CyberWire Daily - NAM hacked during US-China trade tensions. DDoS against British political parties. Pemex recovers from ransomware. Project Nightingale gets US Federal scrutiny. Patch notes.
Episode Date: November 13, 2019
National Association of Manufacturers hacked during Sino-American trade negotiations (and tensions). Ineffectual DDoS attacks hit both of the UK's largest political parties. Pemex says it's completed recovery from ransomware. The US Department of Health and Human Services will investigate Google's Project Nightingale for possible HIPAA issues. And did BlueKeep warnings scare people into patching? Apparently not. Ben Yelin from UMD CHHS on California going after Facebook on alleged user privacy violations. Guest is Edward Roberts from Imperva on e-commerce and bots.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
The National Association of Manufacturers was hacked during Sino-American trade negotiations.
Ineffectual DDoS attacks hit both of the UK's largest political parties.
Pemex says it's completed recovery from ransomware.
The US Department of Health and Human Services
will investigate Google's Project Nightingale
for possible HIPAA issues.
And did BlueKeep warnings scare people into patching?
Apparently not.
The National Association of Manufacturers, a major U.S. industry group, came under cyber attack by Chinese intelligence services earlier this year as Sino-American trade tensions grew.
The association says it hired an outside cybersecurity firm to investigate and stop the breach.
Neither the U.S. government nor the Chinese embassy has so far commented,
but the story is still developing.
In advance of next month's elections,
both of the UK's two largest parties are considering the risk of disruption by cyber attack.
Monday's cyber attack against Britain's Labour Party was repeated yesterday.
Reuters says the Conservative Party sustained its own DDoS attack yesterday.
While sources suggest this attack came from a different actor,
this incident also looks unsophisticated and minor.
A Tory spokeswoman, when asked about it, said she had nothing to offer on the subject,
which she said she hadn't heard of.
That suggests that neither party was particularly seriously afflicted.
Labour did qualify the original report, saying that yesterday's incident was indeed sophisticated
and thwarted by their robust security,
and party leader Jeremy Corbyn expressed his own concern that upcoming elections
might be conducted under the threat of cyberattack.
But the apparent ease with which Labour shrugged off the attack suggests that the original characterization
of the distributed denial-of-service attack as unsophisticated was probably closer to the mark.
Computing reports that Cloudflare, which mitigated the attack on Labour's networks,
called the attack nothing special and said it was the sort of thing we deal with daily.
Another observation quoted in Computing characterized the incident as
nothing more than what you would expect to see on a regular basis.
It looked like someone bored in their bedroom with a botnet.
The Independent cites former GCHQ honcho Brian Lord, now with PGI,
to the effect that Labour could have been hit by a nation-state,
but reading what he actually told the paper makes his take less alarming.
There's an a priori possibility that a nation-state could run a dumbed-down attack, for sure.
And sure, criminals and others will often use DDoS as misdirection to distract security teams from something more serious.
But again, that's a matter of a priori possibility,
something to consider, of course, but keep calm and carry on.
So nothing special, apparently, just the normal skid background noise.
But we do like bored in the bedroom with a botnet.
It's a variation on the familiar picture of the big guy in his parents' basement.
But maybe British skids are different in that way from their transatlantic cousins.
As we head quickly and relentlessly into the holiday shopping season,
retailers are looking to their websites and e-commerce
as primary avenues for sales. Imperva recently published a report citing the growing threat of
bots interfering with commerce sites. Edward Roberts works in product marketing for bot
management at Imperva.
The main finding that people should understand is that your website
lies to you, and that the users are on there.
There are fake users and they are fake in that they are bots,
but they are not benign and they are on your site for a reason.
So they could be doing a multitude of things like scraping your prices,
trying to use credentials to get into any accounts that you have there, trying to steal gift card balances, all manner of things
to try and exploit your business. So whatever functionality you put on that website, there is
some bot or some piece of automation that is trying to abuse it. And typically, what we saw
in this report was that 17.7% of all traffic on all of the websites that we covered, and it was over 200,
was bad bots. So these are bots that you do not want on there. You know, there are good
bots like Google that you would willingly have, but these are bad ones who are doing the nefarious
things that I mentioned. As someone running a website, how do you differentiate between the
good and the bad and try to put controls on the bad bots?
Yeah, that's the big challenge is that you can use your various security tools that you have.
You might use your WAF and block certain IP addresses in certain countries and do things manually and try and clean your traffic that way.
But in the end, there are bot management solutions that are out there that are built to actually automatically clean your traffic with these bad bots.
And so that's the ultimate solution.
But there are techniques you can do to block them on your own as well.
So what were some of the key take-homes in the research that you did here?
The wide array of things that bots can be tasked with doing on your site is larger across e-commerce
sites because they have more different styles of functionality and information available
on their websites than other websites. So for example, competitors are scraping all your prices. So that's one group of
people who are trying to damage you in the marketplace by making sure that they beat you
price-wise or they understand what sales or promotions you're offering or what
delivery discounts you've put in place. So there is a scraping of information. And if you have thousands and thousands of products
that you sell on your e-commerce site, there are people scraping each one of those. And
that's a volume of traffic that you were not really expecting to deliver to bots and to your
competitors. So it definitely affects your competitive place in the market. The other ones are things like what they call Grinch bots or sneaker bots.
So these are if you have rare items, you see them in sneakers.
There are limited edition sneakers that are made available by various sneaker companies.
And if you have those made available, it's very similar to ticketing.
There's a finite number of them.
So bots are used to try and claim that inventory before anybody else can get them.
And then if they can get them at the list price and the demand is high enough, they can then resell them somewhere else on a secondary market.
So you have these, you know, you're making the customer experience for somebody who wants to get those limited edition items more difficult for
them, you're leading to customer dissatisfaction and they're having to pay more or pay a premium
as well for that dissatisfaction. Another range of ones are gift card balances. Bots can be used
to enumerate through the numbers of those gift cards and see which ones have balances. And if
they find ones that have balances, they can then use that number to buy things.
And suddenly you find that a customer has got a gift card
that no longer has a balance on it,
but they thought it had a certain amount of money on it.
So the ability of bots to look at what's on your website
and understand what they can go after
and what they can exploit is really wide.
And so those are a few examples of some of the findings that we had in the report.
Thinking about it in terms of what's available on your website, it's how could that information
be used by somebody against me?
And it's amazing how many different use cases we see.
But I think that's a testament to the cat and mouse part of this, is that there
is so much information that people find valuable that they're willing to invest money to actually
launch these bots and the economics around it are in their favor. So they're not there for a benign
reason. I think that some people in the past have thought that they were benignly there. They're
just, oh, it's just internet junk that's going around.
And it's just a simple, simple automated script.
But really, the majority of it is actually quite sophisticated.
And they're trying to attack a certain part of your website for a particular reason.
That's Edward Roberts from Imperva.
The report is titled Automated Cyber Attacks on E-Commerce growing more sophisticated and difficult to detect.
Pemex continues to work toward recovery from the ransomware attack it sustained over the weekend.
The Mexican oil giant's administrative systems are believed to have been hit with DoppelPaymer ransomware.
Reuters, which has been in email contact with people who may or may not be the attackers,
says the extortionists complained that Pemex missed its chance at a discount
and that the ransom is now $5 million in Bitcoin.
Computing connects the attack to the Russian criminal gang
also running Dridex and BitPaymer.
CrowdStrike calls that group Indrik Spider.
Pemex says that operations are back to normal
and that production was unaffected, Reuters reports.
Google's Project Nightingale, which would collect and analyze patient information from the Ascension
health care system, has come under investigation by the U.S. Department of Health and Human Services
Office for Civil Rights, the Wall Street Journal reports. At least two matters are of concern.
Was patient approval obtained to share HIPAA-protected data, and are those data adequately secured?
Computing sources its own coverage of the agreement between Ascension and Google, in part,
to what appear to be two PowerPoint presentations from the organizations, leaked with commentary,
by someone Computing characterizes as a whistleblower.
The Wall Street Journal broke the story about Project Nightingale yesterday.
The intent of the agreement between Google and Ascension,
a Catholic network of health care providers that's regarded as the second largest in the U.S.,
with tens of millions of patients,
seems to be the improvement of both administration and clinical outcomes.
But as observers are quoted by the Journal,
the optics are bad for Google,
even if those two goals are really the only ones Mountain View has in mind.
You do want patient consent for the use of their data.
Computing's story suggests that the data might be used for other,
less mission-focused purposes as well.
The story is developing.
You'd think BlueKeep scares would have motivated patching, but you'd think wrong.
So says SANS.
Sure, BlueKeep's been around for a long time, and so has the patch for it.
And sure, Shodan searches indicate that the number of unpatched machines
has been tailing off along a gentle downward path for months.
But were people energized to patch by all the recent media chatter?
Apparently not.
That path continues to slope gently downward.
SANS says there are still hundreds of thousands of vulnerable systems out there.
And SANS hopes they get patched before they turn into worm food.
Speaking of patches, yesterday was Patch Tuesday.
Microsoft addressed 74 vulnerabilities, including one zero day.
Do take a look.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving
customer challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security,
and also my co-host on the Caveat podcast. Ben, it's great to have you back.
Always good to be here, Dave.
Interesting story came by. This is a press release from the Attorney General of California,
who is petitioning the San Francisco Superior Court to go after Facebook for some things.
What's going on here?
So the Attorney General of the state of California, Xavier Becerra,
is petitioning a superior court to compel Facebook to hand over documents. This is the first time we're hearing about this investigation conducted by the California Department of Justice
into a couple of Facebook's practices. One of the allegations is that they're violating user privacy rights,
and the other has to do with their involvement with Cambridge Analytica
and the collection of data of over 87 million of their users.
The California Attorney General and the California Department of Justice
had issued subpoenas requesting documents,
information on both the Cambridge Analytica scandal
and specific
questions on their privacy policy and their privacy practices. And so they issued a series
of written questions, interrogatories. They alleged that Facebook refused to respond to several of the
questions contained within those interrogatories. They said that some of the other answers were
incomplete or missing information and were wholly inadequate to the scale of the investigation.
And as a result, not only is Attorney General Becerra going to court, but he's going public with the fact that Facebook is being investigated.
And that's sort of a tool he has in his toolbox.
Going public sort of puts Facebook on notice at a time when, frankly, they've been in the national spotlight and they don't want to face any additional political scandals.
Well, help me understand the sort of process here when it comes to subpoenas.
If I get subpoenaed to provide information, my assumption is that I can't just drag my feet or pick and choose what questions I'm going to answer.
Right. So a subpoena itself is compelling you to hand over that data.
Generally, the legal standard for obtaining a subpoena, for getting that information is smaller.
It is less rigorous than obtaining documents through some sort of warrant or something like that.
This is an administrative subpoena. So it's just a request for records.
Obviously, a subpoena means you are required to comply by law. And if you don't, then as we see here,
the Department of Justice has an avenue of going to court to have a court enforce the transfer of documents from Facebook or any company to the California Department of Justice. And that
would be a process that would be overseen by the Superior Court in California.
So is this a situation where they will now get in front of a judge and a judge will decide what a
reasonable timeline is and say to Facebook, if you don't do these things, these are the
potential heartaches that you're in for?
Exactly. So they can impose potential civil or criminal penalties on Facebook. I think we're
probably a long way from getting to that point. Facebook perhaps will take these requests
seriously, not only because the superior court has gotten involved, but because this is now
all on the public record. And like I said, I mean, they're dealing with national scandals related to their change in policy
as it applies to advertisements on their platform.
So this is just sort of another headache they probably don't want.
My guess is that they will probably be more apt to fulfill these subpoenas,
to respond more fully to these interrogatories now that this investigation is public and now that the Superior Court has gotten
involved. I will note that the vice president of state and local policy of Facebook said in a
statement that they've cooperated extensively with the state of California's investigation.
He says they provided thousands of pages of written responses
and hundreds of thousands of documents.
I have no reason to actually doubt that that's the case.
That still doesn't tell us whether they fully comply with the subpoena.
If it's true that they haven't answered information demanded in interrogatories,
then they haven't fulfilled the obligations of that subpoena,
even if they've handed over hundreds of thousands of pages of documents.
So they could potentially still be in a good bit of trouble. All right. Well, we'll keep
an eye on it. Facebook doesn't seem to be doing themselves any favors. They sure aren't. It would
be nice for their purposes if they could stay out of the news. Although since they control the news
these days, I think that's probably literally impossible.
All right. Well, as always, Ben Yelin, thanks for joining us.
Thank you.
And don't forget to check out the Caveat podcast, where Ben Yelin and I take on law and policy
issues, surveillance and privacy. Our guest this week is former Secretary of Homeland Security
Michael Chertoff. He weighs in on the crypto wars. It's the Caveat podcast. Do check it out.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.