CyberWire Daily - Shade shuts down. CLOP hits pharma. Medical research firm breached. The pain caused by disinformation. Mr. Kim goes downy ocean?
Episode Date: April 28, 2020
Shade ransomware operators close down, or so they say. A US pharmaceutical company is the victim of CLOP ransomware, and a Chinese medical research firm is breached by cyber criminals. Centralized versus decentralized approaches to contact tracing. A GDPR assistance site proves leaky. Disinformation breeds misinformation which breeds folly that brings misery. And Mr. Kim seems to be chillin' downy ocean. Ben Yelin from UMD CHHS on responses to the EARN IT Act; guest is Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, on the Cybersecurity Maturity Model Certification (CMMC). For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_28.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Shade ransomware operators close down, or so they say. A U.S. pharmaceutical company is the victim of CLOP ransomware, and a Chinese medical research firm is breached by cybercriminals. Centralized versus decentralized approaches to contact tracing. A GDPR assistance site proves leaky. Disinformation breeds misinformation, which breeds folly that brings misery. Ben Yelin tracks responses to the EARN IT Act. Our guest is Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, on the Cybersecurity Maturity Model Certification.
And Mr. Kim seems to be chillin' downy ocean.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 28th, 2020.
The operators of the Shade ransomware, also known as Troldesh, say they've closed up shop and that they regret the harm they've done.
As an earnest of their good faith, they've released, ZDNet reports, 750,000 decryption keys and expressed the hope that their victims might use the keys to recover some of their data. Researchers at Kaspersky have looked at the keys and said that they're genuine. Why the gang behind Shade, one of the oldest, if not the most consistently successful ransomware strains, decided to shutter operations is unclear.
Bleeping Computer points out that Shade, unlike many gangs, didn't shun Russian or Ukrainian targets, and in fact was most active in those two countries.
One always suspects that feeling the hot breath of the law on your neck is a more effective goad than the promptings of a troubled conscience.
On the other hand, if that's the case, why bother releasing the keys?
In another ransomware incident, pharmaceutical company ExecuPharm has disclosed that it was the victim of a ransomware attack in March. The attackers compromised and encrypted personal data belonging to employees of ExecuPharm, as well as information concerning employees of Parexel that was also maintained on ExecuPharm's servers. TechCrunch confirmed that CLOP ransomware was specifically involved. No decryptors are yet available for CLOP, and the gang has begun to publish the stolen data on a dark web site.
stolen data on a dark web site. HackRead reports that security firm Cyble says it's found evidence that the biomedical company Weighing Medical has been hacked,
and that some of its stolen data are now for sale in the dark web.
Cyble's report says that a threat actor going by the name Theotime,
whose claims Cyble deems credible, is asking for Bitcoin for Weighing data.
asking for Bitcoin for weighing data. The stolen information is said to include users, technology,
and knowledge for COVID-19 experiments information. Weighing Medical gained a degree of fame or notoriety for its strong claims reported by VentureBeat and others that it has a method of
using CT scans to detect COVID-19 infections and that their technology has a 97% accuracy rate.
The U.S. Centers for Disease Control and Prevention recommend against using either
CT scans or x-rays for COVID-19 diagnosis, as do radiological professional organizations in Canada,
New Zealand, the U.S., and Australia.
Apple and Google are rolling out their decentralized contact tracing app, and it's found favor in some places, Germany among them. Britain's National Health Service will not be using it, however. The NHS is pursuing its own system that will also use Bluetooth Low Energy signals as a proxy for close approaches to possible sources of infection, but the BBC says NHS wants the data centralized, the better to adapt them to closer management of the pandemic.
According to the New Statesman, the British health agency has brought in US big data company Palantir to help them develop their preferred alternative.
GDPR.eu, a Proton-run site co-funded by the European Union that offers pointers about GDPR compliance, was found by Pen Test Partners to be leaking data.
It is now secured. It was a .git repository.
If your work touches the federal government sector, you should be well aware of the Cybersecurity Maturity Model Certification, the CMMC.
Katie Arrington is CISO for Assistant Secretary for Defense Acquisition at the U.S. Department of Defense.
Cumulatively, we're losing about $600 billion a year in the U.S. to cyber espionage, IP loss, and straight-up cyber espionage.
And so we knew we had to do something different.
And we had, in 2014, President Obama signed in Special Publication 800-171 R1.
And it was directed that all Department of Defense contracts that had CUI, Controlled Unclassified Information, had to be attesting to doing these 110 controls in that NIST guideline. And so we just needed a way to create, you know, get companies prepared for the data that they'd be receiving and to have an auditable, trackable way to do that, understanding the resourcing within the DOD. So we understood clearly that this needed to be outside the government,
something that companies much like an ISO certification,
and we could then make sure that everybody had the critical thinking skills
behind cyber that are needed to defend themselves in this industrial age.
And where do we stand today when it comes to the rollout?
So the rollout, we put the model out in January 2020. The
accreditation body that is actually the ones that certify the auditors, they are working on the
training and curriculum programs. We are still on target to roll out some RFIs in June with the CMMC
in it that, you know, we're in the process of the rule change to the DFAR rule. So we're still on
target. I'm not going to pretend and say that COVID-19 hasn't had an impact as the training for
those, you know, the CMMC, that's what's really struggling because we did, when we originally set
it up, it was a 50-50 split. 50% of the education and the training was online and 50% was in person. We have the training
and curriculum. I just don't know how we can modify it quickly enough to execute in early May.
That's the only caveat that we have right now.
And what has the response been overall to the folks that this is going to affect? How are they reacting to it?
So in the beginning, a little bit of, you know, why.
Now it's widely accepted that this is the path forward,
that everybody needs to have cyber hygiene
and that everyone needs to have some critical thinking skills behind it.
So we've actually had an overwhelming response moving forward.
Everyone needs cybersecurity.
And, you know, COVID-19 has shown us that the world,
the nation, our culture, the way we deal with each other has changed. If there's anything
positive to be made out of this, it's the heightened awareness of why the CMMC was
desperately needed and what impact cyber has on day-to-day life. It's been a resounding effort at that maturation right now
during this horrible time in our country and our world history.
That's Katie Arrington.
She's CISO for Assistant Secretary for Defense Acquisition.
State-run disinformation can gain surprising amplification when it finds an audience.
The Chinese Communist Party's claims
that COVID-19 was brought to Wuhan in October by U.S. service members participating in the World
Military Games, a kind of Goodwill Olympics among the world's military services, have been widely
broadcast by Chinese official statements, often in the form of a call for investigation, sometimes
with the suggestion that the virus was an American bioweapon.
U.S. Secretary of Defense Esper calls the allegation
completely ridiculous and irresponsible, and we're with him on that.
But not everybody is, and everybody in this case includes some YouTubers.
CNN reports that one U.S. Army reservist who participated in the games
has been called out as the source of infection and is receiving all the hostile attention one would expect.
The charge that the reservist is the patient zero of the infection and the prime mover in the pandemic is, of course, absurd, but that hasn't prevented YouTubers from pushing it, acting in effect as a kind of cyber mob.
Prominent among the YouTubers flacking the story is a gentleman whom we will not name,
whom CNN calls a misinformation broker,
but who describes himself as investigative journalist.
He's propounded numerous conspiracy theories in the past to the extent that Google has stopped running ads on his channel.
He is, as he would put it, only asking questions.
But the questions are specific and damaging,
especially to the reservist who has nothing to do with the virus at all
and is being mobbed for it.
False suggestion is a form of false witness.
But hey, they're just asking questions, right?
Finally, it now seems likely that rumors of North Korean leader Kim Jong-un's death or
incapacitation are false. The Washington Post cites U.S. and South Korean sources that suggest
Mr. Kim and his private train are in Wonsan on the Korean East Coast. The rumors had prompted,
and will no doubt continue to prompt, speculation about the future of the North Korean regime,
jockeying for succession and so on.
But Mr. Kim's father and grandfather were similarly content to let unfounded accounts of their deaths circulate.
That may be the case with Pyongyang's current leader.
Wonsan is in some sources being described as a seaside resort,
but in truth, the port city might be more Perth Amboy
or even Port Elizabeth than it is Asbury Park.
But assume it's a DPRK Asbury Park or Ocean City.
What's Mr. Kim up to?
Enjoying the boardwalk?
Little miniature golf?
Maybe some skee-ball?
Hey, we're just asking questions.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security,
also my co-host on the Caveat podcast.
Ben, great to have you back.
Interesting article came by from Mashable.
And this is something you and I have been talking about quite a bit over on Caveat, and that is the EARN IT Act, which is something making its way through Congress.
But it's gotten a response from the folks who make the Signal app, which is an end-to-end encryption communications app.
It allows you to text and have audio conversations and video and so forth. They're saying they may pull out of the U.S. market if this EARN IT Act goes through. Help us understand what's going on here.
Sure. So the EARN IT Act was introduced in the United States Senate, and you know, you and I love legislative acronyms. So this one is Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020.
They even included the word IT in the acronym.
So credit to them for that.
High praise, yes.
Absolutely.
The bill has bipartisan sponsors
and it basically is a way to make companies
comply with best practices in terms of encryption
based on the recommendations of a
government-appointed commission. Now, the way they will try to enforce these best practices is to
remove the protections under Section 230 of the Communications Decency Act. As your listeners know,
and we've talked about this on Caveat, that act shields companies from liability based on what the users post on those
applications or services. If the EARN IT Act were to be enacted into law and the commission put
together regulations that were critical of end-to-end encryption services like Signal,
then Signal could be subject to a number of lawsuits under Section 230 of the
Communications Decency Act. And what Signal is saying is it would not be worth it for us to do
business within the United States if we were subject to those lawsuits. I think their fear
is certainly a legitimate one. The commission is largely going to be at the direction of the
Attorney General. The Attorney General of the United States, William Barr, is one of the foremost critics of end-to-end encryption and encryption
generally. He supports a backdoor for the government to access information. He has his
legitimate reasons behind it. This bill is intended to curb child abuse, child pornography,
those types of things. But he is very hostile to the concept of encryption.
And if he has his hand in putting these regulations together,
this is likely going to be something that Signal will choose not to comply with
because it would go against the mission of their messaging service.
And if they fail to comply, they would be subjecting themselves to legal liability
and would have to leave the market.
And they let their users know about this. In a long blog post, they basically said,
look, if you enjoy our application, you better start making some calls to your senators.
Right now, this has bipartisan support. There's a lot of opposition among privacy groups,
and we need you, our users, to make your voice heard,
to tell your members of Congress that you value our service, you value end-to-end encryption,
and you think the EARN IT Act is going to undermine that service.
Well, and a lot of folks make the point, which I think is correct, that encryption is not exotic.
So if we're trying to protect ourselves from bad guys,
there's nothing keeping a bad guy
from going offshore of the United States
and finding some end-to-end encrypted app
that's available somewhere else and making use of it.
Right, and in that sense,
this sort of introduces a perverse incentive
for people to use overseas applications, applications that aren't headquartered in the United States.
Because, yeah, as you say, this encryption is going to exist.
It's just whether the commission writes into regulation that this type of encryption doesn't comply with the commission's best practices, and thus companies aren't going to be subjected to this flood of lawsuits. So I think you're right that any bad guy could find
an encrypted application. There are a lot of them out there, especially those that originate outside
of the United States. And I think that's a large purpose for such widespread opposition to this
piece of legislation in Congress. And I actually just, you know,
commenting on that opposition, it's interesting because for people who don't know a lot about
digital privacy, when you read the plain language of this act, it seems like a no-brainer. You know,
we're trying to protect against child exploitation. Let's put best practices in place to ensure that,
you know, the government can get the bad guys if it needs to. So it's good that these privacy groups and
some of these applications, like Signal, that have a loyal
user base are getting their voices heard on this matter.
Isn't it sort of that phrase, best practices?
Isn't that a bit loaded in this case?
It is. Best practices is consultant speak.
So I'm always wary of that term.
They're using best practices,
but when you're threatening to remove a liability shield,
it's not really best practices.
It's more like, do this or you're going to get sued.
Nice company you got here.
It would be a shame if anything were to happen to it.
Exactly, yeah.
Best practices kind of implies this would be a good idea for you.
It would be a good idea for you to engage in these practices,
not you're going to be sued out of business if you don't comply.
So yeah, it definitely is a loaded term.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Thanks for listening. We'll see you back here tomorrow.