Welcome to Codebook, the only cybersecurity newsletter with no Memorial Day plans. Hit us up.
Tips? Comments? Please reply to this email.
The FBI has long made the case that it needs access to encrypted cell phones to stop crime. But one of the key statistics the agency has recently cited to support that case was grossly inflated thanks to a programming goof, the Washington Post reported Tuesday.
Why it matters: Supporters of strong encryption will likely see this screw-up — the second of its kind that we’ve learned of in two months — as a problem of honesty. But it may also have a more material effect on the encryption debate by changing how risk gets balanced against safety.
The bottom line: The deeply entrenched sides of the public debate will continue their standoff, but behind closed doors, where real compromise is being discussed, the calculations may shift.
By the (wrong) numbers: FBI director Christopher Wray has claimed there were around 7,800 phones related to crimes being investigated that the bureau could not access due to unbreakable security measures. It turns out that, while an exact tally is still being calculated, the accurate figure is somewhere between 1,000 and 2,000.
"This is a pretty bad mistake," said David Kris, former assistant attorney general for national security and founder of Culper Partners.
But, but, but: You can’t do good risk management with bad data.
Early Wednesday, Cisco's Talos lab reported that more than 500,000 routers in 56 countries had been infected with malware reusing computer code from past Russian state-led attacks. By Wednesday evening
The details: The attacks particularly focused on Ukraine, and shared code with BlackEnergy, malware believed to be used by Russia to attack critical infrastructure in Ukraine. Cisco nicknamed the campaign VPNFilter.
The tech: VPNFilter has been found in Linksys, MikroTik, NETGEAR, and TP-Link routers and network storage devices. It can survive rebooting the device — that's rare among internet-of-things malware.
Ray Rothrock, chief executive of RedSeal, launched his book "Digital Resilience" on Wednesday evening at the Carnegie Foundation. He spoke to Codebook before the event about resiliency — the art of being prepared for worst-case scenarios.
Why it matters: Savvy organizations already know that hackers will breach even well-defended networks — part of the war is designing networks to catch and expel malefactors who gain entry. But resilience goes one step further, preparing organizations to adapt to and recover from a catastrophic event.
"It's more than understanding that the perimeter is vulnerable. It's thinking ahead to what can go wrong," said Rothrock.
Why be resilient: "A network being down for four days could mean the end of a business," said Rothrock. He ran down some examples of how a resilient approach could have helped in famous breaches: "Yahoo knew it had been breached but didn't have a plan in place to disclose it, and lost money in its sale to Verizon. Target could have shut down the stores that were under attack [in its 2013 breach] as soon as it was alerted to a potential breach."
According to new research from Tenable, it takes 13 days for security teams to patch security problems after new exploits are released — 7 days longer than it takes criminals to weaponize them.
Why it matters: Seven days is more than enough time to do some damage.
Friday marks day one of the EU's General Data Protection Regulation (GDPR), a broad-ranging privacy law that could fine international firms as much as 4% of annual revenue for storing personal data without consent or proper security.
In celebration of a regulation that around half of companies are not yet prepared to follow, here are the best recent GDPR jokes we've found on Twitter:
'Tis the season:
All Your Base:
Raging for the Machine:
Codebook will return on Tuesday.