Dave Bittner: [00:00:03] Julian Assange remains in British custody. Hearings on the U.S. extradition warrant are expected to begin next month. The U.S. indictment revives discussion of the Computer Fraud and Abuse Act under which Mr. Assange was charged. Some notes on why Ecuador decided to revoke the WikiLeaks leader's asylum - notes on Dragonblood. Eric O’Neill joins us. He's author of the book "Gray Day: My Undercover Mission to Expose America's First Cyber Spy." And we're at the end of tax season, but the dark web markets are still hawking 1040s and W-2s.
Dave Bittner: [00:00:43] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95 percent faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough; a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:40] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 12, 2019.
Dave Bittner: [00:01:48] As Julian Assange, the face of WikiLeaks, begins his efforts to resist extradition to the U.S., observers comment on the charge he faces, which is, essentially, conspiracy to hack into a non-compliant computer in violation of the Computer Fraud and Abuse Act. Mr Assange, the U.S. maintains, offered to help the then-U.S. Army Specialist Manning crack passwords to gain access to classified files. He's not charged with espionage or with possession of classified material.
Dave Bittner: [00:02:19] Those sympathetic to Mr. Assange, like Edward Snowden, WikiLeaks itself and Britain's shadow home secretary Diane Abbott, see the indictment as a way of railroading him, especially since the offer to help then-Specialist Manning break into government systems seems more an act of stumblebum hubris than the sinister act of a criminal mastermind. It apparently didn't succeed. And it apparently wasn't repeated, but it did happen.
Dave Bittner: [00:02:46] As The Washington Post notes, many security experts have long thought the Computer Fraud and Abuse Act outmoded and overly broad. But the prosecution would not appear taken by itself to represent a threat to journalists' First Amendment rights. Besides, as former NSA Associate General Counsel April Doss told Quartz, that kind of hacking isn't a journalistic best practice. Many agree with her and see conspiring to break into a computer in search of files as analogous to conspiring to break into someone's house in search of files. It's early, of course, to guess how Mr. Assange's legal affairs will play out. He will be sentenced for yesterday's bail-jumping conviction at some time in the future. And his extradition hearing is set to begin next month.
Dave Bittner: [00:03:32] A bit more has emerged on why Ecuador decided to revoke Mr. Assange's asylum. That asylum was granted seven years ago by Ecuador's previous government, regarded as having been significantly farther left than the current administration. The present government has been unhappy with Mr. Assange's continuing involvement with Wikileaks from within the confines of their London embassy. They also say that he had become an increasingly difficult guest. More seriously and controversially, Ecuador's government says their guest was engaged with others online and connected to Russian intelligence services in attempts to destabilize that government. Mr. Assange and WikiLeaks have long been regarded as Russia-friendly. That's, of course, no crime. But the optics, as they say, aren't good.
Dave Bittner: [00:04:19] The U.S. prosecution, if it occurs, will be particularly interesting in three ways. First, the government is widely expected to be interested in adding more charges to the one already in the indictment. Speculation to this effect is particularly common in the British press. The Times of London writes about Mr. Assange facing decades in prison. They know that a single count of violating the Computer Fraud and Abuse Act would carry a sentence of, at most, five years, but they expect other counts to be added. Whether the federal prosecutors do so remains to be seen.
Dave Bittner: [00:04:52] Second, how the government handles this prosecution without running afoul of the First Amendment will be worth watching. So far, they seem to be working hard to avoid this. Third, the political implications of whatever may come out in court are unpredictable and, probably, at this stage, unknowable. But there's much cross-cutting speculation and mutually incompatible hope circulating at the moment.
Dave Bittner: [00:05:16] University researchers Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University and KU Leuven report that secure Wi-Fi protocol WPA3's SAE handshake may be susceptible to the same kind of exploitation as its predecessor, WPA2, was. One of the problems lies in the transition mode designed to ensure backward compatibility with the older protocol. They're calling the five vulnerabilities Dragonblood because they're related to the protocol's Dragonfly handshake.
Dave Bittner: [00:05:49] We heard from WatchGuard Technologies’ Ryan Orsi, the security company's director of product management. He would like people to understand that WPA3 represents an improvement over WPA2 but that it's not proof against a number of known Wi-Fi threats. Dragonblood vulnerabilities mostly affect those devices that were released with WPA3 support, and he says that manufacturers are currently getting patches out for those. How would attackers use Dragonblood? Orsi says the most probable approach would be through an evil twin access point or a rogue access point.
Dave Bittner: [00:06:23] The terms perhaps require some clarification. An evil twin access point is one established by an attacker to give the appearance of legitimate Wi-Fi access, but that, in fact, is there for eavesdropping and other illegitimate purposes. A rogue access point is one established within a network but unofficially without the administrator's permission. Rogues may be well-intentioned but misguided forms of shadow IT.
Dave Bittner: [00:06:49] Carbon Black continues to track the maturation of the dark web's black market and tax fraud and identity theft tools. They're increasingly commodified and cheaper than ever. Here are some of the things they found - hoods are trading W-2s and 1040 forms. These are, we note for our international audience, U.S. reports of wages and tax filing forms respectively. And they're also offering what Carbon Black calls how-to guides for illicitly cashing out tax returns - a kind of tax fraud for dummies. W-2s and 1040s fetch between half a buck and a dollar. Other info, an identity thief or other bunco artists might find interesting things like names, Social Security numbers and birth dates. These things can be had for between 19 cents and $62. The study is dispiriting, to say the least. Another form of petty crime with low barriers to entry afflicts the law-abiding who simply wish to leave peaceful quiet lives. As Carbon Black notes, listings include previous years' W-2 forms, form 1040 information and social security numbers, among other information, indicating that cyber criminals are not just looking to make a quick buck but also trying to steal a person's financial future.
Dave Bittner: [00:08:03] And this reminds us. Monday is April 15, tax day in these United States. And as they say in Secaucus, forget about it. We'd better get those returns in the mail, right?
Dave Bittner: [00:08:19] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:09:27] And joining me once again is Ben Yelin. He's the senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. Interesting story I came by from WIRED. This is, "Should Cops Use Family Tree Forensics?" Maryland, which is our home state, isn't so sure. What's going on here?
Ben Yelin: [00:09:45] Yeah, so there's a bill currently pending in front of the House of Delegates in Annapolis here in Maryland. And that bill would prohibit law enforcement from searching DNA databases collected through some of these public websites like ancestry.com and 23andMe. People voluntarily will submit their DNA to these websites. They are aware that this information is going into a public database, even if they're not aware that most law enforcement agencies across the country, in fact, has access to these databases to match them up against the DNA of suspected criminals. And we've seen some very high-profile cold cases that have been resolved based on data submitted through ancestry.com and 23andMe. People innocently trying to track their genealogy end up causing the downfall of some of their distant relatives.
Ben Yelin: [00:10:36] There is this case in California, I think, like, a 40-year cold case where they were able to identify the killer because his DNA was linked to someone who was doing genealogy research through 23andMe. What this bill and Maryland would do would be to prohibit our law enforcement agencies from searching those databases in an effort to solve unsolved crimes.
Dave Bittner: [00:11:02] And why? What's the concern?
Ben Yelin: [00:11:04] It's born out of privacy and civil liberties concerns. Individuals who are submitting the data are doing so with the understanding that they are doing some genealogical research and not that they're potentially subjecting their distant relatives to arrest. And it is a suspicionless search for those who have been arrested. The government didn't get any kind of warrant to conduct a search of the suspect's DNA. They were able to obtain it without any sort of judicial authorization.
Ben Yelin: [00:11:39] Now, the caveat to that is the only reason a suspect's DNA is in the system is because the DNA was obtained at the scene of the crime or in connection with the crime. For the purpose of making arrests, obviously, if somebody's DNA is in the scene of the crime or is part of a criminal investigation, they're going to be suspects in the crime. That certainly would be probable cause to justify an arrest, but the information that would have led to that arrest is obtained without any sort of judicial authorization, which in reality can be the source of law enforcement abuse if it's not checked by a warrant issued by a neutral magistrate. It has been legal in Maryland since 2008 to conduct these searches of these databases.
Ben Yelin: [00:12:26] Delegate Sydnor, who is a Baltimore delegate, son of law enforcement, so somebody who has a personal connection to the law enforcement community, is also a civil liberties advocate. And he has proposed this piece of legislation to take that tool away from law enforcement. And that would force law enforcement to use different tactics to try and solve some of these cold cases.
Ben Yelin: [00:12:51] Really, it's a values judgment. Are we more interested in having a database of DNA submitted voluntarily and DNA that has been made public to help solve crimes? Or is it more important to not have warrantless access to this bevy of information, information that was not volunteered by the person who's going to be facing the consequences?
Ben Yelin: [00:13:15] So you can see analogues in the physical world. And that's probably where courts get guidance from these issues. There was a famous case of - who was the big mafia guy who was arrested for tax fraud?
Dave Bittner: [00:13:28] Oh, Al Capone?
Ben Yelin: [00:13:30] Al Capone, yeah. I'm pretty sure it was Al Capone who - they were wiretapping somebody that he was talking to, but not wiretapping him. But he incriminated himself in that conversation. And as a result, he was put under arrest. And the Supreme Court held that you don't have a reasonable expectation of privacy when you are communicating with other people even if you're the person who is not subject of surveillance. By putting information out there publicly, it's in the public domain. And it's accessible to law enforcement. You know, I think that has some close analogues to people submitting DNA, having it be public, having it be something that law enforcement has access to.
Dave Bittner: [00:14:13] Yeah. No, it's interesting. Changing times for sure.
Ben Yelin: [00:14:17] Absolutely.
Dave Bittner: [00:14:18] All right. Ben Yelin, thanks for joining us.
Ben Yelin: [00:14:20] Thank you.
Dave Bittner: [00:14:26] And now a word from our sponsor, HackEDU. Are you looking to reduce vulnerabilities in your software? Security teams are turning to HackEDU to help them shift left and be more proactive in reducing vulnerabilities in software. HackEDU offers interactive security development training to help software developers lower the risk of vulnerabilities in code. Developers improve their ability to write secure software, boost their understanding of how software systems are hacked, and decrease the time to solve security-related problems. In addition, HackEDU's training helps meet PCI, HIPAA, ISO and NIST compliance requirements. Unlike other offerings, HackEDU uses real applications, real tools and real coding exercises to teach both offensive and defensive security, developers online and on demand. HackEDU's training approach has been shown to be more effective and more engaging than defensive training alone. HackEDU is proven to train developers. Visit hackedu.io/cyberwire and try HackEDU's SQL injection lesson free. Again, that's hackedu.io/cyberwire to try a free lesson. And we thank HackEDU for sponsoring today's show.
Dave Bittner: [00:15:53] Eric O’Neill is a former FBI counterintelligence and counterterrorism operative and founder of the Georgetown Group, a security and investigative firm, as well as national security strategist for Carbon Black. In his book "Gray Day: My Undercover Mission to Expose America's First Cyber Spy," Eric O’Neill shares the fascinating and sometimes harrowing tale of his experience being assigned to help expose Robert Hanssen, the FBI's most notorious mole. In 2001, Hanssen pleaded guilty to multiple charges of espionage for sharing classified information with the Soviet Union and Russia over the course of over two decades.
Dave Bittner: [00:16:33] My full interview with Eric O’Neill will be released this Sunday. Here's a preview of our conversation.
Eric O’Neill: [00:16:41] I wasn't prepared to investigate a spy in this manner. You know, during my entire time in the FBI, all those years, I was what's called an FBI ghost. So I was an undercover operative. I pursued terrorists and spies primarily around the Washington, D.C., area. And most of my role was to surveil and investigate targets that we suspected or knew were spies or terrorists.
Eric O’Neill: [00:17:08] And suddenly, my supervisor shows up on my house unannounced - this is the first chapter of the book - and asked me if I know a guy named Robert Hanssen. And I say no, I hadn't investigated him. And he said, good, because we want you to go undercover and investigate him. And I said, why did you have to come out here on a Sunday to tell me that? That's what I do. And he said, we don't want you to ghost him, Eric. We want you to work undercover in an office we're going to build for him in FBI headquarters. And we want you to go undercover as yourself.
Eric O’Neill: [00:17:40] For me to do this kind of role for a non-agent, I mean, I had a badge. And I had credentials. The only difference between the ghost and the agents are we don't make arrests. And we're typically not armed because it's hard to conduct surveillance when you're armed. But the problem was they couldn't find an agent who had the combination of knowledge of counterintelligence and spy-hunting, which I had from my years on the street as a ghost, and the ability to turn a computer on and understand what was happening. And I just happened to meet both of those qualifications because what we were doing is we were putting Hanssen in charge of a new section in the FBI that was built just for him was called the Information Assurance security team. It was built to examine the FBI's computerization efforts, the security behind them and build information security for the FBI. This was 2000, 2001. Today, we would call that cybersecurity.
Eric O’Neill: [00:18:39] So follow me here. They took the biggest spy in U.S. history, the first cyber spy in U.S. history and put him in charge of building cybersecurity for the FBI. And the only other person he put in the room with him to keep him from giving up these secrets and catch him in the act was a 26-year-old ghost who they pulled off the street and threw into a role that I wasn't prepared for and had to learn on the job.
Dave Bittner: [00:19:05] Eric O’Neill worked as Robert Hanssen's assistant and quickly learned to navigate Hanssen's quirky and sometimes volatile personality. In time, O’Neill saw a potential avenue for collecting evidence of Hanssen spying.
Eric O’Neill: [00:19:18] He kept a PalmPilot. And yes, I am bringing everybody back into technology. But the PalmPilot, a digital - a personal data assistant, a PDA, one of the original ones. And this was a Palm III, so it was this big clunky thing. And he kept his entire life calendared on that thing. And when I asked him about it, he said, I've written the encryption on this myself. Even these idiots - and these are his words, not mine - at the FBI couldn't crack it on their best day. I mean, wow. Come on.
Eric O’Neill: [00:19:47] So I looked at him, and I said, all right, well - and in my mind, I was thinking, we need to get this away from him. The problem was he kept it in his left back pocket because it was so precious to him. He never pulled it out of his pocket until he slid it in its bag next to his desk, and only when he was sitting down. So that's tough. I mean, how do you distract someone and get it away with enough time?
Eric O’Neill: [00:20:10] So we had to come up with this crazy plan to separate him from the PalmPilot with enough time for a tech team to copy it and allow me to put it back before he knew it was gone. So we had to physically remove it from him in a - using what we call a pretext, or in FBI speak, some shenanigans to get him away from it - sufficient time for me to get it down, copy it and get it back. So what we did is we used everything we learned about him in the investigation. He has massive, massive narcissism, which meant that he had no respect for anyone above him in seniority or in authority. He didn't like to be interrupted. And he really liked to shoot.
Eric O’Neill: [00:20:52] So we had an assistant director and a special agent named Rich Garcia, who is the only other person on the ninth floor who knew about this investigation. The two of them walk in, right? The ADIC, the assistant director, was read into the case just for this operation. And they come in unannounced when Hanssen was sitting down - that was important - slap $20 on his desk and say, you and us, downstairs, rifle range right now - $20 I beat you, right? He tried to say no, and the assistant director said, this is not a request.
Eric O’Neill: [00:21:24] So he's mad, and he walks out after them grumbling with his gun and his ear protection and eye protection and all the stuff you need to go down all the way to the subbasement and shoot. And for the first time, he breaks his routine and doesn't grab that PalmPilot. So I was really excited. I get a page saying he's in pocket shooting. So I run to his bag, open all four pockets. They're all identical. Pull out the PalmPilot. And I find a data card and a floppy disk. All that stuff has data, right? Grabbed it all, ran down three flights of steps, handed it off to a tech team using this program called Norton Ghost. So you can literally see the bar going across as they're copying this encrypted data.
Dave Bittner: [00:22:03] (Laughter) This is a walk down memory lane, yeah.
Eric O’Neill: [00:22:04] Oh, yeah. Yeah. You know, like, watching the bar like 20 percent, 21 percent.
Dave Bittner: [00:22:09] Right. Right.
Eric O’Neill: [00:22:09] And I'm dancing around. I'm so nervous. And I'm so stressed out, they throw me out of the room. So now I'm standing in the hall, and I get another page. And I look. And it says, out of pocket, coming to you. So, you know, I knocked on the door. I was, like, very polite. Hey, guys, I'm going to need that - the PalmPilot and the floppy disk and the data card. I need it now. And they're like, oh, we're almost done. Don't worry. I said, you don't understand. He's armed and I'm not. He's angry. I need to be there before him. They got it. It took a little while. I knew I had about nine minutes if the guy ran. He probably wasn't going to run up to the office, but he was going to hurry.
Eric O’Neill: [00:22:45] And I got it. I ran up three flights of steps. I slammed the big door to the skiff behind me, which saved me. I ran into his office. It was a little separate office, you know, off of my main pit area office, got to his desk, knelt down before. It felt like I won - and realized I have three devices, four pockets and no idea which pocket I was supposed to put things into - total rookie mistake. I sat there trying to figure out how I was going to remember. And I was stressed. And the more you - the more stressed you get, the worse you recall. And as I'm trying to figure this out, I hear him come through the door.
Dave Bittner: [00:23:24] The rest of the story and my complete interview with Eric O’Neill can be heard this Sunday on a CyberWire special edition. It'll show up in your podcast feed and on our website, thecyberwire.com.
Dave Bittner: [00:23:40] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIt, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:23:51] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Our staff writer is Tim Nodar. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.