The CyberWire Daily Podcast 9.9.20
Ep 1169 | 9.9.20

Ransomware slows down many students’ return to school, even virtually. Hacking gamers. Patch Tuesday. Notes on election security from CISA.

Transcript

Dave Bittner: Back to school time for everyone - or it would be if it weren't for all that ransomware. The sad criminal underworld stealing from online gamers. Notes on Patch Tuesday. Joe Carrigan considers digital comfort zones. Our guest is Sandra Wheatley from Fortinet with key findings from their new report on the cybersecurity skills shortage. And some thoughts on election security and disinformation from the U.S. Cybersecurity and Infrastructure Security Agency.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 9, 2020. 

Dave Bittner: A number of U.S. school districts already stressed by the unfamiliarity of distance-learning systems, whose use the COVID-19 pandemic has imposed on them, are recovering from a range of cyberattacks. A few, like the distributed denial-of-service attack the Miami-Dade Public Schools sustained last week, were essentially cyber-enabled truancy. So easy a teenager could do it, WPLG sniffed haughtily. A lot of teenagers, we should note, have experience with booters, some of it gained in their play of online games. But ransomware seems to have been more common. The case of the Hartford (Connecticut) Public Schools is representative: a ransomware infestation forced a delayed opening. 

Dave Bittner: Schools in Toledo, Ohio, and Clark County, Nevada, were among the larger systems similarly affected. Schools are reopening as they're able, but Tuesday's planned first day was, for many students, disrupted. 

Dave Bittner: It's not difficult to see why schools have been appealing targets. Ransomware operators are attracted to targets during periods of heightened vulnerability, and schools attempting to operate either fully remotely or in some hybrid combination of distance and in-person instruction present criminals an opportunity. They depend upon high availability. They have a large number of users and a difficult-to-control attack surface. And as we mentioned above, remote instruction remains an unfamiliar process - complex and fraught with unfamiliar challenges in planning and execution. 

Dave Bittner: So these attacks are the main thing the kids have to worry about, right? Well, no, not really. If you're a kid yourself or if you know kids or live with kids, you may have noticed that a lot of them spend a great deal of time online, like playing games. 

Dave Bittner: So The Wall Street Journal yesterday summarized the implications of another threat to youth. Online games themselves present a big attack surface, and the players are attractive targets for a variety of reasons. Online vandals simply enjoy interfering with others' ability to play. Online bullies find games another space in which they can threaten and demean others. And, of course, there are things of value, like credentials and skins, to be stolen. 

Dave Bittner: The Journal leads with the story of a teenaged boy who found in April that his credentials for the online game platform Steam were incorrect. After Steam restored his access, he found that some $200 worth of games he'd purchased had disappeared. Further review showed that someone had been signing into his account from an IP address in Moldova. 

Dave Bittner: There are other examples, and The Journal makes its case that online game fraud is widespread. They offer some advice on protecting accounts. Most of it has a familiar ring - use two-factor authentication and strong passwords, for example, check the URL address to make sure you're not following a phishing link, and never click on a link in an email telling you there's a problem with your account. 

Dave Bittner: Two other bits of advice are also good, but, as anyone who is or knows a kid will tell you, amount to counsels of imperfection - never share login information even with friends, still less with "friends." And, finally, set up parental controls to ensure that purchases can't be made without parental approval. To these last, we wish everyone luck. When advising teenagers on such matters, well, as Catullus said, write it on the running water; write it on the air. 

Dave Bittner: Yesterday was September's Patch Tuesday, and the Zero-Day Initiative has a summary of the major fixes. Adobe's three patches addressed FrameMaker - out-of-bounds read and stack-based buffer overflow - InDesign - memory corruption problems - and Experience Manager - mostly cross-site scripting issues. 

Dave Bittner: Microsoft's 129 fixes dealt with issues in Microsoft Windows, Edge, ChakraCore, Internet Explorer, SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive and Azure DevOps. Twenty-three of the patches are rated critical, 105 as important and one as being of moderate severity. 

Dave Bittner: U.S. Cybersecurity and Infrastructure Security Agency Director Christopher Krebs sees no serious signs of attempts to hack, in the narrow technical sense, U.S. voting infrastructure. Director Krebs said yesterday during the Billington Cybersecurity Summit, quote, "The technical stuff on networks, we're not seeing. It gives me a little bit of confidence," end quote. Reuters observes that this would seem to qualify remarks made a few weeks ago by U.S. national security adviser Robert O'Brien, who warned of the likelihood of Chinese attempts against election infrastructure. 

Dave Bittner: CISA has been receiving reports from state and local election officials, and Director Krebs hasn't seen anything alarming there, at least not in this respect. Disinformation is another matter. DHS and its CISA unit are seeing enough of that. 

Dave Bittner: One possibility Krebs brought up yesterday involved the probability that election results might well take longer to tabulate than the swift results Americans have become accustomed to over the last few decades. Quote, "This is probably going to take a little bit longer to do the counting because of the increase in absentee ballots," the Voice of America quoted him as saying, "I'm going on to ask for people to have a little bit of patience. Democracy wasn't made overnight," end quote. What conclusions can be drawn from this? For one thing, it's likely that delays in counting votes could be used in hostile disinformation designed to sow doubt about the results' validity. This would be useful in particular for threat actors with the negative goal of exacerbating existing social division and mistrust. So be patient and recognize that we live online, surrounded by a lot of nonsense and confusion. Cultivate your garden. 

Dave Bittner: Depending on who you ask, the cybersecurity skills shortage - that is, the shortage of qualified workers to fill open positions - sits somewhere between the most serious issue facing the security industry today and an overhyped delusion that doesn't match the reality on the ground. Sandra Wheatley is from Fortinet. And she joins us with key findings from their new report on the cybersecurity skills shortage. 

Sandra Wheatley: I believe the skills shortage is one of the biggest challenges that security organizations are dealing with. In fact, from the survey, we found that 68% of respondents reported that their companies are struggling to recruit, hire and retain talent. And in fact, I was talking to a CISO recently. And he was telling this story of how, you know, one of his top people had been hired and had a 100% increase in pay. So it's a constant challenge. And we believe that you would need over 4 million professionals just to close the skills gap alone. 

Dave Bittner: One of the things that your research points out here that caught my eye was the role that veterans could play in closing this skill gap, the important role that they could have. 

Sandra Wheatley: Yes. We started our veterans program about two years ago, and it's been hugely successful. It turns out that veterans have a lot of the skill sets that cybersecurity requires. And if you think about it, cybersecurity started in the armed forces and defense. And that's where it really sprung up. And a lot of those skills map to cybersecurity very well and so our cybersecurity program - not only does it provide our training, but we also do job skills training, mentoring, interviewing skills, resume building. And so far, we've trained 400 veterans in the last two years. Two hundred of those veterans have been hired into technology because what we do is not only once they receive their certifications - we also try to map those to jobs that our channel partners have and really just complete that whole loop. 

Dave Bittner: Is there a sense that we're gaining ground on this? Do you think there's hope that we could actually close this gap? 

Sandra Wheatley: I mean, I think we're doing all of the right things. I see the one thing that's very encouraging that I think is really required is we're seeing more partnerships, private-public partnerships, coming together to tackle this issue. Of all of the initiatives, this one definitely has probably the most support. So I think this is what is required to really improve the situation. 

Sandra Wheatley: I mean, the other area I think we need to tap into is getting more females into the industry. Only 14% of the workforce is female. And I came into cybersecurity four years ago. And I - of all of the IT industries I've worked in, it's the most thrilling and dynamic and interesting industry. So I think there's a lot of opportunities for women to come into the industry, but it does mean breaking some of the stereotypes and really marketing cybersecurity and educating females much earlier and really focusing on how you market to them. 

Dave Bittner: That's Sandra Wheatley from Fortinet. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article from the folks over at Kaspersky. They did some surveying, and they published this article called "More Connected Than Ever: How We Build Our Digital Comfort Zones." That's a new term to me. What do you make of this, Joe? 

Joe Carrigan: Yeah, it's an interesting survey. They have gone out and surveyed over 10,000 people in a bunch of different countries, including the U.S., the U.K., UAE, Turkey, Thailand, Saudi Arabia. I mean, it's a lot of countries. 

Dave Bittner: All over (laughter). 

Joe Carrigan: All over the place. And they've gathered some data. And they're looking at a couple of things. One of the first things they're talking about is how we spend our time now that we're in lockdown. And it turns out the biggest increase among a group of people is among people like us, Dave. People like us are spending much more time online, an increase of about 2 1/2 hours a day. 

Dave Bittner: You mean in our age group. 

Joe Carrigan: In our age group, yes. 

Dave Bittner: Yeah. 

Joe Carrigan: People in our age group. It's broken down by age group. And, of course, they call them Generation Z, Millennials and Generation X. And then they define those age groups pretty rigidly. And, actually, Generation X is generally the generation that you and I fall into. But I don't know that we'd fall into this survey group. 

Dave Bittner: Right. 

Joe Carrigan: Because it's a little younger than us. Interesting. So older people are spending more time online. What are people worried about in terms of their online connectivity and their security of their online information? Sixty percent of people are worried about personal payment and financial details that are saved on their devices. Generally, Dave, I don't use mobile applications for banking. I only use them when I absolutely have to, like, to deposit a check. In the early part of the pandemic, I had to use it to deposit check to - because I couldn't get to the bank 'cause it was closed, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Everything else I do on my PC when I'm doing these payments. I don't do them on a mobile device. And I have all my credentials stored in a password manager. I don't stay logged in on that device. So... 

Dave Bittner: Right. 

Joe Carrigan: ...To most of the financial institutions' credits, they will actually lock you out after a short period of inactivity. So... 

Dave Bittner: Yeah. 

Joe Carrigan: On a web browser. But that is not the case on phone apps. They'll keep you logged in on a phone app indefinitely. So I think that's a good concern - being concerned about the ability of people to access your credentials via your phone. Just somebody picking up your phone, if you have your banking app on there, you may very well be giving them access to it unless you have some kind of, like, biometrics like a fingerprint or something on it. 

Dave Bittner: Yeah. A couple of things that struck me in this report - one of them was about sharing of accounts. 

Joe Carrigan: Right. 

Dave Bittner: Things like Netflix. And I think that's very common. But they were pointing out that, for some generations, basically sharing the Netflix credentials with your roommates is quite common. 

Joe Carrigan: Yeah. Yeah. Well, and that's - I think that's within the licensing agreement of Netflix, isn't it? I mean, you're... 

Dave Bittner: I don't know. 

Joe Carrigan: You're buying a license for a household. So everybody in that household can watch up to two screens if you pay the two-screen price. Or if you have the four-screen price, you can pay a little bit more. I don't know that I would share credentials. In fact, the Hulu account that we use in our house is my son's Hulu account. And my son lives with me. So this is within the terms and conditions. But he didn't share the credentials, either. He said go ahead and use the online activation. And I'll - just tell me what the code is that shows up on the screen, and I'll activate it for you. And I felt a moment of pride. 

Dave Bittner: Oh, the apple doesn't fall far from the tree, does it? 

Joe Carrigan: That's right. 

(LAUGHTER) 

Joe Carrigan: My chest swelled with pride when he said that. 

(LAUGHTER) 

Dave Bittner: Another thing that struck me here that I thought was kind of funny - they asked who takes that technology lead in the home. And four-fifths of male respondents claimed that they take the lead in making IT decisions for their household. But this is contradicted by three-fifths of women stating that they take the role. 

(LAUGHTER) 

Joe Carrigan: There's some overlap there. There's at least some percentage of people that think they're in charge, while the other person also thinks they're in charge. 

Dave Bittner: Right. Right. (Laughter) Yes, dear. Oh, you're totally in charge, dear. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Here's one thing I found very concerning in the report, and it's just one sentence. It says over a third - 37% of millennials doubt they are of interest - enough interest to cybercriminals to be attacked. This is one of the things - when I give talks, this is one of the things I say - is that you are of interest. It doesn't matter if you think you're not. You are of interest to these attackers. Do you have a bank account with any money in it? Twenty dollars, $5 - it doesn't matter. That's of interest to a cybercriminal. Do you have personal information? Do you have accounts online that people could sell for any value? Yes. Of course, if you're online - if you're a Millennial in particular - you're part of the digital-native generation, right? You've grown up online. You have all these different accounts online. That all has value. You are of interest to cybercriminals, period. If you have any kind of online presence at all, you're of interest. 

Dave Bittner: Yeah. Yeah. All right. Well, again, the report is from Kaspersky. It's titled "More Connected Than Ever Before: How We Build Our Digital Comfort Zones." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed. And it's free of dyes and fragrances. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash (ph), Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson (ph), Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.