Welcome to Codebook, a cybersecurity newsletter you signed up for.
1 big thing: Why common ransomware attacks could mess with elections
State and city election boards have spent the better part of 3 years hardening their systems for a 2020 hacker invasion. Yet all that work may not be enough to keep out ransomware.
Driving the news: On Monday, Reuters was first to report that the Department of Homeland Security would begin helping elections officials prepare for ransomware attacks.
- Ransomware typically locks users out of their own files until they pay a ransom. Across an election office's network, those files could range in sensitivity from trivial vacation schedules to essential voter data.
Background: DHS has been aiding local officials since 2016, trying to prevent a repeat of that year’s election interference campaigns.
- Voting machines often dominate the public conversations around election security. But DHS and localities have to take a much more holistic view of security. Russia did not attack voting machines in 2016, but it did conduct reconnaissance on accessing and altering voter registration databases.
The big question: Accessing and altering data is technically all that most ransomware does, and the criminals behind ransomware are at least notionally less sophisticated than the militaries and spies that states are gearing up to protect against. So why is ransomware still a problem for elections?
- Many states have made defending against motivated, strategic actors their election security priority. But ransomware is deployed by opportunistic criminals, and fighting it can be more akin to fighting a force of chaos.
When Russia probed voter databases in 2016, it approached them through the easiest access point — vulnerabilities in web applications that connect to the database. So states concentrated on shoring defenses around the web applications and databases, said Dylan Owen, senior manager for cyber services at Raytheon.
- But less critical systems that access the secure database may not be as well protected.
- Elections officials might be left with the time-consuming task of restoring dozens of office systems in their entirety in a ransomware attack. That could impair their ability to provide services, even if the ransomware never reaches the voter database.
- “This is more about defending the [systems] that connect to those databases, in my mind,” Joseph Lorenzo Hall, an election security expert serving as chief technologist of the Center for Democracy & Technology, speculated in an email.
What they’re saying: Homeland Security describes both the databases and the systems retrieving data as potential concerns.
- “Voter registration databases could be an attractive target for these attacks,” said Christopher Krebs, who directs the cyber-focused wing of DHS, in a written statement. “A successful ransomware attack at a critical point before an election could limit access to information and has the potential to undermine public confidence in the election itself."
States have made strides in protecting voter databases, but not all states are entirely there yet.
- “In a utopian world, that’s how the process would work,” said Brian Varner, a researcher at Symantec who recently discovered at least one instance where the utopia never came to fruition.
- Varner presented research at the DEF CON conference about a state that inadequately separated its elections computers and databases from other state systems. Hackers who infected one of those other systems could hypothetically work their way back to the election systems.
2. TrickBot now steals phone accounts, too
TrickBot, a major player in financial malware, now has the ability to steal phone accounts, too, according to a new report from Secureworks.
Background: TrickBot has traditionally been a financial trojan, a class of malware that sends users to fake login pages for financial institutions to pilfer usernames and passwords.
Teach an old bot new Tricks. The latest version of TrickBot uses the same tactic to swindle mobile phone account usernames and passwords.
- Taking over phone accounts is useful for hackers because people often use their phones to verify their accounts in case of lost passwords.
3. Cybercrime to reach $5 trillion a year by 2024
My job appears to be secure.
Driving the news: A new report from Juniper Research pegs cyber crime to grow 11% a year over the next 5 years, from $3 trillion to $5 trillion.
4. In case you missed last week:
Update on telephone primaries (Codebook, Bloomberg): At the beginning of the month, Codebook reported on the potential problems for vote-by-phone caucuses being offered in Iowa and Nevada, part of a Democratic Party national initiative to expand access to the quirky system for primaries.
- Party experts demonstrated they were able to hack into a conference call held by the DNC Rules and Bylaws committee, who met this week to determine if the phone caucuses passed security muster.
- That has led to questions of whether a secure system will be ready in time for the election.
Facebook faces new election woes (Reuters, Facebook, Axios): Nonprofits funding a series of disinformation studies announced by Facebook threatened to pull their funding after allegedly not receiving all of the data they were promised.
- Meanwhile, Facebook released emails on Friday showing the site was aware of a data scraping problem involving Cambridge Analytica as early as 2015.
- Facebook will also now require political organizations placing ads to include more information.
New details on the Hexane threat (Secureworks): Secureworks added new information on Hexane, the nation-state-backed espionage group targeting the oil and gas industry that it believes operates out of the Middle East. Secureworks calls the group Lyceum.
- The Lyceum report is based on a more "full aperture" of the group, Rafe Pilling, senior security researcher at Secureworks Counter Threat Unit, told Codebook.
- The report details new bespoke malware.
- Pilling notes an interesting quirk with the group: The malware is not particularly sophisticated, though the tradecraft of the human operators of the malware is far more mature.
When do hackers use bots? (Arkose): Arkose, a security firm focused on preventing fake logins, released statistics on attacks on Monday with a few surprising implications.
- It's well-known that attackers often use bots for automated login attacks.
- CEO Kevin Gosschalk tells Codebook that the data shows there are a few occasions when humans are more likely to man an attack than bots.
- "It's profit margin," he said. During tax season, when people are likely to have deposited their refund checks, humans are more likely to be behind attacks. The rest of the time, bots tend to be behind the attacks.
- Similarly, bots are almost always behind login attacks on video game accounts, where in-game equipment and gold can be resold but the profit is thin. But hacking a retail site account is more likely to get a human touch.
- Ultimately, it comes down to humans being more expensive to rent — high-margin attacks are the only time they pay off.
5. McAfee headed to IPO: Report
Bloomberg reports that McAfee may be headed to an IPO with at least an $8 billion valuation, led by Bank of America and Morgan Stanley.
$8 billion is a milestone number for the firm, slightly more than former owner Intel paid for it. Intel has since spun off the company.
6. Odds and ends
- The accused CapitalOne hacker is also accused of cryptojacking. (Seattle Times)
- Recorded Future charts a steep decline in hacktivism. (Recorded Future; for prior work in the same vein, see Axios)
- A breach at hosting company Hostinger may affect 15 million users. (Hostinger)
- There's a hip new way to use internet of things protocols to launch DDoS attacks. (ZDNet)
- The cybersecurity firm Imperva was breached. (Krebs on Security)
- Researchers found a way to clone Tesla's latest key fobs, ones the car company designed to replace the last ones the same researchers demonstrated how to clone. (Wired)
- French police hijacked a cryptomining malware's control infrastructure, commanding 850,000 computers to delete the malware. (FranceInter)