Hackers for hire. A bulk power distribution risk? An Executive Order on social media is under consideration. COVID-19 and cybersecurity.
Dave Bittner: [00:00:00] Hey, everybody. Dave, here. And I want to tell you about CyberWire's new subscription program, CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great and something my entire organization can benefit from. We think so, too. With the CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape, save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit thecyberwire.com/pro and click on the Contact Us link in the Enterprise box. That's the thecyberwire.com/pro, then click Contact Us in the Enterprise box. And we will help you become that office hero.
Dave Bittner: [00:01:02] Hackers-for-hire find criminal work during the pandemic. The U.S. Department of Energy is said to have taken possession of a Chinese-manufactured transformer. U.S. President Trump may be considering an executive order about the legal status of social media. Contact-tracing apps in France and the U.K. are scrutinized for privacy. Ben Yelin with the latest iPhone cracking case between the FBI and Apple. Our guest is retired CIA master of disguise Jonna Mendez on her book "The Moscow Rules." And Canada's Centre for Cyber Security assesses current risks. And Huawei's CFO loses a round in a Vancouver court.
Dave Bittner: [00:01:43] And now a word from our sponsor, the University of San Diego. Cybersecurity newsflash - in addition to gumming up the works with malware, phishing expeditions and DNS attacks, the black hat hackers of the world are also creating jobs. Let me explain. Cybercrime is causing so many headaches and financial losses for many CEOs that companies everywhere are paying top dollar for cybersecurity talent. By some estimates, the financial damage caused by the global cybercrime epidemic each year is about to hit $6 trillion. That's why employers across all industries are paying six-figure salaries for cybersecurity pros with the right experience and training. University of San Diego and its online cybersecurity engineering master's degree program are doing a lot of reporting on this. They also offer an outstanding online training program if you're interested in sharpening your skills to advance your career or to transition into cybersecurity. Connect with the team at sandiego.edu/cyberwire. Mention this podcast, and they'll waive the fee to apply. That's sandiego.edu/cyberwire. And we thank the University of San Diego for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:03:26] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 28, 2020.
Dave Bittner: [00:03:35] Google's Threat Analysis Group says that various hack-for-hire outfits - most of them based in India - are spoofing World Health Organization operators using thinly disguised Gmail accounts. The campaigns are, for the most part, spearphishing efforts, and they use COVID-19-themed phishbait.
Dave Bittner: [00:03:54] It's not entirely clear for whom the hired skids are working. Google's report comes wrapped in a discussion of how national espionage services are trying to take advantage of the pandemic, but the activity it ascribes to the hackers-for-hire - credential harvesting, identity theft and so on - are at least as consistent with ordinary criminal activity. While espionage services have used criminal hired guns in the past, there's certainly enough conventional crime under way to keep the hirelings busy.
Dave Bittner: [00:04:23] By the way, a study by INKY finds that an awful lot of the COVID-19 phishing traffic and circulation seems to come from U.S. IP addresses. So we can all climb down off of those high horses, fellow Yankees.
Dave Bittner: [00:04:37] The US Executive Order on Securing the United States Bulk-Power System described itself as a cybersecurity measure but was noteworthy for its concentration on hardware, including transformers, as opposed to the more usual concentration on networks. This seemed curious to many observers and prompted speculation that the risky foreign hardware the order was concerned to keep out of the U.S. grid involved the clandestine insertion of backdoors that could be used in subsequent attacks.
Dave Bittner: [00:05:06] A Wall Street Journal story may offer a partial explanation as to why this was so. Last summer, the U.S. Department of Energy diverted a Jiangsu Huapeng-produced transformer destined for Denver to Sandia National Laboratory, where it's been under study since, presumably for whatever security risk it represents. Neither the Department of Energy nor Honeywell, the contractor that runs Sandia National Laboratory for the department, was willing to comment to The Journal. But Sandia has long been concerned with supply chain risks.
Dave Bittner: [00:05:41] According to The Wall Street Journal and others, President Trump is considering another executive order, one that would change legal protections social media companies currently enjoy under Section 230 of the Communications Decency Act. The proposed measure would move toward treating social media platforms not as a protected public square but rather as a monopoly that exerts substantial control over individual speech.
Dave Bittner: [00:06:05] The rumored executive order is generally being received as connected with Twitter's recent fact-check of a presidential tweet, in which Twitter added a fact-check link to two of President Trump's tweets about problems he saw with mail-in ballots. The fact-check link text was a restrained get the facts about mail-in ballots, and Twitter's CEO Jack Dorsey explained yesterday that, quote, "This does not make us an arbiter of truth. Our intention is to connect the dots of conflicting statements and show the information in dispute so people can judge for themselves. More transparency from us is critical so folks can clearly see the why behind our actions," end quote.
Dave Bittner: [00:06:45] The National Assembly and the Senate yesterday approved StopCovid, the exposure notification app developed for voluntary deployment to French users' smartphones. The CNIL, the national privacy watchdog agency, had approved the app on Tuesday, according to SecurityWeek. Euro News says that the contentious debate that surrounded the vote focused on privacy concerns and on getting assurances that StopCovid would be independent of Apple and Google so Big Tech couldn't become Big Brother.
Dave Bittner: [00:07:17] Over in the U.K., Computing has been close-reading the National Health Service's Test and Trace website. What they've extracted from the text of the British government's site isn't especially reassuring with respect to privacy protections. Sure, it's in beta, so take what comfort you may from that. But Computing sniffs that the appearance of such Americanisms as personal identifying information suggests that the whole thing was rushed out. The site reads in part, quote, "If you have had a positive test for COVID-19, we will ask for information about your illness, recent activities you did and people you met whilst you were potentially infectious. If you are a contact of a person who tested positive, we will ask about your health and provide health advice to keep yourself and others safe," end quote. You can ask the government to delete your data, but you've got no absolute right to such deletion, and the government plans to hang on to your information for 20 years.
Dave Bittner: [00:08:12] Jonna Mendez enjoyed a long and fascinating career in the CIA, including serving as master of disguise for the agency. Along with her husband Antonio Mendez, she's co-author of the book "The Moscow Rules," which describes some of the cat-and-mouse games played between U.S. and Russian intelligence agencies throughout the Cold War.
Jonna Mendez: [00:08:34] Tony had been writing down the rules over the years. There was - he didn't make them up. We didn't invent them. They were just out there. They were the things that you knew or you would learn if you were getting ready for an assignment to Moscow. It was the strategy and the tactics for how you would comport yourself, how you would carry yourself in order to be able to do your job. This was a terrible place to work. There was so much surveillance on us, it was suffocating. Our job was to collect intelligence. The KGB's job was to keep us from collecting intelligence. So it was a really hard place to work.
Jonna Mendez: [00:09:21] Tony had been just jotting down as he would recognize them or think of them - the Moscow rules. It was a running list. And at the same time, Tony got Parkinson's. He was diagnosed with Parkinson's, which is a very slow but deadly disease. So it's like once you find out that you have it, there's a clock ticking. You don't know how long this is going to last. And that was sort of the impetus to maybe put this in writing.
Dave Bittner: [00:09:52] Well, let's go through some of them together. Can you share some of the rules that are specifically applicable to the spycraft that you were all using while you were over there?
Jonna Mendez: [00:10:04] You've got to know your enemy. You have to know the opposition and their terrain intimately. And if you don't, it's not going to work because they know it. This is from Moscow. So we would have our officers in training for over a year before they went to Moscow. And we'd had them a map, like, on Day 3. Here's a map of the city. You have to learn this map. You have to know every subway stop. You have to know how the city works 'cause you're going to be on foot - you're going to be out there in that city. You're going to walk more than you've ever walked in your life.
Jonna Mendez: [00:10:42] Another rule was about listening to your gut. Never go against your gut - that's a Moscow rule. And what that meant to a CIA officer in Moscow is if you were within a hundred yards of the meeting place where you were going to step forward and your agent was going to be sitting on a park bench and you were going to actually have a face-to-face meeting with him - if you had surveillance at that moment, your agent was basically going to die. They would arrest him, and they would execute him. And they did that over and over. We lost a lot of agents.
Jonna Mendez: [00:11:17] So at CIA, never go against your gut meant you can always abort. And there's no shame in it, and nobody is going to try and second-guess you. If you come back to the office and say, it didn't feel - something was wrong, something was off - that's a perfectly adequate reason to not, you know, move forward. But at CIA, you were obliged to do that because you really were playing with people's lives.
Dave Bittner: [00:11:45] That's retired former CIA operative Jonna Mendez. The book is titled "The Moscow Rules." There's more of my interview with Jonna Mendez in this week's episode of "Hacking Humans." Check it out.
Dave Bittner: [00:11:59] Canadian security authorities warn that foreign intelligence services are exploiting the pandemic. The CBC reports that Canada's Centre for Cyber Security, a unit of the Communications Security Establishment, has issued a Cyber Threat Bulletin in which the center offers an overview of how cyberthreats have been shaped by the COVID-19 pandemic. The bulletin is dated April 27 but was posted only this Tuesday.
Dave Bittner: [00:12:24] The Centre for Cyber Security notes that the global health sector is under extreme pressure during the pandemic and that this has made it an even more attractive target for ransomware extortionists than usual. That same pressure has served to draw the attention of espionage services, who are interested not only in stealing intellectual property related to COVID-19 treatments but in assessing the effects of the pandemic on adversaries' economies and military readiness. Both criminals and state espionage services have been using spoofed versions of Canadian government websites to collect information or install malware. The National Post reports that more than 1,500 such bogus websites have been identified during the pandemic.
Dave Bittner: [00:13:06] The Centre also notes that state-sponsored threat groups are themselves facing staff reductions and adopting a lower operational tempo and seems to represent the center's assessment of the probable effects the global economic downturn is having on intelligence services. The bulletin mentions another probable effect of economic pain - intelligence services may well turn to revenue-generating cybercrime to make up their budget shortfalls.
Dave Bittner: [00:13:32] Another caution in the bulletin pertains to expatriate and immigrant communities. These are likely to come under pressure as authoritarian regimes tighten their own domestic controls. The hostile influence campaigns the center alludes to are very much in the Russia disruptive style. The CBC observes that one such campaign has been active in Eastern Europe, where the Canadian-led battle group in Latvia has been fodder for rumors that it's a hotbed of COVID-19 infection.
Dave Bittner: [00:14:02] And finally, the Supreme Court of British Columbia, yesterday, ruled against Huawei CFO Meng Wanzhou in her fight to avoid extradition from Canada to the U.S. The court found that the U.S. request met the double criminality standard. That is, the bank fraud and sanctions evasion the U.S. has charged her with would be crimes if committed in Canada. Her next hearing will be in June, CyberScoop says.
Dave Bittner: [00:14:32] And now, a word from our sponsor PlexTrac. PlexTrac is the ultimate purple teaming platform, guiding the healthy collaboration of your red and blue teams through a single web-based interface. PlexTrac does this by first elevating red teams, eliminating the struggle of reporting, and allowing the team to focus on what's important - identifying security issues. Red teams are provided with an easy to use platform that allows reports to be created and then exported with a click of a button, saving the team valuable time. PlexTrac also powers up blue teams by providing them with a platform to consolidate findings and then remediate them in an efficient and timely manner. Gone are the days of 500-page penetration test reports, as PlexTrac streamlines the process with a status tracker, integrations with ticketing systems, dashboards and analytic capabilities and much more. You can visit their website at plextrac.com/demo to learn more. That's plextrac.com/demo. And we thank PlexTrac for sponsoring our show.
Dave Bittner: [00:15:41] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, always great to have you back.
Ben Yelin: [00:15:50] Good to be with you once again, Dave.
Dave Bittner: [00:15:53] Article came by - this is from NBC News - and it's titled "The FBI Cracked Another iPhone, but It's Still Not Happy With Apple." This is something you and I have been discussing over on "Caveat." This article is from Kevin Collier and Cyrus Farivar, who I've interviewed before. So Apple has cracked another phone here. Give us some of the details.
Ben Yelin: [00:16:19] So this case involves a shooting that took place in Pensacola, Fla., last year, and it involved a Saudi air force officer accused of killing several classmates. The FBI was doing an investigation. They wanted access into this person's device. Apple, once again, as they typically do, told the FBI to pound sand. We're not going to break our own encryption for you; we're not going to help you with this. And the attorney general of the United States, William Barr, has been a longtime advocate of these backdoors that would allow law enforcement to gain special access to these encrypted devices. The problem is that Apple keeps saying no but the FBI keeps figuring out ways to get into these phones anyway. So like, I sort of imagine somebody saying, I need a special lock to get into your house. You need to produce that; give it to me. It's for your own safety. But then they're like, I've been able to get in every time I've needed to because, you know, I picked the lock with my finger, and then I found the garage door opener...
Dave Bittner: [00:17:24] Came in through the window (laughter).
Ben Yelin: [00:17:25] Yeah, exactly - and then I came in through the window.
Dave Bittner: [00:17:27] Right. Yeah.
Ben Yelin: [00:17:28] It's sort of, you know, begs the question, naturally - why does the FBI need one of these backdoors if they are able to get into these devices anyway? The other thing noticeable - or notable about this article is that, for once, they actually found useful information on the device that they were searching. They found out that this terrorism suspect actually had ties to international terrorist organizations like al-Qaida. And that - you know, I don't know how that's necessarily going to be useful for us going forward, but it's certainly useful information in the context of this investigation.
Ben Yelin: [00:18:02] So oftentimes, they'll crack these phones, and there'll be nothing on there. You know, it's like, I tried to find out who this terrorist was communicating with, and I got his, you know, Snapchat photos or something. But here, we actually have useful information. But yeah, I mean, the upshot of this is Apple has been steadfast in refusing to allow these backdoors. Law enforcement keeps criticizing them, saying you are jeopardizing public safety by not giving us this access. Yet law enforcement keeps finding ways to get into these devices anyway. It's just a very interesting dynamic.
Dave Bittner: [00:18:37] Well - and also, I think it's worth pointing out that one of the points Apple is making is that we don't have a backdoor. We can't unlock this for you. The way we have built this technology, even we can't get in there, so stop asking.
Ben Yelin: [00:18:51] Stop asking, and stop asking us to destroy the own security apparatus that we've created for our customers 'cause we're not going to do it. And yeah, I mean, as we've talked about a million times, there's a reason Apple didn't create a backdoor. It's in the security interests of its users. It's also probably in the security interests of the government in the long term because these backdoors, of course, could make their way to bad actors, whether they be state actors or non-state actors.
Ben Yelin: [00:19:21] You know, we're talking about a terrorism case. What if a terrorist organization figured out how to breach these devices? So you know, that's certainly something that's worthy of consideration.
Dave Bittner: [00:19:31] So from a policy point of view, do you think this weakens law enforcement's case that they need a backdoor, the fact that, repeatedly, they've been able to get what they need without one?
Ben Yelin: [00:19:43] I certainly think it does. Now, you know, they could say there's going to come a point where we're not able to crack the device. We're going to need critical information, and we're going to need Apple's help. But until we actually find that case - and we really have not to this point in any high-profile case - then, you know, Apple is going to say, you've already figured it out without our help. So why don't you figure it out all by yourself? So I think, you know, that's going to be the takeaway coming from this incident as well.
Dave Bittner: [00:20:15] All right. Well, this cat-and-mouse continues - right? - back-and-forth - very interesting to follow.
Ben Yelin: [00:20:20] It will. Yeah - feels like it's never going to end. We're going to be in our 70s, and there'll still be a battle going on between the FBI and Apple.
Dave Bittner: [00:20:28] (Laughter) Right, right. All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: [00:20:32] Thank you, Dave.
Dave Bittner: [00:20:38] And that's the CyberWire. For links to all of today's stories, check out our daily news briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:20:56] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:21:07] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.