May 3, 2018

Axios Codebook

Welcome to Codebook, the only cybersecurity newsletter that guarantees a plot twist at the end. Tips? Comments? Reply to this email address.

1 big thing: Why EU privacy rules keep security pros up at night

Illustration: Lazaro Gamio / Axios

May 25 is a date long-circled in the calendars of information security and privacy officers worldwide because it marks the advent of the European Union's General Data Protection Regulation (GDPR).

Why it matters: The new rules impose strict penalties for improperly collecting or storing users' personal information. But the devil is in virtually every detail, from what actually constitutes personal information to how to define "collect" and "store" — and the resulting confusion could impact everything from criminal investigations to the blockchain industry.

What GDPR is trying to do: GDPR requires global businesses to receive explicit consent to store the personal data of any European citizen and provide a mechanism for users to delete any stored information. It also tightens security practices, including encouraging encryption.

  • In the worst case, the EU will fine businesses 4% of global revenue, or a minimum of €20 million.

Where the problems begin: Personal information can be anything from the obvious (names, addresses, credit card information) to some more obscure pieces of data (users' internet addresses). But the law didn't foresee many of the instances where the public interest might be served by technology that doesn't follow its privacy rules.

  • Blockchain is one. The WHOIS database, the internet's long-running public record of who owns which web site domain, is another — and is facing a likely shutdown as a result of GDPR.
  • Smaller firms are less prepared for GDPR than larger ones, so they'll be in for some rude surprises.

Read the whole story here.

2. Inventive scammers already using GDPR in new phishing schemes

Researchers at Redscan (reported by ZDNet here) are already picking up phishing scams disguised as common websites asking for GDPR-required consent forms to store personal data.

Why it matters: Since all websites must now double-check whether customers are comfortable storing their information under the new EU privacy laws, users are going to be inundated with these requests — and will likely let their guard down.

The details: The scam caught by Redscan looks like an Airbnb notification about complying with GDPR rules. Anyone who clicks through will be asked for personal data, account credentials and credit card info.

3. Schneider patches critical infrastructure bugs

Tenable announced Wednesday it had discovered a security vulnerability in two applications used by Schneider Electric, a global maker of industrial control systems for power plants and factories with $30 billion in revenue. Schneider has released a patch.

Why it matters: This sort of news is a call for firms that run industrial systems like Schneider's to keep them up to date.

Hacking critical infrastructure is tough, and the threats are often inflated by the media. This problem wasn't the one thing preventing Russian hackers from blacking out the U.S. But it was, potentially, one link in a chain of events that could lead to a plant shutdown. Those things are important to fix, too.

4. ZooPark is ZooSpying on Mideastern ZooDevices

An Egyptian driver uses the Uber app. Photo: Khalid Desouki / AFP via Getty Images.

Kaspersky Lab has detailed a new advanced cyberespionage campaign — dubbed "ZooPark" — that targets Android devices in the Middle East.

The details: In a report released Thursday, Kaspersky said ZooPark is targeting devices in Egypt, Jordan, Morocco, Lebanon and Iran and has been active since at least 2015.

  • The intended victims appear to have an interest in Kurdish elections and voting.

The capabilities: The latest of four ZooPark versions, released in 2017, offers the ability to perform several kinds of surveillance, including recording calls, logging key entry and taking screen grabs. It can also send texts and place calls.

In 2016, in a brief departure, ZooPark built a version based on commercial spyware known as Spymaster Pro — but has since switched back to its in-house version.

How to be infected with ZooPark: The attackers install malware through Telegram channels and through malware embedded on legitimate websites, what is known as a watering hole attack.

  • The watering hole attacks used two news sites, one popular in Egypt and one popular in Jordan and Lebanon. These attacks used the 2016 Spymaster Pro version.
  • Several of the Telegram attacks were meant to appear to be apps related to Kurdish elections and referenda.

5. China is even worse at email protection

We've had some fun at the expense of the U.S. government and federal contractors that have yet to adopt the email fraud blocking protocol DMARC (here, and here, and probably some other places too). But Chinese adoption of DMARC is even spottier.

The details: According to the firm 250ok, only 2% of the top 100 Chinese firms use DMARC. In a study last year, around a third of the Fortune 500 used DMARC — and that was before a rapid increase in adoption over the last year.

Why it matters: Clever phishing attempts will make scam emails appear to come from trusted firms — say, asking for your Gmail account details in an email that appears to come from "". Using DMARC, Google prevents those emails from ever showing up in a user's inbox. China's low adoption makes Chinese citizens — and firms doing business with Chinese entities — prime targets for scammers.
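As an added illustration (not part of the newsletter or of any vendor's tooling), here is a small Python checker that parses a DMARC TXT record of the kind a domain publishes at the _dmarc subdomain and classifies whether it would actually tell receivers to block spoofed mail; the sample records are constructed.

```python
# Added example: parse a DMARC TXT record and classify the protection it
# gives. The records in SAMPLES are constructed for illustration.

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict.

    Returns an empty dict unless the record starts with v=DMARC1 and
    carries a p= tag, the two tags RFC 7489 requires.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # stray text or a trailing empty segment
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def dmarc_posture(txt: str) -> str:
    """Classify a record as 'missing', 'monitor', 'partial' or 'enforced'.

    enforced: p=reject or p=quarantine applied to 100% of failing mail.
    partial:  same policy but pct= below 100, so some spoofs get through.
    monitor:  p=none, reports only; spoofed mail is still delivered.
    missing:  no usable DMARC record (the 250ok-style 'not adopted' case).
    """
    tags = parse_dmarc(txt)
    if not tags:
        return "missing"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"
    if policy not in ("quarantine", "reject"):
        return "missing"  # invalid p= value: no enforceable policy
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    return "enforced"


# Constructed sample records (not real domains' DNS data)
SAMPLES = {
    "enforced-domain": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-domain": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-domain": "v=DMARC1; p=quarantine; pct=25",
    "no-dmarc-domain": "v=spf1 include:_spf.example.com -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {dmarc_posture(record)}")
```

In a live check the record text would come from a DNS TXT query for _dmarc.<domain>; only an "enforced" result means receivers such as Gmail are instructed to keep spoofed mail out of the inbox.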

6. Odds and ends

  • Australia's Commonwealth Bank lost track of tape backups with details on 20 million accounts. (Reuters)
  • Cambridge Analytica and its parent company suddenly closed operations, possibly to rebrand as a different company. (Wall Street Journal)
  • Dutch researchers adapted Rowhammer for Android devices. Rowhammer is an attack that uses electric currents to manipulate memory. (Wired)
  • Facebook has fired a bunch of employees over the years for stalking using their access to the service's data, including one this week. (Motherboard)
  • A group of companies once accused of collaborating with the U.S. on surveillance — including Apple, Microsoft, Google, and Facebook — now wants to thwart encryption backdoors. (Reform Government Surveillance)

Codebook will return Tuesday. Bruce Willis was dead the whole time.