The CyberWire Daily Podcast 5.11.18
Ep 597 | 5.11.18

Vigilantes and hacktivists. Point-of-sale malware source code leaks. Malicious extensions and apps. US Federal indictments: spying and hacking. Robo-caller gets record fine.

Transcript

Dave Bittner: [00:00:03:20] Vigilantes visit ZooPark, and the lights go out, voluntarily, on some Georgia hacktivists. Treasure Hunter source code is posted to a criminal forum. Malicious Chrome extensions and malicious Android photo-editing apps. GandCrab ransomware served by compromised legitimate sites. News on Russian influence ops and concerns about a resumption of Iranian hacking. An ex-CIA officer has been charged with espionage. A hobby hacker's been indicted on Federal charges and the FCC hits a robo-caller with a record fine.

Dave Bittner: [00:00:42:05] And now a word from our sponsor, LookingGlass Cyber Solutions. An open letter from the malicious botnet on your network.

Botnet: [00:00:52:09] So, here we are, it's just you and me at this godforsaken hour. You're looking right at me too, I'm on the second monitor to the left. Had you seen me you would have realized I compromised computers in your organization and they work for me now. Even if you had spotted me your current process is too slow to catch me. You update your network rule sets once a week. I'll be in Cabo by then, working on my tan. I love getting to know your company by the way, your financial data, personal records. I've got a piece of unsolicited advice for you. Check out what LookingGlass Cyber Solutions is doing. They've got some kick-butt technology that fends off cyber threats like me, data breaches, ransomware and stolen credentials in real time. Be a hero with the LookingGlass ScoutShield Threat Intelligence Gateway. See the video at LookingGlasscyber.com.

Dave Bittner: [00:02:00:13] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 11th, 2018.

Dave Bittner: [00:02:12:18] We begin with some notes on hacktivists and vigilantes. To take up the vigilantes first, one such avenging netizen has decided to take on the ZooPark surveillance group Kaspersky discovered operating in the Middle East. The vigilante has released a good tranche of what he or she discovered, sending it on to Motherboard in the expectation of striking a blow against ZooPark's continuing ability to operate quietly against its victims. The vigilante also tempts fate with a lot of coldly disparaging remarks about the folly of code reuse. Any attacker who would reuse code so freely, the vigilante suggests, is a skid without skillz.

Dave Bittner: [00:02:55:16] The other group we might mention is the crew of hacktivists who opposed the US State of Georgia's proposed computer security bill by defacing various sites in the Peach State. The proposed law, State Bill 315, was vetoed Tuesday by Governor Nathan Deal. The hacktivists have said, in effect, mission accomplished, and they will no longer do any more digital strong-arming. It's good they're stopping, but they've set an unfortunate example. The proposed bill was sufficiently ill-conceived that widespread rational argument from the security industry and elsewhere would probably have been all the opposition the Governor needed.

Dave Bittner: [00:03:33:14] There's no indication that Governor Deal was moved by fear of the hacktivists. He was probably moved by concerns about criminalizing legitimate white-hat work, and by the possible difficulty of avoiding widespread unintended consequences should enterprises too vigorously avail themselves of the bill's hack-back provisions. As the Governor said in the statement accompanying the veto, "Certain components of the legislation have led to concerns regarding national security implications and other potential ramifications. Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so."

Dave Bittner: [00:04:16:21] Researchers at security firm Flashpoint have found that the source code for the TreasureHunter point-of-sale malware has leaked online. The source code was posted to a Russian-language criminal forum. The family to which TreasureHunter belongs has been operating in the wild since 2014. TreasureHunter is installed, SecurityWeek reports, using weak credentials. The crooks get through a Windows-based server to the point-of-sale terminal, where they install TreasureHunter. They create a registry key to run the malware at startup.

Dave Bittner: [00:04:49:04] From that point TreasureHunter scans processes running on the victim's system, identifies paycard data, and reports that data back to its command-and-control servers. It's not known why the source code was posted, but this is known: when malware source code leaks, one can expect a surge in criminal activity using that code to follow soon. Flashpoint found the leak in March and since then have been working with Cisco's Talos group to find ways of disrupting the anticipated surge.

Dave Bittner: [00:05:19:19] Malicious Chrome extensions continue their cryptojacking success. Radware has found seven malicious extensions in the official Chrome Web Store. The infection chain began with links pushed by Facebook. These led to a bogus YouTube page that invited installation of the bad extensions. Once infected, the victim machines were subjected to one or more of the following: bot herding, cryptojacking, click-fraud or credential harvesting. Google has expelled the extensions, but the method is likely to be used again.

Dave Bittner: [00:05:53:11] Another official Google store has also had infestations to deal with. Malicious photo editor apps have been found in Google Play. Security firm Sophos has found 25 bad apps that entered the Play store in March and April. They carry ad-fraud malware. Crooks monetize infected devices by getting them to click, as it were, on background ads without the user's knowledge or interaction. The ads have all been reported to Google and should be gone from the walled garden of the Play store.

Dave Bittner: [00:06:24:17] Researchers at Cisco's Talos unit have found GandCrab ransomware lurking in a variety of legitimate but compromised websites. Two of the examples Talos gives are, according to Threatpost, a courier service in India, and a WordPress site for an herbal medicine vendor. What the compromised sites tend to have in common are default credentials and MySQL vulnerabilities. So good digital hygiene is important not only for your enterprise, but for cyber public health as well.

Dave Bittner: [00:06:55:23] Kaspersky has found 17 critical vulnerabilities in the widely used Open Platform Communications Unified Automation protocol - that's OPC UA. OPC UA is widely used by developers working in the industrial Internet-of-Things.

Dave Bittner: [00:07:12:16] Release of Russian Facebook ads shows how the troll farms refined their messaging and used it opportunistically to damage the credibility of US institutions during the last Presidential election.

Dave Bittner: [00:07:25:10] A former CIA officer has been charged with spying for China. Jerry Chun Shing Lee, a former case officer with human intelligence responsibilities, worked for the CIA from 1994 to 2007. According to reports by NBC News and the New York Times, he's thought to have provided Chinese security services with information they used to roll up US covert operations in China.

Dave Bittner: [00:07:51:22] In Los Angeles, an alleged hacker has been indicted for illegally accessing and defacing military, government, and business websites. The alleged hacker, Billy Ribeiro Anderson, who used the handles Anderson Albuquerque and AlfabetoVirtual, is thought to have hacked as a hobby. Should the prosecution have their way with him (we must remember that he's considered innocent until proven guilty), Mr. Anderson may need a new hobby to occupy himself during his sabbatical at Club Fed.

Dave Bittner: [00:08:23:24] Researchers show there's a dog whistle for Siri, Alexa, and Google's Assistant. A study at the University of California, Berkeley, has shown it's possible to embed commands a human wouldn't notice in songs. When played in the presence of the AIs, the AIs hear them, but you don't. And now we wait for all the objections from audiophiles that yes, indeed, they can hear sounds only dogs can hear, and that unlike the rest of you squares, they can easily tell an unobtrusive command from digital noise. So talk amongst yourselves please... quietly.

Dave Bittner: [00:08:57:06] Industry experts are, almost as a group, pointing to Iran, talking about Iranian cyber reprisal for US withdrawal from the nuclear agreement as a done deal. So if you bet on form, bet on Tehran's cyber contractors getting busy in a network near you.

Dave Bittner: [00:09:15:16] And finally, in a good-news/bad-news story, the US Federal Communications Commission has handed a robo-caller a record fine: $120 million. That's the good news. The bad news is that it's just one robo-caller. As FCC commissioner Jessica Rosenworcel said, in the course of a statement applauding the fine, "Let’s be honest. Going after a single bad actor is emptying the ocean with a teaspoon."

Dave Bittner: [00:09:48:12] Now a moment to tell you about our sponsor, ObserveIT. It's 2018 - traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:10:54:20] And I'm pleased to be joined, once again, by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We saw an article come by from Help Net Security and it was called "Why cryptography is much harder than software engineers think," and I thought this was right up your alley. First of all, do you agree? Is cryptography much harder than software engineers think?

Jonathan Katz: [00:11:17:12] Well I don't really know what software engineers think about, but I think it's definitely, it definitely is very tricky and I think one of the things in particular, is that software engineers just aren't used to thinking in general about implementing security-critical or cryptographic software and so shortcuts that might, might take, or efficiency improvements that you might apply to general code might actually render a security-critical algorithm insecure.

Dave Bittner: [00:11:44:21] Oh, can you give us an example?

Jonathan Katz: [00:11:46:12] Well in this article they were talking about a vulnerability that was discovered about six months ago called ROCA and what that vulnerability was based on was the generation of primes, or the RSA algorithm. So some of the listeners may know that the RSA algorithm fundamentally works by having the owner's party generate two random primes and then multiplying them together to get a modulus, and the hard problem for an attacker would be taking that modulus and then finding what the original primes were.

Jonathan Katz: [00:12:16:07] There, there's been a whole sequence of techniques developed and recommendations actually issued for how to go about generating those primes, because they need to be large, they have to be a certain size, they should be unpredictable and they, there are other properties they need to satisfy as well, and so there's a whole literature about how to do that securely. It seems that what happened was that people who were implementing the software for generating those primes ended up taking some shortcuts in order to try to make the process more efficient, and those shortcuts led to the software generating primes, for which it was then easy for an attacker to factor the resulting modulus. So basically, by taking these shortcuts and not following the recommended practices they were making the software insecure.

Dave Bittner: [00:12:59:06] I see. Now, as a professor, the students that you deal with, how do you impart these lessons to them?

Jonathan Katz: [00:13:07:10] Yeah, it's definitely a challenge. So first of all I always tell students that they need to implement things exactly as specified. They shouldn't be designing their own crypto, and they shouldn't be trying to optimize algorithms that are recommended. Then what I also do is try to illustrate to them, throughout the course, what can go wrong when they don't follow that advice. So what, what I usually do is give examples, like this one, showing them what can go wrong in the real world when people do take shortcuts, when people don't follow the recommendations, and hopefully, you know, after a semester's worth of that, they get the idea that it's really dangerous to modify things on their own.

Dave Bittner: [00:13:43:00] That's a good lesson. All right, Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:13:46:13] Thank you.

Dave Bittner: [00:13:51:20] And now a moment to tell you about our sponsor, (ISC)². Join the sharpest minds in cyber and information security at the 2018 (ISC)² Security Congress in New Orleans. On October 8th through the 10th the eighth annual Security Congress will unite more than 2000 industry colleagues for over 100 educational and thought leadership sessions. Attendees leave security congress enriched and enabled to excel at protecting their organizations. Maximize the experience with an all-access pass. Daily podcast listeners get $50 off your all access pass registration with code Cyber50. Save your seat at congress.isc2.org. That's congress.isc2.org, and we thank (ISC)² for sponsoring our show.

Dave Bittner: [00:14:51:23] My guest today is Cyrus Farivar. He's the senior business editor at Ars Technica and author of the book The Internet of Elsewhere, about the history of the Internet and the effects it's had on different countries around the world. He joins us to discuss his new book, Habeas Data: Privacy Vs. the Rise of Surveillance Tech.

Cyrus Farivar: [00:15:11:17] So it's interesting to remember that the United States Constitution does not recognize an affirmative right to privacy. If you read our founding documents from the 18th century, you won't find the word "privacy" anywhere in there. You will find the word "privacy" in the California State Constitution - it's in Article 1, section 1. It guarantees privacy as an affirmative right to Californians. The word "privacy" also appears in a number of other State Constitutions, but that's very much not the norm. Over the last 200-plus years of our history there has built up a standard of what we think of as privacy, typically around the Fourth Amendment, which protects against unreasonable searches and seizures, privacy with respect to the government. The Fourth Amendment, of course, only protects the citizens against the actions of the government. It doesn't protect, you know, individuals like you and me from the actions of Facebook or Google or any other company.

Cyrus Farivar: [00:16:09:21] When we're talking about government surveillance in the modern era really we have to go all the way back to the 1960s - and there was a famous Supreme Court case called the United States versus Katz - that involved the prosecution of a guy who was gambling in Los Angeles in 1965. Specifically, he would go to these phone booths, on Sunset Boulevard in Hollywood, and he would call all his East Coast bookies and he would bet on college basketball games, and he did this so much that he drew the attention of the FBI and also of the Los Angeles Police Department. So they started investigating him and they figured out, you know, which phone booths he liked to go to and they ended up putting microphones and a recording device on top of the phone booth that he liked to use - and this is a crucial distinction that the fact that they put it on top rather than inside the phone booth, or attempted to wiretap the phone booth or anything like that.

Cyrus Farivar: [00:17:04:23] The legal standard at that time really turned on a question of trespass, on physical trespass into kind of an enclosed space, like a house or a phone booth or a car or an office or something like that. Law enforcement thought that they were totally within their right to go right up to the edge, right up to the physical edge of the phone booth and put this microphone on top. Charles Katz ended up challenging this case and it went all the way up to the Supreme Court and in the end the Supreme Court ruled, in a five to three vote, that that was not okay, that law enforcement had overstepped their bounds by, by doing that. In that decision there's this phrase that sort of continues to resonate with us today, that is a "reasonable expectation of privacy." So when courts today are looking at whether or not a particular technology is okay, this is a standard that they turn to. You know, is there a "reasonable expectation of privacy" in, you know, X or Y, Z's situation?

Dave Bittner: [00:18:01:20] You know, having gone through the process of writing this book, of doing the research, gathering the data, and putting, you know, pen to paper, what are the take-homes for you and what do you hope people get out of reading the book?

Cyrus Farivar: [00:18:13:04] What I hope people get out of reading the book is just having a better appreciation for what kinds of technology is already in existence in America. This is not like, you know, a far-off future - this is now. Today, in Oakland, California, the city where I live, all police officers wear body cameras for instance - and maybe in the city where you live too. In lots of major cities around America this is increasingly becoming the norm. Police now have license-plate readers; police now have drones. Very soon, police will have body-worn cameras that have facial recognition capability. So imagine something even more sophisticated than a license plate, or something that can not only capture license plates but they can capture people's faces, and guess what, there already is a database of all of our faces.

Cyrus Farivar: [00:19:04:06] The DMV and the Department of State if you have a driver's license or a passport, a government agency already has a very high quality picture of your face. You may not be bothered by these kinds of things - you may say, "Well, you know, I'm just a regular law-abiding citizen, I don't really care if the police have a picture of my face or a picture of my license plate," but I think a lot of us, you know, are maybe a little bit troubled by that and may not realize that, as of now, a lot of these technologies that might feel invasive are currently legal. So I hope that people come to realize what exists right now and also what exists, you know, in your own city.

Cyrus Farivar: [00:19:44:22] If you don't know if your local police department has license plate readers or drones or, you know, any of these other tools, I would suggest that you file a public records request with your police department, ask them and they, hopefully, will tell you. You know, it's easy to file a public records request - anybody can do it; you don't have to be a journalist, you don't have to be a lawyer. So find out what exists in your local community. You might be really surprised. You might not know, for instance, that your city has however many drones or however many other types of surveillance tools. So I want people to kind of be conscious of what exists in their own communities and ask these kinds of questions. Also, I want, not just regular citizens to be aware, but I want, you know, local lawmakers, city council members, county supervisors, police chiefs, and people who are in positions of authority to be aware of what's going on and how it's being used.

Cyrus Farivar: [00:20:42:18] In Oakland, the city council is considering a new measure, that probably will pass, that will impose, for the first time, a community control over surveillance technology in Oakland. A number of other California cities have already passed measures like this: Berkeley and Davis, California, which is near Sacramento, and a number of other communities around America are considering similar measures as well. So, if this issue concerns you, I would suggest that you try to find out whether there are efforts, like in Oakland, in your area, to see if your city council or your county or your community is interested or is actively pursuing such measures because what I've learned is that changing Federal laws and national laws and waiting for the Supreme Court to halt a particular practice can take years or decades, if it ever happens at all. But, you know, it's a lot easier to change things locally, right, or perhaps even at your state level.

Cyrus Farivar: [00:21:44:12] I'm hopeful that, that with some of the efforts by some of the more privacy-minded activists and lawyers and other organizers around the country, especially here in California, that, hopefully, we can come up with more sensible policies that, as you say, can strike the balance between the needs of law enforcement without kind of impinging on civil rights and civil liberties.

Dave Bittner: [00:22:07:13] That's author, Cyrus Farivar. His new book, Habeas Data, is available now. We've got an extended version of my interview with Cyrus Farivar on our Patreon page at patreon.com/thecyberwire.

Dave Bittner: [00:22:25:14] And that's The CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit Cylance.com, and Cylance is not just a sponsor, we actually use their products to help protect our systems here at The CyberWire, and thanks to our supporting sponsor, VMWare, creators of workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:22:53:07] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:23:03:05] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.