CISA on running critical sectors during an emergency. Disinformation, phishbait, and rumor. What’s Fancy Bear up to these days? Distinguishing altruism from self-interest.
Dave Bittner: [00:00:03] CISA describes what counts as critical infrastructure during a pandemic and offers some advice on how to organize work during the emergency. Iran runs a disinformation campaign - apparently mostly for the benefit of a domestic audience - alleging that COVID-19 is a U.S. bio war operation. Intelligence services, criminals, vandals and gossips all flack coronavirus hooey in cyberspace. Fancy Bear is back. And what would provoke good behavior among thieves? I'll give you a little hint - it is not altruism.
Dave Bittner: [00:00:42] It's time to take a moment to tell you about our sponsor, Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insights into emerging threats. We read their dailies at the CyberWire, and you can, too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, much more. Subscribe today and stay ahead of the cyberattacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Subscribe today and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And it's on the money. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:44] Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your team's. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:07] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 20, 2020.
Dave Bittner: [00:02:15] The COVID-19 virus, of course, continues to affect most aspects of life in most parts of the world. And that includes, of course, those parts of life that touch cyberspace. There's been a great deal of discussion of how the public and private sectors will need to organize their work during the pandemic. As the Voice of America and others point out, the risk of cyberattack rises with the incidence of telework, and so security considerations assume a correspondingly greater importance.
Dave Bittner: [00:02:43] But what about telework? Not everybody's work can be done remotely. And as the White House put it Monday, quote, "if you work in a critical infrastructure industry as defined by the Department of Homeland Security, such as health care services and pharmaceutical and food supply, you have a special responsibility to maintain your normal work schedule," end quote.
Dave Bittner: [00:03:04] With that in mind, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, has issued guidance for how organizations should consider organizing their work and employees during the present COVID-19 emergency. CISA stresses that the recommendations are advisory in nature, but they do suggest how organizations might decide who needs to report physically to the job and who might work remotely. They also suggest ways of arranging workplaces and work schedules to reduce the likelihood of spreading the disease. A number of the jobs the recommendations discuss are directly concerned with cybersecurity.
Dave Bittner: [00:03:44] The sectors CISA discusses include health care and public health, law enforcement, public safety and first response, food and agriculture, energy - and that includes not only electrical power, but oil, gas and renewables - water and wastewater, transportation and logistics, public works, communications and information technology, other community-based government operations and essential functions. One example CISA discusses is hospitality. If local governments and organizations are given access to hotels for quarantine or emergency housing, then these assume a criticality they wouldn't normally have. Critical manufacturing - that is, manufacturing that supports the other critical sectors - hazardous materials, financial services, the chemical industry and, finally, the defense industrial base.
Dave Bittner: [00:04:32] CISA encourages some specific measures, including letting people work remotely wherever possible. But the document is careful to emphasize that there's an important element of decentralization in any effective response. As CISA puts it, quote, "response efforts to the COVID-19 pandemic are locally executed, state managed and federally supported," end quote.
Dave Bittner: [00:04:55] Iran appears to have suffered particularly badly from COVID-19, with an acknowledged 17,361 cases, 1,135 of which have proven fatal, Foreign Policy reports. The Islamic Revolutionary Guard Corps has mounted a domestic influence campaign to place responsibility for the pandemic on its two usual suspects, the U.S. and Israel - the Great Satan and the Lesser Satan. The virus originated, the disinformation says, as a U.S. bio war program that Zionists have moved to the U.S. to use in a campaign of biological terror against Iran.
Dave Bittner: [00:05:33] The U.S. this week unambiguously told Iran that it had no intention of relaxing sanctions imposed on the regime for what the U.S. has long characterized as Tehran's support of terror. Iran called the decision cruel, coming as it did during a pandemic. The Wall Street Journal's report notes that yesterday the U.S. Treasury Department added five companies to the list of those sanctioned - in this case, Emirati-based firms accused of serving as conduits for Iranian oil exports.
Dave Bittner: [00:06:03] Some of the fictions circulating about the pandemic are disinformation, others promote fraud, while still others are popular bits of misinformation. Tenable has a rundown of fake cures, phony government statements and simple panicky mistakes often amplified by fearful conspiracy theories. Cash App scammers have been busy on the legitimate peer-to-peer payment app. They make their approach with tweets, and they found some marks willing to fall for their COVID-19 fraud. Others are making bogus offers of COVID-19 test kits. This particular scam seems to be particularly common around Toronto.
Dave Bittner: [00:06:39] Some are opportunistic variations on familiar scams, like the one claiming to be from a grandchild or other relative instead of the customary car accident or drunk driving arrest. The hoods are now telling people that a close relative has tested positive for COVID-19, and that the usual financial help is required.
Dave Bittner: [00:06:59] And some of the misinformation is either deliberate disinformation, either state spread or the work of chaos artists, or it's just the work of what the Middle Ages would have called rattles - gossips who must, for reasons deep in their personal nature, keep up a steady flow of information, true, false or unknown. These have recently been text messages from people who say they've heard from a friend who knows a guy who said the lady heard from someone really high up in the government that a national quarantine was about to be declared - or something like that. In any case, the Martians have landed, and the man is about to get you. If the text message or tweet is saved and circulated as an image, the better to evade text-based filters, well, you may be seeing something that's hostile government work.
Dave Bittner: [00:07:45] But don't underestimate the ability of your friends, connections, co-workers and that guy down the street who seems nice enough and kind of keeps to himself to come up with stuff like this. As is so often the case, we have met the enemy, and he is us.
Dave Bittner: [00:08:01] Some of the misinformation, of course, is the work of organized crime. IBM has found one set of hoaxed communiques that pretend to be from the World Health Organization. They're vectors for HawkEye malware.
Dave Bittner: [00:08:14] With all the pandemic-themed badness in circulation, it's almost with relief that one turns to a familiar cyber espionage campaign. Remember Fancy Bear? Sure you do. That's the Russian GRU, you the noisy sister of the more discreet Cozy Bear.
Dave Bittner: [00:08:29] Trend Micro reports that APT28 - that is, Fancy Bear - is using previously compromised corporate email accounts to spear fish for credentials in the defense sector. Over the past year, most of the targets have been in the Middle East, with the United Arab Emirates being a particular target. In addition to spamming and phishing, Fancy Bear is also scanning servers looking for vulnerable instances of Microsoft SQL Server and Directory Services.
Dave Bittner: [00:08:57] And, finally, what is one to make of the cyber gangs who've said that they won't target hospitals or other health care providers during the pandemic? If you believe them, the crooks who run the DoppelPaymer and Maze ransomware operations, that's what they've said they'll do. We don't entirely believe them, although BleepingComputer, which is in email contact with the ransomware impresarios, is does share convincing-sounding vowels. But if we do see a wave of relatively good behavior, we think Forbes probably has the best explanation. It's not out of honor or sympathy, but rather out of self-preservation. The hoods think that, during the pandemic, the cops will come down on them like the proverbial ton of bricks if ransomware gets into hospital systems.
Dave Bittner: [00:09:47] And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's micro-segmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [00:11:00] My guest today is Thomas Quinn. He's chief information security officer at T. Rowe Price, a global investment management firm headquartered in Baltimore. His career includes service as an officer in the United States Navy, as well as stops at Prudential, Goldman Sachs and JPMorgan Chase. Tom Quinn joined us in our studios.
Thomas Quinn: [00:11:20] I think financial services, you know, is just a terrific industry to be in. It really, to me, the purpose of those firms are to enable people's dreams. So without money, without financing, without the capital markets, sometimes that becomes problematic to enable people to achieve them. Where I am now in a retirement-focused company, it's other kinds of dreams. It's what you do when you finish those great ideas and those great - those companies.
Dave Bittner: [00:11:50] How much collaboration goes on between you and your colleagues who are in other financial services organizations? Is there a lot of information being shared?
Thomas Quinn: [00:12:01] There's quite a bit of information being shared, and thankfully it is. Bad actors share regularly and robustly. And for defenders - and I'll talk about financial services in particular - it's a daily sharing of information. And I think thankfully there are organized sharing mechanisms in place it makes it easier to do so. People are used to sharing in those organizations. But bilateral and other kind of sharing is important to me because I do find that - like, I think the phrase is politics is - all politics is local.
Dave Bittner: [00:12:41] Right.
Thomas Quinn: [00:12:42] It's helpful to know your colleagues in and around the area that you're in. I regularly meet with my peers in the Baltimore region. There's a variety of large firms, not all financial services, and they all have similar problems. And I think being able to know who those people are building that trust, building the bridge allows for robust communication as well.
Thomas Quinn: [00:13:07] Does that even extend down to, for example, community banks who could benefit from the knowledge and resources of a larger institution like your own?
Thomas Quinn: [00:13:17] There are. One of the organizations that does quite a bit of this organized sharing is the Financial Services Information Sharing and Analysis Center, FS-ISAC.
Dave Bittner: [00:13:28] Yeah.
Thomas Quinn: [00:13:29] And there are a variety of subgroups in there - and to help sharing because each group is a little bit different. But I will share with you one example of some of that sharing, and at a local level, that I think is important. So the legal profession has a concept of pro bono. So they're - part of being a lawyer is being able to give yourself to the community to help people for free.
Dave Bittner: [00:13:56] Right.
Thomas Quinn: [00:13:57] So I've embarked upon a similar kind of process for pro bono cyber support. So I call it CISO for a day. And this is through my firm. So most large firms, most firms allow for volunteering. And there's a set of protections - right? - that firms also have through this volunteering effort. And I was able to volunteer at a nonprofit in Baltimore City to help them with their cybersecurity. So - and it was instructive. You know, again, technology is opaque. Cybersecurity looks like magic. And for this very small firm, about 10 people, they just were trying to help other people. And it seemed challenging, at the very least, to figure out what to do to protect themselves.
Thomas Quinn: [00:14:50] But I sat down with them for a few hours for a few months, and at the end of it, they felt comfortable that they could ask the right questions. And there was some specific guidance I provided, but it really was an opportunity for them to comfortably share with somebody that didn't have an agenda, wasn't looking to sell anything to them and was really there to provide help for them. And it was a great experience, and certainly have encouraged some of my peers to do similar kinds of things because everyone can use a little bit of help.
Dave Bittner: [00:15:25] Yeah. Are there any specific insights that you think you have that you'd want to share with folks who are in other parts of the cybersecurity world, anything from the view that you have from the financial side of things, the tools you have available to you, those resources? Are there any specific areas that you think aren't getting the attention they deserve?
Thomas Quinn: [00:15:47] So that really is a great question. We continue to see that third-party risk is a concern. There's a real threat. One of the things I find is the more outsourcing that one does to achieve the goals that you need - and I think many of us do out of necessity, you can't be perfect at everything - doing proper due diligence is important. And I think understanding what those risks are and having a strategy to mitigate any risk that you may have with a third party, I really think it's key. It's much more than just having a contract in place. It's much more than just saving money. And we see regularly where some firms that are doing these outsource practices are being targeted, whether it's for malware and ransomware or for infiltration. And I think for certainly my peers, just another reminder that, you know, something that appears to be trusted and maybe even innocuous may actually be an entry point to attacking your firm.
Dave Bittner: [00:16:51] In the time that you have been serving as a CISO, how have you seen that role change? I've heard many people say that there's been an elevation of that role, and the things that are required of people in that role have evolved over the years.
Thomas Quinn: [00:17:07] It has. Gary McGraw, another security luminary, has a great paper on the four tribes of the CISO, I think. It's well worth reading. I think early day heads of security were really focused on running security products like intrusion detection systems and firewalls. And it really was a technology-oriented role. That started to expand when the internet started connecting more and more things together. You started seeing the CISO go up the stack.
Dave Bittner: [00:17:46] Right.
Thomas Quinn: [00:17:47] You'll find that there are CISOs that are much more focused on risk and compliance. That skill set is critically important as well, but it's only part of it. And I think you'll find CISOs that are focused on program project management, another critical skill and capability. But you'll see a whole tribe of folks that do that. And I think as you build a team, you need to consider what you do well and then how you surround yourself with talent to fill in some of the things that you do less well.
Dave Bittner: [00:18:21] That's Thomas Quinn. He's chief information security officer at T. Rowe Price.
Dave Bittner: [00:18:26] Coming up on Tuesday, March 31, Rick Howard, the CyberWire's chief analyst, and I will be hosting our first quarterly Cybersecurity Analyst Call for members of CyberWire Pro Plus. Each quarter we'll be joined by a rotating group of experts to engage in an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you're responsible for and the daily lives of people all over the world. Those who tune in to the livestream will be able to ask questions and participate in the conversation. To learn more, you can visit thecyberwire.com/analystcall. That's thecyberwire.com/analystcall. We hope to see you there.
Dave Bittner: [00:19:14] And joining me once again is Malek Ben Salem. She's the Americas cybersecurity R&D lead for Accenture. Malek, it's great to have you back. We wanted to talk today about mobile tracking and privacy and some things that have been on your mind when it comes to that. What can you share with us today?
Malek Ben Salem: [00:19:30] Yeah. So, Dave, when you download an app, the permission requests and privacy policy are usually the only warnings you get about the data that it's collecting. Usually, you just have to take the app's word that it's grabbing only the data you've agreed to give it. Well, it turns out that some security researchers have taken a deeper look at those apps. And they've identified more than 1,000 apps that have been found to take data even after you've denied them permissions. It's interesting that some of the more widespread apps and more well-known ones like AccuWeather are collecting data that is more than what you've agreed to and is more than just your location.
Dave Bittner: [00:20:17] How does this work? Is this a matter of, I don't know, the feature creep equivalent of data collection?
Malek Ben Salem: [00:20:25] Exactly. Yeah. The privacy policy does not necessarily reflect the actions taken by that app. All we have as users is trusting that security - that privacy policy. But if it's not doing what it's telling us it's doing, then we don't have control over it. Even, you know, simple apps like those apps trying to block spam calls have been found to share phone data with analytics firms. So the question is, what can we do as users? Obviously, the best thing is not to download those apps in the first place. But once we download them, we don't have much we can do. Well, obviously, we can download some tools to look at the traffic that those apps are - or the data that those apps are sharing. But that's not at - you know, that's not something that every person can do. So there are tools like Charles Proxy that are available to download and intercept the network traffic from your device. But learning how to use them is more complex.
Dave Bittner: [00:21:35] Sure. And that's not - probably not something the average user is going to be able to do. And I've noticed that, you know, some folks like Apple, for example, have tried to be a little proactive about this, letting their users know when an app is requesting their location data, for example.
Malek Ben Salem: [00:21:52] Correct. Yeah. So with location data, it's easier. But the thing is, even if you're location data is not shared, what has been found is that just by the analytics firms who are collecting this data from the various apps can reconstruct your behavior just by getting snippets from each app. So you may share your location data just with one app, and you share some other type of data with another app, and yet another type of data with another app. The analytics firm can take all of those bits and pieces of your data and reconstruct your entire behavior. So the concern is not just the app that you're sharing the data with - right? - but it's all of these research analytics firms that are trying to understand how you behave and reconstruct your behavior.
Dave Bittner: [00:22:45] So what's a person to do here, any suggestions?
Malek Ben Salem: [00:22:49] Well, I think we definitely need some watchdog groups to monitor what these apps are actually doing. There is a startup called AppCensus that's trying to analyze all of these apps and perhaps create another app that watches what's happening or what's being shared on your mobile device. I don't think that app is available now but, you know, that's something to be on the lookout for if you want to understand more what's being shared. Or for the more, you know, networking savvy people, I've mentioned this Charles Proxy tool that can be used to intercept network traffic and to analyze it and to understand better what's happening under the hood.
Dave Bittner: [00:23:34] Yeah. All right. Well, it's good information. Malek Ben Salem, thanks for joining us.
Malek Ben Salem: [00:23:38] Thank you, Dave.
Dave Bittner: [00:23:44] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:24:02] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:14] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Dave Bittner: [00:24:22] Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Take care of yourself. Take care of each other. Stay safe. Thanks for listening. We'll see you back here next week.