The CyberWire Daily Podcast 4.5.19
Ep 816 | 4.5.19

Crooks use Facebook, too. Congress asks FEMA for an explanation. Card skimmers in Mexico.

Transcript

Dave Bittner: [00:00:03] An Amazon-style fulfillment model for the criminal-to-criminal market. Criminals have Facebook groups, too, and lots of friends - friends here being a term of art. Xiaomi patches man-in-the-middle problems in its phones. Defense firms organize a supply chain security task force. Congress would like FEMA to explain its privacy incident. Alleged card skimmers are arrested on other charges in Mexico. The U.S. State Department's Rob Strayer joins us to talk international negotiations about 5G security. And Mr. Assange remains in Ecuador's London embassy, at least for now.

Dave Bittner: [00:00:43] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free, no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 5, 2019. There's a great deal of reporting on the criminal underground, and it's no longer surprising to see the ways in which criminal markets resemble legitimate markets. Earlier this week, for example, researchers at security firm Bromium described a collection of servers thought to be run by the masters of the Necurs botnet. Dark Reading calls the criminal operation an Amazon-style fulfillment model. Bromium says the servers belong to bulletproof hosting providers owned by FranTech Solutions. Many of those servers are located in the U.S. state of Nevada.

Dave Bittner: [00:02:28] This particular operation uses over a dozen U.S.-based servers that host 10 malware families, distributing them for the most part in mass-marketing phishing campaigns. Some of the malware families are familiar; the Dridex banking Trojan, GandCrab ransomware and the Neutrino exploit kit are among them. Bromium believes it sees evidence of three distinct threat actors. One is responsible for email and hosting, and the other two operate the malware itself.

Dave Bittner: [00:02:59] Researchers at Cisco Talos report this morning that criminal groups are working openly on Facebook, connecting, trading and cooperating. Their activity isn't hidden but rather quite overt. Some of the groups have been operating for as long as eight years, in the process attracting tens of thousands of members. Cisco Talos says they've been able to track 74 criminal groups operating in this more or less open fashion. The members of the groups promise to do what Talos calls an array of questionable cyber dirty deeds. Those would include delivering spamming tools and services, selling and trading stolen pay card information and stealing and selling account credentials. The groups' membership, in the aggregate, Talos estimates at 385,000.

Dave Bittner: [00:03:45] Check Point yesterday announced its discovery of a man-in-the-middle vulnerability in a security application that comes pre-installed with Xiaomi phones. Check Point disclosed the issue responsibly, and Xiaomi has patched the problem.

Dave Bittner: [00:03:59] The U.S. Defense Industrial Base Sector Coordinating Council announced today that it had chartered a new group to work on ways of thwarting threats to the supply chain. The Supply Chain Cybersecurity Industrial Task Force is an example of the sort of sector coordinating council U.S. policy for protection of critical infrastructure encourages. The five founding members of the task force are familiar names, big defense integrators all - BAE Systems, Boeing, Lockheed Martin, Northrop Grumman and Raytheon. Their initial focus will be on advanced persistent threat tactics - that is, the ways in which nation-states attempt to compromise networks, devices and supply chains - on enhancing oversight and accountability and on establishing enduring industry-government partnerships.

Dave Bittner: [00:04:46] The U.S. House Committee on Science, Space and Technology has asked the Federal Emergency Management Agency - that's FEMA - to explain how FEMA lost control of disaster victims' private information. The members want FEMA to explain how the whole thing happened, what effect the incident had on the victims and what exactly FEMA intends to do to prevent a recurrence.

Dave Bittner: [00:05:08] Reuters reports that some of the evidence the U.S. collected against Huawei's CFO, Meng Wanzhou, was gathered under Foreign Intelligence Surveillance Act warrants. Charged by the U.S. with sanctions violations, Ms. Meng is in Canada fighting extradition.

Dave Bittner: [00:05:24] KrebsOnSecurity reports that the alleged head of a Romanian ATM-skimming gang has been arrested in Mexico. The police who picked the gentleman and his alleged confederate up in Cancun didn't reveal their names, but Krebs thinks they're Florian "The Shark" Tudor and his sometime colleague Nicholae Cosmin. The beef in Cancun was over an illegal firearm and $26,000 in Mexican and U.S. currency the pair had no particularly good explanation for having in their possession. The two are believed by Romanian and U.S. investigators to be strong-arming ATM technicians into installing skimmers into ATMs around Mexican tourist spots like, for example, Cancun.

Dave Bittner: [00:06:06] WikiLeaks has been tweeting that Ecuador is getting ready to show Julian Assange the door, inviting him to depart that country's London embassy. Mr. Assange could be back on the street in hours to days, if the Twitter feed is to be believed. Mr. Assange's lawyers maintain his eviction would contravene international law, and that Ecuador is only doing it because they're embarrassed by WikiLeaks' release of documents that purport to show corrupt knuckling-under to American pressure - and other stuff. Ecuador's Foreign Ministry says that rumors of expulsion are old and insulting to boot, but that Mr. Assange has been a bit of a pest - in violation of protocol, as they put it. For its part, the U.K. Foreign Ministry says, hey, Mr. Assange is a free man and can come and go as he pleases.

Dave Bittner: [00:07:00] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need To Know About Security, Orchestration, Automation And Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:08:16] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. Interesting story came by from Motherboard; the title is "Dozens of Cities Have Secretly Experimented with Predictive Policing Software." This sounds to me like something out of a movie. What are we talking about here?

Ben Yelin: [00:08:37] So this is done through a company called PredPol, or actually, a software called PredPol, I should say. PredPol stands for predictive policing; it does sound rather Orwellian. And it is in use, we've - we found out based on this Motherboard article, in major cities across the country; some big ones like Atlanta, Ga., some medium-sized ones, Modesto and Merced, Calif., and some smaller-sized ones - South Jordan, Utah. How it works is it gives police data, based on previous crime and arrest reports, as to the likelihood that a crime is going to be committed in a particular geographical area, and they now have the technology to limit that area to a 500-by-500-foot section of a city, which is, you know, relatively small. I don't know what the size of your house is (laughter), but...

Dave Bittner: [00:09:28] Yeah.

Ben Yelin: [00:09:28] That would probably, you know, be the length and width of an average house.

Dave Bittner: [00:09:33] Yeah. I mean, a city block, for sure.

Ben Yelin: [00:09:34] So obviously, this presents major civil liberties concerns, particularly because of the inputs. The data that goes into these predictive policing softwares isn't unbiased, isn't generated by a computer; it's based on past police reports that themselves have been subject to all sorts of biases - racial biases, geographical biases. And if that's the data that's being fed into this predictive tool, then the data coming out will also reflect that bias. You know, you understand it from a law enforcement perspective because, at least the way they see it, if there is a particular city block or a particular area that has seen high-crime activity in the past...

Dave Bittner: [00:10:17] Right.

Ben Yelin: [00:10:18] ...it's more likely that you're going to see high-crime activity in the future.

Dave Bittner: [00:10:21] That's the part that I'm not clear on because I can certainly see the police department getting together and saying, all right, everybody, you know, we know that, you know, New Year's Eve down by the docks is always a hotspot, so we're going to send some more officers over there that time and place. And I don't think anybody has a problem with that.

Ben Yelin: [00:10:40] Right. And I think to the extent that that's how it's used, I think that would be acceptable. I think predictors of policing for sort of broad trends - knowing the neighborhoods that are particularly high-crime might have a beneficial use, without some of these civil liberties drawbacks. When you get really granular, down to the city-block level, then you worry about individuals who have been subject to the biases of past reporting now being on constant watch and possibly being subject to false arrests, undue prosecution, just because they happen to be located in an area that's previously been subject to police reports.

Ben Yelin: [00:11:24] And you know, I think organizations like the Electronic Frontier Foundation, who've come out strongly against these types of software, those are the concerns that they've expressed, that if the inputs are not free from bias, then certainly the outputs are going to be not free from bias. I think this is your classic balancing of how much we want to protect civil liberties of individuals who happen to live in these areas of high crime - obviously, they're going to be disproportionately poor and disproportionately minority groups. So you're balancing that interest against the interest of public safety. You know, I think that's a really tough balance to strike.

Dave Bittner: [00:12:04] You end up with some kind of a feedback loop, perhaps.

Ben Yelin: [00:12:07] Absolutely, and then that gets fed into future reports. It also could perpetuate, you know, the reputations of various neighborhoods, and that in turn could lead to more crime in the future. So I think it might actually, as you say, have that feedback loop.

Dave Bittner: [00:12:24] All right. Well, it's interesting technology. Ben Yelin, thanks for joining us.

Ben Yelin: [00:12:28] Thank you.

Dave Bittner: [00:12:33] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Are log-in credentials compromised? Is that encrypted traffic malicious? Is an attacker accessing sensitive company data? Security teams need to answer questions like these every day, but without complete visibility inside your network, your investigation could take hours or even weeks, and that's assuming you were able to detect potential threats in the first place. ExtraHop helps enterprise security teams rise above the noise of their complex attack surfaces with complete visibility, real-time threat detection powered by machine learning and guided investigations into late-stage attacks. Check out their interactive demo and be the Blue Team at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:13:33] My guest today is Rob Strayer. He's deputy assistant secretary at the U.S. State Department for Cyber and International Communications Policy. He heads up a team of diplomats and public servants developing Internet and cybersecurity policy and leading negotiations with foreign governments worldwide. One of the issues at the top of mind these days is the imminent rollout of 5G technology.

Robert Strayer: [00:13:56] So we're talking to a number of countries about how very important it is that we consider security and adopt a risk-based security framework, as telecom operators in their countries implement 5G infrastructure. And in particular, we've asked them to focus on the supply chain security issue as well as part of that overall risk-based assessment of the infrastructure. We're particularly focused on and talking about how we have a concern about the ability of a government to influence vendors within a country to either disrupt communications, to alter the integrity of the data or to conduct espionage through the 5G infrastructure if it's not made secure and done with truly trustworthy vendors.

Dave Bittner: [00:14:48] And specifically, we're talking about Huawei here and the efforts to keep some of Huawei's equipment out of the build-outs for 5G around the world.

Robert Strayer: [00:14:58] Right. Well, I would say that, you know, our focus is on a sort of country-agnostic framework that we say - you know, that relationship between a government and the companies within that country, if it's governed by a relationship where there's not strong rule-of-law presence and companies are subject to extrajudicial mandates, where they cannot go to court and say that, we are governed by a statute and laws that require us to protect citizens' rights to operate in ways that are above board, then we think there are substantial concerns potentially with the vendor. Huawei, currently in the legal regime in China, would fit that categorization, in our view. That is correct.

Dave Bittner: [00:15:39] And so why the concern over the 5G build-out, specifically?

Robert Strayer: [00:15:43] As part of our discussions about the need to have security-related 5G, unlike 4G where most of the focus has been on just the availability of communications and availability of being able to use applications largely through our smartphones, you know, 5G will be completely transformative in the amount of and types of applications that will be made available through the 5G infrastructure, with its very high throughput rates and very low latency. So of course that includes telemedicine, automated manufacturing and all of the "internet of things" world that we know will be empowered.

Robert Strayer: [00:16:20] So the stakes that - related to 5G couldn't be higher, in the sense of all the sort of vital applications that we will be relying on it for become that much more critical and would put all of us and our sort of collective security interests at risk and our collective economic interests much more at risk, if they could be disrupted or the data that's flowing over those systems disrupted through a cyber means.

Dave Bittner: [00:16:45] And how successful are you, as you travel around the globe, getting other nations on board?

Robert Strayer: [00:16:51] You know, if you looked a year ago, we had, I think, a very nascent understanding of what 5G was going to be about, what 5G is going to develop into, and certainly, there was not an appreciation of the potential security risks related to the availability of the applications, to the integrity of the data and to potential espionage related - that could occur through 5G networks. So as we've done a vigorous campaign around the world to talk to governments about our concerns, as well as talking to the private sector, I've not heard a country or - and see within a country not acknowledge that there is a 5G security concern that they're now focused on. So I think we've had a great success in raising that awareness.

Dave Bittner: [00:17:35] And where does the U.S. stand in terms of its ability to lead right now when it comes to the global conversation on cybersecurity?

Robert Strayer: [00:17:43] I think we're in a great position. Our secretary of state, Secretary Pompeo, has been very engaged in raising this issue with his counterparts around the globe. We have a number of ambassadors that are talking to their host governments about the issue. We've got diplomats in posts around the world who are articulate about the digital economy and cybersecurity portfolios that they have. They sort of amplify the work that we're doing here in Washington on a continuous basis with the host governments.

Robert Strayer: [00:18:11] And you know, in the last few weeks, we've seen announcements by Germany talking about - announcing they're going to have stronger standards for 5G security. We've seen the European Union both through a resolution in their Parliament and then a council decision that resulted in a recommendation by the European Union Commission just this week on improving supply chain security related to 5G, and the European Union in fact said that they need to look at the legal system of that - of third countries where the vendors are located.

Dave Bittner: [00:18:41] And as you look forward, what are the biggest challenges that you see the State Department facing when it comes to cybersecurity?

Robert Strayer: [00:18:48] You know, there's a constant need for us to be able to articulate our vision for a stable cyberspace, which includes the importance of the applicability of international law to cyberspace, that it applies in cyberactivities just as it does in the physical world, and that countries should not be able to act in ways that undermine independence of other countries or what we call violate the principle of non-intervention, which would be obviously implicated when you interfere with the elections of another country. It's also important we just keep talking about these norms of responsible state behavior and what they mean.

Robert Strayer: [00:19:21] There's a reality that some countries are going to see it in their interest to act in ways that use cyber as an asymmetric tool that advance their interests but of course violate these norms of responsible state behavior. So we need to educate other countries about the importance of these norms and how we need to work together to hold accountable those states that would act contrary to those norms. There's tremendous legitimacy, when we act together, to attribute and eventually bring consequences to bear against nations that act contrary to those norms of responsible state behavior.

Dave Bittner: [00:19:52] That's Rob Strayer, deputy assistant secretary at the U.S. State Department for Cyber and International Communications Policy.

Dave Bittner: [00:20:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.