CyberWire Daily - Ransomware slows down many students’ return to school, even virtually. Hacking gamers. Patch Tuesday. Notes on election security from CISA.

Episode Date: September 9, 2020

Back to school time for everyone...or it would be, if it weren’t for all that ransomware. The sad criminal underworld stealing from online gamers. Notes on Patch Tuesday. Joe Carrigan considers digital comfort zones. Our guest is Sandra Wheatley from Fortinet with key findings from their new report on the cybersecurity skills shortage. And some thoughts on election security and disinformation from the US Cybersecurity and Infrastructure Security Agency. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/175

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:34 Back to school time for everyone, or it would be if it weren't for all that ransomware. The sad criminal underworld stealing from online gamers. Notes on Patch Tuesday. Joe Carrigan considers digital comfort zones. Our guest is Sandra Wheatley from Fortinet, with key findings from their new report on the cybersecurity skills shortage, and some thoughts on election security and disinformation from the U.S. Cybersecurity and Infrastructure Security Agency.
Starting point is 00:02:37 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 9th, 2020. A number of U.S. school districts, already stressed by the unfamiliarity of distance learning systems whose use the COVID-19 pandemic has imposed on them, are recovering from a range of cyberattacks. A few, like the distributed denial of service attack the Miami-Dade public schools sustained last week, were essentially cyber-enabled truancy. "So easy a teenager could do it," WPLG sniffed haughtily. A lot of teenagers, we should note, have experience with booters, some of it gained in their play of online games. But ransomware seems to have been more common. The case of the Hartford, Connecticut public schools is representative. A ransomware infestation forced a delayed opening. Schools in Toledo, Ohio and Clark County, Nevada were among
Starting point is 00:03:39 the larger systems similarly affected. Schools are reopening as they're able, but Tuesday's planned first day was, for many students, disrupted. It's not difficult to see why schools have been appealing targets. Ransomware operators are attracted to targets during periods of heightened vulnerability, and schools attempting to operate either fully remotely or in some hybrid combination of distance and in-person instruction present criminals an opportunity. They depend upon high availability, they have a large number of users and a difficult-to-control attack surface, and as we mentioned above, remote instruction remains an unfamiliar process,
Starting point is 00:04:17 complex and fraught with unfamiliar challenges in planning and execution. So, these attacks are the main thing that kids have to worry about, right? Well, no, not really. If you're a kid yourself, or if you know kids or live with kids, you may have noticed that a lot of them spend a great deal of time online, like playing games. So, the Wall Street Journal yesterday summarized the implications of another threat to youth. Online games themselves present a big attack surface, and the players are attractive targets for a variety of reasons. Online vandals simply enjoy interfering with others' ability to play.
Starting point is 00:04:56 Online bullies find games another space in which they can threaten and demean others. And, of course, there are things of value, like credentials and skins, to be stolen. The Journal leads with the story of a teenaged boy who found in April that his credentials for the online game platform Steam were incorrect. After Steam restored his access, he found that some $200 worth of games he'd purchased had disappeared. Further review showed that someone had been signing into his account from an IP address in Moldova. There are other examples, and the Journal makes its case that online game fraud is widespread. They offer some advice on protecting accounts.
Starting point is 00:05:37 Most of it has a familiar ring. Use two-factor authentication and strong passwords, for example. Check the URL address to make sure you're not following a phishing link, and never click on a link in an email telling you there's a problem with your account. Two other bits of advice are also good, but as anyone who is or knows a kid will tell, amount to counsels of imperfection. Never share login information even with friends, still less with friends. And finally, set up parental controls to ensure that purchases can't be made without parental approval. To these last, we wish everyone luck when advising teenagers on such matters. Well, as Catullus said, write it on the running water,
Starting point is 00:06:19 write it on the air. Yesterday was September's Patch Tuesday, and the Zero Day Initiative has a summary of the major fixes. Adobe's three patches addressed FrameMaker (out-of-bounds read and stack-based buffer overflow), InDesign (memory corruption problems), and Experience Manager (mostly cross-site scripting issues). Microsoft's 129 fixes dealt with issues in Microsoft Windows, Edge, ChakraCore, Internet Explorer, SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive, and Azure DevOps. 23 of the patches are rated critical, 105 as important, and 1 as being of moderate severity. U.S. Cybersecurity and Infrastructure Security Agency Director Christopher Krebs sees no serious signs of attempts to hack, in the narrow technical sense, U.S. voting infrastructure.
Starting point is 00:07:19 Director Krebs said yesterday during the Billington Cybersecurity Summit, quote, The technical stuff on networks we're not seeing. It gives me a little bit of confidence, end quote. Reuters observes that this would seem to qualify remarks made a few weeks ago by U.S. National Security Advisor Robert O'Brien, who warned of the likelihood of Chinese attempts against election infrastructure. CISA has been receiving reports from state and local election officials, and Director
Starting point is 00:07:47 Krebs hasn't seen anything alarming there, at least not in this respect. Disinformation is another matter. DHS and its CISA unit are seeing enough of that. One possibility Krebs brought up yesterday involved the probability that election results might well take longer to tabulate than the swift results Americans have become accustomed to over the last few decades. Quote, this is probably going to take a little bit longer to do the counting because of the increase in absentee ballots, the Voice of America quoted him as saying, and going on to ask for people to have a little bit of patience. Democracy wasn't made overnight, end quote.
Starting point is 00:08:26 What conclusions can be drawn from this? For one thing, it's likely that delays in counting votes could be used in hostile disinformation designed to sow doubt about the result's validity. This would be useful in particular for threat actors with the negative goal of exacerbating existing social division and mistrust. So be patient and recognize that we live online, surrounded by a lot of nonsense and confusion.
Starting point is 00:08:53 Cultivate your garden.
Starting point is 00:11:13 Depending on who you ask, the cybersecurity skills shortage, that is the shortage of qualified workers to fill open positions, sits somewhere between the most serious issue facing the security industry today and an overhyped illusion that doesn't match the reality on the ground. Sandra Wheatley is from Fortinet, and she joins us with key findings from their new report on the cybersecurity skills shortage. I believe the skills shortage is one of the biggest challenges that security organizations are dealing with.
Starting point is 00:12:00 In fact, from the survey, we found that 68% of respondents reported that their companies are struggling to recruit, hire and retain talent. And in fact, I was talking to a CISO recently, and he was telling the story of how, you know, one of his top people had been hired and had a 100% increase in pay. So it's a constant challenge. And we believe that you would need over 4 million professionals just to close the skills gap alone. One of the things that your research points out here that caught my eye was the role that veterans could play in closing this skill gap, the important role that they could have. Yes, we started our veterans program about two years ago, and it's been hugely successful. It turns out that veterans have a lot of the skill sets that cybersecurity requires. And if you think about it, cybersecurity started in the armed forces and defense, and that's where it really
Starting point is 00:13:09 sprung up. And a lot of those skills map to cybersecurity very well. And so our cybersecurity program, not only does it provide our training, but we also do job skills training, mentoring, interviewing skills, resume building. And so far, we've trained 400 veterans in the last two years. 200 of those veterans have been hired into technology because what we do is not only once they receive their certifications, we also try to map those to jobs that our channel partners have and really just complete that whole loop. Is there a sense that we're gaining ground on this? Do you think there's hope that we could actually close this gap? I mean, I think we're doing all of the right things. I see that the one thing
Starting point is 00:14:06 that's very encouraging that I think is really required is we're seeing more partnerships, private-public partnerships coming together to tackle this issue. Of all of the initiatives, this one definitely has probably the most support. So I think this is what is required to really improve the situation. I mean, the other area I think we need to tap into is getting more females into the industry. Only 14% of the workforce is female. And I came into cybersecurity four years ago, and of all of the IT industries I've worked in, it's the most thrilling and dynamic and interesting industry. So I think there's a lot of opportunities for women to come into the industry, but it does mean breaking some of the stereotypes and really marketing cybersecurity and educating females
Starting point is 00:15:00 much earlier and really focusing on how you market to them. That's Sandra Wheatley from Fortinet.
Starting point is 00:15:43 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. Uh, interesting, uh, article from the folks over at Kaspersky. They did some surveying and they published this article called More Connected Than Ever, How We Build Our Digital Comfort Zones.
Starting point is 00:16:32 That's a new term to me. What do you make of this, Joe? Yeah, it's an interesting survey. They have gone out and surveyed over 10,000 people in a bunch of different countries, including the U.S., the U.K., UAE, Turkey, Thailand, Saudi Arabia. I mean, it's a lot of countries all over the place. And they've gathered some data and they're looking at a couple of things. One of the first things we're talking about is how we spend our time now that we're in lockdown. And it turns out
Starting point is 00:17:00 the biggest increase among a group of people is among people like us, Dave. People like us are spending much more time online, an increase of about two and a half hours a day. You mean in our age group? In our age group, yes. People in our age group. It's broken down by age group. And, of course, they call them Generation Z, Millennials, and Generation X. And then they define those age groups pretty rigidly. And actually, Generation X is generally the generation that you and I fall into, but I don't know that we'd fall into this survey group
Starting point is 00:17:34 because it's a little younger than us. Interesting. So older people are spending more time online. What are people worried about in terms of their online connectivity and their security of their online information? 60% of people are worried about personal payment and financial details that are saved on their devices. Generally, Dave, I don't use mobile applications for banking. I only use them when I absolutely have to, like to deposit a check. In the early part of the pandemic, I had to use it to deposit a check because I couldn't get to the bank because it was closed, right?
Starting point is 00:18:18 Everything else I do on my PC when I'm doing these payments, I don't do them on a mobile device. And I have all my credentials stored in a password manager. I don't stay logged in on that device. So to most of the financial institutions' credit, they will actually log you out after a short period of inactivity on a web browser. But that is not the case on phone apps. They'll keep you logged in on a phone app indefinitely. So I think that's a good concern, being concerned about the ability of people to access your credentials via your phone. Just somebody picking up your phone, if you have your banking app on there, you may very well be giving them access to it unless you have some kind of like biometrics, like a fingerprint or something on it. Yeah. A couple of things that struck me in this report, one of them was about sharing of
Starting point is 00:19:07 accounts. Right. Things like Netflix. And I think that's very common, but they were pointing out that for some generations, basically sharing the Netflix credentials with your roommates is quite common. Yeah. Yeah. Well, and that's, I think that's within the licensing agreement of Netflix, isn't it? I mean, you're, I don't know, you're buying a license for a household. So everybody in that household can watch up to two screens. If you pay the two screen price, or if you have the four screen price, you can pay a little bit more. I don't know that I would share credentials. And in fact, the Hulu account that we use in our house is my son's Hulu account. And my son lives with me. So this is within the terms and conditions. But he didn't
Starting point is 00:19:54 share the credentials either. He said, go ahead and use the online activation. And I'll just tell me what the code is that shows up on the screen and I'll activate it for you. And I felt a moment of pride. That's right. My chest swelled with pride when he said that. Another thing that struck me here that I thought was kind of funny, they asked who takes the technology lead in the home? And four-fifths of male respondents claim that they take the lead in making IT decisions for their household. But this is contradicted by three-fifths of women stating that they take the role. Right. So there's some overlap there. There's at least some percentage of people that think they're in charge while the other person also thinks they're in charge.
Starting point is 00:20:39 Right, right. Yes, dear. You're totally in charge, dear. Right. Here's one thing I found very concerning in the report, and it's just one sentence. It says, over a third, 37% of millennials doubt they are of interest, enough interest to cyber criminals to be attacked. This is one of the things, when I give talks, this is one of the things I say, is that you are of interest. It doesn't matter
Starting point is 00:21:05 if you think you're not. You are of interest to these attackers. Do you have a bank account with any money in it? $20, $5. It doesn't matter. That's of interest to a cyber criminal. Do you have personal information? Do you have accounts online that people could sell for any value? Yes, of course. If you're online, if you're a millennial in particular, you're part of the digital native generation, right? You've grown up online. You have all these different accounts online. That all has value. You are of interest to cyber criminals, period. If you have any kind of online presence at all, you're of interest. Yeah, yeah. All right, well, again, the report is from Kaspersky.
Starting point is 00:21:52 It's titled, More Connected Than Ever Before, How We Build Our Digital Comfort Zones. Joe Carrigan, thanks for joining us. My pleasure, Dave. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it's free of dyes and fragrances. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:42 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Errol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
