Welcome to Codebook, the only cybersecurity newsletter celebrating Wednesday's NotPetya anniversary in a bunker.
Tips? Please reply to this email address.
Last week, Chinese telecom manufacturer ZTE paid $1 billion to the Commerce Department to settle charges it sold banned technology to Iran and North Korea. Until the Trump administration intervened, that penalty was way tougher: a ban on the company's access to U.S. tech exports that would likely drive ZTE out of business. The Senate has voted to restore the original punishment, using an amendment to a must-pass defense appropriations bill.
What happens if that bill makes it into law is anyone's guess — from what ZTE's next steps are to how exactly the government might return that billion dollars.
"The nitty gritty of this is hard to imagine because nothing like this has happened before," said Brian Fleming, a lawyer for Miller & Chevalier specializing on trade-based regulatory issues and former counsel at the Department of Justice.
ZTE has legal options: Paying the fine does not take the original penalty off the table — geopolitics does not have a "no backsies" rule. There are, however, some constitutional issues that may work in ZTE's favor.
Would Trump veto the NDAA? The National Defense Authorization Act, the defense bill the Senate used to restore ZTE's penalties, is the yearly budget and priorities package for the military. It hardly ever gets vetoed; American leaders don't try to sabotage the military budget. But Trump has shown a penchant for brinksmanship.
Why it matters: No matter what, said Fleming, the United States has done considerable harm to its bargaining power: "Reversing the White House deal could be a big credibility problem. But the White House deal has already done that" — it reversed things first.
Meanwhile, although there's no telling whether the ZTE deal rollback will survive the legislative process (the Senate's version of the NDAA has to be reconciled with the House's), the Senate is gearing up for a showdown.
"How exactly does helping save #ZTE give us leverage in broader negotiations with China? Giving in to their demands doesn’t create leverage, it emboldens them to see us as bluffers," tweeted Sen. Marco Rubio (R-Fla.) last week.
Did you notice which letter in the headline is actually a Russian character? It's the "В." If you didn't notice, there's a chance you would also have clicked a phishing link to ВankofAxios.com. (Don't worry. There is no such bank.)
So-called homographic characters — letters that look the same to the eye but are read differently by machines — are a known problem in phishing attacks. A new study from Farsight Security quantifies the problem.
The details: Farsight looked at 466 of the top 500 websites. It found 8,000 unique, reachable domains that used such character substitution to masquerade as better-known brands' websites.
The problem: The problem is that this shouldn't be a problem. ICANN, which governs which companies can sell domains, contractually bans those companies from selling domains that mix characters from two writing systems. But the organization doesn't enforce the rule.
Paul Vixie, founder of Farsight, said it may now be too late for ICANN to start.
Where does that leave us? Vixie suggests multiple layers of response. Just as Google runs a service sifting out websites that spew malware, someone could offer a service that sifts out websites confusable with common brand names. And security firms could better protect clients by filtering out likely problems as well.
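The mixed-script check behind the ICANN rule, plus a crude lookalike test against a brand watch-list, as an added Python example (not Farsight's tooling or the newsletter's own code); the confusables subset and the watch-list are small constructed samples, and ВankofAxios.com is the newsletter's fictional domain.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones (escapes make the
# Cyrillic code points unambiguous); the real Unicode confusables table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0412": "B",   # Cyrillic с х у В
}
BRANDS = {"bankofaxios"}          # constructed watch-list of brand labels to protect
PHISH = "\u0412ankofAxios.com"    # the newsletter's example: Cyrillic VE (U+0412) for "B"

def script_of(ch):
    """Script name taken from the Unicode character name, e.g. 'CYRILLIC CAPITAL LETTER VE'."""
    if not ch.isalpha():
        return None                      # digits and hyphens carry no script
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def analyze_label(label):
    """Scripts present in one DNS label, whether they are mixed, and the form a resolver sees."""
    scripts = {s for s in map(script_of, label) if s}
    try:
        wire_form = label.encode("idna").decode("ascii")   # xn-- punycode for non-ASCII labels
    except UnicodeError:
        wire_form = None                                   # not encodable: treat as suspicious
    return {"label": label, "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1, "wire_form": wire_form}

def mixed_script_labels(domain):
    """Labels that mix scripts, which registrars are contractually barred from selling."""
    return [f["label"] for f in map(analyze_label, domain.split(".")) if f["mixed_script"]]

def skeleton(label):
    """Map lookalikes to their Latin twins and lowercase: roughly what a reader's eye sees."""
    return "".join(CONFUSABLES.get(c, c) for c in label).lower()

def impersonated_brand(domain):
    """Watch-listed brand a non-identical label resembles after skeletonising, else None."""
    for label in domain.split("."):
        sk = skeleton(label)
        if sk in BRANDS and label.lower() != sk:
            return sk
    return None

if __name__ == "__main__":
    for d in ("bankofaxios.com", PHISH):
        print(d, analyze_label(d.split(".")[0]), mixed_script_labels(d), impersonated_brand(d))
```

The wire_form field shows what the machine actually reads: the Latin-only label stays as typed while the lookalike becomes an xn-- punycode label, which is the signal a brand-protection filter would act on.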
Tuesday morning, the Wi-Fi Alliance announced Wi-Fi Protected Access 3 (WPA3), the first update to the widely used wireless networking protocol since 2004.
WPA3 offers some meat and potatoes security enhancements (including increasing the key length for enterprise applications) and a nifty new way to connect devices without screens to a network — essentially using one connected device to authenticate another.
Why it matters: You may not know what WPA2 or WPA3 is, but you use it every time you connect in the office or a coffee shop.
Radware, a cybersecurity firm protecting one of Russia's largest telecommunications providers and others in the region, says that during the ongoing World Cup competition in that part of the world, it has seen a jump in distributed denial of service attacks (DDoS) — not only in frequency but also in sophistication. A denial of service attack floods targeted servers with so much traffic that they crash.
More sophistication: "We have been seeing more burst attacks in Russia, with attacks particularly targeting the travel and transportation sectors," said Yoav Gazelle, vice president for Europe, the Middle East, Caribbean and Latin America.
Mandiant, the firm that first detailed the Chinese hacking group called APT 1 (and later merged with FireEye), says it never hacked into Chinese computers while identifying the group. New York Times reporter David Sanger's new book, The Perfect Weapon, alleges it did.
Why it matters: Sanger is a good reporter and the people Codebook spoke to at FireEye seem to think, on the whole, the book is an important chronicle of cybersecurity history. But there's a live debate in Washington today over whether hacked individuals should have the right to "hack back" to confound attacks or identify attackers. Mandiant's adoption of a hack back approach in its successful attribution effort could be a point in that approach's favor — if it actually happened.
The intrigue: In the book, Sanger writes "[I]nvestigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks."
Sanger told Cyberscoop this kind of passive monitoring was a "reasonable explanation."
A group targeting systems in Japan and South Korea now appears to be trying to infect a specific South Korean brand of secure USB drives. That may signal it's trying to attack "air-gapped" networks — networks kept separate from the internet, whose users often employ USB drives to carry data back and forth between systems.
Why it matters: Air-gapped networks are often extremely sensitive, critical infrastructure networks among them. Stuxnet, the malware that sabotaged Iranian nuclear centrifuges, famously used the same USB trick.
The details: According to a new Palo Alto Networks report, the group known as Tick is specifically targeting systems using Microsoft Windows XP or Windows Server 2003, even though the malware it uses was created well after newer Windows operating systems were available. That could mean an attempt to target specific networks.
Codebook will return Thursday.