The online stresses of the COVID-19 pandemic. APT41’s backdoor campaign. Contact-tracking and privacy. Virtual court is now in online session. Zoom’s fortunes. And tax-season online fraud.

Dave Bittner: [00:00:04] Demand for online services during the pandemic stresses government providers. APT41's backdoor campaign is aimed at information theft. Contact-tracking apps and privacy. Some courts move to hear cases online. Zoom's continuing mixed success. And did you file your tax return? The crooks might have done so for you. 

Dave Bittner: [00:00:31]  And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:01:55]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 14, 2020. 

Dave Bittner: [00:02:04]  As COVID-19 drives more public services online, The Wall Street Journal reports that the state agencies involved in providing them, especially those agencies that administer unemployment claims, are struggling to maintain or achieve enough capacity to handle demand. The Journal singles out New York, Colorado and Oregon as particularly hard-hit but adds that other states are feeling similar pressure. 

Dave Bittner: [00:02:29]  Palo Alto Networks' Unit 42 has amplified earlier reports by FireEye researchers on an APT41 campaign that targeted Citrix, Cisco and Zoho network appliances. The effort exploited recently disclosed vulnerabilities, and it ran between January and March of this year. Unit 42 is particularly interested in the Citrix campaign, which used a free BSD-based back door the researchers call Speculoos against health care, higher education, manufacturing, government and technology service targets. The campaign appeared to be opportunistic, seeking to take advantage of the exploits before patching reduced their value. APT41 is generally regarded as a Chinese government threat actor. 

Dave Bittner: [00:03:15]  Development of contact-tracking tools proceeds with interest from both government and tech companies. Privacy hawks are skittish. Apple responded to an inquiry from a group of U.S. senators about the implications of the contact-tracking tools Cupertino is working to develop. The company said its agreement with the U.S. Department of Health and Human Services specifies that the COVID-19 triage tools it develops will have strong privacy safeguards. Any sharing of data or analytics with the Centers for Disease Control will be anonymized, aggregated and delivered only with the expressly given consent of the user. Information will be further disclosed to third parties only when such disclosure is required by law. 

Dave Bittner: [00:03:58]  Apple's screening site and the associated app are not, Apple thinks, subject to HIPAA, the Health Insurance Portability and Accountability Act. This is mostly because the users enter their own data. And no covered entity, like a health care provider, health insurance company or health care clearinghouse, is touching the data. That said, Apple claims that it intends to, quote, "meet some of the technical safeguard requirements of HIPAA, such as access controls and transmission security," end quote. 

Dave Bittner: [00:04:27]  Apple says it collects only the information necessary to support the operation of the COVID-19 website and app, such as users' usage of the tool and app. This information does not include information entered by individuals. Apple only retains this information for so long as necessary to support the operation of the COVID-19 website and app. Information no longer needed is deleted or rendered permanently unrecoverable in accordance with industry standards. The company says that users can access their personal information through Apple's global privacy portal. There won't, however, be much personal information there, as Apple says it's strongly committed to data minimization. And Apple says it will refrain from using any data it collects with the tools for commercial purposes, and it will not sell any of those data to third parties. 

Dave Bittner: [00:05:17]  In answer to the senators' questions about cybersecurity, Apple repeated the standard sorts of reassurances that could be offered with respect to its products generally. Data transmitted between users' devices and Apple is encrypted with Transport Layer Security to protect it during transport. The company's formal change management process will ensure that new versions of its code will be appropriately tested for security before fielding. And access to both data and source code will be restricted to authorized personnel only. 

Dave Bittner: [00:05:47]  Foreign Affairs has a long and exasperated op-ed that presents a contrarian view of the conflict between privacy and public health. The author argues that seeing such tension as an insurmountable obstacle to tracking the pandemic presents a false dilemma and amounts to a lazily drawn dichotomy. There's no devil's pact necessarily involved, the essay says, and clear-eyed application of sound practices should enable governments, companies and individuals to slip between the horns of this false dilemma. 

Dave Bittner: [00:06:18]  As employees embrace teleworking, organizations are finding themselves needing to up their remote security game, and an area that's seeing unsurprising attention is the VPN, the virtual private network. That provides an encrypted connection over the internet. Francis Dinha is founder and CEO of VPN provider OpenVPN. 

Francis Dinha: [00:06:40]  Well, the response has been kind of more of a - I would say a wave, a tsunami for us of demand coming in, especially the couple of weeks - the last couple of weeks, because a lot of companies are moving toward more remote workforce and more virtualization. And we're seeing that basically in the demand that's coming in and a lot of purchases and, basically, a lot of need for the support. So we had to actually rush because we have customer success team reps that - they deal with our customers sometimes on the tickets or technical support. So we have to actually staff them. We were very lucky to find, you know, a couple - I mean, just the last two weeks, we've hired about four more people in Philippines (ph) as the support to really cope with all the support tickets and all that. At some point, we saw a demand that, typically, we used to see in - I would say in one week or 10 days. We saw the demand in one day. That's how crazy it was, you know? However, right now, it's kind of getting normalized. But still, it's high demand than the normal. So we're continuing to see that. So it was a wave, kind of a tsunami. And then you see this aftershock. And then it's getting normalized right now. Everybody is realizing, you know, we're going to have to virtualize our operations. We have to basically have more of a remote workforce and so on. So definitely, a VPN, specifically for businesses, of course, is in a big demand right now. 

Dave Bittner: [00:08:26]  What is your advice for those organizations that find themselves, you know, suddenly having to ramp up their use of VPNs? What sort of things can you suggest? 

Francis Dinha: [00:08:39]  Well, my advice is really to start rethinking about your strategy in terms of your infrastructure and the remote workforce because this is important. I mean, I want to do some kind of correlation between what happened with the coronavirus because we talk about social distancing, right? So social distancing - apparently, it's healthy because you're not exposing yourself to the virus, to - basically. And then, somehow, we're taking that curve down so there's less and less people infected. So I think that analogy apply to the internet. When you have everybody is using just the internet and deploying their services over the public internet and using all these public services, in a way, you're really socializing. You're basically, somehow, more vulnerable to the - actually, I would say the viruses. Now it's the cyberattacks. So what I would tell, you know, to a lot of businesses is do the same thing here. Let's call it more network distancing. So network distancing is really try to isolate your resources. Try to basically protect the assets that you have using the VPN technologies because this is the time to really - to rethink and sort of thinking outside the box. 

Dave Bittner: [00:09:57]  That's Francis Dinha from OpenVPN. 

Dave Bittner: [00:10:01]  Telework has even entered the courthouse. Law360 says the U.S. Supreme Court will begin hearing oral arguments via teleconferencing. And the New York Law Journal reports that New York state courts will expand their virtual courts even as they place a hold on new filings. 

Dave Bittner: [00:10:19]  Military.com reports that Zoom's now well-known struggles with privacy and security have induced the U.S. Department of Defense to place most versions of the service off-limits to most of its organizations. And GCN says that the Department of Homeland Security's Immigration and Customs Enforcement has cautioned its personnel and contractors not to rely on Zoom. Zoom itself has scrambled to close security and privacy holes, and The Verge says that the company has decided to give paying customers the option of choosing the call center through which their traffic will be routed. That is, they can opt to keep their traffic out of China. 

Dave Bittner: [00:10:56]  CTOvision, for its part, sends Zoom a mash note. It's still their favorite business-grade collaboration tool. The article praises Zoom for the work it's done to address security and privacy issues and argues that it's better to trust a responsive company than one that never gets around to fixing things. It's true that Zoom has been responsive, but some of its issues, notably the involvement of Chinese companies in producing its code, are tougher to untangle. 

Dave Bittner: [00:11:23]  Zoom's exploding market share has drawn a plague of hackers. BleepingComputer says that over half a million Zoom accounts are on offer in dark web markets. Some are free, and some go for pennies. Others are pricier but still affordable, as these things go. More expensive are the exploits on offer. Mashable reports that these can command as much as $30,000 on the black market. Zoom's troubled success has also drawn the attention of competitors. Microsoft, according to The Wall Street Journal, is pushing its Teams as a superior alternative. 

Dave Bittner: [00:11:57]  And, finally, it's income tax season in the U.S., despite some COVID-19-based forgiveness about filing deadlines. Tax season is drawing the customary attention of criminals, CyberScoop notes, filing returns with stolen taxpayer data in order to illicitly obtain refunds. In one noteworthy case, they were able to use data stolen from a large California accounting firm, Weber and Company, to file the fraudulent returns. The firm's disclosure said the data the hackers got may have included names, addresses, Social Security numbers, W-2 and 1099 forms and bank account information, including routing numbers. Both the FBI and IRS are investigating. 

Dave Bittner: [00:12:46]  Hey, everybody. Dave here. And I want to tell you about CyberWire's new subscription program CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great and something my entire organization can benefit from. We think so, too. With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape. Save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit thecyberwire.com/pro and click on the Contact Us link in the Enterprise box. That's thecyberwire.com/pro, and then click Contact Us in the Enterprise box. And we will help you become that office hero. 

Dave Bittner: [00:13:52]  And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Ben, always great to have you back. Had an interesting article come by. This is via a publication called GeekWire, written by Monica Nickelsburg. And the title of the article is "Microsoft President Calls Washington State's New Facial Recognition Law 'a Significant Breakthrough.' " Of course, Microsoft, a Washington state company, and Microsoft, a big player when it comes to things like online digital privacy. What are they getting at here? 

Ben Yelin: [00:14:25]  So this is a groundbreaking facial recognition regulation, or new law, in Washington state signed by the governor, Jay Inslee. The law has a number of elements in it. I think most importantly, law enforcement has to obtain a warrant before using facial recognition software in any legal investigation, except if there were some sort of exigent circumstances, like a hot pursuit. It also requires all public agencies to regularly report on their use of facial recognition technology. They are required to test the software for fairness and accuracy, you know, to make sure that we're not generating a lot of false positives. And it establishes an oversight body, a task force, to study how various state agencies are using facial recognition software. Any agency that makes what they call decisions that have, quote, "legal effects" has to ensure that a human reviews the results. So any decision that could affect a person's job, financial services, housing, insurance and education - if an entity is using facial recognition software, whatever method they've used has to be reviewed by a human being. 

Ben Yelin: [00:15:39]  So I think that is a very progressive and groundbreaking step that Washington state has taken. And it's appropriate that Washington state took that measure. As you mentioned, Microsoft is headquartered there. I'm sure the lawmakers in Washington state don't want to do anything that upsets one of their largest employers. But it's also interesting that Microsoft, which sells facial recognition software, is on board with this. 

Dave Bittner: [00:16:02]  Yeah. 

Ben Yelin: [00:16:02]  They think this achieves a good balance between protecting privacy but also enabling state agencies, particularly law enforcement, to use facial recognition for legitimate purposes. 

Dave Bittner: [00:16:15]  Now, there were some folks who feel as though this came up short. Some of the folks from the ACLU of Washington felt like it didn't go far enough. 

Ben Yelin: [00:16:26]  Yeah. So one of their leaders was disappointed that the law didn't establish a working group of community leaders to weigh in. So the task force is a government task force. I think that's a very valid criticism. You want community buy-in, and you want the public to have a say. Even if it's representatives of various public interest groups like the ACLU, you know, it's always good to get a third set of eyes on a government policy from people who are not directly involved with the policy itself. 

Ben Yelin: [00:16:56]  And, you know, I think that's particularly important as it relates to the effect of facial recognition on disfavored groups. And this article mentions African Americans, Indigenous communities, which, you know, have faced prejudice as a result of this type of technology in the past. This technology can amplify human biases. And, you know, that's something we've talked about on our podcast and on the CyberWire. So I think it's certainly a valid criticism that people who are representing these groups, people who represent civil liberties interests should have a seat at the table here. 

Ben Yelin: [00:17:31]  But, you know, I think because the law is groundbreaking and it's among the first of its kind in the country, there's certainly room to improve it. And perhaps legislators will take this criticism into consideration as they amend it. Or other states who want to institute similar regulations can listen to the complaints of the representatives of the ACLU and try and integrate the community into its oversight structure. 

Dave Bittner: [00:17:57]  Yeah. Interesting to see Washington state leading the way here. It's that laboratory of the states, right? 

Ben Yelin: [00:18:04]  It sure is. And, you know, it's nice to see Washington state in the headlines for something that's not the COVID-19 outbreak. So... 

Dave Bittner: [00:18:12]  (Laughter). 

Ben Yelin: [00:18:13]  ...That was refreshing after what's gone on over the past couple of months. 

Dave Bittner: [00:18:16]  That's right. That's right. All right. Well, it'll be an interesting one to follow to see how other states follow in their own privacy laws with facial recognition or not. We'll have to watch this one play out. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:18:31]  Thank you, Dave. 

Dave Bittner: [00:18:37]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:18:55]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:06]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. I'm Dave Bittner. Thanks for listening. See you back here tomorrow.