The CyberWire Daily Podcast 5.19.20
Ep 1091 | 5.19.20

Cyber conflict in the Middle East. EasyJet breached. More errors than exploits. The Dark Web during the pandemic. 5G misinformation. REvil updates.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. As you know, we've been fortunate to have built a pretty influential audience over the years. Security leaders across the globe trust us and depend on us every day to deliver the news and analysis they need to do their jobs. And that's also why so many top security companies and hot startups trust us to connect them to the decision-makers and influencers to help get the word out about their brand and fill their sales funnels. We've got lots of great sponsorship opportunities that can help you get the word out, too. Just visit thecyberwire.com/sponsorship to learn more and connect with us. That's thecyberwire.com/sponsorship. Thanks. 

Dave Bittner: [00:00:44]  Foreign intelligence services attribute a recent cyberattack on an Iranian port to Israeli operators. EasyJet discloses a breach of passenger information. Verizon's annual Data Breach Report is out, and it finds more errors than it does exploits. A look at the dark web during the pandemic. U.S. authorities warn local law enforcement to watch out for misinformation-driven telecom vandalism. Ben Yelin explains why the ACLU is suing Baltimore over a surveillance plane. Our guest is Robb Reck from Ping Identity on a recent CISO Advisory Council meeting regarding the sudden shift to working from home. And REvil is still offering celebrity dirt for sale if they've actually got any. 

Dave Bittner: [00:01:28]  And now a word from our sponsor, ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems, more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, quote, "there is no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop." See how it works in the full product demo, free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:02:33]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 19, 2020. 

Dave Bittner: [00:03:04]  Citing anonymous sources in a foreign government, The Washington Post reports that intelligence services have concluded that a recent cyberattack against the Iranian port of Shahid Rajaee was the work of Israeli operators, possibly in retaliation for earlier attacks against Israeli water treatment facilities. EasyJet has disclosed a data breach that affected some 9 million customers. The Guardian writes that the airline describes the incident as the work of highly sophisticated criminals. Verizon this morning released its annual Data Breach Report. This year's version is twice the length of its predecessors, covering more regions and more economic sectors. As Reuters reads it, one of the principal conclusions is that financial gain significantly outpaces espionage as a motive for hacking. Eighty-six percent of the breaches covered were committed for money, not intelligence. IndustryWeek's takeaway is the biggest problem is people, not systems. Our own pre-briefing call with Verizon led to that same conclusion. Exploits are rarely the way breaches are accomplished. The report concluded that errors, such mistakes as incorrectly configured databases and misdelivered emails, are now about as big a problem as social engineering. There's another trend in attack technique - web app attacks, the researchers conclude, have roughly doubled. 

Dave Bittner: [00:04:26]  Turning to the effects the COVID-19 pandemic is having on cybersecurity, France is proceeding with its centralized approach to COVID-19 contact tracing, ZDNet reports. Authorities maintain that this is being done with due regard for preserving users' privacy. The government is particularly interested in the utility the system, called StopCOVID, might have in containing a recurrence of the virus. Earlier this month, Medium offered a summary of the app's development, including its goals and prospects. Researchers at Trustwave's SpiderLabs described the various pandemic-related scams they're finding on the dark web and note some of the underworld reaction to them. They do note that the criminals follow the news, like everyone else, swap advice about staying healthy, express concerns about the consequences of the pandemic for their own enterprises and so on; in short, an inverted version of the kind of chatter one sees in legitimate channels. But the more interesting material reveals the deliberations and plans that directly shape the criminal enterprises themselves. For example, there's chatter about demand for masks and whether that presents an opportunity for various forms of illicit trade. Masks and other medical supplies are being offered for sale in online markets that normally hawk contraband. Those same markets also offer patently bogus nostrums, most prominently COVID-19 vaccines, which, of course, don't exist. Accompanying the offers are an array of bogus stories alluding to widespread cover-ups and misinformation by various authorities. 

Dave Bittner: [00:05:59]  The underground markets are themselves feeling some of the pain legitimate markets are experiencing. They warn their customers that they may expect service disruptions, and they shed virtual crocodile tears over the health risks vulnerable customers face during the pandemic. And some of the subsectors of the criminal-to-criminal market seem to be feeling considerable pain. Carding, in particular, appears to be experiencing a rough patch. Why this is happening is unclear and seems to call for explanation. Perhaps with a general slowing of economic activity, there's been a reduction in available inventory. And with the relative scarcity of new stolen numbers, carders are recycling their wares in the markets. Criminals who have access to new stolen cards are reserving them for their own use. 

Dave Bittner: [00:06:47]  Robb Reck is chief information security officer at Ping Identity. He shares insights from a recent ISSA CISO Advisory Council meeting regarding the sudden shift to working from home. 

Robb Reck: [00:06:59]  So, generally, we have roughly 10 of our customer CISOs get together and talk about, you know, trends in the industry and kind of give some feedback to Ping on roadmap. We were intending to have our in-person meeting this year in - around the 20th of March. And you can imagine that didn't happen with COVID hitting. And we ended up having to shift to virtual about two weeks later. And we really used that shift to virtual as a chance to just get all of the members of the council to talk about, how has COVID and the rapid shift to work from home impacted them and impacted their companies and impacted their security departments? 

Dave Bittner: [00:07:34]  Well, what can you share with us? What sort of insights did they have? 

Robb Reck: [00:07:37]  Yeah. So we got together April 2. It was nine different folks from a variety of different industries. And I think the industries matter because, you know, you have the really heavily impacted industries like health care providers. We had a cable internet provider there, an online learning provider, kind of strangely enough. And we had, you know, less directly impacted - manufacturing and financial services. But everyone had a kind of a unique perspective. 

Dave Bittner: [00:07:59]  But what are some of the things that you were discussing when it comes to potential changes when we're through this? When we get through this together, are they seeing that there are going to be some changes to the way they come at things? 

Robb Reck: [00:08:13]  Yeah. You know, one of the interesting things that I learned out of this - everyone kind of across the board agreed, we're moving so quickly that we're probably not making fully understood risk decisions here, that the CISOs are trying to get in front of it, trying to understand, what are the implications of every risk? But we're not able to go fast enough when, you know, you shift from one way of doing work to another basically, you know, at the drop of a hat. So one of the - my favorite recommendations I heard coming out of this is make sure that you're documenting each of the decisions you make as a part of this. And come back and just really consider, is it the right thing to do? If you now are allowing BYOD because you don't have enough laptops across your enterprise, OK, maybe that's the right thing, but maybe it's not. Or maybe you need to put some kind of new mitigation controls in place to allow you to do that BYOD. 

Dave Bittner: [00:08:59]  What sort of things are you tracking in terms of the community response to this? How are these companies engaging with the broader community? 

Robb Reck: [00:09:07]  Yeah, I was really excited as we talked to the CISOs as a part of this council that a number of the companies that they worked for have actually used this as an opportunity to give back and really not just go after the bottom line but try and make things better. Top of the list - the worker's comp insurance company that was a part of our council - they worked overtime for the first few days of this to make sure that they were keyed in to be able to accept claims for COVID for workman's comp, which, you know, not on top of my list I'm thinking about. But they really were making sure their customers were able to react quickly and make sure their employees were getting paid in the middle of this. We talked already about the online school that's put a 24/7 war room on this to make sure it's running. Another one we had - there was a scientific society that really - they were generally, like, a fee-based research organization where you can get access if you pay for it. They made all of their resources, all of the research available to anyone who's working on COVID. So they just, you know, threw that whole paywall out of the way and said, if you're doing this, we want to make sure we support you. 

Dave Bittner: [00:10:02]  Yeah. It's really been heartening to see the good-faith community response to all this. 

Robb Reck: [00:10:07]  And, of course, we're continuing to see how things are going to change. And I expect - you know, this is just Chapter 1 of the new normal. 

Dave Bittner: [00:10:14]  That's Robb Reck from Ping Identity. Robb is also the co-host of the Colorado = Security Podcast. So if that is your neck of the woods, be sure to check it out. ABC News reports that the U.S. Department of Homeland Security, the FBI and the National Counterterrorism Center have issued an advisory to law enforcement authorities warning them to expect vandalism directed against 5G and other telecommunications infrastructure. Quote, "Violent extremists have drawn from misinformation campaigns online that claim wireless infrastructure is deleterious to human health and helps spread COVID-19, resulting in a global effort by like-minded individuals to share operational guidance and justification for conducting attacks against 5G infrastructure, some of which have already prompted arson and physical attacks against cell towers in several U.S. states," end quote. Such attacks, hitherto more commonly observed in Europe, have begun to appear in the U.S. as the bogus theory of a link between cellular networks and COVID-19 gained traction. Some of this vandalism predates the emergence of the COVID-19 virus and therefore also predates the misinformation that's now driving the incidents, Business Insider notes. Arson was reported at cellular infrastructure sites as early as December of 2019. And finally, DarkOwl researchers have been tracking the activities of the REvil gang that's claimed responsibility for hacking celebrity law firm Grubman Shire Meiselas & Sacks. The criminals say they've received offers for information they claim to have on President Trump and that their next offer is of data connected with Madonna. Bidding starts at $1 million. We are living in a material world. 

Dave Bittner: [00:12:07]  And now a word from our sponsor Thycotic. Thycotic protects companies from cyberattacks by developing innovative technologies that secure privileged accounts across the modern enterprise. Thycotic recently partnered with Cybrary to conduct a global survey of IT professionals focusing on how organizations are implementing least privilege. Their new survey report shows overprivileged users are still a big challenge for IT professionals. The report reveals important insights for anyone planning or already down the path with their own least-privilege security program. From the survey, they found that even though least privilege is a top or urgent priority, most organizations struggle with complexity and user complaints when implementing a least-privilege security strategy. Go to thycotic.com/cyberwire to download the report now and get more details about the survey results, the key takeaways and recommendations for how to ensure success in your least-privilege implementation. Again, that's thycotic.com/cyberwire to download this special report on the state of least privilege. And we thank Thycotic for sponsoring our show. 

Dave Bittner: [00:13:23]  And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: [00:13:32]  Great to be with you, Dave. 

Dave Bittner: [00:13:34]  We are going to revisit a story that you and I have talked about on more than one occasion. And that is this plan to put some spy planes over our city of Baltimore, our beloved city of Baltimore, basically a DVR in the sky for surveillance. There's been a development here. The ACLU is taking issue with this plan. 

Ben Yelin: [00:13:57]  Yes, they are. They're actually suing to try and stop that surveillance plane. And as of now, that plane is actually in the sky. I was reading commentary on some neighborhood Facebook pages saying that they've been hearing this bizarre humming sound. It kind of sounds like a blimp flying over a baseball stadium. And it turns out it is the surveillance plane. So it's been up in the air for about a week. It was sold to the city of Baltimore by a former Army individual, Mr. McNutt, who has his own surveillance technology. There've been a lot of legal policy challenges to this, but the airplane is finally airborne. 

Ben Yelin: [00:14:35]  And the ACLU is suing on a bunch of grounds. Obviously, they're worried about individuals' Fourth Amendment rights. When you have an airplane that can take millions of different pictures in real time of the city, that certainly, almost by definition, leads to unreasonable searches and seizures. The government did not get any sort of judicial authorization to take those pictures. And you know, because of the way the technology works, you can zoom in beyond a city block onto an individual home or an individual sidewalk and see an individual there. 

Ben Yelin: [00:15:10]  And then, you know, there are a lot of potential First Amendment concerns here. We've talked about on this podcast and on our podcast how, you know, the potential for racial bias creeps into all of these surveillance technologies. And it's notable, from the ACLU's perspective, that, you know, the first one of these spy planes that's going up in the country is going up over a city that is 60% African American. And you know, even though it is a city that has suffered from a pretty serious crime spree over the past several years, I think that's certainly something worth noting. 

Ben Yelin: [00:15:45]  And you know, they've talked about how surveillance methods have been used for both religious and - or against religious and political groups. One of the ones they mention in this article is the Black Lives Matter group in Baltimore City. So yeah, I think we're going to have to sit back and wait to see where this lawsuit goes. Litigation like this could take a long time. You're going to have dueling motions, a lot of different legal proceedings. I think we could be several years away from some sort of resolution on this issue. 

Ben Yelin: [00:16:16]  And meanwhile, you know, unless the ACLU is able to obtain an injunction, which I think is unlikely because a judge would have to find that the spy plane is irreparably harming the citizens of Baltimore, then, you know, while this litigation continues, that plane is in the sky taking pictures. So smile, Baltimore. You're on camera. 

Dave Bittner: [00:16:40]  (Laughter) Well, let me play devil's advocate here because, first of all, is it even fair to call it a spy plane? I mean, do we call security cameras that police put out - do we call them spy cameras? 

Ben Yelin: [00:16:50]  Fair enough. Sure. You - one could. But yes. You're right. You're right. 

Dave Bittner: [00:16:55]  Well - but also, it makes me wonder. It is my understanding that when you are out and about in public, you have no reasonable expectation of privacy. How does that not apply here? Is it just the scale of it? 

Ben Yelin: [00:17:09]  I think the scale is a huge part of it. So you know, that doctrine that you don't have a reasonable expectation of privacy when you are in public view was created in an age of much less pervasive technology. It was really about, what would the police spot, you know, if they were to see you running on the street or running out of your house? That's sort of the notion of the plain-view doctrine. Does that doctrine and should that doctrine change when we're talking about a plane that can take millions of real-time photos and engage in, you know, 24-hour surveillance of people who are out in public? Is it still fair to have that same legal doctrine apply in this age of new technology? 

Ben Yelin: [00:17:50]  And I think the ACLU is going to argue - and they have some, you know, reasonable Supreme Court precedents at their side - that things are fundamentally different. We're going to have to adapt that plain-view doctrine to deal with a technology like this because the legal doctrine is outdated. And I think they're going to be justified in making that argument. But you know, I'm not sure which way federal judges will come down on that issue. 

Dave Bittner: [00:18:16]  Do you suppose that it would - could be a situation here where the plane is allowed to stay in the air but in order to use any of the information it gathers, you'll need a warrant? 

Ben Yelin: [00:18:26]  So that's possible, you know, unless the program is enjoined on one of those First Amendment issues because you can burden people's constitutional rights even if there's no criminal proceeding. But yeah, I mean, I could certainly envision a circumstance where a crime is - or a potential crime is caught using this aerial surveillance technology and a criminal suspect tries to suppress that evidence on the Fourth Amendment or First Amendment claims. And then that's going to be litigated at an individual criminal proceeding. You know, maybe that, instead of this ACLU lawsuit, will be the vehicle where we get some clarity on the constitutionality of this surveillance. 

Ben Yelin: [00:19:05]  But you know, that's going to take time, too, because we're going to have to wait to have an airtight case where we really did catch a person committing a crime; the only evidence that was used to arrest that person was aerial surveillance. And you know, once those circumstances present themselves, then we can go through that case. I think because the plane has just been launched, we don't have any criminal suspects who have standing to challenge it. So that's why we're seeing this civil suit from the ACLU. 

Dave Bittner: [00:19:36]  Interesting. Well, in the meantime, I'm launching my line of umbrellas that, from the sky, look like other people. 

Ben Yelin: [00:19:42]  There you go. See, you just have to - you have to fight fire with fire. 

Dave Bittner: [00:19:47]  You have to look on the bright side of things, right? 

Ben Yelin: [00:19:49]  Yes, exactly. And if you notice a lot of people in Baltimore City pointing their middle finger to the sky, you'll know exactly what that means. 

Dave Bittner: [00:19:58]  Perhaps (laughter). Right. It's a new citywide sign of solidarity. 

Ben Yelin: [00:20:04]  Yep. 

Dave Bittner: [00:20:04]  There you go. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: [00:20:06]  Thank you. 

Dave Bittner: [00:20:14]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:32]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:44]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.