Oct 24, 2019

Axios Codebook

Axios

Welcome to Codebook, the only cold brewed cybersecurity newsletter.

Tips? Gripes? Lonely? Feel free to reply to this email.

Today's newsletter is 1,871 words, a 7-minute read.

1 big thing: 2020 may be cybersecurity's "year of the platform"

Illustration: Aïda Amer/Axios

Vendors and cybersecurity pros anticipate businesses may finally pivot from using dozens of independently working products to using integrated platforms built with coordination in mind. It's a small-seeming tweak with the power to completely reshape the industry.

Why it matters: Business users currently layer sometimes dozens of unconnected security products on top of each other, creating overlaps and gaps in coverage. It's like building a pile of loose string when what you really want is a net.

But, but, but: A lot of the innovation in cybersecurity comes from its sprawling ecosystem of products designed to solve single problems. If clients begin to demand one-stop, one-provider solutions, the industry could contract, losing its research and design finesse along the way.

Large enterprises use 20 security products on average from nine different vendors, according to Forrester Research. Ask around, and it's easy to find companies using two or three times as many.

Vendors and their clients have long anticipated this change, but now they say it's here.

  • "2020 will be the year of the platform," said Nicole Eagan, CEO of Darktrace.
  • "This is the way the pendulum is swinging," said Kiersten Todt, managing director of the Cyber Readiness Institute (CRI), a nonprofit that works with small businesses to bolster cybersecurity.

Vendor fatigue: Cutting down the number of security products an enterprise uses is most often seen as a way to boost efficiency and save money.

  • The more vendors a company has, the more products staff members have to be trained to use.
  • "We found talking to customers that the most important factor in picking products is customer service," said Kevin Simzer, COO of Trend Micro, talking about why he expected a shift toward platforms. "They want to work with a single trusted vendor."
  • More overlapping products means more overlapping alerts to investigate.

Cost: Typically, when businesses cut down the number of products they're using, they cut costs. And, at least according to Eagan, there are a number of solutions sold as products that would be more appropriate as features in larger packages.

Security: It isn't just an efficiency issue.

  • It's easy for a business not to notice when a crateload of security products has a gap. But hackers search for systems vulnerable to their preferred gaps.

An integrated platform could be one built by a single vendor designing a unified system. Or it could be built out of products from separate vendors designed to piece together without overlaps or gaps.

For businesses, cybersecurity products tend to accumulate over time.

  • "Very few companies would create a network the same way if they started from scratch," said retired Maj. Gen. Earl Matthews, of Verodin, a company that helps clients integrate disparate cybersecurity products into more cohesive units.
  • Some products, he says, come from trying to solve an emerging problem like ransomware right away with ransomware-specific solutions. Over time, other products add ransomware protection to their capabilities, eliminating the need for the specific product, but companies are slow to eliminate its use.
  • "Also, some salesmen are very good," said Matthews.

The catch: Todt worries that a move toward platforms might encourage smaller companies to overlook the occasions when they do need specialized products.

  • "You actually have to have the appropriate functionality," she said. "You’re starting to see mobile security become part of platforms. But not all mobile security is alike."
2. Hackers targeted UN, NGOs that watch North Korea

Hackers targeting nongovernmental humanitarian groups, including UN groups like UNICEF, sought to steal login credentials using sophisticated phishing sites, according to a new report by mobile security firm Lookout.

Why it matters: Lookout doesn't attribute attacks to specific actors, but the lures used to draw targets to the phishing sites were links only of interest to workers following issues involving North Korea. That suggests North Korea is a likely suspect here.

What they found: The phishing sites used a number of clever tricks.

  • For one, if users reached the phishing sites through any path other than the phishing URL, it forwarded the user to a legitimate site. That limits the hackers' exposure.
  • While most people believe a site won't see the login data they type into a website unless they hit submit, the sites used key loggers to steal login data even if they didn't.
  • Like many modern phishing campaigns, the site used SSL certificates — the encryption measures that produce the lock icon in the URL bar, which less sophisticated users are sometimes told to look for to thwart phishing. Also, the sites used long URL names, making it harder for people on mobile phones to notice inconsistencies there.

The sites were hosted by the Malaysian firm Shinjiru, Lookout's Jeremy Richards told Axios.

  • Shinjiru is a so-called bulletproof hosting service offering technical and legal protections for hackers. Using providers like Shinjiru raises an automatic red flag in Lookout's machine learning system.
3. Facebook takes down Russian accounts playing IRA's greatest hits

Facebook announced the removal of four networks of troll accounts on Monday, one Russian and three Iranian. While you may have heard the Russian accounts attacked Democratic candidate Joe Biden and praised President Trump, that's an oversimplification of what the 93 Internet Research Agency-linked accounts were up to.

Why it matters: Less than half of the malicious accounts focused on the 2020 election, according to a Graphika report. The accounts, on the whole, were very similar to the 2016 campaigns largely focused on fracturing the nation over divisive issues — so similar that they appeared in many cases to be reposting lightly modified versions of posts from 2016.

Due to the "cut and paste" nature of the new campaign, Graphika has dubbed the new campaign from the Internet Research Agency "IRACopyPasta."

IRA reposted content from pro-confederacy accounts. Images via Graphika.

By the numbers: Graphika noted 40 accounts in the IRACopyPasta campaign. 25 of them did not focus on the 2020 election. Instead:

  • 9 accounts focused on African American rights issues, including police brutality.
  • 3 conservative accounts focused on gun rights.
  • 3 LGBTQ accounts.
  • 3 feminist accounts.
  • 2 pro-police accounts.
  • 2 Confederate accounts.
  • 1 environmentalist account.
  • 1 Muslim account.
  • 1 Christian account.

That leaves 15 accounts (11 backing Trump, 4 backing Sanders) focused on 2020.

Nearly half the accounts claimed to be from swing states.

The intrigue: When accounts that were primarily focused on dividing Americans commented on 2020 candidates, they had preferred candidates in mind.

  • Conservative accounts praised Trump, and accounts on both ends of the political spectrum attacked Joe Biden and (to a lesser extent) Kamala Harris and Elizabeth Warren.
  • That's similar to how most researchers view the IRA efforts in 2016 — a primary goal of causing chaos, with a secondary goal of influencing the election.

Amplifiers, not originators: Even more than repurposing the IRA's own past work, the accounts largely cut and pasted authentic posts from American users.

  • "One really important point is that repeated Russian operations have masqueraded as hyper-partisan American users," Graphika's Ben Nimmo told Codebook via email. "In other words, if you didn’t have American trolls, the Russian operators wouldn’t have anyone to pretend to be."
4. Competition takes aim at cybersecurity's stock art problem

One of the winning images. Image: Claudio Rousselon

The Hewlett Foundation and OpenIDEO announced winners in a competition to solve one of cybersecurity's stranger problems — how the field appears in the press.

The big picture: If you've ever read a news story about cybersecurity, you've probably seen a stock picture of a figure wearing a dark hoodie typing on a keyboard in gloves (how do you type in gloves?), maybe punctuated with neon green binary.

  • That's not what hackers or hacking looks like, and the pervasive hacker stereotype only serves to scare and confuse.

"Cyber issues are complex," Eli Sugarman, program officer for Hewlett's Cyber Initiative, told Codebook. "What does green binary actually tell anybody?"

Artists competed to create graphical representations of specific, hard to visualize cybersecurity issues, like encryption and geopolitics.

  • The five winners stem from all over the world, from India to Australia. The above image is by Claudio Rousselon, a Mexican artist. Each received $7,000.
  • Axios managing editor Scott Rosenberg served as one of five judges.
5. Republicans raid secure facility, order pizza

Dozens of Republican lawmakers interrupted a House committee's impeachment inquiry Wednesday, forcing their way into the secured area holding the proceedings, known as a SCIF (Sensitive Compartmented Information Facility), and throwing a pizza party.

Why it matters: Though the Republicans treated it as a prank as well as a protest — they sat in and ordered pizza — violating the security of a SCIF is a huge deal that came across to current and former national security personnel Codebook spoke to as a slap in the face.

Republicans claimed they wanted access to "secret" proceedings, although more than 40 Republican members, including 13 of the protesters, already had access to them, as members of relevant committees.

What is a SCIF, anyway? SCIFs are secure facilities used by intelligence personnel to keep a lid on classified or sensitive information.

  • Unauthorized folks entering the SCIF, including the Republicans who came in with cellphones (a SCIF no-no), put the entire security of the SCIF at risk, whether they intended that or not.
  • Because of the representatives' stunt, security officials had to sweep the room for bugs lawmakers may have unwittingly carried in or cellphones they may have left behind that could be used by hackers as recording devices.
  • This matters. Strict security protocols are what keep these places safe.

Why hold these proceedings in a SCIF? Both parties understand this logic. In the final report of one of the Benghazi investigations, lawmakers, including Republicans Trey Gowdy (now a Trump lawyer), Mike Pompeo (now secretary of state) and Jim Jordan (still a representative) wrote:

  • "The Committee’s preference for private interviews over public hearings has been questioned."
  • "Interviews allow witnesses to be questioned in depth by a highly prepared member or staff person. In a hearing, every member of a committee is recognized — usually for five minutes — a procedure which precludes in-depth focused questioning."
  • "Witnesses have no incentive to run out the clock."
  • "Likewise, Members have no need to interrupt witnesses to try to ask all their questions in five minutes."
  • "Perhaps more importantly, political posturing, self-serving speeches, and theatrics serve no purpose in a closed interview and, as a result, the questioning in interviews tends to be far more effective at discovering information than at public hearings."
  • "For these reasons, nearly all Executive Branch investigations are conducted in private and without arbitrary time constraints."
6. Last week in review

Internal memo claims White House is setting itself up for a breach: Axios' Alexi McCammond broke news yesterday: An internal memo on cybersecurity, obtained by Axios, warns that "the White House is posturing itself to be electronically compromised once again."

  • The memo served as a resignation letter from Dimitrios Vastakis, who was the branch chief of the White House computer network defense, who warned that several moves by the administration dramatically increased the risk the White House would be breached.
  • That includes the departure of at least a dozen top- or high-level officials from the Office of the Chief Information Security Officer who have resigned or been pushed out.
  • In July, that division was folded into the Office of the Chief Information Officer.
  • A White House source familiar with the plans told Axios: "'You have an entire section who’s dedicated to providing counter threat intelligence information' and 'if you remove that, it’s like the Wild West again.'"

Trend Micro buys Cloud Conformity: Acquiring the Australian cloud security provider means Trend Micro can help clients prevent problems stemming from misconfiguration — currently a major cause of cloud security flaws.

  • "We're not just buying the product, we're buying the team," said Trend Micro COO Kevin Simzer, who noted they intended to keep all staff — not just engineering staff — on after the merger. The Cloud Conformity product will be available right away.
7. Odds and ends
Axios

The Browns are a lost cause. We wasted $5.

Codebook will return next week.