Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

July 10, 2018

Welcome to Codebook, the cybersecurity newsletter that tries harder.

Situational awareness: AT&T announced plans to purchase AlienVault, a cybersecurity firm focused on small and mid-sized businesses.

1 big thing: Israel case spotlights cyberespionage tool dilemma

Pegasus, malware designed to spy on mobile devices, reignited a debate on militarized spyware. Photo: Jaap Arriens/NurPhoto via Getty.

Last week, Israel indicted an ex-employee of a military contractor for stealing the firm's cyberespionage product and trying to sell it on the black market. The incident highlighted a continuing debate over restraining the proliferation of privately sold surveillance tools: One prominent lab called for additional regulation, while another expert told Axios that regulations in this space have caused more problems than they have fixed.

Why it matters: The contractor, Israel's NSO Group, makes real-deal, take-over-your-cell-phone malware called Pegasus that it sells only to governments. Yet even the legitimate uses of Pegasus can veer toward the creepy: Mexico was caught spying on soda-tax activists, lawyers and journalists with the product last year.

Add illicit use from a black market buyer to this mix, and it's certainly tempting to try to curtail this kind of tool. Governments tried to do just that in 2013, but their poorly worded regulation ended up placing crippling sanctions on the legitimate international trade in cybersecurity tools.

The background: NSO isn't the only contractor working in the cyberespionage space. It has competitors, including Gamma International and Hacking Team.

  • These products get purchased by governments that lack programs to design their own digital spying tools, or by law enforcement agencies that need hacking tools but don't have access to their country's own wares.

What they're saying: "The concern about proliferation of spyware and exploit tech is not just about sales to paying customers, it's about the potential diversion and theft of the technology," John Scott-Railton, a senior researcher from the University of Toronto's Citizen Lab, told Motherboard.

  • Citizen Lab is a leading research group in uncovering government use of surveillance tools against inappropriate targets — dissidents, journalists and oppressed minorities. It discovered the Mexican government's use of Pegasus noted above.

Yes, but: In 2013, an international consortium of countries including the U.S. and EU, known as the Wassenaar Arrangement, restricted the sale of this kind of spyware for exactly this reason. But it made serious errors in defining what spyware was and inadvertently banned the global sale of key cybersecurity tools and research.

  • Katie Moussouris, CEO of Luta Security and a consultant on the State Department's ongoing negotiations to dig its way out of the Wassenaar debacle, is skeptical about adding more regulations on top of a shaky international system. "We're still not done undoing what's already been done," she said. "Let us finish that first."
  • Moussouris also noted that restricting the trade of these tools wouldn't have much effect on the NSO Group case, which stemmed from an insider threat at the contractor itself. A former employee selling the product illegally isn't likely to be deterred by international trading rules.

2. Two local Democratic campaigns face DDoS attacks

Cyberscoop's Chris Bing reports that two municipal-level Democratic candidates were hit by distributed denial of service attacks. Those attacks, usually abbreviated DDoS, flood servers with so much traffic that they collapse.

Why it matters: DDoS attacks are unsophisticated but deadly — the digital equivalent of bludgeoning with a hammer. They can be launched by anyone and are hard to trace. But there are services free to campaigns that mitigate DDoS attacks — meaning the attacks could be evidence that local campaigns aren't aware of the cyber defense tools available to them, or aren't aware they need them.

Supporting that theory: Cyberscoop reports that the campaigns did not keep server logs, a valuable tool in analyzing such attacks.
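Server logs matter here because a flood is visible in them before anything else. The following is an added example, not part of the newsletter or of Cyberscoop's reporting: it parses constructed web-server access-log lines in the common "combined" format and flags both a single source hammering the server and a minute in which many sources together exceed a normal request ceiling. The thresholds and sample addresses are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (not real campaign logs). Three patterns:
# one normal visitor (203.0.113.5), one noisy source (198.51.100.7) sending
# 30 requests in a minute, and 40 different addresses (192.0.2.x) that each
# send a single request within the same minute, i.e. a distributed flood.
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - [10/Jul/2018:09:00:02 +0000] "GET / HTTP/1.1" 200 512']
    + ['198.51.100.7 - - [10/Jul/2018:09:00:%02d +0000] "GET / HTTP/1.1" 200 512' % s
       for s in range(0, 60, 2)]
    + ['192.0.2.%d - - [10/Jul/2018:09:01:%02d +0000] "GET /donate HTTP/1.1" 503 0'
       % (i, i % 60) for i in range(1, 41)]
)

# source address, bracketed timestamp, quoted request line, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')


def parse_line(line):
    """Return (source_ip, minute_bucket, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.strftime("%Y-%m-%d %H:%M"), int(m.group(3))


def find_floods(log_text, per_source_limit=20, per_minute_limit=25):
    """Two signals from one pass over the log: a single source exceeding
    per_source_limit requests in a minute, and any minute whose total
    request count (from all sources) exceeds per_minute_limit."""
    per_source = Counter()   # (ip, minute) -> requests
    per_minute = Counter()   # minute -> requests from every source
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, minute, _status = parsed
        per_source[(ip, minute)] += 1
        per_minute[minute] += 1
    noisy_sources = {k: n for k, n in per_source.items() if n > per_source_limit}
    flood_minutes = {m: n for m, n in per_minute.items() if n > per_minute_limit}
    return noisy_sources, flood_minutes


if __name__ == "__main__":
    print(find_floods(SAMPLE_LOG))
```

The per-minute total catches the distributed case that a per-source rule alone misses; without retained logs, neither check is possible after the fact.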

Noted: Running for mayor now requires being smart about stuff like denial-of-service attacks.

3. Justice Department walks back its confusing OPM breach claim

The Department of Justice said its June 18 press release, which implied that a Maryland woman somehow accessed data from the 2015 Office of Personnel Management breach, was a "regrettabl[e] ... premature conclusion." The statement came in a reply to an email inquiry by Sen. Mark Warner (D-Va.).

"Because the victims in this case had other things in common in terms of employment and location, it is possible that their data came from another common source," the department said.

Why it matters: The U.S. publicly accused Chinese spies of the massive breach in 2015, and arrested a Chinese national for his involvement. But the June 18 press release made it sound like 39-year-old Maryland resident Karvia Cross somehow had access to that data when she fraudulently applied for loans in the names of several OPM victims. The two stories seem incompatible — Chinese espionage wouldn't normally result in an American committing fraud.

What the letter says: "A number of the victims of this scheme identified themselves to the Department of Justice as victims of the OPM data breach. However, at present, the investigation has not determined precisely how their identity information used in this case was obtained and whether it can, in fact, be sourced directly to the OPM data breach."

What's new here: The DOJ had already tried to clean up the mess by removing all reference to OPM from an updated press release, but it had not suggested that Cross obtained the same information by other means, such as employer or residential data drawn from different but overlapping lists.

Codebook mentioned this was a possibility last week.

4. Espionage group used stolen D-Link certificates

D-Link's stylish AC3200 router (Gavin Roberts/MacFormat Magazine via Getty Images).

The espionage group BlackTech used certificates from networking hardware firm D-Link to make its malware appear to be legitimate software, according to the security firm ESET.

Certificates? Certificates tell computers that a program comes from a trusted company. They are cryptographically secured, and the signing keys behind them are tightly guarded secrets.

BlackTech? BlackTech is a group targeting East Asia.

ESET notified D-Link, which revoked the certificates last week.

5. Odds and ends

Codebook will return on Thursday.