Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

April 05, 2018

Welcome to Axios Codebook, the newsletter no one would let me call "Axios Haxios" because "childlike whimsy" is apparently not a business model.

As always, feed me tips, suggestions and other ideas by replying to this email.

1 big thing: We're getting better at cybersecurity

The thumbs up sculpture "Really Good" by British artist David Shrigley. Photo: Daniel Leal-Olivas/AFP via Getty Images.

Organizations are closing the skills and preparedness gap between hackers and themselves, improving a picture that's all too often painted as grim.

That means we — at least those of us in the Western Hemisphere — are getting pretty good at cybersecurity, according to the latest numbers from one of the largest cybersecurity firms.

“It’s strange to hear, but things are actually getting better,” said Charles Carmakal, vice president at Mandiant, which released its yearly report yesterday.

The big picture: In a report that contains plenty of potentially alarming material, including multiple sections on the growing Iranian threat, Carmakal said the most important statistics are those on who first noticed data breaches and how they did it.

For all the high profile coverage of massive, often careless breaches, there’s reason to think defenders are outpacing attackers.

Reproduced from FireEye's M-Trends 2017 and 2018 reports; Chart: Axios Visuals

The details:

  • 64% of North and South American breaches investigated by FireEye are detected by the victim rather than by a third party (like law enforcement).
  • That’s a sizable improvement over 2011, when only 6% were detected internally.
  • This year was also an improvement over 2016, when 53% of breaches were detected by the victim.
  • “There is absolutely an improvement in organizational capability,” said Carmakal.

Why it matters: Who notices hackers makes a big difference in how fast the hackers get caught. Internal detection is much faster, so hackers are in systems for less time than they used to be. In the U.S., it’s a threefold difference.

  • The worldwide median dwell time — the time hackers can spend in a system without being caught — is only a quarter of what it was in 2011, but roughly the same as last year.
  • According to the report, median dwell time is lower in the Americas: 75.5 days, compared to 175 days in the European, Middle Eastern and African markets, and 498 in Asia Pacific markets.

2. There’s plenty of leaked data in places we weren’t looking

Based on media coverage, you’d be forgiven for thinking that the majority of unsecured data on the internet was on cloud storage units and online databases. But that's wrong.

A new study from Digital Shadows mapping the internet’s probably-should-be-secured files found that only 7% of those files were from leaky Amazon cloud buckets — the cloud storage system that is frequently misconfigured, allowing anyone password-free access.

The rest of the unsecured files are found via a variety of other protocols, including FTP (a file transfer protocol so primitive, its acronym stands for "file transfer protocol"), the network protocol SMB and a host of backup service systems.

The details: Michael Marriott, who worked on the Digital Shadows report released this morning, says that while some of the protocols are old, many of the documents are new. And those documents — the firm found a total of 1.5 billion, clocking in at 12,000 terabytes of data — contained plenty of sensitive content.

They found:

  • More than 2.2 million medical body scan (.dcm) files
  • More than 700,00 documents marked "payroll"
  • 900 patent applications

Go deeper: Marriott warns that, much of the time, the problem is "a supply chain issue" — a company's files getting exposed by subcontractors.

3. Senators in talks with tech firms on new encryption legislation

Senate Judiciary Committee staffers are in discussions with technology companies over mandating some form of law enforcement access to all encrypted data, per Chris Bing at Cyberscoop.

Negotiators from the offices of chairman Chuck Grassley (R-Iowa) and ranking member Dianne Feinstein (D-Calif), along with representatives of the Justice Department, are handling the talks in secret. They're even keeping the details from many on the committee, who claimed to have only heard about the efforts recently.

Why it matters: The long-fought encryption debate has different faces. On one level, it pits the public interest in giving police access to evidence for truly horrific crimes against the likelihood that, from time to time, every computer system in the world will be left wildly unprotected from hackers, malware and spies.

On another, it is an argument over whether the U.S. wants to take a step that will encourage oppressive regimes to pass similar laws, which will undoubtedly be used to crush dissent.

What happens when there’s no answer palatable to everyone? “[This debate] is just going to keep happening,” Rep. Will Hurd (R-Texas) told Codebook last week.

4. Zuck is an "internet power user" and other Facebook revelations

Photo: Jaap Arriens/NurPhoto via Getty Images

Facebook has raised its worst-case estimate of the number of people who may have been affected by the Cambridge Analytica scandal from 50 million in earlier reports to 87 million, and will begin telling individual users whether their information may have been improperly shared.

Facebook is also updating its policies to restrict third party data access.

  • The main changes are to its back-end application programming interfaces (APIs), which will restrict outside developers from accessing user data collected through Facebook events, groups and pages.
  • It's also restricting access to data through Facebook Login, a tool for software developers that lets users of their applications sign in with Facebook credentials.

From a Wednesday conference call with CEO Mark Zuckerberg:

  • Most of Facebook's users could have had data from their public profiles scraped by third parties.
  • The company is weighing its legal options against Cambridge Analytica, but waiting for the results of official investigations before any moves.
  • Financial impact: Zuck said he has yet to see a meaningful decline in users, usage or advertising. "But look, it’s not good. I don’t want anyone to be unhappy with our services," he said.
  • And as Axios power user David McCabe noted on Twitter: "The CEO of Facebook dot com, the social network, also just said that he is a 'power user of the internet.'"

5. IBM: Stolen records down, but...

The number of records stolen in breaches globally dropped by more than a billion last year, from 4 billion in 2016 to 2.9 billion in 2017, according to new information from IBM. That's a first: never before has there been a year over year decline in this statistic, which is one yardstick for how many times individuals had their data stolen.

Yes, but: IBM is also pretty sure this has less to do with hackers developing scruples than with the rise of more lucrative forms of cybercrime, like ransomware and cryptocurrency mining.

6. Outgoing White House email not protected by verification system

The security advocacy group Global Cyber Alliance tested the 26 email domains managed by the Executive Office of the President (EOP) and found that only one fully implements a security protocol that verifies the emails as genuinely from the White House. Of the 26 domains, 18 are not in compliance with a Department of Homeland Security directive to implement that protocol.

Why it matters: Imagine the havoc someone could cause sending misinformation from a presidential aide's account: Such fraudulent messages could be used in phishing campaigns, to spread misinformation to careless reporters, or to embarrass White House employees by sending fake tirades under their names.

The technical details: Email was not originally designed with security in mind. Anyone can send any message with any email address listed as the sender. The security protocol DMARC lets a domain's owner publish a policy asking receiving mail servers to verify that a message really came from the claimed sender.
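To make the "fully implements" versus "not in compliance" distinction concrete, here is an added example (not code from Axios or the Global Cyber Alliance) that parses DMARC TXT records and grades each domain's posture. The domains and records are constructed; a live check would read the TXT record published at `_dmarc.<domain>` instead.

```python
"""Grade DMARC records by how fully they enforce sender verification.

Added example; the sample domains and records below are constructed and
are not the real Executive Office of the President records.
"""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value map."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: Optional[str]) -> str:
    """Return 'full', 'partial' or 'none' for one domain's DMARC record.

    full    - valid record, p=reject applied to 100% of mail
    partial - valid record, but monitor-only (p=none), quarantine-only,
              or enforcement sampled on only a fraction of mail (pct<100)
    none    - no record, or a TXT record that is not DMARC at all
    """
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in (
        "none", "quarantine", "reject"
    ):
        return "none"
    try:
        pct = int(tags.get("pct", "100"))  # RFC 7489 default is 100
    except ValueError:
        pct = 0  # malformed pct: treat as not enforcing
    if tags["p"].lower() == "reject" and pct == 100:
        return "full"
    return "partial"


SAMPLE_RECORDS: Dict[str, Optional[str]] = {  # constructed, not real
    "agency-a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.test",
    "agency-b.test": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.test",
    "agency-c.test": "v=DMARC1; p=quarantine; pct=25",
    "agency-d.test": None,                 # no _dmarc TXT record published
    "agency-e.test": "v=spf1 -all",        # SPF record, not DMARC
}


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per posture, the way a compliance survey would."""
    counts = {"full": 0, "partial": 0, "none": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts
```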

Go deeper: Read the full story at

7. Odds and ends

  • An espionage group nicknamed OceanLotus, believed to be Vietnamese, appears to be using a new Mac backdoor. (Trend Micro)
  • Tinder was sideswiped by Facebook's security changes. (The Verge)
  • North Korea might have attacked a South American online casino. (ESET)
  • The courts gave Massachusetts a green light to sue Equifax. (Reuters)
  • Cisco Talos found multiple security vulnerabilities in the software for some brain scanning machines. (Talos)

Codebook will be back on Tuesday.