iWar and Information Warfare, the Next Phase of Internet Motility: Manipulation Inherent to the Internet's DNA
3:51PM Jul 28, 2020
Information warfare, disinformation, and propaganda have persisted since the beginning of recorded history and remain alive and well in the present day. Our next talk will address the challenges surrounding information warfare management. We present Daniel Noack, Rolf Schoenberg, and Alexander Urbelis with iWar and Information Warfare: The Next Phase of Internet Motility, Manipulation Inherent to the Internet's DNA.

Hello, today's talk is titled iWar and Information Warfare: The Next Phase of Internet Motility, Manipulation Inherent to the Internet's DNA. Our agenda will be split into three separate segments: I, Daniel Noack, will do the history and primer segment; Rolf Schoenberg will deliver the technical summary; and Alex Urbelis will deliver the ongoing operations segment. A brief intro to your speakers is as follows. I, Daniel, have been doing telco and cyber stuff since the mid 90s, and I've been involved in coming to HOPE since the late 90s. Rolf Schoenberg has been involved in the scene and the culture since the mid to late 90s; most of his time was spent reverse engineering, tracking actors, as well as large scale malware campaigns across a variety of domains. Alex Urbelis is a partner at Blackstone Law Group; he's been involved in both HOPE and the scene going back 25 years. He's also a frequent contributor to a number of online publications. Now that we're done with the simple stuff, what's more complicated: the thesis, and an introduction to our rules of engagement. We have to accept the fact that propaganda and disinformation are not inherently evil. We might not like them, I mean we might not like their effects, but they simply are tools in order to accomplish something; everything is dual use in our space. If anyone wants to doubt that, just look at crypto: consider the crypto wars, the Clipper chip of the early 90s. This whole community was busy fighting this war almost 30 years ago. And interestingly enough, it's happening to us again, right? The calls for backdooring all crypto technology are resounding very, very strongly at present.
When we're discussing history, there can be no third rails. For those who are not familiar with what a third rail is: it's the rail in a train line that's electrified; you touch it, you're effectively fried. We cannot do that when we're discussing these topics. Propaganda, disinformation, and anything of that nature need to be considered objectively, and from a couple of steps back. We need to review history and learn from it rather than just try to erase it and pretend it didn't happen. In terms of history, one of the first things we always cover is a definition of what the 18th century means: so the 18th century equals the 1700s, the 20th century means the 1900s. Next, this is not really a history of propaganda and disinformation; it's simply a primer, or as Alex called it, a transistorized version of history. We're compressing 4500 years of content and attempting to make analogues and analyze what history has provided us in the current space we live in. One of the main points I like to make when engaging in historical discourse is that history is his story. It is the tale of the victors, the tale of those who have vanquished others in some form of combat, via physical warfare or economic warfare. Therefore the tale is theirs, and the narrative and the storyline reflect the perspectives they want to share with the world. Let's talk ancient history. For some, ancient history is maybe 100 years ago. For others, well, let's step back for the purpose of this discussion and go to the 25th century BCE, around 4500 years ago, to the advent of the Assyrian Empire. The Assyrian Empire operated in the region that is modern day Iraq, and it lasted from around 2500 BCE until 612 or 609 BCE, somewhere in that window, when it collapsed. And then within a couple of hundred years their primary city, Nineveh, was effectively ground to dust and reabsorbed by the desert: the complete dissolution of a nation state that had lasted for 1500 years.
Now, if anyone here has gone to a bookstore, if you can find a bookstore at this point, since everything's online, right, but if you can go to an actual bookstore, go to the history section and take a look around. What you will see is a ridiculous amount of text wrapped around war, different wars across different periods, across all of the written history of mankind. Apparently that's what gets documented, and historians tend to like this. So take a look at the bottom left hand side of the screen, if you would, and take note of the archers in combat; then look on the right hand side of the screen and take note of the men impaled on skewers. Assyrians went to war a lot, and they liked to impale people a lot. This is simply what they did, and they documented it copiously. The question you might ask is why. Well, perhaps they were trying to share a specific narrative with their adversaries across time that expressed how brutal they were, and perhaps prevented them from having to engage in such excess brutality if those they were coming for already knew what was going to happen to them. So while this is occurring in the Middle East, let's flip to the other side of the world, to the Far East and the Middle Kingdom, in the sixth century BCE with Sun Tzu, yet another tactician and strategist, documenting what deception is for. Right? When you look at and consider these stone tablets from the Assyrians, that is part of a deception plan, a propaganda plan. And according to Sun Tzu, all warfare is based on deception.
And flash forward 2000 years to the Renaissance in the 15th century, roughly the mid 1400s, at least in this case, and the creation of the Gutenberg press. At HOPE there have been a number of discussions regarding the Gutenberg press and simply the way it fundamentally changed our society. Well, let's consider what it did in terms of communicating for the mass culture. The first publications that were called newspapers appeared in Strasbourg, Germany, around 1609. The printing press also enabled the mass printing of leaflets: political leaflets, opinions, religious leaflets, right, various types of propaganda pieces, and you have to remember the context and the time in this window. This is the time of the Reformation; this is Martin Luther and the Roman Catholic Church and the Great Schism, an argument, a fight between two different systems of thought, now able to reach the masses. As many say, the Gutenberg press was part of the democratization of technology; it indeed was, and it certainly enabled large scale communication patterns to change, because once again the communiques were written in the local languages. Another interesting topic to discuss is the printing of the King James Bible. The KJV is an interesting political animal; to go into a discourse on it now would be foolhardy, there's simply too much to it. All that is worthy of note is that there were extreme politics behind the creation of this Bible, and the expression of it, the rapid printing of it, enabled the dissemination of a different philosophy of thought that diverged from the Geneva Bible: different concepts regarding the divine right of kings, and simply an administrative control mechanism pushed out to the people. Then we flash forward to the 19th century. At the heart of the Industrial Revolution, the second half of the 19th century had three core technologies developed that fundamentally altered how humans communicate: telegrams, telephone, and radio.
The first transatlantic telegraph happened in 1858. This immediately enabled the news cycle to change: information that would have taken weeks to months to flow from the European continent made it to the United States within minutes, and then was usually turned into newspaper material. Shortly thereafter, the news cycle is now global; people carry each other's voices, due to the early telephone technologies developed city to city, eventually across the pond as well, and towards the very, very tail end of the 19th century Marconi's development of the radio brought us into a new wireless era. Three new mediums of communication, all enabling different types of information to flow, from disinformation to propaganda, for example war propaganda. In the left hand corner we have an image of the Remember the Maine ad. The statement at the time was Remember the Maine, To Hell with Spain, and it was blasted across all media outlets in support of American support for the Spanish American War. We enter the 20th century, where the confluence of technologies and warring nation states creates a quickening, where more occurs in several months than historically would have happened in decades. On the right hand side there's a gentleman in a dapper suit with a very, very slick mustache. That is Edward Bernays, nephew of Sigmund Freud. He is the creator of the all American breakfast, done on behalf of the pork producers of America at the time. Just beneath him there's a little dancing lady; she looks very happy, she has some Lucky Strikes. That was another project of Bernays' PR firm. The concept was that smoking that particular brand of cigarettes, whomever he was representing, enabled freedom and liberty for women from their previous lives. The gentleman also was the writer of the book Propaganda, which is a fusion of sociological analysis and psychological manipulation techniques, all towards achieving a better and more effective system of public communication.
To the left of the Bernays image is the image of a very dour looking man named Joseph Goebbels. Joseph Goebbels was the Minister of Propaganda of the NSDAP, otherwise known as the Nazi Party. Goebbels had a concept of total war that fused technology and media understanding. Everything was fair game when it comes to war, so much so that when Germany did the 1936 Olympics, it was a showcase of superior technology. It was also the first broadcast television Olympics that had been done. He also did cinema, creating a number of films supporting the NSDAP propaganda.
And with the second half of the 20th century, where more of us are aware of what transpired, we now have a 24 hour news cycle, thanks to all these global communication techniques, and then the development of ARPANET, as well as the greater internet. Globalization shared both technology, as well as communication methods and culture, around the world. There's nowhere on the planet you cannot go that doesn't have Coca Cola; there may be no running water, but somehow there will be Coca Cola. The crux of this discussion is that with the news cycle changing so fast, the tempo of people's uptake of information changed. So now we have print media, and we have online media, which is certainly faster to consume; whereas print media can only be done once or twice a day, new media was being published regularly on a 24 hour basis.
And we have an entire generation of individuals who are born and raised on the internet; the way they consume information is different from prior generations. Most of their information flows not from CNN or traditional mainstream media sources, but from Facebook, from Twitter, through the social media pipeline. Knowing the long history of war, the way information needs to be manipulated and deception is a core component of facilitating the objectives of various nation states or interested parties. A number of domains of expertise have come around to participate in this type of information manipulation. So we have information operations teams, we have psychological operations teams. The Eastern European framework looked at ideas that descended from Sun Tzu. And from the Middle Kingdom and the CCP we have something that we call unrestricted warfare, more accurately translated as unlimited warfare; within the schema of unlimited warfare, anything goes. Let's couple all these facts with the understanding that our cyber and technical information systems are inherently faulty and based upon trust. If you understand how to manipulate those trust relationships between all the different endpoints, network components, and application layers of our infrastructure, it's relatively easy to inject information into them, much less just hacking them, which is obviously a simple and very straightforward process. We're talking about injecting information into the stream to change people's perceptions and reshape their understanding of the world around them. With all that being said, let's take into context the advent of hack and leak operations, the various strategic leaks we've seen in the last five years at the national level; we're even looking at the financial firms. We can even consider some of these as being sabotage and exfil for cover for action.
I'd argue it's even possible to consider them cultural sabotage, to the point that we now as a culture support certain types of leaking and certain types of activity, even though it may not even be in our best interest. It might be in the interest of others who are actually funding and supporting those activities. This new medium of communication enables a whole new level of mass manipulation, where everyone is able to get their five seconds of Andy Warhol fame, but at what cost? The 21st century has brought us a variety of postmodern operations. An example of this might be the color revolutions, where you can overthrow a nation without raising the barrel of a gun. These forms of revolution are a dedicated study in and of themselves, but for the purpose of this discussion, let's say that a color revolution is a form of non violent power shift in a nation that leverages the outside manipulation of a protesting populace in conjunction with political, economic, or other non military measures. This means all actions are covert, and therefore do not appear to be overt acts of war. This is not second or third generation warfare, where it's clear who the opponent is; this is covert warfare that leverages false flags, media manipulation, social media uprisings, and sock puppets in order to facilitate the outside interests' objectives. Next I'd like to draw your attention to the smoky man at the right side of the screen. This is Vladislav Surkov, a power broker within the Russian political superstructure. His specialty is fusing the following domains: ideology, media, political parties, religion, modernization, innovation, foreign relations, and modern art, tying it all together into one bundle of joy. We also discussed someone who leveraged art, media, politics, and religion to advance the interests of their political party: Goebbels. Both men expressed a keen grasp on what is required to mobilize a population. Consider this philosophy in terms of certain hack and leak operations.
Perhaps some ransomware operations; consider the methodologies employed during a number of Russian direct action campaigns from 2007 through this day. Think Estonia, Georgia, Ukraine. Going forward, please keep in mind the aphorism, nothing is true and everything is possible, particularly in this postmodern age. Lastly, the most esoteric topic of all: the mind has no firewall, an article written by Timothy Thomas in Parameters magazine, spring of 1998. The human body and mind consist of a variety of sensors that are there in order to give us a perspective on the world around us. We have data processing units in order to take the input and create an intelligible output. Garbage in, garbage out, like any type of compute system. So what happens when an attacker uses this information to create a cognitive dissonance in the mind of a target, or perhaps uses information overload techniques in order to confuse, degrade, or deny the signals being received by the target? This is well within the scope of modern day information operations, as well as disinformation or unrestricted warfare campaigns.
So to recap, what we need to remember: agendas drive disinformation and propaganda. Nations, corporations, even the personal interests of individuals drive their agendas; every entity is driven to facilitate its own success. And we need to understand and be able to disentangle the whats, the wheres, and the whys of all those things. In order to understand those pieces we really need to understand who benefits and be able to track the money. If we can't understand who funds what and what activities are stemming from where, and in an emotion free manner, we're fairly lost in trying to disambiguate all the disinformation campaigns that are going to be run against us through the rest of this 21st century. The intersection of tech and politics is where things are super interesting. The challenge we face in this area as technologists is that tech people tend to like the bits and the bytes, the binary components; everyone wants to focus on the tech, whereas the reality is tech is being manipulated through geopolitical means. So that means we as a species need to put in the time to become geopolitical experts, the 10,000 or so hours that it takes to get generalized expertise in a specific area. This also means single dimensional thinking is fruitless to a degree; for specializations that's one thing, but for solving these types of bigger picture problems we need cross domain experts who can fuse their technical knowledge with geopolitical or biotechnical components, put them together, and understand what the problem is that they're trying to solve, and who is actually generating the problem in the first place. There's nothing new under the sun. However, we are living in a more malleable time than any generation before us; every day we're experiencing people trying to rewrite history, which is an interesting thing to happen. The Assyrians had stone tablets to carve their history; our history is written on spinning disks, which fade over time.
So, as I said earlier, there's nothing new under the sun. There are just new modalities to exploit, and we can be assured that this global world of adversaries will take advantage of each and every one.
Hey everyone. Before getting into the segment, I want to quickly touch on the differences between iWar, a term that we don't see used very often these days, and information warfare or information operations. iWar is about cyber enabled warfare. Think of a DDoS attack: the attackers are trying to degrade access to a particular capability. You've seen this in the conflict in Estonia in 2007 and Georgia in 2008; in 2020, very valid iWar targets would be cellular networks or content delivery networks. Meanwhile, information operations are about manipulating information that's intended for human and/or machine consumption. We also see these days that IO, the term IO, gets conflated with disinformation or fake news, but we really have to keep in mind that disinformation, fake news, and psychological operations are really just a subset of information warfare. And we see that a lot of this information warfare is made easy by the fact that the internet is an inherently open and brittle network. We're still running on ancient protocols like BGP and DNS that really weren't designed for authentication or verification purposes, and as a result of that we see that the offensive teams really have a leg up on the defensive teams. Not only does the internet run on old protocols and old systems, we have added to this complexity by introducing cloud and mobile, and all these ecosystems are now constantly consuming and producing information; all these different vendors and services as well are constantly collecting information for security purposes, analytics, and most certainly advertising purposes. On the more human side we have the issue that, especially as it relates to mobile, we have that constant dopamine kick coming in. We always want to check the latest news, the latest emails, the latest stuff that's happening on social media; the fear of missing out is real, and people or companies are exploiting that.
In addition to all of that good stuff, right, we have seen new players enter the game. Certainly in the last five years or so we started talking about the so called influence operator, and we can find those everywhere these days, and it's safe to assume that just about every country on the planet has influence operators, working for the government but also working in the commercial sector. So really, you should see this as a form of persistent engagement wherever we go, which is kind of mind boggling if you take a moment to think about it. And these influence operators aren't just trying to influence our conversations that are overtly political, right; they want to influence on any type of level.
Think back to those FCC net neutrality comments that were mostly inauthentic, or fake, whatever you want to call them; that wasn't the beginning, that wasn't the end, that was daily business. We really have to think about these problems in a little broader terms than, you know, fake accounts on social media. And that also brings me to the concept of, you know, these influence operators poisoning datasets. In a way, our social media conversations are just another data set, so these influence operators influence those types of data sets. They can also do this to other data sets. And there is something very important to keep in mind when we think about these social networks: we have to consider if they're closed or open. Open networks are great, they allow us to talk to anyone on the planet in real time, and that is something that influence operators are now exploiting, right, and as a counter to that we're now seeing that push to kind of try and turn these open networks into a safe space, but that's inherently impossible. What we would end up with is an approximation of the Chinese internet, which I don't think anybody actually wants, at least not anyone who has our best interests at heart. Thinking about how these influence operators are working, there are sort of four different levels or tiers that you can think about. Think about those fake personas that everybody now knows about; those hack and leak operations that you have seen in the guise of Guccifer and some other personas. But it gets more interesting when we start thinking about poisoning open datasets, because at that point you have legitimate, well intentioned people publishing information that is tainted without their knowledge. So that's something that has a lot more value on its strategic side for the influence operators versus the first two categories. And the fourth category: when we think back to 2016.
There was a lot of talk about the Internet Research Agency operating out of St. Petersburg, with their fake personas doing a lot of stuff on social networks. There wasn't that much talk, however, about how foreign intelligence agencies were trying to manipulate newsrooms directly into writing certain narratives, right; that has, for the most part, not been explored to the extent that it should have been. And at least in 2020, that is still the prime goal. If you can get a well established, reputable reporter to echo your sentiments, then the influence operator has really done their job. Kind of continuing on that topic, most of the conversation that we have in public about disinformation or fake news is still focused on that more tactical, short term agitation propaganda; we're not really talking about longer term narratives that span years or even decades, and a lot of stuff that we see on the internet today originated as something entirely different 20 or 30 years ago. That's something we need to keep in mind; we need to get more historians involved in how we're dealing with some of these problems. Moreover, as I mentioned earlier, we're seeing more and more information or work out there that is strictly based on OSINT. Considering the reality that influence operators are poisoning these data sets, you kind of have to reconsider the confidence level we can attribute to research that's strictly derived from OSINT and/or big data. Again, this is something that can be manipulated, certainly when you know what to look for and when you know what the researchers are looking for. Moreover, we're currently seeing kind of a push where certain topics are becoming off limits; that really doesn't help us either, certainly not in the long run. By making topics off limits, or just making them the domain, or exclusive domain, of intelligence agencies and multinational corporations... I don't think I have to explain why that is not in our best interest.
In addition to that, we see a fair amount of reports out there of reporters and other influencers getting harassed on social media and on email. It boggles my mind; it's the second half of 2020 and we still haven't had a public conversation on how authentic these harassments actually are, and maybe the narrative around some of these events needs to change. Moving on to the more malware side of things, the internet warfare side. Right, NotPetya was an attack launched a little over three years ago by Russian intelligence against Ukraine and a lot of companies doing business in or with Ukraine. This particular sabotage attack, which the White House has called the most destructive cyber attack to date, was mimicking a piece of ransomware, but in reality it was a so called wiper malware that would just delete all data off of the machine and would spread across networks. As a result, life in Ukraine basically stopped. The Western logistics supply chain was crippled for a prolonged period of time; there were major, major effects. What's interesting is that the NotPetya orchestrators and planners employed deception on many different layers, kind of exploiting subject matter experts' biases, and so you really had to get a team together that had expertise in at least half a dozen different areas to really get a full picture of what NotPetya was all about. In the interest of time, I'm gonna just, you know, plug my own HOPE 2018 talk in case you have extra interest in this particular example. As I mentioned, NotPetya is kind of a blueprint, just like Stuxnet was a blueprint, for many follow on operations. What we see in 2020 is lots and lots of ransomware, and since 2019 we've seen an increase in ransomware operations that also involve a data exfiltration component. Let's take a step back and think about the implications thereof.
That means that ransomware is now cover for action for sabotage; it makes a great cover for action for espionage, as well as making a potential cover for influence operations. We have already seen a ransomware actor or two trying to generate press cycles; that's certainly a very interesting development. And with most of these ransomware groups working with an affiliate model, it's very hard to tell who is actually conducting the operations: is that somebody who is unemployed because of COVID, or is that a foreign intelligence team? So, with all these wonderful problems, what about mitigations? Mitigations aren't very easy, certainly not when it comes to this type of scale, but we do have to think about our information supply chain: where does our information come from, what kind of sources and methods were used, and what are we doing with that information, how, you know, are we valuing it accordingly and appropriately. Certainly there are things we can do to make the internet a little bit more resilient, but in the grand scheme of things, right, we're going to have lots of conflicts of interest, so maybe what we end up doing is keeping the current internet as is, more or less, and creating a separate internet where we do our more attributable work, where it's not going to be possible for influence operators to just pretend to be somebody else. Again, that would require a lot of considerations. And again, we wouldn't want to give up the freedoms that we have today; that should absolutely not be up for discussion. You do not want to copy, in any way, shape, or form, the Chinese internet.
That brings me to my last slide, just before handing it over to Alex, because he's going to talk about COVID a bunch. Something to consider here is that the COVID crisis really showcased how different countries and other elements can take control of your messaging, and I haven't seen any public research on this, but this is really a great research area that I would love to see some public work on.
Good afternoon everybody, Alex Urbelis here. Many of you know me, co host of Off The Hook; lawyer, hacker, CISO, all that fun stuff. I want to jump right into this, since I know we did some brief intros at the outset of this presentation, and pick up where Rolf had left off with respect to technical manipulation and the coronavirus. Well, the situation that we're in is quite a morass, and one way to look at this is that the DNS is where all of this comes to a head. Before delving right into the DNS data, I want to take a rather long step back to the Internet of the mid 90s, which some of us may and some of us may not remember, and that is where we first see the germ of the problems that we're facing today. Jumping back to 1995, we see what Mercedes Benz looked like way back then. This was a much simpler time, before misinformation was a pervasive problem, before the Cambridge Analytica fiasco demonstrated that Facebook was putting our PII into the hands of any idiot who created a quiz. What we have on the right hand side is very interesting as well: the WWF in 2000 was the first organization to file a UDRP, that is, to reclaim a domain name. UDRP stands for uniform domain name resolution policy. It's an enforcement mechanism used essentially for brand protection. It had fallen into disfavor, and DNS enforcement has become really an issue of whack a mole, in that it created this problem of DNS enforcement being both a legal issue with security implications and a security issue with legal implications, meaning it led to a rift of responsibility in many organizations, whereby the DNS was left unattended. And it started to grow. We wanted to give you an example of an organization that is the target of a good amount of malicious activity but is in fact a bit asleep at the switch. So this is what the Trump Organization looks like from the perspective of the DNS.
As you can see, almost every single permutation of trump.com is registered by some actor within or without the United States; the registrars are all over the place, the geolocations are all over the place, and there's little to no enforcement in the DNS. This actually is a marked improvement, however, from two years ago when we presented at HOPE along similar lines. A really quick plug for my Circle of HOPE 2018 talk, entitled Cybersquatting on the Trump Campaign. This was about misinformation activities directed towards the Trump campaign in the DNS, and of the 60,000 or so domains about Trump that existed in 2016, the Trump campaign identified and neutralized these misinformation activities before they were able to launch. Quite an interesting talk; I encourage you all to go check it out. Getting right back to the issue of the coronavirus and COVID-19 in the DNS, what we saw at the end of February, when we started monitoring for new domain registrations, was frankly amazing. To put this in perspective, global sporting events, you know, things like the World Cup, maybe they'll get 10 to 20 domain name registrations per day as it relates to jerseys, streaming, tickets, etc. If you investigate everything, that's quite a lot of activity. In February we started seeing over 200 registrations per day. Then in March it jumped up to 400, 500, 600. At its peak we saw over 3500 domain registrations on a daily basis; I mean it was absolutely incredible, over 100,000 coronavirus related domains since February.
with respect to COVID-19, over 39,000. COVID-20 domains are popping up now, in the strange hope, I guess, that there's a permutation and that domain property becomes valuable: over 700 of those. So this is a pretty massive amount of activity in the DNS, the likes of which I have never seen before. This graph that you see here is a visual representation of the registrations by date with respect to specifically coronavirus domain names. This doesn't relate to COVID-19 registrations; however, that pattern of domain registrations is very, very similar, almost an exact match of this particular pattern. What you see is that it started out quite strong. This begins at the end of February, early March, goes up to around 3,500 per day, has a really high peak at the end of March, and then begins to taper down. What we're seeing right now, though, is still a lot of activity, usually between 30 to 60 domain names with respect to the coronavirus every single day. Putting that into perspective again: major global sporting events, usually maybe 10 a day, and at the height of blockchain activity a couple of years ago we would see maybe 30, 40, 50 domains. So six months out from when the coronavirus left China and began to run rampant through the world, this is still a huge amount of activity we're seeing in the DNS, and the activity that we saw in March and April, well, I've never seen anything like that before in my life. And a lot of the activity that we saw with regard to the coronavirus didn't specifically relate to coronavirus or COVID-19 domains; some of them related to the World Health Organization, just like this. You have who.int, which is the restricted top-level domain in which the World Health Organization has its domain, on the left-hand side, and on the right-hand side a domain that we detected on the seventh of July, just three weeks ago, who-info.site, obviously an exact replica. This is intel that we had shared previously with the World Health Organization; this isn't news to them.
But with this information, this domain was able to be taken down quite quickly. We think it related to a scam with regard to the donations button on the right-hand side, but obviously it could be used for any number of purposes, including misinformation as well as outright fraud. And this leads us to asking additional questions about, really, who is the WHO. And on that note, on the left-hand side here we have the actual WHOIS information for the WHO, for who.int. And on the right-hand side we have a domain that we had picked up, again, just under three weeks ago this time. It looks like who-int.org; however, when you look at the WHOIS information it's obvious that that is actually a lowercase l. The domain itself is who-lnt.org. This was obviously trying to create some kind of visual similarity between who.int, that restricted TLD for IGOs, intergovernmental organizations, and the domain on the right, who-lnt.org. A lot of this stuff is obviously very ripe for misinformation and kind of difficult to pick up unless you're specifically looking for this type of activity in the DNS, and again, this is information that we had previously shared with Flavio at the WHO. We encourage you to check out his keynote, coming up very soon as well.
What we've been talking about so far is the surface level of the domain name system, of the DNS. What is below the surface are subdomains, and this is arguably much more concerning, because subdomains are unregulated, meaning anybody can create any subdomain on top of any domain, at any time. Because of this, they're much more difficult to track and much more difficult to detect. Unlike domains, which are subject to dispute resolution procedures like the UDRP that we saw with the WWF, there's nothing specifically geared towards subdomains, and because of this we are seeing a lot of sophisticated misinformation activity and sophisticated information security threats migrating over to the subdomain space. We're going to show you some pretty interesting examples of that right now. A really great example of how subdomains can be used for malicious activity is this particular domain name, gov-survey.com. This relates to a group of threat actors that we've been tracking for quite a while. And you see that the subdomains, the bits to the left of the domain, that they created were very interesting and obviously highly malicious, in that in June of 2018, just ahead of the midterm elections, we see this domain, gov-survey.org, with a subdomain on top of it, floridavotes, that obviously makes it look like floridavotes.gov. It looks like an official .gov. We also see the replication of news.treasury.gov, a great domain name for misinformation with respect to the United States Treasury. We also see the replication of ice.gov, Immigration and Customs Enforcement, as well as ice.dhs.gov. So this is a great example of how subdomains can be used very maliciously to impersonate .gov sites as well as to push out misinformation. It should therefore come as no surprise that, with respect to coronavirus and COVID-19 related subdomains, these are massively out of control and running wild; they're all over the place.
Some of them are pushing out downloads, some of them are just pushing out misinformation. It's become a big problem because of the very fact that subdomains are completely unregulated and can be created by anybody at any time on top of whatever domain they please, whether it's a domain that may have been compromised or a domain that perhaps was newly registered. It's a space rife for misinformation. As you can see, misinformation has in fact become a compliance issue now. Quite recently, like somebody waking up from a frat party, looking in the mirror and realizing they have no eyebrows, Congress has very recently come to the realization that there is a major problem now arising from coronavirus misinformation. This is, of course, many months after coronavirus-related misinformation had been identified by people in our community as a major problem. So Congress wrote a letter to the major online platforms and asked for monthly updates about what they're doing to combat misinformation. All of the domains that you are seeing on this slide right now relate to coronavirus-related information in Facebook properties: Facebook, Instagram, WhatsApp. The IG- domains obviously refer to Instagram. And having scoured the DNS for these particular domains that were targeting Facebook properties, we found something that we think all of you will find rather interesting. One of the things that jumped out with respect to the domains that we had investigated concerning Facebook properties, WhatsApp, Instagram, Facebook itself, and the coronavirus was that there were very distinct patterns of domains, all of which related to coronavirus information, COVID-19 related information. All of these domains, all registered in .net, .org and .com, could be used for misinformation purposes. When we began to enrich that data using our in-house DNS intel platform,
what jumped out was very fascinating: all of these domains, or rather the vast majority of these domains, are associated with RegistrarSafe, LLC. That's actually a Facebook registrar that they use to make pre-emptive domain name registrations. So all of these domain name registrations that could be used for coronavirus-related misinformation campaigns were actually pre-emptively registered by Facebook. It's quite interesting. I mean, this is a step that Facebook probably has not been taking for a while; I don't think that this has been publicly announced or was publicly known. So if I were compliance counsel for Facebook, that's something I would definitely put into my responsive letter to Congress, and quite honestly, you have to give credit where credit is due for making these clumps of domain name registrations as a proactive measure. That's going to make some kind of measurable difference. However, there are nearly an infinite variety of ways that one could register a domain related to a Facebook property and the coronavirus, so monitoring the DNS for such activity is absolutely critical. I mean, not to mention again that domain names themselves are the tip of the iceberg; pre-emptive registrations like this do nothing actually to combat the problem of subdomains, but at least it's doing something, and I think, you know, we've got to give Facebook some credit, some props, for doing the right thing and taking steps to counter potential misinformation campaigns. And speaking of subdomains, this gets us back to an issue to which we had alluded earlier. Using our DNS intelligence platform we had detected a live, state-sponsored and very sophisticated attack on the World Health Organization in the middle of March. This was an attack that had existed entirely in the subdomain space; the underlying domain had nothing to do with the WHO and actually alluded more to Active Directory itself. It was also used to target the UN, as well as a Swiss-based ISP,
that same day. It was a smart, slick, very sophisticated attack, ultimately unsuccessful. We're not giving away the specific domain at issue here; that is still highly valued threat intelligence, but do reach out, alex@blackstone-law.com or @aurbelis on Twitter, if you want to follow up and ask some questions about that intel. If you're a threat researcher and threat hunter, or just intellectually curious, we're happy to share additional TTPs with you. Pulling together some of the various threads about which we've spoken during this presentation, one that should be jumping out is that the DNS, and the internet itself, are quite fluid, to the extent that misinformation and manipulation can occur quite easily. This is all the more true when there is zero enforcement. With respect to terms like the coronavirus and COVID-19, DNS activity is massive, but it can yield actionable and critical data, and DNS-based misinformation campaigns can be identified and can be neutralized. Unfortunately, misinformation is becoming a compliance issue. If your misinformation detection campaigns fail, you're probably going to have to be answering to some lawyer at some point soon. This has been a lot of fun. We hope you guys have enjoyed it. We look forward to your questions. Hopefully we can answer them. Please do stay in touch. Signing off.
This is iWar and Information Warfare with Daniel Novak, Raul Schoenberg, and Alexander Urbelis. We'd like to quickly invite audience Q&A. We have time for maybe one or two questions, so we'll get right into this. A member of the audience asks: How do you get your feed of new domain name registrations?
I can take that one. That's based off of our own bespoke, in-house DNS intelligence platform that we've created within Blackstone Law Group. I actually coded every single line of our intel platform. And what we do is a lot different from ordinary brand protection in the DNS: we're looking for early-stage indicators of malicious activity, looking across all ccTLDs, country-code top-level domains, as well as the generic top-level domains like .com, .net, .org, .fish, .horse these days, and looking not just for matches in strings but indicia of malicious activity. So, I'd be happy to speak more about that with you guys directly, you guys and girls directly, offline. Again, alex@blackstone-law.com.
And just as we wrap it up, where can people go? I guess blackstone-law.com would be where people should go to find more info on what you're doing.
Yeah, absolutely, that's definitely a source. @aurbelis on Twitter, as well as Dan and Raul. No, Raul; Dan, I don't believe, is on Twitter these days, right? Are you? I can't tell. Or just lurking?
Lurking. It exists, but I don't do anything with it.
What other questions do we have? Do we have a couple of minutes that we can
Wait. We've got about a minute. Someone asks: Is regulation of DNS records something worthwhile to look into from a legal perspective?
Yeah, I mean, in an ideal world that would be nice. I mean, the problem with, you know, looking at this from a legal perspective is that if we're going to try to create a legal mechanism to enforce against these particular types of activities, that requires the legal process. The legal process is all about due process; due process requires time and an opportunity to be heard by both sides. That's not necessarily the type of system that's best at combating very fast-moving threats in the domain name system. So the legal process, I think, could be used for pernicious, persistently malicious actors of the kind that keep coming back, the APTs. But, you know, we need better integrity in the DNS, we need better enforcement and better identification of threat actor activity in the first instance, and I think that's what we do.
Someone asks: With every domain registrar offering privacy to hide the actual owner of the domain, what's the point of the public WHOIS database, since it shows much but not actually who is who? Who has access to the actual owner info?
That's, you know, the registrars and the registry would have the owner info. However, even though most of this stuff is masked, most of this stuff is nonsensical or a GDPR mess, there are still certain bits of information that you can tie various actors and activities together with, including information like the registration time of the domain and the expiration date of the domain. Looking across different registrations, and just for registrations, you can tie malicious activity together by looking at those specific entries in the WHOIS data. So there still is relevance to it. There's still relevance to a lot of the DNS data, if you know how to pivot off of it.
Hey Alex, Daniel and Raul, thank you very much for joining us today.
Thank you guys.
Always a pleasure.