CyberWire Daily - A look at what’s up in some of the criminal markets. The continued resilience of TrickBot. What you can buy for $155,000.
Episode Date: November 10, 2020. Criminals get the news like everyone else, and online crime continues to follow current events. It's up, it's down, it's up again--forget it: it's TrickBot. A cyber incident affects computer maker Compal. Zoom settles an FTC complaint. Price check in the criminal markets. Ben Yelin on a Canadian shopping mall's collection of over 5 million shoppers' images. Our guest is Ben Brook from Transcend with best practices in privacy and data protections. And spare a thought for a veteran tomorrow. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/218
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Criminals get the news like everyone else,
and online crime continues to follow current events.
It's up, it's down, it's up again.
Forget it, it's TrickBot.
A cyber incident affects computer maker Compal.
Zoom settles an FTC complaint.
Price check on the criminal markets.
Ben Yelin on a Canadian shopping mall's collection
of over 5 million shoppers' images.
Our guest is Ben Brook from Transcend with best practices in privacy and data protections.
And spare a thought for a veteran tomorrow.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, November 10th, 2020.
It should come as no surprise, but it remains worth noting, that criminal phish bait and pretexts for online scams closely track current events.
The Wall Street Journal, having talked to a range of security companies,
reports that U.S. election-themed spam remains high.
It's likely to remain high for the next couple of months.
And TechRepublic, citing Trustwave researchers' scanning of dark web markets,
writes that COVID-19 is also a hot brand in the criminal world.
Phony COVID cures, counterfeit travel documents, and scam-call boiler room services are all being pushed vigorously.
The COVID stuff began to circulate early, Trustwave told TechRepublic.
They were surprised by how quickly criminals saw opportunity in widespread suffering
and moved to monetize the main chance COVID-19 presented them.
None of the approaches they've been taking are particularly novel, but they've been effective nonetheless.
A large number of domains were registered with COVID-themed names.
These are useful for waterholing or as destinations for phishing links. There have
been many cases in many countries of campaigns designed to collect fraudulent claims on
government disaster relief programs. Phish bait has been devised to inveigle employees trying to
adjust to new work arrangements into opening malicious attachments or following equally
malicious links. And finally, of course, are traditional scams.
Quack medicines, bogus treatments, and the whole familiar soft array of hoked-up medical
charlatanism. So where some people see suffering and ask, how can I help, and others, who don't
quite go so far, ask, how can I protect myself, still others ask, how can I monetize this?
The people in the third category regard the first two classes as their prey.
Prominent among the criminal activity that's continued through the pandemic, of course, is ransomware.
A study released this morning by Zscaler finds an interesting wrinkle in the ransomware landscape.
They're observing a marked increase in malicious SSL traffic,
which suggests that criminals are finding this form of encryption attractive
as a way of avoiding inspection and detection.
It's not a foolproof way of evading defenses,
but there may be some relaxed vigilance with respect to SSL.
It's worth noting that SSL is often used loosely to refer to both the deprecated SSL, that is Secure Sockets Layer,
and its successor, TLS, Transport Layer Security.
In any case, SSL, TLS, and the things that mark them online,
like the HTTPS prefix and the comforting padlock,
aren't sure guarantees that there's no badness in the traffic.
TrickBot continues to seem able to take a punch.
Intel 471 today outlined how the gang behind TrickBot has managed to recover,
shift, and work around repeated government and industry disruption of its infrastructure.
The anti-TrickBot campaign began in earnest on September 22nd,
when U.S. Cyber Command is generally believed to have begun interrupting the bots' ability
to reach their command and control servers.
There was a continued back and forth
until the beginning of November,
and by the end of last week,
TrickBot activity proper had dropped to negligible levels.
The operators had, in the meantime,
shifted to Emotet and other tools.
As Intel 471 put it,
Quote,
Between October 28th, 2020 and November 6th, 2020, we were unable to identify any working TrickBot control servers as of November 6.
End quote.
But in a sign of how resilient this sort of criminal enterprise can be,
that inactivity lasted about three days.
Quote,
On November 9, 2020, we did see a new version of TrickBot that was distributed via a spam campaign.
End quote.
So, back to the grind for those who would take out TrickBot once and for all.
Good hunting. Compal, a Taiwan-based manufacturer that's the world's second largest laptop maker,
is said to have sustained a ransomware attack over the weekend. ZDNet, which sources the news about ransomware to media in Taiwan, also reports that a Compal executive denied any
ransomware attack but did acknowledge an unspecified hacking incident, apparently confined
to business networks. Compal deputy managing director King Xiong Liu told news outlets that
the company is not being blackmailed by hackers as it is rumored by the outside world. Apple, Acer, Lenovo, Dell, Toshiba, HP, and Fujitsu
are among Compal's customers. The company also makes a large range of peripherals.
The company is returning to normal operations. Zoom has settled a U.S. Federal Trade Commission
complaint in which the FTC alleged that the online meeting platform had engaged in a series
of deceptive and unfair practices that undermine the security of its users. TechCrunch says that
the complaint turned in part on suggestions that Zoom services were in fact more secure,
more robustly encrypted than in fact they were. The settlement requires Zoom to implement a robust
information security program. The criminal market has its ups and
downs. InfoSecurity magazine reports that prices of a batch of RDP credentials belonging to 7,500 educational
institutions have dropped in two Russophone criminal markets. Digital Shadows confirmed
to the publication that the price fell last week from 25 bitcoins, roughly $387,000,
to 10 bitcoins, about $155,000. Cheaper, but still pricey.
For $155,000, you could buy a decent little bungalow in Florida,
or a Polestar 1 hybrid sports coupe.
But some people think they'd rather spend their jack on, you know,
remote desktop protocol credentials for school networks.
Sad.
And finally, we'll be taking tomorrow off as we observe Veterans Day.
It's sobering to recall that November 11th was chosen for this day
in remembrance to mark the end of the First World War,
and that no veterans of that war remain with us.
Other generations are passing.
So spare a thought for the veterans tomorrow,
and spend some time with any you know, young or old.
We will.
The Cyber Wire will be back, as usual, on Thursday.
Ben Brook is co-founder and CEO at data privacy infrastructure company Transcend.
He joins us with thoughts on best practices in dealing with new privacy and data protections.
Recently, there were two major privacy laws passed.
There was GDPR and CCPA.
And these are some of the first laws to encode what we call data rights.
And you can think of data rights as the first time that users really have any degree of
control over the personal data that companies collect about them. Whereas before, privacy laws
were all about just writing policies and informing users. Now users have actual controls in their
hands that they can use. And so companies are actually scrambling to comply
with these new incoming requests coming from end users.
So when somebody says, delete my data,
it's a very tall task for a company to go
to its hundreds of data systems and vendors
and actually execute that erasure process.
What are your recommendations for organizations
who are looking to get a handle
on this? I mean, what's the best way for them to get started? Yeah, so there's a few key principles
that companies can adopt right now. And one of those is just adopting a philosophy of alignment
over antagonism between these two departments, the legal and the engineering department. So something that we see that actually works very well is just to set up
a working group between these two functions and sort of have them meet regularly to hash out
these differences because inevitably they're going to come up repeatedly. And having that
alignment is key. Another one is to actually think more about the user experience rather than compliance.
And this is really interesting because once you start actually taking privacy from a UX perspective,
you actually start figuring out how to simplify a lot of the things that the regulations say.
And if you think of the core principle of these regulations, it's really about respecting users, right?
So rather than trying to go through an itemized list
of compliance requirements,
it's often a lot simpler to think of it
in the perspective of,
would my users be mad if we did this?
Or how do we give them the best privacy controls that we can?
And so, yeah, user experience as a priority over compliance,
I think is really helpful.
And then lastly, really pushing to achieve technical scale
over manual workflows.
So companies really need to think about getting it to a place
where they have set it and forget it automation,
where it's a secure and it's a system agnostic infrastructure that can be connected once to
wherever that personal data lives, and then allow for automatic fulfillment of these privacy
requests. And once you have that, everything sort of makes sense again. And you're no longer sort of like running in this
hamster wheel of continuously trying to like chase down systems and put some unique workflow to each
one. So just doing those are really actually simple ways of making this an effort that is
sane and actually fosters a better sort of collaborative environment around privacy.
That's Ben Brook from Transcend.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast.
Hello, Ben.
Hi, Dave.
You and I talk a lot about the collection of people's images,
with or without their consent, over on the Caveat podcast.
You know, privacy issues are something we talk about regularly.
We've got a story here from Yahoo Finance.
It's titled Cadillac Fairview.
That's a mall, not a car.
I was so disappointed when I found that out.
Right.
They collected five million shoppers' images without their consent.
What's going on here, Ben? So this happened in Canada. There are 12 shopping malls where they had this pilot program
where they were going to take images of shoppers, and it ended up being 5 million,
apparently to analyze the age and gender of the shoppers for their own advertising purposes,
to kind of see who was there, during time periods, et cetera. It was basically market
research. They said they're not doing it to identify individuals. Now, Canada has a, or at
least the provinces of Canada have what are called privacy commissioners. We have that in some states
here or equivalents of that, but they seem pretty robust in Canada. And they are pushing back
against what happened at these malls. The malls are saying that patrons had fair notice because
there were decals on the shopping mall entry doors referring to a privacy policy. I don't know about
you. I have never read a decal on a mall, on the entry to a mall. I'd assume that if I did read it,
it would say something like, you know,
no yelling and screaming after 8 p.m.
and, you know, things that are not related to
we're taking real-time photos of you,
you know, 5 million of you as you walk through our malls.
So what the Privacy Commissioner said in a
release is that shoppers had no reason
to expect that their image was being
collected by an inconspicuous
camera, nor that it would be used with facial
recognition technology for analysis.
And the big problem here is
meaningful consent, especially
in their view considering how sensitive
this data is. It's biometric data,
so you can find out a lot of personal information about somebody.
So yeah, it was a really interesting story.
I have to say I'm not generally on the beat of what happens at malls in Canada,
but certainly a story that's up our alley.
Well, I guess I have a few questions about this.
I mean, first of all, just in the pure gathering of images, I mean, how is this different
from gathering up just run-of-the-mill security footage? You know, that's it. You got video
cameras all over the mall that are always rolling, and that's being recorded and stored for a certain
amount of time. We all seem to be, I don't know, at peace with that. So I think that's a good point. The one thing
that I think the privacy commissioners tried to get across here is that these are more secretive
and inconspicuous. So they're in digital information kiosks. People probably don't
expect that those are going to exist at a mall, whereas they do expect that there are going to be
closed-caption security cameras.
Not closed-caption.
Closed-circuit security cameras.
So I think that's potentially one difference.
But yeah, I mean, it is a very public place.
It's a place where you probably don't have
much of a reasonable expectation of privacy
no matter what you're doing.
Because you should know that if the camera isn't catching you,
there are generally a lot of people there who could see what you're doing.
So I think that kind of cuts against the outrage that one would have
about this story, that it's not like they're using this technology
outside people's houses.
It is a mall, and you are choosing to go there.
I think if the mall made it clear and had warnings that were a little more accessible to their shoppers,
then maybe the privacy commissioners in Canada wouldn't have had such a problem.
Right. I'm envisioning something like how some malls will have interactive maps of the mall
where you can walk up and say, oh, I'm shocked.
I want to find all the stores that have shoes.
Yeah.
Sunglasses hot.
Yeah.
Right.
Exactly.
But while you're facing that sign, I suppose there's a camera in the sign that is then taking this very clear, front on, well lit photograph of you.
Smile.
You're on camera.
If you don't know that's happening,
that could be disconcerting.
I will say, you know,
back in a previous life
when I was working in the broadcast industry,
if we were shooting at a place like a mall,
we would put up signage that said,
hey, you know, this is a public place,
but, you know, be aware
we're making a movie today.
And if you walk by,
there's a chance you could be in the movie.
And if you have a problem with that, please avoid this area.
Let somebody know or something like that.
And I think they could have gotten away with this.
I don't think there's anything inherently...
So it is biometric data, so it is personal.
I don't think there's inherently anything wrong with this. If customers were given proper warning and, you know, something that said very clearly, not in just a small decal on the entryway door, this is what's happening in the mall.
You know, you can opt out of this by leaving, but at least you're aware of it.
And if you're going to stay, you're consenting to it.
Right.
Or click here and the mall doors will unlock.
Yeah, exactly.
Otherwise, you got nothing.
Yep.
Yeah.
Boy, what a quaint idea, right?
Asking someone's permission before you gather an image of them.
It's adorable, isn't it?
I know.
So antiquated.
Yeah.
Yeah.
All right.
Well, interesting story for sure.
Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed, like a rock.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Harold Terrio, Ben Yelin,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening. We'll see you back here on Thursday.
