CyberWire Daily - Cybersecurity notes during the pandemic emergency. Twitter bots. Ransomware attack on a biotech firm. WHO updates. And how are the cyber gangs doing these days?
Episode Date: April 3, 2020
Geolocation in support of social distancing. Fixing vulnerabilities in a popular teleconferencing service. Twitter bots running an influence campaign against the Turkish government are taken down. A biotech firm reports a ransomware attack. More on attempts to compromise the World Health Organization. And a look at how cyber criminals are faring during the emergency. Michael Sechrist from BAH on cybercrime changes in the age of Coronavirus; guest is Admiral James Stavridis (Ret.) from PreVeil on global cyber security threats and realities. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_03.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Geolocation in support of social distancing. Fixing vulnerabilities in a popular teleconferencing service. Twitter bots running an influence campaign against the Turkish government are taken down.
A biotech firm reports a ransomware attack.
More on attempts to compromise the World Health Organization.
And a look at how cyber criminals are faring during the emergency.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 3, 2020.
More companies and governments moved to share geolocation information during the pandemic emergency.
In support of enforced social isolation, Google yesterday decided to make location data in the form of mobility reports
available to governments, the Wall Street Journal reports. According to France 24,
the data is being collected from 131 countries. The University of Toronto's Citizen Lab has taken
a look at Zoom's less-than-end-to-end encryption, which Citizen Lab characterizes as roll-your-own.
There's a strong suggestion in the report
that some questionable security decisions
were driven by a decision to put speed and ease of use first,
with everything else following when and where it could.
The lab also points to Zoom's apparent ownership
of three companies in China that have a total workforce of 700.
They write software for Zoom in a typical labor arbitrage agreement.
But Citizen Lab worries that the Chinese connection
could expose Zoom to pressure from Beijing.
The Canadian University Lab asks,
a U.S. company with a Chinese heart?
The teleconferencing service is patching vulnerabilities disclosed to it
as the company's services see an enormous spike in demand
during the COVID-19 emergency's period of enforced social isolation and remote work.
The Washington Post says that Zoom's quick response has generally been well-received,
even by such normally skeptical critics as the Electronic Frontier Foundation.
Errata Security offers some perspective on the bugs,
advising users to take
sensible security steps and not exaggerate the risk. The Atlantic Council's Digital Forensic
Research Lab reports some 9,000 inauthentic Twitter bots promoting a Saudi and Emirati
line against Turkey's activities in Libya. The bots, which Twitter has taken down, also sought
to politicize the COVID-19 pandemic.
It's not that they're interested, really, in COVID-19. Rather, it's that coronavirus hashtags
draw attention. How do you recognize bot activity on Twitter? The Digital Forensic Research Lab
points out a few indicators. For one thing, the so-called egg avatar, the gray circle enclosing a dark gray oval that stands in for a face, often says bot,
especially when the botmasters lack the time, resources, or attention to detail that would be required to put up a stock photo of the account's sock puppet.
And repetition of content, verbatim, is also another tip-off.
In this case, the botmasters did somewhat better.
Quote, the accounts were posting similar content
rather than verbatim or copy-pasted content.
The messages had the same political resonance, though.
End quote.
10X Genomics, a California biotech firm
working on COVID-19 treatments,
disclosed in a Form 8K filed Wednesday
with the U.S. Securities and Exchange Commission
that it had sustained a ransomware attack.
The company says it has restored both access to its data and normal operations,
but the attack also involved theft of some unspecified company information.
The World Health Organization has said little more about the attempts
to compromise staffers' personal email accounts,
but it has said it believed the attempts were unsuccessful.
Reuters quoted sources who suggested the campaign was run on behalf of Iran,
quote,
We've seen some targeting by what looks like Iranian government-backed attackers
targeting international health organizations, generally via phishing.
This was from a source identified as someone at a large technology company
that monitors Internet traffic for malicious cyber activity.
Reuters also consulted security firm Prevailion, which made no attribution,
but which did say they'd captured evidence of compromise suggesting the activity
of what they characterize as a sophisticated hacking group.
Computing reports the attacks, which appear to have begun in the first week of
March, are continuing. In what may be a distinct campaign, the World Health Organization has also
been said to be the target of Dark Hotel, a threat actor generally believed to operate from East Asia.
Dark Hotel is also said to be at work against targets in Japan and China with attacks that
Cybersecurity Help and others say
exploit Firefox and Internet Explorer vulnerabilities.
So how are the criminals doing under the current conditions of pandemic and emergency response?
Digital Shadows has been looking over the shoulder of the hoods
who chat amongst themselves in their dark web markets,
and they've summarized the mood of the underworld,
at least in its Russian and English-speaking precincts, as revealed by the chatter.
Some of the conclusions are entirely foreseeable, as the emergency cuts brick-and-mortar commerce
way back, people are doing much more shopping online, and the criminals see opportunity for
carding and other forms of online retail fraud. They're also shifting their direct
fraud to follow the market. A number of them see opportunity and demand for face masks, vaccines,
and other items people want but can't get. Sometimes it's because the stuff isn't available,
like face masks, in some places, or toilet paper in others. Sometimes, as in the case of the
vaccines, it's because such things don't exist. And of course, some of the fraud is familiar snake oil, like the colloidal silver
cure-all you may have seen, or that one weird trick that will see you through the coming
economic hard times and right onto Easy Street. On the other hand, the gangs are also feeling
some economic pain. Opportunities for travel and event fraud have essentially dried up,
and the criminals who specialize in these are feeling the pinch.
The gangs are also having difficulty completing their theft
when it requires an actual physical transfer of goods or cash, as it often does.
They depend on drop workers to close those deals,
and they're having trouble getting their drop workers to actually work.
For one thing, the authorities are a lot more alert to people who are out and about with no
evident legitimate purpose. For another, the drop workers themselves are often afraid to leave the
house. May the pandemic crash the cybercriminal economy fast and hard. Faster and harder than
any of the damage it's doing to the honest and the hardworking.
Yes, that's overly optimistic, but we can hope, right?
My guest today is retired four-star admiral James Stavridis. He served as NATO's Supreme
Allied Commander, Europe, and was dean of the Fletcher School at Tufts University.
He's the author of several books, the most recent of which is titled Sailing True North, Ten Admirals and the Voyage of Character.
Admiral Stavridis serves on the board of encrypted email and file-sharing firm PreVeil, which is how we came to speak with him at the RSA conference.
In the mid-70s, I'm in Annapolis,
and into my classroom walks Rear Admiral Grace Hopper, amazing grace, the mother of COBOL.
And she's there to tell us about COBOL, this magical way of communicating with a computer. And of course, we do it with paper punch cards to make very simple commands.
So that's the mid-1970s. Now, flash forward to today, at every step of my career, I've seen the
deeper and deeper engagement of the Navy and the other services to where we are today, which is,
in my view, it is so complex and so central to everything we do
that it's time for us to have a cyber force.
Just like we have an army, a navy, an air force, and a marine corps,
I think it's time for a cyber force.
So we've come from punch cards and BASIC as a language and COBOL as a language
to a need to create a separate branch of the armed forces
because of the inherent complexities of cybersecurity.
So where do you suppose we find ourselves today, taking the temperature of how things are in the DOD and the government sector?
In your estimation, where do we stand?
I'll give you good news and bad news, and I'm going to start with the bad news.
The bad news is in cyber and cybersecurity nationally, we find the greatest mismatch between level of threat and level of
preparation. In other words, we worry a lot about Russia, China, Afghanistan, Islamic State, piracy.
Those are serious threats, high level of threat, but our level of preparation to deal with it is quite high.
In cyber, the level of threat is expanding unbelievably rapidly because the threat surface is expanding.
Today, there are 25 billion devices connected to the Internet of Things.
By mid-decade, it'll be 50 billion.
That's great.
I can get out my iPhone and open my garage door from San Francisco.
The bad news is the threat surface is huge and we are not moving as rapidly as we should. And
offense is outpacing defense in my view. So I'm concerned. That's the bad news. Here's the good
news to the Department of Defense. There's growing awareness. There's growing expertise. We are
moving toward the idea of a cyber force. And most recently, and this will sound a little wonky,
but it's really important. The Department of Defense is releasing something called the
Cybersecurity Maturity Model Certification, kind of a mouthful, CMMC. What it is, is think of it like karate. It's a series of belts that
you have to attain if you're going to do business with the government. So level one is very basic.
Think of it as a white belt. You got to know what a phishing attack is. You got to have a basic
resiliency plan. You have to be able to coherently reconstitute data. The levels go up to level five.
If you want to do serious business with the government, you got to be a level five. That means we're going to force standards on the,
glad you're sitting down, 300,000 companies who do business with the Department of Defense.
That's called the Defense Industrial Base. It's an unregulated zone in terms of cyber.
The department is about to regulate it.
It's a profoundly good initiative.
How do you suppose that transition is going to play out?
And how long is it going to take?
It's starting almost immediately.
By early summer, if you want to participate in a request for information, so-called RFI,
you have to have the basics put together.
By October, if you want to be in an RFP, which is pretty serious request for proposal, that's
where you're actually presenting a bid, if you will, to the government.
You have to have attained the appropriate level for your organization, its size.
And so let me give you an example involving a company
that I'm working with called PreVeil,
which does end-to-end encryption.
If you want to do business with the government,
you're going to have to demonstrate to the government
that you can move emails and file attachments
that can't be attacked in the server system,
which is, of course, what happens now with Gmail or any
other broad area messaging or email service. So as we get into this, it's going to happen fast.
Companies are going to need solutions quickly. And by the way, Dave, I'll close on this.
It has to be not self-certification. It has to be certified by an outside observer,
and that outside observer has to be certified by the Department of Defense.
So this is a big change, a big system.
There are going to be fits and starts in this.
There will be discontinuities, but it's a move in the right direction.
I have one more question for you.
The world that you come from, which is a world of aircraft carriers, of fighter
jets, of soldiers. Tanks. Tanks. All of that hardware requires large investments, you know,
the best people designing them, operating them. The soldiers that we have trained are second to none.
But that is all visible. That is all you can look into the harbor and see an
aircraft carrier, and there it is. And so in terms of expressing our nation's strength globally,
those things are very easy to see. Cyber is different. And we're in this era where
nations who perhaps wouldn't have gotten our attention before, for them to stand up a force in the cyber realm
doesn't require, they don't have to build an aircraft carrier.
They don't need the capabilities to build a jet fighter.
Correct.
Do you have any insights on that disproportionality?
I think another way to phrase the question is,
if you'll permit me, is,
do we still need all that massive, old line, hyper expensive equipment?
Or can we do all this with cyber? And unfortunately, I think we're going to continue to need
some level of those legacy systems. But here's the mistake people make. They tend to think of it as
an on and off switch that
only has two positions. Either, yeah, we just need all that big, beautiful aircraft carriers,
or we're just going to do it all with cyber. Think of it more like a rheostat, you know,
like a dimmer in your dining room. You got to move the needle. And I think the needle is moving
away from those big, expensive legacy platforms and more
toward the cyber. And there's two reasons. One is it is less expensive. We need it to defend our
systems. And critically, our opponents are doing it. And so we may find ourselves in very contentious
situations in the cyber world. We got to be prepared for that. Aircraft carrier is not going to get you there,
but there are going to be times when that aircraft carrier comes in pretty handy as well.
Going to need a bit of both.
All right.
Admiral, thank you so much for joining us.
What a pleasure. Thanks for doing it.
Thank you.
All the best.
That's retired four-star Admiral James Stavridis.
Our thanks to the team at PreVeil for coordinating the interview.
And joining me once again is Michael Sechrist.
He's the chief technologist at Booz Allen Hamilton.
Michael, it's great to have you back.
I just want to do a check-in with you as we're sort of hunkered down dealing with the situation with COVID-19.
What sort of insights can you share with us?
What sort of things are on your mind?
Well, thank you so much again for having me back.
It's been a while, but happy to talk to a familiar voice.
So, you know, obviously this is dominating the news cycle. And when we think about cyber,
and we think about cybersecurity, it's basically an extension, really a physical
world activity. And so it's no surprise that we're seeing an uptick in kind of everything related
to what's happening out in kind of the pandemic news into cyberspace.
And some of the things that we've generally seen kind of change,
I think number one is that it's really becoming difficult to find out what the normal baseline of a company is
in terms of their network activity,
in terms of what activity, what should they be expecting from, in terms of traffic from external sources, what should they be expecting in terms of basically flows with their bandwidth.
In addition, we're seeing a rise in basically all the attack vectors that you would expect that are going to target availability.
So if you think of the CIA triad, the confidentiality, integrity, and availability, availability has become essential now to the lifeblood of kind of the economy to just the overall health of corporations.
And so as such, you have attackers and those who just want to cause kind of disruption from the outside wanting to use things like, you know, malware, spam, mail spam.
You've got, probably you're going to see a rise in business email compromise attacks, because it's difficult to get a sense of, you know, if that email address that's asking you to move money is not from your CFO or not from somebody in authority.
It's a little bit more difficult to kind of arrive at that conclusion now because of everybody working from different addresses, different places remotely.
You're seeing a rise in ransomware attacks that are going to try to, again, affect availability.
You'll probably see a rise in DDoS attacks.
You'll see a rise in attacks that are targeting just VPN infrastructure or trying to avoid that because of the rise in connections using VPN.
And then also, you know, expect that you'll still see nation state, you know, quote unquote, sophisticated APT type attacks that are going to try to blend in with the noise and move during the chaos that is currently facing us.
What about this reality that many organizations have had work-from-home policies, and so they've
had procedures in place for that?
But I suppose it's fair to say that having such a large percentage of your workforce
relying on consumer-grade technology, their home internet
connections, that's quite a shift. Yeah, it certainly is. I mean, even when you set up a
work-from-home policy for your employees, there are certain specifications that companies typically
require. Usually, you have to be kind of somewhat segmented off even internally at your house.
You have to kind of have a standard setup, work from home location, and then you have to have,
you know, pretty much unfettered internet connectivity and activity there. You know,
both of those can be very challenging right now. Not everybody has set those up. Child care while
working is also very difficult. If you're working on very sensitive
and confidential activities, you've now kind of potentially put yourself in exposure with others
who you're living with a lot more than you previously did. And then you having the unfettered
access, right, the internet access, that is always not the case. And certain, you're going to see
probably certain degraded or downgraded connectivity at times, basically with the influx of everybody kind of logging on around maybe your area at the same time.
And that can affect your abilities to operate.
So, yeah, there's definitely, it's a much different work from home kind of setup.
And, you know, the other thing I would mention here that is interesting is that, you know, I've been a part of a lot of
cybersecurity exercises in the past. And I don't think we ever had one or I've ever seen or heard
anyone talk about having a fully work from home cybersecurity exercise. You know, the other kind
of thought is, you know, having a massive cybersecurity event while most of the company
is distracted, right? Like, I don't think that is
typically something that companies ever have created. And when I say distracted, I mean,
what would happen if, you know, you're facing one adversary on one side doing some sort of
the activities we described, but then you have another attack kind of unfolding either in the
background or on a second front. Having like a two-front attack is very difficult.
And I would consider almost the pandemic and COVID to be at least one type of attack,
maybe not obviously deliberately here,
but just something that companies have to focus on
while they're also having to maintain
potential attacks from other areas.
Yeah, no, it's an interesting insight.
Well, Michael Sechrist, thanks for joining us.
Thank you so much.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.