Oct 18, 2018

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that will withhold good content unless you watch Axios' new HBO show Sundays in November.

1 big thing: What he learned in the code wars

John Carlin wants you to know that the U.S. is much better at investigating cybersecurity-related crimes than people seem to think. And he'd be the person to ask: Carlin was the assistant attorney general for the Department of Justice's National Security Division until 2016.

The big picture: Carlin's new book, "Dawn of the Code War," released Tuesday, is a recollection of his time in government, first at the FBI and then the DOJ. Throughout that time, he saw people and organizations struggle to grasp what both agencies do in information security. "Part of getting these stories out is for people to see investigations in context," he tells Codebook.

Here are three key insights from Carlin:

Always come forward. Carlin, now a partner at Morrison & Foerster, says most executives don’t understand the gravity of not alerting authorities about seemingly minor breaches until they learn about Ardit Ferizi.

  • Ardit Ferizi, one of the first examples in the book, hacked into a retailer's server in 2015 and taunted the system administrator — until he was paid roughly $500 to explain how he hacked the server.
  • But Ferizi was not after $500. He had stolen the details of 100,000 credit card users from that retailer, which he combed for .gov and .mil email addresses, and sent the results to his superiors at ISIS. ISIS then published the results as a kill list.
  • With Ferizi, something that looked like a ransom attempt was actually being used for terrorism. Reporting seemingly inconsequential breaches can affect other investigations.

Government attribution works. It's tough for private cybersecurity pros to attribute attacks to the responsible parties. It's less tough for government agencies with multilayered investigations.

  • From the outside, you often hear that attribution can be tricky because it's possible for hackers to manipulate digital records.
  • But the government has access to more data, including non-technical data. "You can track them not just through cyber means but through finances," says Carlin.
  • Hackers — even elite, nation-state hackers — make dumb mistakes. Researchers once tracked an attack to North Korea "in part because the hacker had infected his own computer with his own malware," Carlin writes in the book.

"Name" matters more than "shame." The DOD often indicts or files charges against foreign intelligence hackers it has little chance of actually arresting.

  • The tactic, nicknamed "name and shame," can come across as an attempt to embarrass the foreign government, given the slim odds of seeing a target extradited to the U.S.
  • Carlin says "name and shame" is actually a misnomer: "Shame" isn't a major component of the plan.
  • Instead, it's a DOJ tactic to proliferate information to owners of potentially vulnerable systems and the world — communicating a threat and raising the cost of an attack by promoting vigilance against a named attacker.

2. Twitter releases a boatload of banned propaganda tweets

Twitter is releasing all the content associated with 4,611 accounts it has tied to two previously announced misinformation campaigns by Russia and Iran — 3,814 accounts linked to Russia's Internet Research Agency, which meddled in the 2016 elections, and 770 that were linked to state-backed activity from Iran, Axios' Shannon Vavra reports.

Why it matters: Twitter says the release is part of an effort to be more transparent about the "information operations" it identifies on the platform and to assist researchers.

  • By the numbers: The content released includes more than 10 million tweets and more than 2 million images, GIFs, videos and Periscope broadcasts.
  • Timing: The earliest Twitter-based activity from the accounts associated with these campaigns dates to 2009.

Codebook's thought bubble: Though they get portrayed as such, it's dangerous to think of social media campaigns like the IRA's as a purely election-related phenomenon.

  • This was not the most impactful or election-focused part of Russia's campaign in 2016. And it's likely the campaign wasn't actually connected to the election so much as creating general chaos — activity actually increased after November.
  • Because it shouldn't be tied to elections, this kind of campaign is not something to care about just during elections. That's why researchers need this kind of data to understand and ultimately prevent further attacks.

3. OceanSalt implant targets Korean speakers

McAfee discovered new malware targeting Korean speakers, and it appears to have infected a few U.S. corporations.

Why it matters: "OceanSalt" seems to be performing reconnaissance on its targets. What makes it particularly interesting is that it appears to be sharing code with a long-dead threat actor known as APT 1.

Targets include universities, South Korean public infrastructure stakeholders and the Inter-Korean Cooperation Fund.

The intrigue: McAfee doesn't think that APT 1 is back, due to severe differences in other components and code in the attack. But the code is coming from somewhere.

  • The code wasn't posted to online hacker forums or put on sale — meaning whoever used it likely put in some effort to get it or had a code-sharing agreement to get it.
  • If the hackers aren't sharing code with someone in APT 1, there's a chance they are hoping the attacks will be confused with APT 1.

4. Think tank untangles varying VPN security

At their best, commercial Virtual Private Network (VPN) services make it nearly impossible for eavesdroppers to tell what sites users visit. At their worst, they log users' traffic, inject ads, offer minimal security protections and make it unclear how much data they hand over to the Feds. If only someone could help parse the privacy and security of the competing services.

Enter CDT: The Center for Democracy and Technology is now trying to answer which VPNs offer what security and privacy features. They are hosting answers to a questionnaire that clearly outlines critical components and policies.

And some big-name VPNs are playing ball. At its Wednesday launch, the program included answers from ExpressVPN, Golden Frog, TunnelBear and others.

One key question beyond security practices in the questionnaire is, "What is the service’s business model?" It costs money to run these things, and users of free VPNs sometimes fall victim to privacy abuses from "free" VPNs trying to turn a profit.

5. Secure chats are only secure if you delete them

Among the evidence collected against Treasury employee Natalie Mayflower Sours Edwards, accused Wednesday of leaking secret FinCEN reports related to the Russia investigation to BuzzFeed, were a series of encrypted chats with the reporter on her phone.

A teachable moment: Encrypted chats are nearly impossible to decrypt as they travel from one person to another. But anyone who can unlock the sender's or receiver's phone can read those messages.

Delete! If you share information a hacker might want to steal using an encrypted chat account, delete the message when you're done. Make sure the recipient does that, too.

Odds and ends
  • Synack bolsters its pro-bono election security pen testing offering to the tune of $500,000. (Synack)
  • Someone is performing global recon on utilities. ESET thinks it's an offshoot of Russia's vaunted BlackEnergy crew. (ESET)
  • Contribution data for 500,000 Tea Party super PAC donors was exposed to the internet due to a leaky cloud account. (Upguard)
  • An Equifax engineer was sentenced to house arrest stemming from insider trading relating to that firm's massive breach. (ZDNet)
  • Google detailed the security features on its latest Titan chip. (Google)
  • Everything you wanted to know about OceanLotus but were afraid to ask because OceanLotus is a nation-state hacking group, and, honestly, you don't really need to deal with an angry nation-state hacking group right now. (Cylance)
  • Cybereason is teaming with chipmaker ARM for IoT security. (Cybereason)

Codebook will see you next week, when we will break down the privacy implications of the Houston Astros.