The CyberWire Daily Podcast 3.11.20
Ep 1042 | 3.11.20
The Cyberspace Solarium reports. Coronavirus scams and coronavirus realities. Notes on March’s Patch Tuesday.
Transcript

Dave Bittner: [00:00:04] The Cyberspace Solarium has released its report as promised, and they wish to make your flesh creep. Coronavirus scams and phish bait amount to what some are calling an infodemic; some notes on Patch Tuesday, and finally, some words on the actual coronavirus epidemic. 

Dave Bittner: [00:00:27]  And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers; to empower your change-makers, like developers; and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:01:38]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 11, 2020. The U.S. Cyberspace Solarium released its report today, which includes, as foreseen, 75 recommendations grouped under six headings. First, reform the U.S. government structure and organize for cyberspace. Second, strengthen norms and nonmilitary tools. Third, promote national resilience. Fourth, reshape the cyber ecosystem. Fifth, operationalize cybersecurity collaboration with the private sector. And finally, preserve and employ the military instrument of national power. The recommendations are framed against the background of national vulnerability to a sudden disabling cyber campaign. 

Dave Bittner: [00:02:25]  That possibility is established imaginatively within the report by an introductory piece of fiction, "A Warning From Tomorrow," in which legislative staffers working from a Rosslyn, Va., high-rise survey the cyber-induced devastation across the Potomac with a sense of despair and futility. The river itself is discolored red with the release of the wrong chemicals from upstream treatment plants. The city's low-lying areas were flooded from reservoirs drained when their sensors were hacked. Drone wreckage litters the mall and so on. The story speaks of Capitol Hill. And of course, Rosslyn is across the Potomac from the actual Capitol Hill. But clearly, the writers are dealing with the geography of the spirit, not prosaic real estate. 

Dave Bittner: [00:03:12]  Cyberspace, as the Solarium sees it, is an incipient dystopia. We quote, "While America looks forward to the potential of cyberspace and associated technologies to improve the quality of human life, threats continue to grow at an accelerating pace. America is facing adversary nation-states, extremists and criminals that are leveraging emerging technologies to an unprecedented degree. Authoritarian states seek to control every aspect of life in their societies and export this style of government in which surveillance trumps liberty to the rest of the world. There is no public square, only black boxes proliferating propaganda and organizing economic activity to benefit the few at the expense of the many. Rogue states, extremists and criminals thrive in the dark web, taking advantage of insecure network connections and a market for malware to prey on victims." 

Dave Bittner: [00:04:06]  There's no mystery as to the identity of the principal nation-state adversaries this time around, either. They're the familiar four - Russia, China, Iran and North Korea. The nonstate actors the report cites are also familiar - criminal gangs, hacktivist organizations, lone wolves. Like the report of the original Cold War Solarium, which considered nuclear strategy, the Cyberspace Solarium used three teams to come up with competing approaches to the challenge it was set. Also like the original, the new Solarium's recommendations concentrate heavily on deterrence and resilience. 

Dave Bittner: [00:04:41]  The commissioners offer some big ideas to get the conversation started. These include the conviction that deterrence in cyberspace is possible, that such deterrence relies on a resilient economy and will require government reform, that the private sector must up its own security game and that election security must be given high priority. Deterrence would involve defending forward, would be layered, the report says, designed to shape behavior, deny benefits and impose costs. Thus prospective attackers who work the calculus of cyber conflict would be dissuaded first by international entanglement and international norms. The low probability of deriving any benefit from an attack would further persuade them that offensive action would be largely futile. And finally, in the third level, the sure prospect of retaliation, punishment, the imposition of costs would convince them that it wasn't in their interest to attack. The logic of deterrence, the report says, hasn't substantially changed in more than half a century. 

Dave Bittner: [00:05:43]  Josh Mayfield is from security firm RiskIQ. And he joins us with insights on what he describes as the coming age of conquest and information control. 

Josh Mayfield: [00:05:53]  One of the things that's probably underemphasized is the motivating imperative that attackers feel that really drives a lot of their behavior. I mean, these are belief-generating, goal-seeking animals, as all humans are. And so one of the things that's necessary is to understand what those motives are. And one of the things that I had mentioned that got this conversation going was that - rewind the clock 20 years ago or so and the main driver, the main motive was notoriety within someone's own social clique - right? - the notoriety and the esteem I would get among my peers. And that motive is - gave way to a more financially driven motive - primarily, snatch and grab. So let me break in, steal and then go pawn it off somewhere else. 

Josh Mayfield: [00:06:42]  And now we see another wave, another epoch that I see and that we see at RiskIQ - is that it's moved into conquest. And so now, no, I don't just want to break in and steal and take away and sell it to someone else who might want this piece of digital material, whether it's, again, a Social Security number or a resource itself. We're seeing a mindset shift where instead of trespassing like it used to be, you know, notoriety among your group - oh, you snuck in; oh, you found the weaknesses; oh, aren't you extraordinary - to financial gain and now all the way to direct conquest. 

Dave Bittner: [00:07:21]  Well, I mean, let's explore that a bit. I mean, given what you're saying here, that we've reached this point of professionalism and the way that the bad guys are coming at us, what is the appropriate response these days, then? How do organizations best prepare themselves for defense? 

Josh Mayfield: [00:07:40]  The best way to prepare yourself for defense, especially in an age where there's - the base line of savvy is much higher. The people that are going into the cybercriminal profession are people that are coming in with a higher baseline. And so you have that sophistication and skill set that's already being developed. And then when you add to it the opportunity and the motive that drives all of us - but then (ph) the opportunity - because the flank is open, it's a short hop, skip and a jump for someone to enter that criminal behavior. And so when you have just more of them that have more skills, and they have more opportunity to take advantage of a weakness because there are more weaknesses that are going unnoticed, that's the part that organizations can control. 

Josh Mayfield: [00:08:26]  We can't change the motives and the drives and the attacker. We can't even change what their skill sets happen to be. But what we can do is we can reduce their opportunity. We can neutralize that tendency to go from esteem (ph) to theft to conquest. We can be a very inhospitable environment for them to try to tiptoe into because we have eyes everywhere and we can see all of that. Risk and threat work in cybersecurity is a game of probabilities. 

Josh Mayfield: [00:08:53]  What we can focus on, what we can put our attention on is lowering the probability of exploit. And the best way to do that is by seeing all those places where it could happen and mitigate any of the risks and exposures before they actually are hit. And I would just say that that's one of the things to really focus on. We can do a lot of work trying to interpret and understand an APT. We can look into nation-states, and we can imagine worst-case scenarios, but in reality, what ends up getting hit is the exposure you didn't see coming that was just opportunistically available for an attacker at the right time. 

Dave Bittner: [00:09:31]  That's Josh Mayfield from RiskIQ. 

Dave Bittner: [00:09:35]  Take the coronavirus seriously, but stay alert to COVID-19-themed scams. KnowBe4, RiskIQ, and others share warnings about this trend. It's the usual sad, all too often sadly persuasive stuff - buy this cure, buy this product, donate to this charity, and all will be well. 

Dave Bittner: [00:09:55]  Yesterday was Patch Tuesday, and Microsoft addressed a total of 115 vulnerabilities, 26 of which are rated critical. Eighty-eight are considered important. And one is held to be moderately severe. The good news is that none of them appear to be currently exploited in the wild. Mozilla also released updates for Firefox and Firefox ESR yesterday. Their patches resolved 12 distinct vulnerabilities. The most serious Firefox vulnerability addressed exposes unpatched systems to arbitrary code execution. We heard from security firm Ivanti on March's round of patches. Their recommendation is to give priority to Windows OS, Microsoft Office and browser patches this month. Adobe did not issue its usual round of patches, Help Net Security reports. It's not immediately known whether Adobe will push fixes in the near term or not. 

Dave Bittner: [00:10:49]  And finally, at least two of our industry's own have come down with COVID-19, the coronavirus strain that's been the source of so much concern. Exabeam says that two of its people have come down with COVID-19. And we wish them a swift and complete recovery. It's not clear when they contracted the virus, but both of them were at Exabeam's booth in the Moscone Center last month. Symptoms appeared after their return from the conference. If you were at RSAC, Exabeam urges that you take whatever steps you find prudent to ensure you're not affected. 

Dave Bittner: [00:11:22]  For their part, RSAC says they've been monitoring the outbreak but haven't yet found any clear link to the conference. Nonetheless, the conference organizers urge anyone who attended to refer to CDC recommendations concerning testing, treatment and prevention of COVID-19. The CDC emphasizes that the best prevention is to avoid infection. And the measures they recommend are familiar from advice given during flu season. Wash your hands frequently, avoid places where you might be exposed and so on. Vox has a summary of advice from public health experts on what individuals and organizations can do to slow the rate at which the virus spreads. Their headline sums it up - "Canceled Events and Self-Quarantines Save Lives." The cases of Exabeam's people aren't trivial. One of those affected is hospitalized in guarded condition, CRN reports. Spare a thought or a prayer for two of our colleagues and their families. And stay safe. 

Dave Bittner: [00:12:25]  It's time to take a moment to tell you about our sponsor Recorded Future. They help security teams make more confident decisions faster. Recorded Future's technology automates broad collection and analysis of cyberthreat data and delivers the rich external context you need to understand alerts and emerging threats. With real-time threat intelligence from Recorded Future, security teams respond to threats 63% faster and find undetected threats 10 times quicker. Recorded Future integrates with the security products you already use, making the intelligence you need accessible and relevant. Use it to improve your security operations, incident response, vulnerability management and more. If you're facing challenges like the cybersecurity skill shortage or more alerts than your team can handle, consider Recorded Future threat intelligence. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And it's on the money. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:13:35]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:13:45]  Hi, Dave. 

Dave Bittner: [00:13:46]  Interesting story you have to share this week - this is some good stuff coming out of the FBI. 

Joe Carrigan: [00:13:51]  Yes. It's a mixed bag of stuff. It's interesting, and it's good. And I don't mean to disparage the FBI here. I think what they're doing here is great. 

Dave Bittner: [00:13:58]  Yeah. 

Joe Carrigan: [00:13:59]  But the headline - this is from CyberScoop. It says, "An FBI Unit Recovered $300 Million..." 

Dave Bittner: [00:14:05]  Hmm. 

Joe Carrigan: [00:14:05]  ...Of reported cybercrime from losses last year. But that's out of $3.5 billion in losses. 

Dave Bittner: [00:14:10]  (Laughter). 

Joe Carrigan: [00:14:10]  So it's less than 10% of the money that was lost, they've recovered. However... 

Dave Bittner: [00:14:14]  Yeah? 

Joe Carrigan: [00:14:15]  Three hundred million dollars is nothing to sneeze at. 

Dave Bittner: [00:14:17]  No, no, not at all, not at all. 

Joe Carrigan: [00:14:19]  And they've spoken with Tonya Ugoretz, who is a deputy assistant director from the cyber division. And she was talking about the Internet Crime Complaint Center, the IC3, that responded to more than 467,000 complaints in 2019. Now, there were 351,000 complaints in 2018, so that is a huge increase. 

Dave Bittner: [00:14:43]  Yeah. 

Joe Carrigan: [00:14:44]  And something that I find amazing about this is every one of these complaints gets analyzed by a person, right? That's amazing. 

Dave Bittner: [00:14:53]  That is amazing. 

Joe Carrigan: [00:14:54]  ...I mean, that you can get more than - close to half a million complaints, and every one of them gets examined by a person at some point in time. 

Dave Bittner: [00:15:01]  I'm just trying to imagine the staffing that requires. 

Joe Carrigan: [00:15:03]  Yeah. It's huge. Some interesting statistics in this - of the 3.5 billion that was stolen last year, 1.7 of that - 1.7 billion of that was taken from business email compromise scams. Now, these are very sophisticated scams where people are in your email. We've talked about them on "Hacking Humans." We've talked about them here. 

Dave Bittner: [00:15:22]  Yeah. 

Joe Carrigan: [00:15:22]  They're watching the conversation. And when the time is right, they inject a message into the conversation that says, oh, by the way, we're changing our banking details, and here's the new banking information. And then the money gets sent to the scammers or to the criminals, and off it goes. And then it's very difficult to recoup that loss, particularly... 

Dave Bittner: [00:15:44]  Sure. 

Joe Carrigan: [00:15:44]  ...If you're doing a wire transfer. 

Dave Bittner: [00:15:45]  Yeah. They talk about a particular case here where someone transferred $785,000. 

Joe Carrigan: [00:15:53]  Yeah. This is a case out of New Jersey. Someone who was buying a home believed they were transferring almost $800,000 to a lender but was actually sending it to an imposter masquerading as a bank. When this happens, it's absolutely devastating because that transaction is not happening again, because if you can't get that money back, then you don't have another $800,000 lying around to buy a home. 

Dave Bittner: [00:16:14]  Right. 

Joe Carrigan: [00:16:15]  Right? 

Dave Bittner: [00:16:15]  Right. 

Joe Carrigan: [00:16:15]  I imagine this was a down payment on a large property. 

Dave Bittner: [00:16:18]  Yeah. 

Joe Carrigan: [00:16:19]  But you know, you don't - you're not going to have that money laying around again. This happens at smaller scales, too. We've seen this happen where people lose down payments of, like, $20,000 that they're putting down on a house that cost $150,000. 

Dave Bittner: [00:16:31]  Sure. 

Joe Carrigan: [00:16:31]  And these are people who have worked for years to save up that $20,000. 

Dave Bittner: [00:16:35]  Yeah. 

Joe Carrigan: [00:16:35]  And now it's gone. And now they can't buy a house, which is, you know, one of the great things that we like to do here in America, is we like to have homeownership. 

Dave Bittner: [00:16:43]  Yeah. 

Joe Carrigan: [00:16:43]  Right? 

Dave Bittner: [00:16:44]  They say in this article that in this case, the recovery asset team was able to get $665,000 of the money back. 

Joe Carrigan: [00:16:52]  Right, which is a great ratio for that. 

Dave Bittner: [00:16:56]  And evidently, there was also an insurance policy that'll help make up the difference, so... 

Joe Carrigan: [00:17:00]  Well, that's good news. 

Dave Bittner: [00:17:02]  It is good news - unfortunately, very unusual, I think, in these sort of cases. 

Joe Carrigan: [00:17:06]  It is. This person transferring $800,000 probably is aware of the risk in doing this. You know, it's - they probably have insurance for this purpose. Good for them. But again, like I said, when this happens to someone smaller, some first-time homebuyer who might be 25 years old, doesn't have a lot of money, it's devastating. 

Dave Bittner: [00:17:25]  Yeah. Well, a good reminder that folks like these teams at the FBI are out there, fighting the good fight, and you know, they are able to claw back some of this money. 

Joe Carrigan: [00:17:34]  And... 

Dave Bittner: [00:17:34]  ...But not as much as you'd hope. 

Joe Carrigan: [00:17:37]  Yeah, not as much as you'd hope, but they're - I think they're getting better at it. And I think there's ways to make this better with policy and checks and balances in the system, as well as criminal prosecution. And I think that - we're going to start seeing a lot more of that over time. 

Dave Bittner: [00:17:53]  Mmm hmm. All right. Well, interesting story - Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:17:56]  My pleasure, Dave. 

Dave Bittner: [00:18:02]  And that's the CyberWire. You may note I am not in particularly good voice today. That is just seasonal allergies, so no fever, no worries, not yet. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:18:29]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:41]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.