DPRK leadership crisis? Probably not. Economic espionage in the oil patch. COVID-19 relief fraud. US Supreme Court will take up CFAA. Virtual proctoring.
Dave Bittner: [00:00:04] Fears about North Korean instability can wait until it's determined that there's actually instability. An economic espionage campaign targeted the oil and gas sector. Much phishing surrounds government COVID-19 economic relief programs around the world. The U.S. Supreme Court will hear a case involving the Computer Fraud and Abuse Act. Ben Yelin on facial recognition software in a world of medical masks. Our guest is Gonda Lamberink from UL on making product security transparent and accessible to consumers. And if you're studying from home, don't cheat - and a teacher, maybe don't spy.
Dave Bittner: [00:00:46] And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:10] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 21, 2020.
Dave Bittner: [00:02:19] Reports that North Korean leader Kim Jong Un is in serious condition as he recovers from heart surgery have been circulating, NBC News reports, but they report this cautiously and with reservations. If true, instability in the DPRK could be expected to be accompanied by cyber operations and perhaps a spike in cybercrime, as Military Times suggests and that anyone betting on form would expect. But the news from the peninsula seems to be that Kim isn't in extremis, isn't at death's door and is, in fact, working. Yonhap summarizes the evidence that things north of the 38th parallel are pretty much as they have been in recent months - as normal as they ever get in that neck of the woods.
Dave Bittner: [00:03:04] The bottom has fallen out of oil prices, with futures actually trading in negative ranges. And The Register describes a spear-phishing campaign apparently designed to install the information-stealing Agent Tesla. The phishing emails impersonated ENPPI, the Engineering for Petroleum & Process Industries, a well-known contractor in oil and gas production. Researchers at BitDefender discovered and tracked the campaign, which actually antedates the conclusion of a meeting among OPEC and the Group of 20 that resulted in an agreement to cut oil production and stabilize prices. It's unknown who's behind the campaign of apparent economic espionage.
Dave Bittner: [00:03:45] The U.K.'s National Cyber Security Centre is urging people to report the COVID-19-related scam emails they've received. The agency has established an online reporting portal to make the process simpler and more convenient. The NCSC has, according to ZDNet, taken down more than 2,000 online scams related to the pandemic, including 471 fake online shops selling fraudulent coronavirus-related items, 555 malware distribution sites, 200 phishing sites and 832 advance fee frauds. Advance fee frauds, it's worth recalling, are a venerable email scam, long famous as the Nigerian prince scam. The versions presently circulating promise a large payment in exchange for a small but nonnegligible setup fee. The occasion of the offer is some bogus bit of nonsense about COVID-19 designed to render the mark willing to part with some cash in exchange for a big score down the road. It's not an investment scam, where one might buy real estate in a nonexistent country, a sure-thing penny stock being pumped and dumped, the Brooklyn Bridge or shares in a heroic statue. Rather, the advance fee scam presents itself as the first stage in a transaction with the victim. The scammers say they need to move money and are willing to pay a service fee for the victim's assistance. They may simply say that grace has moved their hearts to generosity toward the victim. But, of course, even the operations of grace require the recipient to establish some financial infrastructure. It's, of course, a bad deal and worse theology. The current run of advance fee scams play upon COVID-19 news. One might think no one would fall for them, but people do.
Dave Bittner: [00:05:30] The Australian Cyber Security Centre's regular threat update, COVID-19 malicious cyberactivity, outlines a set of problems similar to those seen in the U.K. and elsewhere. Since March 10, ACSC has received roughly two reports a day of Australians losing money to coronavirus-themed online scams and note that these are actual losses, not mere attempts. With their private sector partners, including Google and Microsoft, ACSC has disrupted more than 150 COVID-19-themed websites that had been engaged in malicious activity.
Dave Bittner: [00:06:05] UL has a history spanning over 125 years as a safety testing and analysis organization. They've recently set their sights on IoT devices, aiming at providing clarity for consumers with the UL Verified Mark. Gonda Lamberink is senior business development manager, Global, Identity Management & Security from UL.
Gonda Lamberink: [00:06:27] So UL is focusing on various IoT verticals or ecosystems for cybersecurity purposes. And even though there's a few security standards and evaluation options out there, there wasn't something that was a good fit for consumer IoT or also portions of commercial IoT yet. And the IoT Security Rating is meant to fill a void that existed for a baseline security assessment. And this is in line with also some of the regulatory developments calling out connected devices and that they should have reasonable security features, such as the California Senate Bill 327. So the IoT Security Rating assesses products for their security features, incorporating industry best practices and then gives them a rating, where there's multiple levels that a product can obtain from levels bronze up till diamond.
Dave Bittner: [00:07:28] All right. Well, take us through some of the specifics here. How do - how would companies go about implementing it, getting evaluated and so on?
Gonda Lamberink: [00:07:37] Yeah. So we have incorporated best practices and requirements in line with leading industry and policy guideline documents. We've also written, for example, a blog post on how the IoT Security Rating requirements compare to requirements covered in, for example, the NIST guideline NISTIR 8259 or, in the U.S., the C2 Consensus, which is an industry consensus on baseline security led by the Consumer Technology Association and the Council to Secure the Digital Economy, and some other leading guidelines. So starting point is, I think, to look at all those documents and then look at the IoT Security Rating, understand the requirements that it covers. We've published those requirements in a document called the UL Marketing Claim Validation 1376 - yeah.
Gonda Lamberink: [00:08:33] With a bit of an understanding of the requirements, start preparing for an assessment, which we cover in two flavors - a lighter-weight assessment that can result in a bronze or silver rating or a full assessment to a majority of the IoT Security Rating requirements where the resulting rating is levels gold and higher, so levels gold, platinum or diamond.
Dave Bittner: [00:08:59] And is there going to be an accompanying educational campaign to get the word out with consumers themselves?
Gonda Lamberink: [00:09:06] Yeah. So we see a good opportunity for collaboration with industry there, with individual manufacturers that work with us on the IoT Security Rating. We invest in co-marketing effort together with them to get the word out. We also see a potential role for retailers here if they can start promoting this label in their retail environments, and then, hopefully, also more direct outreach to consumers, but probably as part of collaborative effort with our customers
Dave Bittner: [00:09:34] That's Gonda Lamberink from UL.
Dave Bittner: [00:09:38] The U.K.'s coronavirus job retention scheme is also being used as bait by criminals prospecting individual victims. Less than 24 hours after the program opened yesterday, Computer Weekly reports, bogus emails sporting Her Majesty's Revenue and Customs branding and claiming to be from HMRC chief executive Jim Harra were already hitting inboxes. Demand for relief under the scheme is expected to be heavy, Computing says, and that will lend urgency to the scams, as well as tend to reduce the victim's skepticism and resistance.
Dave Bittner: [00:10:12] Reuters reports that the U.S. Supreme Court has agreed to hear a case that has the potential to limit the scope of the Computer Fraud and Abuse Act. The law prohibits accessing a computer without authorization or exceeding your authorized level of access. The appellant, a former police officer in the U.S. state of Georgia, claims he was authorized to access the information that he obtained. His motive was assisting an acquaintance of his who offered the police officer $6,000 to run a license plate to see if an exotic dancer was, in fact, really an undercover cop. He was asking for a friend, as it were. And that motive, he claims, is irrelevant. He was still authorized to run a plate.
Dave Bittner: [00:10:54] ZDNet reports that students and universities find themselves in conflict over university plans to install remote monitoring tools onto students' devices, the better to detect and deter academic dishonesty. The specific software package is Proctorio. Universities are concerned about cheating during exams administered online. Students resent the invasion of privacy, and some of them - not you, the student who's listening to this, of course, but other students, bad students - no doubt resist proctoring that would make it harder to cheat, copy, plagiarize and so on. The university's concerns about cheating are reasonable, but so is students' irritation with this kind of dean of student-ish hovering that no one likes. The center of the dispute, for now, is The Australian National University, but you can expect it to surface elsewhere. It's a classic apparent conflict of rights and duties. Discuss. And class dismissed.
Dave Bittner: [00:11:58] And now a word from our sponsor KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways, where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways and watch the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:13:11] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, good to speak with you.
Ben Yelin: [00:13:22] Good to be with you, Dave.
Dave Bittner: [00:13:24] You know, I was out and about, taking a walk, getting outside recently. And being the good citizen that I am, I was wearing a mask to cover my face to help protect myself and others, as...
Ben Yelin: [00:13:37] The CDC appreciates you, Dave.
Dave Bittner: [00:13:40] (Laughter) But one thing - a side effect of this was that from time to time, I would try to look at my phone. And my Face ID on my iOS device would not let me in. It was not at all amused at the fact that I was wearing a mask. That reminded me of this article that I saw come by. It's a long way to get there, but article in Ars Technica written by Kate Cox. And it's about some shirts that can hide you from cameras and this notion that we may be able to hide ourselves from facial recognition software. What's going on here?
Ben Yelin: [00:14:17] So facial recognition is generally very good at what it does. This article talks about that in China, for example, the facial recognition software they use there has been trained to identify people who are wearing medical masks. So perhaps that would've solved your issue of not being recognizable...
Dave Bittner: [00:14:35] Maybe there will be an update.
Ben Yelin: [00:14:37] ...On your device. But unlike human beings, according to this article, you can trick the facial recognition software. If you sort of bombard the software with very confusing, incongruous images that, you know, throw off the learning capability of this artificial intelligence, then you can cloak yourself. In order to do so, you have to wear probably one of the silliest shirts I've ever seen.
Dave Bittner: [00:15:07] (Laughter) And I've seen you in person, Ben. And you're not someone who's afraid of silly shirts, so...
Ben Yelin: [00:15:11] I'm not, no.
Dave Bittner: [00:15:13] (Laughter).
Ben Yelin: [00:15:14] I wouldn't call myself a fashionista. But I'd probably rather expose my identity to all 7 billion people in the world than wear this shirt. And I don't mean that literally.
Dave Bittner: [00:15:25] (Laughter).
Ben Yelin: [00:15:26] But they do have a picture of it in this article, and they call it a bright adversarial pattern. It looks like the craziest Christmas sweater you've ever worn.
Dave Bittner: [00:15:37] (Laughter) OK.
Ben Yelin: [00:15:40] I think the author jokes that you could probably see this from space. But...
Dave Bittner: [00:15:43] (Laughter).
Ben Yelin: [00:15:43] ...It does render the wearer of this shirt or sweater invisible to the software looking at this person. So the question is, you know, are people concerned enough about privacy in the age of facial recognition that they'd wear these sort of cloaks?
Dave Bittner: [00:16:01] Yeah.
Ben Yelin: [00:16:01] Because now we know that that technology exists. Humans created the facial recognition software, and humans have figured out a way to provide a cloak to it.
Dave Bittner: [00:16:11] Are you drawing attention to yourself just by wearing something like this? Is that enough to put yourself under suspicion?
Ben Yelin: [00:16:21] Absolutely. I mean, if I saw a person wearing this sweater out in public, I would stare at them for several minutes just to figure out what in the world was going on.
Dave Bittner: [00:16:30] Yeah.
Ben Yelin: [00:16:32] So it's sort of a conundrum. To make yourself invisible in the world of facial recognition, you need to wear this very colorful, silly shirt. But that makes you far more visible in the physical world and in public. And that's why I think, you know, even though the technology exists, we're not seeing people go out in public with shirts designed to confuse facial recognition systems or any type of similar software.
Dave Bittner: [00:16:58] From a policy point of view, could you be running afoul of any law or anything by doing this?
Ben Yelin: [00:17:05] Not the way I read it. There's no law preventing you from, you know, providing yourself an invisible cloak in responding to any sort of facial recognition or similar software.
Dave Bittner: [00:17:17] Right. Over on the "Caveat" podcast, you and I have talked about - we've gotten feedback from listeners that there are some places who have prohibitions against masks, for example. But this would not be that.
Ben Yelin: [00:17:28] This isn't that. And to somebody who knew nothing about facial recognition or, you know, any type of artificial intelligence, this would seem to just be a silly shirt. So unless law enforcement were explicitly trained to find these types of shirts, which once you create many of them, it would be hard for them to identify which ones are invisibility cloaks, then I don't even think there's a way of enforcing it. And then you have, you know, potential First Amendment issues of expression, you know, policing what people wear in public as a law enforcement matter. It could get you into some sticky areas. So I don't see a law or a policy that would prohibit somebody from wearing one of these invisibility cloaks.
Dave Bittner: [00:18:08] Yeah.
Ben Yelin: [00:18:08] Now, if it becomes enough of a problem that law enforcement isn't able to do its work because we get to a point where most shirts are manufactured to evade this type of technology, then that's where, you know, Congress could step in and - or, you know, a state legislature could step in and make policy banning this type of shirt. But as we've talked about on this podcast and on the "Caveat" podcast, the law and the policymaking is always behind the technology. And because the technology is so new, I don't expect that's something that we're going to come across in the legal world for a long time.
Dave Bittner: [00:18:43] Yeah. I almost wonder if something like this could be sort of a badge of honor of someone, for people in the know to say, hey, look at me. You know, I'm sticking it to the man. Nobody's going to track me. And folks who are aware of it would be able to kind of - you know, it would sort of be like a code word when you're out in public. You know, you give a knowing...
Ben Yelin: [00:19:01] A wink to someone.
Dave Bittner: [00:19:01] ...Nod to someone as you...
Ben Yelin: [00:19:03] Yeah.
Dave Bittner: [00:19:04] ...Pass each other with your colorful shirts on (laughter).
Ben Yelin: [00:19:08] Yeah. It's sort of like being in the world's nerdiest gang, you know?
Dave Bittner: [00:19:13] (Laughter).
Ben Yelin: [00:19:13] It's like you recognize the oddly blotted color scheme, and you're like...
Dave Bittner: [00:19:17] Right, right.
Ben Yelin: [00:19:18] ...I see what you're doing here, bud.
Dave Bittner: [00:19:20] Right, right.
Ben Yelin: [00:19:20] You've done your research.
Dave Bittner: [00:19:21] You recognize each other.
Ben Yelin: [00:19:23] Yeah. You've done your research into invisibility cloaks for...
Dave Bittner: [00:19:26] Right.
Ben Yelin: [00:19:27] ...Artificial intelligence. You're one of those people.
Dave Bittner: [00:19:29] Right.
Ben Yelin: [00:19:30] But, yeah, I could definitely see that happening.
Dave Bittner: [00:19:33] (Laughter) All right. Well, it's interesting research. Again, the story's in Ars Technica. Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:40] Thank you.
Dave Bittner: [00:19:46] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:20:04] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:16] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.