CyberWire Daily - The Cyberspace Solarium reports. Coronavirus scams and coronavirus realities. Notes on March’s Patch Tuesday.

Episode Date: March 11, 2020

The Cyberspace Solarium has released its report, as promised, and they wish to make your flesh creep. Coronavirus scams and phishbait amount to what some are calling an “infodemic.” Some notes on Patch Tuesday, and, finally, some words on the actual coronavirus epidemic. Joe Carrigan from JHU ISI on FBI recovering stolen funds, guest is Josh Mayfield from RiskIQ on his 2020 predictions. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_11.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 The Cyberspace Solarium has released its report as promised, and they wish to make your flesh creep. Coronavirus scams and phishbait amount to what some are calling an infodemic. Some notes on Patch Tuesday, and finally,
Starting point is 00:02:10 some words on the actual coronavirus epidemic. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 11, 2020. The U.S. Cyberspace Solarium released its report today, which includes, as foreseen, 75 recommendations grouped under six headings. First, reform the U.S. government structure and organize for cyberspace. Second, strengthen norms and non-military tools. Third, promote national resilience. Fourth, reshape the cyber ecosystem. Fifth, operationalize cybersecurity collaboration
Starting point is 00:02:53 with the private sector. And finally, preserve and employ the military instrument of national power. The recommendations are framed against the background of national vulnerability to a sudden disabling cyber campaign. That possibility is established imaginatively within the report by an introductory piece of fiction, a warning from tomorrow, in which legislative staffers working from a Rosslyn, Virginia, high-rise
Starting point is 00:03:19 survey the cyber-induced devastation across the Potomac with a sense of despair and futility. The river itself is discolored red with the release of the wrong chemicals from upstream treatment plants. The city's low-lying areas were flooded from reservoirs drained when their sensors were hacked. Drone wreckage litters the mall, and so on. The story speaks of Capitol Hill, and of course Rosslyn is across the Potomac from the actual Capitol Hill, but clearly the writers are dealing with the geography of the spirit, not prosaic real estate. Cyberspace, as the Solarium sees it, is an incipient dystopia. We quote, while America looks forward to the potential of cyberspace and associated technologies
Starting point is 00:04:02 to improve the quality of human life, threats continue to grow at an accelerating pace. America is facing adversary nation-states, extremists, and criminals that are leveraging emerging technologies to an unprecedented degree. Authoritarian states seek to control every aspect of life in their societies and export this style of government, in which surveillance trumps liberty, to the rest of the world. There is no public square, only black boxes proliferating propaganda and organizing economic activity to benefit the few at the expense of the many. Rogue states, extremists, and criminals thrive in the dark web, taking advantage of insecure network connections and a market for malware to prey on victims. End quote.
Starting point is 00:04:48 There's no mystery as to the identity of the principal nation-state adversaries this time around, either. They're the familiar four, Russia, China, Iran, and North Korea. The non-state actors the report cites are also familiar, criminal gangs, hacktivist organizations, lone wolves. Like the report of the original Cold War Solarium, which considered nuclear strategy, the Cyberspace Solarium used three teams to come up with competing approaches to the challenge it was set. Also like the original, the new Solarium's recommendations concentrate heavily on deterrence and resilience. The commissioners offer some big ideas to get the conversation started. These include the conviction that deterrence in cyberspace is possible,
Starting point is 00:05:31 that such deterrence relies on a resilient economy, and will require government reform, that the private sector must up its own security game, and that election security must be given high priority. Deterrence would involve defending forward, would be layered, the report says, designed to shape behavior, deny benefits, and impose costs. Thus, prospective attackers who worked the calculus of cyber conflict would be dissuaded first by international entanglement and international norms. The low probability of deriving any benefit from an
Starting point is 00:06:04 attack would further persuade them that offensive action would be largely futile. And finally, in the third level, the sure prospect of retaliation, punishment, the imposition of costs would convince them that it wasn't in their interest to attack. The logic of deterrence, the report says, hasn't substantially changed in more than half a century. Josh Mayfield is from security firm RiskIQ, and he joins us with insights on what he describes as the coming age of conquest and information control. One of the things that's probably under-emphasized is the motivating imperative that attackers feel that really drives a lot of their behavior. I mean, these are belief-generating, goal-seeking animals,
Starting point is 00:06:47 as all humans are. And so one of the things that's necessary is to understand what those motives are. And one of the things that I had mentioned that got this conversation going was that, rewind the clock 20 years ago or so, and the main driver, the main motive, was notoriety within someone's own
Starting point is 00:07:07 social clique, right? The notoriety and the esteem I would get among my peers. And that motive gave way to a more financially driven motive, primarily snatch and grab. So let me break in, steal, and then go pawn it off somewhere else. And now we see another wave, another epoch that I see and that we see at RiskIQ is that it's moved into conquest. And so now, no, I don't just want to break in and steal and take away and sell to someone else who might want this piece of digital material, whether it's, again, a Social Security number or a resource itself. We're seeing a mindset shift where instead of trespassing like it used to be, you know, notoriety among your group, oh, you snuck in. Oh, you found the weaknesses. Oh, aren't you extraordinary, to financial gain and now all the way to direct conquest. Well, I mean, let's explore that a bit. I mean, given what you're saying here,
Starting point is 00:08:08 that we've reached this point of professionalism and the way that the bad guys are coming at us, what is the appropriate response these days then? How do organizations best prepare themselves for defense? The best way to prepare yourself for defense, especially in an age where there's the baseline of savvy is much higher. The people that are going into the cyber criminal profession are people that are coming in with a higher baseline. And so you have that sophistication and skill set that's already being developed. And then when you add to it the opportunity and the motive that drives all of us, but then the opportunity because the flank is open, it's a short hop, skip and a jump for someone to enter that criminal behavior. And so when you have just more of them,
Starting point is 00:08:56 they have more skills and they have more opportunity to take advantage of a weakness because there are more weaknesses that are going unnoticed, that's the part that organizations can control. We can't change the motives and the drives of an attacker. We can't even change what their skill sets happen to be. But what we can do is we can reduce their opportunity. We can neutralize that tendency to go from esteem to theft to conquest. We can be a very inhospitable environment for them to try to tiptoe into because we have eyes everywhere and we can see all of that. Risk and threat work in cybersecurity is a game of probabilities. What we can focus on, what we can put our attention on is lowering the probability of exploit. And the best way to do that is by seeing all those places where it could happen and mitigate any of the risks and exposures before they actually are hit. And I would just say that that's one of the things to really focus on.
Starting point is 00:09:53 We can do a lot of work trying to interpret and understand an APT. We can look into nation states and we can imagine worst case scenarios. But in reality, what ends up getting hit is the exposure you didn't see coming that was just opportunistically available for an attacker at the right time. That's Josh Mayfield from RiskIQ. Take the coronavirus seriously, but stay alert to COVID-19 themed scams. Know beforeQ, and others share warnings about this trend. It's the usual sad, all-too-often-sadly persuasive stuff. Buy this cure, buy this product, donate to this charity, and all will be well. Yesterday was Patch Tuesday, and Microsoft addressed a total of 115 vulnerabilities,
Starting point is 00:10:42 26 of which are rated critical, 88 are considered important, and one is held to be moderately severe. The good news is that none of them appear to be currently exploited in the wild. Mozilla also released updates for Firefox and Firefox ESR yesterday. Their patches resolved 12 distinct vulnerabilities. The most serious Firefox vulnerability addressed exposes unpatched systems to arbitrary code execution. We heard from security firm Ivanti on March's round of patches. Their recommendation is to give priority to Windows OS, Microsoft Office, and browser patches
Starting point is 00:11:19 this month. Adobe did not issue its usual round of patches, Help Net Security reports. It's not immediately known whether Adobe will push fixes in the near term or not. And finally, at least two of our industry's own have come down with COVID-19, the coronavirus strain that's been the source of so much concern. Exabeam says that two of its people have come down with COVID-19, and we wish them a swift and complete recovery. It's not clear when they contracted the virus, but both of them were at Exabeam's booth in the Moscone Center last month. Symptoms appeared after their return from the conference.
Starting point is 00:12:03 If you are at RSAC, Exabeam urges that you take whatever steps you find prudent to ensure you're not affected. For their part, RSAC says they've been monitoring the outbreak but haven't yet found any clear link to the conference. Nonetheless, the conference organizers urge anyone who attended to refer to CDC recommendations concerning testing, treatment, and prevention of COVID-19. The CDC emphasizes that the best prevention is to avoid infection and the measures they recommend are familiar from advice given during flu season. Wash your hands frequently, avoid places where you might be exposed, and so on. Vox has a summary of advice from public health experts on what individuals and
Starting point is 00:12:38 organizations can do to slow the rate at which the virus spreads. Their headline sums it up. Cancelled events and self-quarantines save lives. The cases of Exabeam's people aren't trivial. One of those affected is hospitalized in guarded condition, CRN reports. Spare a thought or a prayer for two of our colleagues and their families and stay safe.
Starting point is 00:15:21 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. Interesting story you have to share this week. This is some good stuff coming out of the FBI. Yes, it's a mixed bag of stuff.
Starting point is 00:15:44 It's interesting and it's good. And I don't mean to disparage the FBI here. I think what they're doing here is great. Yeah. But the headline, this is from CyberScoop, it says, an FBI unit recovered $300 million of reported cybercrime from losses last year. But that's out of $3.5 billion in losses. So it's less than 10% of the money that was lost they've
Starting point is 00:16:05 recovered. However, yeah, $300 million is nothing to sneeze at. No, um, no, not at all. And not at all. They've spoken with, uh, Tonya Ugoretz, who is a deputy assistant director from the cyber division, and she was talking about the, uh, the Internet Crime Complaint Center, the IC3, that responded to more than 467,000 complaints in 2019. Now, there were 351,000 complaints in 2018. So that is a huge increase. And something that I find amazing about this is every one of these complaints gets analyzed by a person, right? That's amazing. That is amazing. I mean, that you can get more than a close to half a million complaints and every one of them gets examined by a person at some point. I'm just trying to imagine the staffing that requires. Yeah, it's huge. Some interesting statistics in this of the 3.5 billion that was stolen last year, 1.7 of that,
Starting point is 00:17:03 1.7 billion of that was taken from business email compromise scams. These are very sophisticated scams where people are in your email. We've talked about them on Hacking Humans. We've talked about them here. They're watching the conversation. And when the time is right, they inject a message into the conversation that says, oh, by the way, we're changing our banking details, and here's the new banking information. And then the money gets sent to the scammers or to the criminals, and off it goes. And then it's very difficult to recoup that loss, particularly if
Starting point is 00:17:36 you're doing a wire transfer. Yeah. They talk about a particular case here where someone transferred $785,000. Yeah. This is a case out of New Jersey. Someone who was buying a home believed they were transferring almost $800,000 to a lender, but was actually sending it to an imposter masquerading as a bank. When this happens, it's absolutely devastating because that transaction is not happening again.
Starting point is 00:18:00 Because if you can't get that money back, then you don't have another $800,000 lying around to buy a home. Right. Right. I imagine this was a down payment on a large property. Yeah. But, you know, you're not going to have that money laying around again.
Starting point is 00:18:14 This happens at smaller scales, too. We've seen this happen where people lose down payments of like $20,000 that they're putting down on a house that cost $150,000. Sure. And these are people who have worked for years to save up that $20,000. Yeah. And now it's gone. And now they can't buy a house, which is, you know, one of the great things that we like to do here in America
Starting point is 00:18:33 is we'd like to have home ownership. Yeah. Right? They say in this article that in this case, the recovery asset team was able to get $665,000 of the money back. Right, which is a great ratio for that. And evidently, there was also an insurance policy that'll help make up the difference. Well, that's good news.
Starting point is 00:18:53 It is good news. Unfortunately, very unusual, I think, in this sort of case. It is. This person transferring $800,000 probably is aware of the risk in doing this. They probably have insurance for this purpose. Good for them. But again, like I said, when this happens to someone smaller, some first-time homebuyer who might be 25 years old, doesn't have a lot of money, it's devastating. Yeah. Well, a good reminder that folks like these teams at the FBI are out there
Starting point is 00:19:22 fighting the good fight and they are able to claw back some of this money, but not as much as you'd hope. Yeah, not as much as you'd hope, but I think they're getting better at it. And I think there's ways to make this better with policy and checks and balances in the system, as well as criminal prosecution. And I think that we're going to start seeing a lot more of that over time. All right. Well, interesting story. Joe Carrigan, thanks for joining us. My pleasure, Dave.
Starting point is 00:20:02 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Starting point is 00:21:21 Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
