Sep 11, 2018

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter with two new siblings on the way (see below).

Tips? Feel free to reply to this email.

Email awareness: The Axios newsletter family is growing.

  • Axios Edge, Felix Salmon's weekly look at stories that will drive the business world, launches this Sunday. 
  • And on  Sept. 21, we'll launch Axios Autonomous Vehicles. Learn about all the good things autonomous vehicles can do while Codebook tells you how they can be hacked.
1 big thing: Businesses push for national privacy rules

Photo: Martin Barraud/Getty Images

The U.S. Chamber of Commerce has published a list of principles it hopes the government will follow for federal data privacy legislation — marking the rare occasion on which the business advocacy group is proposing, rather than fighting, regulation of its constituents.

The big picture: Tim Day, senior vice president of the Chamber Technology Engagement Center, which compiled the chamber's proposal, acknowledged to Codebook that this is a defensive move.

  • California recently passed its own data protection law, and the chamber worries other states may follow suit.
  • Internationally, countries have begun to model privacy laws on the European Union's restrictive data privacy rules. A U.S. policy could counterbalance the E.U.'s influence.

The Trump administration is also poised to throw its weight in the national privacy policy debate for similar reasons.

The chamber's proposals emphasize simplicity and uniformity across industries and localities. That may not prove easy in a nation that's never been simple or uniform.

  • By definition, a single national policy on privacy would preempt states from having their own policies.
  • That has some clear advantages. For example, right now, each state (plus D.C. and the principalities) has its own law on how companies inform consumers about data breaches, resulting, companies say, in a confusing patchwork of regulations.
  • Individual states' security standards could cause even more confusion if states envision different mixtures of products, personnel and auditing.

But privacy advocates argue that the relative ease with which states can pass these laws is valuable because federal rulemaking is so slow.

"If you lose the state laws, you don’t just lose the substance of those laws. You lose the states' agility," says Laura Moy, executive director of Georgetown University's Center on Privacy & Technology.

  • While industries have asked for a single national standard for breach notification for years, Congress has been unable to agree on one. Meanwhile, according to Moy’s research, 8 states have already passed breach legislation in 2018.

The U.S. regulates privacy differently in each industry, unlike the rest of the world, with a different standard for health care than for retail. The chamber hopes to trim that to a single standard.

The details: The chamber also wants to require any enforcement to be based on “concrete harm.”

  • Focusing on definitive or imminent harm rather than potential problems would limit the government’s ability to force firms to prevent breaches, including statutory fines for not meeting security standards. The Federal Trade Commission's chief role is to combat fraud, not regulate privacy.
  • Alan Friel, partner at BakerHostetler, noted that statutory fines are levers that states normally like to have at their disposal.
  • “The chamber is suggesting a well-accepted federal privacy principle,” says Friel. “The question in the post election-meddling and Cambridge Analytica world is, do we want something more than FTC deception authority?”
2. Tesla mitigates car-stealing key fob problem

Hackers can easily clone key fobs on Model S Teslas sold before June, according to researchers at KU Leuven university in Belgium. To prevent an attack, owners of older Teslas can either now set their cars to require a PIN before starting or replace their fobs with the souped-up new one.

The details: As the researchers outlined to Wired, the old key fobs used 40-bit encryption. "40-bit" describes the size of the cryptographic key used to secure the system. Each bit makes it exponentially more difficult to hack.

  • 40 bits is not enough. The KU Leuven team reverse engineered Telsa's security system, and with the help of a few hundred dollars in technology, their technique can guess the key.

Be smart: If you have a Model S, set up a PIN or get a new fob.

3. New botnets target old Equifax vulnerability

In a unque bit of synchronicity, Palo Alto's Unit 42 research group discovered that a network of hacked computers (known as a botnet) was spreading through the Apache Struts vulnerability used in the massive Equifax breach almost a year to the day of that breach.

The background:

  • Apache Struts is a widely used web application framework.
  • A vulnerability in Struts was used to hack Equifax. That vulnerability had already been patched, but Equifax had not applied the patch.
  • Mirai is a program hackers use to rope together vast networks of hacked computers, which they can use to crash websites. Mirai was famously used to take down Amazon, Twitter, Etsy and The New York Times during one attack in 2016.
  • Mirai is open source, and it is used and adapted by many hackers.

On Sunday, Unit 42 announced finding a first-of-its-kind Mirai botnet targeting unpatched versions of Struts.

4. Schneider Electric shipped hardware with infected USB drives

Photo: Nehru Sulejmanovski / EyeEm via Getty Images

Schneider Electric, a major provider of the systems that control industrial plants, announced last month that some of its products were shipped with malware-infected USB drives containing documentation and non-essential software.

What they're saying: "Schneider Electric has determined that some USB removable media shipped with the Conext Combox and Conext Battery Monitor products were contaminated with malware during manufacturing by one of our suppliers," the firm wrote in an advisory dated Aug. 24.

The details: According to the advisory, the malware appears to be the sort that a typical antivirus program can identify.

  • The advisory doesn't say if the malware was meant to target Schneider customers or just something that was installed on all USB drives from a particular factory.
  • But this is getting a lot of attention now, 3 weeks later, because it is a reminder that supply chains are vulnerable to attacks and that trusting a product means trusting every company that made a component of that product.
5. Odds and ends

Correction: In the previous newsletter, a story on Equifax cited a report by Reuters that the Consumer Financial Protection Bureau halted its investigation in Equifax. The CFPB disputed that report and said the investigation is ongoing.