The CyberWire Daily Podcast 5.21.18
Ep 603 | 5.21.18

DPRK's Sun Team works from three apps in Google Play. PII for sale in Zhejiang. SPEI theft. Jihadist content in social media. SEA charges. DDoS-for-hire sentencing. ZipperDown bug.


Dave Bittner: [00:00:01:01] Hi everybody, a quick announcement before today's show. The CyberWire is presenting our fifth annual Women in Cybersecurity reception this fall at the New International Spy Museum in Washington, DC. We've got some great sponsors lined up including Northrop Grumman, Cylance, VMware, Delta Risk, and SecureStrux. We'd love to add your organization's name to that list. Go to to learn all about our Women in Cybersecurity reception and to see how you can show your support by becoming a sponsor. That's We hope to see you there.

Dave Bittner: [00:00:41:22] The Sun Team rises in Red Dawn. Much PII, mostly out of Japan, appears in the black-market stall of a poorly reviewed vendor. The Mexican bank raid seems to have started with a small brokerage and spread from there. Facebook and Google+ continue to be infested with jihadist inspiration. More charges for alleged Syrian Electronic Army hoods. A man gets 15 years for, among other things, DDoSing former employees. And mobile app users? XYZ.

Dave Bittner: [00:01:17:14] And now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operation and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence.

Dave Bittner: [00:01:40:24] Validate it, prioritize it, and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions. With ThreatConnect, your team works as a single cohesive unit reinforced by a global community of peers.

Dave Bittner: [00:02:12:19] To register for a free ThreatConnect account or learn more, visit That's to learn more. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:36:03] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 21st, 2018.

Dave Bittner: [00:02:48:03] McAfee researchers are tracking the Sun Team, a DPRK threat group operating a mobile malware campaign, "Red Dawn," against North Korean defectors. They're using Google Play and Facebook to spy under the guise of beta applications. Three bad apps have been found, "Food Ingredients Info" for the health conscious out there and two bogus security apps, "Fact AppLock" and "AppLock Free" for the rest of you. The initial, quiet infection is via the Play store. The larger, noisier spread is through contagion by Facebook.

Dave Bittner: [00:03:24:16] FireEye's iSIGHT unit has found a great deal of Japanese personally identifiable information for sale in a Chinese black market, apparently culled for the most part from earlier big breaches. The material seems genuine enough, and it comes mostly from Japanese databases. Who is the vendor selling this stuff? FireEye speculates, "speculates," they say, that it's an individual living somewhere in China's Zhejiang province. Whoever it is seems to have been in business underground since 2013. The criminal vendor gets low grades from the black market's equivalent of Yelp, and yes, black market buyers do rate their vendors. There are a lot of complaints that buyers don't get what they expected when they ponied up. One good bit of advice is to avoid reusing passwords. Exploitation of compromised, reused credentials seems to be the biggest danger here.

Dave Bittner: [00:04:20:03] Inquiry into the recent rash of unauthorized transfers from Mexican bank accounts continues. The Bank of Mexico says that, while its investigation of a series of criminal raids on the Interbanking Electronic Payment System (SPEI) is still in progress, they've concluded that the initial attack came through a small brokerage house. Losses in the theft are estimated to have come to some 300,000,000 Mexican pesos, a bit more than US $15,000,000. Bank of Mexico Governor Alejandro Díaz de León has said that three banks, a broker, and a credit union were affected, but he declined to name the institutions involved.

Dave Bittner: [00:05:00:18] Facebook continues to struggle with content moderation. Terrorist imagery and propaganda is one category the company has expressed a desire to purge but Facebook has met with indifferent success. The Global Intellectual Property Enforcement Center and the Digital Citizens Alliance say it's easy to find jihadist exhortations and imagery of unbelievers' executions. You just have to know which hashtags to follow.

Dave Bittner: [00:05:27:03] Also, while in many respects forgotten, Google+ isn't gone, and it has become a popular channel for jihadist inspiration.

Dave Bittner: [00:05:36:09] Two alleged members of the Syrian Electronic Army, Ahmad 'Umar Agha, 24, "The Pro" and Firas Dardar, 29, "The Shadow," now face 11 US Federal counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, and aggravated identity theft. Both men remain at large. They were principally phishers. They successfully targeted employees at the Washington Post, CNN, the Associated Press, National Public Radio, the Onion, Human Rights Watch, NASA, Microsoft and the Executive Office of the President. Among their capers were tweets from a hijacked AP Twitter account that falsely claimed the US President had been injured in a bombing.

Dave Bittner: [00:06:21:12] One of their co-conspirators, Peter Romar, pleaded guilty in 2016 and was sentenced to time served.

Dave Bittner: [00:06:28:20] The new charges, SecurityWeek notes, come as the five-year statute of limitations on their original 2014 charges is approaching its expiration date.

Dave Bittner: [00:06:39:03] Tokyo police have concluded their investigation of a May 2015 breach of the Japan Pension Service in which an attack exposed 1,250,000 items of personal information. The investigation is over, not because they got their hacker, but rather because the statute of limitations has expired.

Dave Bittner: [00:06:57:20] This has us wondering. Two statute-of-limitations stories in one week. What is the statute of limitations for cyber crime? Does it differ by severity of crime? It clearly differs by jurisdiction. So how long do you have to stay on the lam, hypothetically speaking, before you're beyond the reach of the long arm of the law? We're asking for a friend.

Dave Bittner: [00:07:20:04] Let us say right up front that said friend is not one John Kelsey Gammell of New Mexico, who pleaded guilty back in January to a count of conspiracy to cause damage to a protected computer. He is said by prosecutors to have hired various booter services, DDoS for hire, to hit former employers, competitors, and public services. People he had a grudge against. A partial list of his victims includes Washburn Computer Group, the Minnesota State Courts, Dakota County Technical College, Minneapolis Community and Technical College, the Hennepin County Sheriff’s Office, which suggests that, while he may have been from New Mexico, his interests were up in Minnesota and the Dakotas.

Dave Bittner: [00:08:02:23] The judge gave him 15 years. Stiff, but he wasn't a first offender. He'd had an earlier felony conviction on his record, and in addition to the hacking charge, he went away for two counts of being a felon in possession of a firearm.

Dave Bittner: [00:08:18:17] Friday is GDPR implementation day, and we'll remind you of this daily. Today's story involves the cost of compliance. It's driven a few online games out of business, like Loadout and Super Monday Night Combat, and some others at least out of Europe, like Ragnarok Online. The cost of either rewriting or shifting to a new platform has been proving prohibitive. So they bid farewell in a twilight of the gamers.

Dave Bittner: [00:08:46:16] And, finally, there's a new frontrunner in the names-for-vulnerabilities marketing sweeps. This one, discovered and named by the jailbreakers at Pangu Lab, is called "ZipperDown." Pangu's report is a little vague on details, but they think for sure that it's "a common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected apps." They think a lot of mobile apps are probably vulnerable, but sandboxing in iOS and Android is probably a good defense against it. Still, here we are mentioning it. And why? Because Pangu called it "ZipperDown" is why. Sure, it's vulnerability research, kids, but don't fool yourself. It's also commerce.

Dave Bittner: [00:09:38:01] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics.

Dave Bittner: [00:10:08:18] VMware's White Paper on A Comprehensive Approach To Security Across The Digital Workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security, And we thank VMware for sponsoring our show.

Dave Bittner: [00:10:39:10] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had an interesting story come by, this was from WRAL TV station in Raleigh, North Carolina, and they were talking about the police managing to piece together a crime using some information from Google. Fill us in on what's going on here.

Ben Yelin: [00:11:04:03] So the city of Raleigh has been actually securing warrants from a court down in North Carolina to collect the location data of any device that was in a given location when a crime was committed. So they actually provided an example of one of those warrants in the article, and they'll give GPS coordinates. So within GPS coordinates X and Y, which devices were there, what are their phone numbers, who do those phones belong to? They can either rule people out or in as how they committed the crime. That presents obviously a lot of legal issues and potentially some major privacy violations.

Dave Bittner: [00:11:39:22] Yeah.

Ben Yelin: [00:11:40:12] Now in terms of the legal side, the city of Raleigh is actually on relatively strong legal grounds because they got a warrant. If they had just gone to Google and requested this information, and had Google complied voluntarily or even if they had sought some sort of subpoena, that I think might have created more legal difficulty. They did get a warrant, there was somebody from the judicial branch who actually approved this search and that's going to give it a little bit more legal credibility.

Dave Bittner: [00:12:10:00] It seems broad to me.

Ben Yelin: [00:12:12:06] Extremely broad. So you're absolutely right about that. The purpose of the Fourth Amendment is to have this sort of particularity so the warrant, per the language of the Fourth Amendment, identifies what is to be searched, who is to be searched, with some level of particularity. This is the exact opposite of that, right? It's not search whether individual X was in a given area at this particular time. It's searching that area to determine which individuals, which devices were contained within that area. And I think that could potentially run afoul of the particularity requirement.

Ben Yelin: [00:12:45:09] I think what the government would say is that you sort of relinquish your reasonable expectation of privacy in your location when you use your smartphone device. You have to know that your smartphone, whether you're using a Google Maps app or whether you're trying to make a phone call, is going to be able to obtain your location, whether it's through GPS tracking, whether it's just the cell phone tower that pings your phone, and because you know that, at least in the traditional view of the law, you have forfeited your expectation of privacy in that information.

Dave Bittner: [00:13:16:22] Right.

Ben Yelin: [00:13:17:12] What some of the privacy advocates said in this article, and which I think is a really important point, is that outlook might be outdated because we don't really have a choice. Just because we use a device that literally every person uses and every person basically needs for their job, their familial engagements, their political and religious affiliations, just because we have that device, that means that we're forfeiting our right to privacy and that the government can determine whether we were in a particular location at a particular time? That really rubs me the wrong way and I think it would really rub a lot of the American public the wrong way.

Ben Yelin: [00:13:54:01] So while I think because they obtained a warrant they're on, you know, higher legal ground than they otherwise would be, I think there are significant ethical dilemmas and privacy dilemmas that come with this decision.

Dave Bittner: [00:14:06:14] And how do you suppose it'll play out from here?

Ben Yelin: [00:14:09:05] Well, the issue is somebody has to have standing to challenge this in court, so, so far in the instances that the article mentions where this technology was employed, only one person has been arrested. So what has to happen is that person will go through the criminal process. If they're convicted and that conviction is based on this evidence, I think they have a reasonable ground to challenge the conviction. They could say some county judge approved a warrant for an overbroad search that runs afoul of the Fourth Amendment, and that could be a very strong basis for appeal. And that would go first to the North Carolina Intermediate Court, potentially up to the North Carolina Supreme Court.

Ben Yelin: [00:14:47:00] I think this is-- even though the issue is slightly different, we'll get a reasonable view on how the Supreme Court sees this when they come down with their Carpenter v. United States decision, which should come down sometime this spring, about whether you have a reasonable expectation of privacy in your cell site location information. So that should give us at least some guidance as to how the Supreme Court of the United States sees this issue.

Dave Bittner: [00:15:11:12] Alright, well, we'll keep an eye on it. Ben Yelin, as always, thanks for joining us.

Ben Yelin: [00:15:14:19] Thank you.

Dave Bittner: [00:15:19:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:15:39:15] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:15:48:11] Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Huh. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed, and check out the Recorded Future podcast which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:16:17:02] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.