CyberWire Daily - Opportunistic paydays and soft targets. Crooks use captchas and padlocks, too. Protecting against Zerologon. A microelectronics strategy.

Episode Date: September 30, 2020

Ransomware gangs continue to look for an opportunistic payday. Another exposed database is found, and secured. Captchas and padlock icons have their place, but they’re not a guarantee of security. Microsoft explains how to reduce exposure to Zerologon. The US looks to reduce dependence on foreign microelectronics. Joe Carrigan has thoughts on Facebook running SuperPAC ads. Our guest is Sanjay Gupta from Mitek on how online marketplaces can balance security with biometrics. And there’s just one shopping day before National Cybersecurity Month. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/190

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Hey, everybody from the CyberWire studios at DataTribe. I'm Dave Bittner in my new hot tub. Who's my guest in the hot tub today? Hot tub time with the Cyber Wire.
Starting point is 00:02:12 Ransomware gangs continue to look for an opportunistic payday. Another exposed database is found and secured. Captchas and padlock icons have their place, but they're not a guarantee of security. Microsoft explains how to reduce exposure to Zerologon. The U.S. looks to reduce dependence on foreign microelectronics. The U.S. Army thinks about what to call information warfare. Joe Carrigan has thoughts on Facebook running super PAC ads. Our guest is Sanjay Gupta from Mitek on how online marketplaces can balance security with biometrics. And there's just one more shopping day before National Cybersecurity Month.
Starting point is 00:02:59 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 30th, 2020. Ransomware operators continue to show that their target selection is a matter of high payoff moderated by opportunism. South Africa's Justice Department disclosed that the DoppelPaymer gang attempted an attack on the Guardian's Fund at the Master's Office, Pietermaritzburg, Reuters reports. The government-administered fund is held by the courts in trust on behalf of minors, unborn heirs, and missing or absent persons. So far, no ransom demand has been received, but some of the data from the fund has been posted to a dark website.
Starting point is 00:03:53 The incident is under investigation. Hospitals operated by Universal Health Services continue to work through the difficulties imposed by the ransomware attack the system suffered over the weekend. The ransomware, probably Ryuk, has forced the hospitals to revert to manual systems and to reschedule surgeries and other procedures. Hospitals are hoping that the incident amounts only to a disruption of IT services and not the theft of data. Ransomware, however, has evolved since last year to the point where data theft and the additional leverage and revenue stream stolen information brings with it
Starting point is 00:04:30 are now a routine part of criminal practice. There's been another case of a large database containing personal information exposed online. Security researchers at Safety Detectives report that Bangalore-based e-learning vendor Edureka was operating an unsecured Elasticsearch server. About 25 gigabytes of personal information belonging to some 2 million users were exposed. The data included first names, email addresses, phone numbers, country of residence, login activity records, and miscellaneous authentication token information.
Starting point is 00:05:08 The data has now been secured. Two familiar security design elements should be viewed with a skeptical eye. The first is the CAPTCHA, designed to let you prove you're the natural person that you, your own wonderful self, in fact are, and not just some mangy bot grifting its sleazy way around the internet. The cyber firm Menlo Security, investigating a criminal campaign targeting the hospitality sector, found that the gang made extensive use of captchas in their spoofed pages to lend credibility to their scam.
Starting point is 00:05:43 So remember, just because they ask you to put a checkmark wherever you see a coconut or a parking space doesn't mean they're legit. The other comforting visual cue, the closed padlock in the browser bar, also means less than many users think. Threatpost draws a lesson from a recent Anti-Phishing Working Group report: criminals can use encryption too. The padlock means that a site is protected by HTTPS encryption and has a transport layer security certificate. This helps secure data exchange between users' browsers and the website they're visiting. The Anti-Phishing Working Group quotes digital risk protection company PhishLabs
Starting point is 00:06:22 as saying, the number of phishing sites using TLS continues to increase. Most websites, good and bad, So have a skeptical eye, but a friendly one. It's not that CAPTCHAs and padlocks are bad. They're not. It's just that they don't constitute a guarantee of safety. The Zerologon vulnerability continues to pose a significant risk, and Microsoft has published clarification of the patching and mitigation guidance it issued last month. As Redmond said at the time, a more comprehensive patch is in the works and is due to be released this coming February 9th, when the fix moves to its enforcement phase.
Starting point is 00:07:12 For now, Microsoft wants users to understand that they should respond to the vulnerability in four steps. First, update your domain controllers with an update released August 11, 2020 or later. Find which devices are making vulnerable connections by monitoring event logs. Address non-compliant devices making vulnerable connections. And enable enforcement mode to address CVE-2020-1472 in your environment. As Microsoft points out, the vulnerability is being exploited in the wild, and reducing your exposure is important. U.S. Undersecretary of Defense for Acquisition and Sustainment, Ellen Lord, has outlined U.S. plans to disentangle supply chains from Chinese-produced microelectronics,
Starting point is 00:07:59 Breaking Defense reports. The Defense Department is working on a microelectronics strategy intended to secure the defense industrial base against both economic and cyber threats. That strategy will be designed not only to keep unfriendly intelligence services from selling the U.S. the rope with which they intend to hang America, but also to encourage and foster the development of a robust domestic microelectronics sector capable of supplying Defense Department systems. And hey, hey, hey, hey, hey, Red Alert shields up.
Starting point is 00:08:32 You've got less than one shopping day left. The U.S. National Institute of Standards and Technology wishes to remind all that National Cybersecurity Awareness Month begins tomorrow. It's a good time to reflect on things you do to make yourself and your organization more cyber secure. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges
Starting point is 00:09:12 faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:09:58 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:10:43 is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Biometric authentication has drawn attention during the pandemic, in part because people don't really want to touch stuff right now,
Starting point is 00:11:29 at the bank, at the grocery store, who really wants to enter their PIN number when, say, using Face ID will verify your identity. On the other hand, some rightfully point out that the permanence of things like facial scans and fingerprints present their own challenges. Sanjay Gupta is VP and Global Head of Product and Corporate Development from Mitek, and he offers these thoughts. So on the verification side of the house, on onboarding side, what we recommend and what our best practice is to really, depending on the type of marketplace you are, if you're a retailer selling clothes online, you may let them come to your website and then put
Starting point is 00:12:12 something in the cart and then ask them to go through kind of the verification process. And typically, we think of that process being kind of layers of protection there. So asking for the ID, having them take a picture of the ID front and back and then being able to provide a selfie. And the selfie would contain two pieces of it, which is as a person live at the time when they're trying to onboard and then matching the selfie to the photo
Starting point is 00:12:39 really assures the person that's trying to sign up for the account is really the individual at the time when they're going through the process. Yeah, you know, it seems to me like a big part of this is removing the friction. You know, I mean, I suppose study after study has shown that if there's too many steps, people tend to bail. That's correct. So there's the balance that you have to achieve, right? So getting new customers on board is faster, but also in this day and age,
Starting point is 00:13:10 we've got the pandemic going on and more and more people are transacting online. You want to know that your own information is protected and nobody else is using your credentials to sign up for accounts and then transact on those. So it's also on the consumer side of the house, they should be aware that it's actually for their protection, even though you may have to go through an extra
Starting point is 00:13:29 step. And I think more and more, especially in this day and age, consumers are willing to have a little friction in that process to assure that there's some security on the back end. What about some of the things like behavioral biometrics where, you know, the systems are actually using the way that I do things, the way that I move my mouse, or even I've heard of studies where, you know, the way that I walk, my gait, you know, things like that could be used to verify that I am who I say I am. That's correct. I mean, you have what's called device metrics and then behavioral biometrics associated with that. So how you browse, how you hold your device, how fast you type on your device.
Starting point is 00:14:10 Those are unique identifiers of you and your interaction with the individual, I mean, with the device. So even if, let's say, your wife or spouse got onto the same device, the way they would hold it and the way they would transact on it would be a unique signature. And so companies have employed that. Now, what's interesting is that it's also scary for consumers because if they don't know if that's really happening and all of a sudden you pick up your device and you go into your front screen and then you get in and you go to your, let's say, bank account and all of a sudden there's no password or anything that asks for, there's this feeling of, wait a second, what really happened here? Where's my security? It's too fast.
Starting point is 00:14:53 You can't make it too easy. That's interesting, isn't it? It is. Human behavior is very difficult to predict, right? That's Sanjay Gupta from Mitek. Thank you. ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back.
Starting point is 00:16:15 Hi, Dave. This is something you and I discussed at length on our next episode of Hacking Humans, that tis the season for political advertising. Yes. Yes, it is. We've got an article caught my eye over on CNN. It's titled, Facebook Allowed Hundreds of Misleading Super PAC Ads an Activist Group Finds. Lead us in here, Joe.
Starting point is 00:16:39 What's going on? So what is happening here is there is a group called Avaaz, A-V-A-A-Z. I hope I'm saying that right. And they have found that two super PACs have emerged as what they call the worst offenders. And the first is a pro-Trump group called America First Action. And then a Democratic group called Stop Republicans. Okay. Right.
Starting point is 00:17:02 Very creative names, right? Right. These guys are super PACs, which is a political action committee, which can accept money from people and spend it however it wants to benefit whichever candidate they want in terms of advertising. And they don't have to clear it with the Federal Elections Commission because it's a First Amendment issue, right? People are allowed to make their own First Amendment statements, and they're even allowed to buy advertising for that. And I really wouldn't have that any other way, right? But once again, we find
Starting point is 00:17:35 out that they are producing misleading information and putting it out on Facebook, where it is getting huge amounts of traction. Now, if you look at the amount they spent, the Stop Republicans campaign or PAC spent $45,000 on 30 ads with misleading information about the United States Postal Service, resulting in 1 million ad impressions. America First Action was a bigger offender here. They had spent $287,000 on 450 ads, making about 9 million impressions. So Facebook has said, we're going to take political advertising this year. And Twitter has said they're not. Twitter has just walked away from this issue. They said, there's no way we can control this.
Starting point is 00:18:23 There's no way we can vet the information being correct. And in fact, Facebook has even said, yeah, we're not going to vet information as being correct or incorrect when it comes from political candidates, but they still will vet it when it comes from something like a political action committee. That's a different body. But even when they're vetting it, they're not doing a good job of vetting it. And this article quotes or paraphrases Fadi Quran, who is the campaign director of Avaaz. And he says many of the surviving ads, in other words, these are the ads that Facebook didn't pull. Facebook pulled the ads it found violated the terms. But many of the surviving ads were virtually identical to the ones
Starting point is 00:19:02 Facebook took down, indicating that while the social media giant understands the content to be problematic, it is unable or unwilling to deal with it comprehensively across the platform. This is a big problem. And this is why I say, don't get your political news from Facebook. I'd like to broaden that to say, don't get your political news from social media. But really, Facebook is a bigger offender here than any other platform that it competes with, simply because of its reach. It's huge. It's massive. And it has this problem where it can't police its own content. And it's financially disincentivized to do so. By taking these ads, they're making money in the amount of upwards of half a million dollars from one of these political action committees. Now, what's
Starting point is 00:19:50 interesting also is that the money that I quoted earlier in the article is a small portion of the money that's spent by these political action committees. These political action committees spend millions of dollars putting these ads out there, and they use the Facebook modeling to push the ads to people that they want to push the ads to. Yeah, you know, to your point about them either being unable or unwilling to control this sort of thing in any meaningful kind of way, I often say that in response to when you hear people say, oh, but we can't do that at scale. I say, well, then maybe you shouldn't do that. Right, exactly. Right. And that's what Jack Dorsey and Twitter decided. They decided we can't do this at scale, so we're just not going to do this. And I think that's the right decision. I agree with that decision 100%. And Facebook should be following suit, but I don't think Facebook's going to follow suit.
Starting point is 00:20:48 I mean, there's no way they're going to be able to walk away from the amount of money that they're making on these ads. Yeah, yeah. Well, it'd be interesting to see. I mean, I suppose it's hard to imagine regulatory relief here because, as you say, that you have those first amendment issues and also time and time again, uh, particularly when it comes to political communication, politicians tend to exclude themselves from these sorts of regulations, right? Like, you know, you, nobody, you can't stand on the side of the road and wave your sign unless you're a politician, then it's fine. Yeah, that's exactly right. There's, I don't want to get political Dave, so I'm not going to. But there are plenty of examples of things where these politicians vote themselves very nice cutaways that they get that the general population does not get or that even people who are challenging them do not get. It's disconcerting to me.
Starting point is 00:21:43 Yeah. Well, you know, make an effort to break out of your own political bubble there. We've only got a few weeks to go in this election period. So be sure to spread around your sources of information, trusted information. And don't get your political news from Facebook or any other social media platform. Right. Remember, their business model is dependent upon engagement,
Starting point is 00:22:07 which means they're going to show you something that you want to see. That's not conducive to good political thought. Right. Something that's going to get you riled up for good or for bad, right? Right. Exactly. Yeah. All right. Well, Joe Carrigan, thanks for joining us.
Starting point is 00:22:20 My pleasure, Dave. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and you'll feel like you just stepped out of the salon. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Starting point is 00:23:15 Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:24:14 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
