CyberWire Daily - COVID-19 updates: crime, propaganda, and craziness. (Also telework.) BGP hijacking. DarkHotel sighting. Apps behaving badly. And a risk of sim-swapping.
Episode Date: April 6, 2020
The COVID-19 pandemic continues to drive a spike in cybercrime. It's also been the occasion for various state-operated disinformation campaigns, and for some surprisingly widespread popular delusions. Zoom's acknowledgement that some traffic was mistakenly routed through China draws more scrutiny to the teleconferencing service. A possible BGP hijack is reported. DarkHotel is said to be back. Bad stuff in Google Play. And a SIM-swapping risk. Malek Ben Salem from Accenture on CISO health concerns; our guest is Dr. Celeste Paul from NSA on cognitive capacity and burnout. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_06.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The COVID-19 pandemic continues to drive a spike in cybercrime.
It's also been the occasion for various state-operated disinformation campaigns
and for some surprisingly widespread popular delusions. Zoom's acknowledgement that some
traffic was mistakenly routed through China draws more scrutiny to the teleconferencing service.
A possible BGP hijack is reported, DarkHotel is said to be back,
bad stuff at Google Play, and a SIM-swapping risk.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
April 6, 2020. The coronavirus pandemic continues to provide an occasion for criminal hacking,
state-directed disinformation, and popular delusions.
There's been a general spike in coronavirus-themed attacks as criminals move toward the soft,
or at least novel, targets that public fear and widespread remote work afford.
Both Europol and the US FBI are reporting a significant increase in cybercrime, and other regions are seeing much the same, which ought to place criminal avowals that they be on their best behavior,
all for the greater and most high-minded good, into some perspective.
Here, for example, is another Cointelegraph report that the dark web Monopoly Market says
it will permanently ban hoods running COVID-19 scams. We won't link to their own site, but we will quote some of the
extracts Cointelegraph ran. We have class here, Monopoly Market's impresarios say, albeit
implausibly and in a self-refuting kind of way, since classy people don't generally draw attention
to their classiness. They go on. You do not, under any circumstances, use COVID-19 as a marketing tool.
No magical cures.
No silly effing mask selling, toilet paper selling.
None of that horse excrement.
The impresarios also give some advice with an FYI.
News you can use.
You are about to ingest drugs from a stranger on the internet. Under no circumstances should you trust any vendor that is using COVID-19 as a marketing tool to peddle, tangle already
questionable goods. But we guess other marketing tools would still be fine with them. We still
think such public-spirited piety should be assessed in the light of the source and be received with
reservations. Other notes from the underground that have
promised good behavior by criminals have proven to be largely moonshine,
or as Security Week puts it, they've gained little traction. Listener beware.
Beijing continues to be the prime suspect in various disinformation campaigns that surround
the pandemic, as the Express reports, but Russian organs have also been active.
Canada's foreign minister is the latest to complain,
not in so many words, but by clear implication
of Moscow's involvement in pushing bogus information.
Digital Journal says that Foreign Minister
François-Philippe Champagne said after a NATO meeting,
certainly this is not the time for a state actor
or non-state actor to spread disinformation
at a time when basic humanity is facing one common challenge, which is the virus.
Researchers at the University of Calgary weren't reluctant to make an attribution,
and they're attributing the campaign NATO discussed to Russia.
This is not to suggest that the two governments' goals or styles have been identical,
as is usually the case.
China is interested in pushing a persuasive line,
in this case the line that COVID-19 didn't originate in China,
and that China has been a good global citizen in helping people recover from the epidemic,
and that anything bad that's going on is somebody else's fault,
maybe the fault of the Spanish or, more likely, the fault of the Americans.
It's worth noting that some people posting comments on the pandemic to Twitter have reported
being the recipients of waves of counter-comment in cases where the original posts were Sino-skeptical.
The Russian line tends to be opportunistic,
interested in increasing the opposition's friction, not usually in reducing their own.
And of course, misinformation as opposed to disinformation proper also spontaneously
boils to the surface in times of stress. The completely unfounded attribution of COVID-19
to 5G infrastructure continues to gain surprising
traction, with the UK for some reason seeming particularly susceptible. The Guardian reports
that broadband engineers have received threats, and the vandalism of a Birmingham cell tower
seems linked to the meme. Computing says the British government has asked social media
platforms to take stronger measures against such misinformation about coronavirus conspiracies.
The fear of 5G as the source of COVID-19 is strangely reminiscent of the popular fears
around which the Righteous and Harmonious Fists organized themselves during the Boxer Rebellion in China at the end of the 19th century.
Back then, it wasn't 5G, of course, but rather the telegraph lines associated with foreigners.
The singing of the wind in the wires sounded like spirits in torment.
Rust-tinged rainwater dripping from poles and lines
was taken for the spirits' blood.
Lest one be inclined to read histories of that time
as accounts of an utterly alien and benighted people,
think twice and take a look at Birmingham.
Some popular delusions may also be undergoing amplification by botnets, TechRadar reports,
and such amplification suggests that state operators may be using the memes for disruptive
purposes.
We speak often about the shortage of qualified candidates for jobs in cybersecurity,
and an important but arguably underreported element of that fact is burnout.
Many positions in this industry suffer from high turnover.
Dr. Celeste Paul is a human factors and cybersecurity researcher and senior computer scientist at NSA, and she offers these insights.
Cybersecurity is extremely stressful. It's just something about
the environment. It's complex. It's unpredictable. But that's a lot of why we get into it, because
it's so much of what we like. It's the challenge. That's why we're doing cyber. But those things can
also cause stress, especially the unpredictability and lack of control that you might have,
not just over your environment, but the things around it.
And so I think that's some of what contributes to the stress and burnout and turnover that we see in cybersecurity.
And so some of the things that I've been working on is understanding more about what causes that stress.
And so during my talk, I'll focus on Maslow's hierarchy of needs as one way of understanding that. And then I also provide some techniques in how we can manage our own stress or stress within our organizations.
Can you give us some insights there? I mean, what are those human factors in an environment like the one that so many of us function in? What are the things that are contributing to that? And how do people end up in a tailspin?
Cybersecurity is hard. It has a lot of challenge associated with it. And so
there's going to be a cognitive tax associated with that. And so anytime you have that challenge,
you're going to be taking resources away from your body and your mind. And as long as you have
enough time to recover afterwards, it's fine. We learn,
we build up hardiness so that the next time that we have stress, we are more resilient and can
recover faster. However, if we don't have enough time to recover from stressful event to stressful
event, it starts to build up in our bodies and it starts to build up in our minds. And that's
where we start to feel the effects more and it's starting to affect our work itself.
How much of this is a cultural component?
I think about, particularly I think here in the United States,
it's almost a badge of honor to say how many hours you worked.
And if you're in a startup environment, for example,
you know, we're burning the midnight oil,
not getting any sleep, but we're getting it done.
And it seems to me like there's a point where you hit diminishing returns with that.
There are definitely diminishing returns, whether or not we like to accept it,
just because as cybersecurity professionals, we like to overcome those challenges.
And one of them is going harder and faster than everybody else.
So at NSA, we understand the benefits of work-life balance.
And so we have programs within the agency that are available to the workforce to help them with that work-life balance.
So it's not just managing stress within the workplace, but anything outside of work.
So whether it's at home or just other activities that you have, we realize that helping people balance those activities will
help them be happier and more productive at work. But we also want them to be happy and productive
at work and then take that home with them where they're also happy at home.
Do you have any guidance or tips for that team leader who's trying to do a better job keeping an eye on their team and making sure that people are getting the care and feeding that they need?
So as a team leader, you can check in with your people as much and as necessary as you
feel. I think sometimes we get to know our people, know how much they can take and know, oh, well,
they'll be okay. But it still helps to check in with them.
That's Dr. Celeste Paul from the National Security Agency.
Zoom has acknowledged that it allowed certain calls to be routed through China,
and this was a mistake, according to Yahoo. Zoom's China connections have drawn fresh suspicion and scrutiny, including a U.S. congressional request for an explanation.
ZDNet says traffic from more than 200 of the world's biggest cloud hosting providers
and content delivery networks was suspiciously redirected
through Russia's state-owned telecommunications provider Rostelecom.
It looks like Border Gateway Protocol, that's BGP, hijacking,
and ZDNet calls Rostelecom a repeat offender.
Qihoo 360 reports an operation by DarkHotel that exploits a zero-day in Sangfor SSL VPN servers widely used by the Chinese government. The targets have for the most part been government
agencies in Beijing and Shanghai and Chinese diplomatic missions in some 19 countries, by ZDNet's count.
The researchers called DarkHotel a Korean Peninsula APT gang.
Researchers at universities in Italy, Amsterdam, and Zurich have published research into apps on
Google Play, where more than 4,000 apps collect information about other installed applications
and do so without user permission.
A follow-on study by the same team showed that such information can be reliably used
to develop profiles of the affected users. Gender, for example, seems relatively easy to infer.
Other popular Android apps present direct security risks.
VPNPro reports that SuperVPN, an application with over 100 million downloads,
is vulnerable to exploitation for man-in-the-middle attacks. And a study by CyberNews suggests
the existence of a group of Android developers who share code in producing risky or fraudulent apps.
Following up a study into SIM swapping, researchers at Princeton University found
that some affected services had corrected the vulnerabilities,
but that an alarming number haven't done so yet.
Motherboard summarizes the findings.
Meanwhile, keep patching.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
And I'm pleased to be joined once again by Malek Ben Salem. She's the Americas
cybersecurity R&D lead for Accenture.
Malek, always great to have you back. We wanted to take a look at some of the human side of
cybersecurity today, looking at the health of some of the folks in the field and how that can affect
things. What do you have to share with us today? Yeah, this is a topic that is not often talked
about, which is the health state of security professionals in general and the health state of CISOs in particular.
There has been a recent survey conducted by Nominet that talked to various CISOs in an effort to understand their stress levels and how they're coping with stress.
And throughout that survey, they've identified that the vast majority of interviewed CISOs, 88% to be exact, reported high levels of stress.
A third of them reported that the stress levels caused physical health issues and half reported mental health issues. They even talked about that stress
affecting not just their ability or their productivity, but it affected their relationships
with their partners or children. 40% of CISOs reported that. 32% reported that their job stress levels had repercussions on their marriage or romantic relationships.
32% said their stress levels had affected their personal friendships.
23% of CISOs said they turned to medication or alcohol.
So this is a problem that is more widespread
than we talk about and than we think.
And it's definitely something that has to be raised, right?
And we see some organizations bringing this up.
Most recently, obviously this Nominet survey, but also
an online community by the name of Mental Health Hackers have tried to make people in the community
aware about this problem. They've been presented at Black Hat a couple of years ago. But I think as security as a topic and as CISOs gain more visibility
to the board, hopefully there will be more awareness of this issue.
Yeah, it's interesting to me because I can see two sides of it. I mean, on the one hand,
I could see folks saying, well, this is a high level position. Of course, it's stressful. That
comes with the territory. But on the other hand, I imagine you hit a point of diminishing returns. If someone is not
functioning at their full capacity because of this stress, well, that could be a real security
problem for the organization. Absolutely. I mean, if you have
levels to the point where you cannot adequately perform your job, then there are repercussions
to that organization. Also, because of these stress levels, most CISOs don't last in their
jobs more than 26 months. So the high turnover is also worrisome because, you know, if you have
somebody on the job who's trying, you know, who has this huge mission of making the enterprise secure and your customers' data secure, and they're
only there for two years. By the time they start
building a strategy and start executing on it, they move on
to another job. So I think, yeah, definitely even from the organization's
risk exposure perspective that we need to
take this seriously.
Yeah, it seems to me like there needs to be open lines of communication so that there's
no shame in someone coming to their bosses and their teams and saying,
hey, listen, I've got a situation here. We need to make some adjustments.
That's absolutely, absolutely true. And also the other point of the other aspect of this is that this is not just for CISOs, right?
Information security professionals overall are exposed to these high stress levels.
You can think about the threat intelligence analysts.
You can think about SOC analysts having to respond to alerts so quickly and kind of stress that brings about.
So I think as an InfoSec community, overall, we need to just start talking about these problems
so that we can address them.
All right. Malek Ben Salem, thanks for joining us.
Thank you, Dave.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up for CyberWire Pro. It'll
save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan,
Thanks for listening.
We'll see you back here tomorrow. Thank you.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.