Huawei and the Five Eyes. Report on Russian trolling finds fluency in American. Boomstortion scammers turn to new threats. PewDiePie followers hack printers, again.

Dave Bittner: [0:00:03] The Five Eyes coordinate to contain Huawei's potential for espionage. Huawei and ZTE both continue their charm offensive to convince international customers it's safe to use their gear. The Senate-commissioned report on Russian influence operations finds the St. Petersburg troll farmers fluent in American trolling. Boomstortion scammers now threaten acid attacks, and PewDiePie followers again hack printers. But this time, they say it's for the public good.

Dave Bittner: [0:00:39] Now a word from our sponsors, Shape Security. Last year, 2.3 billion usernames and passwords were reported as compromised. It says everyone in America had passwords stolen for not just one, but seven online accounts. And that's just the data reported last year. It can take years for a credentials spill to be reported, if it's discovered at all. Why do these spills matter? Two words. Credential stuffing. Attackers take those spilled usernames and passwords and try them on every login form imaginable. Because users recycle passwords, up to 3 percent of stolen credentials will be valid on a typical website or mobile app. Once they're in, attackers steal whatever they can get, from gift cards to frequent flyer miles. And it adds up. This year, credential stuffing will pull nearly $9 billion from our banking, travel and e-commerce accounts. But there's hope, as consumers use unique passwords, as organizations join Shape Security's collective defense platform - because together, we can defeat account takeovers. To learn more, visit shapesecurity.com That's shapesecurity.com. And we thank Shape Security for sponsoring our show.

Dave Bittner: [0:01:55] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [0:02:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 17, 2018. The Five Eyes are said to have agreed this July during a SIGINT summit in Canada that Huawei represented a threat that would need to be contained. The governments view the company with varying degrees of alarm. The U.S. and Australia have taken a generally hard line. The U.K., a relatively softer one. But their consensus is that the company's potential to collect intelligence on behalf of Chinese services is troubling. That line is hardening in the U.K., as well, as members of Parliament call on the government to conduct an inquiry into how using Huawei equipment might place British critical infrastructure at risk. Huawei continues to lose partners in Europe as both BT in the U.K. and Deutsche Telekom in Germany shy away from the Chinese hardware manufacturer on security grounds.

Dave Bittner: [0:02:57] Huawei has said it's determined to do whatever it takes to allay security concerns. Huawei's CFO Meng Wanzhou is still in Vancouver awaiting the outcome of hearings that could see her extradited to the United States, where she faces charges related to fraudulent evasion of sanctions against Iran. Chinese authorities confirmed over the weekend that they have indeed detained two Canadian nationals on suspicion of endangering national security. Those arrests are widely seen as retaliation for Canada's detention of Ms. Meng.

Dave Bittner: [0:03:31] Huawei's smaller rival, ZTE, is in a similar position, also troubled by security concerns and suspicion of evading international sanctions. In an effort to shore up its business and reassure potential customers that its equipment is safe to use, the company has engaged former U.S. senator and vice presidential candidate Joseph Lieberman to lead what ZTE calls an independent security audit of the firm's products.

Dave Bittner: [0:03:59] A report on Russian information operations commissioned by the U.S. Senate Intelligence Committee was released this morning. The study focuses on the Internet Research Agency's output and confirms the St. Petersburg troll farms' opportunism and cultural fluency. WIRED says the study is also bad news for both Facebook and Google, since it suggests the two companies dissembled in their responses to congressional inquiries. The report was produced by New Knowledge, a brand protection firm that specializes in deflecting disinformation pushed across social media.

Dave Bittner: [0:04:35] Their report was based, according to WIRED, on a review of 10.4 million tweets, 1,100 YouTube videos, 116,000 Instagram posts and 61,500 unique Facebook posts, published from 2015 through 2017. That's not an exhaustive sample, but it's a large one. They found that the Internet Research Agency was fluent in American trolling - very far from the stereotypical crude propaganda often in broken English that some still imagine. For their part, lawmakers in Russia's Duma are urging enactment of closer controls over the internet and Russians' access to it. This is being framed as a response to an increasingly aggressive U.S. posture in cyberspace. That their response is tighter censorship suggests an appreciation of the risk propaganda poses to closed societies as much as open ones.

Dave Bittner: [0:05:33] You do find the stereotypically crude come-ons - obvious non-native speaking English, of course - in criminal enterprises, and that's unlikely to change in the near future. One such campaign is phishing in British waters this month, with badly written emails inviting the recipient to (reading) please explore your payroll down the page. Your Christmas Day bonus gift is 286. This month, wage will be paid usually before Christmas. Text like that pretty much screams, don't click the link. But alas, some probably will. The link offered goes to a file on Google Docs that contains a malicious payload.

Dave Bittner: [0:06:13] The boomstortion scammers who made false bomb threats across much of the English-speaking world last week haven't really scored. Graham Cluley calls the folks behind the caper cockwombles. And so far, they've pulled in chicken feed - no more than a couple of bucks - which seems a sorry return on even their low-level investment, and far, far short of the $20,000-a-pop they were asking. They're also turning to a new bogus threat, acid attacks. None of this is funny, of course, but it's also, in all likelihood, not a serious threat. That sound you hear, oh, cockwombles, is the approach of the police with blood in their eye. This sort of genius doesn't tend to remain at large for long.

Dave Bittner: [0:06:57] Finally, for your consideration, it's long been a truism that the sleazier precincts of YouTube, the backwater carnival midways and geek shows infested by those we've curiously come to call YouTube stars, are as unedifying as they are strangely attractive to a certain kind of follower. One of the stars, a kind of Howard Stern of the internet, only without the maturity and sensitivity of Mr. Stern, is PewDiePie. Mr. Pie's followers made some noise a couple weeks ago by hacking unprotected networked printers to spit out messages encouraging everyone to follow Mr. Pie.

Dave Bittner: [0:07:34] Late last week, they returned. But this time around, they come with a more high-minded purpose. They're still hijacking printers. Only now they say they're not trying, say, to encourage you to take the Tide Pod challenge. So eating laundry detergent isn't the goal. Rather, they say they're hacking printers to raise security awareness. So, actually, now they're a force for good. Our apologies to Mr. Pie's followers for underestimating them - maybe. But somehow, we don't think this latest caper will earn them the service learning credits they're hoping for. Stay in school, kids.

Dave Bittner: [0:08:15] It's time to tell you about our sponsor, privacy.com. If you're a longtime listener, you've probably heard me mention privacy.com on the CyberWire before. In fact, when I was a guest on another cybersecurity podcast, privacy.com was my pick of the week one week for something that everybody should check out, and here's why. Privacy lets you buy things online using virtual card numbers instead of using your real ones. Think about it. You don't use the same password everywhere, so why would you use the same card number everywhere when you shop online? What's great is that it's super-fast and easy to use. Privacy.com gives you a brand-new virtual card number for every purchase you make with just one click. And we've got a special offer for CyberWire listeners. New customers will get $5 for a limited time to spend on your first purchase - five bucks, free money. So go to privacy.com/cyberwire and sign up now. That's privacy.com/cyberwire. And we thank privacy.com for sponsoring our show.

Dave Bittner: [0:09:22] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. Today I wanted to touch on mergers and acquisitions targets and how you go about assessing their cyber resilience. What can you share with us?

Justin Harvey: [0:09:38] So companies are not appropriately evaluating the risks of the companies they're buying in many cases. A small data point here, Dave - and that is global and U.S. merger and acquisition activity has hit an all-time high here in the first half of 2018. And we're seeing the same thing amongst our clients here at Accenture. And one of the things that has historically been looked at from a risk perspective of companies that are going to be acquired is how much money or how much effort needs to be poured into to shore up the to-be-acquired company's infrastructure to be at the same level of the mother company?

Justin Harvey: [0:10:25] But it's not only about how much money you have to pour in to bring it up to speed. But it's also about the latent risks that may already be lurking within the network or system. So it's essential that the buyer be able to perform, essentially, a cyber resilience diagnostic against that to-be-acquired company to be able to look at things like the cyber hygiene of the systems and workstations, the ability for their security operations or incident responders to perform their jobs.

Justin Harvey: [0:11:01] The next one would be, are there latent threats or indicators of compromise or indicators of attack that are already present in the environment? And clearly, when you buy an acquired company, I would say probably 80 percent of the time, you're going to want to connect their network to yours in order to speed productivity, in order to increase the security of your communications. And then you want to start merging the user directories. Clearly, you want the same email addresses and the same usernames across the enterprise. But that in itself comes with some risk.

Justin Harvey: [0:11:39] There could be adversaries that have been present in that network that then can ride that highway that has now been connected between the organization and the acquired. We've seen and actually responded to several cases where this has, in fact, happened. And we've also been working a lot with our clients to make sure that during the due diligence process, we can not only give them an estimate or help them better budget how much it's going to cost to bring up their level of resilience - of their cyber resilience but also let them know, has there been any threat activity in that network? - or even - maybe it's not even in their network.

Justin Harvey: [0:12:21] Perhaps the dark web has remnants of customer records or personal data that has been leaked from that organization, which could be a liability in the future. So our iDefense team has been able to build some content and build some capabilities to bring those risks surfaced to the buyer.

Dave Bittner: [0:12:43] Now, how often does this bubble up and become a roadblock, a speed bump to a mergers and acquisition process?

Justin Harvey: [0:12:51] Well, typically, unless there is a large-scale loss of customer records or cardholder data or PHI, it typically becomes a blip on the screen of the company acquiring the other company. So it does weigh into the financials. But to my knowledge, I've never seen an organization say, we're not going to purchase you because you have latent threats or a low cyber resilience maturity. It just factors into the overall price. And perhaps, it can even impact the price that has been negotiated with the organization.

Dave Bittner: [0:13:30] I see. All right, Justin Harvey, thanks for joining us.

Justin Harvey: [0:13:34] Thank you.

Dave Bittner: [0:13:39] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [0:13:58] And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [0:14:07] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [0:14:35] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.