November 06, 2018

Welcome to Codebook, the cybersecurity newsletter with tons of inside jokes that only people who have already voted will get. You should probably just go vote before you read this.

Story ideas? Feel free to reply to this newsletter.

1 big thing: Lessons from Georgia's hacking debacle

Illustration: Aïda Amer/Axios

Time will tell whether controversial hacking allegations made in the final inning of the Georgia governor's race have any merit. But one thing is already clear: If other officials in other states need to make similar announcements, they can learn a lot from what just went down in Georgia.

The big picture: On Sunday, Georgia Secretary of State Brian Kemp accused Democrats of masterminding a "failed attempt to hack the state's voter registration system." The charge was incendiary: Kemp, who provided no evidence for his claims, is also the Trump-backed Republican nominee for governor, locked in a dead-heat race. The announcement landed with a thud in cybersecurity circles, where election-watchers recall Kemp's past cybersecurity controversies.

Experts pinpoint a number of ways Kemp could have avoided outrage this time around:

ID with caution. The first key lesson from Georgia is to think through publicly naming any supposed hacker, whether a criminal, a nation or a political rival. Unless an arrest has been made, there's a reasonable chance you might not even want to.

  • "Making an attribution public is always a policy decision. There’s nothing about discovery of an attack that requires communicating it," said Andy Grotto, former senior director for cybersecurity policy for Presidents Trump and Obama, and currently a fellow at Stanford University.
  • The executive branch could publicly disclose the names or affiliations of far more hackers than it does. Historically, it only announces an attribution or a suspect when that serves either a policy or a protection purpose. And it has tried to protect its credibility by only doing so after the evidence is in.

Be specific. Extraordinary claims call for extraordinary evidence. Kemp didn't provide any evidence. That makes his charge hard for experts to swallow.

  • "Based on the data available, this doesn't meet any semblance of credibility," said Jake Williams, founder of the Georgian firm Rendition InfoSec.
  • Williams needs more details to even determine what evidence Kemp was missing. "He needs to talk about the techniques used or the damage supposedly done. Once claims are quantified, then we can better understand the type of evidence he needs to provide."

Protect long-term security. While we still don't know exactly what happened, many of the people close to the matter believe Kemp is claiming that a researcher's attempt to alert the state to potential vulnerabilities in its systems was itself an act of hacking.

  • It would be the second instance in the last two years of this sort, where a researcher's effort to help the state triggers hacking accusations.
  • Scaring away people who help bolster your security results in weaker security.

Create norms. Candidates and law enforcement agencies know that some actions during an election are out of bounds. But we don't yet have norms around states announcing election-related hacking attempts — let alone when political rivals are involved.

  • Jamil Jaffer, founder of the National Security Institute at George Mason University and former associate counsel to President George W. Bush, said that there may already be a good model — how we treat things like announcements of suspected ballot stuffing.
  • If secretaries of state haven't recused themselves from overseeing the election (Kemp did not), experts we spoke to largely agree they should at least recuse themselves from decisions to make these announcements.

2. Final notes from the election security front

Photo: Justin Sullivan/Getty Images

  • At least three states have announced activating their National Guard cyber corps to assist with election security: Washington, often seen as the national model for the concept; Illinois; and Wisconsin. Wisconsin did so on Friday. (ZDNet).
  • helps people find election information. redirected people to a site that ran a scam on users, claiming their system had been infected with Pegasus spyware and asking them to contact a fake tech support center. The scam was first noted by Endgame's Amanda Rousseau. (Amanda Rousseau on Twitter)
  • Lots of companies offered free security services to election officials. By and large, that helped — but what would help more now is someone to coordinate the services. (Cyberscoop)
  • Unisyn, a vendor that makes optical scanners for elections, advised its clients to use easy-to-hack passwords and tiptoe around federal password guidelines, according to an expert who found its manual at various sites he was advising. (Motherboard)
  • Did you vote? You should vote.

3. Oracle: China used troubling internet routing "intentionally or not"

In a blog post on Monday, Oracle's director of internet analysis Doug Madory confirmed internet routing anomalies extrapolated on in a controversial paper from the Naval War College.

The War College paper alleged that China had been using a technique known as border gateway protocol (BGP) hijacking to hack international internet traffic.

Background: BGP is a key piece of the duct tape that holds the internet together. The internet isn't one network — instead, its a bunch of massive networks owned by private companies and nations, not all of which link to each other.

  • In order to get traffic from point A to point B, the networks coordinate by telling one another how quickly they can reach other networks.
  • BGP hijacking occurs when an attacker uses their network to tell all the other networks that it found a huge shortcut to get to point B, leading everyone else to route their traffic through the attacker's systems.
  • A lot of the time this happens by accident and is not an attack.

The bottom line: Madory can't confirm the War College's accusations that China Telecom was intentionally rerouting traffic through China in order to monitor it. He can, however, say that traffic was routed through China Telecom, "intentionally or not," throughout 2017.

4. Security companies change hands

  • Symantec acquired Javelin Networks and Appthority. Javelin will add new protections against Microsoft Active Directory attacks to Symantec's arsenal, and Appthority will bolster mobile application security, the companies announced.
  • Veracode, the automated software security bug detection firm, is once again in private hands, the latest move in a busy two years for the Massachusetts company. Chicago's Thoma Bravo purchased Veracode from chip designer Broadcom for $950 million, the firms announced Monday. Broadcom had acquired Veracode as part of its purchase of CA in July. CA purchased Veracode in 2017.

5. Odds and ends

See you Thursday!