CyberWire Daily - The pandemic and trends in cybersecurity. The secret to the handset's low, low price? Fleeceware and adware. TikTok's lawsuit. Influence ops. Bogus Bitcoin exchange.
Episode Date: August 25, 2020
Security trends during the pandemic include shifts in underworld markets and some enduring changes in the way organizations approach cybersecurity. Discount phones come preloaded with adware and fleeceware. TikTok files its lawsuit. Ben Yelin on the Massachusetts Attorney General creating a data privacy office. Our guest is Nitzan Miron from Barracuda Networks on how brick & mortar shops have accelerated their shift online. And spoofing a Bitcoin exchange to spread malware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/165 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Security trends during the pandemic include shifts in underworld markets and some enduring changes in the way organizations approach cybersecurity.
Discount phones come preloaded with adware and fleeceware.
TikTok files its lawsuit.
Ben Yelin on the Massachusetts Attorney General creating a data privacy office.
Our guest is Nitzan Miron from Barracuda Networks on how brick and mortar shops have accelerated their shift online. And spoofing a Bitcoin exchange to spread malware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 25th, 2020.
It's probably worth taking stock of how the pandemic has been affecting cybersecurity since several organizations have released studies of trends
they've been seeing and that they're now prepared to project into the mid-future.
First of all, COVID-19 has had an effect on the underworld and its markets themselves.
Stolen credentials had been dropping in price before the pandemic hit, showing a long-term trend of commodification. Not only was the market flooded, but aggressive law enforcement had made the merchandise harder to move, producing a crash in prices.
But that's changed over the last few months. Tech News World says the pandemic has reversed an underworld trend, driving stolen credential prices up. Credentials for delivery services and physical fitness brands are particularly valuable. A compromised Instacart account goes for an average of $22. Peloton credentials sell for $18, Postmates for $15, and Amazon for $14.50. People want to stay at home, and they'd like to stay fit.
Some of the increased interest in these credentials derives from new users of these services, whom criminals find susceptible to fraud, and their stolen credentials are fresh.
On the side of the defense, Microsoft thinks it sees five enduring trends for the security industry.
According to a summary in Tech Republic, Redmond calls the first of these digital empathy,
that is, the importance of designing a user experience for remote work that suits the user's needs
and facilitates safe and security-conscious behavior on the part of employees working from home.
Second, remote work has made the ability to handle an influx of potentially unsecured devices a priority.
Microsoft's study suggests that 94% of the companies surveyed were in the process of deploying zero-trust capabilities.
Third, more data sets make for better intelligence.
Phishing has risen, and organizations are finding that the ability to collect and analyze a diverse range of data enables them to recognize and block threats before they reach users.
Fourth, cyber resilience is now perceived as fundamental to business operations.
And fifth, the cloud has come to be seen as a business imperative.
It not only serves efficiencies, but more importantly, it's come to be regarded as a crucial cybersecurity investment.
So how will things change as the pandemic eases or recedes into the background?
It's early to say, but a study by TransUnion concludes that as businesses reopen their physical locations, scamming attempts against organizations have fallen off from their pandemic highs.
But COVID-19-themed fraud directed against consumers has picked up some of that slack.
An investigation by Secure-D and BuzzFeed concludes that discount Chinese phones, sold for the most part in underdeveloped markets, arrive in consumers' hands with adware and fleeceware pre-installed.
Most of the users affected have been located in Africa.
The phones most affected are Tecno W2s, an inexpensive device that goes for about $30 in Johannesburg.
The Tecno W2 is produced by Shenzhen-based Transsion, which since entering the market in 2014 has become Africa's leading seller of handsets.
As expected, TikTok has sued the U.S. government over the executive order that found the company a security threat. The Washington Post reports that TikTok says the government ban is not rooted in bona fide national security concerns. In its explanation of the suit, the company cites the steps it had already taken to secure user data, and it alleges that the executive order constitutes a violation of due process.
And finally, Information Security reports the conclusions of researchers at the firm Abnormal Security
that criminals are impersonating BTC ERA, a widely used Bitcoin trading platform.
Victims are phished with encouragement to send money to what they're told will be an investment. As an investment scam, it's a little more plausible than the conventional advance fee scams, proverbially run by those purporting to be the bereaved widows of Nigerian princes who've been moved to ask you to deposit a bit of cash, throwing your bread upon the waters, as it were, with the prospect of a big, big payout. This one is, as we've noted, marginally more convincing, especially given the feeding frenzy of pink sheet altcoin speculation. It's more convincing because the criminals use the entirely legitimate and widely used email marketing provider Constant Contact to distribute their phishing emails. This also makes it easier for them to reach a big contact list without having to craft and spoof persuasive sender email accounts. And the goal seems to be installation of malware as opposed to the direct theft of the old-fashioned advance fee scam.
The crooks ask for a minimum deposit of $250, which you can ride to wealth. The phishing message includes a link helpfully placed so the investor can follow it and create an account. After a meander through multiple redirections, the investor winds up on a landing page that requests permission to show notifications. Why not, figures the investor, who's now ready to get speculating.
When the investor clicks Allow, that enables adware to run on the now-infected machine. The adware monitors user behavior and enables the criminals to spam from the victim's machine.
So, speculate if you must, but speculate with caution.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
There's no question that online merchants like Amazon and Shopify have had an advantage over traditional brick-and-mortar shops when the pandemic shutdown hit. In order to survive, many of those brick and mortar shops have accelerated their shift to online sales. Nitzan Miron is Vice President of Product Management, Application Security Services at Barracuda Networks, and he shares his insights on securing that transition.
So what I think I've been seeing is this huge change that specifically comes from businesses that were not really set up to do online services before. Retail is probably the biggest service, but there are many others, whether it's real estate, car buying, many other professions where in-person was really a big part of what they do. And with the pandemic starting, they found themselves in a position where it's either innovate or die. And what I've seen from the businesses I've spoken to is there has been a huge amount of innovation in a very short amount of time. People that never thought that within, you know, two, three weeks, they could launch a new app and change their business model entirely, but they've been doing it. And there have been amazing innovations like, you know, video tours for real estate or video tours of cars that you want to buy or contactless delivery of cars even. Locker pickup, curbside pickup, and all these things that really, they may have been there before, but not as ubiquitous as they are now.
We're a couple months into this now. And as organizations look back at how they did, what are some of the lessons that they're learning?
The number one lesson is really secure before you deploy. Launching even for a day, even for a week, even just the temporary solution. Cybercriminals are very adept at finding new things and finding updated things and finding weaknesses in them. And if you deploy, say, an open source version of Magento, which is an e-commerce platform, and you deploy a version that has vulnerabilities, you can expect attackers to find those vulnerabilities within 24 hours.
What are your recommendations for organizations now at this stage of the game? Should they have other people come in to take an outside look at what they've done? What sort of things should they do to make sure that they're where they need to be?
You know, a lot of vendors, a lot of security vendors offer free assessments.
And these are automated tools where you log in and you give them some information about your environment and they scan it.
And they give you kind of the attacker's view, right?
Here's what an attacker would have found in your environment.
And it's almost always a free service,
which is obviously a selling point for the rest of the products that you can buy,
but it gives you a really good idea of where you are.
And maybe you're in a good spot, maybe you're in a bad spot,
and it'll come with specific recommendations for how to fix these problems.
Where do you suppose we're going to be when we get on the other side of this? Do you think this is going to have a big impact on how many organizations look at doing business from a broader view?
I really do. And what I've been hearing from a lot of businesses is as soon as they made that shift to online, they found out that customers actually prefer it. Hey, I would love to view a new car from the comfort of my own home using my phone rather than having to drive all the way to a dealership or to a private party. And honestly, as a customer, I would love to continue doing that even when the pandemic is over. And I think a lot of businesses are realizing that this kind of expedited digital transformation that they're going through is actually here to stay. It's not just a temporary stopgap measure. It's actually something that they're going to have to keep online.
That's Nitzan Miron from Barracuda Networks.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Ben, great to have you back.
Good to be with you again, Dave.
Interesting article came by. This is from Wall Street Journal Pro in their cybersecurity section, written by David Uberti. And this is about the Massachusetts Attorney General creating a unit to police data privacy and security abuses. It's an interesting development here, Ben.
Yeah. So a number of states have taken this step, and Massachusetts is the latest to do so. The Attorney General appointed an Assistant Attorney General to lead this department. It's a small group of states that have established these data privacy offices, but it is a growing number of states. And I think it's certainly in reaction to a need. I mean, we've had high-profile data breaches, and states want to be at the forefront of protecting their consumers. And so I think it's certainly a commendable effort on behalf of the state of Massachusetts.
What sort of things are they going to be focusing on here?
I just think it's a general focus for consumers on protecting their data privacy, both from breaches and from malicious actors, and looking at deceptive practices that result in the undue collection of consumer data. So you have instances where a company might be misleading a consumer about what data is being collected. This is the type of office that would investigate and potentially levy fines or file lawsuits against one of these companies. So it's kind of like any consumer watchdog organization housed within a state government where they're going to be proactive and look at potential abuses of consumer privacy and try and take legal action against it.
Now, have you been seeing any sort of pattern when it comes to states establishing these offices? Are we seeing these more in blue states or red states, or has it been a pretty even mix throughout?
So it tends to be more blue states. They generally have more active governments and are more eager, shall we say, to enact regulations. But it's not solely Democratic states. Your prototypical purple state, Florida, started a similar organization. They built a dedicated privacy and security enforcement team housed within the Consumer Protection Division of the AG's office, the Attorney General's office in the state of Florida. And, you know, they were able to have a robust department, three attorneys dedicated full-time to data privacy.
I mean, I think part of it is if you were to just have your standard consumer protection agency or sub-agency of an Attorney General's office, it would be difficult to handle the influx of reports that come into these offices about data breaches and privacy breaches. So I think having a dedicated office is something that's going to make a huge difference. Now, as it is always in these situations, it's going to come down to whether sufficient resources are being allocated to these departments. I think they say in Massachusetts, it's going to be two attorneys to start. So that's relatively limited. And I think when Attorney General Healey wanted to start up this division, she probably didn't realize that we'd be entering a global recession where state and local revenues are going to be drying up and it's not going to be easy to expand state governments. So I think that's going to be the main constraint here in trying to develop an effective agency.
What about within the states themselves? In other words, are these folks sort of functioning as consumer advocates, as consumer watchdogs? Is it expected that they would be, within state government, reaching out to other departments? You and I have talked about stories, for example, where DMVs are sharing lots of information about people. Would these folks be advocating for consumers within the state government itself?
Absolutely. I mean, I think that's fully within their purview.
Now, there are some state government organizations that are more devoted to internal audits of government agencies. And, you know, so there might be some cross-jurisdictional efforts there. But I think if you're going to have a data privacy effort, you have to realize that data breaches happen and abuses of data privacy happen in both the public and private sectors. So you can't have an effective office if you're not solely focused on one or the other.
Another thing I thought is interesting here is a lot of states want to sue some of the big companies where there have been these high profile data breaches like Equifax. And if you have an office like this that you've set up, you're really on the front lines in terms of enforcement and regulations. You're going to be best situated to join one of those lawsuits, to be one of the attorneys general who enters into that type of lawsuit. And that's going to be very beneficial for your state's consumers, particularly if there's some sort of large settlement, as we've seen in a number of these data breaches.
So that's kind of the tangible benefit I would see from the consumer's perspective if you live in one of these states. Because as an individual consumer, you don't have much bargaining power. You or I, it's going to be tough for us to go one-on-one with Google on a data privacy lawsuit. But if your state has a dedicated team focusing on data breaches and potential privacy invasions, then it's going to be much easier to develop a cause of action.
Right, and they're going to even just demand a response from large tech organizations.
Absolutely, absolutely.
All right, well, interesting stuff. Ben Yelin, thanks for joining us.
Thank you, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it stays crunchy even in milk.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Thanks for listening. We'll see you back here tomorrow.
Thank you.
practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.