The CyberWire Daily Podcast 11.25.20
Ep 1222 | 11.25.20

Influence the gullible, and maybe others will follow. Event site sustains a data breach. Contact tracing and privacy protection. Ransomware, again. Social media used to intimidate witnesses.

Transcript

Dave Bittner: Today, I want to reach out to those members of our audience who are students or serve in the military. Did you know that the CyberWire has special CyberWire Pro subscription offers just for you? Well, you do now. Because of your student or military status - that's active or reserve military status - you are able to subscribe to CyberWire Pro or CyberWire Pro Plus at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit thecyberwire.com/pro and click on the Contact Us button in the Academic or Government and Military box. That's cyberwire.com/pro, and then click Contact Us and the box that applies to you. And we'll hook you up.

Dave Bittner: Observers see a shift in Russia's influence tactics, but prank calls are probably not among those tactics. An event site suffers a data breach and warns customers to be alert for spoofing. COVID-19 contact tracing continues to arouse privacy concerns. Joe Carrigan has tips for safe online shopping during the holidays. Our guest is Dmitry Volkov from Group-IB with insights from their latest Hi-Tech Crime Trends report. Ransomware hits another U.S. school district, and social media are being used to intimidate cooperating witnesses. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 25, 2020. 

Dave Bittner: While Russian influence operations during the U.S. election seem to have fizzled, the Voice of America reports that Moscow appears to be laying the foundations of subsequent campaigns. Instead of troll farming and inauthentic social media, the new Russian approach to disinformation involves establishing mindshare in fringe U.S. media, far left and far right, using feeds from state-controlled outlets like RT, Sputnik, TASS and Izvestia TV. One of the pathologies of intense political commitment apparently is heightened gullibility. 

Dave Bittner: Some Russian operators - and they say they're comedians, funsters, not agents of the state - continued to enjoy success with prank calls made to various world leaders. The BBC says that the two performance artists Vladimir Kuznetsov and Alexei Stolyarov have released a recording of an exchange they had with Canadian Prime Minister Justin Trudeau back in January. They pretended to be young climate change activist Greta Thunberg, which is perhaps more plausible than using one of the traditional gag names like I.P. Freely or Amanda Hugginkiss. And they got the PM to pick up the phone. 

Dave Bittner: He was polite and diplomatic, listening to advice that he should "leave NATO, drop your weapons, pick flowers, smile at nature." Mr. Trudeau's office said, in a statement, "The Prime Minister determined the call was fake and promptly ended it." 

Dave Bittner: The BBC notes that while these two gents have been accused of working for the Russian security services, they themselves deny it, saying, "We only choose the subjects we are interested in ourselves." So who knows? Maybe they're right. Anyway, they're funnier than TASS, so they got that going for them. 

Dave Bittner: Peatix, which describes itself as a global event discovery and ticketing platform, has disclosed a data breach that exposed user data. The company is working to contain the damage. Threatpost reports that some stolen data have appeared in Instagram and Telegram posts. Peatix warns users to watch out for spoofed communications. 

Dave Bittner: Some collection of COVID-19 data for contact tracing has been inadvertently intrusive as, for example, with the apparently unintentional harvesting of data by Australian intelligence services. The country's Inspector General of Intelligence and Security has reported to the Information Commissioner that some collection of data from the COVIDSafe contact-tracing app did occur, but that the data did not seem to have been decrypted or used by those unnamed agencies. 

Dave Bittner: Coincidentally, the United Nations has issued a general warning about the threats to communications and data privacy management the COVID-19 pandemic presents. The U.N. is in favor of contact tracing, but it wants it done without putting potentially repressive and intrusive policies in place. Five aspirational guidelines are offered. The U.N. hopes they'll serve as a template for responding to future crises - be lawful, limited in scope and time and necessary and proportionate to specified and legitimate purposes in responding to the COVID-19 pandemic; ensure appropriate confidentiality, security, time-bound retention and proper destruction or deletion of data in accordance with the aforementioned purposes; ensure that any data exchange adheres to applicable international law, data protection and privacy principles and is evaluated based on proper due diligence and risk assessments; be subject to any applicable mechanisms and procedures to ensure that measures taken with regard to data use are justified by and in accordance with the aforementioned principles and purposes and cease as soon as the need for such measures is no longer present; and be transparent in order to build trust in the deployment of current and future efforts alike. 

Dave Bittner: Chances are you're doing some online shopping this season. Of course you are. There's no shame in it, but of course, there's always concerns about the possibility of fraud. What does fraud cost? It depends. And holidays or not, in part, it seems to be a generational thing. Atlas VPN has worked through U.S. Federal Trade Commission data and concluded that millennials lose between $200 and $300 per fraud case, while elderly people, those aged 80 and above, lose up to $1,200. On the other hand, the millennials are scammed more often than their elders, possibly because they simply do more online and present the grifters with more targets of opportunity. By the way, we just bought some Girl Scout cookies online ourselves, and you should feel free to do the same. Those girls are no grifters. 

Dave Bittner: Two stories come today from Greater Baltimore. In one, the Baltimore County Public Schools have canceled instruction today. The Baltimore Sun reports that the system has come under a ransomware attack, and all classes have been canceled. The school district is working to remediate the problem but has no estimate as to when it might be able to resume operations. The disruption comes at a particularly unfortunate time, as schools attempt to shift more instruction online. 

Dave Bittner: Also in the Baltimore Sun is an account of an unusually ugly form of online intimidation. Criminals are posting images of people who cooperate with police investigations to Instagram. It's not only intimidation and threat, but it's often extortion, as well, as the criminals demand money in exchange for taking down the pictures. "Only Cash App will get you off this page," says one representatively subliterate post. May the hoods receive the attention from the police they richly deserve. 

Dave Bittner: You might be experiencing some difficulty accessing our site today. Amazon Web Services, which we use, have been clobbered with outages today that appear to have been particularly severe along the U.S. East Coast, roughly between New York and Washington. Amazon is working on the problem, which ironically has affected their own Service Health Dashboard. We regret the inconvenience and hope to be back to you soon. 

Dave Bittner: CyberCrimeCon 2020 is a virtual threat hunting and intelligence conference being held November 25 through the 27, 2020. The program for the three-day event, powered by Group-IB, includes an all-star speaker lineup, as well as a full-day threat-hunting competition. The CyberWire is a media partner for the event. Dmitry Volkov is from Group-IB. He'll be presenting at CyberCrimeCon. He joins us with insights from their latest "Hi-Tech Crime Trends 2020/21" report. 

Dmitry Volkov: Well, it's our annual report, where we're trying to explain, what are key threat trends that we've observed within the year? And usually, we're always able to find something new that was not covered by other reports, basically because we have our own incident response, our threat intelligence and, of course, our investigation department. To be honest, all these threat actors who were active within the year - it's always possible to detect their activity. All recommendations will be the same. You need to pay more attention about your security or network perimeter. You need to pay attention for how you patch (ph) your software and deliver. Of course, you need to be able to deploy some additional security controls that allow you to track network traffic, do sandboxing and, of course, end-point solution, where it will track the activity of threat actors on the behavioral level. Sometimes, EDR could be helpful. And of course, you need to find someone who will do active threat hunting because not everything is possible to detect by existing security solutions tech. And that's why, actually, all these penetration tests - external penetration tests - are quite successful. But meanwhile, on (inaudible) stage of attack, usually, there are artifacts that allow you to detect the malware or even threat actor - not just detect but, of course, to be able to attribute it. 

Dave Bittner: Was there anything that was surprising in this year's report, anything that bubbled up that you hadn't expected? 

Dmitry Volkov: Well, we didn't thwart protecters (ph) who did targeted attacks against financial institutions. We will stop the activity, so we don't attack banks to harm them (ph). But also stop this activity and begin to participate in affiliate programs to earn somewhere (ph). Sometimes it's closed activated programs; sometimes it's open. But like - gangs like Silence, Cobalt, MoneyTaker - we don't see them any more active. They're doing attacks against financial institutions. So we have the experience how to get access to the corporate network, how to completely compromise it, get full control over it. And then we just deploy it somewhere. We don't need to do money laundering to get access to financial systems. So much more easier money. 

Dave Bittner: That's Dmitry Volkov from Group-IB. He's one of the presenters at the upcoming CyberCrimeCon. That's being held November 25 through the 27. Be sure to check out CyberWire Pro on our website thecyberwire.com. You can find extended versions of many of our interviews. That's thecyberwire.com. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Joe, it is that time of year. It is... 

Joe Carrigan: Yeah, it is. 

(LAUGHTER) 

Dave Bittner: The - we are heading in a steep - jumping off the cliff toward the holiday season. And that means... 

Joe Carrigan: Yep. 

Dave Bittner: ...Lots of shopping. It means I'm officially OK with - you know, after this weekend, after we get through Thanksgiving, that's when it's OK to put up your decorations and play your Christmas music and all that kind of stuff. 

Joe Carrigan: Got a little bit of information for you, Dave. The decorations are already up inside my house. 

(LAUGHTER) 

Dave Bittner: Oh, my. Oh, my. All right. Well, that's cheating. I call foul (laughter). 

Joe Carrigan: You'll have to take it up with Lisa (laughter). 

Dave Bittner: Yeah, I'm sure I'll have a lot of luck with that. 

Joe Carrigan: Right (laughter). 

Dave Bittner: But getting to our point here, Black Friday, big shopping day and, of course, followed by Cyber Monday. 

Joe Carrigan: Yeah. 

Dave Bittner: Saw an article come by from the folks over to the Naked Security blog by Sophos. The great Paul Ducklin wrote this one up. And it's basically some good guidelines for staying safe with this rush to shop online. I mean, certainly this year more than ever, that's the way folks are going to do it. 

Joe Carrigan: That's right. Black Friday is not going to be waiting in line at a crowded store this year for obvious pandemic-related reasons, right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So the retailers are not going to just let this day go by. It's a big cash-money day for them. So they're going to just offer these deals online, which means that there's all kinds of issues that come along with that for both Black Friday and Cyber Monday this year. And the article makes the point that whatever you do for your cybersecurity for Black Friday is good to do all the time, right? These are just good practices that they have. And Paul has put down some tips in here that are really good tips. Some of them are things that I've said multiple times, but here's a good one that I have never said before. 

Dave Bittner: (Laughter). 

Joe Carrigan: Write down the contact details for your financial providers, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Make - he says make an old-school written copy of the emergency contact numbers and email addresses for organizations such as your bank and credit card issuers or insurance companies. That way you'll have access to them, even if you lose access to your payment card or your phone gets stolen, right? Because all that information is on the back of your credit card. 

Dave Bittner: Right, right. 

Joe Carrigan: So if your wallet gets physically stolen from you, how are you going to call that number? Write it down. 

Dave Bittner: Yeah. Well, it also helps you resist the urge when someone sends you a fake email or a fake text message that says, hey, this is your bank, call this 800-number right now... 

Joe Carrigan: Yeah, if... 

Dave Bittner: ...You know, then they give you a fake number. 

Joe Carrigan: If you get that information, if you get that text, just flip the credit card over and call that number. 

Dave Bittner: Yep. 

Joe Carrigan: Don't call the number that anybody ever sends you. That's another bit of advice I've been giving for a long time. Call a number that you know is the bank. Either look it up online, go to the phone book or use the back of your credit card. But if you've lost your credit card, you should have written it down. And Paul makes a good point - write it down before you wish you had written it down. 

(LAUGHTER) 

Dave Bittner: Right, right, right. What else does he list here? 

Joe Carrigan: He says learn about account lock features offered by your bank or credit card issuer. Some of these card companies have ways to just quickly lock and unlock your credit card so that nobody else can use it. Some don't. But, you know, I think that's going to become more of a differentiator in the marketplace over time. Learn how to clean up your browser's autofill storage. That's really good advice because maybe you don't want your credit card information being stored in your browser's auto-fill storage space. So just learn how to clean that out. 

Dave Bittner: Do a little audit. 

Joe Carrigan: Right, do a little audit - exactly. In the U.S. - this is for our U.S. listeners. Apparently, there's a federal law that allows consumers to apply a credit freeze, which stops people from applying for new loans in your name. It's a way to put the brakes on identity theft. It's a little bit inconvenient because if you need to go out and apply for any debt, then you have to first release the credit freeze. But you can do this at your leisure, and the credit companies have to oblige you. It's a law. 

Joe Carrigan: Paul says, consider using a prepaid debit card for one-off purchases, and that's a good idea. There are also other services out there that will let you have a virtual credit card number. I don't want to endorse anybody in particular. But if you listen to other podcasts, you'll hear the name of at least one of them. But it gives you a fake and temporary credit card number that you can use to go out and make a purchase, and that - you can actually tie that credit card number to a single merchant so that nobody else can use it. So even if that merchant gets breached, that credit card information is useless to anybody unless they go to the merchant that you were using it at. And then... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...Again, you can set up a limit for it. So... 

Dave Bittner: Right, and they can be single use. So one... 

Joe Carrigan: And you can - exactly. Good point. You can make disposable ones... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...That you only use once. 

Dave Bittner: Right. 

Joe Carrigan: Finally - and this is my No. 1 point right now - turn on two-factor authentication wherever you can. Wherever you can, use whatever you can - most secure kind you can that's available. So the three most common types of multifactor authentication are the text message, the SMS. That's more secure than nothing but not very secure. The next one is the time-based password. You see these apps like Google Authenticator, and Microsoft has one, as well. It's the same technology that's in the little tokens that you get from your employer if they have multifactor authentication. And finally is something that's like a physical token, like a FIDO key, like YubiKey. Or Google has their - I can't remember what it's called, but Google has something that's based off the same infrastructure. 

Dave Bittner: Yeah. 

Joe Carrigan: Those are the most secure. 

Dave Bittner: Yeah, yeah. You know, I think this is one of those articles that - you know, those of us in the biz probably do most of this stuff already. But first, it's a good reminder. But second, this is a great article to send around to your friends and family - just lays it all out in a nice, approachable way for them to - if they haven't thought about some of these things, it's a great way to get them started. 

Joe Carrigan: I think I'll post this article on Facebook, Dave... 

Dave Bittner: Yeah, it's a good one. 

Joe Carrigan: ...So that everybody can get some advice from me because I like telling people what to do. 

Dave Bittner: (Laughter) No kidding. (Laughter). 

Joe Carrigan: Nobody listens, but I still want to tell them. 

Dave Bittner: It's all right. It's all right. It's good to know your limits, Joe. All right, well, again, the article is titled "Black Friday – Stay Safe Before, During And After Peak Retail Season." It's over on the Naked Security blog with Sophos, written by Paul Ducklin. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. A Happy Thanksgiving to all, and many thanks to you for listening and reading. We'll be taking the next two days off for the holiday. We'll be back, as usual, on Monday. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The best of all is Butterball. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Research Saturday is taking a break this week for the Thanksgiving holiday, but we will be back with more research the following Saturday. We hope you'll join us then. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.