Axios Codebook

July 12, 2018
Welcome to Codebook, the only cybersecurity newsletter blowing the lid off the Madison, Wisconsin, McDonald's scene.
Tips? Reply to this newsletter.
1 big thing: Axios' guide to reading the cybersecurity news

Illustration: Sarah Grillo/Axios
Reading cybersecurity news is usually stressful, often misleading and sometimes confusing. That's why Codebook is proud to offer you this guide: what to keep in mind when reading cybersecurity news.
A conceivable attack isn't the same as a likely attack: Over the weekend, a variety of newspapers printed a wire story titled "Why you may want to wrap your car key fob in tin foil." The premise was that an attacker could clone your key fob using an undetectable cloning machine and steal your car. The tin foil would serve as a Faraday cage and block the signal.
- Key fobs can indeed be cloned by thieves. But it's unlikely that would ever happen. Among the problems: a bad guy would already need to know which car was yours to use the cloned key. At a certain point, it's easier to steal a car the old-fashioned way.
- Attacks can be unlikely for other reasons, too. Some widely reported security vulnerabilities are too complicated to be practical. Others require in-person access or administrator-level accounts.
- Be cognizant of all threats. But if you're spending scarce resources, focus on threats that apply to you.
The apocalypse isn't nigh: Last week, New York Times columnist Nicholas Kristof described cyberwarfare as something strikingly similar to the plot of a "Die Hard" movie: An evil attacker would simultaneously take out the power grid, phones and banks. But that kind of blitz — coordinated across multiple industries and thousands of networks — is both technologically and strategically unlikely.
- Hacking technology hasn't quite reached the level of achieving the much talked-about (and bestselling) catastrophic, nationwide, electric grid failure. In the U.S., the grid is made of several mini-grids and designed for resilience.
- That doesn't mean smaller attacks aren't extremely consequential. Delta lost as much as $50 million due to an airport blackout in December. Blackouts on a more realistic scale still have real consequences.
"Breach" has more than one meaning: Axios discussed last week how some incidents being called breaches were really just databases put online without passwords where no bad guy had accessed the data. That's hardly good — but it's not what most people think of when they think of a breach. Along the same lines:
- Companies often separate systems used differently into different networks. In power plants and factories, that means putting the business computers on a different network than the industrial ones. Don't be surprised if an attack on a power plant turns out to be a breach of the business systems — not good, but not as bad as sabotage.
Think simple before complex: Most breaches start with phishing. News stories often emphasize the scary attack before the basics. Hackers start with the basics.
When companies fix security flaws, that's good: If a headline says that a product has a security flaw, that usually means the product just got more secure — it was announced because it has just been patched. Don't take it to mean that product is less secure than its competition. All products have vulnerabilities.
- This is why software updates exist. Every story about a new vulnerability is a reminder to keep your systems up to date.
- It's good to fix vulnerabilities. Some vulnerabilities take considerable time to fix, even with a full staff devoted to them. What's bad is when companies know about high-priority security problems but don't fix them — or when they use out-of-date software libraries likely to contain security problems.
Finally: Codebook picked examples based on their visibility, but everyone, even Axios, makes mistakes. (In the interest of fairness, at the bottom of this newsletter, you will find Joe's second most embarrassing journalism story.)
2. DHS: Russia not hitting midterms as hard as the 2016 election
Russian hackers are not targeting state election systems with a cyber campaign as they did in 2016, two Department of Homeland Security officials told separate Congressional committees yesterday.
Where it happened: Chris Krebs, undersecretary in charge of the National Protection and Programs Directorate, testified before the House Homeland Security Committee. Senior cybersecurity adviser (and elections expert) Matt Masterson testified before the Senate Rules Committee.
What it does and doesn't mean: DHS doesn't have full visibility on campaign systems and Krebs noted that Russia is still launching divisive social media campaigns — DHS's good news solely applies to the state election systems. But it is good news.
- However, without more detail, the testimony's meaning is dealer's choice: Russia might see the midterms as a less attractive target (dozens of separate elections of lower value). It may be letting the heat cool down from 2016. Or we might not be Russia's biggest priority right now.
3. Senators worry processor bugs may have bolstered China's spies

Photo: Toshifumi Kitamura/AFP via Getty Images
Lawmakers are concerned that chipmakers' strategies to mitigate security flaws nicknamed Spectre and Meltdown may have caused national security issues.
What they're saying: “It's been reported that Intel informed Chinese companies of the Spectre and Meltdown vulnerabilities before notifying the US government. As a result, it's highly likely that the Chinese government knew about the vulnerabilities,” Florida senator Bill Nelson (D-Florida) said at a Wednesday hearing on the issue (as quoted by Wired's Lily Hay Newman).
The theory: Firms involved in the chipmaking process notified all of their clients about Spectre and Meltdown in advance of going public with the vulnerabilities. This gave manufacturers time to patch the problem before hackers were made aware there was a problem to take advantage of.
- The firms failed to notify the Department of Homeland Security.
- Some of the vendors notified were in China.
- Chinese companies have heavy ties to the state, and China has a significant cyber spying operation.
- The Chinese government may have known about the vulnerability before the U.S. knew to protect critical systems.
Meanwhile, two new vulnerabilities similar to Spectre have been discovered, affecting any system running Intel, AMD or ARM processors.
Spectre? Meltdown? These vulnerabilities take advantage of a shortcut processors use. If a user tries to access data protected by a password, the computer begins processing the data before the user enters the password. That way, the data is ready whenever the user is done. There were flaws in the scheme to make sure people without a password couldn't manipulate that process to get data anyway.
4. Synack security fellows program opens Friday
The inaugural ThinkCyber cybersecurity fellowship — backed by security testing firm Synack, recruiter Nav Talent and Morgan Stanley — starts Friday, with 22 college students selected from an international applicant pool attending a four-day symposium in Silicon Valley.
Why it matters: Most of the top schools in computer science lack a dedicated cybersecurity component to their programs. To Jay Kaplan, Synack co-founder, that means the challenge is more than just luring top talent to cybersecurity jobs.
"Some of the students will be writing the next generation of applications," he said. "Teaching them at this stage will introduce better security practices."
"I'd love for them to make our jobs harder."
5. Joe's second most embarrassing journalism story
During my first reporting job, at a now-defunct weekly in Madison, Wisconsin, a food section story fell through, and we needed emergency content, fast. I don't have a refined palate, but wanted to be helpful: I offered to find the best McDonald's in Madison.
Why it matters: I ate hundreds of McNuggets in three hours for science.
The details: In theory, we had two days to do the story, but I didn't own a car. My roommate and his girlfriend offered to drive me around late Sunday afternoon.
- There are around 40 McDonald's in Madison.
- By McDonald's number two we realized that parents weren't thrilled to see a scraggly 20-something wandering around the FunLand ball pit with a notepad and camera.
- It became clear that I had to order and eat at every restaurant.
- I chose Chicken McNuggets.
By the numbers: Every 40 McNuggets is a day's worth of food. In under three hours I went through that cycle 4 times. I couldn't sleep for days afterward.
The best McDonald's in Madison has a working fireplace.
6. Odds and ends
- China is spying on Cambodian elections. (Axios)
- You can buy access to an airport security system for $10. (Axios)
- The word Taiwan will no longer crash iPhones. (Axios)
- Spammer-friendly web host Bitcanal has been ousted from the web. (Krebs on Security)
- Sens. Marco Rubio (R-Fla.) and Mark Warner (D-Virg.) plan counterprogramming to Trump's Helsinki visit. (USA Today)
- India approved strict net neutrality rules. (ZDNet)
- Facebook was fined $650,000 for the Cambridge Analytica debacle. (Axios)
- The DOD paused the controversial JEDI cloud procurement process. (FCW)
- A man tried to smuggle a snake on a plane in a hard drive enclosure. (Motherboard)
- Timehop breach contained genders and birthdays. (ZDNet)
Codebook will return Tuesday.