of ways. Their branding tends to be similar, and several of them promise military-grade security. We're not sure, either, what military-grade means, but it probably doesn't extend to leaving an Elasticsearch server flapping in the virtual breeze. VpnMentor thinks they're all white-labeled versions of the same product. In any case, they used the same Elasticsearch server. They're hosted on the same assets. And they use a single recipient for payment - Dreamfii HK Limited. VpnMentor says there are a lot of excellent free VPNs out there, but in the case of these seven, you apparently get what you pay for.
Dave Bittner: The U.S. elections will be here before you know it. Oh, heck. Let's see here. Hey, Siri.
Dave Bittner: How long till the U.S. elections?
Siri: It's 111 days until then.
Dave Bittner: Whew. OK.
Dave Bittner: Chris Deluzio is policy director at the University of Pittsburgh's Institute for Cyber Law, Policy, and Security, also known as Pitt Cyber. He joins us with insights from their recent report titled "Ensuring Safe Elections."
Chris Deluzio: Well, I think the situation in the world right now, where we're confronting a public health crisis and we and many states are dealing with primary elections and across the country have a general election in November that includes the election of the president, all members of the House of Representatives, many senators, many state officials, presents a very unique set of challenges. And many of the solutions to those challenges require a serious infusion of resources largely to the states and, to be really precise, to local officials of the county or, in some places, city or town level. And without those new resources - and, really, that ought to come from the federal government, given the national scope of what we're confronting - we fear that election officials, who are, again, predominantly local and state folks, won't be equipped to protect our democracy and ensure that voters are able to vote safely and securely come November.
Dave Bittner: What is the spectrum that you see going from state to state? Are there states that are much better off, ahead of the pack when it comes to these sorts of things and others that need to catch up?
Chris Deluzio: Well, I think states that already are doing vote by mail as a primary method of voting are, of course, well-suited to give people the best chance to vote safely during a public health crisis. But then there are a whole lot of states that aren't the five that primarily vote by mail that also offer no-excuse absentee voting or no-excuse mail voting. And so they're, you know, also in a good position.
Chris Deluzio: But, of course, the devil's in the details. Are those states affirmatively sending applications or ballots? States that have things like automatic voter registration, where you're capturing updates to people's addresses if they interact with a government agency - say, the DMV, for example - those states have likely cleaner and more accurate voter registration lists and thus can make a pivot or transition to a mail voting system perhaps more quickly. And so they're in a better position. And that's a growing number of states but not the majority yet.
Dave Bittner: Why not shift to things like voting online? Why the emphasis on voting by mail?
Chris Deluzio: Well, the unfortunate truth is that online voting just is not secure and ready for prime time. There's, frankly, consensus among computer science experts and others who have studied online voting and show that the unique challenges of an election where voters have to be - their votes are anonymous that online voting presents too many risks and the hacking - in particular, vulnerabilities are too substantial to overcome.
Chris Deluzio: So it's not a viable option for secure elections, and so we have to instead look at what we - what technologies and options we have. And those really are to adapt our current voting system, which is a mix in the states of voting in person and voting by mail, to the public health crisis. And for most states, that means expanding the ways in which voters can safely vote from home while also making sure we have good, reliable and safe options for voters to vote in person who may need to.
Dave Bittner: That's Chris Deluzio from Pitt Cyber.
Dave Bittner: The U.S. Securities and Exchange Commission has issued a ransomware warning to its registrants, which include broker-dealers, investment advisers and investment companies. The SEC's Office of Compliance Inspections and Examinations refers the registrants to applicable CISA alerts - the Dridex strain is particularly called out - and suggests that they pay particular attention to incident response and resiliency policies, procedures and plans, awareness and training programs, vulnerability scanning and patch management, access management and perimeter security.
Dave Bittner: CNBC, which has been watching Chinese state media closely, says that Beijing is advising itself through those media to retaliate in a public and painful way for Britain's ill-founded decision to boot Huawei from the U.K.'s 5G infrastructure. The state-run Global Times put it this way, waving both carrot and stick. Quote, "it's necessary for China to retaliate against U.K. Otherwise, wouldn't we be too easy to bully? Such retaliation should be public and painful for the U.K.," the paper wrote, thus the stick. And here's the carrot - quote, "but it's unnecessary to turn it into a China-U.K. confrontation. The U.K. is not the U.S., nor Australia, nor Canada. It's a relative weak link in the Five Eyes. In the long run, the U.K. has no reason to turn against China with the Hong Kong issue fading out," end quote.
Dave Bittner: So, London, wise up. You're not as important as the U.S., Australia or Canada - maybe a Northern Hemispheric New Zealand. So the carrots there - we don't want no trouble, but they're actually kind of whacking Her Majesty's Government with it. Hong Kong's old news, London, and you've lost that one anyway. So wise up and do business with Shenzhen. We paraphrase, of course.
Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting article came by. This is from the folks over at Android Central online website, written by Jerry Hildebrand. And the title is "Security Isn't Privacy, and You Can Have One Without the Other."
Joe Carrigan: Yep.
Dave Bittner: It's a titillating title there, Joe. What's your take on this article?
Joe Carrigan: I like this article a lot. It is - it embodies everything I like about Android and everything I dislike about it.
Dave Bittner: (Laughter).
Joe Carrigan: And Jerry makes a good point here - that Android is one of the most secure operating systems ever. And the reason it's the most secure - one of the most secure operating systems ever is because it's open source. It has a lot of eyes - eyeballs looking at the code. There are people looking for exploits, and when they find the exploits, they sell them to Google, who then patch the exploits - or vulnerabilities, rather, not the exploits.
Joe Carrigan: And Google does a very good job of keeping this operating system secure because it is so integral to their business model, right?
Dave Bittner: Right.
Joe Carrigan: They need to make sure that, by secure, that only the intended people have access to the device.
Dave Bittner: Yeah.
Joe Carrigan: Now, that's where privacy comes in...
Dave Bittner: (Laughter).
Joe Carrigan: ...Because one of those intended people is Google. And Jerry points out in this article that you are making an economic decision to trade your data to Google. And he makes a point that Google doesn't sell your data to third-party providers, but they use that data to build a profile of you that is remarkably accurate. And...
Dave Bittner: (Laughter) Right. I was going to say it may be a distinction without a difference in this case, perhaps.
Joe Carrigan: Well, I don't think - I think it's more of a distinction - I think there's more of a difference. Yeah, they're going to - you know, they can break down their demographics like we've never had the opportunity in the history of - in human history to break down demographics like this before, right?
Dave Bittner: (Laughter) Yeah.
Joe Carrigan: And target ads at such a group of people that are interested in a particular - that we almost - that we get the highest return on the advertising dollars that we possibly can, right?
Dave Bittner: OK.
Joe Carrigan: So from the business standpoint, it's a really good proposition. The question is, do you, as an Android user, want to be targeted with that level of specificity? And if not, maybe you make a different selection.
Dave Bittner: Yeah.
Joe Carrigan: Maybe you make a different decision.
Dave Bittner: No, Jerry makes some good points here. I mean, you look at apps like Google Photos, which is something that I use.
Joe Carrigan: Right.
Dave Bittner: And boy the functionality of that is - it's great. It really is an enhancement over other photo apps that I've used - to be able to just go in and do a plain text search for anything - you know, dogs in the snow - boom - all of my...
Joe Carrigan: Right. All the pictures of your dog in the snow.
Dave Bittner: ...Pictures of dogs in the snow come up (laughter). Right. Right. It's wonderful. But like you said, the tradeoff there is that you're - I'm giving them access to those photos to do machine learning training and all the different sort of things that they want to do with them.
Joe Carrigan: Yeah.
Dave Bittner: But I've made the decision that it's worth it.
Joe Carrigan: Right. Exactly. And that's really the important thing, is we have to make that decision consciously, right?
Dave Bittner: Yeah.
Joe Carrigan: And a lot of us don't do that. A lot of us just go, oh, cool, and it's free? Yeah, kind of.
Dave Bittner: (Laughter).
Joe Carrigan: It's kind of free. You're paying for it with your behavior and your personality and your location and your likes and your dislikes.
Dave Bittner: Well, and I think also an important point here is that this is OK as long as there's another choice. In other words, if Google were the only game in town, if they're - really there - if they had a true monopoly and Android was the only mobile operating system that had any meaningful market share...
Joe Carrigan: Right.
Dave Bittner: Well, I think we'd have a different value equation there, and perhaps Google would operate differently because they wouldn't have the competitive pressures that they have now to not go too far.
Joe Carrigan: Yeah. Yeah, maybe they would sell your data at that point.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Because that would be incredibly lucrative. And when I say sell your data, I mean actually take the data that they've built about you and transfer that to a third party for money, not sell your data like, I'm going to sell advertising to Dave because the advertiser wants specifically to reach Dave and people like Dave.
Dave Bittner: Right. It's interesting to me - this article points out this notion that security isn't privacy. And I think that's an important point because I think that's something a lot of folks overlook. They kind of group the two things together.
Joe Carrigan: Yeah.
Dave Bittner: And I think it's important to have a distinction in your mind that they're not the same thing.
Joe Carrigan: I agree 100% That is a very important distinction that we all need to be aware of. Like I said earlier, security is - I want to make sure who can access the device is an authorized user. I want to make sure that they can't do anything remotely to get access to it. These are the kind of things we think about as security. Privacy is - nobody knows my data but me.
Dave Bittner: Right. Right.
Joe Carrigan: And that is not what you're getting when you're getting an Android phone.
Dave Bittner: Yeah. Yeah, and it's possible to have your privacy compromised securely.
Joe Carrigan: Yes, absolutely.
Dave Bittner: Right. Right. Well, again, the article is "Security Isn't Privacy, and You Can Have One Without the Other." It's over on Android Central. Joe Carrigan, thanks for joining us.
Joe Carrigan: My pleasure, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.