Oct 9, 2018

Axios Codebook

Welcome to Codebook, Axios's cybersecurity newsletter.

Codebook is pleased to announce AXIOS on HBO debuts 6:30 p.m. on Nov. 4. Catch all four episodes on Sundays in November. It's a news program with an Axios twist, meaning they rejected my proposal to make it a Sopranos spinoff. In episode 2, I would totally have shot a guy.

Tips? Please reply to this email.

1 big thing: Bloomberg's fraying spy chip story

Photo: Alfexe/via Getty Images

Last Thursday Bloomberg reported that authorities were investigating server motherboard manufacturer Supermicro for shipping equipment implanted with chips that China could use to spy on users.

The piece was a bombshell, but a raft of vehement denials from everyone involved — including Apple and Amazon, which Bloomberg claimed discovered the secret chips in their own servers — has made the story increasingly hard to believe.

Why it matters: If the piece is a mistake, it is not a small one. Shares in Supermicro stock dropped more than 50% after the story, wiping away nearly $600 million in market cap. But this isn’t just about one firm’s fortunes. The kind of sabotage described in the story, if real, could compromise major institutions.

  • Supermicro products — and the web and cloud services fueled by them — are used by defense, banks, hospitals and other groups.
  • A state election official who spoke to Codebook was concerned that state accounts might have been made vulnerable to attack.

It's hard to believe that Amazon, Apple and Supermicro are all fabricating their emphatic denials of the Bloomberg story.

  • Lawyers who spoke to Codebook said the detailed denials wouldn’t just be a public relations issue if incorrect.
  • “The companies [would] risk enforcement by the FTC for engaging in a deceptive act that is likely to harm consumers,” emailed David Vladeck, Georgetown law professor and former head of the FTC’s Bureau of Consumer Protection, adding, “I am strongly disinclined to think they are lying.”
  • Apple would only have compounded its woes Monday by repeating its claims in a letter to two congressional committees.
  • Homeland Security and the British cybersecurity office, the National Cyber Security Centre, also denied knowledge of Bloomberg’s claims.

The big question: Flustered cybersecurity pros have been left wondering how much of the story is accurate. The expert consensus is that it's more likely that Bloomberg is wrong than the companies and government agencies are lying.

  • One key voice disapproving of the piece is security researcher Joe FitzPatrick, who is quoted in the story. According to the Risky Business podcast, FitzPatrick says he emailed Bloomberg before the article was published that their story "didn't make sense."

Around Washington: Early Friday, one lawmaker’s office hinted to Codebook that Bloomberg's article might be accurate — but backtracked later in the day. Also on Friday, Sen. Gary Peters (D-Mich.) sent a letter to Secretary of Defense Jim Mattis asking about armed forces’ knowledge and exposure.

Bloomberg stands by its story, per this statement: "Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews.

  • "Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. ... We stand by our story and are confident in our reporting and sources."

Our thought bubble: It’s possible that well-meaning sources confused malware Apple reportedly found in Supermicro firmware with a hardware-based espionage campaign. The two are not equivalent — the firmware problem was quickly dealt with.

Glass houses disclaimer: Reporters make mistakes. Codebook makes mistakes. Sources are sometimes wrong. And good journalism often necessitates anonymous sources.

2. The Google+ data leak was a small drip from a big pipe

Google confirmed Monday that its largely forgotten social media network Google+ had a security flaw that exposed data on 500,000 users. An earlier Wall Street Journal report claimed the company had opted not to publicly disclose the data leak out of fear regulators might crack down on the site.

The big picture: The data leak, it appears, was not the huge security problem it sounds like and got portrayed as on social media. That doesn't mean hiding the leak was the right thing to do.

Optics aside, this doesn't appear to have impacted any of the 500,000 users in any way.

The details: The Google+ post-mortem of the incident — in which it says that it's shuttering Google+ for consumers — explains that the flaw was in a data-requesting interface for developers known as an API.

  • When a user used an app to access Google+, the app could access information from friends' accounts if the friends allowed API access. With the flaw, certain information was available even if that friend had chosen to keep the vulnerable info private.
  • Google deletes log data after 2 weeks as a privacy measure. The 2-week sample is limited, but enough to provide a good sense of how apps operated. Google's investigation found none of the 400 or so apps using the API were improperly accessing data.

This isn't a data breach. Codebook has discussed in the past that this isn't what most people would consider a data breach. It does not appear that anyone's data was maliciously accessed.

This isn't as bad as those security lapses where data on cloud storage sites get exposed due to misconfigured settings.

  • Those are common, and those lapses theoretically allow bad guys to sift through every exposed file until they find something interesting. The accounts aren't labeled, so that isn't easy, but it's much easier than discovering and weaponizing a vulnerability in a bespoke API.
  • It's unreasonable to expect that companies never have security flaws in their programs. It is reasonable to expect they search for and fix those problems (which Google did) and keep users apprised of problems that affect them (which Google may not have done, depending on how you define "affect").

Google avoided EU GDPR disclosure rules since it discovered the security issue before GDPR took effect.

Go deeper: Brian Fung at the Washington Post makes a good point that the security surrounding unused accounts, like inessential social media networks, is no laughing matter.

3. Other Google announcements

Photo: Josh Edelson/AFP/Getty Images

In the same blog post, Google announced that it would crack down on developers accessing Gmails and private communications information on Android cell phones.

Why it matters: Tons of web applications and phone apps (more than you'd expect) ask for permission to read or write emails, SMS messages, phone logs and phone calls. If you didn't take note of the warning screen saying the apps could do this, you might not realize the permission you gave away.

The details: Google will only allow apps to read Gmail if they enhance the mail experience. They will limit the number of apps that can access the phone calls and SMS messages and bar certain details about interactions with contacts.

4. Chinese espionage up, cryptominers getting clever

A new report by CrowdStrike notes that Chinese industrial espionage has increased in the last quarter, although the increase is in line with what they’d been seeing in previous quarters.

“There was no giant spike. There’s a very consistent commercial espionage growth rate,” says Jen Ayers, vice president of CrowdStrike’s OverWatch team, whose data makes up the report.

Also interesting: OverWatch is seeing cryptominers take more of a “hands-on" approach to infecting computers.

  • Cryptominers — software that surreptitiously uses other people’s computers to mine cryptocurrency — have traditionally been more of an automated, spam everybody and see where the malware is installed kind of affair.
  • Now, hackers are taking more effort to infect multiple computers on the same network, a move requiring manual effort.
  • When hackers move to more labor-intensive processes, it’s typically because the easy method became more difficult. This could be an indication that security against cryptominers has outpaced designers’ abilities to create evasive malware.
5. Odds and ends
  • Google avoided a massive privacy suit over iPhone tracking in the UK. (BBC)
  • Google's dropping out of contention for the Pentagon's $10 billion JEDI cloud system. (Bloomberg)
  • A Trump campaign aide contacted an Israeli social media firm in 2016 to use phony social media accounts to help it win the Republican primary. (NY Times)
  • A viral Russian propaganda video took aim at feminists and men who take up too much space on subways. (The Verge)
  • Someone is archiving banner ads from the early 2000s. I mean, I didn't read them then. (Motherboard)
  • An administrator of a once-vaunted dark web black market pleaded guilty to doing that. (SecurityWeek)
  • Heathrow Airport was fined £120,000 for losing a thumb drive full of employee info. (UK Information Commissioner's Office)