CyberWire Daily - 2021 may look a lot like 2020 in cyberspace, only moreso. Cold chain cyberespionage. Cybercriminals are also interested in COVID-19 vaccines. And beware of online dog fraud.

Episode Date: December 4, 2020

Predictions for 2021 focus on ransomware: it'll be better, more aggressive, bigger, and a greater problem in every way. Cyberespionage and the cold chain. Cybercriminal interest in COVID-19 vaccines extends to both theft and fraud. Johannes Ullrich on the .well-known directory. Our guest is Michael Magrath from OneSpan on what the financial sector needs to consider now that we're in post-election season. And what's one effect of the pandemic? Dog fraud. Ask the Better Business Bureau. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/233

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Predictions for 2021 focus on ransomware. It'll be better, more aggressive, bigger, and a greater problem in every way. Cyberespionage and the cold chain. Cybercriminal interest in COVID-19 vaccines extends to both theft and fraud. Johannes Ullrich on the .well-known directory. Our guest is Michael Magrath from OneSpan on what the financial sector needs to consider
Starting point is 00:02:26 now that we're in post-election season. And what's one effect of the pandemic? Dog fraud. Ask the Better Business Bureau. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 4th, 2020. The increase in ransomware and its now routine combination with data theft and doxing formed one of the bigger trends of 2020. Terrible is an adjective that rightly appears in StateScoop's account
Starting point is 00:03:14 of the discussion of ransomware at this week's Aspen Institute's Cyber Summit. The ransomware operators have increased both their determination and rapacity. The addition of data theft adds bite to the extortion. Not only are the criminals denying the victims access to their data, but the criminals have another opportunity to monetize the results of their attack by selling stolen information on criminal markets. It's the threat of releasing the information that has now rendered the classic defense against ransomware, regular secure backup, as imperfect protection. And it's unreasonable to expect criminals to keep their word when they promise to destroy stolen data if they're paid off.
Starting point is 00:03:56 So in many respects, 2021 is expected to be a lot like 2020, only more so. Continuity Central has five ransomware-centric predictions for the coming year, and they're representative of what we're hearing. First, cybercriminals will concentrate attacks on the most critical industries, including healthcare and manufacturing organizations. Organizations that depend upon high data availability will continue to be particularly attractive to attackers. The deep pockets of the financial services sector will always be targets, but those pockets are also among the best protected. Healthcare and manufacturing? Not necessarily so.
Starting point is 00:04:38 Second, attacks will find more sophisticated ways to get into your data center. Attacks will adapt to defenses. Third, CISOs are going to focus more time and budget on recovering from an attack. The ransoms demanded are rising, and while it may soon be illegal to pay them in many jurisdictions, the increased sophistication of the attacks will increase recovery costs. Fourth, cyber attacks will put a renewed focus on data governance. This prediction is related to the now routine data theft
Starting point is 00:05:10 ransomware gangs will continue to commit. It also adds considerable regulatory risk to the victim's headache. And fifth, backup infrastructure will look very different and see a noticeable transformation. Backup is no longer a complete fix, but it remains a vital one. It will evolve into more secure, more routine, easier-to-use forms. Randori offered a similar set of predictions to eWeek.
Starting point is 00:05:37 The first three applied directly to ransomware, the final pair to national policy. Their first prediction involves a projected advance in criminal technology. Deep fakes and voice fakes come to the enterprise. These will enable more effective social engineering and the production of falsified records that could cause considerable reputational damage to the victims. The second prediction is ransomware evolves to enterprise extortion. This is a step up from the threat of doxing.
Starting point is 00:06:06 As Randori put it, quote, ransomware attacks will shift from I've stolen all your data, now pay me, to I'm going to extort your CEO with information I've found in the data I've stolen from you. And if you don't pay, we'll devalue your stock on Wall Street, end quote. And third, expect more cloud infrastructure ransom attacks. Enterprises are in the cloud. Criminals will be too. Fourth, a leadership crisis in IT talent will hit the U.S. government. Maybe high senior turnover will stop, or maybe not, but its effects may continue to be felt.
Starting point is 00:06:43 We note in passing here that the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, the Washington Examiner reports, is standing by his predecessor's conclusion that the U.S. elections were secure. And finally on the list, expect an antitrust, anti-tech reckoning in 2021. There's bipartisan interest in some form of tech regulation in the U.S., and the situation is similar in the EU. This week's announcement by IBM that its researchers had discovered a concerted campaign directed at compromising the cold chain was widely taken as a warning about a state-directed cyberespionage effort. The cold chain is that part of the supply chain that's used to transport biomedical material under temperature-controlled conditions.
Starting point is 00:07:32 Security Week summarizes the case for classifying the effort as the work of an intelligence service. It's difficult to see how a socially engineered intrusion into a vaccine supply chain could be easily monetized, but it would yield information an intelligence service would find interesting. Some experts, Reuters notes, see this as a general attempt at supply chain espionage that's only accidentally connected with COVID-19 vaccine research, and IBM's own conclusions suggest the activity they observed was consistent with battle space preparation. SC Magazine reports that big pharmaceutical company Eli Lilly's CISO sees a risk in the vaccine supply chain's lack of awareness that it's a target. It's not that the links in the chain are oblivious, but rather that the chain is, as IBM pointed out, extraordinarily complex.
Starting point is 00:08:25 Many of the links may not be fully aware that they're in the COVID-19 vaccine supply chain at all. One reason for thinking espionage against the cold chain is state-directed is, as we've mentioned, the absence of any obvious way in which criminals could cash out on their take. But there are strong criminal motives for vaccine fraud, too. Vice points out the dark web drug dealers are pushing bogus COVID-19 vaccines, including counterfeits of legitimate emerging treatments. The Wall Street Journal adds that vaccines will be attractive targets of theft, too. They are liquid gold. And finally, how much is that doggy in the window?
Starting point is 00:09:14 In Bitcoin, maybe? Here's one odd effect of the pandemic, at least in the U.S. A rise in dog purchase or adoption fraud. WBBM cites a caution from the Better Business Bureau to the effect that criminals are bilking people trying to get a dog. Why? It's supply and demand. It's because people want dogs around while they're locked down at home. And who wouldn't? We note that the dog rescue outfit that sprung the Cyber Wire's official editorial pooch
Starting point is 00:09:40 from a South Carolina slammer a little more than three years ago has been out of dogs for a couple of months. Demand is high and the grifters have noticed. We hope to be able to write a dog bites man story about these hoods soon. Hack forward and go get them, doggos. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:10:10 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:10:39 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:07 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Share your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks.
Starting point is 00:12:06 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:55 With the U.S. election in the rearview mirror and a new administration and Congress preparing to take their place, banks may find themselves facing new regulatory challenges. Joining us to discuss this possibility is Michael Magrath. He's Director, Global Regulations and Standards at OneSpan, a company that provides digital identity and anti-fraud solutions. They recently published their OneSpan Global Financial Regulations Report. Michael Magrath, thanks for joining us. Yes, it's a pleasure. Happy to be here and thanks for having me.
Starting point is 00:13:21 So today we're going to be talking about what banks should be doing to prepare for the post-election challenges they may be facing, looking at perhaps some new regulatory landscapes. Let's start off with some high-level stuff here. Can you give us a little bit of a lay of the land? I mean, where do we find ourselves in terms of where the banks are and what they're dealing with in terms of potential regulations on the horizon? Sure, sure. I'd be happy to. So, you know, where things are, we're right in the middle of a pandemic. And, you know, things have really changed over this year. The fraudsters, they kind of know what's going on out there. And cyber attacks
Starting point is 00:14:06 against banks increased. There was a report done earlier this year, 238% during the pandemic. A lot of this is done through social engineering and phishing attacks and those types of things. and phishing attacks and those types of things. But I think where the banks are right now, they have put things in place to secure, not all banks, but a lot of the banks have. And those that haven't, the fraudsters have realized this and attacked them. But just some interesting statistics that have come about. Account takeover fraud
Starting point is 00:14:49 has grown over 72% this year over 2019. And banks reported a seven-fold increase in suspicious business loan activity. And that's on top of what was happening at the state level, where it was very well documented the state unemployment offices were getting inundated with false claims for unemployment when the pandemic hit. And that was really from nation-state attacks. So that's the lay of the land right now, as I see it, is the banks are really fast tracking their plans to digitize and have been forced to. Yeah.
Starting point is 00:15:35 So we just made our way through the election cycle here in the U.S. Where do the banks stand in terms of anticipating the possibility of new regulations with a new administration coming into power? I think what you're going to see with the Biden administration is a more prominent role or prominent focus on cybersecurity. The Trump administration did do some good things, but one of the key things that the Trump administration did is that they eliminated the role of the cybersecurity coordinator at the national level. And I would expect the Biden administration to restore that role. On a side note, there's a, within Congress, there's a,
Starting point is 00:16:27 they established what they're calling a Solarium Commission that kind of goes through a whole host of different cybersecurity initiatives at the national level. And one of the initiatives or recommendations coming out of that commission is to create a formal national cybersecurity director within the White House. And then on the legislative front, there was a lot of good legislation introduced this year. One was called the National Biometric Information Privacy Act. So if it was passed, it would prohibit businesses in the private sector from collecting a wealth of biometric data, including fingerprints and face and retina scans, voice prints,
Starting point is 00:17:14 without having consumer consent. And there was also a Data Protection Act that was introduced this year, and that would create a federal data protection agency. We really don't have one today. We have the Federal Trade Commission does some of that work. The Consumer Financial Protection Board does some of that work. So I think you're going to see legislation like that come into play. And then the other big one is really what happened during the election. The state of California, they had a ballot initiative to, I would say, update or replace the current California Consumer Privacy Act with a new version called the California Privacy Rights Act, or CPRA.
Starting point is 00:18:07 And that legislation was overwhelmingly passed by the voters. And one of the key provisions in that is that it's all about protecting individuals' most personal information and allowing that individual to prevent businesses from using or sharing what they define as sensitive personal information. So that was just passed. That's not going to come into play. But I wanted to mention that because I think you're going to see more states roll out their own similar legislation. And so there's a lot going on in Washington, both as it relates to the incoming Biden administration, but also within the next congressional session. That's Michael Magrath from OneSpan. Don't forget, we have extended versions of many of our CyberWire interviews
Starting point is 00:18:58 as part of CyberWire Pro. You can find out more about that on our website, thecyberwire.com. and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ulrich.
Starting point is 00:20:10 He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, always great to have you back. We want to touch today on some files that are sort of, I don't know, is hiding in plain sight a good way to say it, or perhaps lesser known. Lesser known, yeah. That's a very good way to put it, yes. Okay, what's going on here today? Yeah, so thanks for having me.
Starting point is 00:20:35 It's actually a little security feature that you have in your web server. And yes, you called it lesser known. Actually, the directory is called.wellknown. Yes, you called it lesser known. Actually, the directory is called.wellknown. And this is a directory that really has sort of evolved in a collection of, I don't want to call it random file, but various files. And people keep adding sort of to that collection of files that you have in there. And some of them are certainly interesting and files that you should have there or that you should consider supporting. are certainly interesting and files that you should have there or that you should consider supporting.
Starting point is 00:21:08 And it sort of all started out with the good old robots.txt file, which is a file that has existed on web servers forever to sort of tell search engines how to index your page. Now, people wanted initially to add similar files, but then decided, hey, instead of littering your document root with them, let's set up this.wellknown directory for it. And there's sort of two features in particular that have become more popular recently that I think have some real neat sort of security implications. The first one is, well, the file is just called security.txt. And it's a text file, as the name implies, similar to robots.txt. as the name implies, similar to robots.txt, but its purpose is to tell a researcher,
Starting point is 00:21:47 to tell a security professional that finds a vulnerability on your website, how do they get in touch with you? So you can leave an email address in there for your security contact. You can even indicate that you're participating in a bug bounty program or such. Because I myself run into this, trying to contact websites about a security vulnerability.
Starting point is 00:22:09 And it's hard. It's hard and it's a lot of work to figure out who to send the email to. And often you end up at the wrong address and it bounces or they don't know what you're talking about. And often I've given up and said, hey, let them worry about it. But I'm doing a lot of free work for them.
Starting point is 00:22:28 So here you make it actually easier and you sort of make that. It's pretty much automatable at that point where someone could automatically. I was going to say, it's important to keep that one up to date as well. Yeah, it's important to keep that up to date. So it goes to a valid email address. And there are a couple of different options you have, but more or less it's just a simple text file. So it's very easy to maintain too. It's easy to install, so you don't need to enable any big features on your web server.
Starting point is 00:22:58 And you probably already have that.wellknown directory because Let's Encrypt uses it for their Acme protocol to set up certificates. And that's how usually that directory is created in the first place. Oh, I see. Now there's another one that's related to passwords. What's going on with that one? Yeah, and that's really change password. The problem they're trying to solve here is that these days people use password
Starting point is 00:23:27 managers. So the problem then comes up once you want to change that password, you have to go to a website, you have to find the page where you change the password, you change the password, and then you have to go to your password manager and make sure everything is in sync. to go to your password manager and make sure everything is in sync. And of course, if that fails, then passwords get lost and costs happening because of reset passwords and such. Change password really just points to the URL that you use to change the password on your site. And a couple of password managers, like for example, one that's built into Safari and
Starting point is 00:24:04 Google Chrome, also one password, started to support this feature now. So it actually works where I can now tell my password manager, hey, I want to change the password for this site. And it will automatically open the browser on the right page. And then as I change the password, remember the new password. and then as I change the password, remember the new password. So a lot less friction in changing passwords, which probably users should do occasionally. So I don't want to make it too hard on them. Yeah, and it seems like all this is really about making it easier for the users.
Starting point is 00:24:37 Like you said, reducing friction. Correct. It's all about reducing friction, making it easier. And all of these features are very easy to implement. So there isn't really any big tools or anything like this that need to install. It's just simple files or like that redirect. You can do that in various ways depending on what web server you're using. Yeah. All right.
Starting point is 00:24:58 Johannes Ulrich, thanks for joining us. Yeah, thank you. care. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Quality is remembered long after the price is forgotten. Listen for us on your Alexa smart speaker, too. Be sure to check out this weekend's episode of Research Saturday and my conversation with Deepan Desai from Zscaler. We're going to be discussing the Raiyuk ransomware.
Starting point is 00:25:49 That's Research Saturday. Don't miss it. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:26:20 We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
