May 30, 2019

Axios Codebook

Welcome to Freedom Codebook, the cybersecurity newsletter of liberty that isn't quite sure what the Department of Energy was going for, but is totally willing to play ball.

Tune in: "Axios on HBO” Season 2 will feature exclusive interviews with Sundar Pichai, Jared Kushner, Lisa Monaco, Janet Napolitano, Leon Panetta and more. Tune in Sunday 6 pm ET/PT.

Smart Brevity count: 1,472 words/<6 min. read

1 big thing: NSA's rogue hacking tool sparks debate

Illustration: Sarah Grillo/Axios

Security experts are drawing differing lessons from the latest report of the alleged use of secret NSA hacking tools by a criminal group. Some argue the NSA needs more oversight, while others say that organizations need to be more vigilant about updating the systems the NSA tools target.

The big picture: These two remedies aren't mutually exclusive. But neither is easy to achieve. 

Driving the news: The debate flared after the New York Times reported that attackers responsible for Baltimore's recent ransomware incident used a program believed to be created by the NSA.

  • The same program was at the center of WannaCry, a landmark global malware disaster in 2017.
  • All it takes to stop that program's line of attack is to update Windows.

Background: The NSA code, known as EternalBlue, leaked in 2017 as part of a year-long dump of agency files online by a cryptic hacker group called the Shadow Brokers.

  • EternalBlue can be used to turn Windows malware into worms — malicious code that spreads by itself from machine to machine.
  • By the time of the WannaCry outbreak, Microsoft had already released a patch that protects Windows systems from EternalBlue.

Between the lines: Whether the NSA needs more oversight in developing tools has no bearing on whether people should patch, and vice versa. And fully achieving either solution alone might not be possible.

  • While there are a ton of bad reasons organizations delay patching systems, there are good reasons, too. Installing untested updates can create chaos for niche software and hardware.
  • And there's already more oversight in place for agencies than most people realize.

Details: The executive branch does have an oversight structure in place, known as the vulnerabilities equities process. Any time agencies want to keep a vulnerability they discover secret so it can be used for surveillance, they have to make their case in front of a special interagency panel.

  • "The VEP is meant to be a risk minimizing process, but that doesn't mean there is no risk," said Michael Daniel, current president and CEO of the Cyber Threat Alliance and the former cybersecurity coordinator at the Obama White House when the VEP was created.
  • The process takes into account the possibility that a vulnerability might be leaked, stolen or discovered, but that will always be a risk, since there's always a chance a target will intercept a tool.
  • Nonetheless, Daniel argues, most Americans wouldn't want to place severe limits on the use of such tools that the intelligence community couldn't do its job.

Where it stands: After WannaCry, it's likely that the VEP has already adopted a stricter approach toward approving "wormable" tools.

  • We know from WannaCry and subsequent attacks that organizations are slow to apply patches. That's a consideration in the process.
  • When the Trump administration posted the criteria for the VEP in 2017, one of them read: "Will enough [U.S. systems] actually install [a] patch to offset the harm to security caused by [adversaries using a] vulnerability?"
  • Daniel notes that even pre-WannaCry, wormable tools don't mesh well with the U.S. intelligence philosophy. Security researchers outside the government often comment on the relative restraint observed by modern U.S. government-built malware to avoid hitting unintended targets.

The bottom line: Ultimately, there may be less room to build out oversight than critics hope and a ceiling to how much applying updates can improve security.

2. Mueller's message: Don't forget about Russia

Mueller walks away from the podium after making a statement about the Russia investigation, May 29. Photo: Chip Somodevilla/Getty Images

Special prosecutor Robert Mueller closed his statement yesterday — his first and only public remarks about his conclusions in the Russia investigation — with a plea for the public to remember how we got into this mess. Meanwhile, President Trump argued that the Russia narrative doesn't matter as long as he didn't participate in the swindle.

What they're saying: "I will close by reiterating the central allegation of our indictments — that there were multiple, systematic efforts to interfere in our election," said Mueller. "That allegation deserves the attention of every American."

  • Trump tweeted today: "Russia, Russia, Russia! That’s all you heard at the beginning of this Witch Hunt Hoax...And now Russia has disappeared because I had nothing to do with Russia helping me to get elected."
  • Shortly after the tweet, he clarified to reporters that Russia didn't help him get elected.

The big picture: Mueller's saying we need to focus on two things instead of one — and we've only done a good job of focusing on one.

Why it matters: Placing Trump at the center of the controversy has allowed Russia to escape punishment commensurate with the crime, while stalling Congress from passing comprehensive election security measures with enough time to institute them before the 2020 election.

  • There's no question that it's important for Americans to be confident that their president, who the Mueller report describes as enthusiastic about receiving Russian assistance in the 2016 election, did not have a quid pro quo in place before forcing a reversal in the United States' Russia policy.
  • But while social media networks, agencies like Homeland Security and the Election Assistance Commission, and even many states have made strides in strengthening defenses, the public has been largely absent from that process.

The bottom line: It's easy to get angry about a physical attack against America. Sometimes patriotism also calls for getting angry at a less tangible attack on the American idea.

3. Report: Twitter tries to prove it reduces white supremacy

Twitter is funding research into white supremacy on its platform, including whether or not dialogue on Twitter might actually be de-radicalizing white supremacists, according to Motherboard.

What they're saying: "[C]ounter-speech and conversation are a force for good, and they can act as a basis for de-radicalization, and we've seen that happen on other platforms, anecdotally," Vijaya Gadde, Twitter's head of trust and safety, legal and public policy, told Motherboard. "So one of the things we're working with academics on is some research here to confirm that this is the case."

Context: Social media is typically regarded as prime recruitment and radicalization ground for hate groups.

  • Twitter generally argues that free speech trumps nearly all other concerns.
  • The service did, however, previously ban Islamic State content from its site, rather than count on counter-speech and conversation to defuse the propaganda.
  • Critics and even some of the site's own employees accuse Twitter of dragging its feet on handling the white supremacist problem on the platform.

Details: The counter-speech research is, per Gadde in Motherboard, one of a few lines of research on white supremacy Twitter is funding, including looking at whether removing extremists from the site would be beneficial to users.

4. Exposed data rose by more than 50% in the past year

The amount of data exposed by online file storage and sharing protocols rose by 50% since 2018, according to Digital Shadows.

The big picture: Many of the largest events reported as data breaches aren't data breaches at all — they're instances where a security researcher notices that data in a cloud server or another file sharing protocol hasn't been secured when the company absolutely should have secured it. In those cases, the data is exposed to the internet for anyone who knows where to look.

Details: It's disheartening that the amount of exposed data still appears to be expanding.

  • This year, Digital Shadows clocked around 2.3 billion exposed files.
  • Certainly, not all of the new data was exposed by accident. People sometimes make data public on purpose.
  • However, protocols like SMB (Server Message Block) included in the study aren't generally intended to communicate outside a private network.

Notably, exposures of S3 buckets, data stored on Amazon's cloud service, dropped to a "nearly unrecognizable amount" since last year, down from 16 million to around 2,000.

5. In case you missed last week

First American exposure: A web design flaw in First American Financial Corporation's document transfer system left around 885 million files exposed on the web with no security. (Axios)

  • Independent reporter Brian Krebs, who broke the story, noted that the documents, which date back to 2003, include "bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images."

China threatens rare earth elements over Huawei: China threatened to cut off the U.S. from its supply of rare earth elements over the Huawei export bans, most recently with a veiled threat from a spokesman at the Chinese Commerce Ministry. (Reuters).

  • Rare earth elements are critical to green energy, electronic devices and battery manufacture.
  • Also: Engineering sciences group IEEE banned Huawei from peer reviewing papers. (Science)

Facebook deactivated Iranian disinformation accounts disguised as (among other things) U.S. Representatives' official accounts. (Axios)

Deepfakes are getting so good that it's hard to tell if that video of the Mona Lisa talking to you is authentic. (Vice)

6. Odds and ends

Codebook will be back next week.