CyberWire Daily - COVID-19 relief. Data exposure at the SBA. Ransomware gangland. The CTI League's volunteer defenders. Active measures, disinformation, and cyber deterrence.
Episode Date: April 22, 2020
The US Senate authorizes more COVID-19 small business relief. A data exposure at the US Small Business Administration. The CTI League looks like a model for cyber volunteer organizations. The US Senate reports its evaluation of the Intelligence Community's look at Russian active measures in 2016. Calls for deterrence amid a converged campaign of disinformation. Joe Carrigan from JHU ISI on Microsoft zero-days, guest is Chris Chiles from OST on what companies need to consider before implementing 5G. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_22.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The U.S. Senate authorizes more COVID-19 small business relief,
a data exposure at the U.S. Small Business Administration,
a zero-day disclosure process error bites IBM,
a list of the ransomware gangs who maintain leak sites,
the CTI League looks like a model for cyber volunteer organizations,
the U.S. Senate reports its evaluation on the intelligence community's look at Russian active measures in 2016,
Joe Carrigan from JHU on Microsoft zero-days.
Our guest is Chris Chiles from OST
on what companies need to be considering
before implementing 5G.
And calls for deterrence
amid a converged campaign of disinformation.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Wednesday, April 22, 2020.
Yesterday afternoon, the U.S. Senate voted to approve an additional $310 billion in the Small Business Administration's Paycheck Protection Program, the PPP.
Fortune reports that the House, which is expected to vote in favor of the measure,
could do so as early as tomorrow. The entire stimulus bill is larger than the amount allocated
for the PPP. Bloomberg says the package totals $484 billion.
In an incident that isn't directly related to the Paycheck Protection Program, but that amounts to bad news for the U.S. Small Business Administration and its clients,
the SBA has disclosed that personal information belonging to nearly 8,000 small business owners who applied for assistance under the agency's Economic Injury Disaster Loan Program appears to have been accidentally exposed. The data involved includes
names, social security numbers, addresses, birthdates, email addresses, phone numbers, citizenship status, and insurance information, according to the Washington Post.
Again, this is a distinct and longer-running program from the Paycheck Protection Program, but small businesses affected by COVID-19 shutdowns have also been eligible to apply for assistance under the EIDL.
The CTI League, full name Cyber Threat Intelligence League, is a voluntary group of information security professionals,
and they've gained some positive reviews for their work helping organizations, especially hospitals, during the COVID-19 pandemic.
Founded just last month on March 14th, the CTI League's services are in high demand,
CyberScoop says, and the Hill describes the group's activities as a quiet daily war.
U.S. Cybersecurity and Infrastructure Security Agency Director Krebs tweeted his appreciation
for the CTI League's work during the emergency. The CTI League's inaugural report says the organization has grown to over 1,400
vetted members in 76 countries from 45 different sectors, including cybersecurity, healthcare,
technology, telecommunications, computer emergency response teams, government, and law enforcement.
There have long been discussions of the ways in which volunteer organizations might enhance cybersecurity,
but the CTI League may afford the first clear example of how one might actually work in practice.
It seems closer in conception to earlier models from outside the sector,
like the U.S. Civil Air Patrol or the ham operators of the Amateur Radio Relay League.
The U.S. Senate Select Committee on Intelligence reported this week
on the U.S. intelligence community's investigation of Russian interference in the 2016 U.S. elections.
This volume of the committee's report, the fourth of a projected five, set out to evaluate the
credibility of the intelligence community's conclusions and the integrity of its analytical processes.
The committee concluded that the intelligence community conducted its investigation properly and that its analysis supported the conclusion that Russia sought to damage the Clinton campaign
to the advantage of the Trump campaign. The intelligence community did not offer
recommendations for protecting future elections against foreign influence,
but as the IC people
interviewed told the committee, making recommendations like that isn't something
the intelligence community is supposed to do. The Washington Post suggests that Congress
will have plenty of recommendations of its own before November rolls around.
On Monday, U.S. Senators Blumenthal, Democrat of Connecticut, Cotton, Republican of Arkansas,
Warner, Democrat of Virginia, Perdue, Republican of Georgia, and Markey, Democrat of Massachusetts,
wrote to CISA Director Krebs and U.S. Cyber Command's General Nakasone asking that their
organizations increase their efforts against cyber threats that have emerged during the
COVID-19 pandemic. They said in their letter,
We write to urge the Cybersecurity and Infrastructure Security Agency in coordination with United States Cyber Command
and its partners to issue guidance to the healthcare sector,
convene stakeholders, provide technical resources,
and take necessary measures to deter our adversaries
in response to these threats.
The call for deterrence is directed against Russia,
China, Iran, and North Korea, all of whom the senators say are currently engaged in attacks
against health care, public health, and research organizations, a particularly threatening target
set as the U.S. attempts to contain and recover from the COVID-19 pandemic. The transition to 5G continues, despite the occasional vandalism
of 5G tower installations from conspiracy theorists who think it's somehow responsible
for the global pandemic. There's more to 5G than just speed. Chris Chiles is from Open Systems
Technologies, and he offers insights on what companies need to consider before implementing 5G.
When we're looking at 5G, I think there's additional risks that we need to be considering from a business perspective,
but also from a consumer protection standpoint.
Because, as I mentioned, we're going to be seeing more data being collected and different types of data.
So that means that it's more than just customer data at this point.
If we're talking about controlling things like driverless cars or healthcare devices,
those are things that could mean life or death.
And if organizations are not thinking about some of those risks at the forefront, then there's potential for issues down the road.
Can you share with us some specific examples of the types of things that you work on to make sure that message reaches the people who are using these tools?
Yeah, that's a good question. I think in terms of the work that we're doing at OST,
we're working a lot in digital transformation. So we're working with organizations on both sides of that, organizations who are trying to understand what this whole technology thing is, which I think
to a lot of us is a funny thing to think about. But businesses tend to move a
little bit slower in that area. So on the other side of it, we're helping businesses who are
looking to move faster, that maybe they're a digital native company. Like Dignestra, for
example, we've worked with them in the past where they started as a digital company and they
were looking to improve their product and move faster so that they could keep up with what their customers were looking for.
And I think in terms of ways that we're looking at the user interface for those things,
it's looking at security from the point of view of the customer.
So we're looking at their customers and talking to them
to figure out what their concerns are around security and privacy
so that we can make better decisions to make them feel more comfortable
and have a better system from the forefront
rather than just tacking it on at the end once something major happens.
When you look around the industry today, do you feel as though the message is out that people have gotten the word that these things matter,
that the design of these interfaces makes a real difference?
I think we're getting to that point. I would say that what we're starting to see is a move in that direction, where organizations are starting to see the need to care about their customers and to understand the impact that they have on their customers. But I think we still have room to go in that area and help organizations see the benefits of that, because it's not always something that can easily be tracked on a
spreadsheet. It's not as simple as saying, this feature we added to our application has done X
for customers. We have to be looking more long term. And a lot of organizations don't think
about that until an issue comes up. That's Chris Chiles from Open
Systems Technologies. A U.S. State Department report describes converging COVID-19 disinformation
campaigns. Politico has reviewed a report by the State Department's Global Engagement Center
that concludes three governments, those of Russia, China, and Iran, are pushing complementary lines of
disinformation, most of which contrast Russian, Chinese, and Iranian effectiveness with American
incompetence, and which suggest that the virus itself is an American bioweapon. The lines of
disinformation have both domestic and international audiences, and it seems likely that the convergence
is to a great extent an opportunistic matter.
Iran, China, and Russia share a common adversary, the United States,
and it's useful to deflect any blame for the crisis in that direction.
The report describes the activity as a convergence,
and that was partially confirmed by a comment from a representative of the Global Engagement Center to the Wall Street Journal.
Leah Gabrielle, the GEC's special envoy,
told the Journal that much of the common messaging did seem to be opportunistic,
but she added that there was also some evidence of coordinated action among the three governments.
She said, quote,
Russia, China, and Iran do have media cooperation agreements,
and I think this is important because disinformation narratives
are known to originate from official state news sources, end quote. The Chinese and Russian
embassies in Washington didn't respond to the Journal's request for comment, but Iran's mission
to the United Nations in New York emailed the paper as follows, quote, for sure any disinformation
or propaganda on the coronavirus pandemic is emanating from the U.S. administration, not Iran.
U.S. media is full of stories of lies and disinformation spread by the administration.
End quote.
So there you have it.
Direct from Turtle Bay.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute.
Also my co-host over on the Hacking Humans podcast.
Joe, always great to have you back.
Hi, Dave.
Interesting story came by.
This is from our friends over at Naked Security by Sophos.
Yep.
And they're covering some Windows Zero days here.
Right.
Let's go through this together. But why don't we start off just to get everybody up to speed.
Quick review.
What are we talking about when we say a zero day?
A zero day is a vulnerability that is not generally known to the public, right?
So, in other words, you have this vulnerability right now, and you have zero days to prepare for it.
There was a researcher.
I can't remember who
it was. So if you're hearing this, let me know who I'm quoting here. But he said, I don't like
the term zero day. I would prefer a negative number day exploit. Because in fact, you don't
have zero days. You have actually been exposed to this for some period of time because this
vulnerability has always existed in the code since it came out, or since the code was updated to whatever version had this vulnerability. That's how long
you've had this problem. You just didn't know about it until now.
So the point is, when you hear something referred to as a zero day, that means it demands your attention. It demands your immediate attention.
Exactly.
Yeah. So what are we covering here from Sophos with these zero days?
Well, they're talking about Patch Tuesday, which just happened in April.
And Microsoft did not miss it because of the pandemic, which is very good on Microsoft's part.
There are a bunch of fixes in this.
They were saying that this month's patch updates Windows versions from 7 through 10.
And it fixes a cadre of about 113 CVE-level vulnerabilities or flaws, 19 of which
are labeled critical. Now, CVE is the common vulnerabilities and exposures. I always get that
wrong. I always think it's common vulnerability enumeration for some reason. I don't know why I
had that stuck in my head, but it's common vulnerabilities and exposures. It's a list
maintained by MITRE of all the different
flaws that have been found. And when something is deemed bad enough, MITRE issues a CVE number for
it. Okay. And this particular CVE, 2020-0968, is interesting because Microsoft says they're not
seeing it exploited yet in the wild, but the article says it soon will be.
And the reason it soon will be exploited is because the bad guys know that not everybody
patches on time, right? Or patches in a timely manner. So when they see Patch Tuesday come out,
every bad guy in the world goes, get that patch, because that patch is going to show us where the
vulnerabilities are. And they can look at the patch, they can reverse engineer the patch, see what Microsoft is changing,
and the vulnerabilities will stick out like a sore thumb. Because then they can compare it to the existing code, they know exactly where to look, and they can find it very quickly.
Then they can begin exploiting them. So it's like a roadmap to the vulnerability.
Exactly. It's a roadmap to the vulnerability.
So when this patch comes out, your time is very limited.
It's kind of the irony of the problem, right?
Microsoft has to fix the vulnerability.
But in order to fix the vulnerability, they essentially have to tell everybody how the vulnerability works.
And they don't actually tell everybody in plain English, but they have to fix it so it makes it easy for people to find it.
And there's coordination here, right? Where they're like, Microsoft will work up the patch. They'll be alerted privately of the vulnerability, let's say.
Correct.
They'll work up the patch so that the CVE and the patch can be released at the same time.
Correct. Yeah. Or MITRE will say,
we have a CVE here.
We're not releasing any technical details
until Microsoft patches.
I see.
MITRE conducts themselves very well.
They're a trusted source
for this vulnerability tracking.
But the other piece of this ecosystem,
if you will,
is that there are security researchers out there
that find these vulnerabilities.
And most of them behave ethically as well.
So they will get in touch with Microsoft's bug bounty program and say,
hey, we have a bug and it's critical and we're going to go ahead and give you the information
so you can fix it.
The vast majority of people will work inside that system.
There are actually companies out there like HackerOne or a similar
company that runs their bug bounty program for them. And then when you participate in these bug
bounty programs, you're obligated to conduct yourself in an ethical way in order to get
compensation for it. But some people will go ahead and do a couple of different things. They will
either sell the vulnerability on the black market,
which is very bad because they never tell the company
that has the vulnerability that it exists,
and they're financially motivated not to do so,
or they will just publish it right away.
Now, this is something that's part of your day-to-day at Johns Hopkins, right?
You're part of the team that handles disclosure when some of your students, your professors, the researchers there find things?
Yes, yes.
I am the vulnerability disclosure coordinator for the Information Security Institute.
So if anybody finds a vulnerability, they're supposed to come to me.
Some of our cryptographers have relationships, existing relationships with other companies.
But, yeah, generally when our students find something, I disclose it.
And I will tell you, there are two kinds of companies out there.
There are companies that embrace this and are responsive.
And then there are companies that are like, hey, what are you doing reverse engineering
our stuff?
You can't do that.
And they try to get litigious.
But it doesn't work.
It never works.
And it never will work.
And companies have to
embrace the fact that their software is going to have defects or their hardware is going to
have defects and they need to find ways to fix it. All right. Well, Joe Carrigan,
thanks for joining us. It's my pleasure, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thanks for listening. We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.