Welcome to Codebook, the only cybersecurity newsletter with no Memorial Day plans. Hit us up.
Tips? Comments? Please reply to this email.
1 big thing: How the FBI's numbers fumble moves the encryption debate
The FBI has long made the case that it needs access to encrypted cell phones to stop crime. But one of the key statistics the agency has recently cited to support that case was grossly inflated thanks to a programming goof, the Washington Post reported Tuesday.
Why it matters: Supporters of strong encryption will likely see this screw-up — the second of its kind that we’ve learned of in two months — as a problem of honesty. But there may be a more material effect on the encryption debate: it changes how risk gets balanced against safety.
The bottom line: The deeply entrenched sides of the public debate will continue their standoff, but behind closed doors, where real compromise is being discussed, the calculations may shift.
By the (wrong) numbers: FBI director Christopher Wray has claimed there were around 7,800 phones related to crimes being investigated that the bureau could not access due to unbreakable security measures. It turns out that, while an exact tally is still being calculated, the accurate figure is somewhere between 1,000 and 2,000.
"This is a pretty bad mistake," said David Kris, former assistant attorney general for national security and founder of Culper Partners.
- Law enforcement authorities seek legislation mandating “backdoors” in phones and other devices letting them access even encrypted contents in extraordinary circumstances.
- Experts believe nearly unanimously that weakening encryption with backdoors would catastrophically reduce global cybersecurity.
- The public debate on this issue centers around whether it’s possible to find a technological solution that would give law enforcement access to encrypted data without everyone else suffering those catastrophic consequences.
- That technological solution likely doesn’t exist, meaning that the more nuanced debate that proceeds behind closed doors is about risk management. Participants in that debate are wrestling with how to limit the use of backdoors by finding a risk/reward balance. The risk to be contained is the impact of a future WannaCry-type event; the reward is the crime-fighting value of accessing a certain number of phones.
But, but, but: You can’t do good risk management with bad data.
- With numbers inflated 4- to 8-fold, the FBI was arguing backdoors were 4 to 8 times more important than they actually are.
- Balancing the risk/reward equation, that meant the FBI was giving itself license to justify 4 to 8 times as much risk.
Go deeper: Read the full story in the Axios stream.
2. Huge attack on routers linked to Russia
Early Wednesday, Cisco's Talos lab reported that more than 500,000 routers in 56 countries had been infected with malware reusing computer code from past Russian state-led attacks. By Wednesday evening
The details: The attacks particularly focused on Ukraine, and shared code with BlackEnergy, malware believed to be used by Russia to attack critical infrastructure in Ukraine. Cisco nicknamed the campaign VPNFilter.
- The FBI took control of a key server in the attack after Cisco's report, according to the Daily Beast.
- Russia denied responsibility for the attack.
- Symantec noted that, unlike other attacks on devices, the malware didn't propagate by randomly dialing other devices and trying to attack. That also suggests deliberate, or at least not entirely random, targeting.
The tech: VPNFilter has been found in Linksys, MikroTik, NETGEAR, and TP-Link routers and network storage devices. It can survive rebooting the device — that's rare among internet-of-things malware.
- The attackers appear to be interested in industrial systems used in factories and power plants, as the malware detects commands sent to control systems.
- The malware can also steal user names and passwords.
3. Resilience is the new security
Ray Rothrock, chief executive of RedSeal, launched his book "Digital Resilience" on Wednesday evening at the Carnegie Foundation. He spoke to Codebook before the event about resiliency — the art of being prepared for worst-case scenarios.
Why it matters: Savvy organizations already know that hackers will breach even well-defended networks — part of the war is designing networks to catch and expel malefactors who gain entry. But resilience goes one step further, preparing organizations to adapt to and recover from a catastrophic event.
"It's more than understanding that the perimeter is vulnerable. It's thinking ahead to what can go wrong," said Rothrock.
Why be resilient: "A network being down for four days could mean the end of a business," said Rothrock. He ran down some examples of how a resilient approach could have helped in famous breaches: "Yahoo knew it had been breached but didn't have a plan in place to disclose it, and lost money in its sale to Verizon. Target could have shut down the stores that were under attack [in its 2013 breach] as soon as it was alerted to a potential breach."
- The alternatives in those cases, said Rothrock, would be positioning back-ups and redundant systems to prevent network downtime, preparing a public relations plan to announce a breach in advance and having a strategy in place to determine when extraordinary measures, like closing a store, would be worthwhile.
- Further, businesses might identify the most critical-to-patch systems in the event of a global catastrophe — say, a WannaCry, which spread faster than companies were able to patch their complete networks.
4. Criminals get a 7-day head start on new vulnerabilities
According to new research from Tenable, it takes 13 days for security teams to patch security problems after new exploits are released — 7 days longer than it takes criminals to weaponize them.
Why it matters: Seven days is more than enough time to do some damage.
5. Your GDPR joke round up
Friday marks day one of the EU's General Data Protection Regulation (GDPR), a broad-ranging privacy law that could fine international firms as much as 4% of annual revenue for storing personal data without consent or proper security.
In celebration of a regulation that around half of companies are not yet prepared to follow, here are the best recent GDPR jokes we've found on Twitter:
(Embedded tweets, captioned "'Tis the season," "All Your Base," and "Raging for the Machine," are not reproduced here.)
6. Odds and ends
- FCC was warned about phone-tracker Securus last summer. (The Register)
- Florida Gov. Rick Scott overruled his elections chief, forcing him to accept $20 million in federal funds for secure voting systems. (Tampa Bay Times)
- A federal court said President Trump can't block Twitter critics. (The Verge)
- BMW smart cars have a 12-pack of security vulnerabilities, reports Tencent. (Axios)
- Facebook allowing two-factor authentication without cellphone numbers. (Axios)
Codebook will return on Tuesday.