A master lock with ones and zeroes instead of the regular numbers.
Oct 25, 2018

Axios Codebook

Welcome to Codebook, Axios' cybersecurity newsletter. If you have a tip or story idea for the newsletter, just hit reply.

1 big thing: Poker, games could be North Korea's weak spot

North Korean soldiers attend a mass rally. Photo: Kim Won-Jin/AFP/Getty Images

Neither cozying up to Kim Jong-un nor charging an alleged North Korean agent involved in the disastrous WannaCry malware fiasco has stopped Pyongyang from orchestrating digital bank heists. The best bet for stopping North Korea's misbehavior might be to start with petty crime.

The big picture: North Korea relies on money from cyber crimes to compensate for sanctions. But they aren't all $81 million heists. "North Korean hackers spend most of the day doing low-level crime — cheating at online poker, cracking video games, committing low-level financial crime. That's where most of the money comes from," said Priscilla Moriuchi, director of strategic threat development at threat intelligence firm Recorded Future.

Recorded Future released a new overview of North Korean hacking and internet usage Thursday, including recent developments in online crime, like sham cryptocurrencies.

What they're saying: "Start thinking of North Korea as a mob family," said Moriuchi. As with the mob, the nation's day-to-day petty crimes provide a foundation for the bigger efforts, like the bank heists and cryptocurrency market looting.

  • "We know from defector interviews that North Koreans who operate outside the country need to earn a salary to stay abroad," said Moriuchi. Most of that salary is sent back to the regime. Cheating at poker is certainly one way to accomplish the goal.
  • Hackers often operate outside of North Korea because the country has such poor connectivity to the rest of the world.
  • One way to slow Pyongyang's more flashy crimes — one that developers outside the government could participate in — is to incorporate better security practices into video games or poker. "That technology already exists," said Moriuchi.

Details: One interesting note from the Recorded Future report is that the few elite households that have access to the external internet within North Korea are using it more for business and less for entertainment than they were only a short while ago.

  • The amount of streaming video, video games and entertainment content being accessed is down. But surfing using secure, virtual private networks during the work day is up.

That's intriguing for a number of reasons, not the least of which is the creation of potential targets for American cyber warriors.

  • Few countries have the same amount of infrastructure online as the United States. As such, we will always be easier to target with cyber warfare than Russia or China, who simply have less stuff to fire at.
  • But North Korea is particularly elusive in the cyber arena because for so long it has had so little in the way of online connections.
  • Most of North Korea uses an internal intranet.
  • "We can't say the online computers are, say, missile testing systems. But knowing that they are increasingly reliant on the internet realistically means more targets," said Moriuchi.

2. Report: Chinese, Russians listen to Trump calls

We've written before about President Trump's reported insistence on keeping his old cellphone, rather than exclusively using specially made secure ones. That news was first reported by Politico in May.

The other shoe dropped on Wednesday, when the New York Times reported that U.S. intelligence agencies are aware Russia and especially China snoop on personal calls made with his unsecured phone.

  • China is allegedly interested in better understanding how to sway Trump, either through recruiting influential friends or seeing how other people sway Trump's decisions.

Trump denies the story. On Twitter, natch.

The big picture: The fact that the president will not cave to national security requests as simple as using a secure phone probably offers as much insight into his decision-making process as anything he says on the phone.

3. Research thieves favor the University of Washington

Academic thieves using phishing websites target American universities more than those of any other country, with the University of Washington at the top of the list, according to Kaspersky Lab. Go Huskies!

The big picture: Stealing academic research and intellectual property via hacking is a very real problem, as 9 Iranians were indicted for such a scheme in March.

By the numbers: Kaspersky tracked attacks that used look-alike webmail portals to steal email credentials for 131 universities in 18 countries.

  • 11.6% of the attacks were targeted at UW — almost as much as the next 2 universities combined: Cornell (6.8%) and the University of Iowa (5.1%).

4. Have a security flaw? I hope you have 4 months

According to a new report by CA Veracode, a company that automatically scans for security flaws, 50% of the vulnerabilities they discover remain unpatched after 121 days.

Why it matters: Think of it as the computer security equivalent of the inspirational poster, "It's not how hard you fall, it's how fast you get back up." Flaws in computer code are inevitable, but companies need to have processes in place to fix them.

By the numbers: By Veracode’s stats, around 75% of known security vulnerabilities persist after 21 days; 25% persist after 472 days.

  • It gets a little better for higher severity bugs, which are fixed within roughly 95 days. That’s still 3 months.

Interestingly, the most “mission critical” apps appear to take longer to fix than many less critical ones.

  • It takes 108 days for half of "medium critical" applications to be fixed, 9 days longer for half of "highly critical" apps to be fixed, and 24 days longer for the most critical apps to be fixed.
  • That could be in part because it’s hazardous to tamper with the most critical software without the risk of disrupting business.

5. DOD adds $34 million to bug bounty program

Photo: Fernando Trabanco Fotografía/Getty Images

The three major crowd-sourced penetration testing companies — Bugcrowd, HackerOne and Synack — will split an expansion of the Department of Defense's "Hack the Pentagon" bug bounty program that could be worth up to $34 million.

Why it matters: Bug bounty programs offer incentives, like cash rewards, to third-party researchers to independently search for security flaws and report bugs to manufacturers and organizations so they can be fixed.

Details: The new effort represents a more than 7-fold increase in funding.

6. Odds and ends
  • Financial fraudsters Carbanak are Carban-back! (Palo Alto Networks)
  • Up to 9.4 million passenger records were leaked in a Cathay Pacific breach (Axios)
  • Congressmen call in the inspector general on DOD's cloud plans (FCW)
  • Facebook fined £500,000 over Cambridge Analytica (The Guardian)
  • Apple closed the security hole private security firms used to break into iPhones. (ZDNet)

Codebook will return Tuesday.