Sep 18, 2018

Axios Codebook


Welcome to Codebook, the cybersecurity newsletter that was once again overlooked for "Outstanding Actress in a Drama Series."

Tips? Hit reply to this very email.

1 big thing: A new way to game out election cybersecurity

Photo: Justin Sullivan/Getty Images

Cybersecurity firm Cybereason will host on Thursday a unique tabletop experiment on election security from its Boston headquarters. Some players will represent a hacker group trying to disrupt the election, while others will play city emergency responders trying to stop it. But these play-hackers won't be allowed to attack the election itself — they will have to disrupt it by disrupting the city, finding ways to keep people from voting.

Why it matters: There are dozens of ways to interfere with an election without touching voting equipment, ranging from causing traffic jams to blasting air conditioning in a polling place on an already cold day. Nearly all of our attention to election security has focused on attacks Russia has already tried or on the most obvious target — the voting machines themselves. But the next wave of attacks won't play by the rulebook we expect bad guys to use.

Tabletop exercises are group games that are sort of like a two-team Dungeons & Dragons — no computers, just paper and brains. It's an interesting scenario to play out in your head. What needs to happen ...

  • Voters need to know where and when to vote. A hacker could conceivably depress voter turnout by uploading false stories about polling place changes or extended hours for polls that plan to close on time.
  • Voters need to get to the polls. Hackers could close a major bridge, preventing people from getting to the polls. They could tie up transportation by informing bus drivers they've been given an extra day off.
  • Voters need to wait in line to cast a vote. False reports of gun violence near polling places or a nearby explosion might reduce the amount of time someone might be willing to wait.

Handicapping the race: These war games split players into a red team of attackers and a blue team of defenders. "I would say the blue team has a fighting chance, but I wouldn’t put it greater than 50%," says Ross Rustici, Cybereason's senior director of intelligence services.

  • The red team has an asymmetric advantage in agility. They get to pick the targets from an endless list of vulnerable systems. And they get to prepare in advance.
  • Defenders have an advantage in terms of nearby and on-the-ground resources from all levels of government, but they are forced to mobilize without preparation or planning. Ed Davis, the former Boston police commissioner known for his leadership during the Boston Marathon bombing, will head up the blue team.
  • "This might be a painful simulation for the blue team," said Rustici, "but if it's painful during the tabletop, they might start coming up with ways to make it less painful in November."
2. Report: Russians tried to hack lab testing Skripal poison

The Netherlands announced Friday it had deported two Russian intelligence agents for attempting to hack the laboratory testing the poison used against former Russian spy Sergei Skripal and his daughter Yulia.

The attack was reported Friday by Joep Dohmen of the Dutch newspaper NRC Handelsblad and by Thomas Knellwolf and Titis Plattner of the Swiss newspaper Tages Anzeiger (and reported on in English by Sean Gallagher of Ars Technica on Monday).

The details: The attempted hack against the Spiez Laboratory allegedly took place this spring as the lab was investigating whether Skripal had been poisoned using a Russian-specific nerve agent.

3. Symantec opens its fake-site buster to public

Symantec is asking websites likely to be mimicked for phishing attacks or to propagate false information, particularly election-related websites, to contact the security firm about a newly public anti-phishing initiative.

The details: Project Dolphin stops Symantec product users from falling for phishing scams through an AI system trained to detect visually similar fake websites.

  • Dolphin checks each site that product users visit against a database of snapshots of authentic sites.
  • Humans then determine if potential look-alike websites are phishing sites.
  • Future users are blocked from visiting the phishing sites.

Dolphin has been an internal tool at Symantec for a while, but it will now accept public submissions of sites to check.

What they're saying: "We named it Project Dolphin because we were trying to take down a lot of phishing scams," Eric Chien of Symantec's Security Technology and Response team told Codebook. "Dolphins eat a lot of fish."

4. Judge slams Georgia's election security but won't force '18 change

Georgia Secretary of State Brian Kemp celebrates a primary win for governor earlier this year. Photo: Jessica McGowan/Getty Images)

U.S. District Judge Amy Totenberg ruled Monday evening that Georgia would not have to change its paperless balloting system in time for November's elections, but not before saying that state officials had "burried their heads in the sand" about the issue.

The ruling provides a temporary end to a lawsuit demanding Georgia overhaul its voting system over security concerns — though the ruling notes there will likely be an appeal.

What was at stake: Georgia relies on direct-recording electronic (DRE) voting — touch-screen voting machines that do not produce a paper record of votes. Experts agree that these systems are less secure than systems that produce a paper record, as paper records give a chance for recount on a medium that cannot be hacked.

Totenberg agreed with the plaintiffs that Georgia's voting system was dangerously insecure against hacking. But she also noted the catch-22 that changing the voting machines in September for an election in November would be chaotic.

Go deeper: The Atlanta Journal-Constitution has a good overview of the ruling, while Ars Technica has reprinted the ruling in full.

5. Rapid increase for internet of things malware

Researchers at Kaspersky Lab tabulate that so-called "internet of things" devices (basically everything connected to the internet that isn’t a traditional computer) face an alarming growth of new malware.

The numbers: In all of 2017, by Kaspersky’s count, IoT devices faced a little more than 30,000 distinct modifications of malware. In the first half of 2018, that number grew to 120,000 — a nearly fourfold increase.

Why it matters: IoT devices often have less security than traditional computers, meaning that weaker security is being saddled with the deluge of new attacks.

6. Odds and ends
  • The State Department's unclassified email system was breached earlier this month. (Axios)
  • A weird botnet is scrubbing cryptocurrency miners off of its victims. (ZDNet)
  • The payment portal, used by 2,000 state agencies, left 14 million payment records visible to attackers who knew where to look. (Krebs On Security)
  • Experts are split on the value of California's IoT cybersecurity bill. (Washington Post)
  • Other experts are split on the value of the DOJ's North Korea actions. What do experts know anyway? (Cyberscoop)
  • On Friday, FCC Chief Ajit Pai called California's net neutrality bill "illegal." (FCC)
  • Rep. Doug Collins (R-Ga.) wants to tear down the DOJ's paywall around judicial records. (Ars Technica)
  • Early cryptocurrency Ponzi scheme earns CEO prision time. (ZDNet) Joe wrote about the GAW miner scandal here, in 2015, before the arrest. (Passcode) Joe is old.