May 1, 2018

Axios Codebook

Welcome to Axios Codebook, Axios's cybersecurity newsletter. Please send tips and comments to this email address.

1 big thing: How to break the encryption deadlock

Illustration: Rebecca Zisser/Axios

The two sides of the encryption debate are so dug in that it's become hard to publicly discuss a compromise: Law enforcement groups insist they need access to encrypted data lest criminals go free; security experts posit that providing such access invites global security disasters and mass hacking. No one wants to suggest to peers that maybe some criminals should go free — or that some amount of security disasters would be A-OK.

But behind closed doors, a few government and big-tech insiders will talk about what a compromise would take — so long as their names aren't attached. Here's what they say:

Why would tech give up the hard line? Australia is on the verge of enacting an encryption law that mandates law-enforcement access to encrypted messages, and U.S. lawmakers seeking similar measures here are likely to point to it as a precedent. So, while most in the tech community still see any encryption compromise as a disaster, a few feel that it's a smaller disaster than what lawmakers might come up with on their own.

To compromise, be honest about risk: Supporters of backdoors often try to frame the debate as security versus civil liberties, rather than address the inevitable security problems backdoors will create. No compromise will emerge until lawmakers acknowledge and accept the real security dangers they are asking for.

  • There is no new technology coming to solve the problem: Law enforcement often maintains that tech firms can solve any problem by inventing new technology. But the complexity of computer code makes completely secure systems to allow extraordinary access unlikely, and creating backdoor keys at scale means creating systems that are particularly susceptible to abuse.
  • Limiting risk means limiting the use of the system: With thousands of police jurisdictions in the U.S., companies will constantly be retrieving credentials for phones. But the more frequently a system gets used, the harder it is to secure.

Be honest about who the targets are: Though the encryption debate is often framed in terms of national security, groups like ISIS will be among the least successful targets.

  • One ex-government source said, "Terrorism is the wrong argument. ISIS is well organized and smart — they will be able to get around any encryption ban. The people this will be really successful against are dumb, careless or spur-of-the-moment criminals that don't have a support network."
  • Another ex-intelligence source noted that allowing spies to use backdoors might cripple American tech firms by making their products harder to sell abroad, while providing little benefit. Intelligence already has broader capabilities than law enforcement. "We will need to say that the backdoors could not be used for intelligence," that source said.

Putting it all together:

  • Any compromise would have to be extremely narrow in scope — only applying to, say, data on a device involved in a specific crime.
  • The government may need to be prepared to repay users for the security meltdowns backdoors would cause. That may not be cheap. FedEx alone lost hundreds of millions of dollars in the NotPetya cyber attacks that used leaked U.S.-developed hacking tools — in a high-end approximation of the kind of havoc leaked security keys could cause.

2. How the sausage is made: Credential attacks

New research from Distil Networks provides a detailed look at how attackers use bots to test stolen usernames and passwords on websites.

Why it matters: According to Distil's data, 96% of websites with login pages face regular automated attacks to check if usernames and passwords can either be guessed or extrapolated from other sites' breaches.

The details:

  • Only around half of attacks use a "volumetric" approach, testing a flurry of possible username and password combinations in short bursts. In those cases the spike in attempts warns the site that something might be amiss. The other half work at a measured pace that avoids any spike, which means half of all attacks are tougher to discern.
  • After a major breach, all sites see a threefold increase in credential attacks. Attackers count on users reusing the same passwords across multiple sites. (Don't do that.)
  • Volumetric attacks usually come at the same time each week. Attacks designed to start at 8 a.m. on a Tuesday one week will likely start a new round at 8 a.m. on Tuesday the next week.
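Detection logic for the two patterns Distil describes, as an added example (not Distil's or Axios's code): constructed failed-login lines are bucketed per source and clock minute to catch the volumetric spike, sources that never spike but cycle through many usernames are flagged as measured-pace attacks, and bursts recurring from one source at the same weekday and hour on different dates (both sample dates are Tuesdays) are reported. The log format, addresses and thresholds are assumptions made for this example.

```python
# Added illustration, not Distil's code. Log format "<ISO time> <ip> <user> <ok|fail>",
# addresses (RFC 5737 documentation ranges) and thresholds are all constructed here.
from collections import defaultdict
from datetime import datetime

BURST_FAILS = 3          # "volumetric": >= 3 failures from one source within one clock minute
SLOW_DISTINCT_USERS = 3  # "measured pace": >= 3 usernames failed by a source that never spiked
SAMPLE_LOG = """\
2018-04-24T08:00:01 203.0.113.5 alice fail
2018-04-24T08:00:03 203.0.113.5 bob fail
2018-04-24T08:00:09 203.0.113.5 carol fail
2018-04-24T09:00:00 198.51.100.7 alice fail
2018-04-24T11:30:00 198.51.100.7 bob fail
2018-04-24T14:40:00 198.51.100.7 carol fail
2018-04-24T15:00:20 192.0.2.10 erin ok
2018-05-01T08:00:02 203.0.113.5 frank fail
2018-05-01T08:00:05 203.0.113.5 grace fail
2018-05-01T08:00:40 203.0.113.5 heidi fail
"""

def parse(log):
    """Failed attempts grouped by source: {ip: [(timestamp, username), ...]}."""
    fails = defaultdict(list)
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        if result == "fail":
            fails[ip].append((datetime.fromisoformat(ts), user))
    return dict(fails)

def volumetric_bursts(fails):
    """(ip, minute) buckets holding >= BURST_FAILS failures: the spike that warns the site."""
    buckets = defaultdict(int)
    for ip, attempts in fails.items():
        for t, _ in attempts:
            buckets[(ip, t.replace(second=0))] += 1
    return sorted(k for k, n in buckets.items() if n >= BURST_FAILS)

def slow_spraying(fails, bursts):
    """Sources that never produced a spike but still worked through many usernames."""
    bursty = {ip for ip, _ in bursts}
    return [ip for ip, a in fails.items()
            if ip not in bursty and len({u for _, u in a}) >= SLOW_DISTINCT_USERS]

def weekly_recurrence(bursts):
    """(ip, weekday, hour) slots in which one source burst on more than one date (Monday == 0)."""
    slots = defaultdict(set)
    for ip, start in bursts:
        slots[(ip, start.weekday(), start.hour)].add(start.date())
    return sorted(k for k, d in slots.items() if len(d) > 1)
```

The low-volume source is only visible because its failures are correlated across usernames rather than across time, which is why per-minute rate limits alone miss that half of the traffic.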

3. Moscow-based company selling medical software exploits

Motherboard reports that a Moscow-based company named Gleg is selling previously undiscovered security vulnerabilities in medical software. That has raised eyebrows for hospital administrators — and a few yawns from the security industry.

Why it matters that it might not matter: There are few scarier hacks than those aimed at medical systems. People need them to breathe, which many are wont to do, so any indication that the devices are vulnerable is a touch frightening. But most hacking isn't done through the kind of expensive vulnerabilities sold by companies like Gleg.

There is a lot of Gleg: Across the cybersecurity landscape, there are a few different services selling previously unreported vulnerabilities. Typically, it isn't hackers purchasing the bugs but rather security pros, who find them useful in assessing the defenses of a network or developing software to prevent attacks.

Most attacks use freely available exploits: Hackers could pay Gleg $4000 a year for a subscription to its vulnerability service. But for most hackers, it's cheaper and just as effective to use freely available exploits that can already be found online. While the holes used by the free online wares might be patched by the manufacturer, not every hospital is quick to protect its equipment. The massive WannaCry attack last year took advantage of a known computer flaw.

4. DNC, Wickr launch campaign security marketplace

Wickr, a secure messaging app, is teaming up with the Democratic National Committee on a pilot marketplace for campaign security tools. "I Will Run" will offer cybersecurity tools to Democratic candidates in Arizona, Florida, Iowa, Massachusetts, Nevada, Texas and Washington.

Why it matters: The DNC is eager to prevent a repeat of the 2016 election, when Russia's alleged hacking of the Democratic National Committee, John Podesta's email and the Democratic Congressional Campaign Committee weighed heavily in news coverage. Congress has introduced legislation on voting systems security, but parties and campaigns remain very much on their own.

5. New hacking tangles for Trumps

Donald Trump Jr. Photo: Drew Angerer/Getty Images

The New York Times obtained a copy of the questions special counsel Robert Mueller submitted to President Trump's lawyers and among them was this subtle bombshell:

  • What knowledge did you have of any outreach by your campaign, including by Paul Manafort, to Russia about potential assistance to the campaign?

Why it matters: The old saw is that good lawyers don't ask questions they don't know the answers to. The phrasing — outreach to Russia rather than outreach from — suggests Mueller may have reason to believe the Trump campaign requested Russian assistance in the campaign.

Manafort started with the Trump campaign in March of 2016. In April, hackers believed to be Russian registered the DC Leaks website, a WikiLeaks clone that appears to have been the original plan for releasing hacked emails before the group pivoted to WikiLeaks. That summer, the Democratic National Committee would announce it had been hacked.

  • Yes, but: The DNC hackers had already burrowed into the DNC network before Manafort joined the campaign, and the question certainly doesn't imply this was Manafort's first move as campaign manager. Reaching out does not mean a Russian plan was already in the works.

Meanwhile: The other Donald Trump, Donald Trump Jr., may have violated the U.S.'s major anti-hacking law, the Computer Fraud and Abuse Act, writes Orin Kerr in Lawfare.

  • Of an anti-Trump website, Trump Jr. wrote in an email released by Congress: "Guys I got a weird Twitter DM from [W]ikileaks. See below. I tried the password and it works and the about section they reference contains the next pic in terms of who is behind it."
  • Kerr is a leading expert in what the CFAA means and should mean, and has taken a narrower view than some judges about what kinds of activities the law forbids. But he has argued that the CFAA should be taken to ban illicit access to a computer beyond any measures intended to cut off access — like a password prompt.

6. Odds and ends

  • WhatsApp co-founder leaving Facebook over data privacy spat. (Axios)
  • North Korean antivirus software stole large chunks of code from 10-year-old Trend Micro antivirus. (CSO Online)
  • A researcher at Bitdefender found a new way to crash a Windows computer using only a USB drive. (Threatpost)
  • Former NSA and CIA honcho Michael Hayden wonders what happens to intelligence if the president doesn't believe in facts. (New York Times)
  • DEF CON capture the flag registration is now open. (DEF CON)
  • A UK watchdog's website that used to monitor surveillance powers is now selling the "best solution" for premature ejaculation. (Motherboard)
  • Comings and goings: April F. Doss, former associate general counsel at NSA who had taken a one-year appointment as Democratic counsel for the Senate's Russia investigation, is returning to Saul, Ewing, Arnstein & Lehr.
  • A look at the companies specializing in hacking back. (The New Yorker)
  • Oscar Mayer released a bacon-based cryptocurrency. (Daily Dot)

Codebook will return on Thursday. Batman Returned in 1992.