The CyberWire Daily Podcast 6.3.19
Ep 856 | 6.3.19

Recovery from network congestion. GandCrab to close. BlackSquid drops XMRig. BlueKeep patching lags. Crypto for criminals trial. Antitrust investigation of Google. “Persistence of Chaos” sold.

Transcript

Dave Bittner: [00:00:00] Hi, everybody. Dave here with a quick note to kindly request that if you have not already done so, please be sure to check out our Research Saturday show. Each week, I speak with cybersecurity investigators and analysts about their latest research. It's in the same feed as the daily podcast. And, of course, you can also find it on our website, thecyberwire.com. It's Research Saturday. We hope you'll give it a try. Thanks.

Dave Bittner: [00:00:26] Google's cloud services recover from network congestion. GandCrab's proprietors say they're retiring rich at the end of the month. BlackSquid delivers the XMRig Monero miner. Updates on the Baltimore ransomware incident. Too many machines have not yet been patched against BlueKeep. A CEO has been sentenced for providing criminals crypto. The U.S. Justice Department is said to be preparing an antitrust investigation of Google, and "The Persistence of Chaos" has been sold for $1.3 million.

Dave Bittner: [00:01:04] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:05] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

Dave Bittner: [00:02:20] From the CyberWire studios at DataTribe, I'm David Bittner with your CyberWire summary for Monday, June 3, 2019. Google's cloud suffered worldwide outages yesterday. These are now fixed and seem to have amounted to a nuisance as opposed to a disaster, but observers point out that the incident suggests that any cloud may not be as reliable as its users typically assume. And, if you'll forgive us a tangent, we can't help wondering if "the cloud isn't bulletproof" would be a mixed metaphor. On the one hand, no cloud would deflect a bullet, so the metaphor would be a lousy one. On the other hand, a cloud's bulletproof in the sense that you could shoot bullets through it all day and not harm the cloud, so maybe that metaphor is OK after all.

Dave Bittner: [00:03:07] All good things come to an end. The criminal proprietors of GandCrab ransomware say they've made enough money - $2.5 billion, if they are to be believed - and that they plan to call it a day and retire at the end of June to enjoy a well-deserved retirement. They advise hold-out victims to act now and pay up soon, which isn't necessarily good advice, of course, since it's not exactly what the lawyers would call an admission against interest. GandCrab appeared in January 2018 and quickly became a black market leader. The GandCrab gang can't resist a little crowing. They said, we have now proven that, by doing evil deeds, retribution does not come. Well, not yet, but retribution can reach you in retirement and on the lam.

Dave Bittner: [00:03:53] Trend Micro describes BlackSquid, a criminal campaign that distributes the XMRig miner. For now, the campaign is after Monero cryptocurrency, but there is no reason to think its approach can't and won't be used to drop other payloads in the future. BlackSquid is interestingly complex. It appears to make use of at least eight distinct exploits, several of them well-known and, in principle, patched.

Dave Bittner: [00:04:18] NSA denied, in discussions with Maryland Representative Ruppersberger, that the agency's tools had anything to do with the Baltimore ransomware attack. In particular, NSA said it had no evidence that the EternalBlue vulnerability played a role in the incident. Some have read this as a non-denial denial - for example, The Washington Post - but the general sentiment seems to be that Baltimore is far more sinning than sinned against.

Dave Bittner: [00:04:46] More than two weeks ago, Microsoft urged every affected user to patch against the BlueKeep vulnerability, but patching hasn't gone as quickly as might have been hoped. Around 900,000 machines are thought to still be vulnerable. Someone's out there scanning for those machines. Researchers at GreyNoise have observed scans from Tor exit nodes - that's from the exit nodes, not of the exit nodes, as we think we might have misspoken last Tuesday. The danger is still out there. Let's all apply the lessons Baltimore learned the hard way and patch.

Dave Bittner: [00:05:20] The U.S. Justice Department has begun preparing an antitrust case against Google, according to multiple sources. An earlier investigation by the Federal Trade Commission, whose responsibility in such matters overlaps that of the Justice Department, looked bad for Mountain View, but ultimately, Google emerged in 2013 essentially unscathed, and of course, quite intact. The current investigation is said to be in its preliminary phases, with Justice and the FTC sorting out the equities.

Dave Bittner: [00:05:49] Apple kicked off their worldwide developer conference earlier today, showing off new hardware and software and services. An area that Apple likes to emphasize is privacy, but just how much does Apple's crowing align with reality? The CyberWire's Tamika Smith has this report.

Tamika Smith: [00:06:07] Now we turn our attention to a new article that looks into the secret life of your phone. As you would expect, various apps that you enjoy using - whether to purchase food or smart TVs - are tracking your activity, but to what degree? Here to talk more about this is Geoffrey Fowler. He's a tech columnist for The Washington Post. Thanks for joining the program, Geoffrey.

Geoffrey Fowler: [00:06:27] You bet.

Tamika Smith: [00:06:28] So you conducted a privacy investigation into your own phone and published the findings in a recent article you wrote called, "It's the Middle of the Night. Do You Know Who Your Phone Is Talking To?" What did you discover?

Geoffrey Fowler: [00:06:39] I found my phone is talking to lots of companies that I have never heard of, and in some cases, sending them a lot of really personal information about me. So basically what I did is I, with the help of a company called Disconnect and their CTO, who used to work for the NSA - his name is Patrick Jackson - we ran this experiment on my phone and hooked it into a system that tracked all of the incoming and outgoing data. And we did this while I was sleeping every night. I would wake up in the morning, and I would look at that traffic and see what was being sent.

Geoffrey Fowler: [00:07:10] Now, some of it was encrypted, but a lot of it wasn't. And for the stuff that wasn't, I was just shocked to see the names of some of these companies that were receiving my personal data that I had not installed on my phone myself. Turns out they were tracker companies that had been embedded in these apps that I had installed on my phone, you know, used for a wide variety of purposes, everything from analytics to marketing to who knows what because you really couldn't tell.

Tamika Smith: [00:07:36] So one of the highlights in your article - it mentions privacy policies and what they're really used for. How does this tie into these app trackers?

Geoffrey Fowler: [00:07:45] Yeah. So you know, when you talk with Apple or even some of these companies about it, they say, well, listen; if you installed this app on your phone, you have essentially agreed to the privacy policy of these companies. First of all, most people do not look at the privacy policies for apps.

Tamika Smith: [00:08:01] Right.

Geoffrey Fowler: [00:08:01] And even if you do, they're extremely vague on this topic about sharing your personal data with third parties. And in some cases - or at least one case, an app called Citizen - I found that they were sharing data in a way that violated their own policy. They said they wouldn't send personally identifiable information out to trackers or other third parties, and they were.

Tamika Smith: [00:08:21] This activity seems to be abusing Apple's background refresh functionality in the iOS. Is there any indication that Apple could clamp down on this?

Geoffrey Fowler: [00:08:30] I think there's a number of things that Apple could do here. So first of all, just a reminder, Apple is the company that heavily markets the privacy of the iPhone as a reason to buy one. It put out a billboard at CES earlier this year that said, "What happens on your iPhone stays on your iPhone." And my experiment certainly showed that that is not the case.

Geoffrey Fowler: [00:08:47] What could Apple do here? Partially, it could be about restricting what kinds of activity is allowed to happen in the background. By default, apps turned on, they're allowed to refresh in the background on their own. But I think that's only part of the problem. These apps are also sharing our data with third-party tracker companies during the day, too, right? If you open that app in the middle of the day, you don't really have much transparency into what is being shared.

Geoffrey Fowler: [00:09:12] So I think one thing Apple should do is force these companies to be more transparent about what they're up to. I mean, GDPR caused a lot of websites to have to flag when they use cookies, and so maybe apps should have to do the same thing. You might think twice, for example, about using DoorDash if every time you opened it up you got a message saying, just a reminder, we're using nine different trackers to track you in all these different ways. Is that cool? And then you could say yes or no.

Tamika Smith: [00:09:40] What about your experiment surprised you?

Geoffrey Fowler: [00:09:44] I think that it was happening on an iPhone. I'm a tech columnist for the Post. I'm aware that there's this whole data economy out there. But Apple has done a very good job of making a lot of us believe it thinks differently when it comes to privacy and it goes out of its way to protect us. But it seems like they really have a big blind spot when it comes to the App Store that they curate. There's a lot of activity happening there that only took me a week of looking under the covers to find stuff that violated privacy policies, violated their terms. And are they really doing enough to check these apps on our behalf?

Tamika Smith: [00:10:17] Now some people think this is a case of app developers hiding excessive sharing permissions in the end-user license agreement. What's your thought on that?

Geoffrey Fowler: [00:10:25] Well, definitely, apps are taking as much data as they can. And they're getting away with it. Apple does give you controls as a user to limit, you know, oh, you don't necessarily have to show your - share your exact location with an app, or you don't have to share your contacts. And those are all good things that people should spend more time thinking about. But the truth is most people just click yes on whatever the apps ask for, and then they get it. And so that's a big hole that we're all falling into.

Tamika Smith: [00:10:55] Thank you so much, Geoffrey. We'll definitely be tracking what's happening with these apps. And we'd love to have you back on the show to talk more about it.

Geoffrey Fowler: [00:11:02] You bet.

Tamika Smith: [00:11:02] That's Geoffrey Fowler. He's a tech columnist for The Washington Post. He wrote an article, "It's the Middle of the Night. Do You Know Who Your Phone Is Talking To?" You can read the full article on their website.

Dave Bittner: [00:11:17] The CEO of Phantom Secure, Vincent Ramos, was sentenced last Tuesday in a U.S. federal court to nine years in prison and also told to forfeit some $80 million in stuff he'd accumulated - homes, gold coins, cryptocurrency, things like that. Mr. Ramos has copped a guilty plea to charges connected with selling encrypted BlackBerry phones to a variety of bad actors, including the Sinaloa drug cartel and the Australian chapters of the Hells Angels. The Angels are said to have used the phones to coordinate several murders. The AP calls the Phantom phones gutted, uncrackable smartphones that, for a subscription, could send encrypted text messages through a secure network based in Panama and Hong Kong. They could also be wiped remotely should the users feel the heat breathing down their neck.

Dave Bittner: [00:12:06] The U.S. case was prosecuted in a San Diego court, but the investigation was a joint U.S.-Canadian-Australian one. Mr. Ramos is Canadian and a resident of Greater Vancouver. The case is interesting in that it apparently represents the first case in which someone has been convicted of providing encrypted devices to criminal organizations. We should point out that Phantom Secure is not to be confused with Phantom Cyber, the entirely legitimate company that gained visibility in the RSA Conference Innovation Sandbox and was subsequently acquired in April of 2018 by Splunk.

Dave Bittner: [00:12:42] And, hey, check it out. "The Persistence of Chaos," a Samsung NC10 laptop infested with six - count them - six bits of malware - WannaCry, BlackEnergy, ILOVEYOU, Mydoom, Sobig and Dark Tequila - is now off the market. It sold for $1.3 million. If that sounds pricey for an 11-year-old and very dirty laptop, well, dang it, it's art, you philistine, you square, you, you, Chromebook user, you. Forgive us. Art does have the power to move us, doesn't it? And the unnamed person who parted with $1.3 million to own it is now the owner of a genuine, 100% certificated work of art. After all, did Duchamp disinfect "Fountain" with Lysol before displaying it? We have it on good authority that the answer is no. But artist Guo O Dong, or more probably his adult sponsors over at security firm Deep Instinct, wanted to play it safe. Seems kind of a shame.

Dave Bittner: [00:13:44] Toronto's National Post, which has assumed a very straight-faced pose - which may or may not be ironic - with respect to its reporting on the transaction, says that Mr. Guo first achieved minor éclat in the art world with a performance piece in 2017 in which he rode a Segway around Brooklyn while leading, or being led by, a hipster on a leash. We looked up images of the work, called "Hipster on a Leash," and we're sorry to report that, for one, the hipster hardly seems to qualify as a hipster because his shorts, sunglasses and short-sleeved shirt look a lot more like routine New York tourist apparel. So we're reluctantly calling BS on the whole hipster thing, which is dragsville if hipsters actually even exist. The only thing that would improve this story would be if we found out that it was, in fact, Baltimore City that purchased "The Persistence of Chaos" with VapersCoin. But alas, that's just wishful thinking.

Dave Bittner: [00:14:44] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:15:54] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.

Joe Carrigan: [00:16:03] Hi, Dave.

Dave Bittner: [00:16:04] I had an article come by from Forbes. This is written by Kate O'Flaherty, and the title is "Google Just Gave 2 Billion Chrome Users a Reason to Switch to Firefox." Let's dig in behind that headline here and what's going on.

Joe Carrigan: [00:16:18] So Google is working on a proposal called manifest version 3, or V3. And this is how plug-ins will work with the Chrome browser, and they're planning to restrict modern ad-blocking through Chrome extensions.

Dave Bittner: [00:16:31] OK.

Joe Carrigan: [00:16:32] So there's a part of their API that's going to be deprecated in the next iteration of this manifest 3 that will stop these calls that allow ads to be blocked...

Dave Bittner: [00:16:43] OK.

Joe Carrigan: [00:16:43] ...Without getting too technical.

Dave Bittner: [00:16:45] Right. OK. This seems like something no one's asking for, except maybe the ad folks, I suppose.

Joe Carrigan: [00:16:50] Right. Yeah. Well, it's interesting because there's been a lot of backlash from this from the Google user community. Nobody wants this. You know, if you want an ad blocker, you should be able to use it. Google says you'll still be able to use ad blockers, but it won't use the same API calls. It'll use a different API call that makes it less efficient and probably not as effective. There's the other issue here - that for enterprise users of Chrome, you will still have access to this API. This is presumably - 9to5Google says this is presumably to allow the development of custom Chrome extensions that might not block ads, but it will still allow the same kind of features that would let you block ads. Right? So I find it interesting that Google is allowing customers that pay it to use it but not allowing the general public to use it. You know, people like you and me - I don't pay to use Chrome. What is also interesting is that Google is - or Alphabet, rather, is a very large owner of advertising services.

Dave Bittner: [00:17:50] Sure.

Joe Carrigan: [00:17:50] Right? I think this represents a genuine conflict of interest here - that they're not acting in the public's best interest with regard to the Chrome browser. You know, I think - you own AdSense and AdWords, and they also own the Chrome browser, which has a 62% market share, which is the most popular browser on the market - obviously. If they have 62%, nobody else has more.

Dave Bittner: [00:18:11] Yeah.

Joe Carrigan: [00:18:12] They have more than all the others combined.

Dave Bittner: [00:18:13] OK.

Joe Carrigan: [00:18:13] So if you have that kind of pull and you disable ad blocking so that your ad networks and other ad networks can now be more profitable, I don't know that that represents what I would consider to be fully ethical business practices.

Dave Bittner: [00:18:28] You know, for me, the issue I have here is not so much being shown ads.

Joe Carrigan: [00:18:33] Right.

Dave Bittner: [00:18:33] I think it's a fair deal. Allow me to read your content for free...

Joe Carrigan: [00:18:36] Yep.

Dave Bittner: [00:18:37] ...And I will look at an ad.

Joe Carrigan: [00:18:39] Sure.

Dave Bittner: [00:18:39] But the problem I have is all of the tracking.

Joe Carrigan: [00:18:41] All the tracking that goes on is pretty insidious.

Dave Bittner: [00:18:43] Right. So if there were some happy medium here where you can still show me the ad, you can still get credit for - this ad was shown to someone...

Joe Carrigan: [00:18:53] Right.

Dave Bittner: [00:18:53] ...But not take all of my information back to those people and tell them who I am, where I was and what I had for breakfast this morning...

Joe Carrigan: [00:18:59] Right.

Dave Bittner: [00:19:00] ...Then I think we're OK, but...

Joe Carrigan: [00:19:02] Well, Google said in a statement to 9to5Google that "Chrome supports the use and development of ad blockers. We're actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data that is shared with third parties." So it sounds like that's what Google or Alphabet thinks they're doing. But I don't know if - or at least that's what they want you to think they're doing.

Dave Bittner: [00:19:29] (Laughter) Right. Right.

Joe Carrigan: [00:19:29] But I don't know if this is the best way to go about it.

Dave Bittner: [00:19:31] All right. Well, we'll see what the market chooses, right?

Joe Carrigan: [00:19:34] Yeah, that's right. Yes. That's what's going to happen. I think - I don't know. Will Google see a loss of market share because of this? I predict they don't.

Dave Bittner: [00:19:44] Yeah.

Joe Carrigan: [00:19:44] I predict they don't. The Chrome browser is a good browser. It works very well.

Dave Bittner: [00:19:50] I suspect you're right.

Joe Carrigan: [00:19:51] Yeah, I don't think they'll see an impact from this.

Dave Bittner: [00:19:54] All right. Well, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:19:56] My pleasure.

Dave Bittner: [00:20:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:14] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.