Dave Bittner: [00:00:05] Shade ransomware operators close down, or so they say. A U.S. pharmaceutical company is the victim of CLOP ransomware. And a Chinese medical research firm is breached by cybercriminals. Centralized versus decentralized approaches to contact tracing. A GDPR assistance site proves leaky. Disinformation breeds misinformation, which breeds folly that brings misery. Ben Yelin tracks responses to the EARN IT Act. Our guest is Katie Arrington, CISO for assistant secretary for defense acquisition on the Cybersecurity Maturity Model Certification. And Mr. Kim seems to be (imitating Baltimore accent) chilling downy ocean.
Dave Bittner: [00:00:48] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:15] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 28, 2020.
Dave Bittner: [00:02:24] The operators of the Shade ransomware, also known as Troldesh, say they've closed up shop and that they regret the harm they've done. As an earnest of their good faith, they've released, ZDNet reports, 750,000 decryption keys and expressed the hope that their victims might use the keys to recover some of their data. Researchers at Kaspersky have looked at the keys and said that they're genuine. Why the gang behind Shade, one of the oldest if not the most consistently successful ransomware strains, decided to shutter operations is unclear. BleepingComputer points out that Shade, unlike many gangs, didn't shun Russian or Ukrainian targets and, in fact, was most active in those two countries. One always suspects that feeling the hot breath of the law on your neck is a more effective goad than the promptings of a troubled conscience. On the other hand, if that's the case, why bother releasing the keys?
Dave Bittner: [00:03:23] In another ransomware incident, pharmaceutical company ExecuPharm has disclosed that it was the victim of a ransomware attack in March. The attackers compromised and encrypted personal data belonging to employees of ExecuPharm, as well as information concerning employees of Parexel that was also maintained on ExecuPharm servers. TechCrunch confirmed that CLOP ransomware was specifically involved. No decryptors are yet available for CLOP, and the gang has begun to publish the stolen data on a dark website.
Dave Bittner: [00:03:55] HackRead reports that security firm Cyble says it's found evidence that the biomedical company Huiying Medical has been hacked and that some of its stolen data are now for sale in the dark web. Cyble's report says that a threat actor going by the name THE0TIME, whose claims Cyble deems credible, is asking four bitcoin for Huiying data. The stolen information is said to include users, technology and knowledge for COVID-19 experiments information. Huiying Medical gained a degree of fame or notoriety for its strong claims reported by VentureBeat and others that it has a method of using CT scans to detect COVID-19 infections and that their technology has a 97% accuracy rate. The U.S. Centers for Disease Control and Prevention recommend against using either CT scans or X-rays for COVID-19 diagnosis, as do radiological professional organizations in Canada, New Zealand, the U.S. and Australia.
Dave Bittner: [00:04:57] Apple and Google are rolling out their decentralized contact tracing app, and it's found favor in some places, Germany among them. Britain's National Health Service will not be using it, however. The NHS is pursuing its own system that will also use Bluetooth Low Energy signals as a proxy for close approaches to possible sources of infection, but the BBC says NHS wants the data centralized - the better to adapt them to closer management of the pandemic. According to the New Statesman, the British health agency has brought in U.S. big data company Palantir to help them develop their preferred alternative.
Dave Bittner: [00:05:35] Gdpr.eu, a Proton-run site co-funded by the European Union that offers pointers about GDPR compliance, was found by Pen Test Partners to be leaking data. It is now secured. It was a .git repository.
Dave Bittner: [00:05:51] If your work touches the federal government sector, you should be well aware of the Cybersecurity Maturity Model Certification, the CMMC. Katie Arrington is CISO for assistant secretary for defense acquisition at the U.S. Department of Defense.
Katie Arrington: [00:06:07] Cumulatively, we're losing about $600 billion a year in the U.S. to cyber-espionage - IP loss and straight up cyber-espionage. And so we knew we had to do something different. And we had - in 2014, President Obama signed in Special Publication 800-171 R1. And it was directed that all Department of Defense contracts that had CUI, controlled unclassified information, had to be attesting to doing these 110 controls in that NIST guideline. And so we just needed a way to create - you know, get companies, A, prepared for the data that they'd be receiving, and to have an auditable, trackable way to do that, understanding the resourcing within the DOD. So we understood clearly that this needed to be outside the government, something that companies - much like an ISO certification. And we could then make sure that everybody had the critical thinking skills behind cyber that are needed to defend themselves in this industrial age.
Dave Bittner: [00:07:12] And where do we stand today when it comes to the rollout?
Katie Arrington: [00:07:16] So the rollout - we put the model out in January 2020. The accreditation body - that is actually the ones that certify the auditors - they are working on the training and curriculum programs. We are still on target to roll out some RFIs in June with the CMMC in it that - you know, we're in the process of the rule change to the DFAR rule. So we're still on target.
Katie Arrington: [00:07:41] I'm not going to pretend and say that COVID-19 hasn't had an impact, as the training for those - you know, the CMMC. That's what's really struggling, because we did - when we originally set it up, it was a 50-50 split. Fifty percent of the education and the training was online, and 50% was in person. We have the training and curriculum. I just don't know how we can modify it quickly enough to execute in early May. That's the only caveat that we have right now.
Dave Bittner: [00:08:09] And what has the response been overall to the folks that this is going to affect? How are they reacting to it?
Katie Arrington: [00:08:17] So in the beginning, a little bit of, you know, why? Now it's widely accepted that this is the path forward, that everybody needs to have cyber hygiene and that everyone needs to have some critical thinking skills behind it. So we've actually had an overwhelming response moving forward. Everyone needs cybersecurity. And, you know, COVID-19 has shown us that, you know, the world, the nation, our culture, the way we deal with each other has changed. If there's anything positive to be made out of this, it's the heightened awareness of why the CMMC was desperately needed and, you know, what impact cyber has on day-to-day life. It's been a resounding effort at that maturation right now during this horrible time in our country and our world's history.
Dave Bittner: [00:09:07] That's Katie Arrington. She's CISO for assistant secretary for defense acquisition.
Dave Bittner: [00:09:12] State-run disinformation can gain surprising amplification when it finds an audience. The Chinese Communist Party's claims that COVID-19 was brought to Wuhan in October by U.S. service members participating in the world military games - a kind of goodwill Olympics among the world's military services - have been widely broadcast by Chinese official statements, often in the form of a call for investigation, sometimes with the suggestion that the virus was an American bioweapon.
Dave Bittner: [00:09:41] U.S. Secretary of Defense Esper calls the allegation completely ridiculous and irresponsible, and we're with him on that, but not everybody is, and everybody, in this case, includes some YouTubers. CNN reports that one U.S. Army reservist who participated in the games has been called out as the source of infection and is receiving all the hostile attention one would expect. The charge that the reservist is the patient zero of the infection and the prime mover in the pandemic is, of course, absurd, but that hasn't prevented YouTubers from pushing it, acting in effect as a kind of cybermob.
Dave Bittner: [00:10:18] Prominent among the YouTubers flacking the story is a gentleman, whom we will not name, whom CNN calls a misinformation broker but who describes himself as investigative journalist. He's propounded numerous conspiracy theories in the past, to the extent that Google has stopped running ads on his channel. He is, as he would put it, only asking questions, but the questions are specific and damaging, especially to the reservist who has nothing to do with the virus at all and is being mobbed for it. False suggestion is a form of false witness. But, hey, they're just asking questions, right?
Dave Bittner: [00:10:56] Finally, it now seems likely that rumors of North Korean leader Kim Jong Un's death or incapacitation are false. The Washington Post cites U.S. and South Korean sources that suggest Mr. Kim and his private train are in Wonsan on the Korean east coast. The rumors had prompted and will no doubt continue to prompt speculation about the future of the North Korean regime, jockeying for succession and so on. But Mr. Kim's father and grandfather were similarly content to let unfounded accounts of their death circulate. That may be the case with Pyongyang's current leader. Wonsan is, in some sources, being described as a seaside resort, but in truth, the port city might be more Perth Amboy or even Port Elizabeth than it is Asbury Park. But assume it's a DPRK Asbury Park or Ocean City. What's Mr. Kim up to - enjoying the boardwalk, little miniature golf, maybe some Skee-Ball? Hey, we're just asking questions.
Dave Bittner: [00:12:02] And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single sign-on, password management and multifactor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show.
Dave Bittner: [00:13:43] And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast. Ben, great to have you back. Interesting article came by from Mashable. And this is something you and I have been talking about quite a bit over on "Caveat," and that is the EARN IT Act, which is something making its way through Congress. But it's gotten a response from the folks who make the Signal app, which is an end-to-end encryption communications app. It allows you to text and have audio conversations and video and so forth. They're saying they may pull out of the U.S. market if this EARN IT Act goes through. Help us understand what's going on here.
Ben Yelin: [00:14:29] Sure. So the EARN IT Act was introduced in the United States Senate. And you know you and I love legislative acronyms.
Dave Bittner: [00:14:36] (Laughter).
Ben Yelin: [00:14:37] So this one is Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020. They even included the word IT in the acronym, so credit to them for that.
Dave Bittner: [00:14:49] High praise, yes.
Ben Yelin: [00:14:50] Absolutely. The bill has bipartisan sponsors, and it basically is a way to make companies comply with best practices in terms of encryption based on the recommendations of a government-appointed commission. Now, the way they will try to enforce these best practices is to remove the protections under Section 230 of the Communications Decency Act. As your listeners know, and we've talked about this on "Caveat," that act shields companies from liability based on what the users post on those applications or services. If the EARN IT Act were to be enacted into law and the commission put together regulations that were critical of end-to-end encryption services, like Signal, then Signal could be subject to a number of lawsuits under Section 230 of the Communications Decency Act. And what Signal is saying is it would not be worth it for us to do business within the United States if we were subject to those lawsuits.
Ben Yelin: [00:15:53] I think their fear is certainly a legitimate one. The commission is largely going to be at the direction of the attorney general. The attorney general of the United States, William Barr, is a foremost - one of the foremost critics of end-to-end encryption, and encryption, generally. He supports a back door for the government to access information. He has his legitimate reasons behind it. This bill is intended to curb child abuse, child pornography, those types of things.
Dave Bittner: [00:16:21] Right.
Ben Yelin: [00:16:22] But he is very hostile to the concept of encryption. And if he has his hand in putting these regulations together, you know, this is likely going to be something that Signal will choose not to comply with because it would go against the mission of their messaging service. And if they fail to comply, they would be subjecting themselves to legal liability and would have to leave the market.
Ben Yelin: [00:16:42] And they let their users know about this. In a long blog post, they basically said, look; if you enjoy our application, you better start making some calls to your senators. Right now, this has bipartisan support. There's a lot of opposition among privacy groups. And we need you, our users, to make your voice heard, to tell your members of Congress that you value our service, you value end-to-end encryption and you think the EARN IT Act is going to undermine that service.
Dave Bittner: [00:17:13] And a lot of folks make the point, which I think is correct, that encryption is not exotic. So if we're trying to protect ourselves from bad guys, there's nothing keeping a bad guy from going offshore of the United States and finding some encryption - end-to-end encrypted app that's available somewhere else and making use of it.
Ben Yelin: [00:17:36] Right. And in that sense, this sort of introduces a perverse incentive for people to use overseas applications, applications that, you know, aren't headquartered in the United States, because, yeah, as you say, this encryption is going to exist. It's just whether, you know, the commission writes into regulation that this type of encryption doesn't comply with the commission's best practices and, thus, companies are going to be subjected to this flood of lawsuits. So I think you're right that any bad guy could find an encrypted application. There are a lot of them out there, especially those that originate outside of the United States. And I think that's a large purpose for such a widespread opposition to this piece of legislation in Congress.
Ben Yelin: [00:18:21] And I actually - just, you know, commenting on that opposition, it's interesting because for people who don't know a lot about digital privacy, when you read the plain language of this act, it seems like a no-brainer. You know, we're trying to protect against child exploitation. Let's put best practices in place to ensure that, you know, the government can get the bad guys if it needs to. So it's good that these privacy groups and, you know, some of these applications like Signal that have a loyal user base are getting their voices heard on this matter.
Dave Bittner: [00:18:53] Isn't it sort of - that phrase, best practices, isn't that a bit loaded in this case?
Ben Yelin: [00:18:59] It is. You know, best practices is consultant-speak. So, you know, I'm always wary of that term. They're using best practices, but when you're threatening to remove a liability shield, it's not really best practices. It's more like, do this or you're going to get sued.
Ben Yelin: [00:19:16] So best practices kind of implies...
Dave Bittner: [00:19:19] Yeah. Nice company you got here. Be a shame if anything were to happen to it.
Ben Yelin: [00:19:23] Exactly, yeah.
Dave Bittner: [00:19:23] (Laughter).
Ben Yelin: [00:19:23] Like, best practices implies this would be a good idea for you. It would be a good idea for you to engage in these practices...
Dave Bittner: [00:19:30] Right.
Ben Yelin: [00:19:30] ...Not, you're going to be sued out of business if you don't comply. So, yeah.
Dave Bittner: [00:19:34] Yeah.
Ben Yelin: [00:19:34] It definitely is a loaded term.
Dave Bittner: [00:19:36] All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:39] Thank you, Dave.
Dave Bittner: [00:19:45] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:20:03] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:14] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.