Apr 24, 2018

Axios Codebook


Welcome to Codebook! Please reply to this email with tips or Mother's Day gift ideas.

1 Big Thing: The rule-free world of officials' personal accounts

Illustration: Rebecca Zisser/Axios

Federal agencies have no security requirements for federal employees' personal social media accounts. That leaves the door open to mischief and mayhem should one of those accounts get hacked.

Why it matters: Officials and federal employees often blur the lines between personal and official-business accounts — as when the president announces policy from his personal Twitter account. If hackers took over the account of, say, a regulatory official, they could manipulate the stock market by tweeting regulatory changes. If they took over the account of the president, anything might go.

"Social media, especially the lack of a policy, has become a real national security threat," said James Forster, founder and CEO of ZeroFOX, a company specializing in social media security.

  • The effects could be geopolitical as well as financial. "We crossed a threshold. It was not common more than a year ago for world leaders to tweet at each other."
  • Tweets are different from TV statements: Forster notes that conflicts on social media escalate much faster than those on TV, as back-and-forth exchanges accelerate.

How to fix it: Forster advocates extending the social media policies governing official accounts to any personal account mentioning an individual's federal role. Those policies are not particularly complex. Typically, they involve two-factor authentication, good password hygiene and securing the email addresses tied to the account.

Why there's no policy: Tony Scott, formerly President Obama's federal CIO and currently senior data privacy and cybersecurity adviser at Squire Patton Boggs, told Axios the administration had weighed the problem but decided against acting.

  • "This is an important issue and was certainly discussed during my tenure in the last two years of the Obama administration," said Scott. "The consensus at that time was that regulating personal social media accounts for government officials was not advisable, and our main focus was on the official government accounts maintained by the various agencies and officials."

2. Latin America's retro cyber crime culture

Latin America has developed a unique, quirky hacker culture, according to Flashpoint analyst Liv Rowley, who presented on the topic at the recent RSA conference.

Why it matters: “Are we going to see the next WannaCry come out of Chile? Probably not,” Rowley told Axios. But the region is a laboratory for what the rest of the world's hacker culture could have been like with only a few tweaks to its starting conditions.

The details:

  • Latin American hackers are not as technically sophisticated in their craft as the rest of the world, but don’t need to be. “If you can just email someone a link to a phishing site, creating the next great ransomware would have to be an academic pursuit,” said Rowley.
  • But they make up for technical immaturity with other types of ingenuity, including Rube Goldberg-like schemes to steal ATM cards. (“I’m not sure if that even counts as hacking,” said Rowley.)
  • For example, hackers — let’s call them that — created a device that punched out the chips in bank cards inserted into an ATM. Card owners kept using them anyway, apparently oblivious to the potential danger of the holes punched in their cards.
  • Laws against hacking are weak in much of the region, and hackers are more trusting of their peers and less concerned with police monitoring their forums. When a major Spanish-language forum went offline, users were willing to sign up again for the site when it returned a few weeks later, where U.S., E.U. and Russian hackers would likely have assumed they faced a police trap.

How did the industry ignore a continent? Many of the biggest cybersecurity firms and most lucrative potential clients hail from the U.S., Eastern Europe, Russia and China. Meanwhile, Latin American criminals largely target Latin American victims.

3. U.S. mulling sanctions against Kaspersky Lab

Government officials are considering sanctions barring Kaspersky Lab from doing business in the U.S., CyberScoop reports.

Kaspersky's products have already been barred from federal systems as an alleged security risk, with reports the company's computer security software had been hijacked by Russian intelligence operatives to steal U.S. secrets. The company denies knowing involvement in any such scheme.

Why it matters: Barring Kaspersky Lab software from federal computers is one thing; barring the firm from doing business in the United States is significantly more onerous. Kaspersky's business in the United States declined after the reputational hit from the federal ban, but it still exists. The firm still employs American researchers in the U.S. and has an American headquarters in Massachusetts.

Go deeper with our full coverage.

4. Naval Academy sees five-fold increase in cyber majors

Almost 10% of first-year students at the Naval Academy are majoring in cyber operations, according to the AP. The 110 new students in the major represent a hefty rise from last year's 22.

Why it matters: Inside and outside the military, there is a constant shortage of information security skills and talent. The military can’t compete with the private sector on salary and relies on the kind of mission-motivated people who attend the Naval Academy.

5. Ukrainian ministry hit by ransomware, but not NotPetya

Ransomware took down the Ukrainian energy and coal ministry Tuesday morning, Reuters reports. But it looks like an isolated incident.

Why it matters: This looks like mundane, run-of-the-mill ransomware. Nonetheless, every time a major Ukrainian body gets hit by any form of cyber attack, the rest of the world recalls the massive attacks Russia is believed to have spearheaded in the past — resulting in two power outages since 2015 and devastating losses last year from NotPetya.

6. "Orangeworm" targets health care sector

Photo: Anton Vergun/TASS via Getty Images

Symantec is tracking what it believes to be a longstanding corporate espionage hacking effort against medical manufacturers.

The details: The choice of targets — all manufacturers of medical supplies or companies that served them — and the inconsistent quality of the hackers' work suggest that the campaign is not the work of an intelligence agency, according to Symantec. The cybersecurity firm detailed the campaign it has dubbed "Orangeworm" in a report released Monday.

"It's not often we come across this kind of campaign being used for corporate espionage," Vikram Thakur, Symantec technical director, told Axios. Typically, targeted attacks striking a low enough volume of victims are the work of government actors.

Think pharmaceuticals, not insurance: Thakur cautions that most people's first assumption about hackers targeting health care firms is wrong — they do not appear to be targeting accounts and personal information. Instead, they appear to be looking for manufacturing techniques and intellectual property.

The impact: In 2018, the group has already attacked at least a couple of dozen targets. Symantec tracked nearly 100 attacks since 2015.

Go deeper with our full coverage.

7. Odds and ends

  • President Trump is increasingly using his personal cell phone rather than his official one, raising some security questions and potential issues with presidential records laws. (CNN)
  • The Cambridge University academic who created Cambridge Analytica’s Facebook data-mining app is sorry about that. (Quartz)
  • Nintendo Switches might have an unpatchable security flaw. Exploiting it would require physical access to the device. (Ars Technica)
  • The Atlanta ransomware attack cost $2.6 million. (ZDNet)
  • Counterintelligence groups in 30 countries now track the movements of CIA agents using technology rather than people. (CNN)
  • Isabela Bagueros named the new director of the Tor Project. (Tor)

Codebook will return on Thursday.