Axios Codebook

July 31, 2018

Welcome to Codebook, the cybersecurity newsletter that got into a Twitter argument about centaurs over the weekend.

Today we are coming live from the Department of Homeland Security's National Cybersecurity Summit in New York, where the business community will discuss security issues with DHS. We'll have coverage in the Axios stream and more in Thursday's edition.

Tips? Please reply to this email.

1 big thing: Feds are on supply-chain security tear

Federal officials are doubling down on sounding alarms about the risks of supply-chain security threats — attacks where hackers sabotage software or hardware before it's sent to the customer — with warnings to businesses up against the theft of intellectual property, federal contractors up against espionage and telecoms who will soon face large-scale buildout of 5G networks.

Why it matters: It's difficult to extract supply-chain-vulnerable products from the market. Many devices and networks include components from a variety of companies from all over the world, providing ample opportunity for bad actors to interfere. Banning certain products can combat such threats, but can also cause friction: Just look at the recent call to remove ZTE and Huawei products from the telecom networks.

Driving the news: Last week, the Office of the Director of National Intelligence issued a report Thursday saying that supply chain attacks used for economic espionage were on the rise. On Friday, the Department of Defense told reporters that it was compiling a list of software manufacturers with Chinese and Russian ties it thinks military branches and contractors should avoid.

  • This comes on the heels of scandals at ZTE, Huawei and Kaspersky, where the government alleges foreign-made products were used to spy on domestic agencies and companies.

Why now: The United States is about to go through a massive infrastructure expansion project as mobile carriers and equipment firms roll out 5G technology. Meanwhile, rural communities are still building their first broadband networks.

  • The U.S. has instructed telecom companies not to use products from the Chinese firms Huawei and ZTE — both of whom are suspected of sabotaging their own products to enable Beijing’s spying efforts.
  • But telecom execs say that for smaller communities, low-cost Chinese equipment is the only economically viable way to expand infrastructure. Chinese equipment is not just cheaper, it’s also often the only one-stop shopping solution for telecommunications hardware and tends to come with affordable financing packages.

The government could dig its way out of the hole, but likely won't. Jim Lewis, currently of the CSIS think tank and formerly a Department of Commerce official specializing in high tech issues involving China, estimates that the government could even the playing field and solve the telecom supply chain problem for a little over a billion dollars.

  • That would involve funding rural providers purchasing less vulnerable equipment and issuing grants to ZTE and Huawei competitors for research, helping them compete with China's massive state research budget.
  • But, said Lewis, Congress loathes spending money, even when it is the only solution.

2. Amazon dampens ACLU's scary facial recognition test

Last week, the ACLU demonstrated that, using the default settings on Amazon's Rekognition system, 5% of the members of Congress would be misidentified as criminals. According to an Amazon blog post, that data is skewed by the ACLU's use of default settings not intended for law enforcement use.

Why it matters: It'd obviously be bad if Capitol Police stormed a senator's office looking for a murder suspect, or if any other person was misidentified as a wanted criminal. The issue here is that the ACLU set Rekognition to match faces with 80% confidence — something Amazon describes as useful for a social network to suggest who to tag in a photo.

When Amazon did a similar test with 99% confidence, it generated no false positives.

The bottom line: Accuracy isn't the only reason to be uncomfortable about pervasive facial recognition; activists worry that this will erode any chance of privacy. But it's good to know that the accuracy can be set higher than the ACLU tested.

3. Unhackable cryptocurrency wallet is...a cell phone

A much-touted "unhackable" cryptocurrency storage system is, more or less, a cell phone with no purpose-specific security hardware added on. Also, the word "unhackable" doesn't mean what you think it means, according to the manufacturers.

Why it matters: The Bitfi wallet, loudly backed by the ever-colorful John McAfee, claims to be so unhackable that it will give $100,000 to anyone who can prove it wrong.

  • Unhackable, according to Bitfi, means if you pay them $50 to mail you a wallet with $100,000 in cryptocurrency in it, you won't be able to remove the prize.

That's not what unhackable means: Assuming Bitfi is right, you can't get money off a wallet they mail you. That's not the only way to hack a device — it isn't even the place most hackers would look first. Every time a user checks the Bitfi's balance or transfers money on or off of the device, that data is decrypted. That's when it would be most vulnerable.

The intrigue: When researchers broke down the wallet, they found it relied on Mediatek MT6580 internals — just like this low-end cell phone — likely removing some of the unnecessary features. Though Bitfi jousted with researchers on Twitter, they didn't argue with that assessment of the hardware.

The bottom line: Bitfi might be a secure device; it may even be more secure than its competitors. But the underlying claim that the device is unhackable is reckless.

4. Phone-hijacking college student steals $5 million

Motherboard details the arrest of 20-year-old Joel Ortiz, who tricked several cell phone companies into transferring other people's phone numbers into his control. He leveraged those phone numbers into a $5 million ill-gotten bounty.

SIM swapping: The technique, known as SIM swapping, gives an attacker access to not just the phone number but to any account that uses that phone number to change a password. That allegedly gave Ortiz the ability to steal several million dollars from cryptocurrency investors and additional money by selling off other accounts.

5. Iran waylaid Telegram messages

Messages sent on the instant messenger app Telegram were routed through Iran yesterday due to a glitch in a fundamental internet routing system that many suspect was orchestrated by Tehran.

What happened: The glitch used the Border Gateway Protocol to reroute messages through Iranian servers.

Here's how BGP works and why it's vulnerable.

  • The internet isn't a single network. It's actually a network of networks connected through the largely insecure BGP.
  • In the same way you can't always get a direct flight between two airports, you can't always get from one network directly to another network. BGP lets the networks coordinate how many hops away one network is from another.
  • Due to accidents or hijacking, sometimes networks claim to be closer to popular servers than they actually are, re-routing all the traffic through their own systems.
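
The route selection described above, as an added example that is not part of the original newsletter: a simplified route picker that prefers the fewest hops, plus an origin check (in the spirit of RPKI route-origin validation, which the article does not discuss) that rejects the false claim. Prefixes and AS numbers are constructed documentation values, and all function names are hypothetical.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed sample data: documentation prefix (RFC 5737) and
# documentation AS numbers (RFC 5398). None of this is real routing data.
EXPECTED_ORIGIN = {net("203.0.113.0/24"): 64500}

# The real path to the service: three networks away, ending at its owner.
LEGIT = {"prefix": net("203.0.113.0/24"), "as_path": [64496, 64497, 64500]}
# A network claiming to be the destination itself, one hop away.
BOGUS = {"prefix": net("203.0.113.0/24"), "as_path": [64511]}


def best_route(routes, dest):
    """Pick the route a simplified BGP speaker would use for dest.

    Longest matching prefix wins; ties go to the shortest AS path.
    Real BGP applies local policy before path length; that is omitted.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r["prefix"]]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r["prefix"].prefixlen, -len(r["as_path"])))


def origin_status(route, expected=EXPECTED_ORIGIN):
    """Simplified origin validation: is the last AS in the path the
    network registered as owner of this address space?"""
    for prefix, asn in expected.items():
        if route["prefix"].subnet_of(prefix):
            return "valid" if route["as_path"][-1] == asn else "invalid"
    return "unknown"  # no registration covers this prefix


def validated_best_route(routes, dest):
    """Route selection after dropping announcements with an invalid origin."""
    kept = [r for r in routes if origin_status(r) != "invalid"]
    return best_route(kept, dest)


if __name__ == "__main__":
    dest = "203.0.113.10"
    print("no validation:  ", best_route([LEGIT, BOGUS], dest)["as_path"])
    print("with validation:", validated_best_route([LEGIT, BOGUS], dest)["as_path"])
```
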

Activists in Iran note that a protest on Tuesday was being planned on Telegram, raising fears that the hijacking was intentional.

6. Odds and ends

We'll be back on Thursday.