The CyberWire Daily Podcast 4.3.20
Ep 1059 | 4.3.20

Cybersecurity notes during the pandemic emergency. Twitter bots. Ransomware attack on a biotech firm. WHO updates. And how are the cyber gangs doing these days?

Transcript

Dave Bittner: [00:00:02] Geolocation in support of social distancing. Fixing vulnerabilities in a popular teleconferencing service. Twitter bots running an influence campaign against the Turkish government are taken down. A biotech firm reports a ransomware attack. More on attempts to compromise the World Health Organization, and a look at how cybercriminals are faring during the emergency. 

Dave Bittner: [00:00:31]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Transitioning to remote work can be complicated. LastPass Identity is here to make the transition easier without decreasing security. Through integrated single sign-on, password management and multifactor authentication, LastPass Identity enables remote teams to increase security. With an uptick in phishing attacks, LastPass reduces the risk of phishing schemes by never auto-filling passwords on suspicious websites and adds MFA across apps, workstations and VPNs. It helps manage user access. Regardless of where or how employees need access, LastPass ensures employees have secure access to work applications through SSO and password manager. It enables secure sharing. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it allows you to maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources, no matter where they're coming from. With LastPass Identity, the transition to remote work can be a simple and secure one. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:02:07]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:33]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 3, 2020. 

Dave Bittner: [00:02:42]  More companies and governments move to share geolocation information during the pandemic emergency. In support of enforced social isolation, Google yesterday decided to make location data in the form of mobility reports available to governments, The Wall Street Journal reports. According to France 24, the data is being collected from 131 countries. 

Dave Bittner: [00:03:06]  The University of Toronto's Citizen Lab has taken a look at Zoom's less-than-end-to-end encryption, which Citizen Lab characterizes as roll your own. There's a strong suggestion in the report that some questionable security decisions were driven by a decision to put speed and ease-of-use first, with everything else following when and where it could. 

Dave Bittner: [00:03:27]  The lab also points to Zoom's apparent ownership of three companies in China that have a total workforce of 700. They write software for Zoom in a typical labor arbitrage arrangement, but Citizen Lab worries that the Chinese connection could expose Zoom to pressure from Beijing. The Canadian university lab asks, a U.S. company with a Chinese heart? 

Dave Bittner: [00:03:49]  The teleconferencing service is patching vulnerabilities disclosed to it as the company's services see an enormous spike in demand during the COVID-19 emergency's period of enforced social isolation and remote work. The Washington Post says that Zoom's quick response has generally been well-received, even by such normally skeptical critics as the Electronic Frontier Foundation. Errata Security offers some perspective on the bugs, advising users to take sensible security steps and not exaggerate the risk. 

Dave Bittner: [00:04:20]  The Atlantic Council's Digital Forensic Research Lab reports some 9,000 inauthentic Twitter bots promoting a Saudi and Emirati line against Turkey's activities in Libya. The bots, which Twitter has taken down, also sought to politicize the COVID-19 pandemic. It's not that they're interested, really, in COVID-19. Rather, it's that coronavirus hashtags draw attention. 

Dave Bittner: [00:04:44]  How do you recognize bot activity on Twitter? The Digital Forensic Research Lab points out a few indicators. For one thing, the so-called egg avatar, the grey circle enclosing a dark gray oval that stands in for a face, often says bot, especially when the botmasters lack the time, resources or attention to detail that would be required to put up a stock photo of the account's sock puppet. And repetition of content verbatim is also another tipoff. In this case, the botmasters did somewhat better - quote, "the accounts were posting similar content rather than verbatim or copy-pasted content. The messages had the same political resonance, though," end quote. 

Dave Bittner: [00:05:23]  10x Genomics, a California biotech firm working on COVID-19 treatments, disclosed in a Form 8-K filed Wednesday with the U.S. Securities and Exchange Commission that it had sustained a ransomware attack. The company says it has restored both access to its data and normal operations, but the attack also involved theft of some unspecified company information. 

Dave Bittner: [00:05:46]  The World Health Organization has said little more about the attempts to compromise staffers' personal email accounts, but it has said it believed the attempts were unsuccessful. Reuters quoted sources who suggested the campaign was run on behalf of Iran - quote, "we've seen some targeting by what looks like Iranian government-backed attackers targeting international health organizations, generally via phishing." This was from a source identified as someone at a large technology company that monitors internet traffic for malicious cyberactivity. 

Dave Bittner: [00:06:18]  Reuters also consulted security firm Prevailion, which made no attribution but which did say they'd captured evidence of compromise suggesting the activity of what they characterize as a sophisticated hacking group. Computing reports the attacks, which appear to have begun in the first week of March, are continuing. 

Dave Bittner: [00:06:37]  In what may be a distinct campaign, the World Health Organization has also been said to be the target of DarkHotel, a threat actor generally believed to operate from East Asia. DarkHotel is also said to be at work against targets in Japan and China, with attacks that CyberSecurity Help and others say exploit Firefox and Internet Explorer vulnerabilities. 

Dave Bittner: [00:07:00]  So how are the criminals doing under the current conditions of pandemic and emergency response? Digital Shadows has been looking over the shoulder of the hoods who chat amongst themselves in their dark web markets, and they've summarized the mood of the underworld, at least in its Russian- and English-speaking precincts, as revealed by the chatter. Some of the conclusions are entirely foreseeable. As the emergency cuts brick-and-mortar commerce way back, people are doing much more shopping online, and the criminals see opportunity for carding and other forms of online retail fraud. They're also shifting their direct fraud to follow the market. A number of them see opportunity in demand for face masks, vaccines and other items people want but can't get. Sometimes it's because the stuff isn't available, like face masks in some places or toilet paper in others, sometimes, as in the case of the vaccines, because such things don't exist. And, of course, some of the fraud is familiar snake oil, like the colloidal silver cure-all you may have seen, or that one weird trick that will see you through the coming economic hard times and right onto easy street. 

Dave Bittner: [00:08:08]  On the other hand, the gangs are also feeling some economic pain. Opportunities for travel and event fraud have essentially dried up, and the criminals who specialize in these are feeling the pinch. The gangs are also having difficulty completing their theft when it requires an actual physical transfer of goods or cash, as it often does. They depend on dropworkers to close those deals, and they're having trouble getting their dropworkers to actually work. For one thing, the authorities are a lot more alert to people who are out and about with no evident legitimate purpose. For another, the dropworkers themselves are often afraid to leave the house. 

Dave Bittner: [00:08:45]  May the pandemic crash the cybercriminal economy fast and hard, faster and harder than any of the damage it's doing to the honest and the hardworking. Yes, that's overly optimistic, but we can hope, right? 

Dave Bittner: [00:09:05]  And now a word from our sponsor, Mazars Cybersecurity. Currently, the largest fine under the GDPR is over 200 million euros. With other similar laws like the California Consumer Privacy Act coming online, it's critical to review your company's readiness for and compliance with privacy regulations. The legal experts and cybersecurity professionals at Mazars Cybersecurity can review your systems and processes, ensuring that you are in compliance with privacy regulations, reducing your risk moving forward. Their world-class team in over 90 countries has experience with a full range of regulatory regimes globally and insight into local requirements at the state level. They can even act as your data protection officer. They understand that today's business world is international, online and interconnected. A law a world away can substantially impact your organization. Can you afford to be out of compliance? See how Mazars helps at www.mazarsusa.com/cybersecurity. Again, that's www.mazarsusa.com/cybersecurity. And we thank Mazars Cybersecurity for sponsoring our show. 

Dave Bittner: [00:10:29]  My guest today is retired four-star Admiral James Stavridis. He served as NATO Supreme Allied Commander Europe and was dean of The Fletcher School at Tufts University. He's the author of several books, the most recent of which is titled "Sailing True North: Ten Admirals and the Voyage of Character." Admiral Stavridis serves on the board of encrypted email and file sharing firm PreVeil, which is how we came to speak with him at the RSA Conference. 

James Stavridis: [00:11:04]  In the mid-'70s, I'm in Annapolis. And into my classroom walks Rear Admiral Grace Hopper - Amazing Grace, the mother of COBOL. And she's there to tell us about COBOL, this magical way of communicating with a computer. And, of course, we do it with paper punch cards to make very simple commands. So that's the mid-1970s. 

James Stavridis: [00:11:23]  Now flash-forward to today. At every step of my career, I've seen the deeper and deeper engagement of the Navy and the other services to where we are today, which is, in my view, it is so complex and so central to everything we do that it's time for us to have a Cyber Force. Just like we have an Army, a Navy, an Air Force and a Marine Corps, I think it's time for a Cyber Force. So we've come from punch cards and BASIC as a language and COBOL as a language to a need to create a separate branch of the armed forces because of the inherent complexities of cybersecurity. 

Dave Bittner: [00:12:01]  So where do you suppose we find ourselves today? Taking the temperature of how things are in the DOD and the government sector, in your estimation, where do we stand? 

James Stavridis: [00:12:13]  I'll give you good news and bad news, and I'm going to start with the bad news. The bad news is in cyber and cybersecurity nationally, we find the greatest mismatch between level of threat and level of preparation. In other words, we worry a lot about Russia, China, Afghanistan, Islamic State, piracy. Those are serious threats, high level of threat, but our level of preparation to deal with it is quite high. 

James Stavridis: [00:12:40]  In cyber, the level of threat is expanding unbelievably rapidly because the threat surface is expanding. Today, there are 25 billion devices connected to the internet of things. By mid-decade, it'll be 50 billion. That's great. I can get out my iPhone and open my garage door from San Francisco. The bad news is the threat surface is huge. And we are not moving as rapidly as we should, and offense is outpacing defense in my view. So I'm concerned. That's the bad news. 

James Stavridis: [00:13:12]  Here's the good news to the Department of Defense. There's growing awareness. There's growing expertise. We are moving toward the idea of a Cyber Force. And most recently - and this will sound a little wonky, but it's really important - the Department of Defense is releasing something called the Cybersecurity Maturity Model Certification - kind of a mouthful - CMMC. What it is is think of it like karate. It's a series of belts that you have to attain if you're going to do business with the government. 

James Stavridis: [00:13:41]  So Level 1 is very basic. Think of it as a white belt. You got to know what a phishing attack is. You got to have a basic resiliency plan. You have to be able to coherently reconstitute data. The levels go up to Level 5. If you want to do serious business with the government, you got to be a Level 5. That means we're going to force standards on - glad you're sitting down - 300,000 companies who do business with the Department of Defense. That's called the defense industrial base. It's an unregulated zone in terms of cyber. The department is about to regulate it. It's a profoundly good initiative.  

Dave Bittner: [00:14:24]  How do you suppose that transition is going to play out? And how long's it going to take? 

James Stavridis: [00:14:30]  It's starting almost immediately. By early summer, if you want to participate in a request for information, so-called RFI, you have to have the basics put together. By October, if you want to be in an RFP, which is pretty serious, a request for proposal - that's where you're actually presenting a bid, if you will, to the government - you have to have obtained the appropriate level for your organization, its size. 

James Stavridis: [00:14:56]  And so let me give you an example involving a company that I'm working with called PreVeil, which does end-to-end encryption. If you want to do business with the government, you're going to have to demonstrate to the government that you can move emails and file attachments that can't be attacked in the server system, which is, of course, what happens now with Gmail or any other broad-area messaging or email service. 

James Stavridis: [00:15:22]  So as we get into this, it's going to happen fast. Companies are going to need solutions quickly. And by the way, Dave, I'll close on this. It has to be not self-certification. It has to be certified by an outside observer, and that outside observer has to be certified by the Department of Defense. So this is a big change, a big system. There are going to be fits and starts in this. There'll be discontinuities. But it's a move in the right direction.  

Dave Bittner: [00:15:53]  I have one more question for you. The world that you come from, which is a world of aircraft carriers, of fighter jets, of soldiers... 

James Stavridis: [00:16:01]  Tanks. 

Dave Bittner: [00:16:02]  ...Tanks - all of that hardware requires large investments - you know, the best people designing them, operating them. The soldiers we have trained are second to none. But that is all visible. That is all - you can look into the harbor and see an aircraft carrier, and there it is. And so in terms of expressing our nation's strength globally, those things are very easy to see. Cyber is different. And we're in this era where nations who perhaps wouldn't have gotten our attention before, for them to stand up a force in the cyber realm doesn't require - they don't have to build an aircraft carrier. They don't need the capabilities to build a jet fighter. 

James Stavridis: [00:16:47]  Correct. 

Dave Bittner: [00:16:48]  Do you have any insights on that disproportionality? 

James Stavridis: [00:16:51]  I think another way to phrase the question is, if you'll permit me, is, do we still need all that massive old-line, hyperexpensive equipment, or can we do all this with cyber? And unfortunately, I think we're going to continue to need some level of those legacy systems. But here's the mistake people make. They tend to think of it as an on and off switch that only has two positions. Either, yeah, we just need all that big, beautiful aircraft carriers or we're just going to do it all with cyber. 

James Stavridis: [00:17:23]  Think of it more like a rheostat - you know, like a dimmer in your dining room. You got to move the needle. And I think the needle is moving away from those big, expensive legacy platforms and more toward the cyber, and there's two reasons. One is it is less expensive. We need it to defend our systems. And, critically, our opponents are doing it. And so we may find ourselves in very contentious situations in the cyber world. We got to be prepared for that. Aircraft carrier's not going to get you there. But there are going to be times when that aircraft carrier comes in pretty handy as well. You're going to need a bit of both.  

Dave Bittner: [00:18:06]  All right. Admiral, thank you so much for joining us. 

James Stavridis: [00:18:07]  What a pleasure. Thanks for doing it. 

Dave Bittner: [00:18:09]  Thank you. 

James Stavridis: [00:18:09]  All the best. 

Dave Bittner: [00:18:11]  That's retired four-star Admiral James Stavridis. Our thanks to the team at PreVeil for coordinating the interview. 

Dave Bittner: [00:18:21]  And now a word from our sponsor, ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems, more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, quote, "there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop." See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:19:25]  And joining me once again is Michael Sechrist. He's the chief technologist at Booz Allen Hamilton. Michael, it's great to have you back. I just wanted to check in with you as we're all sort of hunkered down dealing with the situation with COVID-19. What sort of insights can you share with us? What sort of things are on your mind? 

Michael Sechrist: [00:19:45]  Well, thank you so much again for having me back. It's been a while, but happy to talk to a familiar voice. So the, you know, obviously this is dominating the news cycle. And when we think about cyber and we think about cybersecurity, it's basically an extension, really, of physical world activity. And so it's no surprise that we're seeing an uptick in kind of everything related to what's happening out in kind of the pandemic news into, you know, cyberspace. 

Michael Sechrist: [00:20:18]  And, you know, some of the things that we've generally seen kind of change, I think No. 1 is that it's really becoming difficult to find out what the normal baseline of a company is in terms of their network activity, in terms of what activity, what should they be expecting from in terms of, you know, traffic from external sources. What should they be expecting in terms of, you know, basically flows with their bandwidth? In addition, we're seeing a rise in basically all the attack vectors that you would expect that are going to target availability. 

Dave Bittner: [00:20:52]  Right. 

Michael Sechrist: [00:20:53]  So if you think of the CIA Triad - the confidentiality, integrity and availability - availability has become, you know, essential now to the lifeblood of kind of the economy to just the overall health of corporations. And so as such, you have attackers and those who are - just want to cause, like, kind of disruption from the outside wanting to use things like, you know, malware spam, malspam. You've got probably - you're going to see a rise in business email compromise attacks because it's difficult to get a sense of what, you know, if that email address that's asking you to move money is not from your CFO or not from somebody in authority. It's a little bit more difficult to kind of arrive at that conclusion now because of everybody working from different addresses, different places, remotely. 

Dave Bittner: [00:21:44]  Right. 

Michael Sechrist: [00:21:45]  You're seeing a rise in ransomware attacks that are going to try to, again, affect availability. You'll probably see a rise in DDoS attacks. You'll see a rise in attacks that are targeting just VPN infrastructure or trying to avoid that because of the rise in connections using VPN. And then also, you know, expect that you'll still see nation-state, quote-unquote, "sophisticated" APT-type attacks that are going to try to blend in with the noise and move during the chaos that is currently facing us. 

Dave Bittner: [00:22:20]  What about this reality that, you know, many organizations have had work-from-home policies, and so they've had procedures in place for that? But I suppose it's fair to say that having such a large percentage of your workforce relying on consumer-grade technology or their home Internet connections, that's quite a shift. 

Michael Sechrist: [00:22:43]  Yeah, it certainly is. I mean, even when you set up a work-from-home policy for your employees, there are certain specifications that companies typically require. Usually, you have to be kind of somewhat segmented off. Even internally at your house, you have to kind of have a standard setup work-from-home location. And then you have to have, you know, pretty much unfettered internet connectivity and activity there. You know, both of those can be very challenging right now. Not everybody has set those up. 

Michael Sechrist: [00:23:13]  Childcare while working is also very difficult. If you're working on very sensitive and confidential activities, you've now kind of potentially put yourself in exposure with others who you're living with a lot more than you previously did. And then you having the unfettered access - right? - the internet access, that is always not the case. And certain - you're going to see probably a certain degraded or downgraded connectivity at times basically with the influx of everybody kind of logging on around maybe your area at the same time. And that can affect your abilities to operate. 

Dave Bittner: [00:23:46]  Right. 

Michael Sechrist: [00:23:46]  So yeah. There's definitely - it's a much different work from home kind of setup. And, you know, the other thing I would mention here that is interesting is that, you know, I've been a part of a lot of cybersecurity exercises in the past, and I don't think we ever had one or I've ever seen or heard anyone talk about having a fully work-from-home cybersecurity exercise. You know, the other kind of thought is, you know, having a cyber - a massive cybersecurity event while most of the company is distracted, right? Like, I don't think that is typically something that companies ever have created. And when I say distracted, I mean, what would happen if, you know, you're facing one adversary on one side doing some sort of the activities we described, but then you have another attack kind of unfolding either in the background or on a second front? 

Dave Bittner: [00:24:35]  Right. 

Michael Sechrist: [00:24:35]  Having like a two-front attack is very difficult. And I would consider almost the pandemic and COVID to be one - at least one type of attack, maybe not obviously deliberately here but just like something that companies have to focus on while they're also having to maintain potential attacks from other areas. 

Dave Bittner: [00:24:53]  Yeah. No, it's an interesting insight. Well, Michael Sechrist, thanks for joining us. 

Michael Sechrist: [00:24:57]  Thank you so much. 

Dave Bittner: [00:25:03]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:25:21]  Don't forget to check out this weekend's episode of Research Saturday. I speak with Allan Liska about the Recorded Future ransomware trends research report. 

Dave Bittner: [00:25:30]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:25:42]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:25:50]  Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Do stay safe. We'll see you back here next week.