Welcome to Codebook, Axios's cybersecurity newsletter.
Codebook is pleased to announce AXIOS on HBO debuts 6:30 p.m. on Nov. 4. Catch all four episodes on Sundays in November. It's a news program with an Axios twist, meaning they rejected my proposal to make it a Sopranos spinoff. In episode 2, I would totally have shot a guy.
Tips? Please reply to this email.
Photo: Alfexe/via Getty Images
Last Thursday Bloomberg reported that authorities were investigating server motherboard manufacturer Supermicro for shipping equipment implanted with chips that China could use to spy on users.
The piece was a bombshell, but a raft of vehement denials from everyone involved — including Apple and Amazon, which Bloomberg claimed discovered the secret chips in their own servers — has made the story increasingly hard to believe.
Why it matters: If the piece is a mistake, it is not a small one. Shares in Supermicro stock dropped more than 50% after the story, wiping away nearly $600 million in market cap. But this isn’t just about one firm’s fortunes. The kind of sabotage described in the story, if real, could compromise major institutions.
It's hard to believe that Amazon, Apple and Supermicro are all fabricating their emphatic denials of the Bloomberg story.
The big question: Flustered cybersecurity pros have been left wondering how much of the story is accurate. The expert consensus is that it's more likely that Bloomberg is wrong than the companies and government agencies are lying.
Around Washington: Early Friday, one lawmaker’s office hinted to Codebook that Bloomberg's article might be accurate — but backtracked later in the day. Also on Friday, Sen. Gary Peters (D-Mich.) sent a letter to Secretary of Defense Jim Mattis asking about armed forces’ knowledge and exposure.
Bloomberg stands by its story, per this statement: "Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews.
Our thought bubble: It’s possible that well-meaning sources confused malware Apple reportedly found in Supermicro firmware with a hardware-based espionage campaign. The two are not equivalent — the firmware problem was quickly dealt with.
Glass houses disclaimer: Reporters make mistakes. Codebook makes mistakes. Sources are sometimes wrong. And good journalism often necessitates anonymous sources.
Google confirmed Monday that its largely forgotten social media network Google+ had a security flaw that exposed data on 500,000 users. An earlier Wall Street Journal report claimed the company had opted not to publicly disclose the data leak out of fear regulators might crack down on the site.
The big picture: The data leak, it appears, was not the huge security problem it sounds like and got portrayed as on social media. That doesn't mean hiding the leak was the right thing to do.
Optics aside, this doesn't appear to have impacted any of the 500,000 users in any way.
The details: The Google+ post-mortem of the incident — in which it says that it's shuttering Google+ for consumers — explains that the flaw was in a data-requesting interface for developers known as an API.
This isn't a data breach. Codebook has discussed in the past that this isn't what most people would consider a data breach. It does not appear that anyone's data was maliciously accessed.
This isn't as bad as those security lapses where data on cloud storage sites get exposed due to misconfigured settings.
Google avoided EU GDPR disclosure rules since it discovered the security issue before GDPR took effect.
Go deeper: Brian Fung at the Washington Post makes a good point that the security surrounding unused accounts, like inessential social media networks, is no laughing matter.
Photo: Josh Edelson/AFP/Getty Images
In the same blog post, Google announced that it would crack down on developers accessing Gmails and private communications information on Android cell phones.
Why it matters: Tons of web applications and phone apps (more than you'd expect) ask for permission to read or write emails, SMS messages, phone logs and phone calls. If you didn't take note of the warning screen saying the apps could do this, you might not realize the permission you gave away.
The details: Google will only allow apps to read Gmail if they enhance the mail experience. They will limit the number of apps that can access the phone calls and SMS messages and bar certain details about interactions with contacts.
A new report by CrowdStrike notes that Chinese industrial espionage has increased in the last quarter, although the increase is in line with what they’d been seeing in previous quarters.
“There was no giant spike. There’s a very consistent commercial espionage growth rate,” says Jen Ayers, vice president of CrowdStrike’s OverWatch team, whose data makes up the report.
Also interesting: OverWatch is seeing cryptominers take more of a “hands-on" approach to infecting computers.