The CyberWire Daily Podcast 11.18.20
Ep 1217 | 11.18.20

Dream a FunnyDream of me. US CISA Director dismissed. Facebook, Twitter CEOs virtually visit the US Senate. Huawei CFO extradition update. Bad passwords.

Transcript

Dave Bittner: FunnyDream? No, it's real - a cyber-espionage crew operating against Southeast Asian governments. President Trump fires CISA director Krebs. Twitter and Facebook CEOs testify before the Senate as legislators consider Section 230. The extradition hearing for Huawei's CFO continues in Vancouver. Joe Carrigan looks at fleeceware on the Google Play Store. Rick Howard speaks with Tenable's Steve Vintz on zero trust. And the most common passwords in 2020 are now out, and password only comes in at No. 4. Just wait till you hear No. 1.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 18, 2020. 

Dave Bittner: Bitdefender researchers describe the activities of a hitherto little-remarked Chinese cyber-espionage group. It's called FunnyDream, after one of the tool sets it uses. Most of the group's infrastructure is located in Hong Kong, but with one additional server each in Vietnam, China proper and the Republic of Korea. Bitdefender is cautious about attribution, not going much farther than Chinese or Chinese-speaking, and is also reticent about the targets, which it characterizes as potential government sector victims in Southeast Asia. 

Dave Bittner: This isn't the first time FunnyDream has come to researchers' attention. ZDNet points out that a Kaspersky report this past spring found FunnyDream activity mostly directed against Vietnam, with additional targets in Malaysia, Taiwan and the Philippines. 

Dave Bittner: As an aside on nomenclature, may we say we miss the Pandas? Are we out of adjectives for pandas? They couldn't have called this one, say, Next-Door Panda or Karen Panda or Takeout Panda - all the pandas. 

Dave Bittner: Last night, President Trump fired Cybersecurity and Infrastructure Security director Christopher Krebs. In the two-tweet thread he used to announce the dismissal, President Trump called Director Krebs's assurance that the recent US elections were secure "highly inaccurate" and gave that assessment as his grounds for the firing. The move had been expected for several days, with speculation that Director Krebs was in White House hot water having circulated since the middle of last week, at least. 

Dave Bittner: At issue, apparently, were repeated assurances by the CISA director that there was no evidence of any systematic large-scale hacking of voting systems. Krebs's work at CISA had received good bipartisan, international and industry reviews. He was generally well-regarded in the cybersecurity sector. The Wall Street Journal and SC Media are among the publications that summarize reactions to his dismissal. We've seen few comments that approve of the firing. Most of those in and around the cybersecurity sector think he'd been doing a good, focused and nonpartisan job throughout his tenure. 

Dave Bittner: It's worth noting that Krebs had long publicly explained before and during Election Day that unofficial results reported by the media were just that, unofficial. He had also publicly insisted right up to the eleventh hour that the election wasn't going to be over until any necessary recounts had been conducted and all the votes certified. Everyone should expect, he said, that process to take weeks. 

Dave Bittner: These have been at least as clearly the themes of his public statements, as have his reassurances about security. In fairness, this seems hardly the sort of thing a shill for hostile partisans would be likely to emphasize. May all honest counting and recounting continue. 

Dave Bittner: Matthew Travis, who had been deputy director, is also reported to have resigned. CISA hasn't updated its leadership page yet, but it would appear that the agency will be run on an acting basis by its executive director, Brandon Wales.

Dave Bittner: Good luck, Mr. Krebs. Many will miss the quiet voice and the loud socks. 

Dave Bittner: Twitter CEO Dorsey and Facebook CEO Zuckerberg described their platforms' approach to election season disinformation before a Senate panel yesterday. The Wall Street Journal says both gave their companies good marks, but they signaled their openness to further regulation. The hearings are considering the future of Section 230 of the Communications Decency Act, a law which many legislators of both parties believe the internet in general and social media platforms in particular have outgrown. 

Dave Bittner: Section 230 presently gives social media the protections of both publishers and public squares - exemption of liability for what's said on them, combined with the ability to moderate the content they permit. Those sets of protections have long been in tension. They may be reaching the point of contradiction. 

Dave Bittner: Both Mr. Dorsey and Mr. Zuckerberg testified remotely. Their video appearances show one leveling effect of technology. Even captains of industry look as bad as the rest of us do when we're on Zoom. 

Dave Bittner: The Vancouver extradition hearings for Huawei CFO Meng Wanzhou continue. Reuters reports that a Canada Border Services Agency official testified that he was not pressured into improper actions by the US FBI. Ms. Meng's counsel had maintained that the bureau strong-armed the CBSA into violating Canadian legal norms. 

Dave Bittner: And finally, you'd think people would have moved toward stronger passwords after all the nudging in that direction from, well, just about everywhere. Not necessarily. Here are the top 10 passwords of the year 2020, as reported by NordPass. Let's go a little old-school with this. 

(SOUNDBITE OF RADIO JINGLE) 

Unidentified Singers: American Top 40. 

Dave Bittner: Counting backwards from 10, we have No. 10 - senha, which is Portuguese for password. Thanks, Brazil. 

Dave Bittner: No. 9 - 1234567890 - ten digits, but all digits, and counting numbers to boot. 

Dave Bittner: No. 8 - 12345 - only half as good as No. 9. 

Dave Bittner: No. 7 - 123123. 

Dave Bittner: No. 6 - 111111. We have nothing to add to those two. 

Dave Bittner: No. 5 - 12345678. 

Dave Bittner: No. 4 - password. You saw that one coming, right? 

Dave Bittner: No. 3 - picture1. 

Dave Bittner: No. 2 - 123456789. 

Dave Bittner: And coming in at No. 1, up one place from last year, is the ever-popular 1234456 (ph), now used by 2,543,285 users - that NordPass could find, that is. You know who you are. 

Dave Bittner: The CyberWire's chief analyst and chief security officer Rick Howard recently checked in with Tenable's chief financial officer, Steve Vintz, for his insights on zero trust. Here's their conversation. 

Rick Howard: We are joined by Steve Vintz. He's the chief financial officer for Tenable. Welcome to the show. 

Steve Vintz: Thanks, Rick. Thanks for having me. 

Rick Howard: You wrote an essay in CFO Australia last month about how the CSOs are becoming more important to people like you at the senior executive staff. Why don't you give us a rundown on what that essay said? 

Steve Vintz: Sure. We talked a lot about the maturation of the role of the chief security officer and the chief information security officer and how the security team needs to evolve their strategy and become better partners with the C-suite. In turn, I believe the C-suite needs to also evolve and recognize the value and the contributions of the chief security officer as an important executive on the team. And I believe there's a disconnect in how businesses understand and manage security risk. 

Rick Howard: Well, I totally agree. And I've been part of that problem myself in my former CSO roles - right? - that my peers and I have always had trouble conveying or transforming cyber risk into business risk. We just didn't have the language to do it. And I was wondering if the CFOs of the world could help us figure that out. 

Steve Vintz: In terms of business leaders, you know, what I can tell you is business leaders want a clear picture of their organization's cybersecurity posture, but their security counterparts struggled to provide one. And so when we look at security, I think the problem today is that there's no common language. When you pose that question - how secure are we? - you don't get - typically get an answer that's based on the maturity framework of an organization and a couple of key metrics, and there's not clear articulation of that. And... 

Rick Howard: But I would pose to you that that's the wrong question - all right? - or at least a hard question to answer. I would rephrase it. And I've been on, you know, a glide path to try to get this out there. But the real question that CSOs should be answering to people like you, the CFO, is what's the probability that we are going to be materially impacted by a cybersecurity event in, say, the next three years? I think that's an answerable question. I don't know. What do you think about that?

Steve Vintz: Rick, I agree with where you're coming from because you cannot - I'm not proposing that you can eliminate security risk. But I'm the CFO. I'll stay in the shallow end of the pool when it comes to technical matters on security. 

Rick Howard: (Laughter). 

Steve Vintz: But I do think that I understand, you know, business risk. And you can't - the only thing you can do, I believe, is do a series of things that reduces risk to a relatively acceptable level. I don't think there's a clear articulation. I think we're becoming better as an organization. I think boards are becoming better. But I think there's a long ways to go in that regard. 

Rick Howard: All good stuff, Steve. Thanks for joining us on this interview of the CyberWire, and hope to come back with us. And I'd love to talk to you again about the progress you're making there. 

Steve Vintz: Thank you, Rick. Thanks for having me. 

Dave Bittner: That's our own Rick Howard, speaking with Tenable's Steve Vintz. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article caught my eye. This is from the folks over at Threatpost. This one's written by Tara Seals, and it's titled "Minecraft Apps on Google Play Fleece Players Out of Big Money." What's going on here, Joe? 

Joe Carrigan: What's going on here, Dave, is someone has realized that it's perfectly legitimate within the ecosystem of these app stores to have a very high cost for a subscription, like a - to an app. And that's what they've done. 

Joe Carrigan: So they've built these apps. There's, like, seven of them that they've built. And Avast thinks it's all the same developer who's done this. And these are apps like mods and maps for Minecraft: PE, skins for Roblox, live wallpapers, HD and 3D backgrounds - these kind of apps. 

Joe Carrigan: And what happens is when you install this, you get a free three-day trial period. And after that, the app starts charging you $29.99 a week for the app. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Right. 

Dave Bittner: All righty. 

Joe Carrigan: So what's interesting is that it's - in order to see this in the Google Play Store, when you look at the app - you know, first, you have to search the app, and you find the app. And then you have to click on a little arrow to - on the right-hand side to read the entire description. And all the way down at the bottom of that description, it talks about the terms and conditions that we're going to bill you 30 bucks a week after the trial period. That's anywhere from 120 to 150 bucks a month. That's a lot of money. 

Dave Bittner: Yes. 

Joe Carrigan: The article points out, rightly so, that one of the biggest issues here is that this is something that children will install because Minecraft is very popular with a very wide age group of people. 

Dave Bittner: Right. 

Joe Carrigan: I have a copy of it. I play it. I don't play it on my phone, but I do play it sometimes on - I haven't played lately, but I have played it on my PC for a long time. And it's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...A fun game. It's also a game that's perfectly fine for children to play, right? 

Dave Bittner: Sure. 

Joe Carrigan: And... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...They're the ones that are not going to read the terms and conditions or understand what they're applying to or what they're agreeing to. And they're just going to click the yes button because, you know, they're young. And then their parents are going to see these charges coming through their credit card from Google Play, and they're going to be like, what is this? What's going on here? 

Joe Carrigan: Of course, you can request a refund from this. But, you know, I don't know how you stop this, aside from Google saying, OK, this is fleeceware, because I can imagine a situation - and we were talking about this before we started recording. A good example of this is Adobe. Adobe charges $70 a month for a business to have a license to all their products. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So, you know, yes, it's expensive for what it is. But there are legitimate business cases where you can have an app that's in high demand by a specific group of people that provides a real benefit but is not cheap, right? 

Dave Bittner: Right, right. 

Joe Carrigan: And that's a good business model. But in this case, they're calling it fleeceware because it doesn't match the rest of the market, right? In order to buy Minecraft: PE, that is a one-time $7 from Mojang, which is now owned by Microsoft. 

Dave Bittner: Right. 

Joe Carrigan: But in order to have an app that augments, or allegedly augments, the other game, it's $30 a month - or a week, rather - $30 a week. That's not right. 

Dave Bittner: Yeah. 

Joe Carrigan: That's not what this business model is meant to - that is certainly outside of the spirit of what Google Play and even the Apple Store - and the article talks about the Apple Store having similar issues. 

Dave Bittner: Yeah. 

Joe Carrigan: Google has, as of this recording, not removed these apps from the store. They're still available. I just found one and did the search on it. That's how I know that you had to hit that little arrow to read the entire description. 

Dave Bittner: Yeah. It strikes me that there's a couple ways that these scammers come at this. You know, there are the ones who - they all start out with something that's free. So for X number of days, you get this thing for free. 

Joe Carrigan: Right. 

Dave Bittner: And it seems like, a lot of times, they'll come after you or they'll lure you in with something where it's an app of limited utility, but when you need it, you need it - you know, something like a QR code reader or... 

Joe Carrigan: Right, that is another... 

Dave Bittner: ...You know, something like that. Yeah, something - it doesn't do a whole lot, but the thing it does is useful, and you need it now. And so you're probably not being - you're not shopping around all that much, and you see free QR code reader. And you say, aha, that's for me, and you download it. 

Dave Bittner: And - but then afterwards, it strikes me that there's a couple ways that they come at this. They either try to hit you with something big, like in this case, 30 bucks a week... 

Joe Carrigan: Right. 

Dave Bittner: ...And hope that it's just too much of a pain to try to claw back, you know, the $30, the $60 or however much they get, and so they just take that money and run. 

Joe Carrigan: Right. 

Dave Bittner: The other way they come at it is they charge you something like a dollar a week, and they hope to fly under the radar for as long as possible. It's more of a numbers game, right? 

Joe Carrigan: Yes, yes. That's the way I'd do it. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'd try with the low amount if I was doing this. I'm not doing this. 

Dave Bittner: (Laughter) OK, fair enough, fair enough. So I guess the take-home here is - what? - if you've got kids, take a look at - make sure that - well, I guess, first of all, tell them. Don't... 

Joe Carrigan: Right, don't just... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Install anything on... 

Dave Bittner: Right, right. 

Joe Carrigan: Make sure they understand what's going on. Educate them. If you have kids... 

Dave Bittner: And when that doesn't work... 

Joe Carrigan: Yeah, when that doesn't work, you have kids that don't listen to you - who... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Has kids that listen to everything they say? I'd like to... 

Dave Bittner: Right. 

Joe Carrigan: ...Meet that parent. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: You can create a user account on the device for the kid that prevents them from installing apps. 

Dave Bittner: But also, you know, keep an eye on that credit card that, you know... 

Joe Carrigan: Right. 

Dave Bittner: Make sure... 

Joe Carrigan: Actually, generally speaking, on the phone, that's not really something you can do. If a kid says, can I play with your phone, and they start installing these apps, they're going to be doing it as you, right? So then you're going to have to keep an eye on the credit card. You can request refunds, and you can say, you know, my kid installed this, and it wasn't meant - and that's actually in the Google refund policy, you know, that if a family member installs something, let us know... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And we'll refund your money. 

Dave Bittner: Yeah, well, it's interesting. Security is a competitive advantage, right? 

Joe Carrigan: Right, exactly. 

Dave Bittner: (Laughter) All right, well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Something special's in the air. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.