News for the cybersecurity community during the COVID-19 emergency: Friday, April 10th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Telework and contact tracking vs. privacy and security
Data privacy in tension with data utility.
As governments work to deploy technology that would enable them to get a handle on the COVID-19 pandemic, privacy hawks continue to worry that it may be easier to establish collection systems than it will be to roll them back once the emergency passes. But the case for collection and analysis remains strong, and has all the life-and-death urgency one would expect. New Security Beat makes the argument for the lifesaving potential of data.
Criminal activity follows black market pressures.
FireEye blogs that the patterns of cyberattack during the pandemic show a familiar array of bad actors and attack techniques. What's changed are the target sets and the content surrounding the approach.
That familiarity is certainly there, but there are other interesting ways in which the criminals themselves are responding to black market forces. Some of the criminal surge, as Wandera points out, is simply the familiar pattern of criminals being drawn to fresh opportunity: "It’s no surprise that bad actors are taking advantage of the global pandemic; if there was ever a time to target a huge captive audience, it is now."
But not all the criminal activity is driven by increased opportunities and enlarged attack surfaces. The Free Press, for example, says that Mumbai is seeing criminals shift to online crime as street crime becomes harder to pull off (because, presumably, it's more obvious as people stay off the streets, and because the police are on alert for it). Some history sheeters (Indian cop-speak for repeat offenders with what Americans would call long rap sheets) are turning their attentions to cybercrime. As criminal tools continue down the path of commodification, making that transition won't be as difficult as it once would have been.
The criminals themselves are also feeling an economic pinch. Some of their own supply chains have been disrupted (mules may be harder to come by, for example) and they're scrambling for ways to make up for lost revenue. InSightCrime has an interesting overview of how this is playing out in Latin America.
One of the security problems the COVID-19 pandemic presents is the sheer volume of noise it introduces, especially for healthcare organizations already stretched by high volumes of demand for medical services. Under such conditions, MedTechDive reports, medical devices themselves might become attractive targets for attack. They share in some of the laggard security that one sees in the Internet-of-things generally, and as targets of opportunity they'll prove irresistible to some criminal hackers whose consciences impose few restraints on their behavior.
Telework, and Zoom agonistes (continued).
Infosecurity Magazine talks with experts who think the shift to telework will probably outlast the coronavirus state of emergency. It brings with it not only greater dependence upon a set of tools whose ease-of-use may exceed their security, but also the heightened risk of those cloud misconfigurations that had already become a common cause of inadvertent data exposure long before COVID-19 was first glimpsed.
One of the experts they talk to is Steve Durbin, managing director of the Information Security Forum, who sees emergency remote work as passing through three phases: the first is the challenge of getting telework tools into workers' hands, the second is parrying targeted attempts against this greatly expanded attack surface, and the third? “Phase three will come about through increased stress and cyber-anxiety which will result in a lowering of vigilance and frankly, the sheer boredom of having to work remotely when the normal routine has been built around social interaction,” Durbin told Infosecurity Magazine.
Teleconferencing specialist Zoom, of course, has been prominent in the current discussion of remote work. Its easy and reliable availability made it a popular choice for enterprises of all kinds and sizes, from storefront churches to the US Department of Defense (the Voice of America points out that FBI warnings haven't affected use by US Government agencies as much as one might expect), but its dramatically increased use exposed troubling privacy and security issues (which Diginomica reviews harshly). Both the German Government and the US Senate have told their people not to use Zoom, ZDNet reports. The US Department of Homeland Security has issued various less stringent cautions, and Federal News Network says these are being received differently by various agencies, many of which weren't that invested in Zoom to begin with.
Zoom itself has scrambled to put security fixes in place, including, Forbes reports, giving hosts more control over security and restricting the visibility of meeting IDs. They've also closed a hole Citizen Lab found in Zoom's Waiting Rooms that could have enabled unauthorized parties to eavesdrop without permission. The company has created an advisory council of CISOs led by former Facebook security chief Alex Stamos to help it up its privacy and security game. Zoom's CEO told Time in an interview that the company has learned its lesson and hopes to regain users' trust.
Other providers of remote work tools and services are of course interested in capturing as much of this market as possible. Google and Microsoft are, ComputerWorld reports, talking up the security of their offerings. The subtext seems to be, please don't confuse us with Zoom.
The madness of crowds and the wiles of intelligence services.
State actors, notably China (defensively), Russia (disruptively), and to a lesser extent Iran (with conspiracy-mongering whacks at its two bêtes noires, the United States and Israel), have actively pushed various lines of disinformation about COVID-19's origins and propagation. A Military Times op-ed wonders how well prepared the US Department of Defense is to parry large-scale disinformation campaigns and concludes that the answer is "not very." In fairness it's a tough and unfamiliar problem, and there's no easy list of best practices to inform effective counter-messaging.
Some of the difficulty in handling disinformation may be seen in the speed with which misinformation spreads, and the surprising reach even implausible memes can have. WIRED traces the strange conviction that COVID-19 is somehow related to 5G, and that such a relationship has been created by some conspiracy or other, to a January interview in a Belgian publication. (A Flemish publication, by the way, so one would expect even less reach than had it appeared in Francophone media, there being many more speakers of French in the world than there are speakers of Dutch.) It's since been picked up by the dreary celebrity tribe of slacktivists and influencers, with regrettably far-reaching effects. Some of those effects have even been kinetic, as cell towers in the English Midlands have been vandalized and telecommunications workers threatened.
Free tools on offer, and a useful update on where security conferences stand this week.
Many cybersecurity companies are making their products and services available free or under otherwise attractively discounted terms during the current state of emergency. Here's SC Magazine's list of some recent offers. Today's class includes offers from Qualys, VMware Carbon Black, NETSCOUT, TrapX, and SentinelOne, and they're all intended to help secure people working from home.
And the pandemic has disrupted the conference industry. Security Magazine has a summary of where things stand in this shifting and difficult-to-track sector.