CyberWire Daily - A warning for US critical infrastructure operators. Blackbaud extortion and data breach update. Who’s got the keys to Twitter? Sino-American cyber tensions.
Episode Date: July 24, 2020
CISA and NSA warn of a foreign threat to US critical infrastructure. A look at what the Bears have been up to lately. The Blackbaud extortion incident shows its ripple effects. An awful lot of Twitter employees had access to powerful admin tools. China orders a US consulate closed in a tit-for-tat response to the closure of China's consulate in Houston. Andrea Little Limbago on cyber in a re-globalized world system. Our guest is Dominique Shelton Leipzig from Perkins Coie LLP on the CA Consumer Privacy Act. And DJI drones may be a bit nosey. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/143
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA and NSA warn of a foreign threat to U.S. critical infrastructure.
A look at what the bears have been up to lately.
Garmin goes down for undisclosed reasons. The Blackbaud extortion incident shows its ripple effects. An awful lot of Twitter employees had access to powerful admin tools. China orders a U.S. consulate closed in a tit-for-tat response to the closure of China's consulate in Houston. Andrea Little Limbago on cyber in a re-globalized world system. Our guest is Dominique Shelton Leipzig from Perkins Coie LLP on the California Consumer Privacy Act.
And DJI drones may be a bit nosy.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 24th, 2020.
A joint warning from the U.S. Cybersecurity and Infrastructure Security Agency and the National Security Agency points out a heightened cyber threat to the industrial Internet of Things.
Recent months, the agencies say, have seen significantly increased attention paid to Internet-accessible operational technology assets
as cyber actors have demonstrated their continued willingness
to conduct malicious cyber activity against critical infrastructure.
Operators of such systems should be ready, CISA and NSA say,
to protect themselves during a time of crisis.
The agencies don't name names in their warning, but the media have.
Wired, in a representative piece, calls out Fancy Bear, Russia's military intelligence service, the GRU,
as the cyber actor snuffling at U.S. critical infrastructure.
The campaign has apparently been in progress for the better part of a year,
which suggests that it's in its reconnaissance and battle space preparation phase.
The alert warns that the agencies have seen an increase in email spear phishing attacks aimed at gaining access to critical infrastructure networks with the aim of pivoting into OT systems.
They've also seen ransomware attempts against such systems, and ransomware is both disruptive in itself and affords an opportunity for information theft.
CISA and NSA recommend a set of actions operators should take to become harder targets.
Many of them are solid advice at any time, like their recommendations to develop and exercise
resilience and incident
response plans, and to disconnect devices from the internet that don't need to be connected
to it.
Some of them, however, including the most urgent recommendations, may be less familiar.
For example, quote, create an accurate as-operated OT network map immediately, end quote, and the related understand and evaluate cyber risk on as-operated OT assets. Take phishing. It's not an advanced technique. Anyone can do it, and do it
they will, from the high-end operators back at the aquarium to the grubby grifter living on pizza
and Mountain Dew in his parents' basement. It's troubling, though, when nation-states are involved.
Their reach is far greater, their timing and coordination are more damaging,
and they can be far more patient and focused than the proverbial skid with a phishing kit.
CISA and NSA say in their warning,
quote,
It is important to note that while the behavior may not be technically advanced,
it is still a serious threat because the potential impact to critical assets is so high, end quote. The good news is
that sound hygiene and attention to basics go a long way toward helping targets stay safe.
Check out the warning and read the whole thing. We note, by the way, that Fancy Bear isn't the
only Russian threat actor in the news lately.
Warnings in the UK seconded by Five Eyes colleagues have also called attention to the activities of Cozy Bear,
Fancy's quieter and more demure sister, a unit of Russia's SVR foreign intelligence service.
The Daily Swig has an overview of what Cozy's been up to lately, besides poking into COVID-19 research.
The consequences of the Blackbaud hack have spread to more universities and not-for-profits in the UK, Canada, and the US.
The BBC gives the following list of known victims: the University of York, Oxford Brookes University, Loughborough University, the University of Leeds, the University of London, the University of Reading, University College Oxford, Ambrose University in Alberta, Canada, Human Rights Watch, Young Minds, the Rhode Island School of Design in the U.S., and the University of Exeter.
Blackbaud, which serves educational
and not-for-profit organizations,
stressed to the BBC that not all of its users have been affected,
and indeed the BBC confirmed that University College London,
Queen's University Belfast, and University of the West of Scotland,
Islamic Relief and Prevent Breast Cancer were not affected.
Blackbaud has been criticized for paying ransom in exchange for the attacker's assurance that they'll destroy the stolen information.
An apparently unverifiable promise on the part of criminals seems to many to be grounds more for despair than for hope.
So, hey everybody, here's a riddle for you.
How many Twitter employees and contractors does it take to hand your account over to someone else?
Ah, just one.
Okay, so it's not a very good joke, not particularly funny,
but it's an interesting question how many employees and contractors had access to internal tools
that would enable them to change account settings
and give control of those accounts over to someone other than the owner.
Reuters says it was more than 1,000, which is a lot of points of human failure.
Twitter CEO Jack Dorsey said in an earnings call yesterday
that everyone at Twitter feels terrible about last week's hack.
We fell behind, the Washington Post quotes him as saying, quote, both in our protections against social engineering of our employees and restrictions on our internal tools, end quote. It seems that Twitter didn't see it coming, and the question investors and others will ask is, should they have?
China orders the U.S. consulate in Chengdu shuttered, Reuters reports, in response to the U.S. closure of China's Houston consulate.
Such a move had been widely expected.
The only unknown was which city's consulate would be the one to go.
Concerns mount over the risk of data exposure through Chinese-manufactured DJI drones,
CyberScoop, and others write.
The concern is that DJI's smartphone interface
could capture data from users' phones
and transfer them to Chinese intelligence and security services.
There's no particular evidence that DJI has done this,
but it's pretty clearly possible,
and Sino-American cyber relations are clearly in a state
where no one is prepared to accept absence of evidence as evidence of absence.
My guest today is Dominique Shelton Leipzig. She's a partner at the Perkins Coie LLP law firm
and co-chair of the firm's ad tech privacy and data management team. The firm is
headquartered in Los Angeles, so when it comes to the California Consumer Privacy Act, it's fair to
say that they are in the middle of it. The CCPA, as of January 1st, 2020, ushered in eight new
rights for California residents. Three of those have to do with the right to know. In other words, California residents can know what data a company
has collected about them and the purposes for the collection going back a
year prior. They can also know the sources of the data and even what data
has been sold about them. They can also opt out of the sale of data if they're adults. And for children, they have a right to opt in. In other words, kids under the age of 16 have a right to give opt-in
consent before their data is sold. And then there is a right to access the data, a right to delete
the data, and then a right to be free from discrimination or retaliation,
really, for exercising any of the other seven rights I just mentioned. So things like special
price discounts or, you know, variances in quality of goods that are linked to data,
the ability of the consumer to provide consent for the use of their data
will be considered discriminatory or retaliatory
unless there's some show of the value of the data to the business.
So that's where it is right now.
And we've certainly had plenty of warning and plenty of lead time
as CCPA sort of came online and went into effect.
What are we seeing now in terms of people adhering to it?
Yeah, so the big news is that effective July 1st,
our California Attorney General has the legal right
and has already begun, I understand, to begin enforcement.
And so this was really the key up until between January 1st and July 1st,
there was certainly a spate of consumer class actions, putative class actions that have been
filed, about 55 of them related to the CCPA. But for the first time as of July 1st, the AG, our Attorney General, who's the primary enforcer of the CCPA, the entirety of the statute, has the right to begin enforcement.
And that appears to be exactly what's taking place right now.
Can you give us some examples of the types of things that people are flagging?
Yeah. So, you know, I think the June 30th and July 1st press releases from the
California attorney general were very telling in those he encouraged consumers
to exercise their rights to not have their data sold by clicking do not sell
links on websites, of course, the statute requires a do not sell link on the homepage of a website if a company is selling data to provide an opt-out for consumers to opt out of the sale.
Now, there are a vast number of businesses for a variety of different reasons who don't believe that having a cookie on a website constitutes a sale.
The AG and a number of consumer groups have different views about that
when the cookie can track the consumer across multiple websites that a business does not own.
Now, can you remind us what the reach is of this law?
For example, I'm here in Maryland.
If I'm doing business with a company in California,
or if I've got Californians doing business with me, how much do I need to be concerned about this?
Very concerned, actually, because the statute has extraterritorial reach. In that regard,
we're very similar to the General Data Protection Regulation in the EU. So the rights are bestowed on California residents, meaning that wherever California residents
are, they do have these rights as long as they are dealing with a business.
And the definition of business is in itself very broad for purposes of the statute.
It includes any company that collects personal information
from California residents and does business in California. You don't have to have a physical
presence. And then you need to have one of the following three things to be a business in
addition. Either you have revenues of $25 million or more, or you are collecting personal information of 50,000 or
more California residents, or you are deriving 50% or more of your revenue from the sale of
data of California residents. It doesn't mean that the company has to make that over $25 million in California.
That's just, does the company have revenue over $25 million?
If it does, and it collects personal information in California, it collects personal information of California residents, and it does business in California, it will be a business.
Similarly, collecting personal information from 50,000 or more California residents seems like a lot until you think about it this way.
If you have a website and you have 137 visitors to your website every day from California,
that will have you hitting the collection of personal information mark for purposes of statute.
Our thanks to Dominique Shelton Leipzig for joining us.
There's an extended version of our conversation on CyberWire Pro.
You can check that out on our website, thecyberwire.com.
We're also featuring Dominique Shelton Leipzig on an upcoming episode of our Career Notes
podcast, so be sure to check that out as well.
And joining me once again is Andrea Little Limbago.
She is the Vice President of Research and Analysis at Interos.
It's great to have you back.
I wanted to go on a little journey with you today
and sort of take a real broad global look at where we find
ourselves when it comes to some of the changes that you're tracking and when it comes to the
policy around the world, when it comes to cybersecurity, what do you suppose a good
place to start is? That's a great question because, you know, I feel like we're at a point where
things are starting to move really quickly, which, you know, in the policy space, you don't say that very often.
The way I look at it currently,
and this will paint sort of a broader picture,
there were these trends that were already underway
prior to COVID-19,
and we can address any number of these,
but new movements towards data storage,
less trust towards different countries
and some of their national champions and their software.
Internet blackouts, which we've talked about in the past.
Concerns over privacy, data stealing, all those kind of things.
They were there and starting to become quite worrisome in different areas.
With COVID-19, I feel like so much has been accelerated because of that.
As countries start turning inward, you're starting to see just more tensions are starting to emerge on the geopolitical scene.
And so that has direct repercussions for what's going on as far as the broader range of cybersecurity and cyber risk that's going on.
And so the way I think about it, COVID was almost a perfect storm where you had sort of this fragile system that was emerging. And with such a big shock to that system, it's just become really, really
disruptive. And so that's why you start, you know, we've seen, you know, article after article on
how there's been just, you know, a string of, you know, ransomware attacks and phishing attacks and
so forth, you know, linked to COVID-19 and trying to take advantage of people's, their current states
and the work
from home environment, all that, that's going on. And then at the same time, you know, on the
geopolitical scene, you know, the U.S. and China obviously had, you know, underlying tensions that
were already bubbling up. They had a big trade war and tariff war that was going on. You know,
across almost every issue you can think of, there were different tensions. And those are really just
escalating. And we're seeing that play out in a lot of the restricted entities that are popping up from the
government. And as far as the one big trend that I'm looking at that I think was a little bit below
the surface prior and is really accelerating, I look at the restricted entities because I think
of it almost as similar to the indictments. And if you remember, 2014 was when there were the indictments against five People's Liberation Army
members. And that sort of kicked off what we now see in indictments now for cyber, you know,
espionage, cyber theft, cyber attacks, however you want to frame it. You know, those are fairly
commonplace now. But in 2014, that was a really
big deal because that was the very first time that there were indictments against another country.
And I feel like we're at a sort of a similar tipping point right now with restricted entities
where we're seeing, and it's not just Huawei and ZTE. It's, you know, it's, those were, to me,
like those are almost more of the same as the 2014 PL, you know, the 5PLA, where we're seeing everything from restrictions on software
that include Huawei and ZTE,
but also extend into a broader range of various kinds of tech companies.
I mean, it was just last month, in June,
Pentagon had named 20 different companies with alleged links to PLA.
And that's different than some of the other Department of Commerce,
Bureau of Industry and Security. They've designated entities over 30 in the last few weeks. And you've got
State Department naming some of them. And so you've got this sort of whole of government approach
going on that's naming these restricted entities. And I think it just highlights the growing
distrust between the two countries. And so that's, to me, is just a really interesting way to look at how geopolitics is directly impacting various components of cybersecurity. And it really is through some of the tech and the trusted components that are of both the software and hardware.
Well, and even we see things like what's going on with TikTok, where you have, you know, Australia threatening to ban them, India banning them, and starting to hear people in Congress making suggestions that perhaps banning an app like TikTok would be a good thing to do.
I mean, that's an interesting development.
No, I think it absolutely is.
And the great,
why TikTok is such a good example,
if you actually,
now on the one hand,
I've got children and I think, I just gave this one, to take one off their phone, you know, yesterday.
Well, I'm sure it's already back on because it's, which gets into how much,
how integrated it is into their lives,
especially for Gen Z.
But, you know, India was the first one really to,
you know, to make more of a prominent statement
and ban it.
And I think we can't overlook the timing of that
and that there were the conflict between the troops
between India and China that are still ongoing,
but really took off, you know, a few weeks ago.
You know, it's one of those things that, you know,
in their terms of service, which are, you know,
like almost all of them are, you know,
huge and hard to get through
and no one's really going to read them all.
But, you know, buried within there, basically it does say, we're going to be taking a ridiculous amount of data.
Yeah.
And it is.
I think it'll be interesting
to see what happens with that
and how much people actually care.
And that's where you get into the,
you get the security experts talking about it,
the government worried about it.
It'll be interesting to see whether it's something that does actually pervade throughout society or whether it becomes something where certain corporations don't allow it.
And that's sort of the angle that we're seeing right now.
A couple of different companies have been trying to ban their workforce from using it.
So we'll see which direction it goes or whether the government will step in
and add it to some sort of restricted entity.
Yeah, yeah.
And how do you get it off all those kids' phones?
I know.
Can you imagine?
Exactly.
If you thought Huawei was hard to get off, wait till you're trying your way up TikTok.
Yeah.
During, in the middle of a pandemic.
Exactly.
Good luck with that.
Right.
That's exactly right.
Yeah.
All right.
Well, Andrea Little Limbago, thanks for joining us.
Thank you so much.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.