Coronavirus phishing. Money mule recruiting. Remote work and behavioral baselining. HHS incident seems to have been...an incident. Advice from NIST, and from Dame Vera Lynn.
Dave Bittner: [00:00:03] More coronavirus phishing expeditions. Don't let idleness or desperation lead you into a money mule scam. How do behavioral expectations change during periods of remote work? The Health and Human Services incident appears to be just that. NIST has some advice for video conferencing and virtual meetings. And an exhortation to return to the Blitz spirit.
Dave Bittner: [00:00:32] It's time to take a moment to tell you about our sponsor Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insights into emerging threats. We read their dailies at the CyberWire, and you can, too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, much more. Subscribe today and stay ahead of the cyberattacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Subscribe today and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And it's on the money. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:01:57] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 18, 2020. As security companies continue to watch the cyber underworld, they're seeing the expected spike in coronavirus-themed scams, phishbait and general online bottom feeding. Malwarebytes reported this morning on the latest criminal phishing expedition. This one is baited with an offer of an e-book from the World Health Organization. Inside this E-Book "My-Health," write the skids in their email, you shall find out the complete research and origin of corona-virus and the recommended guide to follow to protect yourself and others. Enough to get you to click? But wait; there's more. This guidance provides critical considerations and practical checklists to keep Kids and business center safe. So do it for the children, of course, and for business center. It's not a badly spelled email, but capitalization and usage are off enough that the wary recipient need look no further before bonging (ph) these bozos to the spam list.
Dave Bittner: [00:03:03] Another underworld development that preys on the economic hardship occurring in tandem with telecommuting is an increase in the number of people being recruited as money mules, KrebsOnSecurity reports. One of the larger operations Krebs describes, the Vasty Health Care Foundation, strikes a high-minded tone about connecting causes and providers, tells prospective mules they're hired, assigns busywork and then has them process donations - that is, launder money. The busywork is a particularly nasty ploy. It weeds out lazy and unreliable slackers, for one thing, and so plays on the diligent and trusting.
Dave Bittner: [00:03:44] But as we think about these scams, let's follow the wise advice of an op-ed by Dr. Salvatore Stolfo, founder and CTO of Allure Security, that Dark Reading ran yesterday. Dr. Stolfo's thinking about tax season scams, but it's good advice in any case. Let's save our contempt for the criminals and spare the victims, especially when they're motivated by trust or fear. If it's crook-on-crook crime, red-on-red, then fine. It's in the interest of civilized people that both sides lose. But the ordinary Jane or Joe who falls for a scam? Give them some help and some understanding.
Dave Bittner: [00:04:23] The pandemic-driven surge in remote work has a side effect that many of us might overlook. Many of the norms that inform behavioral anomaly detection may need reevaluation and revision. Duo Security's Decipher blog points out that people will work at unusual times and from unusual places, and they may fumble VPN access or unfamiliar multifactor authentication to such an extent that multiple login attempts will no longer indicate that some form of credential stuffing or brute force attack is in progress. Evelyn from HR logging in from Chicken Gizzard Ridge or Blue Lake? Remote work. Fran from IT working at 4 a.m.? Needs to fit work from home around distractions of home - remote work. The gang from sales engineering all in the office? Well, it may not be remote work, but they can't be on the road anymore. All those conferences have been canceled. Anyway, if you do use behavioral analytics in your security program, it might be a good time to talk to your vendor about whether and how your baselines might need to be redrawn.
Dave Bittner: [00:05:31] Some such anomaly may be behind the Iranian attack that wasn't this past weekend. The consensus about the incident the U.S. Department of Health and Human Services experienced Sunday and Monday is now relatively firm. It probably wasn't an attack at all. And clearly, the department's operations didn't suffer. Some think it might not even have amounted to a probe or a preliminary distributed denial-of-service attack. It might have been an unusually large number of visitors looking for reliable information on COVID-19, or even an artifact of the department's Drupal instance. The episode should indicate, as we've seen so often in the past, the difficulties of attribution. It's often difficult to tell whether an incident is an attack at all or simply a malfunction, or even just routine functioning that's a bit out of the ordinary.
Dave Bittner: [00:06:21] So what should you be thinking about in these challenging times? The U.S. National Institute of Standards and Technology, known as NIST, has some advice on how to conduct online meetings securely. The challenge, of course, is keeping out eavesdroppers. First of all, follow your organization's policies for virtual meeting security. You do have policies, right? Avoid reusing access codes. As NIST points out, if you've used the same code for a while, you've probably shared it with more people than you can imagine or recall. Sensitive discussions call for one-time PINs or meeting codes, and also for multifactor authentication. Don't let the meeting start until the host joins. Enable notification when someone joins; play a tone or speak a name. In any case, have new attendees announce themselves, and use a dashboard to monitor attendees. Think twice about recording the meeting. If it's not necessary, then don't. If it's a web meeting with video, then disable features you don't need, like chat or file sharing. And before someone shares their screen, remind them not to inadvertently put up any sensitive information.
Dave Bittner: [00:07:30] We are all experiencing useful reminders of our public responsibilities to each other these days. And if you'll forgive me an awkward transition, there are those in cybersecurity who remind us of our shared responsibilities in the public cloud, especially given the prevalence of cloud misconfigurations. Johnnie Konstantas is among those spreading the good word. She's senior director of security product management at Oracle. And I sat down with her at the RSA Conference.
Johnnie Konstantas: [00:08:00] Yeah. I mean, I think the big word of the hour is misconfiguration, right? So I think where we stand is we have a lot of security tools. I mean, a show like this is evidence of that, right?
Dave Bittner: [00:08:11] Mmm hmm.
Johnnie Konstantas: [00:08:12] And clearly, a lot of innovation is happening in security, especially for cloud. But we're still in a state where the losses associated with data are mounting. And, you know, the biggest culprit here is really not a lack of tools but tools that don't really automate risk reduction.
Dave Bittner: [00:08:35] Can you walk me through? Help me understand because obviously, no one sets out to have an insecure bucket...
Johnnie Konstantas: [00:08:41] Of course.
Dave Bittner: [00:08:42] ...In the cloud.
Johnnie Konstantas: [00:08:43] Right.
Dave Bittner: [00:08:43] So what is the typical way that someone finds themself inadvertently in this situation?
Johnnie Konstantas: [00:08:51] Sure. If you consider, you know, one of the recent breaches that had credit card applications - right? - that configuration is likely very common to a lot of cloud customers. So you have some object stores. They contain various kinds of unstructured data - so spreadsheets, documents, photos, what have you. And you might have an object store that contains database backup. So databases are its own entity or instance, but it is very common to take a database and back it up into an object store.
Johnnie Konstantas: [00:09:25] Now, object stores by their very nature in the cloud are meant to be easily accessible because accessing that unstructured data, obviously, is very common. What happens is, those buckets - whoever sort of set it up thought, well, this is a database that contains sensitive information; I'm going to make it private. Months pass, and someone says, you know that database backup? We're going to run some analytics, so it would really be great to, you know, sort of get access to that backup. And so they flip it open - should probably only be kept open for - I don't know - the hour or so that...
Dave Bittner: [00:10:01] Mere moments.
Johnnie Konstantas: [00:10:01] Mere moments.
Dave Bittner: [00:10:01] (Laughter).
Johnnie Konstantas: [00:10:04] And there it stays. And so what that all is called is configurations drift. So you start off with a security posture that is quite good. You will apply best practices. But over time, things get opened up for one reason or another, and they're never flipped back to their proper state.
Dave Bittner: [00:10:23] How do you see the standards, the expectations for these sorts of things evolving over the next year or so? Are these - the sorts of things that you're offering, do you expect by necessity these are going to be the expected standard from cloud providers, these...
Johnnie Konstantas: [00:10:39] Absolutely.
Dave Bittner: [00:10:40] ...Types of security measures?
Johnnie Konstantas: [00:10:41] Definitely. You know, we ran a survey last year at Oracle with KPMG. And customers were all in on cloud. They even believed that it was more secure than their premises environment, which didn't have the benefit of newer technologies and homogeneous architecture. But what they were very confused about was shared responsibility. The shared responsibility model - where do you draw the line? It's mine - this is what I take care of in the security perspective; this is what you take care of. What we're saying is, yes, of course, there will always be, you know, the need for some diagram that shows what controls you as a customer actually get.
Dave Bittner: [00:11:15] Right.
Johnnie Konstantas: [00:11:15] But it has to be easier. It has to be automated.
Dave Bittner: [00:11:19] That's Johnnie Konstantas from Oracle.
Dave Bittner: [00:11:23] NIST has been busy this week. They're not only posting advice about the security of virtual meetings, but they've also issued a revised draft of draft Special Publication 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations." It is an important document, and this is their first revision in seven years. NIST is happy to accept comments through May 15. What better way to spend a period of more or less enforced leisure - if you're among those who find themselves in that position - than to snuggle up with SP 800-53 and then lay some of your knowledge on NIST? They'll thank you for it, and you'll deserve well of the republic.
Dave Bittner: [00:12:05] And finally, an outage described as a technical issue, not an attack, has disrupted voice service in four British mobile carriers - O2, Three, Vodafone and EE - inconveniencing many who were depending on voice service for their COVID-19-driven remote work, The Telegraph reports. The carriers are recovering. We wish everyone in the U.K. well and, if we may, a return to what the Forces' Sweetheart, singer Vera Lynn, now a vigorous 102 years old, this week called the Blitz spirit - keep calm, and keep on. And here's some Dame Vera to put you in the right frame of mind.
0:12:42:(SOUNDBITE OF SONG, "THE WHITE CLIFFS OF DOVER")
Vera Lynn: [00:12:44] (Singing) There'll be bluebirds over the white cliffs of Dover tomorrow. Just you wait and see.
Dave Bittner: [00:13:14] And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's looking lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [00:14:27] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:14:36] Hi, Dave.
Dave Bittner: [00:14:36] You and I regularly discuss this notion that two-factor authentication is a good thing.
Joe Carrigan: [00:14:42] It is.
Dave Bittner: [00:14:43] And one thing we've noticed is that two-factor has gotten a lot easier thanks to apps on mobile devices that allow you to have that two-factor happen in a sort of frictionless way on your mobile device.
Joe Carrigan: [00:14:57] Right.
Dave Bittner: [00:14:57] Recently, at the RSA Conference, there were a couple of researchers who were presenting on this topic. And they said, not so fast.
Joe Carrigan: [00:15:06] Right. Yeah, these researchers are Aaron Turner and Georgia Weidman. They emphasize that these authenticator apps like Google Authenticator or - there's a Microsoft version. There's other third-party ones out there. They're better than the SMS two-factor, but they're only as secure as the phones they're running on, right? So if you're running an older phone that has malware on it, you're making yourself vulnerable to an attacker who may be able to get your two-factor authentication that way. Now, they'd have to target you specifically, and they'd have to know which phone was yours and - but if they had the malware, they could do it.
Dave Bittner: [00:15:41] How far back are we talking about here?
Joe Carrigan: [00:15:44] That's a good point, Dave. This talks a lot about older systems. One of the things they say is, you do not want any of the risks associated with a 32-bit IOS from Apple. And when you're talking about Android devices, they said use the Pixel devices or, if you can't get a Pixel device, an Android One device, which - now, Android One, we've talked about this before. That's the Google program for essentially bare Android. You get the Android security updates just like the Pixels do, and they're a more affordable line of Android phones.
Dave Bittner: [00:16:15] You know, I think this brings up another good point, which is, I think for a lot of people, there's this notion that these devices are expensive.
Joe Carrigan: [00:16:22] Right.
Dave Bittner: [00:16:23] My mobile device is working fine for me. It ain't broke.
Joe Carrigan: [00:16:27] Don't...
Dave Bittner: [00:16:27] Why fix it?
Joe Carrigan: [00:16:28] Yeah, why fix it? And that's also a good point. I empathize a lot with that point. And I paid a lot of money for my Google Pixel 3...
Dave Bittner: [00:16:33] Sure.
Joe Carrigan: [00:16:33] ...That I have sitting right here. And I'm not looking forward to replacing it. And I'm sure your - you feel the same way with your iPhones.
Dave Bittner: [00:16:40] Yeah.
Joe Carrigan: [00:16:40] But eventually, what they will stop - Apple and Google and everybody will stop supporting these older phones because they have become end-of-lifed. And we as consumers have to understand that when we're buying a phone, it is going to be end-of-lifed at some point in time.
Dave Bittner: [00:16:53] Right.
Joe Carrigan: [00:16:53] It is not going to last forever. And one of the main reasons it doesn't last forever and gets end-of-lifed is because of the security problems it has.
Dave Bittner: [00:17:00] Right. But I think also - and a nuance here is that it's not just that end-of-lifing. Perhaps you don't want to wait for the end of life.
Joe Carrigan: [00:17:09] Right.
Dave Bittner: [00:17:09] Perhaps as part of your investment in your own security, you should be on a cycle of X number of years because with that update to the device, the hardware and the software comes security updates.
Joe Carrigan: [00:17:22] Right. There have been massive improvements in the hardware level of security updates on these devices. They didn't use to have Secure Enclaves or Trusted Platform Modules or whatever hardware was in there. Now they do.
Dave Bittner: [00:17:34] Yeah.
Joe Carrigan: [00:17:34] And that is a huge step forward in security.
Dave Bittner: [00:17:36] Mmm hmm.
Joe Carrigan: [00:17:37] And I don't know what's coming in the future. But there may be something in the future in a couple of years that's even a bigger step forward in security that's hardware-based.
Dave Bittner: [00:17:44] Right.
Joe Carrigan: [00:17:45] And there's no amount of software updates that'll help you with that. We've also seen a lot of vulnerabilities happen in hardware recently, particularly with the Intel products. I can't remember what they were called because it's been over a year and I...
Dave Bittner: [00:17:56] You mean like Spectre and Meltdown?
Joe Carrigan: [00:17:58] Yes, exactly, Spectre and Meltdown. Thank you, Dave.
Dave Bittner: [00:18:00] (Laughter) Yeah.
Joe Carrigan: [00:18:01] That eventually, the next generation of processors that are going to come out are not going to have those vulnerabilities.
Dave Bittner: [00:18:05] Right.
Joe Carrigan: [00:18:06] But you can't go into your server farm and go, well, I just got to replace all these CPUs. That's not going to happen.
Dave Bittner: [00:18:11] Yeah.
Joe Carrigan: [00:18:12] So it's the same thing with your phone. There may be some kind of vulnerability that gets discovered in the CPU of the phone, and you can't just change that out. You have to get a new phone.
Dave Bittner: [00:18:21] Yeah. I just think it's a good idea that - to look at it as an investment in your security to be on some sort of a regular upgrade cycle. Yes, this is expensive. I guess it could be considered money well-spent.
Joe Carrigan: [00:18:34] Aaron Turner makes a good point in this - talking in this article that we're looking at from Tom's Guide. He says, really, the better solution is to go with a hardware token like a Yubikey or the Google Titan product. I've actually made that move, and I'm actually starting to use that more often. There is one thing you have to do, though. You have to buy two of these devices.
Dave Bittner: [00:18:53] (Laughter).
Joe Carrigan: [00:18:55] And you have to buy two of them and keep one of them at home and safe because if the main one you use breaks, you're going to need a backup.
Dave Bittner: [00:19:01] Yeah.
Joe Carrigan: [00:19:02] ...'Cause if you don't have it, you could be locked out of everything. Then you have to go through the hassle of calling all these different providers and trying to get your account reset. And good luck if you don't pay for Gmail, getting Google to respond to your request.
Dave Bittner: [00:19:14] Yeah, yeah.
Joe Carrigan: [00:19:15] It might just be a new email address for you, right?
Dave Bittner: [00:19:17] Let me also tell you, just from personal experience, if you're someone who travels, and when you travel, you like to leave your keys at home because you don't want to risk losing your keys while...
Joe Carrigan: [00:19:26] Right.
Dave Bittner: [00:19:26] ...You're on the road...
Joe Carrigan: [00:19:27] Yep.
Dave Bittner: [00:19:27] Well, if your keys happen to include that hardware key on it, you may find yourself away from home without your hardware key. And that might not work out well for you.
Joe Carrigan: [00:19:36] Right.
Dave Bittner: [00:19:36] So (laughter)...
Joe Carrigan: [00:19:36] That means you're going to have a hard time getting...
Dave Bittner: [00:19:37] (Laughter).
Joe Carrigan: [00:19:38] You know, I keep my Yubikey attached to my backpack because usually, when I travel, I have my backpack with me. In fact, always when I travel, I have my backpack with me.
Dave Bittner: [00:19:45] Right.
Joe Carrigan: [00:19:45] It has a lot of things in it that I need to live.
Dave Bittner: [00:19:47] (Laughter).
Joe Carrigan: [00:19:48] So I just keep it there. I don't keep it with my keys.
Dave Bittner: [00:19:52] Yeah, yeah. All right, well, good advice - interesting article here. It's from Tom's Guide. It's "Don't Run Your 2FA Authenticator App on These Smartphones." Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:20:01] My pleasure, Dave.
Dave Bittner: [00:20:07] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:20:25] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:38] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Take care of yourself. Take care of each other. Stay safe. Thanks for listening. We'll see you back here tomorrow.