The CyberWire Daily Podcast 4.26.22
Ep 1565 | 4.26.22

Diplomacy and hybrid war. Heightened cyber tension as Quds Day approaches. Conti in Costa Rica. North Korean cyber operators target journalists. C2C notes. A guilty plea in a cyberstalking case.


Dave Bittner: Heightened cyber tension as Quds Day approaches. Costa Rican electrical utilities suffer from Conti ransomware. Emotet's operators seem to be exploring new possibilities. North Korean cyber operators target journalists who cover the DPRK. A guilty plea in a strange case of corporate-connected cyberstalking. Ben Yelin ponders the potential Twitter takeover. Mr. Security Answer Person John Pescatore addresses questions about vendors. And cybercrime, run like a business.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Tuesday, April 26, 2022.

Dave Bittner: Russia's hybrid war against Ukraine has seen, over the past day, more sabotage and long-range strikes from both sides as Ukrainian forces apparently extend their operations to targets inside Russia proper, and Russia conducts airstrikes against Ukrainian installations well outside the Donbas and the Azov coast. But there are no reports of further cyberattacks in the war, although all parties remain on alert to their likelihood. 

Heightened cyber tension as Quds Day approaches.

Dave Bittner: As Quds Day approaches this Friday, a traditional time of heightened cyber tension between Iran and other nations (especially Israel), the AP reports that Iranian media say the country has detected and blocked hundreds of cyberattacks against public and private infrastructure. Haaretz reports that an Iranian hacktivist outfit styled Hackers of Savior has claimed a successful attack against the Bank of Israel. The group claims to have accessed customers' accounts, but both Israel's National Cyber Directorate and the Bank of Israel say they found no indication of any kind of hacking into any banking network. 

Costa Rican electrical utility suffers from Conti ransomware.

Dave Bittner: Conti's ransomware campaign against Costa Rica has expanded to affect the country's electrical power distribution system, the Record reports. JASEC, the organization that delivers power to the city of Cartago, said that its administrative and business systems had been disabled by the ransomware. This doesn't, however, represent a direct attack on industrial control systems. Power generation and distribution continue normally, JASEC says. 

Emotet’s operators seem to be exploring new possibilities.

Dave Bittner: Proofpoint this morning reported that it's seeing unusual activity from Emotet-malware-wielding gang TA542. The criminal group, which has been in a slow period since going into partial hibernation early last year, appears to be conducting low-volume testing of new techniques. Specifically, they're using OneDrive URLs and XLL files to deliver their malicious payloads. The activity may also indicate a shift to more selective and limited-scale attacks in parallel to the typical mass-scale email campaigns. 

North Korean cyber operators target journalists who cover the DPRK.

Dave Bittner: Researchers at Stairwell have released an extensive report on GOLDBACKDOOR, malware deployed by APT37, the DPRK cyberthreat group also tracked as Ricochet Chollima. The researchers say, "Stairwell assesses with medium-high confidence that GOLDBACKDOOR is the successor of or used in parallel with the malware BLUELIGHT, attributed to APT37 Ricochet Chollima. This assessment is based on technical overlaps between the two malware families and the impersonation of NK News, a South Korean news site focused on the DPRK." Much of the activity in the current campaign is directed at data exfiltration. BleepingComputer notes that Pyongyang regards news reporting as a fundamentally hostile activity, which would account for the attention being paid to journalists. 

A guilty plea in a strange case of corporate-connected cyberstalking.

Dave Bittner: The U.S. Department of Justice has announced that one of those accused of cyberstalking the couple who ran a mom-and-pop e-commerce newsletter has taken a guilty plea. James Baugh, 47, of San Jose, California, eBay's former senior director of safety and security, pleaded guilty to one count of conspiracy to commit stalking through interstate travel and through facilities of interstate commerce, two counts of stalking through facilities of interstate commerce, two counts of witness tampering and two counts of destruction, alteration and falsification of records in a federal investigation. 

Dave Bittner: The stalking seems to have been unusually malign and focused. The U.S. attorney's office explained, the campaign included sending anonymous and disturbing deliveries to the victim's home, sending private Twitter messages and public tweets, criticizing the newsletter's content, and threatening to visit the victims, traveling to their home to surveil the victims and installing a GPS tracking device on their car. Sentencing is expected in September. 

Crime, run like a business.

Dave Bittner: And finally, free trials can be used to attract customers in the criminal-to-criminal market, just like they are in legitimate markets. IT-Markt discusses the case of the Ginzo infostealer, which, while in G Data's estimation isn't particularly novel, is wooing clients and building reputation in the C2C market. So the criminals, like many other businesses, aren't selling steak. They're selling sizzle and step right up. They're offering their criminal customers free stuff as an incentive. And who doesn't like free 

Automated Voice: Mr. Security Answer Person. Mr. Security Answer Person. 

John Pescatore: Hello, and welcome back to Mr. Security Answer Person. I'm John Pescatore. Let's get into our question for this week. 

John Pescatore: This week, I'll attempt to answer two related-but-diametrically-opposed questions at once. Security Person A asks, I worked in IT before transferring into the security operations group. In IT, there seems to be relentless market consolidation of vendors, as well as pressure from the CIO to reduce the number of suppliers used. In IT security, it seems there are literally thousands of vendors with new ones showing up each week and almost no pressure to consolidate. What's up with that? 

John Pescatore: Security Person B asks, what can we do to keep small, innovative security vendors alive? It seems like the big vendors spend most of their time trying to lock us into their product line and very rarely innovate or meet our individual needs. But when we find a small vendor with a cool and useful product, within two years, almost invariably they are acquired by a big security vendor. And the product line is either dumbed down or disappears. Will this ever change? 

John Pescatore: Well, this reminds me of one of those optical illusions where half the people see the dress as blue and black, and the other half see it as gold and white. It is hard to get good data, but CompTIA said a few years ago that there were over 525,000 IT product and service companies in the U.S. alone. CyberDB says there are about 3,500 information security vendors in the U.S. This means security vendors are only 0.7% of the overall IT vendor count, which is actually quite low compared to the spending ratio between the two areas, where IT security spending is somewhere around 5% of overall IT spending. So by that metric, it does not really seem like there are too many security vendors. 

John Pescatore: On the other hand - and there's always another hand - every time a new threat comes out, there does seem to be a wave of new security vendors getting funded to create solutions aimed at that threat, which, of course, makes no sense. The Verizon Data Breach Investigation Report has used both the CIS Critical Security Controls and the MITRE ATT&CK framework to show there is a small number of root causes that enable the vast majority of threats. It doesn't matter whether a threat comes from a botnet or is ransomware or a data breach. Good security solutions should work across broad classes of threats. Common sense says you really don't need a different toothpaste or toothbrush for your molars or those pointy teeth up front. 

John Pescatore: But rather than go on yet another rant about vendor marketing, let me try to answer the real question here. How many security vendors do I need? Like all such broad questions, any meaningful answer will start with it depends on. But first, let's establish some edge limits. One security vendor will never be sufficient for all but the smallest of companies - small office, home office and the like. Many security vendors have tried to be one-stop security shopping companies. I call them security department stores. And it has never gone well and never lasted long. Similarly, many big IT infrastructure players like Cisco, IBM, Intel and Microsoft have bought up all kinds of security products and tried to say, we are the infrastructure, and we can secure the infrastructure. This never works. 

John Pescatore: There are a lot of reasons why this will always be true. First off, we know from experience with the IBMs, Microsofts, Oracles and many other big vendors that any time a vendor gets too high a market share, their innovation goes down, and their willingness or ability to meet customer needs drops dramatically. Pricing may stay low or even get lower, but value goes down. So it is kind of a good thing that in security we still usually see two or three vendors with large but nearly equal market shares versus one with 80% market share. Second, Microsoft Windows has conclusively proven over the last 30 years that monocultures are bad for security. This is true in the food chain, and it has proven true in the software world as well. But I think most importantly, it's nearly impossible for one security company to be good, let alone great, across the many different technology areas that need protection - one simple division, network security versus host-based security, where nearly completely different technical skills and understandings of differences in managing each technology are needed. When I was with Gartner, I had a $100 bet with a Fortune 100 CEO that no vendor would be a leader in both a network security and a security software Magic Quadrant. And 15 years later, I'm still winning that bet. 

John Pescatore: So what am I saying? Two security vendors is probably okay? Well, not so fast. I've always broken the security markets into three broad segments. Keep the bad guys out - pretty much everything threat- or vulnerability-facing - firewalls, intrusion detection and prevention, vulnerability management, host-based security, etc. Changes are driven by new forms of attack or discovery of new types of vulnerabilities. Let the good guys in. This is mostly authentication and access control. Changes in this area are driven by business changes, not threats. Keep the wheels on - governance, risk, compliance, security management tools, forensics, incident response, backup, recovery, etc. Efficiency is job one here. These are well-known tasks. We need to do them more efficiently and with lesser-skilled folks. 

John Pescatore: Realistically, Fortune 1000-sized companies will need at least a few security vendors in each of these three areas. That probably means somewhere between 10 and 12 security vendors in use will prove to be the average or maybe even the low end of average. By the way, that doesn't even include the number of open-source security tools in use, a topic for another Mr. Security Answer Person episode. Will this ever change? The movement of business applications to cloud services and on-premise virtualized data centers has the potential to change this because of the blurring of network and host in a virtualized environment. But this does require a much more converged virtual admin, security admin, IT admin form of governance that enterprises have been very slow to move to. So the bottom line: if you're using 50 different security vendors, you probably have a problem. If you're using just one or two security vendors, you're likely more focused on compliance than actual security. Moving that security vendor Goldilocks just-right zone down from a dozen security vendors to a handful requires both high-maturity security processes and governance integration across cloud, virtual data center and IT admin. Easy to say. Hard to do. 

Automated Voice: Mr. Security Answer Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Automated Voice: Mr. Security Answer Person. 

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on The CyberWire. Send in your questions for Mr. Security Answer Person to

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: So I don't know if you noticed, Ben - I know you're active on Twitter - Twitter may have a new owner soon. 

Ben Yelin: It sure does. Mr. Elon Musk, eccentric billionaire extraordinaire... 

Dave Bittner: Yeah... 

Ben Yelin: ...Has purchased Twitter for the low price of $44 billion. 

Dave Bittner: The money he found in his couch cushions, no doubt. What do you make of this? What - I mean, from a serious point of view, what are the policy implications we could see of Twitter changing hands here? 

Ben Yelin: So it's unclear at this point. He's spoken broadly in the past about being an absolutist in terms of free speech, which would seem to indicate that he would be for looser content moderation practices. Twitter does do things like shadow bans or diminishing the content of users that post objectionable material. It's also done very high-profile things like permanently banning the account of former President Donald Trump. 

Dave Bittner: Right. 

Ben Yelin: And if Elon Musk is buying this for an ideological purpose, in that he wants to have a platform that is absolutist in its posture on free speech, I think that could have pretty wide-reaching implications for Twitter. President Trump could be back on it. There could be more leeway for people to post content that might otherwise have been banned because it's offensive, because it's considered abusive, and that might affect the business prospects of Twitter. We talked about it on the "Caveat" podcast; it's always a fine line, because if you loosen content moderation too much, you're going to end up with a platform full of bots, trolls, neo-Nazis. 

Dave Bittner: Right. Well - and look at some of these other platforms that have spun up where this has been the thing that they've led with, that, you know, you'll be able to say whatever. They just don't seem to gain popularity because it's no fun. 

Ben Yelin: Right. Nobody wants to be on a platform that's been overrun by these bots, spam, et cetera... 

Dave Bittner: Right... 

Ben Yelin: ...That we just don't want to deal with. 

Dave Bittner: Yeah. 

Ben Yelin: So I think he's going to have to straddle the line on that. I guess I'm confused as to why he's making this purchase. If he's doing it because he thinks he can actually gain some value out of Twitter, make it a more profitable platform, then I think that has interesting potential. I mean, there are certainly things he could do to improve the user experience of Twitter. And maybe because he's introduced innovations in the rest of his entrepreneurial work with Tesla, with SpaceX, maybe that's something that he can bring to the platform. What I worry about is he's doing this as sort of a vanity project, that he was upset by particular Twitter policies that related to content moderation. And that he thought, well, I have a lot of money. If I'm unhappy with these policies, why don't I just buy Twitter? 

Dave Bittner: Right. Buy it and fix it. 

Ben Yelin: Yeah. In that case, I mean, I think we would have to worry about Twitter as we know it devolving into something unrecognizable... 

Dave Bittner: Yeah. 

Ben Yelin: ...Where, I guess putting it this way, we might miss the content moderation that we had. Because there is a reason that many users, even if they say that they're free speech absolutists, don't want to be on a platform with a lot of smut. 

Dave Bittner: Yeah. 

Ben Yelin: And so I think that's the line that he's certainly going to have to straddle. 

Dave Bittner: Now, there's some policy stuff coming out of the EU right now that could intersect with this. What's going on there? 

Ben Yelin: So just as a coincidence, the EU and its member states this weekend agreed on a new digital regulation policy that's going to force tech giants, including Twitter, to better police illegal content on their platforms. Otherwise they'd be risking multibillion-dollar fines. And the structures - the structure of the fines is going to be very similar to GDPR. It would be a percentage of their annual earnings. And it's no chump change. I mean, we're talking about potentially billions of dollars at stake. What this legislation tries to do is a couple of things. One, it would limit how these digital giants target users with online advertisements. So it would stop platforms from targeting users with algorithms based on immutable characteristics like race, gender, religion, et cetera. 

Dave Bittner: Right. 

Ben Yelin: It would ban targeted advertisements aimed at children. The companies are now going to have to implement new procedures to take down illegal material - so things like hate speech, incitement to terrorism, child sexual abuse. And then e-commerce sites - things like Amazon - have to prevent the sale of illegal or illicit - illegal goods or illicit material. Some of those things I think could fly in the United States. Certainly we have an infrastructure where we crack down on things like child sex abuse. 

Dave Bittner: Right. 

Ben Yelin: But when we're talking about incitement to terrorism and hate speech, if you take Elon Musk literally, and he wants to put his free speech absolutist ideology into his governance of Twitter, then we might run into some problems as it relates to this new European regulation. We have values in the United States where we are more, I guess, gung-ho about our belief in free speech than some of our European counterparts. 

Dave Bittner: Right. 

Ben Yelin: So we are more willing to accept things like hate speech and incitement to violence in service of the idea that we should have a robust marketplace of ideas. So there - that might end up being a conflict. And we already see echoes of this. There was a story in the Financial Times that seems to indicate European authorities saying, look, Elon Musk, if you are going to loosen content moderation practices on Twitter to the point that we start seeing a lot of hate speech, we start seeing a lot of incitements to domestic terrorism, then we won't be afraid to fine you and we won't be afraid to potentially ban Twitter in the European Union. 

Dave Bittner: Yeah. 

Ben Yelin: So we see this clash of ideologies that I think is playing out in a very high-profile way. 

Dave Bittner: You know, it reminds me of something I heard years ago, and this is anecdotal so take it for what it's worth. But I remember seeing someone say, if you want to get the Nazis out of your Twitter feed, tell Twitter you're in Germany, tag your location as being in Germany because, evidently, Twitter, as required, does a really effective job of filtering out that content for German citizens... 

Ben Yelin: Right. 

Dave Bittner: ...'Cause they're - 'cause they have to. 

Ben Yelin: Right. 

Dave Bittner: So it's - perhaps there's a technological solution to this, but it certainly is an interesting intersection timing-wise, you know, at this moment that Elon Musk is trying to buy Twitter, the EU is sort of tightening down their own content moderation guidelines. 

Ben Yelin: Yeah, I mean, I think we might be on a collision course. And if we know one thing about Elon Musk, it's that he likes to push the envelope. He likes to be provocative. 

Dave Bittner: Right. 

Ben Yelin: So we could see him potentially loosening content moderation policies to set up an ideological clash with authorities in the European Union. And he'd bring a lot of power with him. It's not just that he's purchasing a multibillion-dollar company. But we have a political culture in the United States that really does value free speech. So I think it would be a major ideological conflict. I don't think we're going to get to the point where Twitter is banned in Europe because Elon Musk won't institute content moderation policies. 

Dave Bittner: Right. 

Ben Yelin: But I do think we're potentially on a collision course where there's going to be some back-and-forth ideological battle that might involve billions of dollars' worth of fines that maybe Elon Musk is OK paying. 

Dave Bittner: Right (laughter). 

Ben Yelin: If he's willing to purchase... 

Dave Bittner: Again, right. 

Ben Yelin: ...Twitter for $44 billion, what's another billion here or there? 

Dave Bittner: It's just another trip to the couch and rifling through the cushions for some spare change, right? 

Ben Yelin: Exactly. 

Dave Bittner: All right. Ben Yelin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.