The CyberWire Daily Podcast 12.4.20
Ep 1227 | 12.4.20

2021 may look a lot like 2020 in cyberspace, only more so. Cold chain cyberespionage. Cybercriminals are also interested in COVID-19 vaccines. And beware of online dog fraud.


Dave Bittner: Predictions for 2021 focus on ransomware. It'll be better, more aggressive, bigger and a greater problem in every way. Cyber-espionage and the cold chain - cybercriminal interest in COVID-19 vaccines extends to both theft and fraud. Johannes Ullrich on the .well-known directory. Our guest is Michael Magrath from OneSpan on what the financial sector needs to consider now that we're in post-election season. And what's one effect of the pandemic? Dog fraud - ask the Better Business Bureau.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 4, 2020. 

Dave Bittner: The increase in ransomware and its now-routine combination with data theft and doxxing formed one of the bigger trends of 2020. "Terrible" is an adjective that rightly appears in StateScoop's account of the discussion of ransomware at this week's Aspen Institute's Cyber Summit. The ransomware operators have increased both their determination and rapacity. The addition of data theft adds bite to the extortion. Not only are the criminals denying the victims access to their data, but the criminals have another opportunity to monetize the results of their attack by selling stolen information on criminal markets. It's the threat of releasing the information that has now rendered the classic defense against ransomware - regular, secure backup - as imperfect protection. And it's unreasonable to expect criminals to keep their word when they promise to destroy stolen data if they're paid off. 

Dave Bittner: So in many respects, 2021 is expected to be a lot like 2020, only more so. Continuity Central has five ransomware-centric predictions for the coming year, and they're representative of what we're hearing. First, cybercriminals will concentrate attacks on the most critical industries, including health care and manufacturing organizations. Organizations that depend upon high data availability will continue to be particularly attractive to attackers. The deep pockets of the financial services sector will always be targets. But those pockets are also among the best-protected. Health care and manufacturing - not necessarily so. Second, attacks will find more sophisticated ways to get into your data center. Attacks will adapt to defenses. Third, CISOs are going to focus more time and budget on recovering from an attack. The ransoms demanded are rising, and while it may soon be illegal to pay them in many jurisdictions, the increased sophistication of the attacks will increase recovery costs. Fourth, cyberattacks will put a renewed focus on data governance. This prediction is related to the now-routine data theft ransomware gangs will continue to commit. It also adds considerable regulatory risk to the victim's headache. And fifth, backup infrastructure will look very different and see a noticeable transformation. Backup is no longer a complete fix, but it remains a vital one. It will evolve into more secure, more routine, easier-to-use forms. 

Dave Bittner: Randori offered a similar set of predictions to eWEEK. The first three apply directly to ransomware, the final pair to national policy. Their first prediction involves a projected advance in criminal technology. Deepfakes and voice fakes come to the enterprise. These will enable more effective social engineering and the production of falsified records that could cause considerable reputational damage to the victims. The second prediction is ransomware evolves to enterprise extortion. This is a step up from the threat of doxxing. As Randori put it, quote, "Ransomware attacks will shift from, I've stolen all your data - now pay me - to, I'm going to extort your CEO with information I've found in the data I've stolen from you. And if you don't pay, we'll devalue your stock on Wall Street," end quote. And third, expect more cloud infrastructure ransom attacks. Enterprises are in the cloud. Criminals will be, too. Fourth, a leadership crisis in IT talent will hit the US government. Maybe high senior turnover will stop, or maybe not, but its effects may continue to be felt. We note in passing here that the acting director of the US Cybersecurity and Infrastructure Security Agency, the Washington Examiner reports, is standing by his predecessor's conclusion that the U.S. elections were secure. And finally on the list, expect an antitrust, anti-tech reckoning in 2021. There's bipartisan interest in some form of tech regulation in the US, and the situation is similar in the EU. 

Dave Bittner: This week's announcement by IBM that its researchers had discovered a concerted campaign directed at compromising the cold chain was widely taken as a warning about a state-directed cyber-espionage effort. The cold chain is that part of the supply chain that's used to transport biomedical material under temperature-controlled conditions. SecurityWeek summarizes the case for classifying the effort as the work of an intelligence service. It's difficult to see how a socially engineered intrusion into a vaccine supply chain could be easily monetized, but it would yield information an intelligence service would find interesting. Some experts, Reuters notes, see this as a general attempt at supply-chain espionage that's only accidentally connected with COVID-19 vaccine research. And IBM's own conclusions suggest the activity they observed was consistent with battlespace preparation. SC Magazine reports that big pharmaceutical company Eli Lilly's CISO sees a risk in the vaccine supply chain's lack of awareness that it's a target. It's not that the links in the chain are oblivious but rather that the chain is, as IBM pointed out, extraordinarily complex. Many of the links may not be fully aware that they're in the COVID-19 vaccine supply chain at all. One reason for thinking espionage against the cold chain is state-directed is, as we've mentioned, the absence of any obvious way in which criminals could cash out on their take. But there are strong criminal motives for vaccine fraud, too. Vice points out that dark web drug dealers are pushing bogus COVID-19 vaccines, including counterfeits of legitimate emerging treatments. The Wall Street Journal adds that vaccines will be attractive targets of theft, too. They are liquid gold. 

Dave Bittner: And finally, how much is that doggy in the window? In Bitcoin, maybe? Here's one odd effect of the pandemic, at least in the US - a rise in dog purchase or adoption fraud. WBBM cites a caution from the Better Business Bureau to the effect that criminals are bilking people trying to get a dog. Why? It's supply and demand. It's because people want dogs around while they're locked down at home. And who wouldn't? We note that the dog rescue outfit that sprung the CyberWire's official editorial pooch from a South Carolina slammer a little more than three years ago has been out of dogs for a couple of months. Demand is high, and the grifters have noticed. We hope to be able to write a dog-bites-man story about these hoods soon. Pack forward and go get them, doggos. 

Dave Bittner: With the U.S. election in the rearview mirror and a new administration and Congress preparing to take their place, banks may find themselves facing new regulatory challenges. Joining us to discuss this possibility is Michael Magrath. He's director of global regulations and standards at OneSpan, a company that provides digital identity and anti-fraud solutions. They recently published their OneSpan Global Financial Regulations Report. Michael Magrath, thanks for joining us. 

Michael Magrath: Yes, it's a pleasure. Happy to be here, and thanks for having me. 

Dave Bittner: So today, we're going to be talking about what banks should be doing to prepare for the post-election challenges they may be facing, looking at perhaps some new regulatory landscapes. Let's start off with some high-level stuff here. Can you give us a little bit of a lay of the land? I mean, where do we find ourselves in terms of where the banks are and what they're dealing with in terms of potential regulations on the horizon? 

Michael Magrath: Sure. Sure. I'd be happy to. So, you know, where things are - we're right in the middle of a pandemic. And, you know, things have really changed over the - over this year. The fraudsters - they kind of know what's going on out there. And cyberattacks against banks increased - there was a report done earlier this year - 238% during the pandemic. A lot of this is done through, you know, social engineering and phishing attacks and those types of things. But I think where the banks are right now, they have put things in place to secure - not all banks, but a lot of the banks have. And those that haven't, the fraudsters have, you know, realized this and attacked them. But, you know, just some interesting statistics that have come about - account takeover fraud has grown over 72% this year over 2019. And banks reported a seven-fold increase in suspicious business loan activity. And that's on top of what was happening at the state level, where the - it was very well-documented. The state unemployment offices were getting inundated with false claims for unemployment when the pandemic hit. And that was really from nation-state attacks. So that's the lay of the land right now, as I see it is. You know, the banks are really fast-tracking their plans to digitize and have been forced to. 

Dave Bittner: Yeah. So, you know, we just made our way through the election cycle here in the U.S. Where do the banks stand in terms of anticipating the possibility of new regulations with a new administration coming into power? 

Michael Magrath: I think what you're going to see with the Biden administration is a more prominent role or prominent focus on cybersecurity. The Trump administration did do some good things. But one of the key things that the Trump administration did is that they eliminated the role of the cybersecurity coordinator at the national level. And I would expect the Biden administration to restore that role. On a side note, there's a - within Congress, there's a - they established what they're calling a Solarium Commission that kind of goes through a whole host of different cybersecurity initiatives at the national level. And one of the initiatives or recommendations coming out of that commission is to create a formal national cybersecurity director within the White House. 

Michael Magrath: And then on the legislative front, there was a lot of good legislation introduced this year. One was called the National Biometric Information Privacy Act. So that - if it was passed, it would prohibit businesses in the private sector from collecting a wealth of biometric data, you know, including fingerprints and face and retina scans, voice prints without having consumer consent. And there was also a data protection act that was introduced this year. And that would create a federal data protection agency. We really don't have one today. We have - the Federal Trade Commission does some of that work. The Consumer Financial Protection Board does some of that work. So I think you're going to see legislation like that come into play. 

Michael Magrath: And then the other big one is really what happened during the election. The state of California - they had a ballot initiative to, I would say, update or replace the current California Consumer Privacy Act with a new version called the California Privacy Rights Act, or CPRA. And that legislation was overwhelmingly passed by the voters. And that - one of the key provisions in that is that it's all about protecting individuals' most personal information and allowing that individual to prevent businesses from using or sharing what they define as sensitive personal information. So that was just passed. That's not going to come into play. But I wanted to mention that because I think you're going to see more states roll out their own similar legislation. And so there's a lot going on in Washington both as it relates to the Biden - the incoming Biden administration but also within the next congressional session. 

Dave Bittner: That's Michael Magrath from OneSpan. Don't forget we have extended versions of many of our CyberWire interviews as part of CyberWire Pro. You can find out more about that on our website, 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, always great to have you back. We want to touch today on some files that are sort of - I don't know - is hiding in plain sight a good way to say it, or perhaps lesser-known (laughter)? 

Johannes Ullrich: Lesser-known, yeah (laughter). That's a good... 

Dave Bittner: Yeah. 

Johannes Ullrich: That's actually a very good way to put it. 

Dave Bittner: OK, what do we - what's going on here today? 

Johannes Ullrich: Yeah, so thanks for having me. It's actually a little security feature that you have in your web server. And, yes, you called it lesser-known. Actually, the directory is called .well-known. And this is a directory that really has sort of evolved into a collection of - I don't want to call it random files, but various files. And people keep adding sort of to that collection of files that you have in there. And some of them are certainly interesting and files that you should have there or that you should consider supporting. 

Johannes Ullrich: And it sort of all started out with the good old robots.txt file, which is a file that has existed on web servers forever to sort of tell search engines how to index your page. Now, people wanted initially to add similar files but then decided, hey, instead of littering your document root with them, let's set up this .well-known directory for it. 

Johannes Ullrich: And there's sort of two features in particular that have become more popular recently that I think have some real neat sort of security implications. The first one is, well, the file's just called security.txt. And it's a text file, as the name implies, similar to robots.txt. But its purpose is to tell a researcher, to tell a security professional that finds a vulnerability in your website, how do they get in touch with you? 

Johannes Ullrich: So you can leave, like, an email address in there for your security contact. You can even indicate that you're participating in a bug bounty program or such because I myself ran into this trying to contact websites about a security vulnerability. And it's hard. It's hard, and it's a lot of work to figure out who to send the email to. And often, you end up at the wrong address and it bounces or they don't know what you're talking about. And, you know... 

Dave Bittner: Right. 

Johannes Ullrich: ...Often, I've given up and said, hey, let them worry about it. 

Dave Bittner: Yeah (laughter). 

Johannes Ullrich: But yet, I'm doing a lot of free work for them. So here you make it actually easier, and you sort of make that - it's pretty much automatable at that point, where someone could automatically think about... 

Dave Bittner: I was going to say, it's important to keep that one up to date as well. 

Johannes Ullrich: Yeah, it's important to keep that up to date so it goes to a valid email address. And there are a couple different options you have. But more or less, it's just a simple text file. So it's very easy to maintain, too. It's easy to install. So you don't need to enable any big features on your web server. And you probably already have that .well-known directory because Let's Encrypt uses it for their ACME protocol to set up certificates, and that's how usually that directory is created in the first place. 

Dave Bittner: Oh, I see. Now, there's another one that's related to passwords. What's going on with that one? 

Johannes Ullrich: Yeah, and that's where they change password. The problem they're trying to solve here is that these days, people use password managers. So the problem then comes up once you want to change that password, you have to go to a website. You have to find the page where you change the password. You change the password. And then you have to go to your password manager and make sure everything is in sync. And, of course, if that fails, then passwords get lost and costs happening because of reset passwords and such. 

Dave Bittner: Yeah. 

Johannes Ullrich: A changed password really just points to the URL that you use to change the password on your site. And a couple of password managers - like, for example, the one that's built into Safari and Google Chrome, also 1Password - started to support this feature now. 

Johannes Ullrich: So it actually works where I can now tell my password manager, hey, I want to change the password for this site, and it will automatically open a browser on the right page and then, as I change the password, remember the new password. And so a lot less friction in changing passwords, which, yeah, probably users should do occasionally. So you don't want to make it too hard on them. 

Dave Bittner: Yeah. And it seems like all this is really about making it easier for the users - like you said, reducing friction. 

Johannes Ullrich: Correct. It's all about reducing friction, making it easier. And all of these features are very easy to implement, so there isn't really any big tools or anything like this that you need to install. It's just simple files or, like - that redirect - you can do that in various ways, depending on what web server you're using. 

Dave Bittner: Yeah. All right, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Yeah, thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Quality is remembered long after the price is forgotten. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out this weekend's episode of "Research Saturday" and my conversation with Deepen Desai from Zscaler. We're going to be discussing the Ryuk ransomware. That's "Research Saturday." Don't miss it. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.