The CyberWire Daily Podcast 10.6.20
Ep 1188 | 10.6.20

New, Mirai-based threat in the wild. PLA told to steer clear of US election stories. Big data in small spreadsheets. John McAfee arrested. A hackable marital (or something) aid.

Transcript

Dave Bittner: A spyware version of Mirai has been detected in the wild. The People's Liberation Army is told by its government to lighten up on U.S. election stories. Centripetal wins a major patent lawsuit. Excel is not a big data tool. John McAfee is arrested on U.S. tax charges. Our guest is Roger Barranco from Akamai on tracking increased DDoS attacks. Ben Yelin on a case involving warrants for Wi-Fi location data. And an aid to chastity is found to be hackable.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 6, 2020. 

Dave Bittner: Threatpost reports that 360 Netlab researchers have found a version of Mirai botnet malware, Ttint, in the wild operating against Tenda routers. Ttint has both remote access Trojan and spyware functionality.

Dave Bittner: Information operators in China's People's Liberation Army have been told to go easy on stories about the U.S. election, the South China Morning Post reports. This seems less an irenic gesture than it does a ratcheting up of central control over a campaign that could run in directions not necessarily to the Chinese Communist Party's advantage. 

Dave Bittner: Centripetal Networks has won a large judgment in its patent infringement case against Cisco. The United States District Court for the Eastern District of Virginia found in favor of Centripetal and ordered the defendant to pay, according to Bloomberg, $1.9 billion to the security firm. A press release from Herndon, Va.-based Centripetal calls the award the largest of its kind issued by a U.S. court. 

Dave Bittner: Have you noticed a big surge in the number of COVID-19 cases reported over across the pond in the mother country? So have a lot of people in England. But that's actually an IT issue as opposed to a clinical one. 

Dave Bittner: A spike in English COVID-19 cases may be due not to infection, but to bureaucratic misunderstanding of Office 365. Public Health England said it had corrected a technical issue in the data load process by which officials shared positive test results. 

Dave Bittner: Public Health England isn't saying much more, but according to the Independent, Prime Minister Johnson has been forthcoming in ascribing the glitch to a failure to appreciate that Microsoft Excel spreadsheets have limits in the number of rows and columns they can handle, so the data was truncated. Excel is a useful product, but it's not intended to be a big data tool. 

Dave Bittner: The U.S. Justice Department has indicted security pioneer and inveterate bad boy John McAfee on ten counts related to income tax evasion. CoinDesk reports that Spanish police have arrested him pursuant to a U.S. request and that he presumably faces extradition proceedings. Unpleasant as this all is, it's not the end of his legal problems, unfortunately. 

Dave Bittner: The U.S. Securities and Exchange Commission has also filed a civil complaint against Mr. McAfee in connection with his involvement in pumping alt-coin offerings. The commission alleges that he, as the SEC puts it, leveraged his fame to make more than $23.1 million in undisclosed compensation by recommending at least seven initial coin offerings, or ICOs, to his Twitter followers. The ICOs at issue involved the offer and sale of digital asset securities, and McAfee's recommendations were materially false and misleading for several reasons. 

Dave Bittner: The specific improprieties the SEC alleges are interesting. First, he didn't disclose that his promotion of the ICOs was compensated by the companies issuing the securities. The SEC calls this unlawful touting, for which he made around $23.2 million, which he is said to have kept quiet about not only to prospective investors, but to the Internal Revenue Service as well. The SEC also says he lied to investors when they directly asked him if he were being compensated for his endorsement. 

Dave Bittner: Second, Mr. McAfee is said to have falsely claimed to be either an investor or a technical adviser to the issuers, which suggested to prospective investors that he'd checked the issuing companies out and that his recommendation was well-informed impartial investment advice. 

Dave Bittner: Third, after a blogger exposed what was going on, Mr. McAfee sought to cash out a large number of virtually worthless securities from the ICOs he had previously touted. He allegedly did so by encouraging investors to buy while he himself was trying to dump his holdings. 

Dave Bittner: Finally, he's said to have engaged in what the SEC calls scalping, which involves accumulating large amounts of the digital asset security and touting it on Twitter without disclosing his intent to sell it. 

Dave Bittner: The SEC wants to disgorge, as they put it, the millions he made and to enjoin Mr. McAfee from doing the same in the future. 

Dave Bittner: So don't do likewise. 

Dave Bittner: We should also note that while Mr. McAfee founded the company that still bears his name, he's had no connection with it for a couple of decades. 

Dave Bittner: Finally, have you considered a network-connected marital aid? Of course not. Neither have we. But someone apparently has. 

Dave Bittner: TechCrunch reports that a digital smart male chastity appliance - and we hesitate here because it's not entirely clear whether this would be a chastity enforcer or a device that promises some form of gratification, and we confess we're generally unfamiliar with the sector as a whole - a smart male chastity appliance is apparently hackable. Pen Test Partners said the device in question, the Qiui Cellmate internet-connected chastity lock, which the manufacturer says is the world's first app-controlled chastity device, could have allowed anyone to remotely and permanently lock in the user's membrum virile. 

Dave Bittner: The ominously named Cellmate is lockable and unlockable via an app, because of course it is. And, unfortunately, said app was at one point unprotected by a password, so any interested party wouldn't need so much as an open sesame to take charge. 

Dave Bittner: Anyhoo, Pen Test Partners contacted the manufacturer, who said they'd installed some password functionality, but alas, they also left the original unprotected access open. We'll spare you the jolly back-and-forth that has surrounded the discovery of this particular vulnerability, but suffice it to say that not only is the app in question easily accessed, but there's no override either. 

Dave Bittner: The manufacturer told TechCrunch they were working on a fix, but four deadlines have come and gone, and no fix is in. They're a small shop, the manufacturer pleaded in its defense, saying that every time they fixed something, they broke something else. 

Dave Bittner: People familiar with the technology - and again, we're not - say that absent an override, it appears that only the careful - and we stress careful - use of bolt cutters or a lateral grinder will free a trapped user. 

Dave Bittner: It seems to us that all the reporting has buried the lede. The Cellmate has actual users? Yikes. Who knew? But there you go. In case you're asking for a friend, bring your bolt cutters. A wire-cutting plier won't cut it - or so we've been told. 

Dave Bittner: Researchers at Akamai have been tracking how DDoS attacks continue to get bigger and, in some cases, more sophisticated, showing that they are still a weapon of choice for threat actors. Roger Barranco is vice president of global security operations at Akamai. 

Roger Barranco: If it was maybe this time last year, I would've reported that things are, you know, always increasing, but nothing really exciting going on. And then towards the beginning of this year, I expected to see a big spike because of all the COVID-related items, and we really didn't see anything directly tied to COVID. But, oh, my goodness, the last, I'd say, four months, the activity has been huge. 

Roger Barranco: So two attacks were certainly in the record-breaking range, one being 1.44 terabits in size. The other, which is truly a record that I'm aware of, was 809 million packets per second. 

Roger Barranco: From that day, there's been quite a bit of activity. We've seen a big spike in attacks over 100 gig in size. And the number of attacks is really spiking up, also. And there seems to be a newfound interest with DDoS because quite a bit of extortion-related activity going on, also. 

Dave Bittner: Can you dig into that a little bit? I mean, what sort of things are you tracking in terms of what's behind these attacks? 

Roger Barranco: Yeah. So, you know, typically, we haven't been able to tie it back to a specific threat actor. It seems like a lot of different actors out there. And what's happening is these extortion-type letters are going out to different verticals, and they're asking - no surprise - for Bitcoin to be paid out. 

Roger Barranco: I think the thing that is interesting is that they seem to be going vertical by vertical. So they would go first to - no surprise - banking. After that, the, you know, airlines and hoteling industries. And they're just going vertical by vertical, rolling these threats out, which does indicate, you know, a fair amount of coordination. 

Dave Bittner: And where do we stand in terms of the botnets themselves? I mean, do they just continue to grow in size and capability? 

Roger Barranco: So that's a really good question. So we haven't seen anything radically new from a vector perspective. So we've seen some newer vectors, but nothing radically new. So the world's largest DDoS that I'm aware of was actually a reflection - CLDAP reflection attack handled by AWS. That was 2.3 terabits in size and from a bit per second. The 1.44 terabit attack that was handled by Akamai had nine different vectors in there. So they're mixing it up where the Akamai one with nine vectors, the AWS one - huge with one vector - right? - one massive punch with that. 

Roger Barranco: Now, interestingly enough, the Akamai one actually had a higher packet rate than the AWS one. So they're nuanced. And then clearly, the largest from a packet per second, that was definitely, like you said before, bot-related and the 809 million-packet-per-second one. And that clearly shows that because there's so much IoT out there available, that these tools have greater access to more devices to launch attacks than they've ever had in the past. And it's easier to launch a very large attack. 

Dave Bittner: That's Roger Barranco from Akamai. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast, which if you have not yet checked out, what are you waiting for? 

Ben Yelin: Seriously, people. 

Dave Bittner: Check it out. Right, Ben? (Laughter) It's a good show. 

Ben Yelin: Subscribe to this awesome podcast. 

Dave Bittner: There you go. There you go. 

Dave Bittner: So, Ben, we've got an interesting story this week. This is from NBC News. It's from Jon Schuppe and Cyrus Farivar, who I've spoken to on the CyberWire before. It's titled "Police Need Warrant to Obtain Wi-Fi Location Data, Privacy Activists Argue." Give us the background here. What's going on?

Ben Yelin: So it's a fascinating case. It emanates from an incident that took place in 2017 where a member of this college's football team - and it's Moravian College in Pennsylvania - held up somebody in a dorm room at gunpoint to extract money and a jar of marijuana. And part of the evidence used to obtain a conviction of this individual was that he was logged on to the campus Wi-Fi system. 

Ben Yelin: Now, there was no authorization for law enforcement from a judge. There was no warrant issued here to obtain that identifying information to confirm that he was part of - that he was logged on to campus Wi-Fi. That was all obtained using an administrative subpoena. 

Ben Yelin: So this defendant, a guy by the name of Dunkins, is appealing his conviction that this is a violation of his Fourth Amendment rights. And he's being joined by some of the major groups out there who advocate for digital privacy, including the Electronic Frontier Foundation and the American Civil Liberties Union. 

Ben Yelin: What he is saying is that - what this defendant is saying is that this search violates his right to privacy. It is a violation of the Fourth Amendment. His attorneys and some of these outside groups are analogizing this case to Carpenter v. United States, which I know we've talked about on this podcast and on our own podcast, where the Supreme Court held that a warrant is required for cell site location information that tracks a person's movement over time. 

Ben Yelin: What the prosecutors are saying is that this is not analogous to Carpenter. This is not a case where they're tracking one individual's movements in multiple locations through an extended time period, but rather they were seeing which individuals were at a given location at a particular time. 

Ben Yelin: And they're also claiming that Mr. Dunkins did not have a reasonable expectation of privacy when he connected to that Wi-Fi network. And one of the reasons they say that is in order to get campus Wi-Fi, you have to sign those terms of service, which says that you don't have... 

Dave Bittner: Busted by a EULA (laughter). 

Ben Yelin: You're always going to get busted by those EULAs. 

Ben Yelin: And that explicitly says, you know, in so many words, be cautious, my friend. By logging on to this Wi-Fi, nothing you do here is private. We can see exactly what you're doing. You've relinquished your expectation of privacy. And if we happen to turn that over to the police, that's your problem. 

Ben Yelin: I happen to think in this case that the prosecutors have a stronger argument in terms of where case law has been on the Fourth Amendment. The reason I think that this is different from Carpenter is, you know, as the prosecutors are saying here, we're not talking about the type of pervasive, ongoing, involuntary surveillance that we saw when we're talking about cell site location information. 

Ben Yelin: You know, a person really doesn't have a choice as to whether to use a cellphone. And because cellphones are constantly pinging towers to make sure that they're getting service, this process sort of happens involuntarily. You know, nobody presses a button where they say, I agree to share my location at every, you know, every single second that they're carrying around their cellphone. 

Dave Bittner: Right. 

Ben Yelin: Here, this individual pretty clearly, in my view, relinquished their reasonable expectation of privacy when they signed that EULA, despite... 

Dave Bittner: That he most assuredly did not read. 

Ben Yelin: Oh, of course he didn't read it, but it's largely still enforceable. 

Dave Bittner: Right. 

Ben Yelin: And so I don't think that that is the same type of broad, deep and pervasive surveillance that the court feared in coming up with the Carpenter decision. 

Ben Yelin: So that's my perspective. It's a fascinating case. And I suspect, you know, this is the type of case that potentially could inch its way up our court system and perhaps merits Supreme Court consideration, you know, if it's something where we see a split among judicial circuits. 

Dave Bittner: All right. Well, it's an interesting one for sure. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The CyberWire - it's what's for dinner. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.