The CyberWire Daily Podcast 2.12.20
Ep 1023 | 2.12.20

Facebook takes down coordinated inauthenticity. US says it’s got the goods on Huawei. EU will leave facial recognition policy up to member states. Patch Tuesday. Counting on the caucus.

Transcript

Dave Bittner: [00:00:03] Facebook takes down coordinated inauthenticity from Myanmar, Vietnam, Iran and Russia. The U.S. says it's got the goods on Huawei's back doors - notes on Patch Tuesday. The EU backs away from a five-year moratorium on facial recognition software. Switzerland takes a look at Crypto AG. And the Nevada Democratic caucus, a week from Saturday, will use iPads, Google Forms and some tools to process the results. That's tools, friends - not apps.

Dave Bittner: [00:00:38] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And are you attending RSA Conference 2020 in San Francisco, February 24 through the 28? Well, don't forget to stop by Booth 743 to meet the Recorded Future team in person and pick up a free copy of their new book, "The Threat Intelligence Handbook." Come on by and say hello. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment; insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.

Dave Bittner: [00:02:13]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 12, 2020. Facebook this morning removed inauthentic accounts that were functioning in a coordinated fashion. The accounts emanated from Iran, Russia, Myanmar and Vietnam. The Russian activity focused on the near abroad, the former Soviet republics in Russia's backyard and especially on Ukraine. Menlo Park took down 78 Facebook accounts, 11 pages, 29 groups and four Instagram accounts that it found were in violation of its policy against foreign or government interference. Many of the operators behind these engagements represented themselves as citizen journalists and sought contact with regular media or public officials, but Facebook said they found signs that all of them were connected with Russian military intelligence services - the same people behind, of course, our old animal friend Fancy Bear. 

Dave Bittner: [00:03:12]  The campaigns from Myanmar and Vietnam included 13 Facebook accounts and 10 pages. It was focused on Myanmar, and the activity originated in both that country and in Vietnam. And finally, Facebook removed six accounts and five Instagram accounts in a small network operated from Iran that focused mostly on the U.S. None of these campaigns appear to have had particularly large followings. The Iranian operators, for example, had only about 60 followers, which would be the shame of even a modestly popular middle schooler. But the Iranian campaign is interesting in other respects. Some of the accounts taken down were flagged by FireEye in its continued tracking of the influence operation the security firm calls Distinguished Impersonator. The company began publicly tracking Distinguished Impersonator in May of 2019, when they found Iranian operators assuming personas that impersonated U.S. congressional candidates or used fabricated personas that represented themselves as journalists. The goal of that activity was to solicit interviews intended to, as FireEye puts it, bolster desired political narratives. Distinguished Impersonator has remained in business ever since. 

Dave Bittner: [00:04:24]  The U.S. claims to have hard evidence that Huawei for more than a decade has secretly built back doors into its equipment through which it can access communications that equipment carries. The Wall Street Journal writes that such access is attained through lawful interception interfaces in the systems. Such interfaces are not unique to Huawei equipment. What's unique to Huawei, the U.S. claims, is secret retention of access to those interfaces, which should only be available to legal authorities acting under authority of national wiretapping laws. Huawei dismisses the U.S. allegations, saying that only network operators, not equipment vendors like itself, can access communications. The U.S. has not yet made its evidence public, but it has, according to the Washington Examiner, continued its campaign to persuade allies to exclude Huawei from their 5G infrastructure. 

Dave Bittner: [00:05:14]  Reuters reports that Germany appears ready to follow a risk-management approach similar to that adopted by the U.K. Christopher Hadnagy is well-known in security circles for his expertise on social engineering, and his books are required reading on the topic. He'll be among those hosting the upcoming Human Hacking Conference, presented by the SEVillage, later this month in Orlando, Fla. The CyberWire is a media partner for the conference, and we caught up with Christopher Hadnagy to find out more. 

Christopher Hadnagy: [00:05:44]  I own a company called Social-Engineer, LLC. We basically focus on the human factor of vulnerability. We help companies learn where they may be vulnerable to phishing and vishing scams, impersonation, physical breaches and things like that. That sparked two things. It sparked - one is our conference, which is the SEVillage - the Human Hacking Conference, which is coming up next week - to help people that are not in this field - so people that are not pen testers - you know? - they're not security folks, but they want to know how to use human hacking skills in everyday life, you know, just how to get things done in your life through using these type of communication skills. And then the second thing it launched was a foundation called the Innocent Lives Foundation, where we use people who are experts in OSINT and social engineering to track and uncover people who are preying on children online. And that way, we can turn them over to law enforcement and work closely with law enforcement in getting them apprehended. 

Dave Bittner: [00:06:44]  Can you take us through each of those? What are those efforts about? 

Christopher Hadnagy: [00:06:47]  Sure. So about a decade ago, I came out with my first social engineering class. It was called Social Engineering for Penetration Testers, and it was very limited, in my mind, as a scope for usage to just people who were pen testers. Jumping forward about five years, I started to notice that over half the class weren't pen testers. And I started to ask like, why are you here? You know, why are you in this class particularly? And they would say, oh, my buddy took it, and he works for X company, and he's a penetration tester, but he said it was so amazing, I would learn something from it, so I'm taking it. It was a sales guy. 

Christopher Hadnagy: [00:07:20]  And then I had, you know, psychologists and teachers and stay-at-home parents. And I was like - so eventually, I changed the name of the course to Advanced Practical Social Engineering. And what's occurred over the last, let's say, five or six years is maybe 50 or 60% of my public classes - so not the black hat ones, where everyone's in the industry - but my public classes tend to be non-security-related folks that are just interested in learning these skills for everyday life. 

Christopher Hadnagy: [00:07:47]  So that sparked a thought. Maybe we should hold a conference where we get some of the greatest minds - people who I've personally learned from, people like Joe Navarro, who's, like the body language king, you know, Ian Rowland, who, like, created the science behind understanding cold reading and how to use it - and say, can we invite these people in to do two-to-five-hour training sessions? And we designed it as what we called the Human Hacking Conference. So its whole concept is to teach just everyday people, regardless of what your role is, on how to use the very same skills that social engineer use, but to communicate more effectively, to get things that you want out of life, to be able to accomplish your goals. 

Dave Bittner: [00:08:28]  Now, how about your efforts to help protect children online? 

Christopher Hadnagy: [00:08:32]  That came about because of my corporate work. In my job, I had a couple pen tests where - the first time this happened, really, is where this started - is, I was working with an organization, and we found a guy who was using his corporate computer and phone to film child pornography and then trade it on the dark web. And that guy's in prison right now. And it was the first time in my life I ever thought, man, like, you know, these skills that I have, I never thought about using them that way. I mean, I'm just a hacker. I didn't think about any type of, like, saving people or anything like that. And it came after conversations and a couple more jobs where that happened, where I was talking to some friends and saying, you know, do you think there's others in our industry that would want to join together, band together, join forces and maybe help law enforcement close some of these cases? And I was amazed at how many people were like, yes, I would help with that; I would love to help with that. 

Dave Bittner: [00:09:26]  Can you describe to us what goes into the work that you do from the ethical point of view? And I'm thinking about, you know, you're training people with these techniques and - but there must be - in your mind, you must think that, I really want to guide towards people using these tools for good and not harm, but you only have so much control over that. 

Christopher Hadnagy: [00:09:47]  Yeah. That's - and that's a good point. You know, I think it's like, anybody who creates anything - a car manufacturer doesn't say, man, this is going to be the car that's great for hit-and-runs. You know? 

Dave Bittner: [00:09:57]  Right. 

Christopher Hadnagy: [00:09:57]  They create their cars with the hope that people will use them in the way they were intended. Someone buys that car and uses it for drug deals or murder - the intent was not that. So what I decided a long time ago was, when I was thinking through that - because that very thought process came up, and we were like, how are we going to manage this? All we can do is use this philosophy. So we came up with a mantra, and it's, leave them feeling better for having met you. So our brand of social engineering doesn't use the manipulative tactics. It doesn't use sex. It doesn't use flirtation or lust. It doesn't use extreme fear. So when we're teaching people how to use these skills, our end goal is always, leave them feeling better for having met you. 

Christopher Hadnagy: [00:10:40]  It's a harder way to do the job, especially when you're talking about corporate security, but, sir, the last 10 years, we've successfully been able to accomplish that goal. And then when we educate others with that kind of mindset, we're not teaching them the darkest arts, right? We're not teaching them all the things that maybe the bad guys truly do. We use those in our corporate world when we have to, but we're not training those. We're training the way that we use social engineering while leaving people feeling better for having met you. 

Dave Bittner: [00:11:09]  That's Christopher Hadnagy. The Human Hacking Conference is February 20 through the 22 in Orlando, Fla. 

Dave Bittner: [00:11:17]  Microsoft addressed 99 issues in its products yesterday, making this, in ZDNet's estimation, Redmond's biggest Patch Tuesday ever. Adobe has patched 42 vulnerabilities in FrameMaker, Flash Player, Reader and Acrobat, Digital Editions and Experience Manager. BleepingComputer reports that many of the bugs are rated as critical. Intel fixed an authentication issue, CVE-2019-14598, in its CSME. The flaw, if exploited, could lead to privilege escalation, denial of service and information leaks. 

Dave Bittner: [00:11:52]  The Financial Times says the EU is retreating from a proposed five-year moratorium on deploying facial recognition technology and will leave the matter up to member states.

Dave Bittner: [00:12:01] Switzerland has opened an investigation into Crypto AG, a former encryption company a Washington Post and ZDF report concluded had been a CIA and BND front - effectively, a way of surveilling targets of interest. The BND is Germany's principal intelligence service. The original Crypto AG had been based in Switzerland and closed down some time ago. The present owners of the company's identity stressed that whatever happened back in the day, the current proprietors had nothing to do with it. 

Dave Bittner: [00:12:35]  And finally, in the U.S. presidential campaign season, the next event up now that the New Hampshire primaries have concluded their successful and relatively low-tech voting would be the Nevada caucuses coming a week from this Saturday. The Nevada Democratic Party, which had foresworn the use of a Shadow Inc. app like the one the Iowa party had used less than fully successfully, has said it intends to use iPads, Google Forms and other tools to process and tabulate results in its February 22 caucuses, Washington Post reports. The Post says the Nevada plans remain unsettled, even with less than 10 days to go, and the national party is said to be bracing itself for a repetition of Iowa. 

Dave Bittner: [00:13:23]  And now a word from our sponsor, ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:14:15]  And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. He is also my co-host over on the "Caveat" podcast, which, if you have not yet done so, you should totally check out. Ben, we are - I think it's fair to say we are deep into election season now. We've got our primaries going, our caucuses going. 

Ben Yelin: [00:14:35]  Or not going, as the... 

Dave Bittner: [00:14:36]  Or not... 

: [00:14:37]  (LAUGHTER) 

Ben Yelin: [00:14:37]  ...As the case may be. 

Dave Bittner: [00:14:38]  ...As the case may be. That is absolutely right. Just yesterday, news came that the Senate GOP has once again blocked three election security bills. This seems to be - like, this is in the regular rotation now, where it seems like the Democrats are putting up these bills for election security; the Republicans swat them down. Are we at the point where this is just theater, or what's the story? 

Ben Yelin: [00:15:02]  So largely, yes. It is just theater. 

Dave Bittner: [00:15:04]  OK. 

Ben Yelin: [00:15:05]  The way the Senate works is generally, everything has to be done by unanimous consent, which, when you have a hundred people with various egos ranging from extremely high to catastrophically high... 

: [00:15:19]  (LAUGHTER) 

Ben Yelin: [00:15:19]  That's going to be exceedingly difficult. And oftentimes senators will bring up what are called unanimous consent requests... 

Dave Bittner: [00:15:26]  OK. 

Ben Yelin: [00:15:26]  ...Knowing that those requests are going to be denied. So this week, Democratic lawmakers on the Senate brought up a unanimous consent request to consider and pass three bills. Two of them would require campaigns to alert the FBI or the FEC, the Federal Elections Commission, if they get any foreign offers of assistance. I can't imagine what this might be referring to. 

Dave Bittner: [00:15:48]  (Laughter) It's a mystery. 

Ben Yelin: [00:15:49]  Exactly. 

Dave Bittner: [00:15:50]  (Laughter) Yeah. 

Ben Yelin: [00:15:51]  And then the third piece of legislation was to provide more election funding and banned voting machines from being connected to the internet. That's less of a partisan-motivated proposal, but it was still blocked by the GOP. Now, generally, there's going to be one member of the Senate from each party on the floor at all times to make sure that they can block these unanimous consent requests, and the senator on the floor at the time for the Republicans was Marsha Blackburn of Tennessee. She objected to the requests, saying that this was just a Democratic effort to, you know, make a political statement; they just want fodder for their ads; they want to be able to say Republicans blocked election security bills. 

Dave Bittner: [00:16:31]  Mmm hmm. Is that plausible? 

Ben Yelin: [00:16:32]  It certainly is. 

Dave Bittner: [00:16:33]  Yeah. 

Ben Yelin: [00:16:33]  You know, I think there are legitimate procedural objections here. I'm always skeptical of procedural arguments because, like, no one really believes in these things. You know, they care about the substance. But there are reasonable arguments. Like, there is a better way to consider legislation than going to the floor and saying, I ask unanimous consent for this to be passed right away. 

Dave Bittner: [00:16:51]  I say. 

Ben Yelin: [00:16:52]  Yeah. So what the Republicans might say is, we might consider this, but it should go through the committee process; you know, it should get - we should be able to vote on amendments; it should come to the Senate floor. And that's, you know, not what's happening here. 

Dave Bittner: [00:17:04]  Right. 

Ben Yelin: [00:17:05]  And I think Democrats know that. You know, if they really wanted to make a more serious bipartisan effort to get this legislation passed, they'd go through regular channels. I do think these unanimous consent requests, you know, they do consider them political messaging. However, Republicans, if they actually believed in the substance of these pieces of legislation, could easily not object. I'm almost certain all three of these pieces of legislation would be passed by the House. Now, given that there's a Democratic majority, who knows what would happen if those bills were presented to the president. 

Ben Yelin: [00:17:37]  So, you know, I think there are certainly procedural reasons why you would object to a unanimous consent request. But, you know, at the end of the day, things that really are non-controversial, like congratulating Alabama on winning the college football national championship - notice I'm not using the Super Bowl as an example. 

Dave Bittner: [00:17:55]  (Laughter) I know, Ben. 

Ben Yelin: [00:17:55]  ...Out of protest. 

Dave Bittner: [00:17:56]  (Laughter). 

Ben Yelin: [00:17:57]  But yeah, I mean, things like that can pass with unanimous consent. 

Dave Bittner: [00:18:00]  I see. 

Ben Yelin: [00:18:00]  And they do all the time. So it does indicate that there is some level of substantive controversy over these issues. 

Dave Bittner: [00:18:08]  Yeah. It's something that the article points out - is that Congress did pass a spending package last year that included an additional $425 million in election security funding. I guess in the grand scheme of things, $425 million is not a huge amount of money for national election security, but it points out that it is possible to get things through. There - this is not a completely ignored issue. 

Ben Yelin: [00:18:33]  Right. And this was an example of using regular channels - in this case, the appropriations process. This presumably went through committee hearings at the appropriate - you know, Appropriations Subcommittee. It got considered along with a bunch of different spending priorities and made it into the bill. In some sense, this was probably part of a grand compromise - that led to the adoption of a spending package - that we wouldn't end up in a government shutdown. But it was in there. And that might be the only way Democrats are able to get any sort of election security legislation passed; just get it saddled up to must-pass spending legislation. Everything else in Congress these days seems to sort of get bottled up. So those are oftentimes the vehicles for getting policy changes. 

Dave Bittner: [00:19:20]  All right. Well, Ben Yelin, thanks for helping us understand it - always a pleasure to have you on. 

Ben Yelin: [00:19:24]  Thank you, Dave. 

Dave Bittner: [00:19:30]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget, you can get the daily briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:19:40]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:52]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.