Tracking the impresario behind Collection#1. OceanLotus and a new downloader. CookieMiner malware afflicts Macs. Huawei's prospects. Influence ops. Extortion by bluff.
Dave Bittner: [00:00:03] Collection #1 looks like the work of an aggregator who goes by the name of C0rpz. OceanLotus is working on a new downloader. CookieMiner malware is poking around in Macs. Huawei continues to receive harsh security scrutiny internationally, even as it seeks to position itself as a 5G leader. Russian influencers begin to attend to Venezuela. And if someone says they've got a video of you looking at things you shouldn't, they probably don't.
Dave Bittner: [00:00:37] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:40] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 4, 2019.
Dave Bittner: [00:01:48] Security firm Recorded Future has been looking into Collection #1, as well as Collections #2-5, and its researchers believe they have a line on the individual responsible for Collection #1. It appears to be a cybercriminal known by the nom-de-hack C0rpz. There are other names out there who've hawked Collection #1 for sale in various dark-web markets. The one who calls himself Clorox is a poseur, not the person who pulled the material together. The one who goes by Sanix is a reseller who bought the data dump and is now offering it to others. ZDNet points out that Mr. C0rpz, like Clorox and Sanix, is probably at most an aggregator, not a hacker who accomplished the breaches in the first place.
Dave Bittner: [00:02:33] The Collections have, by all appearances, been pulled from past data exposures, and there's little new there. These data dumps are useful reminders of the importance of good digital hygiene, and they should inspire people not to reuse passwords and to change passwords that may have been exposed. But they're not grounds for panic. Those who continue to reuse passwords that they established several years ago can expect to receive the attentions of criminals conducting credential-stuffing attacks.
Dave Bittner: [00:03:03] Suggestions last week that there would be a demand-side push against users of Webstresser after supply-side action against the booter service seemed to be borne out. Krebs on Security reports that Europol is preparing to bring legal action against 250 users of the shuttered DDoS-for-hire service. U.S. authorities have also noted that hiring a service like Webstresser would typically also constitute a violation of U.S. law.
Dave Bittner: [00:03:31] Palo Alto Networks' Unit 42 reports that the Vietnamese threat group OceanLotus - that's APT32 - has deployed a new downloader, KerrDown. It's typically distributed either through a malicious macro in a Microsoft Office document or by a RAR archive with some DLL side-loading.
Dave Bittner: [00:03:51] Security firm Malwarebytes is tracking a new strain of malware. They call it CookieMiner. It steals browser cookies associated with various online wallet services and cryptocurrency websites. It can also pick up, as Bleeping Computer reports, passwords, texts and credit card credentials, particularly any stored locally in either Safari or Chrome browsers. Palo Alto's Unit 42 has also been tracking CookieMiner. The researchers there list some of the cryptocurrency exchanges the malware's interested in - Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet and any website that uses the word blockchain in its domain name. CookieMiner affects Macs, like the possibly related DarthMiner and LamePyre malware strains identified last December. CookieMiner uses the Empire backdoor to establish persistence and command-and-control channels.
Dave Bittner: [00:04:48] Huawei receives harsher scrutiny as a potential security risk in both Canada and the U.K. In the U.K., as The Times of London reports, the discussion is mixed, with recriminations over the government's alleged failure to take warnings from various defense experts of Huawei-enabled espionage seriously when it received them six years ago. The Telegraph is also reporting that the soon-to-be-released annual report from the U.K.'s Huawei Cyber Security Evaluation Center - that's a working group within GCHQ's National Cyber Security Center - will be highly critical of the telecom equipment manufacturer's ability or willingness to address the security concerns the center raised last year.
Dave Bittner: [00:05:29] Huawei has committed to spending about $2 billion to allay the concerns that earlier report raised. But, says The Telegraph, sources in a position to know say that the reality of their effort has fallen far short of the promises. In Canada, any prospective role Huawei may play in that nation's 5G network remains a matter of public debate, and the company's CFO remains in or around Vancouver, awaiting the outcome of proceedings that would extradite her to face criminal charges in the U.S. It's an open question whether the company's early advantage in 5G technology will enable it to ride out the international backlash over security.
Dave Bittner: [00:06:10] On the one hand, Huawei's devices have a reputation for low cost and solid performance. And the company is an influential player on standard-setting bodies that will have a lot to say about the shape 5G technology will assume. On the other hand, if the Five Eyes' suspicion of the company continues, as it seems likely to do, that participation and influence may not translate into commercial viability, let alone market dominance.
Dave Bittner: [00:06:37] If the Russian media mouthpiece RT is any indication, Moscow's information campaign concerning Venezuela would seem to have begun. The outlet warns that U.S. military intervention may be imminent and would be easy for the U.S. to undertake. Interference in Venezuelan internal affairs would grossly violate international law, says Mr. Putin, because countries shouldn't fool around in other countries' internal affairs. Yet somehow, one doubts this means President Maduro's bodyguard of green men is likely to be repatriated to spend their Vopper (ph) coins in the Arbat any time soon. We do hope that Venezuela's suffering is soon alleviated, but be wary of how the conflict is treated in social media over the coming weeks.
Dave Bittner: [00:07:25] Finally, there's a new wave of extortion attempts that's been running since the middle of last month. The victims receive an email saying that the emailer - you don't know me, as the extortionists invariably introduce themselves - has caught the recipient using an adult content site, and they have webcam video of such use and that they'll release that webcam video to friends, family, colleagues, employer and so on if they're not promptly compensated in Bitcoin. This is a case in which a little bit of knowledge can be dangerous.
Dave Bittner: [00:07:56] The extortionists say they've got the victims' passwords from a data breach. Well, there've been a lot of those, haven't there? After all, there's Collection #1, Collection #2 and so on. Who's to say they don't have those passwords? And who knows what they now have access to, or so thinks the nervous victim. But remember, the guilty flee where no man pursueth. It's a pure scam. They've probably got nothing. If you get one of those emails, delete it and get on with life.
Dave Bittner: [00:08:30] And now a word from our sponsor, KnowBe4. You know, email is still the No. 1 attack vector the bad guys use, with a whopping 91 percent of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer, Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways to watch the webinar. That's knowbe4.com/10ways, and we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:09:45] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intelligence team. Rick, great to have you back. We recently had some news coming out of Australia - some new legislation there. Can you bring us up to date? What's going on?
Rick Howard: [00:10:03] Yeah, Australia's House of Representatives passed a telecommunications assistance and access bill for 2018. It's also known as the anti-encryption bill. They did it at the beginning of December. And if the upper house votes in support early in 2019, which it is expected to do, law enforcement with the proper warrant could force companies like Google, Facebook, WhatsApp, Signal and other tech giants to help them access encrypted communications. And if they don't, these companies could face massive financial penalties.
Dave Bittner: [00:10:35] So where do you stand on this? Are you for this or against this?
Rick Howard: [00:10:39] Well, let me just say that I am sympathetic to the law enforcement problem not just in Australia but all around the world. You know, Newsweek reported last year that half of all internet traffic is encrypted, and that stat will likely go up over time. And within the encryption apps like WhatsApp and Signal, criminals and other ne'er-do-wells can block their communication traffic from prying eyes with ease.
Rick Howard: [00:11:00] The Australians and, indeed, all the Western law enforcement agencies claim they need this capability for national security - that it is an essential tool to fight serious offences such as crime, terrorist attacks, drug trafficking, smuggling and sexual exploitation of children. I don't disagree. Nobody wants to hamstring our law enforcement organizations by allowing the internet to go dark on them.
Dave Bittner: [00:11:22] Yeah, but, obviously, this bumps up against privacy concerns.
Rick Howard: [00:11:26] Exactly. I get that question everywhere I go. So here's a couple things that come to mind. Do we want our governments to have this kind of power when the average citizen has no mechanism to check for potential abuse of it other than a note from our leader saying, trust us, we're here to help, right? Do we want that, right? Or do we want our governments to mandate that we give them that power when even the tech giants don't know for sure how anything they might do to accommodate law enforcement might weaken the privacy of even the average citizen?
Dave Bittner: [00:11:53] All right, but where's the happy medium here? I mean, how do we choose? Do we prioritize privacy over security?
Rick Howard: [00:12:00] Not at all. Listen, in the U.S., in the preamble to the Constitution, it says, to establish justice and secure the blessings of liberty. And most constitutional scholars say that although the Constitution does not say that privacy is a right explicitly, that last bit about blessings of liberty is about our right to privacy. But the Fourth Amendment does say that the people should be secured against unreasonable searches and seizures.
Rick Howard: [00:12:26] The point is this; in the U.S., privacy does not trump security. The two ideas are in tension with each other, either by design or by luck. The U.S. Founding Fathers gave neither idea dominion over the other. They're supposed to be in balance.
Dave Bittner: [00:12:42] Yeah. I mean, it strikes me that people sort of take sides with this. And they have very almost tribal positions when it comes to which side of this they choose to be on.
Rick Howard: [00:12:54] Yeah. And it's worth noting that we've been here before, right? So back in the early 1990s, the U.S. was having this debate for the first time. Diffie and Hellman published their famous key exchange paper back in 1975. And the RSA boys - Rivest, Shamir, and Adleman - published their famous encryption paper in 1978.
Rick Howard: [00:13:12] This was a giant milestone, by the way. Before Diffie and Hellman and the RSA team, encryption was purely a government function. But by 1986, the RSA company had started selling encryption software to the commercial space. And by 1991, Phil Zimmermann had released his PGP - Pretty Good Privacy - software to the world for free.
Rick Howard: [00:13:33] The NSA panicked because they thought they were losing a rich source of intelligence and convinced the Clinton administration to mandate the inclusion of something called the Clipper chip into all computers. Now...
Dave Bittner: [00:13:45] Right. Yeah, I remember that.
Rick Howard: [00:13:46] You remember this debate.
Dave Bittner: [00:13:47] Yeah, yeah.
Rick Howard: [00:13:48] Now, the Clipper chip was going to provide encryption services to the masses, but the catch was that it would also keep the encryption keys for all citizens in escrow in case the government needed to break the encryption for law enforcement and intelligence purposes. Now, this scheme failed for lots of reasons. And if you want to learn about the details, check out Steven Levy's book called "Crypto." He chronicles the entire process, and the Cybersecurity Canon project inducted his book into the hall of fame two years ago.
Dave Bittner: [00:14:16] Steven Levy's one of my favorite authors.
Rick Howard: [00:14:18] I know. He's just fantastic. He actually came out to the ceremony and gave a great speech. He's fantastic. But here we are again in 2018 with Western governments seeking a way to break encryption inside of commercial products. The Aussie approach is this anti-encryption bill, and it seeks to place security as more important than privacy. It isn't, but it seeks to pull the conversation to that side.
Rick Howard: [00:14:40] The question for the privacy advocates is this - what would you want in return for giving the government this kind of power? What kind of rules would you want in place to make sure the government cannot abuse this power or did not unknowingly weaken the privacy of the general citizen? Now, I got a couple of thoughts here, Dave.
Dave Bittner: [00:14:57] Rick, you always have thoughts.
Rick Howard: [00:15:00] It seems to me, too, that this debate - we never hear from the other side - right? - about what would we want? It's always - on each side, it's, no, or, yes. It has to be one. It's a complete thing. And how about a little compromise here? So if I was going to offer a compromise, there'd be two things I'd want to consider, right?
Rick Howard: [00:15:16] First, I'd want complete transparency of the process - right? - regular publication of how many times the law was used, for what kind of crimes and how many times that having access actually resulted in a conviction of a criminal or the prevention of a terrorist attack. I'm not looking for classified information here. I'm just looking for stats and metrics that show that the program is working. This all should be public knowledge.
Rick Howard: [00:15:42] And the second thing is I want this built into the law - a regular reassessment of the program. Let's say we build a law with a regular reassessment by lawmakers, call it every 10 years, where they look at the stats with the purpose to determine that neither security nor privacy is more powerful than the other, that the system, as designed, does not break the average citizen's privacy, nor does it keep law enforcement in the dark. I think with these two ideas, we can get out from in-between this, you know, debate on both sides where nobody is budging an inch.
Dave Bittner: [00:16:13] Well, I admire your optimism on it. I can't say that I feel as hopeful as you do that we can find that happy place in-between. It seems like folks are pretty well dug in, but certainly thought-provoking. And as always, Rick Howard, thanks for joining us.
Rick Howard: [00:16:30] Thank you, sir.
Dave Bittner: [00:16:35] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:17:16] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.