The CyberWire Daily Podcast 5.20.19
Ep 847 | 5.20.19

Huawei agonistes. Hacktivism is way down. New EU sanctions regime. Facebook goes after more coordinated inauthenticity. Salesforce still fixing its fix. OGuser hacked.


Dave Bittner: [00:00:00] Hi, everybody, Dave here. Just a quick reminder that if you are only listening to the CyberWire podcast, there's more to the story. You should visit our website, and check out our CyberWire daily news brief. You can have it delivered to your email every day. Go to, and check it out there. It's our daily news brief. Take a look. Thanks.

Dave Bittner: [00:00:22] Huawei is on the U.S. Entity List, and U.S. exporters have been quick to notice. Security concerns are now expected to shift to the undersea cable market. Hacktivism seems to have gone into eclipse. The EU enacts a sanctions regime to deter election hacking. Facebook shutters inauthentic accounts targeting African politics. Salesforce is restoring service after an unhappy upgrade. The OGuser forum has been hacked. And don't worry about a hacker draft.

Dave Bittner: [00:00:58] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have log-in credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day. But without complete visibility inside your network, your investigation could take hours or even weeks. And that's assuming you are able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning, and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at, or be the blue team in the interactive demo. That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:54] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 20, 2019.

Dave Bittner: [00:02:02] Huawei is now on the U.S. Entity List, which means that U.S. companies will need a special license from the Bureau of Industry and Security to do business with them. Another of U.S. chip companies, including Qualcomm and Intel, have stopped deliveries of chips to Huawei. Huawei anticipated this rainy day, and the company has stockpiled a year's worth of U.S. goods necessary to sustain production.

Dave Bittner: [00:02:26] The stockpiling would make most sense if Huawei is betting that U.S. sanctions will be relatively short-lived, as they were in the case of ZTE's near-death experience in 2018, when the company was pulled back from the brink by a U.S. agreement to levy a big fine, extract some promises, and call it bygones. But it remains to be seen whether Huawei's tenure on the Entity List will be a short-term trade negotiation ploy or something more enduring.

Dave Bittner: [00:02:53] Equally or more serious consequences are expected from Google's weekend suspension of Huawei's Android license. Huawei immediately loses access to Android updates, and new versions of its devices will no longer have access to Gmail or the Play Store. The loss of these licenses will not be mitigated by stockpiling, and recall that the Android ecosystem is very important to Huawei.

Dave Bittner: [00:03:18] Huawei has been active in public, denouncing the sanctions as one would expect and arguing that the U.S. needs Huawei as much as Huawei needs the Americans. The company points out that it's a big customer of U.S. tech firms, including those that have just cut Shenzhen off.

Dave Bittner: [00:03:34] For all these difficulties, Huawei hasn't been idle in another market where it's likely to bang up against security issues. The company sees its near-term future in the undersea cable market, and it's either laying or upgrading some 100 such cables. It's worth noting that a proposed Huawei cable to the Solomon Islands brought the company into an early open conflict with Australia. Last June, it was decided that Huawei wouldn't get the business, and that was due to Australian objections and some Australian competition. It was that cable incident that stiffened the Australian government's security concerns about Huawei.

Dave Bittner: [00:04:12] Of the three traditional groupings of threat actors - criminals, hacktivists and nation states - one, hacktivists, seems to have gone into eclipse. IBM's X-Force looked at hacktivist actions that were credibly disclosed and publicly reported and in which, quote, "a specific group claimed responsibility for the incident and where there is quantifiable damage to the victim," end quote. They found a nearly 95% drop in such attacks since 2015. In fact, none have taken place in 2019.

Dave Bittner: [00:04:42] X-Force is inclined to think this is more quiescence than disappearance and that hacktivism could reappear under the right conditions. But there seems to be trends that make this unlikely. More effective law enforcement, the arrest of some hacktivist leaders and a lack of consensus about the causes hacktivists ought to take up are obstacles to a resurgence. The third observation is particularly interesting. Hacktivist groups tend to be both anarchic and governed by consensus, which creates a natural tension. As causes drift or expand, consensus tends to dissipate.

Dave Bittner: [00:05:18] The city of Baltimore continues to struggle through the ransomware infestation it sustained recently. The CyberWire's Tamika Smith has an update.

Tamika Smith: [00:05:26] Baltimore City government is the latest to be hit by a ransomware attack. They joined Atlanta, Orange County in North Carolina and Washington County in Pennsylvania among the municipalities to be hit in the past a year and a half, crippling phone systems, hospital records and any documents of value, all for mostly one cause - get paid. Roughly $3.6 million is what victims reported loss to the FBI last year. That tally was created by the Internet Crimes Complaint Center.

Adam Lawson: [00:05:57] So that's an interesting number. Ransomware, I think for any incident response company or threat research company or the FBI, it's a very difficult problem to scope.

Tamika Smith: [00:06:11] Special Agent Adam Lawson works with the FBI's Cyber Division in the Major Cyber Crimes Unit. He explains that the IC3 report only shows what is submitted to their center. He says they know that number is significantly higher.

Adam Lawson: [00:06:26] You know, that does not take into account loss of business, wages, file - files, getting new equipment. It doesn't take into account any third-party remediation services hired by a victim.

Tamika Smith: [00:06:43] Ransomware attacks are costly and cripple basic services. On WBAL's TV 11, Baltimore-area resident Daris Johnson and his family were preparing to celebrate the purchase of a new home - not any longer. Now all they can do is wait.


Daris Johnson: [00:06:58] ...Our loan and getting our loan locked - our rate locked in. It's just so many things that are up in the air right now that we don't know what's going to happen with all of it.

Tamika Smith: [00:07:07] This time, local officials confirm the ransomware strain was RobinHood. Early reports say this is a dangerous new strain of Hidden Tear ransomware being sent by an unknown hacker collective. Attacks like the one on Baltimore City are growing increasingly common. FBI Special Agent Lawson says it's affecting the public and private sectors.

Adam Lawson: [00:07:26] Right now we're seeing a larger number of companies or city governments, municipalities, things like that - we're seeing larger numbers in that arena of victims. And we're also seeing higher ransom demands of those victims.

Tamika Smith: [00:07:46] After a ransomware attack, it could take weeks or months to rebuild a system. Ben Yelin, who is a regular on the CyberWire, says prevention needs to be the first step.

Ben Yelin: [00:07:55] First off all, I should say that most of the work in preventing damage from a ransomware attack, unfortunately for Baltimore City, comes before the attack hits. And that's having continuity of operations plans so that you know exactly how you can resume your essential functions.

Tamika Smith: [00:08:12] He's a senior law and policy analyst at the University of Maryland for health and homeland security. He says prevention can be creative, too.

Ben Yelin: [00:08:20] If the absolute worst comes to pass, in that you have a crippling ransomware attack where the network goes down for an extended period of time, you even have a plan to devolve some of your agency's functions to another institution.

Tamika Smith: [00:08:33] Baltimore officials and the FBI are being cautious about how they're working to resolve this ransomware attack. One thing remains clear. They have a choice to make - pay the ransom, or restore the systems from a backup or from scratch. In the meantime, pressure is mounting for residents like Daris Johnson and his family, who depend on the city services.

Tamika Smith: [00:08:53] This is becoming a new reality for cities and municipalities around the country. They're bracing themselves for a cyberwar against the New Age criminal - technologically savvy and boundaryless. For the CyberWire, I'm Tamika Smith.

Dave Bittner: [00:09:09] And joining me now in studio is Tamika Smith. Tamika, welcome, and - so bring us up to date. First of all, how long has Baltimore been dealing with this ransomware attack?

Tamika Smith: [00:09:19] May 7 is the first day that officials basically came out and said they were going to shut down the services. And this word came from Mayor Bernard Young.

Dave Bittner: [00:09:29] And so where do things stand now? What's up and running, and what's not?

Tamika Smith: [00:09:33] Now, here's what's interesting. Many of the services were impacted, including real estate services, health care services and even something as small as being able to pay a water bill. As of right now, the city is being able to do limited services when it comes to real estate. And the real estate industry is helping along with this push. Right now anyone buying a home in Baltimore can obtain certificates showing that there are no liens on properties so that they would be able to get insurance on their homes.

Dave Bittner: [00:10:03] Now, Baltimore has been keeping information pretty close to the vest throughout this. Have they opened up any? Any word on how they're planning on dealing with this? Are they going to pay the ransom? Are they restoring from backups? Anything coming out of the city?

Tamika Smith: [00:10:16] During the weekend, there was some word that the mayor may be buckling down a little bit to pay the ransom, but nothing official. As of right now, the FBI is mum on how they want to move forward, and that's totally understandable.

Dave Bittner: [00:10:30] All right. Tamika Smith, thanks for joining us.

Dave Bittner: [00:10:33] At the end of last week, the European Union enacted a sweeping sanctions regime that it hopes will impose serious and swift consequences on organizations or individuals found responsible for cyberattacks against the EU and its allies. The penalties are principally travel bans and asset freezes. The EU hopes the measure will have some deterrent effect against any who would interfere with this week's elections, which conclude this Sunday.

Dave Bittner: [00:10:59] Facebook has shut down accounts allegedly run by Israeli political marketing firm Archimedes Group for coordinated inauthenticity. A total of 65 Facebook accounts, 161 pages, 23 groups, 12 events and four Instagram accounts were closed. The operation has apparently been going on for some time beneath whatever radar is being used in Menlo Park. Facebook says more than $800,000 has been spent on advertising associated with these accounts since 2012. That's about $114,000 a year, since we have a calculator and you might not, especially if you're listening while you're driving.

Dave Bittner: [00:11:37] Targets were in various African nations, and the goal was evidently political manipulation. A number of the pages taken down supported or denigrated particular candidates and parties, misrepresented themselves as new organizations or posted material claiming to have leaked from various political actors. The Archimedes Group seems to be a hired gun in all of this. The inauthenticity was detected in the usual ways - implausible geolocation, linguistic goofs and so on.

Dave Bittner: [00:12:07] A script error in Salesforce's Pardot service affected customers beginning Friday. Service is currently under restoration. An upgrade changed Salesforce's production environment in such a fashion to break permission settings in customer accounts. So, for example, any employee in a given company might have both read and write access to documents the company did not intend for such wide distribution.

Dave Bittner: [00:12:33] OGusers, a popular forum that, despite its bland self-description, traded digital contraband, was hacked by other criminals. The data taken are said to include usernames, MD5-hashed passwords, emails, IP addresses, source code, website data and private messages. How does the site describe itself? As a community-driven online marketplace forum of virtual goods. We host a marketplace for OG gamer-tags, Instagram accounts, Kik and much more. That's how they wrote it.

Dave Bittner: [00:13:04] A lot of the community's drivers would appear to be gamers and low-level skids out for a quick buck and some virtual street cred. KrebsOnSecurity describes them simply as an account hijacking forum.

Dave Bittner: [00:13:17] Scare headlines in CSO and elsewhere suggest that the U.S. Selective Service System - that is, the draft, gone since 1973 - might someday return. One presumed goal of a revived draft would be to enable the U.S. military to conscript hackers. But hackers, we wouldn't sweat this one. The Orioles are likely to contend for a pennant this year than you are to receive greetings from the president.

Dave Bittner: [00:13:41] Cyber services are the sort of thing that the government contracts for. And anyway, think about it. It's relatively easy for a sergeant to keep an eye on three or so unwilling conscripts to make sure they don't foul up while they're cleaning the grease trap at the mess hall. Keeping an eye on the sort of creative incompetence a disaffected coder might bring is another matter altogether.

Dave Bittner: [00:14:03] But if you've decided you really must devote worry to this because you've decided to overlook more probable disasters, like contracting cobalt beer syndrome at Granny's Fourth of July picnic, or an asteroid strike, or being selected by the grey aliens for your superior genetic potential - or you're simply a Country Joe and the Fish reenactor or a member of an Arlo Guthrie cover band - and we understand there are a lot of you out there - why, then, book your ticket to Canada before it's too late. Just make sure the expiration date is something around the end of the 22nd century.

Dave Bittner: [00:14:41] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:15:54] And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. I saw an article come by from The Record, and this was about researchers at University of Waterloo who are working on an app that would help protect people's privacy at the border. What are they working on here?

Jonathan Katz: [00:16:16] Well, people are concerned about reporters or other people who may have important files on their laptop or on their phones that they don't want other people to gain access to, including border security officials. And of course, you can try to encrypt the data on your laptop or on your phone. But then there's the concern that when you're stopped at the border and they identify these encrypted files on your device, they may ask you for the password or the key that's needed to unlock that device.

Jonathan Katz: [00:16:41] And so people have been trying to come up with different sort of solutions that would address this potential event. And so what these researchers have proposed is an idea where you would essentially use a password or use a cryptographic key to encrypt your files, but then you wouldn't even know the key yourself. You would basically send it either to another individual or some set of individuals who would all need to be compromised in order to get access to your device. And even if these border officials were to ask you for the password, you fundamentally would not be able to give it to them because you don't know it yourself.

Dave Bittner: [00:17:12] Yeah, and one of the interesting things about this that caught my eye was that it seemed as though you can sort of split up the password among a group of people, and you would need a certain number of them to be able to unlock your information.

Jonathan Katz: [00:17:25] That's right. This is a basic idea called threshold cryptography that has been researched actually for a couple of decades. But now these researchers are trying to put it into practice and use it for protecting encrypted files on people's devices.

Dave Bittner: [00:17:38] So it's a compelling case here. Are there any drawbacks?

Jonathan Katz: [00:17:41] Well, I think that I've seen some other approaches that try to hide the presence of encrypted files on someone's device altogether. And I think that can be potentially a better approach because the issue with this one is that even though it's true that you won't be able to give up the password and so the border officials will not be able to get access to your files, they will become suspicious, right? They will observe that you have these encrypted files on your device. They're going to know that you're refusing to give up your password. That's very likely to make them detain you and potentially then investigate you further and try to understand why it is that you're not giving up the information about these files.

Dave Bittner: [00:18:15] Right.

Jonathan Katz: [00:18:15] So I'm a little bit suspicious overall about how well this will play out in practice and how many people would be willing then to be detained rather than either give up the files or come up with some other mechanism for dealing with it.

Dave Bittner: [00:18:25] Yeah, it's interesting. You're also sort of bringing your friends into this, or your colleagues, as well that could - I don't know - cause a headache for them.

Jonathan Katz: [00:18:35] Yeah. Well, there was an interesting comment in the article. They were saying that this is for people who would rather not get - essentially rather not give up their files than give up the password after being tortured. Now, you know, the funny - or I shouldn't say funny - but the thing about that is if you're being tortured, you might actually prefer to give up your password rather than tell them, well, I don't have it; just continue torturing me, right? (Laughter). So it's, you know, like I said, there are some physical assumptions, you know, assumptions that they're making about the real world and about how people prefer to operate in the real world that may not be true for most people.

Dave Bittner: [00:19:06] Yeah. No, it's an interesting edge case, I suppose. All right, well, as always, Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:19:13] Thanks, always a pleasure.

Dave Bittner: [00:19:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:31] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.