CyberWire Daily - US elections: CISA calls security success, but reminds all that it’s not over yet. Notes from the cyber underground. Two more indictments in cyberstalking case.

Episode Date: November 4, 2020

Election security, hunting forward, rumor control, and the value of preparation. Maze may be gone (so its proprietors say) but its affiliate market has moved on to Egregor ransomware-as-a-service. An illicit forum has leaked large repositories of personal information online. Joe Carrigan shares thoughts on hospital systems getting hit by ransomware. Our guest is Alan Radford from One Identity who wonders whether robots should have identities. And two more ex-eBayers are indicted in the Massachusetts cyberstalking case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/214

Transcript
[00:00:00] You're listening to the CyberWire Network, powered by N2K.

Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.

[00:00:31] Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us.

Hey, everybody. Dave here.

[00:00:44] Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.

[00:01:22] Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/N2K, code N2K.

Election security, hunting forward, rumor control, and the value of preparation. Maze may be gone, but its affiliate market has moved on. An illicit forum has leaked large repositories of personal information online. Joe Carrigan shares thoughts on hospital systems getting hit by ransomware.

[00:02:17] Our guest is Alan Radford from One Identity, who wonders whether robots should have identities. And two more ex-eBayers are indicted in the Massachusetts cyberstalking case.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 4th, 2020.

"It looks like any other election day, even any other Tuesday." That's what a senior CISA official said yesterday at a virtual press briefing we attended. Senior officials at the U.S. Cybersecurity and Infrastructure Security Agency, that is CISA, yesterday tentatively attributed the relative lack of foreign adversaries' action against U.S. elections to deterrence by denial,
[00:03:18] but they also credited U.S. Cyber Command's hunt-forward operations with having made a significant contribution to election security. The Washington Post quotes the Cyber Command head and Director, NSA, General Paul Nakasone, as confirming that his organizations took unspecified action against Iranian actors after the threatening email campaign that tried to fly a false Proud Boys flag was determined to emanate from Tehran. CNN reports that hunt-forward operations extended to Russia and China as well. For two years before yesterday's voting, U.S. Cyber Command deployed "the whole spectrum of offensive and defensive measures" against threat actors in Moscow, Tehran, and Beijing, CNN reports.

[00:04:10] The New York Times says Cybercom sent squads to Europe, Asia, and the Middle East to investigate tactics, techniques, and procedures. Deputy Commander Lieutenant General Charles Moore explained: "We want to find the bad guys in red space, in their own operating environment. We want to take down the archer rather than dodge the arrows." Cyber Command will continue its efforts indefinitely. General Moore calls election defense a persistent and ongoing campaign,

[00:04:35] and Fort Meade can be expected to remain engaged. Returning to CISA, the Homeland Security agency executed a long-prepared national effort to secure the vote. CISA has for some time expressed the view that public engagement through the media and directly online makes an important contribution to cybersecurity. Through Election Day, CISA held a series of six online media briefings, the first at 9:30 a.m. Eastern Time, the last at 11:30 p.m. Eastern Time, providing updates on election security and the perspective their virtual situational awareness room provided. The good news, repeated throughout the day, is that no major cybersecurity threats surfaced during the voting. Since spectacular claims of spectacular wickedness are maybe to be expected in the post-election phase,

[00:05:28] it's worth a quick review of CISA's rumor control page to see what the agency thinks are the rumors most likely to surface. Here's one: "If results as reported on election night change over the ensuing days or weeks, the process is hacked or compromised, so I can't trust the results." Well, here's the reality. Election results reporting may occur more slowly than in prior years. This does not indicate there is any problem with the counting process or results. Official results are not certified until all validly cast ballots have been counted, including ballots that are counted after election night. This is why the process of counting votes is likely to take days. Certifying them will take longer.

[00:06:10] Here's another rumor: "Provisional ballots are only counted if there's a close race." The truth is that provisional ballots are counted in every election, regardless of result margins. This hasn't happened much, if at all, but there's a rumor in circulation to the effect that if the election night reporting webpage is defaced or displays incorrect results, the integrity of the election is compromised. Again, not so. The truth is that a defaced webpage has nothing to do with either counting votes or certifying official results. And finally, if election night reporting sites experience an outage,

[00:06:46] then some people think that vote counts will be lost or manipulated. Not at all. If we can take away anything from yesterday's commentary at CISA, it's that election night results aren't official. And reports by news media are, if possible, even less official. Where is CISA getting its rumors and replies? They developed them during the exercises they ran before the election to explore and prepare for the kinds of problems the agency might encounter
[00:07:14] before, during, and after the voting. It's another illustration of the value exercises and wargaming can hold for cybersecurity. The Maze gang may have taken down its shingle, but the members of its affiliate network haven't been slow to adopt another ransomware strain. ZDNet says they're migrating to the ransomware-as-a-service option Egregor, itself a spinoff of Sekhmet. According to DevDiscourse, CERT India has published an alert warning organizations in that country to expect a rise in Egregor infestations. Data from the criminal data clearinghouse Cit0day, itself taken down in mid-September, has, according to ZDNet, leaked online, exposing some 26,000 hacked databases. And finally, two more eBayers, both executives,

[00:08:12] were indicted yesterday on 15 counts related to the alleged stalking, witness tampering, and destruction, alteration, and falsification of records during the harassment of the EcommerceBytes mom-and-pop newsletter. James Baugh, formerly eBay's senior director for safety and security, and David Harville, formerly eBay's director of global resiliency, were the two former executives named, Silicon Valley Business Journal reports.

Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.

[00:09:01] Head to salesforce.com/careers to learn more.

Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,

[00:09:39] like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.

[00:10:37] Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365 with Black Cloak. Learn more at blackcloak.io.

To what degree do you anthropomorphize your personal digital assistants? Does there come a point when your automation tools, your assistant in your mobile phone, or your robot vacuum cleaner need to have their own online personas and credentials? It sounds like an odd question to ask, but it's the kind of thing the folks who are in the business
[00:11:22] of managing online identities have to think about. Alan Radford is regional CTO at One Identity.

When you look at how much we have in common with technology, it's important to understand that we as an employee have an owner, quote unquote, which would be our manager. We have a line of reporting. A robot doesn't necessarily have that. So when we think about identity in the context of a virtual identity, there still needs to be a sense of ownership, but it's a little bit different than that. Ownership, accountability, interchangeable

[00:11:57] in the robot conversation, because somebody's always pulling the strings. If I go off and I do something non-compliant, I might answer for that, okay, or my boss might answer for it, depending on what happens. If a robot does something non-compliant, well, is it doing something non-compliant because it made the decision to do that, or is it doing it because somebody pulled the wrong strings, or it was configured to do it? And so that sense of ownership still comes into play.

So where do you suppose we're headed then in terms of these virtual assistants and the need for them to have their own identities? Where do you see things going?

[00:12:40] I see things going in a more holistic sense. When you create these robots, everything the robot needs to do in order to perform its task gets created as well. So you think about an employee. An employee gets given some accounts, AD accounts and so on. They would use those accounts to go and do some stuff. When a robot's created, the robot also gets given accounts to go and do some stuff. But the way in which robotic architecture works means that typically virtual machines get spun up in order for the robot to architecturally do what it needs to do.

[00:13:18] The arms and legs of the robot, if you will, get spun up in the form of VMs around an organization. And that's why we see more and more RPA DevOps pipelines popping up here, there, and everywhere. RPA tends to filter into those DevOps pipelines. So I see it going very firmly in the direction of AI, and I think the identity market has a challenge before it, which is to keep up with that rate of change. The rate at which robots are created and destroyed and indeed execute their tasks is,

[00:13:56] I'll use the word infinitely, the pedants out there may disagree, but for the purposes of conversation, it may as well be infinitely faster than a human employee can. You know, we don't enlist them in HR, we don't go through employee legislation, they don't have any rights, there's no need to pay them, okay? There's no vacation, there's no sick leave, there's no morale, there's no culture. And increasingly, those workloads that they're taking on leave things by the by. How many of those robots are using cryptography keys? When those robots are destroyed, what happens to those keys? When the robots are destroyed, what happens to the accounts they were using? Does anybody know? And in the conversations that I've been having in industries all around the world, you know, I

[00:14:49] spent time in Australia, North America, and in EMEA, it's normal to say, do you know what, I haven't got a clue. It's a normal thing, and that's not just for virtual identities or robots. It's the same for people as well. That's why the identity access management industry is a thing. So it is important to consider that when you look at creating robots, how those robots are handled in your organization, who owns them, how they are governed. Being able to answer those fundamentally basic questions as if they were a normal employee, that's the grounding force that's going to see us win out over the robots when it eventually comes to that.

[00:15:36] That's Alan Radford from One Identity.

ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
[00:16:41] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Hello, Joe.

Hi, Dave.

We've been tracking these developing stories about hospital systems who've been hit with ransomware, and I wanted to check in with you, get your take on this. What are your thoughts here, Joe?

This is interesting. The FBI and the Department of Health and Human Services and Department of Homeland Security have all been warning people in the medical industry that there is a concerted effort to attack hospitals with ransomware. Now, you remember last month in September when Graham Cluley reported on the, we had a story about the ransomware attack on the German hospital that was inadvertent. And they said, hey, you attacked the hospital. And the people were like, oh, well, here are the keys, bye. And I was like, well, that seems like these guys reached beyond what they were going for. But I don't think that's going to be something that's very common among these

[00:17:42] ransomware criminals. And here now we have this gang, this Ryuk gang, targeting hospitals. And they're a Russian gang. And it seems to me that this timing is a little bit on the nose, isn't it? You know, they're...

They create more chaos in the midst of an election season?

Exactly.

[00:17:59] I mean, this, as we're recording this, it's a few days from the election. And this is going to keep a lot of people very busy. I don't know if this is part of some larger election operation on behalf of the Russian, because we know these Russian cyber gangs operate with some understanding from the government that as long as they don't attack Russian assets, they're fine to do this. And there may be some quid pro quo on that from the Russian government. Like, hey, when we need you to do something, you'll do it. So University of Vermont is one system that's already been hit with this. Interesting, though, is that the head of their medical center has said

[00:18:38] he hasn't received a ransom demand.

Hmm. That is interesting.

Well, there have been two other groups, healthcare systems in the U.S., that have been hit, and the criminals have demanded $1 million apiece from them.

Hmm. You know, it makes me think about kind of the consolidation that we've seen over the past years, a decade or so, with some of these hospital systems. This affects you and me locally. Of course, you're with Johns Hopkins. Johns Hopkins has a very well-known, well-respected hospital system.

Yes, they do.

And our local hospital here where you and I live in Howard County, a while back, became part of the Johns Hopkins system.

[00:19:19] Yes, and it's a good hospital.

Yeah, it's a great hospital, but it strikes me that there's a peril here, a potential peril, in that when they hitch their wagon to the larger Hopkins mothership, well, I'm guessing there's some connectivity there between those systems.

I'm sure there is. There's two sides of this coin. There's the diversity argument that you're making, right?

Right.

[00:19:43] That if we have more people spread out, and then when a system gets hit, like one healthcare system gets hit, it won't be as bad for everybody in the community. But there's also the consolidation argument that by consolidating, we can pool our resources and build a better security program because we have more money to do it, which a smaller healthcare system may not have. So I don't think that one argument is more valid than the other. But I don't know that, I'm not a big fan of large consolidations in any market. I think that can be bad, but that's neither here nor there for a security reason.

Yeah. I guess it's a shame that there can't be more international diplomacy, and who knows what's going on behind the scenes, but for governments

[00:20:34] to have influence over other governments to say, hey, look, knock it off. You know, medical facilities are out of bounds, just like in war, right?

Right, exactly.

You know, you don't bomb hospitals. That's why those hospitals have big red crosses painted on top of them with white backgrounds, so that there is no mistake that you're going to be targeting a medical facility.

That's an excellent point, Dave. This is exactly the same thing.

[00:21:03] These people are actively targeting hospitals and going after them. And maybe we should say to the Russians, you know, why don't you round some of these guys up and stop this from happening?

Yeah. It just seems, I don't know, I guess in a better world, some things would be out of bounds, but it doesn't seem to be the world that we're in at the moment. I don't know how cooperative the Russians would be with that request, though.

Probably not very.

No, but, you know, by what other means could we convince them that it's in their best interest to apply pressure to the folks who are doing this? It's one of those things that I suppose the folks who are handling foreign policy in the big picture, I'm sure it is on their radar,

[00:21:46] but as this becomes a more immediate and proximate thing, as more and more hospitals get hit, our representatives are going to have to respond. They will have no choice. As lives are lost, they will have no choice but to respond to this. And it'll be interesting to see how that plays out in something like this that is happening across borders.

Yeah.
[00:22:17] It's certainly interesting times, Dave.

Yeah, absolutely. All right. Well, Joe Carrigan, thanks for joining us.

It's my pleasure.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.

[00:22:56] It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
