Jun 13, 2019

Axios Codebook

Situational awareness: A controversial bill allowing companies to "hack back" in some circumstances will be reintroduced today in the House.

Welcome to Codebook, a perfectly acceptable cybersecurity newsletter.

Today's Smart Brevity: 1,324 words, ~5 minute read

  • We've been including word count and time to read at the top of each of our newsletters. Now, we want to hear from you — love it or hate it? Click here for love and here for hate. We'll share the results next week.
1 big thing: Why hackers ignore most security flaws

Illustration: Sarah Grillo/Axios

A recent study found that only 5.5% of security vulnerabilities discovered by researchers were actually ever used by hackers.

Why it matters: That number makes instinctive sense to experts but can seem counterintuitive to anyone outside the field. That's because all vulnerabilities are not created equal — and in a world with hundreds of bugs released a week, prioritizing the important ones is key to any defense.

The big picture: If the 5.5% statistic sounds jarring, you're not alone. Jay Jacobs, chief data scientist, founder and partner at Cyentia Institute and the lead author of the study, says he thought it'd be higher, too.

  • "When I first started working with vulnerabilities, I had that reaction," he said, "I saw that and thought the data must be wrong. I went to an expert to ask if the data seemed normal, and he said [nonchalantly] yeah, why?"
  • "You want to think it's like animals in the wild, and the vulnerabilities are their food sources. Why wouldn't they take all the food sources?"

The reasons they wouldn't can vary. Most hacking is criminal, not espionage, and criminal hackers tend to make decisions based on hacking the most computers with the least amount of effort. Not all vulnerabilities are easy to use, and not all of the easy-to-use vulnerabilities are in products that are widely deployed.

The impact: The number of vulnerabilities used by hackers matters because there are far more new vulnerabilities each month affecting any organization than any organization can patch.

  • In fact, in research he published in conjunction with Kenna Security, Jacobs found that organizations only patch 10% of newly found vulnerabilities each month regardless of the organization's size.
  • Patching isn't just a matter of hitting the "update" button. Updates, while critical, can sometimes interfere with crucial software and often need to be tested before being applied.

What's needed: That makes prioritizing vulnerabilities key. And that means taking several factors into account.

  • Companies often are quick to assume that the most important factor is the most obvious one: the severity of a bug. But understanding the exposure of a system to attacks and what defenses are already in place are equally important.
  • "Organizations that are more mature will overlay asset management. If a high severity bug is in a server that’s better positioned, it might be able to wait," said Katie Moussouris, founder and CEO of Luta Security.

One factor not to take into account? Us. Or more accurately, media exposure of a vulnerability in general.

  • "If you read the announcements, everything is the end of the world," said Renaud Deraison, co-founder and CTO of Tenable, whose products manage vulnerability patching.
  • Tenable released a study last month demonstrating that there's no correlation between the amount of media attention a vulnerability receives and the urgency of patching it.
  • Take for example the recent series of microprocessor vulnerabilities at Intel and other companies. "Everyone went to patch their CPU. It was a very disruptive, a very invasive thing to patch, and in the end, there wasn’t an attack," he said.
2. Google sibling Jigsaw purchased a Russian troll campaign

Jigsaw, the public service company owned by the parent company of Google, purchased a commercial social media trolling service to study its actions last year, Wired reports.

Why it matters: The campaign, which Jigsaw had conducted in Russia around the least consequential issue they could find, netted some interesting results. But it also raises a question of the ethics of purchasing such a campaign.

Details: The Jigsaw campaign centered on a decades-old Russian debate about whether Joseph Stalin was a hero or an embarrassment.

  • Jigsaw first set up a legitimate looking website called "Down With Stalin," then hired the firm SEOTweet to run a disinformation campaign to discredit the site.
  • SEOTweet offered to take down the site using fraudulent complaints for $500. Jigsaw chose a cheaper option, a 2-week disinformation campaign for $250.
  • The campaign resulted in 730 tweets from 25 different accounts, and 100 forum posts.
  • SEOTweet, "without any guidance from Jigsaw," appeared to assume the campaign was really about Russian politics. Many of the tweets took a pro-Putin stand.

The fallout: The campaign was deliberately small. But the optics of even a small campaign could have consequences, both in terms of U.S.-Russian relations and Russian national politics.

  • Ultimately, this was a U.S. firm interfering in Russia's affairs, something the U.S. claims to be against.

Meanwhile, Twitter released a summary of inauthentic account removals Thursday, including nearly 5,000 accounts from Iran, 4 from Russia and 33 from Venezuela. Perhaps most unexpected, Twitter downed 130 accounts from the Catalan independence movement in Spain.

3. Lessons from 5 years of free cybersecurity for at-risk groups

On Feb. 26, 2014, thousands of pro-Ukrainian activists and Crimean Tatars came to show their support for the territorial integrity of Ukraine. Photo: Pavlo_Bagmut/Barcroft Media via Getty Images

Cloudflare's Project Galileo, which offers free high-tier DDoS protection service to journalists, dissidents, civil liberties groups and other at-risk groups, turned 5 years old this week. The project currently serves over 600 accounts.

Why it matters: An LGBT protection group in the Middle East, for example, does important work on a shoestring budget and cannot possibly afford to block the outsized number of attacks it could face from governments and even citizens.

  • Project Galileo isn't the only commercial cybersecurity service offered to at-risk groups, but it is one of the first and the most successful.

Background: "Project Galileo originally started from a failure to live up to what was originally our mission to make a better internet," Cloudflare CEO Matthew Prince told Codebook.

  • One morning in 2014, said Prince, he was looking over statistics of which customers faced attacks that had exceeded their coverage overnight.
  • "I was walking to work and was reading the report and one of the sites jumped out to me, and I went to pull the site up on my iPhone. It wasn’t loading — so I pulled up the Wikipedia page and it was one of the largest newspapers in the Ukraine," he said.
  • Russia had invaded Crimea earlier that morning.
  • "I felt sick to my stomach," said Prince.

The impact: 5 years later, here's what Cloudflare has learned from offering the service:

  • The at-risk groups are really at risk. In the month before we set up our interview, every Galileo client was attacked. 60% of the sites face daily attacks.
  • It's hard to decide which potential clients are worthy. Prince said Cloudflare's best decision was to take the decision out of its own hands and outsource it to a group of civil liberties organizations.
  • Even meeting his clients puts them at risk. "A civil liberties group arranged for some African journalists in Galileo to meet with me in San Francisco," Prince said. "One was from Angola, one was from Ethiopia and the third couldn't tell me because there were death squads looking for him."
4. In case you missed last week

Huawei cancels laptop: Huawei canceled a Windows laptop launch after being blacklisted from buying products from American companies by the U.S. Department of Commerce. (Axios)

ES&S nixes paperless voting: Election Systems & Software, a voting systems giant, "will no longer sell paperless voting machines as the primary voting device in a jurisdiction," the CEO wrote in an opinion piece. (Roll Call)

  • Voting machines that provide a paper backup of some kind, either as a receipt or as an optical scan ballot, can be audited if there is indication of vote manipulation.
  • The company will also back more "robust" testing of voting machines at a state and federal level, according to the piece.

Gaming industry facing hackers: The gaming industry saw 12 billion credential-stuffing attacks in a 17-month period starting in November 2017. (Akamai)

  • Credential-stuffing attacks use lists of email addresses and passwords harvested from data breaches to find accounts on websites where users reused their passwords.
  • 12 billion attacks is significant because it's more than 1 in 5 of the total credential-stuffing attacks Akamai saw over the period.
5. Odds and ends
  • A DDoS attack that knocked Telegram offline may have been tied to the Hong Kong protests. (Tripwire)
  • The House version of next year's Defense Authorization Bill passed in committee and contains several cyber provisions. (Just Security)
  • Senators inquired about the FBI's investigation of a hacked election contractor in Florida. (Sens. Wyden and Klobuchar)
  • The New York Times rounds up 150 privacy policies. (NYT)
  • S&P warns Huawei ban could hurt the U.S. in the long term. (ZDNet)
  • Crypto-mining hackers develop targeted tools. (Trend Micro)
  • A spy might have used AI-generated faces to add legitimacy to a LinkedIn campaign. (Associated Press)
  • CrowdStrike launched its IPO. (Axios)
  • Facebook is either worried Mark Zuckerberg emails may show he knew about privacy concerns before controversies started, or it isn't. (WSJ, CNN)

Codebook will return next week.