Cybersecurity Roundup: February 13, 2018
 
This week the Olympics may have been hacked by a country, CNET peddles Verizon's SIM-locking BS, the CIA thinks NYT and Intercept are smoking Russian crack, the DHS came out swinging at NBC News, some very unsettling questions about Facebook surveilling employees and journalists are emerging, and much more...


The most underrated Olympic competition

On Friday, the 2018 Winter Olympics website went offline. Ticket sales and downloads were interrupted, and stadium wifi went down during the opening ceremony.

The Guardian reported it as a potential "cyber-attack" and -- with a quick and highly scientific roll of its attribution dice -- pointed its blaming-finger at North Korea.

The same day, Mail Online ran a headline and URL saying Russian "cyber crooks" had hacked the Winter Olympics opening ceremony. To be safe, it added: "Officials don’t know who was behind it."

This was when some of us just put our hands in our pockets and stared at the ground.

The Guardian was back the following day with a new article confirming a malware intrusion, but this time cited ambiguous "growing concerns" to follow in the Daily Fail's let's-blame-Russia-maybe footsteps.

There was cyberblood in the cyberwater. The scent was picked up instantly by PR teams of firms large and small, as well as spotlight-chasing cyberpundits. Gotta love the usual suspects -- CrowdStrike, FireEye, McAfee and Talos were in the churn fast, assisted by click-chasing media outlets eager to cash in on timely headline keywords such as "Olympics" and "hack."

When Monday came, attribution was being evenly handed to Russia, China, North Korea, and even Iran got a bonus mention.

The one thing everyone can agree on, however, is that the malworm was a wiper, and its very metal name is "Olympic Destroyer."


Sucker punch

The phrase "hook, line, and sinker" best describes the way CNET fell for Verizon's PR spin on the cell company's decision to start SIM-locking the phones it sells to consumers. CNET went deep with Verizon's side of the story without even gagging once, explaining that the company was doing it to protect customers and deter theft. 

The sharp and savvy folks at Android Police were quick to call bullshit on the whole shenanigan, saying: "Essentially no details are provided about how this will be implemented, but it really doesn't matter, because Verizon rather explicitly agreed not to do this ten years ago."

Per the restrictions imposed by the 700MHz Upper Block C spectrum auction it won in 2008, Verizon is expressly barred from locking down handsets on its network that utilize this spectrum. The plain text from the restrictions makes this absolutely clear.
(...) So, Verizon's announcement today is complete and utter bullshit. It doesn't matter if you'll be able to unlock your phone 90, 60, or 30 days after you buy it. It doesn't matter if it is or isn't paid off. What matters is that Verizon agreed to the above rules when it won the auction for that spectrum, and it is now deciding that a clear and flagrant violation of those restrictions is worth pursuing because the current FCC leadership has very little interest in protecting consumers. When the restrictions on the spectrum were first added, Verizon actually sued the FCC over them, though later dropped that suit and pledged to honor them... for as long as was politically expedient, apparently.
Verizon has peddled CNET the story that this is about preventing handset theft and fraud.

Embarrassingly for CNET (and sadly for us), they fell for it.


Not just a river in Egypt

The CIA on Saturday denied reports from The Intercept and the New York Times that it was ripped off by a mystery Russian who promised compromising information on Trump. "The fictional story that CIA was bilked out of $100,000 is patently false," the Central Intelligence Agency said in a statement sent to AFP.

Intercept and NYT made splashy headlines late last week that US intel had run a top-secret operation to get its stolen NSA files back from Russian spies (as if that works, somehow, in a magical mirror universe where the function of computers is not to copy files). AFP detailed:

"The people swindled here were James Risen and Matt Rosenberg," the CIA said, referring to Times reporter Rosenberg, who wrote the story, and Risen, a former Times reporter who authored The Intercept's article.
Both reports appeared on Friday.
The president tweeted approvingly that The Times article shows a need to "drain the swamp" in Washington.
In a story worthy of a John le Carre novel that included secret USB-drive handovers in a small Berlin bar and coded messages delivered over the National Security Agency's Twitter account, CIA agents spent much of last year trying to buy back from the Russians hacking programs stolen from the NSA, the Times reported.
(...) Trump on Saturday referred favorably to the Times article about the Russian who "sold phony secrets on 'Trump' to the US," and noted the operative reportedly had drastically lowered his original price.

Denial fever spread to the DHS this week as well. The Department of Homeland Security yesterday slammed NBC News for its report last week, "Russians penetrated U.S. voter systems, top U.S. official says." 

The National Protection and Programs Directorate (NPPD) Assistant Secretary for the Office of Cybersecurity and Communications published a blistering statement Monday saying that NBC News was at the very least super wrong, and at the very most were total lying liarpants to say that any votes in the 2016 elections were manipulated by Russian hackers.

"NBC’s irresponsible reporting, which is being roundly criticized elsewhere in the media and by security experts alike," it said, "undermines the ability of the Department of Homeland Security, our partners at the Election Assistance Commission, and state and local officials across the nation to do our incredibly important jobs."


Built to be bad

A generous, yawny Wired feature about how Mark Zuckerberg is trying to save Facebook dropped a few freaky details about the way the company surveils its employees -- and also possibly how it surveils journalists (or others).

In explaining some of its reporting methodology for the article, Wired wrote something that has raised a lot of very concerning questions. It stated, "(One current employee asked that a WIRED reporter turn off his phone so the company would have a harder time tracking whether it had been near the phones of anyone from Facebook.)"

In another section the article explains:

Soon [former employee Benjamin Fearnow] was on a videoconference with three Facebook employees, including Sonya Ahuja, the company’s head of investigations. According to his recounting of the meeting, she asked him if he had been in touch with [Gizmodo reporter Michael Nuñez].
He denied that he had been. Then she told him that she had their messages on Gchat, which Fearnow had assumed weren’t accessible to Facebook. He was fired. “Please shut your laptop and don’t reopen it,” she instructed him.

So ... is Facebook tracking the phone locations of journalists? Questions, we have so many questions.


More clickables:

Hackers In Equifax Breach Accessed More Personal Information Than Previously Disclosed (CNN)

FCC Says Releasing 'Jokes' It Wrote About Ajit Pai Colluding With Verizon Would 'Harm' Agency (Gizmodo)

Crucial iPhone source code posted in unprecedented leak (Engadget)

Consumers prefer security over convenience for the first time ever, IBM Security report finds (TechRepublic)

Sex, Pong, And Pioneers: What Atari Was Really Like, According To Women Who Were There (Kotaku)

German court rules Facebook use of personal data illegal (Reuters)

Facebook patents tech to determine social class (Engadget)

Smartphone Users Tracked Even with GPS, WiFi Turned Off (Security Ledger)

Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds (Consumer Reports)


Thank you!

By the time you're reading this post, I'm working on next week's roundup. I love it! It's something I work on every day, and I'm grateful for your support and readership. Thank you truly, madly, and cyberly for being a patron and making it possible. If you're not a patron, please consider a donation to help keep this indie female voice in cybersecurity reporting -- a rarity -- going strong.