CyberWire Daily - Ransomware epidemic during the pandemic. Cyber insurance and state actors. Cyberstalking. Don’t exaggerate election meddling. Reflections on National Cybersecurity Awareness Month.
Episode Date: October 30, 2020
Ransomware becomes endemic in the healthcare sector. Cyber metaphors--we read a good one this morning. Does your cyber insurance indemnify you against state-sponsored attacks? More guilty pleas in the ex-eBayers’ cyberstalking case. US Cyber Command and others advise everyone not to see foreign election meddling where it isn’t. David Dufour looks at the spookiest malware of 2020. Our guest is Travis LeBlanc from Cooley on the European court invalidating the EU-US Privacy Shield. And what do we make of National Cybersecurity Awareness Month as it recedes into our collective rearview mirror? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/211
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ransomware becomes endemic in the healthcare sector.
Cyber metaphors, we read a good one this morning.
Does your cyber insurance indemnify you against state-sponsored attacks?
More guilty pleas in the ex-eBayers cyber-stalking case.
U.S. Cyber Command and others advise everyone not to see foreign election meddling where it isn't.
David Dufour looks at the spookiest malware of 2020.
Our guest is Travis LeBlanc from Cooley on the European court invalidating the EU-US Privacy Shield.
And what do we make of National Cybersecurity Awareness Month as it recedes into our collective rearview mirror?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, October 30th, 2020.
This week's warnings about hospitals and ransomware continue to move organizations to higher levels of alert and to be borne out in reported attacks.
U.S. public and private organizations, CISA, the FBI, and the Department of Health and Human Services on the federal side,
and FireEye's Mandiant unit on the private side,
have warned that organizations in the healthcare and public health sector are under an increasing threat from ransomware.
The strains deployed are usually Conti and especially Ryuk. The perpetrators are
Russophone gangsters, not spies. These particular gangsters get even worse press than such gonifs
usually attract.
Brazen, Ars Technica calls them.
Others say despicable, conscienceless, loathsome.
You get the picture.
It's clear why they've attracted so much deserved odium.
Attacks on the availability of health care are hateful in the best of times. And with the COVID-19 pandemic, these aren't the best of times.
It's equally clear why the hoods are interested in hospitals.
Data availability and privacy are at a premium
and the healthcare sector is under unusual pressure to knuckle under extortion.
They can't always shrug off a successful attack when patient safety and privacy are at stake.
Security Affairs says hospitals in New York and Vermont
have been the latest Ryuk victims.
Both the Wyckoff Heights Medical Center in Brooklyn
and the University of Vermont Health Network
have disclosed that they've sustained
and are recovering from ransomware attacks.
They're not alone.
Wired puts the number of ransomware attacks
against hospitals in the dozens.
And the Wall Street Journal quotes Charles Carmakal,
chief technology officer at FireEye's Mandiant unit, as saying,
quote, most threat actors, they're explicitly not looking to hit hospitals.
This group in particular has explicitly stated that they're going to hit hospitals,
and they've proven it.
He adds, this is the most significant cyber threat that I've seen in the United States in my career.
End quote.
While U.S. hospitals have been notably affected by cybercrime, it's not solely a U.S. problem.
The Montreal Gazette reports that various targets in Quebec have been hit,
including non-healthcare targets in the transportation and law enforcement sectors.
Montreal's Jewish General Hospital has been hit with a cyber attack
the hospital's administrator says wasn't ransomware,
but his conclusion was based on the fact that no extortion demand had yet been received.
We've heard a lot of metaphors about cybersecurity over the years.
There's the Cyber Pearl Harbor and the related Cyber 9-11.
There's the herd immunity metaphor for control of computer viruses. There's Cyber Moonshot,
beloved of industrial research and development. But here's one that strikes us as not bad and
worth thinking about. Cloudflare's COO, Michelle Zatlyn, offers an interesting metaphor as she looks at the future of cybersecurity.
It's moving toward a water treatment model, she told Business Insider's inaugural tech executive roundtable.
It would be mixing the metaphor to point out that this seems especially true given the widespread move to the cloud,
but she does seem to be on to something.
The Harvard Business Review reminds business leaders that cyber insurance policies may have war clauses that exclude coverage for state-sponsored
attacks. Since companies and private organizations are often the victims of state-sponsored hacking,
they would do well to examine their policies for appropriate coverage. It's long been said that
only people who legally wear badges and carry guns,
that is, law enforcement and the military, are really interested in attribution.
This piece reminds us that others, notably underwriters,
can be closely interested in attribution as well.
Two more former eBayers took guilty pleas yesterday in a Massachusetts cyber-stalking case.
A former senior manager of special operations for eBay's global security team
and the former manager of eBay's Global Intelligence Center
pleaded guilty to conspiracy to commit cyber-stalking and conspiracy to tamper with witnesses.
This brings the total of guilty pleas to five.
Two other former eBayers in the EcommerceBytes newsletter harassment case have yet to plead.
Is there a downside to seeing too much foreign interference in these upcoming U.S. elections you may have heard about?
Yes, various experts tell the Washington Post.
The recent failed attempt by Iran to impersonate the Proud Boys in an evident attempt to discredit the campaign of President Trump by communicating threats to Democratic and
other voters was an example of how tactics that seem to have been effective in 2016 have fallen
flat in 2020. U.S. Cyber Command's election security lead, Brigadier General Joe Hartman,
told the Post, quote, my biggest concern is that we give a foreign adversary more credit than they actually do,
end quote. He thinks that social media platforms in particular have grown more adept at recognizing,
exposing, and taking down coordinated inauthenticity. General Hartman said, quote,
Their platforms have been exposed. Social media companies have taken down their personas.
In most cases, their personas have gained very little traction, end quote.
And finally, National Cybersecurity Awareness Month is winding down this weekend in the United States.
Did it have any effect?
ESG's Jon Oltsik has an op-ed in CSO in which he laments the limited reach of the observance.
He sees it as having traction mostly in universities and inside the Beltway,
and wishes for more public service programs to get people generally to pay attention.
His recommendations surely place him on the side of the angels.
Among other things, he calls for a visible public service
campaign like the Forest Service's Smokey the Bear, more kindergarten through 12th grade education
in cyber, and greater cybersecurity career awareness. We don't know much about this Smokey
the Bear, sounds like he might work for Moscow, but maybe there's just too much competition for
mindshare among the observances.
We consulted our public awareness desk, and they inform us that October has also been the month during which we've been asked to observe
Eye Injury Prevention Month, Healthy Lung Month, Home Eye Safety Month, Filipino American History Month,
Italian American Heritage and Culture Month, Polish American Heritage Month,
and National Pizza Month. The individual days are too many to enumerate here, but
one of them just this week was Plush Animal Lovers Day, celebrated this past Wednesday.
So let's be realistic, friends. We're as into InfoSec as anyone,
but how can cyber compete with pizza and Beanie Babies?
My guest today is Travis LeBlanc from law firm Cooley LLP.
He's a member of Cooley's litigation department leadership team and vice
chair of the firm's cyber data and privacy practice. He had the honor of being selected by
the U.S. Department of Commerce and the European Commission as an arbitrator for the EU-U.S.
Privacy Shield Framework in 2017 and was unanimously confirmed by the U.S. Senate
to the Privacy and Civil Liberties Oversight Board in 2019.
We reached out to Travis LeBlanc for his insights on the European Court's recent invalidation of the EU-U.S. Privacy Shield.
There was, prior to 2015 or so, a bilateral agreement between the United States and Europe that permitted the transfer of personal
data about Europeans across the Atlantic to the United States. Safe Harbor was the framework that
the United States had negotiated with Europe for a determination of adequacy. In 2015 or so,
there was a decision out of the European Court of Justice, Schrems, now known as Schrems I. The case was brought by Max Schrems, who's an
Austrian privacy activist. It was brought against Facebook and was challenging Facebook's transfer of data about Europeans to the United States and argued
largely in part that the Safe Harbor framework was not an adequate protection under European
law because the national security programs and activities of the United States government would require Facebook and any other company in the United States to permit access, to either permit it or to not have the, the national security activities of the United States government were not adequate.
Many of these activities had been exposed by Edward Snowden.
And that is what became the basis of the lawsuit and much of the decision. Shortly after that decision came down,
the United States and the European Commission went back to the table to negotiate a new agreement
that would permit the transfer of personal data
about Europeans to the United States.
That new agreement was called Privacy Shield.
And so what are the main sticking points here?
What's keeping us from coming up with something that everyone can agree on?
Well, you know, by and large, the main sticking points are not the activities of the, you know, 5,000-plus companies that relied upon Privacy Shield.
The sticking points for the European Commission, I mean, the European Court of Justice, are that there isn't, you know,
a due process right for Europeans to challenge the exercise of the national security authorities of the United States government, that there isn't a way to, that some of the authorities exceed
the privacy right, the privacy rights as they see it, of Europeans in particular. It really does go to national
security. And, you know, the challenge after Safe Harbor was that the Privacy Shield framework
did not come into existence along with substantial modifications to the intelligence authorities
of the United States government.
And so, you know, part of the negotiation will certainly be around, you know, what additional assurances the U.S. government can give as to the, you know, transparency and the limits
of the authorities of the United States intelligence community.
But I do suspect that without changes to those authorities,
meaning changes by law, it's going to be quite difficult to get the ECJ on board.
Yeah, it's interesting. Well, I mean, getting back to the privacy shield issue, how do you
suspect this is going to play out? What do you see as some of the possible resolutions here? The Europeans and the Americans are already negotiating. We know that they've been quite
transparent about the existence of the negotiations. You know, we've seen an effort by
the U.S. Department of Commerce to try and keep the Privacy Shield framework at least nominally in existence.
For example, the Department of Commerce has announced that it's going to continue
to process applications to join Privacy Shield. I personally am perplexed by that decision because
the European Court of Justice and the data protection authorities over in Europe have made quite clear that they don't view the Privacy Shield as a valid framework. And so, you know, it's not clear to me
why the Department of Commerce would want to keep that in play. But my best guess is that
in the negotiations, the United States would seek to use the privacy shield framework as essentially a model for or a basis for whatever comes next. give the Europeans the comfort that there is sufficient transparency and oversight of the
intelligence community in the United States that they do not have to be concerned, you know, about
the NSA, for example, you know, breaking into Facebook. That's going to be a challenge. The United States did a lot in the
negotiations around Privacy Shield to try to assuage Europe of these concerns. And so I think
the challenge we're going to face is identifying who in the intelligence community in the United
States is going to go to the table with the Europeans and whether we will need to,
you know, make any changes to the, you know, authorities of the ombudsperson, the authorities
of the Privacy and Civil Liberties Oversight Board. So there's a lot on the table and it is
apparent that the Department of Commerce alone won't be able to make all the assurances that are necessary,
but that the intelligence community, or at least some component of it, will have to be at the table
as well as it was in the negotiations after Safe Harbor and that put in place privacy shield.
That's Travis LeBlanc from Cooley.
You can hear our full interview over on the Caveat podcast,
and it's also available in our interview selects as part of CyberWire Pro.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Engineering at Webroot.
David, always great to have you back.
We are not far off from Halloween.
Tied into that, you sent over a list of some spooky trends that you've been
tracking. What sort of things are on your radar right now? David, as always, great being here.
And, you know, the marketing folks, the PR folks, they wanted me to say spookiest, but to me,
a lot of this is terrifying. So to be clear, you know, we're talking about cyber threats and, you know,
we continue to see huge uptick in threats around COVID phishing attacks, attacks that are around
stimulus checks and people trying to steal your bank account information. So I think that's all
top of mind. People are aware of that, but we do need to, you know, stay on top of the fact that
those are coming at us. Even though we may know it, it's happening. So just stay aware of that.
But, you know, that's kind of the general spooky, but we got some real fun ones here, David, if
you're going to let me run in with this. Yeah, let's go. So to me, the most terrifying statistic
I can throw out there is five years ago, six years ago, we'd see a ransomware
attack and it was your aunt Judy, whose, you know, computer got locked up and they wanted $200 to
unlock, you know, her selfies. Right. I mean, you can remember those days, right, David? Yeah. Yeah.
Well, now we're seeing the average ransomware payment north of $175,000. They're no longer going for Aunt Judy's computer
anymore. The real terror here is municipalities, universities, medical facilities. This has really
turned into big, big business. And they don't care about your Aunt Judy's computer anymore.
They really care about these midsize institutions that can afford to pay $200,000 because it's cheaper than trying to restore all their computers.
Yeah.
Well, take us through some of the threats that you're tracking here.
So some of the biggest ones we're seeing now, Emotet, that's a botnet.
We're seeing continuous growth.
They're super effective through emails and things like that.
You know, you're not going to get an email that says, I'm Emotet, click here to be infected.
It'd be nice. I would probably, that would work on me because I would want to see what happens,
but most people are going to not pay attention to that. But that we're seeing an uptick there.
I always spell, pronounce this wrong, so you're going to bear with me.
Royuk.
I say Ryuk, but who knows?
Well, you're probably right.
We're going to go with you because this is your show.
Okay.
You know, it's growing as well.
It's a fairly new one, but we're seeing it grow in the ability to infect machines as a ransomware threat, lock those computers down.
Phobos is always a great one.
And the big thing about Phobos that is actually scary
with people working from home
is it takes advantage of RDP vulnerabilities,
RDP being what a lot of people use
to remote into their offices
and do work on machines in an office.
So obviously people working from home more, if you're using that functionality,
I mean, RDP is always being attacked because there are always exploits being found in it.
You've always got to make sure you're being patched.
So huge uptick there.
And, you know, the mobile threat Joker is out there.
It's kind of, you know, just trying to steal information.
And we've got to throw a mobile app in there once in a while.
I got to admit, though, the mobile providers do a pretty good job.
Google with Android and Apple with iOS protecting mobile devices.
But we do see from time to time something pop up.
Do you suspect we're going to see a continued shift in that direction?
Or is it that the opportunities are so rich on the desktop
machines that there's no reason to go away from them? Well, I think just like the ransomware
example, if somebody can figure out a type of threat on a mobile device that makes them a
couple hundred bucks now, but they can foresee a future where they have a greater ROI. And I don't
mean to be funny. I mean, this isn't
the kids hacking anymore. This is big business. The cyber criminals are in. So the problem with
a mobile attack is what's your long term ability to make money? And so, yes, I think the possibility
exists and we shouldn't ignore it. I still think, though, that there's so much money to be made in
ransomware and attacking small to medium sized businesses and getting real money out of them that that's going to be the focus for the for the foreseeable future.
All right. David Dufour, thanks for joining us.
Great being here, David. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
Be sure to check out Research Saturday
and my conversation with John DiMaggio from Symantec.
We're speaking about APT41 indictments.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here next week.