June 26, 2018

Welcome to Codebook, the only cybersecurity newsletter celebrating Wednesday's NotPetya anniversary in a bunker.

Tips? Please reply to this email address.

1 big thing: ZTE's on-again, off-again penalty upends the trade game

Photo: Lluis Gene / AFP via Getty

Last week, Chinese telecom manufacturer ZTE paid $1 billion to the Commerce Department to settle charges it sold banned technology to Iran and North Korea. Until the Trump administration intervened, that penalty was way tougher: a ban on the company's access to U.S. tech exports that would likely drive ZTE out of business. The Senate has voted to restore the original punishment, using an amendment to a must-pass defense appropriations bill.

What happens if that bill makes it into law is anyone's guess — from what ZTE's next steps are to how exactly the government might return that billion dollars.

"The nitty gritty of this is hard to imagine because nothing like this has happened before," said Brian Fleming, a lawyer for Miller & Chevalier specializing on trade-based regulatory issues and former counsel at the Department of Justice.

ZTE has legal options: Paying the fine does not take the original penalty off the table — geopolitics does not have a "no backsies" rule. There are, however, some constitutional issues that may work in ZTE's favor.

  • For example, said Fleming, ZTE could sue to restore the Trump deal, calling the Senate's move a "bill of attainder," a fancy term for a law meant to single out a specific company. (The U.S. Constitution specifically bars bills of attainder.) Under very different circumstances, Kaspersky Lab recently tried this argument to reverse a federal ban on its products.
  • But, with the White House's investment in reversing the original penalties, Fleming wouldn't be surprised if ZTE let the Trump administration make the first move.

Would Trump veto the NDAA? The National Defense Authorization Act, the defense bill the Senate used to ZTE's penalties, is the yearly budget and priorities package for the military. It hardly ever gets vetoed; American leaders don't try to sabotage the military budget. But Trump has shown a penchant for brinksmanship.

Why it matters: No matter what, said Fleming, the United States has done considerable harm to its bargaining power: "Reversing the White House deal could be a big credibility problem. But the White House deal has already done that" — it reversed things first.

  • Undoing the deal will make it difficult for the White House to negotiate with the rest of the world.
  • Keeping the deal will make it difficult for the Commerce Department, which negotiated the original penalty, to negotiate future deals. Fleming: "It makes it more difficult for lawyers like me to know if we enter into a settlement with the government, will it be blown up on Twitter."

Meanwhile, although there's no telling whether the ZTE deal rollback will survive the legislative process (the Senate's version of the NDAA has to be reconciled with the House's), the Senate is gearing up for a showdown.

"How exactly does helping save #ZTE give us leverage in broader negotiations with China? Giving in to their demands doesn’t create leverage, it emboldens them to see us as bluffers," tweeted Sen. Marco Rubio (R-Fla.) last week.

2. Study: Вrands should worry about non-English letters and phishing

Did you notice which letter in the headline is actually a Russian character? It's the "В." If you didn't notice, there's a chance you would also have clicked a phishing link to ВankofAxios.com. (Don't worry. There is no such bank.)

So-called homographic characters — letters that look the same to the eye but are read differently by machines — are a known problem in phishing attacks. A new study from Farsight Security quantifies the problem.

The details: Farsight looked at 466 of the top 500 websites. It found 8,000 unique, reachable domains that used such character substitution to masquerade as better-known brands' websites.

The problem: The problem is that this shouldn't be a problem. ICANN, which governs which companies can sell domains, contractually bans those companies from selling domains that mix two languages. But the organization doesn't enforce the rule.

Paul Vixie, founder of Farsight, said it may now be too late for ICANN to start.

  • It's tough to convince the internet zealots who vote on such proposals for enforcement to abandon the internet's libertarian ideal. "If they proposed it, people in ICANN meetings would be setting their hair on fire and doing battle with swords," said Vixie.
  • It's also tough to convince firms that already have sold the domains to return the money and take back the name.

Where does that leave us? Vixie suggests multiple layers of response. Just as Google runs a service sifting out websites that spew malware, someone could offer a service that sifts out websites confusable with common brand names. And security firms could better protect clients by filtering out likely problems as well.

3. First Wifi protocol update in a decade boosts security

Tuesday morning, the Wi-Fi Alliance announced Wi-Fi Protected Access 3 (WPA3), the first update to the widely used wireless networking protocol since 2004.

WPA3 offers some meat and potatoes security enhancements (including increasing the key length for enterprise applications) and a nifty new way to connect devices without screens to a network — essentially using one connected device to authenticate another.

Why it matters: You may not know what WPA2 or WPA3 is, but you use it every time you connect in the office or a coffee shop.

4. World Cup sees a spike in DDoS attacks

Radware, a cybersecurity firm protecting one of Russia's largest telecommunications providers and others in the region, says that during the ongoing World Cup competition in that part of the world, it has seen a jump in distributed denial of service attacks (DDoS) — not only in frequency but also in sophistication. A denial of service attack floods targeted servers with so much traffic that they crash.

More sophistication: "We have been seeing more burst attacks in Russia, with attacks particularly targeting the travel and transportation sectors," said Yoav Gazelle, vice president for Europe, the Middle East, Caribbean and Latin America.

  • Burst attacks mix short bursts of traffic with periods of calm. That makes them tougher to track and thus harder to defend against than traditional DDoS attacks, which use a more consistent onslaught of traffic.

Go deeper on hacking at the World Cup.

5. Mandiant might not have hacked China back

Mandiant, the firm that first detailed the Chinese hacking group called APT 1 (and later merged with FireEye), says it never hacked into Chinese computers while identifying the group. New York Times' reporter David Sanger's new book, The Perfect Weapon, alleges it did.

Why it matters: Sanger is a good reporter and the people Codebook spoke to at FireEye seem to think, on the whole, the book is an important chronicle of cybersecurity history. But there's a live debate in Washington today over whether hacked individuals should have the right to "hack back" to confound attacks or identify attackers. Mandiant's adoption of a hack back approach in its successful attribution effort could be a point in that approach's favor — if it actually happened.

The intrigue: In the book, Sanger writes "[I]nvestigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks."

  • Sanger, who writes that he personally observed this, describes the appearance of the hackers, including "leather jackets or undershirts," and browsing habits, including emailing their girlfriends and watching porn.
  • In a blog post Monday, FireEye says Sanger may have misinterpreted what he saw.
  • Hackers sometimes will use one hacked computer as an intermediary to hack another. Chinese hackers had compromised intermediary computers in this way, but Mandiant says it figured out a way to monitor how the Chinese used those computers without compromising them —it simply asked the owners' permission.
  • That meant when the Chinese hackers were hacking, Mandiant would see that. If any of the hackers used their web cameras, Mandiant would have seen that, too. And if the hackers were in fact watching pornography, Mandiant would have been a really awkward place to work.

Sanger told Cyberscoop this kind of passive monitoring was a "reasonable explanation."

6. "Tick" group likely trying to enter air-gapped networks

Photo: Jaap Arriens/NurPhoto via Getty Images

A group targeting systems in Japan and South Korea now appears to be trying to infect a specific South Korean brand ofsecure USB drives. That may signal it's trying to attack "air-gapped" networks — networks kept separate from the internet, whose users often employ USB drives to carry data back and forth between systems.

Why it matters: Air-gapped networks are often extremely sensitive, critical infrastructure networks among them. Stuxnet, the malware that sabatoged Iranian nuclear centrifuges, famously used the same USB trick.

The details: According to a new Palo Alto Networks report, the group known as Tick is specifically targeting systems using Microsoft Windows XP or Windows Server 2003, even though the malware it uses was created well after newer Windows operating systems were available. That could mean an attempt to target specific networks.

7. Odds and ends

  • Tech firms met with the Trump administration to discuss options for protecting the midterms, but left feeling like they were on their own. (New York Times)
  • Financial regulators in the U.S. and Asia want leniency from GDPR so they can keep on regulating. (Reuters)
  • The annoying, Chinese-language robocalls I keep getting are actually a banking scam. (Washington Post)
  • Phone batteries might reveal what letters you type. (The Register)
  • The House passed an industrial cybersecurity bill. (The Hill)
  • India is forcing ATMs using Windows 95 to, well, stop using Windows 95. Don't laugh — U.S. ATMs also often use out-of-date operating systems. (The Register)

Codebook will return Thursday.