The CyberWire Daily Podcast 5.16.19
Ep 845 | 5.16.19

US Executive Order aimed at China, and Huawei. Hunting backdoors in Dutch networks. Spyware proliferation. Cipher stunting. Titan key spoofing. Meaconing warning. Exposed PII in Russia.

Transcript

Dave Bittner: [00:00:03] President Trump declares a state of emergency over the threat from foreign adversaries and the companies they control. And yes, Huawei, he's looking at you. Dutch intelligence is said to be investigating the possibility of backdoors in telecommunications networks. Concerns about spyware proliferation rise. Cipher stunting is observed in the wild. Titan security keys are spoofable. Meaconing airlines. And misconfigurations expose PII in Russia.

Dave Bittner: [00:00:38] Now, a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 16, 2019. U.S. President Trump yesterday issued an executive order declaring a national emergency with respect to the threat foreign adversaries pose to U.S. technology infrastructure. Authority to issue the order comes from the International Emergency Economic Powers Act. The executive order opens the way to banning the use of products and services produced by companies effectively under the control of such adversaries. The secretary of commerce will take the lead in determining where such threats to national security lie and will do so in consultation with other agencies as appropriate. The secretary of commerce is charged with developing rules or regulations to implement the order within 150 days.

Dave Bittner: [00:02:36] Commerce has already said it will add Huawei and 70 of its affiliates to an entity list of organizations to be banned under the executive order. Huawei knows that it's the company of interest here. American authorities haven't been at all coy over the past year. And Huawei has responded with a mixture of honey and vinegar. It's innocent, The Guardian reports the company is saying, and it will sign agreements to convince skeptical governments that its products represent no threat. Besides, none of you can really afford to do without us. That's the vinegar.

Dave Bittner: [00:03:09] The offer to sign undertakings not to engage in espionage on behalf of the Chinese government has been in play for some weeks. And Huawei has negotiated confidence-building inspection and disclosure agreements with other governments. These haven't always proceeded entirely happily. In the U.K., for example, the Huawei Cyber Security Evaluation Centre in Banbury - the HCSEC - was established to inspect Huawei kit inbound to Britain. GCHQ, which monitors the British end of things, said earlier this year that Huawei had been unreliable and slipshod in addressing security issues raised by the HCSEC and that, moreover, the company's security was simply sloppy from an engineering point of view.

Dave Bittner: [00:03:54] Those who bet on form will note T-Mobile's experience with Huawei's willingness to adhere to agreements that would protect IP. That experience was not a good one. As we learned two weeks ago at the Global Cyber Innovation Summit, Huawei not only continued to steal IP after signing agreements not to do so, but the company even incentivized employees to snoop on partners' trade secrets. Huawei's case also isn't helped by reports that the Netherlands General Intelligence and Security Service is investigating what it believes may be an espionage backdoor the company insinuated into Dutch commercial telecommunications networks. The intelligence agency isn't speaking publicly, but the Dutch news outlet Volkskrant says it has sources close to the inquiry who've confirmed that an investigation is ongoing. The General Intelligence and Security Service has expressed skepticism of Huawei in the past.

Dave Bittner: [00:04:50] Why are Chinese firms targets? There are three other big adversaries the U.S. has - Russia, Iran and North Korea. But China is a major trading partner. And China makes things people actually want to buy. Russia and Iran don't offer much apart from oil, the value of which increasing U.S. production has undercut. And North Korea, of course, offers nothing much at all.

Dave Bittner: [00:05:14] The Telegraph reports that NSO Group's ownership says it will investigate how Pegasus became the payload in a WhatsApp exploit and promises transparency and more due diligence with respect to its customers. Novalpina Capital, the British private equity fund that has a significant stake in NSO Group, says it's determined to ensure that NSO products like Pegasus aren't abused.

Dave Bittner: [00:05:39] DNS, the domain name system, is one of the foundational underpinnings of the internet, translating domain names to IP addresses so users can reach online resources thereafter. But DNS isn't immune to attack, and lately it's been in the crosshairs of a number of bad actors.

Dave Bittner: [00:05:55] Kris Beevers is CEO at NS1, a provider of managed and private DNS services.

Kris Beevers: [00:06:01] The biggest threats are hijacking and posing - attacks that are about taking over your domain or DDoS attacks that are about disabling your domain and keeping your application offline. A few essential best practices that have emerged around DDoS in particular. First of all, don't power your own internet-facing DNS, right? It now requires, if you want to be defended against these large-scale DDoS attacks, a huge investment in network infrastructure, DDoS mitigation capability and so on. And there are companies in the (unintelligible) space in particular that are making gigantic investments in their network infrastructure and mitigation technologies and DNS software to defend against the scale and complexity of attacks that we're seeing today. So work with them because they are making these investments on your behalf.

Kris Beevers: [00:06:50] Another important thing around DDoS is redundancy. Four or five years ago, what we saw is most domains on the internet were what we would call singly homed. They lived on a single vendor's set of DNS name servers. The problem with that is if the vendor comes under a major attack or has some other kind of network issue, it takes your domain offline. The best practice that emerged was work with multiple vendors or multiple DNS networks at any one time to service your domain in an active-active fashion, so that if one of them comes under some big attack, the other one picks up the slack. The DNS protocol is designed for this purpose or to work seamlessly in this way. And the technology to do this has improved pretty dramatically in the past couple of years since the big well-known attacks that have happened. There are vendors in the market today that can deploy multiple physically independent networks for you to introduce redundancy and protect against DDoS attack.

Kris Beevers: [00:07:44] Another basic best practice that has emerged is sign your domains, use DNSSEC. And DNSSEC is an extension of the protocol, as we spoke about, that's been around for more than a decade now. But much like, you know, IPv6, it's taken a long time for it to gain adoption. The incentivization hasn't always been there, and in particular, it's been hard to implement in the past. Now we're seeing these active threats, like those identified by the Talos Group at Cisco or by FireEye and CSET at Department of Homeland Security so far in 2019. These threats are real. They're happening. That should provide some incentivization to protect your domains. It's a brand motivation, right? If your domain is hijacked, and your customers' data is stolen, these days it's on you because the technology is there to protect your domain. And in particular, you will find multiple vendors in the managed DNS ecosystem today that make DNSSEC as easy as pushing a button. So go push the button. It's really important now.

Kris Beevers: [00:08:41] And then the final sort of area that I encourage everyone I'm speaking with to go audit and investigate is access controls and management of their domains. This is how some of these hijacking attacks are really happening today. It's weak passwords. It's lack of two-factor authentication on access to DNS management systems or registrars. And the other really important piece of this is, you know, not just access controls but monitoring changes that are happening in your domains. Is somebody changing really important DNS records, like your mail server records or the NS records that point your domain at particular name servers or the signing keys, if you've implemented DNSSEC? And modern managed DNS vendors in particular provide APIs or integrations with your SIEM, so that you can get updated instantly when changes are happening to those important DNS records in your domain and drive alerts off of those in your SOC or with your security team. So those are the three basic things - redundancy for DDoS, sign your domains with DNSSEC and best practice control plane security and monitoring.

Dave Bittner: [00:09:57] That's Kris Beevers from NS1.

Dave Bittner: [00:10:00] Researchers at security firm Proofpoint have released a study of TA542, which they call a prolific threat actor. TA542's signature project is Emotet, which has gone through four versions. Emotet emerged in May 2014 as a banking Trojan. Since then it's evolved. Now in 2019, Emotet has become a system for delivering other malicious payloads. How is it distributed? It will surprise no one to hear that it spreads by social engineering.

Dave Bittner: [00:10:31] Akamai has observed an increase in cipher stunting, a method by which attackers finagle their encryption traffic in order to avoid detection. The security firm says it's seen that attackers, quote, "on a scale never seen before," end quote, are using automatically varied permutations of the initial handshake request to the Client Hello packet in order to obscure their trail, making it appear that the requests are coming from a large number of distinct systems. This tends to defeat attempts to fingerprint such communications, and fingerprinting has been a useful way of recognizing malicious traffic.

Dave Bittner: [00:11:07] Researchers at Northeastern University point out the possibility that hostile actors could use bogus signals to divert commercial aircraft. Such deception is an old possibility. It's traditionally called meaconing, and it goes back to the earliest days of radio-aided aerial navigation. But the increased dependence of aircraft on such navigational systems does seem to raise the stakes.

Dave Bittner: [00:11:32] Google has warned that its Titan Bluetooth security keys, widely used for two-factor authentication, can be hijacked by attackers within Wi-Fi range. Mountain View is offering replacement hardware, said to be proof against this particular hack.

Dave Bittner: [00:11:48] A joint EU-U.S. investigation has resulted in the indictment of 11 hackers in connection with the use of the GozNym banking Trojan. The gang was widely distributed, but Eastern European - five in Russia, two in Ukraine, two in Georgia and one each in Bulgaria and Moldova. Their U.S. indictment was filed in the U.S. District Court for the Western District of Pennsylvania. Five are in custody, and two of them will face trial in Georgia. Six are on the run.

Dave Bittner: [00:12:17] Call it raskonfiguratsiya (ph). Why not? It's misconfigure in Russian. And that's what seems to have happened to some official Russian databases recently. The Russian NGO Informational Culture says it's discovered the personal data of some 2 1/4 million Russian citizens knocking around on the internet. The people affected range from the ordinary Ivans and Ivankas up to some pretty high-level bigwigs, and their stuff is out there, where any Joe Lunchbucket or Janey Sixpack can scoop it up. Roskomnadzor, the government's information watchdog, is doing a little whistling in the dark, saying that, well, all that info was never meant to be private in the first place. And maybe they're right. But there's really nothing to be ashamed of. The researchers blame inconsistency with respect to document management, poorly skilled IT personnel and failure to implement data loss prevention for the exposures. And that could happen to anyone. It's happened to a lot of people; just ask the U.S. government, which could show you a pretty cageful of similar issues at the Office of Personnel Management back in the day.

Dave Bittner: [00:13:26] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:14:42] And I'm pleased to be joined once again by Emily Wilson. She's the VP of research at Terbium Labs. Emily - great to have you back. We had this story come by recently from the folks over at Cisco's Talos unit about work they had done exposing groups on Facebook that were doing shady stuff out in the open. And when I saw this story, I thought, well, I have to talk to Emily about this because in my mind, these are the sorts of things that I would expect to be happening on the dark web. But I was surprised to see them out there in the open like this. What's your take?

Emily Wilson: [00:15:16] When I first started doing dark web work, I was stunned to see how blatantly and how openly some of these criminal markets and some of these criminal groups operate. You know, we have people who are leaking stolen data via Twitter. We have people who are operating crime groups on Facebook. You know, even these carding markets we've talked about before - these specialized markets where people are selling stolen payment cards. I've seen these operating on dot-coms and dot-orgs. I think hiding in plain sight is generous. These people are operating very blatantly, which speaks to the lack of consequences in many cases.

Dave Bittner: [00:15:53] Yeah, one of the points that they made in their research here was that, in particular, these Facebook groups were going after the less-sophisticated users. They were selling tools that were easy to use.

Emily Wilson: [00:16:07] Fraudsters are in business to make money. Cybercriminals are in business, ultimately, one way or another, to make money. And so you have to ask yourself, where can I pick up market share? Where can I go and find new customers for my business? Where are my customers living and working and breathing? If we take away all of the nuance and the spookiness that we tend to hear around some of these criminal groups and remember that they are people just like us - they are us, operating businesses with the intention of getting as much profit as they can while they can, then this makes sense. You're going to go where the people are. You're going to get all of the younger people on Facebook who are looking to make money and turn a profit quickly and maybe don't care too much if - you know, if it's unscrupulous.

Dave Bittner: [00:16:58] You know, one of the fascinating things I saw in their research here was that the way that the algorithms work on Facebook in terms of recommending things - you could imagine a teenager going to look for, you know, cheats on Fortnite. And the algorithm gets spun up and says, hey, we see you're interested in cheats on Fortnite. How do you feel about stolen credit cards?

Emily Wilson: [00:17:21] It's exactly like that. You know, that's a hypothetical, but I think that's a very representative hypothetical. Like, that's the ease of access we're talking about here. You know, there's certainly a variety of broader conversations we could be having about the issues with algorithms. But the use of social media as a marketing tactic for criminal groups or extremist groups - we've seen this play out time and again. You know, it's worked for neo-Nazis and white supremacists. It's worked for ISIS. Of course it's going to work for cybercrime.

Dave Bittner: [00:17:57] Well, I mean, to their credit, the folks at Facebook were very responsive when Cisco's Talos group reached out to them and shut down many of these sites. But I guess we fall into that mode where it just becomes a game of whack-a-mole.

Emily Wilson: [00:18:12] Whack-a-mole is definitely what I would call it or, you know, I think I've said before cutting off the head of a hydra and you have eight more that pop up. Shutting down these groups is a great first step. It doesn't mean that eight more groups won't open up or that these users or these groups that got shut down won't just start over again under new names.

Dave Bittner: [00:18:31] Right.

Emily Wilson: [00:18:31] You know, it's constantly a moving target. And we know that resource allocation is one of the more difficult challenges that these networks face. What do you go after first? And in most cases, cybercrime and, certainly, fraud are not going to be at the top of the list.

Dave Bittner: [00:18:48] Yeah, I suppose it's a good thing, though. Every little bit of friction that you can add here could be helpful.

Emily Wilson: [00:18:54] Every little bit of friction and, I would say, every little bit of publicity - it's a double-edged sword because you don't want to call attention to people who are then going to say, oh, well, that's what I'll do this summer. I'll just go on Facebook and find some fraud rings or some cybercrime rings. And that's how I'll make my money. I won't get a regular summer job. You know, you don't want to market it or make it look good. But you also want to draw attention to the pervasiveness of the issue and the wide spread of the issue and the ease of access of this information in hopes that other organizations, whether we're talking about law enforcement or government or what have you, are going to say, OK. Here's an easy way we can go after some of these groups and shut them down. Here are some things we can tie back into the work that we're already doing to lessen this issue. You want to let people know how bad it is so people can help and, hopefully, not recruit too many new criminals in the meantime.

Dave Bittner: [00:19:46] All right. Well, Emily Wilson, thanks for joining us.

Dave Bittner: [00:19:53] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat-management platform. Learn more at observeit.com.

Dave Bittner: [00:20:06] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.