The CyberWire Daily Podcast 3.31.20
Ep 1056 | 3.31.20

Supply chain attack warning. CFAA clarified. COVID-19 and its economic squalls.

Transcript

Dave Bittner: [00:00:02] The FBI warns of another supply chain attack, this one distributing the Kwampirs RAT. More exposed databases have been found. The U.S. Computer Fraud and Abuse Act gets some clarification from a federal court. Security and networking companies are weathering the COVID-19 economic storm but not without squalls, some legal, some cyber and others just reputational. 

Dave Bittner: [00:00:32]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Transitioning to remote work can be complicated. LastPass Identity is here to make the transition easier without decreasing security. Through integrated single sign-on, password management and multifactor authentication, LastPass Identity enables remote teams to increase security. With an uptick in phishing attacks, LastPass reduces the risk of phishing schemes by never auto-filling passwords on suspicious websites and adds MFA across apps, workstations and VPNs. It helps manage user access. Regardless of where or how employees need access, LastPass ensures employees have secure access to work applications through SSO and password manager. It enables secure sharing. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it allows you to maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're coming from. With LastPass Identity, the transition to remote work can be a simple and secure one. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:02:11]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud; to protect the latest, like containers; to empower your change-makers, like developers; and to enable business accelerators, like your teams. Cloud security that accelerates business, it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:34]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 31, 2020. 

Dave Bittner: [00:02:43]  The U.S. FBI warned yesterday that the advanced persistent threat group behind the Kwampirs malware has been using the remote access trojan to establish itself in a wide range of enterprises. The bureau says the health care sector is particularly at risk. Kwampirs gains access to its targets via their supply chains. While it appears to be an information collector and not functioning as a wiper, the FBI notes that several code-based similarities exist with the data destruction malware Disttrack, commonly known as Shamoon. ZDNet observes that this is the third supply chain warning the FBI has issued in as many months. The supply chains affected include hardware supply chains. 

Dave Bittner: [00:03:26]  Two more exposed databases have been found as people continue to be careless in the cloud where too many stumble around in a fog. The Australian Broadcasting Corporation reports that a data leak from the country's federal courts exposed the names and related information of at least 400 refugees seeking protective asylum. Comparitech reports finding a database that contains usernames and phone numbers for a third-party unofficial fork of the Telegram messaging app. The users whose data were exposed are in Iran where Telegram is banned. 

Dave Bittner: [00:04:01]  The U.S. District Court for the District of Columbia has ruled in a test case that violating a site's terms of service does not in itself constitute a crime under the Computer Fraud and Abuse Act. The test case was brought by researchers who wanted to use fictitious personas to sign up for some online services as they studied various aspects of the sites' behavior. There was no question of fraud, but using a fictitious persona violated most of the sites' terms of service. And so the researchers prudently sought clarity about the famously inclusive CFAA before proceeding. 

Dave Bittner: [00:04:37]  There are too many reports of COVID-19-themed cyberthreats to summarize quickly. As Proofpoint and others have been pointing out, the topic dominates the phishbait, clickbait and other bait currently chumming the online waters. You can check out the CyberWire's daily briefing for a curated set of links to all of the glum news. 

Dave Bittner: [00:04:58]  Success draws attention for better and for worse. While Zoom has certainly drawn investors' eyes in a good way, it's also attracted the ministrations of white hat researchers, cybercriminals, the plaintiffs' bar and state attorneys general. The platform's encryption isn't really end-to-end, the Intercept reports. Instead, it uses familiar transport encryption, which gives Zoom itself the potential to access its users' traffic. Check Point describes the ways in which criminals have registered domains that include the name Zoom. These domains are, of course, up to no good at all. 

Dave Bittner: [00:05:33]  Zoom was also discovered to have been sharing analytic data with Facebook, a practice Zoom halted after it came to public attention but not in time to forestall a class-action suit under California's Unfair Competition Law, Consumers Legal Remedies Act and Consumer Privacy Act. And The New York Times reports that all of this news has prompted the New York state's attorney general to ask Zoom for an explanation of its privacy and security policies. 

Dave Bittner: [00:06:01]  Many organizations rely on continuous monitoring to make sure that their SaaS solutions aren't inadvertently leaking data as a sort of backup against the risks that can come with increased complexity. Brendan O'Connor is CEO at AppOmni, and he shared his thoughts with me at this year's RSA Conference. 

Brendan O’Connor: [00:06:21]  So I think that SaaS providers do, for the most part, an excellent job of their portion in the shared responsibility model. They patch quickly. They patch holistically. They harden their infrastructure. They guard their perimeter. But buying a safe car doesn't make you a good driver. Ultimately, you're responsible for configuring and running that application. And these applications are so powerful, they can run and adapt to almost any conceivable business process. The cloud provider doesn't always know where you're trying to go with the application. So it's possible that people do things, like share data with the public internet or expose or overprivilege APIs that were meant to be internal. And for the most part, you know, speaking about the language barrier, you have the line of business or IT business specialists that are running these systems. 

Dave Bittner: [00:07:06]  So does it ultimately come down to most of these issues being with the users themselves of improperly configuring things or losing track of what's what? 

Brendan O’Connor: [00:07:18]  Absolutely - or sometimes just not understanding the security ramifications of some of their choices because they're business experts or they're users just trying to get their job done. And they have good intentions. But security has no idea what they're doing. What we usually see is we'll do a risk assessment and analyze the current running state of a SaaS environment and just show security how things are currently configured. One of the things that we tend to find is the amount of third-party applications that users have connected directly into the cloud. Most enterprises have something like a vendor security review program, a sanction process for who is the vendor, do we trust them, do they have the right security controls? 

Brendan O’Connor: [00:07:55]  Well, in SaaS, they may know about five or 10 different vendors that are connected to their SaaS applications. We'll come in and do an assessment and show them 40, 60, 100 that they didn't even know about that have direct cloud-to-cloud access into their data. And, again, it's not a malicious insider. It's someone who's just trying to get their job done, and they installed something on their iPhone and authorized it via I/O (ph) or they connected something through their browser and now it has direct access to their SaaS systems. 

Dave Bittner: [00:08:22]  And then what happens next? When you establish what your baseline is, what's the next step? How do you correct for those things without disabling all of those things that people put in place for legitimate business purposes? 

Brendan O’Connor: [00:08:39]  That's the hard part. And at AppOmni, what we're really solving is that specific problem. How do you put guardrails around your users? You don't necessarily know where they need to go. You need the business to be able to move fast and in the direction that it needs to move. You can't stop the business. But you don't want them to drive their car off a cliff either. And so when we think about guardrails, what we're able to do is assert a minimum level of access to make sure that certain critical business functionality is not impacted and also a maximum boundary on what kind of security controls need to always be in place or what kind of data access should never be possible. 

Brendan O’Connor: [00:09:14]  Most of our customers get started with a global external policy that says the public internet shall not have access to any internal data. I may have some, you know, role-based access control I need to deal with my contractors and my outsourcers or third parties. But let's just start with people completely outside my environment and making sure that they don't have access. 

Dave Bittner: [00:09:34]  Where do you think we're headed when it comes to cloud security? As we - as it continues to mature and you look down the road, where do you think these things have to land? 

Brendan O’Connor: [00:09:46]  I think a lot of the problems that we're facing today in cloud are the same problems we were facing yesterday and on premise. I like to sum it up as, can you be excellent at the ordinary? There's a lot of security basics that you need to do. You're not immune from a breach or a compromise. There's always the human element, and good people make mistakes and they click on phishing and download malware. But if you are doing the ordinary things really well everywhere, I think that you're in a highly defensible position. 

Dave Bittner: [00:10:14]  That's Brendan O'Connor from AppOmni. 

Dave Bittner: [00:10:17]  It's not just Zoom that's getting attention either. Houseparty is another service whose popularity has risen sharply. Houseparty is a more virtual hangout than it is a teleconferencing tool like Zoom. But its usage has similarly surged because there's more to life than work. You show up, you see who else is there, and you chat among yourselves, thereby overcoming self-isolation. Anyway, panicky users have been telling each other that Houseparty is unsafe. A representative post on social media - and that's where this particular threat report is being sourced - reads like this, courtesy of the moderately skeptical Express (reading) delete Houseparty. They are hacking into Spotify, Snapchats and even online banking. Delete your account before deleting the app. 

Dave Bittner: [00:11:03]  Here's another one, more lurid, recounted by the utterly skeptical ZDNet, quote, "I'd urge everyone to delete Houseparty. My car was stolen this afternoon, and I was then robbed at gunpoint by a man in a balaclava. I have absolutely no doubt that Houseparty is responsible for this. Delete it now." Perhaps we digress. What we mean is while the influencers have been barking this stuff at the internet and while much of it's been picked up by Fleet Street - the skedaddle seems particularly strong in the U.K. - it's not clear just who or what spooked the herd. 

Dave Bittner: [00:11:40]  So madness of crowds or a commercial conspiracy to do reputational damage or both? Houseparty's leaning toward both. The company tweeted (reading) we are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1 million bounty for the first individual to provide proof of such a campaign to bounty@houseparty.com. As Naked Security points out, the only thing the claims of hacking lack is evidence. Houseparty itself immediately and consistently denied that anything was going on. Quote, "all Houseparty accounts are safe. The service is secure, has never been compromised and doesn't collect passwords for other sites" - end quote. Admittedly, they don't address Grand Theft Auto or armed robberies by button men in balaclavas. But in fairness, there's only so much you can squeeze into 280 characters. 

Dave Bittner: [00:12:42]  And now a word from our sponsor, Mazars Cybersecurity. Currently, the largest fine under the GDPR is over 200 million euros. With other similar laws like the California Consumer Privacy Act coming online, it's critical to review your company's readiness for and compliance with privacy regulations. The legal experts and cybersecurity professionals at Mazars Cybersecurity can review your systems and processes, ensuring that you are in compliance with privacy regulations, reducing your risk moving forward. Their world-class team in over 90 countries has experience with the full range of regulatory regimes globally and insight into local requirements at the state level. They can even act as your data protection officer. They understand that today's business world is international, online and interconnected. A law a world away can substantially impact your organization. Can you afford to be out of compliance? See how Mazars helps at www.mazarsusa.com/cybersecurity. Again, that's www.mazarsusa.com/cybersecurity. And we thank Mazars Cybersecurity for sponsoring our show. 

Dave Bittner: [00:14:06]  And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: [00:14:15]  Hi, Dave. 

Dave Bittner: [00:14:16]  So every now and then, an article comes by. And I read it. And I just can't get it out of my head. And this is one of them. This is from WIRED magazine, written by Gilad Edelman. And it's titled, "Why Don't We Just Ban Targeted Advertising?" And I think what he's getting at here is sort of this thought exercise of, why don't we just get rid of the original sin of the internet, as it were, which is let's just get rid of the targeted advertising? That would fix all sorts of ills that ail us. Unpack this for me here, Ben. What's going on? 

Ben Yelin: [00:14:48]  It's really a fascinating article because it's an idea that's so far-fetched given that - I think the article mentions Google makes something like 90% of its revenue from targeted advertising. To me, it's so far out of the realm of possibility of actually happening that it makes it more interesting to read about. Basically, the argument is that targeted advertising is everything that's wrong about the internet. It's the reason why websites collect information about us when we visit them, which is bad. It's the reason that we have these algorithms on sites like YouTube and Facebook, which direct us to content that's harmful in a political sense, in a social sense. And, you know, it really should persuade us to take a radical step in banning this type of targeted advertising. 

Ben Yelin: [00:15:40]  One thing I like about the article is it does grapple with what the alternative would be. It would be the type of advertising that existed in the pre-internet age, where all of us would drive by the same billboards. You know, I have very little use for a Chanel billboard, but I drive by it. That makes the advertising less effective because from Chanel's perspective, you know, you're getting a pair of eyes that's not actually going to net you any new sales. So the advertising wouldn't be very efficient. And that means that the companies would have to make up the revenue somehow. 

Ben Yelin: [00:16:13]  How would they do that? I mean, there's really a couple of options. They don't want to charge users a fee to use their services because they'd lose too many users. I mean, if Facebook started charging us 10 bucks a month to use Facebook, I know that I would immediately quit Facebook. And I assume that's true for a lot of people, a lot of my contemporaries. The other option is charging for some sort of premium service. So, you know, maybe you can get a basic Facebook, but if you want certain features, access to certain applications, et cetera, you buy the premium version. And that's a way that Facebook could make up the revenue if it didn't have targeted advertising. 

Dave Bittner: [00:16:49]  Right. 

Ben Yelin: [00:16:50]  So, you know, that's sort of the choice we'd have to make as consumers. Targeted advertising - as this article, I think, makes very clear - has its detrimental impacts. But the alternative is we'd - you know, they'd have to make up the costs somehow. And those costs would be passed on to us. One thing that's interesting is they do have - it's preliminary data. But it's interesting data that I think was done in Europe, that when they gave the people the option of opting out of targeted advertising, I think something like 90% of the consumers did decide to opt out. 

Ben Yelin: [00:17:23]  And, you know, whether they were fully aware of what the alternatives were and whether that's something that would be scalable, you know, I think that that question's unknowable. But, you know, I think that certainly it's - the article is certainly eye-opening. And it's one of those possibilities that's fun to ponder, even though we don't think it's going to happen. 

Dave Bittner: [00:17:45]  Here's what I can't help wondering, though. You know, back in the old days, when dinosaurs still walked the earth before the internet, the wheels of commerce still spun. And if I was an advertiser, you know, maybe I would want to put one of my products, you know, on a soap opera that ran during the day. And maybe I would want to put ads for a different product on "Gunsmoke" that ran at night because I would know that those different TV shows attracted different types of audiences. I might not know down to the individual level, you know, the age, the sex, the sexual preference and all those... 

Ben Yelin: [00:18:23]  Right, but you know you'd be getting a better cross section. 

Dave Bittner: [00:18:25]  Right, exactly. So what's so bad about that? (Laughter) Right? Like, why - I mean, to me, it seems like if I'm writing a website that is focused on people who like to knit, you know, well, that's a great place for someone to advertise their knitting needles or things like that. So it strikes me that those opportunities would still be there. It's just this obsessive level that we've become accustomed to. If we lose that... 

Ben Yelin: [00:18:51]  Or it's uber microtargeting. 

Dave Bittner: [00:18:53]  Right. Right. 

Ben Yelin: [00:18:54]  I actually do like the theoretical world where, you know, OK, I'm interested in sports. But what if, you know, there's an advertisement for an art gallery on my ESPN homepage? That's actually - you know, maybe that would make the world a better place because we could expand our horizons, pursue different interests, different products that we otherwise wouldn't be familiar with. But, you know, it would be taking away those types of advertising mechanisms for the companies but also the convenience of the users of kind of only seeing what the algorithms think that we need. 

Dave Bittner: [00:19:30]  Yeah. All right. Well, certainly, if nothing else, an interesting thought exercise. Like I said, I've been thinking about it a lot. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:38]  Yeah, absolutely. Highly recommend the article as well. 

Dave Bittner: [00:19:46]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:05]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:16]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:20:25]  Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.