Axios Codebook

May 15, 2018
Welcome to Codebook, the only newsletter reporting on cybersecurity until our band takes off. Tips? Comments? Please reply to this email.
Situational awareness: The National Security Council is delaying releasing an official cyber security strategy because of disagreements over the use of offensive tactics (Cyberscoop).
1 big thing: State department bug bounty gets rare thumbs up

Illustration: Sam Jayne/Axios
Congress has struggled so far to write bug bounty legislation — which incentivizes independent testing of federal security — that the small handful of thought leaders in the field can embrace. But Casey Ellis, founder and chief technology officer of the bug bounty firm Bug Crowd, says that the new State Department bounty bill might pass muster.
In fact, said Ellis, it's kind of good. "It's an incremental improvement over past ones, but lawmakers are getting close," he said.
The Hack Your State Department Act, which just passed the House Foreign Affairs Committee, requires State to offer a bug bounty — a reward program that pays independent researchers who report security flaws in public facing infrastructure.
Why It matters: While the programs are increasingly considered part of a well-balanced security diet, they are easier to get wrong than right.
Bug bounties take work: The most successful federal bug bounty programs have been those run by the Department of Defense, which made it look easy. Too easy.
- Before a bug bounty program takes flight, a lot of things need to happen: Agencies need to restructure staff to be able to patch the influx of new bugs, create legal waivers to prevent good guys from being arrested for bad-guy hacking, and address all outstanding bugs to make room for the new ones coming.
- "The problem with past bills is they saw Hack the Pentagon, that didn't take much time after being announced to launch, and told agencies to establish programs within 90 days," said Ellis.
- But while the public didn't find out about Hack the Pentagon until late in the process, the Pentagon devoted two years to it before going public.
- Hack Your State Department, introduced by Reps. Teds Lieu and Yoho (D-Calif. and R-Fla.) would give State a full year to set up the program, including a preparatory period where the department would accept and patch bugs but offer no reward.
2. "Efail" could have been much worse for email encryption
"Efail," a hyped flaw in venerable email encryption protocols PGP and S/MIME, turned out to be not as bad as it sounded at first.
That said, anyone who depends on those protocols should check to make sure the programs they use for email and encryption are safe.
Messy rollout: Extremely early Monday morning, the Electronic Frontier Foundation alerted users to either uninstall or disable PGP or S/MIME encryption programs, without giving much additional information. Researchers from three European universities had originally planned to release their work Tuesday morning but released it early to meet sudden demand.
What Efail does and doesn't do:
- Efail did not break the PGP or S/MIME algorithms: The encryption algorithms remain sound. Email messages are completely secure until they are decrypted. Any encrypted message that hasn't been decrypted is completely safe.
- Efail works by altering the HTML multimedia elements in the email surrounding the encrypted message to send a copy of the decrypted email back to the attacker once it's readable.
- It doesn't work on all decryption programs: Different decryption programs handle those elements in different ways. Yours might be totally safe — you can check on the Efail site.
3. Kaspersky moving data processing out of Russia

Photo: Sergei Savostyanov/TASS via Getty Images
Moscow-based Kaspersky Lab is moving its data processing and storage for many customers, as well as its software assembly, to Zurich "to address the growing challenges of industry fragmentation and a breakdown of trust."
Why it matters: The beleaguered security company, still a major international player in antivirus and security research, has come under fire in the United States over the past year for possible links to the Russian government.
- Kaspersky is currently suing the U.S. government for banning its software from federal systems.
- Though there have been media reports that Kaspersky products have been used by Russian intelligence as a backdoor to search and steal sensitive documents, the public case for the ban has always been that Russian laws would allow the Kremlin to easily access data from any company with servers in its borders.
- This move would directly address that issue.
Who it affects: The customers whose data storage and processing will move to Zurich include those in North America, Europe, Singapore, Australia, Japan and South Korea.
Meanwhile: The Dutch, too, have banned government use of Kaspersky wares, Cyberscoop reports.
4. Pakistan hacks hit rights workers, government officials
Two reports released Tuesday show the Pakistani government may be involved in a variety of different hacking campaigns.
Mobile campaign: Lookout, a mobile device security company, discovered a campaign for Android and iOS phones that it's calling StealthMango and Tangelo.
- The hackers appear to have failed to secured the infrastructure behind the campaign, making it possible for Lookout to gather evidence about the perpetrators as well as victims. That includes data from when the attackers tested the malware used in the attack on their own devices.
- Files — including the standard array of mobile device surveillance techniques, like audio recording and screen caps — suggest that Pakistani military hackers targeted Pakistani military and government officials with access to sensitive information, as well as Afghani, Indian and UAE targets.
- The files included sensitive information about military operation, including letters from U.S. central command.
- The name StealthMango comes from text strings found in the code of the malware used ("Also, it appears Pakistan is known for it's mangoes," Lookout Security analyst Michael Flossman told Codebook). Tangelo appears to be the name the attackers called the iPhone malware.
Human rights victims: Amnesty International released a report covering an array of different attacks against activists in Pakistan, including new Android malware "StealthAgent" that appears to be the same as StealthMango.
Attacks used fake social media profiles and email phishing campaigns to get victims to install StealthAgent or the already discovered Crimson malware.
Both StealthAgent and StealthMango use a command and control server at the same Canadian internet address. and the reports on both attacks say their discoveries contains links to the commercial spyware TheOneSpy.
We vote for StealthMango as the name. It's a better name. StealthMango.
5. Brookings launches underutilized tech expert list
The Brookings Institute launched Sourcelist, a service designed to help conference bookers and reporters put more diverse voices on their panels and in their stories.
"The hope is that, when conference organizers or reporters would say they've contacted a women but none were available, they'd know where to look," said Susan Hennessey, who spearheaded the project.
Why it matters: In April, when it turned out that only one of the 20 keynote speakers at the RSA conference was female (and that one was the less-than-technical Monica Lewinsky), attendees didn't just get mad — they launched a counter-conference of mostly female speakers that by many accounts upstaged the larger showcase.
The details: The first resource Sourcelist is offering is a list of women, with other sets of marginalized experts (including by race and geography) under consideration for the next such offering.
- After internal deliberations, Sourcelist decided that it would allow anyone to sign up, vetting only to make sure that enrollees were real, rather than institute a standard of expertise.
- In tech fields, especially cybersecurity, there's often no single way to perform expertise checks — experts come from military programs, grad schools and self-training.
6. Boots to Suits to graduate to jobs
All 20 graduates of the Boots to Suits cybersecurity training program from NS2 Serves enter Tuesday's graduation ceremony with a job lined up.
Why it matters: The program, which gives veterans paid training in IT, is looking to expand. Gen. John Campbell (Ret.), chairman of NS2 Serves and former commander of United States forces in Afghanistan, makes a pretty good case to Axios.
- There is a cybersecurity skills shortage.
- There are lots of vets transitioning to civilian life.
- Boots to Suits "basically guarantees them a job," noting that the curriculum in this episode of the program was specifically chosen by Deloitte, which guaranteed hiring any graduates. Though the classes are employer-agnostic, "more companies absolutely should do that."
- The program doesn't take up vets' G.I. Bill benefits, leaving them with the option of getting further training or passing the benefits to another family member.
7. Odds and ends
- FEMA's CIO resigned. (FCW)
- Another Facebook quiz app stirred privacy concerns. (New Scientist)
- Facebook, meanwhile, has blocked around 200 apps during its investigation into data security. (Facebook)
- Chili's suffered a credit card data breach. (Chili's)
- So did Rail Europe. (ZDNet)
- A new bill would provide lifetime credit monitoring to those affected by the OPM breach. (GovExec)
- Off-the-shelf surveillance malware FinFisher isn't FinFinished. (Access Now)
Codebook will return when you least expect it, in its regularly scheduled Thursday slot.