CyberWire Daily - Dream a FunnyDream of me. US CISA Director dismissed. Facebook, Twitter CEOs virtually visit the US Senate. Huawei CFO extradition update. Bad passwords.
Episode Date: November 18, 2020
FunnyDream? No, it's real: a cyberespionage crew operating against Southeast Asian governments. President Trump fires US CISA Director Krebs. Twitter and Facebook CEOs testify before the Senate as legislators consider Section 230. The extradition hearing for Huawei's CFO continues in Vancouver. Joe Carrigan looks at fleeceware on the Google Play store. Rick Howard speaks with Tenable's Steve Vintz on communication between C-Suites and security teams. And the most common passwords in 2020 are now out, and "password" only comes in at Number 4. We're not sure that really represents progress, because wait 'til you hear Number 1. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/223
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Funny dream?
No, it's real.
A cyber espionage crew operating against Southeast Asian governments.
President Trump fires CISA director Krebs.
Twitter and Facebook CEOs testify before the Senate as legislators consider Section 230.
The extradition hearing for Huawei's CFO continues in Vancouver.
Joe Carrigan looks at fleeceware on the Google Play Store.
Rick Howard speaks with Tenable's Steve Vintz on Zero Trust.
And the most common passwords in 2020 are now out,
and password only comes in at number four.
Just wait till you hear number one.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary
for Wednesday, November 18th, 2020.
Bitdefender researchers described the activities
of a hitherto little-remarked Chinese cyber espionage group.
It's called FunnyDream, after one of the tool sets it uses.
Most of the group's infrastructure is located in Hong Kong,
but with one additional server each in Vietnam, China proper, and the Republic of Korea.
Bitdefender is cautious about attribution, not going much
farther than Chinese or Chinese-speaking, and is also reticent about the targets,
which it characterizes as potential government sector victims in Southeast Asia.
This isn't the first time FunnyDream has come to researchers' attention.
ZDNet points out that a Kaspersky report this past spring found FunnyDream activity mostly directed against Vietnam, with additional targets in Malaysia, Taiwan,
and the Philippines. As an aside on nomenclature, may we say we miss the pandas? Are we out of
adjectives for pandas? They couldn't have called this one, say, Next Door Panda or Karen Panda or Takeout Panda.
I love pandas. Last night, President Trump fired Cybersecurity and Infrastructure Security
Director Christopher Krebs. In the two-tweet thread he used to announce the dismissal,
President Trump called Director Krebs' assurance that the recent U.S. elections were secure
highly inaccurate and gave that assessment as his grounds for the firing.
The move had been expected for several days, with speculation that Director Krebs was in
White House hot water, having circulated since the middle of last week at least.
At issue, apparently, were repeated assurances by the CISA director that there was no evidence of any systematic large-scale hacking of voting systems.
Krebs' work at CISA had received good bipartisan international and industry reviews.
He was generally well-regarded in the cybersecurity sector.
The Wall Street Journal and SC Media are among the publications that summarize reactions to his dismissal.
We've seen few comments that approve of the firing.
Most of those in and around the cybersecurity sector think he'd been doing a good, focused, and nonpartisan job throughout his tenure.
It's worth noting that Krebs had long publicly explained before and during Election Day
that unofficial results reported by the media were
just that, unofficial. He had also publicly insisted, right up to the 11th hour, that the
election wasn't going to be over until any necessary recounts had been conducted and all
the votes certified. Everyone should expect, he said, that process to take weeks. These have been,
at least, as clearly the themes of his public statements
as have his reassurances about security.
In fairness, this seems hardly the sort of thing a shill for hostile partisans
would be likely to emphasize.
May all honest counting and recounting continue.
Matthew Travis, who had been deputy director, is also reported to have resigned.
CISA hasn't updated its leadership page yet,
but it would appear that the agency will be run on an acting basis by its executive director, Brandon Wales.
Good luck, Mr. Krebs. Many will miss the quiet voice and the loud socks.
Twitter's CEO Dorsey and Facebook CEO Zuckerberg described their platforms' approach to election season disinformation before a Senate panel yesterday.
The Wall Street Journal says both gave their companies good marks, but they signaled their openness to further regulation.
The hearings are considering the future of Section 230 of the Communications Decency Act,
a law which many legislators of
both parties believe the Internet in general, and social media platforms in particular,
have outgrown. Section 230 presently gives social media the protections of both publishers and public squares: exemption from liability for what's said on them, combined with the ability to moderate the content they permit. Those sets of protections have long been in tension.
They may be reaching the point of contradiction.
Both Mr. Dorsey and Mr. Zuckerberg testified remotely.
Their video appearances show one leveling effect of technology.
Even captains of industry look as bad as the rest of us do when we're on Zoom.
The Vancouver extradition hearings for Huawei CFO Meng Wanzhou continue.
Reuters reports that a Canada Border Services Agency official testified
that he was not pressured into improper actions by the U.S. FBI.
Ms. Meng's counsel had maintained that the bureau strong-armed the CBSA
into violating Canadian legal norms.
And finally, you'd think people would have moved towards stronger passwords
after all the nudging in that direction from, well, just about everywhere.
Not necessarily.
Here are the top 10 passwords of the year 2020 as reported by NordPass.
Let's go a little old school with this.
Counting backwards from 10, we have...
Which is Portuguese for password. Thanks, Brazil.
10 digits, but all digits, and counting numbers to boot.
Number 8: 12345. Only half as good as number 9.
Number 7: 123123.
Number 6: 111111. We have nothing to add to those two.
Number 5: 12345678.
Number 4: password. You saw that one coming, right?
Number 3: picture1.
Number 2: 123456789.
And coming in at number 1, up one place from last year, is the ever-popular 123456, now used by 2,543,285 users. That NordPass could find, that is. You know who you are.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
The CyberWire's Chief Analyst and Chief Security Officer Rick Howard recently checked in with Tenable's Chief Financial Officer Steve Vintz for his insights
on Zero Trust. Here's their conversation.
We are joined by Steve Vintz. He's the Chief Financial Officer for Tenable. Welcome to the show.
Thanks, Rick. Thanks for having me.
You wrote an essay in CFO Australia last month about how the CISOs are becoming more important to people like you at the senior executive staff. Why don't you give us a rundown on what that essay said?
Sure. We talked a lot about the maturation of the role of the chief security officer, the chief information security officer, and how the security team needs to evolve their strategy and become better partners with the C-suite. In turn, I believe the C-suite needs to also evolve and recognize the value and the contributions of the chief security officer as an important executive on the team. And I believe there's a disconnect in how businesses understand and manage security risk.
Well, I totally agree. And I've been part of that problem myself in my former CSO roles, right? That my peers and I have always had trouble conveying or transforming cyber risk into business risk. We just didn't have the language to do it. And I was wondering if the CFOs of the world could help us figure that out.
In terms of business leaders, what I can tell you is business leaders want a clear picture of their organization's cybersecurity posture. But their security counterparts struggle to provide one. And so when we look at security, I think the problem today is that there's no common language. When you pose that question, how secure are we, you don't typically get an answer that's based on the maturity framework of an organization and a couple of key metrics. There's not a clear articulation of that.
I would pose to you that that's the wrong question, all right, or at least a hard question to answer. I would rephrase it, and I've been on a glide path to try to get this out there, but the real question that CISOs should be answering to people like you, the CFO, is what's the probability that we are going to be materially impacted by a cybersecurity event in, say, the next three years? I think that's an answerable question. I don't know. What do you think about that?
Rick, I agree with where you're coming from because I'm not proposing that you can eliminate security risk. By the way, I'm the CFO. I'll stay in the shallow end of the pool when it comes to technical matters on security. But I do think that I understand business risk. And you can't – the only thing you can do, I believe, is do a series of things that reduces risk to a relatively acceptable level. I don't think there's a clear articulation. I think we're becoming better as an organization. I think boards are becoming better. But I think there's a long ways to go in that regard.
All good stuff, Steve. Thanks for joining us on this interview with the CyberWire. And hope to come back with us. And I'd love to talk to you again about the progress you're making there.
Thank you, Rick. Thanks for having me.
That's our own Rick Howard speaking with Tenable's Steve Vintz.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Joe, great to have you back.
Hi, Dave. Interesting article caught my eye. This is from the folks over at Threatpost. This one's written by Tara Seals, and it's titled "Minecraft on Google Play: Fleece Players out of Big Money."
What's going on here, Joe?
What's going on here, Dave, is someone has realized that it's perfectly legitimate within the ecosystem of these app stores to have a very high cost for a subscription to an app, and that's what they've done. So they've built these apps. There's like seven of them that they've built. And Avast thinks it's all the same developer who's done this. And these are apps like mods and maps for Minecraft PE, skins for Roblox, live wallpapers, HD and 3D backgrounds, these kind of apps. And what happens is when you install this, you get a free three-day trial period. And after that, the app starts charging you $29.99 a week for the app.
Okay.
Right.
All righty.
So what's interesting is that in order to see this in the Google Play Store, when you look at the app, you know, first you have to search the app and you find the app, and then you have to click on a little arrow on the right-hand side to read the entire description. All the way down at the bottom of that description, it talks about the terms and conditions, that we're going to bill you 30 bucks a week after the trial period. That's anywhere from 120 to 150 bucks a month.
That's a lot of money.
Yes. The article points out, rightly so, that one of the biggest issues here is that this is something that children will install, because Minecraft is very popular with a very wide age group of people. I have a copy of it. I play it. I don't play it on my phone, but I do play it sometimes. I haven't played it lately, but I have played it on my PC for a long time. And it's a fun game.
It's also a game that's perfectly fine for children to play, right? Sure. And they're the
ones that are not going to read the terms and conditions or understand what they're applying
to or what they're agreeing to. And they're just going to click the yes button because, you know,
they're young. And then their parents are going to see these charges coming through
on their credit card from Google play. And they're going to be like, what is this? What's going on
here? Uh, of course you can request a refund from this, but you know, I don't know how you stop this
aside from Google saying, okay, this is fleeceware because I can imagine a situation. And we were
talking about this before we started recording a good example of this is Adobe. Adobe charges $70 a month
for a business to have a license to all their products. Right. So, yes, it's expensive for
what it is, but there are legitimate business cases where you can have an app that's in high demand by a specific group of people that provides a real benefit but is not cheap.
Right.
And that's a good business model.
But in this case, they're calling it fleeceware because it doesn't match the rest of the market.
Right.
In order to buy Minecraft PE, that is a one-time $7 purchase from Mojang, which is now owned by Microsoft. But in order to have an app that augments, or allegedly augments, the other game, it's $30 a month, or a week, rather. $30 a
week. That's not right. That's not what this business model is meant to, that it's certainly
outside of the spirit of what Google Play and even the Apple Store. And the article talks about the Apple Store having similar issues.
Google has, as of this recording, not removed these apps from the store.
They're still available.
I just found one and did the search on it.
That's how I know that you had to hit that little arrow to read the entire description.
Yeah.
It strikes me that there's a couple ways that these scammers come at this.
You know, they're the ones who, they all start out with something that's free. So for X number
of days, you get this thing for free. Right. And it seems like a lot of times they'll come after
you or they'll lure you in with something where it's an app of limited utility, but when you need
it, you need it.
You know, something like a QR code reader or something like that. Yeah, something that doesn't
do a whole lot, but the thing it does is useful and you need it now. And so you're probably not
being, you're not shopping around all that much and you see free QR code reader and you say,
aha, that's for me. And you download it. But then afterwards, it strikes me that there's a couple
ways that they come at this. They either try to hit you with something big, like in this case, 30 bucks a week,
and hope that it's just too much of a pain to try to claw back the $30 or the $60 or however
much they get. And so they just take that money and run. The other way they come at it is they
charge you something like a dollar a week, and they hope to fly under the radar for as long as possible.
It's more of a numbers game, right?
Yes, yes.
That's the way I'd do it.
I'd try it with a low amount if I was doing this.
I'm not doing this.
Okay, fair enough, fair enough.
So I guess the take-home here is what?
If you've got kids, take a look at it.
Make sure that, well, I guess, first of all, tell them,
don't just install anything. Make sure they understand what's going on. Educate them.
And when that doesn't work. Yeah, when that doesn't work, if you have kids that don't listen
to you, who has kids that listen to everything they say? I'd like to be that parent. You can
create a user account on the device for the kid that prevents them from installing apps.
But also, you know, keep an eye on that credit card that, you know, makes sure.
And generally, actually, generally speaking on the phone, that's not really something you can do.
If a kid says, can I play with your phone?
And they start installing these apps, they're going to be doing it as you, right?
So then you're going to keep an eye on the credit card.
You can request refunds and you can say, you know, my kid installed this and it wasn't met.
And that's actually in the Google refund policy that, you know,
if a family member installs something, let us know and we'll refund your money.
Yeah.
Well, it's interesting.
Security is a competitive advantage.
Right.
Exactly.
All right.
Well, Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you
back here tomorrow.