The CyberWire Daily Podcast 1.16.19
Ep 761 | 1.16.19

SEC, DoJ, issue civil and criminal complaints against EDGAR hackers. Lazarus Group in Chile? Iran’s Ashiyane Forum. Cryptomix ransomware. Money laundering through Fortnite. Fake WaPo edition.

Transcript

Dave Bittner: [00:00:03] The SEC and the Department of Justice go after EDGAR hackers for securities fraud. Flashpoint sees the Lazarus Group in an attack on Chile's Redbanc. Recorded Future shares notes on Iran's Ashiyane Forum. CryptoMix Ransomware is being distributed by fraudulent charitable appeals. Organized gangs are using "Fortnite" in-game currency for money laundering. And a slickly done bogus edition of The Washington Post was being handed out in D.C. this morning.

Dave Bittner: [00:00:38] I'd like to take a moment to thank our sponsor Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyberthreats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both. You decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, you're invited to attend an upcoming webinar on Tuesday, January 29 at noon Eastern time. Visit scs.georgetown.edu/cyberwire to RSVP. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.

Dave Bittner: [00:01:38] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 16, 2018. The U.S. Securities and Exchange Commission has entered a civil complaint against nine defendants in connection with the 2016 hack of the SEC's EDGAR reporting system. The alleged hackers are a global lot, hailing from Ukraine, Russia and California.

Dave Bittner: [00:02:03]The SEC says the defendants made about $4.1 million through illicit trading in non-public information. That's a lot more than they made with legitimate trading. The SEC points out that the hackers turned their attention to EDGAR after previously seeking, with some success, to gain early access to public relations news release outlets, where companies commonly stage announcements for release. Even a brief period of unauthorized access can be exploited to gain a trading advantage.

Dave Bittner: [00:02:35] In a parallel action, the U.S. Justice Department indicted two gentlemen from Kiev, both also named in the SEC's action, on 16 counts of securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud and computer fraud. The two conspirators, we note with sadness, are in their mid-20s.

Dave Bittner: [00:02:58] Researchers at security firm Flashpoint have found the Lazarus Group's tracks in last month's attack in Chile's Redbanc. It was a social engineering attack with job-offering phish bait. The Lazarus Group is widely associated with the North Korean government. There's always the possibility of code sharing or criminal false flags. But the operation seems consistent with much of Pyongyang's financially motivated hacking.

Dave Bittner: [00:03:25] Recorded Future's intelligence service, the Insikt Group, this morning published a report on the Ashiyane Forum, a large and growing Iranian security forum that's playing an increasingly important role in Iran's burgeoning cyber-offensive capabilities. Its influence, Recorded Future notes, will be seen not only in operations carried out at the direction of the Islamic Republic but in the criminal underground as well. Security firm Coveware is outlining an unusually cruel and repellent CryptoMix Ransomware campaign.

Dave Bittner: [00:03:57] This one spreads by emails representing themselves as coming from a charity devoted to helping children who suffer from cancer. Charity is bogus, but the children used as phish bait are all too real. Coveware says, quote, "the ransom notes go so far as to include the names, diagnosis and even pictures of young children that the ransom payment will support. The information appears to be lifted from crowdfunding websites and local news stories that raise genuine awareness and funds for a specific child's treatment," end quote. May the social engineers behind the current CryptoMix infestations receive their legal comeuppance - good hunting to law enforcement agencies.

Dave Bittner: [00:04:42] Email continues to be an attractive target for bad actors, thanks, in part, to its ubiquity and antiquity. Kevin O'Brien is CEO and co-founder of GreatHorn, an email security company. And he thinks it's time to rethink our approach to email protection.

Kevin O’Brien: [00:04:59]You're dealing with a system that's 47 years old, that has been used for pretty much every business purpose imaginable. And so it is also one of the primary ways in which most cyberattacks begin.

Dave Bittner: [00:05:12] So what do you propose here? Is it a matter of training the users to detect these things or do we need to stop them from getting to them in the first place?

Kevin O’Brien: [00:05:22]It's a little bit of everything. But training is a compliance move, right? And security is not compliance, and vice versa. It is important that a business invests in security or in its training. But you put your finger on something very interesting in asking the question the way that you did. You said, do we need to stop them from getting to users in the first place? And the answer is, we can't. And that idea that we will establish a perimeter and utilize it to keep bad things out is a notion that, for the most part, the cybersecurity industry has moved past in every other permutation of security technology. We don't talk about perimeter security when we think about investing in a cloud access security broker technology - a CASB.

Kevin O’Brien: [00:06:09]We still have this outdated idea that a binary system that says, that's bad; don't deliver it, but let it through, is sufficient. It isn't, and that's where the opportunity lies for organizations to take a email security lifecycle philosophical shift approach and say, we're going to change the paradigm.

Kevin O’Brien: [00:06:29]We're going to look at email and think about - sure, some pre-delivery stuff where we can block the known bad emails from reaching users. But we're going to integrate into our security posture incident response, rapid remediation and purposeful security for email, not try to take network technologies and gateway approaches to a system that no longer works that way because we're not running network devices or email any longer.

Dave Bittner: [00:06:56] So describe to me in this scenario, what would happen? If a bad email made it into my inbox and I click the link, what happens next?

Kevin O’Brien: [00:07:06]The risks are that an attacker says, I'm going to go after the CyberWire podcast. And I'm going to listen to their guests and say, oh, they're speaking with this guy named Kevin O'Brien. So my attack will impersonate Kevin O'Brien and say, oh, we've got this podcast coming up. I have some notes to share with you before we get into the podcast recording.

Kevin O’Brien: [00:07:26]They send you a link to a WordPress site that they compromised a week ago but they haven't done anything with yet. They then deploy a phishing kit to it 15 minutes after you get the message because that link was safe when it was originally received by you. It went to - I don't know - somebody's blog. And that deployed phishing kit isn't made active until after it's reached your inbox.

Kevin O’Brien: [00:07:50]There is no ability to say, that's a bad email. It wasn't bad until it was weaponized later. The answer here is a heuristic approach, which says, if we were to categorize all the mail that the CyberWire podcast team receives, how many of those messages from this fictional Kevin O'Brien come from address A? And now you've gotten a message from Kevin O'Brien. Is it really from that same sending address? This URL you just received, is it amazon.com or is it a fairly unusual WordPress site? And if we plot that against a huge corpus of data of many podcasters in this scenario that we're playing out, how many of them have gotten a link like this one? Is this unusual? And if it's statistically unusual, it's not the case that it's bad. It's just unusual.

Kevin O’Brien: [00:08:41]But we can now start to layer in additional security so that when you do click on it, maybe we run it in our browser isolation mode. Maybe we don't let you directly interact with it. If it's asking you for your credentials, people are smart enough to say, this looks like a credential theft attack. And we're not going to let you go and put those credentials into that site. But here's the workflow that you can speak to your team if you think this is legitimate. We can use those same concepts, different implementation, for things like links and emails. And that's, I think, where the future starts to go. This is how you start to modernize email security.

Dave Bittner: [00:09:16] That's Kevin O'Brien from GreatHorn. If you really must play "Fortnite," Check Point recommends enabling two-factor authentication on your account. There's account hijacking afoot, much of it enabled by dodgy sites promising ways of accumulating V-Bucks, in-game currency, at a discount. European Union Anti-Corruption warns that "Fortnite" with its V-Bucks is growing increasingly popular with organized crime as a money laundering medium. So don't - don't - buy in-game currency at a discount. You're helping criminals. Consider satisfying your urge to trade for the wherewithal to buy loot boxes by doing the "Fortnite" dance instead. It will be better for your health, too. Put down that controller and dance.

Dave Bittner: [00:10:04] There's been much concern lately about deepfakes and the threat they could pose to news media, organizations and, really, all kinds of people. There's been a relatively shallow but nonetheless pretty slick fake in circulation around Washington this morning. The Washington Post warned a little before 8 this morning local time that phony print editions of the paper announcing President Trump's resignation were being circulated around Washington. The announcement came via Twitter, posted by The Post's PR department. The screamer headline in the false edition reads simply "Unpresidented." The Post also tweeted that they think there may have been imposter websites established.

Dave Bittner: [00:10:45] Comments on The Post's tweet are surprisingly unsympathetic. A few of them remarked, in effect, that you'll be able to recognize any bogus site by its not being sequestered behind a paywall. One asked the twitter account to hold up a copy of today's times so that we'll know it's really you. They didn't say whether it was The Washington, New York, London or Los Angeles Times. The Hill says that activists are handing out copies of the bogus paper at numerous locations around the capital. The Post itself is pointing to a Facebook video Code Pink posted to its site, showing the left-oriented group's founder passing out the papers.

Dave Bittner: [00:11:23] The progressive advocacy group Move On, according to the Hill, says that it wasn't responsible for the fake but that it approved. Those who like the fake - and a quick look at reaction suggests to us that journalists aren't generally fans, at least not so far. They point to the edition's date, which is May 1 of this year, as enough to flag it as satire. So it's not really fake news or propaganda or any of the other forms of information operations that have been so widely excoriated in recent months, says them. Just satire - right?

Dave Bittner: [00:11:58] Whoever put the issue together had a pretty good grasp of The Post's visual style and either a respectable staff or a whole lot of time on their hands or both. They also had access to a good four-color press. And those things aren't exactly available at the checkout line in your local Royal Farms. Sure, they're a more easily obtained piece of infrastructure than, say, one of the turbines used in electrical power plants. And they're not just lying around in some untraceable form. We think it's safe to predict this bit of news. Expect there to be litigation. And that's no fake.

Dave Bittner: [00:12:33] Finally, we close with a brief notice of farewell to one of the last of the Second World War's Code Talkers. The Navajo Nation has announced the passing of Alfred K. Newman in New Mexico over the weekend. Mr. Newman, who died at the age of 94, served in the 1st Battalion, 21st Regiment of the 3rd Marine Division between 1943 and 1945. Our condolences to his family, and our thanks for his service - semper fi.

Dave Bittner: [00:13:08] And now a word from our sponsor Virtru. Virtru is a data privacy company that protects your organization's data wherever it goes. Using a data-centric security approach, Virtru brings persistent protection and control to the platforms where your data is stored and shared, including Microsoft Office 365 and Google G suite. Now, I know what you're thinking. What makes this different from any other data protection tool? Well, have you ever tried to protect data from inside your perimeter? It's hard, but Virtru makes it easy by not only encrypting at the data object level but also by giving you the ability to track where your data is shared. Revoke access, maintain audit visibility and host your own keys. So you don't have to trust third-party services to keep your data safe. Virtru helps protect thousands of companies data, including HBO, WeWork and The Associated Press. And for a limited time, they're providing our listeners a free copy of Forrester's 14-page report on the future of data security and privacy. Get your copy at virtru.com/cyberwire. That's virtru.com - virtru.com/cyberwire. And we thank Virtru for sponsoring our show.

Dave Bittner: [00:14:33] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. We had an article come by recently. This is from Forbes, written by Thomas Brewster. And it was titled "Feds Can't Force You to Unlock Your iPhone With Finger or Face, a Judge Rules." What's the latest here?

Ben Yelin: [00:14:53] Yeah, so it's really a fascinating set of legal decisions. This was a ruling from a California judge. My native California always seems to produce some of the most notable digital privacy rulings, and here we are again. And that judge ruled that law enforcement cannot force an individual to unlock their iPhone using facial recognition, using fingerprints, et cetera.

Ben Yelin: [00:15:17] And the justification was that this is a violation of the Fifth Amendment right against self-incrimination. Now, where I think this gets complicated is that the Fifth Amendment traditionally has only applied to testimonial evidence. So, for example, you can't be forced to testify against yourself at trial. That would be a very clear Fifth Amendment violation.

Ben Yelin: [00:15:41] However, that doesn't apply to other types of evidence, like, for example, presenting yourself as part of a police lineup. You don't have a Fifth Amendment right against self-incrimination when it comes to that. So we've had this sort of nebulous, unclear set of judicial decisions. There's been sort of an argument as to whether facial recognition falls under that testimonial evidence or whether it falls under more, like, a police lineup, where you're not actually testifying. You're simply just showing your face and seeing if somebody can recognize it.

Ben Yelin: [00:16:17] The reason this is complicated as it relates to digital devices is previous courts have ruled that entering in your passcode or using a thumbprint does count as testimonial evidence for the purposes of the Fifth Amendment. Facial recognition, in terms of its ability to unlock an iPhone, does the - performs the exact same function as a thumbprint and entering a passcode. So there's really no practical difference.

Ben Yelin: [00:16:42] I think what this judge was saying is since there is no practical difference, why should there be a legal distinction between facial recognition and one of the other methods used to unlock a device? And I think that's compelling. I think facial recognition as a means to unlock a phone more closely hews to testimonial evidence because it's, you know, revealing something personal about oneself. You know, all of the data that is stored on a person's smartphone or device, rather than a means to just recognize somebody, which is, I think, what the previous case is about, police lineups were about - this court case has gone against some previous rulings.

Ben Yelin: [00:17:27] We discussed on article that came out in September where a judge allowed the federal government to force somebody to unlock their phone using facial recognition. I think what that indicates is there is going to be a real circuit split among our judicial circuits. And this is a very unsettled question because it kind of falls in between two areas of Fifth Amendment jurisprudence.

Dave Bittner: [00:17:52] So where does it go from here? First of all, how does this affect the entire nation? Does this apply nationwide? And then do you suppose this will make its way to the Supreme Court?

Ben Yelin: [00:18:03] I think it's possible it makes its way to the Supreme Court. There's no nationwide applicability to this decision. It's not like there was a nationwide injunction. This is not binding precedent on any of the other circuits outside the 9th Circuit, where it was decided in the Northern District of California. It's certainly persuasive to some other judges that might be considering these cases.

Ben Yelin: [00:18:25] This is something that's going to become more and more ubiquitous. There are a lot of cases where there's going to be very compelling evidence contained on personal devices. And that means, you know, especially as the iPhone X becomes one of the most prominent cell phones on the market and future editions of the iPhone - perhaps other devices use facial recognition as a tool to unlock the phone - you're going to get a lot of cases where that's the only ticket for law enforcement to get access to that data.

Ben Yelin: [00:18:56] I think there's indication that this case is going to get appealed. That would go to the 9th Circuit Court of Appeals. And I think it's definitely the type of case that you could see at the Supreme Court just because it's straddling two different lines of cases dealing with the right against self-incrimination. It's compelling to me, at least, that there's - since there's no practical distinction between using a thumbprint or using a passcode to unlock a device between simply showing your face, you know, that leads me to believe that there should be no legal distinction, as well. And I think that's something we'll have to see the Supreme Court wrestle with.

Dave Bittner: [00:19:35] All right. Well, we will keep an eye on it. Time will tell, of course. Ben Yelin, thanks for joining us.

Ben Yelin: [00:19:40] Thank you.

Dave Bittner: [00:19:45] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.