The CyberWire Daily Podcast 10.4.21
Ep 1431 | 10.4.21

Privacy and the Pandora Papers. Flubot’s scare tactics. Exploiting an account recovery system. Conti warns victims not to talk to the press. An international meeting on cybercrime? A ransomware bust.


Dave Bittner: The Pandora Papers leak erstwhile private financial transactions by the rich and well-connected. Flubot is using itself to scare victims into installing Flubot. Coinbase thieves exploited account recovery systems to obtain 2FA credentials. The U.S. plans to convene an international conference on fighting cybercrime. Conti warns its victims not to talk to reporters. Andrea Little Limbago from Interos on modeling cyber risk. Carole Theriault has thoughts on facial recognition software. And a ransomware bust in Ukraine leads us to ask, why Capri Sun?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 4, 2021. 

Dave Bittner: First, a quick note on a developing story. Facebook, Instagram and WhatsApp are all experiencing outages. The Associated Press is calling the situation a worldwide outage. The appearance is that Facebook withdrew DNS routes, but the cause of the outage is unclear. Much initial speculation suggests that it's an accident, not an attack. 

Dave Bittner: Facebook tweeted, quote, "we're aware that some people are having trouble accessing our apps and products. We're working to get things back to normal as quickly as possible, and we apologize for any inconvenience," end quote. 

Dave Bittner: As we say, the story is still developing, and we'll be following it as it continues to unfold. 

Dave Bittner: The Pandora Papers, a 2.94 terabyte leak of financial data about rulers, oligarchs, billionaires and other prominent people, has been obtained and published by the International Consortium of Investigative Journalists - the ICIJ for short. 

Dave Bittner: Quote, "millions of leaked documents and the biggest journalism partnership in history have uncovered financial secrets of 35 current and former world leaders, more than 330 politicians and public officials in 91 countries and territories and a global lineup of fugitives, con artists and murderers," end quote. 

Dave Bittner: The partners in the investigation included 150 news outlets. A small selection of that list of partners includes The Washington Post, the BBC, The Guardian, Radio France, the Indian Express, Zimbabwe's The Standard, Morocco's Le Desk and Ecuador's diario El Universo. 

Dave Bittner: The take, which itself derives from multiple sources, noses out the single-source Panama Papers, which had previously stood atop the leaderboard of leaks involving the lifestyles of the rich and famous. The papers were obtained from 14 distinct financial services and law firms. 

Dave Bittner: The ICIJ characterized the leak as providing, quote, "a sweeping look at an industry that helps the world's ultra-wealthy, powerful government officials and other elites conceal trillions of dollars from tax authorities, prosecutors and others," end quote. 

Dave Bittner: There's nothing necessarily illegal about the shifting of funds. As the ICIJ itself points out, such transactions are not against the law in many - perhaps most - jurisdictions. The problem the ICIJ sees is that an elaborate system has grown up to shield the well-connected from burdens others bear and to do so without much, if any, public scrutiny. Some U.S. states have enacted financial privacy laws that make them attractive locations for the kind of activity the report details, most prominently, the ICIJ quotes sources telling it, South Dakota, Delaware, Nevada and Alaska. 

Dave Bittner: Three hundred thirty-six politicians are mentioned in dispatches. Ukraine leads with 38. Russia places second with 19. The Guardian says that a spokesman for Russian President Putin has dismissed the material in the Pandora Papers as unsubstantiated. 

Dave Bittner: Flubot's operators are running a scareware campaign designed to get victims to install the malware. The come-on, CERT NZ warns, is itself a warning against Flubot. Quote, "the installation page for Flubot has changed to look like a warning page. If you see this page, close the page immediately, and do not click install security update," end quote. 

Dave Bittner: Flubot, BleepingComputer explains, depends heavily on social engineering to gain access to and eventually what amounts to complete control over an Android device and its user's data. 

Dave Bittner: Coinbase accounts use two-factor authentication, but attackers were able to access and steal from some 6,000 users, Infosecurity Magazine reports. The thieves obtained email addresses, passwords and phone numbers from some other sources, and then, Coinbase's disclosure explains, were able to exploit a weakness in Coinbase's account recovery system to get a second-factor authentication code via SMS. 

Dave Bittner: Late Friday, prompted by a nasty wave of recent ransomware privateering and the arrival of Cybersecurity Awareness Month, U.S. President Biden announced plans to convene a discussion among some 30 countries where they might arrive at a joint, coordinated response to cybercrime. Which nations in particular the U.S. intends to invite to the table hasn't yet been announced. 

Dave Bittner: The relevant section of the statement says, quote, "we are also partnering closely with nations around the world on these shared threats, including our NATO allies and G-7 partners. This month, the United States will bring together 30 countries to accelerate our cooperation in combatting cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency and engaging on these issues diplomatically. We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains. And we are bringing the full strength of our capabilities to disrupt malicious cyberactivity, including managing both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence," end quote. 

Dave Bittner: The president concludes his whole-of-nation appeal by commending digital hygiene to the citizens, urging all Americans to lock our digital doors and urging tech companies to build technologies securely by design. 

Dave Bittner: The Conti ransomware gang really doesn't want its victims engaging the media. The gang has threatened to dump the data they've stolen should they get wind of a target's talking to reporters, The Record says. It's not a surprising move. Given the cynical positioning ransomware gangs have engaged in to depict themselves as something akin to a recovery service or a pen testing operation, it seems natural that they should attempt to enforce a gangland version of a nondisclosure agreement. 

Dave Bittner: The gang's statement on their policy is worth quoting in its entirety. From The Record, first, "if we see a clear indication of our negotiations being sent to the media, we will terminate the negotiations and dump all the files on our blog. We are the best team, and you can Google what estimated revenue we have. This became possible only due to our outstanding reputation. Thus, if we need to sacrifice another 10 million to cut the negotiations but protect our name, don't doubt. We will do so," end quote. 

Dave Bittner: Note the advertorial best team and Google it if you don't believe them and outstanding reputation. 

Dave Bittner: Second, here's what happens if you do talk to someone - quote, "if we see our chats in public, we will also dump your files. If this happens after the ransom is already paid by the target who shared our chats, we will dump somebody else's files as retaliation. We will not care if you directly shared our chats with the media, researchers or if they extracted it from VirusTotal after you uploaded our samples there. Since the security firms who share chats via their pocket journalists have no concept responsibility, therefore, we will assign responsibility to the target who is in the chat. We are not advocating collective responsibility via collective punishment, but if this is the only option, we will do so," end quote. 

Dave Bittner: Well, contempt for the contemptible. May Conti's success and high reputation be rewarded with matched sets of bracelets, courtesy of whatever jurisdiction eventually snaps them up. 

Dave Bittner: And finally, the Ukrainian National Police, with cooperation from their international partners Europol, the French National Gendarmerie and the United States Federal Bureau of Investigation, made two arrests in a ransomware case. The two gentlemen of alleged crime were arrested last week in Kyiv. Ukrainian police said that the two were responsible for ransomware attacks on more than a hundred foreign companies. Europol declined to name what gang, if any, the two men were affiliated with. The investigation is still ongoing, and Europol has no wish to tip anyone's hand. 

Dave Bittner: Photographs of the alleged criminals' den of crime are remarkably unprepossessing. There are boxes of U.S. $100 bills - Benjamin Franklin's picture easily recognizable - and a simple table supporting what looks like a gamer's desktop, a red dragon motif on the front and a neonesque decoration on the side. A keyboard, microphone and headphones are next to the workstation proper - musical keyboard, that is. Poised atop the desktop are three Capri Sun juice pouches. We don't know about you, but to us, nothing says I am a case of arrested development living in my parents' basement like a stash of Capri Sun. A serious crook would be drinking instant coffee. 

Dave Bittner: How do you feel about facial recognition? Your answer to that question could fall amongst a broad spectrum of feelings and conclusions - security tool or privacy nightmare or something else? Our U.K. correspondent Carole Theriault has been pondering facial recognition, and she offers these thoughts. 

Carole Theriault: Today, I want to talk about facial recognition, or faceprints. 

Carole Theriault: Now, first, facial recognition is definitely big business. In 2018, the facial recognition market was $4 billion, but it's predicted to grow to $10 billion in four years' time, by 2025. 

Carole Theriault: So what exactly is facial recognition? Technopedia defines facial recognition as a biometric software application capable of uniquely identifying or verifying a person by comparing and analyzing patterns based on a person's facial contours. So simply put, everyone has a unique facial structure, and this software is able to analyze features to identify who you are. 

Carole Theriault: Panda Security described how facial recognition worked in four simple steps. Step one is detect a face. Amongst all the other noise, it needs to be able to say, oh, I see a face in the same way that your smartphone might try and detect a face when you're taking a portrait. 

Carole Theriault: Second is facial analysis. So the photo is captured and analyzed, looking for all the tiny points of difference in your face that makes it unique from anybody else's. Then all that information needs to be crunched and turned into data, and that data - this code - is what is the faceprint. Once the faceprint has been converted, it can be used to find a match in a database of other faceprints. 

Carole Theriault: Now, of course, some of us are pushing for increased use of this technology. Particularly following a pandemic, isn't it nice not to have to touch things that other people are touching all the time? It's been used to authenticate students in schools. It's been used in airlines like Delta and JetBlue to identify passengers. It's been used in grocery stores and bars to make sure that people are old enough to buy alcohol. It's also been used to stop shoplifting. It's been used by the authorities to try and identify suspects. And let us not forget the thousands upon thousands upon thousands of apps that collect biometric data directly from your device. 

Carole Theriault: But here are a few things to consider. How long are they planning to hold on to all this data? How are they going to use it in the future? Remember, this is not a number that can be changed. This is your face. And unless you get drastic plastic surgery, you will be able to be identified at any time. 

Carole Theriault: Think about it. This technology is not just in the hands of professionals that have signed an oath of conduct. How much ethics training do you think the technicians are being given by companies out there with this tech? 

Carole Theriault: So until the regulators catch up with the technology, I'd respectfully suggest that we be mindful of tagging pictures in social and online, of using apps that collect biometric data and just check the IoT devices like your TV or your home assistant or your computer are not collecting and storing this information without your full consent. Note that you may have actually agreed to it in the tiny terms and conditions. You can always go and check those. In short, look after your privacy by looking after your face. 

Carole Theriault: This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is the vice president of research and analysis at Interos. Andrea, it's always great to have you back. I wanted to touch today on this whole concept of being able to model cyber risk and get some of your insights on that. What can you share with us today? 

Andrea Little Limbago: Yeah, thanks, Dave. It's always fun to have these conversations with you. I've been thinking about cyber risk. I think, you know, very much so, it's one of those areas where we're still stuck in some of these frameworks from previous eras that work well enough, but, you know, as the world's evolving very, very quickly and as technologies are evolving, we're starting to realize that what we were doing before is necessary, but not necessarily sufficient for what - where we need to be going to be prepared for cyber risk going forward. 

Andrea Little Limbago: And so a lot of the core, you know, facets that we still rely on - you know, multifactor authentication, encryption and sort of some of the - what we consider the basics of cyber hygiene - 100% are essential. And in many cases, we still haven't actually cracked the nut on ensuring, you know, companies are following some of those best practices. But at the same time, what we still really rely on are a lot of self-assessments, which makes it hard. I mean, you know, if you're grading yourself, we're all going to be doing great, you know, some - not all the time, but that's, you know, generally how it goes. 

Andrea Little Limbago: And then you also - the alternate look at it is leveraging technology and machine learning and basically being able to, you know, leverage some of those concepts to see what's exposed online and so forth. And where - you know, it's nice seeing some of, you know, the evolution in that area. 

Andrea Little Limbago: But, you know, both areas where we really need to start focusing even more so is starting to get into building out the foundation so we can have some of those actual firm-level assessments being a little bit more independent. And even some of the independent evaluations aren't always independent, right? And then on the machine learning side, really starting to take advantage of that and combine the two. 

Andrea Little Limbago: But I'll tell you, even on top of that, that's sort of the - you know, where we've gone so far. But then, you know, incorporating other kinds of concepts, such as, you know, what industry are the various companies in? Where are they located? 

Andrea Little Limbago: And what we haven't done a great job is really honing in almost on the threat model at an even higher level than just the firm, seeing where they sit within the world. 

Dave Bittner: Are we at the point where we have enough data to successfully model these sorts of things? Can the machine learning systems - do they have enough that we're - we can be confident that what we're getting out of them is a certain degree of reliable? 

Andrea Little Limbago: Yeah, that's a great question 'cause that's what we - you know, and I'll be the first one to not say machine learning solves every problem because we see that, I think, too much when we used to walk around the conference floors, you know? 

Dave Bittner: Yeah. 

Andrea Little Limbago: Push the button. 

Dave Bittner: (Laughter). 

Andrea Little Limbago: I think that - (laughter) I think, you know, we're getting there. At a minimum it can help provide some additional insights. And, you know, cybersecurity is just such an interesting area where we're really overwhelmed with the amount of data that is available for analysis. But at the same time, we're very data poor because we don't have access to the right data and have a very hard time sort of filtering out and getting to what we need to know and what we need to get to as fast as possible. So there's a lot of room for advancement there. 

Andrea Little Limbago: But even at a higher level, leveraging some aspects of data analytics and technology, we can get to the point where we do know, you know, either based on the whole range of vendor reports that are out there, like, providing a lot of useful information as far as certain industries, or you're looking at, you know, some analysis as far as at the country level, where certain - for instance, yeah, there was a good report earlier this year on Brazil. And basically, the ransomware that was really prevalent in Brazil wasn't the same that was prevalent elsewhere. 

Andrea Little Limbago: And so if we start thinking about, you know, looking beyond just saying everything's the same everywhere and making it more nuanced, saying, OK, you know, within this country, within this industry, your firm is going to be more likely to be exposed to, you know, these kind of risks - and we don't really look at it that way. And that's where you have - as a - from a social science perspective, those are the areas that I'd want to augment on top of what we were already doing and really thinking about, you know, customizing that threat model based on, you know, where they're situated as well. 

Andrea Little Limbago: And that's where there's a lot of room, you know, to do some interesting work, both by leveraging the data of a lot of vendors that have, you know, have already been out there doing that, but also just doing our own analyses to look at - you know, even, you know, in VirusTotal, as far as you're aware of some of the - you know, what's getting populated there and where's it coming from. Then when you start thinking about how you're tuning your end point detection and so forth, those kind of security tools, you may want to have them targeted much more so on what - you know, what kind of attacks you're going to be getting in certain locations. 

Andrea Little Limbago: And so there's a lot of interesting work, I think, that's starting up in that area and a lot more to be done if we really sort of open the aperture of how we think about cyber risk. 

Dave Bittner: So this sort of thing could provide you with insights on where to place your limited resources, be they financial or human resources. Those sorts of things give you a better idea of perhaps where your actual risk lies. 

Andrea Little Limbago: Yeah. No, that's exactly. And that's - you know, the goal should be for any of these kind of risk models that are made are to help really under-resourced companies figure out how to best use the minimal resources they have. And so the more that we can move from, cover everything from everywhere all the time, to really focusing on, here's what you're more likely to see; here's how frequently it's most likely going to be; here's the vectors they're more likely to be using and customizing it in that way, you know, the better off we're going to be thinking about cyber risk. 

Andrea Little Limbago: And even, you know, taking it a step further and not just looking at, you know, your own headquarters, but, you know, where are the rest of your - your larger footprint across the globe as well? 'Cause those are the vector - those are the entryways as well into your system, into your network. 

Dave Bittner: Yeah. All right, well, interesting stuff. Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: All right. Thanks so much. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.