CyberWire Daily - The online stresses of the COVID-19 pandemic. APT41’s backdoor campaign. Contact-tracking and privacy. Virtual court is now in online session. Zoom’s fortunes. And tax-season online fraud.
Episode Date: April 14, 2020
Demand for online services during the pandemic stresses government providers. APT41’s backdoor campaign aimed at information theft. Contact-tracking apps and privacy. Some courts move to hear cases online. Zoom’s continuing mixed success. And did you file your tax return? The crooks might have done so for you. Ben Yelin from UMD CHHS on Microsoft’s reaction to Washington State’s new facial recognition law, guest is Francis Dinha from OpenVPN on remote working during the COVID-19 pandemic. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_14.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Demand for online services during the pandemic stresses government providers.
APT41's backdoor campaign is aimed at information theft.
Contact tracking apps and privacy.
Some courts moved to hear cases online.
Zoom's continuing mixed success.
And did you file your tax return?
The crooks might have done so for you.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 14th, 2020.
As COVID-19 drives more public services online, the Wall Street Journal reports that the state agencies involved in providing them,
especially those agencies that administer unemployment claims, are struggling to maintain or achieve enough capacity to handle demand.
The Journal singles out New York, Colorado, and Oregon as particularly hard hit,
but adds that other states are feeling similar pressure.
Palo Alto Networks' Unit 42 has amplified earlier reports by FireEye researchers
on an APT41 campaign that targeted
Citrix, Cisco, and Zoho network appliances.
The effort exploited recently disclosed vulnerabilities, and it ran between January and March of this
year.
Unit 42 is particularly interested in the Citrix campaign, which used a FreeBSD-based
backdoor the researchers call Speculoos against healthcare, higher education, manufacturing, government, and technology service targets.
The campaign appeared to be opportunistic,
seeking to take advantage of the exploits before patching reduced their value.
APT41 is generally regarded as a Chinese government threat actor.
Development of contact tracking tools proceeds with interest from both government and tech
companies. Privacy hawks are skittish. Apple responded to an inquiry from a group of U.S.
senators about the implications of the contact tracking tools Cupertino is working to develop.
The company said its agreement with the U.S. Department of Health and Human Services specifies that the COVID-19 triage tools it develops will have strong privacy safeguards.
Any sharing of data or analytics with the Centers for Disease Control will be anonymized,
aggregated, and delivered only with the expressly given consent of the user.
Information will be further disclosed to third parties only when such disclosure is required by law.
Apple's screening site and the associated app are not, Apple thinks, subject to HIPAA, the Health Insurance Portability and Accountability Act.
This is mostly because the users enter their own data and no covered entity, like a health care provider, health insurance company, or health care clearinghouse, is touching the data.
That said, Apple claims that it intends to, quote,
meet some of the technical safeguard requirements of HIPAA,
such as access controls and transmission security, end quote.
Apple says it collects only the information necessary to support the operation of the COVID-19 website and app,
such as users' usage of the tool and app.
This information does not include information entered by individuals.
Apple only retains this information for so long as necessary to support the operation of the COVID-19 website and app.
Information no longer needed is deleted or rendered permanently unrecoverable
in accordance with industry standards.
The company says that users can access their personal information through Apple's global
privacy portal.
There won't, however, be much personal information there.
As Apple says, it's strongly committed to data minimization.
And Apple says it will refrain from using any data it collects with the tools for commercial
purposes, and it will not sell any of those data to third parties.
In answer to the senators' questions about cybersecurity, Apple repeated the standard sorts of reassurances that could be offered with respect to its products generally.
Data transmitted between users' devices and Apple is encrypted with transport layer security
to protect it during transport.
The company's formal change management process will ensure that new
versions of its code will be appropriately tested for security before fielding, and access to both
data and source code will be restricted to authorized personnel only. Foreign Affairs has
a long and exasperated op-ed that presents a contrarian view of the conflict between privacy
and public health. The author argues that seeing such tension
as an insurmountable obstacle to tracking the pandemic presents a false dilemma and amounts
to a lazily drawn dichotomy. There's no devil's pact necessarily involved, the essay says,
and clear-eyed application of sound practices should enable governments, companies, and
individuals to slip between the horns of this false dilemma.
As employees embrace teleworking, organizations are finding themselves needing to up their remote security game.
And an area that's seeing unsurprising attention is the VPN,
the virtual private network that provides an encrypted connection over the Internet.
Francis Dinha is founder and CEO of VPN provider OpenVPN.
Well, the response has been kind of more of a,
I would say, a wave, a tsunami for us of demand coming in,
especially the couple of weeks, the last couple of weeks,
because a lot of companies are moving toward
more remote workforce and more virtualizations.
And we're seeing that basically in the demand that's coming in and a lot of purchases and
basically a lot of need for the support. So we had to actually rush because we have customer
success team reps that they deal with our customers sometimes on
the tickets or technical support. So we have to actually staff and we were very lucky to find,
you know, a couple, I mean, just the last two weeks, we've hired about four more people in
the Philippines to support, to really cope with all the support tickets and all that. At some point, we saw a demand that typically we used to see,
I would say, in one week or 10 days. We saw the demand in one day.
That's how crazy it was.
However, right now, it's kind of getting normalized,
but still it's higher demand than the normal.
So we're continuing to see that.
So it was a wave, kind of a tsunami.
And then you see these aftershocks and then it's getting normalized right now.
Everybody is realizing, you know, we're going to have to virtualize our operations.
We have to basically have more of a
remote workforce and so on. So definitely a VPN specifically for businesses, of course,
it's in a big demand right now. What is your advice for those organizations that find themselves,
you know, suddenly having to ramp up their use of VPNs. What sort of things can you suggest?
Well, my advice is really to start rethinking
about your strategy in terms of your infrastructure
and the remote workforce,
because this is an important...
I mean, I want to do some kind of correlation
between what happened with the coronavirus,
because we talked about
social distancing, right? So social distancing, apparently it's helping because you're not
exposing yourself to the virus, basically. And then somehow we're taking that curve down,
so there's less and less people infected. So I think that analogy applied to the internet.
When you have everybody is using just the Internet and deploying their services over the public Internet and using all these public services,
in a way, you're really socializing.
You're basically somehow more vulnerable to the actually, I would say, the viruses.
Now it's the cyber attacks.
So what I would tell, you know, to a lot of businesses is do the same thing here.
Let's call it more network distancing. So network distancing is really try to isolate
your resources, try to basically protect the asset that you have using the VPN technologies,
because this is the time to really to rethink and start thinking outside the box.
That's Francis Dinha from OpenVPN.
Telework has even entered the courthouse.
Law360 says the U.S. Supreme Court will begin hearing oral arguments via teleconferencing,
and the New York Law Journal reports that New York state courts will expand their virtual courts
even as they place a hold on new filings.
Military.com reports that Zoom's now well-known struggles with privacy and security
have induced the U.S. Department of Defense to place most versions of the service off-limits
to most of its organizations.
And GCN says that the Department of Homeland Security's Immigration and Customs Enforcement
has cautioned its personnel and contractors not to rely on Zoom.
Zoom itself has scrambled to close security and privacy holes,
and The Verge says that the company has decided to give paying customers
the option of choosing the call center through which their traffic will be routed.
That is, they can opt to keep their traffic out of China.
CTO Vision, for its part, sends Zoom a mash note. It's still their favorite business-grade
collaboration tool. The article praises Zoom for the work it's done to address security and
privacy issues, and argues that it's better to trust a responsive company than one that never
gets around to fixing things. It's true that Zoom has been responsive, but some of its issues,
notably the involvement of Chinese companies
in producing its code,
are tougher to untangle.
Zoom's exploding market share
has drawn a plague of hackers.
Bleeping Computer says
that over half a million Zoom accounts
are on offer in dark web markets.
Some are free and some go for pennies.
Others are pricier but still affordable
as these things go. More expensive are the exploits on offer. Mashable reports that these
can command as much as $30,000 on the black market. Zoom's troubled success has also drawn
the attention of competitors. Microsoft, according to the Wall Street Journal, is pushing its Teams as a superior alternative.
And finally, it's income tax season in the U.S., despite some COVID-19-based forgiveness about filing deadlines.
Tax season is drawing the customary attention of criminals, CyberScoop notes,
filing returns with stolen taxpayer data in order to illicitly obtain refunds. In one noteworthy case, they were able to
use data stolen from a large California accounting firm, Weber & Company, to file the fraudulent
returns. The firm's disclosure said the data the hackers got may have included names, addresses,
social security numbers, W-2 and 1099 forms, and bank account information,
including routing numbers.
Both the FBI and IRS are investigating.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host on the Caveat podcast.
Ben, always great to have you back.
I had an interesting article come by.
This is via a publication called GeekWire,
written by Monica Nickelsburg.
And the title of the article is
Microsoft President Calls Washington State's
New Facial Recognition Law a Significant Breakthrough.
Of course, Microsoft, a Washington State company,
and Microsoft, a big player when it comes to things
like online digital privacy.
What are they getting at here?
So this is a groundbreaking facial recognition regulation
or new law in Washington State signed by the governor, Jay Inslee. The law has a number of
elements in it. I think most importantly, law enforcement has to obtain a warrant before
using facial recognition software
in any legal investigation, except if there were some sort of exigent circumstances like a hot
pursuit. It also requires all public agencies to regularly report on their use of facial
recognition technology. They are required to test the software for fairness and accuracy,
you know, to make sure that we're not generating a lot of false positives. And it establishes an oversight body, a task force,
to study how various state agencies are using facial recognition software. Any agency that
makes what they call decisions that have, quote, legal effects has to ensure that a human reviews the
results. So any decision that could affect a person's job, financial services, housing,
insurance, and education, if an entity is using facial recognition software,
whatever method they've used has to be reviewed by a human being. So I think that is a very
progressive and groundbreaking step that Washington state has
taken. It's appropriate that Washington state took that measure. As you mentioned, Microsoft
is headquartered there. I'm sure the lawmakers in Washington state don't want to do anything that
upsets one of their largest employers. But it's also interesting that Microsoft, which sells
facial recognition software, is on board with this. They think this achieves a good balance between protecting privacy, but also enabling state
agencies, particularly law enforcement, to use facial recognition for legitimate purposes.
Now, there were some folks who feel as though this came up short. Some of the folks from the ACLU of Washington felt like it didn't go far enough.
Yeah. So one of their leaders was disappointed that the law didn't establish a working group of community leaders to weigh in.
So the task force is a government task force. I think that's a very valid criticism.
You want community buy in and you want the public to have a say, even if it's representatives of various
public interest groups like the ACLU, you know, it's always good to get a third set of eyes on
a government policy, you know, from people who are not directly involved with the policy itself.
And, you know, I think that's particularly important as it relates to the effect of facial
recognition on disfavored groups.
And this article mentions African-Americans, indigenous communities, which, you know,
have faced prejudice as a result of this type of technology in the past. This technology can
amplify human biases. And, you know, that's something we've talked about on our podcast
and on the Cyber Wire. So I think it's certainly a valid criticism that people who are representing these groups,
people who represent civil liberties interests, should have a seat at the table here.
But, you know, I think because the law is groundbreaking and it's among the first of
its kind in the country, there's certainly room to improve it.
And perhaps legislators will take this criticism into
consideration as they amend it. Or other states who want to institute similar regulations can
listen to the complaints of the representatives of the ACLU and try and integrate the community
into its oversight structure. Yeah, interesting to see Washington State leading the way here.
It's that laboratory of the states, right?
It sure is.
And, you know, it's nice to see Washington state in the headlines for something that's not the COVID-19 outbreak. So that was refreshing after what's gone on over the past couple of months.
That's right.
That's right.
All right.
Well, it'll be an interesting one to follow to see how other states follow in their own privacy laws with facial recognition or not.
We'll have to watch this one play out. Ben Yelin, thanks for joining us.
Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.