Axios Codebook

November 14, 2019

Welcome to Codebook, the irregular cybersecurity newsletter that's not as outlandish as it could be.

Today's newsletter is 1,608 words, a 6-minute read.

1 big thing: The myth of the sophisticated hacker

Illustration: Aïda Amer/Axios

On Tuesday, the U.K.'s Labour Party became the latest in a decade-long line of victims to claim they were targeted by a "sophisticated" cyberattack that wasn't, actually, very sophisticated.

The big picture: It's the latest lexical stretch for an adjective that's widely used in reports of cybersecurity incidents — and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.

Driving the news: Labour ultimately faced what's known as a denial of service attack, a way of overwhelming servers with a ton of traffic. It's a digital blunt force attack — harmful, yes, but hardly sophisticated. Labour was not alone.

In the last year or so, victims blamed "sophisticated" hackers for breaches at the Australian Parliament; a hamburger chain; a bank; another bank; yet more banks and universities in Australia, the U.S. and UK; a 1,200-student high school; newspapers; Amnesty International; WhatsApp users; a medical center; an electronics supplier; an embassy; and a community college, among others.

Be smart: Some of those hackers were, in fact, sophisticated. Others weren't. But overusing the word dilutes its meaning.

The sophisticate who cried wolf: For network defenders trying to follow what's going on across the industry, it's important to know when actual sophisticated hackers emerge. "There's a boy who cried wolf situation," said Dylan Owen, senior manager for cyber services at Raytheon.

Sophistication's siren song: As soon as a breach is announced, companies are on the defensive, left to justify to users, investors and employees how data that was supposed to be kept secret suddenly wasn't.

  • "No one is going to say they were breached by average hackers," said Chris Scott of IBM's X-Force IRIS incident response team.
  • Sophisticated often gets used as a synonym for "our organization shouldn't be blamed for missing this."

But, but, but: Sophistication isn't the only way to breach even high-tech defenses. Persistence is just as powerful as technical acumen.

  • "We see relatively simple attacks able to get by good defenses all the time," said Owen.
  • Some of the most effective hacking groups in history — including all but the most recent of Iran's efforts in hacking — were not considered particularly technically skilled.

When experts say "sophistication," they use it very differently from normal people.

  • For experts, a sophisticated attack is one that's layered, bespoke and studied — one that cleverly and efficiently achieves its goals. It can refer to work before or after a breach, how an attacker maneuvers inside a network, speed or stealth.
  • For the public, sophistication sounds like someone is simply using unbeatable technology, one part wizardry and another part ninjutsu.

Those aren't the same thing. Just consider the first steps in hacking a computer.

  • The most sophisticated attackers almost always start with methods the public doesn't think of as sophisticated. The U.S., China and Russia — the most advanced hackers in the world — typically start an attack with phishing or exploiting security flaws vendors have already released a patch for.
  • Even so-called zero-days, previously undiscovered vulnerabilities that can't yet be patched, are not always the sign of a sophisticated attacker. "You can have a group that uses a lot of zero-days that isn't technically skilled, just willing to spend a lot of money to purchase them from the black market," said Ben Read of FireEye.

The bottom line: Unless the hackers are known to wear cufflinks, you can usually take "sophisticated" with a grain of salt.

2. Exclusive: Over half of Fortune 500 exposed to remote access hacks

Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet, according to new research by the security firm Expanse and 451 Research.

Why it matters: According to Coveware, more than 60% of ransomware is installed via a Windows remote access feature called Remote Desktop Protocol (RDP). It's a protocol that's fine in secure environments but once exposed to the open internet can, at its best, allow attackers to disrupt access and, at its worst, be vulnerable to hacking itself.

What is RDP: RDP is a way of offering virtual access to a single computer. It allows, for example, an IT staffer in one office to provide tech support for a baffled user in a different office.

  • But RDP becomes a problem when it's not being used securely.
  • "We compare exposed RDP to leaving a computer attached to your network out on your lawn," Matt Kraning, co-founder and CTO of Expanse, told Codebook.
  • It's an opinion shared by experts at McAfee and Sophos, who note that in the absence of multifactor authentication, the protocol can often be hacked into with only a few hours of guessing common passwords.
  • Even in ideal circumstances, when passwords are strong, a malicious actor could overwhelm an RDP connection with traffic in what's known as a DDoS attack.

What they found: The Expanse/451 study, which scanned for open RDP ports over a two-week period, found that 53.4% of Fortune 500 companies had an RDP exposure.

  • The technical skills of the companies didn't seem to have much impact on RDP exposures. For example, around 80% of hospitality industry companies and just under 80% of defense and aerospace companies had at least one exposure, even though defense and aerospace are among the most security-conscious sectors.
  • Cybersecurity budget, either as a percentage of the annual budget or total spending, also had no consistent effect on exposure. By percentage of budget, 43% of companies in the lowest-spending quartile had exposures, compared to 53% of those in the top spending quartile.

The bottom line: The threat of RDP exposures often flies under the radar. "IT staffs are really good at looking at what they know about, but not at what they don’t," said Kraning.

  • "If Fortune 500 companies have exposures, what chance do smaller companies have?" he added.

3. Trial testimony: Trump team knew WikiLeaks email dump was coming

Roger Stone enters the courthouse for his trial, Washington, D.C., Nov. 13. Photo: Sarah Silbiger/Getty Images

At the Roger Stone trial, Rick Gates testified that the Trump campaign was aware that WikiLeaks would dump Democratic emails before Trump even secured the nomination.

The big picture: Gates, a former deputy to Trump campaign manager Paul Manafort, said that Stone, a Trump confidant, alerted him that WikiLeaks would be posting hacked Democratic emails in April 2016.

  • “Mr. Stone indicated that WikiLeaks would be submitting or dropping information, but no information on dates or anything of that nature,” Gates said, as quoted in Politico.

The Democratic National Committee hack wasn't publicly announced until June of 2016.

Trump and his proxies repeatedly denied knowing about the WikiLeaks dumps in advance during the campaign and into the Trump presidency.

4. The surprising cost of hacking payment processors

When hackers target companies providing services to other companies, it can obviously cause financial damages for everyone involved. But a surprising new study demonstrates that it causes more damage per company when a single service provider with a bunch of dependents is attacked than when an equivalent number of victims are attacked individually.

Driving the news: The study, compiled by the security firm RiskRecon and the research group the Cyentia Institute, looked at 816 different breaches over the last decade. The best-known example of this "ripple effect" is a breach at American Medical Collection Agency earlier this year.

  • That breach affected all the doctors, hospitals and medical services that used AMCA, including 12 million patients of Quest Diagnostics.
  • AMCA ultimately declared bankruptcy.

By the numbers: Previous research found that 816 different "ripple effect" breaches affected 5,437 downstream organizations, causing median damages for all companies involved of $995,500. That's around 13 times the $77,000 median cost of a breach affecting only one company.

  • Most of that cost is incurred by the company at the center of the breach — the median cost for a downstream company is only around $32,000.
  • Breaches at collection agencies, banks and lenders, credit bureaus, government offices, and IT firms cause roughly half the ripple effect breaches.

Why it matters: Wade Baker, of the Cyentia Institute, told Codebook that this study could have an impact on how cyber insurance companies evaluate risk and how companies evaluate the insurance protection they need.

5. The Department of Justice's busy week

The DOJ ...

6. Other news from last week

Wherein we figure out who to trust in elections (NASS, Brennan Center): The National Association of Secretaries of State launched a new campaign to emphasize that the best place to get information on an election is from elections officials.

  • One likely form of social media election interference is actually an extension of an old technique — lying to people primed to vote for an opposing candidate about where and when to vote.
  • Average people are accidentally wrong about this stuff too. That makes elections officials the safest source of information.
  • Meanwhile: The Brennan Center believes the U.S. should exert more oversight over election vendors, a prime target for cyberattacks.

Google criticized for health care partnership (per Axios' Ina Fried): The Office for Civil Rights in the Department of Health and Human Services told the Wall Street Journal Tuesday it is investigating the data-sharing relationship between Google and not-for-profit hospital system Ascension.

  • That relationship, part of an effort at Google called Project Nightingale, was the subject of a Journal investigation published Monday.
  • Per Axios health care business reporter Bob Herman, exchanging patients’ health information is legal under federal privacy law, and this data sharing is common, even when patients aren’t aware.
  • Civil Rights Office director Roger Severino said in a statement to the WSJ the federal regulator "will seek to learn more information about this mass collection of individuals' medical records."

MITRE launches Center for Threat-Informed Defense (MITRE): Engenuity, a foundation for the public good based at the research foundation MITRE, launched the Center for Threat-Informed Defense. The Center will provide free-to-the-public cybersecurity solutions.

  • Corporate and non-profit partners will propose projects for the center to take on and divvy up the cost of research between partners backing a project.

7. Odds and ends

We'll return one more time before Thanksgiving.

Browns update: Codebook reader pick to win the Super Bowl, the Cleveland Browns, won against a good Bills team on Sunday, but continue to not be on track to win the Super Bowl.