CyberWire Daily - Operation Pinball. Implausibly spoofed, not really official, COVID-19 emails. CISA updates US Federal telework guidance. ICO defers some big GDPR fines. Zoom agonistes. Fleeceware in Apple’s store.
Episode Date: April 9, 2020

Operation Pinball roils up Eastern Europe and the Near Abroad. Crooks who can't write idiomatic American English are spoofing emails from the White House in a COVID-19-themed phishing campaign. CISA updates telework guidelines for Federal agencies. Some GDPR fines are deferred until after the pandemic. Zoom continues to reel from its success. And fleeceware is found in the iTunes store. Caleb Barlow from CynergisTek on OODA loops; guest is Or Katz from Akamai on how current industry (and employee) phishing defenses are being bypassed by attackers. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_09.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Operation Pinball roils up Eastern Europe and the near abroad. Crooks who can't write idiomatic American English are spoofing emails from the White House in a COVID-19-themed phishing campaign. CISA updates telework guidelines for federal agencies. Some GDPR fines are deferred until after the pandemic. Zoom continues to reel from its success. And fleeceware is found in the iTunes store.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 9th, 2020.

The threat intelligence specialists of Recorded Future's Insikt Group have identified an ongoing disinformation campaign, Operation Pinball, probably of Russian origin, that seems to overlap the Secondary Infektion campaign the Atlantic Council described earlier this year. Operation Pinball, for the most part, targets Russophone populations in Eastern Europe and the near abroad of former Soviet republics. Two of its principal objectives appear to be undermining the government of Estonia, with content that exploits fears connected with European migrant crises, and disrupting Georgia's growing relationship with NATO.
hack-and-leak campaign. In fact, the purportedly leaked documents, while often convincing, down to the images of hardcopy letters that piously declare themselves to be printed on recycled paper, are entirely bogus. Recorded Future's analysts think it likely that other similar campaigns are under preparation. Operation Pinball involves deception and influence operations conducted by an intelligence service, but of course not all deceptive social engineering is the work of a nation-state. Criminal gangs also get into this act.
Researchers at the email security firm Inky describe some implausible emails on the coronavirus pandemic that pretend to originate from either the White House or U.S. Vice President Pence. Inky outlines two distinct series of emails. The first said that current measures against the pandemic would continue through August and that the IRS had pushed tax day back from April 15th to August 15th. It also urged recipients to download the president's guidance that would, quote, protect you and your family from pandemic. That's Pam-demic. The second series reiterated the claims of the first and encouraged recipients to follow a link for more information. The spelling and usage are, of course, appalling, but the attackers did use some of the White House's actual HTML code. We observe in passing that the dropped articles, spoonerisms, misspellings, and malapropisms are nowhere near as funny as the Shadow Brokers' copy used to be. Maybe the Shadow Brokers spoiled us. Where are those guys these days, anyway? The emails do originate from Russia, but they seem pretty clearly to be a criminal as opposed to a state-sponsored campaign. For one thing, the troll farmers of St. Petersburg handle American English much better, without all the Boris Badenov-isms on display in these communications. Nevertheless, someone, someone out there, is sadly likely to fall for them.
CISA has updated its telework guidance for U.S. federal agencies. The Cybersecurity and Infrastructure Security Agency has issued Trusted Internet Connections, that is TIC 3.0, telework guidance documents. The TIC guidance is intended to support federal agencies as they seek to comply with Office of Management and Budget direction to maximize both the opportunity for and the security of remote work across the government during the pandemic emergency. One of the agencies likely to stand in need of the guidance is NASA. Bleeping Computer reports that the space agency is receiving particular social engineering attention as much of its workforce is now telecommuting.
As we've noted, the global pandemic has prompted many phishing attackers to pivot to COVID-19-related lures.
That's not all they're up to.
There are a variety of ways the bad guys and gals are effectively getting around phishing defenses.
Or Katz is principal lead security researcher at Akamai.
So there are a variety of defenses out there.
We can call it a multi-layered kind of defense.
The first point is the email gateway, where everybody is getting their emails, the organization gets email.
Those emails can be inspected if there is something malicious in the content of the email,
and therefore you can filter some of that malicious content out.
That's the first line of defense.
The second line of defense will be once those emails are being transformed, or whether the phishing was actually propagated through other means, and you can see the phishing from the network point of view. Meaning, if you press the link for a malicious phishing website, once you press the link, there is actually an HTTP request to that given website, and you can track that at the level of the network and try to mitigate that kind of attack.
The third layer of defense, as far as I see it, is actually related to education and awareness,
our ability to go to our users and tell them, these are the things that you need to do in order to make sure that you are well protected
and that you are doing the right actions once you see something that looks suspicious
and you want to make sure that it's not.
So in terms of recommendations for organizations to best defend themselves,
what sort of things do you suggest?
I think you need to have a multilayered approach to make sure that those kind of attacks will be properly mitigated.
And the most important thing as far as I see it is the ability to go to your users and make sure that they are well educated.
And whether they see something that is too good to be true,
it's probably, therefore, they need to be careful,
make sure that they are not giving away their sense of information,
they are not opening files that they are not aware of
or don't know the source of those files.
Those are the things that I would recommend doing.
Where do you think we're headed with this
in terms of our ability to
defend against this in the future? Are there any new developments you see coming along?
I would say, well, there are two. I would take your question to two places. The first
place where I would take it is the fact that we will still continue to be able to see a lot of
phishing attacks out there. It's not going to slow down, unfortunately.
We can see that the level of sophistication of those attacks is getting much more advanced. The technique that those threat actors are using is much more robust in that sense.
And that's something that we need to be aware of.
And the second part from a technology point of view, I think it's the ability to bundle things together
and have more security around distribution channels that are not just email.
Because a lot of the things that we see out there is the fact that a lot of those phishing
are actually being distributed through social networks.
Therefore, in order to track those, you need to make sure that you have some visibility
to what happened there and you have the ability to detect phishing,
even if it's not landing into your organization through email.
That's Or Katz from Akamai.
SC Magazine says that the UK's Information Commissioner's Office is deferring the large fines for data breaches it imposed last year on British Airways and Marriott International. The extension recognizes the economic stress the COVID-19 pandemic has imposed, especially on the travel industry. It is a deferral and not forgiveness. The companies are expected eventually to pay up, and investigations of data breaches in violation of GDPR aren't being closed.

Zoom continues to suffer from the Pyrrhic commercial triumph the company enjoyed when demand for its teleconferencing services exploded in February and March. It's fixed some security issues. Yahoo says Zoom has added a new security menu in its latest versions. And ZDNet reports that the company has removed meeting IDs from its toolbar. But on balance, it's still been a bad week, what CIO Dive calls a no-good, very rotten week. According to BuzzFeed, Google has banned its employees from using the teleconferencing app on grounds of its questionable security. And as the U.S. Congress continues to figure out how it will conduct as much business as possible online, the Senate, at least, is fighting shy of Zoom. Reuters reports that senators are being told not to use Zoom's services.
Sophos yesterday reported finding what it calls fleeceware in apps sold through iTunes. By their count, there are 30 of them. What counts as fleeceware is something of a judgment call. The applications Sophos singled out charged subscriptions: $30 per month or $9 per week after a three- or seven-day trial period. If someone kept paying that subscription for a year, it would cost $360 or $468, respectively, for an app. Sophos closes with an expression of contempt, suggesting that apps are unlikely to be worth a third to half a grand annually. These rates are high, especially since the apps in question seem, in Sophos' opinion, to offer no real value that can't be found in truly free apps, and therefore lack that ongoing value to the customer Apple requires subscription products sold in its store to offer.
And finally, CISA, we hear, is looking for student interns, and some of the positions are even open to high school students. The application deadline is April 15th. If you're interested, go to USAjobs.gov and search for CISA. That's C-I-S-A, CISA.
And I'm pleased to be joined once again by Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
We want to touch today on OODA Loops
and some thoughts you have there. What do you have for us today?
Well, you know, this brings up another one of my heroes, a guy named Colonel John Boyd, who was a
fighter pilot. And, you know, he studied how do people make decisions in a crisis, in this case, in an aircraft, in a dogfight.
And interestingly enough, this can be parlayed into cybersecurity and how we think about our decision-making during a crisis event, whether that's something like COVID-19 or a large cybersecurity event.
All right.
Well, let's dig into some of the details here.
What sort of things did you come up with?
Well, you know, I was trying to figure out when I was working in these large-scale cyber ranges, you would see executives just making really bad decisions, even in simulation, because they couldn't understand that they had to make a decision without having all the data.
And at the time, I was working with a guy named Bruce Schneier,
and who I'm sure a lot of your listeners know.
And Bruce introduced me to this concept called an OODA loop.
And it completely changed my perspective on how you make decisions in a crisis.
And it's really simple. It stands for Observe, Orient, Decide, and Act.
And it's a crisis decision-making methodology developed by Colonel
John Boyd that recognizes the fact that you're up against a human adversary. And the idea is to
think of this in a loop. You need to observe, orient, decide, act, and then rinse and repeat
the whole process with new information. So, you know, think about that fighter pilot that's trying
to dodge a missile headed towards them. They observe the missile. They orient to where it is. They decide that, okay, it looks like I should go left. They go left
and they act. And then they go back around to re-observe. Okay, where's the missile? Did that
work? Did it miss me? No, it didn't work. What's my next action? Now, okay, that's in the case of
a fighter pilot. But if we think about the same thing in terms of cybersecurity, we have to
remember there's a human on the other end.
They can observe what you're doing.
They can orient to your defenses.
They can jog around your decisions.
And he who wins is the one that moves through their OODA loop the fastest.
You know, it's interesting.
I have spoken to a lot of folks who have done time in the military, and that is something I hear over and over again, that the appreciation that their time and their training in the military gave them the ability to make decisions without having all of the information.
Exactly.
So let's talk about a couple of the steps, right?
So parlayed into cyber, if we think about what do you want to know in the observe stage, well, what can you learn from these unfolding events? Is there anything
that may have changed in your environment? Are there anything you can learn from intel sources,
OSINT, dark web, et cetera? Is this normal behavior or anomalous behavior? And can you
tell the difference? Are there parts of your environment that you don't have visibility to? But if you go through a few of those simple questions of the observe stage, then you go on to the orient stage where you start to think about what can these intel sources tell you about events as they're unfolding?
that you must accept right now?
For example, oh, everybody's work from home because it happens to be in the middle of a global pandemic
like we're in the middle of right now.
Are there intel sources that can tell you something
about your adversary?
But then, and I love these two questions,
what is the adversary's likely next move?
And what is their likely worst course of action?
Because as we now move to the decision
phase, if you haven't thought of those two things, you don't have a good plan. Then, Dave, we get to
deciding, like, what are the risks and the likelihood that this is going to work? What are
your options? You know, what do your run books tell you? The things you built with that kind of
explicit intent versus your implicit
intent, which is coming from your executives and kind of their emotions at the moment.
And do you have hypotheses? Can you test those hypotheses? And ultimately, this is the hard
thing in a lot of organizations. Who's responsible for making the decision? Now, once you decide that
you got to act, take that action, but then test it, come back around and reorient yourself.
Did it work? Do I need to try something new? You know, this is the one time in your executive
career where it's okay to make a decision. And then 10 minutes later go, oh yeah, that was a
bad decision. Let's try this instead. You know, any other time in your life that's viewed as weakness
during a crisis response, that's a huge strength.
So what are your recommendations for folks to sort of set down this path? If they want to make this a part of their planning, what's the best way to begin? Well, I think that the first thing to do
is, you know, these are great tools you can look at and study and kind of come up with ideas. But
the first thing to do is write down a plan. And it can be really simple at first.
Maybe pick something, you know, simple like ransomware.
How are we going to make a decision?
Who's going to pay?
Can we get a quarter million dollars
by two o'clock this afternoon in Bitcoin?
And how would we do it?
Who do we need on our team?
How do we communicate with them?
You start asking those questions,
the next thing you know, you got a 40-page plan together.
I laugh at that 40-page plan, but I suppose that that's a starting point and then there's a distillation from there. Absolutely. And you have to realize that your plan is kind
of that warm blanket that you can go back to during an incident when your body is flush with
adrenaline, you don't have all the information,
and you can pull out that plan and go, okay, when I was calm with my team, I wrote this plan.
Is there anything I haven't thought of today that's in the plan? You know, what decisions do
we make when we're able to look at this calmly? And believe it or not, you always forget things,
but if you did a good job writing the plan, it's in there. But the big thing I would encourage people to do, and you know, this is a lot of what we do at my company is
constantly be rewriting the plan. There's a new reality, everybody, which is everybody's
working from home. How does that change your plan? Get it updated. All right. Well, Caleb Barlow,
thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thank you. See you back here tomorrow.