The CyberWire Daily Podcast 3.9.20
Ep 1040 | 3.9.20

Coronavirus misinformation, phishbait, and disinformation. Ransomware’s growing reach. How criminals’ desire for glory works against their desire to escape apprehension.


Dave Bittner: [00:00:04] Coronavirus misinformation, coronavirus online scams and coronavirus disinformation - ransomware hits a steel plant, local government and a defense contractor, and how criminals' desire for glory betrays them in social media. 

Dave Bittner: [00:00:26]  And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at That's And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest like containers to empower your change-makers like developers and to enable business accelerators, like your team's. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:01:37]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 9, 2020. A great deal of coronavirus misinformation continues to circulate, including descriptions of bogus cures, paranoid descriptions of secret laboratories and oddball accounts of government conspiracies. Much, and probably most of this, is spontaneously generated by internet users, and The New York Times reports that some of the larger platforms like Facebook and Twitter are at a loss as to how they might seek to control baseless and potentially harmful rumors. 

Dave Bittner: [00:02:14]  Some of those rumors are old folk wisdom. They resurface whenever there's an epidemic. You'll see, for example, stories that garlic or vitamin C or drinking lots of water will cure the virus. No. They may be good things to do, but they're just folklore. Other folk remedies like the one that says it's a good idea to take a bath in bleach - well, those are just bad ideas on any level, so don't do them. At any rate, such folk remedies always gurgle up in such times, so don't believe them. But some of the misinformation is deliberate as online scammers use coronavirus stories as phish bait. 

Dave Bittner: [00:02:51]  The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, offers commonsense advice on how to avoid swallowing it. A lot of the phish bait is taking the form of appeals to donate to charities, offers of cures or preventative measures that can be had for the low, low price of, well, handing over your credit card number. For a nice bit of that good, reliable, commonsense advice, go online to and search COVID-19. You'll get the straight skinny and won't be taken advantage of. 

Dave Bittner: [00:03:26]  And some of that misinformation is, alas, state-driven disinformation. And this, we hasten to add, isn't among the oddball conspiracy theories like the ones that say coronavirus was produced in some top-secret government lab or that it's the work of space aliens and so on. The U.S. State Department warned late last week, according to The Washington Post, that the familiar apparatus of Russian trolling has been at work pushing coronavirus scare stories. The goal of the information operation is, as usual, disruption and chaos, confusion to the enemy - that enemy being, unfortunately, Mr. and Ms. United States and civil societies in other countries that aren't necessarily reliably aligned with Russian interest. 

Dave Bittner: [00:04:09]  Lea Gabrielle, coordinator of the State Department's Global Engagement Center - an organization charged with counteracting disinformation - told Congress last week that threat actors tied to Russia were working through what she called state proxy websites as well as official state-owned media and inauthentic online accounts forming a coordinated effort to take advantage of a health crisis where people are terrified worldwide to try to advance their priorities. Moscow's general objective, she said, is "to weaken its adversaries by manipulating the information environment in nefarious ways by polarizing political conversations and attempting to destroy the public's faith in good governance, independent media and democratic principles," end quote. That goal should be familiar from earlier discussions of election influence operations. 

Dave Bittner: [00:04:59]  Cisco recently released their annual "Data Privacy Benchmark Study." Here to share the results is Robert Waitman, Cisco's director of data privacy. 

Robert Waitman: [00:05:08]  Yes, we were very excited to be able to finally put a number on the overall return on privacy. We have looked for a couple of years at some of the areas of benefit, like having shorter sales delays associated with privacy investment, which means you can answer customers' questions more quickly and be able to streamline your sales process. We found some security benefits, that those organizations that had invested in privacy were seeing fewer and less costly breaches when they evaluate it over time, and we can correlate that data. 

Robert Waitman: [00:05:38]  And what we've done this year is to take not only those results and be able to validate them but also to put an overall umbrella on the value of these privacy investments. And the net takeaway is that for the average organization, spending $100 translates into $270 of business benefit, and that is a very good investment for most organizations to make to get that kind of return. And again, we're encouraging people to think hard about not just doing the minimum required but doing those kinds of investments which build a kind of trust with customers which, again, return those business values to you (ph). 

Dave Bittner: [00:06:13]  What sorts of things are you tracking in terms of awareness? Is word getting out? Are people buying into this notion that privacy is a good investment? 

Robert Waitman: [00:06:23]  Well, organizations are certainly paying attention to the regulations. GDPR, which came into place a year and a half ago, caused organizations around the world and not just those in Europe - this really was a worldwide effort to get ready for and be compliant with the requirements of GDPR. In fact, we found in a study last year that 97% of organizations around the world were either ready for or getting ready for GDPR. We found that again this year. 

Dave Bittner: [00:06:48]  So if it was my responsibility to report findings like this to my board of directors, what sort of message should I take into the boardroom? 

Robert Waitman: [00:06:57]  Well, I think you'd say that, you know, No. 1, we're doing what we have to in complying with the law - everybody wants to hear that - but also that we're making the kind of investments that support what our customers are looking for, that we are building trust and loyalty with our constituencies. And that's important both internally - let's say, with our employees and improving our own internal operations, which - there's a lot of business value for doing that - but also with improving the relationships with our customers, that we are helping keep their data safe, that they can trust that we are doing the right things, that we are being open and transparent about how their data's being used and therefore building the trust and loyalty. 

Dave Bittner: [00:07:33]  Was there anything that came out of the data you collected that was particularly surprising, anything that was unexpected? 

Robert Waitman: [00:07:40]  Well, I think this issue of - around certification, again, surprised us in a very positive way. We've talked about the huge increase in organizations recognizing their own benefits. I think the thing that I would highlight here - this is, you know, while it's somewhat similar to what we've seen before, again, it's strong validation. And the message that we want people to get is those investments beyond the minimum requirement are translating into benefits outside of what you'd expect normally just in terms of privacy. And one of those areas, in fact, was security. So you know, noticing that organizations that were more than just the minimum, that were more mature when it comes to privacy and privacy accountability - we're seeing benefits in terms of those security outcomes. So those that were higher on that scale were much less likely to have been breached last year. 

Robert Waitman: [00:08:25]  So this idea that you are prepared, that your data house is in order and you've minimized what you have and protected what you need to keep, is something that's translating into strong security benefits. I think that's a strong message, and it's one that, you know, wouldn't be obvious with, saying if I'm working on privacy, how is that really helping me on the security front? But not only are we seeing that in the data, but organizations are saying that they believe that to be true as well. And I think that's an important insight for people to think in somewhat of a counterintuitive way. 

Dave Bittner: [00:08:50]  That's Robert Waitman from Cisco. 

Dave Bittner: [00:08:54]  Ransomware continues to surge with greater virulence and rapacity. For a look at what it can do to an organization, see the Regina Leader-Post account of a shutdown Ryuk ransomware induced at EVRAZ Regina, a major steel mill in Saskatchewan, Canada. The steel workers at EVRAZ Regina are looking at work stoppage, a temporary furlough that is thought likely to last around two weeks as the company recovers from its Ryuk infestation, according to local news station CKRM. 

Dave Bittner: [00:09:25]  Local governments continue to suffer from Ryuk as well. The city and county of Durham, N.C., were hit over the weekend, BleepingComputer reports. In this case, the infection began when a city worker clicked on a link in a phishing email, and the infestation spread from there. Municipal governments in North America and elsewhere have been favorite targets of phishing attacks designed to spread ransomware. Local radio station WRAL reported that the city and county governments disclosed the attack yesterday. It came to their attention Friday. 

Dave Bittner: [00:09:56]  It's not just industrial plants or municipal governments either. TechCrunch reports that U.S. defense contractor Communications & Power Industries paid extortionists half a million dollars in ransom back in January. The particular strain of ransomware is unknown. With ransomware becoming increasingly aggressive and now routinely engaged in data theft before it encrypts files, a piece in Forbes offers advice. First, have a plan for responding to ransomware attacks that includes steps to restore normal operations as soon as possible. Second, regularly back up data in a way that minimizes the backup's exposure. Attackers are increasingly trying to hit backups as well to make their extortion more compelling. And third, deploy systems that can detect and contain hostile activity in organizational networks as early as possible. 

Dave Bittner: [00:10:46]  And finally, how do police catch criminals? Is it through patient detective work aided by the forensic razzle-dazzle of crime scene investigators? Sure, sometimes. But as often as not, nowadays it's because criminals talk about their crimes quite openly in social media accounts that are accessible to the world at large, Quartz reports. They're betrayed by the libido ostentandi, the irresistible desire to show off, just like everyone else. Examples - posting pictures of yourself wearing the same clothes you had on when the security camera caught you - smile - knocking off that convenience store, posing with the swag you took in a burglary, things like that. Two separate but equally important groups who represent the people in the criminal justice system - the police, who investigate crimes, and the district attorneys, who prosecute the offenders - are paying attention to what the masterminds put in their social media feeds. 


Dave Bittner: [00:11:40]  Not in the Quartz article, but a particular favorite that's achieved local legend status around Baltimore is the possibly apocryphal tale of the drug dealer who wanted to imitate beloved Disney cartoon character Scrooge McDuck, who, as viewers of cartoons and readers of old comic books will know, is wont to celebrate his wealth by diving into a pile of coins he stores in Uncle Scrooge's money bin. So said criminal mastermind converted his ill-gotten holdings into U.S. coins - dimes and quarters, mostly - filled a room in his den with them and videoed himself diving into the coins. 


Bill Thompson: [00:12:14]  (As Scrooge McDuck) A dollar ninety-five. 

Dave Bittner: [00:12:16]  He fractured his neck, and we hope he made a full recovery while in custody. We're pretty sure it's a good story because one of our guys heard it a few years ago on morning drive-time radio, which if you can't trust, then who the heck can you trust in this sad, old world? 

Dave Bittner: [00:12:36]  It's time to take a moment to tell you about our sponsor Recorded Future. They help security teams make more confident decisions faster. Recorded Future's technology automates broad collection and analysis of cyberthreat data and delivers the rich external context you need to understand alerts and emerging threats. With real-time threat intelligence from Recorded Future, security teams respond to threats 63% faster and find undetected threats 10 times quicker. Recorded Future integrates with the security products you already use, making the intelligence you need accessible and relevant. Use it to improve your security operations, incident response, vulnerability management and more. If you're facing challenges like the cybersecurity skills shortage or more alerts than your team can handle, consider Recorded Future threat intelligence. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and it's on the money. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:13:47]  Joining me once again is Zulfikar Ramzan, chief technology officer at RSA Security. Zuli and I sat down at the RSA Conference. 

Dave Bittner: [00:13:57]  Well, it's great to have you back, and as we sit here, 2020 RSA is winding down. It is just about in the books. What's been your take? How was the show this year? 

Zulfikar Ramzan: [00:14:07]  You know, it has been phenomenal. I mean, I - we were certainly concerned about all the news leading up to the show with things like coronavirus and whether that would detract from people being able to attend. But the energy levels seem to be phenomenal. I think people are continuing to be passionate about this industry. We're seeing just continued interest, and that's a good sign for our times in terms of the challenges we have to deal with. 

Dave Bittner: [00:14:30]  What sort of trends are you all tracking in terms of the number of people setting up on the show floor, the conversations they're having, the scale of what's going on? 

Zulfikar Ramzan: [00:14:40]  Yeah, I mean, it's just amazing to see how many different vendors are here. You know, we're capped by the number of spaces we have available, not by anything else. And we limit the number of vendors not because we can't get more. It's because we literally can't fit more and make it useful, and I really saw this firsthand a few years ago. I was in the W Hotel, and if you go in the W Hotel, there's this kind of bar area where you enter. There's a bunch of kind of lounges and different sets of couches where people can hang out. And there was a startup company that got to that lounge area early, and they set up a booth in a corner of the bar at the W Hotel. 

Dave Bittner: [00:15:15]  (Laughter) Right. 

Zulfikar Ramzan: [00:15:15]  They had a folding table. They had collaterals. You know, they had the whole nine yards. 

Dave Bittner: [00:15:20]  Right. 

Zulfikar Ramzan: [00:15:20]  And that was, like, a moment of, like - wow - just how important it is for companies to be at RSA conference to show their presence in this industry. And it was a sign of the times, and I think we've only seen that continue to grow. 

Dave Bittner: [00:15:32]  What about overall themes, the trends that you're tracking, the messaging that the folks out there are putting out in terms of - what are the priorities this year? 

Zulfikar Ramzan: [00:15:40]  Yeah, so I mean, if I, you know, took it from a customer lens versus a vendor lens, when I talked to our customers this week, I would say a few key trends were popping up. The first key trend was around digital transformation. So I think everyone is looking to embrace some form of technology to move their business forward, whether it's cloud - maybe they're less mature, and they want to embrace cloud. If they already are doing stuff with cloud, they're thinking about maybe microservices or cloud-native stacks and so on and so forth. And I think with each of these new technology elements, they have to think about what it means from a security perspective, so that's kind of priority No. 1. 

Zulfikar Ramzan: [00:16:14]  Priority No. 2 for them is really around that sort of vendor rationalization and consolidation. So a lot of our customers say, you know, we have way too many vendors. Each of them can do 10 different things, and I'm trying to find out - do I need all these different vendors? You know, Are there situations where, you know, these three vendors can give me the same benefits as the other six or seven? And so we're looking for opportunities in that realm of rationalization just because it's impossible to manage all these different tools and do something useful with them. 

Zulfikar Ramzan: [00:16:40]  And then I think the final big trend that we're seeing - we're really starting to see is, I think, a shift back to our roots in the industry to focus on business problems versus on cool, shiny technologies. And if I had to kind of, you know, articulate it, if you look at what's happened in the last few years, 10 years ago in cybersecurity, people marketed the business problem they were solving. You had antivirus to address viruses and anti-malware technology to find malware, and you had, you know, IPSs and so on and so forth. But then we saw kind of a shift in the market where, all of a sudden, some of the newer vendors are popping up and saying, we do AI-powered this or data science-powered that, and to me, that was kind of a shift in the wrong direction because it focuses on the how versus the why. 

Dave Bittner: [00:17:21]  Let's swing back and wrap up talking about the conference again. You know, what - for you, what are the types of things you like to take away from a show like this? For your own enrichment, the things you want to - when you go back and you reflect on the things you've learned here, what sort of insights do you take home with you? 

Zulfikar Ramzan: [00:17:38]  You know, I really focus a lot on customer conversations because I want to understand what's going on in the mind. Ultimately, we build all these technologies. We're not just building them for their own sake. We want people to be able to deploy them successfully. We want to make sure they're able to get value out of them. So it's really critical for me to see what our customers are thinking about, whether or not there are particular problem areas that we haven't yet solved for them or that are going to be coming down the pike. Obviously, in my role as CTO, I've got to think a bit ahead in terms of where we want to go. 

Dave Bittner: [00:18:03]  Right. 

Zulfikar Ramzan: [00:18:04]  So I spend a lot of my energy identifying perhaps even problems that customers have but don't even know that they have yet. And that's kind of my main takeaway every year from the show - is identifying those areas, and that's an amalgamation of customer conversations, going out on the show floor, looking at what some of the early-stage companies are doing. The Innovation Sandbox is a great source of information there. We have the Executive Security Action Forum on Monday, where they have all these top CISOs and security executives who get together. And to me, the amazing thing about the conference is there's just so much going on. It's like, you know, you're at a massive buffet table, or you've got 50 buffet tables. 

Dave Bittner: [00:18:39]  (Laughter). 

Zulfikar Ramzan: [00:18:40]  And I like to be the hungry kid at that buffet table and learn as much as I can during this week. 

Dave Bittner: [00:18:44]  Yeah. It strikes me that, you know, despite how connected we are online and the massive amounts of information we can exchange that way, there is still nothing like being able to get together with friends and colleagues and people you've known for years and all those side conversations that happen that are such an important part of this business that we're in. 

Zulfikar Ramzan: [00:19:08]  Absolutely, and this is the whole purpose of the conference. It's where the industry comes together. 

Dave Bittner: [00:19:13]  Yeah. Yeah. All right, well, Zuli, great seeing you. Thanks for joining us. 

Zulfikar Ramzan: [00:19:16]  Oh, what a pleasure. I love being on the show, Dave. Huge fan. 

Dave Bittner: [00:19:19]  Thank you. 

Zulfikar Ramzan: [00:19:20]  Thank you. 

Dave Bittner: [00:19:21]  That's Zulfikar Ramzan from RSA Security. 

Dave Bittner: [00:19:29]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at, and don't forget you can get the daily briefing as an Alexa flash briefing, too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: [00:20:18]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.