Jul 11, 2019

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter telling you to subscribe to Axios' new Cities newsletter.

Situational Awareness: President Trump is currently hosting his social media summit.

Today's Smart Brevity: 1,425 words, ~4 minute read.

1 big thing: Using a privacy law to filch data

A researcher has demonstrated how to exploit Europe's privacy protection laws to violate other people's privacy — and new privacy rules on the way in the U.S. could be vulnerable in the same way.

The big picture: Privacy laws, including Europe's mammoth General Data Protection Regulation and California's recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.

Yes, but: These laws have not generally done a good job clarifying acceptable ways to do this safely.

Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancee he could use GDPR to steal her personal information.

  • He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly 1/4 of those provided it to him, no questions asked.

"Companies are afraid under GDPR of telling you no."
James Pavur

"The very big companies did an excellent job fighting fraud and told me to access that information through my profile or email from the account I used to sign up," Pavur, who will present his research in August at the Black Hat conference, told Codebook. "The small companies — like a podcast company in the U.S. — knew the law didn't apply to them."

  • Many midsized companies took the bait. They knew they had to respond to the requests, but hadn't adopted processes for doing so safely.
  • Pavur has not released any names of the companies he tested.

Between the lines: "These laws focus upon the user, not the company," said Matthew McCabe, senior vice president and assistant general counsel for cyber policy at Marsh.

  • More robust regulations would outline acceptable identity verification practices. "They would not just consider end points, but process as well," said Pavur. "And they would say it's OK to say 'no.'"

What's next: "The same problem in GDPR is in the California Consumer Privacy Act," which goes into effect at the start of 2020, said Shannon Yavorsky, data security and privacy partner at Venable.

  • Yavorsky hopes the California attorney general will clarify best practices for fighting fraud in upcoming commentary on the law.

Why it matters: Without a concerted effort to mandate fighting fraud while protecting privacy, these experts agree, new U.S. privacy laws are likely to create similar new vulnerabilities.

2. Credit card thieves compromise thousands of websites

A hacker group known as Magecart appears to have inserted credit-card-stealing code at more than 17,000 websites that did not secure their Amazon Cloud storage accounts.

Why it matters: Companies use cloud servers to streamline website operations, but misconfigured cloud servers leave both the websites and customers vulnerable.

Details: RiskIQ, a cybersecurity firm, announced Thursday that Magecart is using an automated process to find JavaScript web code left exposed in Amazon cloud storage and insert its own malicious code.

  • Magecart's automated process roped in 17,000 sites.
  • The group is one of the internet's most prolific credit-card thievery outfits.
  • "The most concerning thing for us is the scale," RiskIQ's Yonathan Klijnsma told Axios. "We didn’t expect that many people would have public write access set."

It's not just small companies: Klijnsma noted that the victims include sites in the top 2000 of web rankings service Alexa.

What happens next: RiskIQ is working with Amazon to notify affected sites.

3. NIST refines privacy framework

The National Institute of Standards and Technology held its third public meeting Tuesday on the Privacy Framework it is currently developing.

The big picture: NIST is the Commerce Department agency that wrote the immensely popular Cybersecurity Framework, a set of general guidelines for conceptualizing cybersecurity that has been translated into multiple languages and become popular the world over.

Why it matters: In a perfect world, the Privacy Framework would have a similar impact, said Kent Landfield, the head of standards and technology policy at McAfee and an active participant in the meetings.

  • It's unclear if that's feasible, as many companies internationally have begun turning to Europe's privacy regulations as the guiding light of privacy protection.
  • Landfield said he'd prefer the NIST approach take precedence, because a policy setting out minimum standards is less thorough than creating a situationally comprehensive strategy. "We need to change from compliance to risk management," he said.

Details: The difference between a guide for standards and a guide for strategy was an issue at the NIST meetings as well, said Landfield, as some participants had hoped for a guide to navigate GDPR. This meeting marked the first time all participants were on board with what NIST intended to do.

  • One major point of contention is still being worked out: whether NIST should remove all security content from the draft to make it a fully separate document from the security framework.

4. In case you missed last week

Mozilla ends alleged spy's web bid (Axios): Mozilla, the creator of the Firefox web browser, denied a United Arab Emirates firm's request for authority to issue security certificates to websites without the supervision of a more trusted group. The UAE firm is accused of assisting that nation's global cyber espionage operations.

  • Web certificates are a key part of encrypting traffic to and from websites. A malicious group issuing those certificates could snoop on data to the sites it serves.
  • "We are confident this is the right decision, but it was not made lightly," Mozilla's statement said.

Cyber Command warns of attacks with potential Iran tie (Axios): United States Cyber Command issued a warning Tuesday about hackers using a security flaw in Microsoft's Outlook email program. Cyber Command also uploaded new malware to an archive used by cybersecurity researchers; one expert believes that malware is connected to an infamous Iranian attack.

  • The malware appears to be connected to Shamoon 2, a disk-wiping attack used against Saudi entities in 2016, said Brandon Levene, head of applied intelligence at Chronicle. Shamoon 2 is widely believed to be the work of Iran.
  • If the malware and warnings are linked, Iran may be using the Outlook security vulnerability in an active hacking campaign.
  • "This [may] shed some light on how the Shamoon attackers were able to compromise their targets," Levene said. "It was highly speculated that spear phishes were involved, but not a lot of information [more specific than that] was published."

New commercial government spyware emerges (Kaspersky Lab): Kaspersky Lab detailed the latest versions of FinSpy, off-the-shelf spyware sold to governments to surveil mobile devices.

  • The makers of militarized spyware, including U.K. outfit Gamma (makers of FinSpy and the prominent FinFisher) and the Israel-based NSO Group (Pegasus), argue that their software is only sold to governments and is critical for law enforcement and legitimate government surveillance. U.S. law enforcement groups have purchased such products in the past.
  • Opponents note widespread abuse by oppressive regimes. Among the targets of the new FinSpy samples discovered by Kaspersky were people in Myanmar.

Mozilla named, then unnamed, internet villain (ISPAUK): A U.K. trade organization of internet service providers nominated Mozilla to its list of "internet villains" last week, in response to Mozilla's Firefox web browser allowing use of DNS over HTTPS (DoH), a fancy way of saying the browser can encrypt the web addresses people want to visit. The group has subsequently withdrawn its nomination.

  • The U.K. government and several anti-child exploitation groups dislike DoH because it makes it harder to identify attempts to download unlawful content.
  • ISPs dislike DoH for one of the reasons users do like it — it blocks one way that ISPs monetize user browsing habits.

PGP poisoners gonna poison: Two researchers found their public PGP (Pretty Good Privacy) profiles had fallen victim to a "poisoning" attack.

  • PGP users publish encryption keys in public databases that other people can use to contact them.
  • Those databases don't check to make sure the poster owns the account. A poisoning attack means someone uploaded so many fake encryption keys purportedly from the victim accounts that no one could reasonably guess which one was real.
  • It's sort of amazing this never happened before.

5. Odds and ends

Codebook will return next week.