The CyberWire Daily Podcast 11.19.19
Ep 973 | 11.19.19

Ransomware recovery in Louisiana. DPRK phishing for aerospace jobseekers? Cybercrime campaigns. Notes on current legal matters.

Transcript

Dave Bittner: [00:00:03] Louisiana recovers from a ransomware attack against state servers. North Korea appears to still be interested in Indian industry. Compromised CMS is distributing info-stealing Trojans. HydSeven mounts a cross-platform spear-phishing campaign. Macy's and Magecart - thoughts on supply chain security and cyber deterrence and some legal updates including some alleged academic money laundering. 

Dave Bittner: [00:00:33]  And now a word from our sponsor ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:50]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 19, 2019. There's a good news, bad news story out of Louisiana today. The bad news is that the Pelican State was hit by a ransomware attack yesterday. What variety of ransomware isn't yet known, but the incident is believed to be similar to the one that hit school districts in Morehouse, Sabine, Monroe City and Ouachita this past July. A number of state agencies and services were affected including, Bleeping Computer reports, all 79 of Louisiana's Office of Motor Vehicles locations. The good news is that the state's Cybersecurity Commission, established in 2017 against just this sort of eventuality, was activated and appears to have been working effectively to contain and remediate the damage. The commission includes law enforcement personnel, cybersecurity professionals from both the public and private sector and academic specialists. 

Dave Bittner: [00:02:50]  Affected agencies began restoring service soon after the attack hit. Recovery is expected to be substantially complete in about two days. The Office of Motor Vehicles, for example, thinks it will be back in business this afternoon, KPLC reports. ZDNet says the state's Office of Technology Services contained the infestation quickly and that the commission took appropriate action. None of this would have been possible without effective preparation. It's still early to call victory, but so far, it does seem that Louisiana, unlike too many other state and local governments, had a sound plan that's been executing effectively. An after-action review with lessons learned that might be shared with other states would be interesting, and we hope Louisiana's Cybersecurity Commission holds one and publishes the results. 

Dave Bittner: [00:03:38]  India continues to receive the attention of North Korean cyber operators. A phishing campaign is underway that poses as a job opportunity at Hindustan Aeronautics, the Herald-Publicist says. Little else has been reported, but the Lazarus Group seems to have been leaving its spore across the subcontinent recently, with incidents reported at both the Kudankulam Nuclear Power facility and the Indian Space Research Organization. 

Dave Bittner: [00:04:06]  Zscaler has discovered two campaigns that use compromised WordPress sites to distribute a remote-access Trojan. Malicious redirector scripts in the compromised content management systems do the work. One campaign uses a bogus Flash Player update as the vector. The other deploys an equally phony font updater. The font it helpfully offers to update is PT Sans. The payload is essentially an information stealer. 

Dave Bittner: [00:04:32]  We often address the serious issue of insider threats, the vulnerabilities your organization faces from employees or close partners. There are many technical countermeasures to insider threats, but it's important to remember there is a human side to this as well. Tom Miller is CEO at employee risk management firm ClearForce. 

Tom Miller: [00:04:52]  The earlier that an organization can become aware of issues, the more options they have to address those issues, hopefully in a positive and productive way. But one of the challenges of early discovery is, you have to make sure in every case that you're carefully protecting the rights of the employee and the privacy of the individual. And so privacy and civil liberties really need to be the foundation for any type of insider risk or employee risk management program. Once you start from that, then you're in a position to have a shared objective between the workforce and leadership within the organization to really create a more safe and secure environment. 

Dave Bittner: [00:05:35]  Yeah. I think nobody likes to have that feeling that someone's always looking over their shoulder. How do you establish that sort of culture of security without it feeling adversarial? 

Tom Miller: [00:05:47]  Well, and I think to the - in today's workplace, there is a basic requirement for organizations to deliver safety and security to their employees. We just see and hear so many negative and violent acts that occur, both inside and outside the workplace, that I think there's a basic assumption today that when you go to work, your employer will take the appropriate steps to keep you safe and secure. And so when you start from that perspective, then it becomes much easier as an organization to really put together the kind of approach and the kind of policy and technology to achieve that objective. 

Tom Miller: [00:06:30]  And again, I go back to transparency - often capturing and making sure that you've got explicit consent from your employees to be able to evaluate certain information about misconduct, about criminal activity, as examples, become really important. Typically, it's not a one-size-fits-all approach. Different jobs, different positions lend themselves to different levels of physical and information access inside virtually every organization. And so from an employer's perspective, it's really important to create your policy and define those risk policies specific to each job role and not try to come up with a - you know, an overarching single solution across the board. 

Dave Bittner: [00:07:20]  Are there any typical red flags that stand out where - that - you know, an employer should say, hey, perhaps this employee needs a little more of my attention? 

Tom Miller: [00:07:31]  It really is identifying this disengaged individual. And what we find time and again is, when somebody becomes disengaged, whether it's from their job or quite frankly in the community, if you become disengaged and nobody notices, then bad things tend to happen. And so from an employer's perspective, you have to find these early indicators that that employee that you brought into the organization - a trusted, productive part of the corporate organization - all of a sudden has issues. They have stress. They have problems either inside or outside of work that have created this situation. And so, you know, oftentimes, that can range from arguments or problems that they're having with their colleagues, so let's say internal incidents. Perhaps it's with customers, perhaps it's with co-workers, but having an efficient and effective way of having those incidents communicated into leadership becomes really important. 

Tom Miller: [00:08:34]  Perhaps another common indicator would be identifying individuals that are under financial stress. And so for an organization to be able to then pair employee-assistance programs, counseling or other wellness opportunity, again, is a good opportunity to create a positive outcome through some preemptive action. 

Dave Bittner: [00:08:56]  That's Tom Miller from ClearForce. 

Dave Bittner: [00:09:00]  U.S. department store giant Macy's is the latest retailer to suffer a data breach. Computing, Bleeping Computer and others are calling the incident a Magecart attack. Macy's mailed breach disclosures to affected customers on November 14. The compromised information includes customers' first and last names, complete physical address, phone number, email address, paycard number and security code, and paycard expiration month and year. Macy's says it believes it's unlikely someone could open an account in a customer's name, but it's warning people to stay alert. The department store chain has brought in an unnamed security company to assist with investigation and remediation, and it says it's engaged law enforcement as well. 

Dave Bittner: [00:09:44]  Fifth Domain quotes a senior U.S. Marine general on an interesting question: who has more to lose if cyber deterrence moves toward a countervalue balance - authoritarian or open societies? Lieutenant General Eric Smith, head of the Marine Corps Combat Development Command, suggested at a recent AFCEA meeting that it's the former. In some respects, he may have a point. Consider networked surveillance cameras. They occupy a much bigger, more important place in Chinese national policy than they do in American national life. Would taking them out be irritating? Sure, but crashing them in China would be more seriously disruptive. Of course, a cyberattack that took down a power grid or a nation's financial system would be a disaster, much worse than just getting your hair mussed. So perhaps this perspective on deterrence works best at the lower- to mid-ranges of the spectrum of conflict, up at the levels that the nuclear-deterrence think tanks used to call spasm war, or as Major "King" Kong put it in the movie "Dr. Strangelove..." 

[00:10:48]  (SOUNDBITE OF FILM, "DR. STRANGELOVE") 

Slim Pickens: [00:10:49]  (As Major T.J. "King" Kong) Well, boys, I reckon this is it - nuclear combat toe-to-toe with the Russkies. 

Dave Bittner: [00:10:58]  Speaking of cyber conflict, Huawei has received a 90-day reprieve from the U.S. as the government continues to work toward the ejection of Huawei gear from U.S. networks. China hawks are concerned that the U.S. administration has gone wobbly, The Washington Post reports. But in any case, this is going to be a long dance. 

Dave Bittner: [00:11:18]  And finally, two stories of crime and punishment - first, Sweden is discontinuing its investigation of WikiLeaks impresario Julian Assange for alleged sexual offences, accusation of which prompted Mr. Assange to decamp to the U.K. in 2010. The Swedish Prosecution Authority says that, quote, "the evidence has weakened considerably due to the long period of time that has elapsed since the events in question", quote. The Register reports that Mr. Assange, long resident in Ecuador's London Embassy until his ejection earlier this year, remains in British custody at Her Majesty's Prison Belmarsh in southeast London. The U.S. has asked that he be extradited to face charges of conspiracy to commit computer intrusion. As The Register puts it in their lead, U.S. Department of Justice books one-way plane ticket in his name. 

Dave Bittner: [00:12:11]  And second, in what sounds allegedly like either a case of physician heal thyself or one cannot touch pitch and remain undefiled, a Miami academic and expert on money laundering has been charged in the U.S. with laundering money from the failed state of Venezuela, allegedly pocketing a cool quarter of a million greenbacks for his troubles on behalf of clients trafficking in dirty money. Bruce Bagley, age 73, is a professor of International Studies at the University of Miami. He's been a frequently quoted expert on money laundering and drug cartels. The University of Miami's only comment has been to say that Professor Bagley is on administrative leave. We note that Professor Bagley, like Mr. Assange, is entitled to the presumption of innocence. 

Dave Bittner: [00:13:02]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today, and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:14:04]  And joining me once again is Ben Yelin. He's the program director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. More importantly, he is my co-host on the "Caveat" podcast. Ben, it's always great to have you back. 

Ben Yelin: [00:14:18]  Good to be here, Dave. 

Dave Bittner: [00:14:19]  Ben, you and I are going to talk today about strip clubs. Now, I know you and I have run into each other many times at the local strip club. 

Ben Yelin: [00:14:27]  You're not supposed to say that live on the podcast. 

Dave Bittner: [00:14:31]  (Laughter) Actually, before we recorded, you and I were both saying how we sort of scratch our heads and don't really understand the appeal of strip clubs. But that's a whole 'nother thing. This... 

Ben Yelin: [00:14:39]  Yes. 

Dave Bittner: [00:14:39]  We're talking today about... 

Ben Yelin: [00:14:41]  You can hear about that on our private podcast. 

Dave Bittner: [00:14:42]  Right, exactly. But today, we're talking about an interesting legal case. This was from Bloomberg Law. And the title of the article is "Strip Club Cases Show How Little Your Image is Protected Online." What's going on here? 

Ben Yelin: [00:14:56]  So this case arises from 11 plaintiffs. They are models. Ten of them, you would have never heard of. The 11th is Carmen Electra. 

Dave Bittner: [00:15:05]  Oh, I've heard of her. 

Ben Yelin: [00:15:06]  Which, you know, if you were alive in the mid-2000s, you've probably heard of her. 

Dave Bittner: [00:15:10]  She was on "Baywatch." 

Ben Yelin: [00:15:11]  She was on "Baywatch." She was married, I believe, to Dennis Rodman. They sued a strip club, and their cause of action was under what's called the Lanham Act, particularly the false endorsement provision of the Lanham Act. So basically, what happened is, the strip club found online photos of these individuals in, like, cat costumes and other, like, suggestive photos. 

Dave Bittner: [00:15:34]  Right. 

Ben Yelin: [00:15:34]  ...And used them to promote events at their strip club. 

Dave Bittner: [00:15:36]  Oh. 

Ben Yelin: [00:15:37]  And this violates the statute of the Lanham Act which prevents companies from using one's personal likeness for advertising purposes without that person's authorization. 

Dave Bittner: [00:15:46]  So these were photos that these people had posted online of themselves. So it wasn't like the strip club broke into someone's phone to gather these images. They were out there. 

Ben Yelin: [00:15:55]  No, it was like somebody took a Facebook picture of a sexy costume... 

Dave Bittner: [00:15:59]  Right. 

Ben Yelin: [00:15:59]  ...And posted it on their own Facebook page, and then the strip club, in order to promote the event, took this photo without the consent of the models themselves. Now, even though the rest of these models weren't Carmen Electra, it seems from what we can glean about the case that they all did have significant social media followings. So they're sort of social media celebrities, if not real celebrities. 

Dave Bittner: [00:16:21]  Right, OK. 

Ben Yelin: [00:16:22]  What was interesting is that only Carmen Electra was actually able to succeed. She won the case, the ban against the strip club from using her image. And one of the reasons she won is because her image is actually worth something because she's a famous person. That's sort of the nature of the Lanham Act, is, it's very difficult for a normal person - somebody who's not famous - to reclaim one's image once it gets on the internet because the Lanham Act is specifically about commercializing somebody's image. And if that image doesn't have any commercial value, then you're generally, in most cases, going to be barred from recovery. 

Ben Yelin: [00:16:59]  Now, there are other courts that are a little more lenient in these cases. They talk about, in this article, courts that don't actually try to gauge the plaintiff's fame, and they only look at whether a company like the strip club would intend to commercialize somebody's persona, so somebody's online images. But, you know, when we're dealing with the Lanham Act, it's going to be very difficult for a non-famous person who doesn't already have a commercial presence, a commercial image, to gain relief. And I think that's scary for people. 

Ben Yelin: [00:17:29]  You know, for one, it's a reminder that posting images online is not safe, no matter the privacy protections of the specific social media application that you're using. Just think; once the image is out there, it's really hard to reclaim it. You're going to be compensated if you win this type of case based on your own commercial value. So if you don't have any commercial value, there's not going to be much compensation, which means it's not really going to be worth it for somebody to pursue a lawsuit. Now, you can talk about intangible things like, you know, effects to your reputation. 

Dave Bittner: [00:18:00]  Right. 

Ben Yelin: [00:18:01]  But if you're, you know, a person who doesn't have any commercial fame, then that - it's hard to put a dollar amount on that hit to one's reputation. 

Dave Bittner: [00:18:12]  Yeah. 

Ben Yelin: [00:18:12]  And downstream from that is, it's going to be very difficult for plaintiffs' attorneys - or not difficult, but plaintiffs' attorneys are going to be reluctant to take up one of these cases because the contingency fees aren't really going to be worth it for them if there's not a lot of money at stake. So, you know, I think that's a big problem with our right-of-publicity statutes now that we're in a digital age and more people are becoming internet famous. You know, this law was drafted in an era where - you know, this was 1946, so television was just coming into prominence. 

Dave Bittner: [00:18:44]  (Laughter) Right. 

Ben Yelin: [00:18:45]  Probably most famous people were... 

Dave Bittner: [00:18:47]  The internet was not even a gleam in someone's eye so far. It was... 

Ben Yelin: [00:18:50]  No, it was not. 

Dave Bittner: [00:18:51]  Yeah, futurists were probably wondering about just sharing images, yeah (laughter). 

Ben Yelin: [00:18:56]  So, you know, perhaps we need to have more robust legislation that protects people's online integrity and protects those - somebody's images that they post on their own social media, whether they're famous or not, they can have a cause of action against a company who tries to use that photo for commercial purposes. 

Dave Bittner: [00:19:14]  Yeah, that is - it's really interesting that this - I guess I'd never considered that a picture that you put out there could be used in a commercial situation and you have very little relief against that. What about even just a copyright claim? 

Ben Yelin: [00:19:29]  The copyright claim applies to creative work, so it would be like somebody who actually took the photo... 

Dave Bittner: [00:19:35]  I see. 

Ben Yelin: [00:19:35]  ...And posted it on social media for creative purposes. You can't appropriate that for commercial value. This is generally a trademarks case, where the value is not necessarily artistic or creative, but it's in the commercial value of the image itself. 

Dave Bittner: [00:19:48]  I see. 

Ben Yelin: [00:19:49]  I mean, it's scary that there isn't more recourse. 

Dave Bittner: [00:19:52]  Yeah. 

Ben Yelin: [00:19:53]  ...Particularly when, you know, you think about instances where somebody's photo is posted without their consent. That's particularly scary to a lot of people. 

Dave Bittner: [00:20:01]  Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: [00:20:04]  Thank you. 

Dave Bittner: [00:20:09]  And that's the CyberWire. 

Dave Bittner: [00:20:11]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:22]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.