Dave Bittner: [00:00:04] The U.S. Senate authorizes more COVID-19 small-business relief. A data exposure at the U.S. Small Business Administration. A zero-day disclosure process error bites IBM. A list of the ransomware gangs who maintain leak sites. The CTI League looks like a model for cyber volunteer organizations. The U.S. Senate reports its evaluation on the intelligence community's look at Russian active measures in 2016. Joe Carrigan from JHU on Microsoft zero-days. Our guest is Chris Chiles from OST on what companies need to be considering before implementing 5G. And calls for deterrence amid a converged campaign of disinformation.
Dave Bittner: [00:00:50] And now a word from our sponsor, ExtraHop - securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IOT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As Chief Architect and Information Security Officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest like containers, to empower your change-makers like developers and to enable business accelerators like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:13] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 22, 2020. Yesterday afternoon, the U.S. Senate voted to approve an additional $310 billion in the Small Business Administration's Paycheck Protection Program, the PPP. Fortune reports that the House, which is expected to vote in favor of the measure, could do so as early as tomorrow. The entire stimulus bill is larger than the amount allocated for the PPP. Bloomberg says the package totals $484 billion.
Dave Bittner: [00:02:49] In an incident that isn't directly related to the Paycheck Protection Program but that amounts to bad news for the U.S. Small Business Administration and its clients, the SBA has disclosed that personal information belonging to nearly 8,000 small-business owners who applied for assistance under the agency's Economic Injury Disaster Loan Program appears to have been accidentally exposed. The data involved includes names, Social Security numbers, addresses, birth dates, email addresses, phone numbers, citizenship status and insurance information, according to The Washington Post. Again, this is a distinct and longer-running program from the paycheck protection program. But small businesses affected by COVID-19 shutdowns have also been eligible to apply for assistance under the EIDL.
Dave Bittner: [00:03:38] The CTI League - full name Cyber Threat Intelligence League - is a voluntary group of information security professionals, and they've gained some positive reviews for their work helping organizations, especially hospitals, during the COVID-19 pandemic. Founded just last month on March 14, the CTI League's services are in high demand, CyberScoop says, and the Hill describes the group's activities as a quiet daily war. U.S. Cybersecurity and Infrastructure Security Agency Director Krebs tweeted his appreciation for the CTI League's work during the emergency.
Dave Bittner: [00:04:13] The CTI League's inaugural report says the organization has grown to over 1,400 vetted members in 76 countries from 45 different sectors, including cybersecurity, health care, technology, telecommunications, computer emergency response teams, government and law enforcement. There have long been discussions of the ways in which volunteer organizations might enhance cybersecurity, but the CTI League may afford the first clear example of how one might actually work in practice. It seems closer in conception to earlier models from outside the sector, like the U.S. Civil Air Patrol or the ham operators of the Amateur Radio Relay League.
Dave Bittner: [00:04:54] The U.S. Senate Select Committee on Intelligence reported this week on the U.S. intelligence community's investigation of Russian interference in the 2016 U.S. elections. This volume of the committee's report, the fourth of a projected five, set out to evaluate the credibility of the intelligence community's conclusions and the integrity of its analytical processes. The committee concluded that the intelligence community conducted its investigation properly and that its analysis supported the conclusion that Russia sought to damage the Clinton campaign to the advantage of the Trump campaign.
Dave Bittner: [00:05:29] The intelligence community did not offer recommendations for protecting future elections against foreign influence. But, as the IC people interviewed told the committee, making recommendations like that isn't something the intelligence community is supposed to do. The Washington Post suggests that Congress will have plenty of recommendations of its own before November rolls around.
Dave Bittner: [00:05:51] On Monday, U.S. Senators Blumenthal, Democrat of Connecticut; Cotton, Republican of Arkansas; Warner, Democrat of Virginia; Perdue, Republican of Georgia; and Markey, Democrat of Massachusetts, wrote to CISA Director Krebs and U.S. Cyber Command's General Nakasone, asking that their organizations increase their efforts against cyberthreats that have emerged during the COVID-19 pandemic. They said in their letter, quote, "We write to urge the Cybersecurity and Infrastructure Security Agency, in coordination with United States Cyber Command and its partners, to issue guidance to the health care sector, convene stakeholders, provide technical resources and take necessary measures to deter our adversaries in response to these threats."
Dave Bittner: [00:06:34] The call for deterrence is directed against Russia, China, Iran and North Korea, all of whom the senators say are currently engaged in attacks against health care, public health and research organizations, a particularly threatening target set as the U.S. attempts to contain and recover from the COVID-19 pandemic.
Dave Bittner: [00:06:54] The transition to 5G continues despite the occasional vandalism of 5G tower installations from conspiracy theorists who think it's somehow responsible for the global pandemic. There is more to 5G than just speed. Chris Chiles is from Open Systems Technologies, and he offers insights on what companies need to consider before implementing 5G.
Chris Chiles: [00:07:17] When we're looking at 5G, I think there's additional risks that we need to be considering from a business perspective but also from a consumer protection standpoint because, as I mentioned, we're going to be seeing more data being collected and different types of data. So that means that, you know, it's more than just, you know, customer data at this point. If we're talking about controlling things like driverless cars or health care devices, those are things that could, you know, mean life or death. And if organizations are not thinking about some of those risks at the forefront, then there's, you know, potential for issues down the road.
Dave Bittner: [00:08:02] Can you share with us some specific examples of the types of things that you work on to make sure that message reaches the people who are using these tools?
Chris Chiles: [00:08:12] Yeah, that's a good question. I think the - in terms of the work that we're doing at OST, we're working a lot in digital transformation. So we're working with organizations on kind of both sides of that, organizations who are trying to understand what this whole technology thing is, which I think to a lot of us is a funny thing to think about. But the businesses are - tend to move a little bit slower in that area. So in the - on the other side of it, we're helping businesses who are looking to move faster. Maybe they're a digital-native company.
Chris Chiles: [00:08:47] Like, take Nest, for example. We've worked with them in the past, where - you know, they started as a digital company, and they were looking to improve their product and move faster so that they could keep up with what their customers were looking for. And I think in terms of ways that we're looking at the user interface for those things, it's looking at security from the point of view of the customer. So we're looking at their customers and talking to them to figure out what their concerns are around security and privacy so that we can make better decisions to make them feel more comfortable and have a better system from the forefront, rather than just tacking it on at the end once something major happens.
Dave Bittner: [00:09:37] When you look around the industry today, do you feel as though the message is out that people have gotten the word that these things matter, that the design of these interfaces makes a real difference?
Chris Chiles: [00:09:51] I think we're getting to that point. I would say that we're starting to see - is a move in that direction, where organizations are starting to see the need where they need to care about their customers and they need to understand the impact that they have on their customers. But I think we still have room to go in that area and help organizations see the benefits of that because it's not always something that can easily be tracked on a spreadsheet. It's not as simple as saying, this feature we added to our application has done X for customers. We have to be looking more long term. And a lot of organizations don't think about that until an issue comes up.
Dave Bittner: [00:10:36] That's Chris Chiles from Open Systems Technologies.
Dave Bittner: [00:10:41] A U.S. State Department report describes converging COVID-19 disinformation campaigns. Politico has reviewed a report by the State Department's Global Engagement Center that concludes three governments - those of Russia, China and Iran - are pushing complementary lines of disinformation, most of which contrast Russian, Chinese and Iranian effectiveness with American incompetence and which suggests that the virus itself is an American bioweapon.
Dave Bittner: [00:11:07] The lines of disinformation have both domestic and international audiences, and it seems likely that the convergence is, to a great extent, an opportunistic matter. Iran, China and Russia share a common adversary - the United States - and it's useful to deflect any blame for the crisis in that direction.
Dave Bittner: [00:11:25] The report describes the activity as a convergence, and that was partially confirmed by a comment from a representative of the Global Engagement Center to The Wall Street Journal. Lea Gabrielle, the GEC's special envoy, told The Journal that much of the common messaging did seem to be opportunistic, but she added that there was also some evidence of coordinated action among the three governments. She said, quote, "Russia, China and Iran do have media cooperation agreements, and I think this is important because disinformation narratives are known to originate from official state news sources," end quote.
Dave Bittner: [00:12:01] The Chinese and Russian embassies in Washington didn't respond to The Journal's request for comment, but Iran's mission to the United Nations in New York emailed the paper as follows, quote, "For sure, any disinformation or propaganda on the coronavirus pandemic is emanating from the U.S. administration, not Iran. U.S. media is full of stories of lies and disinformation spread by the administration," end quote. So there you have it, direct from Turtle Bay.
Dave Bittner: [00:12:35] And now a word from our sponsor, KnowBe4. Email is still the No. 1 attack vector the bad guys used, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys, and he also shares a hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick. So check out the 10 incredible ways where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind click-jacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways and watch the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:13:49] And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute - also my co-host over on the "Hacking Humans" podcast. Joe, always great to have you back.
Joe Carrigan: [00:13:59] Hi, Dave.
Dave Bittner: [00:14:01] Interesting story came by - this is from our friends over at Naked Security by Sophos.
Joe Carrigan: [00:14:05] Yup.
Dave Bittner: [00:14:06] And they're covering some Windows zero days here.
Joe Carrigan: [00:14:10] Right.
Dave Bittner: [00:14:11] Let's go through this together. But why don't we start off, just to get everybody up to speed - quick review - what are we talking about when we say a zero day?
Joe Carrigan: [00:14:18] A zero day is a vulnerability that is not generally known to the public, right? So in other words, you have this vulnerability right now, and you have zero days to prepare for it. There was a researcher - I can't remember who it was, so if you - if you're hearing this, let me know who I'm quoting here. But he said, I don't like the term zero day. I would prefer a negative number day exploit because in fact, you don't have zero days. You have actually been exposed to this for some period of time because this vulnerability has always existed in the code since it came out or has - since the code has been updated to whatever version had this vulnerability, that's how long you've had this problem. You just didn't know about it until now.
Dave Bittner: [00:14:58] Right. So the point is when you hear something referred to as a zero day, that means it demands your attention right away.
Joe Carrigan: [00:15:03] It demands your immediate attention. Exactly.
Dave Bittner: [00:15:06] Yeah. So what are we covering here from Sophos with these zero days?
Joe Carrigan: [00:15:09] Well, they're talking about Patch Tuesday, which just happened in April, and Microsoft did not miss it because of the pandemic, which is very good on Microsoft's part. There are a bunch of fixes in this. They're saying that this month's patch updates Windows versions from 7 through 10, and it fixes a cadre of about 113 CVE-level vulnerabilities or flaws, 19 of which are labeled critical. Now, CVE is the Common Vulnerabilities and Exposures. I always get that wrong. I always think it's common vulnerability enumeration for some reason. I don't know why I have that stuck in my head.
Dave Bittner: [00:15:44] (Laughter).
Joe Carrigan: [00:15:45] But it's Common Vulnerabilities and Exposures. It's a list maintained by MITRE of all the different flaws that have been found, and when something is deemed bad enough, it - MITRE issues a CVE number for it.
Dave Bittner: [00:15:58] OK.
Joe Carrigan: [00:15:59] And this particular CVE, 2020-0968, is interesting because Microsoft says they're not seeing it exploited yet in the wild, but the article says it soon will be. And the reason it soon will be exploited is because the bad guys know that not everybody patches on time - right? - or patches in a timely manner. So when they see Patch Tuesday come out, every bad guy in the world goes, get that patch because that patch is going to show us where the vulnerabilities are. And they can look at the patch; they can reverse-engineer the patch, see what Microsoft is changing, and it's - the vulnerabilities will stick out like a sore thumb.
Dave Bittner: [00:16:38] Right, so it's...
Joe Carrigan: [00:16:38] ...Because then they can compare it to the existing code. They know exactly where to look, and they can find it very quickly. Then they can begin exploiting them.
Dave Bittner: [00:16:46] Mmm hmm. There's, like, a road map to the vulnerability.
Joe Carrigan: [00:16:48] Exactly. It's a road map to the vulnerability. So when this patch comes out, your time is very limited. It's kind of the irony of the problem, right? Microsoft has to fix the vulnerability, but in order to fix the vulnerability, they essentially have to tell everybody how the vulnerability works and not - they don't actually tell everybody in plain English, but they have to fix it so it makes it easy for people to find it.
Dave Bittner: [00:17:12] And there's coordination here, right?
Joe Carrigan: [00:17:14] Right.
Dave Bittner: [00:17:14] ...Where they're, like - Microsoft will work up the patch. They'll be alerted privately of the vulnerability, let's say.
Joe Carrigan: [00:17:21] Correct.
Dave Bittner: [00:17:22] They'll work up the patch so that the CVE and the patch can be released at the same time.
Joe Carrigan: [00:17:27] Correct. Yeah. Or MITRE will say, we have a CVE here; we're not releasing any technical details until Microsoft patches.
Dave Bittner: [00:17:35] I see.
Joe Carrigan: [00:17:35] You know, MITRE is - conducts themselves very well. They're a trusted source for these - for this vulnerability tracking. But the other piece of this ecosystem, if you will, is that there are security researchers out there that find these vulnerabilities, and most of them behave ethically as well. So they will call Microsoft's - or get in touch with Microsoft's Bug Bounty Program and say, hey, we have a bug, and it's critical, and we're going to go ahead and give you the information so you can fix it.
Joe Carrigan: [00:18:04] The vast majority of people will work inside that system. There are actually companies out there, like HackerOne or a similar company - that runs their Bug Bounty Program for them. And then when you participate in these bug bounty programs, you're obligated to conduct yourself in an ethical way in order to get compensation for it. But some people will go ahead and do a couple of different things. They will either sell the vulnerability on the black market, which is very bad because they never tell the company that has the vulnerability that it exists, and they're financially motivated not to do so. Or they will just publish it right away.
Dave Bittner: [00:18:46] Now, this is something that's part of your day to day at Johns Hopkins, right? You're part of the team that handles disclosure when some of your students, your professors, the researchers there find things.
Joe Carrigan: [00:18:57] Yes. Yes, I am the vulnerability disclosure coordinator for the Information Security Institute. So if anybody finds a vulnerability, they're supposed to come to me. Some of our cryptographers have relationships, existing relationships with other companies. But yeah, generally, when our students find something, I disclose it. And I will tell you, there are two kinds of companies out there. There are companies that embrace this and are responsive, and then there are companies that are like, hey, what are you doing reverse-engineering our stuff? You can't do that.
Dave Bittner: [00:19:24] (Laughter).
Joe Carrigan: [00:19:24] And they try to get litigious, but it doesn't work. It never works, and it never will work. And companies have to embrace the fact that their software is going to have defects or their hardware is going to have defects, and they need to find ways to fix it.
Dave Bittner: [00:19:38] All right. Well, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:41] It's my pleasure, Dave.
Dave Bittner: [00:19:47] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:20:06] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.