Comey's testimony calls Russian election influence operations massive and ongoing. New Android malware. Malicious hyperlinks infect with a mouse-over. Data privacy issues.
Dave Bittner: [00:00:01:03] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:12] Whatever else former FBI Director Comey told the Senate, one thing is clear - he's convinced the Russians are fully committed to influence operations and that they'll be back. More on disinformation and hacking in Qatar. Fresh malware surfaces on the Android ecosystem. Mousing over a malicious hyperlink can now be an infection vector. The GDPR and some thoughts on the distinctions among anonymity, privacy and security.
Dave Bittner: [00:00:44:00] Time to take a moment to share some research from our sponsor, Cylance. They've been looking at ransomware as a service, that's RaaS, and they found that something old is new again. It's NemeS1S, spelled capital N-e-m-e, capital S, numeral one, capital S. This malicious code can be purchased in the crook to crook black market and it reduces the average skid's barrier to entry into the ransomware game to essentially zero. It appeared in the wild this past January and it's been advertising itself as new but, no, the binaries it generates are oldies but baddies from the long familiar PadCrypt family. PadCrypt betrays itself by its behavior under dynamic analysis. So don't pay ransom, instead get protected. Visit cylance.com/blog and check out the threat spotlight paper on NemeS1S, capital N-e-m-e, capital S, numeral one, capital S. We thank Cylance for sponsoring our show.
Dave Bittner: [00:01:49:15] Major funding for the CyberWire is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 9th, 2017.
Dave Bittner: [00:01:58:21] Former FBI Director Comey's testimony yesterday before the US Senate Intelligence Committee has proved something of a Rorschach test for media observers. As WIRED's headline writers put it, "James Comey said exactly what you wanted him to say." There's indeed much on which partisans on both sides may fasten, and fasten they have.
Dave Bittner: [00:02:19:11] So we leave these dueling narratives to sort themselves out and turn to something less ambiguous, Russian influence operations during the US Presidential elections. Comey said, "There was a massive effort to target government and near-governmental agencies, like non-profits." The former FBI Director said he became aware of the campaigns in 2015, which would be around the time Cozy Bear began its quiet snuffling at US political networks, and long before Fancy Bear barged noisily into the Democratic National Committee's servers. There were, Comey said, "hundreds of entities" targeted, so the operations were not confined to the DNC.
Dave Bittner: [00:02:57:18] Much commentary has talked up the novelty of the operation, representing election influence as something new under the sun. But of course it's not and Comey was quite clear on that point, describing such operations as representing long-standing Russian practice. "They'll be back," he noted.
Dave Bittner: [00:03:14:15] To summarize some recent Russian operations, post-November, they appear to have taken a swipe at President Macron's campaign in France and possibly at the snap elections Prime Minister May called in the UK. The UK case is interesting in that there seems to have been some organized sock-puppetry in Twitter mobilized in the interest of Labour leader, Corbyn. Influence efforts in France seem to have had little effect. Whatever took place in the UK was overshadowed by terrorism and ongoing controversy over Brexit. Prime Minister May's Tories lost seats but she will still seek to form a government.
Dave Bittner: [00:03:50:08] Another influence operation does seem to have had significant effect, this one aimed at discrediting Qatar's government with hoaxed communications expressing support for Zionism and Iran's Shi'ite Islamic Republic. The US FBI, which is assisting with the investigation, thinks the Russians indeed are already back as former Director Comey predicted. In this case there's a progression from doxing to disinformation, fake news, and this represents an escalation in an ongoing information war.
Dave Bittner: [00:04:22:15] More problems arise within the Android ecosystem to trouble enterprise users. Zscaler reports a malicious Android package representing itself as a cleaning app from Google, "Ks cleaner." It secures admin rights on infected devices and uses them to display ads, download other apps and so forth and Kaspersky has found rooting malware "DVmap" hiding behind a simple puzzle game, "Colorblock." Google has ejected this one from the Play Store.
Dave Bittner: [00:04:51:18] Various security companies report seeing new malware "Zusy" in spam campaigns. Its payload is delivered in a malicious PowerPoint file that infects users who mouse over links in the presentation. Many researchers warn that this represents a new and insidious infection vector. You needn't click to catch this virus. Just position the cursor over the malicious hyperlink and, bam, you're caught.
Dave Bittner: [00:05:16:22] Popular cryptocurrency exchange BTC-E has been sustaining distributed denial-of-service attacks since this Monday. Users are unhappy and the exchange can't be happy either. Such exchanges depend on high availability for their survival in the market.
Dave Bittner: [00:05:33:09] There's now less than a year before the European Union's General Data Privacy Regulation or GDPR takes full effect. It will have effect far beyond the EU and enterprises worldwide are working fitfully to prepare themselves.
Dave Bittner: [00:05:46:06] We received comments from security firm Ntrepid's Lance Cottrell in an email. Tracking, he argues, is here to stay because collecting user data drives the Internet economy. Innovation in data collecting will continue its see-saw competition with law and regulation. Cottrell said, "The GDPR is focused on notice, consent, control and security. Websites need to let users know what is being collected. Users must opt-in to having their data collected and stored. They have a right to have their information deleted and to take it to another website. Finally, businesses have an obligation to protect the data they collect."
Dave Bittner: [00:06:23:22] We'll see stricter breach reporting requirements, he believes, and users will have a right to ask that their data be deleted, but he thinks not many people will take the trouble to ask that they be forgotten. The main effect users will see are notices that the websites they visit are collecting all kinds of information. You can agree or you can get off the site.
Dave Bittner: [00:06:44:19] A lot of vendors are enhancing the privacy features of their products but there are distinctions to be made here among privacy, anonymity and security. Ntrepid's Cottrell would like to remind everyone that these changes won't necessarily make you more secure. He notes, for example, that the intelligence tracking prevention capability Apple's Safari browser boasts will help with privacy but it's far short of giving you anonymous surfing. "It should reduce the creepy experience of seeing a product you looked at in an online store stalking you across the entire web."
Dave Bittner: [00:07:16:19] So maybe less creepy but not at all anonymous. The Internet still knows it's you, even if it's not always showing you ads for veterinary products to help care for your pet wombat. You just had to post pictures of Sammy the pet wombat on all your social media accounts, didn't you? After all, Sammy is just too cute to keep to yourself.
Dave Bittner: [00:07:40:22] Here's a quick note about our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business? But that's science fiction and not even very plausible science fiction, but the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all. They're here today and E8's white paper available at e8security.com/cyberwire can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at e8security.com/cyberwire. We thank E8 for sponsoring our show.
Dave Bittner: [00:08:33:08] Joining me again once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. A story came by on the Miami Herald about Florida pushing towards being able to go after people who use Bitcoin, having them face money laundering charges. What do we need to know about this?
Ben Yelin: [00:08:52:10] Before this law was considered, and it has been passed by both houses before the state legislature, people using Bitcoin for nefarious activities, for drugs or prostitution were not subject to prosecution under state money laundering laws because under Florida state law Bitcoin didn't qualify as money under the legal definition. If this bill were to pass, it would bring into parity the definition of money. So if somebody used a Bitcoin to procure drugs or some other sort of illegal services, they would be subject to prosecution for money laundering. I think it's an effort to modernize our laws to recognize that these online currencies can function as actual currency.
Dave Bittner: [00:09:44:06] There's some pushback on this. I saw there was a gentleman named Charles Evans who's an economist, and a virtual currency expert said that, "before long we're going to see coat checks, tickets to Disney World and discount coupons regulated as money in Florida." What's your take on that?
Ben Yelin: [00:10:00:05] Yeah, so there's a potential slippery slope argument. I think what that professor has argued is that Bitcoin isn't actually money. It's not protected by the Federal Reserve. It's not issued as a currency. It's more like a piece of property, like any sort of valuable piece of property, that can be traded for anything else. I think that's a valid viewpoint. I think, when somebody makes a slippery slope argument, I'm always suspicious because in most cases we don't actually follow the slope. I don't think there's going to be any effort at the state legislature to arrest people for selling coat checks and tickets to Disney World. I think the reason it makes sense for Bitcoin is it really does serve as a currency replacement, as opposed to any sort of piece of tangible property which may, in limited circumstances, fill in for currency but it doesn't to the same degree as Bitcoin does. I mean, there are millions of transactions online where Bitcoin is the means of exchange, and I think the state of Florida is recognizing that the laws have to conform to that reality.
Dave Bittner: [00:11:09:10] So, let's say Florida enacts this law, would other states be expected to follow?
Ben Yelin: [00:11:15:01] I think Florida might be the first in a long line of states who seek to remedy this problem, but what a criminal statute for money laundering is trying to prevent is the sale of goods and services that society has deemed undesirable or illegal. If we are not able to prosecute because the currency used is an online currency instead of an actual Federal Reserve issued currency, I think the purpose of our money laundering laws wouldn't be fulfilled in the same way, so I think it's important for other states to look at what Florida is doing and potentially modernize their laws to bring these Bitcoin type online currencies into the legal framework.
Dave Bittner: [00:12:00:18] Ben Yelin, as always, thanks for joining us.
Dave Bittner: [00:12:07:18] And now a moment to tell you about sponsor, ObserveIT. We hear about all sorts of threats and spectacular tales of hacking that grab people's attention but what about the threat that every organization faces that goes unnoticed - the insider threat? Insider theft of sensitive data is already the occasion of some of the biggest business litigation of the 21st century. Whether the insider is malicious, or just mistaken, they can take your business down before you know what's hit you. If proprietary data walking out the door or vendors accidentally taking down critical systems keep you up at night, take a look at ObserveIT's free guide, "Quick Wins for Reducing Insider Threat," at observeit.com/cyberwire. Their mission is to help you identify and eliminate the insider threat by knowing what your people are doing in real time. Check out observeit.com/cyberwire to learn more about managing insider risk today. We thank ObserveIT for sponsoring our show.
Dave Bittner: [00:13:11:18] My guest today is Will Ackerly. He's the founder of Virtru, a security company that specializes in privacy and data security. He joins us today to discuss recent changes in the ways Internet service providers can handle your private data, changing privacy regulations in the EU, and the notion of there being a right to be forgotten online.
Will Ackerly: [00:13:31:07] There's been a lot of uncertainty about the future in the United States, clearly with how ISPs are going to be regulated moving forward. Can they sell your data? Can they do whatever they want with it? And then, in Europe, with GDPR coming into force in 2018, a lot of questions about how that's going to have an impact on companies really everywhere, in terms of enforcing the obligations that they have. GDPR in particular has a section around the right to be forgotten where, if an individual wants they can say not only, "Hey, I want my data back for portability," but rather, "I don't want you to have my data anymore," and have guarantees around that. So I think it's becoming a lot more thought about by companies, by law makers and individuals.
Dave Bittner: [00:14:18:21] How is it shaking out? We see some of the large companies who sort of take the side on the privacy as a priority, and then obviously some of the other large providers say, "No, we're going to use as much data as possible to be able to sell ads to you, or be able to customize our presentation of the things we present to you." Is there any sense for which direction is winning out in that tension between them?
Will Ackerly: [00:14:46:08] Yeah, I think the natural market dynamics, over the last decade or so has been working really in the favor of the large companies that are gathering our data and monetizing its scale. The Economist had two articles really where they said that data, this century, is what oil was for the last century. That really bears out, if you look at companies with incredibly large market caps. Facebook is one where in a sense, like, your data is what gives them value. European law and lawmakers have said, as law makers, there's a very large market, they have an opportunity that they're seizing upon to say, look, where market forces might not be working in favor of consumers, where consumers might think they don't have a choice, or they're not feeling necessarily the consequences at an individual level, or what have you, there is some momentum in that direction. I think there is a huge opportunity to demonstrate that from a technical standpoint it is possible to take that law and memorialize it in a way where individuals, regardless of what may happen tomorrow, will have a persistent control over their data.
Dave Bittner: [00:16:03:00] These large service providers are international companies so how will the restrictions in Europe affect their processes? How they handle privacy here in the United States? Is it going to be easier for them to adopt one standard, so that they don't have to worry about data flying back and forth, or inadvertently finding itself overseas?
Will Ackerly: [00:16:24:20] I think, generally the way companies we've seen are doing this is, if they have a requirement that has any value elsewhere, they're going to deploy it across their entire infrastructure. It also is just from a cost saving standpoint where you don't want to have to maintain two separate frameworks. So you have really what amounts to a high water mark, in a lot of cases. And so you have in a sense trickle-down effects where they put the work in. The NRE is done, right? That non-recurring engineering cost to solve the problem in one place means that much higher likelihood it'll be used elsewhere. So I'm optimistic. There are a lot of companies that I've talked to who are excited about the opportunity actually to put control very aggressively back into the hands of the individual. There are some companies that say, look, this is impractical. This is too short of a time frame and are really, really pushing back. But I do see some people leaning forward and saying, no, this is really going to be good for the individual.
Dave Bittner: [00:17:29:12] Swinging back to the notion of the right to be forgotten, with so much data being stored in the cloud and other places, how can a service provider guarantee to an individual that a piece of data has actually been deleted? I think about the distributed nature of storing all that data, and even that it's duplicated and backed up and locked away places. How can that promise be trusted?
Will Ackerly: [00:17:59:09] Yeah, that's a great question. In a lot of cases, you're still going to have to trust the providers with your data. There are cases where we can move that ball forward and you can have actual confidence because the data that you submit into the cloud can start its life encrypted. If you take cloud storage or even email for instance, you can encrypt the files that you share and the emails that you send in a way where your providers never have access to begin with. So those can start their life in a way where they don't have access and it's in a sense already forgotten. You can start from that position and say, okay, from that point, I can then affirmatively make choices around under what conditions that data can get unlocked, and provide additional value and insight. But where your data, even if it's backed up on tape or copied globally, if that data's encrypted with a key that you control, if you delete that key, then you can have a cryptographic guarantee that all of those copies are inaccessible. There are caveats obviously in terms of if someone else has already unlocked it, you know, what sort of strength of protection is there in terms of the obligation not to store that key somewhere, but there are techniques out there.
Dave Bittner: [00:19:18:08] Our thanks to Will Ackerly from Virtru for joining us today.
Dave Bittner: [00:19:26:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you through their use of artificial intelligence, check out cylance.com.
Dave Bittner: [00:19:40:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend, everybody. See you back here on Monday. Thanks for listening.