Internet blackout in Belarus. Papua New Guinea’s insecure National Data Centre. Chrome and CSP rule bypass. Zoom gets sued in DC. Patch Tuesday. Go Spartans.
Dave Bittner: Belarus shuts down its internet after its incumbent president's surprising, perhaps implausible - no, really implausible - landslide reelection. Papua New Guinea undergoes buyer's remorse over that Huawei-built National Data Centre it sprung for a couple years ago. Versions of Chrome are found susceptible to CSP rule bypass. Zoom is taken to court over encryption. We got some Patch Tuesday notes. Ben Yelin looks at mobile surveillance in a Baltimore criminal case. Our guest is Alex Guirakhoo from Digital Shadows with a look at dark web travel agencies. And card-skimmers hit a university's online store.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 11, 2020.
Dave Bittner: In the aftermath of a contested election that saw longtime incumbent president Alexander Lukashenko return to office with a nominal 80% of the vote, Belarus has apparently shut down most internet access in the country, Vice reports. Twitter said yesterday that its service had been blocked in the country, and others reported that many other services had also been disrupted, including a number of virtual private networks that, left undisturbed, could have enabled users to bypass service interdictions.
Dave Bittner: The New York Times said yesterday that the U.S. had condemned the elections as fraudulent, neither free nor fair and deplored the internet shutdowns. President Lukashenko's principal opponent Svetlana Tikhanovskaya has rejected the election and urged resistance to President Lukashenko. U.S. Secretary of State Pompeo said in a statement, quote, "we strongly condemn ongoing violence against protesters and the detention of opposing supporters, as well as the use of internet shutdowns to hinder the ability of the Belarusian people to share information about the election and the demonstrations," end quote.
Dave Bittner: A report prepared at the request of Papua New Guinea's National Cyber Security Centre by an investigator contracted by Australia's Department of Foreign Affairs and Trade concluded that Papua's National Data Centre is insecure, Computing reports. Huawei built and staffed the National Data Centre in 2018. Computing's account suggests careless implementation.
Dave Bittner: The report read, in part, core switches are not behind firewalls. This means remote access would not be detected by security settings within the appliances. The firewalls themselves were also a problem. They were beyond their 2016 end of life by the time the center came online. The Australian Financial Review is harshly direct in its assessment. The center was built to spy, the paper says, with the weaknesses constituting, from the contractor's point of view, anyway, features and not bugs.
Dave Bittner: Other countries, especially Australia, which shares some long-haul telecommunications infrastructure with Papua, had at the time warned against bringing in Huawei to build the National Data Centre, but such concerns were dismissed. Papua New Guinea's Minister of State Investment William Duma said that since his country didn't have enemies, the government wasn't worried about security concerns that surround the use of Huawei equipment in telecommunications infrastructure. The view that Papua has no enemies may not be perfectly true, but it's about as true as such a claim can be in this vale of tears. But it seems that sentiment may have shifted in Port Moresby, as the Papuan government has asked for Australian assistance in bucking up the country's security. Australia is thinking about it.
Dave Bittner: Security firm PerimeterX says it's found a zero-day that affected Chromium-based browsers and permitted attacks to bypass browser enforcement of CSP rules. The vulnerability existed in Chrome versions 73 through 83. It's reckoned a medium-severity vulnerability. But it was so widespread, affecting Mac, Windows and Android systems, that it presented a considerable risk to user data.
Dave Bittner: According to The Washington Post, Zoom is being sued by the group Consumer Watchdog, which alleges that the company misled consumers about the quality of encryption the service provided. The company had, the suit alleges, misleadingly claimed to offer end-to-end encryption, when, in fact, it provided only the less rigorous Transport Layer Security.
Dave Bittner: The lawsuit was filed late yesterday in Washington, D.C., Superior Court, thereby taking advantage of a local statute that permits not-for-profit organizations to bring suits on behalf of consumers. In most states, such lawsuits would have to either be class-action suits or suits brought by the state's attorney general. It covers people who used Zoom for personal, social online connection as opposed to business purposes. It might include distance learning users, but that's not immediately clear. The plaintiffs seek up to $1,500 for every instance in which a D.C. resident used Zoom for nonbusiness purposes. The plaintiffs also want an explanation of Zoom's suspected closeness to Chinese law, since so many of its operations were conducted in places where Beijing's writ ran.
Dave Bittner: The notion of using a travel agent may seem a bit old-fashioned in this world of online booking, not to mention that at the moment, thanks to the pandemic, nobody's really going anywhere. But there is no doubt that for a lot of people, travel agents provide real value. But were you aware that there are travel agents on the dark web? Our U.K. correspondent Carole Theriault has the story.
Carole Theriault: So today, we're going to take the pulse of the travel industry. Let's see if we can figure out how cybercriminals have been impacting that area, both before the pandemic and now. We are checking in with Alex Guirakhoo. He is a threat research team lead at Digital Shadows. Now, way back in February, Digital Shadows put out research about how cybercriminals had been disrupting the travel industry.
Carole Theriault: Alex, can you give us a few highlights on that research?
Alex Guirakhoo: Yeah, Carole. Thanks for having me on. So back in February, we conducted some research into the ways in which cybercriminals were targeting the travel and tourism sector on various cybercriminal platforms. And we found that on some cybercriminal forums - both English and Russian language - there were these, what we like to call dark web travel agents that were advertising these services to get people really, really discounted luxury travel.
Carole Theriault: So, like, something that would cost me, like, a few thousand was suddenly available for a few hundred, that sort of savings?
Alex Guirakhoo: Exactly. So just like you would go talk to a regular travel agent, they would say that they could get you these big discounts, typically between 30% to 50% off retail value.
Carole Theriault: Are they trying to entice customers to purchase from them, and the way they're doing that is offering cut-price deals? And they're able to fund these deals because they're using stolen flyer points that they're turning into some kind of cash in order to fund that.
Alex Guirakhoo: Yeah. Or they're using the stolen credit cards themselves. So from the buyer perspective, you don't have to go to a cybercriminal marketplace and purchase a stolen credit card and run that risk yourself. Instead, you can go via these travel agents, and then they'll hold that risk for you. And all you have to do is tell them, hey, I want a trip here. This is when I want the trip. Can you get me a deal on this? And they'll do all that in the background, and then there you go. You have a extremely cheap trip.
Carole Theriault: Wow, OK. As a customer of these guys, do I know that I'm doing something a little bit dodgy, or does it all look bona fide to me?
Alex Guirakhoo: So the way that they advertise this, they use a lot of flashy banners. They advertise a lot on different cybercriminal forums. They also have dedicated channels on various messaging services. So even if you don't have access to a cybercriminal forum, say if you knew this person through a friend who had done something similar, they'd just give you the phone number and you'd message them yourself. And so that means you don't actually have to go to the cybercriminal forums, which definitely opens it up to a lot more people than it would otherwise.
Carole Theriault: Whoa, OK. So you discovered all this back in February. There's tons more stuff that you guys found out - leave that to listeners to go and read on your website. But, of course, then corona happened - right? - which meant...
Alex Guirakhoo: Right.
Carole Theriault: ...Loads and loads of flights were grounded. How did that impact their business model?
Alex Guirakhoo: So for a lot of the major travel agents that we saw on these cybercriminal forums, a lot of times, they would get their customers to take pictures of themselves, you know, in the background of a luxurious hotel or on a flight to show that their services had actually worked. And so we noticed that following various lockdowns because of the pandemic, these posts had stopped or they strongly decreased. So it's definitely had an impact on these people that target the travel industry.
Carole Theriault: OK.
Alex Guirakhoo: And - yeah. And in general, we've seen various approaches being taken by these vendors. So some have decided to stay silent and not bother to post new advertisements at all. So ones that were previously prolific, they've fallen quiet during this period, whereas some others have looked to alternative ways to target the travel industry...
Carole Theriault: OK.
Alex Guirakhoo: ...Reminding people that, you know, even though you can't travel internationally, you may still be able to travel within your own country and kind of adapting to the way the pandemic has affected it in that way.
Carole Theriault: Haven't you always wanted to stay at the Hilton in your very own state?
Alex Guirakhoo: That's exactly it.
Carole Theriault: Do you have advice for people like me? Is this something that I would have to go look for? Or could I happen to get phished into one of these and be suckered in because the deal was so good?
Alex Guirakhoo: So I think a lot of it comes down to trusting your gut instinct. If you see a deal that's advertised that is, you know, crazy - 50% to 60% off - if something seems off, then it's very likely that it is. And that goes back to, you know, making sure that you only do your purchases on legitimate, trusted websites.
Carole Theriault: I mean, that's really - that's a hard piece of advice to take, though, as well because you think of all these, you know, dedicated, hardworking startups that are trying to do really good things out there. And it's - the reputation angle is very difficult for them, right? That's a big ceiling to go through from becoming a startup to a trusted company.
Alex Guirakhoo: Exactly.
Carole Theriault: Well, thank you very, very much. Listeners, if you want to hear more about this, there's tons of information, as I said earlier, on the Digital Shadows website. So just go to their blog. And, Alex, thank you so much for speaking with us today.
Alex Guirakhoo: Thank you so much, Carole. Thanks for having me on.
Carole Theriault: This is Carole Theriault for the CyberWire Daily.
Dave Bittner: Our thanks to Carole Theriault for bringing us that story.
Dave Bittner: Today, of course, is Patch Tuesday. Adobe's fixes are already out, and they address 26 vulnerabilities, 11 of them rated critical in Adobe Acrobat, Reader and Lightroom.
Dave Bittner: Citrix fixed five vulnerabilities that affect versions of Citrix Endpoint Management on-premise instances. This product is also known as XenMobile Server. Citrix advises users to apply the patches as soon as possible. Although the company says it's seen no evidence of exploitation in the wild, attacks taking advantage of unpatched systems are probably only a matter of time.
Dave Bittner: And Microsoft's updates for August are also out. As expected, they prominently address vulnerabilities in Windows 10. If you're still using Windows 7, which you really should think about not doing, you're out of luck. That version is now beyond the reach of support, unless, of course, you've paid for the extended security updates that will keep Windows 7 bucketing along for a couple more years.
Dave Bittner: And, finally, attention, all you Spartans - Michigan State version. Your university yesterday disclosed that it had sustained a data breach. In this case, it was an online card-skimmer that hit the university store. Michigan State said in a statement that about 2,600 shoppers who bought at that store between October 19 of last year and this past June 26 had their credit cards exposed.
Dave Bittner: The university said yesterday, quote, "the university began notifying all potentially affected individuals of the breach today. It is offering them free credit monitoring and identity protection and making recommendations to further protect their information from exposure," end quote.
Dave Bittner: The university's security team has remediated the problem, and presumably it's now safe to shop again. And we noted when we checked out the site that the summer sale is still in progress, so you got that going for you, alumni.
Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, good to have you back.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: Interesting story we're going to cover today. This is from the Baltimore Sun, written by Jessica Anderson. It's titled "Baltimore City, County Police Make Arrest in Rape Cases, Search for Additional Victims." Now, obviously, the subject matter here is terrible. What caught my eye about this and the reason I think it merits our discussion here is that the process that the police and law enforcement went through to capture this alleged rapist is really a grab bag of various types of surveillance technologies. Take us through what's going on here, Ben.
Ben Yelin: Sure. So this is somebody who is an alleged serial rapist. The first victim was identified in an area in Baltimore County, near the Cromwell Valley area at a high school parking lot. She had just been through a traumatic experience, flagged down a passerby in a car and got into that car and called the police to report this rape and where it had taken place.
Ben Yelin: A second rape with an additional victim was alleged to have occurred in a completely different area of Baltimore County in the Dundalk area. And basically, the same thing happened. This person flagged down a passerby, called the police to report the rape. And because the modus operandi was relatively similar between the two cases, law enforcement started to try to put the pieces together and realized that they had a serial rapist that they were trying to apprehend.
Ben Yelin: So the way they were able to obtain data is they found evidence from a speed camera that this suspect's vehicle - their silver Oldsmobile had entered the parking lot of Loch Raven High School, which is the high school where the first event was alleged to have occurred. They obtained evidence from a camera at a city gas station where the first victim was picked up. And, you know, they got some other forensic evidence from the school parking lot.
Ben Yelin: The other very interesting surveillance technique they used is geofencing. So the detectives obtained a search warrant signed by a judge to compel Google to give them information on all of the account users in the area of the high school parking lot during the time of this alleged crime. And that search - and Google complied with a subpoena. And that search identified only one user, and that user was the suspect in this case. It was later traced to Mr. Saunders, the man who has now been apprehended.
Dave Bittner: Yeah, and it was an additional subpoena that they said then went to T-Mobile, the mobile provider, to get the records associated with that number that Google had tracked.
Ben Yelin: Yes, and they were able to identify that it was the suspect who owned that mobile device.
Ben Yelin: So, you know, this is very strong detective work here. And, obviously, these are heinous alleged crimes, and a lot of really groundbreaking and well-executed police work was done here to apprehend the suspect, making use of the digital tools at our disposal - geofencing being able to trace somebody's cellphone and the use of public surveillance, things like the camera in the school parking lot and a separate camera at a city gas station. And when you piece that video footage together with geofencing, you know, it is - it becomes a very effective way to solve a case like this.
Dave Bittner: One of the reasons I wanted to highlight this on our show is that when you and I talk about these sorts of things, the capabilities of these kinds of surveillance, I think it's very easy for us to kind of sniff at them and say, you know, it's too much. It's - we have, you know, all of the, I think, the appropriate civil liberties concerns. In this case, you've got a combination of all these surveillance things and could be used to solve some terrible crimes.
Ben Yelin: Yeah. I mean, I think that's important for us always to remember, is, you know, you never want to have a system of surveillance where you inadvertently collect information from innocent people. You know, and I think that's a theme of what we've talked about on this podcast and on the "Caveat" podcast, is when the tools become too intrusive and broad and encompass unnecessary amounts of collection and information, then it really can violate people's civil liberties.
Ben Yelin: But the other side of that equation is we have somebody here who's a serial rapist, who potentially would threaten other victims, and law enforcement was able to apprehend this individual because of these technological tools. So the tools really can be used for both good and evil. And I think that's appropriate for us to recognize the circumstances when they are used for something that's good, for something that's valuable.
Dave Bittner: Yeah. All right, well, again, it's from the Baltimore Sun, written by Jessica Anderson. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.