The CyberWire Daily Podcast 10.27.20
Ep 1202 | 10.27.20

Election phishing, without hook, but with line and sinker? Data breaches, and the importance of prompt disclosure. Misplaced hacktivist sympathy.


Dave Bittner: EI-ISAC reports a curious election-related phishing campaign - widespread, but indifferently coordinated and without an obvious motive. Nitro discloses a low-impact security incident. A breach at a law firm affects current and former Googlers. Finnish psychological clinic Vastaamo dismisses its CEO for not disclosing a breach promptly. Ben Yelin and looks at a controversial White House plan to divvy up 5G spectrum. Carole Theriault shares results from Panaseer's 2020 GRC Peer Report. And a terrorist murder finds support online.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 27, 2020. 

Dave Bittner: The Elections Infrastructure Information Sharing and Analysis Center, the EI-ISAC, has alerted local authorities in the U.S. to an apparently widespread phishing campaign in which unknown actors are contacting election officials with spoofed emails. The Wall Street Journal reports that EI-ISAC describes the messages as potentially malicious, although most don't include the malicious links normally used in phishing. 

Dave Bittner: The Journal quotes EI-ISAC to the effect that the emails don't appear particularly sophisticated or highly coordinated. The ISAC said, quote, "while these phishing messages appear to be part of a widespread campaign, the source and motive remain unclear," end quote. So there are a variety of possibilities - bungled criminal or hacktivist work, espionage services trying to habituate targets to opening their emails or just the usual crew of maladjusted skids doing things for the lulz. 

Dave Bittner: Australian document services company Nitro says it sustained a low-impact security incident, but BleepingComputer says researchers at Cyble have found Nitro user and document information for sale on the dark web. 

Dave Bittner: ITWire contacted both Cyble and Nitro about the incident. Since Nitro has a number of large, high-profile users, their response is worth quoting. The company told iTWire, quote, "Nitro continues to investigate an isolated security incident involving limited access to a Nitro database by an unauthorized third party. The database does not contain user or customer documents, which are hosted in a separate database. There is currently no established evidence that any sensitive or financial data relating to customers has been compromised. There is no impact to Nitro Pro or Nitro Analytics. Usage of Nitro's popular free document conversion service does not require users to create an account or become a Nitro customer. Users are required to provide an email address, and common email domains are frequently entered," end quote. 

Dave Bittner: Cyble thinks the incident is more serious than that. They told iTWire and BleepingComputer that they found both user and document databases, as well as a terabyte of documents, up for auction in a dark web market. Opening bids are set at $88,000. That's $112,000 Australian, not that any of you would be in the market for stolen data. The incident remains under investigation. Nitro reported the breach to the authorities and is cooperating with law enforcement. 

Dave Bittner: The law firm Fragomen, Del Rey, Bernsen & Loewy, which provides Google with I-9 employment verification compliance services, disclosed Friday that it had been breached and that some Google employees' personal information was compromised. Which data elements apparently vary with the individual. Fragomen's disclosure letter it sent to affected individuals says that names were compromised, along with other information that depends upon what Fragomen had. 

Dave Bittner: The board of Finnish psychotherapeutic practice Vastaamo has dismissed the clinic's CEO after concluding he'd been aware of a significant data breach for more than a year without disclosing it. Finnish news media report the breach began to come to light last week when people complained to various tabloids that they were being held for ransom. An update from the BBC says the breach included records of therapeutic sessions, which presumably lends urgency to the extortion demands being made of the individual victims. 

Dave Bittner: Victim Support Finland has advice for those affected. It offers both general emotional support as well as some advice specific to the details of how Finnish law handles privacy. Some of its advice, however, is generally useful wherever you might live. If you've become a victim of cyber extortion, take a screenshot if you discover your stolen data posted to the web, and do the same with any demands for ransom. Finally, of course, don't pay the ransom. If it's any consolation, civilized and well-disposed people won't hold it against you that you've sought therapy. 

Dave Bittner: The general lessons for organizations here are familiar. First, bad news doesn't improve with age. And second, whistling past the graveyard is unlikely to be an effective incident response technique. 

Dave Bittner: One would think that the terrorist execution of a schoolteacher by beheading would not be seen as something to celebrate or support. Alas, one would be wrong. 

Dave Bittner: You may recall seeing reports of the awful murder of Samuel Paty 10 days ago in the Paris suburb of Conflans-Sainte-Honorine. He was killed by an Islamist extremist because he had shown some of the cartoons of the Prophet Muhammad that Charlie Hebdo had published in 2015. Those cartoons prompted a massacre at the newspaper's offices shortly after they were published. They've evoked that response again. Monsieur Paty's murderer was shot by police shortly after his crime. 

Dave Bittner: The Dhaka Tribune now reports that Bangladeshi hacktivists identifying themselves as Cyber 71 have taken up the cause of the extremist, may his name be forgotten. Cyber 71 claimed responsibility for the defacement of various French commercial websites in retaliation for perceived insult to the Prophet. Police in Dhaka say they're open to investigating reports of cybercrimes, even though they think this one may fall outside their jurisdiction. 

Dave Bittner: Continuous controls monitoring platform provider Panaseer recently published their 2020 GRC Peer Report, GRC being short for governance, risk management and compliance. Our U.K. correspondent Carole Theriault has the story. 

Carole Theriault: We are here today to try and answer a rather big question. How are the security gurus out there feeling about their defenses in 2020 now that there's this whole new landscape to contend with? I've invited Charaka Goonatilake, CTO of Panaseer, to share some of the insights they've gathered on the cyber pulse of the nation's experts. Thank you for coming on the show, Charaka. 

Charaka Goonatilake: Thank you, Carole. Thank you for having me. 

Carole Theriault: So first, a bit about Panaseer. As I understand it, you guys help big companies better understand their operational risks. So does that mean if you have an employee and they're not cyber trained, they increase your risk? Is that a fair way of explaining it? 

Charaka Goonatilake: What we recognized when we started the business about five years ago was that the vast majority of companies are struggling with some of the most fundamental basics of cybersecurity. They simply don't know what assets they have to protect and whether the various security controls that they've deployed are being deployed correctly to protect those assets. 

Charaka Goonatilake: So you mentioned, you know, users. People are potential risks. And, you know, we have controls like security awareness training to mitigate that. But are those actually being effective to protect the organization? And actually having this visibility into your security posture could actually prevent a vast majority of the cyberattacks. 

Charaka Goonatilake: And also, we're seeing a growing level of scrutiny from the regulators. You know, there's so many regulations that these organizations have to comply with. And the organizations are struggling to measure their security posture and report accurately against all these compliance requirements. 

Carole Theriault: You know, I hate to blow my own trumpet, but I think I'm one of the few thousand people that actually read the entire GDPR regulation (laughter). Now, you guys recently published a report that provides insight into how security professionals in the finance industry are feeling in the face of this new digital landscape. Can you share a few highlights about that? 

Charaka Goonatilake: Yeah, the - what we've seen is that GRC teams in these financial services companies are increasingly subject to time-sensitive requests from the regulators. And there's lots of quite complex and scrutinizing questions. 

Carole Theriault: And just for some of us, what does GRC stand for? It's obviously an acronym. 

Charaka Goonatilake: Yeah, that's right. So it stands for governance, risk and compliance. 

Carole Theriault: OK. 

Charaka Goonatilake: And it's part of the organization that, you know, looks after all of the risks that the organization is facing and helps to manage that, and also looks at all of the compliance obligations that they have and makes sure that the organization is actually being compliant. 

Carole Theriault: Go on with your highlights. Fantastic. 

Charaka Goonatilake: These organizations may well be secure, but what they're struggling with is to prove that they're actually secure. 

Charaka Goonatilake: GRC leaders are frequently unsure if they're actually giving accurate security data to these regulators and auditors. In many cases, this information is likely to be incomplete or out of date or just based on subjective beliefs that they have. 

Charaka Goonatilake: The GRC report, the survey that we ran - there were a couple of key findings that we pulled out from it. First of all, what we're seeing is that the traditional GRC tools are simply not fit for the current challenges. Less than half of the GRC leaders are confident that they can fulfill the security-related requests from the regulators. 

Carole Theriault: Less than half? 

Charaka Goonatilake: That's right. 

Carole Theriault: Wow. 

Charaka Goonatilake: Yeah, yeah. And 92% are looking for quantitative rather than qualitative reporting to assure their security controls. And also, there's a huge overload in the number of requests that they're facing as well. 

Carole Theriault: It sounds like they're, like, neck-deep in the proverbial, you know? 

Charaka Goonatilake: Yeah. 

Carole Theriault: Any main key points you would tell these people, these people that are feeling stressed out? 

Charaka Goonatilake: The main takeaway is that the GRC functions in these organizations need to become more data-driven, as with other departments. You know, if you think about a CFO, they're not relying on manually adding up reports when they're balancing the books. And the same principle applies to security information being given to regulators, auditors and the board. And really, the main thing that these organizations need is a automated way of delivering trusted insights. And we're seeing this is a critical requirement that is emerging for these GRC functions. 

Carole Theriault: Yeah, makes sense. And I wish we had more time to go through more of your highlights. Listeners, you can find out more about this research from Panaseer on their website, Charaka, thank you for giving us your time. I really appreciate it. 

Charaka Goonatilake: Thank you very much, Carole. Thanks for having me. 

Carole Theriault: This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: Interesting story that caught my eye today. This is from CNN, and it's titled "Administration Officials Alarmed by White House Push to Fast Track Lucrative 5G Spectrum Contract, Sources Say." Ben, I don't know if you've been living in a cave or not, but this 5G thing seems to be a... 

Ben Yelin: Pretty big deal, yeah. 

Dave Bittner: (Laughter) Seems to be kind of a big deal, and seems like the White House has their eye on it. And some folks want access to some of that spectrum. What's going on here? 

Ben Yelin: Yeah. I mean, so this spectrum is just an extremely valuable resource, as you can expect. It's going to be - no matter who wins this contract, it's just going to be an enormous financial windfall for that company. 

Ben Yelin: So what some administration sources have been telling the media - there is a large push within the highest reaches of the White House to encourage Pentagon to accept what's basically a no-bid contract from the company Rivada. They want to fast-track Rivada's request for proposal in a way that would preclude the more competitive bidding process you would usually see for something like this. 

Ben Yelin: So obviously, most people are familiar with how this works. But generally, you have this request for proposal. Every company puts in their most competitive bid. The government chooses the one that hopefully will be the most cost-effective to the taxpayers. 

Ben Yelin: That seems to be what is not happening here. There are allegations that allies, political allies of the administration, have been pushing, particularly the chief of staff to the president, Mark Meadows, to have this fast-tracked. One of those individuals is our old friend Karl Rove, who is a Republican political strategist from the George W. Bush era. 

Dave Bittner: Yeah. 

Ben Yelin: He is also an formal/informal adviser to the Donald Trump reelection campaign. And he's a lobbyist for Rivada. And he's apparently been getting in the ear of administration officials trying to push this. Now, he's denied doing that. And, you know, he claims, when he was asked about it by CNN, that he would turn down a no-bid contract. To me, that language leaves a lot of wiggle room. It might not technically be a no-bid contract, but if they were given an advantage in this process, it still would be, you know, an unfair process and would disfavor the interests of the consumers. 

Dave Bittner: Right. 

Ben Yelin: And then there's former Speaker of the House Newt Gingrich, who also seems to have connections with Rivada. He's been advocating for the Pentagon to grant those contracts to the company. Even though he's not officially a lobbyist for Rivada, administration sources have said that he's one of the people that's been pushing this, and he's also a major political ally of the president. 

Ben Yelin: Interestingly enough, former Speaker Gingrich said he never advocated for Rivada. However, if he did it - (laughter) in the words of O.J. Simpson... 

Dave Bittner: (Laughter). 

Ben Yelin: ...He would've done it pro bono as a citizen. And I'm sure we all believe the veracity of that statement. 

Dave Bittner: Out of the goodness of his heart - yes, yes (laughter). Well, and I think it's worth some clarification here that - a couple things. So this is spectrum that currently belongs to the military. 

Ben Yelin: Right. 

Dave Bittner: It's been set aside for them. And so this pushes for them to share that spectrum with private industry for the public good. Obviously, you know, this spectrum can be used for a lot of things, and there are many good uses for it. This article points out that a government auction of 70 megahertz of spectrum back in August went - sold for more than $4.5 billion. And this is for 350 megahertz of spectrum, five times as much. So we're talking about some big dollars here. 

Ben Yelin: Yeah, and this is a great opportunity for the government. I mean, the government controls a lot of resources. This is one of their most valuable resources, having the Department of Defense have domain over the spectrum. So it certainly behooves the administration and the country for, you know, there to be a competitive bidding process to make sure that we are getting our money's worth, that whatever deal is agreed to is in the best interest of the American people and the consumers. 

Ben Yelin: So any effort to sidetrack that competitive bidding process is going to have a really negative impact on, frankly, our bottom line as a country. I don't know if you've heard. Our budget situation isn't exactly in tip-top shape. 

Dave Bittner: (Laughter) No, we're - no, no, it's not. No, not all... 

Ben Yelin: Yeah, you know, this is a small - you know, this is a - certainly a small piece of that. 

Dave Bittner: Yeah. 

Ben Yelin: But, you know, if you are one of those people, like many of us, who think that every dollar counts, if you use this, what's essentially a no-bid process, you not only could be doing something that reeks of cronyism and potentially corruption, but you could be doing something that negatively affects our nation's finances. 

Dave Bittner: Yeah, and worth noting here that there's bipartisan concern about this. There's - this is not - there seems to be plenty of people who want to take a closer look at what's going on here. 

Ben Yelin: Absolutely. I mean, from a Republican, conservative perspective, this is a no-brainer. You want there to be a competitive process that relies on the innovations of the free market. 

Dave Bittner: Yeah. 

Ben Yelin: I mean, that's bread-and-butter Republicanism, and that's been reflected in some of the statements we've seen from Republican senators. My guess is that now that this story has gotten on the radar and has been picked up by the media, you know, we might see more of an organized pushback against this that might force... 

Dave Bittner: (Laughter). 

Ben Yelin: ...The Pentagon to avoid the appearance of impropriety. 

Dave Bittner: Right. Ixnay on the uncompetitive bid (laughter). 

Ben Yelin: Yeah. 

Dave Bittner: (Laughter) Yeah, yeah. 

Ben Yelin: Exactly. They... 

Dave Bittner: Yeah. 

Ben Yelin: ...Tried to pull a fast one on us but couldn't quite make it. 

Dave Bittner: Interesting. 

Ben Yelin: But I think it's incumbent upon all of us to keep our eyes on this because it's really important for the future of 5G. It's really important for the future of good government as well. 

Dave Bittner: Yeah. And I think, as they point out, spectrum is a limited resource. I mean, there's only so much of it, and it's very valuable. So we can't just - they're not making any more of it, right? 

Ben Yelin: No, they're not creating more spectrum. I don't want to get into... 

Dave Bittner: (Laughter). 

Ben Yelin: ...The supernatural here, but that's... 

Dave Bittner: (Laughter). 

Ben Yelin: ...I think that's - I don't think that's something that we can just create more of. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: Yeah. 

Dave Bittner: All right. Well, interesting one. As you say, an important one to keep an eye on. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed, and it kills germs that cause bad breath. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.