Dave Bittner: Security trends during the pandemic include shifts in underworld markets and some enduring changes in the way organizations approach cybersecurity. Discount phones come preloaded with adware and fleeceware. TikTok files its lawsuit. Ben Yelin on the Massachusetts attorney general creating a data privacy office. Our guest is Nitzan Miron from Barracuda Networks on how brick-and-mortar shops have accelerated their shift online. And spoofing a bitcoin exchange to spread malware.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 25, 2020.
Dave Bittner: It's probably worth taking stock of how the pandemic has been affecting cybersecurity, since several organizations have released studies of trends they've been seeing and that they're now prepared to project into the mid-future.
Dave Bittner: First of all, COVID-19 has had an effect on the underworld and its markets themselves. Stolen credentials had been dropping in price before the pandemic hit, showing a long-term trend of commodification. Not only was the market flooded, but aggressive law enforcement had made the merchandise harder to move, producing a crash in prices.
Dave Bittner: But that's changed over the last few months. TechNewsWorld says the pandemic has reversed an underworld trend, driving stolen credential prices up. Credentials for delivery services and physical fitness brands are particularly valuable. A compromised Instacart account goes for an average of $22, Peloton credentials sell for $18, Postmates for $15 and Amazon for $14.50 U.S. bucks. People want to stay at home, and they'd like to stay fit. Some of the increased interest in these credentials derives from new users of these services whom criminals find susceptible to fraud. And their stolen credentials are fresh.
Dave Bittner: On the side of the defense, Microsoft thinks it sees five enduring trends for the security industry. According to a summary in TechRepublic, Redmond calls the first of these digital empathy - that is, the importance of designing a user experience for remote work that suits the users' needs and facilitates safe and security-conscious behavior on the part of employees working from home. Second, remote work has made the ability to handle an influx of potentially unsecured devices a priority. Microsoft's study suggests that 94% of the companies surveyed were in the process of deploying zero-trust capabilities.
Dave Bittner: Third, more datasets make for better intelligence. Phishing has risen, and organizations are finding that the ability to collect and analyze a diverse range of data enables them to recognize and block threats before they reach users. Fourth, cyber resilience is now perceived as fundamental to business operations. And fifth, the cloud has come to be seen as a business imperative. It not only serves efficiencies but, more importantly, it's come to be regarded as a crucial cybersecurity investment.
Dave Bittner: So how will things change as the pandemic eases, or recedes into the background? It's early to say, but a study by TransUnion concludes that, as businesses reopen their physical locations, scamming attempts against organizations have fallen off from their pandemic highs. But COVID-19-themed fraud directed against consumers has picked up some of that slack.
Dave Bittner: An investigation by Secure-D and BuzzFeed concludes that discount Chinese phones, sold for the most part in underdeveloped markets, arrive in consumers' hands with adware and fleeceware pre-installed. Most of the users affected have been located in Africa. The phones most affected are Tecno W2s, an inexpensive device that goes for about $30 in Johannesburg. The Tecno W2 is produced by Shenzhen-based Transsion, which since entering the market in 2014 has become Africa's leading seller of handsets.
Dave Bittner: As expected, TikTok has sued the U.S. government over the executive order that found the company a security threat. The Washington Post reports that TikTok says the government ban is not rooted in bona fide national security concerns. In its explanation of the suit, the company cites the steps it had already taken to secure user data, and it alleges that the executive order constitutes a violation of due process.
Dave Bittner: And, finally, Information Security reports the conclusions of researchers at the firm Abnormal Security that criminals are impersonating BTC Era, a widely used bitcoin trading platform. Victims are phished with encouragement to send money to what they're told will be an investment. As an investment scam, it's a little more plausible than the conventional advance fee scams, proverbially run by those purporting to be the bereaved widows of Nigerian princes who've been moved to ask you to deposit a bit of cash - throwing your bread upon the waters, as it were - with the prospect of a big, big payout.
Dave Bittner: This one is, as we've noted, marginally more convincing, especially given the feeding frenzy of pinksheet alt-coin speculation. It's more convincing because the criminals use the entirely legitimate and widely used email marketing provider Constant Contact to distribute their phishing emails. This also makes it easier for them to reach a big contact list without having to craft and spoof persuasive sender email accounts. And the goal seems to be installation of malware as opposed to the direct theft of the old-fashioned advance-fee scam.
Dave Bittner: The crooks ask for a minimum deposit of $250, which you can ride to wealth. The phishing message includes a link helpfully placed so the investor can follow it and create an account. After a meander through multiple redirections, the investor winds up on a landing page that requests permission to show notifications. Why not, figures the investor who is now ready to get speculating. When the investor clicks allow, that enables adware to run on the now-infected machine. The adware monitors user behavior and enables the criminals to spam from the victim's machine. So speculate if you must, but speculate with caution.
Dave Bittner: There's no question that online merchants like Amazon and Shopify have had an advantage over traditional brick-and-mortar shops when the pandemic shutdown hit. In order to survive, many of those brick-and-mortar shops have accelerated their shift to online sales. Nitzan Miron is vice president of product management application security services at Barracuda Networks, and he shares his insights on securing that transition.
Nitzan Miron: So what I think I've been seeing is this huge change that specifically comes from businesses that were not really set up to do online services before. Retail is probably the biggest service, but, you know, there are many others, whether it's things - real estate, car buying, many other professions, where in-person was really a big part of what they do. And with the pandemic starting, they found themselves in a position where it's either innovate or die.
Nitzan Miron: And what I've seen from the businesses I've spoken to is, there has been a huge amount of innovation in a very short amount of time, people that never thought that within, you know, two, three weeks they could launch a new app and change their business model entirely. But they've been doing it, and there have been amazing innovations, like, you know, video tours for real estate or video tours of cars that you want to buy or contactless delivery of cars, even, locker pickup, curbside pickup and all these things that really - they may have been there before, but not as ubiquitous as they are now.
Dave Bittner: You know, we're a couple months into this now, and as organizations look back at how they did, what are some of the lessons that they're learning?
Nitzan Miron: The number one lesson is, really, secure before you deploy, launching even for a day, even for a week, even just the temporary solution. Cybercriminals are very adept at finding new things and finding updated things and finding weaknesses in them. And if you deploy, say, an open-source version of Magento, which is an e-commerce platform, and you deploy a version that has vulnerabilities, you can expect attackers to find those vulnerabilities within 24 hours.
Dave Bittner: What are your recommendations for organizations now at this stage of the game? Should they have other people come in to take an outside look at what they've done? What sort of things should they do to make sure that they're where they need to be?
Nitzan Miron: You know, a lot of vendors, a lot of security vendors, offer free assessments. And these are automated tools where you log in and you give them some information about your environment and they scan it and they give you kind of the attacker's view, right? Here's what an attacker would have found in your environment. And it's almost always a free service, which is obviously a selling point for the rest of the products that you can buy. But it gives you a really good idea of where you are. And maybe you're in a good spot, maybe you're in a bad spot, and it'll come with specific recommendations for how to fix these problems.
Dave Bittner: Where do you suppose we're going to be when we get on the other side of this? Do you think this is going to have a big impact on how many organizations look at doing business from a broader view?
Nitzan Miron: I really do. And what I've been hearing from a lot of businesses is as soon as they made that shift to online, they found out that customers actually prefer it. Hey, I would love to view a new car from the comfort of my own home using my phone, rather than having to drive all the way to a dealership or to a private party. And, honestly, as a customer, I would love to continue doing that even when the pandemic is over. And I think a lot of businesses are realizing that this kind of expedited digital transformation that they're going through is actually here to stay. It's not just a temporary stopgap measure; it's actually something that they're going to have to keep online.
Dave Bittner: That's Nitzan Miron from Barracuda Networks.
Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, great to have you back.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: Interesting article came by. This is from Wall Street Journal Pro in their cybersecurity section, written by David Uberti. And this is about the Massachusetts attorney general creating a unit to police data privacy and security abuses. This is an interesting development here, Ben.
Ben Yelin: Yeah. So a number of states have taken this step, and Massachusetts is the latest to do so. The attorney general appointed an assistant attorney general to lead this department. It's a small group of states that have established these data privacy offices, but it is a growing number of states, and I think it's certainly in reaction to a need. I mean, we've had high-profile data breaches, and states want to be at the forefront of protecting their consumers. And so I think it's certainly a commendable effort on behalf of the state of Massachusetts.
Dave Bittner: What sort of things are they going to be focusing on here?
Ben Yelin: I just think it's a general focus for consumers on protecting their data privacy both from breaches and from malicious actors and looking at deceptive practices that result in the undue collection of consumer data. So you have instances where a company might be misleading a consumer about what data is being collected. This is the type of office that would investigate and potentially levy fines or file lawsuits against one of these companies. So it's kind of like any consumer watchdog organization housed within a state government, where they're going to be proactive and look at potential abuses of consumer privacy and try and take legal action against it.
Dave Bittner: Now, have you been seeing any sort of pattern when it comes to states establishing these offices? Are we seeing these more in blue states or red states, or has it been a pretty even mix throughout?
Ben Yelin: So it tends to be more blue states. You know, they generally have more active governments and are more eager, shall we say, to enact regulations. But it is not solely Democratic states. Your prototypical purple state, Florida, started a similar organization. They built a dedicated privacy and security enforcement team housed within the consumer protection division of the AG's office, the attorney general's office, in the state of Florida. And, you know, they were able to have a robust department - three attorneys dedicated full time to data privacy.
Ben Yelin: I mean, I think part of it is if you were to just have your standard consumer protection agency or subagency of an attorney general's office, it would be difficult to handle the influx of reports that come into these offices about data breaches and privacy breaches. So I think having a dedicated office is something that's going to make a huge difference.
Ben Yelin: Now, as it is always in these situations, it's going to come down to, are sufficient resources being allocated to these apartments - departments? I think they say in Massachusetts it's going to be two attorneys to start. So - you know, so that's relatively limited. And, you know, I think when Attorney General Healey wanted to start up this division, she probably didn't realize that we'd be entering a global recession where, you know, state and local revenues are going to be drying up, and it's not going to be easy to expand state governments. So I think that's going to be the main constraint here in trying to develop an effective agency.
Dave Bittner: What about within the states themselves? In other words, do these - these folks are sort of functioning as consumer advocates, as consumer watchdogs. Are they - is it expected that they would be - within state government, to be reaching out to other departments - you know, you and I have talked about stories, for example, where, like, DMVs are sharing lots of information about people. You know, would these folks be advocating for consumers within the state government itself?
Ben Yelin: Absolutely. I mean, I think that's fully within their purview. Now, there are some state government organizations that are more devoted to internal audits of government agencies, and, you know, so there might be some cross-jurisdictional efforts there. But I think if you're going to have a data privacy effort, you have to realize that data breaches happen, and abuses of data privacy happen at - in both the public and private sectors. So you can't have an effective office if you're not solely focused on one or the other.
Ben Yelin: Another thing I thought is interesting here is a lot of states want to sue some of the big companies where there have been these high-profile data breaches, like Equifax. And if you have an office like this that you've set up, you're really on the front lines in terms of enforcement and regulations. You're going to be best situated to join one of those lawsuits, you know, to be one of the attorneys general who enters into that type of lawsuit. And that's going to be very beneficial for your state's consumers, particularly if there's some sort of large settlement, as we've seen in a number of these data breaches.
Ben Yelin: So that's kind of the tangible benefit I would see from the consumer's perspective, if you live in one of these states because, as an individual consumer, you don't have much bargaining power. You know, you or I - it's going to be tough for us to go one on one with Google (laughter) on a data privacy lawsuit. But if your state has a dedicated team focusing on data breaches and potential privacy invasions, then it's going to be much easier to develop a cause of action.
Dave Bittner: Right. And they're going to even just demand a response from large tech organizations.
Ben Yelin: Absolutely. Absolutely.
Dave Bittner: Yeah. Yeah. All right. Well, interesting stuff. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it stays crunchy even in milk. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.