The CyberWire Daily Podcast 11.10.20
Ep 1212 | 11.10.20

A look at what’s up in some of the criminal markets. The continued resilience of TrickBot. What you can buy for $155,000.


Dave Bittner: Criminals get the news like everyone else, and online crime continues to follow current events. It's up, it's down, it's up again - forget it. It's TrickBot. A cyber incident affects computer maker Compal. Zoom settles an FTC complaint. Price check on the criminal markets. Ben Yelin on a Canadian shopping mall's collection of over 5 million shoppers' images. Our guest is Ben Brook from Transcend with best practices in privacy and data protections. And spare a thought for a veteran tomorrow.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 10, 2020. 

Dave Bittner: It should come as no surprise, but it remains worth noting that criminal phishbait and pretext for online scams closely track current events. The Wall Street Journal, having talked to a range of security companies, reports that U.S. election-themed spam remains high. It's likely to remain high for the next couple of months. 

Dave Bittner: And TechRepublic, citing Trustwave researchers' scanning of dark web markets, writes that COVID-19 is also a hot brand in the criminal world. Phony COVID cures, counterfeit travel documents and scam call, boiler room services are all being pushed vigorously. 

Dave Bittner: The COVID stuff began to circulate early. Trustwave told TechRepublic they were surprised by how quickly criminals saw opportunity in widespread suffering and moved to monetize the main chance COVID-19 presented them. None of the approaches they've been taking are particularly novel, but they've been effective, nonetheless. 

Dave Bittner: A large number of domains were registered with COVID-themed names. These are useful for water holing or as destinations for phishing links. There have been many cases in many countries of campaigns designed to collect fraudulent claims on government disaster relief programs. 

Dave Bittner: Phishbait has been devised to inveigle employees trying to adjust to new work arrangements into opening malicious attachments or following equally malicious links. 

Dave Bittner: And finally, of course, are traditional scams - quack medicines, bogus treatments and the whole familiar soft array of hoked-up medical charlatanism. 

Dave Bittner: So where some people see suffering and ask, how can I help, and others who don't quite go so far as, how can I protect myself, still, others ask, how can I monetize this? The people in the third category regard the first two classes as their prey. 

Dave Bittner: Prominent among the criminal activity that's continued through the pandemic, of course, is ransomware. A study released this morning by Zscaler finds an interesting wrinkle in the ransomware landscape. They're observing a marked increase in malicious SSL traffic, which suggests that criminals are finding this form of encryption attractive as a way of avoiding inspection and detection. 

Dave Bittner: It's not a foolproof way of evading defenses, but there may be some relaxed vigilance with respect to SSL. It's worth noting that SSL is often used loosely to both the deprecated SSL - that is, Secure Sockets Layer - and its successor, TLS - Transport Layer Security. 

Dave Bittner: In any case, SSL, TLS and the things that mark them online, like the https prefix and the comforting padlock, aren't sure guarantees that there's no badness in the traffic. 

Dave Bittner: TrickBot continues to seem able to take a punch. Intel 471 today outlined how the gang behind TrickBot has managed to recover, shift and work around repeated government and industry disruption of its infrastructure. 

Dave Bittner: The anti-TrickBot campaign began in earnest on September 22, when U.S. Cyber Command is generally believed to have begun interrupting the bots' ability to reach their command-and-control servers. There was a continued back-and-forth until the beginning of November. And by the end of last week, TrickBot activity proper had dropped to negligible levels. The operators had, in the meantime, shifted to Emotet and other tools. 

Dave Bittner: As Intel 471 put it, "between October 28, 2020, and November 6, 2020, we have not seen any new TrickBot infection campaigns in our monitoring, nor in open-source reporting. We observed the number of active and working TrickBot control servers being reduced over time, and we were unable to identify any working TrickBot control servers as of November 6," end quote. 

Dave Bittner: But in a sign of how resilient this sort of criminal enterprise can be, that inactivity lasted about three days - quote, "on November 9, 2020, we did see a new version of TrickBot that was distributed via a spam campaign," end quote. 

Dave Bittner: So back to the grind for those who would take out TrickBot once and for all. Good hunting. 

Dave Bittner: Compal, a Taiwan-based manufacturer that's the world's second-largest laptop maker, is said to have sustained a ransomware attack over the weekend. ZDNet, which sources the news about ransomware to media in Taiwan, also reports that a Compal executive denied any ransomware attack but did acknowledge an unspecified hacking incident, apparently confined to business networks. Compal deputy managing director Qingxiong Lu told news outlets that the company is not being blackmailed by hackers, as it is rumored by the outside world. 

Dave Bittner: Apple, Acer, Lenovo, Dell, Toshiba, HP and Fujitsu are among Compal's customers. The company also makes a large range of peripherals. The company is returning to normal operations. 

Dave Bittner: Zoom has settled a U.S. Federal Trade Commission complaint in which the FTC alleged that the online meeting platform had engaged in a series of deceptive and unfair practices that undermined the security of its users. TechCrunch says that the complaint turned, in part, on suggestions that Zoom's services were, in fact, more secure, more robustly encrypted than, in fact, they were. 

Dave Bittner: The settlement requires Zoom to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users. 

Dave Bittner: The criminal market has its ups and downs. Infosecurity Magazine reports that prices of a batch of RDP credentials belonging to 7,500 educational institutions have dropped in two Russophone criminal markets. Digital Shadows confirmed to the publication that the price fell last week from 25 bitcoins - roughly $387,000 - to 10 bitcoins - about $155,000 - cheaper, but still pricey. For 155 grand, you could buy a decent little bungalow in Florida or a Polestar 1 hybrid sports coupe. But some people think they'd rather spend their jack on, you know, Remote Desktop Protocol credentials for school networks. Sad. 

Dave Bittner: And finally, we'll be taking tomorrow off as we observe Veterans Day. It's sobering to recall that November 11 was chosen for this day in remembrance to mark the end of the first world war and that no veterans of that war remain with us. Other generations are passing. So spare a thought for the veterans tomorrow, and spend some time with any you know, young or old. We will. 

Dave Bittner: The CyberWire will be back, as usual, on Thursday. 

Dave Bittner: Ben Brook is co-founder and CEO at data privacy infrastructure company Transcend. He joins us with thoughts on best practices in dealing with new privacy and data protections. 

Ben Brook: Recently, there were two major privacy laws passed. There was GDPR and CCPA. And these are some of the first laws to encode what we call data rights. And you can think of data rights as the first time that users really have any degree of control over the personal data that companies collect about them. Whereas before, privacy laws were all about just, you know, writing policies and informing users, now users have actual controls in their hands that they can use. 

Ben Brook: And so companies are actually scrambling to adopt, and companies are actually scrambling to comply with these new incoming requests coming from end users. So when somebody says, delete my data, it's a very tall task for a company to go to its hundreds of data systems and vendors and actually execute that erasure process. 

Dave Bittner: What are your recommendations for organizations who are looking to get a handle on this? I mean, what's the best way for them to get started? 

Ben Brook: Yeah, so there's a few key principles that companies can adopt right now. And one of those is just adopting a philosophy of alignment over antagonism between these two departments - the legal and the engineering department. So something that we see that actually works very well is just to set up a working group between these two functions and sort of have them meet regularly to hash out these differences because, inevitably, they're going to come up repeatedly, and having that alignment is key. 

Ben Brook: Another one is to actually think more about the user experience rather than compliance. And this is really interesting because once you start actually taking privacy from a UX perspective, you actually start figuring out how to simplify a lot of the things that the regulations say. And if you think of the core principle of these regulations, it's really about respecting users, right? So rather than trying to, like, go through an itemized list of compliance requirements, it's often a lot simpler to think of it in the perspective of, would my users be mad if we did this, or, like, how do we give them the best privacy controls that we can? And so, yeah, user experience as a priority over compliance, I think, is really helpful. 

Ben Brook: And then lastly, really pushing to achieve technical scale over manual workflows. So companies really need to think about getting to a place where they have set-it-and-forget-it automation, where it's a secure and it's a system-agnostic infrastructure that can be connected once to wherever that personal data lives and then allow for automatic fulfillment of these privacy requests. And once you have that, everything sort of makes sense again and you're no longer sort of, like, running in this hamster wheel of continuously trying to, like, face down systems and put some unique workflow to each one. 

Ben Brook: So just doing those are really actually simple ways of making this an effort that is sane and actually fosters a better sort of collaborative environment around privacy. 

Dave Bittner: That's Ben Brook from Transcend. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: You and I talk a lot about the collection of people's images with or without their consent over on the "Caveat" podcast. You know, privacy issues are something we talk about regularly. We've got a story here from Yahoo Finance. It's titled "Cadillac Fairview" - that's a mall, not a car. 

Ben Yelin: I was so disappointed when I found that out. 

Dave Bittner: (Laughter) Right. They collected 5 million shoppers' images without their consent. What's going on here, Ben? 

Ben Yelin: So this happened in Canada. There are 12 shopping malls where they had this pilot program where they were going to take images of shoppers - and it ended up being 5 million - apparently to analyze the age and gender of the shoppers for their own advertising purposes, to kind of see who was there during what time periods, et cetera. 

Dave Bittner: Right. 

Ben Yelin: It was basically market research. They said they're not doing it to identify individuals. 

Ben Yelin: Now, Canada has a - or at least the provinces of Canada have what are called privacy commissioners. We have that in some states here, or equivalents of that. But they seem pretty robust in Canada. And they are pushing back against what happened at these malls. 

Ben Yelin: The malls are saying that patrons had fair notice because there were decals on the shopping mall entry doors referring to a privacy policy. 

Dave Bittner: OK. 

Ben Yelin: I don't know about you. I have never read a decal on a mall - on the entry to a mall. 

Dave Bittner: Yeah. 

Ben Yelin: I'd assume that if I did read it, it would say something like, you know, no yelling and screaming after 8 p.m., and, you know... 

Dave Bittner: Right. 

Ben Yelin: ...Things that are not related to, we're taking real-time photos of you - you know, 5 million of you - as you walk through our malls. 

Dave Bittner: Yeah. 

Ben Yelin: So what the privacy commissioner said in a release is that shoppers had no reason to expect that their image was being collected by an inconspicuous camera, nor that it would be used with facial recognition technology for analysis. 

Ben Yelin: And the big problem here is meaningful consent, especially in their view, considering how sensitive this data is. It's biometric data, so you can find out a lot of personal information about somebody. 

Ben Yelin: So, yeah, it was a really interesting story. I have to say I'm not generally on the beat of what happens at malls in Canada. But certainly... 

Dave Bittner: (Laughter). 

Ben Yelin: ...A story that's up our alley. 

Dave Bittner: Well, I guess I have a few questions about this. I mean, first of all, just in the pure gathering of images, I mean, how is this different from gathering up just run-of-the-mill security footage? You know, that's - you've got video cameras all over the mall that are always rolling, and that's being recorded and stored for a certain amount of time. We all seem to be - I don't know - at peace with that. 

Ben Yelin: So I think that's a good point. The one thing that I think the privacy commissioner is trying to get across here is that these are more secretive and inconspicuous. So they're in digital information kiosks. People probably don't expect that those are going to exist at a mall, whereas they do expect that there are going to be, you know, closed-caption security cameras. 

Dave Bittner: Yeah. 

Ben Yelin: Not closed-caption. 

Dave Bittner: Closed-circuit. 

Ben Yelin: Closed-circuit security cameras. So, you know, I think that's potentially one difference. 

Ben Yelin: But, yeah, I mean, it is a very public place. It's a place where you probably don't have much of a reasonable expectation of privacy no matter what you're doing. 

Dave Bittner: Right. 

Ben Yelin: You should know that if the camera isn't catching you, there are generally a lot of people there who could see what you're doing. So, you know, I think that kind of cuts against the outrage that one would have about this story... 

Dave Bittner: Yeah. 

Ben Yelin: ...That it's not like they're using this technology outside people's houses. It is a mall, and you are choosing to go there. I think if the mall made it clearer and, you know, had warnings that were a little more accessible to their shoppers, then, you know, maybe the privacy commissioners in Canada wouldn't have had such a problem. 

Dave Bittner: Right. I'm envisioning something like - you know how some malls will have interactive maps of the mall where you can walk up and, you know, say, oh, I want to find all the stores that have shoes? 

Ben Yelin: Yeah. Ooh, Sunglasses (ph) Hut - yeah. 

Dave Bittner: Right, exactly. But while you're facing that sign, I suppose there's a camera in the sign that is then taking this very clear, front-on, well-lit photograph of you. 

Ben Yelin: Smile; you're on camera. 

Dave Bittner: (Laughter) If you don't know that's happening, that could be disconcerting. 

Dave Bittner: I will say, you know, back in a previous life when I was working in the broadcast industry, if we were shooting at a place like a mall, we would put up signage that said, hey, you know, this is a public place, but, you know, be aware we're making a movie today. 

Ben Yelin: Yeah. 

Dave Bittner: And if you walk by, there's a chance you could be in the movie. And if you have a problem with that, please avoid this area. 

Ben Yelin: Get out of here, yeah. 

Dave Bittner: Let somebody know or something like that. So... 

Ben Yelin: And I think they could've gotten away with this. You know, I don't think there's anything inherently, you know - so, you know, it is biometric data, so it is personal. I don't think there's inherently anything wrong with this if customers were given proper warning and, you know, something that said very clearly, not in just a small decal on the entryway door, this is what's happening in the mall. You know, you can opt out of this by leaving. But at least you're aware of it. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: And if you're going to stay, you're consenting to it. 

Dave Bittner: Right. Or click here, and the mall doors will unlock. Otherwise (laughter)... 

Ben Yelin: Otherwise, you got nothing. 

Dave Bittner: ...Stay away. 

Ben Yelin: Yep. 

Dave Bittner: Yeah. What a quaint idea - right? - asking someone's permission before you gather an image of them. What a - oh, that's adorable, isn't it? 

Ben Yelin: I know. I know. So antiquated. 

Dave Bittner: Yeah, yeah. All right, well, interesting story, for sure. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed, like a rock. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here on Thursday.