Pledging allegiance to ISIS, and then going forth to kill. Adware in Google Play. Context-aware phishbait. Facebook and the FTC. Server crash or exit scam?
Dave Bittner: [00:00:00] So it's my understanding that today is Take Your Kid to Work Day.
Jack Bittner: [00:00:03] Yes, it is.
Dave Bittner: [00:00:04] So, Jack, do you want to co-host the podcast?
Jack Bittner: [00:00:08] Yeah, I would love to.
Dave Bittner: [00:00:09] Let's do it.
Jack Bittner: [00:00:10] All right.
Dave Bittner: [00:00:14] Sri Lanka's investigation of the Easter massacres continues with some ISIS videos surfacing. Apps with aggressive adware are found in Google Play. Context-aware phish bait may be bringing the Qbot banking Trojan to an email thread near you.
Jack Bittner: [00:00:28] Facebook seems to think that the FTC is about to hit hard and sets money aside for a rainy day.
Dave Bittner: [00:00:34] And the Wall Street Market, a contraband souk on the dark web, may be engaged in an exit scam.
Dave Bittner: [00:00:47] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email. And every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:57] From the CyberWire studios at DataTribe, I'm Dave Bittner.
Jack Bittner: [00:02:00] And I'm Jack Bittner with your CyberWire summary for Thursday, April 25, 2019.
Dave Bittner: [00:02:07] Sri Lanka's investigation into the Easter massacre continues, as does the national state of emergency. The jihadists seem to have achieved one victory in addition to the murders they intended. The Catholic Church in Sri Lanka will suspend all services until the government can secure them. There is video out online of figures allegedly associated with the bombing pledging allegiance to ISIS. Sri Lankan authorities continue to investigate not only the bombing itself - and apparently, there was an additional bomb found that failed to be detonated - but also the issue of how they could have overlooked their own warnings of an impending jihadist action. How the attacks came to be coordinated will be an important piece of the puzzle. The Easter massacres do indeed appear to have been carefully arranged by a group of perpetrators. This isn't a case of pure inspiration of some radicalized soul deciding to strike a blow of, say, the pack at a mock howling in the hope of being heard by a lone wolf. In any case, investigation continues as authorities in neighboring South Asian countries look to their own intelligence about this class of threat.
Dave Bittner: [00:03:14] Security firm Avast has found some aggressive adware apps in Google Play. They're, for the most part, lifestyle apps. And they've achieved some 30 million downloads. Some of the apps in question are Pro Piczoo, Photo Blur Studio, Mov-tracker, Magic Cut Out and Pro Photo Eraser. They've been reported, and many are now gone. They were not only serving a lot of pop-ups, which is irritating in itself. But in doing so, they were also loading some potentially unwanted programs and draining phone batteries.
Dave Bittner: [00:03:46] Researchers at JASK are describing some context-aware phishing that distributes the Qbot banking malware. The payload is carried by an email that appears to be a reply to messages in one of the victim's existing email threads. So don't assume that just because the email came in with a reply to something Betty in HR or Bob in finance emailed you a couple of days ago that it must be legit. Think before you click.
Dave Bittner: [00:04:12] The Federal Trade Commission is increasingly looking at personal sanctions for Facebook's CEO Mark Zuckerberg. The FTC is investigating the company to see if it violated a 2011 consent decree with the commission in which the social network agreed, among other things, to both notify users and get their explicit permission when information about them is shared in any way that exceeds the privacy settings the users have established. The latest investigation was opened in 2018, shortly after the Cambridge Analytica scandal broke. Regulators are examining Mr. Zuckerberg's past statements on privacy to determine if he can be held personally responsible for a breach of this agreement. The thought of fining Mr. Zuckerberg himself has also gained support from some lawmakers, with Senator Richard Blumenthal saying such a measure would send a powerful message to business leaders across the country.
Dave Bittner: [00:05:03] Facebook's recent record of privacy mishaps is having an impact on its reputation. A Threatpost poll found that 75% of security professionals expressed some degree of mistrust in the company. Such mistrust extends to related philanthropic and educational endeavors. An online learning platform called Summit, which was funded by Zuckerberg and his wife and developed by Facebook engineers, is facing growing resistance in schools across the country from students, parents and teachers who say the technology leads to health problems stemming from too much screen time and isolation from peers. But, so far, anyway, mistrust hasn't resulted in declining revenue.
Dave Bittner: [00:05:44] Let's turn to our in-studio analyst on this Take Your Kid to Work Day. What effect is all this having on Facebook as a business, Jack? You know all about Facebook.
Jack Bittner: [00:05:53] I do, even though I prefer Instagram, which, as you know, is a Facebook property. Well, Dad, Facebook told its investors yesterday that it was setting aside 3 billion - and that's billion with a capital B - against the likelihood that the Federal Trade Commission's investigation of data abuse would go against the company. So the house of Zuckerberg seems to think that the FTC is not going to let them skate, and so they've priced in the cost of the next consent decree. People think the settlement could rise as high as 5 billion - and that's 5 billion with a big, big B. But for all that, Facebook's stock price hasn't suffered. It's even gone up because the company is reporting good revenue numbers. So, Dad, I think this shows how much money is sloshing around in Silicon Valley. It's like they found $3 billion that fell out of their pockets when they were sitting on their couch or something.
Dave Bittner: [00:06:48] If Facebook is hit with penalties in the $3-to-$5 billion range, that will exceed, by two orders of magnitude, the old record the FTC set back in 2012, when it levied a $22.5 million fine against Google for an earlier set of privacy issues.
Dave Bittner: [00:07:05] When it comes to protecting their enterprises, many organizations have come to the conclusion that detection isn't enough, and they need to implement threat hunting to seek out bad actors in their networks. Jason Mical is from Devo, a company that provides data analytics. And he advocates not only being able to hunt through your network, but being able to move through time as well.
Jason Mical: [00:07:26] If you look at the statistics of cyber breaches and what they call dwell time - dwell time is, you know, how long is this threat actually in an environment before it gets detected? Unfortunately, those dwell time statistics are still astronomically high. Even though we've got the sharing going on, we've got all of, you know, this latest and greatest technology that's available to the industry, the dwell time gets higher and higher and higher for me. So I'm sitting here to where it could be a month before I am aware that this threat was even inside my organization.
Jason Mical: [00:08:03] That's why it's critical to have the capability to ingest the threat intelligence, arm your technologies with it for real time, but also have a solution in place that enables you to go back in time in a large scope - not just 30 days, not just, you know, three weeks or whatever. I need to have a solution, a centralized or enterprise-type log management solution, to where I can keep all of my cyber data, all of my data in a centralized location for a year - right? - to where I could say, no matter what information that gets provided to me, I could immediately arm that - my solution with this intelligence and go back a year ago to see, has there ever been any traces of this threat in my organization?
Dave Bittner: [00:08:56] So forgive me - perhaps a - an awkward or a simplistic metaphor here - but I'm kind of imagining, you know, if I have a - the lobby of my building, and I come into work one day, and I notice that, you know, someone has stolen a painting off the wall, and I'm not sure when they did it, the first thing I would do is go to my security cameras and rewind and see when somebody came and took that painting off the wall. Is that the sort of thing you're talking about here, with the ability to go back in time and see when things happened?
Jason Mical: [00:09:27] It absolutely is. So, you know, I love that scenario you just brought up because it's very applicable to the cyber world as well because that's why there's technologies out there that do packet capture, as they call them - so it records all the activity that is happening on the network. Also, you know, very stringent logging capabilities - so anything that's happening on the endpoints or in the systems, it's being logged and saved and historically retained.
Jason Mical: [00:09:55] So yes, if, from a physical environment, you know, someone stole that painting, I'm going to go and look at all my CCTV cameras and hit the rewind button and see who walked in the door, who actually went into that part of the room, who touched the painting, and where did they go out - you know, what door did they leave it with? I mean, we have that same kind of thing in the cyber world. We have our doors - right? - whether it's our firewalls that are the locks on the doors, the packet captures and the - you know, the surveillance systems. I mean, they're - the data's there. What - so if you're looking at it from a physical or a virtual type of environment, the approach is exactly the same. It's just, do you have the tools in place to accomplish the goal?
Dave Bittner: [00:10:41] And then I suppose part of it is dialing in how much storage you want to throw at this situation, how far back you want to be able to go back.
Jason Mical: [00:10:50] Exactly. So that's obviously a - the critical business decision that always has to be looked at was, how important is this data to me? How long do I need to retain these specific data? Some data you might want to keep longer than the others. Some organizations, depending on what their roles and responsibilities are, by regulatory or legal requirements, they have to keep things, you know, for certain time periods, just to - you know, to be legal and compliant. So it all - it - yes, it all depends on what your business is, what your models are, and what regulatory requirements you have in your organization.
Dave Bittner: [00:11:26] That's Jason Mical from Devo.
Dave Bittner: [00:11:30] Honor among thieves? Proverbially, there is none. And so the proprietors of the dark web contraband market Wall Street Market seem to have scampered. Infosecurity Magazine and others are calling it an exit scam. Here's what raised people's eyebrows. An official moderator of the Wall Street Market posted a notice saying that a server crash had made it impossible - for a while, anyway - to synchronize blockchains and wallets, but that they were working on it.
Dave Bittner: [00:11:58] Here's what the moderator said - quote, "due to this incident, we were forced to send crypto assets manually to the waiting list bitcoin wallet, as we have to wait for this process to complete so that coins can be sent to the appropriate matching escrow wallet. Our technical advisers said that the platform will soon shift to the maintenance mode in order to prevent sending more bitcoins, and they estimated the synchronization process to be successfully completed yesterday," end quote.
Dave Bittner: [00:12:25] Many disgruntled traders are woofing about this on Reddit and Dread, Dread being a dark web service a lot like Reddit. They think Wall Street Market is about to vamoose with the coin they picked up when the old Dream Market closed. Jack, what do you think?
Jack Bittner: [00:12:39] Dad, I think it sounds like hocus-pocus misdirection to distract people while these guys bubble away all the altcoin and then hit the road.
Dave Bittner: [00:12:48] So you're not buying the server crash excuse, Jack?
Jack Bittner: [00:12:51] Nope. It's like when old people like you were my age, and they said, the dog ate my homework.
Dave Bittner: [00:12:56] You don't say that anymore?
Jack Bittner: [00:12:58] Nope. Now we say, the algorithm erased it - kind of like a server crash or a bad dog.
Dave Bittner: [00:13:09] I'd like to take a moment to thank our sponsor, Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyber threats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus, or through a combination of both. You decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, visit scs.georgetown.edu/cyberwire. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.
Dave Bittner: [00:14:08] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. Time to revisit a story that you and I have chatted about before. This is about the NSA. And they're saying, publicly this time, that it may be time to drop their phone surveillance program. Bring us up to date here.
Ben Yelin: [00:14:30] So the Call Detail Records program, the extent of it was uncovered in the 2013 Edward Snowden disclosures. We found out that most domestic phone carriers were routinely submitting the call detail records - so the metadata phone calls - to the National Security Agency. Obviously, it was a huge scandal. Congress, in response to the scandal, reformed the program so that the data now is retained within those telecommunications companies, although the government can request it from the FISA court.
Ben Yelin: [00:15:02] But even with that reform, there have been questions raised, both in Congress and in the Trump and Obama administrations, about both the efficacy of the program and its legality and constitutionality. Due to those concerns, the NSA took the remarkable step yesterday of recommending that the Call Detail Records program be shut down. This doesn't necessarily mean it will shut down. It's ultimately the choice of the president. He is in charge of the executive branch. But to have this recommendation from the very agency that was carrying out the program is hugely significant and a major win for advocates of civil liberties and opponents of electronic surveillance.
Dave Bittner: [00:15:44] Now, we've heard rumblings that this might be coming for the past few months here. Ultimately, what's going on? Why does NSA determine that this may not be worth the effort?
Ben Yelin: [00:15:55] Well, for one, they were exposing themselves to significant legal liability. Although the Supreme Court has not weighed in on this issue, lower courts, at various points over the past several years, have determined that the program not only does not comply with the original authorizing statute - Section 215 of the USA Patriot Act - but it also presents significant constitutional concerns because we have a right against unreasonable searches and seizures. The government generally does not have any - at least, as the program existed prior to the reform, did not have any suspicion prior to collecting those phone calls. So that was a major Fourth Amendment concern.
Ben Yelin: [00:16:32] So the government didn't want to get into a situation where the program was shut down. We were not adequately prepared for a court-mandated shutdown, and it caused a disruption. I think the more responsible way to do it is to anticipate the legal problem and shut the program down gradually. The other big issues are efficacy and compliance. On the efficacy side, pretty much everybody who's reviewed this program has determined that it really has not been an effective counterterrorism tool, particularly as technology has changed. Quite frankly, terrorists aren't really making phone calls anymore. They're using encrypted applications. So it's just not that effective of a tool.
Ben Yelin: [00:17:13] And then, compliance-wise, there were these news stories last year about how the NSA admitted to collecting millions of records that they were not authorized to collect. They were forced to purge those records to comply with the law. And that was obviously a major blemish on the program. So you have those three issues - the legal liability, the efficacy and the compliance. And when you combine those, it's just not worth it for the National Security Agency to continue the program.
Dave Bittner: [00:17:41] Now, what about members of Congress? I saw a report that recently, Senator Richard Burr from North Carolina - he's the Republican chairman of the Senate Intelligence Committee - he seemed to still be lending some support to this program.
Ben Yelin: [00:17:55] Yeah. There is a lot of institutional support, particularly from Republicans in Congress and certain members of the intelligence apparatus. I mean, Dan Coats is the National Intelligence director. He's been supportive of this program in the past. We've seen in other contexts outside of surveillance, even when a department itself says a program isn't necessary, Congress is the ultimate arbiter. I mean, I can't tell you how many times the Defense Department has told Congress, we don't need any more of this type of, you know, military bomber. We have enough.
Dave Bittner: [00:18:25] Right.
Ben Yelin: [00:18:26] It's just not worth it to provide funding. And for whatever reason, Congress is like, no, we're going to give you the money anyway. That certainly happens with surveillance programs. The NSA is an agency that's beholden to both the executive branch and the legislative branch.
Ben Yelin: [00:18:42] The one thing that works in the favor of those who are opposed to this program is that the reform package, the USA Freedom Act that passed in 2015, is due to expire at the end of this year. So there is this natural leverage point for opponents of the program to say, why should we reauthorize this in Congress if the NSA itself is telling us that this program's unnecessary and ineffective, and it should be shut down?
Ben Yelin: [00:19:08] If it was just about maintaining the status quo, and there wasn't this leverage point, then I think the views of Congress would matter more. Will there be sufficient congressional majorities to extend this now that the NSA has recommended ending the program? I tend to doubt it, especially in the House of Representatives, which is, as you know, controlled by Democrats.
Dave Bittner: [00:19:28] All right. Well, time will tell. I guess we'll see how the White House weighs in and ultimately, how it lands - but certainly an interesting development. Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:38] Thank you.
Jack Bittner: [00:19:43] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Jack Bittner: [00:19:53] Thanks to all our sponsors for making the CyberWire possible.
Dave Bittner: [00:19:56] Especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:04] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner.
Jack Bittner: [00:20:25] And I'm Jack Bittner. Thanks for listening.
Dave Bittner: [00:20:37] Nice job. How do you think you did?
Jack Bittner: [00:20:38] I think I did pretty well.
Dave Bittner: [00:20:39] Yeah, was fun. You enjoying Take Your Kid to Work Day?
Jack Bittner: [00:20:43] I am enjoying it.
Dave Bittner: [00:20:44] All right. Well, you're welcome back anytime.
Jack Bittner: [00:20:46] I know I am.
Dave Bittner: [00:20:46] (Laughter).