CyberWire Daily - Hacking the UN. Avast closes Jumpshot over privacy uproar. Facebook settles a biometric lawsuit. Data exposures, a LiveRamp compromise, and more newly aggressive ransomware.
Episode Date: January 30, 2020. UN agencies in Geneva and Vienna were successfully hacked last summer in an apparent espionage campaign. Avast shuts down its Jumpshot data analysis subsidiary and resolves to stick to its security last. Facebook reaches a preliminary $550 million settlement in a privacy class-action lawsuit. SpiceJet and Sprint suffer data exposures. LiveRamp was compromised for ad fraud. And Russia blocks ProtonMail and StartMail. Caleb Barlow from Cynergistek on the business impact of ransomware on a hospital. Guest is Matthew Doan, cybersecurity policy fellow at New America, discussing his recent Harvard Business Review article "Companies Need to Rethink What Cybersecurity Leadership Is." For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_30.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
UN agencies in Geneva and Vienna were successfully hacked last summer in an apparent espionage campaign.
Avast shuts down its Jumpshot data analysis subsidiary and resolves to stick to security. Facebook reaches a preliminary $550 million settlement in a privacy class-action lawsuit. SpiceJet and Sprint suffer data exposures. LiveRamp was compromised for ad fraud. And Russia blocks ProtonMail and StartMail.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 30th, 2020.
Leaked documents reveal that three United Nations agencies were hacked last year by exploitation of a Microsoft SharePoint vulnerability.
The attack began in July and was detected in early August, at which point a confidential memo on remediation was circulated internally.
According to Computing, 40 servers in Vienna and Geneva were compromised, and the UN Office at Vienna, the UN Office at Geneva, and the UN Office of the High Commissioner for Human Rights, also in Geneva, were hit. The AP says the UN described the hack as sophisticated, and so probably the work of a nation-state. What the campaign actually obtained is publicly unknown. UN staff members were not in general informed of the breach.
Geneva-based Ian Richards, president of the staff council at the United Nations,
whose role is to advocate for UN employees, told the AP,
The New Humanitarian, which obtained the leaked documents, calls the UN's response a cover-up.
Why didn't the UN disclose the breach?
UN spokesperson Stéphane Dujarric admitted to The New Humanitarian that core IT infrastructure in Vienna and Geneva was compromised.
He further explained that, quote,
as the exact nature and scope of the incident
could not be determined, the UN offices in Geneva and Vienna decided not to publicly disclose the
breach, end quote. So that's one way to look at it, and possibly not an entirely frivolous way
either, given that the goal of the hack was in all likelihood espionage, about which in some cases the less said the better.
Oh, you might ask, what about GDPR?
Well, not so fast.
They're the UN.
They've got diplomatic immunity.
The UN has said that the compromise was confined to Vienna and Geneva,
although we'd have to offer a don't-get-cocky caution to the folks at Turtle Bay.
Avast has been roughed up this week.
The Prague-based antivirus firm sustained reputational damage
when the company's sale of anonymized data through its Jumpshot subsidiary came to light.
As the company put it in a blog post Tuesday,
quote, we want to reassure our users that at no time have we sold any personally identifiable information to third parties, end quote.
And indeed, the reports about the incident did note that the company anonymized the data.
Avast also said they had obtained consent from users to collect the information and that such consent was gathered through an opt-out mechanism.
They expressed their understanding that this wasn't an optimal method
and that they intended to replace it with an opt-in mechanism.
But this was judged insufficient, and late yesterday, Avast CEO Ondrej Vlcek
announced that both data collection and the Jumpshot subsidiary would be closed down.
As attractive and useful as big data analytics might be,
he and the board decided that continuing with the Jumpshot business was incompatible with the company's core mission of security.
He put it this way, quote,
For these reasons, I, together with our board of directors, have decided to terminate the
Jumpshot data collection and wind down Jumpshot's operations with immediate effect, end quote.
Avast had been caught last month in an embarrassing data collection squabble
when Google and Mozilla excluded Avast's and subsidiary AVG's extensions from their store.
After a few days' suspension, the extensions were restored.
After the restoration, 9to5Google quoted Avast on December 20th as saying,
quote, Privacy is our top priority, and the discussion about what is best practice
in dealing with data is an ongoing one
in the tech industry.
We have never compromised on the security
or privacy of personal data.
We are listening to our users
and acknowledge that we need to be more transparent
with our users about what data is necessary
for our security products to work
and to give them a choice
in whether they wish to share their data further
and for what purpose, end quote. In any case, the event indicates how dangerous data collection can
be, not only to the people whose data are collected, but to the organizations that do
the collecting. Avast is far from alone in struggling with privacy and data collection.
The Wall Street Journal reports that Facebook yesterday reached a tentative
$550 million settlement in a class action lawsuit in which the plaintiffs alleged that the social
network violated an Illinois law against collection of biometric data without permission.
The Journal says this is the largest cash award in a privacy class-action lawsuit.
The Journal also says that Facebook's defense that its opt-out mechanism
provided appropriate consent didn't fly with the court. Matthew Doan is a cybersecurity policy
fellow at New America, and he recently penned an article for the Harvard Business Review titled
Companies Need to Rethink What Cybersecurity Leadership Is. Well, that sparked our interest, so we got him on the line.
For years now, I've been in the mix as a consultant and really helping organizations
think through how to do this better. And pairing that as well with my role at New America,
which is a think tank, I'm there as a cybersecurity policy fellow. We've been doing some research and some interviews with a wide range of executives across industries.
So collectively, I've seen a challenge in cybersecurity leadership pop up through my experiences and that research.
And I felt compelled, really, to bring this to light in a way that hopefully people from a wide range of audiences can understand and develop a framework that they can do something
with it. Yeah. So what are your suggestions? What are the things that folks need to put in place
to do a better job with this? So what I'm laying out here in this article is that first,
the board and C-suite executives like CEOs and CFOs need to establish accountability and own this topic
from where they sit to make sure that it goes well. That's the first point. But then I lay out
a three-part framework for how they can be successful to ensure cybersecurity comes to
life in the right way. The first part is really about setting your intent with cyber strategy
from the top level of the organization. It's about
understanding those unique business characteristics that you have, the constellation of partners that
you're working with, the industry that you're in, your threat and risk profile. The idea here is
that there is no one size fits all for doing cybersecurity well within a business, and we
have to appreciate that. And then the second thing that you outline here
is positioning the cybersecurity function
to have influence.
What's involved there?
Yeah, I'd like to break this down
into three chunky items,
location, authority, and incentives.
From a location point of view,
this is about positioning the cyber leader
and the cyber organization to a place where
it's going to have more influence and be able to do what you need it to do. And these days, as you
see, it's making less and less sense oftentimes to slot that organization under a CIO. The management
of risk compared to cost efficient IT are very competing missions at times. So you're
starting to see it go other places, sometimes even directly reporting to a CEO. Second point
then is authority. We need to make sure that this is a top level mandate. We have consolidated
decision rights for the cyber leader to be able to do what needs to be done. That policy makes it
very clear. And then the last piece then
is incentives, really bringing other people along. We don't want to just use the sticks out there and
be the enforcers, but use some carrots too. Even creating things like bonus structures
for business unit leaders to follow cyber requirements so they feel motivated.
You know, I was speaking with someone recently about some of the
stresses that leaders in cybersecurity experience. And one of the things
that this person brought up was that with how things have
changed, that it's possible that some of these folks may have seen
kind of their position change underneath of them, where if they got
hired a decade ago and they were
hired for their technical skills, that the needs of that position may have changed. And
it's important to be open to the fact that maybe it's not a good fit for you.
That's a great comment. I mean, the world is changing so fast. And I think the people that
are able to succeed in this discipline or that are aspiring to jump
into it have to have that continuous learning mindset. You have to see how the world around
you is changing, how technology is changing, what businesses are doing differently,
even how the modern workforce is changing. So we can't be stagnant. We need people that are
always sensing, adapting, and then making the call for themselves if
it's still the right position for them.
Maybe they even go down a particular technology route if that's their passion.
But the idea of a leader needs to be something far more than it used to be.
Board members and C-suite executives need to embrace their accountability.
I think they look downward to ensure the job gets done,
but they're forgetting that it all starts and ends with them.
And the strategic choices they make
are going to have so much cascading impact
to how successful their businesses are.
So we need people to step up and appreciate that.
And then hopefully the right things come to life
from their great decisions. That's Matthew Doan, cybersecurity policy fellow at New America. The article is
"Companies Need to Rethink What Cybersecurity Leadership Is." It's in the Harvard Business Review.
More companies have suffered data exposure incidents. Indian airline SpiceJet had data
on 2.1 million passengers in a database
secured by what TechCrunch's report characterizes as an easily guessed password that was brute
forced by unnamed self-described white hats. The publication doesn't name the white hats because
brute forcing a system without permission the way they did is probably a violation of U.S. law and of who knows how many other jurisdictions' laws.
SpiceJet has since taken steps to better secure the data.
Krebs on Security found that Sprint's social care forum,
a place for customers to address issues with the telco,
was being indexed by search engines, an indication that it was exposed to the Internet.
He informed Sprint, which acknowledged that the forum should have been private, and which
then secured the exposed portion of its network.
CNET reports that LiveRamp, a major marketing company and Facebook partner, was compromised
when hackers obtained an employee's personal account and used it to gain access to a business
manager account, which they exploited to run fraudulent advertising.
The advertising, which the scammers charged to LiveRamp customers,
directed customers to sites that either stole credentials
or bilked them into purchasing bogus products.
LiveRamp says the problem has been contained.
If you're a Russian citizen interested in keeping your online communication private,
you've now got fewer options than you might have enjoyed a few months ago.
Moscow has blocked ProtonMail and StartMail, Computing reports,
as the Russian government clamps down on encrypted communications.
And finally, ransomware operators continue to grow more insistent and aggressive.
The hoods behind Maze have posted a list of slow-to-pay victims
they intend to dox if the victims don't start opening their wallets.
25 victims, several of which Computing says were previously unknown,
are on the latest list.
You may wonder how they're posting these things,
given the international legal action that took down the page
they were operating from Ireland.
They've reconstituted operations and are now hosted out of Singapore.
For now, anyway.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
...rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Caleb Barlow.
He is the CEO at Cynergistek.
Caleb, it's always great to talk to you.
I want to touch today on ransomware,
specifically targeting hospitals,
and what that can do to the business side of a hospital
that may get hit with this sort of thing.
Well, hey, Dave.
It's always fun to talk about some of these interesting ways
to think about common cybersecurity problems.
And, you know,
if we look at ransomware, and let's face it, we kind of read about this, it seems like every week
or two, and it's typically targeting either healthcare institutions or kind of state and
local government. So I thought it would be kind of interesting to look at what happens in a hospital
when they're shut down with ransomware. And what
does that impact really kind of look like? And the reality is it's pretty harsh what goes down.
Well, take me through. I mean, a hospital gets hit, it starts working its way through the systems.
First of all, is there a pattern of where it usually begins? Is there a common ground zero?
Well, unfortunately, the common ground zero is often healthcare. So if we look at the 621 ransomware attacks that occurred in the first part of last year, so Q1 through Q3 of 2019,
79% of them, or 491 attacks, targeted healthcare.
So the first thing that happens, and we've seen this in several recent cases,
is if they hit the EHR, the electronic healthcare record system,
that hospital, for all intents and purposes, is pretty much down.
Now, here's the next thing that happens,
which is that you kind of close down the ER to anything that is
not urgent and you cancel anything that's scheduled. So now you're just doing the stuff
where, you know, there's a life-threatening situation or an emergency. Well, now you start
using lots of paper because the EHR doesn't work. A typical hospital will create 50,000 patient notes a day.
All of that now has to be done on paper. And here's the other thing to keep in mind.
They don't get paid on paper anymore. So anybody's paying them, whether it's the insurance company,
Medicare, Medicaid, they have to submit those claims electronically.
So this literally, Dave, mountain of paper is growing.
And you're dependent on the older nurses and doctors that still remember how to chart on paper. Right. I was going to ask you about that.
Are we hitting a time where it's been long enough since that was standard operating procedure
that that legacy knowledge is fading
into the distance. Well, one of our guys was asking a couple of clinicians about this,
and the comment was, thank God for older nurses, right? Because they still know how to,
you know, if you think about when you used to write out a medical record on paper,
you would document in prose, you know, I saw a patient of this age with this medical condition
and you kind of write everything out and you know all the questions to ask.
Well, you don't have to remember the questions to ask in an electronic system because the system's
asking you. But of course, the real worry we all have is that one hospital isn't independent
anymore. You know, I don't know about where you live, Dave, but where I am, they're all connected together.
They're all owned by the same entity.
Where this gets really scary,
and we saw a little bit of an incident of this in Alabama.
We also saw this happen last year
with a hundred nursing homes
that were using the same system.
And that system, which was a cloud provider,
got locked up and they all went down, right?
So the opportunity here for a somewhat catastrophic regional impact is very real.
So, okay, we're writing stuff on paper, we're diverting patients, we're doing things manually,
but we're also starting to impact the business.
Because if we're now a month and a half into this, we've done no
claims processing for a month and a half. Is that a realistic timeline for this sort of thing?
Would a hospital typically find itself down for that long? Well, here's where this also gets
interesting, Dave. They all seem to pay. Now, there are a few that haven't. So the Wisconsin-based VCP or virtual care provider,
those hundred nursing homes I was talking about, they didn't pay. And actually, you know, there's
news reports out just over the last week or two that now they're being extorted by the bad guys.
So we're all kind of waiting to see what happens there, right? And, you know, the other challenge here is that even when you do get things back online, so let's say two months go by, you start restoring from scratch, you start bringing systems back online, you're not going to be able to capture everything that you did because you wrote it on paper.
You know, a couple things happen.
One, you know, the doctors probably didn't write down everything.
Well, who can read their handwriting?
Who can read their handwriting?
Actually, that's probably a very real concern in this case.
And the second thing, though, is you're going to start to run out of time to build this stuff, right?
Yeah.
So you really start to run into a longer-term scenario that becomes really problematic.
So I think the recommendation here is that, you know, continuing to just go out, get insurance and hope you can pay the ransom, that's probably not a good plan.
All these hospitals now are planning on and exercising what are they going to do as the
coronavirus spreads, right? Well, what are you going to do if you get hit with a ransomware
incident? Because it's going to be just as devastating to the community and could also result in a similar impact for patients. Yeah. All right. Well, it's certainly
sobering information. Thanks for sharing those insights. Caleb Barlow, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening.
We'll see you back here tomorrow.
...comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.