Welcome to Codebook, the only newsletter reporting on cybersecurity until our band takes off. Tips? Comments? Please reply to this email.
Situational awareness: The National Security Council is delaying releasing an official cyber security strategy because of disagreements over the use of offensive tactics (Cyberscoop).
Congress has struggled so far to write bug bounty legislation — which incentivizes independent testing of federal security — that the small handful of thought leaders in the field can embrace. But Casey Ellis, founder and chief technology officer of the bug bounty firm Bug Crowd, says that the new State Department bounty bill might pass muster.
In fact, said Ellis, it's kind of good. "It's an incremental improvement over past ones, but lawmakers are getting close," he said.
The Hack Your State Department Act, which just passed the House Foreign Affairs Committee, requires State to offer a bug bounty — a reward program that pays independent researchers who report security flaws in public-facing infrastructure.
Why it matters: While the programs are increasingly considered part of a well-balanced security diet, they are easier to get wrong than right.
Bug bounties take work: The most successful federal bug bounty programs have been those run by the Department of Defense, which made it look easy. Too easy.
"Efail," a hyped flaw in venerable email encryption protocols PGP and S/MIME, turned out to be not as bad as it sounded at first.
That said, anyone who depends on those protocols should check to make sure the programs they use for email and encryption are safe.
Messy rollout: Extremely early Monday morning, the Electronic Frontier Foundation alerted users to either uninstall or disable PGP or S/MIME encryption programs, without giving much additional information. Researchers from three European universities had originally planned to release their work Tuesday morning but released it early to meet sudden demand.
What Efail does and doesn't do:
Moscow-based Kaspersky Lab is moving its data processing and storage for many customers, as well as its software assembly, to Zurich "to address the growing challenges of industry fragmentation and a breakdown of trust."
Why it matters: The beleaguered security company, still a major international player in antivirus and security research, has come under fire in the United States over the past year for possible links to the Russian government.
Who it affects: The customers whose data storage and processing will move to Zurich include those in North America, Europe, Singapore, Australia, Japan and South Korea.
Meanwhile: The Dutch, too, have banned government use of Kaspersky wares, Cyberscoop reports.
Two reports released Tuesday show the Pakistani government may be involved in a variety of different hacking campaigns.
Mobile campaign: Lookout, a mobile device security company, discovered a campaign for Android and iOS phones that it's calling StealthMango and Tangelo.
Human rights victims: Amnesty International released a report covering an array of different attacks against activists in Pakistan, including new Android malware "StealthAgent" that appears to be the same as StealthMango.
Attacks used fake social media profiles and email phishing campaigns to get victims to install StealthAgent or the already discovered Crimson malware.
Both StealthAgent and StealthMango use a command and control server at the same Canadian internet address, and the reports on both attacks say their discoveries contain links to the commercial spyware TheOneSpy.
We vote for StealthMango as the name. It's a better name. StealthMango.
The Brookings Institute launched Sourcelist, a service designed to help conference bookers and reporters put more diverse voices on their panels and in their stories.
"The hope is that, when conference organizers or reporters would say they've contacted women but none were available, they'd know where to look," said Susan Hennessey, who spearheaded the project.
Why it matters: In April, when it turned out that only one of the 20 keynote speakers at the RSA conference was female (and that one was the less-than-technical Monica Lewinsky), attendees didn't just get mad — they launched a counter-conference of mostly female speakers that by many accounts upstaged the larger showcase.
The details: The first resource Sourcelist is offering is a list of women, with other sets of marginalized experts (including by race and geography) under consideration for the next such offering.
All 20 graduates of the Boots to Suits cybersecurity training program from NS2 Serves enter Tuesday's graduation ceremony with a job lined up.
Why it matters: The program, which gives veterans paid training in IT, is looking to expand. Gen. John Campbell (Ret.), chairman of NS2 Serves and former commander of United States forces in Afghanistan, makes a pretty good case to Axios.
Codebook will return when you least expect it, in its regularly scheduled Thursday slot.