News Wrap: Dentist Offices Hit By Ransomware, Venmo Faces Privacy Firestorm

From new ransomware attacks to privacy issues around Venmo and Ring, Threatpost editors break down the top news of this week.

In this week’s news wrap podcast, editor Lindsey O’Donnell and Tara Seals break down the top news of the week – from ransomware attacks to companies responding to outcry over privacy issues. Top stories include:

  •  Ring announced it is working with more than 400 US police departments to streamline their access to user videos, ushering fears over privacy
  • Speaking of privacy, the Mozilla Foundation and EFF penned an open letter this week scolding Venmo for its privacy policies; while Apple and Google stepped up their game with newly-announced steps they would take against data abuse.
  • Ransomware attacks hit several U.S. dentist offices this week, while a report also came out about how more cyber insurance providers are encouraging users to pay the ransom.
  • A webinar hosted by Tara Seals this week where a panel of experts offered enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to listen to the recorded webinar.

Below find the Threatpost Podcast; for direct download click here.

Lindsey O’Donnell: Hi, everyone, welcome back to the Threatpost podcast. This is Lindsey O’Donnell and I’m joined today by editor Tara Seals with Threatpost. Tara, how’s your week going?

Tara Seals: Pretty good Lindsey, how are you?

LO: I’m good. You had a big webinar this week that you were actually hosting about IoT security and 5G, I feel like that was kind of the staple of the week, because you’ve been preparing for that for a while, how did that go? What were some of the big takeaways?

TS: Oh, it went great. And so, IoT security in general is obviously a really hot topic, and one that that continues to grow with people’s awareness, because we have more and more of these consumer devices out there, and there have been a lot of stories around privacy and security concerns with those. But with 5G, what you’re going to get to is much more of a business enterprise type of scenario. So you know, it’s a lot faster, there’s a lot lower latency. And so there are new use cases that are going to come to bear, things like remote telesurgery and self driving cars eventually, and things like that. And so obviously, the stakes are a little upped when it comes to cybersecurity. A cyber attack can have deadly consequences, quite literally, in an application like that.

LO: Right. I feel like IoT security is something that we’ve written about a lot, and that we’ve heard a lot about, particularly as it relates to the consumer side. So you know, we had everything from that 2016 DDoS attack to how it impacts smart watches to even children’s toys. But you know, I feel like a lot of coverage doesn’t pay justice to the enterprise angle of it. So I thought that was really interesting that you guys talked about that. And would that specifically be around surveillance devices, or what specifically would the enterprise aspect encompass?

TS: Well, one of the one of the things that 5G does is, there’s a profile for extremely low-power sensors that have like a 10-year battery life, so you can throw them out there on the field, and you never have to really update them or do anything with them. And if they’re not locked down, obviously, they’re going to be ripe for the hacking. In that in that particular scenario, you’d have things like supply-chain tracking, logistics and fulfillment, you can have smart-grid types of deployments, where you have energy on demand. You could have water and waste management for cities, all of these things could be enabled by these sensors that can pick up all of this information in real time, transmit it back to a central location and then, which in turn, takes that intelligence and decides what to do with it, i.e., spin up the grid to create more electricity because demand is on the rise, that sort of thing. So, sensors are going to be extremely important when it comes to making things more efficient and more operationally sound I think for enterprises going forward, whether that’s private enterprise, or the scenario that I just mentioned, which would be more of a smart city.

LO: It sounded like a lot of people were participating too, and that there’s just a lot of interest there.

TS: Yeah, we had some good questions. We had a couple of angry people that were pretty sure that 5G’s never going to happen. But there’s always the naysayers. And, we’ll see, but security certainly has to be a thought now.

LO: Right, absolutely. And I know you’ve covered 5G a lot, especially with some of the conferences you’ve gone to this year. So I’m sure you have a really good grasp of where we are in terms of security for 5G and what we need to do to, as you say, get ahead of the curve. Going back to more of the consumer angle of IoT, did you see that Ring news that broke this week, that was making headlines later in the week around Wednesday and Thursday?

TS: Yeah, I read something about that. I know that it was definitely one of those things where you have cyberattackers that can literally surveill you, through your through your own device. You know, that’s certainly an alarming headline. Did you delve into the details on that at all?

LO: Yeah, I looked at it a bit. But it sounds like Ring has at this point released an official map detailing how they partnered with various police departments, which shows how Ring as a whole has been making more partnerships with law enforcement. And the map lets you see if your a local police force is one of the 405 police departments that are partnering with Ring.

TS: Well, in terms of what that partnership looks like, does that mean that if there’s some sort of incident, they can gather the information, or the video or whatnot, that’s been collected on a Ring device in someone’s home?

LO: It sounds like through the partnership, that these police departments can essentially post alerts and request footage from residents.

TS: Yeah, I mean, I can see how people could probably take it the wrong way, particularly if you’re paranoid.

LO: Right. Well, it kind of begs the question, who really owns what, when it comes to IoT devices. Does Ring own the footage or do you, if it’s you in your home? So who has onus there and who has  the right to give out that type of personal information?

TS: That’s something that sort of came to the forefront on the story that you wrote Lindsey about Venmo. I have to say, when I was reading that I was a little bit horrified in terms of the privacy practices, even though I guess consumers would know that this information is public. But but maybe they haven’t thought about the implications.

LO: Yeah, no, for sure. And for the listeners, there was some news around Venmo, which is a popular transaction application, where you can use it to pay back friends if they if you split food with them etc. through a transaction. And there’s been some backlash this week from the Mozilla Foundation and from the Electronic Frontier Foundation, who basically penned Venmo a public letter, saying that they need more privacy around their transaction details. Because what happens is when you post a transaction, it essentially shows your username, picture, a list of your friends and who you’re sending money to. And you can also include a message for what you’re paying for. So that was concerning to Mozilla and the EFF because they said that these transactions are public by default. And also that public list of users’ friends that users can interact with on the app is also public. And there’s not even an option there to hide that group of friends.

So even if you don’t have a Venmo account, essentially what you can do is you can scrape the transactions of millions of payments. And researchers say that they were able to work out several unsavory details about Venmo users, like if they were dealing drugs, or if they had like an alcohol habit, or even if there was a public argument between a boyfriend and girlfriend or something like that. So I know a year ago, one researcher tracked a Venmo user who was selling weed, and he showed how you could see all the transactions between this user and his customers, because they were basically captioned with different marijuana emojis and had mentions of weed in them. And yeah, it’s pretty eye-opening. And I mean, there was one disturbing example to have a programmer who scraped data of Venmo users actually created a bot called “Who’s Buying Drugs on Venmo.” And, that bot would scrape all the users who were making transactions using a drug keyword or drug emoji, and they would tweet out their usernames and photos.

TS: Who came up with the idea, well, I guess PayPal, the owner of Venmo came up with the idea, the idea that you want your financial transactions to be flooded with a social networking aspect, so you want all your friends to be able to see what you’re paying for and who you’re paying it to and everything. I mean, it just seems really invasive. I don’t know, maybe I’m just too old school.

LO: Well, what’s kind of disturbing is that I was using this app. And then I was writing this and I was like, Oh, my God, this is not crossed my mind that it could be – I’ve always thought about Venmo, from a security standpoint, but even just small pieces of data like this, that you wouldn’t think would make a difference. You know, it really could make a difference. And another piece of what researchers were saying was, they were saying that the public list of friends who you’re talking to are so easy to find that that you could, if I were to Venmo you, then someone could see that and be like, Oh, so Lindsey has a friend named Tara. And she Venmoed her for going to this coffee place down the street, and then they could email me and pretend to be you and say that free coffee yesterday, actually would more than what you send me. Can you send me more money or something like that?

TS: That’s crazy, though. And I can see how that would be very easy to do, as well. So I mean, you have enough of those transactions across enough people with enough volume. I mean, that’s it. That’s a nice little revenue stream.

LO: Right, for sure. But and yeah, just another privacy issue.

TS: And I feel like there were a lot of things that we reported on this. I mean, you you have that great update to the Apple Siri, grading process about how they train their AI algorithm.

LO: Yeah, no, it’s it seems like every single story that we’ve been writing about, and every single company has just been talking about privacy policies and what how privacy is retained and how data is collected; such as Apple, as you mentioned, this week, they responded to some backlash that they got earlier in August, where they let contractors listen into Siri conversations. And they came forward the promising that they would no longer retain that audio and made some other improvements to that program. So yeah, they did that. And then, there was, Google came out with a new bug bounty to find data abuse vulnerabilities that were affecting apps by Google Play. So there’s just there’s a lot there every week, and I think that it does go to show, it’s not all bad. There are some companies who are trying to get to the forefront of this in terms of privacy. But I don’t know if Venmo is one of them at this point.

TS: It doesn’t seem like it, I think you had a quote an article actually saying that they weeks ago, a few months ago, when they were asked about this, they basically said, Well, we like to make it fun for users, right?

LO:  Yeah, exactly. They basically were like, this is a functionality for the social aspect of it, and it makes you scratch your head and be like, Well, what about the security and privacy? One’s going to outweigh the other soon. Did you see that ransomware dentist office news, by the way, that broke, late afternoon yesterday on Thursday.

TS:  Yeah. So I, that that’s another one, because I was in the throes of webinar planning. But yes, I saw the story, I did not delve too much into it. But it was hundreds of dentists offices across the country right? They got locked up.

LO: It was I think it was various offices in the US. And it just kind of was reminiscent of the ransomware story that we wrote about last week, which was a targeted attack against several city offices within governments within Texas. And I really feel like we’ve been writing a lot about ransomware lately, there’s been a lot of attacks. I’m not sure if it’s an increase over the previous years, or what, and I don’t think that this ransomware dentist story gave too much detail about whether this was a coordinated attack. But I do think that it goes to show that there’s still tons of vulnerable systems out there. And there’s still a lot of kind of niche markets that still need to be updated and need to be further educated about the threats of ransomware.

TS: Yeah, I know. It’s interesting. I mean, I think the dentist’s office situation, I think had to do with there was a software back end. So it’s a supply chain issue, basically, where there’s this one software back end that all of them are using, it was vulnerable. And so the threat actors basically targeted that vulnerability. And so they were able to do like, a one and done type of thing.

The Texas ransomware case that you talked about, that certainly seems coordinated. And then of course, there was, this was a couple weeks ago, but in Louisiana, all the school districts that were targeted there by ransomware, we wrote about that as well. And so this seems to be a snowballing trend. And it seems to be that the adversaries are looking to target many different locations at once, which is kind of a new wrinkle in terms of whether or not the volume is increasing. Everything that I have read everything that I’ve seen, every report that comes across the desk says that enterprise ransomware is totally increasing though, on the consumer side, it’s waning, for sure. That’s pretty rare at this point. But for enterprises and businesses, that’s where these hackers are sort of moving their sites over to that segment, because it’s so much more lucrative.

LO: Well, I’m sure that the companies or cities or dentist office or whatnot, who end up paying the ransom, it probably doesn’t help. I mean, a lot of researchers who I’ve talked to say this isn’t good, but it really depends on the situation and what’s at stake. But I’m sure in the cyber criminals’ eyes, who are looking to potentially launch these types of attacks, seeing someone pay the ransom, who’s a victim, I’m sure that further incentive for someone to go forth and launch this type of attack to so I’m sure that doesn’t help as well.

TS: Yeah, there was actually a ProPublica investigative report that came out this week talking about that, and talking about the role of cyber insurance and all of this, and how a lot of municipalities in particular decided to use their cyber insurance to pay the ransom, as opposed to just trying to remediate it and mitigate it and deal with the backups and everything else, because that ends up being much more expensive than simply paying the ransom. And how, the article was postulating that this could be putting some wind in the sails of this trend, because attackers know that certain segments, certain verticals, that might be more resource-constrained, like municipalities, like school districts, things like that would be more apt to pay, because it’s just the cheaper option. So, and when you have cyber insurance companies that are out there saying, yes, you know, we’ll cover the cost of the ransom, we’d rather do that, because it’s cheaper than probably cheaper than the cost of all of mitigation or remediation. You know, obviously, this is creating an extortion economy in some ways,

LO: Right. Yeah. That’s really pretty interesting and somewhat disturbing for sure. Did you talk to any experts for that story of and kind of what was their reaction to that?

TS: Yeah, it was kind of a mixed bag. And a lot of the people that I talked to, were saying that, yes, this is theoretically the case. But in terms of being able to quantify the role of cyber insurance to actually be able to pinpoint it and say, yes, this is absolutely a causal factor for why ransomware is escalating. In these particular verticals. You know, there’s no hard evidence for that, but anecdotally, certainly, it seems that way.

LO: Yeah, good. It’s interesting you mentioned that because I remember, Lake City, Florida, which I believe we wrote about, I think it was two or three months ago, they were one of the Florida cities, that got hit by ransomware and ended up paying, but I remember,  when I was writing the story, they were using their cyber insurance provider for part of the cost. So you know that that was interesting, for sure. And sounds like other cities, you’re gonna start looking at that, too. So hopefully, that’s not a trend moving forward. But you know, we’ll see.

TS: That’s interesting, because that is the exact case that that kind of sparked ProPublica to delve further into this and do their investigative reporting on it. So that’s kind of where it all started, because they’re one of the few that have gone public with the fact that they paid the ransom and the fact that they use their cyber insurance use them. You know, it’s interesting. It’s developing story, for sure.

LO: Yeah, definitely. Well, on that note, I’m sure that everyone listening is itching to start their their long weekend. It’s Labor Day weekend here in the US. So, Tara, thanks so much for coming on to talk about some of the big stories of the week like ransomware, like Venmo and Ring. Hopefully you have a great weekend.

TS: Thanks, Lindsay to enjoy the long weekend.

LO: Great. Thank you and catch us next week on the Threatpost podcast.

 

Suggested articles