August 01, 2019
Welcome to Codebook. One Democratic candidate said "cybersecurity" once during two nights of debates, so I guess we're cool.
Tips? Comments? Feel free to reply to this email.
We'll be Codebooking from the Black Hat and DEF CON conferences next week.
1 big thing: Dems face risks in phone-voting plan
Democrats in Iowa and Nevada want to boost participation in their 2020 caucuses by opening them up to telephone voting. Hacking-spooked Democrats have worked to protect the process from interference, but some experts still see notable risks.
Why it matters: Security concerns have long troubled digital voting systems. Many of the same problems with online voting carry over to telephone voting.
The big picture: Caucuses are a complex process that typically require hours of participation on the part of voters. That’s prohibitive for many, especially those in places like Las Vegas, with a tourism-based economy forcing many to work nonstandard hours.
- The DNC this year issued a directive to allow for absentee voting, which Kevin Geiken, Iowa Democratic Party executive director, called the right decision.
The Democratic Party in each state is taking steps to limit the phone vulnerabilities. Though the process has not been finalized in either case, both states will require in-person signup to receive individualized credentials for the phone caucus.
- ”We are working closely with DNC Tech Team so our planning is informed by the current threat landscape and security best practices,” Geiken said. “Potential technology vendors are being aggressively vetted for their security histories and capabilities.”
- The process will allow for independent vetting of the system, giving the public a chance to demonstrate security flaws in the system before caucus day. That’s more than can be said for most in-person voting machines.
Threat level: No system is without risk. Even paper ballots can be tampered with. The question is whether the risk is low enough to confidently manage.
- For Joseph Lorenzo Hall, an election security expert with the Center for Democracy & Technology, the answer is no. While the call center collecting votes might be secure, and while it's possible to verify users with confidence, there’s room in the telephone network for a hacker to intercede.
- There’s no encryption on phone calls, so a malicious phone company employee, for example, could change votes or link callers to ballots. Likewise, a sophisticated, rarely seen technique known as SS7 hacking, which requires high-level access to a mobile phone company’s systems, can manipulate mobile calls.
- These tactics are very limited — but they are possible.
The bottom line: Doubt in the caucus process wielded by an angry runner-up could be as dangerous to public confidence as actual vote tampering.
2. Inside election security's biggest event
The DEF CON hacker conference's Voting Village event has become a testing ground for our national debate over voting security, referenced by Senate reports, several congressmen and even a presidential candidate (albeit incorrectly, see below). This year's version, happening next week, comes with some upgrades.
The big picture: Now in its third year, the event is traditionally one of the only places where many security researchers get a chance to audit the security of election systems.
Background: Voting Village burst onto the scene in 2017, when it took hackers only a matter of minutes to discover serious problems with voting machines.
- That happened even though hackers were unfamiliar with the systems.
- Restrictive contracts with states bar public third-party audits, but Voting Village beat the contract rules by purchasing flood-salvaged equipment from an insurance company.
This year, Voting Village has expanded its range of equipment, including election software that researchers have not had a chance to audit and the first test of equipment designed specifically for security and public testing.
- Cybersecurity firm Galois will demonstrate a project funded by the Defense Advanced Research Projects Agency, the Pentagon's advanced research arm, to develop hardware that defends against hackers that target memory.
- Galois is publicly revealing system internals to try to aid DEF CON's hackers.
What they're adding: While in previous years state election officials bristled at even well-meaning hackers intruding on their turf, this year Voting Village will launch the "Unhack the Ballot" initiative, pairing state officials with researchers who can offer nuts and bolts advice.
- The conference is also expanding from one day of talks to three days.
For the kids: In last year's DEF CON, Voting Village helped with the conference's program for kids, developing faux election registration websites with errors that were previously seen on real sites for children to learn to hack.
- This tale got garbled in the media with reports that children hacked actual election websites or exact facsimiles of the sites (they didn't). Presidential candidate Rep. Tulsi Gabbard (D-Hawaii) regularly notes that "an 11-year-old girl at DEF CON hacked a replica of Florida’s voting system in 10 minutes."
Voting Village is working with kids again, although this year it's trying to be clearer about what the kids are actually doing.
- This year's faux websites will be campaign finance reporting portals, where kids will create fake news to unleash using bots on a fake version of Twitter.
- They'll also learn about how to use machine learning to create filters that can block the fake news they've spread on that fake network.
3. The Equifax settlement can't handle all the claims
The Equifax settlement was designed to offer the 150 million people affected by the breach a choice between $125 or free credit reporting. It just wasn't designed for the number of people who took them up on the offer.
The bottom line: You aren't getting $125.
Driving the news: Dozens of sites (including us, sorry) published instructions on how to file a claim. But that led to more people than expected filing for claims and more of those people than expected asking for the cash option.
- The pool will dole out even shares of money to those who requested it, but the FTC believes there are just too many people for that to be $125.
- It's suggesting that people sign up for the free credit reporting again.
4. Cisco settles for $8.6 million in false claims case
Cisco has settled for $8.6 million in a False Claims Act case over selling video surveillance cameras to government groups while misrepresenting how secure they are.
Details: While much of the lawyering was handled by the government, the case was originally brought by James Glenn, a former employee of a European Cisco distributor.
- Glenn reported security vulnerabilities in the video system to Cisco in 2008 that went unaddressed, and later sent a letter asking why.
- Glenn claims he was suddenly fired after sending the letter, soon after Cisco executives met with his bosses. He did not make a legal claim of retribution.
- U.S. law allows whistleblowers to bring suit against U.S. contractors over false claims, which government groups can later take over.
Glenn will receive 20% of the settlement, with states receiving 70%.
5. Hexane group targeting oil, gas and telecom
A newly detailed group called Hexane is targeting oil and gas companies in the Middle East and telecommunications companies throughout the Middle East, Central Asia and Africa, according to a report from Dragos.
Why it matters: In the past, most of the hacking groups targeting industrial control systems have specialized in a single industry. Hexane is the second recent example of a group that has a primary industry target and an interest in a second sector.
To be clear: There's a good chance that the second sector, in this case telecom, is being used to better position hackers to enter their primary targets. Hexane, Dragos believes, is likely using access to telecom networks to sneak into the oil and gas firms.
6. In case you missed last week
CapitalOne breach (Axios): Data from 100 million credit card applications was stolen from CapitalOne. A suspect has been arrested.
WannaCry savior gets no additional jail time (Twitter): Marcus Hutchins announced via Twitter he won't serve an additional sentence in his widely watched malware sales trial.
- Hutchins was a global celebrity for cutting off the WannaCry malware before the multibillion-dollar disaster caused more damage. It's because of him the United States was largely unaffected.
- Even before then, within security circles, he was a well-known researcher.
- But Hutchins pled guilty to creating and selling a banking-related malware before starting to use his skills for good.
Wind River plugs 11 holes in IoT operating system (Armis): Wind River, which makes the popular VxWorks operating system for connected devices, issued a patch for 11 critical security flaws identified by the cybersecurity firm Armis.
- Armis dubbed the vulnerabilities the "Urgent11."
- The operating systems are used by 2 billion devices, several hundred million of which are in critical infrastructure, ranging from printers to industrial control systems.
- The vulnerabilities don't affect all versions of the operating system. "Nuclear power plants probably use a [safe] version," Ben Seri, vice president of research at Armis, told Codebook.
- But patching enterprise devices, and knowing to patch them, is often more difficult than, say, patching a telephone. Seri warns that IT departments need to be on top of it.
Phishing campaigns target financial sector (Akamai): A new Akamai report shows that out of nearly 200,000 phishing web domains launched between December and May, more than half of the unique companies being mimicked were financial firms. Two-thirds of the domains targeted consumers. Of those, half of the total sites were fake financial firms.
- To quote Slick Willie Sutton, you rob banks because "that's where the money is."
Financial malware attacks nearly doubled (Kaspersky): A Kaspersky report shows a 93% rise in financial malware in the first half of 2019 over the same period last year.
- Attacks are similarly up against corporate and individual users.
- The report notes an annual cycle where the second half of the year is typically worse than the first, as hackers "go on vacation" January to June.
7. Odds and ends
- Everyone is hacking your phone. (CrowdStrike)
- There are serious questions about the qualifications of President Trump's new nominee for director of national intelligence. (Wired)
- The PCI Security Standards Council, which dictates credit card security standards, and the Retail and Hospitality ISAC issued a joint warning about the credit-card-skimming Magecart group. (PCI)
- Two vulnerabilities were patched in SanDisk solid state hard drives. (Trustwave)
- Some Amcrest cameras (sometimes labeled as other brands) could be turned into audio surveillance devices by hackers. (Tenable)
- The No More Ransom initiative has saved ransomware victims more than $100 million. (Europol)
- Update your iPhone. (Graham Cluley)