Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

July 03, 2018

Welcome to Codebook, the cybersecurity newsletter honoring July fourth like a real American (and not returning with our regular newsletter till next week).

Tips? Please reply to this email.

1 big thing: How a loan scammer clouded the OPM breach

The OPM breach hearings in 2015

The House Oversight hearings on OPM in 2015. Photo: Mark Wilson/Getty Images

Last month, Maryland resident Kavira Cross pleaded guilty to applying for fraudulent loans using personal information stolen in the 2015 U.S. Office of Personnel Management breach. The plea immediately raised some uncomfortable questions about the OPM breach, in which 21 million Americans' personal information was stolen.

The U.S. attributed the breach to a Chinese intelligence operation. But surely China would not have orchestrated an attack on a federal agency just to help an American woman defraud a credit union? Here's where it's important not to jump to conclusions.

Why it matters: It's hard to look at the Cross plea without wondering about the attribution. "All prior public information was that this data breach was caused by Chinese hackers,” Sen. Mark Warner (D-Va.) wrote in a July 21 letter to the Justice Department. “Yet, according to the DOJ, this information is now in the hands of U.S. residents for illicit use, and may have been as early as 2015."

The U.S. has even arrested a Chinese national last year in the case. If Cross, rather than China, had hacked OPM — again, please don't jump to this conclusion — the U.S. would pay a big price in lost credibility. But experts say there are other explanations in play.

The background: Some of this confusion is of the Department of Justice's making.

  • The original June 18 DOJ press release about the Cross case said she had "participat[ed] in a scheme to use the stolen information of victims of the [OPM breach]." It read to many like the scheme involved either stealing or purchasing stolen OPM records.
  • Three days later, after confusion began to mount, the DOJ scrubbed the press release of any mention of OPM. But a note explain the change didn't answer many of the fundamental questions: "Numerous victims of the [Langley Federal Credit Union] identity theft fraud also identified themselves to DOJ as victims of the OPM Data Breach. The Government continues to investigate the ultimate source of the [personal information] used by the defendants and how this [personal information] was obtained. "

Be smart: "The story is weird, and we don’t know the provenance of the data," cautioned Toni Gidwani, director of research operations at ThreatConnect. "We’re in a space where there are multiple, plausible explanations for how she got the data."

  • Criminals tend to use current events as lures in phishing attacks designed to get people to give up personal information. In fact, in 2015, the Department of Homeland Security's U.S. Computer Emergency Readiness Team warned about phishing attacks related to the OPM theft.
  • OPM, as its name implies, stores data on federal employees and those who applied for federal jobs. Any stolen data set rich in names of current and former federal employees — even, say, a list of Northern Virginia residents — might have significant overlaps with the OPM breach data.
  • It's way too early to question the China attribution, said Gidwani and other experts.

2. ZTE shuffles board, but deck remains the same

ZTE completely overhauled its board on Friday, one of the measures agreed to in its billion-dollar bargain with President Trump to avoid more serious penalties for selling banned technology to North Korea and Iran. But the Wall Street Journal notes those changes may make little dent in the company's real power structure.

The details: ZTE's 14-person board of directors resigned, and 8 new directors were named. But:

  • The new directors were selected by ZTE's state-controlled majority-shareholder Zhongxingxin.
  • 2 of the former directors of ZTE were among the 42 minority stakeholders at Zhongxingxin, including outgoing ZTE Chairman Yin Yimin and one of his predecessors, Wei Zaisheng. Also in the Zhongxingxin ownership is Li Guangyong, the ZTE vice president in charge of replacing the board members, and Hou Weigui, the founder of ZTE, who left in 2016 during ZTE's last selling-banned-technology-to-Iran-and-North-Korea scandal.

""The continuing influence of key personnel and Chinese state actors in ZTE’s affairs adds ammunition to critics of the deal," the Journal wrote.

3. Russia gearing up to introduce two cyber resolutions to the U.N.

Russia will introduce two cybersecurity resolutions at the U.N. in September, according to Russian newspaper Kommersant.

Why it matters: Both resolutions ultimately aim to do the same thing — give independent states permission to take more control over their domestic internet. That's a power the West has long been concerned that authoritarian states already abuse.

The two resolutions include an updated version of a governance resolution Russia has tried several times to get passed and a modernized cybercrime initiative.

  • The governance resolution is a general agreement saying states should have broad authority to restrict actions — including free speech — on their segments of the internet. This will almost definitely not pass, though Russia and China have worked to build a coalition to back it.
  • The cybercrime resolution would update a nearly two-decade-old pact on how countries cooperate to fight crime online. While the U.S., the EU, Japan, Israel and Australia are onboard with the old Budapest convention, Russia has not signed — it objects to rules allowing foreign governments to conduct certain anti-crime.operations in its networks without permission. Russia's new offering would update the crimes covered by the bill, but tighten the rules on digital borders for law enforcement.

4. Election hacks? Let us count the ways

Illustration: Lazaro Gamio/Axios

There's still a lot of confusion about elections cybersecurity around the internet. Luckily, Axios' Shannon Vavra has created an Axios primer on election hacking, what can and can't be done.

"Saying 'the election system was hacked' is misleading, and that’s how a lot of people refer to what happened in 2016," Shannon says.

Why the story matters: If you're reading Codebook, you might be pretty well versed in election security. But it takes only a perfunctory look around Twitter to see the issue isn't going away.

5. USB fans given out at U.S. -North Korea summit were entirely safe

It is with profound disappointment that Codebook reports the USB fans given to reporters during the U.S.-North Korea summit did not contain malware.

Anything with a USB dongle can be used to sneak malware onto a victims computer, and while the USB fans given to reporters at the Singapore meet would have been a comically obvious attack, sometimes comedy is all we have.

Why it matters: What good is a USB fan that doesn’t have malware on it?

6. Odds and ends

  • The Trump administration will block China Mobile from entering the U.S. market. (Reuters)
  • Homeland Security subpoenaed Twitter to find out who leaked documents to the press. (ZDNet)
  • A coding error meant 150,000 U.K. citizens had data used in medical research against their consent. (BBC)
  • If someone you don't know tells you to type a system command you don't know into your computer, don't do it. Even if you want to mine cryptocurrency. (BleepingComputer)
  • Codebook chooses to believe in this scientifically-improbable handheld laser gun announced by China. Pew! Pew! (C4ISRNET)

Codebook will return a week from today.