Aug 7, 2018

Axios Codebook

Axios

Welcome to Codebook, written this week from the Black Hat and DEF CON conferences in Las Vegas.

Codebook is staying in a hotel that plays music on a 3-hour loop. In case you were wondering, that means everyone at the front desk hears "Africa" by Toto an average of 3 times a shift.

1 big thing: Black Hat turns focus to mental health

Illustration: Sarah Grillo/Axios

At this week's Black Hat cybersecurity conference, panels about hacking automobiles and airplane WiFi are being interspersed with a new focus: mental health.

Why it matters: Issues like anxiety and depression aren't new in the cybersecurity field, and stress is rampant: pros work long hours under enormous pressure to protect critical networks from ever-increasing threats. Black Hat's new focus on the people, not just the technology, may instigate broader industry changes.

The big picture: Black Hat has long had conference tracks like cryptography, forensics and incident response. This will mark the first year the "community" track joins that roster to provide a place to talk about less technical, more human issues.

Black Hat has a large industry presence, and shining a light on topics that tend to be discussed outside the corporate eye — things like suicide, stress load, mental illness and trauma — may force major employers in the field to think about those issues, too.

  • "Good conferences are a reflection of the community," said Black Hat General Manager Steve Wylie. "We have a responsibility to the community."

Mental illness and suicide: "In the past year I know several people in the community have taken their own lives," said Jay Radcliffe of Boston Scientific, who's well known for hacking devices. "With global staffing shortages in information security, we're seeing departments that should have 10 people work with 5. And that increases stress."

Stress: Two NSA researchers, Celeste Paul and Josiah Dykstra, will release data on the effect of stress on operator performance and how to combat it.

Post-tramatic stress disorder: Cybersecurity also draws a wide array of ex-military members, including Dragos Security's Joe Slowik, a Navy veteran who will talk about his experience with PTSD.

  • "The talk itself was a spur-of-the-moment reaction to an article on 'cybersecurity PTSD,' which the author was using to mean burnout from all of the breaches," he said. "Seeing terminology come up in a way that was almost flippant bothered me."

Sexual assault: Cybersecurity, like other industries, has faced a reckoning in recent years as victims of sexual assault and harassment have come forward.

  • Makenzie Peterson, coordinator for wellness programs at Hampshire College, will discuss how communities on the whole move forward after widespread allegations of sexual assault.

The bottom line: The community track is a chance to change the industry. "There’s such a talent shortage right now that companies may need to take advantage of community track to recruit employees," said Radcliffe.

Read the full story.

2. Also in Vegas: 8-year-olds will race to hack voting systems

At this year's DEF CON, the other top-tier cybersecurity conference in Las Vegas this week, children between 8 and 16 years old will race to hack state elections websites with voter registrations — or, at least, a fairly good replica thereof.

Why it matters: The testing systems replicate vulnerabilities used to hack the real websites across the country.

  • "Unfortunately, we're at a place where tampering with elections could be child's play," said Nico Sell, founder of DEF CON's "r00tz" children's program.

The intrigue: At last year's DEF CON, hackers given access to a variety of voting machines took less than five minutes to figure out how to hack them. State websites are obviously different but the recent vulnerabilities used by hackers are less complicated.

  • "We couldn't have the same competition for adults," said Sell, "because it would be way too easy."

R00tz — the adults behind it, not the kids — will be happy to help states looking to bulk up security.

  • DEF CON hosts an entire subconference devoted to election systems security.

What they're saying:

  • "We're hoping, as soon as they realize 8-year-old girls can hack the sites, states will begin to take more responsibility," said Sell.
  • "[The project got] a surprising amount of interest from the community to help kids learn the basics of hacking," said Rita Zolotova, policy director at the encrypted chat app Wickr and a r00tz staffer. Wickr also sponsors the event.
3. Underwriters Labs growing into new cyber role

The century-old consumer safety testing group Underwriters Laboratories is growing into its new role of evaluating cybersecurity.

Next year it plans to launch a physical seal of software security to go along with its physical security seal and a hardware security program, Ken Modeste, the firm's director of connected technologies, told Codebook.

The background: You may not immediately recognize the name Underwriters Laboratories, but you appreciate the work they do. The sticker on the bottom of your microwave or phone charger that says "UL" means the labs tested the device for safety problems. (If it doesn't have that sticker, maybe buy a fire extinguisher.)

  • "A few years ago at Black Hat, [Obama cybersecurity czar] Michael Daniel said we needed a cybersecurity Underwriters Laboratory," said Modeste. "And I thought, 'We're Underwriters Laboratory.'"

Vendors and consumers are still learning what to make of a UL cybersecurity certification. Currently, its certifications are all online (they'll get a sticker next year).

  • A lot of their work so far has been in developing standards to evaluate a cybersecurity program. It's as much about a continuous regimen of updating product security as new vulnerabilities are found as it is focusing on the initial security of the product.
  • "Vendors ask us, will certification make our products secure?" said Modeste. "No, it means you are meeting the standards that make products as secure as we can. It's like with automotive safety. We can't make a car 100% safe, but we can meet an industry standard of safety."
  • Vendors and consumers probably won't immediately understand the nuances of the seal at first, but will grow into it over time. "It took the nutritional labels decades before most people understood what 5 grams of sodium meant"
4. Report: Russia linked to FCC net neutrality commenting bots

Intelligence firm GroupSense explained in a report released yesterday how a network of at least 9.5 million email addresses — which appear to come from high profile data breaches — was used both by Russia for its social media campaign and to send the FCC comments both supporting and opposing net neutrality.

"We're still checking against breaches we hadn’t done before. The number will go up," said GroupSense CEO Kurtis Minder.

Why it matters: If Russia is involved with muddling the debate around net neutrality, it marks the first known instance of Russia manipulating the policy process to create chaos.

The background: GroupSense collects data on breaches and has obtained billions of records. So, after the indictment went public, GroupSense looked to see if the the email addresses mentioned in the indictment were in their databases.

  • They found a match. Moreover, they found that nearly a million accounts used the same password scheme — the word "shark" plus four to six digits, nearly all coming from "shark plus four." Other words, like "chair," also had significant traffic.
  • GroupSense contacted a variety of victims, only to find that the email addresses had the username changed — the address and the name associated with the accounts were real, but the names didn't belong to people whose addresses were being used.
  • They found the email addresses were being used in a variety of different campaigns for different purposes. But many were used in Russian troll-type operations.
  • 9.5 million accounts are far more than Russian intelligence could need to prepare. Minder speculates that the addresses came from a vendor of ready-to-use stolen emails, and the shark1234-type passwords were the default passwords set up by that vendor.

Several accounts were used to post comments to the FCC site during the contentious net neutrality debate nearly. The posts were identical to a handful of templates, often coming multiple times a second. The bots backed both sides of the debate.

It could be Russia or another client behind the FCC bots, if it is indeed a criminal market selling these email addresses.

But Minder notes, "Who else would purchase these addresses?"

5. WV allowing voting via a smartphone app

Photo: Joe Sohm/Visions of America/UIG via Getty Images

West Virginia announced it would allow overseas troops to vote via a smartphone app.

Why it matters: This would be a first of its kind program in the U.S. and not for particularly flattering reasons. Security experts overwhelmingly agree that online voting makes it far easier for hackers to tamper with votes.

6. Odds and ends
Axios

Codebook will return Thursday.