COVID-19 updates: crime, propaganda, and craziness. (Also telework.) BGP hijacking. DarkHotel sighting. Apps behaving badly. And a risk of sim-swapping.
Dave Bittner: [00:00:03] The COVID-19 pandemic continues to drive a spike in cybercrime. It's also been the occasion for various state-operated disinformation campaigns and for some surprisingly widespread popular delusions. Zoom's acknowledgment that some traffic was mistakenly routed through China draws more scrutiny to the teleconferencing service. A possible BGP hijack is reported. DarkHotel is said to be back. Bad stuff at Google Play. And a SIM swapping risk.
Dave Bittner: [00:00:38] And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place - enhanced by intelligence, enriched with analytics, driven by workflows - you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:01:46] Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud, to protect the latest like containers, to empower your change-makers like developers and to enable business accelerators like your team's. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 6, 2020.
Dave Bittner: [00:02:17] The coronavirus pandemic continues to provide an occasion for criminal hacking, state-directed disinformation and popular delusions. There's been a general spike in coronavirus-themed attacks as criminals move towards the soft - or at least novel - targets public fear and widespread remote work afford. Both Europol and the U.S. FBI are reporting a significant increase in cybercrime, and other regions are seeing much the same, which ought to place criminal avowals that they be on their best behavior, all for the greater and most high-minded good, into some perspective.
Dave Bittner: [00:02:53] Here, for example, is another Cointelegraph report that the dark web Monopoly Market says it will permanently ban hoods running COVID-19 scams. We won't link to their own site, but we will quote some of the extracts Cointelegraph ran. We have class here, Monopoly Market's impresarios say - albeit implausibly and in a self-refuting kind of way, since classy people don't generally draw attention to their classiness. They go on - you do not, under any circumstances, use COVID-19 as a marketing tool. No magical cures, no silly effing mask selling, toilet paper selling; none of that horse excrement.
Dave Bittner: [00:03:34] The impresarios also give some advice with an FYI, news you can use. You are about to ingest drugs from a stranger on the internet. Under no circumstances should you trust any vendor that is using COVID-19 as a marketing tool to peddle, tangle already questionable goods. But we guess other marketing tools would still be fine with them. We still think such public-spirited piety should be assessed in the light of the source and be received with reservations. Other notes from the underground that have promised good behavior by criminals have proven to be largely moonshine - or as SecurityWeek puts it, they've gained little traction. Listener beware.
Dave Bittner: [00:04:14] Beijing continues to be the prime suspect in various disinformation campaigns that surround the pandemic, as the Express reports, but Russian organs have also been active. Canada's foreign minister is the latest to complain - not in so many words, but by clear implication - of Moscow's involvement in pushing bogus information. Digital Journal says that Foreign Minister Francois-Philippe Champagne said after a NATO meeting, certainly this is not the time for a state actor or nonstate actor to spread disinformation at a time when basic humanity is facing one common challenge, which is the virus. Researchers at the University of Calgary weren't reluctant to make an attribution, and they're attributing the campaign NATO discussed to Russia.
Dave Bittner: [00:04:59] This is not to suggest that the two governments' goals or styles have been identical. As is usually the case, China is interested in pushing a persuasive line - in this case, the line that COVID-19 didn't originate in China and that China has been a good global citizen in helping people recover from the epidemic and that anything bad that's going on is somebody else's fault; maybe the fault of the Spanish or, more likely, the fault of the Americans. It's worth noting that some people posting comment on the pandemic to Twitter have reported being the recipients of waves of countercomment in cases where the original posts were Sino-skeptical. A big bot cannon is delivering a big volume of informational counterfire. The Russian line tends to be opportunistic, interested in increasing the opposition's friction, not usually in reducing their own.
Dave Bittner: [00:05:50] And of course misinformation, as opposed to disinformation proper, also spontaneously boils to the surface in times of stress. The completely unfounded attribution of COVID-19 to 5G infrastructure continues to gain surprising traction, with the U.K. for some reason seeming particularly susceptible. The Guardian reports that broadband engineers have received threats, and the vandalism of a Birmingham cell tower seems linked to the meme. Computing says the British government has asked social media platforms to take stronger measures against such misinformation about coronavirus conspiracies.
Dave Bittner: [00:06:28] The fear of 5G as the source of COVID-19 is strangely reminiscent of the popular fears around which the Righteous and Harmonious Fists organized themselves during the Boxer Rebellion in China at the end of the 19th century. Back then, it wasn't 5G, of course, but rather the telegraph lines associated with foreigners. The singing of the wind and the wires sounded like spirits in torment. Rust-tinged rainwater dripping from poles and lines was taken for the spirits' blood.
Dave Bittner: [00:06:57] Lest one be inclined to read histories of that time as accounts of an utterly alien and benighted people, think twice and take a look at Birmingham. Some popular delusions may also be undergoing amplification by botnets, TechRadar reports, and such amplification suggests that state operators may be using the memes for disruptive purposes.
Dave Bittner: [00:07:19] We speak often about the shortage of qualified candidates for jobs in cybersecurity, and an important but arguably underreported element of that fact is burnout. Many positions in this industry suffer from high turnover. Dr. Celeste Paul is a human factors and cybersecurity researcher and senior computer scientist at NSA, and she offers these insights.
Celeste Paul: [00:07:42] Cybersecurity is extremely stressful. It's just something about the environment. It's complex. It's unpredictable. But that's a lot of why we get into it because it's so much of what we like. It's the challenge. That's why we're doing cyber. But those things can also cause stress, especially the unpredictability and lack of control that you might have not just over your environment but the things around it. And so I think that's some of what contributes to the stress and burnout and turnover that we see in cybersecurity.
Celeste Paul: [00:08:14] And so some of the things that I've been working on is understanding more about what causes that stress. And so during my talk, I'll focus on Maslow's hierarchy of needs is one way of understanding that, and then I also provide some techniques in how we can manage our own stress or stress within our organizations.
Dave Bittner: [00:08:32] Can you give us some insights there? I mean, what are those human factors? In an environment like the one that so many of us function in, what are the things that are contributing to that, and how do they - how do people end up in a tailspin?
Celeste Paul: [00:08:46] Cybersecurity is hard. It's just - it has a lot of challenge associated with it, and so there's going to be a cognitive tax associated with that. And so anytime you have that challenge, you're going to be taking resources away from your body and your mind. And as long as you have enough time to recover afterwards, it's fine. We, you know, learn. We build up hardiness so that the next time that we have stress, we're more resilient and can recover faster. However, if we don't have enough time to recover from stressful event to stressful event, it starts to build up in our bodies, and it starts to build up in our minds. And that's where we start to feel the effects more, and it's starting to affect our work itself.
Dave Bittner: [00:09:26] How much of this is a cultural component? I think about - particularly, I think, here in the United States, it's almost a badge of honor to say how many hours you worked. And if you're in a startup environment, for example, you know, we're burning the midnight oil, not getting any sleep, but we're getting it done. And it seems to me like there's a point where you hit diminishing returns with that.
Celeste Paul: [00:09:46] There are definitely diminishing returns whether or not we like to accept it just because as, you know, cybersecurity professionals, we like to overcome those challenges. And one of them is going harder and faster than everybody else. So at NSA, we understand the benefits of work-life balance, and so we have programs within the agency that are available to the workforce to help them with that work-life balance. So it's not just managing stress within the workplace but anything outside of work. So whether it's at home or, you know, just other activities that you have, we realize that helping people balance those activities will help them be happier and more productive at work, but we also want them to be happy and productive at work and then take that home with them, where they're also happy at home.
Dave Bittner: [00:10:34] Do you have any guidance or tips for that team leader who's trying to do a better job keeping an eye on their team and making sure that people are getting the care and feeding that they need?
Celeste Paul: [00:10:47] So as a team leader, you can check in with your people as much and as necessary as you feel. I think sometimes we get to know our people and know how much they can take and know, oh, well, they'll be OK. But it still helps to check in with them.
Dave Bittner: [00:11:04] That's Dr. Celeste Paul from the National Security Agency.
Dave Bittner: [00:11:08] Zoom has acknowledged that it allowed certain calls to be routed through China. And this was a mistake, according to Yahoo. Zoom's China connections have drawn fresh suspicion and scrutiny, including a U.S. congressional request for an explanation. ZDNet says traffic from more than 200 of the world's biggest cloud hosting providers and content delivery networks was suspiciously redirected through Russia's state-owned telecommunications provider Rostelecom. It looks like Border Gateway Protocol - that's BGP - hijacking. And ZDNet calls Rostelecom a repeat offender.
Dave Bittner: [00:11:45] Qihoo 360 reports an operation by DarkHotel that exploits a zero-day in Sangfor SSL VPN servers widely used by the Chinese government. The targets have, for the most part, been government agencies in Beijing and Shanghai and Chinese diplomatic missions in some 19 countries, by ZDNet's count. The researchers called DarkHotel a Korean Peninsula APT gang.
Dave Bittner: [00:12:11] Researchers at universities in Italy, Amsterdam and Zurich have published research into apps on Google Play, where more than 4,000 apps collect information about other installed applications and do so without user permission. A follow-on study by the same team showed that such information can be reliably used to develop profiles of the affected users - gender, for example, seems relatively easy to infer. Other popular Android apps present direct security risks. VPNpro reports that SuperVPN, an application with over 100 million downloads, is vulnerable to exploitation from man-in-the-middle attacks, and a study by CyberNews suggests the existence of a group of Android developers who share code in producing risky or fraudulent apps.
Dave Bittner: [00:12:58] Following up a study into SIM swapping, researchers at Princeton University found that some affected services had corrected the vulnerabilities but that an alarming number haven't done so yet. Motherboard summarizes the findings - meanwhile, keep patching.
Dave Bittner: [00:13:19] And now a word from our sponsor, the "Coronavirus Morning Report" podcast. Are you one of those people losing sleep, distracted from work because you're nervously refreshing coronavirus news all day long? Subscribe to the "Coronavirus Morning Report" instead. Every morning, in a short 15 to 20 minutes, it's all the latest you need to know in quick podcast form. The New Yorker magazine called it one of the top coronavirus podcasts to listen to, saying it stays on the right side of informed, nonhysterical and focused. Search your podcast app right now and subscribe to "Coronavirus Morning Report." That's "Coronavirus Morning Report," brought to you by the same guy who gives you the "Techmeme Ride Home" podcast. And we thank the "Coronavirus Morning Report" for sponsoring our show.
Dave Bittner: [00:14:14] And I'm pleased to be joined once again by Malek Ben Salem. She's the Americas cybersecurity R&D lead for Accenture. Malek, always great to have you back. We wanted to take a look at some of the human side of cybersecurity today, looking at the health of some of the folks in the field and how that can affect things. What do you have to share with us today?
Malek Ben Salem: [00:14:35] Yeah. This is a topic that is not often talked about, which is the health state of security professionals in general and the health state of CISOs in particular. There has been a recent survey conducted by Nominet that talked to various CISOs and in an effort to understand their stress levels and how they're coping with stress. And throughout that survey, they have identified that the vast majority of interviewed CISOs, 88% to be exact, reported high levels of stress.
Malek Ben Salem: [00:15:09] A third of them reported that the stress levels caused health - physical health issues, and half reported mental health issues. They even talked about that stress affecting not just their ability or their productivity, but it affected their relationships with their partners or children - 40% of CISOs reported that. Thirty-two percent reported that their job stress levels had repercussions on their marriage or romantic relationships. Thirty-two percent said their levels - stress levels had affected their personal friendships. Twenty-three percent of CISOs said they turned to medication or alcohol.
Malek Ben Salem: [00:15:59] So this is a problem that is more widespread than we talk about and than we think. And, you know, it's definitely something that has to be raised, right? And we see some organizations bringing this up, most recently - obviously, this Nominet survey - but also an online community by the name of Mental Health Hackers have tried to make people in the community aware about this problem. They've even presented at Black Hat a couple of years ago. But I think as security as a topic and CISOs gain more visibility to the board, hopefully there will be more awareness of this issue.
Dave Bittner: [00:16:49] Yeah, it's interesting to me because, like, I can see two sides of it. I mean, on the one hand, I could see folks saying, well, this is a high-level position. Of course it's stressful. That's - that comes with the territory. But on the other hand, I imagine you hit a point of diminishing returns. If someone is not functioning at their full capacity because of this stress, well, that could be a real security problem for the organization.
Malek Ben Salem: [00:17:12] Absolutely. I mean, if you're - if you have stressful levels to the point where you cannot adequately perform your job, then there are repercussions to that organization. Also, because of these stress levels, most CISOs don't last in their jobs more than 26 months. So the high turnover is also worrisome because, you know, if you have somebody on the job who's trying - you know, who has this huge mission of making the enterprise secure and your customers' data secure and they're only there for two years, by the time they start - you know, they build a strategy and start executing on it, they move onto another job. So I think, yeah, definitely, even from the organization's risk exposure perspective, that we need to take this seriously.
Dave Bittner: [00:18:01] Yeah. It seems to me like there needs to be open lines of communication so that there's no shame in someone coming to their bosses or their teams and saying, hey, listen - I've got a situation here; we need to make some adjustments.
Malek Ben Salem: [00:18:15] That's absolutely true. And also, the other point of the other aspect of this is that this is not just for CISOs, right? Information security professionals overall are exposed to these high stress levels. You can think about the threat intelligence analysts. You can think about SOC analysts having to respond to alerts so quickly and kind of stress that brings about. So I think as an infosec community overall, we need to start talking about these problems and so that we can address them.
Dave Bittner: [00:18:50] All right. Malek Ben Salem, thanks for joining us.
Malek Ben Salem: [00:18:53] Thank you, Dave.
Dave Bittner: [00:18:59] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:19:18] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:30] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:56] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.