CyberWire Daily - Facebook takes down coordinated inauthenticity. US says it’s got the goods on Huawei. EU will leave facial recognition policy up to member states. Patch Tuesday. Counting on the caucus.
Episode Date: February 12, 2020

Facebook takes down coordinated inauthenticity from Myanmar, Vietnam, Iran, and Russia. The US says it’s got the goods on Huawei’s backdoors. Notes on Patch Tuesday. The EU backs away from a five-year moratorium on facial recognition software. Switzerland takes a look at Crypto AG. And the Nevada Democratic caucus a week from Saturday will use iPads, Google Forms, and some tools to process the results. That’s “tools,” Jack, not “apps.” Ben Yelin from UMD CHHS on the Senate GOP blocking election security bills. Guest is Christopher Hadnagy from Social-Engineer, LLC on social engineering trends they are tracking. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_12.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Facebook takes down coordinated inauthenticity from Myanmar, Vietnam, Iran, and Russia.
The U.S. says it's got the goods on Huawei's back doors.
Notes on Patch Tuesday.
The EU backs away from a five-year moratorium
on facial recognition software.
Switzerland takes a look at Crypto AG.
And the Nevada Democratic Caucus
a week from Saturday
will use iPads, Google Forms,
and some tools to process the results.
That's tools, friends, not apps.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, February 12th, 2020.
Facebook this morning removed inauthentic accounts
that were functioning in a coordinated fashion.
The accounts emanated from Iran, Russia, Myanmar, and Vietnam. The Russian activity focused on the
near abroad, the former Soviet republics in Russia's backyard, and especially on Ukraine.
Menlo Park took down 78 Facebook accounts, 11 pages, 29 groups, and four Instagram accounts
that it found were in violation of its
policy against foreign or government interference. Many of the operators behind these engagements
represented themselves as citizen journalists and sought contact with regular media or public
officials. But Facebook said they found signs that all of them were connected with Russian
military intelligence services, the same people behind, of course, our old animal friend, Fancy Bear.
The campaigns from Myanmar and Vietnam included 13 Facebook accounts and 10 pages.
It was focused on Myanmar and the activity originated in both that country and in Vietnam.
And finally, Facebook removed six accounts and five Instagram accounts
in a small network operated from Iran that focused mostly on the U.S.
None of these campaigns appear to have had particularly large followings.
The Iranian operators, for example, had only about 60 followers, which would be the shame of even a modestly popular middle schooler.
But the Iranian campaign is interesting in other respects.
Some of the accounts taken down were flagged by FireEye in its continued tracking of the
influence operation the security firm calls Distinguished Impersonator. The company began
publicly tracking Distinguished Impersonator in May of 2019 when they found Iranian operators
assuming personas that impersonated U.S. congressional candidates or used fabricated personas that represented themselves as journalists. The goal of that
activity was to solicit interviews intended to, as FireEye puts it, bolster desired political
narratives. Distinguished Impersonator has remained in business ever since.
The U.S. claims to have hard evidence that Huawei, for more than a decade, has secretly built
back doors into its equipment through which it can access communications that equipment carries.
The Wall Street Journal writes that such access is attained through lawful interception interfaces
in the systems. Such interfaces are not unique to Huawei equipment. What's unique to Huawei,
the U.S. claims, is secret retention of access to those interfaces,
which should only be available to legal authorities
acting under authority of national wiretapping laws.
Huawei dismisses the U.S. allegations,
saying that only network operators,
not equipment vendors like itself,
can access communications.
The U.S. has not yet made its evidence public,
but it has, according to the
Washington Examiner, continued its campaign to persuade allies to exclude Huawei from their 5G
infrastructure. Reuters reports that Germany appears ready to follow a risk management approach
similar to that adopted by the U.K. Christopher Hadnagy is well known in security circles for
his expertise on social engineering, and his books are required reading on the topic.
He'll be among those hosting the upcoming Human Hacking Conference, presented by the SE Village, later this month in Orlando, Florida.
The CyberWire is a media partner for the conference, and we caught up with Christopher Hadnagy to find out more.
I own a company called Social Engineer LLC.
We basically focus on the
human factor of vulnerability. We help companies learn where they may be vulnerable to phishing
and vishing, scams, impersonation, physical breaches, and things like that. That sparked
two things. It sparked one is our conference, which is the SE Village, the Human Hacking
Conference, which is coming up next week, to help people
that are not in this field. So people that are not pen testers, you know, they're not security folks,
but they want to know how to use human hacking skills in everyday life. You know, just how to
get things done in your life through using these type of communication skills. And then the second
thing it launched was a foundation called the Innocent Lives Foundation,
where we use people who are experts in OSINT and social engineering to track and uncover people who
are preying on children online. And that way we can turn them over to law enforcement and work
closely with law enforcement in getting them apprehended. Can you take us through each of
those? What are those efforts about?
Sure.
So about a decade ago, I came out with my first social engineering class.
It's called Social Engineering for Penetration Testers.
And it was very limited in my mind as a scope for usage to just people who were pen testers.
Jumping forward about five years, I started to notice that over half the class weren't
pen testers.
And I started to ask them, like, why are you here?
You know, why are you in this class particularly? And they would say,
oh, my buddy took it and he works for X company and he's a, he's a penetration tester, but he said it was so amazing. I would learn something from it. So I'm taking it. It was a sales guy.
And then I had, you know, psychologists and teachers and stay at home parents. And I was like,
so eventually I changed the name of the course to Advanced Practical Social Engineering. And what's occurred over the last, let's say,
five or six years is maybe 50 or 60% of my public classes, so not the black hat ones where everyone's
in the industry, but my public classes tend to be non-security related folks that are just
interested in learning these skills for everyday life.
So that sparked a thought. Maybe we should hold a conference where we get some of the greatest minds, people who I've personally learned from, people like Joe Navarro, who's like the body
language king, Ian Rowland, who created the science behind understanding cold reading and
how to use it, and say, can we invite these people in to do two to five hour
training sessions? And we designed it as what we call the human hacking conference. So its whole
concept is to teach just everyday people, regardless of what your role is, on how to use
the very same skills that social engineers use, but to communicate more effectively, to get things
that you want out of life, to be able to accomplish your goals.
Now, how about your efforts to help protect children online?
That came about because of my corporate work.
In my job, I had a couple pen tests where the first time this happened really is where this started,
is I was working with an organization and we found a guy who was using his corporate computer and phone
to film child
pornography and then trade it on the dark web. And that guy's in prison right now. And it was
the first time in my life I ever thought, man, like, you know, these skills that I have, I never
thought about using them that way. I mean, I'm just a hacker, right? I didn't think about any
type of like saving people or anything like that. And it came after conversations and a couple more
jobs where that happened, where I was talking to some friends and saying, do you think there's
others in our industry that would want to join together, band together, join forces, and maybe
help law enforcement close some of these cases? And I was amazed at how many people were like,
yes, I would help with that. I would love to help with that.
Can you describe to us what goes into the work that you do from the ethical point of view? I'm
thinking about, you know, you're training people with these techniques and, but there must be,
in your mind, you must think that I really want to guide towards people using these tools for good
and not harm, but you only have so much control over that.
Yeah. And that's a good point. You know, I think it's like anybody who creates anything,
a car manufacturer doesn't say, man, this is going to be the car that's great for hit and runs. You
know, they create their cars with the hope that people will use them in the way they were intended.
Someone buys that car and uses it for drug deals or murder. The intent was not that. So what I
decided a long time ago was when I was thinking through that, because that very thought process
came up and we were like, how are we going to manage this? All we can do is use this philosophy.
So we came up with a mantra and it's leave them feeling better for having met you. So our brand
of social engineering doesn't use the manipulative tactics. It doesn't use sex,
it doesn't use flirtation or lust, it doesn't use extreme fear. So when we're teaching people how to
use these skills, our end goal is always: leave them feeling better for having met you. It's a harder
way to do the job, especially when you're talking about corporate security, but for the last 10 years
we've successfully been able to accomplish that goal.
And then when we educate others with that kind of mindset,
we're not teaching them the darkest arts, right?
We're not teaching them all the things
that maybe the bad guys truly do.
We use those in our corporate world when we have to,
but we're not training those.
We're training the way that we use social engineering
while leaving people feeling better for having met you.
That's Christopher Hadnagy.
The Human Hacking Conference is February 20th through the 22nd in Orlando, Florida.
Microsoft addressed 99 issues in its products yesterday,
making this, in ZDNet's estimation, Redmond's biggest Patch Tuesday ever.
Adobe has patched 42 vulnerabilities in FrameMaker, Flash Player, Reader and Acrobat, Digital Editions,
and Experience Manager. BleepingComputer reports that many of the bugs are rated as
critical.
Intel fixed an authentication issue, CVE-2019-14598, in its CSME.
The flaw, if exploited, could lead to privilege escalation, denial of service,
and information leaks. The Financial Times says the EU is retreating from a proposed
five-year moratorium on deploying facial recognition technology and will leave the
matter up to member states.
Switzerland has opened an investigation into Crypto AG, a former encryption company, a Washington Post and ZDF report concluded, had been a CIA and BND front, effectively a way of surveilling targets of interest.
The BND is Germany's principal intelligence service. The original Crypto AG had been based in Switzerland and closed down some time ago. The present owners of the company's identity stress that whatever happened back in the day,
the current proprietors had nothing to do with it.
And finally, in the U.S. presidential campaign season,
the next event up, now that the New Hampshire primaries have concluded their successful
and relatively low-tech voting, would be the Nevada caucuses coming a week from this Saturday.
The Nevada Democratic Party, which had forsworn the use of a Shadow Inc. app like the one the Iowa
Party had used, less than fully successfully, has said it intends to use iPads, Google Forms,
and other tools to process and tabulate results in its February 22nd caucuses, The Washington Post reports. The Post says the
Nevada plans remain unsettled even with less than 10 days to go, and the national party
is said to be bracing itself for a repetition of Iowa.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with
Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health
and Homeland Security. He is also my co-host over on the Caveat podcast, which if you have not yet
done so, you should totally check out.
Ben, we are, I think it's fair to say, we are deep into election season now. We've got our primaries going, our caucuses going. We're not going.
That is absolutely right.
Just yesterday,
news came that the Senate GOP has once again blocked three election security bills.
This seems to be like this is in the regular rotation now
where it seems like the Democrats are putting up these bills for election security.
The Republicans swat them down.
Are we at the point where this is just theater or what's the story?
So largely, yes, it is just theater.
Okay.
The way the Senate works is generally everything has to be done by unanimous consent,
which when you have 100 people with various egos,
ranging from extremely high to catastrophically high,
that's going to be exceedingly difficult.
And oftentimes, senators will bring up what are called unanimous consent requests,
knowing that those requests are going to be denied.
So this week, Democratic lawmakers on the Senate brought up a unanimous consent request
to consider and pass three bills.
Two of them would require campaigns to alert the FBI or the FEC,
the Federal Elections Commission, if they get any foreign offers of assistance.
I can't imagine what this
might be referring to. It's a mystery. Exactly. And then the third piece of legislation was to
provide more election funding and ban voting machines from being connected to the internet.
That's less of a partisan motivated proposal, but it was still blocked by the GOP. Now,
generally, there's going to be one member of the Senate from each party on the
floor at all times to make sure that they can block these unanimous consent requests. And the
senator on the floor at the time for the Republicans was Marsha Blackburn of Tennessee.
She objected to the request saying that this was just a Democratic effort to, you know, make a
political statement. They just want fodder for their ads. They want to be
able to say Republicans blocked election security bills. Is that plausible? It certainly is. You
know, I think there are legitimate procedural objections here. I'm always skeptical of
procedural arguments because like no one really believes in these things. You know, they care
about the substance. But there are reasonable arguments like there is a better way to consider legislation
than going to the floor and saying, I ask unanimous consent for this to be passed right away.
I see.
You know, so what the Republicans might say is we might consider this, but it should go through the
committee process. You know, it should get we should be able to vote on amendments. It should
come to the Senate floor. And that's, you know, not what's happening here. And I think Democrats know that, you know, if they really wanted to make a more serious bipartisan effort to get
this legislation passed, they'd go through regular channels. I do think these unanimous
consent requests, you know, they do consider them political messaging. However, Republicans,
if they actually believed in the substance of these pieces of legislation, could easily not object. I'm almost certain all three of these pieces of legislation would be
passed by the House, given that there's a Democratic majority. Who knows what would
happen if those bills were presented to the president? So, you know, I think there are
certainly procedural reasons why you would object to a unanimous consent request. But, you know,
at the end of the day, things that really are non-controversial,
like congratulating Alabama
on winning the college football national championship.
Notice I'm not using the Super Bowl as an example.
I know.
Out of protest.
But yeah, I mean, things like that can pass
with unanimous consent.
I see.
And they do all the time.
So it does indicate that there is some level
of substantive controversy over these issues.
Something the article points out is that Congress did pass a spending package last year that included an additional $425 million in election security funding.
I guess in the grand scheme of things, $425 million is not a huge amount of money for national election security.
But it points out that it is possible to get things through.
There's not a completely ignored issue.
Right, and this was an example of using regular channels,
in this case, the appropriations process.
This presumably went through committee hearings
at the appropriate appropriations subcommittee.
It got considered along with a bunch of different spending priorities
and made it into the bill.
In some sense, this was probably part of a grand compromise
that led to the adoption of a spending package
so that we wouldn't end up in a government shutdown.
But it was in there, and that might be the only way Democrats are able
to get any sort of election security legislation passed,
just get it saddled
up to must pass spending legislation. Everything else in Congress these days seems to sort of get
bottled up. So those are oftentimes the vehicles for getting policy changes. All right. Well,
Ben Yelin, thanks for helping us understand it. Always a pleasure to have you on. Thank you, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed
to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett
Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave
Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.