CyberWire Daily - Hackers for hire. A bulk power distribution risk? An Executive Order on social media is under consideration. COVID-19 and cybersecurity.
Episode Date: May 28, 2020
Hackers-for-hire find criminal work during the pandemic. The US Department of Energy is said to have taken possession of a Chinese-manufactured transformer. US President Trump may be considering an Executive Order about the legal status of social media. Contact-tracing apps in France and the UK are scrutinized for privacy. Ben Yelin with the latest iPhone cracking case between the FBI and Apple. Our guest is retired CIA master of disguise Jonna Mendez on her book The Moscow Rules. Canada's Centre for Cyber Security assesses current risks, and Huawei's CFO loses a round in a Vancouver court. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/103
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
The U.S. Department of Energy is said to have taken possession of a Chinese-manufactured transformer.
U.S. President Trump may be considering an executive order about the legal status of social media.
Contact tracing apps in France and the U.K. are scrutinized for privacy.
Ben Yelin with the latest iPhone cracking case between the FBI and Apple.
Our guest is retired CIA master of disguise Jonna Mendez on her book The Moscow Rules.
And Canada's Centre for Cyber Security assesses current risks, and Huawei's CFO loses a round in a Vancouver court.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 28, 2020.
Google's Threat Analysis Group says that various hack-for-hire outfits, most of them based in India, are spoofing World Health Organization operators using thinly disguised Gmail accounts. The campaigns are for the most part spear phishing efforts, and they use COVID-19-themed phish bait. It's not entirely clear for whom the hired skids are working. Google's report comes wrapped in a discussion of how national espionage services are trying to take advantage of the pandemic, but the activity it ascribes to the hackers for hire, credential harvesting, identity theft, and so on, is at least as consistent with ordinary criminal activity. While espionage services have used criminal hired guns in the past, there's certainly enough conventional crime underway to keep the hirelings busy.
By the way, a study by Inky finds that an awful lot of the COVID-19 phishing traffic in circulation seems to come from US IP addresses. So we can all climb down off of those high horses, fellow Yankees.
The US executive order on securing the United States' bulk power system
described itself as a cybersecurity measure,
but was noteworthy for its concentration on hardware, including transformers,
as opposed to the more usual concentration on networks.
This seemed curious to many observers and prompted speculation that the risky foreign
hardware the order was concerned to keep out of the U.S. grid involved the clandestine
insertion of backdoors that could be used in subsequent attacks.
A Wall Street Journal story may offer a partial explanation as to why this was so. Last summer, the U.S. Department of Energy diverted a Jiangsu Huapeng-produced transformer destined for Denver to Sandia National Laboratory, where it's been under study since, presumably for whatever security risk it represents. Neither the Department of Energy nor Honeywell, the contractor that runs Sandia National Laboratory for the department, was willing to comment to the Journal. But Sandia has long been concerned with supply chain risks.
According to the Wall Street Journal and others, President Trump is considering another executive order,
one that would change legal protections social media companies currently enjoy under Section 230 of the Communications Decency Act.
The proposed measure would move toward treating social media platforms not as a protected public square,
but rather as a monopoly that exerts substantial control over individual speech.
The rumored executive order is generally being received as connected with Twitter's recent fact-check of a presidential tweet,
in which Twitter added a fact-check link to two of
President Trump's tweets about problems he saw with mail-in ballots. The fact-check link text
was a restrained get-the-facts-about-mail-in-ballots, and Twitter CEO Jack Dorsey explained yesterday
that, quote, this does not make us an arbiter of truth. Our intention is to connect the dots
of conflicting statements and show the information in dispute so people can judge for themselves. More transparency from us is
critical so folks can clearly see the why behind our actions, end quote.
The National Assembly and the Senate yesterday approved StopCovid, the exposure notification app developed for voluntary deployment to French users' smartphones. The CNIL, the national privacy watchdog agency, had approved the app on Tuesday, according to SecurityWeek. Euronews says that the contentious debate that surrounded the vote focused on privacy concerns and on getting assurances that StopCovid would be independent of Apple and Google, so big tech couldn't become Big Brother.
Over in the UK, Computing has been close-reading the National Health Service's Test and Trace website. What they've extracted from the text of the British government site isn't especially reassuring with respect to privacy protections. Sure, it's in beta, so take what comfort you may from that, but Computing sniffs that the appearance of such Americanisms as "personal identifying information" suggests that the whole thing was rushed out.
The site reads in part, quote, "If you have had a positive test for COVID-19, we will ask for information about your illness, recent activities you did, and people you met whilst you were potentially infectious. If you are a contact of a person who tested positive, we will ask about your health and provide health advice to keep yourself and others safe," end quote.
You can ask the government to delete your data, but you've got no absolute right to such deletion, and the government plans to hang on to your information for 20 years.
Jonna Mendez enjoyed a long and fascinating career in the CIA, including serving as master of disguise for the agency. Along with her husband, Antonio Mendez, she's co-author of the book The Moscow Rules, which describes some of the cat and mouse games played between U.S. and Russian intelligence agencies throughout the Cold War.
Tony had been writing down the rules over the years. He didn't make them up. We didn't invent them. They were just out there. They were the things that you knew or you would learn if you were getting ready for an assignment to Moscow. It was the strategy and the tactics for how you would comport yourself, how you would carry yourself in order to be able to do your job. This was a terrible place to work. There was so much surveillance on us. It was suffocating. Our job was to collect intelligence. The KGB's job was to keep us from collecting intelligence. So it was a really hard place to work. Tony had been just jotting down, as he would recognize them or think of them, the Moscow rules. It was a running list.
And at the same time, Tony got Parkinson's. He was diagnosed with Parkinson's,
which is a very slow but deadly disease.
So it's like once you find out that you have it,
there's a clock ticking.
You don't know how long this is gonna last.
And that was sort of the impetus
to maybe put this in writing.
Well, let's go through some of them together.
Can you share some of the rules
that are specifically applicable to the spy craft
that you were all using while you were over there?
You've got to know your enemy.
You have to know the opposition
and their terrain intimately.
And if you don't, it's not gonna work because they know it. This is for Moscow.
So we would have our officers in training for over a year before they went to Moscow,
and we'd hand them a map, like on day three, here's a map of the city. You have to learn this
map. You have to know every subway stop. You have to know how the city works because you're going to be on foot. You're going to be out there in that city. You're going to walk more than you've ever walked in your life.
that meant to a CIA officer in Moscow is if you were within 100 yards of the meeting place where you were going to step forward and your agent was going to be sitting on a park bench and you were
going to actually have a face-to-face meeting with him, if you had surveillance at that moment,
your agent was basically going to die. They would arrest him and they would execute him. And they did that over and over. We lost a lot of agents. So at CIA, never go against your gut, Mint. You can always abort.
And there's no shame in it. And nobody is going to try and second guess you.
If you come back to the office and say, it didn't feel something, something was wrong,
something was off. That's a perfectly adequate reason to not move forward.
But as CIA, you were obliged to do that because you really were playing with people's lives.
That's retired CIA operative Jonna Mendez.
The book is titled The Moscow Rules.
There's more of my interview with Jonna Mendez in this week's episode of Hacking Humans.
Check it out.
Canadian security authorities warn that foreign intelligence services are exploiting the pandemic. The CBC reports that Canada's Centre for Cyber Security, a unit of the Communications Security Establishment, has issued a cyber threat bulletin in which the Centre offers an overview of how cyber threats have been shaped by the COVID-19 pandemic. The bulletin is dated April 27th but was posted only this Tuesday. The Centre for Cyber Security notes that the global health sector is under extreme pressure during the pandemic and that this has made it an even more attractive target for ransomware extortionists than usual.
That same pressure has served to draw the attention of espionage services,
who are interested not only in stealing intellectual property related to COVID-19 treatments, but in assessing the effects of the pandemic on adversaries' economies and military readiness.
Both criminals and state espionage services have been using spoofed versions of Canadian government websites to collect information or install malware.
The National Post reports that more than 1,500 such bogus websites have been identified during the pandemic.
The Centre also notes that state-sponsored threat groups are themselves facing staff reductions and adopting a lower operational tempo, which seems to represent the Centre's assessment of the probable effects the global economic downturn is having on intelligence services.
The bulletin mentions another probable effect of economic pain.
Intelligence services may well turn to revenue-generating cybercrime
to make up their budget shortfalls.
Another caution in the bulletin pertains to expatriate and immigrant communities.
These are likely to come under pressure as authoritarian regimes tighten their own domestic controls.
The hostile influence campaigns the center alludes to are very much in the Russia-disruptive style.
The CBC observes that one such campaign has been active in Eastern Europe,
where the Canadian-led battle group in Latvia has been fodder for rumors that it's a hotbed of COVID-19 infection.
And finally, the Supreme Court of British Columbia yesterday ruled against Huawei CFO Meng Wanzhou
in her fight to avoid extradition from Canada to the U.S.
The court found that the U.S. request met the double
criminality standard, that is, the bank fraud and sanctions evasion the U.S. has charged her with
would be crimes if committed in Canada. Her next hearing will be in June, CyberScoop says.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security,
also my co-host over on the Caveat podcast.
Ben, always great to have you back.
Good to be with you once again, Dave.
An article came by, this is from NBC News,
and it's titled, The FBI Cracked Another iPhone,
But It's Still Not Happy With Apple.
This is something you and I have been discussing over on Caveat. This article
is from Kevin Collier and Cyrus Farivar, who I've interviewed before. So Apple has cracked another
phone here. Give us some of the details. So this case involves a shooting that took place in Pensacola, Florida last year.
And it involved a Saudi Air Force officer accused of killing several classmates.
The FBI was doing an investigation.
They wanted access into this person's device.
Apple, once again, as they typically do, told the FBI to pound sand.
We're not going to break our own encryption for you. We're not going
to help you with this. And the Attorney General of the United States, William Barr, has been a
longtime advocate of these backdoors that would allow law enforcement to gain special access to
these encrypted devices. The problem is that Apple keeps saying no, but the FBI keeps figuring out
ways to get into these phones anyway.
So like, I sort of imagine somebody saying, I need a special lock to get into your house.
You need to produce that. Give it to me. It's for your own safety. But then they're like,
I've been able to get in every time I've needed to, because, you know, I picked the lock with
my finger and then I found the garage door opener.
Yeah, exactly. And then I came in through the window.
It sort of begs the question, naturally, why does the FBI need one of these back doors
if they are able to get into these devices anyway?
The other thing noticeable or notable about this article is that for once,
they actually found useful information on the device that they
were searching. They found out that this terrorism suspect actually had ties to international
terrorist organizations like Al Qaeda. And that, you know, I don't know how that's necessarily
going to be useful for us going forward, but it's certainly useful information in the context of
this investigation. So oftentimes they'll crack these phones and there'll be nothing
on there. You know, it's like, I tried to find out who this terrorist was communicating with and I
got his, you know, Snapchat photos or something. But here we actually have useful information.
But yeah, I mean, the upshot of this is Apple has been steadfast in refusing to allow these
backdoors.
Law enforcement keeps criticizing them, saying,
you are jeopardizing public safety by not giving us this access.
Yet law enforcement keeps finding ways to get into these devices anyway.
It's just a very interesting dynamic.
Well, and also, I think it's worth pointing out that one of the points Apple is making is that we don't have a backdoor.
We can't unlock this for you.
The way we have built this technology,
even we can't get in there.
So stop asking.
Stop asking and stop asking us
to destroy the own security apparatus
that we've created for our customers
because we're not going to do it.
And yeah, I mean,
as we've talked about a million times,
there's a reason Apple didn't create a backdoor.
It's in the security interests of its users.
It's also probably in the security interests of the government in the long term
because these backdoors, of course, could make their way to bad actors,
whether they be state actors or non-state actors.
We're talking about a terrorism case.
What if a terrorist organization figured out how to breach these devices? So, you know, that's certainly something that's
worthy of consideration. So from a policy point of view, do you think this weakens law enforcement's
case that they need a backdoor? The fact that repeatedly they've been able to get what they
need without one? I certainly think it does. Now, they could say there's going to come a point
where we're not able to crack the device,
we're going to need critical information,
and we're going to need Apple's help.
But until we actually find that case,
and we really have not to this point any high-profile case,
then Apple's going to say,
you've already figured it out without our help.
So why don't you figure it out all by yourself? So I think, you know, that's going to be the
takeaway coming from this incident as well. All right. Well, this cat and mouse continues,
right? Back and forth. It will, yeah. Feels like it's never going to end. We're going to be in our 70s and there'll still be a battle going on between the FBI and Apple.
Right, right.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.