CyberWire Daily - Coronavirus misinformation, phishbait, and disinformation. Ransomware’s growing reach. How criminals’ desire for glory works against their desire to escape apprehension.
Episode Date: March 9, 2020
Coronavirus misinformation, coronavirus online scams, and coronavirus disinformation. Ransomware hits a steel plant, local government, and a defense contractor. And how criminals’ desire for glory betrays them in social media. Zulfikar Ramzan from RSA Security with three product updates, guest is Robert Waitman from Cisco on their Annual Data Privacy Benchmark study. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_09.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Coronavirus misinformation, coronavirus online scams, and coronavirus disinformation,
ransomware hits a steel plant, local government, and a defense contractor,
and how criminals' desire for glory betrays them in social media.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, March 9th, 2020.
A great deal of coronavirus misinformation continues to circulate, including descriptions of bogus cures, paranoid descriptions of secret laboratories, and oddball accounts of government conspiracies.
Much, and probably most of this, is spontaneously generated by Internet users,
and the New York Times reports that some of the larger platforms like Facebook and Twitter are at a loss as to how they might seek to control baseless and potentially harmful rumors.
Some of those rumors are old folk wisdom.
They resurface whenever there's an epidemic.
You'll see, for example, stories that garlic or vitamin C
or drinking lots of water will cure the virus.
No, they may be good things to do, but they're just folklore.
Other folk remedies, like the one that says it's a good idea to take a bath in bleach,
well, those are just bad ideas on any level, so don't do them.
At any rate, such folk remedies always gurgle up in such times, so don't believe them.
But some of the misinformation is deliberate, as online scammers use coronavirus stories as
phishbait. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure
Security Agency, CISA, offers common-sense advice on how to avoid swallowing it. A lot of the
phishbait is taking the form of appeals to donate to charities,
offers of cures or preventative measures that can be had for the low, low price of,
well, handing over your credit card number.
For a nice bit of that good, reliable, common-sense advice,
go online to us-cert.gov slash ncas and search COVID-19.
You'll get the straight skinny and won't be taken advantage of.
And some of that misinformation is, alas, state-driven disinformation.
And this, we hasten to add, isn't among the oddball conspiracy theories,
like the ones that say coronavirus was produced in some top-secret government lab,
or that it's the work of space aliens, and so on.
The U.S. State Department warned late last week, according to the Washington Post, that the familiar apparatus of Russian
trolling has been at work pushing coronavirus scare stories. The goal of the information
operation is, as usual, disruption and chaos, confusion to the enemy, that enemy being,
unfortunately, Mr. and Ms. United States, and civil societies
in other countries that aren't necessarily reliably aligned with Russian interest.
Lea Gabrielle, coordinator of the State Department's Global Engagement Center,
an organization charged with counteracting disinformation, told Congress last week that
threat actors tied to Russia were working through what she called state proxy websites,
as well as official state-owned media and inauthentic online accounts, forming a coordinated effort to take advantage of a health crisis where people are terrified worldwide to try to advance
their priorities. Moscow's general objective, she said, is to weaken its adversaries by manipulating
the information environment in nefarious ways, by polarizing political conversations and attempting to destroy the public's faith in good governance, independent media, and democratic principles.
End quote.
That goal should be familiar from earlier discussions of election influence operations.
Cisco recently released their annual Data Privacy Benchmark Study.
Here to share the results is Robert Waitman, Cisco's Director of Data Privacy.
Yes, we were very excited to be able to finally put a number on the overall return on privacy.
We had looked for a couple of years at some of the areas of benefit,
like having shorter sales delays associated with privacy investment,
which means you can answer customers' questions
more quickly and be able to streamline your sales process.
We found some security benefits that those organizations that had invested in privacy
were seeing fewer and less costly breaches when they evaluated over time, and we could
correlate that data.
And what we've done this year is to take not only those results and be able to validate
them, but also to put an overall umbrella on the value of these privacy investments. And the net takeaway
is that for the average organization, spending $100 translates into $270 of business benefit.
And that is a very good investment for most organizations to make, to get that kind of
return. And again, we're encouraging people to think hard about not
just doing the minimum required, but doing those kinds of investments, which build the kind of
trust with customers, which again, return those business values to you.
What sorts of things are you tracking in terms of awareness? Is word getting out or are people buying into this notion that privacy is a good investment?
Well, organizations are certainly
paying attention to the regulations. GDPR, which came into place a year and a half ago,
caused organizations around the world, and not just those in Europe, this really was a worldwide
effort to get ready for and be compliant with the requirements of GDPR. In fact, we found in a study
last year that 97% of organizations around
the world were either ready for or getting ready for GDPR. We found that again this year.
So if it was my responsibility to report findings like this to my board of directors,
what sort of message should I take into the boardroom?
Well, I think you'd say that, you know, number one, we're doing what we have to
and complying with the law. Everybody wants to hear that. But also that we're making the kind of investments that support what our customers are looking for,
that we are building trust and loyalty with our constituencies.
And that's important both internally, let's say with our employees,
and improving our own internal operations, which there's a lot of business value for doing that,
but also with improving the relationships with our customers,
that we are helping keep their data safe, that they can trust that we are doing the right things, that we are
being open and transparent about how their data is being used, and therefore building the trust
and loyalty.
Was there anything that came out of the data you collected that was particularly surprising? Anything that was unexpected?
Well, I think this issue of around certifications
and surprises in a very positive way. We've talked about the huge increase in organizations
recognizing their own benefits. I think the thing that would highlight here, this is,
you know, while it's somewhat similar to what we've seen before, again, it's strong validation
and the message that we want people to get is those investments beyond the minimum requirement
are translating into benefits outside of what you'd expect normally just in terms of privacy.
And one of those areas, in fact, was security.
So, you know, noticing that organizations that were more than just the minimum, that
were more mature when it comes to privacy and privacy accountability, were seeing true
benefits in terms of those security outcomes.
So those that were higher on that scale were much less likely to have been breached last
year. So this idea that you are prepared, that your data house is in order and you've minimized
what you have and protected what you need to keep is something that's translating into strong
security benefits. I think that's a strong message and it's one that wouldn't be obvious of saying,
if I'm working on privacy, how is that really helping me on the security front? But not only
are we seeing that in the data, but organizations are saying that they believe that to be true as well.
And I think that's an important insight for people to think in somewhat of a counterintuitive way.
That's Robert Waitman from Cisco.
Ransomware continues to surge with greater virulence and rapacity. For a look at what it can do to an organization, see the Regina Leader-Post account of a shutdown
Ryuk ransomware induced at Evraz Regina, a major steel mill in Saskatchewan, Canada.
The steelworkers at Evraz Regina are looking at work stoppage, a temporary furlough that
is thought likely to last around two weeks as the company recovers from its Ryuk infestation,
according to local news station CKRM.
Local governments continue to suffer from Ryuk as well.
The city and county of Durham, North Carolina were hit over the weekend, BleepingComputer reports.
In this case, the infection began when a city worker clicked on a link in a phishing email,
and the infestation spread from there.
Municipal governments in North America and elsewhere
have been favorite targets of phishing attacks designed to spread ransomware.
Local radio station WRAL reported that the city and county governments
disclosed the attack yesterday.
It came to their attention Friday.
It's not just industrial plants or municipal governments either.
TechCrunch reports that U.S. defense contractor Communications and
Power Industries paid extortionists half a million dollars in ransom back in January.
The particular strain of ransomware is unknown. With ransomware becoming increasingly aggressive
and now routinely engaged in data theft before it encrypts files, a piece in Forbes offers advice.
First, have a plan for responding to ransomware attacks
that include steps to restore normal operations as soon as possible.
Second, regularly backup data in a way that minimizes the backup's exposure.
Attackers are increasingly trying to hit backups as well
to make their extortion more compelling.
And third, deploy systems that can detect and contain hostile activity
in organizational networks as early as possible.
And finally, how do police catch criminals?
Is it through patient detective work aided by the forensic razzle-dazzle of crime scene investigators?
Sure. Sometimes.
But as often as not, nowadays it's because criminals talk about their crimes quite openly in social media accounts
that are accessible to the world at large, Quartz reports. They're betrayed by the libido ostentandi,
the irresistible desire to show off just like everyone else. Examples? Posting pictures of
yourself wearing the same clothes you had on when the security camera caught you. Smile? Knocking
off that convenience store, posing with the swag you
took in a burglary, things like that. Two separate but equally important groups who represent the
people in the criminal justice system, the police who investigate crimes, and the district attorneys
who prosecute the offenders, are paying attention to what the masterminds put in their social media
feeds. Not in the Quartz article, but a particular favorite that's achieved local
legend status around Baltimore is the possibly apocryphal tale of the drug dealer who wanted
to imitate beloved Disney cartoon character Scrooge McDuck, who, as viewers of cartoons
and readers of old comic books will know, is wont to celebrate his wealth by diving into a pile of
coins he stores in Uncle Scrooge's money bin. So, said criminal mastermind converted his ill-gotten holdings into U.S. coins,
dimes and quarters mostly,
filled a room in his den with them,
and videoed himself diving into the coins.
A dollar ninety-five!
He fractured his neck, and we hope he made a full recovery while in custody.
We're pretty sure it's a good story,
because one of our guys heard it a
few years ago on Morning Drive Time Radio, which if you can't trust, then who the heck can you trust
in this sad old world?
Joining me once again is Zulfikar Ramzan, Chief Technology Officer at RSA Security.
Zuli and I sat down at the RSA conference.
Well, it's great to have you back.
And as we sit here, 2020 RSA is winding down.
It is just about in the books.
What's been your take?
How was the show this year?
You know, it has been phenomenal.
I mean, we were certainly concerned about all the news leading up to the show with things like coronavirus and whether that would detract from people being able to attend.
But the energy levels seem to be phenomenal. I think people are continuing to be passionate about this industry. We're seeing just continued interest. And I think that's a good sign for our
times in terms of the challenges we have to deal with.
What sort of trends are you all tracking in terms of the number of people setting up on the show floor,
the conversations they're having, the scale of what's going on?
It's just amazing to see how many different vendors are here.
We're capped by the number of spaces we have available,
not by anything else.
When we limit the number of vendors, it's not because we can't get more.
It's because we literally can't fit more
and make it useful.
I really saw this firsthand a few years ago.
I was in the W Hotel.
If you go to the W Hotel,
there's this bar area where you enter.
There's a bunch of lounges
and different sets of couches
where people can hang out.
There was a startup company
that got to that lounge area early
and they set up a booth
in a corner of the bar at the W Hotel.
They had a folding table, they had collaterals,
they had the whole nine yards.
And that was like a moment of like, wow,
just how important it is for companies to be at RSA Conference
to show their presence in this industry.
And it was a sign of the times.
And I think we've only seen that continue to grow.
What about overall themes, the trends that you're tracking,
the messaging that the folks out there are putting out
in terms of what are the priorities this year?
Yes, I mean, if I took it from a customer lens
versus a vendor lens, when I talked to our customers this week,
I would say a few key trends were popping up.
The first key trend was around digital transformation.
So I think everyone
is looking to embrace some form of technology to move their business forward, whether it's cloud,
maybe they're less mature and they want to embrace cloud. If they already are doing stuff with cloud,
they're thinking about maybe microservices or cloud native stacks and so on and so forth.
I think with each of these new technology elements, they have to think about what it
means from a security perspective. So that's kind of priority number one.
Priority number two for them is really around that sort of vendor rationalization and consolidation.
So a lot of our customers are saying, you know, we have way too many vendors.
Each of them can do 10 different things.
And I'm trying to find out, do I need all these different vendors?
You know, are there situations where, you know, these three vendors can give me the
same benefits as these other six or seven?
And so they're looking for opportunities in that realm of rationalization, just because it's impossible to manage all these different tools and do something useful with them.
And then I think the final big trend that we're seeing, we're really starting to see,
is I think a shift back to our roots in the industry to focus on business problems versus
on cool, shiny technologies. And if I had to kind of articulate, if you've looked at what's happened in the last few years,
10 years ago in cybersecurity,
people marketed the business problem they were solving.
You had antivirus to address viruses
and anti-malware technology to find malware.
And you had IPS and so on and so forth.
But then we saw kind of a shift in the market
where all of a sudden,
some of the newer vendors are popping up and saying,
we do AI-powered this or data science-powered that.
And to me that was kind of a shift in the wrong direction
because it focuses on the how versus the why.
Let's swing back and wrap up
talking about the conference again.
For you, what are the types of things
you like to take away from a show like this?
For your own enrichment, the things you want to,
when you go back and you reflect on the things you've learned here,
what sort of insights do you take home with you?
I really focus a lot on customer conversations.
I want to understand what's going on in the mind.
Ultimately, we build all these technologies.
We're not just building them for their own sake.
We want people to be able to deploy them successfully.
We want to make sure they're able to gain value out of them.
So it's really critical for me to see
what our customers are thinking about,
whether or not there are particular problem areas
that we haven't yet solved for them
or that are going to be coming down the pike.
Obviously my role as CTO, I've got to think a bit ahead
in terms of where we want to go.
So I spend a lot of my energy identifying
perhaps even problems that customers have
but don't even know that they have yet.
And that's kind of my main takeaway every year from the show
is identifying those areas.
And that's an amalgamation of customer conversations,
going out on the show floor,
looking at what some of the early stage companies are doing.
The innovation sandbox is a great source of information there.
We have the executive security action forum on Monday
where we have all these top CISOs
and security executives who get together.
And to me, the amazing thing about the conference
is there's so much going on.
It's like you're at a massive buffet table
or you've got 50 buffet tables.
And I like to be the hungry kid at that buffet table
and learn as much as I can during this week.
Yeah, it strikes me that despite how connected we are online
and the massive amounts of information
we can exchange that way, there is still nothing
like being able to get together with friends and colleagues and people you've known for years and
all those side conversations that happen that are such an important part of this business that we're
in.
Absolutely. And this is the whole purpose of the conference. It's where the industry comes
together.
Yeah. Yeah. All right. Well, Zuli, great seeing you. Thanks for joining
us.
Oh, what a pleasure. I love being on the show, Dave. Huge fan. Thank you.
Hey, thank you.
That's Zulfikar Ramzan from RSA Security.
The Cyber Wire rest of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you
informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Vilecki, Thanks for listening.
We'll see you back here tomorrow.