CyberWire Daily - Cyberattacks and hacktivism around Minnesota’s unrest. Amtrak breach. Port scanning. Some lessons from the pandemic.
Episode Date: June 1, 2020
Hacking, and more claims of hacking, surround the unrest in Minnesota. Data breach at Amtrak Guest Rewards. More companies found port scanning. Four cybersecurity lessons from the pandemic. David Dufour from Webroot with an overview of online scams his team is tracking during COVID-19. Our own Rick Howard compares resiliency with business continuity. And a new 5G device is not only holographic, but quantum oscillatin’ too. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/105
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hacking and more claims of hacking surround the unrest in Minnesota.
A data breach attack at Amtrak Guest Rewards.
More companies are found port scanning,
four cybersecurity lessons from the pandemic,
David Dufour from Webroot with an overview of online scams
his team is tracking during COVID-19,
our own Rick Howard compares resiliency with business continuity,
and a new 5G device is not only holographic,
but quantum oscillating too.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 1, 2020.
Minnesota's Chief Information Officer Tarek Tomes said yesterday that the State Security Operations Center is defending against distributed denial-of-service cyberattacks
aimed at overloading state information systems and networks to tip them offline,
the Twin Cities Pioneer Press reports.
He added that the state had succeeded in preventing disruption of operations.
There have been many claims that the attacks represent an operation by Anonymous
designed to punish Minnesota for the death of George Floyd in police custody,
a death that's provoked widespread protest and rioting.
Many of the reports in social media claim that Anonymous is releasing email addresses and passwords
from the Minneapolis Police Department.
But that seems, researcher Troy Hunt says, to be almost surely false.
The email addresses and passwords displayed as evidence seem to come from older breaches and from such online resources as Have I Been Pwned?
Civil unrest will certainly continue, however, to manifest itself in cyberspace through hacking, disinformation, doxing, and denial of service.
Amtrak, the U.S. National Railroad Passenger Corporation,
has disclosed a data breach that affects Amtrak Guest Rewards accounts.
Bleeping Computer reports that Amtrak believes no financial data,
credit card info, or social security numbers were compromised,
and the railroad says that the incident was quickly contained.
Last week, eBay was found port-scanning computers of users visiting their site.
Bleeping Computer looked at other prominent sites and determined that eBay isn't alone.
Citibank, TD Bank, Ameriprise, Chick-fil-A, LendUp, Beachbody, Equifax IQ Connect,
TIAA-CREF, Sky, Gumtree, and WePay are port scanning too.
While the pandemic and its effects are far from over,
its consequences for cybersecurity now seem clear enough for us to suggest some lessons we might draw from the experience.
The first lesson is that improvisation under pressure is difficult.
It's better to plan.
We know, we know, that's a banal observation, but
still, it's a useful one, we think. So if there's one overarching observation to be made about the
pandemic and its effects on cybersecurity, it's that improvisation under pressure creates unexpected
challenges, risks, and opportunities. We've seen that improvisation in organizations' scramble to
come up with ways of
continuing to do business under conditions of lockdown and social isolation. We've also seen
it in the need to protect the rapidly expanding attack surface remote work presents. The companies
that provide the services and platforms necessary for remote work were also caught off guard.
Zoom's very fast, very large success brought the company
security and reputational problems it hadn't prepared itself to answer. We've also seen
improvisation at national levels as public health authorities in many countries tried,
with decidedly mixed results, to develop and deploy technologies that could trace contacts
and monitor the spread of infection. The U.S. Cyberspace Solarium Commission argued that the principal lesson should be the value
of preparedness, of sound advanced planning, and swift, effective execution in the moment of crisis.
The commission's co-chairs, Senator Angus King, independent of Maine,
and Representative Mike Gallagher, Republican, Wisconsin 8th, told the Washington Post they hope the U.S. Congress draws the lesson
that it's important to prepare for a disaster before it hits.
The commissioners intend to issue an appendix tomorrow, June 2nd,
that they hope gives Congress an after-action review of cybersecurity and the pandemic that will nudge lawmakers in the right direction.
And that may represent an unexpected opportunity to avoid being caught short by failures to plan or simply by failures of imagination.
The second lesson is that crises are opportunities for disinformation
and for spontaneously arising misinformation.
Both constructive disinformation, propaganda that seeks to convince,
and disruptive disinformation, propaganda that seeks merely to confuse, were on display during the pandemic.
The former is much more in the Chinese, the latter in the Russian style.
spontaneously generated looniness that saw 5G and its electromagnetic fields prompt cell tower vandalism and spawned a small industry of crank products
designed to ward off infection with wearable Faraday cages.
These have a life of their own,
as resistant to rational correction as delusions about chemtrails.
They also afford useful opportunities for disinformation campaigns,
especially the disruptive kind.
No one has any good ways of handling either disinformation or misinformation.
Social media companies seem to have settled into some version of a marketplace of ideas to fight lies and delusions.
It seemed unsatisfying, but it's hard to see how they could do much better, especially at the scales on which they operate.
Third, crises force startups to grow up.
Whatever insulation from business reality,
plentiful venture capital, and easy exits may have provided,
the pandemic-induced downturn forced more startups
to start acting like businesses.
It's been painful, but many startup businesses
are now being run more like, well, businesses,
or at least are in a position to see that that's the direction they'll have to move.
And fourth, espionage doesn't stop for crisis.
In fact, espionage likes crisis.
Your crisis is the spy's opportunity, and the spies know it.
Finally, to close with one more COVID-19 themed scam,
the BBC ran a story last week about the 5G BioShield, which for just £339 provides protection
for your home and family thanks to the wearable holographic nanolayer catalyzer, which can be
worn or placed near to a smartphone or any other electrical radiation or
EMF-emitting device. The vendors even explain how it works. Through the process of quantum oscillation,
the 5G BioShield USB key balances and reharmonizes the disturbing frequencies arising from the
electric fog induced by devices such as laptops, cordless phones, Wi-Fi, tablets, etc.
So, maybe treat that one with respectful skepticism as well.
Although, who couldn't do with a little quantum oscillation nowadays?
And I am pleased to be joined once again by the CyberWire's chief analyst, Rick Howard.
Rick, always great to have you back.
Thank you, sir.
You are covering an interesting topic on this week's CSO Perspectives, your podcast over on CyberWire Pro.
And you're talking about resilience and business continuity.
Now, at first glance, in my mind, I would say there's a lot of crossover there, but there's more to this than meets the eye.
Yeah, and there's a little bit of controversy, too, which I didn't realize until I was looking into it, which is kind of fun.
Resilience, if you haven't heard, is the new buzzword for what people are trying to do.
And in terms of keeping their organizations functional after some big cyber event.
Now, it could be a hacker thing like the Sony stuff,
or it could be just some sort of natural disaster, right?
But the whole mantra is make sure whatever you build can withstand a crisis like that
so you can continue delivering services.
And so when the business continuity people hear that, they say,
hey, hey, wait a second. That's what we do. Okay. Because why do we need a newfangled marketing team
for that or name for that? And it turns out that the business continuity people have been around
since the seventies. I didn't even know that. Right. But mostly, those folks have been dealing with physical issues.
You know, like I just said, natural disasters, earthquakes, force majeure kinds of things.
Right.
You know, executives dying, you know, that kind of stuff.
Okay.
Resilience in the new digital age, especially as we've gone to the cloud, is really how do you build infrastructure as code, okay, is how I look at it.
You know, how do you build systems of systems that can withstand giant catastrophes and you never
notice, right? And so I think that's the big difference. I think the resilience people
can learn from the business continuity people because they've had lots of experience and they
know how to execute plans. Resilience is a fairly new idea. But I
think there is a big separation there and the two groups can learn from each other.
You know, I can't help thinking about industrial control systems and the IT people versus the OT
people. I know. It does have a similar theme, doesn't it? Yeah, that's interesting. You know,
in my mind too, when you talk about those things, it's not different. It's just a different protocol. How you protect all that stuff is,
the same strategies apply. So, we all got to get on the same sheet of music here, I think.
Yeah. How does it play out? Where do you go with this on your show?
Well, what's interesting is if you look at a company like Netflix, right? They have this famous app that they call Chaos Monkey,
and it routinely destroys pieces of their customer-facing infrastructure on purpose,
right? So that their DevOps people understand the value of resilience, right? And they're so good at
it that I get to watch Witcher without any service outage, even though I know they're
having giant outages all the time because they're so big, because they design it to be within their
system. They've done so well with that. They have all kinds of applications. They call it the Simian
Army, you know, Chaos Monkey and Security Monkey and blah, blah, blah. So I love that. All right.
But that's a difference between what maybe resilience is in the digital age and what business continuity is in the physical world.
Yeah, that's fascinating. I suppose there's a lot of, I don't know, practice like you play
here where your rehearsals have to be realistic. Oh, yeah. And when you know that the code that
you're writing is going to be attacked and destroyed, you know, before you even deploy it.
Okay.
You do some things to make sure that customers won't notice.
Yeah.
All right.
Well, check it out.
It's the latest episode of CSO Perspectives over on CyberWire Pro.
Rick Howard, as always, thanks for joining us.
Thank you, sir.
And I'm pleased to be joined once again by David Dufour.
He is the Vice President of Cybersecurity and Engineering at Webroot, an OpenText company.
David, always great to have you back.
I wanted to check in with you and see what kind of scams you all are tracking
as we find ourselves in this ongoing situation with COVID-19.
What sorts of things are on your radar?
Hey, David, always glad to be back. Great being here. Thanks for having me.
You know, what's interesting, if a lot of folks can kind of put their marketing hats on,
you know, COVID is just another branding of all the scams we typically see, the phishing scams, the fake website scams,
the malware scams. And so really, whatever's popular, that's what the malicious actors are
really going to focus their tools in on. So right now, seeing a ton of phishing,
a ton of fake websites that really are focusing on COVID and trying to draw people in.
And how are they wrapping COVID around some of the well-known popular scams? Are there
any particular areas that they're focusing on? Yeah, so what we're really seeing a lot of folks
doing, first of all, we're seeing 2% of all sites that have to do with coronavirus or COVID, 2%
are malicious. So what people are doing is truly standing up sites that emulate or look like or
have a look and feel of something to do with COVID in terms of, do they want to donate? Have you
donate to the site? Or they're trying to pass on information and have you click through things that
could be clickbait that installs malware. So you've got to be really aware of what you're
doing when you're navigating just on the web.
And now we're seeing a lot of phishing scams as well.
David, you're very familiar with phishing scams.
It happens all the time.
And I know you're always calling me because you've infected your computer or given somebody, you know, your credentials and you want to know what to do.
That's true.
Yeah, that's true.
That's absolutely true.
But no, seriously.
I have you on speed dial.
You do. You do. And your IT people are always calling me. David did it again.
But in all seriousness, we're seeing a ton of phishing scams, emails going out there. Again,
people trying to get you to log into accounts based on COVID or donate money based on COVID.
And a lot of these are fake sites that are being stood up.
And all the standard phishing and all the standard malware safety mechanisms apply here. Make sure
that you know it's a reputable site. Don't click that link, David. Navigate to the website and
enter that you're certain you're on the site you want to be on. You know, folks like the Red Cross, you know, large charities that you're very comfortable with,
they're taking donations that focus on this as well.
So maybe go to those trusted sites instead of these pop-up charities that are trying to just get money quickly,
just so you're sure.
Yeah, yeah.
Now, you've also been tracking these folks taking advantage of using some of the apps that have gotten more popular in the midst of all this, services like Zoom.
That's exactly right. So we've seen a 2000% increase in malicious files that are being sent through Zoom.
We've seen, you know, when people are, you know, bombing Zoom where they're trying to get in.
And I don't want to just pick on Zoom. Zoom's done a really good job really quickly of putting tools in place to prevent and protect. Now,
the thing is, you have to enable those tools, things like requiring people to have a password
to get in or having people wait in kind of a virtual lobby and you let them in. But a lot of,
again, what's happening is anytime something's popular and malicious actors see that, they're going to jump on that wave and try to figure out ways to exploit it.
So it's all about being vigilant.
And we always talk about being vigilant, especially when it comes to COVID now.
People's hearts are involved and we're worried about our loved ones or other folks and we want to help.
We just have to maintain that vigilance, not be jaded, but have a little bit of wariness when we're doing things
in this time. Yeah. All right. Well, David Dufour, thanks for joining us. Great being here, David.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.