National Association of Manufacturers hacked during Sino-American trade negotiations (and tensions). Ineffectual DDoS attacks hit both of the UK’s largest political parties. Pemex says it’s completed recovery from ransomware. The US Department of Health and Human Services will investigate Google’s Project Nightingale for possible HIPAA issues. And did BlueKeep warnings scare people into patching? Apparently not. Ben Yelin from UMD CHHS on California going after Facebook on alleged user privacy violations. Guest is Edward Roberts from Imperva on Ecommerce and bots.
Dave Bittner: [00:00:03] The National Association of Manufacturers were hacked during Sino-American trade negotiations. Ineffectual DDoS attacks hit both of the U.K.'s largest political parties. Pemex says it's completed recovery from ransomware. The U.S. Department of Health and Human Services will investigate Google's Project Nightingale for possible HIPAA issues. And did BlueKeep warnings scare people into patching? Apparently not.
Dave Bittner: [00:00:35] And now a word from our sponsor ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:51] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 13, 2019. Reuters reported this morning that the National Association of Manufacturers, a major U.S. industry group, came under cyberattack by Chinese intelligence services earlier this year as Sino-American trade tensions grew. The association says it hired an outside cybersecurity firm to investigate and stop the breach. Neither the U.S. government nor the Chinese Embassy has so far commented, but the story is still developing.
Dave Bittner: [00:02:27] In advance of next month's elections, both of the U.K.'s two largest parties are considering the risk of disruption by cyberattack. Monday's cyberattack against Britain's Labour Party was repeated yesterday. Reuters says the Conservative Party sustained its own DDoS attack yesterday. While sources suggest this attack came from a different actor, this incident also looks unsophisticated and minor. A Tory spokeswoman, when asked about it, said she had nothing to offer on the subject, which she said she hadn't heard of. That suggests that neither party was particularly seriously afflicted.
Dave Bittner: [00:03:02] Labour did qualify the original report, saying that yesterday's incident was indeed sophisticated and thwarted by their robust security. And party leader Jeremy Corbyn expressed his own concern that upcoming elections might be conducted under the threat of cyberattack. But the apparent ease with which Labour shrugged off the attack suggests that original characterization of the distributed denial of service attack as unsophisticated were probably closer to the mark. Computing reports that Cloudflare, which mitigated the attack on Labour's networks, called the attack nothing special and said it was the sort of thing we deal with daily. Another observation quoted in Computing characterized the incident as nothing more than what you would expect to see on a regular basis; it looked like someone bored in their bedroom with a botnet.
Dave Bittner: [00:03:51] The Independent cites former GCHQ honcho Brian Lord, now with PGI, to the effect that Labour could have been hit by a nation-state, but reading what he actually told the paper makes his take less alarming. There is an a priori possibility that a nation-state could run a dumbed-down attack for sure, and sure, criminals and others will often use DDoS as misdirection to distract security teams from something more serious. But again, that's a matter of a priori possibility - something to consider, of course, but keep calm and carry on. So nothing special apparently - just the normal skid background noise. But we do like bored in the bedroom with a botnet. It's a variation on the familiar picture of the big guy in his parents' basement, but maybe British skids are different in that way from their transatlantic cousins.
Dave Bittner: [00:04:42] As we head quickly and relentlessly into the holiday shopping season, retailers are looking to their websites and e-commerce as primary avenues for sales. Imperva recently published a report citing the growing threat of bots interfering with commerce sites. Edward Roberts works in product marketing for bot management at Imperva.
Edward Roberts: [00:05:02] The main finding that people should understand is that your website lies to you and that the users are on there are - there are fake users, and they are fake in that they are bots. But they are not benign, and they are on your site for a reason. So they could be doing a multitude of things, like scraping your prices, trying to use credentials to get into any accounts that you have there, trying to steal gift card balances - all manner of things to try and exploit your business. So whatever functionality you've put on that website, there is some bot or some piece of automation that is trying to abuse it. And typically, what we saw in this report was 17.7% of all traffic on all of the websites that we covered - and it was over 200 - 17.7% of that traffic was bad bots. So these are bots that you do not want on there. You know, there are good bots, like Google, that you would willingly have. But these are bad ones who are doing the nefarious things that I mentioned.
Dave Bittner: [00:06:03] As someone running a website, how do you differentiate between the good and the bad and try to put controls on the bad bots?
Edward Roberts: [00:06:10] Yeah, that's the big challenge, is that, you know, you can use your various security tools that you have. You might use your WAF and block certain IP addresses in certain countries, and do things manually, and try and clean your traffic that way. But in the end, there are bot-management solutions that are out there that are built to actually automatically clean your traffic from - with these bad bots. And so, you know, that's the ultimate solution. But, you know, there are techniques you can do to, you know - to block them on your own as well.
Dave Bittner: [00:06:45] So what were some of the key take-homes in the research that you did here?
Edward Roberts: [00:06:50] The wide array of things that bots can be tasked with doing on your site is larger across e-commerce sites because they have more different styles of functionality and information available on their websites than other websites. So for example, competitors are scraping all your prices. So that's one group of people who are trying to damage you in the marketplace by making sure that they beat you pricewise, or they understand what sales or promotions you're offering or what delivery discounts you've put in place. So there is a scraping of information. And if you have thousands and thousands of products that you sell on your e-commerce site, there are people scraping each one of those. And, you know, that's a volume of traffic that you were not really expecting to deliver to bots and to your competitors, so it's definitely - affects your competitive place in the market.
Edward Roberts: [00:07:48] The other ones are things like what they call Grinch bots or sneaker bots. So these are - if you have rare items - you see them in sneakers. There are limited-edition sneakers that are made available by various sneaker companies, and if you have those made available, it's very similar to ticketing. There's a finite number of them, so bots are used to try and claim that inventory before anybody else can get them. And then if they can get them at the list price and the demand is high enough, they can then resell them somewhere else on the secondary market. So you have these - you know, you're making the customer experience with somebody who wants to get those limited-edition items more difficult for them. You're leading to customer dissatisfaction, and they're having to pay more or pay a premium as well for that dissatisfaction.
Edward Roberts: [00:08:38] Another range of ones are gift card balances. Bots can be used to enumerate through the numbers of those gift cards and see which ones have balances. And if they find ones that have balances, they can then use that number to buy things. And suddenly, you find that a customer has got a gift card that no longer has a balance on it, but they thought it had, you know, a certain amount of money on it. So the ability of bots to look at what's on your website and understand what to - what they can go after and what they can exploit is really wide. And so those are a few examples that - of some of the findings that we had in the report. Thinking about it in terms of what's available on your website, it's, how could that information be used by somebody against me? You know, and it's amazing how many different use cases we see.
Edward Roberts: [00:09:26] But I think that's a testament to the cat-and-mouse part of this is that there is so much information that people, you know, find valuable that they are willing to invest money to actually launch these bots. And the economics around it are in their favor. So they're not there for a benign reason. I think that some people in the past have thought that they were benignly there; they're just - oh, it's just internet junk that's going around, and it's just a simple automated script. But really, the majority of it is actually quite sophisticated, and they're trying to attack a certain part of your website for a particular reason.
Dave Bittner: [00:10:00] That's Edward Roberts from Imperva. The report is titled "Automated Cyberattacks on E-commerce Companies Growing More Sophisticated and Difficult to Detect."
Dave Bittner: [00:10:10] Pemex continues to work toward recovery from the ransomware attack it sustained over the weekend. The Mexican oil giant's administrative systems are believed to have been hit with DoppelPaymer ransomware. Reuters, which has been in email contact with people who may or may not be the attackers, says the extortionists complained that Pemex missed its chance at a discount and that the ransom is now $5 million in bitcoin. Computing connects the attack to the Russian criminal gang also running Dridex and BitPaymer. CrowdStrike has called that group INDRIK SPIDER. Pemex says that operations are back to normal and that production was unaffected, Reuters reports.
Dave Bittner: [00:10:50] Google's Project Nightingale, which would collect and analyze patient information from the Ascension health care system, has come under investigation by the U.S. Department of Health and Human Services Office for Civil Rights, The Wall Street Journal reports. At least two matters are of concern. Was patient approval obtained to share HIPAA-protected data, and are those data adequately secured? Computing sources its own coverage of the agreement between Ascension and Google in part to what appear to be two PowerPoint presentations from the organizations leaked with commentary by someone Computing characterizes as a whistleblower.
Dave Bittner: [00:11:28] The Wall Street Journal broke the story about Project Nightingale yesterday. The intent of the agreement between Google and Ascension, a Catholic network of health care providers that's regarded as the second largest in the U.S. with tens of millions of patients, seems to be the improvement of both administration and clinical outcomes. But as observers are quoted by the Journal, the optics are bad for Google, even if those two goals are really the only ones Mountain View has in mind. You do want patient consent for the use of their data. Computing's story suggests that the data might be used for other less-mission-focused purposes as well. The story is developing.
Dave Bittner: [00:12:08] You'd think BlueKeep scares would've motivated patching, but you'd think wrong, so says SANS. Sure, BlueKeep's been around for a long time, and so has the patch for it. And sure, Shodan searches indicate that the number of unpatched machines has been tailing off along a gentle downward path for months. But were people energized to patch by all the recent media chatter? Apparently not. That path continues to slope gently downward. SANS says there are still hundreds of thousands of vulnerable systems out there, and SANS hopes they get patched before they turn into worm food. Speaking of patches, yesterday was Patch Tuesday. Microsoft addressed 74 vulnerabilities, including one zero day. Do take a look.
Dave Bittner: [00:12:59] And now a word from our sponsor ObserveIT - the greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:13:56] And joining me once again is Ben Yelin. He's the program director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Ben, it's great to have you back.
Ben Yelin: [00:14:08] Always good to be here, Dave.
Dave Bittner: [00:14:10] A interesting story came by. This is a press release from the attorney general of California, who is petitioning the San Francisco Superior Court to go after Facebook for some things. What's going on here?
Ben Yelin: [00:15:10] And so they issued a series of written questions - interrogatories. They alleged that Facebook refused to respond to several of the questions contained within those interrogatories. They said that some of the other answers were incomplete or missing information and were wholly inadequate to the scale of the investigation. And as a result, not only is Attorney General Becerra going to court, but he's going public with the fact that Facebook is being investigated. And that's sort of a tool he has in his toolbox. Going public sort of puts Facebook on notice at a time when, frankly, they've been in the national spotlight, and they don't want to face any additional political scandals.
Dave Bittner: [00:15:49] Well, help me understand the sort of process here when it comes to subpoenas. If I get subpoenaed to provide information, my assumption is that I can't just drag my feet or pick and choose what questions I'm going to answer.
Ben Yelin: [00:16:04] Right. So a subpoena itself is compelling you to hand over that data. Generally, the legal standard for obtaining a subpoena, for getting that information is smaller - is less rigorous than obtaining documents through some sort of warrant or something like that. This is an administrative subpoena, so it's just a request for records. Obviously, a subpoena means you are required to comply by law. And if you don't, then as we see here, the Department of Justice has an avenue of going to court to have a court enforce the transfer of documents from Facebook - or any company - to the California Department of Justice. And that would be a process that would be overseen by the Superior Court in California.
Dave Bittner: [00:16:51] So is this a situation where they will now get in front of a judge and a judge will decide what a reasonable timeline is and say to Facebook, if you don't do these things, these are the potential heartaches that you're in for?
Ben Yelin: [00:17:06] Exactly. So they can impose potential civil or criminal penalties on Facebook. I think we're probably a long way from getting to that point. Facebook perhaps will take these requests seriously, not only because the Superior Court has gotten involved, but because this is now all in the public record. And like I said, I mean, they're dealing with national scandals related to their change in policy as it applies to advertisements on their platform. So this is just, you know, sort of another headache they probably don't want. My guess is that they will probably be more apt to fulfill these subpoenas, to respond more fully to these interrogatories now that this investigation is public and now that the Superior Court has gotten involved.
Ben Yelin: [00:17:53] I will note that the vice president of state and local policy of Facebook said in a statement that they've cooperated extensively with the state of California's investigation. He says they provided thousands of pages of written responses and hundreds of thousands of documents. I have no reason to actually doubt that that's the case. That still doesn't tell us whether they fully complied with the subpoena. And, you know, if it's true that they haven't answered information demanded in interrogatories, then they haven't fulfilled the obligations of that subpoena even if they've handed over hundreds of thousands of pages of documents.
Dave Bittner: [00:18:24] Mmm hmm.
Ben Yelin: [00:18:25] So they could potentially still be in a good bit of trouble.
Dave Bittner: [00:18:28] All right. Well, we'll keep an eye on it. Facebook doesn't seem to be doing themselves any favors.
Ben Yelin: [00:18:34] They sure aren't. It would be nice for their purposes if they could stay out of the news. Although, since they control the news these days...
Dave Bittner: [00:18:42] (Laughter) Right.
Ben Yelin: [00:18:42] That's - I think that's probably literally impossible, so...
Dave Bittner: [00:18:46] OK (laughter). All right. Well, as always, Ben Yelin, thanks for joining us.
Ben Yelin: [00:18:50] Thank you.
Dave Bittner: [00:18:51] And don't forget to check out the "Caveat" podcast, where Ben Yelin take on law and policy issues, surveillance and privacy. Our guest this week is former Secretary of Homeland Security Michael Chertoff. He weighs in on the crypto wars. It's the "Caveat" podcast. Do check it out.
Dave Bittner: [00:19:11] And that's the CyberWire.
Dave Bittner: [00:19:13] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ExtraHop provides cyber analytics for the hybrid enterprise. Using wire data and machine learning for real-time threat detection and investigation from Core to Cloud, ExtraHop delivers unprecedented visibility, definitive insights, and immediate answers so security teams can act with confidence. Learn more at ExtraHop.
Email is still the #1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware! Find out how to protect your organization in this on-demand webinar by Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, and he also shares a hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick. Go to www.KnowBe4.com/10Ways to watch the webinar!