The CyberWire Daily Podcast 4.7.20
Ep 1061 | 4.7.20

Trends in COVID-19-themed cybercrime. Social media seek to inhibit the misinformation pandemic. Corp[dot] off the market. BEC in cloud services. Investment notes. Big big fraud.

Transcript

Dave Bittner: [00:00:03] Criminals increase their targeting of hospitals and pharmaceutical companies. Ordinary scams proliferate worldwide using COVID-19 as their bait. Social media seek to inhibit the flow of coronavirus misinformation; the commodification of zero-day exploits. Corp.com is no longer available. The FBI warns of business email compromise via cloud servers. A quick look at investment. And finally something other than the Brooklyn Bridge is for sale. 

Dave Bittner: [00:00:40]  And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms," everything you need to know about security, orchestration, automation and response. The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. 

Dave Bittner: [00:01:48]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business, it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:11]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 7, 2020. 

Dave Bittner: [00:02:20]  The COVID-19 pandemic seems not to have induced much repentance or even restraint among cyber criminals. Contrary to the hopes of criminal good behavior that some may have entertained, ransomware attacks against hospitals have predictably not only continued despite criminal protestations of good intentions but appear to have increased. An Interpol warning suggests that the value of access to data during a health emergency has been too much for the criminals to resist. Bleeping Computer, which received promises from some ransomware gangs that they'd place medical facilities off limits for the duration of the pandemic emergency, has been tracking the criminals' activity and reports that Maze, Ryuk and Sodinokibi have all been used recently against health care and pharmaceutical targets. 

Dave Bittner: [00:03:09]  More of the ordinary, dreary scams are being reported around the world. The FBI, according to Smart Office, received 1,200 COVID-19-related scams in a single week. ZDNet reports that Brazilian authorities saw a 124% increase in scams last month and also that the Australian Signals Directorate is going on the counteroffensive against offshore grifters targeting Australian citizens. The Australian Signals Directorate, a Five Eyes counterpart of the U.S. National Security Agency, is, according to its director, working with telecommunications companies to block fraud and take down the infrastructure that supports it. Quote, "our offensive cyber campaign has only just begun, and we will continue to strike back at these cyber criminals operating offshore as they attempt to steal money and data from Australians," Director-General Rachel Noble said. 

Dave Bittner: [00:04:02]  Back in the U.S., the Wall Street Journal notes that the Securities and Exchange Commission has suspended trading of two stocks over the companies' dubious claims about their activities during the pandemic emergency. Both are obscure penny stocks trading in the relatively lightly regulated over-the-counter market. Social media providers are grappling with disinformation and misinformation. YouTube, Facebook and WhatsApp are trying various measures to come to grips with the volume of fear, nonsense and lies in circulation about COVID-19. YouTube is using a relatively soft hand with borderline content - that is, content not in formal violation of the platform's guidelines - and is especially concerned about the bogus theory that cell towers, especially when connected to or prepared for a 5G network, are responsible for the virus. Videos peddling this particular meme could lose advertising revenue, says YouTube's corporate parent, Google. They will be removed from search results and will also see reduced recommendations by Google's algorithm, CNN reports. The Telegraph says that Facebook is meeting with British government officials this week to see what it can do to prevent further threats and vandalism inspired by the cell tower panic. And WhatsApp, according to Computing, is concentrating on inhibiting the spread of false information by restricting message forwarding to one chat at a time. 

Dave Bittner: [00:05:31]  A FireEye study concludes that zero-day exploitation now depends upon money more than it does on skill. 2019 saw an uptick in zero-day attacks. Quote, "we surmise that access to zero-day capabilities is becoming increasingly commodified based on the proportion of zero-days exploited in the wild by suspected customers of private companies" - end quote. Many of the incidents the report tracks, especially those in the Middle East, have some connection to NSO Group. The researchers conjecture that the increase in zero-day use observed over the course of 2019 could indicate either that intelligence services are making more use of private contractors, or that the vendors are selling tools to customers who themselves have more slipshod operational security, and poor opsec simply makes the use of zero-days more obvious. Or, of course, it could be both. 

Dave Bittner: [00:06:24]  If your average worker finds a barrier between themselves and getting their work done, they are likely going to try to find a way around that barrier one way or another. When that initiative finds itself at odds with security, we call that shadow IT. Matt Davey is from password manager provider 1Password. 

Matt Davey: [00:06:45]  We always want to find out more things about how people use 1Password and what happens when they don't use a password manager in a company. And just from an ethos of the company, we have zero analytics in any of our apps and minimal analytics on our marketing site. So we really don't know that much about our customers. And anything that we want to know, we have to go and find out. So research plays a huge part in that. 

Dave Bittner: [00:07:15]  So in this case, you went out and spoke to over 2,000 of your business users. What are some of the key findings here? What did they report back to you? 

Matt Davey: [00:07:23]  Well, we did, actually, a wider survey than that. It wasn't just kind of our users. We went out. And, you know, we spoke to the general public and - yeah, it was really around this concept of shadow IT. And... 

Dave Bittner: [00:07:37]  And what did you discover? 

Matt Davey: [00:07:40]  So we pretty much knew what we would discover. At least, we had an inkling. Basically, people are sharing and creating accounts outside the purview of IT, outside, you know, this kind of authorized IT. And I think this is happening, you know, mainly due to productivity. Waiting for IT is quite difficult. 

Dave Bittner: [00:08:03]  Right. 

Matt Davey: [00:08:03]  So there's a lot of aspects like that to shadow IT. 

Dave Bittner: [00:08:07]  One of the interesting stats that you shared was 37% of the folks you surveyed had shared an account with a colleague. Take us through the implications of that one. 

Matt Davey: [00:08:17]  Yeah. I mean, that's another interesting point where they're sharing things. And mostly, it's by things like instant messenger. So I mean, we're really talking something like Slack. It's, you know, via a spreadsheet. How many times have you seen that in a company, where the password manager is essentially a Google Doc and they just share the link out to everyone? It's always difficult to share something like a password and then take it back. You know, usually, it's, again, the departments in a company that are not given a password manager. But really, some of the ones that aren't given a password manager are holding almost more sensitive data than the IT team. 

Dave Bittner: [00:09:05]  So what were the take homes from the survey in terms of advice that you can share with people based on what you learned here? 

Matt Davey: [00:09:13]  Most of the problem is unseen passwords, right? So this kind of shadow IT is that, you know, your IT team might have something like a single sign-on in place. It might have something that it determines as, you know, these are the services that you can use. But most probably, there are a bunch of unseen passwords and unseen services under the purview of IT. 

Matt Davey: [00:09:38]  And so really, how a password manager can help there is - you know, it's the understanding that if you install that habit in people, that then they will use that again, both at home and at work. But it increases that kind of security habit as a whole. So those, you know, underlying, reused passwords or anything like the services under the scenes, they might be there. But at least they're using strong, unique passwords for those services. 

Dave Bittner: [00:10:08]  That's Matt Davey from 1Password. 

Dave Bittner: [00:10:12]  Because it is so susceptible to abuse, the potentially risky corp.com domain is off the market. KrebsOnSecurity reports that Microsoft has bought the domain to keep it out of the hands of hackers. The risk lay, for the most part, with Active Directory, where namespace collision was a possibility. Krebs explains that, quote, "early versions of Windows that supported Active Directory - Windows 2000 Server, for example - the default or example Active Directory path was given as corp. And many companies, apparently, adopted this setting without modifying it to include a domain they controlled," end quote. With Microsoft having purchased corp.com, this particular risk has been substantially reduced. 

Dave Bittner: [00:10:56]  The U.S. FBI warns organizations to be alert for business email compromise scams that exploit cloud-based mail services. The phishing tackle the criminals use spoofs the legitimate email services. While most cloud services have security features designed for protection against business email compromise, they must be properly configured. 

Dave Bittner: [00:11:18]  A single swallow doesn't make a spring; neither do a few investments make an economic recovery, still less a boom. But a small flock of venture capital swallows has perched in the cybersecurity sector. Cato Networks at $77 million, Accellion at $120 million, Privitar at $80 million, CyberMDX at $20 million and Okera at $15 million have all reported new funding this week. 

Dave Bittner: [00:11:48]  And finally, if we may return to COVID-19 scams, you can forget all about that Brooklyn Bridge. Could we interest you maybe in a Statue of Unity? For just $4 billion, it can be yours, art lovers, patriots, philanthropists, collectors of curiosities. And it's for a good cause, too. The proceeds - we hear - will help the state of Gujarat deal with the coronavirus - but, of course, not really. Reuters reports what must be the brassiest online scam to surface so far during the pandemic emergency. We hope no one fell for it. The Statue of Unity - about twice the height of the Statue of Liberty in New York Harbor - commemorates Sardar Patel, one of India's founders. At 182 meters tall, the Statue of Unity would be tough to fit on your coffee table. But with heroic art, who measures, really? 

Dave Bittner: [00:12:40]  The moxie and low cunning behind the scam really put all the other COVID-19 grifters in the shade. What's a business email compromise scam baited with masks and hand sanitizer compared to the offer of a monumental, heroic statue whose steel framing, reinforced by concrete and brass coating, supports a bronze cladding? Think big, friends. Think big. 

Dave Bittner: [00:13:04]  And now a word from our sponsor, BlackCloak. Oh, come on. It's not like anybody actually needs this anymore. I mean, executives in their personal lives, they're doing great. They all have advanced malware detection on all their devices. They're using dual-factor authentication everywhere. Their home networks are rock solid secure. And they never, ever use a weak password. As for their families - little Luke and Leia and their significant other - well, they're pillars in the cybersecurity community, right? You're right. I was dreaming there for a minute. The fact is executives and their families are targets. And at home, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cybercontrols, hackers have turned their attention to the executives' home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to protect your executives and their families from hacking, financial loss and private exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show. 

Dave Bittner: [00:14:32]  And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: [00:14:42]  Good to be with you, Dave. 

Dave Bittner: [00:14:44]  Interesting article from VICE. This is a hot topic these days. Of course, the Zoom video conferencing software has become a bit of a darling during this... 

Ben Yelin: [00:14:55]  (Laughter). 

Dave Bittner: [00:14:56]  ...Coronavirus situation. Everyone's using it because... 

Ben Yelin: [00:14:59]  Yeah. 

Dave Bittner: [00:14:59]  ...It's easy to use and affordable. But they are running into some issues here when it comes to some privacy stuff. And somebody has spun up a class-action suit. What's going on here, Ben? 

Ben Yelin: [00:15:11]  Yeah. So we're all using Zoom these days. I've used them for conversations with my colleagues, virtual happy hours. I sort of wish I had invested in Zoom prior to this crisis taking place. But alas... 

Dave Bittner: [00:15:26]  If only you were a U.S. senator, right? 

Ben Yelin: [00:15:27]  Oh (laughter). 

Dave Bittner: [00:15:30]  You would've had that information ahead of time. (Laughter) Sorry. 

Ben Yelin: [00:15:31]  Well played. Well played, Dave. But, you know, with all excellent, easy-to-use applications come some potential privacy risks. And what Motherboard on VICE revealed the other day is that the Zoom application on the iOS platform was sending analytical data to Facebook once that application was open. The claim that this class-action suit is making - and it was one individual user who instigated the class-action suit - is that this violates the new California Consumer - the CCPA, California Consumer Privacy Act, because they did not obtain consent from the users before they transmitted that data to Facebook. Zoom has claimed that this was not done purposefully. They were not aware that they were sending information to Facebook. And they came up with a patch that was available if users updated the application on their iOS platform. And so what the plaintiffs are saying in this case is that that is not satisfactory. 

Dave Bittner: [00:16:40]  Yeah. 

Ben Yelin: [00:16:41]  Many users aren't necessarily going to be aware that this patch exists. And they're still going to be using the previous version of Zoom, meaning that their information is still going to be shared with Facebook. So we're at the - obviously, the very early stages of this lawsuit. It was just filed in the last couple of days. It's a class-action suit, meaning it potentially could represent hundreds of thousands to millions of people who have used the Zoom application on iOS. And this is something that we're going to have to pay attention to. My guess is that because Zoom has sort of admitted its error here and has tried to come up with a patch to correct its error, perhaps they'd be amenable to settling the case. But that's just sort of - that's just me guessing. 

Dave Bittner: [00:17:27]  Yeah. 

Ben Yelin: [00:17:27]  So we're going to have to see where this goes going forward. 

Dave Bittner: [00:17:30]  Well, I was going to ask you. I mean, does Zoom's claim that this was inadvertent, that they didn't realize that some of the underlying technology that they were using was sending data to Facebook - I mean, does that really matter in their defense? Is ignorance a defense here? 

Ben Yelin: [00:17:48]  Ignorance is rarely a defense, especially ignorance of the law. Now, ignorance on the basis of facts - for example, they did not know that information was being transmitted to Facebook - that could potentially be a valid legal defense. They'd have to convince a court - either a judge or a jury - that they actually did not know at the time that they were creating the application that certain user data was being transmitted to Facebook. And that would be very difficult for them to try to show. 

Ben Yelin: [00:18:17]  Now, the burden of proof is on the plaintiff. The plaintiff has to show with a preponderance of the evidence that Zoom knew that some of this information was being transmitted to Facebook. But, you know, once you start a discovery process, you, I'm sure, could find a Slack conversation between Zoom employees where they were talking about whether or not information was being transmitted to Facebook. So my guess is that they might be able to use that as a defense at the outset. They might say that while answering the lawsuit. But if you dig a little deeper, my premonition is that someone probably knew at some point that this was going on. And you know, without informing the users and without obtaining the users' consent, that is a violation of this new California statute. 

Dave Bittner: [00:19:04]  Now, is the California statute what's really enabling this class-action suit? 

Ben Yelin: [00:19:10]  It is. I mean, it's filed in a federal court in California. But the claim is based on the new California state law. And I think we're going to see a lot of different lawsuits like this one because the CCPA is now in effect. The CCPA went into effect on January 1 of this year. Some of the enforcement actions were supposed to not technically go into effect until July 1. But there still is this cause of action here under this new statute. So this might be, at least in terms of major cases, the first of its kind emanating from this new California law. And I think we'll see many more cases going forward. 

Dave Bittner: [00:19:48]  Well, Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:50]  Thank you. 

Dave Bittner: [00:19:56]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:14]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:26]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.