CyberWire Daily - Election phishing, without hook, but with line and sinker? Data breaches, and the importance of prompt disclosure. Misplaced hacktivist sympathy.
Episode Date: October 27, 2020
EI-ISAC reports a curious election-related phishing campaign, widespread, but indifferently coordinated and without an obvious motive. Nitro discloses a “low impact security incident.” A breach at... a law firm affects current and former Googlers. Finnish psychological clinic Vastaamo dismisses its CEO for not disclosing a breach promptly. Ben Yelin looks at a controversial White House plan to divvy up 5G spectrum. Carole Theriault shares results from Panaseer’s 2020 GRC Peer Report. And a terrorist murder finds support online. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/208 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
EI-ISAC reports a curious election-related phishing campaign, widespread but indifferently coordinated and without an obvious motive.
Nitro discloses a low-impact security incident.
A breach at a law firm affects current and former Googlers.
Finnish psychological clinic Vastaamo dismisses its CEO for not disclosing a breach promptly.
Ben Yelin looks at a controversial White House plan to divvy up 5G spectrum. Carole Theriault shares results from Panaseer's 2020 GRC peer report.
And a terrorist murder finds support online.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 27th, 2020.
The Elections Infrastructure Information Sharing and Analysis Center, the EI-ISAC, has alerted local authorities in the U.S. to an apparently widespread phishing campaign
in which unknown actors are contacting election officials with spoofed emails.
The Wall Street Journal reports that EI-ISAC describes the messages as potentially malicious,
although most don't include the malicious links normally used in phishing.
The Journal quotes EI-ISAC to the effect that the emails don't appear particularly sophisticated or highly coordinated.
The ISAC said, quote,
While these phishing messages appear to be part of a widespread campaign, the source and motive remain unclear, end quote.
So there are a variety of possibilities,
bungled criminal or hacktivist work,
espionage services trying to habituate targets
to opening their emails,
or just the usual crew of maladjusted skids
doing things for the lulz.
Australian document services company Nitro
says it sustained a low-impact security incident,
but Bleeping Computer says researchers at Cyble have found Nitro user and document information for sale on the dark web.
ITWire contacted both Cyble and Nitro about the incident.
Since Nitro has a number of large, high-profile users, their response is worth quoting.
The company told ITWire,
quote,
Nitro continues to investigate
an isolated security incident
involving limited access
to a Nitro database
by an unauthorized third party.
The database does not contain
user or customer documents
which are hosted
in a separate database.
There is currently
no established evidence
that any sensitive
or financial data
relating to customers has been compromised.
There is no impact to Nitro Pro or Nitro Analytics.
Usage of Nitro's popular free document conversion service does not require users to create an account or become a Nitro customer.
Users are required to provide an email address and common email domains are frequently entered.
End quote.
Cyble thinks the incident is more serious than that.
They told ITWire and Bleeping Computer that they found both user and document databases,
as well as a terabyte of documents, up for auction in a dark web market.
Opening bids are set at $88,000 U.S. dollars, that's $112,000 Australian,
not that any of you would be in the market for stolen data.
The incident remains under investigation.
Nitro reported the breach to the authorities and is cooperating with law enforcement.
The law firm Fragomen, Del Rey, Bernsen & Loewy,
which provides Google with I-9 employment verification compliance services,
disclosed Friday that it had been breached and that some Google employees' personal information
was compromised. Which data elements were involved apparently varies with the individual. The disclosure
letter Fragomen sent to affected individuals says that names were compromised, along with other
information that depends upon what Fragomen had.
The board of Finnish psychotherapeutic practice Vastaamo has dismissed the clinic's CEO
after concluding he'd been aware of a significant data breach for more than a year without disclosing
it, Finnish news media report. The breach began to come to light last week when people complained
to various tabloids that they were being held for ransom.
An update from the BBC says the breach included records of therapeutic sessions,
which presumably lends urgency to the extortion demands being made of the individual victims.
Victim Support Finland has advice for those affected.
It offers both general emotional support as well as some advice
specific to the details of how Finnish law handles privacy. Some of its advice, however,
is generally useful wherever you might live. If you've become a victim of cyber extortion,
take a screenshot if you discover your stolen data posted to the web, and do the same with
any demands for ransom. And finally, of course, don't pay the ransom.
If it's any consolation,
civilized and well-disposed people won't hold it against you
that you've sought therapy.
The general lessons for organizations here are familiar.
First, bad news doesn't improve with age.
And second, whistling past the graveyard
is unlikely to be an effective incident response technique.
One would think that the terrorist execution of a schoolteacher by beheading
would not be seen as something to celebrate or support.
Alas, one would be wrong.
You may recall seeing reports of the awful murder of Samuel Paty
ten days ago in the Paris suburb of
Conflans-Sainte-Honorine. He was killed by an Islamist extremist because he had shown some of the
cartoons of the Prophet Muhammad that Charlie Hebdo had published in 2015. Those cartoons
prompted a massacre at the newspaper's offices shortly after they were published.
They've evoked that response again.
Monsieur Paty's murderer was shot by police shortly after his crime.
The Dhaka Tribune now reports that Bangladeshi hacktivists identifying themselves as Cyber 71 have taken up the cause of the extremist, may his name be forgotten.
Cyber 71 claimed responsibility for the defacement of various French commercial
websites in retaliation for perceived insult to the prophet. Police in Dhaka say they're open to
investigating reports of cybercrimes, even though they think this one may fall outside their
jurisdiction.
Winning with purpose and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Continuous Controls Monitoring Platform provider Panaseer recently published their 2020 GRC peer report,
GRC being short for Governance, Risk Management and Compliance.
Our UK correspondent Carole Theriault has the story.
We are here today to try and answer a rather big question.
How are the security gurus out there feeling about their defenses in 2020,
now that there's this whole new landscape to contend with?
I've invited Charaka Goonatilake, CTO of Panaseer,
to share some of the insights they've gathered on the cyber pulse of the
nation's experts. Thank you for coming on the show, Charaka.
Thank you, Carole. Thank you for having me.
So first, a bit about Panaseer. As I understand it, you guys help big companies better understand
their operational risk. So does that mean if you have an employee and they're not cyber trained,
they increase your risk?
Is that a fair way of explaining it?
What we recognized when we started the business about five years ago was that the vast majority of companies are struggling with some of the most fundamental basics of cybersecurity.
They simply don't know what assets they have to protect and whether the various security controls that they've
deployed are being deployed correctly to protect those assets. So you mentioned users, people are
potential risks, and we have controls like security awareness training to mitigate that.
But are those actually being effective to protect the organization? And actually having this
visibility into your security posture could actually prevent a vast majority of the cyber attacks.
And also we're seeing a growing level of scrutiny from the regulators.
You know, there's so many regulations that these organizations have to comply with.
And the organizations are struggling to measure their security posture and report accurately against all these compliance requirements.
You know, I hate to blow my own trumpet, but I think I'm one of the few thousand people that actually read the entire GDPR regulation.
Now, you guys recently published a report that provides insight in how security professionals in the finance industry are feeling in the face of this new digital landscape. Can you share a few highlights about that?
Yeah, what we've seen is that GRC teams in these financial services companies are
increasingly subject to time-sensitive requests from the regulators. And there's
lots of quite complex and scrutinizing questions.
And just for some of us, what does GRC stand for?
It's obviously an acronym. Yeah, that's right. So it stands for Governance, Risk and Compliance.
And it's part of the organization that, you know, looks after all of the risks that the organization
is facing and helps to manage that and also looks at all of the compliance obligations that they
have and make sure that the organization is actually being compliant.
Go on with your highlights. Fantastic.
These organizations may well be secure, but what they're struggling with is to prove that they're actually secure.
GRC leaders are frequently unsure if they're actually giving accurate security data to these regulators and auditors.
In many cases, this information is likely to be incomplete or out of date or just based on subjective beliefs that they have.
The GRC report, the survey that we ran, there were a couple of key findings that we pulled
out from it. First of all, what we're seeing is that the traditional GRC tools are simply not fit for the current challenges.
Less than half of the GRC leaders are confident that they can fulfill the security-related requests from the regulators.
Less than half?
That's right.
Wow.
Yeah. And 92% are looking for quantitative rather than qualitative reporting to assure their security controls. And also,
there's a huge overload in the number of requests that they're facing as well.
It sounds like they're like neck deep in the proverbial.
Yeah.
Any main key points you would tell these people, these people that are feeling stressed out?
The main takeaway is that the GRC functions in these organizations need to become more data-driven as with other departments.
You know, if you think about a CFO, they're not relying on manually adding up reports when they're balancing the books.
And the same principle applies to security information being given to regulators, auditors, and the board.
And really, the main thing that these organizations need is an automated way of delivering trusted insights. And we're seeing this as a critical requirement that is emerging for these GRC functions.
through more of your highlights.
Listeners, you can find out more about this research from Panaseer
on their website, panaseer.com.
Charaka, thank you for giving us your time.
I really appreciate it.
Thank you very much, Carole.
Thanks for having me.
This was Carole Theriault for The CyberWire.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast.
Hello, Ben.
Hi, Dave.
Interesting story that caught my eye today.
This is from CNN, and it's titled,
Administration Officials Alarmed by White House Push to Fast-Track Lucrative 5G Spectrum Contract,
Sources Say.
Ben, I don't know if you've been living in a cave or not,
but this 5G thing seems to be—
Pretty big deal, yeah.
Seems to be kind of a big deal, and seems like the White House has their eye on it. And some folks want to
access to some of that spectrum. What's going on here?
Yeah, I mean, so this spectrum is just an extremely valuable resource, as you can expect.
It's going to be no matter who wins this contract, it's just going to be
an enormous financial windfall for that company.
So what some administration sources have been telling the media, there is a large push within the highest reaches of the White House to encourage Pentagon to accept what's basically a
no-bid contract from the company Rivada. They want to fast-track Rivada's request for proposal
in a way that would preclude the more competitive bidding process
you would usually see for something like this.
So obviously most people are familiar with how this works,
but generally you have this request for proposal.
Every company puts in their most competitive bid.
The government chooses the one that hopefully will be
the most cost-effective to the taxpayers.
That seems to be what is not happening here.
There are allegations that allies, political allies of the administration,
have been pushing, particularly the chief of staff to the president, Mark Meadows,
to have this fast-tracked.
One of those individuals is our old friend Karl Rove,
who is a Republican political strategist
from the George W. Bush era.
He is also a formal slash informal advisor
to the Donald Trump re-election campaign.
And he's a lobbyist for Rivada.
And he's apparently been getting in the ear
of administration officials trying to push this.
Now, he's denied doing that.
And he claims when he was asked about it by CNN that he
would turn down a no-bid contract.
To me, that language leaves a lot of wiggle room.
It might not technically be a no-bid contract, but if they were given an advantage in this
process, it still would be an unfair process and would disfavor the interests of the consumers.
And then there's former Speaker of the House, Newt Gingrich, who also seems to have connections with Rivada.
He's been advocating for the Pentagon to grant this contract to the company.
Even though he's not officially a lobbyist for Rivada, administration sources have said
that he's one of the people that's been pushing this, and he's also a major political ally of the president. Interestingly enough, former Speaker
Gingrich said he never advocated for Rivada. However, if he did it, in the words of OJ Simpson,
he would have done it pro bono as a citizen. And I'm sure we all believe the veracity of that
statement. Out of the goodness of his heart. Yes, yes. Well, and I think it's worth some clarification here that a couple things.
So this is spectrum that currently belongs to the military.
Right.
It's been set aside for them.
And so this push is for them to share that spectrum with private industry for the public good.
Obviously, you know, this spectrum can be used for a lot of things
and there are many good uses for it.
This article points out that a government auction
of 70 megahertz of spectrum back in August
sold for more than $4.5 billion.
And this is for 350 megahertz of spectrum, five times as much.
So we're talking about some big dollars here.
Yeah, and this is a great opportunity for the government.
I mean, the government controls a lot of resources.
This is one of their most valuable resources, having the Department of Defense have domain over the spectrum.
So it certainly behooves the administration and the country for there to be a competitive bidding process
to make sure that we are getting our money's worth,
that whatever deal is agreed to is in the best interest
of the American people and the consumers.
So any effort to sidetrack that competitive bidding process
is going to have a really negative impact on, frankly,
our bottom line as a country.
I don't know if you've heard,
our budget situation isn't exactly in tip-top shape.
No, it's not.
This is certainly a small piece of that.
But if you are one of those people,
like many of us who think that every dollar counts, if you use this what's essentially a no-bid process, you not only could be doing something that reeks of cronyism and potentially corruption, but you could be doing something that negatively affects our nation's finances.
Yeah, and worth noting here that there's bipartisan concern about this. There seems to be plenty of people who want to take a closer look at what's going on here.
Absolutely.
I mean, from a Republican conservative perspective, this is a no-brainer.
You want there to be a competitive process that relies on the innovations of the free market.
I mean, that's bread-and-butter Republicanism, and that's been reflected in some of the statements we've seen from Republican senators.
My guess is that now that this story has gotten on the radar and has been picked up by the media, we might see more of an organized pushback against this that might force the Pentagon to avoid the appearance of impropriety.
Right, ixnay on the uncompetitive bid.
Yeah, exactly.
They tried to pull a fast one on us, but couldn't quite make it.
But I think it's incumbent upon all of us to keep our eyes on this, because it's really
important for the future of 5G.
It's really important for the future of good government as well.
Yeah, and I think, as they point out, spectrum is a limited resource.
I mean, there's only so much of it,
and it's very valuable, so we can't just...
They're not making any more of it, right?
No, they're not creating more spectrum.
I don't want to get into the supernatural here,
but that's, I think, nuts.
I don't think that's something that we can just create more of.
Yeah, yeah.
All right.
Well, interesting one, as you say, an important one to keep an eye on.
Ben Yelin, thanks for joining us.
Thank you, Dave.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
And it kills germs that cause bad breath.
Listen for us on your Alexa smart speaker, too.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.