The CyberWire Daily Podcast 2.11.19
Ep 778 | 2.11.19

Cryptojackers gone wild. Attempted hack of Australia’s Parliament investigated. Huawei security concerns continue. Russia tests Internet autarky. Prosecutors investigate alleged blackmail.


Dave Bittner: [00:00:00] Hey, everybody, just a quick reminder that if you'd like to show your support for the CyberWire podcast, you can do so in a number of ways. Of course, you can go on over to our Patreon page. That's and become a supporter there. The other great thing you could do is go over to iTunes and leave us a review. That's a great way to help people find our show, find out what we're all about. We do appreciate it. Thanks.

Dave Bittner: [00:00:24] Clipper malware is ejected from Google Play. A different cryptojacker is kicking its competitors out of infected machines. Australian authorities continue to investigate the attempted hack of parliament with Chinese intelligence services as the prime suspects. How do you solve a problem like Huawei? Russia prepares to test its ability to disconnect from the internet in the event of war. And prosecutors investigate alleged blackmail by below-the-belt selfie.

Dave Bittner: [00:00:58] It's time to take a moment to tell you about our sponsor Recorded Future. They help security teams make more confident decisions faster. Recorded Future's technology automates broad collection and analysis of cyberthreat data and delivers the rich, external context you need to understand alerts and emerging threats. With real-time threat intelligence from Recorded Future, security teams respond to threats 63 percent faster and find undetected threats 10 times quicker. Recorded Future integrates with the security products you already use making the intelligence you need accessible and relevant. Use it to improve your security operations, incident response, vulnerability management and much more. If you're facing challenges like the cybersecurity skills shortage or more alerts than your team can handle, consider Recorded Future threat intelligence. To get started, go to and sign up to receive free threat intelligence updates from Recorded Future. The insights are timely, solid and always on the money. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:06] The CyberWire podcast is made possible in part by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at

Dave Bittner: [00:02:28] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 11, 2019. Clipper malware, the kind of malicious code that copies and exfiltrates the contents of a clipboard, has been found in the Google Play store. ESET blogs that it's discovered a strain of the malware, which it tracks as Android/Clipper.C, impersonating MetaMask. MetaMask is a legitimate app that allows a user to run Ethereum DApps in a browser without the necessity of operating a full Ethereum node.

Dave Bittner: [00:03:03] The clipper malware targets Ethereum users. It copies their wallet address from a clipboard, which is usually where such addresses are kept since they're complicated and effectively impossible to remember otherwise. The malware attempts to steal alt currency credentials. And it also replaces the wallet address in the user's clipboard with an address that leads to the attacker's own wallet. Google removed the bogus app after ESET reported the infestation on February 1.

Dave Bittner: [00:03:32] There's another relatively new altcoin threat out there, too. Trend Micro warns that the XMR-stak Cryptonight cryptocurrency miner is not only active in the wild - specifically in the Linux ecosystem - but that this particular cryptojacker is deeply anti-competitive from a black market point of view. It looks for competing coin miners and other Linux malware on the systems it infects and then disables them, the better to hog the victim's processing resources for itself.

Dave Bittner: [00:04:02] Chinese intelligence services remain prime suspects in the Australian parliament hack, the Australian Broadcasting Corporation says. The attempt, which is regarded as having been largely unsuccessful, remains under investigation. Suspicion of the Chinese government is based largely on form, a combination of a priori probability and the tactical similarities between this most recent incident and earlier attacks that had been attributed to China.

Dave Bittner: [00:04:29] This doesn't, of course, amount to more than circumstantial evidence. And forensic investigation will take some time. Industry reaction has followed, for the most part, a line of, see, we keep telling you no one is immune, and here we go again. The Chinese Embassy in Canberra has yet to comment, but one can reasonably expect the customary denials.

Dave Bittner: [00:04:51] Opinion among the Five Eyes and many of their allies continues to run strongly against Chinese device manufacturers and especially against Huawei, whose industry leadership and market penetration make it particularly worrisome as a potential security threat. U.S. President Trump is widely expected to sign an executive order that would effectively constitute a broad ban on Chinese manufacturers from participating in U.S. mobile networks.

Dave Bittner: [00:05:18] Fortune and others report that the executive order may come as early as this week. Such an executive order has been discussed openly at least since the last week in December. U.S. Secretary of State Pompeo will take up Huawei with Eastern European governments during an upcoming tour.

Dave Bittner: [00:05:36] The University of California, Berkeley has announced its intent to further restrict research collaboration with Huawei. But in many places - notably the EU and Australia - attempts to wall off Huawei from participation in R&D products have proven more porous than official rhetoric might lead one to believe. For its part, Huawei continues to say it's baffled by the suspicions it faces. But in a continuing charm offensive, the company also says it's open to supervision by the European Union.

Dave Bittner: [00:06:07] Microsoft Security Response Center said at the BlueHat conference in Israel last week that risks from delaying one of its patches by even 30 days are now lower than the risk of being hit by a zero-day. Zero-days are also now much more likely to be used in highly targeted attacks than they are in mass public campaigns. These developments reflect a shift in attacker culture, approach and capability.

Dave Bittner: [00:06:32] Microsoft also credits its own improved product security with responsibility for the change. It's harder to weaponize a patched bug now than it used to be. And the company also thinks that a better set of defaults - firewall on and so forth - have helped, too. Redmond did add that you'll still get hit if you disregard patching for too long - that is, eventually, the skids will get around to you.

Dave Bittner: [00:06:57] Russia will proceed with a test of the autarchic internet its proposed Digital Economy National Program mandates. ZDNet calls it a plan to disconnect from the internet, which, in a way, it is. But in fairness, it also seems a measure designed to give the country's online infrastructure the resilience to cope with full-on cyberwarfare. No date has been announced, but the test is expected to be complete before April. The beginning of April is the deadline for comment on the Duma's proposed law.

Dave Bittner: [00:07:28] U.S. federal prosecutors are looking into allegations the National Enquirer attempted to blackmail Amazon founder Jeff Bezos. The Enquirer strongly denies that what it did amounted to blackmail, although the emails Mr. Bezos released in his blog late last week do appear to contain the sort of quid pro quo associated with blackmail. Stop the properties you own, like The Washington Post, from doing certain things and the below-the-belt selfies we've got need never see the light of day. The text of the emails, in some respects, reminds one of a nondisclosure agreement. But, of course, the communication from an attorney would be likely to fall into that genre.

Dave Bittner: [00:08:08] Saudi Arabia, which had been mentioned in press speculation as having played a role in the matter, presumably because it resented The Washington Post's coverage of Jamal Khashoggi's murder, said over the weekend that it had nothing to do with the Enquirer's emails and knows nothing of the affair. So how did Mr. Pecker's Enquirer get Mr. Bezos' below-the-belt selfies?

Dave Bittner: [00:08:29] Speculation about presidential operatives or the wheels within wheels of the deep state is always attractive to those who frequent this 18th-century coffeehouse we call the internet. But getting a hold of an emailed selfie isn't really all that mysterioso. As a Security Boulevard blog post from Errata Security very reasonably points out, there are lots of ways an enterprising sleaze hound can lay their virtual if grubby hands on these sorts of things.

Dave Bittner: [00:08:56] Well, hey. You might object. Surely, a new-economy billionaire like Mr. Bezos would have solid security, right? Well, sure. Maybe. But as Errata's post observes, such selfies usually have recipients. And maybe they're not so secure. Just ask Carlos Danger, we might add. And it's relatively easy to get into someone's email with a credential stuffing attack, especially if they, as so many of us do, reuse passwords. Get a hit from collections number one through five and Bob's your uncle.

Dave Bittner: [00:09:32] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:10:40] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, great to have you back. We had an article come by. This is from the Naked Security blog over on Sophos. And Lisa Vaas wrote this. This is about politicians blocking social media users and whether or not they're violating the First Amendment. I remember when President Trump came into office, there was a dust-up over this if - whether or not he was allowed, basically, to block people on Twitter. Well, what's going on here?

Ben Yelin: [00:11:11] Yeah. This is just a fascinating issue. So the First Amendment gives us the right to petition our government for redress of grievances. And what that means in plain English is we get to yell at politicians and tell them that what they're doing is wrong, and tell them what they should be doing. Traditionally, that's been done by calling one's member of Congress, sending letters to the White House.

Ben Yelin: [00:11:34] Obviously, things have changed in the digital age. So what this case was about was the article just calls for a bureaucrat. But it's a government official in the state of Virginia who had a personal page or a personal Facebook profile as well as a profile representing the agency that she worked for, which was the Board of Supervisors in Loudoun County, Va.

Ben Yelin: [00:11:58] A member of the public, basically, an old adversary of this bureaucrat, had written a series of complaints on this person's public Facebook page. And this member of the Board of Supervisors blocked that individual from commenting further. Now, she did end up unblocking him, so to speak. So he was actually only blocked for a relatively limited amount of time. But what the court held is that this is a violation of one's First Amendment right to petition their government.

Ben Yelin: [00:12:30] And the idea is that there's this distinction between a public forum and a private forum. So obviously, the law wouldn't allow us to go to a politician's dinner party and yell at them for voting on - one way on a piece of legislation. But when we're in a public forum or when they're performing the duties of their office, that's when that First Amendment right is applicable.

Ben Yelin: [00:12:53] So that's the distinction that courts have really drawn, whether this is a private, personal social media profile you use to conduct a person's, you know, personal affairs versus an official government page. And what the court held here is that this was an official government page - was a Facebook page representing this member of the board of supervisors. It had official government's announcements on it. That was the evidence that they had that this was an official use or a public forum.

Ben Yelin: [00:13:24] Of course, you know, the elephant in the room here is the president's use of the block button on Twitter as it relates to his personal Twitter account, @realdonaldtrump. So he argued unsuccessfully in a New York district court that his @realdonaldtrump Twitter account was a private account representing him personally. It was not an official government account, and therefore, he had the right to block individual users. And the court, I think correctly in that case, held that the way his Twitter account has evolved since his presidency began - it really is a public forum, and it's hard to argue against that.

Ben Yelin: [00:14:04] I mean, he's made personnel announcements from the @realdonaldtrump Twitter account. He's announced some very serious policy changes like, we're withdrawing from Syria - all different types of very public declarations that have taken place on his personal Twitter account. You know, and that distinguishes him from previous presidents. Like, obviously Barack Obama had an official White House Twitter account and his own personal Twitter account. But he did not use his personal Twitter account to make public policy proclamations.

Ben Yelin: [00:14:36] The 2nd Circuit - the Court of Appeals in New York is going to hear that Trump Twitter case, and we'll see if they take some guidance from this Virginia case. I mean, I think for the president's Twitter account, it's pretty clear-cut. He, through his actions, strongly indicates that the @realdonaldtrump Twitter account is a public forum. It's a place where he makes announcements about public policy, government decisions, appointments. And blocking individual users from being able to access that content, I think, is pretty much a per se violation of the First Amendment.

Dave Bittner: [00:15:12] Now, help me understand. It seems to me like there's a civility issue here. If I go to my congressman's office and I stand outside the door and I yell and scream and spew profanities and insults, isn't it within their right to eventually remove me?

Ben Yelin: [00:15:31] Yes. So there are time, place and manner restrictions that are acceptable under the First Amendment. Some of that - although this isn't universally applied - but some of that can include harassing language, obscenities, et cetera. And I think that's one of the things that President Trump has tried to argue as it relates to his Twitter account - that people are posting obscenities, offensive language. As it applies to private individuals, that's really a no-brainer. As it applies to public officials, the First Amendment is extremely strong.

Ben Yelin: [00:16:04] There are some ideas - political ideas - that cannot properly be expressed without the use of obscenities. It reminds me of one of my favorite First Amendment cases where an individual named Cohen - in the case of Cohen v. California - wore a sweatshirt to a public court proceeding that said [expletive] the draft.

Ben Yelin: [00:16:24] So the rules of the California court said you could not wear clothes with any obscenities within the courtroom. And the Supreme Court said that's a violation of the First Amendment because there's no other way to express that exact sentiment. Saying I strongly dislike the military draft or screw the draft is very different than the word that he actually used.

Ben Yelin: [00:16:47] So there are Twitter terms of service about harassment. And there are certainly time, place and manner restrictions about, you know, screaming and yelling at members of Congress. The First Amendment presents a very, very high bar. And I think standard obscenities, if it truly is a public forum, is not something that can be restricted consistent with the First Amendment. We want to have a robust marketplace of ideas.

Ben Yelin: [00:17:12] That's what our most cherished Supreme Court justices have written about as it relates to the First Amendment. And if I want to express my opinion very strongly about the president's actions in response to what is pretty clearly, to me, to be a public forum, a place where he conducts the business of our government, then the First Amendment protects that interest very, very strongly.

Dave Bittner: [00:17:39] All right. It's fascinating to see it play out, as always. Ben Yelin, thanks for joining us.

Ben Yelin: [00:17:45] Absolutely. Thank you.

Dave Bittner: [00:17:50] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security, HAH. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:18:31] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.