February 07, 2019

Welcome to Codebook, the cybersecurity newsletter heavily invested in new sandwich research.

1 big thing: EU privacy rules hobble online sleuthing

Photo: Martin Konopka/EyeEm/Getty Images

Cybersecurity stakeholders are pushing U.S. lawmakers to rescue WHOIS, a tool for identifying internet domain ownership that's been hamstrung by the European Union's privacy regulations.

Why it matters: WHOIS has been a public address book for domain owners since the earliest days of the internet. A bevy of online investigators — from law enforcement authorities to human rights groups to cybersecurity researchers — have long relied on its data. But the EU's General Data Protection Regulation (GDPR) deems the information in WHOIS to be too personal to share without a thorough consent agreement.

GDPR, which turns 1 in May, applies to any company doing business with Europe. Many registrars, the authorities who dole out domains (names like "axios.com"), have responded by simply not providing data to WHOIS.

This is a feature, not a bug. Before GDPR took effect, ICANN, the governing body for internet domain names, and several researchers told the EU that this was going to be a problem. But EU legislators chose not to fix it.

  • "When investigators interacted with the EU, the EU took the position, ‘Our job is to make the law, your job is to interpret it,'" said Tim Chen, CEO of DomainTools, a cybersecurity firm originally known for simplifying access to tools like WHOIS.

The impact: Online investigators use WHOIS information for more than just contacting a website's owner.

  • Cross-referencing WHOIS data is a good way to find broader criminal activity and prevent attacks. The emails used to register one site used in a phishing campaign can be used to find other sites run by the same party.
  • The same technique can be used to find sites co-owned by someone hosting terrorist propaganda or a website used to control or distribute malware.

But it's not just cybercrime. CINTOC (the Center on Illicit Networks and Transnational Organized Crime) is a charitable group that uses WHOIS to fight organized crime in vulnerable populations, including human trafficking and natural resource and wildlife crimes.

  • "Criminals have web presences. I can use that information to go to a criminal's bank and get financial details," said Kathleen Miles, CINTOC director of analysis. "But when GDPR went through, we lost that connection. We lost it in Africa. We lost it in Europe. We lost it in a lot of the United States as well."

Because the EU is the only jurisdiction with a law that applies to WHOIS, Chen fears ICANN, which is currently updating its WHOIS guidelines, will have nothing to counterbalance GDPR's strictures.

The answer, according to a coalition that includes DomainTools, CINTOC and others, is for the U.S. to pass its own law requiring that websites designed to interact with U.S. citizens participate in WHOIS.

  • That group, called the Coalition for a Secure and Transparent Internet (CSTI), is currently meeting with lawmakers on Capitol Hill about their ideas and is drafting model legislation.
  • CSTI also includes trade associations that protect commercial interests, like legitimate online pharmacies who need WHOIS to thwart phony competitors, and the MPAA and RIAA, entertainment industry groups that use WHOIS as a tool against piracy sites.

By the numbers: A survey conducted by two cybersecurity industry groups showed 80% of investigators who used WHOIS before GDPR began were unable to find an equally useful replacement.

  • "We knew it was going to be a problem," said Chen. "Now we have data to show we were right."

The bottom line: Regulating privacy is a complex balancing act. In this case, an important piece of internet infrastructure has become collateral damage to the GDPR, and eyes are on the U.S. for a fix.

Editor's note: An earlier version of this article incorrectly reported a quotation by Tim Chen of DomainTools about the EU's stance toward investigators.

2. Cisco calls for U.S. privacy regulations

Cisco is calling for a different kind of privacy regulation debate in the U.S.

The big picture: Other companies have called for privacy regulations before — Facebook and Apple come to mind. But the debate has focused in no small part on Facebook and Google-style business models involving data brokerages and ads. Cisco's new call is largely concerned with everything else.

What they're saying: "We’ve been discussing ads for 20 years. It’s an important problem, and I don’t dismiss it," Michelle Dennedy, Cisco vice president and chief privacy officer, told Codebook. "But it’s very different than a comprehensive plan. We can’t be just concerned with the revenue of 2 companies."

Cisco is asking, in part, to better understand how to engineer its own products, which are more business-focused than consumer-oriented, to abide by local and global privacy regimes.

  • Privacy laws are regionally inconsistent — both by state and by country — and siloed in the U.S. between different industries. The technical requirements to protect health care data in one state could contradict the requirements for "internet of things" information in another, even though a wireless pacemaker is both and needs to be operable in both states.
  • Cisco's concerns, said Dennedy, are closer to the infrastructural aspects of the internet, whereas the Big Tech companies tend to be concerned with web services that ride on top of that infrastructure.

The U.S. has never been great about unifying data privacy laws (see the struggles with a national breach notification standard), but Dennedy thinks this is a chance to do something big.

  • "I’ve been in privacy for over 20 years now," she said. "You can’t do my job without optimism."

3. Germany orders Facebook not to merge messaging data

The Bundeskartellamt (Germany's antitrust office) has ordered Facebook not to combine data collected through WhatsApp and Instagram with Facebook accounts.

Germany said Facebook needs to get users' explicit consent before combining the data in those accounts. Axios' David McCabe has more here.

What's interesting is that combining data, something that Europe has frequently ruled verboten for privacy reasons, is now being viewed as an antitrust violation.

4. Alleged Chinese spies hit a Norwegian business services firm

A prolific espionage group, which the U.S. government believes is Chinese, compromised billion-dollar business service provider Visma in August and September 2018, according to a Wednesday report by the threat intelligence firm Recorded Future.

Why it matters: Visma, located in Norway, has more than 850,000 customers. The Recorded Future report, produced in part with data garnered by industry partner Rapid7, also details intrusions into the networks of an unnamed U.S. law firm and unnamed apparel company.

Read more context about the hack here.

Meanwhile, On Wednesday, DHS independently offered a webinar about the group believed to be involved in that attack for industries that may be its future victims.

5. What's happening with Huawei

The English Session Orchestra perform the reveal of Huawei, Unfinished Symphony at Cadogan Hall, Feb. 4, 2019. Photo: David M. Benett/Dave Benett/Getty Images for Huawei UK

There were many new twists Wednesday for Huawei, the beleaguered Chinese telecom manufacturer accused of involvement in Chinese espionage and violating sanctions against Iran, and a sudden flashpoint in the U.S./China trade war.

  • It will take 3–5 years for Huawei to address security concerns raised by the United Kingdom, according to a letter to lawmakers leaked to Reuters.
  • Germany is mulling if and how it should welcome Huawei into its 5G network. The U.S., Australia and others have already barred the company's 5G equipment over security concerns. Italy denied reports it would ban Chinese firms from its 5G infrastructure.
  • Meanwhile, lawmakers mulled restoring sanctions against ZTE if it again violates U.S. rules. ZTE faces many of the same issues as Huawei.

6. Most people aren't as good at security as they think

According to a Google-sponsored poll conducted by Harris and released Tuesday, 69% percent of people believe that they deserve an "A" or a "B" grade for security practices.

Why it matters: Those are particularly nice grades for users who also say they are failing at basic security practices.

  • 65% of users reuse passwords on some or all accounts.
  • While 79% believe updating software is important (they are right), 33% don't update or don't know if they update software regularly.
  • 31% of users did not use two-factor identification or did not know if they used two-factor identification.

We at Codebook are not typically fans of surveys — most of those concerning security are methodologically weak and ask people questions they won't know the answer to, like "have you been breached?" — but this poll is uniquely interesting.

  • If 33% of the survey group don't update software or 65% reuse passwords, mathematically, 69% can't deserve an A or B grade.
  • And while it's possible that the exact 31% who don't give themselves an A or B grade are the ones not using two-factor identification, we're guessing there's some misguided overlap.

7. Odds and ends

Codebook will return Tuesday.