The CyberWire Daily Podcast 11.24.20
Ep 1221 | 11.24.20

Mustang Panda needs to repent. Not the FBI. Dodgy consumer routers and smart doorbells. Prospective Presidential appointees and cyber. Crime and investigation.


Dave Bittner: Mustang Panda goes to church, but not in a good way. Hoods are trying to spoof the FBI with Bureau-themed domains. Dodgy routers and suspect smart doorbells. A quick look at the incoming U.S. administration from a cybersecurity point of view. Someone's allegedly swapping iPads for concealed carry permits. Say it ain't so, Santa Clara County. DHS investigates Windows help desk scammers. Ben Yelin on a Massachusetts ballot initiative involving connected cars. Our guest is Larry Roshfeld from Affirm Logic on the pros and cons of a Treasury Department advisory that could put companies who facilitate ransomware payments in legal jeopardy. And some more advice about safe shopping during the holidays.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 24, 2020. 

Dave Bittner: Researchers at Proofpoint have detected a resurgence of Mustang Panda activity. The Chinese intelligence service threat actor has long been active against ethnic and religious minorities. Its current campaign, which features an upgraded PlugX malware loader written in Golang, is directed against Chinese Catholics. CyberScoop notes that the group is using spoofed email headers purporting to belong to Catholic journalists as part of its phishbait. Mustang Panda's present efforts represent a resumption of targeting Recorded Future called out in July. 

Dave Bittner: The FBI yesterday warned of another trend in spoofing, this one open to a range of unattributed actors, both state-directed and straightforwardly criminal - phony domains recently registered that can give the inattentive the impression that they're visiting a Bureau site. The FBI's real, one and only domain is, not .com, .org and so on, nor does the Bureau use prefixes, like agenciaFBI, or suffixes, as in FBIaustralia, within its domain. Sure, these aren't particularly plausible, but they could catch you if you're unwary. 

Dave Bittner: CyberNews reports that a number of Chinese-manufactured home routers, including models available from Walmart and Amazon, come with back doors. The Walmart model named in the report is Jetstream. The device available from Amazon and also from eBay is Wavlink. Walmart says it's looking into the matter and that, in any case, Jetstream is out of stock, and the retailer has no plans to reorder it. 

Dave Bittner: British consumer group Which? says that it's tested 11 smart doorbells and found them wanting. In addition to unbranded Ring knockoffs, the models included systems from Qihoo, Ctronics and Victure. The BBC reports that Victure's Smart Video Doorbell was found to send users' home network names and passwords unencrypted to servers in China. The other marques tested were accused of other, lesser but still serious security misdemeanors. 

Dave Bittner: President-elect Biden's transition is entering its formal stage. Some of the incoming administration's senior appointments will have significant responsibility for cybersecurity and related matters. Prospective appointees mentioned by NPR include Alejandro Mayorkas to the Department of Homeland Security, Janet Yellen to Treasury and Avril Haines to director of national intelligence. 

Dave Bittner: We had occasion to hear Mr. Mayorkas a few times during and shortly after his earlier tenure as deputy secretary of Homeland Security. 

Dave Bittner: At the Billington International CyberSecurity Summit in April 2016, during his service at DHS, he singled out information-sharing among government and private actors as the centerpiece of the department's cybersecurity work. He regards this as curative, as opposed to an accountability function. He also expressed the opinion that such sharing should go on internationally as well as domestically and that it should include the private sector, where companies should generally follow what he took to be the good example of the financial and utility sectors, where businesses don't all compete on security and where they generally held that the cure of one should be the cure for all. 

Dave Bittner: A couple of notes on the long arm of the law - one positive, the other sort of a downer. 

Dave Bittner: Let's take the downer first, and it comes from Silicon Valley. Three people have been indicted in Santa Clara County on bribery charges. They include two members of the sheriff's department, Undersheriff Rick Sung and Captain James Jensen, who are accused of soliciting a bribe, and the head of security at Apple, Thomas Moyer, who's alleged to have offered the sheriff's office 200 iPads in exchange for four concealed carry permits. 

Dave Bittner: The Wall Street Journal says that Moyer and Sung have denied any wrongdoing - Mr. Jensen's attorney declined to comment - and that Apple representatives have said that, yes, Apple was interested in donating iPads to the county sheriff's training facility and that, yes, Apple did request concealed carry permits, but that there's no connection whatsoever between the two. But who knew that Apple was packing around Cupertino, allegedly? 

Dave Bittner: The other - the good news story - comes to us from our editorial staff, one of whom was visited this morning by two Homeland Security Investigations agents. They were at the staffer's door not, as you might expect, to take him or her away in irons, but rather to follow up on a complaint he or she had made to the DHS online hotline about Windows help desk support scam calls he or she had been receiving. So take heart, you who are tired of scam calls. The authorities are listening. You can make your reports to, and good hunting, DHS. 

Dave Bittner: The U.S. Department of Treasury recently released an advisory stating that companies who facilitate ransomware payments could face fines. Larry Roshfeld is CEO at Affirm Logic. He joins us to discuss some of the pros and cons coming from that advisory. 

Larry Roshfeld: Well, I think this is essentially an analogy to the situation with terrorism in the real world. So the U.S. government has always had a policy not negotiate with terrorists or hostage-takers, and that's been relatively effective. And I think they're just trying to extend that into the cyber world, though, with all good intention, I think there's some repercussions to that decision that haven't been thought through completely. 

Dave Bittner: And what do you suppose some of the repercussions might be? 

Larry Roshfeld: Well, let's imagine a situation where you've got a community hospital. It's the only hospital within 250 miles from any of its patients, which is a very typical situation in parts of the U.S. And they become the unfortunate victims of a ransomware attack. 

Larry Roshfeld: If they don't have the appropriate IT systems in place to be able to recover, you're putting them in a very difficult position because, basically, if they pay the fine so that they can recover their ability to function as a hospital, then they're at risk of being shut down by the government because a fine could put them out of business. If they don't pay the ransom, then they've been shut down by the terrorists. So they're kind of in between in a situation where, with all good intention, the government may have repercussions to their decisions that they never intended in the first place. 

Dave Bittner: Have we been at this long enough to be able to track the difference between companies who are transparent and putting out information to their constituents, you know, throughout the process and folks who keep everything closer to their vest in terms of is one likely to have a better outcome than the other? 

Larry Roshfeld: It's a great question. The challenge is you don't necessarily know the people who are doing such a good job if it doesn't become public at all. So it's hard to measure because, you know, there is a philosophy that says sunshine's the best disinfectant. You should disclose anything that happens. On the other hand, other organizations who have disclosed absolutely nothing and have, therefore, become safer because no one knew that they were having a problem. 

Larry Roshfeld: Now, the issue may be that they're violating even outside-the-U.S. regulations, like GDPR. So they may be taking a risk. But it becomes a business risk of, well, do I disclose, which I'm required to do, and potentially have a huge catastrophic problem, or do I not disclose and take my chances of government fines later? And so depending on kind of the impact, I think a lot of businesspeople will make a decision essentially weighing out what the risk is versus the reward. 

Dave Bittner: I wonder, too, if there were a strict prohibition on it, you know, from the government, I mean, would that - there are situations where that could be helpful to the organizations to be able to say, well, our hands are tied. We're simply not allowed to pay the ransom. 

Larry Roshfeld: It could be to a certain degree. It resolves one problem, but it doesn't resolve the other, right? So, you know, you're basically saying to your - you know, let's use that hospital example. You're saying to your patients, hey, there's nothing I can do about this. I'm not allowed to prevent, you know - I'm not allowed to prevent this. But then the patients can say, well, wait a second; why didn't you do something in the first place? You know, I'm never going to trust you people again. I'm not going to go to you. I'm going to tell my friends not to go to you. 

Larry Roshfeld: So the end result may be that their reputation is protected because they can say, it's not my fault; the government made me do this. But effectively, if your client base, patient base disappears or if your physicians say, hey, we don't want to work here because what's next, you know - what's going to come out next, my malpractice history or my other information? And so there's a perception issue in addition to the reality issue. 

Dave Bittner: That's Larry Roshfeld from Affirm Logic

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting article - this is from the folks over at Ars Technica. This was written by Jonathan M. Gitlin. And it's titled "Connected Cars Must be Open to Third Parties, Say Massachusetts Voters." Looks like we've got a ballot initiative that passed up in Massachusetts, huh, Ben? 

Ben Yelin: Yeah. So Massachusetts back in the early 2010s - a long time ago - passed... 

Dave Bittner: (Laughter). 

Ben Yelin: ...What's called a right to repair law. So any sort of connected car platform or any - really, any mechanical issue with a car, it can't be proprietary to the dealer. So there can't be, like - if you buy a Honda, they can't have it so that, you know, only a Honda dealer could potentially fix that problem. That's what... 

Dave Bittner: Right. 

Ben Yelin: ...The right to repair essentially is. I think we've talked about this in other contexts. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: My brain is reminding me of a John Deere tractor. 

Dave Bittner: Yep, that's right. That's right. 

Ben Yelin: So what this new ballot initiative does is extends that law to connected car platforms and telematics services, so Apple CarPlay, you know, the Android equivalent, any other electronic system you might use in your car. 

Ben Yelin: The voters of Massachusetts approved an amendment to this law saying that these vehicles, telematics-equipped vehicles, have to be accessible via a standardized open data platform, where you can bring it to any repair shop - you know, your uncle down the street, your local repair shop... 

Dave Bittner: Right. 

Ben Yelin: ...In your small town - and not just the dealer to access that data and fix any problems. 

Ben Yelin: I think this is a - the first of its kind in the country, extending this right of repair to telematics-equipped vehicles. And to me, it seems like a very wise policy choice. 

Dave Bittner: Yeah. 

Ben Yelin: I know in the economics world, we kind of refer to this as rent-seeking behavior, where somebody like a car dealer configures their car in such a way that only they can fix it. 

Dave Bittner: Right. 

Ben Yelin: So they're, you know, giving themselves an economic opportunity by shutting everybody else out of the market through that. 

Dave Bittner: Yeah. 

Ben Yelin: So I - you know, I think it's good, in my opinion, to cut against that. 

Dave Bittner: And the automakers were not pleased about this. They lobbied hard to not have it. And they were saying that this opens up some security issues as, you know, so much of what's going on in our cars these days is all software. I like to joke that, you know, my favorite iPhone accessory is my car. 

Ben Yelin: (Laughter) Yeah, that's a wonderful iPhone accessory. It's probably the one I use the most throughout the day. 

Dave Bittner: Right. 

Ben Yelin: Yeah. I mean, you know, I think there's certainly justified skepticism at what the car companies would say here because their dealers are going to end up losing out on a lot of money that's now going to be going to third-party mechanics. So, you know, there's certainly a reason to be skeptical. 

Ben Yelin: You know, I don't know exactly the merits of the security concerns with the software. I don't know how legitimate they are and how much risk would be presented by allowing third parties to fix those glitches. So it's certainly a legitimate concern, but I think we have to kind of cast a skeptical eye on it, considering that, you know, they are looking out for their bottom line here. And one of the ways that car dealers make money is luring their customers back in to use them for mechanic services. 

Dave Bittner: Right, right. 

Ben Yelin: That's why they say, you know, your first oil change is free. Next time you come in, we'll give you a free box of donuts. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: You know, they make a lot of money through that. 

Dave Bittner: Yeah. 

Ben Yelin: So we have to look at what they're saying with a bit of a skeptical eye here. 

Dave Bittner: No, no. No doubt the service centers at auto dealers are a huge profit center for them. 

Dave Bittner: I suppose part of what's going on here is you have companies like Tesla, who I think led the way in this notion of doing software updates over the air of - indeed, you know, adding capabilities to the vehicle remotely via software upgrades. 

Ben Yelin: Right. 

Dave Bittner: And I think we're seeing other manufacturers follow suit as the more and more cars come to you with internet connectivity built in. And I suppose I could see the car manufacturers saying, hey, it's going to add complexity. It's going to add expense for us to do this. I guess that's an argument that's not without merit. But to your point, there's the other side of this - is it's not fair to consumers to be locked in. 

Ben Yelin: Right, exactly. You know, I think the car companies would have to make a pretty compelling argument to convince me that there are real security issues at play here just because, you know, in all other contexts, we trust third-party mechanics to fix things in a million different circumstances. If my, you know, MacBook Air got broken, I could bring it back to the Apple Store and go to the Genius Bar, or I could bring it somewhere else and somebody else could fix it. 

Dave Bittner: Right. And this has broad implications as well, I suppose, because the car manufacturers aren't going to come up with special models just to be sold in Massachusetts. They're going to build this into probably everything they sell in North America. 

Ben Yelin: Right. We see this very frequently with state laws. We've talked about it in the context of the California Consumer Privacy Act, where you can end up setting the standard for the whole country because, as you say, these car dealers aren't, you know, going to manufacture Massachusetts-only cars. You know, that's probably one of the reasons why they fought this ballot initiative so hard is this is going to add some level of cost to their production for all domestic vehicles. 

Dave Bittner: Right. 

Ben Yelin: So I - yeah, I mean, I think they - this really might set the new standard once this comes into place for the 2022 model year. 

Dave Bittner: Although, I remember as a kid growing up and watching "The Price is Right" when they give away cars, and I always wondered, what were California emissions? 

Ben Yelin: Oh, yes. Now you know. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: You must have been sick a lot to watch that many episodes of "The Price is Right" to have that memorized. 

Dave Bittner: Yeah, well, I was a game show afficionado. Look where it led me. 

Dave Bittner: All right, Ben Yelin, thanks so much for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The one and only. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.