The CyberWire Daily Podcast 6.8.21
Ep 1349 | 6.8.21

FBI claws back a lot of the ransom DarkSide collected. An international dragnet uses an encrypted chat app to pull in more than 800 suspects. Navistar discloses a cyber incident.


Dave Bittner: The FBI seized a large portion of the funds DarkSide obtained from its extortion of Colonial Pipeline. An international sweep stings more than 800 suspected criminals who were caught while using an encrypted chat app law enforcement was listening in on. CISA advises users to update their VMware instances. A new phishing campaign distributes Agent Tesla. Ben Yelin examines renewed controversy surrounding Clearview AI. Our guest is Aimee George Leary from Booz Allen on the challenging intersection of secure spaces and work from home. And a major truck maker discloses a cyber incident.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 8, 2021. 

Dave Bittner: The U.S. FBI yesterday seized 63.7 bitcoins currently valued at approximately $2.3 million. As the Justice Department primly puts it, the funds allegedly represent the proceeds of a May 8 ransom payment to the DarkSide gang in their course of their extortion of Colonial Pipeline. The recovered money amounts to a significant fraction of the 75 bitcoins, or $4.4 million, Colonial paid. The seizure warrant gives in a suitably redacted form the FBI's tracking of the wallets through which the funds passed. The money was seized when it reached a wallet for which the bureau held the key, which suggests that the feds were leaning forward in the foxhole on this one. The Justice Department explained, quote, "As alleged in the supporting affidavit by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address for which the FBI has the private key, or the rough equivalent of a password, needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes," end quote. 

Dave Bittner: There's also some credible speculation reported in Ars Technica that Colonial paid not to gain access to the flawed and essentially worthless decryptor the gang offered, but rather to aid the FBI in its work against DarkSide. Deputy Attorney General Lisa O. Monaco made a point of thanking Colonial Pipeline in her public statement about the case. Quote, "Following the money remains one of the most basic yet powerful tools we have. Ransom payments are the fuel that propels the digital extortion engine. And today's announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today's announcements also demonstrate the value of early notification to law enforcement. We thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide," end quote. 

Dave Bittner: There's been considerable discussion of cryptocurrency as a key enabler of the ransomware economy, and much of that has centered on the possibility of tighter regulation, perhaps quite restrictive, of alt-coin in general. The FBI's action against DarkSide suggests an alternative approach to taking away some of the online criminals' essential tools. 

Dave Bittner: Another law enforcement action, this one both international and collaborative, has resulted in the arrest of some 800 suspects and the seizure of drugs, cash, firearms and other goods. Europol says, quote, "The U.S. Federal Bureau of Investigation, the Dutch National Police and the Swedish Police Authority, in cooperation with the U.S. Drug Enforcement Administration and 16 other countries, have carried out, with the support of Europol, one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities," end quote. The operation, variously called Trojan Shield and Ironside, had its origins with the Australian Federal Police and the FBI. It used technical tools the AFP developed to run on top of the encrypted chat platform Anom, which the U.S. FBI began operating after it took down Phantom Secure in 2018. 

Dave Bittner: Commissioner Kershaw of the AFP called it a world-first operation to bring to justice the organized crime gangs harming our communities with drugs, guns and violence. The criminals, like everyone else transacting sensitive business, appreciate encryption. The AFP summarized the operation as follows. Quote, "For almost three years, the AFP and the FBI have monitored criminals' encrypted communications over a dedicated encrypted communications platform. The AFP built a capability that allowed law enforcement to access, decrypt and read communications on the platform. The AFP and FBI were able to capture all the data sent between devices using the platform," end quote. Authorities in the Netherlands, Sweden and New Zealand also commented on their roles in the sweep. 

Dave Bittner: The Central Unit of the Netherlands police says it contributed by developing high-quality technological tools and making them available to the other participating countries, thus enabling the analysis and interpretation of the millions of messages gathered. The head of intelligence for the Swedish police acknowledged the FBI's role. Quote, "Thanks to valuable intelligence that the FBI has shared with us, we have been able to arrest a significant number of leading actors within the violent crime and drug networks in Sweden," end quote. And the New Zealand police cited international cooperation as essential to stopping contemporary organized crime, so much of which is transnational. 

Dave Bittner: So how do you get hundreds of dangerous hoods, who presumably have at least a rudimentary level of net-savvy caution, to start yacking their business to one another over a chat app that includes the FBI and the AFP as quiet listeners? You do it through an influencer, of course, since this is, after all, the 21st century. 

Dave Bittner: The BBC says criminals were gulled into using the app by one Hakan Ayik, a fugitive and alleged drug kingpin who served as an unwitting Judas goat. They got him to use it, and the others followed suit because it seemed like a good idea at the time. Mr. Ayik, who the Australian papers call the Facebook gangster, lived large and wasn't shy about posting selfies of his shirtless, tattooed, scowling self, looking for all the world like a prison gang leader we've seen on those endless reruns of "Law & Order" we've been bingeing on during the pandemic. Police are suggesting, with a straight-faced schadenfreude worthy of Detective Briscoe, that it would be to Mr. Ayik's advantage if he were to turn himself in because the authorities will treat him better than the criminals he influenced. Europol says we should expect a lot more arrests in the near future. 

Dave Bittner: It's not, of course, all success today. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has warned that a VMware vulnerability is being actively exploited in the wild and that users should update their software immediately. 

Dave Bittner: Fortinet reports that it's found a new variant of Agent Tesla in circulation, being distributed by a phishing campaign that steals Bitcoin addresses and other personal information from infected devices. 

Dave Bittner: And for all of law enforcement's recent successes, ransomware and other attacks continue. U.S. truck-maker Navistar disclosed yesterday in a Form 8-K that it learned of a credible potential cybersecurity threat to its information technology system on May 20. On the 31 of that month, it received a claim that certain data had been extracted from the company's IT system. It's engaged in investigation and remediation and has notified law enforcement. Navistar says its operations have remained largely unaffected. 

Dave Bittner: In the shift to working from home that many of us experienced during the global pandemic, one group of workers faced with specific challenges are those working in secure environments - folks with security clearances who have to show up in person. As convenient as it might be, it's simply not practical to convert that spare bedroom or walk-in closet into a skiff. 

Dave Bittner: Aimee George Leary is an executive vice president at Booz Allen, and she joins us with insights on how she and her colleagues have faced these challenges head-on. 

Aimee George Leary: Security-cleared individuals, you know, are essential workers. And they come from many backgrounds - military backgrounds, which, you know, face even greater challenges than our remote colleagues and really shouldn't miss out on this sort of flexible work. But - and, you know, we've put some focus, for sure, on creating flexible security-cleared environments and flexible nonsecure - you know, for our non-secured employees as well and really focusing on, you know, job satisfaction and performance across the year. 

Aimee George Leary: At the start of the pandemic, you know, we put away - or re-prioritized, I should say - about a hundred million dollars towards employee support and resilience. And that took on everything from job support, you know, around testing protocols, telework equipment to dependent care support, and - you know, even, you know, for parents and children, helping others - wellness, work flexibility and just general support in general because, you know, we didn't know, you know, how long this was going to last, what the requirements or needs of our employee population was going to be. So we really, you know, had to scramble there at the beginning to say, you know, how could we take something, re-prioritize it and put in place things that would address the diverse needs of our diverse population? 

Dave Bittner: Have you seen any shifts in expectations from employees? You know, are they looking for different arrangements within offices, you know, more private spaces, not - you know, things like open bullpens? Are people requesting, you know, adjustments, having been through everything we've been through in the last year? 

Aimee George Leary: You know, I think so. You know, one of the first steps for really creating, you know, a flexible environment is making sure that we foster an environment where our employees feel empowered to communicate what they want and what they need professionally and personally. So we did a lot with our leaders, reaching out to all of our employees and, you know, making sure we understood what their circumstances were, what their challenges were and how we could help and that those - that our leaders stay connected - right? - through various ways, you know, whether it be just personal conversations, visits to the SCIF, for example. But, you know, again, if they feel comfortable communicating and working with their leaders, you know, we can all, you know, lean in and help, whether it be, again, like I said, a flex schedule or modified hours, some kind of hybrid schedule or whatever that looks like. 

Aimee George Leary: We're also, you know, working with our clients - right? - to come up with a different delivery model. You know, for example, you know, a team might have a designated on-site team, which are then supported by remote team members, right? So some of the work, for example, in this secure environment, you know, where you're working with classified information - take some of the work and do the nonclassified work or use notional data outside and then hand it off to the team working inside - right? - to then apply and integrate the solution into that environment, right? So we're doing some things like that, which we're having some success with as well. 

Dave Bittner: That's Aimee George Leary from Booz Allen. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more important than that, he's my co-host over on the "Caveat" podcast, which if you have not yet checked out, what are you waiting for? Hello, Ben. 

Ben Yelin: Hello, Dave. What an introduction. Thank you. 

Dave Bittner: (Laughter) Thank you. Well, you know, you've earned it. So my story I want to talk about this week comes from the BBC, and it's... 

Ben Yelin: The beebs (ph), as they call it. 

Dave Bittner: The beebs, as the kids are calling it today. And it's titled "Legality of Collecting Faces Online Challenged." Looks like some folks are targeting Clearview AI. What's going on here, Ben? 

Ben Yelin: So we've talked about Clearview AI on this podcast and on the "Caveat" podcast. It's used by a lot of law enforcement agencies in the United States. It's this robust facial recognition technology where Clearview scrapes images from social media sites, makes those available to law enforcement agencies. And they have contracts with law enforcement agencies all across the United States. They do not have contracts with any entities in the European Union, and that's what plays into this story. 

Ben Yelin: So five individuals across the European Union are challenging the methods of collecting photos and selling them to private firms and law enforcement under GDPR. Under GDPR, any European citizen can ask the company if their faces are in their database, and they can request that that biometric data no longer be included in any searches. So what Clearview AI has said in response to this challenge is that they not only don't have any contracts with EU law enforcement, but any time they have received one of these requests, they've complied with the terms of GDPR and removed these faces from the database. And they've also mentioned, I think not inaccurately, that not only the U.S. government, but other governments have found this sort of image scraping to be a very effective law enforcement tool. And so I think that was a large part of their response to this. 

Ben Yelin: They've not only faced challenges in the European Union, the U.K. and Australia. Data regulators in both of those countries have launched a probe into Clearview AI. The ACLU is pursuing a lawsuit against them in Illinois. The new California CCPA law means that users in that state can opt out of having their data sold. We're still in kind of the infancy of people getting outraged at Clearview AI. It was only a year ago that there was an expose in The New York Times on what exactly it was doing. 

Dave Bittner: Right. 

Ben Yelin: And I think we're going to see many more of these types of challenges going forward. 

Dave Bittner: Yeah. You know, what this reminds me of is - and I think one of the things that you don't often think about when it comes to facial recognition software in particular is how you can be tagged in the background of other people's photos. 

Ben Yelin: Right. 

Dave Bittner: So, you know, I - my family goes to Disney World, right? And we're minding our own business, having fun, riding Space Mountain. And some other family is taking a picture of their family. We happen to be walking by in the background. Well, technologies like Clearview can recognize us, tag us in a photo that we did not take. We did not know we... 

Ben Yelin: Right, you didn't consent to being a party in that photo at all. Yeah. 

Dave Bittner: Right. Right. It's just an accidental, you know, sort of drive-by photo that we got - that we were in. And yet, by using someone else's photo, you can precisely tag where we were, when we were 'cause - you know, take the metadata from the photo, GPS, all that sort of stuff and accidentally get dragged into this web of information gathering. 

Ben Yelin: Yeah. I mean, I think what's fundamentally at issue here is who owns all of the images of us that happen to be put online, especially through methods where, you know, we did not consent to them being put online. When you post a photo to Facebook, you know, you've read the EULA. You're complying with all of the mumbo jumbo in that, you know, hundred-page document that you've certainly looked over. 

Dave Bittner: Right. 

Ben Yelin: And I'm sure there's something in there about what you can do with - what, you know, Facebook and law enforcement can do with the data that you've uploaded. But if you are just in the background of a picture, you certainly didn't consent to that. And it's still being used as part of this database and being sold to law enforcement across the country without really any sort of robust government oversight. And even though that's, you know, mostly a United States phenomenon at this point, I think it's become an international question, particularly when we talk about EU citizens who've had their photos taken and sent to law enforcement agencies in the United States. So you have some of those cross-jurisdictional issues. 

Ben Yelin: And I think it's important that regulators in all countries - in the EU, in the United States - sort of clarify once and for all this basic question of, can you - without any authorization, can Clearview AI capture these photos of unsuspecting citizens? And, you know, just because this image is online, does it mean it can be appropriated by Clearview and sold to your garden-variety law enforcement agency? So I think those are very important questions that have to be answered. And, you know, I think we're going to start to see a developing body of law on this, as there are more and more of these challenges across different countries. 

Dave Bittner: Let me ask you sort of a nitpicky privacy question here. I mean, so you and I often talk about the expectation of privacy in a... 

Ben Yelin: Yes. 

Dave Bittner: ...Public place - right? - and that there is no expectation of privacy in a public place. We can take a picture, and that's what that is. And so back to my example of, say, Disney World or let's even say a national park, you know, something that's not private land. That's one thing. What if I'm at a party? What if we're at a friend's house, private property, someone's home, not out in public, and someone else takes a picture, and I'm in the background of that picture? They upload that picture. I don't know I was in the background of that picture. Now I get scraped and tagged. Any difference here? 

Ben Yelin: There are a couple of perspectives you have to think about here. There's the policy and ethical perspective, which is we don't - you know, I think most people would not want, as a policy, pictures where somebody is in the background to be available online and sold to law enforcement agencies. From a Fourth Amendment perspective, you know, think about the two-part test here. Are you exhibiting a subjective expectation of privacy? Not really, if you're at a party in somebody else's house. And is that privacy something society is prepared to recognize as reasonable? Again, you know, you are willingly out at somebody else's house. It's not your own house. 

Dave Bittner: Right. 

Ben Yelin: You're at a party with a large gathering of people. That does diminish your expectation of privacy from a Fourth Amendment perspective. 

Dave Bittner: Not unreasonable to think folks would be taking photos at a party. 

Ben Yelin: Exactly. Exactly. Now, if they're peering into your home and taking photos, that's a separate issue... 

Dave Bittner: (Laughter). 

Ben Yelin: ...When you're trying to conceal yourself and maintain your privacy. But again, you know, I don't think the Fourth Amendment should be the be-all and end-all for the policy questions here, which is, should we allow Clearview AI to collect all of this data and sell it to law enforcement? That's kind of separate from the issue of whether it passes constitutional muster. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.