Feb 5, 2019

Axios Codebook

Welcome to Codebook. Breaking: This year's State of the Union is Wisconsin.

1 big thing: Lives of the great hackers

Marcus J. Carey, CEO of Threatcare, realized there was no book collecting the wisdom of cybersecurity's most legendary names. So he self-published one. It's now Amazon's 3rd bestselling book on security and encryption.

The big picture: "Tribe of Hackers," co-edited with Jennifer Jin, collects the essay questionnaire responses of 70 big-name hackers and information security pros. For nearly all of them, it's the first time they've put their personalities out for public view alongside their professional skills.

The questions probe everything from security myths to greatest regrets to book recommendations. The interviewees mix their musings on the philosophy of cybersecurity with mentorship and security advice.

  • Neophytes can benefit from veterans' experience — be it in fighting impostor syndrome or catching more attackers by focusing on basic security hygiene than on the latest nation-state threat.
  • With this many experts differing on the field's big questions, there's also plenty to challenge even the most hardened worldview of long-time pros.

Background: The project (and title) takes inspiration from 2017's "Tribe of Mentors" by Timothy Ferriss, a compendium of pithy advice. (The genre stretches back to Jessica Livingston's 2001 "Founders at Work.")

  • "I’ve been doing cybersecurity for 20 years, and I've never seen something like this for us," Carey tells Codebook.
  • The book's roster includes Fortune 500 security pros, security firm founders, former federal and military team leaders, several internet personalities, and keynote regulars.

There's a lot of practical security knowledge in "Tribe of Hackers," but there's equally as much humanity in it.

  • "When you see one of the hackers on TV, it’s usually just someone saying 'Don’t do this,' and then they disappear," says Carey. "You don’t hear the personal struggle, like losing jobs or being a single mother. That’s what I really like about it."
  • Cloud security expert Ian Coldwater writes in the book: "I’ve lived my script out of order, had kids too young, dropped out of school, became homeless, went on welfare. When I was younger, I used to tell people I made a good cautionary tale. But I also think I’ve made a damn good tale of resilience."

Carey says one thing he learned was how much agreement there was on the question, "Do you need a college degree or certification to be a cybersecurity professional?"

  • The consensus answer is no. Even as help wanted ads ask for credentials, most security pros believe there are more informal ways to prove skill.
  • That may surprise people outside the industry. Practitioners are very frequently self- or military-trained; only recently have schools begun focusing on cybersecurity.

The book's proceeds will benefit four charities: Bunker Labs, Sickle Cell Disease Association of America, Rainforest Partnership and Start-Up! Kid’s Club.

Also: Many contributors answer the "which is the best hacker movie" question incorrectly. It's "Sneakers."

2. Exclusive: Scammers use Gmail's dots

Photo: Chesnot/Getty Images

An email scam outfit is taking advantage of Gmail's "dot" feature to streamline operations, according to email security firm Agari.

Gmail dots? Gmail allows users to add or subtract periods in their email addresses at will. If you own the right to someusername[@]gmail.com, you will receive emails sent to some.user.name[@]gmail.com and s.o.m.e.u.s.e.r.n.a.m.e[@]gmail.com.

  • That may seem like a minor feature, but the vast majority of email providers treat each of those as different accounts. That allows you to sign up for multiple accounts on most websites in each of those email addresses.

Here's where the crime comes in. BEC (business email compromise) scams run many operations in parallel. If they target a government agency offering grants or tax refunds, usually that means they have to use a different address for each instance of the scam.

  • "Using the dots feature is the difference between creating 20 accounts on a website or monitoring one inbox," said Crane Hassold, senior director of threat intelligence at Agari.

The criminal group discovered by Agari, according to the official writeup, used the Google dots approach to:

  • Apply for 48 credit cards at 4 "U.S.-based financial institutions," netting at least $65,000 in fraudulent credit.
  • Register for 14 trial accounts with sales leads sites, to use those leads in other scams.
  • Fake 13 tax returns with a tax filing service.
  • Submit 12 postal change of address requests.
  • Apply 11 times for fraudulent Social Security benefits.
  • Fake 9 identities for unemployment benefits in a "large US state."
  • Submit 3 applications for FEMA disaster assistance.

All of these attacks have taken place in 2018 or 2019.

"We're not calling Google out with this report," said Hassold.

  • Rather, he said, he thinks searching for multiple accounts under differently dotted Gmail accounts can be a useful security tool.
  • Agari has recommended the technique to several of its clients, who they say report it has been useful in finding fraudulent accounts.
3. Tibetan activists face government-led hacking campaign

Cisco's Talos labs reports that a likely government-sponsored hacking campaign has recently targeted the Central Tibetan Administration — the current, activist incarnation of the exiled 1951 government.

Why it matters: It always matters when dissident groups are targeted by a government. While Cisco is not attributing the attack to a specific government, China, which considers Tibet part of its territory, has been in conflict with the Tibetan exile movement for decades.

The intrigue: Malware used by the attackers is "too complex" for hackers not affiliated with a government to create without help, Craig Williams, Talos director of outreach, told Codebook.

  • Cisco has dubbed newly discovered malware in the campaign ExileRAT (RAT stands for "remote access trojan"). ExileRAT isn't the complicated malware — that comes later.

Details: The campaign spreads malware through phishing emails containing tainted PowerPoint presentations on China-Tibet relations.

  • Save for the malware, the PowerPoint document is the same as a file taken from the CTA website.
  • ExileRAT can upload and execute additional malware.

In investigating ExileRAT, Talos saw it uses the same infrastructure as a different, previously undiscovered, ongoing campaign using an updated version of the LuckyCat malware. LuckyCat is the complex one.

  • LuckyCat targets Android phones and has among other surveillance functions the ability to steal encrypted messages from Tencent's WeChat app.
  • An earlier version of LuckyCat was used against Tibetan activists in 2012.
4. 80% of federal agencies now use DMARC

80% of federal agencies now use DMARC to protect the public from fraudulent emails sent in their names, Valimail reported on Friday. All agencies, save for defense and intelligence ones, were required by Homeland Security to implement DMARC by October of last year.

Why it matters: 80% is actually a pretty substantial improvement from Valimail's last public statistic — when the deadline passed, only 57% of agencies met the DMARC requirement.

5. Odds and ends
  • Your Thursday must read: Bloomberg observes a Huawei sting operation from a gelato stand 100 feet away. (Bloomberg)
  • In an update to last week's news that Europol was targeting clients of a website-crashing service, British authorities plan action against 400 such clients. (BBC)
  • Two hacker groups are responsible for 60% of cryptocurrency exchange hacking, netting nearly $1 billion. (ZDNet).
  • Criminals are still exploiting a GoDaddy flaw. (Krebs)
  • "Japan has officially requested Mega Man to be the face of cyber crime prevention." (Destructoid)
  • Federal courts overturn FCC's revoking tribal broadband subsidies. (Ars Technica)
  • U.S. intelligence agencies held a classified workshop for state election officials. (Director of National Intelligence)

Codebook will return on Thursday.