Axios Codebook

April 11, 2019
Welcome to Codebook, the cybersecurity newsletter that falls asleep in Ubers.
1 big thing: How Heartbleed turned vulnerabilities into brands

Illustration: Sarah Grillo/Axios
Heartbleed, a dangerous security hole in widely used web-security software, made its public debut five years ago this week. It proved a landmark moment for cybersecurity and, perhaps even more so, for the marketing of cybersecurity firms.
Why it matters: Heartbleed was both a security nightmare and a professionally branded marketing event, and that pairing set a new default for how security research makes its way into the world.
Background: When the security firm Codenomicon announced Heartbleed to the public, it came with a professionally designed logo and a standalone website.
- I can't stress this enough: If there were ever a vulnerability that warranted a marketing campaign, it was Heartbleed, a flaw in OpenSSL encryption software used by millions of websites (including, at the time, Google and Facebook) that could cough up critical security or personal data.
- Vulnerability research — the discovery of new security weaknesses in computer systems and software — sits at the nexus of cybersecurity, the practice, and cybersecurity, the business. So once vulnerability branding got started, it began to snowball.
- Later in 2014, when a major vulnerability in the Unix Bash Shell was discovered, researcher Davi Ottenheimer joked on Twitter that the discovery was "nice. but it's not big until there's a logo." Andreas Lindh responded with a logo and a name for the bug that stuck: ShellShock.
- Soon there was Ghost and Stagefright. Recently there has been Meltdown and Spectre. To draw attention to a bug and the researchers who discovered it, logos, websites and PR agents became de rigueur.
The catch: Branding can often overinflate less severe bugs. That might be smart marketing, but it's a problem for people trying to fix what's important.
- "People do prioritize [fixing] branded vulns when they don’t have a mature prioritization process," said Chris Wysopal, co-founder and CTO of Veracode. "They do this because if they get asked a question about it from customers or partners, they want to be seen as on top of the issue.”
The ethics can get hazy. There have been instances of overhyped branded vulnerabilities apparently being marketed to manipulate stock prices, or vastly overstated vulnerabilities shifting the security conversation.
- "I think many people wish that 'vuln branding' had never become a thing," said Cris Thomas, global strategy lead for IBM's security audit team X-Force Red. "It reeks of marketing, salesmanship and pop culture, and all those things you don't want serious critical things to become."
The big picture: The obvious alternative to using clever names would be to use the ID numbers registered in vulnerability databases.
- Microsoft lists vulnerabilities it is aware of with the letters MS followed by a numeric code. The National Vulnerability Database does the same with the letters CVE.
- In all fairness, it's much easier to discuss a bug named "I am root" than to worry you've mistaken CVE-2019-0123 for CVE-2019-0132.
- Neat idea that'll never happen: In 2015, a blogger for Fortinet suggested adopting World Health Organization naming standards — finding names that describe a specific problem without exaggerating it.
The bottom line: "We rarely find Heartbleed vulnerabilities in systems anymore. The same goes for most of the other 'branded' vulnerabilities. And yet we do still find boring old MS08-067 and MS17-010 all the time," said Thomas.
2. Julian Assange was arrested, but press freedoms aren't at stake
WikiLeaks editor-in-chief Julian Assange was arrested at Ecuador's London Embassy Thursday after the country withdrew its offer of asylum.
- The U.S. Department of Justice subsequently released its indictment of Assange — importantly focusing on his technical assistance helping Chelsea Manning hack State Department cables rather than in publishing leaks.
Why it matters: That the indictment focuses on Assange the hacker, not Assange the reporter, blunts a long held press freedom argument not to charge him with crimes. All journalists rely on leaks, and many relied on classified information publicized by WikiLeaks, making a river of journalists guilty of whatever Assange was guilty of.
- Codebook predicted this was how Assange indictments would work in November.
Why it matters (to my mom): If charges had been focused on being an intelligence asset of Russia by publishing leaks (they aren't), that'd be a blow to, well, me specifically. I directly received and reported on documents from Guccifer 2.0, the avatar of Russia's hacking efforts in the 2016 election.
Go deeper: Assange's previously reported upon activities appear to have gone far beyond journalistic practice into what most reporters would consider criminality. He potentially:
- Hacked a website of an anti-Trump PAC and shared the password with the Trump campaign.
- Directed hackers to attack a specific target — transcripts show that a request was brought to those hackers by an intermediary they believed was sent by Assange.
- Provided hackers with technical assistance in the form of a search algorithm to sift through hacked documents.
All of those things would appear to be illegal. No, it doesn't matter if the password on a website is easy to guess.
3. Stuxnet components were older than previously thought
Stuxnet, malware thought to be created by the United States and Israel to hinder the Iranian nuclear program, has a more interesting history than we previously thought. So say Chronicle researchers Juan Andres Guerrero-Saade and Silas Cutler, who posited new breakthroughs at a Kaspersky Lab conference in Singapore.
Why it matters: Stuxnet is perhaps the most important malware of all time. The 2010 effort was the first introduction to true potential of cyberwarfare, causing physical damage to the chemical procedures to develop nukes in Iran.
But, but, but: Stuxnet wasn't an all new weapon. Components of malware were repurposed from other attacks. It had generally been thought Stuxnet drew from the efforts of the three programming teams behind Fanny, Flame and Duqu malware.
- Enter Guerrero-Saade, Cutler and a previously unknown fourth programing team.
- Guerrero-Saade and Cutler discovered a connection between Stuxnet and the code used for Flowershop, modular malware used by spies between 2002 and 2013, initially reported by Kaspersky.
- The code was used in a component the Chronicle team has dubbed Stuxshop, which was only used in early iterations of Stuxnet.
Be smart: A new programming group doesn't necessarily mean new nations were involved. "Additional frameworks points us to additional distinct teams and development resources. Whether that’s additional groups, institutions, or countries is beyond our ability to track in the code," said Guerrero-Saade.
Also: The team made new discoveries about Flame and Duqu, celebrity espionage malware in their own right.
- Flame, once thought to have ceased being used in 2012 after its operators called up a "Suicide" module to delete evidence of the infections, was actually resurrected in 2014, with a new version.
- Chronicle also outlined a new version of Duqu.
4. In case you missed last week
1. Notorious TRITON malware resurfaces:
The attackers who launched TRITON, a notorious industrial-system-focused malware only known to have been used once, have struck a second target, according to researchers at FireEye presenting at the Kaspersky Lab SAS Summit in Singapore.
- Why it matters: FireEye was the first to discover TRITON, which startled researchers by amassing an uncommon amount of control over industrial systems. Due to a mistake in the attack, it inadvertently led to a plant shutdown and nearly caused a deadly explosion. While no one expected TRITON to be a one-time affair, its resurgence is jarring.
2. A city-sized network of hackers was ousted from Facebook:
Cisco's Talos research team announced Friday it had discovered 74 Facebook groups where hackers bought and sold cybercrime tools and services. The groups networked together as many as 385,000 members speaking a bevy of different languages.
- What they're saying: "Tampa — it was basically the size of Tampa," said Craig Willams, director of outreach for Talos.
3. DHS head Kirstjen Nielsen resigns:
Nielsen's chapter in history will almost definitely be written about her immigration activities. But she had unmistakable successes in cybersecurity, particularly the following.
- Election security: There were a ton of problems in the relationship between states, who run elections, and the Obama DHS — only some of which were caused by partisan friction between Republican secretaries of state and a Democrat in the White House. That was certainly a component; Georgia accused DHS of hacking its networks after the 2016 election, which most agreed, was objectively ridiculous.
- Most of the problems came from DHS not being built for election security. Nielsen saw massive improvements on that front and on state outreach, including increasing budgets and staffing and ensuring state officials had security clearances to receive intelligence briefings.
- Georgia went from chief DHS antagonist to accepting DHS help in 2018. That's a big step forward.
- The elevation of CISA: Nielsen saw the completion of an Obama priority that Congress had failed to see through, promoting DHS' badly named critical infrastructure and cybersecurity agency the National Protection and Programs Directorate within the Homeland Security organization chart. It is now the better named (and more powerful) Cybersecurity and Infrastructure Security Agency.
5. Odds and ends
- Hotels may be leaking guests' personal information. (Symantec)
- The nonprofit Global Cyber Alliance launched a $1 million effort "to help provide critical cybersecurity protections for the media and journalists, and for elections offices and community organizations" funded by Craig Newmark Philanthropies. (Global Cyber Alliance)
- The Justice Department goes deep on the CLOUD Act, the law allowing cross-border data warrants. (DOJ)
- Companies take aim a spousal surveillance software. (Washington Post)
- FireEye is expanding into northern Virginia. (FireEye)
- Raytheon hired Teresa Shea to head its newly designated Cyber Warfare and Mission Innovations business. Shea is a former NSA director of signals intelligence who later served as executive vice president of technology for In-Q-Tel, the CIA's venture capital arm. (Raytheon)
- DHS sent an alert on new North Korean malware it's calling Hoplight. (US CERT)
- Kaspersky Lab researchers discover a dark web market that sells thorough identity profiles — enough to trick advanced behavioral security models — and a previously unknown nation state surveillance group they've named TajMahal. (Kaspersky)
See you on Thursday (remember, we're now weekly)