CyberWire Daily - Coronavirus phishing. Money mule recruiting. Remote work and behavioral baselining. HHS incident seems to have been...an incident. Advice from NIST, and from Dame Vera Lynn.

Episode Date: March 18, 2020

More coronavirus phishing expeditions. Don’t let idleness or desperation lead you into a money-mule scam. How do behavioral expectations change during periods of remote work? The Health and Human Services incident appears to be just that. NIST has some advice for video-conferencing and virtual meetings. And an exhortation to return to the Blitz spirit. Joe Carrigan from JHU ISI on limitations of two-factor authenticator mobile apps, guest is Johnnie Konstantas from Oracle on cloud misconfigurations and shared responsibility in the public cloud. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_18.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 More coronavirus phishing expeditions. Don't let idleness or desperation lead you into a money mule scam. How do behavioral expectations change during periods of remote work? The Health and Human Services incident appears to be just that.
Starting point is 00:02:11 NIST has some advice for video conferencing and virtual meetings. And an exhortation to return to the Blitz spirit. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 18, 2020. As security companies continue to watch the cyber underworld, they're seeing the expected spike in coronavirus-themed scams, phish bait, and general online bottom feeding. Malwarebytes reported this morning on the latest criminal phishing expedition.
Starting point is 00:02:53 This one is baited with an offer of an e-book from the World Health Organization. Inside this e-book, My Health, write the skids in their email, you shall find out the complete research and origin of coronavirus and the recommended guide to follow to protect yourself and others. Enough to get you to click, but wait, there's more. This guidance provides critical considerations and practical checklists to keep kids and business centers safe. So do it for the children, of course, and for business center. It's not a badly spelled email, but capitalization and usage are off enough that the wary recipient need look no further before bonging these bozos to the spam list. Another underworld development that preys on the economic hardship occurring in tandem with telecommuting
Starting point is 00:03:37 is an increase in the number of people being recruited as money mules, Krebs on Security reports. One of the larger operations Krebs describes, the Vasty Healthcare Foundation, strikes a high-minded tone about connecting causes and providers, tells prospective mules they're hired, assigns busy work, and then has them process donations, that is, launder money. The busy work is a particularly nasty ploy. It weeds out lazy and unreliable slackers, for one thing, and so plays on the diligent and trusting.
Starting point is 00:04:13 But as we think about these scams, let's follow the wise advice of an op-ed by Dr. Salvatore Stolfo, founder and CTO of Allure Security that Dark Reading ran yesterday. Dr. Stolfo's thinking about tax season scams, but it's good advice in any case. Let's save our contempt for the criminals and spare the victims, especially when they're motivated by trust or fear. If it's crook-on-crook crime, red-on-red, then fine. It's in the interest of civilized people that both sides lose.
Starting point is 00:04:44 But the ordinary Jane or Joe who falls for a scam? Give them some help and some understanding. The pandemic-driven surge in remote work has a side effect that many of us might overlook. Many of the norms that inform behavioral anomaly detection may need re-evaluation and revision. Duo Security's Decipher blog points out that people will work at unusual times and from unusual places, and they may fumble VPN access or unfamiliar multi-factor authentication to such an extent that multiple login attempts will no longer indicate that some form of credential stuffing or brute force attack is in progress. Evelyn from HR logging in from Chicken Gizzard Ridge or Bluelick.
Starting point is 00:05:29 Remote work. Fran from IT working at 4 a.m. Needs to fit work from home around distractions of home. Remote work. The gang from sales engineering all in the office. Well, it may not be remote work, but they can't be on the road anymore. All those conferences have been canceled. Anyway, if you do use behavioral analytics in your security program, it might be a good time to talk to your vendor about whether and how your baselines might need
Starting point is 00:05:57 to be redrawn. Some such anomaly may be behind the Iranian attack that wasn't this past weekend. The consensus about the incident the U.S. Department of Health and Human Services experienced Sunday and Monday is now relatively firm. It probably wasn't an attack at all. And clearly the department's operations didn't suffer. Some think it might not even have amounted to a probe or a preliminary distributed denial of service attack. to a probe or a preliminary distributed denial of service attack. It might have been an unusually large number of visitors looking for reliable information on COVID-19 or even an artifact of the department's Drupal instance. The episode should indicate, as we've seen so often in the past, the difficulties of
Starting point is 00:06:39 attribution. It's often difficult to tell whether an incident is an attack at all, or simply a malfunction, or even just routine functioning that's a bit out of the ordinary. So what should you be thinking about in these challenging times? The U.S. National Institute of Standards and Technology, known as NIST, has some advice on how to conduct online meetings securely. The challenge, of course, is keeping out eavesdroppers. First of all, follow your organization's policies for virtual meeting security.
Starting point is 00:07:10 You do have policies, right? Avoid reusing access codes. As NIST points out, if you've used the same code for a while, you've probably shared it with more people than you can imagine or recall. Sensitive discussions call for one-time pins or meeting codes and also for multi-factor authentication. Don't let the meeting start until the host joins. Enable notification when someone joins, play a tone, or speak a name. In any case, have new attendees announce themselves and use a dashboard to monitor attendees. Think twice about recording the meeting.
Starting point is 00:07:43 If it's not necessary, then don't. If it's a web meeting with video, then disable features you don't need, like chat or file sharing. And before someone shares their screen, remind them not to inadvertently put up any sensitive information. We are all experiencing useful reminders of our public responsibilities to each other these days. And if you'll forgive me an awkward transition, there are those in cybersecurity who remind us of our shared responsibilities in the public cloud, especially given the prevalence of cloud misconfigurations. Johnny Constantis is among those spreading the good word.
Starting point is 00:08:22 She's Senior Director of Security Product Management at Oracle, and I sat down with her at the RSA conference. Yeah, I mean, I think the big word of the hour is misconfiguration, right? So I think where we stand is we have a lot of security tools. I mean, a show like this is evidence of that, right? And clearly a lot of innovation is happening in security, especially for cloud. And clearly a lot of innovation is happening in security, especially for cloud.
Starting point is 00:08:54 But we're still in a state where the losses associated with data are mounting. And the biggest culprit here is really not a lack of tools, but tools that don't really automate risk reduction. Can you walk me through, help me understand, because obviously no one sets out to have an insecure bucket in the cloud. So what is the typical way that someone finds themselves inadvertently in this situation? Sure. If you consider one of the recent breaches that had credit card applications, right? That configuration is likely very common to a lot of cloud customers. So you have some object stores. They contain various kinds of unstructured data. So spreadsheets, documents, photos, what have you.
Starting point is 00:09:41 And you might have an object store that contains database backup. So databases are its own entity or instance, but it is very common to take a database and back it up into an object store. Now, object stores by their very nature in the cloud are meant to be easily accessible because accessing that unstructured data obviously is very common. accessing that unstructured data obviously is very common. What happens is those buckets, whoever sort of set it up, thought, well, this is a database that contains sensitive information. I'm going to make it private.
Starting point is 00:10:17 Months pass and someone says, you know, that database backup, we're going to run some analytics. So it would really be great to sort of get access to that backup. And so they flip it open. It should probably only be kept open for, I don't know, the hour or so. Mere moments. Mere moments. And there it stays. And so what that all is called is configurations drift.
Starting point is 00:10:38 So you start off with a security posture that is quite good. You've applied best practices. But over time, things get opened up for one reason or another, and they're never flipped back to their proper state. How do you see the standards, the expectations for these sorts of things evolving over the next year or so? The sorts of things that you're offering, do you expect by necessity these are going to be the expected standard from cloud providers, these types of security measures?
Starting point is 00:11:10 Definitely. You know, we ran a survey last year at Oracle with KPMG and customers were all in on cloud. They even believed that it was more secure than their premises environment, which didn't have the benefit of newer technologies and homogeneous architecture. But what they were very confused about was shared responsibility. The shared responsibility model, where do you draw the line? It's mine. This is what I take care of from a security perspective. This is what you take care of. What we're saying is, yes, of course, there will always be the need for some diagram that shows what controls you as a customer actually get. But it has to be easier. It has to be automated. That's Johnny Constantis from Oracle. NIST has been busy this week. They're not only
Starting point is 00:11:54 posting advice about the security of virtual meetings, but they've also issued a revised draft of Draft Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. It is an important document, and this is their first revision in seven years. NIST is happy to accept comments through May 15th. What better way to spend a period of more or less enforced leisure, if you're among those who find themselves in that position, than to snuggle up with SP 800-53 and then lay some of your knowledge on NIST. They'll thank you for it, and you'll deserve well of the Republic.
Starting point is 00:12:33 And finally, an outage described as a technical issue, not an attack, has disrupted voice service in four British mobile carriers, O2, 3, Vodafone, and EE, British mobile carriers, O2, 3, Vodafone, and EE, inconveniencing many who are depending on voice service for their COVID-19-driven remote work, the Telegraph reports. The carriers are recovering. We wish everyone in the UK well, and if we may, a return to what The Force's sweetheart, singer Vera Lynn, now a vigorous 102 years old, this week called The Blitz Spirit. Keep calm and keep on, and here's some Dame Vera to put you in the right frame of mind. There'll be bluebirds over the white cliffs of Dover
Starting point is 00:13:25 Tomorrow Just you wait and see Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:14:15 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:14:56 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1 thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:15:40 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And now, a word from our sponsor, Looking Glass Cyber. Organizations have been playing a dangerous game of cyberjenga, stacking disparate security tools, point solutions, and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's micro-segmented, borderless, and distributed networks. stack can't hold up in today's micro-segmented, borderless, and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network
Starting point is 00:16:31 ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs. With one integrated software solution requiring no specialty hardware, meet the AONIC security fabric. Learn more at lookingglasscyber.com. That's LookingGlassCyber.com. And we thank Looking Glass Cyber for sponsoring our show. And joining me once again is Joe Kerrigan.
Starting point is 00:17:17 He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. You and I regularly discuss this notion that two-factor authentication is a good thing. It is. And one thing we've noticed is that two-factor has gotten a lot easier thanks to apps on mobile devices that allow you to have that two-factor happen in a sort of frictionless way on your mobile device. Recently at the RSA conference, there were a couple of researchers who were presenting on this topic, and they said, not so fast.
Starting point is 00:17:54 Right. These researchers are Aaron Turner and Georgia Weidman. They emphasize that these authenticator apps like Google Authenticator, or there's a Microsoft version, there's other third-party ones out there, they're better than the SMS two-factor, but they're only as secure as the phones they're running on, right? So if you're running an older phone that has malware on it, you're making yourself vulnerable to an attacker who may be able to get your two-factor authentication that way. Now, they'd have to target you specifically, and they'd have to know which phone was yours, but if they had the malware, they could do it. How far back are we talking about here?
Starting point is 00:18:32 That's a good point, Dave. This talks a lot about older systems. One of the things they say is you do not want any of the risks associated with the 32-bit iOS from Apple. And when you're talking about Android devices, they said use the Pixel devices, or if you can't get a Pixel device, an Android One device. Now, Android One, we've talked about this before. That's the Google program for essentially bare Android. You get the Android
Starting point is 00:18:57 security updates just like the Pixels do, and they're a more affordable line of Android phones. You know, I think this brings up another good point, which is I think for a lot of people, there's this notion that these devices are expensive. My mobile device is working fine for me. It ain't broke. Why fix it? Why fix it?
Starting point is 00:19:17 And that's also a good point. I empathize a lot with that point. You know, I paid a lot of money for my Google Pixel 3 that I have sitting right here, and I'm not looking forward to replacing it. And I'm sure you feel the same way with your iPhones. But eventually, they will stop, Apple and Google and everybody will stop supporting these older phones because they have become end-of-life. And we as consumers have to understand that when we're buying a phone, it is going to be end-of-life at some point in time.
Starting point is 00:19:41 It is not going to last forever. And one of the main reasons it doesn't last forever and gets end of life is because of the security problems it has. Right. But I think also a nuance here is that it's not just that end of lifing. Perhaps you don't want to wait for the end of life. Perhaps as part of your investment in your own security, you should be on a cycle of X number of years because with that update to the device, the hardware and the software comes security updates. Right. There have been massive improvements
Starting point is 00:20:12 in the hardware level of security updates on these devices. They didn't used to have secure enclaves or trusted platform modules or whatever hardware was in there. Now they do. And that is a huge step forward in security. And I don't know what's coming in the future, but there may be something in the future in a couple of years
Starting point is 00:20:30 that's even a bigger step forward in security that's hardware-based. And there's no amount of software updates that'll help you with that. We've also seen a lot of vulnerabilities happen in hardware recently, particularly with the Intel products. I can't remember what they were called because it's been over a year. You mean like Spectre and Meltdown? Yes, exactly. Spectre and Meltdown. Thank you, Dave. with the Intel products. I can't remember what they were called because it's been over a year and I... You mean like Spectre and Meltdown? Yes, exactly.
Starting point is 00:20:46 Spectre and Meltdown. Thank you, Dave. That eventually the next generation of processors that are going to come out are not going to have those vulnerabilities. Right. But you can't go into your server farm and go, well, I just got to replace all these CPUs.
Starting point is 00:20:58 That's not going to happen. Yeah. So it's the same thing with your phone. There may be some kind of vulnerability that gets discovered in the CPU of the phone, and you can't just change that out. You have to get a new phone. Yeah, yeah.
Starting point is 00:21:10 I just think it's a good idea to look at it as an investment in your security to be on some sort of a regular upgrade cycle. Yes, this is expensive. I guess it could be considered money well spent. Aaron Turner makes a good point in this talk and in this article that we're looking at from Tom's Guide. He says, really, the better solution is to go with a hardware token
Starting point is 00:21:29 like a YubiKey or the Google Titan product. I've actually made that move, and I'm actually starting to use that more often. There is one thing you have to do, though. You have to buy two of these devices. And you have to buy two of them and keep one of them at home and safe. Because if the main one you use breaks, you're going to need a backup. Yeah.
Starting point is 00:21:50 Because if you don't have it, you could be locked out of everything. Then you have to go through the hassle of calling all these different providers and trying to get your account reset. And good luck if you don't pay for Gmail, getting Google to respond to your request. Yeah. It might just be a new email address for you. Let me also tell you just from personal experience, if you're someone who travels and when you travel,
Starting point is 00:22:11 you like to leave your keys at home because you don't want to risk losing your keys while you're on the road. Well, if your keys happen to include that hardware key on it, you may find yourself away from home without your hardware key and that might not work out well for you. Right, that means you're gonna have a hard time getting, you know, I keep my YubiKey attached to
Starting point is 00:22:28 my backpack because usually when I travel, I have my backpack with me. In fact, always when I travel, I have my backpack with me. It has a lot of things in it that I need to live. So I just keep it there. I don't keep it with my keys. Yeah. Yeah. All right. Well, good advice. Interesting article here. It's from Tom's Guide. It's don't run your 2FA authenticator app on these smartphones. Joe Kerrigan, thanks for joining us. My pleasure, Dave. second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization
Starting point is 00:23:21 runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Listen for us on your Alexa smart speaker too.
Starting point is 00:24:05 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:24:29 We'll see you back here tomorrow.