CyberWire Daily - China hacks at Vietnam over a territorial dispute. Kim’s still in charge, but could Hidden Cobra get loose if his grip slackens? COVID-19 and cybersecurity.

Episode Date: May 1, 2020

Tensions between China and its neighbors. ICS incursions are troubling. The US intelligence community comments on COVID 19 disinformation. The FBI tracks increased cybercrime activity during the pandemic. Johannes Ullrich explains Excel 4 Macro vulnerabilities. Our guest is Tina C. Williams-Koroma, from TCecure on the importance of strong, effective leadership in cybersecurity. And smile for the web-cam. Your boss may be watching. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_01.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Tensions between China and its neighbors. ICS incursions are troubling. The U.S. intelligence community comments on COVID-19 disinformation. The FBI tracks increased cybercrime activity during the pandemic.
Starting point is 00:02:11 Johannes Ullrich explains Excel 4 macro vulnerabilities. Our guest is Tina C. Williams-Koroma from TCecure on the importance of strong, effective leadership in cybersecurity. And smile for that webcam. Your boss may be watching. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 1st, 2020. Tensions between China and its neighbors are finding more expression in cyberspace. As FireEye reported last week, Vietnam is thought to have conducted a recent cyber espionage campaign against Chinese targets, mostly targets that might yield information about the origins and transmission of COVID-19. Now Chinese threat actors are engaged in spear phishing officials in Da Nang.
Starting point is 00:03:03 Anomali sees strong indications that the Pirate Panda group is behind the attacks. Da Nang is a coastal city relatively close to the Paracel Islands, ownership of which is disputed among China, Vietnam, and the Philippines. CyberScoop says that the spear phishing campaign seems linked to the territorial dispute, especially since Da Nang was recently visited by the USS Theodore Roosevelt and the USS Bunker Hill on a diplomatic goodwill mission that took them near the disputed waters. The U.S. regards those waters as international. China says it owns them. While the best available information indicates that Kim Jong-un is still running North Korea and isn't under any serious immediate challenge,
Starting point is 00:03:47 the recent scare about his health and the realization that the DPRK's succession plans are vague at best have led the Atlantic Council to warn that North Korean offensive cyber capabilities could become a loose cannon in the event of a leadership crisis in Pyongyang. The attacks on Israeli water and wastewater treatment facilities were conducted by hackers who knew how to affect programmable logic controllers, SecurityWeek reports. The CBC says the Royal Canadian Mounted Police are investigating a ransomware attack against the Northwest Territories Power Corporation's website and email services. Both incidents are troubling.
Starting point is 00:04:25 The Israeli incident appears to have been, possibly, a direct attack against industrial control systems. The Canadian incident, while still troublesome, looks like a more conventional ransomware attack on business systems. How and where the coronavirus strain that's come to be known as COVID-19 emerged has been the subject of a great deal of misinformation and disinformation. It seems beyond serious dispute that the virus emerged in China and, although consensus here is strong, that it jumped to humans from bats.
Starting point is 00:04:57 The U.S. intelligence community has been investigating COVID-19's origins, and the Office of the Director of National Intelligence has released its initial findings. The statement in brief, and we quote it in full, quote, the entire intelligence community has been consistently providing critical support to U.S. policymakers and those responding to the COVID-19 virus which originated in China. The intelligence community also concurs with the wide scientific consensus that the COVID-19 virus was not man-made or genetically modified. As we do in all crises, the community's experts respond by surging resources and producing critical intelligence on issues vital to U.S.
Starting point is 00:05:38 national security. The IC will continue to rigorously examine emerging information and intelligence to determine whether the outbreak began through contact with infected animals. There had been disinformation from China that the virus was an American biowar program gone rogue, and from fringe conspiracy speculators, largely but not exclusively in the U.S., that it was deliberately engineered by China in a Wuhan lab. The least credible version of the conspiracy theory was that the virus was a weapon the Chinese lost control of. The more credible version was that the virus emerged in its lethal form when some gain-of-function research in Wuhan was bungled and the virus was accidentally released. There is a major biological laboratory in Wuhan,
Starting point is 00:06:29 and the U.S. intelligence community continues to investigate whether there may have been an accident in a research program there, but the ODNI's statement categorically rules out both deliberate weaponization and risky genetic engineering. So the remaining options seem to be either a lab accident or, more probably, zoonotic disease that made the jump from bats to humans. Foreign Policy reports signs that Russian influence operations under preparation for the upcoming European and U.S. elections will prominently feature COVID-19 disinformation. Some of that disinformation will represent low-hanging fruit.
Starting point is 00:07:06 If people fear coming into a public polling place to vote, exaggerating and playing to such fear will have the effect of undermining the electorate's willingness to participate. According to SecurityWeek, the European Union yesterday issued a condemnation of cyberattacks mounted against hospitals and other organizations engaged in fighting the COVID-19 pandemic. The EU didn't name names, and much of the hacking is surely criminal and not under state direction. But some of the malicious activity probably is
Starting point is 00:07:36 state-directed, notably attacks on Czech health care facilities, which Czech authorities and public opinion increasingly ascribe to Russian intelligence services. The U.S. Federal Bureau of Investigation says that reported cases of cybercrime have risen dramatically during the pandemic. How dramatically? The FBI's Internet Crime Complaint Center normally receives about 1,000 complaints a day. The IC3 is now logging two to three times that number, CyberArk observes. A report by Kaspersky concludes that remote desktop protocol brute forcing has increased tremendously. Quote, the lockdown has seen the appearance of a great many computers and servers
Starting point is 00:08:17 able to be connected remotely. Right now, we are witnessing an increase in cyber criminal activity with a view to exploiting the situation to attack corporate resources that have now been made available, sometimes in a hurry, to remote workers. End quote. And finally, how do you keep workers on task while they're working remotely? And how hard do you even need to try? Granted that telework is not the same as phoning it in, but it does seem that some organizations are taking very intrusive steps to ensure that employees stay on task. The Washington Post writes, quote,
Starting point is 00:08:52 Thousands of companies now use monitoring software to record employees' web browsing and active work hours, dispatching the kind of tools built for corporate offices into workers' phones, computers, and homes. But they have also sought to watch over the workers themselves, mandating always-on webcam rules, scheduling thrice-daily check-ins, and inundating workers with not-so-optional company happy hours, game nights, and lunchtime chats. End quote.
Starting point is 00:09:21 Some of these seem fine. Well-intentioned morale boosters like happy hours and game nights seem innocent enough, and entirely innocent if they're truly voluntary and non-coercive. The keyloggers and always-on webcams, however, seem to be another matter entirely. But even the innocent measures by which companies stay connected trouble some, who see them as further blurring the lines between home and work, between free time and the time you spend on the clock. And eventually, close surveillance may become a net negative. We're fortunate at the CyberWire in that our work is the kind that doesn't seem to tempt anyone to keep very close tabs on us. If the stories are filed and accurate, well, the suits are good to
Starting point is 00:10:02 go, and all of us have been enjoying the virtual happy hours, which are voluntary. But there may be kinds of work where some form of monitoring seems necessary. Are you, for example, working under a time and materials contract? Then managers might become a bit antsy over whether time was actually being entered honestly. Still, it seems there ought to be a solution that stops short of the kind of Benthamite panopticon the Post describes, and we hesitate to even speculate about the workload involved in actually checking all those webcams and keylogs. Management by walking around is fine, but management by online lurking? Well, that's another kettle of fish. Besides, do we all need another reminder
Starting point is 00:10:46 of how toxic the data we collect can prove to be? Join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now?
Starting point is 00:11:35 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:12 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365
Starting point is 00:13:06 with Black Cloak. Learn more at blackcloak.io. My guest today is Tina C. Williams-Koroma. She's owner and president of TCecure, a cybersecurity services company based in Baltimore. Our conversation centers on her approach to leadership in cybersecurity and why the human side is so important. I think one of the first things I bring up is just being clear on whether it's a services company or more of a product solution company, because how you start and what you need to start, I think, can be a little bit different. So with a services company, the upside is that, you know, I think it's easier to get started, less capital required up front, typically, with a services-oriented business.
Starting point is 00:13:56 Depends on the specific type of service, but from a general rule of thumb, it is. You can have clients and be revenue generating, I think, a lot quicker than if it's a product or a solution that takes some R&D type of time and building a prototype and things like that. So likewise and similarly, it's also, you know, whether they want a consultant type of company where it's just them as an individual type of contributor or if they're trying to build, you know, a larger entity where they would have employees and things like that. So across the board, it's just making sure that there's enough capital or money there, you know, to get the business started and to make payroll, even if it's just you. A lot of times clients pay a lot slower, right? You have to think of what the cycle is like. It's making sure they're understanding the difference between how you get income when you're a business owner versus being an employee where there's this dedicated check that arrives,
Starting point is 00:15:00 you know, every, you know, two weeks or semi-monthly or whatever the schedule is. So I think that that's one of the biggest things that I say that might catch people by surprise. Just because you did work, you know, one day doesn't mean you're suddenly going to have your money two weeks later the way that you might in an employee type of capacity or realm. Yeah, it's funny. You know, back when I had my own company as well, I remember we used to joke that one of the perceptions that people often have who don't run their own companies is they think at every company, there's a room in the back that's full of money.
Starting point is 00:15:42 Exactly. Exactly. Yeah. Yeah. It's, you know, it's like, oh, you have your of money. Exactly. Exactly. Yeah, yeah. It's like, oh, you have your own company. Oh, you're your own boss. Man, how great. You know, it's like, tell me what you think that means. Set your own hours.
Starting point is 00:15:56 Right, right. Right. It's awesome. I get to choose which of the 80 hours per week I work. It's just, it's great. Exactly. Exactly. Yeah. Yeah. Yeah. Let me ask you this. In particular, when you're speaking to women who are on that entrepreneurial path, are there specific messages that you share with them?
Starting point is 00:16:18 Yeah. I think one of the biggest things that I share with women is just really the importance for confidence and just knowing that you know what you know and you belong where you are. You know, I think that that's just really important because in a lot of cases, especially in a technology context, but in business ownership in general. You know, I recently just became aware that it was even more recent than I thought, you know, for women being able to get like business loans on their own without having a male relative have to sign for them. You know, that's as recent as 1988. That is squarely within my, you know, generation. Like I was already born in here, you know? And so with that being so recent, it's, you know, I think some people may take it for granted the role and presence that women have in business and in entrepreneurship in particular. So I think that that confidence and just, you know, knowing that as a woman, you know, you're here, you know what you know,
Starting point is 00:17:26 be confident in that and carry that with you. Because I think confidence really goes a long way in terms of how we pursue financing, how we pursue our ideas, the risks that we take, et cetera. So I think that that's one of the biggest things. And I've had different encounters in my career being asked, like, why are you in the room? And it's just like, oh boy. Right. Do you mind taking notes? Right. Right. Exactly. It's like, no. So yeah, I think that that's one of the biggest things is just the confidence. I think everything else, you know, stems from there. They've received a certain, you know, education.
Starting point is 00:18:10 They have a certain training. They certainly have the ideas, the innovation, you know, kind of mentality, the creativity. And just with that confidence, you know, it makes sure they're asking questions. Like, you know, don't be afraid to ask questions thinking that it's going to, you know, make you look less competent. You know, that that can only serve as a disservice. Right. To them. Be confident in what you know and be confident enough to ask the questions and say, OK, tell me more about that. That's Tina C. Williams-Koroma from TCecure. a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:19:13 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he's also the host of the ISC Stormcast podcast. Johannes, it's always great to have you back. We want to touch today about an oldie but a goodie. We're talking about some Excel macros here. What are you guys tracking when it comes to this? Probably the number one way how organizations are being compromised these days is the email with the Office document as an attachment that includes a macro. Now, these macros are typically written in Visual Basic. That's sort of the modern, current way how you are writing macros. We had an interesting story here from
Starting point is 00:20:13 one of our Internet Storm Center handlers. One of his users actually asked for a document to be released from quarantine. The document was flagged as suspicious, and the user says, hey, I know that person sent it to me, it was something I was waiting for. Well, so I think it was Xavier who looked at it closer, and initially he didn't find any problems with that document. So it passed all the tests, like it didn't have any Visual Basic macros in there, but it still looked suspicious to him. It's one of these where your spidey senses are kind of tingling. And what he then found was that this particular document used an Excel 4 macro.
Starting point is 00:20:56 Excel 4, you know, I don't know how old it is. Pretty old. But it's one of those things. These old things never go away. So yes, there was indeed an Excel 4 macro. And since he found this, he sort of started, of course, looking for it and found many, many more examples. Wow. So this is a case of, I guess, that backwards compatibility that is sort of out of sight, out of mind, could come back and bite you.
Starting point is 00:21:25 Yes, and we had this before with Office documents. Not sure if you remember the VelvetSweatshop password in some Word documents. It was another example here. With these macros, there are a couple other little tricks that are being played. Like in Excel, you can hide a worksheet. That's nothing really special. You just right-click and hide it. But it turns out that in the Excel file format, the hidden parameter actually has three values: it's either visible, it's hidden, and then they have a very hidden value.
Starting point is 00:21:59 Very hidden actually means that this particular macro cannot be unhidden just by clicking on it. So lots of these little tricks that the bad guys use to make it more difficult to really detect these malicious documents. Yeah, I'm always left scratching my head because, and I suppose it is a reality that there are plenty of people out there who need to enable macros. But I wonder, who are these people? Because it's not something that, in my own experience, I've found to be so.
Starting point is 00:22:34 Well, there are a lot of sort of enterprise Excel or office artists, I call them, that come up with fairly complex spreadsheets and such that use these macros to even pull in values from APIs and such. So, yes, they exist. And that's really the hard part here for these security guys to filter out the right macros. Like in this case, the user actually expected a document like this. And that makes it really difficult. In particular, if you're talking about more targeted attacks or these business email compromises where an attacker already has insight into some of the emails being exchanged,
Starting point is 00:23:17 then you can figure out who is the guy sending those weird macros and maybe add even code to it. Yeah. Well, and how interesting, too, that in this case, just, you know, somebody had a notion. It's something just didn't feel right. And that ended up exposing the problem.
Starting point is 00:23:37 And that's really, you know, what usually matters is sort of that experience. What are you knowing? What a document is supposed to look like? It's a lot of it is just experience and figuring out what's good, what's bad. Yeah. I guess that's the part they're trying to do with artificial intelligence. They have to clone Xavier here to make that work.
Starting point is 00:23:56 Right, right. Just get him to sign off on that. That won't be a problem. Yeah, yeah. All right. Johannes Elric, thanks for joining us. Thank you. And that's the Cyber Wire.
Starting point is 00:24:19 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:25:19 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
