CyberWire Daily - US Executive Order aimed at China, and Huawei. Hunting backdoors in Dutch networks. Spyware proliferation. Cipher stunting. Titan key spoofing. Meaconing warning. Exposed PII in Russia.

Episode Date: May 16, 2019

President Trump declares a state of emergency over the threat from foreign adversaries and the companies they control. (And yes, Huawei, he’s looking at you.) Dutch intelligence is said to be investigating the possibility of backdoors in telecommunications networks. Concerns about spyware proliferation rise. Cipher stunting is observed in the wild. Titan security keys are spoofable. Meaconing airliners. And misconfigurations expose PII in Russia. Emily Wilson from Terbium Labs on the surprisingly open nature of online sales of illicit goods and services. Guest is Kris Beevers from NS1 on DNS security and management technology. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_16.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. President Trump declares a state of emergency over the threat from foreign adversaries and the companies they control. And yes, Huawei, he's looking at you. Dutch intelligence is said to be investigating the possibility of backdoors in telecommunications networks, concerns about spyware proliferation rise, cipher stunting is observed in the wild,
Starting point is 00:02:17 Titan security keys are spoofable, meaconing airliners, and misconfigurations expose PII in Russia. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 16, 2019. U.S. President Trump yesterday issued an executive order declaring a national emergency with respect to the threat foreign adversaries pose to U.S. technology infrastructure. Authority to issue the order comes from the International Emergency Economic Powers Act. The executive order opens the way to banning the use of products and services produced by companies effectively under the control of such adversaries. The Secretary of Commerce will take the lead in determining where such threats to national security lie and will do so in consultation with other agencies as appropriate. The Secretary of
Starting point is 00:03:16 Commerce is charged with developing rules or regulations to implement the order within 150 days. Commerce has already said it will add Huawei and 70 of its affiliates to an entity list of organizations to be banned under the executive order. Huawei knows that it's the company of interest here. American authorities haven't been at all coy over the past year. And Huawei has responded with a mixture of honey and vinegar. It's innocent, The Guardian reports the company saying, and it will sign agreements to convince skeptical governments
Starting point is 00:03:48 that its products represent no threat. Besides, none of you can really afford to do without us. That's the vinegar. The offer to sign undertakings not to engage in espionage on behalf of the Chinese government has been in play for some weeks, and Huawei has negotiated confidence-building inspection and disclosure agreements with other governments. These haven't always proceeded entirely happily. In the U.S., for example, the Huawei Cybersecurity
Starting point is 00:04:15 Evaluation Center in Banbury, the HCSEC, was established to inspect Huawei kit inbound to Britain. GCHQ, which monitors the British end of things, said earlier this year that Huawei had been unreliable and slipshod in addressing security issues raised by the HCSEC, and that, moreover, the company's security was simply sloppy from an engineering point of view. Those who bet on form will note T-Mobile's experience with Huawei's willingness to adhere to agreements that would protect IP. That experience was not a good one.
Starting point is 00:04:51 As we learned two weeks ago at the Global Cyber Innovation Summit, Huawei not only continued to steal IP after signing agreements not to do so, but the company even incentivized employees to snoop on partners' trade secrets. Huawei's case also isn't helped by reports that the Netherlands General Intelligence and Security Service is investigating what it believes may be an espionage backdoor the company insinuated into Dutch commercial telecommunications networks. The intelligence agency isn't speaking publicly, but the Dutch news outlet Volkskrant says it has sources close
Starting point is 00:05:26 to the inquiry who've confirmed that an investigation is ongoing. The General Intelligence and Security Service has expressed skepticism of Huawei in the past. Why are Chinese firms targets? There are three other big adversaries the U.S. has, Russia, Iran, and North Korea. But China is a major trading partner, and China makes things people actually want to buy. Russia and Iran don't offer much apart from oil, the value of which increasing U.S. production has undercut. And North Korea, of course, offers nothing much at all. The Telegraph reports that NSO Group's ownership says it will investigate how Pegasus became the payload in a WhatsApp exploit and promises transparency and more due diligence with respect to its customers. Novalpina Capital, the British private equity fund that has a significant stake in NSO Group, says it's determined to ensure that NSO products like Pegasus aren't abused.
Starting point is 00:06:24 DNS, the domain name system, is one of the foundational underpinnings of the Internet, translating domain names to IP addresses so users can reach online resources thereafter. But DNS isn't immune to attack, and lately it's been in the crosshairs of a number of bad actors. Kris Beevers is CEO at NS1, a provider of managed and private DNS services. The biggest threats are hijacking and poisoning attacks that are about taking over your domain, or DDoS attacks that are about disabling your domain and keeping your application offline. A few essential best practices have emerged around DDoS in particular. First of all, don't power your own internet-facing DNS, right? It now requires, if you want to be defended against these large-scale
Starting point is 00:07:12 DDoS attacks, a huge investment in network infrastructure, DDoS mitigation capability, and so on. And there are companies in the managed DNS space in particular that are making gigantic investments in their network infrastructure and mitigation technologies and DNS software to defend against the scale and complexity of attacks that we're seeing today. So work with them because they are making these investments on your behalf. Another important thing around DDoS is redundancy. Four or five years ago, what we saw is most domains on the internet were what we would call singly homed. They lived on a single vendor's set of DNS name servers. The problem with that is if the vendor comes under a major attack or has some other kind of network issue, it takes your domain offline. Work with multiple vendors or multiple DNS networks at any one time to service your domain in an active-active fashion so that if one of them comes under some big attack, the other one
Starting point is 00:08:10 picks up the slack. The DNS protocol is designed for this purpose or to work seamlessly in this way. And the technology to do this has improved pretty dramatically in the past couple of years since the big well-known attacks that have happened. There are vendors in the market today that can deploy multiple physically independent networks for you to introduce redundancy and protect against DDoS attack. Another basic best practice that has emerged is sign your domains. Use DNSSEC. DNSSEC is an extension of the protocol, as we spoke about, that's been around for more than a decade now.
Starting point is 00:08:42 But much like IPv6, it's taken a long time for it to gain adoption. The incentivization hasn't always been there. And in particular, it's been hard to implement in the past. Now we're seeing these active threats like those identified by the Talos Group at Cisco or by FireEye and CISA at Department of Homeland Security so far in 2019. These threats are real. They're happening. That should provide some incentivization to protect your domains. It's a brand motivation, right? If your domain is hijacked and your customer's data is stolen, these days it's on you because the technology is there to protect your domain. And in particular, you will find multiple vendors in the managed DNS ecosystem
Starting point is 00:09:22 today that make DNSSEC as easy as pushing a button. So go push the button. It's really important now. And then the final sort of area that I encourage everyone I'm speaking with to go audit and investigate is access controls and management of their domains. This is how some of these hijacking attacks are really happening today. It's weak passwords. It's lack of two-factor authentication on access to DNS management systems or registrars. And the other really important piece of this is not just access controls, but monitoring changes that are happening in your domains. Is somebody changing really important DNS records like your mail server records or the NS records that point your domain at particular name servers or the signing keys
Starting point is 00:10:12 if you've implemented DNSSEC? And modern managed DNS vendors in particular provide APIs or integrations with your SIEM so that you can get updates instantly when changes are happening to those important DNS records in your domain and drive alerts off of those in your SOC or with your security team. So those are the three basic things. Redundancy for DDoS, sign your domains with DNSSEC, and best practice control plane security and monitoring. That's Kris Beevers from NS1. Researchers at security firm Proofpoint have released a study of TA542,
Starting point is 00:10:55 which they call a prolific threat actor. TA542's signature project is Emotet, which has gone through four versions. Emotet emerged in May 2014 as a banking trojan. Since then, it's evolved. Now, in 2019, Emotet has become a system for delivering other malicious payloads. How is it distributed? It will surprise no one to hear that it spreads by social engineering. Akamai has observed an increase in cipher stunting, a method by which attackers finagle their encryption traffic in order to avoid detection. The security firm says it's seen that attackers, quote, on a scale never seen before, end quote, are using automatically varied permutations of the initial
Starting point is 00:11:35 handshake request, the client hello packet, in order to obscure their trail, making it appear that the requests are coming from a large number of distinct systems. This tends to defeat attempts to fingerprint such communications, and fingerprinting has been a useful way of recognizing malicious traffic. Researchers at Northeastern University point out the possibility that hostile actors could use bogus signals to divert commercial aircraft. Such deception is an old possibility. It's traditionally called meaconing, and it goes back to the earliest days of radio-aided aerial navigation. But the increased dependence of aircraft on such navigational systems does seem to raise the stakes.
Starting point is 00:12:18 Google has warned that its Titan Bluetooth security keys, widely used for two-factor authentication, can be hijacked by attackers within Wi-Fi range. Mountain View is offering replacement hardware, said to be proof against this particular hack. A joint EU-US investigation has resulted in the indictment of 11 hackers in connection with the use of the GozNym banking trojan. The gang was widely distributed, but
Starting point is 00:12:45 Eastern European, five in Russia, two in Ukraine, two in Georgia, and one each in Bulgaria and Moldova. Their U.S. indictment was filed in the U.S. District Court for the Western District of Pennsylvania. Five are in custody, and two of them will face trial in Georgia. Six are on the run. Call it Ruskonfiguratsiya. Why not? It's misconfigure in Russian, and that's what seems to have happened to some official Russian databases recently. The Russian NGO Informational Culture says it's discovered the personal data of some two and a quarter million Russian citizens knocking around on the internet. The people affected range from the ordinary Ivans and Ivankas up to some pretty high-level bigwigs, and their stuff is out there where any Joe Lunchbucket or Janie Sixpack can scoop it up. Roskomnadzor, the government's information
Starting point is 00:13:36 watchdog, is doing a little whistling in the dark, saying that, well, all that info was never meant to be private in the first place, and maybe they're right. But there's really nothing to be ashamed of. The researchers blame inconsistency with respect to document management, poorly skilled IT personnel, and failure to implement data loss prevention for the exposures. And that could happen to anyone. It's happened to a lot of people. Just ask the U.S. government,
Starting point is 00:14:01 which could show you a pretty cage full of similar issues at the Office of Personnel Management back in the day. Innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:52 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Thank you. And now, a message from Black Cloak.
Starting point is 00:15:52 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives Thank you. and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Emily Wilson. She is the VP of Research at Terbium Labs. Emily, great to have you back. We had this story come by recently from the folks over at Cisco's Talos unit about work they had done exposing groups on Facebook that were doing shady stuff out in the
Starting point is 00:16:52 open. And when I saw this story, I thought, well, I have to talk to Emily about this because in my mind, these are the sorts of things that I would expect to be happening on the dark web. But I was surprised to see them out there in the open like this. What's your take? When I first started doing dark web work, I was stunned to see how blatantly and how openly some of these criminal markets and some of these criminal groups operate. You know, we have people who are leaking stolen data via Twitter. We have people who are operating crime groups on Facebook. You know, even these carding markets we've talked about before, these specialized markets,
Starting point is 00:17:29 people are selling stolen payment cards. I've seen these operating on dot coms and dot orgs. I think hiding in plain sight is generous. These people are operating very blatantly, which speaks to the lack of consequences in many cases. Hmm. Yeah. One of the points that they made in their research here was that, in particular, these Facebook groups were going after the less sophisticated users. They were selling tools that were easy to use. Fraudsters are in business to make money. Cyber criminals are in business, ultimately, one way or another, to make money. And so you have to ask yourself, where can I pick up market share? Where can I go and find
Starting point is 00:18:11 new customers for my business? Where are my customers living and working and breathing? If we take away all of the nuance and the spookiness that we tend to hear around some of these criminal groups and remember that they are people just like us, they are us, operating businesses with the intention of getting as much profit as they can while they can, then this makes sense. You're going to go where the people are.
Starting point is 00:18:37 You're going to get all of the younger people on Facebook who are looking to make money and turn a profit quickly and maybe don't care too much if, you know, if it's unscrupulous. You could imagine a teenager going to look for cheats on Fortnite and the algorithm gets spun up and says, hey, we see you're interested in cheats on Fortnite. How do you feel about stolen credit cards? It's exactly like that. That's a hypothetical, but I think that's a very representative hypothetical. That's the ease of access we're talking about here.
Starting point is 00:19:27 There's certainly a variety of broader conversations we could be having about the issues with algorithms, but the use of social media as a marketing tactic for criminal groups or extremist groups, we've seen this play out time and again. It's worked for neo-Nazis and white supremacists. It's worked for ISIS. Of course it's going to work for cybercrime. Well, I mean, to their credit, the folks at Facebook were very responsive when Cisco's Talos Group reached out to them and shut down many of these sites. But I guess we fall into that mode where it just becomes a game of whack-a-mole. Whack-a-mole is definitely what I would call it.
Starting point is 00:20:05 Or, you know, I think I've said before, cutting off the head of a Hydra and you have eight more that pop up. Shutting down these groups is a great first step. It doesn't mean that eight more groups won't open up or that these users or these groups that got shut down won't just start over again under new names. It's constantly a moving target, and we know that resource allocation is one of the more difficult challenges that these networks face.
Starting point is 00:20:31 What do you go after first? And in most cases, cybercrime and certainly fraud are not going to be at the top of the list. Yeah, I suppose it's a good thing, though, every little bit of friction that you can add here could be helpful. Every little bit of friction, and I would say every little bit of publicity. It's a double-edged sword because you don't want to call attention to people who are then going to say,
Starting point is 00:20:55 oh, well, that's what I'll do this summer. I'll just go on Facebook and find some fraud rings or some cybercrime rings, and that's how I'll make my money. I won't get a regular summer job. You know, you don't want to market it or make it look good, but you also want to draw attention to the pervasiveness of the issue and the widespread of the issue and the ease of access of this information in hopes that other organizations, whether we're talking about law enforcement or government or what have you, are going to say, okay, here's an easy way we can go after some of these groups and shut them down. Here are some things we can tie back into the work that
Starting point is 00:21:28 we're already doing to lessen this issue. You want to let people know how bad it is so people can help and hopefully not recruit too many new criminals in the meantime. All right. Well, Emily Wilson, thanks for joining us. Thanks for joining us. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Starting point is 00:23:05 Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson,
Starting point is 00:23:12 Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:23:39 We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
