Aug 9, 2018



Welcome to Codebook, coming to you from Black Hat and DEF CON in Las Vegas. Strangest slot machines I've seen so far: Goonies, Seinfeld and National Lampoon's Vacation.

Tips? Please reply to this email.

1 big thing: Google's Parisa Tabriz on turning knowledge into action

Parisa Tabriz speaks at the Silicon Valley Comic Con in 2016. Photo: Kimberly White/Getty Images for AMC

In 1994, Netscape Navigator developed the secure browsing standard — HTTPS — that is still used today. For more than 20 years, cybersecurity pros knew that needed to be what every site used. And yet, it wasn't.

It's a common scenario in the security world: Knowing how to protect billions of users isn't enough to force the cultural shift it would take to accomplish it.

The latest: Parisa Tabriz, head of Google's Project Zero, and an accomplisher of big things (including forcing sites to use HTTPS by default), outlined an operable battle plan at the Black Hat conference to make those kinds of shifts from knowing what needs to be done to actually getting it done.

  • "I want people to leave optimistic," Tabriz told Codebook before her keynote speech at the huge security conference this week. "Black Hat tends to focus on doom and gloom."

The doom and gloom comes from presentations on security problems that could have been solved if only products met very minimal security standards. It's easy to lose heart when, year after year, presentations boil down to "keep software up to date" and "enable two-factor identification."

Project Zero is tasked with finding security flaws in any vendor's product. If the vendor doesn't provide a solution in 90 days, or at least show considerable progress, Google will publish the flaw.

  • When it was announced, there was a lot of pushback. Vendors worried that they wouldn't have time to fix vulnerabilities, and users worried that Google publishing unpatched vulnerabilities would be a how-to manual for hackers.
  • "We’ve actually seen people investing in improved processes to handle disclosure," said Tabriz. About 98% of the companies the project contacts currently make the deadline.

How to change something: During her keynote, Tabriz suggested focusing on three things:

  • Tackle the root cause of the problem. This limits the total number of difficult problems you have to solve.
  • Pick milestones and celebrate achieving them. This breaks down solutions into achievable goals and lets the broader culture catch up with the new reality.
  • Build coalitions. This may be the most difficult.

How to build coalitions: "Broaden your perspective. Leave your office more to meet other types of people and learn to articulate to other stakeholders," she told Codebook.

  • "We used to have a red lock with an 'X' to denote that a site was not secure. That made sense to us. When we asked users, they thought it was a purse," she said.
  • Cybersecurity pros often spend more effort learning their craft than learning how to explain it to someone who hasn't been hacking since they were 8. The jargon divide can get frustrating.
  • So ..."Don't be a jerk. There will be times you will need other people to keep a project afloat despite times getting tough."
2. Symantec's race to keep up with new threat groups

Every week, Symantec discovers 10 new groupings of events that may indicate new teams of hackers committing crimes, new nation state threats gearing up for attacks or new clusters of especially active teenagers.

Though Symantec believes it can block the tactics of those groups, that's to0 many to do deep dive research on each of them to better understand if those attacks are related and — if they are —what they are trying to accomplish.

"Even with 150 malware researchers, it's too many to keep up," Liam O'Murchu, director of security technology and response for Symantec, told Codebook at Black Hat.

Why it matters: While it doesn't mean that those bad guys are winning, it does give a sense of the struggle throughout the industry to fully appreciate what's going on.

The back story: Symantec doesn't discover the groupings entirely by hand anymore. They use an automated system to find potential groups, allowing them to discover connections humans would miss.

  • Symantec prioritizes full research treatment for particularly sophisticated groups or those attacking sensitive targets, like the military.
3. Cybercrime is organized, but not mob-run

Photo: Tim Carman / The Washington Post via Getty Images

In his Black Hat talk Wednesday and his upcoming book "Industry of Anonymity: Inside the Business of Cybercrime," Jonathan Lusthaus argues that cybercrime isn't as connected to traditional mafias as you — or even criminals — might expect.

Lusthaus, the director of the Human Cybercriminal Project at Oxford, did a seven-year study over 20 countries. While criminals seemed to believe the mob is heavily tied to cybercrime, few could offer concrete examples.

Why not? Because cyber criminals don't have turf wars — there's plenty of opportunity for crime to go around. Because of that, Lusthaus determined, there was no need for the physical protection the mob could provide.

That said, the criminals are still organized. While they may not be connected to a broad, violent network of criminals, they still work in hierarchical groups to maximize attacks.

4. Why Fortnite's exit from Play Store could be trouble

Mobile security experts Codebook spoke to at Black Hat were not impressed by Epic Games' decision to offer an Android version of its blockbuster game Fortnite without using the Google Play store.

Why this is bad: The Google Play store is a "walled garden," a tightly controlled environment that allows Google to check all apps for malware. By default, the only app store Android phones can use is Google's.

  • But Android is meant to be an open platform. Users are allowed to shut off the Google Play-only requirement, at their own peril.
  • Many off brand stores are full of malware-laden knock-offs of popular apps.

So, why do it? The Google Play store charges a 30% commission for sales on its store. Epic can enjoy far more profits by circumventing the Play store.

What they're saying: "If other major developers follow Fortnite's lead, there could be a collapse of the 'walled garden' system," said one mobile security expert. "That would be a disaster."

5. Odds and ends

Codebook returns on Tuesday.