CyberWire Daily - Supply chain attack warning. CFAA clarified. COVID-19 and its economic squalls.

Episode Date: March 31, 2020

FBI warns of another supply chain attack, this one distributing the Kwampirs RAT. More exposed databases found. The US Computer Fraud and Abuse Act gets some clarification from a Federal Court. Security and networking companies are weathering the COVID-19 economic storm, but not without squalls, some legal, some cyber, and others just reputational. Ben Yelin from UMD CHHS on ending targeted advertising, guest is Brendan O’Connor from AppOmni on the state of cloud security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_31.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The FBI warns of another supply chain attack, this one distributing the Kwampirs RAT. More exposed databases have been found. The U.S. Computer Fraud and Abuse Act
Starting point is 00:02:05 gets some clarification from a federal court. Security and networking companies are weathering the COVID-19 economic storm, but not without squalls, some legal, some cyber, and others just reputational. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 31, 2020. The U.S. FBI warned yesterday that the advanced persistent threat group behind the Kwampirs malware has been using the remote access Trojan to establish itself in a wide range of enterprises. The Bureau says the healthcare sector is particularly at risk. Kwampirs gains access to its targets via their supply chains. While it appears to be an information collector and not functioning as a wiper,
Starting point is 00:02:56 the FBI notes that several code-based similarities exist with the data destruction malware Disttrack, commonly known as Shamoon. ZDNet observes that this is the third supply chain warning the FBI has issued in as many months. The supply chains affected include hardware supply chains. Two more exposed databases have been found as people continue to be careless in the cloud, where too many stumble around in a fog. The Australian Broadcasting Corporation reports that a data leak from the country's federal courts exposed the names and related information of at least 400 refugees seeking protective
Starting point is 00:03:35 asylum. Comparitech reports finding a database that contains usernames and phone numbers for a third-party unofficial fork of the Telegram messaging app. The users whose data were exposed are in Iran, where Telegram is banned. The U.S. District Court for the District of Columbia has ruled in a test case that violating a site's terms of service does not in itself constitute a crime under the Computer Fraud and Abuse Act. The test case was brought by researchers who wanted to use fictitious personas
Starting point is 00:04:06 to sign up for some online services as they studied various aspects of the sites' behavior. There was no question of fraud, but using a fictitious persona violated most of the sites' terms of service, and so the researchers prudently sought clarity about the famously inclusive CFAA before proceeding. There are too many reports of COVID-19-themed cyber threats to summarize quickly. As Proofpoint and others have been pointing out, the topic dominates the phish bait, clickbait, and other bait currently chumming the online waters. You can check out the CyberWire's daily briefing for a curated set of links to all of the
Starting point is 00:04:45 glum news. Success draws attention for better and for worse. While Zoom has certainly drawn investors' eyes in a good way, it's also attracted the ministrations of white-hat researchers, cybercriminals, the plaintiffs' bar, and state attorneys general. The platform's encryption isn't really end-to-end, the Intercept reports. Instead, it uses familiar transport encryption, which gives Zoom itself the potential to access its users' traffic. Check Point describes the ways in which criminals have registered domains that include the name Zoom.
Starting point is 00:05:20 These domains are, of course, up to no good at all. Zoom was also discovered to have been sharing analytic data with Facebook, a practice Zoom halted after it came to public attention, but not in time to forestall a class action suit under California's unfair competition law, Consumers Legal Remedies Act, and Consumer Privacy Act. And the New York Times reports that all of this news has prompted the New York State Attorney General to ask Zoom for an explanation of its privacy and security policies. Many organizations rely on continuous monitoring to make sure that their SaaS solutions aren't inadvertently leaking data as a sort of backup against the risks that can come with increased complexity. Brendan O'Connor is CEO at AppOmni,
Starting point is 00:06:10 and he shared his thoughts with me at this year's RSA conference. So I think that SaaS providers do, for the most part, an excellent job of their portion in the shared responsibility model. They patch quickly, they patch holistically, they harden their infrastructure, they guard their perimeter. But buying a safe car doesn't make you a good driver. Ultimately, you're responsible for configuring and running that application. And these applications are so powerful, they can run and adapt to almost any conceivable business process. The cloud provider doesn't always know where you're trying to go with the application. So it's possible that people do things like share data with the public internet, or expose or overprivilege
Starting point is 00:06:45 APIs that were meant to be internal. And for the most part, speaking about the language barrier, you have the line of business or IT business specialists that are running these systems. So does it ultimately come down to most of these issues being with the users themselves of improperly configuring things or losing track of what's what? Absolutely. Or sometimes just not understanding the security ramifications of some of their choices because they're business experts or they're users just trying to get their job done and they have good intentions, but security has no idea what they're
Starting point is 00:07:18 doing. What we usually see is we'll do a risk assessment and analyze the current running state of a SaaS environment and just show security how things are currently configured. One of the things that we tend to find is the amount of third-party applications that users have connected directly into the cloud. Most enterprises have something like a vendor security review program, a sanction process for who is the vendor, do we trust them, do they have the right security controls? Well, in SaaS, they may know about five or 10 different vendors that are connected to their SaaS applications.
Starting point is 00:07:50 We'll come in and do an assessment and show them 40, 60, 100 that they didn't even know about, that have direct cloud-to-cloud access into their data. And again, it's not a malicious insider, it's someone who's just trying to get their job done, and they installed something on their iPhone and authorized it via OAuth, or they connected something through their browser, and now it has direct access to their SaaS systems. And then what happens next when you establish what your baseline is? What's the next step? How do you correct for those things without disabling all of those things that people put in place for legitimate business purposes? That's the hard part.
Starting point is 00:08:30 And at AppOmni, what we're really solving is that specific problem. How do you put guardrails around your users? You don't necessarily know where they need to go. You need the business to be able to move fast and in the direction that it needs to move. You can't stop the business. But you don't want them to drive the car off a cliff either. And so when we think about guardrails, what we're able to do is assert a minimum level of access to make sure that certain critical business
Starting point is 00:08:53 functionality is not impacted. And also a maximum boundary on what kind of security controls need to always be in place, or what kind of data access should never be possible. Most of our customers get started with a global external policy that says the public internet shall not have access to any internal data. I may have some role-based access control I need to deal with with my contractors and my outsourcers or third parties, but let's just start with people completely outside my environment and making sure that they don't have access. Where do you think we're headed
Starting point is 00:09:25 when it comes to cloud security? As it continues to mature and you look down the road, where do you think these things have to land? I think a lot of the problems that we're facing today in cloud are the same problems we were facing yesterday in on-premise. I like to sum it up as, can you be excellent at the ordinary?
Starting point is 00:09:46 There's a lot of security basics that you need to do. You're not immune from a breach or compromise. There's always the human element and good people make mistakes and they click on phishing and download malware. But if you are doing the ordinary things really well everywhere, I think that you're in a highly defensible position. That's Brendan O'Connor from AppOmni. It's not just Zoom that's getting attention either. Houseparty is another service whose popularity has risen sharply. Houseparty is more a virtual hangout than it is a teleconferencing tool like Zoom,
Starting point is 00:10:18 but its usage has similarly surged because there's more to life than work. You show up, you see who else is there, and you chat among yourselves, thereby overcoming self-isolation. Anyway, panicky users have been telling each other that Houseparty is unsafe. A representative post on social media, and that's where this particular threat report is being sourced, reads like this, courtesy of the moderately skeptical Express, Delete Houseparty!
Starting point is 00:10:51 They are hacking into Spotify's, Snapchat's, and even online banking. Delete your account before deleting the app. Here's another one, more lurid, recounted by the utterly skeptical ZDNet. Quote, I'd urge everyone to delete Houseparty. My car was stolen this afternoon, and I was then robbed at gunpoint by a man in a balaclava. I've absolutely no doubt that Houseparty is Perhaps we digress. What we mean is, while the influencers have been barking this stuff at the internet, and while much of it's been picked up by Fleet Street, the skedaddle seems particularly strong in the UK. It's not clear just who or what spooked the herd. So, madness of crowds or a commercial conspiracy to do reputational damage? Or both?
Starting point is 00:11:36 Houseparty's leaning toward both. The company tweeted, We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1 million bounty for the first individual to provide proof of such a campaign to bounty@houseparty.com. As Naked Security points out, the only thing the claims of hacking lack is evidence. Houseparty itself immediately and consistently denied that anything was going on. Quote, All Houseparty accounts are safe, the service is secure, has never been compromised,
Starting point is 00:12:11 and doesn't collect passwords for other sites. End quote. Admittedly, they don't address grand theft auto or armed robberies by button men in balaclavas, but in fairness, there's only so much you can squeeze into 280 characters. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:12:41 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:13:16 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:12 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:50 And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the Caveat podcast. Hello, Ben. Hi, Dave. So every now and then an article comes by and I read it and I just can't get it out of my head. And this is one of them.
Starting point is 00:15:08 This is from Wired Magazine written by Gilad Edelman. And it's titled, Why Don't We Just Ban Targeted Advertising? And I think what he's getting at here is sort of this thought exercise of why don't we just get rid of the original sin of the internet, as it were, which is let's just get rid of the targeted advertising that would fix all sorts of ills that ail us. Unpack this for me here, Ben. What's going on? It's really a fascinating article because it's an idea that's so far-fetched given that I think the article mentions Google makes something like 90% of its revenue from targeted advertising. To me, it's so far out of the realm of possibility of actually happening that it makes it more interesting to read about. Basically, the argument is that targeted advertising is everything that's
Starting point is 00:15:57 wrong about the internet. It's the reason why websites collect information about us when we visit them, which is bad. It's the reason that we have these algorithms on sites like YouTube and Facebook, which direct us to content that's harmful in a political sense, in a social sense. And it really should persuade us to take a radical step in banning this type of targeted advertising. One thing I like about the article is it does grapple with what the alternative would be. It would be the type of advertising that existed in the pre-internet age where all of us would drive by the same billboards. I have very little use for a Chanel billboard, but I drive by it. That makes the advertising less effective because from Chanel's perspective,
Starting point is 00:16:46 you're getting a pair of eyes that's not actually going to net you any new sales. So the advertising wouldn't be very efficient. And that means that the companies would have to make up the revenue somehow. How would they do that? I mean, there's really a couple of options. They don't want to charge users a fee to use their services because they'd lose too many users. I mean, if Facebook started charging us $10 a month to use Facebook, I know that I would immediately quit Facebook. And I assume that's true for a lot of people, a lot of my contemporaries. The other option is charging for some sort of premium service.
Starting point is 00:17:21 So maybe you can get a basic Facebook, but if you want certain features, access to certain applications, etc., you buy the premium version. And that's a way that Facebook could make up the revenue if it didn't have targeted advertising. Right. So that's sort of the choice we'd have to make as consumers. Targeted advertising, as this article I think makes very clear, has its detrimental impacts. But the alternative is they'd have to make up the cost somehow, and those costs would be passed on to us.
Starting point is 00:17:53 One thing that's interesting is they do have... It's preliminary data, but it's interesting data that I think was done in Europe. That when they gave the people the option of opting out of targeted advertising, I think something like 90% of the consumers did decide to opt out. And whether they were fully aware of what the alternatives were and whether that's something that would be scalable, I think that question's unknowable. But I think that's certainly... the article is certainly eye-opening and it's one of those possibilities that's fun to ponder even though we don't think it's going to happen. Here's what I can't help wondering, though.
Starting point is 00:18:32 You know, back in the old days when dinosaurs still walked the earth before the internet, the wheels of commerce still spun. And if I was an advertiser, maybe I would want to put one of my products on a soap opera that ran during the day. And maybe I would want to put ads for a different product on Gunsmoke that ran at night because I would know that those different TV shows attracted different types of audiences. I might not know down to the individual level, you know, the age, the sex, the sexual preference, and all those things. Right, but you'd be getting a better cross-section. Right, exactly. So what's so bad about that?
Starting point is 00:19:16 I mean, to me, it seems like if I'm running a website that is focused on people who like to knit, you know, well, that's a great place for someone to advertise their knitting needles or things like that. So it strikes me that those opportunities would still be there. It's just this obsessive level that we've become accustomed to. Or it's uber micro-targeting. Right, right. I do like the theoretical world where, okay, I'm interested in sports, but what if there's an advertisement for an art gallery on my ESPN homepage? That's actually... Maybe that would make the world a better place because we could expand our horizons, pursue different interests,
Starting point is 00:19:58 different products that we otherwise wouldn't be familiar with. But it would be taking away those types of advertising mechanisms for the companies, but also the convenience of the users of kind of only seeing what the algorithms think that we need. Yeah. All right.
Starting point is 00:20:15 Well, certainly, if nothing else, an interesting thought exercise. Like I said, I've been thinking about it a lot. Ben Yelin, thanks for joining us. Yeah, absolutely. Highly recommend the article as well. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:20:43 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. CyberWire? For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup
Starting point is 00:21:41 studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:22:36 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Thank you.
