November 07, 2019
Welcome to Codebook, the cybersecurity newsletter honing its play-by-play skills just in case hacking becomes a televised sport.
Today's newsletter is 1,691 words, a 6-minute read.
1 big thing: All infrastructure is election infrastructure
Protecting elections from hacking threats means a lot more than protecting election systems from being hacked. Malicious hackers can find plenty of other ways to interfere with elections — notably by discouraging voting through election-day attacks on municipal systems.
Driving the news: Security firm Cybereason has been exploring that kind of election tampering in a series of tabletop simulations over the last year. Tuesday, at the third exercise — essentially a Dungeons and Dragons-style game for law enforcement, government employees and security researchers — a "red team" pretended to attack a city, while a "blue team" defended it.
How it works: Imagine a strategically placed traffic jam outside a polling place in a heavily Republican district. A hacker tampering with traffic lights is just one way someone could sway an election by influencing which voters can show up, all without touching the systems most associated with voting.
- With so much focus on voting machines, we may be missing the threat of these kinds of attacks.
Here are additional lessons from Cybereason's games:
1. Everything is a weapon. The red team has used transportation, energy and gas, telecommunications, and government and emergency services networks in attacks. And it's easy to see how any aspect of infrastructure could be weaponized on Election Day, from causing a run on banks to starting a fire in a strategically chosen factory.
2. A key term to know: asymmetry. The main goal of local law enforcement, the first people who would respond to this type of attack, is to protect public safety. The main goal of someone disrupting an election is to, well, disrupt an election. The goals are asymmetrical — they don't require one group to lose for the other one to win.
- That's something that could be exploited by the attacker. A fire at a factory near a polling place might mean city officials reroute voters to a different polling place. The city wins because people stay safe, yet the attacker wins because casual voters won't put in the extra effort to figure out where they need to go to vote.
3. It's good to have friends. Teams, often composed of law enforcement officials, have struggled to quickly call in federal agencies to handle the problems only federal agencies are equipped to solve or to request state resources when the local police are overburdened.
4. Worry about more than social media: Since 2016, the public has come to realize that social media disinformation is cheap and requires little technical background to launch. But it's not necessarily the most effective way for a sophisticated attacker to shape an election.
- Social media meddling is "low-hanging fruit," said Sam Curry, chief security officer at Cybereason.
- But it's a limited tool for affecting votes in terms of reach, effectiveness and time before being identified. For someone with technical skill, the traffic jam may cause more chaos and affect more votes.
The bottom line: The frightening truth is that all critical infrastructure is election infrastructure. Weak links anywhere can be exploited to shape how voters act.
2. Elsewhere in elections
With a year to go before the 2020 election, and resurgent discussion of election security, let's take stock of the overall election security picture.
Paper trails: If you know only one thing about election security, it's that the most pressing issue has been assuring an auditable paper trail of votes. John Oliver presented a well-received piece on the topic Sunday, and even the star of "CSI: Cyber" is down.
- The crux of the issue: If you can't audit the votes that were cast, we'll never know whether a voting machine was hacked.
- While that problem gets a lot of public attention, the progress states have made on the issue since 2016 does not.
- By 2020, a number of new states will use verifiable methods. Pennsylvania will require verifiable voting machines, as will Virginia, Michigan, South Carolina and Arkansas. Georgia was ordered to replace its old machines by a federal court. Other states, including Colorado, Florida and Nevada, have made progress.
Funding: Elections officials in states where some machines don't have a paper trail tell Codebook that the problem is cost, not will. That's where the federal government could help.
- According to the Brennan Center for Justice, it will cost around $2.2 billion every five years to address election security. Congress has allotted substantially less — hundreds of millions of dollars — as a one-time payment.
- The cost is so high in part because voting machines need to be replaced every 10 years or so.
Beyond voting machines: Voting infrastructure isn't the only infrastructure that could affect the election (see above). But voting infrastructure is also more than voting machines. As a baseline, states need (and are making some progress on):
- Securing voter registration systems.
- Funding the vote audits to make sure the votes are accurate. In fact, Joe Kiniry of the security firm Galois, currently working on a DARPA grant to develop secure voting technology, said a nationwide risk-limiting audit was his top priority for 2020.
- Increasing IT staff.
And beyond that baseline, states are finding plenty of other ways to bolster security, like California's anti-disinformation efforts.
Elections remain harder to hack than a lot of people think.
- One of my nitpicks with the John Oliver piece is that it tries to show how easy it would be to find a machine, unguarded the night before an election, that could be readily hacked in person.
- But the best practice for voting machines is to seal them until the day of elections, making that hacking risk substantially smaller than Oliver describes.
- Though there are other ways to hack some models of machines, hacking machines across a big state, one at a time, during an election does not look like a realistic way to sway a national election.
3. Codebook club: "Sandworm" by Andy Greenberg
Wired reporter Andy Greenberg's new book "Sandworm" is the most detailed account yet of Russia's most destructive government-backed hackers.
That group, known as Sandworm, twice crashed the Ukrainian power grid, attempted to sabotage the South Korea Olympics, hacked U.S. elections boards, and launched the NotPetya malware, often described as the most destructive cyberattack in history.
Why it matters: If Russia ever digitally destroys something in the United States, it would likely be at Sandworm's hands, not Fancy Bear's.
- "I feel like I want to grab people by the lapels to tell them to pay attention to Sandworm," Greenberg told Codebook.
"Sandworm" succeeds where a lot of cybersecurity reporting fails, covering the human cost of cyberwarfare.
- Greenberg takes you inside Maersk, the shipping giant, as NotPetya crippled its awareness of what products were on which boats.
- He tells a new story of how NotPetya put U.S. patients at risk by damaging the transcription company, Nuance, that many doctors use to record notes.
NotPetya was deployed in a way that infected as many computers as possible, both in Ukraine and connected to Ukrainian networks. That meant a staggering number of international companies lost huge amounts of data.
- Greenberg spoke to a hospital employee who frantically transcribed notes, with little time before surgery. Getting those wrong could have been devastating.
- "That staffer still feels haunted. She can't say for certain if that meant someone was harmed," said Greenberg.
4. Kaspersky finds lost threat group
Researchers at Kaspersky found traces of a threat group that had been identified in leaked NSA documents but that private-sector folks had never seen before.
Why it matters: Two and a half years after the ShadowBrokers leaked NSA documents, researchers are still making new discoveries. While it's unlikely to lead to another WannaCry, the work fills in even more gaps about what the NSA knows and we don't, and what the NSA is able to do that we don't know about.
Background: Documents leaked by the ShadowBrokers, the colorful hacker group remembered for leaking an NSA hacking tool that caused massive devastation, include code used by the NSA to identify whether other hackers reached a server before an NSA hacker did.
- One of the checks used identifiers for attacks the private sector was unfamiliar with.
Enter the DarkUniverse: The group has now been rediscovered by Kaspersky, who nicknamed it DarkUniverse.
- DarkUniverse appears to have been active between 2007 and 2017, and Kaspersky identified targeted systems in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates.
- There are substantial overlaps between DarkUniverse and malware known as ItaDuke, used to surveil Tibetan and Uighur targets.
- The country backing DarkUniverse has not been identified, although it would be tempting to infer that any hackers spying on Tibet and the Uighurs come from China.
5. Other news
Twitter employees arrested for spying for Saudi Arabia (Axios): Federal officials charged two Twitter employees and a third man who supplied dissidents' personal information to Saudi authorities.
- One of the breached accounts belonged to a Saudi dissident, Omar Abdulaziz, who had been close to slain Washington Post columnist Jamal Khashoggi.
Law letting Russia unplug from the internet takes effect (MIT Tech Review, Axios): On Nov. 1, a Russian law went into effect allowing authorities to disconnect the nation from the global internet, ostensibly to test whether or not it could withstand a massive cyberattack.
- That reasoning doesn't ring true to experts.
- The general consensus, given other provisions in the law that require Russia to create a domestically located internet switchboard, known as a DNS, and ISPs to install surveillance software, is that this is Russia's first step toward a China-style massive internet censorship operation.
- "If this gets implemented, it's a huge blow to an open internet," said David Belson, senior director of internet research and analysis at Internet Society.
Smart speakers are dumb to lasers (Light Commands): A global team of researchers has developed a mechanism to command smart speakers using lasers.
- This is, objectively, extremely cool science.
- It's not, however, a very useful form of attack. If hackers are close enough to your smart speaker to fire a laser at its microphone, they can just give it a voice command.
6. Odds and ends
- A Trend Micro employee stole and sold private information from 120,000 accounts. (Trend Micro)
- Phishing pros now use Google Analytics, just like normal web pros. (Akamai)
- 93% of global voters faced election interference from their own country in 2018. (Axios)
- Cloud provider Cyxtera spun off its security holdings. (Cyxtera)
- The company once called Symantec is now known as NortonLifeLock. (Symantec)
- There was a ransomware flurry in Spain. (Ars Technica)
The Browns, who you suckers told me to bet $5 on, were unable to defeat even a struggling Broncos team with a backup quarterback, despite Cleveland quarterback Baker Mayfield's facial hair mysteriously shrinking throughout the day.
We'll be back next week, I hope.