Warnings on healthcare attacks and espionage campaigns. Post-patching issues in VPNs. COVID-19 phishing. Contact tracing, for lungs and minds. Telework notes.
Dave Bittner: [00:00:03] Czech intelligence warns of an impending cyber campaign against hospitals. The U.S. Defense Department alerts contractors that Electric Panda is back and after their data. Secure Pulse (ph) VPN's post-patching issues. Google blocks COVID-19 phishing emails. Apple and Google work on tracing physical contact, but Facebook is tracing contact with misinformation. Johannes Ullrich from the SANS Technology Institute explains exposed RDP servers while we work from home. And our guest is Tia Hopkins from eSentire. She talks STEM and cybersecurity education. Zoom offers some fixes, gets banned in India and receives a mash note from Larry Ellison. And notes on HIPAA and CMMC.
Dave Bittner: [00:00:51] And now a word from our sponsor, ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:14] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 17, 2020.
Dave Bittner: [00:02:23] The Czech cybersecurity agency NUKIB told its allies yesterday, according to Reuters, that it expects a major campaign against hospitals to begin soon, possibly as early as today. It's expected to be a destructive attack. Quote, "the information we have available has led us to a reasonable fear of a real threat of serious cyberattacks on major targets in the Czech Republic, especially on health care systems," NUKIB said. It's not clear who's behind the attack, and it seems that Czech authorities are unsure of the attribution themselves, but officials speaking on background told Reuters that it was a serious and advanced adversary. Battlespace preparation in the form of a spear-phishing campaign has been in progress for several weeks.
Dave Bittner: [00:03:09] Politico reports that the U.S. Defense Counterintelligence and Security Agency this week warned contractors in a bulletin that it had detected renewed activity by the Chinese government's Electric Panda group. The memorandum Politico obtained said that nearly 600 inbound and outbound connections from highly likely Electric Panda cyber threat actors targeting 38 cleared contractor facilities, including those specializing in health care technology, had been detected since the beginning of February. Electric Panda has been active since 2016, at least, and its interest in health care technology seems to represent a shift driven by the current pandemic. A similar shift in interest has been observed in Electric Panda's sister threat group, Pirate Panda. But in that case, it's a shift in phishbait, not in targeting.
Dave Bittner: [00:03:59] CISA warns that the Pulse Secure virtual private network remains vulnerable to certain forms of exploitation even after its most recent patch has been applied. The vulnerability the patch addressed, CVE-2019-11510, is an arbitrary file reading issue. CISA includes in its advisory a tool to detect indicators of compromise and suggestions for mitigating risk of exploitation. Japan's CERT has issued similar warnings. The problem, ZDNet explains, is that attackers were able to exploit the vulnerability to extract Active Directory credentials, and they've since used these to get into organizations' internal networks even after patches have been applied.
Dave Bittner: [00:04:43] VentureBeat reports that Google is blocking some 18 million malicious coronavirus-themed emails daily. The company explained in its Google Cloud Blog the measures it's put in place to help secure Gmail users during the current pandemic. The company's Advanced Protection Program has been adjusted to adapt to the new style of threat, and G Suite's phishing and malware controls are enabled by default.
Dave Bittner: [00:05:06] Google's own explanations of how to combat phishing emphasize training and education as much as they do technical filtering. It's unreasonable to expect technical filtering, no matter how advanced, to fully cope with social engineering. That threat plays on peoples' beliefs and desires. The threat actors are after figurative hearts and literal minds, after all. Email is just the avenue of approach.
Dave Bittner: [00:05:30] Apple and Google are proceeding with their work on technology for contact tracing - and ESET has a quick overview of how Apple's Mobility Trends Reports are working out - but their system, designed in the first instance for U.S. domestic use, may have difficulty attracting enough opt-ins to be effective. A report from the Sinclair Broadcasting (ph) Group quotes experts who doubt that Americans are likely to sign on in sufficient numbers to attain the 75% threshold generally thought to be the point at which such contact-tracing tools become valuable. The perception that people generally have become skeptical about Big Tech's privacy record seems to contribute to the pessimistic conclusion.
Dave Bittner: [00:06:10] Facebook yesterday announced its intention to introduce a kind of misinformational contact tracing. It will be coupled with a kind of online rumor control Facebook is calling Get the Facts and by the introduction of some straight dope about the virus in the news feeds of users who've interacted with dubious content. It will work like this - quote, "we're going to start showing messages in news feed to people who have liked, reacted or commented on harmful misinformation about COVID-19 that we have since removed. These messages will connect people to COVID-19 myths debunked by the WHO, including ones we've removed from our platform for leading to imminent physical harm. We want to connect people who may have interacted with harmful misinformation about the virus with the truth from authoritative sources in case they see or hear these claims again off of Facebook. People will start seeing these messages in the coming weeks," end quote.
Dave Bittner: [00:07:05] The system depends upon Facebook's large troupe of fact-checkers, and it's unavoidably a time-consuming process to execute at scale. A study by the content moderation-friendly advocacy group Avaaz generally had good things to say about Facebook's work against misinformation but found it took about 22 days, on the average, for correction to catch up with suspect reporting.
Dave Bittner: [00:07:28] The new security measures and processes teleconferencing company Zoom has introduced seem to be drawing good reviews, as far as they go. There's one new feature that BleepingComputer describes that will enable users to report Zoombombing. But as SecurityWeek points out, Zoom hasn't convinced all users. The government of India has joined those who've banned Zoom from their remote meetings.
Dave Bittner: [00:07:50] A new problem has also surfaced for Zoom. CNET writes that a researcher found a vulnerability that could allow Zoom videos to persist in the cloud even after the users had deleted them.
Dave Bittner: [00:08:01] Zoom did receive a strong note of confidence from the IT sector, however. CRN reports that Oracle's Larry Ellison, more often known for his critical takes on other companies than for sending them fan letters, called Zoom an essential service for Oracle.
Dave Bittner: [00:08:17] And, finally, we have two quick notes on U.S. privacy and cybersecurity law and policy during the pandemic emergency.
Dave Bittner: [00:08:24] An op-ed in Law360 cautions against assuming that the privacy protections in HIPAA, the Health Insurance Portability and Accountability Act of 1996, somehow go away during a public health emergency. They don't. Prudent organizations will lawyer up before they get too frisky with health care data, no matter how public-spirited their mood and motives may be.
Dave Bittner: [00:08:47] And the Department of Defense has been telling contractors that the Cybersecurity Maturity Model Certification - CMMC - program would not be delayed by the pandemic. That may be true insofar as the policy's effective date is concerned. But the CMMC audits themselves will probably, in fact, be delayed. FCW reports that Katie Arrington, CISO at the Office of the Undersecretary of Defense for Acquisition, who had been prominent among those who said the program would become effective as scheduled, said yesterday that the first audits could be delayed for up to a month. FCW goes on to say that, quote, "Arrington suggested that auditors would wear masks and employ social distancing practices to complete their duties, and that company representatives present during the audit would respect each other's personal space." So should we all.
Dave Bittner: [00:09:42] Hey, everybody. Dave here. And I want to tell you about CyberWire's new subscription program, CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great, and something my entire organization can benefit from. We think so too. With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape, save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia too. To learn more, visit thecyberwire.com/pro and click on the contact us link in the Enterprise box. That's thecyberwire.com/pro, and then click Contact us in the Enterprise box. And we will help you become that office hero.
Dave Bittner: [00:10:48] My guest today is Tia Hopkins. She’s Vice President of Global Solutions Engineering at eSentire. Our conversation focuses on her insights with regard to the important STEM in education, and preparing that next generation for success in the field.
Tia Hopkins: [00:11:05] From an educational perspective, I think more applied versus theoretical education would be helpful. And then on the other side of that, just getting more folks interested in the field and feeling comfortable with their ability to succeed. I know a lot of STEM focuses on coding, but cybersecurity itself doesn't necessarily have to start there. You know, personally, my background is in networking, spoken to individuals who have very strong background in endpoint security and things like that. And all of those things really don't touch on coding at all.
Dave Bittner: [00:11:37] Yeah, it's interesting to me. I've heard more and more people saying that they're looking to folks who have specialties in other disciplines, things like music, you know, because there's the ability to collaborate, the ability to solve problems, to think through things in real-time. All of those skills can be applied to the needs we have in cybersecurity.
Tia Hopkins: [00:11:58] That's an interesting one. Music specifically, I've not heard that one, but I do agree with it in theory that it does require more than just, you know, the ability to think technically, right? In order to be able to thwart a hacker, you have to be able to think like a hacker. And hackers are very creative. And sometimes that isn't technically driven. You know, if you think about social engineering, that has really not a lot of - it doesn't have a lot of technical requirements. I'll phrase it that way. You know, you could just have a great personality and get people to want to open up to you, and you can pretty much get anything you want, right? So that's one angle of it. But definitely being able to think outside the box, your point to collaboration and just being creative in general, yeah, all critical to being successful in this field.
Dave Bittner: [00:12:46] What about opening up that pipeline from the get-go, those those young students coming up, to let them know that there is a possibility for them in this field. I'm thinking specifically of young women coming up who may not feel encouraged along the way.
Tia Hopkins: [00:13:04] I agree with that 100%. I mean, in general, I think we could do a bit better at shining a light on cybersecurity as an opportunity. You know, STEM is pretty broad. You know, it's technical, it's non-technical. You know, you have engineers out there and that's technical, but it's not necessarily technology related in the way of, you know, something like cybersecurity or DevOps or something like that. So I think I'm unpacking STEM a bit would be helpful, but definitely introducing these things to an audience at a younger age, specifically girls, and helping young ladies and young girls understand that, one, they can be successful in technology.
Tia Hopkins: [00:13:44] And specific to cybersecurity, again, back to my point, it's not all around, you know, coding because you see a lot of programs like, you know, Girls Who Code and coding camps and things like that. And that's great. But I find that that can lead to girls feeling like, if they don't start there or if they don't have a mind for coding or there's not something that they're interested in, maybe STEM is not for them. So just overall a better job of representation of what the possibilities are and having conversations with young girls like, hey, what do you like to do every day? How does - how do you think your brain works? What do you think you would enjoy doing as a career? And kind of working backwards from there and figuring out the things that may or may not align to the types of personalities of these young girls that we're talking to, rather than, you know, maybe making them feel like they have to fit into a box, whether that's on purpose or not.
Dave Bittner: [00:14:33] What about from the other direction, the folks who are doing the hiring in organizations? Do you have any suggestions for them to make sure that they're looking at a broad range of folks for these jobs?
Tia Hopkins: [00:14:47] I personally, you know, I'm a hiring manager. So when I speak to my recruiters, I push on them to bring me, you know, diverse applicants. You know, wherever you've been typically fishing, go somewhere else. You know, I reach out to my personal networks, professional networks. I'm involved in a lot of organizations that are driving more women toward technology in general and organizations that are, you know, trying to drive more women towards cybersecurity. The challenge is, you know, as wide as we try to cast that net, there's just not a lot of applicants coming through. And I don't know if that's a lack of interest, a lack of perceived ability to be successful.
Tia Hopkins: [00:15:25] And that all goes back to my point of representation. I think we need more women specifically that are successful in the field to show themselves and encourage women and say, yeah, you can be successful here. And here's what my journey looks like. And it wasn't pretty, but here I am today. And it's OK to fall. And, you know, all those things that make it real and relatable for women.
Dave Bittner: [00:15:47] Yeah. I mean, you touch on that notion of mentorship, which I think is so critical. How do you do that yourself? What sort of things have you done along the way to make sure you're being a mentor to folks who might need that little extra boost?
Tia Hopkins: [00:16:02] Sure. So I am a member of a number of organizations as a mentor. So I'm a career mentor with Cybrary. I'm a mentor with Built By Girls. I'm a member of a minority-focused cybersecurity consortium, and they have a specific focus on mentoring women as well. So I do some, I guess you'd say, organized mentorships through programs. But just based on, you know, the things that I'm doing like posting on social media and doing interviews like this, I have a lot of individuals that reach out to me with questions and ask for, you know, my feedback on what they should be looking into, types of schools that they should be going to as well.
Tia Hopkins: [00:16:41] So just outside doing, you know, more organized mentorship, I try to make myself as available as possible because part of the challenge with knowing what to do or where to go is just, you know, being confident that you're taking the right path. You know, it could be difficult to navigate such a broad field. Even when you break technology down into the cybersecurity space, there's lots of different paths that you could go. You know, it's not cheap to get education or certification. So people want to make sure they're doing the right thing. So I always try to make myself available to give my feedback based on my personal experience and research, of course, 'cause everyone's story is going to be different.
Dave Bittner: [00:17:18] Our thanks to Tia Hopkins from eSentire for joining us.
Dave Bittner: [00:17:22] And now a word from our sponsor, BlackCloak. Oh, come on. It's not like anybody actually needs this anymore. I mean, executives and their personal lives? They're doing great. They all have advanced malware detection on all their devices. They're using dual-factor authentication everywhere. Their home networks are rock-solid secure, and they never ever use a weak password. As for their families, little Luke and Leia and their significant other? They're pillars in the cybersecurity community, right? Right? Right? Right? You're right. I was dreaming there for a minute. The fact is executives and their families are targets, and at home, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars worth of cyber controls, hackers have turned their attention to the executive's home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to protect your executives and their families from hacking, financial loss and private exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: [00:18:50] And joining me once again is your Johannes Ullrich He's the dean of research at the SANS technology institute. He's also host of the ISC Stormcast podcast. Johannes, it's always great to have you back. We wanted to touch today on some issues that you all are tracking here when it comes to this newly expanded work-from-home situation and RDP servers. What are you all tracking here?
Johannes Ullrich: [00:19:13] Yeah. So, you know, everybody has now to work from home, has to administer their systems from home. And a lot of companies apparently, you know, weren't quite ready for this. And, of course, at this point, it's also kind of difficult, for example, to quickly buy, like, you know, a VPN server or anything like that. Now, at the end of March, Shodan released a report where they noted that the number of RDP servers that are exposed to the internet increased. They had to revise this a little bit, but still, the final result was, yes, the number increased. No real surprise here because it's a little bit cheap and easy way to expose your system for remote administration.
Johannes Ullrich: [00:19:59] Problem with RDP, of course, is it's also one of the top targets that the bad guys are scanning for. We are monitoring with our DShield sensor net for sort of what the bad guys are scanning for. And RDP is always sort of in the top 10 of the ports being scanned. So I went back a little bit and checked, did this increase as well? And what we noted was that, in March, the bad guys were spending quite a bit more resources scanning for RDP. Like, it's noisy data because RDP's always so busy, but certainly something that is notable.
Dave Bittner: [00:20:39] And, of course, RDP stands for Remote Desktop Protocol. What are some of the recommendations you have then if folks - I mean, this is a necessity. People find themselves in this situation, what are some of the basics for making sure they're doing it right?
Johannes Ullrich: [00:20:55] Yeah. So the No. 1 way how these RDP services are being attacked is weak passwords. So definitely, you know, make sure you set up a strong password. Secondly, there have been a number of vulnerabilities in RDP over the years. And so definitely, you know, make sure that the systems that you are exposing are up to date. If possible, if you have some kind of firewall and such in front of these RDP servers, make sure that you limit the IP addresses that they can be accessed from them. This, of course, can be a little bit tricky in the work-from-home situation where you may not necessarily have, like, a static IP address at home.
Johannes Ullrich: [00:21:38] But maybe you can limit it to like a couple of subnets that your ISP tends to use. If you have a couple of administrators, maybe, you know, set up each administrators home IP address and hope you don't all change the same day. So there are a couple sort of workarounds. I'm talking about a little dirty tricks kind of because apparently you can't really do too much. Of course, the problem is at this point, you are already working from home, so the last thing you probably want to have happen is sort of lose access to these RDP servers while you're making these changes.
Dave Bittner: [00:22:12] Yeah. What part in all of this could a VPN play? Where does that fit into this?
Johannes Ullrich: [00:22:17] Yeah. Like, a VPN is certainly, you know, the best way to solve this problem, where you set up VPN access to your network. You authenticate to the VPN. Let's hope you're using strong authentication there as well. And then via the VPN, you're connecting to these RDP servers. Problem with VPNs, of course, is they take a little bit of time to set up. They may need you to buy some equipment, depending on what you already have.
Johannes Ullrich: [00:22:44] One issue we have actually seen is that companies sort of run out of bandwidth on their VPNs. And also ports. Like, the problem is if everybody works off a subnet to the VPN, you now don't really have the IP addresses you need for the VPN. And then you're dealing, like, with fairly large NAT issues. In particular, if you're using like cloud service, let's say Office 365 and such through this VPN, the problem then is that for each user, you need about 100 or so ports. So you very easily actually run out of TCP ports there.
Johannes Ullrich: [00:23:23] Again, we were talking about dirty solutions here in the end, but you may want to set up things where maybe the Office 365 traffic is not routed through the VPN. You hope that HTTPS and so does its job. But there are no great solutions if you have to do it, you know, very quickly. That's the thing. That's something you probably should have planned a little bit ahead of time.
Dave Bittner: [00:23:45] Right. Right. There's that old saying about hindsight, right?
Johannes Ullrich: [00:23:48] Yeah, like late January, we actually published a little blog post about how to get ready for the upcoming pandemic. It had not really gotten a lot of traction back in January, but that would have been the time kind of...
Dave Bittner: [00:24:01] Yeah. Interesting. Right. Right. All right. Well, Johannes Ullrich, thanks for joining us.
Dave Bittner: [00:24:09] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:24:27] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:38] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Dave Bittner: [00:24:47] Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yellin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here next week.