Feb 27, 2020

Axios Codebook


Welcome back to Codebook. This is the final edition of the newsletter I'll be hosting for you. It's been a great pleasure to bring you this coverage over the past several weeks.

  • Codebook will be back soon in an exciting new configuration! Till then, tune in to Axios.com for coverage of cybersecurity news and all things tech.

Situational awareness: A new season of “Axios on HBO” starts this Sunday at 6 pm ET/PT!

This week's Codebook is 1,321 words, a 5-minute read.

1 big thing: Fear of a hackable planet

Illustration: Aïda Amer/Axios

As the tech industry weaves its products into the fabric of the physical world, it's also extending the insecurities and dangers of digital systems in perilous new ways.

Why it matters: Just as we're finally getting used to the idea of protecting our online accounts and data, we have to start thinking about the vulnerability of the spaces and objects around us to small acts of trickery and sabotage that mess with computers' heads.

In the most dramatic recent demonstration of this technique, artist Simon Weckert "created" a faux traffic jam on Google Maps by filling a little red toy cart with 99 smartphones running the Maps app and rolling it down the sidewalk past Google's Berlin office.

  • Maps read the incoming signals to mean there were a lot of cars stuck on that street and marked it red.
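To make the mechanism concrete, here is an added example that is not part of the newsletter and not Google's code: a toy crowdsourced congestion estimator that, like the real service, trusts every phone's speed report, beside a version that refuses to colour a segment until its reporters look like independent vehicles. The report fields, thresholds and the two sample sets (99 co-located "wagon" phones on segment A, eight separately moving cars on segment B) are constructed for illustration; the plausibility check is a generic Sybil-resistance heuristic, not anything the page says Google uses.

```python
"""Constructed example: crowdsourced congestion from phone pings, naive vs. checked.

Every device id, coordinate and threshold below is made up for illustration.
"""
import math
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Report:
    """One telemetry ping from a phone running a maps app (constructed schema)."""
    device_id: str
    segment: str      # road segment the ping was map-matched to
    speed_kmh: float
    lat: float
    lon: float


def colour_for(speed_kmh, free_flow_kmh):
    """Map a speed to a traffic colour relative to the segment's free-flow speed."""
    ratio = speed_kmh / free_flow_kmh
    if ratio < 0.25:
        return "red"
    if ratio < 0.6:
        return "orange"
    return "green"


def group_by_segment(reports):
    groups = {}
    for r in reports:
        groups.setdefault(r.segment, []).append(r)
    return groups


def naive_congestion(reports, free_flow_kmh=50.0):
    """Median reported speed per segment -> colour. Trusts every ping equally,
    so 99 phones crawling in one wagon look exactly like 99 stuck cars."""
    return {seg: colour_for(median(r.speed_kmh for r in rs), free_flow_kmh)
            for seg, rs in group_by_segment(reports).items()}


def spread_metres(reports):
    """Diagonal of the bounding box around the reporters' positions, in metres
    (equirectangular approximation; fine at street scale)."""
    lats = [r.lat for r in reports]
    lons = [r.lon for r in reports]
    dlat = (max(lats) - min(lats)) * 111_320.0
    dlon = (max(lons) - min(lons)) * 111_320.0 * math.cos(math.radians(median(lats)))
    return math.hypot(dlat, dlon)


def robust_congestion(reports, free_flow_kmh=50.0, min_reporters=5, min_spread_m=20.0):
    """Same estimator, but a segment is only coloured when its reporters look like
    independent vehicles: enough distinct devices AND positions spread over more
    than a car length or two. Otherwise the segment is left 'unknown' so the
    consumer can fall back to historical data instead of a spoofed reading."""
    out = {}
    for seg, rs in group_by_segment(reports).items():
        distinct = {r.device_id for r in rs}
        if len(distinct) < min_reporters or spread_metres(rs) < min_spread_m:
            out[seg] = "unknown"
            continue
        out[seg] = colour_for(median(r.speed_kmh for r in rs), free_flow_kmh)
    return out


# Constructed sample input: 99 phones in one hand cart on segment "A", all within
# about a metre of each other and moving at walking pace; 8 real cars on segment "B"
# spread over a few hundred metres at normal speed.
WAGON = [Report(f"phone{i:02d}", "A", 3.0 + (i % 3) * 0.5,
                52.5200 + i * 1e-7, 13.4050 + i * 1e-7) for i in range(99)]
TRAFFIC = [Report(f"car{i}", "B", 40.0 + i * 2.0,
                  52.5300 + i * 0.0004, 13.4100 + i * 0.0004) for i in range(8)]
SAMPLE = WAGON + TRAFFIC

if __name__ == "__main__":
    print("naive :", naive_congestion(SAMPLE))    # A is painted red by the wagon
    print("robust:", robust_congestion(SAMPLE))   # A is withheld as 'unknown'
```

The check is deliberately cheap: it does not try to decide whether any single phone is lying, only whether the population of reporters on a segment could plausibly be separate vehicles. A more determined attacker would spread the phones out, which is why real systems also weight reporters by history and cross-check against road sensors.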

The big picture: Cybersecurity experts have long been sounding an alarm over the industry's failure to build proper security into "internet of things" products. But physical-world hacks won't only happen through the digital lock-picking of internet-connected devices. They will also increasingly take the form of people tampering with the physical world in order to trick, defeat or bypass machines.

Recently, researchers at McAfee tricked a Tesla into accelerating by 50 mph by adding a small strip of black tape to a speed limit sign.

  • The tape, which lengthened the middle stroke of the "3", fooled the vehicle's camera into reading the speed limit as 85 instead of 35.
  • The flaw was in the third-party camera system used in 2016 Tesla models; Tesla has since switched to a different camera.

Clothing and makeup to defeat facial recognition tech and other surveillance systems may sound like a joke or a gimmick, but "adversarial fashion" is real.

  • Protesters are the early adopters. In Hong Kong last year they used masks and lasers to counter police face-recognition equipment.
  • As surveillance in public places increases, countermeasures will grow more popular — think of them as an incognito browser mode for the physical world.

We're beginning to turn surveillance technology on one another — with, for instance, parents and school systems wiring up kids in parole-style location trackers.

  • By putting this technology in the hands of youngsters and giving them an incentive to explore techniques for evading or defeating it, we're accelerating the process by which it will be redeployed in unpredictable ways.

Between the lines: Science fiction author William Gibson, who introduced the term "cyberspace" to the world back in 1981, defined it as "a consensual hallucination," an alternate reality composed of data "where the bank keeps your money."

  • Today, cyberspace and physical space intermingle, providing new opportunities for bad actors and new threats for the rest of us.
  • Gibson also famously wrote, "The street finds its own uses for things." Every new twist in surveillance is likely to inspire a new turn in countermeasures.

2. Huawei makes its case at RSA

Illustration: Aïda Amer/Axios

Two top Huawei U.S. executives are at the RSA event this week, hoping the crowd of security experts will be more receptive to the company's position than Washington has been, where the Chinese giant has met an increasingly hostile reception, Axios' Ina Fried reports.

The big picture: Huawei's business has been under all manner of attack from the U.S. government, from trade sanctions to criminal charges to efforts to persuade allies not to buy its gear.

What they're saying: Huawei argues that it is being unfairly targeted because it is a Chinese company.

  • "This country of origin issue is something that needs to be considered," says Huawei U.S. VP Tim Danks. "It’s one factor you should look at — it's not the only [one]."
  • The whole global supply chain is an issue, Huawei contends, noting that many of Huawei's non-Chinese competitors get their components and manufacturing from some of the same suppliers as Huawei.

Some of those suppliers are U.S. companies, Huawei notes.

  • The campaign against Huawei is "hurting Americans at this point more than it's hurting Huawei," Danks said.

Yes, but: U.S. officials and many in the security community have argued that there are specific concerns with Huawei beyond its nationality. The company faces criminal charges in the U.S. over trade secret theft and violation of U.S. sanctions.

Go deeper: The new tech cold war between China and U.S.

3. Report: NSA's phone-monitoring program produced minimal results

A National Security Agency surveillance program that collected logs of Americans' phone calls and text messages, ran for four years and cost $100 million yielded only one significant investigation, according to a newly declassified study reported by the New York Times Tuesday.

Context: From the 2003 "Total Information Awareness" program to the present, the post-9/11 U.S. law enforcement and intelligence communities have pursued one mass data-monitoring scheme after another in the name of tracking terrorists.

  • Edward Snowden revealed the existence of a gigantic NSA phone-record monitoring program in 2013.
  • In the wake of that controversy, Congress passed the USA Freedom Act in 2015, which ended bulk collection but authorized a narrower program in which the phone companies, not the NSA, hold the call records and the agency queries them.
  • That act will expire in March unless it's extended, as the Trump administration has urged.
  • The NSA shut down the phone-monitoring program last year, the Times reported, citing technical problems and meager results.

Be smart: These efforts involve needle-in-a-haystack sifting of massive amounts of everyday communication, making them fundamentally different from targeted, warrant-driven evidence gathering.

  • Civil libertarians have long argued that such programs pose unacceptable threats to individual privacy.
  • This new report simply suggests that they are ineffectual.

What to watch: An extension of the 2015 law sought by Attorney General William Barr and other Trump administration officials is in jeopardy thanks to bipartisan discontent with the FISA warrant process.

4. RSA roundup: Hacked baby monitors, vulnerable WiFi chips

The annual RSA conference in San Francisco is the cybersecurity industry's biggest conclave. But this year participation has been decidedly dampened by concern over the coronavirus epidemic, and several major companies decided to pull out of the event.

But there are still plenty of announcements! Here are a few of the most interesting:

  • A bug in Cypress and Broadcom WiFi chips used in billions of devices could allow some encrypted communications to be decoded, according to findings from Eset. After a Wi-Fi disassociation, affected chips encrypt any frames still buffered with an all-zero session key, so an attacker in radio range can read them; the flaw does not break WPA2 itself, and traffic protected at a higher layer (TLS, for instance) stays protected. (Ars Technica)
  • Researcher Patrick Wardle presented a case study of code reuse in malware by North Korea's Lazarus Group hackers, who built their Mac-targeting "loader" on code lifted from antivirus researchers at Cylance. (Wired)
  • Equifax, the credit-reporting giant that suffered one of the largest breaches of consumer data ever in 2017 (an attack the U.S. government recently attributed to hackers working for the Chinese military), is now presenting itself at RSA as a cybersecurity leader. (Protocol)

5. Data theft at face recognition firm Clearview AI

Controversial facial recognition startup Clearview AI told its customers that its complete list of clients was stolen in a data breach, The Daily Beast reported Wednesday. The clients include law enforcement agencies all over the country, Axios' Margaret Harding McGill reports.

Why it matters: An intruder gaining access to Clearview's client list will likely trigger alarm bells for both would-be customers and privacy advocates, who have already denounced the company following a New York Times report on Clearview scraping more than 3 billion images from websites like Facebook to build its database.

Details: The Daily Beast obtained a notice Clearview sent to customers reporting that an intruder gained access to its list of customers, the number of user accounts each had, and the number of searches each had conducted.

  • Clearview told The Daily Beast the vulnerability has been fixed and that law enforcement search histories were not revealed, nor were the company's servers compromised.
  • "This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses," Sen. Ed Markey (D-Mass.) said in a statement in response to the news report.

Go deeper: Clearview brings privacy concerns from facial recognition into focus


6. Odds and ends

  • HackerOne, the bug bounty platform, reported that its user base of 600,000 white-hat hackers earned $40 million last year. That's double the number of participants from the previous year, and the total is nearly as much as hackers had earned in the organization's entire history since 2012. (ZDNet)
  • In a vivid example of the damage ransomware attacks can cause to local jurisdictions, a Florida police department that lost data in such an attack had to drop cases against a half-dozen drug dealer suspects. (ZDNet)
  • Expect the Barr Justice Department to stop asking for tech companies to build encryption back doors and start pushing for legislation mandating them. (Washington Post)
  • The Open Cybersecurity Alliance has published the framework for a new language intended to allow better integration of competing security tools. (ZDNet)
  • Former Pentagon officials call for a new secretary-level position to run "influence operations" for DOD. (Defense One)
  • Flaws in the Bluetooth protocol leave medical devices vulnerable. (Wired)

Thanks for reading Codebook!