July 18, 2019
A Russian government-backed hacking operation known as Turla now names two of its code modules "TrumpTower" and "RocketMan." (CyberScoop)
Welcome to Codebook!
Today's Smart Brevity: 1,120 words, ~4 minute read
1 big thing: The path to free campaign cybers
It just got easier for cybersecurity toolmakers to offer campaigns help — but only by a little.
The big picture: Cybersecurity firms have flocked to provide free services to state election authorities, and some want to help protect political campaigns, too. But those efforts have been in legal limbo thanks to the complexities of election finance law.
Driving the news: The Federal Election Commission issued its final of a series of clarifying decisions last week: Firms may offer political campaigns the same discounts they offer other customers, but only nonprofits can provide campaigns with free services or deals special to the campaigns.
Why it matters: Though much of the political focus has moved to voting machines, that wasn’t what Russia hacked in 2016. Rather, it targeted campaigns and political groups — and getting their defenses correct in 2020 is critical.
Details: The FEC had been weighing whether Area 1, a phishing security company, and Defending Digital Campaigns, an election security nonprofit, could offer free services to campaigns.
- Last week, the FEC decided that Area 1 could offer the same discounts to campaigns it offers to everyone.
- In May, the FEC said Defending Digital Campaigns (DDC), as a non-profit, could offer free services.
- Companies that want to cut prices for campaigns still generally can’t.
The intrigue: Several firms already offer free services to state election groups — including Microsoft, Cloudflare, Google and Synack — and it’s easy to think democracy would be better served if campaigns could get security tools for free, too.
- But the way campaign finance laws are written, this would open the door for analogous groups to argue they too should be able to offer free services.
- Smith & Wesson, for instance, could start offering free physical security.
- The FEC’s position is that any kind of carve-out from regulations for a specific industry like cybersecurity is a matter for Congress to decide.
Area 1's case was unique, because both the FEC and Area 1 agree that offering the same pricing to campaigns as to everyone else is explicitly legal. But Area 1's unusual pricing scheme made campaign lawyers nervous, Area 1 CEO Oren Falkowitz told Codebook.
- Some campaign security advocates had hoped that a broader Area 1 decision would allow companies to offer campaigns special discounts.
Agari, which provides a different type of email security than Area 1, has adjusted its plans to offer its wares to campaigns for free. It will now offer free services via nonprofits like DDC.
- Agari chief marketing officer Armen Najarian believes the restrictions in the FEC ruling will actually benefit both campaigns and companies.
- The deluge of free services in 2016 posed a problem for election officials who didn't have the industry savvy to know which products were snake oil and which were legit.
- That led many states to turn down useful freebies.
- As Najarian sees it, the FEC decision will inadvertently allow nonprofits to work as a kind of snake-oil filter.
2. Microsoft sees early warnings of election hacking
Microsoft has seen a key early indicator of looming attempts to hack candidates and election systems.
Context: In a blog post Wednesday, the software giant said it regularly observes a spike in attempts to hack think tanks and nongovernmental groups (NGOs) that work with U.S. and European candidates before hackers attempt to go after the candidates and election systems. And, they say, they've seen that start to play out in advance of 2020.
Background: Here's the pattern, per the blog post: "We saw such attacks in the U.S. presidential election in 2016 and in the last French presidential election. In 2018 we announced attacks targeting, among others, leading U.S. senatorial candidates and think tanks associated with key issues at the time. Earlier this year we saw attacks targeting democracy-focused NGOs in Europe close to European elections."
Between the lines: Not all hacking is about interfering in elections — NGOs and think tanks provide insight about what a candidate will do in office. But this is one sign that nations have taken an interest in the election.
3. FaceApp is dumb, but not because of privacy concerns
A viral app that ages people's faces is not actually uploading all of a user's stored photos to some mysterious server, the guy who started that rumor admits. It appears to be a legitimate case of a wrong conclusion being drawn from various data points.
What actually happened: FaceApp requires users to grant permission to access photos, take pictures and upload them to a server — where image processing converts what you look like now into a prediction of what you'll look like as you face the inevitability of human mortality (Fun!).
- The app was designed by Russians, which people read way too much into.
- It only uploads the photo it needs to age.
The scarefest worked its way to D.C. insiders, when the Democratic Party told candidates not to use the app and Sen. Chuck Schumer (D-N.Y.) asked the FBI and FTC to investigate the whimsical reminder that all things must decay.
The bottom line: FaceApp is no more a risk than any other app on your phone. But no less a risk, either.
4. In case you missed last week
Sprint customers' accounts breached (ZDNet): Sprint issued letters to impacted customers after hackers exploited a security flaw on Samsung's "add-a-line" website.
- The hackers netted personal information on certain customers, including contact information, phone numbers and PINs.
- It's unknown how many customers were affected.
Former Justice Stevens passed away (Axios): John Paul Stevens was 99. Stevens earned a Bronze Star for his work as a cryptographer during World War II, and he wrote an oft-cited 1995 opinion promoting the right to anonymity.
Fernando "Corby" Corbató, too (TNW): There's a dispute over who first invented the password, but Corbató, an influential MIT professor, had a legitimate claim. Corbató was 93.
Medical biller breach affects 2.2 million more (TechCrunch): A previously announced breach at a defunct medical collections group affected even more people than previously known.
- AMCA went bankrupt after Quest Diagnostics and LabCorp each announced the biller had been hacked, with millions of records stolen.
- Now Clinical Pathology Laboratories has begun notifying patients that they, too, may be affected.
5. Odds and ends
- Just under a million systems are still vulnerable to BlueKeep, a dangerous Windows vulnerability Microsoft begged users to patch. (BitSight)
- Business email compromise scams now account for $300 million in losses a month. (FinCEN)
- A bipartisan horde of senators led by Tom Cotton (R-Ark.) introduced legislation to codify President Trump's recent actions against Huawei. (Sen. Cotton)
- BitPaymer ransomware learns some new tricks. (Morphisec)
- The ACLU and Electronic Frontier Foundation head to court today over laptop searches at airports. (EFF)
- Bulgaria and the Netherlands made big cybersecurity arrests. (Reuters, Netherlands' Openbaar Ministerie)
- The StrongPity group is only as sophisticated as it needs to be. (AT&T Alien Labs)
- 1,400 mayors agree to never pay ransomware demands. (U.S. Conference of Mayors)
- A JetBlue bomb scare was really just a jerk sending passengers photos of bombs. (Threatpost)
Codebook will be back next week, unless something goes horribly wrong.