News for the cybersecurity community during the COVID-19 emergency: Friday, April 17th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Healthcare attack alert. Contact-tracing for lungs & minds.
Czech intelligence warns that a campaign against hospitals is imminent.
The Czech cybersecurity agency NUKIB told its allies yesterday, according to Reuters, that it expects a major campaign against hospitals to begin soon, possibly as early as today. It's expected to be a destructive attack. “The information we have available has led us to a reasonable fear of a real threat of serious cyberattacks on major targets in the Czech Republic, especially on healthcare systems,” NUKIB said. It's not clear who's behind the attack, and it seems that Czech authorities are unsure of the attribution themselves, but officials speaking on background told Reuters that it was a “serious and advanced adversary.” Battlespace preparation in the form of a spearphishing campaign has been in progress for several weeks.
Google blocks malicious coronavirus-themed emails.
VentureBeat reports that Google is blocking some eighteen-million malicious coronavirus-themed emails daily. The company explained in its Google Cloud blog the measures it's put in place to help secure Gmail users during the current pandemic. The company's Advanced Protection Program has been adjusted to adapt to the new style of threat (ZDNet has some comments on this) and G Suite's phishing and malware controls are enabled by default.
Not everyone is particularly happy with these measures. Colin Bastable, CEO of security awareness training company Lucy Security, thinks Google's response likely to be less than fully successful, in part because Google itself is conflicted:
“On the other hand, hackers use gmail accounts with spoof names in BEC fraud, and to associate gmail accounts with phishing links, in phishing campaigns. Google gets to virtue-signal while playing both side of the fence. Google are also using the “https:” certificate requirement as part of their browser war with Apple and Microsoft, kidding people into thinking encrypted browser sessions keep people secure when using Chrome. Over 80% of phishing sites use certificates. People must always ask themselves what is in it for Google. Relying on email filters, crypto and firewalls to protect remote workers from opening the door to cybercrime is naïve. Hackers only have to get lucky once and they are winning hands down. Patching people is the only way that we are going to win the war on cybercrime.”
In fairness to Google, Mountain View's own explanations of how to combat phishing emphasize training and education as much as they do technical filtering. It's unreasonable to expect technical filtering, no matter how advanced, to cope fully with social engineering. That threat plays on peoples' beliefs and desires, and those are inevitably intensional. The threat actors are after figurative hearts and literal minds, after all. Email is just the avenue of approach.
Targeting budget cuts in the time of pandemic.
PwC released its COVID-19 CFO Pulse Survey at the beginning of this week. It will surprise no one that more than half of the CFOs who responded said they intended to cancel or at least defer some of the investments they'd planned. 53% were considering reductions in IT spending, 25% were throttling back on digital transformation, and 2% were considering cuts to their cybersecurity and privacy budgets. That cybersecurity and privacy scored relatively low suggests the importance they have in Chief Financial Officers' strategic plans, which is a good thing, but cuts in any of the three areas could introduce more risk into an environment where more organizations have improvised remote work systems.
Jordan Rackie, CEO at the identity management shop Keyfactor, said, “Working from home has accelerated the number of connection points in the network and the certificates and keys that ensure authentication and baseline protection. Having visibility to those connections is critical to managing them. The margin for error is slim and mismanagement can cause systems disruptions, outages and even security breaches.”
Both Keyfactor and the CyberWire belong to the cybersecurity sector, so what we've said here is hardly what the lawyers would call an admission against interest, but we would encourage CFOs to choose wisely. As Akamai points out in their blog, residential connections are now business connections, with all that implies for security, privacy, and compliance, so plan accordingly.
Contact tracing for COVID-19 infections.
Apple and Google are proceeding with their work on technology for contact-tracing (and ESET has a quick overview of how Apple's Mobility Trends Reports are working out), but their system, designed in the first instance for US domestic use, may have difficulty attracting enough opt-ins to be effective. A report from the Sinclair Broadcasting Group quotes experts who doubt that Americans are likely to sign on in sufficient numbers to attain the 75% threshold generally thought to be the point at which such contact-tracing tools become valuable. The perception that people generally have become skeptical about Big Tech's privacy record seems to contribute to the pessimistic conclusion.
Contact tracing for COVID-19 misinformation.
Facebook yesterday announced its intention to introduce a kind of misinformational contact-tracing. It will be coupled with a kind of online rumor control Facebook is calling "Get the Facts," and by the introduction of some straight dope about the virus in the news feeds of users who've interacted with dubious content. It will work like this:
"We’re going to start showing messages in News Feed to people who have liked, reacted or commented on harmful misinformation about COVID-19 that we have since removed. These messages will connect people to COVID-19 myths debunked by the WHO including ones we’ve removed from our platform for leading to imminent physical harm. We want to connect people who may have interacted with harmful misinformation about the virus with the truth from authoritative sources in case they see or hear these claims again off of Facebook. People will start seeing these messages in the coming weeks."
The system depends upon Facebook's large troupe of fact checkers, and it's unavoidably a time-consuming process to execute at scale. A study by the content-moderation-friendly advocacy group Avaaz generally had good things to say about Facebook's work against misinformation, but found that it took about twenty-two days, on the average, for correction to catch up with suspect reporting.
Updates on teleconferencing services.
The Wall Street Journal has more on the security heavy hitters Zoom has imported to help it fix the issues the teleconferencing service has experienced during its explosive but troubled growth. The new security measures and processes the company has introduced seem to draw good reviews as far as they go (see, for example, BleepingComputer's account of a new feature that will enable users to report zoom-bombing). But as SecurityWeek points out, they haven't convinced all users: the government of India has joined those who've banned Zoom from their remote meetings.
A new problem has surfaced for Zoom. CNET writes that a researcher has found a vulnerability that could allow Zoom videos to persist in the cloud even after the users had deleted them.
Zoom did receive a strong vote of confidence from the IT sector, however. CRN reports that Oracle's Larry Ellison called Zoom "an essential service for Oracle." Other companies (big ones, too) see an opportunity to surpass Zoom as it stumbles. Reuters says that Google's Meet is getting a "Zoom-like layout" and a link to Gmail. CNBC discerns a desire for secure conferencing tools as being behind a rise in Microsoft's share price. And the Wall Street Journal reports that Verizon has acquired BlueJeans, a Zoom rival.
Two quick notes on US privacy and cybersecurity law and policy during the pandemic emergency.
An op-ed in Law360 cautions against assuming that the privacy protections in HIPAA, the Health Insurance Portability and Accountability Act of 1996, somehow go away during a public health emergency. They don't. Prudent organizations will lawyer up before they get too frisky with healthcare data, no matter how public-spirited their mood and motives may be.
And the Department of Defense has been telling contractors that the Cybersecurity Maturity Model Certification (CMMC) program would not be delayed by the pandemic. That may be true insofar as the policy's effective date is concerned, but the CMMC audits themselves will probably in fact be delayed. FCW reports that Katie Arrington, CISO at the Office of the Undersecretary of Defense for Acquisition who had been prominent among those who said the program would become effective as scheduled, said yesterday that the first audits could be delayed for up to a month. FCW goes on to say that "Arrington suggested that auditors would wear masks and employ social distancing practices to complete their duties, and that company representatives present during the audit would 'respect each other's personal space.'" So should we all.