CyberWire Daily - Cyber conflict in the Middle East. EasyJet breached. More errors than exploits. The Dark Web during the pandemic. 5G misinformation. REvil updates.

Episode Date: May 19, 2020

Foreign intelligence services attribute a recent cyberattack on an Iranian port to Israeli operators. EasyJet discloses a breach of passenger information. Verizon’s annual Data Breach Report is out, and it finds more errors than it does exploits. A look at the Dark Web during the pandemic. US authorities warn local law enforcement to watch for misinformation-driven telecom vandalism. Ben Yelin explains why the ACLU is suing Baltimore over a surveillance plane. Our guest is Robb Reck from Ping Identity on a recent CISO Advisory Council meeting regarding the sudden shift to working from home. And REvil is still offering celebrity dirt for sale... if they’ve actually got any. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/97

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Foreign intelligence services attribute a recent cyber attack on an Iranian port to Israeli operators. EasyJet discloses a breach of passenger information. Verizon's annual data breach report is out and it finds more errors than it does exploits.
Starting point is 00:02:11 A look at the dark web during the pandemic. U.S. authorities warn local law enforcement to watch out for misinformation-driven telecom vandalism. Ben Yelin explains why the ACLU is suing Baltimore over a surveillance plane. Our guest is Robb Reck from Ping Identity on a recent CISO advisory council meeting regarding the sudden shift to working from home.
Starting point is 00:02:30 And REvil is still offering celebrity dirt for sale, if they've actually got any. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 19, 2020. Citing anonymous sources in a foreign government, the Washington Post reports that intelligence services have concluded that a recent cyber attack against the Iranian port of Shahid Rajaee was the work of Israeli operators, possibly in retaliation for earlier attacks against Israeli water treatment facilities. EasyJet has disclosed a data breach that affected some 9 million customers. The Guardian writes that the airline describes the incident as the work of highly sophisticated criminals.
Starting point is 00:03:19 Verizon this morning released its annual data breach report. This year's version is twice the length of its predecessors, covering more regions and more economic sectors. As Reuters reads it, one of the principal conclusions is that financial gain significantly outpaces espionage as a motive for hacking. 86% of the breaches covered were committed for money, not intelligence. Industry Week's takeaway is the biggest problem is people, not systems. Our own pre-briefing call with Verizon led to that same conclusion.
Starting point is 00:03:50 Exploits are rarely the way breaches are accomplished. The report concluded that error, such mistakes as incorrectly configured databases and misdelivered emails, are now about as big a problem as social engineering. There's another trend in attack technique. Web app attacks, the researchers conclude, have roughly doubled. Turning to the effects the COVID-19 pandemic is having on cybersecurity, France is proceeding with its centralized approach to COVID-19 contact tracing, ZDNet reports. Authorities maintain that this is being done with due regard for preserving users' privacy. The government is particularly interested in the utility the system, called
Starting point is 00:04:29 StopCovid, might have in containing a recurrence of the virus. Earlier this month, Medium offered a summary of the app's development, including its goals and prospects. Researchers at Trustwave's SpiderLabs described the various pandemic-related scams they're finding on the dark web and note some of the underworld reaction to them. They do note that the criminals follow the news, like everyone else, swap advice about staying healthy, express concerns about the consequences of the pandemic for their own enterprises, and so on. In short, an inverted version of the kind of chatter one sees in legitimate channels. But the more interesting material reveals the deliberations and plans
Starting point is 00:05:11 that directly shape the criminal enterprises themselves. For example, there's chatter about demand for masks and whether that presents an opportunity for various forms of illicit trade. Masks and other medical supplies are being offered for sale in online markets that normally hawk Thank you. to widespread cover-ups and misinformation by various authorities. The underground markets are themselves feeling some of the pain legitimate markets are experiencing. They warn their customers that they may expect service disruptions, and they shed virtual crocodile tears over the health risks vulnerable customers face during the pandemic. And some of the subsectors of the criminal-to-criminal market seem to be feeling considerable pain. Carding, in particular, appears to be experiencing a rough patch. Why this is happening is unclear and seems to call for explanation.
Starting point is 00:06:14 Perhaps with a general slowing of economic activity, there's been a reduction in available inventory, and with the relative scarcity of new stolen numbers, carders are recycling their wares in the markets. Criminals who have access to new stolen cards are reserving them for their own use. Robb Reck is Chief Information Security Officer at Ping Identity. He shares insights from a recent ISSA CISO Advisory Council meeting regarding this sudden shift to working from home. So generally, we have roughly 10 of our customer CISOs get together and talk about, you know, trends in the industry and kind of give some feedback to Ping on roadmap. We were intending to have our in-person meeting this year in around the 20th of March. And you can imagine
Starting point is 00:06:59 that didn't happen with COVID hitting. And we ended up having to shift to virtual about two weeks later. And we really used that shift to virtual as a chance to just get all of the team members of the council to talk about how has COVID and the rapid shift to work from home impacted them and impacted their companies and impacted their security departments. Well, what can you share with us? What sort of insights did they have? Yeah, so we got together April 2nd. It was nine different folks from a variety of different industries. And I think the industries matter because, you know, you have that really heavily impacted industries like healthcare providers.
Starting point is 00:07:32 We had a cable internet provider there, an online learning provider, kind of strangely enough. I mean, we had, you know, less directly impacted manufacturing and financial services, but everyone had a kind of a unique perspective. But what are some of the things that you were discussing when it comes to potential changes when we're through this, when we get through this together? Are they seeing that there are going to be some changes to the way they come at things? Yeah, you know, one of the interesting things that I learned out of this, everyone kind of across the board agreed we're moving so quickly that we're probably not making fully understood risk decisions here. The CISOs are trying to get
Starting point is 00:08:11 in front of it, trying to understand what are the implications of every risk, but we're not able to go fast enough when you shift from one way of doing work to another, basically at the drop of a hat. So one of my favorite recommendations I heard coming out of this is, is make sure that you're documenting each of the decisions you make as a part of this, and come back and just really consider, is it the right thing to do? If you now are allowing BYOD because you don't have enough laptops across your enterprise, okay, maybe that's the right thing, but maybe it's not. Or maybe you need to put some kind of new mitigation controls in place to allow you to do that BYOD. What sort of things are you tracking in terms of the community response to this? How are these companies engaging with the
Starting point is 00:08:51 broader community? Yeah, I was really excited as we talked to the CISOs as a part of this council that a number of the companies that they work for have actually used this as an opportunity to give back and really not just go after the bottom line, but try and make things better. Top of the list, the workers' comp insurance company that was a part of our council, they worked overtime for the first few days of this to make sure that they were keyed in to be able to accept claims for COVID for workman's comp, which, you know, not on the top of my list I'm thinking about, but they really were making sure their customers were able to react quickly and make sure their employees were getting paid in the middle of this.
Starting point is 00:09:24 We talked already about the online school that's put a 24-7 war room on this to make sure it's running. Another one we had, though, is a scientific society that really, they're generally like a fee-based research organization where you can get access if you pay for it. They made all of their resources, all of their research available to anyone who's working on COVID. So they just threw that whole paywall out of the way and said, if you're doing this, we want to make sure we support you. Yeah, it's really been heartening to see the good faith community response to all this. And of course, we're continuing to see how things are going to change. And I expect, you know, this is just chapter one of the new normal.
Starting point is 00:09:59 That's Robb Reck from Ping Identity. Robb is also the co-host of the Colorado Equals Security podcast, so if that is your neck of the woods, be sure to check it out. ABC News reports that the U.S. Department of Homeland Security, the FBI, and the National Counterterrorism Center have issued an advisory to law enforcement authorities warning them to expect vandalism directed against 5G and other telecommunications infrastructure.
Starting point is 00:10:25 Quote, violent extremists have drawn from misinformation campaigns online that claim wireless infrastructure is deleterious to human health and help spread COVID-19, resulting in a global effort by like-minded individuals to share operational guidance and justification for conducting attacks against 5G infrastructure, some of which have already prompted arson and physical attacks against cell towers in several U.S. states. Such attacks, hitherto more commonly observed in Europe, have begun to appear in the U.S. as the bogus theory of a link between cellular networks and COVID-19 gained traction. Some of this vandalism predates the emergence of the COVID-19 virus and therefore also predates the misinformation that's now driving the incidents,
Starting point is 00:11:13 Business Insider notes. Arson was reported at cellular infrastructure sites as early as December of 2019. And finally, DarkOwl researchers have been tracking the activities of the REvil gang that's claimed responsibility for hacking celebrity law firm Grubman Shire Meiselas & Sacks. The criminals say they've received offers for information they claim to have on President Trump and that their next offer is of data connected with Madonna. Bidding starts at $1 million. We are living in a material world.
Starting point is 00:14:03 And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. Also my co-host over on the Caveat podcast. Ben, always great to have you back. Great to be with you, Dave. We are going to revisit a story that you and I have talked about on more than one occasion,
Starting point is 00:14:34 and that is this plan to put some spy planes over our city of Baltimore, our beloved city of Baltimore, basically a DVR in the sky for surveillance. There's been a development here. The ACLU is taking issue with this plan. Yes, they are. They're actually suing to try and stop that surveillance plane. And as of now, that plane is actually in the sky. I was reading commentary on some neighborhood Facebook pages saying that they've been hearing this bizarre humming sound. It kind of sounds like a blimp flying over a baseball stadium.
Starting point is 00:15:05 And it turns out it is the surveillance plane. So it's been up in the air for about a week. It was sold to the city of Baltimore by a former army individual, Mr. McNutt, who has his own surveillance technology. There have been a lot of legal policy challenges to this, but the airplane is finally airborne. And the ACLU is suing on a bunch of grounds. Obviously, they're worried about individuals' Fourth Amendment rights. When you have an airplane that can take millions of different pictures in real time of the city, that certainly almost by definition lead to unreasonable searches and seizures. The government did not get any sort of judicial authorization to take those pictures.
Starting point is 00:15:48 And because of the way the technology works, you can zoom in beyond a city block onto an individual home or an individual sidewalk and see an individual there. And then there are a lot of potential First Amendment concerns here. We've talked about on this podcast and on our podcast how, you know, the potential for racial bias creeps into all of these surveillance technologies. And it's notable from the ACLU's perspective that, you know, the first one of these spy planes that's going up in the country is going up over a city that is 60% African-American.
Starting point is 00:16:24 And, you know, even though it is a city that has suffered from a pretty serious crime spree over the past several years, I think that's certainly something worth noting. And, you know, they've talked about how surveillance methods have been used for both religious and or against religious and political groups. One of the ones they mention in this article is the Black Lives Matter group in Baltimore City. So yeah, I think we're gonna have to sit back
Starting point is 00:16:52 and wait to see where this lawsuit goes. Litigation like this can take a long time. You're gonna have dueling motions, a lot of different legal proceedings. I think we could be several years away from some sort of resolution on this issue. And meanwhile, you know, unless the ACLU is able to obtain an injunction, which I think is unlikely because a judge would have to find that this spy plane is irreparably harming the citizens of Baltimore, then, you know, while this litigation continues, that plane is in the sky taking pictures.
Starting point is 00:17:26 So smile, Baltimore. You are on camera. Well, let me play devil's advocate here because, first of all, is it even fair to call it a spy plane? I mean, do we call security cameras that police put out, do we call them spy cameras? Fair enough. Sure. One could, but yes. You're right.
Starting point is 00:17:53 You're right. Well, but also it makes me wonder, it is my understanding that when you are out and about in public, you have no reasonable expectation of privacy. How does that not apply here? Is it just the scale of it? I think the scale is a reasonable expectation of privacy when you are in public view was created in an age of much less pervasive technology. It was really about what would the police spot, you know, if they were to see you running on the street or running out of your house. That's the sort of notion of the plain view doctrine. Does that doctrine and should that doctrine change when we're talking about a plane that can take millions of real-time photos and engage in, you know, 24-hour surveillance of people who are out in public? Is it still fair to have that same
Starting point is 00:18:35 legal doctrine apply in this age of new technology? And I think the ACLU is going to argue, and they have some, you know, reasonable Supreme Court precedents at their side that things are fundamentally different. We're going to have to adapt that plain view doctrine to deal with a technology like this, because the legal doctrine is outdated. And I think they're going to be justified in making that argument. But, you know, I'm not sure which way federal judges will come down on that issue. Do you suppose that it could be a situation here where the plane is allowed to stay in the air, but in order to use any of the information it gathers, you'll need a warrant? So that's possible, you know, unless the program is enjoined on one of those First Amendment issues, because you can burden people's constitutional rights even if there's no criminal proceeding. But yeah, I mean, I could certainly envision a circumstance where a crime or a potential crime is caught using this aerial surveillance technology
Starting point is 00:19:35 and a criminal suspect tries to suppress that evidence on Fourth Amendment or First Amendment claims. And then that's going to be litigated at an individual criminal proceeding. You know, maybe that instead of this ACLU lawsuit will be the vehicle where we get some clarity on the constitutionality of this surveillance. But, you know, that's going to take time too, because we're going to have to wait to have an airtight case where we really did catch a person committing a crime. The only evidence that was used to arrest that person was aerial surveillance. And, you know, once those circumstances present themselves, then we can go through that case. I think because the plane has just been launched, we don't have any criminal suspects who have standing to challenge it. So that's why we're seeing the civil suit from the ACLU.
Starting point is 00:20:25 Interesting. Well, in the meantime, I'm launching my line of umbrellas that from the sky look like other people. There you go. See, you just have to fight fire with fire. You have to look on the bright side of things, right? Yes, exactly. And if you notice a lot of people in Baltimore City pointing their middle finger to the sky, you'll know exactly what that means now. It's a new citywide sign of solidarity.
Starting point is 00:20:51 Yep. There you go. All right. Well, Ben Yelin, thanks for joining us. Thank you. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Starting point is 00:22:05 Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Thanks for listening.
Starting point is 00:22:35 We'll see you back here tomorrow.
