The CyberWire Daily Podcast 12.17.19
Ep 991 | 12.17.19
Ransomware updates. Lazarus Group’s new Trojan. IoT insecurity. Exploiting older versions of WhatsApp. Mr. Assange’s extradition. Door kick in IP beef. Someone naughty’s still running XP.
Play
Play
Transcript

Dave Bittner: [00:00:00] Hey, everybody - Dave here with some exciting news. We are pleased to announce our new subscription program CyberWire Pro. It's launching early in 2020. For cybersecurity professionals and others who want to stay abreast of our rapidly evolving industry, CyberWire Pro is a premium news service that will save you time as it keeps you informed. You can learn more and sign up to get launch updates at thecyberwire.com/pro. That's thecyberwire.com/pro. Do check it out. Thanks. 

Dave Bittner: [00:00:33]  Updates on the ransomware attacks in Florida and Louisiana. North Korea's Lazarus Group adopts a new Trojan as it shows signs of pivoting into the Linux ecosystem. Insufficient entropy and IoT key generation. Older versions of WhatsApp are vulnerable to exploitation. The state of Julian Assange's extradition to the U.S. Hey, this is Moscow. Where'd you think you were, Iowa? And guess who's still running Windows XP. 

Dave Bittner: [00:01:06]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood campus. You can find out more at isi.jhu.edu, and click on 6th Annual Cybersecurity Conference for Executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at isi.jhu.edu. Click on the 6th Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:16]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 17, 2019. The city of Pensacola, Fla., continues to recover from the ransomware attack it sustained earlier this month. The mayor is short on details but says things are going well, WUWF reports. The city has, according to the Pensacola News Journal, hired Deloitte to figure out exactly what damage was done. So while matters may not be as rosy as the mayor suggests, the city seems to be seeking appropriate help. It appears that the particular ransomware strain involved in the Pensacola incident was Maze. The hoods behind Maze represent a new school of extortion. They recently dumped a list of victims who refused to pay the ransom, along with samples of their file names. This is intended as a form of naming and shaming, and thus a way of ratcheting up the pressure to pay. Interestingly, Pensacola does not figure among the latest list of their victims, BankInfoSecurity reports. 

Dave Bittner: [00:03:20]  In Louisiana, as New Orleans continues its recovery from a Ryuk ransomware attack, a similar incident hits Baton Rouge Community College, The Advocate reports. It's unclear what, if any, relationship there may be between the New Orleans and the Baton Rouge incidents. But the attack on the community college is the latest in what amounts to a wave of ransomware strikes against schools and colleges. 

Dave Bittner: [00:03:43]  ZDNet, citing NetLab 360, says that North Korea's Lazarus Group has begun using the Dacls Trojan as it pivots from a concentration on Windows targets into the Linux ecosystem. The move probably augurs more expensive targeting by Lazarus Group, which has recently concluded business agreements to obtain technical support from organized cybercriminal groups. Keyfactor warns that encryption weaknesses in RSA keys could leave large numbers of IoT devices vulnerable to exploitation. The weaknesses arise from poor entropy. That is inadequate randomness in key generation. 

Dave Bittner: [00:04:20]  Check Point urges WhatsApp users to update to the latest version of the app. Their researchers have found that attackers could hit older versions and permanently delete chats as well as work other mischief. Julian Assange is expected to argue during his upcoming extradition hearings that during the period he enjoyed asylum holed up in Ecuador's London Embassy, he was illegally monitored and that the data collected in such personal surveillance was sold to the U.S. CIA. This, he is thought likely to maintain, is evidence that he won't be able to receive a fair trial in the U.S., where he faces multiple charges of violating the Espionage Act, The Guardian reports. Mr. Assange is currently in British custody. 

Dave Bittner: [00:05:05]  The allegations that someone sold Mr. Assange to the CIA is currently being investigated by Spain's Audiencia Nacional, the country's national court. A Spanish court is interested in the case because a Spanish company, Undercover Global SL, provided security for the Ecuadorian Embassy and reports in Spanish newspaper El País allege that Undercover Global provided audio and video surveillance to the CIA, including surveillance of meetings Mr. Assange held inside the embassy with his lawyers and supporters. The court is investigating whether these constitute violations of privacy and legal privilege. 

Dave Bittner: [00:05:44]  U.K. extradition laws are relatively friendly to U.S. requests, and vice versa, but they do allow for a prejudice exemption that protects people from extradition for their political opinions. It seems likely that Mr. Assange's team will assert that exception. The continuing deployment and ramp up to 5G mobile device connectivity has the attention of security professionals around the world. There are technical issues as well as geopolitical issues. We checked in with former U.S. secretary of Homeland Security and current head of the Chertoff Group, Michael Chertoff, for his thoughts on the 5G transition. 

Michael Chertoff: [00:06:22]  5G has a tremendous amount of potential, and it is going to be the enabler for the true expansion of what people call the internet of things. That's where, you know, your refrigerator, your baby camera, your car - everything is wirelessly connected. But that puts an even greater premium on security because if you're in an autonomous or semi-autonomous vehicle and, all of a sudden, the 5G connection is shut off, you get into an auto accident. If you're running your critical infrastructure on 5G and it gets shut off, all of a sudden, that goes dark. So more than ever, given the number of devices that are going to be part of this network, we need to build security by design when we architect the hardware and software. 

Michael Chertoff: [00:07:14]  And that's been the subject of a good deal of discussion because right now, Chinese companies like Huawei and ZTE are ahead of most Western companies in terms of their ability to build and install hardware and software for 5G at the scale you would need for it to be really operational. And that raises questions about whether giving Chinese companies that kind of commanding position in the infrastructure of the technology would not only create the opportunity to engage in theft of data, but could also allow the Chinese, in some circumstances, to actually dial back or turn down the effectiveness of the networks. 

Dave Bittner: [00:08:00]  Where do you come down on that? Where do you suppose we should be when it comes to restricting companies like Huawei and ZTE? 

Michael Chertoff: [00:08:07]  I think this is a legitimate, serious national security concern. Now, I'm putting to one side issues about trade balances, which are kind of trade issues, and I'm talking strictly about national security. What I would not want to see is a situation where China could compromise our data, could steal our data, or worst, actually shut off our ability to operate our 5G networks if we were to get into a conflict or an adversarial situation. 

Dave Bittner: [00:08:40]  What alternatives are available to us? Would we need to be concerned that by not using Chinese providers, we might fall behind? 

Michael Chertoff: [00:08:49]  There are three Western companies using the term in kind of a loose sense that do have infrastructure providers that could scale and match Huawei and ZTE. It's Ericsson and Nokia, which are in Scandinavia, and Samsung, which is in Korea. 

Dave Bittner: [00:09:08]  We're confident that those companies could get up to production in the scale and the speed at which we would need? 

Michael Chertoff: [00:09:14]  Well, there's a challenge in that, and it's twofold. One is I don't think you're yet at the scale that we would need, although they could get there. But the second issue is - and this is a complaint I've heard from people in the U.S. and outside - they're more expensive because the Chinese government, essentially, directly and indirectly subsidize their companies in terms of promoting 5G scalability, first of all, in China, and that means the cost per unit has decreased. Ericsson and Nokia don't get that kind of help from their governments. 

Michael Chertoff: [00:09:50]  So part of what we need to start to think about, as we do with respect, for example, to military infrastructure, is whether we need to have a joint effort by Western like-minded nations to build a hospitable market for 5G investment so that these companies will begin to increase the tempo of their production because the profitability will be there for them. 

Dave Bittner: [00:10:16]  Where do you suppose we are when it comes to that balance between security and privacy? I'm thinking about technologies like facial recognition and some of those things that are on the horizon. 

Michael Chertoff: [00:10:27]  Facial recognition can be valuable. It's, for example, useful when you try to open up your phone, and your face appears and the phone opens up. The question is what happens with the data? And I think, increasingly, we need to think about the issue of privacy not just in terms of what gets collected, but how the data's controlled. There may be uses for facial recognition that are perfectly appropriate, but you want to make sure they don't migrate over to something that would be very inappropriate or threatening. You might want to have facial recognition, for example, to get you access into your apartment or into your place of business, but you wouldn't necessarily want that to be transmitted to the government and be used as a way of surveilling what you do out on the street every single minute of the day. 

Michael Chertoff: [00:11:18]  So this is about making sure that there is a degree of control over data that's generated so that people aren't put in an all-or-nothing situation where either they don't participate at all on these internet activities or they wind up basically surrendering their private interests to commercial interests or government. 

Dave Bittner: [00:11:42]  What is your sense of how well we're doing as a nation in response to these threats? Are we in a situation where we're nimble enough to respond to them? 

Michael Chertoff: [00:11:51]  I think we are slowly awakening to some of the challenges we've talked about on privacy, on balancing security with encryption, on disinformation campaigns. So you're beginning to see legislation being passed in some of the states. Congress is beginning to propose things. But I will acknowledge that we've been somewhat slow off the mark, and it took a pretty dramatic set of events, like, for example, what happened in the 2016 election, for people to wake up and say, we better get on top of this problem. 

Dave Bittner: [00:12:25]  That's Michael Chertoff from The Chertoff Group. 

Dave Bittner: [00:12:29]  The founders of NGINX, a subsidiary of Seattle-based F5 Network, which acquired the Russian-born company this past March, are complaining about the raid Russian police conducted against their homes in the early hours of last Thursday. It was over a copyright beef. Rambler Group, which operates a popular search engine in Russia, claims that it's the rightful owner of NGINX's web server code. One of NGINX's founders, Igor Sysoev, was formerly employed by Rambler. Sysoev and his co-founder, Maxim Konovalov, says they intend to stay in Russia and fight for their IP. There's been a fair amount of publicly expressed sympathy for the two in Russia. Yandex, for example, a Rambler competitor that operates the country's biggest search engine, said the raid sent a very bad signal. 

Dave Bittner: [00:13:19]  And finally, it's ho-ho-ho time, and so we send out a holiday wish to President Putin. May Ded Moroz and Snegurochka bring him a nice new laptop fully loaded and up to date. The Guardian, quoting Open Media, a fairly independent and opposition-friendly Russian news outfit, says that official photographs taken at both the president's Kremlin office and in his official residence show that his machines are still running Windows XP. This is probably not as bad for Mr. Putin as it would be for you and me, to pick two people at random. For one thing, he's not a big fan of the internet in the first place, since he regards it in his darker moods as a CIA-built tool - actually, DARPA, but why be pedantic over whether the net came from an American five-letter agency as opposed to a three-letter one? The important letters are U and S, or in the phonetic alphabet, Yankee. He also probably has a world-class help desk to keep him out of trouble. And anyhoo, no one's going to call him out for visiting, say, xHamster. 

Dave Bittner: [00:14:20]  And as it happens, XP is the last version of Windows approved for use on Russian government machines that hold state secrets. Russia is in the process of moving toward domestic software - its Astra version of the Linux OS and homegrown browsers like Yandex. It can be tough to quit an OS, and that's no joke. We see it in the industrial IoT all the time. Fun fact, his desktop background shows the towers of the Kremlin. Better than flying toasters, right? So, Grandpa Frost, send the president something nice - maybe a Best Buy gift card, right? 

Dave Bittner: [00:14:59]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:15:31]  And joining me once again is Ben Yelin. He's the program director for public policy and external affairs at the University of Maryland's Center for Health and Homeland Security. Ben, it's great to have you back. 

Ben Yelin: [00:15:39]  Good to be here again. 

Dave Bittner: [00:15:40]  I should mention that you are also my co-host on the "Caveat" podcast, which if you have not yet subscribed to, what are you waiting for? It's a great show. Check it out. 

Ben Yelin: [00:15:47]  On your favorite podcast platforms. 

Dave Bittner: [00:15:49]  (Laughter) There you go. Interesting story came by. This is via NBC News, and it's about the police using some Google location data to find an accused bank robber, and his lawyers say that's no good. What's going on here? 

Ben Yelin: [00:16:05]  So this is about the use of geofencing technology. Basically, what happened here is there was a bank robbery in Richmond, Va. 

Dave Bittner: [00:16:11]  OK. 

Ben Yelin: [00:16:12]  Nobody who could identify who the suspect was. They ended up stealing, like, $200,000 from the bank. But in one of the security - in security video footage of the incident, they saw somebody on a personal device - the suspect using a personal device... 

Dave Bittner: [00:16:27]  Right. 

Ben Yelin: [00:16:27]  ...Even though they couldn't identify who that suspect was. So the government asked Google to do geofencing, basically to list every device that was within that geographical area where that bank robbery took place. And using process of elimination, they landed on the suspect, who was charged with armed robbery. 

Ben Yelin: [00:16:48]  That individual's lawyer is challenging this arrest, saying that this is an unconstitutional search. We've had court decisions on other types of location information. Historical cell site location information, for example, was the impetus behind the Carpenter case, which came out in 2018. We have not yet had a case specifically on geofencing where you sort of figure out every single device that you can find that was in a particular area at a particular time, work backwards and narrow down your list to find a suspect. 

Dave Bittner: [00:17:23]  So what's the hazard here? How are they arguing that this bumps up against our constitutional rights? 

Ben Yelin: [00:17:29]  So there's always the risk of false positives. That's, you know, first and foremost. Second of all, this sort of goes against the rationale for having the Fourth Amendment in the first place, which is avoiding what are called these general warrants, where - and this goes back to our common law ancestry in England. You know, you'd get a warrant to just go search every house to try and find incriminating material without any sort of particularity - naming the person to be searched or the things to be seized. 

Ben Yelin: [00:17:56]  One of the attorneys here in this article notes that this is sort of the digital equivalent of going into everybody's house in a given neighborhood and trying to find incriminating evidence. And if that's, you know, the analogue for what's going on with geofencing, I think we can understand why geofencing presents these civil liberties concerns. 

Dave Bittner: [00:18:16]  So the notion here being that if, for example, you or I were also doing some business at that bank, or maybe the sandwich shop next door, that we would have been subject to an illegal search by virtue of our data getting caught up in this geofence effort. 

Ben Yelin: [00:18:33]  Right, and it's completely suspicionless. So the government would have no inclination or idea that we committed any crime or had any evidence whatsoever about the crime that did take place. Now, of course, what law enforcement will argue is that the third-party doctrine applies here, which means, you know, when you log on to your phone, you know or should know that when you're using, you know, Gmail or any other Google apps, they are tracking your location. 

Dave Bittner: [00:18:59]  Right. 

Ben Yelin: [00:19:00]  They keep those as part of their business records, so you don't have an expectation of privacy... 

Dave Bittner: [00:19:04]  Right. 

Ben Yelin: [00:19:05]  ...In that information. We'll see how courts square that with the Carpenter decision, which said that people do have a reasonable expectation of privacy as it relates to historical cell site location information. My inkling is that if you have a reasonable expectation of privacy about where location-identifying information that's taken place in the past, then perhaps that would apply to geofencing as well. But without any actual court cases, you know, we can't know for sure. 

Dave Bittner: [00:19:32]  How is this different than just good, old-fashioned surveillance video, you know? In other words, I've got a video camera that's tracking the parking lot of where this bank is. And it's getting everybody coming and going from the bank and, like I said, the sandwich shop next door and the dry cleaners and all that sort of stuff. Is it that the amount of information that can be gathered with this, that we absolutely know the names of everybody involved, or is there a difference there? 

Ben Yelin: [00:19:57]  So that's part of it. And, you know, the other part is with video surveillance, you know, you're putting yourself in plain view, which means you're forfeiting your expectation of privacy. We're not necessarily doing that just by opening your device, even though now, perhaps people should know that their location is being tracked if they're using certain applications, if they're permitting location services on that application. That's different than you're walking on the street and a camera captures you. You're in a public place. 

Dave Bittner: [00:20:23]  Right. 

Ben Yelin: [00:20:24]  So you're sort of are assuming the risk that somebody has a camera and is observing you. 

Dave Bittner: [00:20:28]  All right. This will be interesting to see how this one plays out. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:20:32]  Thank you. 

Dave Bittner: [00:20:38]  And that's the CyberWire. 

Dave Bittner: [00:20:40]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:51]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.