CyberWire Daily - Mustang Panda needs to repent. Not the FBI. Dodgy consumer routers and smart doorbells. Prospective Presidential appointees and cyber. Crime and investigation.

Episode Date: November 24, 2020

Mustang Panda goes to church, but not in a good way. Hoods are trying to spoof the FBI with Bureau-themed domains. Dodgy routers and suspect smart doorbells. A quick look at the incoming US Administration, from a cybersecurity point of view. Someone's allegedly swapping iPads for concealed carry permits--say it ain't so, Santa Clara County. DHS investigates Windows help desk scammers. Ben Yelin on a Massachusetts ballot initiative involving connected cars. Our guest is Larry Roshfeld from AffirmLogic on the pros and cons of a Treasury Dept advisory that could put companies who facilitate ransomware payments in legal jeopardy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/227

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Mustang Panda goes to church, but not in a good way. Hoods are trying to spoof the FBI with bureau-themed domains, dodgy routers, and suspect smart doorbells. A quick look at the incoming U.S. administration from a cybersecurity point of view.
Starting point is 00:02:16 Someone's allegedly swapping iPads for concealed carry permits. Say it ain't so, Santa Clara County. DHS investigates Windows help desk scammers. Ben Yelin on a Massachusetts ballot initiative involving connected cars. Our guest is Larry Roshfeld from AffirmLogic on the pros and cons of a Treasury Department advisory that could put companies who facilitate ransomware payments in legal jeopardy. And some more advice about safe shopping during the holidays. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 24th, 2020. Researchers at Proofpoint have detected a resurgence of Mustang Panda activity.
Starting point is 00:03:17 The Chinese intelligence service threat actor has long been active against ethnic and religious minorities. Its current campaign, which features an upgraded PlugX malware loader written in Golang, is directed against Chinese Catholics. CyberScoop notes that the group is using spoofed email headers purporting to belong to Catholic journalists as part of its phish bait. Mustang Panda's present efforts represent a resumption of targeting Recorded Future called out in July. The FBI yesterday warned of another trend in spoofing. This one is open to a range of
Starting point is 00:03:51 unattributed actors, both state-directed and straightforwardly criminal, phony domains recently registered that can give the inattentive the impression that they're visiting a bureau site. The FBI's real one and only domain is fbi.gov, not.com,.org, and so on. Nor does the bureau use prefixes like Agencia FBI or suffixes as in FBI Australia within its domain. Sure, these aren't particularly plausible, but they could catch you if you're unwary.
Starting point is 00:04:24 Cyber News reports that a number of Chinese-manufactured home routers, including models available from Walmart and Amazon, come with back doors. The Walmart model named in the report is Jetstream. The device available from Amazon and also from eBay is Wavelink. Walmart says it's looking into the matter and that in any case Jetstream is out of stock and the retailer has no plans to reorder it. British consumer group Witch says that it's tested 11 smart doorbells and found them wanting. In addition to unbranded ring knockoffs, the models included systems from Kihu Seatronics, and Victor.
Starting point is 00:05:13 The BBC reports that Victor's smart video doorbell was found to send users' home network names and passwords unencrypted to servers in China. The other marks tested were accused of other lesser but still serious security misdemeanors. President-elect Biden's transition is entering its formal stage. Some of the incoming administration's senior appointments will have significant responsibility for cybersecurity and related matters. Prospective appointees mentioned by NPR include Alejandro Mayorkas to the Department of Homeland Security, Janet Yellen to Treasury, and Avril Haines to Director of National Intelligence. We had occasion to hear Mr. Mayorkas a few times during and shortly after his earlier tenure as Deputy Secretary of Homeland Security. At the Billington International Cybersecurity Summit in April 2016,
Starting point is 00:05:58 during his service at DHS, he singled out information sharing among government and private actors as the centerpiece of the department's cybersecurity work. He regards this as curative as opposed to an accountability function. He also expressed the opinion that such sharing should go on internationally as well as domestically and that it should include the private sector, where companies should generally follow what he took to be the good example of the financial and utility sectors, where businesses don't all compete on security,
Starting point is 00:06:29 and where they generally held that the cure of one should be the cure for all. A couple of notes on the long arm of the law, one positive, the other sort of a downer. Let's take the downer first, and it comes from Silicon Valley. Three people have been indicted in Santa Clara County on bribery charges. They include two members of the Sheriff's Department, Under Sheriff Rick Sung and Captain James Jensen, who are accused of soliciting a bribe, and the head of security at Apple, Thomas Moyer,
Starting point is 00:07:01 who's alleged to have offered the sheriff's office 200 iPads in exchange for four concealed carry permits. The Wall Street Journal says that Moyer and Sung have denied any wrongdoing. Mr. Jensen's attorney declined to comment, and that Apple representatives have said that, yes, Apple was interested in donating iPads to the county sheriff's training facility, and that, yes, Apple did request concealed carry permits, but that there's no connection whatsoever between the two. But who knew that Apple was packing around Cupertino? Allegedly.
Starting point is 00:07:36 The other, the good news story, comes to us from our editorial staff, one of whom was visited this morning by two Homeland Security Investigations agents. They were at the staffer's door, not as you might expect to take him or her away in irons, but rather to follow up on a complaint he or she had made to the DHS online hotline about Windows Help Desk support scam calls he or she had been receiving. So take heart, you who are tired of scam calls. The authorities are listening. You can make your reports to uscert.gov slash report
Starting point is 00:08:11 and good hunting DHS. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:08:42 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:09:14 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:09:37 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:10:32 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The U.S. Department of Treasury recently released an advisory stating that companies who facilitate ransomware payments could face fines. Larry Rochfeld is CEO at AffirmLogic. He joins us to discuss some of the pros and cons coming from that advisory. Well, I think this is essentially an analogy
Starting point is 00:11:25 to the situation with terrorism in the real world. So the U.S. government has always had a policy not to negotiate with terrorists or hostage takers, and that's been relatively effective. And I think they're just trying to extend that into the cyber world, though with all good intention, I think there's some repercussions of that decision that haven't been thought through completely. And what do you suppose some of the repercussions might be? Well, let's imagine a situation where you've got a community hospital. It's the only hospital within 250 miles from any of its patients, which is a very typical situation in parts of the U.S. And they become the unfortunate victims of a ransomware attack.
Starting point is 00:12:00 If they don't have the appropriate IT systems in place to be able to recover, you're putting them in a very difficult position because basically if they pay the fine so that they can recover their ability to function as a hospital, then they're at risk of being shut down by the government because a fine could put them out of business. If they don't pay the ransom, then they've been shut down by the terrorists. So they're kind of in between in a situation where with all good intention, the government may have repercussions to their decisions that they never intended in the first place. Have we been at this long enough to be able to track the difference between companies who are transparent and putting out information to their constituents throughout the process and folks who keep everything closer to their vest? Is one likely to have a better outcome than the other it's a great question the challenge is you don't necessarily know the people who are doing such a good job that it doesn't become public at all
Starting point is 00:12:54 so it's hard to measure because you know there is the philosophy that says sunshine's the best disinfectant you should disclose anything that happens. On the other hand, are there organizations who have disclosed absolutely nothing and have therefore become safer because no one knows that they were having a problem? Now, the issue may be that they're violating even outside the U.S. regulations like GDPR. So they may be taking a risk, but it becomes a business risk of, well, do I disclose, which I'm required to do, and potentially have a huge catastrophic problem, or do I not disclose and take my chances that government finds later? And so depending on kind of the impact, I think a lot of business people will make a decision essentially weighing out what the risk is versus the reward.
Starting point is 00:13:37 I wonder, too, if there were a strict prohibition on it, you know, from the government. I mean, would that, would that almost, there are situations where that could be helpful to the organizations to be able to say, well, our hands are tied. We're simply not allowed to pay the ransom. It could be, to a certain degree, it resolves one problem, but it doesn't resolve the other, right? So, you know, you're basically saying to your, let's use that hospital example. You're saying your patients, hey, there's nothing I can do about this. I'm not allowed to prevent this. But then the patients could say, well, wait a second, why didn't you do something in the first place?
Starting point is 00:14:11 I'm never going to trust you people again. I'm not going to go to you. I'm going to tell my friends not to go to you. So the end result may be that their reputation is protected because they can say it's not my fault. The government made me do this. But effectively, if you're client-based, patient-based disappears. Or if you're a physician, say, hey, we don't want to work here because what's next, you know, what's
Starting point is 00:14:29 going to come out next? My malpractice history or my other information? And so there's a perception issue in addition to the reality issue. That's Larry Rochfeld from Affirm Logic. Thank you. a partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Ben Yellen. He's from the University of Maryland Center for Health and Homeland Security
Starting point is 00:15:44 and also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. Interesting article. This is from the folks over at Ars Technica. This one's written by Jonathan M. Gitlin, and it's titled, Connected cars must be open to third parties, say Massachusetts voters.
Starting point is 00:16:01 Looks like we got a ballot initiative that passed up in Massachusetts, huh, Ben? Yeah, so Massachusetts back in the early 2010s, a long time ago, passed what's called a right to repair law. So any sort of connected car platform or any really any mechanical issue with a car, it can't be proprietary to the dealer. So there can't be like if you buy a Honda, they can't have it so that only a Honda dealer could potentially fix that problem. That's what the right to repair essentially is. I think we've talked about this in other contexts.
Starting point is 00:16:34 My brain is reminding me of a John Deere tractor. Yep, that's right. So what this new ballot initiative does is extends that law to connected car platforms and telematics services. So Apple CarPlay, the Android equivalent, any other electronic system you might use in your car. The voters of Massachusetts approved an amendment to this law saying that these vehicles, telematics-equipped vehicles,
Starting point is 00:17:00 have to be accessible via a standardized open data platform where you can bring it to any repair shop, your uncle down the street, your local repair shop in your small town and not just the dealer, to access that data and fix any problems. I think this is the first of its kind in the country extending this right of repair to telematics-equipped vehicles. And to me, it seems like a very wise policy choice. I know in the economics world, we kind of refer to this as rent-seeking behavior where somebody like a car dealer
Starting point is 00:17:39 configures their car in such a way that only they can fix it. So they're giving themselves an economic opportunity by shutting everybody else out of the market. So I think it's good, in my opinion, to cut against that. And the automakers were not pleased about this. They lobbied hard to not have it. And they were saying that this opens up some security issues
Starting point is 00:18:05 as so much of what's going on in our cars these days is all software. I like to joke that my favorite iPhone accessory is my car. Yeah, that's a wonderful iPhone accessory. It's probably the one I use the most throughout the day. Right. Yeah, I mean, you know, I think there's certainly justified skepticism at what the car companies would say here
Starting point is 00:18:29 because their dealers are going to end up losing out on a lot of money that's now going to be going to third-party mechanics. So there's certainly a reason to be skeptical. I don't know exactly the merits of the security concerns with the software. I don't know exactly the merits of the security concerns with the software. I don't know how legitimate they are and how much risk would be presented
Starting point is 00:18:51 by allowing third parties to fix those glitches. So it's certainly a legitimate concern, but I think we have to cast a skeptical eye on it considering that they are looking out for their bottom line here. And one of the ways that car dealers make money is luring their customers back in to use them for mechanic services. That's why they say, your first oil change is free,
Starting point is 00:19:17 next time you come in we'll give you a free box of donuts. They make a lot of money through that. So we have to look at what they're saying with a bit of a skeptical eye here. No, no, no doubt the service centers at auto dealers are a huge profit center for them. I suppose part of what's going on here is you have companies like Tesla, who I think led the way in this notion of doing software updates over the air, this notion of doing software updates over the air, of indeed adding capabilities to the vehicle remotely via software upgrades.
Starting point is 00:19:52 And I think we're seeing other manufacturers follow suit as more and more cars come to you with internet connectivity built in. And I suppose I could see the car manufacturers saying, hey, it's going to add complexity, it's going to add expense for us to do this. I guess that's an argument that's not without merit, but to your point, the other side of this is it's not fair to consumers to be locked in. Right, exactly.
Starting point is 00:20:19 I think the car companies would have to make a pretty compelling argument to convince me that there are real security issues at play here. Just because in all other contexts, we trust third-party mechanics to fix things in a million different circumstances. If my MacBook Air got broken, I could bring it back to the Apple store and go to the Genius Bar,
Starting point is 00:20:42 or I could bring it somewhere else and somebody else could fix it. Right, and this has broad implications as well, I suppose, because the car manufacturers aren't going to come up with special models just to be sold in Massachusetts. They're going to build this into probably everything they sell in North America. Right, we see this very frequently with state laws. We've talked about it in the context of the California Consumer Privacy Act, where you can end up
Starting point is 00:21:07 setting the standard for the whole country. Because as you say, these car dealers aren't going to manufacture Massachusetts-only cars. That's probably one of the reasons why they fought this ballot initiative so hard is this is going to add some level of cost to their production for all domestic vehicles. So, yeah, I mean, I think this really might set the new standard once this comes into place for the 2022 model year. Although I remember as a kid growing up
Starting point is 00:21:40 and watching The Price is Right when they give away cars, and I always wondered, what were California emissions? Oh, yes. Now you know. You must have been sick a lot to watch that many episodes of The Price is Right to have that memorized. Yeah, I was a game show aficionado. Look where it led me. All right. Ben Yellen, thanks so much for joining us.
Starting point is 00:22:02 Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed, the one and only. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Starting point is 00:22:54 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
