May 22, 2018

Welcome to Codebook, the only cybersecurity newsletter bold enough to admit those times I chose to purchase new clothing rather than do laundry.

1 big thing: Equifax's top cyber-cop prizes line to the CEO

Illustration: Sarah Grillo/Axios

A year ago, Equifax got hit with a data breach of historic scale: the Social Security numbers for nearly 150 million people. Jamil Farshchi’s job as the credit-rating firm’s new chief information security officer (CISO) is to rebuild Equifax’s defenses.

Farshchi says Equifax has “taken a stand” on cybersecurity and is spending whatever it needs to, with " open checkbook." But key to the turnaround, or to any security regimen, he said, is something any company can do for free: have the CISO report directly to the CEO and the board of directors.

Why it matters (to most consumers): Americans who still feel burned by the credit bureau worry this kind of attack might happen again. Any steps the company can take to prevent such a disaster are worth pursuing.

Why it matters (to Equifax): The breach spurred talks of regulation on a federal and state level. The firm largely seems to have dodged that bullet for now, but a second breach could bring on more oversight.

Why it matters (to other companies): Studies differ, but somewhere around a third or more of CISOs do not report to CEOs or boards of directors. Instead, they report to chief information officers or other executives further down the chain. These firms could consider a reorg of their own.

Done this before: Farshchi came aboard Equifax in February. He says reworking the organizational chart happened between the breach and his arrival, after poor organizational structure impacted how the breach was handled. It's his second time righting the ship for a company after a historic breach, after a role at Home Depot in 2015, back when 50 million users still counted as historic.

The pitch: Giving the CISO the ear of the CEO can not only bolster requests for resources and changes to procedure, Farshchi said, but also change a company’s culture. It strengthens how other employees view the importance of security and increases the chance other top executives will seek out a security opinion when making other decisions.

Coming in after a breach: Farshchi says a CISO’s role changes dramatically after a breach. “Before a breach, your success is dependent on convincing a people about the value of security. I don’t have to do that."

Age-old question: The debate over the CISO’s org-chart standing dates back at least a decade, but the post’s place in corporate hierarchies remains far from a given.

  • Alberto Yépez, managing director of Trident Capital Cybersecurity, described a number of hurdles CISOs face in a blog post last year: CEOs and CISOs "sport substantially different backgrounds, mindsets and business objectives."

Yes, but: That argument represents the conventional wisdom — CISOs get shut out of board rooms because it seems like they speak a different language. Farshchi argues that doesn’t wash. "Legal people speak in jargon," he said. "If there is an inability for a business to understand technology on a high level, it’s incumbent on them to learn it."

2. L0pht returns to D.C., two decades after first testimony

Hackers from the Boston collective The L0pht testified on Capitol Hill 20 years ago this weekend, in what became a landmark moment for the legitimization of white hat hackers and an altogether surreal event in the annals of the U.S. Senate. Today, four of them return to discuss how things have changed.

What they're saying: L0pht alumni Chris "Weld Pond" Wysopal and Cris "Space Rogue" Thomas emailed Codebook to explain what actually did change:

  • Wysopal: "The biggest change in the tech world and the security industry since the L0pht Senate testimony is that hackers are no longer just outsiders, but insiders. Back in the '90s we were explorers sharing what we saw: new societal scale problems from a growing dependence on technology that was built insecurely. We were security critics. Then in the 2000s, the same folks that were independent security researchers started to help fix and build things right."
  • Wysopal: "The sad thing, however, is the things that haven’t changed. In 1998, we noted that software providers had no liability for delivering insecure software, that there were few industry or government regulations preventing insecure software and devices, and that time-to-market trumped security."
  • Thomas: "Over the last 20 years, security went from being discussed in bulletin boards and backrooms, to the headlines and boardrooms. L0pht's warnings from two decades ago still hold true, and even though we've seen great progress there is a lot of work left to do."

3. Report: President Trump refuses to use secure phone

The President Trump refuses to take simple steps to secure the phone he uses to tweet, reports Politico. Those measures include swapping out his phone every month or using a device without a microphone or camera, which could be coopted by hackers for surveillance.

The reasoning: Trump allegedly has told aides that taking these measures — ones his predecessor willingly undertook — would be "too inconvenient."

Why it matters: For the president of the United States, a man literally tasked with managing a team of rocket scientists as one of his many roles, this shouldn't be rocket science.

4. Palo Alto Networks to demo third-party apps

At its annual Ignite Conference today, Palo Alto Networks will demonstrate the first third-party apps able to run on its cybersecurity platform, a "proof of concept" for a model that CEO Mark McLaughlin believes is the future of the industry.

How the framework works: Palo Alto Networks will allow vetted security companies to use the sensors its platform uses to monitor networks and the data it collects. Vendors demoing today range from the biggest companies in the space, like Microsoft, to smaller upstarts, like Colorado-based ProtectWise.

Why it matters to innovation: The cybersecurity industry is due for contraction — there are currently more vendors than is practicable. But McLaughlin argues that shrinking the industry down to a handful of major players will rid it of a lot of the innovation coming from smaller players.

  • He believes the "application framework," as Palo Alto Networks calls it, will maintain an ecosystem of smaller firms, just as the Apple App Store bolstered the ecosystem of software companies bringing functionality to a specific device.

Why it matters to customers: Many vendors agree that the companies they sell to feel overloaded from running multiple platforms at the same time.

  • In order to get the functionality of six different products that approach security in six different ways — from antivirus to monitoring user behavior to protecting email — administrators need to install six different platforms, each with their own interface, alarms and monitoring systems.
  • This new approach cuts the number of platforms to one while maintaining the functionality of however many products a user wants to use.

What others are saying:

  • "We find three things drive customers: time to detection, inability to hire security personnel and focus on high priority threats, and reducing the number of vendors," said Ann Johnson, vice president of enterprise and cybersecurity at Microsoft. "Fundamentally, the application framework will make people more secure."
  • "It will be good for our company, giving us access to Palo Alto Networks' customers," said Ramon Peypoch, chief product officer at ProtectWise. "It's a great attempt to bring products and solutions together."

5. Turning the tables on Nigerian email scammers

Photo: Jaap Arriens/NurPhoto via Getty Images

The email protection group Agari announced the results of an ambitious and — they promise us — legal project to surveil 78 email accounts belonging to so-called Nigerian scammers, both to rescue victims and study the practice.

"We’re using social engineering on them the way they have used it on other people," Markus Jakobson of Agari told Axios.

Why it matters: Studies have examined data provided by victims of Nigerian scams, but this is the first to look at data collected on the other end.

Legal? Agari did not want reporters to reveal the exact methods used to take over the email accounts. But representatives say they've briefed lawyers and law enforcement agencies, including the FBI, none of whom believed there was a legal problem. As described to Codebook, the methods were certainly more aggressive than most traditional research techniques, but appeared difficult to pin down as outright illegal.

The numbers: Nine out of 10 of the scam-spewing accounts researchers observed were actually headquartered in Nigeria at one point during the observation period.

  • The scammers worked for a total of 10 organized crime rings.
  • Most scammers used low yield scams like romance and rental scams as an everyday source of income, and business email compromise (BEC) as a rarer big payday score. Romance scams use fraudulent romantic relationships to extort money or criminal collaboration. BEC convinces users to transfer money to pay off fake invoices, often for large business purchases or real estate.
  • About a quarter of email scams are BEC scams, with sucessful attacks netting an average of $35,000. Out of more than 1,000 emails sent for BECs, four will be successful. But they can be very convincing when opened — four out of every 100 BEC emails opened lead to successful scams.

6. Two new "Spectre" type bugs plague processors

Researchers at Google and Microsoft discovered two new security flaws in microprocessors similar to the Spectre glitch earlier this year. Patches are available and the U.S. Computer Emergency Readiness Team has alerted stakeholders to the potential problems.

Why it matters: For years, microprocessors did not receive the same kind of scrutiny for security issues as software, despite both being critical parts of systems. That's starting to change. There will be more of these before we're done.

7. Odds and ends

Codebook will return on Thursday.