The CyberWire Daily Podcast 9.30.20
Ep 1184 | 9.30.20

Opportunistic paydays and soft targets. Crooks use captchas and padlocks, too. Protecting against Zerologon. A microelectronics strategy.


Dave Bittner: Hey, everybody. From the CyberWire studios at DataTribe, I'm Dave Bittner in my new hot tub (laughter). Who's my guest in the hot tub today? (Laughter). It's hot tub time with the CyberWire.

Dave Bittner: Ransomware gangs continue to look for an opportunistic payday. Another exposed database is found and secured. CAPTCHAs and padlock icons have their place, but they're not a guarantee of security. Microsoft explains how to reduce exposure to Zerologon. The U.S. looks to reduce dependence on foreign microelectronics. The U.S. Army thinks about what to call information warfare. Joe Carrigan has thoughts on Facebook running SuperPAC ads. Our guest is Sanjay Gupta from Mitek on how online marketplaces can balance security with biometrics. And there's just one more shopping day before National Cybersecurity Month. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 30, 2020. 

Dave Bittner: Ransomware operators continue to show that their target selection is a matter of high payoff moderated by opportunism. South Africa's Justice Department disclosed that the DoppelPaymer gang attempted an attack on the Guardians fund at the Masters office Pietermaritzburg, Reuters reports. The government-administered fund is held by the courts in trust on behalf of minors, unborn heirs and missing or absent persons. So far, no ransom demand has been received, but some of the data from the fund has been posted to a dark website. The incident is under investigation. 

Dave Bittner: Hospitals operated by Universal Health Services continue to work through the difficulties imposed by the ransomware attack the system suffered over the weekend. The ransomware, probably Ryuk, has forced the hospitals to revert to manual systems and to reschedule surgeries and other procedures. Hospitals are hoping that the incident amounts only to a disruption of IT services and not the theft of data. Ransomware, however, has evolved since last year to the point where data theft and the additional leverage and revenue stream stolen information brings with it are now a routine part of criminal practice. 

Dave Bittner: There's been another case of a large database containing personal information exposed online. Security researchers at Safety Detectives report that Bangalore-based e-learning vendor Edureka was operating an unsecured Elasticsearch server. About 25 gigabytes of personal information belonging to some 2 million users were exposed. The data included first names, email addresses, phone numbers, country of residence, login activity records and miscellaneous authentication token information. The data has now been secured. 

Dave Bittner: Two familiar security design elements should be viewed with a skeptical eye. The first is the CAPTCHA, designed to let you prove you are the natural person that you, your own wonderful self, in fact, are - and not just some mangy bot grifting its sleazy way around the internet. The cyberfirm Menlo Security, investigating a criminal campaign targeting the hospitality sector, found that the gang made extensive use of CAPTCHAs in their spoofed pages to lend credibility to their scam. So remember - just because they ask you to put a checkmark wherever you see a coconut or a parking space doesn't mean they're legit. 

Dave Bittner: The other comforting visual cue, the closed padlock in the browser bar, also means less than many users think. Threatpost draws a lesson from a recent Anti-Phishing Working Group report - criminals can use encryption, too. The padlock means that a site is protected by HTTPS encryption and has a Transport Layer Security certificate. This helps secure data exchange between users' browsers and the website they're visiting. The Anti-Phishing Work Group quotes digital risk protection company PhishLabs as saying, "The number of phishing sites using TLS continues to increase. Most websites, good and bad, now use TLS. Phishers are hacking into legitimate websites and placing their phishing files on those compromised sites", end quote. So have a skeptical eye but a friendly one. It's not that CAPTCHAs and padlocks are bad - they're not. It's just that they don't constitute a guarantee of safety. 

Dave Bittner: The Zerologon vulnerability continues to pose a significant risk, and Microsoft has published clarification of the patching and mitigation guidance it issued last month. As Redmond said at the time, a more comprehensive patch is in the works and is due to be released this coming February 9, when the fix moves to its Enforcement phase. For now, Microsoft wants users to understand that they should respond to the vulnerability in four steps. First, update your domain controllers with an update released August 11, 2020 or later. Find which devices are making vulnerable connections by monitoring event logs. Address non-compliant devices making vulnerable connections, and enable enforcement mode to address CVE-2020-1472 in your environment. As Microsoft points out, the vulnerability is being exploited in the wild, and reducing your exposure is important. 

Dave Bittner: U.S. Undersecretary of Defense for Acquisition and Sustainment Ellen Lord has outlined U.S. plans to disentangle supply chains from Chinese-produced microelectronics, Breaking Defense reports. The Defense Department is working on a microelectronics strategy intended to secure the Defense Industrial Base against both economic and cyber threats. That strategy will be designed not only to keep unfriendly intelligence services from selling the U.S. the rope with which they intend to hang America but also to encourage and foster the development of a robust domestic microelectronics sector capable of supplying Defense Department systems. 

Dave Bittner: And hey, hey, hey, hey, hey - red alert shields up. You've got less than one shopping day left. The U.S. National Institute of Standards and Technology wishes to remind all that National Cybersecurity Awareness Month begins tomorrow. It's a good time to reflect on things you do to make yourself and your organization more cybersecure. 

Dave Bittner: Biometric authentication has drawn attention during the pandemic in part because people don't really want to touch stuff right now. At the bank, at the grocery store, who really wants to enter their PIN number when, say, using face ID will verify your identity? On the other hand, some rightfully point out that the permanence of things like facial scans and fingerprints present their own challenges. Sanjay Gupta is VP and Global Head of Product and Corporate Development from Mitek, and he offers these thoughts. 

Sanjay Gupta: So on the verification side of the house, on the onboarding side, what we recommend and what our best practice is is to really, depending on the type of, you know, marketplace you are - if you're a realtor (ph) selling clothes online, you may let them come to your website but - and then put something in the cart and then ask them to go through kind of the verification process. And typically, we think of it - we think of that process being kind of layers of protection there - so asking for the ID - you know, having them take a picture of the ID, front and back, and being - then being able to provide the selfie. And the selfie would contain two pieces of it, which is, is that person live at the time when they're trying to onboard? And then matching the selfie to the photo really assures the person that's trying to sign up for the account is really the individual at the time when they're going through the process. 

Dave Bittner: You know, it seems to me like a big part of this is removing the friction. You know, if there's - I mean, I suppose study after study has shown that if there's too many steps, people tend to bail. 

Sanjay Gupta: That's correct. So that is the balance that you have to achieve, right? So getting new customers on board faster but also, in this day and age, you know, we've got a pandemic going on and more and more people are transacting online. You want to know that your own information is protected and nobody else is using your credentials to sign up for accounts and then, you know, transact on those. So it's also - from the consumer side of the house, they should be aware that it's actually for their protection, even though you may have to go through an extra step. I think more and more, especially in this day and age, consumers are willing to, you know, have a little friction in that process to ensure that there's some security on the back end. 

Dave Bittner: What about some of the things like behavioral biometrics where, you know, the systems are actually using the way that I do things, the way that I move my mouse? Or even - I've heard of studies where, you know, the way that I walk, my gait, you know, things like that, could be used to verify that I am who I say I am. 

Sanjay Gupta: That's correct. I mean, you have what's called device metrics and then behavioral biometrics associated with that. So how you browse, how you hold your device, how fast you type on your device - those are unique identifiers of you and your interaction with the individual - I mean, with the device. So even if, let's say, your wife or your spouse, you know, got onto the same device - the way they would hold it and the way they would transact on it would be a unique signature. And so companies have employed that. 

Sanjay Gupta: Now, what's interesting is that it's also scary for consumers because if they don't know if that's really happening and all of a sudden you pick up your device and you go into, you know, your front screen and then you get in and you go to your, let's say, bank account, and all of a sudden there's no password or anything that it asks for. There's this feeling of - well, wait a second. What really happened here? Where's my security? So it's too fast. (Laughter). 

Dave Bittner: Right. Right. You can't make it too easy. It's interesting, isn't it? 

Sanjay Gupta: It is. You know, human behavior is very difficult to predict. Right? 

Dave Bittner: Yeah, yeah. 

Dave Bittner: That's Sanjay Gupta from Mitek. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: This is something you and I discussed at length on our next episode of "Hacking Humans" - that 'tis the season for political advertising. 

Joe Carrigan: Yes. Yes, it is. 

Dave Bittner: And we've got an article caught my eye over on CNN. It's titled "Facebook Allowed Hundreds of Misleading Super PAC Ads, an Activist Group Finds." Lead us in here, Joe. What's going on? 

Joe Carrigan: So what is happening here, is there is a group called Avaaz, A-V-A-A-Z. I hope I'm saying that right. And they have found that two super PACs have emerged as what they call the worst offenders. And the first is a pro-Trump group called America First Action... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And then a Democratic group called Stop Republicans. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Right? Very creative names, right? 

Dave Bittner: Right, right (laughter). 

Joe Carrigan: These guys are super PACs, which is a political action committee which can accept money from people and spend it however it wants to benefit whichever candidate they want in terms of advertising. And they don't have to clear it with the Federal Elections Commission because it's a First Amendment issue. Right? 

Dave Bittner: Right, right. 

Joe Carrigan: In the U.S., people are allowed to make their own First Amendment statements, and they're even allowed to buy advertising for that. And I really wouldn't have that any other way, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But once again, we find out that they are producing misleading information and putting it out on Facebook, where it is getting huge amounts of traction. Now, if you look at the amount they spent, the Stop Republicans campaign - or PAC spent $45,000 on 30 ads with misleading information about the United States Postal Service, resulting in 1 million ad impressions. America First Action was a bigger offender here. They had spent $287,000 on 450 ads, making about 9 million impressions. 

Joe Carrigan: So Facebook has said, we're going to take political advertising this year, and Twitter has said they're not. Twitter has just walked away from this issue. They said, there's no way we can control this; there's no way we can vet the information being correct. And in fact, Facebook has even said, yeah, we're not going to vet information as being correct or incorrect when it comes from political candidates, but they still will vet it when it comes from something like a political action committee. That's a different body. But even when they're vetting it, they're not doing a good job of vetting it. 

Joe Carrigan: And this article quotes or paraphrases Fadi Quran, who is the campaign director of Avaaz. And he says many of the surviving ads - in other words, these are the ads that Facebook didn't pull; Facebook pulled the ads it found violated the terms. But many of the surviving ads were virtually identical to the ones Facebook took down, indicating that while the social media giant understands the content to be problematic, it is unable or unwilling to deal with it comprehensively across the platform. 

Joe Carrigan: This is a big problem. And this is why I say, don't get your political news from Facebook. I'd like to broaden that to say, don't get your political news from social media. But really, Facebook is a bigger offender here than any other platform that it competes with simply because of its reach. It's huge, it's massive, and it has this problem where it can't police its own content, and it's financially disincentivized to do so. By taking these ads, they're making money in the amount of upwards of half a million dollars from one of these political action committees. 

Joe Carrigan: Now, what's interesting also is that those - the money that I quoted earlier in the article is a small portion of the money that's spent by these political action committees. These political action committees spend millions of dollars putting these ads out there, and they use the Facebook modeling to push the ads to people that they want to push the ads to. 

Dave Bittner: Yeah, you know, to your point about them either being unable or unwilling to control this sort of thing in any meaningful kind of way, I often say that - in response to the - when you hear people say, oh, but we can't do that at scale, see, well, then maybe you shouldn't do that. 

Joe Carrigan: Right, exactly. 

Dave Bittner: Right? 

Joe Carrigan: Right. And that's what that's what Jack Dorsey and Twitter decided. They decided, we can't do this at scale, so we're just not going to do this. And I think that's the right decision. I agree with that decision a hundred percent. And Facebook should be following suit, but I don't think Facebook's going to follow suit. I mean, there's no way they're going to be able to walk away from the amount of money that they're making on these ads. 

Dave Bittner: Yeah, yeah. Well, it'd be interesting to see - I mean, I suppose it's hard to imagine, you know, regulatory relief here because, as you say, you have those First Amendment issues. And also... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Time and time again, particularly when it comes to political communication, politicians tend to exclude themselves from these sorts of regulations, right? Like, you know, you can't stand on the side of the road and wave your sign - unless you're a politician. Then it's fine, you know? 

Joe Carrigan: Right, yeah. That's exactly right. There's... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I don't want to get political, Dave, so I'm not going to. But (laughter) there are plenty of examples of things where these politicians vote themselves very nice cutaways that they get that the general population does not get or that even people who are challenging them do not get. 

Dave Bittner: Yeah, Yeah. 

Joe Carrigan: It's disconcerting to me. 

Dave Bittner: Yeah. Well, you know, make an effort to break out of your own political bubble there. We've only... 

Joe Carrigan: Right. 

Dave Bittner: ...Got a few weeks to go in this election period, so be sure to spread around your sources of information, trusted... 

Joe Carrigan: Yep. 

Dave Bittner: ...Information. 

Joe Carrigan: And... 

Dave Bittner: Try to... 

Joe Carrigan: ...Don't get your political news from Facebook or any other social media platform. 

Dave Bittner: Right, right. 

Joe Carrigan: Remember their business model is dependent upon engagement, which means they're going to show you something that you want to see. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: That's not conducive to good political thought. 

Dave Bittner: Right - something that's going to get you riled up, for good or for bad, right? 

Joe Carrigan: Right, exactly. 

Dave Bittner: Yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and you'll feel like you just stepped out of the salon. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.