CyberWire Daily - Ransomware recovery in Louisiana. DPRK phishing for aerospace jobseekers? Cybercrime campaigns. Notes on current legal matters.
Episode Date: November 19, 2019
Louisiana recovers from a ransomware attack against state servers. North Korea appears to still be interested in Indian industry--this time it's people looking for jobs at Hindustan Aeronautics. Compromised CMS distributing info-stealing Trojans. HydSeven mounts a cross-platform spearphishing campaign. Macy's and Magecart. Thoughts on supply chain security and cyber deterrence. And some legal updates, including some alleged academic money laundering. Ben Yelin from UMD CHHS on your rights to images you post of yourself online. Guest is Tom Miller from ClearForce on continuous discovery of insider threats. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Louisiana recovers from a ransomware attack against state servers.
North Korea appears to still be interested in Indian industry.
Compromised CMS is distributing info-stealing Trojans. HydSeven mounts a cross-platform spearphishing campaign. Macy's and Magecart.
Thoughts on supply chain security and cyber deterrence. And some legal updates, including some alleged academic money laundering.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 19, 2019.
There's a good news, bad news story out of Louisiana today.
The bad news is that the Pelican State was hit by a ransomware attack yesterday.
What variety of ransomware isn't yet known, but the incident is believed to be similar to the one that hit school districts in Morehouse, Sabine, Monroe City, and Ouachita this past July.
A number of state agencies and services were affected, including, Bleeping Computer reports, all 79 of Louisiana's Office of Motor Vehicles locations.
The good news is that the state's Cybersecurity Commission,
established in 2017 against just this sort of eventuality,
was activated and appears to have been working effectively
to contain and remediate the damage.
The commission includes law enforcement personnel,
cybersecurity professionals from both the public and private sector,
and academic specialists.
Affected agencies began restoring service soon after the attack hit.
Recovery is expected to be substantially complete in about two days.
The Office of Motor Vehicles, for example, thinks it will be back in business this afternoon,
KPLC reports. ZDNet says the state's Office of Technology Services contained the infestation quickly and that the commission took appropriate action.
None of this would have been possible without effective preparation.
It's still early to call victory, but so far it does seem that Louisiana,
unlike too many other state and local governments,
had a sound plan that's been executing effectively.
An after-action review with lessons learned that might be shared with
other states would be interesting, and we hope Louisiana's Cybersecurity Commission holds one
and publishes the results. India continues to receive the attention of North Korean cyber
operators. A phishing campaign is underway that poses as a job opportunity at Hindustan Aeronautics,
the Herald Publicist says.
Little else has been reported, but the Lazarus Group seems to have been leaving its spoor across the subcontinent recently,
with incidents reported at both the Kudankulam Nuclear Power Facility and the Indian Space Research Organization.
Zscaler has discovered two campaigns that use compromised WordPress sites to distribute a remote-access Trojan.
Malicious redirector scripts in the compromised content management systems do the work.
One campaign uses a bogus Flash Player update as the vector.
The other deploys an equally phony font updater.
The font it helpfully offers to update is PT Sans.
The payload is essentially an information stealer.
We often address the serious issue of insider threats,
the vulnerabilities your organization faces from employees or close partners.
There are many technical countermeasures to insider threats,
but it's important to remember there's a human side to this as well.
Tom Miller is CEO at employee risk management firm ClearForce.
The earlier that an organization can become aware of issues, the more options they have to address those issues, hopefully in a positive and productive way. But one of the challenges of early discovery is you have to make sure in every case that you're carefully protecting the rights of the employee and the privacy of the individual. And so privacy and civil liberties really need to be the foundation for any type of insider risk or employee risk management program. Once you start from that, then you're in a position to have a shared objective between the workforce and leadership within the organization to really create a more safe and secure environment.
Yeah, I think nobody likes to have that feeling that someone's always looking over their shoulder. How do you establish that sort of culture of security without it feeling adversarial?
Well, I think in today's workplace, there is a basic requirement
for organizations to deliver safety and security to their employees. We just see and hear so many
negative and violent acts that occur both inside and outside the workplace that I think there's a
basic assumption today that when you go to work,
your employer will take the appropriate steps to keep you safe and secure.
And so when you start from that perspective, then it becomes much easier as an organization
to really put together the kind of approach and the kind of policy and technology to achieve
that objective.
And again, I go back to transparency.
Often capturing and making sure that you've got explicit consent from your employees to
be able to evaluate certain information about misconduct, about criminal activity as examples
become really important.
Typically, it's not a one-size-fits-all
approach. Different jobs, different positions lend themselves to different levels of physical
and information access inside virtually every organization. And so from an employer's perspective,
it's really important to create your policy and define those risk policies specific to each job role and not try to come up with an overarching single solution across the board.
Are there any typical red flags that stand out where an employer should say, hey, perhaps this employee needs a little more of my attention?
It really is identifying this disengaged individual. And what we find time and again is
when somebody becomes disengaged, whether it's from their job or quite frankly in the community,
if you become disengaged and nobody notices, then bad things tend to happen.
And so from an employer's perspective, you have to find these early indicators that that employee that you brought into the organization, a trusted, productive part of the corporate
organization, all of a sudden has issues.
They have stress.
They have problems either inside or outside of work that have created this situation.
And so, you know, oftentimes that can range from arguments or problems that they're having
with their colleagues.
So let's say internal incidents.
Perhaps it's with customers.
Perhaps it's with coworkers.
But having an efficient and effective way of having those incidents communicated into
leadership becomes really important. Perhaps another common indicator would be identifying
individuals that are under financial stress. And so for an organization to be able to then pair
employee assistance programs, counseling, or other wellness opportunities, again, is a good opportunity to
create a positive outcome through some preemptive action.
That's Tom Miller from ClearForce.
U.S. department store giant Macy's is the latest retailer to suffer a data breach.
Computing, Bleeping Computer, and others are calling the incident a Magecart attack.
Macy's mailed breach disclosures to affected customers on November 14th.
The compromised information includes customers' first and last names, complete physical address,
phone number, email address, pay card number and security code, and pay card expiration month and year.
Macy's says it believes it's unlikely someone could open an account in a
customer's name, but it's warning people to stay alert. The department store chain has brought in
an unnamed security company to assist with investigation and remediation, and it says
it's engaged law enforcement as well. Fifth Domain quotes a senior U.S. Marine general on an
interesting question. Who has more to lose if cyber deterrence moves toward a counter-value balance, authoritarian or open societies?
Lieutenant General Eric Smith, head of the Marine Corps Combat Development Command, suggested at a recent AFCEA meeting that it's the former.
In some respects, he may have a point. Consider networked surveillance cameras.
They occupy a much bigger, more important place in Chinese national policy than they do in American national life.
Would taking them out be irritating? Sure.
But crashing them in China would be more seriously disruptive.
Of course, a cyber attack that took down a power grid or a nation's financial system would be a disaster,
much worse than just getting your hair mussed.
So perhaps this perspective on deterrence works best at the lower to mid ranges of the spectrum of conflict, up at the levels that the nuclear deterrence think tanks used to call spasm war, or as Major King Kong put it in the movie Dr. Strangelove, "Well, boys, I reckon this is it. Nuclear combat, toe-to-toe with the Russkies."
Speaking of cyber conflict, Huawei has received a 90-day reprieve from the U.S.
as the government continues to work toward the ejection of Huawei gear from U.S. networks.
China hawks are concerned that the U.S. administration has gone wobbly, the Washington Post reports, but in any case, this is going to be a long dance.
And finally, two stories of crime and punishment. First, Sweden is discontinuing its investigation
of WikiLeaks impresario Julian Assange for alleged sexual offenses, accusations of which prompted Mr. Assange to decamp to the UK in 2010.
The Swedish prosecution authority says that "the evidence has weakened considerably due to the long period of time that has elapsed since the events in question."
The Register reports that Mr. Assange, long resident in Ecuador's London embassy until his ejection earlier this year,
remains in British custody at Her Majesty's Prison Belmarsh in southeast London.
The U.S. has asked that he be extradited to face charges of conspiracy to commit computer intrusion.
As the Register puts it in their lead, U.S. Department of Justice books one-way plane ticket in his name.
And second, in what sounds allegedly like either a case of physician-heal-thyself or one-cannot-touch-pitch-and-remain-undefiled, a Miami academic and expert on money laundering
has been charged in the U.S. with laundering money from the failed state of Venezuela,
allegedly pocketing a cool quarter of a million greenbacks for his troubles
on behalf of clients trafficking in dirty money.
Bruce Bagley, age 73, is a professor of international studies at the University of Miami.
He's been a frequently quoted expert on money laundering and drug cartels.
The University of Miami's only comment has been to say that Professor Bagley is on administrative leave.
We note that Professor Bagley, like Mr. Assange,
is entitled to the presumption of innocence.
And joining me once again is Ben Yelin.
He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security.
More importantly, he is my co-host on the Caveat podcast.
Ben, it's always great to have you back.
Good to be here, Dave.
Ben, you and I are going to talk today about strip clubs.
Now, I know you and I have run into each other many times at the local strip club.
You're not supposed to say that live on the podcast.
Actually, before we recorded, you and I were both saying how we sort of scratch our heads and don't really understand the appeal of strip clubs, but that's a whole nother thing.
Yes. We're talking today about that on our private podcast.
Right, exactly. But today we're talking about an interesting legal case. This was from Bloomberg Law, and the title of the article is, Strip Club Cases Show How Little Your Image is Protected Online. What's going on here?
So this case arises from 11 plaintiffs. They are models. 10 of them you would have never
have heard of. The 11th is Carmen Electra.
Oh, I've heard of her.
Which, you know, if you were alive in the mid-2000s, you've probably heard of her.
She was on Baywatch.
She was married, I believe, to Dennis Rodman. They sued a strip club, and their cause of action was under what's called the Lanham Act, particularly the false endorsement provision of the Lanham Act. So basically what happened is the strip club found online photos of these individuals in like cat costumes and other suggestive photos and used them to promote events at their strip club.
And this violates the statute, the Lanham Act,
which prevents companies from using one's personal likeness for advertising purposes
without that person's authorization.
So these were photos that these people had posted online of themselves, so that it wasn't like the strip club broke into someone's phone to gather these images.
consent of the models themselves.
Now, even though the rest of these models weren't Carmen Electra, it seems from what
we can glean about the case that they all did have significant social media following.
So they're sort of social media celebrities, if not real celebrities.
What was interesting is that only Carmen Electra was actually able to succeed.
She won the case, the ban against the strip club from using her image.
And one of the reasons she won is because her image is actually worth something because she's a famous person.
That's sort of the nature of the Lanham Act is it's very difficult for a normal person, somebody who's not famous, to reclaim one's image once it gets on the Internet.
Because the Lanham Act is specifically about commercializing somebody's image. And if that image doesn't have any commercial value, then you're generally in
most cases going to be barred from recovery. Now, there are other courts that are a little
more lenient in these cases. They talk about in this article courts that don't actually try to
gouge the plaintiff's fame and they only look about whether a company like the strip club would intend to commercialize somebody's persona, so somebody's online images. But when we're
dealing with the Lanham Act, it's going to be very difficult for a non-famous person who doesn't
already have a commercial presence, a commercial image, to gain relief. And I think that's scary
for people. For one, it's a reminder that posting images online is not safe, no matter the privacy protections, the specific social
media application that you're using. I just think once the image is out there, it's really hard to
reclaim it. You're going to be compensated if you win this type of case based on your own commercial
value. So if you don't have any commercial value,
there's not going to be much compensation, which means it's not really going to be worth it for
somebody to pursue a lawsuit. Now, you can talk about intangible things like effects to your
reputation. But if you're a person who doesn't have any commercial fame, then it's hard to put
a dollar amount on that hit to one's reputation. And downstream from
that is it's going to be very difficult for plaintiff's attorneys, or not difficult, but
plaintiff's attorneys are going to be reluctant to take up one of these cases because the contingency
fees aren't really going to be worth it for them if there's not a lot of money at stake.
So I think that's a big problem with our right of publicity statutes.
Now that we're in a digital age and more people are becoming Internet famous.
You know, this law was drafted in an era, this was 1946, so television was just coming into prominence.
Probably most famous people were... the Internet was not even a gleam in someone's eye.
So, no, no, it was, yeah, futurists were probably wondering about sharing images.
Yeah. So, you know, perhaps we need to have more robust legislation that protects people's online integrity and protects those images that somebody posts on their own social media, whether they're famous or not; they can have a cause of action against a company who tries to use that photo for commercial purposes.
Yeah, that is, it's really interesting that this, I guess I never considered that a picture that you put out there could be used in a commercial situation and you have very little relief against that. What about even just a
copyright claim? The copyright claim applies to creative work. So it would be like somebody who actually took the
photo and posted it on social media for creative purposes. You can't appropriate that for commercial
value. This is generally a trademarks case where the value is not necessarily artistic or creative,
but it's in the commercial value of the image itself. I see. Yeah. I mean, it's scary that
there isn't more recourse.
Yeah.
Particularly when, you know, you think about instances
where somebody's photo is posted without their consent.
That's particularly scary to a lot of people.
Yeah.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.