CyberWire Daily - Trends in COVID-19-themed cybercrime. Social media seek to inhibit the misinformation pandemic. Corp[dot] off the market. BEC in cloud services. Investment notes. Big big fraud.
Episode Date: April 7, 2020
Criminals increase their targeting of hospitals and pharmaceutical companies. Ordinary scams proliferate worldwide, using COVID-19 as their bait. Social media seek to inhibit the flow of coronavirus misinformation. The commodification of zero-day exploits. Corp[dot]com is no longer available. FBI warns of business email compromise via cloud services. A quick look at investment, and, finally, something other than the Brooklyn Bridge is for sale. Ben Yelin from UMD CHHS on a class action lawsuit against Zoom; our guest is Matt Davey from 1Password on shadow IT trends, security risks, and best practices for oversight. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_07.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Criminals increase their targeting of hospitals and pharmaceutical companies.
Ordinary scams proliferate worldwide using COVID-19 as their bait.
Social media seek to inhibit the flow of coronavirus misinformation.
The commodification of zero-day exploits. Corp.com is no longer available. The FBI warns of business email compromise via cloud services. A quick look at investment. And finally, something other than the Brooklyn Bridge is for sale.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 7th, 2020.
The COVID-19 pandemic seems not to have induced much repentance or even restraint among cyber criminals.
Contrary to the hopes of criminal good behavior that some may have entertained, ransomware attacks against hospitals have predictably not only continued despite criminal protestations of good intentions, but appear to have increased.
An Interpol warning suggests that the value of access to data during a health emergency
has been too much for the criminals to resist.
Bleeping Computer, which received promises from some ransomware gangs
that they'd place medical facilities off-limits for the duration of the pandemic emergency,
has been tracking the criminals' activity and reports that Maze, Ryuk, and Sodinokibi
have all been used recently against health care and pharmaceutical targets.
More of the ordinary, dreary scams are being reported around the world.
The FBI, according to Smart Office, received 1,200 COVID-19-related scams in a single week.
ZDNet reports that Brazilian authorities saw a 124% increase in scams last month,
and also that the Australian Signals Directorate is going on the counteroffensive against offshore
grifters targeting Australian citizens. The Australian Signals Directorate, a Five Eyes
counterpart of the U.S. National Security Agency, is, according to its director, working with
telecommunications companies to block fraud and take down the infrastructure that supports it.
Quote, our offensive cyber campaign has only just begun, and we will continue to strike back at these cyber criminals operating offshore as they attempt to steal money and data from Australians, Director General Rachel Noble said.
Back in the U.S., the Wall Street Journal notes that the Securities and Exchange Commission has suspended trading of two stocks over the companies' dubious claims about their activities during the pandemic emergency. Both are obscure penny stocks trading in the relatively lightly regulated over-the-counter market.
Social media providers are grappling with disinformation and misinformation.
YouTube, Facebook, and WhatsApp are trying various measures to come to grips with the volume of fear,
nonsense, and lies in circulation about COVID-19. YouTube is using a relatively soft hand with
borderline content, that is, content not in formal violation of the platform's guidelines, and is especially
concerned about the bogus theory that cell towers, especially when connected to or prepared
for a 5G network, are responsible for the virus.
Videos peddling this particular meme could lose advertising revenue, says YouTube's
corporate parent Google.
They will be removed from search results
and will also see reduced recommendations by Google's algorithm, CNN reports.
The Telegraph says that Facebook is meeting with British government officials this week
to see what it can do to prevent further threats and vandalism inspired by the cell tower panic.
And WhatsApp, according to Computing,
is concentrating on inhibiting the spread of false
information by restricting message forwarding to one chat at a time. A FireEye study concludes that
zero-day exploitation now depends upon money more than it does on skill. 2019 saw an uptick in zero-day
attacks. Quote, we surmise that access to zero-day capabilities is becoming increasingly
commodified based on the proportion of zero-days exploited in the wild by suspected customers of
private companies, end quote. Many of the incidents the report tracks, especially those in the Middle
East, have some connection to NSO Group. The researchers conjecture that the increase in
zero-day use observed over the course of 2019
could indicate either that intelligence services are making more use of private contractors
or that the vendors are selling tools to customers who themselves have more slipshod operational security
and poor OPSEC simply makes the use of zero days more obvious.
Or, of course, it could be both.
If your average worker finds a barrier between themselves and getting their work done,
they are likely going to try to find a way around that barrier, one way or another.
When that initiative finds itself at odds with security, we call that shadow IT.
Matt Davey is from password manager provider 1Password.
We always want to find out more things about how people use 1Password and what happens when they don't use a password manager in a company.
And just from an ethos of the company,
we have zero analytics in any of our apps
and minimal analytics on our marketing site.
So we really don't know that much about our customers
and anything that we want to know, we have to go and find out.
So research plays a huge part in that.
So in this case, you went out and spoke to over 2,000 of your business users.
What are some of the key findings here?
What did they report back to you?
Well, we did actually a wider survey than that.
It wasn't just kind of our users.
We went out and we spoke to the general public.
Yeah, it was really around this concept of shadow IT.
What did you discover?
So we pretty much knew what we would discover.
At least we had an inkling.
Basically, people are sharing and creating accounts outside the purview of IT,
outside this kind of authorized IT.
And I think this is happening mainly due to productivity.
Waiting for IT is quite difficult.
So there's a lot of aspects like that to shadow IT.
One of the interesting stats that you shared was 37% of the folks you surveyed had shared
an account with a colleague. Take us through the implications of that one.
Yeah, I mean, that's another interesting point where they're sharing things. And mostly it's
by things like instant messenger. So
I mean, we're really talking something like Slack. It's, you know, via a spreadsheet. How many times
have you seen that in a company where the password manager is essentially a Google Doc,
and they just share the link out to everyone? It's always difficult to share something like a password and then
take it back. You know, usually it's, again, the departments in a company that are not given a
password manager. But really, some of the ones that aren't given a password manager are holding
almost more sensitive data than the IT team are.
So what were the take-homes from the survey in terms of advice that you can share with
people based on what you learned here?
Most of the problem is unseen passwords, right?
So this kind of shadow IT is that your IT team might have something like a single sign-on
in place.
It might have something that it determines as,
you know, these are the services that you can use.
But most probably there are a bunch of unseen passwords
and unseen services under the purview of IT.
And so really how a password manager can help there is,
you know, it's the understanding that if you install that habit in people,
that then they will, you know,
use that again, both at home and at work.
But it increases that kind of security habit as a whole.
So those, you know, underlying reused passwords
or anything like the services under the scenes,
they might be there,
but at least they're using strong, unique passwords
for those services.
That's Matt Davey from 1Password.
Because it is so susceptible to abuse,
the potentially risky corp.com domain is off the market.
Krebs on Security reports that Microsoft has bought the domain to keep it out of the hands of hackers.
The risk lay for the most part with Active Directory, where namespace collision was a possibility.
Krebs explains that, quote, in early versions of Windows that supported Active Directory, Windows 2000 Server, for example, the default or example Active Directory path was given as Corp, and many companies apparently adopted this setting without modifying it to include a domain they controlled, end quote. With Microsoft having purchased Corp.com, this particular risk has been substantially reduced.
The U.S. FBI warns organizations to be alert for business email compromise scams that exploit cloud-based mail services.
The phishing tackle the criminals use spoofs the legitimate email services.
While most cloud services have security features designed for protection against business email compromise,
they must be properly configured.
A single swallow doesn't make a spring, and neither do a few investments make an economic recovery, still less a boom. But a small flock of venture capital swallows have perched in the cybersecurity sector. Cato Networks at $77 million, Accellion at $120 million, Privitar at $80 million, CyberMDX at $20 million, and Okera at $15 million have all reported new funding this week.
And finally, if we may return to COVID-19 scams, you can forget all about that Brooklyn Bridge.
Could we interest you maybe in the Statue of Unity?
For just $4 billion, it can be yours, art lovers, patriots, philanthropists, collectors of curiosities.
And it's for a good cause, too. The proceeds, we hear, will help the state of Gujarat deal with
the coronavirus. But of course, not really. Reuters reports what must be the brassiest
online scam to surface so far during the pandemic emergency. We hope no one fell for it.
The Statue of Unity, about twice the height of
the Statue of Liberty in New York Harbor, commemorates Sardar Patel, one of India's
founders. At 182 meters tall, the Statue of Unity would be tough to fit on your coffee table,
but with heroic art, who measures, really? The moxie and low cunning behind the scam really
put all the other COVID-19 grifters in the
shade. What's a business email compromise scam baited with masks and hand sanitizer compared
to the offer of a monumental heroic statue whose steel framing, reinforced by concrete and brass
coating, supports a bronze cladding? Think big, friends. Think big.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Ben, always great to have you back.
Good to be with you, Dave.
Interesting article from Vice.
This is a hot topic these days.
Of course, the Zoom video conferencing software has become a bit of a darling during this coronavirus situation.
Everyone's using it because it's easy to use and affordable.
But they are running into some issues here when it comes to some privacy stuff.
And somebody has spun up a class action suit.
What's going on here, Ben?
Yeah, so we're all using Zoom these days.
I've used them for
conversations with my colleagues, virtual happy hours. I sort of wish I had invested in Zoom
prior to this crisis taking place. If only you were a U.S. Senator, right?
Oh, sorry. Well played, Dave. But, you know, with all excellent easy-to-use applications
come some potential privacy risks.
And what Motherboard on Vice revealed the other day
is that the Zoom application on the iOS platform
was sending analytical data to Facebook
once that application was opened.
The claim that this class action suit is making,
and it was one individual user who instigated the class action suit,
is that this violates the new California Consumer,
the CCPA, California Consumer Privacy Act,
because they did not obtain consent from the users
before they transmitted that data to
Facebook. Zoom has claimed that this was not done purposefully. They were not aware that they were
sending information to Facebook, and they came up with a patch that was available if users updated
the application on their iOS platform.
And what the plaintiffs are saying in this case is that that is not satisfactory.
Many users aren't necessarily going to be aware
that this patch exists,
and they're still going to be using
the previous version of Zoom,
meaning that their information
is still going to be shared with Facebook.
So we're at obviously the very early
stages of this lawsuit. It was just filed in the last couple of days. It's a class action suit,
meaning it potentially could represent hundreds of thousands to millions of people who have used
the Zoom application on iOS. And this is something that we're going to have to pay attention to. My
guess is that because Zoom has
sort of admitted its error here and has tried to come up with a patch to correct its error,
perhaps they'd be amenable to settling the case. But that's just sort of, that's just me guessing.
So we're going to have to see where this goes going forward. Well, I was going to ask you,
I mean, does Zoom's claim that this was inadvertent,
that they didn't realize that some of the underlying technology that they were using
was sending data to Facebook? I mean, does that really matter in their defense?
Is ignorance a defense here? Ignorance is rarely a defense, especially ignorance of the law. Now,
ignorance on the basis of facts,
for example, they did not know that information was being transmitted to Facebook, that could
potentially be a valid legal defense. They'd have to convince a court, either a judge or a jury,
that they actually did not know at the time that they were creating the application that
certain user data was being transmitted to Facebook.
And that would be very difficult for them to try to show.
Now, the burden of proof is on the plaintiff.
The plaintiff has to show with the preponderance of the evidence
that Zoom knew that some of this information was being transmitted to Facebook.
But, you know, once you start a discovery process,
I'm sure you could find a Slack conversation between Zoom employees where
they were talking about whether or not information was being transmitted to Facebook.
So my guess is that they might be able to use that as a defense at the outset. They might say that
while answering the lawsuit. But if you dig a little deeper, my premonition is that someone
probably knew at some point that this was going on.
And, you know, without informing the users and without obtaining the user's consent,
that is a violation of this new California statute.
Now, is the California statute what's really enabling this class action suit?
It is.
I mean, it's filed in a federal court in California, but the claim is based on the new California state law. And I think we're going to see a lot of different lawsuits like this one because the CCPA is now in effect.
It's supposed to not technically go into effect until July 1st, but there still is this cause of action here under this new statute. So this might be, at least in terms of major cases, the first of its
kind emanating from this new California law. And I think we'll see many more cases going forward.
Well, Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thank you. We'll see you back here tomorrow.
...guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.