The CyberWire Daily Podcast 6.1.20
Ep 1099 | 6.1.20

Cyberattacks and hacktivism around Minnesota’s unrest. Amtrak breach. Port scanning. Some lessons from the pandemic.

Transcript

Dave Bittner: [00:00:04] Hacking and more claims of hacking surround the unrest in Minnesota. A data breach attack at Amtrak Guest Rewards. More companies are found port scanning. Four cybersecurity lessons from the pandemic. David Dufour from Webroot with an overview of online scams his team is tracking during COVID-19. Our own Rick Howard compares resiliency with business continuity. And a new 5G device is not only holographic, but quantum oscillating, too. 

Dave Bittner: [00:00:37]  It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web by identifying new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest like containers, to empower your change-makers like developers, and to enable business accelerators like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:04]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 1, 2020. Minnesota's chief information officer Tarek Tomes said yesterday that the state's Security Operations Center is defending against distributed denial-of-service cyberattacks aimed at overloading state information systems and networks to tip them offline, the Twin Cities Pioneer Press reports. He added that the state had succeeded in preventing disruption of operations. 

Dave Bittner: [00:02:36]  There have been many claims that the attacks represent an operation by Anonymous designed to punish Minnesota for the death of George Floyd in police custody, a death that's provoked widespread protest and rioting. Many of the reports in social media claim that Anonymous is releasing email addresses and passwords from the Minneapolis Police Department. But that seems, researcher Troy Hunt says, to be almost surely false. The email addresses and passwords displayed as evidence seem to come from older breaches and from such online resources as Have I Been Pwned. Civil unrest will certainly continue, however, to manifest itself in cyberspace through hacking, disinformation, doxing and denial of service. 

Dave Bittner: [00:03:20]  Amtrak, the US National Railroad Passenger Corporation, has disclosed a data breach that affects Amtrak Guest Rewards accounts. BleepingComputer reports that Amtrak believes no financial data, credit card info or Social Security numbers were compromised, and the railroad says that the incident was quickly contained. 

Dave Bittner: [00:03:40]  Last week, eBay was found port scanning computers of users visiting their site. BleepingComputer looked at other prominent sites and determined that eBay isn't alone. Citibank, TD Bank, Ameriprise, Chick-fil-A, LendUp, Beachbody, Equifax IQ Connect, TIAA-CREF, Sky, Gumtree and WePay are port scanning, too. 

Dave Bittner: [00:04:03]  While the pandemic and its effects are far from over, its consequences for cybersecurity now seem clear enough for us to suggest some lessons we might draw from the experience. The first lesson is that improvisation under pressure is difficult. It's better to plan. We know, we know. That's a banal observation. But still, it's a useful one, we think. So if there's one overarching observation to be made about the pandemic and its effects on cybersecurity, it's that improvisation under pressure creates unexpected challenges, risks and opportunities. We've seen that improvisation in organizations' scramble to come up with ways of continuing to do business under conditions of lockdown and social isolation. We've also seen it in the need to protect the rapidly expanding attack surface remote work presents. The companies that provide the services and platforms necessary for remote work were also caught off guard. Zoom's very fast, very large success brought the company security and reputational problems it hadn't prepared itself to answer. 

Dave Bittner: [00:05:07]  We've also seen improvisation at national levels as public health authorities in many countries tried with decidedly mixed results to develop and deploy technologies that could trace contacts and monitor the spread of infection. The US Cyberspace Solarium Commission argued that the principal lesson should be the value of preparedness, of sound advance planning and swift, effective execution in the moment of crisis. The commission's co-chairs, Senator Angus King (Independent of Maine) and Representative Mike Gallagher (Republican, Wisconsin 8th) told The Washington Post they hope the US Congress draws the lesson that it's important to prepare for a disaster before it hits. The commissioners intend to issue an appendix tomorrow, June 2, they hope gives Congress an after-action review of cybersecurity and the pandemic that will nudge lawmakers in the right direction and that may represent an unexpected opportunity to avoid being caught short by failures to plan or simply by failures of imagination.

Dave Bittner: [00:06:09]  The second lesson is that crises are opportunities for disinformation and for spontaneously arising misinformation. Both constructive disinformation - propaganda that seeks to convince - and disruptive disinformation - propaganda that seeks merely to confuse - were on display during the pandemic. The former is much more in the Chinese; the latter in the Russian style. Misinformation has also been common as the spontaneously generated looniness that saw 5G and its electromagnetic fields prompt cell tower vandalism and spawned a small industry of crank products designed to ward off infection with wearable Faraday cages. These have a life of their own, as resistant to rational correction as delusions about chemtrails. They also afford useful opportunities for disinformation campaigns, especially the disruptive kind. No one has any good ways of handling either disinformation or misinformation. Social media companies seem to have settled into some version of a marketplace of ideas to fight lies and delusions. It's seemed unsatisfying, but it's hard to see how they could do much better, especially at the scales on which they operate. 

Dave Bittner: [00:07:21]  Third, crises force startups to grow up. Whatever insulation from business reality plentiful venture capital and easy exits may have provided, the pandemic-induced downturn forced more startups to start acting like businesses. It's been painful, but many startup businesses are now being run more like, well, businesses, or at least are in a position to see that that's the direction they'll have to move. And fourth, espionage doesn't stop for crisis. In fact, espionage likes crisis. Your crisis is the spy's opportunity, and the spies know it.

Dave Bittner: [00:08:00]  Finally, to close with one more COVID-19-themed scam, the BBC ran a story last week about the 5GBioShield which, for just 339 pounds, provides protection for your home and family thanks to the wearable holographic nanolayer catalyzer which can be worn or placed near to a smartphone or any other electrical, radiation or EMF emitting device. The vendors even explain how it works. Through the process of quantum oscillation, the 5GBioShield USB key balances and re-harmonizes the disturbing frequencies arising from the electric fog induced by devices such as laptops, cordless phones, Wi-Fi, tablets, et cetera. So maybe treat that one with respectful skepticism as well, although who couldn't do with a little quantum oscillation nowadays? 

Dave Bittner: [00:09:00]  And I am pleased to be joined once again by the CyberWire's chief analyst, Rick Howard. Rick, always great to have you back. 

Rick Howard: [00:09:06]  Thank you, sir. 

Dave Bittner: [00:09:07]  You are covering an interesting topic on this week's "CSO Perspectives," your podcast over on CyberWire Pro. And you're talking about resilience and business continuity. Now at first glance, in my mind, I would say there's a lot of crossover there, but there's more to this than meets the eye? 

Rick Howard: [00:09:25]  Yeah. And there's a little bit of controversy, too, which I didn't realize until I was looking into it, which is kind of fun. Resilience is - if you haven't heard - is the new buzzword for what people are trying to do in terms of keeping their organizations functional after some big cyber event. Now it could be a hacker thing like the Sony stuff, or it could be just some sort of natural disaster, right? But the whole mantra is make sure you - whatever you build can withstand a crisis like that so you can continue delivering services. And so when the business continuity people hear that, they say hey, hey, wait a second. That's what we do, OK? Because - (laughter) why do we need a newfangled marketing team for that or name for that? And it turns out that the business continuity people have been around since the '70s. I didn't even know that, right? But mostly those folks have been dealing with physical issues, you know, like I just said - natural disasters, earthquakes, force majeure kinds of things... 

Dave Bittner: [00:10:28]  Right. 

Rick Howard: [00:10:28]  ...You know, executives dying. You know, that kind of stuff. 

Dave Bittner: [00:10:31]  OK. 

Rick Howard: [00:10:32]  Resilience in the new digital age, especially as we've gone to the cloud, is really how do you make/build infrastructure as code - OK? - is how I look at it. You know, how do you build systems of systems that can withstand giant catastrophes and you never notice, right? And so I think that's the big difference. I think the resilience people can learn from the business continuity people because they've had lots of experience, and they know how to execute plans. Resilience is a fairly new idea, but I think there is a big separation there. And the two groups can learn from each other. 

Dave Bittner: [00:11:07]  You know, I can't help thinking about industrial control systems and the IT people versus the OT people. 

Rick Howard: [00:11:13]  I know. (Laughter) It does have a similar theme, doesn't it? 

Dave Bittner: [00:11:18]  Yeah, that's interesting. 

Rick Howard: [00:11:19]  You know, in my mind, too, when you talk about those things, it's not different. It's just a different protocol. How you protect all that stuff is - you know, the same strategies apply. So yeah, we all got to get on the same sheet of music here, I think. 

Dave Bittner: [00:11:30]  Yeah. How does it play out? Where do you go with this on your show? 

Rick Howard: [00:11:34]  Well, what's interesting is if you look at a company like Netflix - right? - they have this famous app that they call Chaos Monkey. And it routinely destroys pieces of their customer-facing infrastructure on purpose - right? - so that their dev ops people understand the value of resilience, right? And they're so good at it that I get to watch "Witcher" without any service outage even though I know they're having giant outages all the time because they're so big - because they designed it to be within their system. They've done so well with that they have all kinds of applications they call the Simian Army - you know, Chaos Monkey and Security Monkey and blah, blah, blah. So I love that - all right? - but that's the difference between what maybe resilience is in the digital age and what business continuity is in the physical world. 

Dave Bittner: [00:12:27]  Yeah, that's fascinating. I suppose there's lots of - I don't know - practice like you play here, where your rehearsals have to be realistic. 

Rick Howard: [00:12:34]  Oh, yeah. And when you know that the code that you're writing is going to be attacked and destroyed, you know, before you even deploy it - OK? - you do some things to make sure that customers won't notice. 

Dave Bittner: [00:12:47]  Yeah. All right. Well, check it out. It's the latest episode of "CSO Perspectives" over on CyberWire Pro. Rick Howard, as always, thanks for joining us. 

Rick Howard: [00:12:55]  Thank you, sir. 

Dave Bittner: [00:13:01]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single sign-on, password management and multi-factor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:14:43]  And I'm pleased to be joined once again by David Dufour. He is the vice president of cybersecurity and engineering at Webroot, an OpenText company. David, always great to have you back. I wanted to check in with you and see what kind of scams you all are tracking as we find ourselves in this ongoing situation with COVID-19. What sorts of things are on your radar? 

David Dufour: [00:15:05]  Hey, David. Always glad to be back. Great being here. Thanks for having me. You know, what's interesting, if a lot of folks can kind of put their marketing hats on, you know, COVID is just another branding of all the scams we typically see - the phishing scams, the fake website scams, the malware scams. And so really whatever is popular, that's what the malicious actors are really going to focus their tools in on. So right now, we're seeing a ton of phishing, a ton of fake websites that really are focusing on COVID and trying to draw people in. 

Dave Bittner: [00:15:40]  And how are they wrapping COVID around some of the well-known popular scams? Or are there any particular areas that they're focusing on? 

David Dufour: [00:15:49]  Yeah. So what we're really seeing a lot of folks doing - first of all, we're seeing 2% of all sites that have to do with coronavirus or COVID - 2% are malicious. So what people are doing is truly standing up sites that emulate or look like or have a look and feel of something to do with COVID in terms of do they want to donate, have you donate to the site. Or they're trying to pass on information and have you click through things that could be clickbait that installs malware. So you've got to be really aware of what you're doing when you're navigating just on the web. And now we're seeing a lot of phishing scams as well. David, you're very familiar with phishing scams. It happens all the time. And I know you're always calling me because you've infected your computer, given somebody, you know, your credentials and you want to know what to do. 

Dave Bittner: [00:16:40]  (Laughter) Yeah, that's true. That's absolutely true. 

David Dufour: [00:16:42]  But no, seriously... 

Dave Bittner: [00:16:43]  I have you on speed dial, yeah. (Laughter)

David Dufour: [00:16:44]  You do. You do. And your IT people are always calling me. David did it again. No, but in all seriousness, we're seeing a ton of phishing scams, emails going out there - again, people trying to get you to log into accounts based on COVID or donate money based on COVID. And a lot of these are fake sites that are being stood up. And all the standard phishing and all the standard malware safety mechanisms apply here. Make sure that you know it's a reputable site. Don't click that link, David. Navigate to the website and enter, you know, that you're certain you're on the site you want to be on. You know, folks like the Red Cross, you know, large charities that you're very comfortable with, they're taking donations that focus on this as well. So maybe go to those trusted sites instead of these pop-up charities that are trying to just get money quickly just so you're sure. 

Dave Bittner: [00:17:39]  Yeah. Yeah. Now you've also been tracking these folks taking advantage of - using some of the apps that have gotten more popular in the midst of all this, services like Zoom. 

David Dufour: [00:17:50]  That's exactly right. So we've seen a 2,000% increase in malicious files that are being sent through Zoom. We've seen, you know, when people are bombing Zoom, where they're trying to get in. And I don't want to just pick on Zoom. Zoom's done a really good job really quickly of putting tools in place to prevent and protect. Now the thing is, you have to enable those tools - things like requiring people to have a password to get in or having people wait in kind of a virtual lobby and you let them in. But a lot of - again, what's happening is anytime something's popular and malicious actors see that, they're going to jump on that wave and try to figure out ways to exploit it. So it's all about being vigilant - and we always talk about being vigilant - especially when it comes to COVID now. People's hearts are involved, and we're worried about our loved ones or other folks, and we want to help. We just have to maintain that vigilance - not be jaded, but have a little bit of wariness when we're doing things in this time. 

Dave Bittner: [00:18:50]  Yeah. All right. Well, David Dufour, thanks for joining us. 

David Dufour: [00:18:53]  Great being here, David. 

Dave Bittner: [00:18:59]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. We'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:18]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security, Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:19:58]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.