Beyond the regular drumbeat of security vulnerabilities and patches this week, a slew of stories covered varying topics ranging from NASA to Tinder. The Threatpost team broke down the most interesting stories of the week, including:
- A ransomware webinar hosted by Threatpost editor Tara Seals, which included experts from Recorded Future, Malwarebytes and Moss Adams. The webinar looked at the top ransomware trends and threats, and outlined how enterprises can protect themselves.
- A Florida city hit three weeks ago by a ransomware attack voted this week to pay the hackers a ransom of $600,000.
- A Threatpost feature that looked at top dating apps like Match.com and Tinder found that the services are collecting and sharing a disturbing range of data, from chat messages to sexual orientation.
- Rampant security-operations bungling allowed cyberattackers to infiltrate NASA’s JPL network, which carries human mission data.
Below is a lightly edited transcript of the Threatpost news wrap podcast.
Lindsey O’Donnell: Welcome to the Threatpost News Wrap for the week ended June 21. This is Lindsey O’Donnell, and I’m here today with Tara Seals and Tom Spring to break down the top security news of the week. Tara and Tom, it’s been a busy week. How are you guys doing?
Tara Seals: Good.
Tom Spring: Good.
Lindsey: So I mean, we’ve had everything from ransomware, to NASA, to dating apps that we’ve written about this week. And it wasn’t just writing stories for you, Tara, right? You hosted an awesome webinar on ransomware on Wednesday that I was able to listen to part of. How did that go?
Tara: Oh, it went really well. I was really excited to do it. We had experts from Recorded Future, Malwarebytes and Moss Adams, which is a consultancy firm on the West Coast. And all three of those guys just gave killer presentations, just kind of breaking down the state of ransomware for enterprises, to be clear, not for consumers, but all kinds of interesting little tidbits in there. So it was great.
Tom: One burning question I have about ransomware and it’s sort of a hunch of mine is why we’re seeing a peak in the number of ransomware attacks. Is there a direct correlation between you know, cryptocurrencies doing well and ransomware attacks? I’m just wondering whether you guys covered why we’re seeing this, and what might be going on within the space right now?
Tara: Well, what my panelists were saying is that it’s not so much tied to cryptocurrency value, that would be more like a crypto miner-related thing, but for ransomware the movement has been away from attacking your average consumer – that has almost fallen off the map – but they’re going after what they see as vulnerable, so kind of big fish. So a lot of municipalities, hospitals, you know, kind of verticals that traditionally are lagging in security or have legacy security mechanisms in place, and are notorious for that. So it’s almost a targeted spear phishing expedition, where they’ll zero in on somebody that they know might not have, you know, proper protections in place, and also probably would be likely to pay the ransom. So we’re seeing more intelligent attacks rather than canvassing attacks.
Tom: I’m hearing more and more about companies that are paying the ransom, whether or not that puts a bigger bulls-eye on their back in terms of like, okay, they pay the ransoms, so let’s go after them.
Tara: Well, and it’s interesting, Lindsey, you actually read that story about that Florida town that paid the ransom, and you talked to a few people about that, right?
Lindsey: It’s definitely an interesting question. Because I feel like the general recommendation is obviously not to pay the ransom. Because first of all, you don’t even know if the attackers are going to hold true to their word and unlock the systems or just make away with this money. And then also people are saying that it promotes other attackers and kind of inspires them to launch their own ransomware attacks, like, ‘Oh, they actually got the money. So, you know, this is a great idea for doing the same thing.’ But in the case of the city that I wrote about this week, which is a Florida city that was hit by a ransomware attack three weeks ago: this week, the City Council voted to pay the attackers the ransom, which was 65 Bitcoin, which is worth around $600,000, a pretty big sum there.
Tara: Especially for a small town. I mean, we’re not talking Miami here. Right? I mean, it’s a pretty small retirement community.
Lindsey: Right. Yeah. So I, you know, I talked to a couple of experts. And you know, they were saying that, yes, it is the general recommendation not to pay the ransom. But an expert I talked to from Carbon Black actually had a really good point, which is that the answer to pay or not to pay is really never as black and white as we’d like to think it to be. You have, for instance, a healthcare organization that is unable to access patient data that’s necessary for actually caring for patients in the moment, and that’s putting lives at risk; I think that they might be more inclined to go and pay the ransom and try to, you know, get quicker access to data. Whether that works or not is a different question. But it’s definitely different factors that go into situations like that. And in the case of Riviera Beach, which was the Florida city, the ransomware attack impacted systems that were controlling their water utility, government email, and phone lines wouldn’t work, 911 calls couldn’t enter into computer records. So I mean, there were a lot of pretty critical processes that were impacted by the attack.
Tara: Yeah, well, and it’s interesting, because, you know, when you talk about to pay or not to pay, you and I had worked on a feature-ette last week kind of around this, and you’re right, I mean, sometimes the cost of remediation is actually more than what the ransom would be; you know, in a lot of cases, people’s hands are tied, and they don’t really have a lot of good options. And so the takeaway really is to have backups, or make sure that you have everything, somewhere, replicated so you can just restore your systems and all is well.
Lindsey: If you’re looking at the question of to pay versus not to pay, I feel like the real question is, how do you prevent this from happening from the get-go instead of, you know, kind of arguing about how to deal with it after it happens; got to be proactive there. But when I was doing some background research for that ransomware article we wrote about last week, Tara, it’s just crazy. And I know you mentioned earlier the amount of municipalities that were impacted and targeted by ransomware attacks. But even beyond the big ones like Atlanta or Baltimore, there are a lot of smaller cities that have been hit by this and some that are even local to us here in Boston, like Lynn, MA, and Portsmouth, New Hampshire. So, I mean, this sounds like a pretty wide-scale issue, even just on a local level.
Tom: I wonder, you know, for everyone that we hear about, there are probably 10 others that are just kind of keeping it quiet, you know.
Tom: I think the practical advice of having backups and being able to, you know, just be able to hit the reset button is such good, fundamental advice. But it’s such good fundamental advice that I’ve been hearing, I’ve been hearing that advice for 10 years when it comes to disaster recovery. And yet, nobody does it. I mean, you know, just trying to beat some sense into people in terms of having a backup strategy and being able to recover after either a ransom attack or a hardware failure, or some sort of data loss.
Lindsey: Right. On a completely separate note, one other really cool story that Tara, you wrote about this week was about dating apps. So shifting gears from ransomware to dating apps here, but you had a really cool story about kind of the privacy implications on dating apps like Match.com or Tinder. What was kind of the background there of writing this type of story? I mean, what inspired you to write that? And what were some of the key findings there?
Tara: So there’s a privacy advocacy group called ProPrivacy. And they did a survey of people that use dating apps to find out what kind of information they share. And they found that people are very willing to kind of put their entire intimate being out there online for a lot of these apps, and they answer a lot of really personal questions.
But at the same time, they’re not really aware at all, in terms of what the privacy policies are, and what these companies reserve the rights to with that data, how they’re handling that data, who they’re sharing that data with, etc. So, you know, there’s a gap there, which is pretty interesting. And then at the same time, though, the survey pointed out that people are sort of aware that they need to be concerned about privacy, that they are a bit concerned about it, but not enough to actually go and read the privacy policies themselves. So in tandem with that, ProPrivacy also took a look at the Match Group, which also owns Tinder and OkCupid, Plenty of Fish, and a bunch of other kind of rival dating apps that are all under this one umbrella. The holding company is something called InterActiveCorp, IAC. Looking at their actual privacy policies, they’re pretty vague. And they have a lot of sort of legal loopholes, in terms of their lack of specificity. And then I went and started looking at Tinder and Match privacy policies and ended up kind of being a little bit horrified by all of the different things that they collect, they record and then reserve the right to share with third parties. You know, everything from your chats that you have with people on the platform, any personal information out there in terms of your dating proclivities, your likes, your dislikes, even things like, do you use drugs? Have you ever been in prison? Things like this, all of that information, they keep on file, and then share with people as needed.
Tara: Yeah, and it’s interesting, because some of the information, it’s not even just necessarily what users are voluntarily typing in to create the profile. I mean, obviously, there’s a lot of intimate information there. But they also reserve the right to kind of monitor what you’re clicking on, the other users that you’re interacting with, the time and date of when you’re typically online, all of these things that really create a pretty detailed profile of who you are as a person. And some of that information, they randomize, so things like geolocation and your actual name, and your contact information, they actually do keep that encrypted and hashed. And, you know, they don’t share that.
Tom: I think we’ve heard those claims before in the past, haven’t we? I mean, I don’t mean to be jaded and skeptical. But, you know, I’m jaded and skeptical.
Tara: Yeah, no, it’s true. And so you know, what kind of encryption is it? We don’t know. What kind of hashing mechanism are they using? We don’t know. And one of the scary things about the security part of this is, Tinder actually says point blank that users should have no expectation that their data would be safe.
Tom: You know, one of the things I thought was so interesting about the story, and again, I think there’s an area that – I don’t know how much Match.com’s parent company talked with you about the report. But the one thing I was actually really interested in, I know that you had said that this dating service and services collected your private messages between users. And I was just thinking of all the things that could go wrong.
Tara: Oh, my gosh, yes.
Tom: I thought it was interesting that they did clarify that no images were even possible to be sent between two people. I was just thinking of, this is like the poster child for what could possibly go wrong with sharing your personal data with a website in terms of what’s at stake. It makes sense that they wouldn’t allow images over private messages.
Tara: Yeah. Yeah, they have really strict image policies in terms of where people can upload.
Lindsey: Did you get a sense of whether the actual users of the services had any idea about just how much data was being collected on them? And also, was there any sort of opt-out policy for these types of things?
Tara: Generally speaking, according to the survey anyway, users kind of have no idea that they’re sharing this much information.
Lindsey: Luckily, I don’t have to deal with that.
Tara: Yeah, I haven’t been on a dating service, like ever. I got married a long time ago.
Lindsey: Well, what else was there this weekend? We had, there was a really interesting report on NASA, which Tara, you also wrote about? You’ve been doing all the interesting stories this week.
Tara: Well, I mean, I know it’s the Tara podcast. So I started writing what I thought was going to be a pretty straightforward story: the U.S. Office of the Inspector General did a cybersecurity review of the Jet Propulsion Laboratory at NASA and found there to be basically kind of horrific cybersecurity best practices, or poor practices in place, no network segmentation, no patching schedule, no visibility into their inventory, no third-party security agreements, you know, just on and on and on, every single thing that you can think of that is something not to do, JPL is doing it, was doing it. But then I was combing through the report, and they start talking about the cyberattack that happened last April. And that is a direct result of these poor security practices. I was like, hang on, was that ever reported? And I did some Googling and it didn’t seem as though anybody had talked about it before. So I kind of delved into it a little bit. And yeah, so hackers were able to get onto JPL’s system, and then pivot further into the network. And basically, compromise systems and networks that carry data about human missions, like for the International Space Station, and things like that.
Tom: What was the initial report, again?
Tara: When was the initial report?
Tom: No, what was the name of the report? How did this surface? Was it just a disclosure or an annual report?
Tara: Yeah, it just seemed to be one of those sort of run-of-the-mill security reviews that is done on various government agencies on a regular basis; it’s part of the mandate from the cybersecurity executive order that came down. And so this was one of them.
Lindsey: So this hasn’t been the first time that NASA has had a security incident, either, right? Because they had something in December too, right?
Tara: Yeah, that was actually a database, and there weren’t a whole lot of details in terms of that, but someone had hacked into their HR database, and had managed to collect a lot of information about their employees. But that’s one dimension of security; another dimension is being able to actually get in on mission systems. And potentially, it didn’t happen, but essentially, they could send the wrong information to the Johnson Space Center in the middle of a mission and wreak all kinds of actual real-world physical havoc. And so the level of sort of seriousness is different in those two instances. But yes, both show that their networks are not particularly secure.
Lindsey: Right. And what was disturbing to me about the story was just that there were these – and I don’t know if there continues to be – but there were these IT security control weaknesses that are just like, the issue of network segmentation, come on, these are just things that if you have such mission critical systems and networks, you need to be thinking about these things.
Tara: Absolutely. Well, and the Johnson Space Center in Houston, they actually disconnected – they use JPL data from their various systems to help with Mission Control. And they actually disconnected from JPL, because they’re like, you guys are a huge security risk. So we’re out of here, basically.
Lindsey: Well, we better wrap up here. This concludes our news wrap podcast. Tara and Tom, thanks for coming on today.
Tara: Thanks for having us, Lindsey.
Lindsey: Lots of really interesting stories that we were able to discuss.
Tara: Yeah, so everyone listening to this should go and read all of our stories on our site.
Lindsey: Yes, everything from dating apps to NASA. Well, catch us next week on the Threatpost news wrap. Thanks again, Tom and Tara.