Sep 27, 2018

Axios Codebook


Welcome to Codebook, Axios' cybersecurity newsletter. All of this stuff actually happened.

Tips? Reply to this email.

1 big thing: Trump's bogus "Chinese election meddling" charge

President Trump chairs a UN Security Council meeting, Sept. 26. Photo: Spencer Platt/Getty Images

At the UN on Wednesday, President Trump repeatedly claimed that China is meddling in the U.S. midterm elections. But his administration has provided no evidence that that's true, according to any useful definition of "election meddling."

In three different stage appearances, the president conflated predictable tactics triggered by his trade war — including tariffs targeted by China at influential states and a clearly labeled "advertorial" about the farm bill in an Iowa newspaper — with Russian-style interference of the sort that clouded the 2016 U.S. elections.

Why it matters: These are serious times, with serious threats. If the accusation of election meddling is to mean anything, it has to mean actions that are covert, illegal or violating an international norm. Unless the Trump administration has intelligence that it hasn't revealed, China's moves are none of those things.

Without offering details, Trump told the UN Security Council: "Regrettably, we found that China has been attempting to interfere in our upcoming 2018 election — coming up in November — against my administration. They do not want me —or us — to win because I am the first president ever to challenge China on trade."

The rest of the day: The administration soon followed with a press call from a "top administration official" that focused on the ad and tariffs. Trump mentioned the ad and tariffs in a tweet and subsequent appearances before the press.

To be clear: The United States also targets tariffs in order to achieve political goals. Trump may not like it when China does the same, but it's neither covert nor illegal.

  • The ad, which Trump singled out as "[ads] that don't look like ads, that look like editorials," was a four-page insert clearly identified as "sponsored by China Daily" at the top of the page. It was more an argument in favor of bilateral trade than a political advertisement aimed at electioneering.

The scoreboard: Despite being accused of what sounded like a minor act of war, China likely leaves New York happy with Trump's general posture. On Tuesday, Trump offered a speech before the General Assembly emphasizing the importance of national sovereignty.

  • "Around the world, responsible nations must defend against threats to sovereignty not just from global governance, but also from other, new forms of coercion and domination," Trump said.
  • China regularly makes the same point about "cyber sovereignty" to promote a fragmented, locally governed internet that lets it control information domestically.
  • The U.S. and other nations have always treated that idea in the past as an attempt to legitimize crackdowns on free speech and freedom of protest.

Codebook reached out to lawmakers interested in cybersecurity, law enforcement, state secretaries of state (who oversee elections) and cybersecurity firms — including those who have traditionally been hawks on China. No one would confirm the administration's charge of Chinese election interference.

A flustered Sen. Mark Warner (D-Va.) pointed out to reporters that the White House has a history of trying to divert attention from scandals and that, if the president really wanted to do something to protect election integrity, he could back the Senate's bipartisan election security bill.

Chinese Foreign Ministry spokesperson Geng Shuang responded Thursday, "We advise the U.S. to stop this unceasing criticism and slander of China. Stop these wrong words and deeds that damage bilateral relations and the basic interests of both countries' peoples."

Facebook using authentication info for ads

Users who give Facebook phone numbers as part of a two-factor authentication process can be targeted for ads on the basis of those numbers, according to researchers at Northeastern University and Gizmodo reporter Kashmir Hill. Facebook is also taking the phone numbers of friends that users upload and linking them to those friends' accounts.

Why it matters: It isn’t readily apparent to most people that the phone number they’ve provided solely for security purposes would be treated as content for the social media firm’s advertising mill. It may be even less apparent that phone numbers users don’t upload themselves — that their friends uploaded — would still be linked to them.

Julian Assange steps down as WikiLeaks editor-in-chief

Julian Assange. Photo: Jack Taylor/Getty Images

Wikileaks figurehead Julian Assange stepped down as editor-in-chief Wednesday, naming Kristinn Hrafnsson his replacement. Assange will remain publisher.

Why it matters: Assange no longer has internet access after burning bridges at the Ecuadorian Embassy in London, where he remains sequestered. He first took asylum in the embassy after being accused of sexual misconduct, claiming he feared extradition.

Fancy Bear using fancy new malware

Researchers at ESET discovered that Fancy Bear, hackers associated with Russian intelligence best known for hacking the Democratic National Committee and other targets in the 2016 election, can now infect the firmware layer that operating systems rely on to interact with hardware.

Why it matters: The security community has long speculated that malware infecting that firmware, known as UEFI, might become a problem. It is particularly worrisome because most computer security starts at the operating system level, and UEFI runs beneath it — meaning successful infections would be hard to see.

  • There had been proof-of-concept malware presented at conferences, but it had never before been seen in the wild.

ESET is calling the malware "LoJax" because it abuses a tool previously used to deploy the LoJack security system.

Should you be worried? UEFI has a defense system against these kinds of attacks known as Secure Boot that, if activated, will repel unrecognized software. ESET says turning on Secure Boot would protect against LoJax.

  • A lot needs to go wrong before an attacker can change UEFI in the first place, meaning this isn't the most practical attack.

More Fancy Bear: New functions in spies' router malware
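Since ESET's advice is to confirm that Secure Boot is on, here is a small defender-side check. It is an added example, not code from the newsletter or from ESET: it reads the UEFI SecureBoot variable the way Linux exposes it under efivarfs (four attribute bytes followed by a one-byte value) and reports the state. The directory, the variable name and the GUID are the standard EFI global-variable namespace; the sample files are constructed for offline testing and are not captures from a real machine.

```shell
#!/bin/sh
# Added example: report whether UEFI Secure Boot is enforced on a Linux host.
# Assumes efivarfs is mounted at the standard location (override with EFIVARS_DIR).

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
# Standard EFI global variable: SecureBoot in the EFI_GLOBAL_VARIABLE namespace.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state FILE
# Prints "enabled", "disabled" or "unknown"; returns 0, 1 or 2 respectively.
secure_boot_state() {
    f="$1"
    if [ ! -r "$f" ]; then
        # No variable: legacy BIOS boot, efivarfs not mounted, or no permission.
        echo unknown
        return 2
    fi
    # efivarfs layout: 4 bytes of attributes, then the variable data.
    # SecureBoot is a single byte: 1 = enforced, 0 = not enforced.
    byte=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$byte" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

# check_secure_boot: the live check against the running system.
check_secure_boot() {
    secure_boot_state "$EFIVARS_DIR/$SB_VAR"
}

# make_sample DEST VALUE
# Writes a constructed efivarfs-style file (attributes 0x06, then VALUE) so the
# parser can be exercised offline. Not a capture from a real machine.
make_sample() {
    printf '\006\000\000\000' > "$1"
    if [ "$2" = 1 ]; then
        printf '\001' >> "$1"
    else
        printf '\000' >> "$1"
    fi
}

# Usage: sh secureboot_check.sh --live   (runs the check on this host)
if [ "${1:-}" = "--live" ]; then
    check_secure_boot
fi
```

A result of "unknown" deserves a closer look rather than a shrug: it means the machine either booted in legacy BIOS mode (where Secure Boot cannot help at all) or the firmware variables are not visible, so the mitigation ESET points to cannot be confirmed from inside the OS.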

Cisco's Talos research group announced seven new capabilities in VPNFilter, malware targeting routers that the Department of Justice believes is being propagated by the Russian spy group Fancy Bear.

The background: Talos first announced discovering the malware in May. Soon after, the FBI publicly recommended that Americans using routers from the bevy of affected brands (Linksys, MikroTik, NETGEAR and TP-Link) take action to clear any potential infection.

  • Talos said, at the time, at least 500,000 devices worldwide had been infected.
  • It also said the VPNFilter code overlapped with malware used by Russian attackers in the past.
  • The DOJ seized a web address being used by VPNFilter later that week, claiming in the court document the malware indeed came from Russian intelligence.
  • The malware — like Russia — is particularly focused on Ukrainian targets.

The new tools: In a blog post Wednesday, Cisco noted that VPNFilter could be used to do more things than previously thought, including new ways to:

  • Map networks and take advantage of connected systems
  • Disguise traffic and steal data
  • Discover new victims
  • Use the infected devices to disguise other attacks

New York Times' FCC lawsuit may yield new Russia links

The New York Times launched a Freedom of Information Act lawsuit against the Federal Communications Commission last week for technical information about meddling in the net neutrality debate. Researchers cited in the suit say that a Times win could yield further evidence of the culprit's other activities.

The details:

  • The Times suit seeks server logs from the FCC.
  • The lawsuit cites research from GroupSense demonstrating that stolen email accounts linked to Russian disinformation campaigns were used to submit comments to the FCC about the issue.

Tom Richards, GroupSense's chief strategy officer, told Codebook those logs could be useful in determining whether Russia actually submitted the false comments and what else they had been up to if the commenters failed to mask their internet addresses.

What they're saying: "They probably masked their IP addresses [internet addresses], but all it takes is them making a mistake once," says Richards.

Caveat: The FCC argues that providing the logs wouldn't be without peril — any authentic commenters would also see their internet addresses revealed.

Odds and ends