CyberWire Daily - DPRK leadership crisis? Probably not. Economic espionage in the oil patch. COVID-19 relief fraud. US Supreme Court will take up CFAA. Virtual proctoring.
Episode Date: April 21, 2020
Fears about North Korean instability can wait until it's determined that there's actually instability. An economic espionage campaign targeted the oil and gas sector. Much phishing surrounds government COVID-19 economic relief programs around the world. The US Supreme Court will hear a case involving the Computer Fraud and Abuse Act. And if you're studying from home, don't cheat. And teacher, maybe don't spy. Ben Yelin from UMD CHHS on training facial recognition software to recognize medical masks; guest is Gonda Lamberink from UL on making product security transparent and accessible to consumers. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Fears about North Korean instability can wait until it's determined that there's actually instability.
An economic espionage campaign targeted the oil and gas sector.
Much phishing surrounds government COVID-19 economic relief programs around the world.
The U.S. Supreme Court will hear a case involving the Computer Fraud and Abuse Act.
Ben Yelin on facial recognition software in a world of medical masks.
Our guest is Gonda Lamberink from UL on making product security transparent and accessible to consumers. Thanks for joining us. For our studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, April 21, 2020.
Reports that North Korean leader Kim Jong-un is in serious condition as he recovers from heart surgery have been circulating, NBC News reports.
But they report this cautiously and with reservations.
If true, instability in the DPRK could be expected to be accompanied by cyber operations and perhaps a spike in cybercrime, as Military Times suggests,
and that anyone betting on form would expect.
But the news from the peninsula seems to be that Kim isn't in extremis,
isn't at death's door, and is in fact working.
Yonhap summarizes the evidence that things north of the 38th parallel
are pretty much as they have been in recent months, as normal as they ever get in that neck
of the woods. The bottom has fallen out of oil prices, with futures actually trading in negative
ranges, and The Register describes a spear phishing campaign apparently designed to install the
information-stealing Agent Tesla.
The phishing emails impersonated Enppi, Engineering for Petroleum and Process Industries,
a well-known contractor in oil and gas production.
Researchers at Bitdefender discovered and tracked the campaign,
which actually antedates the conclusion of a meeting among OPEC and the Group of 20
that resulted in an agreement to cut oil production and stabilize prices.
It's unknown who's behind the campaign of apparent economic espionage.
The UK's National Cyber Security Centre is urging people to report
the COVID-19-related scam emails they've received.
The agency has established an online reporting portal
to make the process simpler and more convenient. The NCSC has, according to ZDNet, taken down more than 2,000
online scams related to the pandemic, including 471 fake online shops selling fraudulent coronavirus
related items, 555 malware distribution sites, 200 phishing sites, and 832 advance fee frauds.
Advance fee frauds, it's worth recalling, are a venerable email scam,
long famous as the Nigerian Prince scam.
The versions presently circulating promise a large payment in exchange for a small but non-negligible setup fee.
The occasion of the offer is some bogus bit of nonsense about COVID-19,
designed to render the mark willing to part with some cash in exchange for a big score down the
road. It's not an investment scam where one might buy real estate in a non-existent country,
a sure thing penny stock being pumped and dumped, the Brooklyn Bridge, or shares in a heroic statue.
Rather, the advance fee scam presents itself as the first stage in a transaction with the victim.
The scammers say they need to move money and are willing to pay a service fee for the victim's assistance.
They may simply say that Grace has moved their hearts to generosity toward the victim.
But, of course, even the operations of Grace require the recipient to establish some financial infrastructure.
It's, of course, a bad deal and worse theology. The current run of advance fee scams plays upon
COVID-19 news. One might think no one would fall for them, but people do.
The Australian Cyber Security Centre's regular threat update, COVID-19 Malicious Cyber Activity,
outlines a set of problems similar to those seen in the UK and elsewhere.
Since March 10th, ACSC has received roughly two reports a day of Australians losing money to coronavirus-themed online scams.
And note that these are actual losses, not mere attempts.
With their private sector partners, including Google and Microsoft,
ACSC has disrupted more than 150 COVID-19-themed websites that had been engaged in malicious activity.
UL has a history spanning over 125 years as a safety testing and analysis organization.
They've recently set their sights on IoT devices, aiming at providing clarity for
consumers with the UL verified mark. Gonda Lamberink is Senior Business Development Manager,
Global Identity Management and Security from UL. So UL is focusing on various IoT verticals
or ecosystems for cybersecurity purposes. And even though there is a few security standards
and evaluation options out there,
there wasn't something that was a good fit for consumer IoT
or also portions of commercial IoT yet.
And the IoT security rating is meant to fill a void
that existed for a baseline security assessment.
And this is in line with also some of the regulatory developments calling out connected
devices and that they should have reasonable security features, such as the California
Senate Bill 327. So the IoT security rating assesses products for their security features, incorporating industry best practices,
and then gives them a rating where there's multiple levels that a product can obtain from levels bronze up till diamond.
All right. Well, take us through some of the specifics here. How would companies go about implementing it, getting evaluated and so on?
Yeah, so we have incorporated best practices and requirements in line with leading industry and policy guideline documents.
We've also written, for example, a blog post on how the IoT security rating requirements compare to requirements covered in, for example, the NIST
guideline, NISTIR 8259, or in the US, the C2 Consensus, which is an industry consensus
on baseline security led by the Consumer Technology Association and the Council to
Secure the Digital Economy, and some other leading guidelines. So the starting point is, I think, to look at some of
those documents and then look at the IoT security rating, understand the requirements that it covers.
We've published those requirements in a document called the UL Marketing Claims Validation 1376.
Yeah, with a bit of an understanding of the requirements, start preparing for an assessment,
which we cover in two flavors, a lighter weight assessment that can result in a bronze or silver
rating, or a full assessment to a majority of the IoT security rating requirements,
where the resulting rating is levels gold and higher. So levels gold, platinum,
or diamond. And is there going to be an accompanying educational campaign to get the
word out with consumers themselves? Yeah, so we see a good opportunity for collaboration with
industry there, with individual manufacturers that work with us on the IoT security rating.
We invest in co-marketing effort together with them to get the word out.
We also see a potential role for retailers here if they can start promoting this label in their retail environments.
And then hopefully also more direct outreach to consumers, but probably as part of collaborative effort with our customers.
That's Gonda Lamberink from UL.
The UK's coronavirus job retention scheme
is also being used as bait by criminals
prospecting individual victims.
Less than 24 hours after the program opened yesterday,
Computer Weekly reports,
bogus emails sporting Her Majesty's Revenue and Customs branding
and claiming to be from HMRC Chief
Executive Jim Harra were already hitting inboxes. Demand for relief under the scheme is expected to
be heavy, Computing says, and that will lend urgency to the scams as well as tend to reduce
the victim's skepticism and resistance. Reuters reports that the U.S. Supreme Court has agreed
to hear a case that has the potential to limit the scope of the Computer Fraud and Abuse Act.
The law prohibits accessing a computer without authorization
or exceeding your authorized level of access.
The appellant, a former police officer in the U.S. state of Georgia,
claims he was authorized to access the information that he obtained.
His motive was assisting an acquaintance of his
who offered the police officer $6,000
to run a license plate to see if an exotic dancer
was in fact really an undercover cop.
He was asking for a friend, as it were,
and that motive, he claims, is irrelevant.
He was still authorized to run a plate.
ZDNet reports that students in universities find themselves in conflict over university plans to install remote monitoring tools onto students' devices, the better to detect and deter academic dishonesty.
The specific software package is Proctorio.
Universities are concerned about cheating during exams administered online.
Students resent the invasion of privacy,
and some of them, not you, the student who's listening to this, of course,
but other students, bad students,
no doubt resist proctoring that would make it harder to cheat,
copy, plagiarize, and so on.
The university's concerns about cheating are reasonable,
but so is students' irritation with this kind of dean-of-student-ish hovering
that no one likes.
The center of the dispute, for now,
is the Australian National University,
but you can expect it to surface elsewhere.
It's a classic apparent conflict of rights and duties.
Discuss, and class dismissed.
Calling all sellers. faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Ben, good to speak with you.
Good to be with you, Dave.
You know, I was out and about taking a walk, getting outside recently,
and being the good citizen that I am, I was wearing a mask to cover my face to help protect myself and others.
The CDC appreciates you, Dave.
But one thing, a side effect of this was that from time to time I would try to look at my phone and my face ID on my iOS device would not let me in.
It was not at all amused at the fact that I was wearing a mask.
And that reminded me of this article that I saw come by.
It's a long way to get there,
but an article in Ars Technica written by Kate Cox.
And it's about some shirts that can hide you from cameras
and this notion that we may be able to hide
ourselves from facial recognition software. What's going on here? So facial recognition
is generally very good at what it does. This article talks about that in China, for example,
the facial recognition software they use there has been trained to identify people who are wearing
medical masks. So perhaps that would have solved your issue of not being recognizable
on your device. But unlike human beings, according to this article, you can trick
the facial recognition software. If you sort of bombard the software with very confusing,
incongruous images that throw off the learning capability of this artificial intelligence, then you can cloak yourself. In order to do so,
you have to wear probably one of the silliest shirts I've ever seen.
And I've seen you in person, Ben, and you're not someone who's afraid of silly shirts.
I'm not, no.
I wouldn't call myself a fashionista, but I'd probably rather expose my identity to all 7 billion people in the world than wear this shirt.
And I don't mean that literally.
But they do have a picture of it in this article, and they call it a bright adversarial pattern.
It looks like the craziest Christmas sweater you've ever worn.
I think the author jokes that you could probably see this from space, but it does render the wearer of this shirt or sweater invisible to the software looking at this person.
So the question is, are people concerned enough
about privacy in the age of facial recognition
that they'd wear these sort of cloaks?
Because now we know that that technology exists.
Humans created the facial recognition software
and humans have figured out a way to provide a cloak to it.
Are you drawing attention to yourself just by wearing something like this?
Is that enough to put yourself under suspicion?
Absolutely. I mean, if I saw a person wearing this sweater out in public,
I would stare at them for several minutes just to figure out what in the world was going on.
So it's sort of a conundrum.
To make yourself invisible in the world of facial recognition,
you need to wear this very colorful, silly shirt.
But that makes you far more visible in the physical world and in public.
And that's why I think, you know, even though the technology exists,
we're not seeing people go out in public with shirts designed to confuse facial recognition systems or any type of similar software.
From a policy point of view, could you be running afoul of any law or anything by doing this?
Not the way I read it, there's no law preventing you from providing yourself an invisible cloak in
responding to any sort of facial recognition or similar software.
Over on the Caveat podcast, you and I have talked about, we've gotten
feedback from listeners that there are some places who have prohibitions against
masks, for example. But this would not be that. This isn't that.
And to somebody who knew nothing
about facial recognition or, you know, any type of artificial intelligence, this would seem to
just be a silly shirt. So unless law enforcement were explicitly trained to find these types of
shirts, which once you create many of them, it would be hard for them to identify which ones
are invisibility cloaks, then I don't even think there's a way of enforcing it.
And then you have potential First Amendment issues of expression,
policing what people wear in public as a law enforcement matter
could get you into some sticky areas.
So I don't see a law or policy that would prohibit somebody
from wearing one of these invisibility cloaks.
Now, if it becomes enough of a problem
that law enforcement isn't able to do its work
because we get to a point where most shirts are manufactured
to evade this type of technology,
then that's where Congress could step in
or a state legislature could step in
and make policy banning this type of shirt.
But as we've talked about on this podcast
and on the Caveat podcast, the law and the
policymaking is always behind the technology.
And because the technology is so new, I don't expect that that's something that we're going
to come across in the legal world for a long time.
Yeah.
I almost wonder if something like this could be sort of a badge of honor of someone, for
people in the know to say, hey, look at me,
I'm sticking it to the man,
nobody's going to track me.
And folks who are aware of it
would be able to kind of,
sort of be like a code word when you're out in public.
You give a knowing nod to each other.
Pass each other with your
colorful shirts on.
Yeah, it's sort of like being
in the world's nerdiest gang.
You recognize the oddly blotted color scheme.
You're like, I see what you're doing here, bud.
You've done your research into invisibility cloaks
for artificial intelligence.
You're one of those people.
But yeah, I could definitely see that happening.
All right.
Well, it's interesting research.
Again, the story is in Ars Technica.
Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart
speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Thanks for listening.
We'll see you back here tomorrow.
AI and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.