The CyberWire Daily Podcast 1.30.20
Ep 1014 | 1.30.20

Hacking the UN. Avast closes Jumpshot over privacy uproar. Facebook settles a biometric lawsuit. Data exposures, a LiveRamp compromise, and more newly aggressive ransomware.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. We are excited to announce our new subscription program, CyberWire Pro, that will be coming in February. For cybersecurity professionals who need to stay abreast of their rapidly evolving industry, CyberWire Pro is an independent news service you can depend on to stay informed and save time. This unique offer includes valuable content, such as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. Sign up to be one of the first to know of the CyberWire Pro release at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out. 

Dave Bittner: [00:00:43]  UN agencies in Geneva and Vienna were successfully hacked last summer in an apparent espionage campaign. Avast shuts down its Jumpshot data analysis subsidiary and resolves to stick to security. Facebook reaches a preliminary $550 million settlement in a privacy class action lawsuit. SpiceJet and Sprint suffer data exposures. LiveRamp was compromised for ad fraud. And Russia blocks ProtonMail and StartMail. 

Dave Bittner: [00:01:19]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire and subscribe for free threat intelligence updates. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:02:28]  Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 30, 2020. 

Dave Bittner: [00:03:01]  Leaked documents reveal that three United Nations agencies were hacked last year by exploitation of a Microsoft SharePoint vulnerability. The attack began in July and was detected in early August, at which point a confidential memo on remediation was circulated internally. According to the AP and Computing, forty servers in Vienna and Geneva were compromised. And the UN Office at Vienna, the UN Office at Geneva and the UN Office of the High Commissioner for Human Rights, also in Geneva, were hit. The AP says the UN described the hack as sophisticated and so probably the work of a nation-state. What the campaign actually obtained is publicly unknown. 

Dave Bittner: [00:03:45]  UN staff members were not, in general, informed of the breach. Geneva-based Ian Richards, president of the Staff Council at the United Nations whose role is to advocate for UN employees, told the AP, quote, "All we received was an email on September 26 informing us about infrastructure maintenance work." 

Dave Bittner: [00:04:05]  The New Humanitarian, which obtained the leaked documents, calls the UN's response a cover-up. Why didn't the UN disclose the breach? UN spokesperson Stephane Dujarric admitted to The New Humanitarian that core IT infrastructure in Vienna and Geneva was compromised. He further explained that, quote, "As the exact nature and scope of the incident could not be determined, the UN offices in Geneva and Vienna decided not to publicly disclose the breach." So that's one way to look at it and possibly not an entirely frivolous way either, given that the goal of the hack was, in all likelihood, espionage about which, in some cases, the less said the better. 

Dave Bittner: [00:04:47]  Oh, you might ask, what about GDPR? Well, not so fast. They're the UN. They've got diplomatic immunity. The UN has said that the compromise was confined to Vienna and Geneva, although we'd have to offer a don't-get-cocky caution to the folks at Turtle Bay. 

Dave Bittner: [00:05:05]  Avast has been roughed up this week. The Prague-based antivirus firm sustained reputational damage when the company's sale of anonymized data through its Jumpshot subsidiary came to light. As the company put it in a blog post Tuesday, we want to reassure our users that at no time have we sold any personally identifiable information to third parties. And indeed, the reports about the incident did note that the company anonymized the data. Avast also said they had obtained consent from users to collect the information and that such consent was gathered through an opt-out mechanism. They expressed their understanding that this wasn't an optimal method and that they intended to replace it with an opt-in mechanism. 

Dave Bittner: [00:05:48]  But this was judged insufficient, and late yesterday, Avast's CEO Ondrej Vlcek announced that both data collection and the Jumpshot subsidiary would be closed down. As attractive and useful as big data analytics might be, he and the board decided that continuing with the Jumpshot business was incompatible with the company's core mission of security. He put it this way, quote, "For these reasons, I - together with our board of directors - have decided to terminate the Jumpshot data collection and wind down Jumpshot's operations with immediate effect," end quote. 

Dave Bittner: [00:06:23]  Avast had been caught last month in an embarrassing data collection squabble when Google and Mozilla excluded Avast's and subsidiary AVG's extensions from their store. After a few days' suspension, the extensions were restored. After the restoration, 9to5Google quoted Avast on December 20 as saying, quote, "Privacy is our top priority, and the discussion about what is best practice in dealing with data is an ongoing one in the tech industry. We have never compromised on the security or privacy of personal data. We are listening to our users and acknowledged that we need to be more transparent with our users about what data is necessary for our security products to work and to give them a choice in whether they wish to share their data further and for what purpose," end quote. 

Dave Bittner: [00:07:08]  In any case, the event indicates how dangerous data collection can be, not only to the people whose data are collected but to the organizations that do the collecting. Avast is far from alone in struggling with privacy and data collection. The Wall Street Journal reports that Facebook yesterday reached a tentative $550 million settlement in a class action lawsuit in which the plaintiffs allege that the social network violated an Illinois law against collection of biometric data without permission. The Journal says this is the largest cash award in a privacy class action lawsuit. The Journal also says that Facebook's defense that its opt-out mechanism provided appropriate consent didn't fly with the court. 

Dave Bittner: [00:07:51]  Matthew Doan is a cybersecurity policy fellow at New America, and he recently penned an article for The Harvard Business Review titled "Companies Need to Rethink What Cybersecurity Leadership Is." Well, that sparked our interest so we got him on the line. 

Matthew Doan: [00:08:08]  For years now, I've been in the mix as a consultant and really helping organizations think through how to do this better and pairing that as well with my role at New America, which is a think tank. I'm there as a cybersecurity policy fellow. We've been doing some research and some interviews with a wide range of executives across industries. So collectively, I've seen a challenge in cybersecurity leadership pop up through my experiences in that research, and I felt compelled, really, to bring this to light in a way that hopefully people from a wide range of audiences can understand and develop a framework that they can do something with it. 

Dave Bittner: [00:08:47]  Yeah. So what are your suggestions? What are the things that folks need to put in place to do a better job with this? 

Matthew Doan: [00:08:56]  So what I'm laying out here in this article is that, first, the board and C-suite executives, like CEOs and CFOs, need to establish accountability and own this topic from where they sit to make sure that it goes well. That's the first point. But then I lay out a three-part framework for how they can be successful to ensure cybersecurity comes to life in the right way. The first part is really about setting your intent with cyber strategy. From the top level of the organization, it's about understanding those unique business characteristics that you have, the constellation of partners that you're working with, the industry that you're in, your threat and risk profile. The idea here is that there is no one-size-fits-all for doing cybersecurity well within a business, and we have to appreciate that. 

Dave Bittner: [00:09:46]  The second thing that you outline here is positioning the cybersecurity function to have influence. What's involved there? 

Matthew Doan: [00:09:54]  Yeah, I'd like to break this down into three chunky items - location, authority and incentives. From a location point of view, this is about positioning the cyber leader in the cyber organization to a place where it's going to have more influence and be able to do what you need it to do. In these days, as you see, it's making less and less sense oftentimes to slot that organization under a CIO - management of risk compared to cost-efficient IT are very competing missions at times. So you're starting to see it go other places, sometimes even directly reporting to a CEO. 

Matthew Doan: [00:10:33]  Second point, then, is authority. We need to make sure that this is a top-level mandate. We have consolidated decision rights for the cyber leader to be able to do what needs to be done. That policy makes it very clear. And then the last phase, then, is incentives, really bringing other people along. We don't want to just use the sticks out there and be the enforcers, but use some carrots, too, even creating things like bonus structures for business unit leaders to follow cyber requirements so they feel motivated. 

Dave Bittner: [00:11:04]  You know, I was just speaking with someone recently about some of the stresses that leaders in cybersecurity experience. And one of the things that this person brought up was that with how things have changed, that it's possible that some of these folks may have seen kind of their position change underneath of them, where, you know, if they got hired a decade ago and they were hired for their technical skills, that the needs of that position may have changed. And it's important to be open to the fact that maybe it's not a good fit for you. 

Matthew Doan: [00:11:38]  That's a great comment. I mean, the world is changing so fast. And I think that people that are able to succeed in this discipline or that are aspiring to jump into it have to have that continuous learning mindset. You have to see how the world around you is changing, how technology is changing, what businesses are doing differently, even how the modern workforce is changing. So we can't be stagnant. We need people that are always sensing, adapting and then making the call for themselves. If it's still the right position for them, maybe they even go down a particular technology route if that's their passion. But the idea of a leader needs to be something far more than it used to be. 

Matthew Doan: [00:12:20]  Board members and C-suite executives need to embrace their accountability. I think they look downward to ensure the job gets done, but they're forgetting that it all starts and ends with them, and the strategic choices they make are going to have so much cascading impact to how successful their businesses are. So we need people to step up and appreciate that, and then hopefully the right things come to life from their great decisions. 

Dave Bittner: [00:12:47]  That's Matthew Doan, cybersecurity policy fellow at New America. The article is "Companies Need to Rethink What Cybersecurity Leadership Is." It's in the Harvard Business Review. 

Dave Bittner: [00:12:59]  More companies have suffered data exposure incidents. Indian airline SpiceJet had data on 2.1 million passengers in a database secured by what TechCrunch's report characterizes as an easily guessed password that was brute-forced by unnamed, self-described white hats. The publication doesn't name the white hats because brute-forcing a system without permission the way they did is probably a violation of US law and of who knows how many other jurisdictions' laws. SpiceJet has since taken steps to better secure the data. 

Dave Bittner: [00:13:33]  KrebsOnSecurity found that Sprint's Social Care forum, a place for customers to address issues with the telco, was being indexed by search engines, an indication that it was exposed to the internet. He informed Sprint, which acknowledged that the forum should have been private, and which then secured the exposed portion of its network. 

Dave Bittner: [00:13:53]  CNET reports that LiveRamp, a major marketing company and Facebook partner, was compromised when hackers obtained an employee's personal account and used it to gain access to a business manager account, which they exploited to run fraudulent advertising. The advertising, which the scammers charged to LiveRamp customers, directed customers to sites that either stole credentials or built them into purchasing bogus products. LiveRamp says the problem has been contained. 

Dave Bittner: [00:14:21]  If you're a Russian citizen interested in keeping your online communication private, you've now got fewer options than you might have enjoyed a few months ago. Moscow has blocked ProtonMail and StartMail, Computing reports, as the Russian government clamps down on encrypted communications. 

Dave Bittner: [00:14:39]  And finally, ransomware operators continue to grow more insistent and aggressive. The hoods behind Maze have posted a list of slow-to-pay victims they intend to dox if the victims don't start opening their wallets. Twenty-five victims, several of which Computing says were previously unknown, are on the latest list. You may wonder how they're posting these things, given the international legal action that took down the page they were operating from Ireland. They've reconstituted operations and are now hosted out of Singapore - for now, anyway. 

Dave Bittner: [00:15:19]  And now a word from our sponsor, PlexTrac. PlexTrac is the purple teaming platform that enables red teams to report security issues and blue teams to remediate them through a single web-based interface. PlexTrac offers public, private cloud and on-premise deployment options. You can learn more and request a demo at plextrac.com/demo. That's plextrac.com/demo. And we thank PlexTrac for sponsoring our show. 

Dave Bittner: [00:15:58]  And joining me once again is Caleb Barlow. He is the CEO at Cynergistek. Caleb, it's always great to talk to you. I wanted to touch today on ransomware specifically targeting hospitals and what that can do to the business side of a hospital that may get hit with this sort of thing. 

Caleb Barlow: [00:16:17]  Well, hey, Dave. It's always fun to talk about some of these interesting ways to think about common cybersecurity problems. And if we look at ransomware - and let's face it; we kind of read about this it seems like every week or two - and it's typically targeting either health care institutions or kind of state and local government. So I thought it would be kind of interesting to look at what happens in a hospital when they're shut down with ransomware and what does that impact really kind of look like. And the reality is, it's pretty harsh what goes down. 

Dave Bittner: [00:16:52]  Well, take me through. I mean, a hospital gets hit. It starts working its way through the systems. First of all, is there a pattern of where it usually begins? Is there a common ground zero? 

Caleb Barlow: [00:17:05]  The common ground zero is often health care. So if we look at the 621 ransomware attacks that occurred in the first part of last year - so Q1 through Q3 of 2019 - 79% of them, or 491 attacks, targeted health care. So the first thing that happens - and we've seen this in several recent cases - is if they hit the EHR, the electronic health care records system, that hospital for all intents and purposes is pretty much down. 

Caleb Barlow: [00:17:38]  Now, here's the next thing that happens, which is that you kind of close down the ER to anything that is not urgent, and you cancel anything that's scheduled. So now you're just doing the stuff where, you know, there's a life-threatening situation or an emergency. Well, now you start using lots of paper because the EHR doesn't work. A typical hospital will create 50,000 patient notes a day. All of that now has to be done on paper. And here's the other thing to keep in mind - they don't get paid on paper anymore. So anybody who's paying them - whether it's the insurance company, Medicare, Medicaid - they have to submit those claims electronically. So this - literally, Dave - mountain of paper is growing. And you're dependent on the older nurses and doctors that still remember how to chart on paper. 

Dave Bittner: [00:18:34]  Right. I was going to ask you about that. Are we heading - are we hitting a time where it's been long enough since that was standard operating procedure that that legacy knowledge is fading into the distance? 

Caleb Barlow: [00:18:45]  Well, one of our guys was asking a couple of clinicians about this, and the comment was, thank God for older nurses, right? 

Dave Bittner: [00:18:52]  Yeah. 

Caleb Barlow: [00:18:52]  Because they still know how to - you know, if you think about when you used to write out a medical record on paper, you would document in prose. You know, I saw a patient of this age with this medical condition. And you kind of write everything out, and you know all the questions to ask. Well, you don't have to remember the questions to ask in an electronic system because the system's asking you. But, of course, the real worry we all have is that one hospital isn't independent anymore. You know, I don't know about where you live, Dave, but where I am, they're all connected together; they're all owned by the same entity. 

Caleb Barlow: [00:19:28]  Where this gets really scary - and we saw a little bit of this in Alabama. We also saw this happen last year with 100 nursing homes that were using the same system. And that system, which was a cloud provider, got locked up, and they all went down, right? So the opportunity here for a somewhat catastrophic regional impact is very real. So OK, we're writing stuff on paper. We're diverting patients. We're doing things manually. But we're also starting to impact the business because if we're now a month and a half into this, we've done no claims processing for a month and a half. 

Dave Bittner: [00:20:07]  Is that a realistic timeline for this sort of thing? Would a hospital typically find itself down for that long? 

Caleb Barlow: [00:20:14]  Well, here's where this also gets interesting, Dave - they all seem to pay. 

Dave Bittner: [00:20:20]  Yeah. 

Caleb Barlow: [00:20:20]  Now, there are a few that haven't. So the Wisconsin-based VCP, or virtual care provider, those hundred nursing homes I was talking about, they didn't pay, and actually, you know, there's news reports out just over the last week or two that now they're being extorted by the bad guys. So we're all kind of waiting to see what happens there, right? And, you know, the other challenge here is that even when you do get things back online - so let's say two months go by. You start restoring from scratch. You start bringing systems back online. You're not going to be able to capture everything that you did because you wrote it on paper. You know, a couple of things happen. One, you know, the doctors probably didn't write down everything. And... 

Dave Bittner: [00:21:04]  Well, who can read their handwriting? 

Caleb Barlow: [00:21:05]  Who can read their hand... 

[00:21:06]  (LAUGHTER) 

Caleb Barlow: [00:21:06]  Actually, that's probably a very real concern in this case. And the second thing, though, is you're going to start to run out of time to bill this stuff, right? 

Dave Bittner: [00:21:14]  Yeah. 

Caleb Barlow: [00:21:14]  So you really start to run into a longer-term scenario that becomes really problematic. 

Dave Bittner: [00:21:20]  Yeah. 

Caleb Barlow: [00:21:21]  So I think the recommendation here is that, you know, continuing to just go out, get insurance and hope you can pay the ransom, that's probably not a good plan. All these hospitals now are planning on and exercising what are they going to do as the coronavirus spreads, right? Well, what are you going to do if you get hit with a ransomware incident? Because it's going to be just as devastating to the community and could also result in a similar impact for patients. 

Dave Bittner: [00:21:47]  Yeah. All right. Well, it is certainly sobering information. Thanks for sharing those insights. Caleb Barlow, thanks for joining us. 

Dave Bittner: [00:22:01]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. 

Dave Bittner: [00:22:07]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:22:19]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.