Operation Pinball. Implausibly spoofed, not really official, COVID-19 emails. CISA updates US Federal telework guidance. ICO defers some big GDPR fines. Zoom agonistes. Fleeceware in Apple’s store.

Dave Bittner: [00:00:04] Operation Pinball roils up Eastern Europe and the near abroad. Crooks who can't write idiomatic American English are spoofing emails from the White House in a COVID-19-themed phishing campaign. CISA updates telework guidelines for federal agencies. Some GDPR fines are deferred until after the pandemic. Zoom continues to reel from its success. And fleeceware is found in the iTunes store. 

Dave Bittner: [00:00:35]  And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms," everything you need to know about security, orchestration, automation and response. The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business, it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:06]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 9, 2020. 

Dave Bittner: [00:02:15]  The threat intelligence specialists of Recorded Future’s Insikt Group have identified an ongoing disinformation campaign, Operation Pinball, probably of Russian origin, that seems to overlap the Secondary Infektion campaign the Atlantic Council described earlier this year. Operation Pinball for the most part targets Russophone populations in eastern Europe and the near abroad of former Soviet republics. 

Dave Bittner: [00:02:40]  Two of its principal objectives appear to be undermining the government of Estonia with content that exploits fears connected with European migrant crisis and disrupting Georgia's growing relationship with NATO. Operation Pinball uses inauthentic websites and social media accounts in what appears to be a hack-and-leak campaign. In fact, the purportedly leaked documents, while often convincing, down to the images of hard copy letters that piously declare themselves to be printed on recycled paper, are entirely bogus. 

Dave Bittner: [00:03:13]  Recorded Future's analysts think it likely that other similar campaigns are under preparation. Operation Pinball involves deception and influence operations conducted by an intelligence service. But, of course, not all deceptive social engineering is the work of a nation-state. Criminal gangs also get into this act. Researchers at the email security firm INKY describe some implausible emails on the coronavirus pandemic that pretend to originate from either the White House or U.S. Vice President Pence. INKY outlines two distinct series of emails. The first said that current measures against the pandemic would continue through August, and that the IRS had pushed tax day back from April 15 to August 15. It also urged recipients to download the president's guidance that would, quote, "protect you and your family from pamdemic" - that's pamdemic. The second series reiterated the claims of the first and encouraged recipients to follow a link for more information. 

Dave Bittner: [00:04:12]  The spelling and usage are, of course, appalling. But the attackers did use some of the White House's actual html code. We observe in passing that the dropped articles, spoonerisms, misspellings and malapropisms are nowhere near as funny as the ShadowBrokers' copy used to be. Maybe the ShadowBrokers spoiled us. Where are those guys these days, anyway? 

Dave Bittner: [00:04:35]  The emails do originate from Russia, but they seem pretty clearly to be a criminal as opposed to a state-sponsored campaign. For one thing, the troll farmers of St. Petersburg handle American English much better, without all the Boris-Badenovisms on display in these communications. Nevertheless, someone - someone out there - is sadly likely to fall for them. 

Dave Bittner: [00:04:57]  CISA has updated its telework guidance for U.S. federal agencies. The Cybersecurity and Infrastructure Security Agency has issued Trusted Internet Connections - that is, TIC 3.0 Telework Guidance Documents. The TIC guidance is intended to support federal agencies as they seek to comply with the Office of Management and Budget direction to maximize both the opportunity for and the security of remote work across the government during the pandemic emergency. One of the agencies likely to stand in need of the guidance is NASA. BleepingComputer reports that the space agency is receiving particular social engineering attention as much of its workforce is now telecommuting. 

Dave Bittner: [00:05:40]  As we've noted, the global pandemic has prompted many phishing attackers to pivot to COVID-19-related lures. That's not all they're up to. There are a variety of ways the bad guys and gals are effectively getting around phishing defenses. Or Katz is principal lead security researcher at Akamai. 

Or Katz: [00:05:59]  So there are a variety of defenses out there. We can call it the multi-layered kind of defense. The first point is email gateways, where everybody are getting their emails - their organization gets emails. Those emails can be inspected if there is something malicious in the content of the email. And therefore, you can filter some of that malicious content out. That's the first line of defense. 

Or Katz: [00:06:23]  The second line of defense will be once those emails being transformed or whether the phishing was actually propagated through other means. And you can see the phishing from the network point of view, meaning if you press that link for a malicious phishing website, once you press the link, there is actually an HTTP request to that given website, and you can track that - the level of the network and try to mitigate that kind of attack. 

Or Katz: [00:06:52]  The third layer of defense, as far as I see, is actually related to education and awareness - our ability to go to our users and tell them, these are the things that you need to do in order to make sure you are well-protected and that you are doing the right actions once you see something that looks suspicious and you want to make sure that it's not. 

Dave Bittner: [00:07:17]  So in terms of recommendations for organizations to best defend themselves, what sort of things do you suggest? 

Or Katz: [00:07:26]  I think you need to have a multilayered approach to make sure that those kind of attacks will be properly mitigated. And the most important thing, as far as I see, is the ability to go to your users and make sure that they are well-educated and whether they see something that is too good to be true, it's probably. Therefore, they need to be careful and make sure that they are not giving away their sensitive information, they are not opening files that they are not aware of or not - or don't know the source of those files. That are the things that I would recommend doing. 

Dave Bittner: [00:08:00]  Where do you think we're headed with this in terms of our ability to defend against this in the future? Are there any new developments you see coming along? 

Or Katz: [00:08:11]  I would say - well, there are two - well, I would take your question to two places. The first place where I would take it is the fact that we will still continue to be able to see a lot of phishing attacks out there. It's not going to slow down, unfortunately. We can see that the level of sophistication of those attacks is getting much more advanced. The techniques that those threat actors are using much more robust in that sense. And that's something that we need to be aware of. 

Or Katz: [00:08:39]  And the second part, from a technology point of view, I think it's that ability to bound (ph) those things together and have more security around distribution channels that are not just email because a lot of the things that we see out there is the fact that a lot of those phishing are actually being distributed through social networks. Therefore, in order to track those, you need to make sure that you have some visibility into what happened there and you have that ability to detect phishing, even if it's not landing into your organization through email. 

Dave Bittner: [00:09:17]  That's Or Katz from Akamai. 

Dave Bittner: [00:09:20]  SC Magazine says that the U.K.'s Information Commissioner's Office is deferring the large fines for data breaches it imposed last year on British Airways and Marriott International. The extension recognizes the economic stress the COVID-19 pandemic has imposed, especially on the travel industry. It is a deferral and not forgiveness. The companies are expected, eventually, to pay up, and investigations of data breaches in violation of GDPR aren't being closed. 

Dave Bittner: [00:09:50]  Zoom continues to suffer from the pyrrhic commercial triumph the company enjoyed when demand for its teleconferencing services exploded in February and March. It's fixed some security issues. Yahoo says Zoom has added a new security menu in its latest versions, and ZDNet reports that the company has removed meeting IDs from its toolbar. But on balance, it's still been a bad week - what CIO Dive calls a no good, very rotten week. According to Buzzfeed, Google has banned its employees from using the teleconferencing app on grounds of its questionable security. And as the U.S. Congress continues to figure out how it will conduct as much business as possible online, the Senate, at least, is fighting shy of Zoom. Reuters reports that senators are being told not to use Zoom's services. 

Dave Bittner: [00:10:39]  Sophos, yesterday, reported finding what it calls fleeceware in apps sold through iTunes. By their count, there are 30 of them. What counts as fleeceware is something of a judgment call. The applications Sophos singled out charged subscriptions - $30 per month or $9 per week after a three- or seven-day trial period. If someone kept paying that subscription for a year, it would cost $360 dollars or $468, respectively, for an app. Sophos closes with an expression of contempt, suggesting that apps are unlikely to be worth a third to half a grand annually. These rates are high, especially since the apps in question seem, in Sophos's opinion, to offer no real value that can't be found in truly free apps and, therefore, lack that ongoing value to the customer Apple requires subscription products sold in its store to offer. 

Dave Bittner: [00:11:33]  And finally, CISA, we hear, is looking for student interns, and some of the positions are even open to high school students. The application deadline is April 15. If you are interested, go to usajobs.gov and search for CISA. That's C-I-S-A - CISA. 

Dave Bittner: [00:11:58]  And now a word from our sponsor BlackCloak. Oh, come on. It's not like anybody actually needs this anymore. I mean, executives in their personal lives - they're doing great. They all have advanced malware detection on all their devices. They're using dual-factor authentication everywhere. Their home networks are rock-solid secure, and they never, ever use a weak password. As for their families, Little Luke and Leia and their significant other - well, they're pillars in the cybersecurity community. Right? Right? Right? Right? Right? Right? 

0:12:27:(SOUNDBITE OF ALARM RINGING) 

Dave Bittner: [00:12:29]  You're right. I was dreaming there for a minute. The fact is executives and their families are targets. And at home, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cybercontrols, hackers have turned their attention to the executives' home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to protect your executives and their families from hacking, financial loss and private exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show. 

Dave Bittner: [00:13:24]  And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. I wanted to touch today on OODA loops and some thoughts you have there. What do you have for us today? 

Caleb Barlow: [00:13:37]  Well, you know, this brings up another one of my heroes, a guy named Colonel John Boyd, who was a - he was a fighter pilot. And you know, he studied how do people make decisions in a crisis - in this case, in an aircraft in a dogfight. 

Caleb Barlow: [00:13:56]  And interestingly enough, this can be parlayed into cybersecurity and how we think about our decision-making during a crisis event, whether that's something like COVID-19 or a large cybersecurity event. 

Dave Bittner: [00:14:09]  All right. Well, let's dig into some of the details here. What sort of things did you come up with? 

Caleb Barlow: [00:14:14]  Well, you know, I was trying to figure out - when I was working in these large-scale cyber ranges, you would see executives just making really bad decisions, even in simulation, because they couldn't understand that they had to make a decision without having all the data. And at the time, I was working with a guy named Bruce Schneier and - who I'm sure a lot of your listeners know. And Bruce introduced me to this concept called an OODA loop, and it completely changed my perspective on how you make decisions in a crisis. 

Caleb Barlow: [00:14:45]  And it's really simple. It stands for observe, orient, decide and act. And it's a crisis decision-making methodology developed by Colonel John Boyd that recognizes the fact that you're up against a human adversary. And the idea is to think of this in a loop. You need to observe, orient, decide, act and then rinse and repeat the whole process with new information. So you know, think about that fighter pilot that's trying to dodge a missile headed towards them. They observe the missile. They orient to where it is. They decide that, OK, it looks like I should go left. They go left, and they act. And then they go back around to reobserve. OK, where's the missile? Did that work? Did it miss me? No, it didn't work. What's my next action? 

Caleb Barlow: [00:15:26]  Now - OK, that's in the case of a fighter pilot. But if we think about the same thing in terms of cybersecurity, we have to remember there's a human on the other end. They can observe what you're doing. They can orient to your defenses. They can jog around your decisions. And he who wins is the one that moves through their OODA loop the fastest. 

Dave Bittner: [00:15:46]  You know, it's interesting - I have spoken to a lot of folks who have, you know, done time in the military. And that is something I hear over and over again, that - the appreciation that their time and their training in the military gave them the ability to make decisions without having all of the information. 

Caleb Barlow: [00:16:06]  Exactly. So let's talk about a couple of the steps, right? 

Caleb Barlow: [00:16:09]  So parlayed into cyber, if we think about, what do you want to know in the observe stage? Well, what can you learn from these unfolding events? Is there anything that may have changed in your environment? Are there anything you can learn from intel sources - OSINT, dark web, et cetera? Is this normal behavior or anomalous behavior? And can you tell the difference? Are there parts of your environment that you don't have visibility to? 

Caleb Barlow: [00:16:34]  But if you go through a few of those simple questions in the observe stage, then you go on to the orient stage, where you start to think about - what can these intel sources tell you about events as they're unfolding? You know, are there operational realities that you must accept right now? For example, oh, everybody's work from home because it happens to be in the middle of a global pandemic, like we're in the middle of right now. Are there intel sources that can tell you something about your adversary? But then - and I love these two questions - what is the adversary's likely next move? And what is their likely worst course of action? Because as we now move to the decision phase, if you haven't thought of those two things, you don't have a good plan. 

Caleb Barlow: [00:17:20]  Then, Dave, we get to deciding. Like, what are the risks and the likelihood that this is going to work? What are your options? You know, what do your run books tell you - the things you built with that kind of explicit intent versus your implicit intent, which is coming from your executives and kind of their emotions at the moment? And do you have hypotheses? Can you test those hypotheses? And ultimately, this is the hard thing in a lot of organizations - who's responsible for making the decision? 

Caleb Barlow: [00:17:47]  Now, once you decide that, you've got to act. Take that action, but then test it. Come back around and reorient yourself. Did it work? Do I need to try something new? You know, this is the one time in your executive career where it's OK to make a decision and then, 10 minutes later, go, oh, yeah, that was a bad decision; let's try this instead. You know, any other time in your life, that's viewed as weakness. During a crisis response, that's a huge strength. 

Dave Bittner: [00:18:13]  So what are your recommendations for folks to sort of set down this path? If they want to make this a part of their planning, what's the best way to begin? 

Caleb Barlow: [00:18:22]  Well, I think the first thing to do is - you know, these are great tools you can look at and study and kind of come up with ideas. But the first thing to do is write down a plan. And it can be really simple at first. Maybe pick something, you know, simple like ransomware. How are we going to make a decision? Who's going to pay? Can we get a quarter-million dollars by 2 o'clock this afternoon in bitcoin, and how would we do it? Who do we need on our team? How do we communicate with them? You start asking those questions, the next thing you know, you got a 40-page plan together. 

Dave Bittner: [00:18:55]  (Laughter) I laugh at that 40-page plan. But I suppose that - and that's a starting point, and then there's a distillation from there. 

Caleb Barlow: [00:19:01]  Absolutely. And you have to realize that your plan is kind of that warm blanket that you can go back to during an incident when your body is flush with adrenaline, you don't have all the information and you can pull out that plan and go, OK, when I was calm with my team, I wrote this plan. Is there anything I haven't thought of today that's in the plan? You know, what decisions do we make when we're able to look at this calmly? And believe it or not, you always forget things. But if you did a good job writing the plan, it's in there. But the big thing I would encourage people to do - and you know, this is a lot of what we do at my company - is constantly be rewriting the plan. There's a new reality, everybody, which is everybody's working from home. How does that change your plan? Get it updated. 

Dave Bittner: [00:19:46]  All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: [00:19:54]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. It'll also give you fresh breath. Listen for us on your Alexa smart speaker, too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIt, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:26]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.