The CyberWire Daily Podcast 5.29.20
Ep 1098 | 5.29.20
Sandworm is out and about, so patch already. Steganography used in attacks on industrial targets. An Executive Order on Preventing Online Censorship. Breaches, ransomware, and lessons.
Transcript

Rick Howard: Hey, all. Rick Howard here. I'm the CyberWire's CSO and chief analyst. I wanted to take a moment and talk to you about my weekly podcast and article series called "CSO Perspectives" available in CyberWire Pro and Pro Plus. In this series, I discuss the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis. So far, I've talked about first principles, metrics and risk models, intelligence that can be found on the dark web and even - my favorite - cybersecurity novels. Tune in every Monday and join me on this exclusive series to ensure that your critical information is never out of reach. You can check it out at thecyberwire.com/pro/cso/perspectives. That's thecyberwire.com/pro/cso/perspectives. 

Dave Bittner: NSA warns the GRU's Sandworm outfit has been actively exploiting a known vulnerability in Exim. Someone is attacking industrial targets in Japan and Europe using steganography and other evasive tactics. NTT Communications is breached, and Michigan State University sustains a ransomware attack. Ben Yelin unpacks the president's executive order aimed at social media companies. Our guest is Vik Arora of the Hospital for Special Surgery on protecting health care organizations during COVID-19. 

Dave Bittner: And now a word from our sponsor the University of San Diego. Cybersecurity newsflash - in addition to gumming up the works with malware, phishing expeditions and DNS attacks, the black hat hackers of the world are also creating jobs. Let me explain. Cybercrime is causing so many headaches and financial losses for many CEOs that companies everywhere are paying top dollar for cybersecurity talent. By some estimates, the financial damage caused by the global cybercrime epidemic each year is about to hit $6 trillion. That's why employers across all industries are paying six-figure salaries for cybersecurity pros with the right experience and training. University of San Diego and its online cybersecurity engineering master's degree program are doing a lot of reporting on this. They also offer an outstanding online training program if you're interested in sharpening your skills to advance your career or to transition into cybersecurity. Connect with the team at sandiego.edu/cyberwire. Mention this podcast, and they'll waive the fee to apply. That's sandiego.edu/cyberwire, and we thank the University of San Diego for sponsoring our show. 

Dave Bittner: Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest like containers, to empower your change-makers like developers and to enable business accelerators like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 29, 2020. The US National Security Agency warned yesterday that Russia's GRU continues to exploit the Exim mail vulnerability CVE-2019-10-149. NSA identifies the Russian unit involved as specifically belonging to GRU's Main Center for Special Technologies (ph), the group commonly known as Sandworm. The vulnerability was disclosed and patched in June of last year, and NSA advises users to apply it. This provides another object lesson in the importance of keeping software up to date. The GRU has been exploiting the bug since August 2019. It also provides another example of the ways in which the historically reticent NSA has become increasingly engaged in providing public warnings and advice on cybersecurity. 

Dave Bittner: Kaspersky outlines a campaign against industrial targets in Japan, Italy, Germany and the UK. The specific goals of the campaign are unknown, although Kaspersky says they've observed destructive activity and extraction of data. The attackers use steganography in the data extraction process; that is, they hide code in an image. This and other aspects of the campaign make the attacks difficult to detect and block. 

Dave Bittner: Yesterday U.S. President Trump signed an Executive Order on Preventing Online Censorship intended to address ways in which social media are applying selective censorship that is harming our national discourse. It addresses Section 230 of the Communications Decency Act, which affords civil liability protection to online service providers that act as neutral platforms as opposed to editors. The secretary of commerce will lead a petition for rulemaking to clarify Section 230. 

Dave Bittner: Federal agencies will evaluate spending on platforms that engage in viewpoint discrimination, and the Federal Trade Commission will investigate unfair trade practices related to content moderation. Among the points that stand out in the order are its observation that the protections in Section 230 were designed narrowly to provide certain protection for minors. It also emphasizes the act's provision that restrictions on content be done in good faith, and it asks the Federal Trade Commission to take a close look at social media companies' outsourcing of content moderation to third parties that themselves arguably engage in viewpoint discrimination. 

Dave Bittner: The order is widely viewed as a response to the president's recent experiences with Twitter. At issue is the difficult question of what counts as a neutral supplier of a service and what counts as being a publisher with responsibility for content. Thus, should Facebook, Instagram and Twitter be treated like sellers of newsprint or like newspapers, like a telephone company or like a television station? We'll hear more on the executive order from our guest, Ben Yelin of the University of Maryland's Center for Health and Homeland Security, a little later in the show. 

Dave Bittner: Several data breaches and ransomware incidents are being reported. NTT Communications, the Tokyo-based telecommunications service provider giant, has disclosed that one of its servers was breached. A relatively small number of customers is so far and thought to be affected - a little more than 600. The attack began in a Singapore cloud server from where the attackers moved to an internal server and then to an NTT Active Directory server from which the data was taken. 

Dave Bittner: The criminal proprietors of NetWalker ransomware have also been active. They've hit Michigan State University and given the administration until next Thursday to pony up the ransom. If the university doesn't come up with the ransom, the amount of which isn't yet publicly known, the extortionist will release the sensitive data they've stolen. To show that they're in earnest, the gang has posted images of directories, a passport scan and financial documents, BleepingComputer reports. ZDNet notes that NetWalker has recently been used against the Australian Logistics company Toll Group and the Australian city of Weiz. NetWalker is a ransomware-as-a-service operation that's actively recruiting new affiliates. 

Dave Bittner: And finally, what have people been learning with respect to cybersecurity during the pandemic emergency? As far as we can see, we're learning a great deal about improvisation under pressure, and we're also learning what we can live without or at least work without. We've been following the COVID pandemic since the CyberWire, like many other businesses in our area, moved to remote work on March 16. This was, of course, consistent with shelter-in-place guidance from public health authorities. Maryland relaxes some of its public health guidelines today, and this seems a good point in which to take stock of how the emergency has affected the cybersecurity sector. While the pandemic and its effects are far from over, its consequences for cybersecurity now seem clear enough for us to suggest some lessons we might draw from the experience. And it also seems to be the right time to roll our coverage of COVID-19-related news into our ordinary coverage of cybersecurity. We conclude this series with today's story. If there's one overarching observation to be made about the pandemic and its effects on cybersecurity, it's that improvisation under pressure creates unexpected challenges, risks and opportunities. We'll have a final wrap-up Monday with our planned final daily update on COVID-19 and its effects on the cybersecurity community. Until then, enjoy the weekend. 

Dave Bittner: And now a word from our sponsor PlexTrac. PlexTrac is the ultimate purple teaming platform, guiding the healthy collaboration of your red and blue teams through a single web-based interface. PlexTrac does this by first elevating red teams, eliminating the struggle of reporting and allowing the team to focus on what's important - identifying security issues. Red teams are provided with an easy-to-use platform that allows reports to be created and then exported with a click of a button, saving the team valuable time. PlexTrac also powers up blue teams by providing them with a platform to consolidate findings and then remediate them in an efficient and timely manner. Gone are the days of 500-page penetration test reports, as PlexTrac streamlines the process with a status tracker, integrations with ticketing systems, dashboards and analytic capabilities and much more. You can visit their website at plextrac.com/demo to learn more. That's plextrac.com/demo. And we thank PlexTrac for sponsoring our show. 

Dave Bittner: My guest today is Vik Arora, chief information security officer of the Hospital for Special Surgery in New York. He shares his insights on protecting a health care facility in the midst of COVID-19. 

Vik Arora: [00:10:34]  So HSS is an orthopedics and rheumatology hospital with presence in New York metropolitan area, Colorado and Florida. We've been ranked No. 1 in orthopedics for 10 straight years. We're also the official hospital for New York Giants, Mets and a few others, along with being a top teaching hospital with a well-respected orthopedic residency program. 

Vik Arora: In terms of my role at HSS, I'm responsible for cybersecurity and risk management, basically making sure that the digital transformation of the hospital is done securely, we remain compliant with HIPAA and other regulations and, at the same time, we're able to take advantage of various innovations out there and technology in a secure and safe manner while making sure that we deliver better care on an ongoing basis. 

Dave Bittner: Can you give us some insights? What sort of threat activities have you seen during the pandemic? 

Vik Arora: Yeah. So for the past six weeks, we've been in a state of heightened awareness. And four things kind of bubble up for me and my team. The first and foremost is a significant increase in COVID-19-related phishing attacks. To give you some numbers, we see about 10,000 to 15,000 daily phishing email attacks on the organization. They range from stimulus plans, paycheck programs, WHO and CDC advisories or protective equipment. The second thing which I think most of us are seeing is we have almost a thousand percent increase in work from home within the organization from prior to crisis to now. And that has led to a significant recon (ph) of our public-facing environment. We've seen an uptick in exploitation of VPN infrastructure, as well as attacks on personal home routers. Some users have reported it to us, and then we've seen an uptick in those reports. The third thing is what I like to say is on-the-fly IT engineering, where consumer-grade tools, like Doodle for scheduling or WhatsApp or other collaboration tools - people find them quick and easy to use. And sometimes, they end up deploying those for corporate needs. And managing risks around that has been challenging. And last but not the least is the supply chain risks. Because of obvious constraints, we've had to onboard some new vendors relatively quickly. And making sure that they are secure and they align with all the best practices has been challenging. 

Dave Bittner: What is your approach in terms of balancing those risks when it comes to you have those urgent needs, you have those business needs, but, at the same time, you've got to manage security? 

Vik Arora: Yeah. So before I get into the tactical things that we've done, maybe I'll talk a little bit about what has allowed us to do it or get through the crisis or at least come this far. The first and foremost is that we're able to draw inspiration from the front-line health care workers not just at HSS but across the world. And everybody in IT and cybersecurity very much appreciates the opportunity to support them in any manner. We find that very humbling. So that has allowed us to get inspired by them and deliver the best cybersecurity that we can. The second is HSS is a place where we attribute culture to our reputation and results all the time. So there has been an amazing job at the leadership level where they came up with new principles to handle the crisis, namely protecting our staff, protecting the organization and protecting the society. So that allowed us to align all the activities to those principles and defer or cancel any non-COVID-related priorities. So we were able to focus all in a very harmonious manner. So the third thing is empathy. On a personal note, I have a 2-year-old daughter and a 6-year-old boy. The babysitter's no longer available, so we had to ask our in-laws for help. Managing work from home, home-schooling our son and managing daily routines has been challenging, and we had a few false starts, but then we found our rhythm. So I think it's important to be cognizant that our teams are going through similar challenges. The crisis is not organizational; it's also a personal crisis. So being aware of that and allowing the team to work at any times that work for them has helped us to kind of earn their commitment and support. 

Dave Bittner: That's Vik Arora, chief information security officer at the Hospital for Special Surgery. If you'd like to hear an extended version of this interview, check out our website thecyberwire.com and sign up for CyberWire Pro. 

Dave Bittner: And now a word from our sponsor, Dragos. Don't miss next Tuesday's free webinar Mapping Threat Detection, the MITRE ATT&CK for ICS (ph). You can see the details at dragos.com/webinars. Dragos will share how they incorporate results from threat hunts, incident response and lessons learned working with their customers into the Dragos platform to provide better visibility and threat detection of industrial environments. Visit dragos.com/webinars. That's dragos.com/webinars. And we thank Dragos for sponsoring our show. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, we fired up the bat signal this morning to get you back on the line here right away because I want to get your help unpacking this executive order that the president signed yesterday on Thursday, coming at social media and Section 230 of the Communications Decency Act. Unpack what's going on here for us, my friend. 

Ben Yelin: Oh, where to begin, Dave? Where to begin? So I got a chance to read the executive order, and I'm glad we're getting a chance to talk today. I think the bottom line for viewers who don't want to hear a lot of - or listeners who don't want to hear a lot of legalese and analysis of the Communications Decency Act and Section 230 is this executive order is relatively toothless, and I think it misinterprets a lot of legal precedents. It won't have much of an impact. It's largely a distraction. But it is, you know, certainly an example of the president willing to use the power of the federal government to at least threaten and intimidate social media companies whom he feels are being biased against him. 

Ben Yelin: And it's also part of an escalating war between particularly Twitter and the president. And we've seen that over the past couple of days as they've flagged a couple of his tweets, one of them with a little note saying that it was based on false and misleading information, then one overnight where they said that his tweet could've been interpreted as a call for violence. So I think that's just very important context. 

Ben Yelin: So for those of you who do want the legalese, I'll get a little bit into the executive order itself, if that's OK with you, Dave. 

Dave Bittner: Please, please. 

Ben Yelin: So a couple of things. The executive order first kind of starts by stating general principles. These social networks should have the goal of neutrality and maintaining robust debate. They say that Section 230 of the Communications Decency Act, which does shield these sites from liability from the content posted by users, is not an unlimited license to inject what they determine to be political biases into their content restrictions and terms of services. 

Ben Yelin: So this is problematic for a couple of reasons. For one, they talk about that perhaps Twitter could actually be liable under Section 230 because they are the creator of content. So they're talking about the instances when Twitter puts those little notices on the president's tweets. They're saying, well, those types of notices, because Twitter is actually creating that content, that does not fall under Section 230. That narrowly is true. These platforms are only shielded from liability as it relates to what users post on them, not their own content. But the government through an executive order cannot ban Twitter from putting its own commentary on particular tweets. That would be a very clear violation of the First Amendment. And it would also get into areas of compelled speech, which the Supreme Court looks very disfavorably upon. 

Ben Yelin: As the executive order continues, just a couple of other, you know, things that stuck out to me. One, it asks the Commerce Department, specifically the NTIA, to petition the FCC to develop regulations to interpret Section 230 according to how the president wants it interpreted in this executive order. So that can't really happen. For one, it's up to the courts to interpret what Section 230 means. It's not up to the executive branch. And, just as importantly, the FCC does not have the authority to regulate these types of platforms. They've - courts have explicitly rejected giving the FCC the authority to issue these regulations. 

Ben Yelin: The executive order also calls on the FTC, which does have a little bit more of a regulatory role. They've called on them to issue their own regulations. You know, the FTC can enforce actions to protect against unfair trade practices. But that's - you know, that can happen as it relates to antitrust, can't really happen as it relates to what we're talking about here with Section 230. 

Ben Yelin: Then there are a couple of things that fall into provisions that don't necessarily carry that much force in terms of the force of law but are still nonetheless concerning. So the executive order empowers the attorney general to convene a working group with state attorneys general, and that working group is allowed to report users on these platforms that are posting problematic content. And that goes undefined in the executive order, but I think it's something that certainly raised a lot of eyebrows. And then, lastly, the executive order talks about how if Twitter does not change their practices to comply with the guidelines set out here, then the federal government should at least consider ceasing advertising on Twitter or any other platform. 

Ben Yelin: So the bottom line is it's I think a relatively poorly drafted and largely toothless effort to cut away at Section 230. If there really was a groundswell of opposition to 230, if we really, as a society, wanted to change the law to remove this shield of liability for the moderation of content on these platforms, that would be something that Congress would have to do. That's not something generally that the president is able to do through executive order. 

Dave Bittner: So what happens next? The president has put this out there. How does it make its way through determining what actually happens? 

Ben Yelin: So that's a great question. I mean, so much of this - the process that he's describing is not a process that's actually going to lead anywhere. You know, it's like telling somebody directions to a room in a house that doesn't have anything in it. So, you know, it's instructing the NTIA to propose new rules and regulations consistent with this executive order to the FCC. But as I said, the FCC does not have authority over that. 

Dave Bittner: Right. 

Ben Yelin: So the FCC has no obligation to accept or reject whatever the NTIA or the Department of Commerce presents it. So I don't really see how that's going to be productive for anyone. And I think that just sort of leads to a dead end. If this executive action - order doesn't create any new cause of action for any particular users, you know, the one tangible effect it might have is we'll see what this working group does led by the attorney general. They might recommend more concrete enforcement actions. But until that happens, you know, there really is no realistic endgame here on policy changes. It's just - I think we can largely say it's a political document. It doesn't really carry much in terms of the force of law. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us and providing some clarity. 

Ben Yelin: Thank you very much. Have a good day. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: And be sure to check out this weekend's "Research Saturday" show, where Akamai's security researcher Larry Cashdollar outlines his recent experiment setting up a rootable docker image to capture credentials used by hackers in an attempt to log in. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.