Nov 20, 2018

Axios Codebook

Joe Uchill

Welcome to Codebook, the only cybersecurity newsletter that doesn't like any Thanksgiving foods. Come at me.

Situational awareness: North Korea-linked hackers are suspected in another financial institution heist.

If you've got tips or story ideas, I'd love to see. Just reply to this email.

1 big thing: How California spent its way to more reliable elections

Illustration: Aïda Amer/Axios

Most states can't afford the complete election system overhauls security experts believe they need. But California has budgeted for election cybersecurity at a level most states could never manage without federal funding.

The big picture: With enough money, elections in every state could look like California's.

What they're saying: "Secretaries of state know what the recommendations and best practices are — paper ballots, post election audits — we know all of those things," says California Secretary of State Alex Padilla. "But states and local governments need the resources to implement it."

The investment: Per the secretary of state's office:

  • The state of California allocated $134 million for new voting machines. With a dollar-for-dollar match from local governments, that's nearly $270 million.
  • California also spent $3 million on an Office of Elections Cybersecurity.

That's about $7 per Californian, on top of an election system that this year already followed the two most universal recommendations for running a secure election: ballots that leave a paper trail, and post-election audits to confirm that the machines counted as intended.

  • The new funding for machines isn't solely about security. It's also about machines at the end of their working lives.
  • Much of the voting infrastructure in the U.S. was purchased during the last wave of federal funding under the Help America Vote Act (HAVA) in 2002.
  • Age is a factor in many of the machines that malfunction. It might not be a hacker changing your vote; it might just be the ravages of time.

Congress did pass legislation before the election distributing leftover HAVA funds to states for election cybersecurity. But there wasn't much of it.

  • California received $34 million — less than $1 a person and nowhere near enough to do the type of machinery overhaul planned with state funds.

California's Office of Elections Cybersecurity served this election mainly as a platform to head off misinformation about voting procedures and polling places: the social media version of the old dirty trick of sending people to the wrong polling place or giving them the wrong instructions.

  • The state monitored social media, flagging 276 posts containing false or misleading information; 272 were taken down.
  • The office advertised on social media to provide accurate information about voting.
  • It also allowed Padilla to directly email correct information, including how to check registration status, to all California residents with email addresses on file.

Emailing residents is a why-doesn't-everyone-do-this type of move. "We are now the one official reliable source of information about the election," says Padilla.

  • In California, where midterm turnout appears to have been the highest since 1982, it provided a second benefit: the rate at which people called voter help hotlines to find out where to vote decreased.
  • That's two wins in most secretaries of state's books — more voters with an easier time voting.

The bottom line: Any state with leaders who honestly aim to maximize security and voter participation could implement all of this, for a price. But the mandate to strengthen the election system, given by everyone from The Incredible Hulk to the vice president, is still unfunded.

  • "If it was easy for states to do, then it'd be done already," says Padilla.

2. Ivanka used personal email for official business

The Washington Post reports that Ivanka Trump used a personal email account hundreds of times for official White House business. Keen-eyed readers may notice a few parallels with a Hillary Clinton scandal that Ivanka's father made a key point of in his presidential campaign.

Both Clinton and Trump claimed they didn't understand the rules for email.

The scandal: Trump's use of personal email accounts was discovered during a public records request.

  • The White House told the Washington Post that no classified information was contained in the emails. As with Clinton, classification is not the only security concern: foreign intelligence services use even unclassified private information to gain leverage in negotiations.
  • As with Clinton, there has been no reported evidence that the account was in any way compromised.
  • Unique to Trump, White House employees must abide by the Presidential Records Act, under which even business-related emails sent from personal accounts have to be archived. Trump had not been doing this, per the story; her past emails have since been archived, and she has been coached on email protocol.

President Trump's supporters still chant "lock her up" at rallies. Democrats' schadenfreude can be heard from space.

3. Fancy Bear debuts malware with unusual twist

Putin has a new doorway into systems! Photo: Alexei Druzhinin/TASS via Getty Images

Researchers at Palo Alto Networks discovered new malware being used by the believed-to-be Russian intelligence group Fancy Bear.

Why it matters: The "Cannon" malware uses email to communicate with its command and control server. That's not common in malware right now, says Jen Miller-Osborn, deputy director of threat intelligence for Palo Alto Networks' Unit 42 research team, and doesn't appear to be something Fancy Bear has ever done before.

Details: Cannon is a new first stage for multistage attacks: it reports basic information about the infected machine to its command and control servers and downloads additional malware.

  • It has only been observed in a single campaign, in which malware was sent to government officials in North America, Europe and a former Soviet state, according to Palo Alto Networks.

The intrigue: "So we also don't know if the email technique is a one-off or something they are starting to use," says Miller-Osborn.

4. An Instagram security flaw may point to a larger problem

As The Information first reported Friday, Instagram notified some users that their passwords had been exposed in the web address when they used the site's "Download your Data" feature.

Here's the thing: Passwords normally travel only inside an encrypted connection and are stored only as salted hashes, never as the password itself. A password that shows up in a web address has left that protected path: URLs are written to browser history, web server access logs and proxy logs, where they outlive the TLS session that protected them in transit. This glitch implies that passwords spend more time at Instagram in plaintext than would be ideal for the Facebook-owned product.
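To make that concrete, here is an added example (not Instagram's or Facebook's code, and not part of the original newsletter) of the check an operations team would run after an incident like this: scan web server access logs for request lines whose query string carries a credential-like parameter, and redact the values before the logs are kept or shipped anywhere. The log lines, paths and the list of sensitive parameter names are all constructed assumptions for illustration.

```python
"""Find and redact credentials leaked through URL query strings in access logs.

Added example for the Instagram item above. The log entries, paths and
parameter names below are constructed for illustration, not taken from any
real system.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that should never carry a real value in a URL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret",
                    "token", "access_token", "api_key"}

# Request line inside an Apache/nginx "combined" log entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/[\d.]+)"')

# Constructed sample log. Entry 2 shows the failure mode: a form submitted with
# GET puts the password in the request line, and entry 4 leaks a bearer token the
# same way. The POST in entry 3 carries its credentials in the request body,
# which the server does not log.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Nov/2018:10:01:02 +0000] "GET /accounts/login/ HTTP/1.1" 200 1532',
    '203.0.113.5 - - [16/Nov/2018:10:01:09 +0000] "GET /download/request/?email=alice%40example.com&password=Hunter2%21 HTTP/1.1" 302 0',
    '198.51.100.7 - - [16/Nov/2018:10:02:30 +0000] "POST /accounts/login/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [16/Nov/2018:10:03:11 +0000] "GET /api/me?access_token=eyJhbGciOi HTTP/1.1" 200 411',
]


def leaked_params(target):
    """Return {name: decoded value} for sensitive parameters in a request target."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_target(target):
    """Replace sensitive query values so the request line is safe to retain."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (entry_no, method, [param names]) for each entry leaking a credential."""
    findings = []
    for entry_no, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not a request line we understand; leave it alone
        leaked = leaked_params(match.group("target"))
        if leaked:
            findings.append((entry_no, match.group("method"), sorted(leaked)))
    return findings


def redact_log(lines):
    """Return a copy of the log with credential values in request lines replaced."""
    def fix(match):
        return '"{} {} {}"'.format(match.group("method"),
                                   redact_target(match.group("target")),
                                   match.group("version"))
    return [REQUEST_LINE.sub(fix, line) for line in lines]


if __name__ == "__main__":
    for entry_no, method, names in scan_log(SAMPLE_LOG):
        print(f"entry {entry_no}: {method} request leaks {', '.join(names)}")
    print("\nredacted log:")
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

The scanner only catches parameter names it knows about, so the durable fix is upstream: credentials go in a POST body (or an Authorization header) and never in a URL, and log pipelines strip query values for any parameter not on an explicit allow list. Redaction after the fact limits the damage but does not undo whatever copies of the logs already exist.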

5. We don't know if Russian spies impersonated a State Dept. official

Researchers at FireEye were first to note that a widespread phishing campaign bore a resemblance to the work of Cozy Bear, a believed Russian spying operation distinct from Fancy Bear (mentioned above). FireEye reaffirmed Monday that it is not ready to attribute the attack to Cozy Bear.

Why it matters: The campaign, which FireEye still considers likely to be from Cozy Bear, would be the group's first appearance in more than a year. These hackers are a serious threat, and their return would be notable.

FireEye will continue investigating to make a firmer attribution.

The intrigue: This phishing campaign used malware that would be easily caught by an antivirus program. If the attackers are, in fact, Cozy Bear, FireEye tells Axios that might actually be a sign the hackers are using this campaign as a smokescreen for a more covert attack.

Go deeper: FireEye first made the announcement last week and followed it up with new details on Monday night.

6. Odds and ends
Happy Thanksgiving from your Codebook family!

We're taking the holiday off. See you in a week!