Jun 6, 2019

Axios Codebook

Welcome to Codebook, a strange newsletter — the only way to win is not to play.

Today's Smart Brevity: 1,454 words, ~5 minute read

1 big thing: Lessons from history's great hacker groups

Illustration: Axios Visuals

The best way to solve today's unprecedented problems in cybersecurity is to learn from the problem-solving hacker groups of the late '80s and '90s, according to Joseph Menn, author of the just-released "Cult of the Dead Cow," a chronicle of one of the most legendary of those groups.

The big picture: The Cult of the Dead Cow (cDc) began as a group of mostly Texans, mostly teenagers, communicating over telephone-based bulletin boards in an era before the web existed, becoming pioneers of hacking in the public interest. Menn's book covers the heyday of the group and some of its contemporaries, including The L0pht and W00W00 (note the zeros in place of Os).

Details: "They were critical thinkers. They didn’t give up when the problems were bigger than they thought," Menn told Axios.

  • Menn had access to communications between group members in writing the book, and he explores the group's real-time debates over how best to solve ethical problems they came across.
  • Working on the fly, the cDc and L0pht groups solved some of the fundamental problems of cybersecurity ethics in lasting, practical ways — with an innovative, sometimes dangerous spirit Menn hopes can be applied to today's problems.

So why write about the cDc now? "We need to celebrate the good things that happen in infosec [information security] — there aren’t a lot of them — and celebrate the things that can be emulated," said Menn.

  • There are any number of books that cover the looming dangers of cybersecurity — Menn wrote one of them himself.
  • "Since then, there’ve been a ton of books — we’re screwed in this way, we’re screwed in that way. I didn’t want to do that again," he said.

Between the lines: Here's just a sample of the broad impact of cDc, The L0pht and W00W00.

  • Members of cDc went on to run DARPA, and at least one held national office before recently announcing a run for president. Others became the prototypes for the ethical CISO as an ombudsman for the customer. A third group, cited as inspiration for Tor and the Citizen Lab, developed the ethical basis for hacktivism.
  • The L0pht developed the idea of responsible disclosure — disclosing vulnerabilities to a company, giving them the opportunity to fix a security flaw in a product before the researchers publicly released it at a predetermined date. Until responsible disclosure, and the threat of hackers seeing unpatched attack techniques, companies often ignored researchers.
  • cDc released the "Back Orifice" hacking tool in 1998, which marked a turning point in Microsoft starting to take operating system security seriously.
  • W00W00 hackers created Napster, and more recently, WhatsApp.

The bottom line: While factionalized hacker groups similar to those of the '80s and '90s don't exist anymore to take the mantle of the cDc, companies and nonprofits could adopt the same deliberative, ethical approach to problems.

  • "Some things have been lost in terms of these cross-cultural groupings, but there are more avenues. Facebook and Google are hiring ethicists," Menn said. "Companies need to look to cDc."
  • Startups and small organizations have opportunities to start with ethics from the ground up.
  • "It’s hard to bolt on morality after the fact," said Menn.
2. DHS to re-evaluate potential election hacking in North Carolina

The Department of Homeland Security will re-evaluate potential election hacking in North Carolina, whose electronic poll books may have malfunctioned in 2016.

To be clear: The state may already have been through an investigation of the same issues. North Carolina's general counsel told the Washington Post that Homeland Security first audited North Carolina's systems 18 months ago.

The big picture: Former intelligence contractor Reality Winner, now in prison for leaking classified documents, was first to reveal that Russia hacked Florida-based electronic poll book-manufacturer VR Systems in the run-up to the election. It then used information from that attack to spear phish states using the firm's poll books.

  • North Carolina used those poll books, which appeared to malfunction on election night 2016 by marking some voters as already voting before signing in. The state decided to switch to manual poll books, causing long lines at polling places.
  • It's likely, though not certain, that VR systems was the unnamed Florida-based election vendor mentioned in the Mueller report. Details in Mueller's report match documents Winner provided The Intercept.

Why it matters: If Russia did in fact cause long lines in North Carolina, it may be the first concrete example of a foreign nation materially affecting vote totals rather than just influencing public opinion. Long lines dissuade voters from voting.

Threat level: North Carolina voted for President Trump in 2016 by a narrow margin, roughly 3.7 %.

  • If Russia did impact the North Carolina vote — which is still speculative at this point — it's unclear whether the intent was to get Trump elected or just cause chaos.
  • But the state would be among the most realistic targets for election interference. Heading into the election, according to RealClearPolitics, Trump's lead was under 1% in North Carolina polls, which could have been shored up with help.
  • States like Wisconsin, which partisans claimed to be a potential location for election hacking, were not anticipated to be as close, making dirty tricks harder to pull off. Wisconsin's 2016 voting ultimately emulated the county-by-county results of its earlier election for governor.
3. How a phone scam tied up a police call center

In a previously unreported event demonstrating both the risks all organizations face from threats to the telephone system and how to mitigate them, an Arabic-speaking phone scammer tied up the nonemergency police call centers in Maryland's Howard County with a flood of calls over two days in August, briefly disrupting services.

Why it matters: The scam was against the phone company, not against Howard County, a target picked at random. So while the county didn't lose money, it briefly lost use of its nonemergency call center.

Background: Howard County normally gets between 300 and 400 calls a day to the nonemergency number. That's where citizens might be routed "if there's a cat stuck in a tree, but the cat's not on fire," said James Cox, the county's network-server team manager.

  • Suddenly, in August, the call center started receiving 2,500 direct calls a day. That call volume made it impossible for legitimate callers to reach the system.
  • "We got to the point we had to actually turn off the numbers," Cox said.

Howard County was fortunate. It had a relationship in place with a security group that could help mitigate and investigate the attack, in this case Cisco.

  • Cisco recommended a telephone firewall provider to thwart the attack, and Cisco's Talos research group, in conjunction with the police, determined that the caller was taking advantage of a loophole in the international phone system.
  • When calls transfer from one network to another, the connecting network exacts a fee. In this case, the caller and the phone network had a kickback agreement to share that fee while placing as many calls as possible. The caller made pennies on the dollar in the scam, between $2,000 and $3,000 total.
  • While the calls appeared to be from the U.S., they were actually being routed through Europe.
  • Talos was able to help in the investigation by piecing together evidence the police had already collected and providing additional services, including an Arabic linguist, according to Matt Olney, Talos threat detection and interdiction manager.

The intrigue: Cox will publicly discuss the event for the first time at the upcoming Talos Threat Research Summit on June 9. He says there are a few important lessons.

  • Don't expect help from the phone company or social media networks to research an attack without a warrant. That makes mitigating the attack without a security expert near impossible — you need to know what an attacker is trying to do to prevent it.
  • Have a plan in place before the attack happens. Know at what call volume you can afford to expand operations to handle on the fly — or if you can live without phones for the duration of an attack.
4. In case you missed last week:

Doubts that an NSA tool was used in Baltimore: After the New York Times reported that a leaked NSA tool had been used in the Baltimore city government attack, one incident-response team and Maryland government officials both contradicted that report. (SC Magazine, CyberScoop)

  • The New York Times claim resparked a debate over the NSA's development of hacking tools. And while the NSA did develop hacking tools eventually leaked and used in attacks, the Baltimore incident does not appear to have been one of them.

Medical biller breach may affect millions: American Medical Collection Agency was breached last year, potentially affecting 11.9 million patients at its customer, Quest Diagnostics, and 7.7 million at another customer, LabCorp. (Axios, Krebs on Security)

IEEE reverses ban on Huawei: After an academic backlash, and receiving clarification from the Department of Commerce, the engineering research association IEEE reversed a ban on Huawei personnel being used as peer reviewers. (The Register)

5. Odds and ends

"WarGames" circa 1983. Photo: Hulton Archive/Getty Images

Codebook will inevitably return next week.