Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

June 12, 2018

Welcome to Codebook, the only cybersecurity newsletter offering cash money for a USB fan (see below).

Tips? Please reply to this email address.

1 big thing: Senate acts to undo Trump's deal to save ZTE

ZTE billboard by roadside

Moving quickly to thwart the president's $1.4 billion deal to save Chinese telecom manufacturer ZTE, lawmakers agreed Monday to attach a new provision to a must-pass defense authorization bill.

President Trump's deal is not just a national security problem, said Sen. Chris Van Hollen, who introduced the amendment along with Sen. Tom Cotton (R-Ark.) and a bipartisan posse of cosponsors — it's also bad dealmaking.

"He got rolled," Van Hollen told Codebook.

The details: The new amendment, first introduced last Thursday, will undo any deal for Commerce to reduce its original punishment against ZTE — a ban on U.S. technology that would effectively force one of China's largest firms to shut down.

  • Van Hollen originally had an amendment in the defense authorization that would prevent any new deals with China lessening penalties against a company that had been recently punished. But, as Van Hollen describes it, "the administration wanted to flout Congress’s intent and decided to put its foot down on the accelerator" to finish the deal before the defense authorization could pass.

The administration had been gung-ho about reaching a deal, treating it as a chip in broader trade negotiations."Too many jobs in China lost," tweeted the president.

Problems in the deal: On Sunday, White House trade advisor Peter Navarro told Fox, "It’s going to be three strikes you’re out on ZTE. If they do one more additional thing, they will be shut down."

"They've had their strikes. They already struck out," said Van Hollen.

  • This is the second time in a year ZTE was caught selling to North Korea and Iran, notes Van Hollen, despite agreeing that a second infraction would be met with an effective death penalty — a ban from using US technology, including microprocessors that are critical in the manufacturer's products.
  • ZTE has been accused of sabotaging its products to aid Chinese spies tapping into U.S. communications networks.
  • "This undermines the credibility of sanctions. It shows that if you get caught and get caught again, you only get a slap on the wrist, "said Van Hollen.

Where it stands: The provision will have to survive a full Senate vote on the whole authorization bill and then needs both House approval and the president's signature to become law.

2. Infrastructure security firm Claroty snags $60 million in funding

The industrial infrastructure cybersecurity group Claroty received $60 million in a new round of funding, including investments from a broad array of players in the infrastructure space like Rockwell, Siemens and Schneider Electric.

"We went for fundraising a year before originally planned," Amir Zilberstein told Codebook, attributing the need to unexpected growth.

Why it matters: The industrial infrastructure space, which involves protecting installations like power plants, dams, and factories from cyberattack, is unique. The equipment is unique, the security threats are unique and the market itself is unique. Though there are esteemed companies in the field, there aren't yet the same kinds of security monoliths that exist for general cybersecurity.

"It's a huge market without any of the big players in the market," said Zilberstein.

3. Problem in MacOS may let anyone pretend to be Apple

An Apple store

Photo: NurPhoto / Getty

Researchers at Okta found a severe problem in the way security programs traditionally use MacOS tools to verify which programs were written by Apple — what is known as code signing.

Why it matters: Apple's developer interface, known as an API, can be tricked so anyone writing malware can convince a bevy of security products that the malware was written by Apple. The problem here is that security products are often loath to distrust Apple and will let that malware run unfettered.

  • Josh Pitts, who discovered the bug, said that Okta does not know if any malware is currently utilizing this flaw to circumvent security programs.

Who it affects: There is no way to know the complete list of what products are vulnerable to this bug. But Okta tested a number of products, and some big name ones have problems, including F-Secure, Facebook and Carbon Black. Every software maker that Okta announced had a problem has released a patch.

  • According to Okta, Apple told the firm that developers would be responsible for correcting their implementation of the API. CERT, the government group that coordinates notifying vendors of widespread security flaws, recommended that Okta write a description of the problem to help vendors assess whether they are vulnerable.
  • That's a double-edged sword. Pitts noted that "once the blog is published, it will be easy for someone to weaponize it."
  • It's critical, said Pitts, that everyone update Mac security software.

4. DOJ arrests 74 in business email compromise sting

The Department of Justice announced 74 international arrests for email-based financial confidence scams Monday, including 42 arrests in the U.S. and 29 in Nigeria. "Operation Wire Wire" seized $2.4 million in allegedly ill-gotten gains and reversed $14 million in allegedly fraudulent transactions.

The background: These crimes, known as business email compromises, are the modern incarnation of what used to be called Nigerian scams. They can involve simple schemes, like creating romantic relationships to exploit for fraudulent business transactions, or more complex ones, like hacking one company to send out fake invoices directing wire transfers to the criminals.

5. Adventures in swag: Singapore edition

The Trump / Kim summit created an instant infosec collectible when journalists received gift bags stocked with cheap-looking USB fans.

So? Anything with a USB dongle is a vector into your computer. Its an ideal way to get malware into a target system — Stuxnet, famously, attacked Iranian nuclear centrifuges using malware carried on USB thumb drives.

There's no reason to think that there was actually malware on the USB fan — especially seeing as the gift bag came from Singapore. There probably isn't. It's also apparently very hot in Singapore. It's still a goofy gift.

I've got $25 for one. Call me.

6. Mitt Romney will blab your password

From a New York Times profile on the reemergence of Mitt Romney:

Mr. Romney stood just beyond the finish line, bopping in his jeans-and-flannel finest, smiling back at the runners like a distant relative at a wedding, waiting to be greeted. “Well done, well done, congratulations,” he said, handing medals to participants who may not have won in the end but plainly tried their hardest.
He clapped and shoulder-patted. He whiffed on a high-five. He studied the fingers of a woman unlocking her cellphone to take a picture with him, and guessed at the passcode. “Seven-six-four-three-nine-nine!” Mr. Romney shouted.
He laughed. People seemed confused. The camera clicked. Mitt Romney was back.

Don't tell Mitt Romney your password.

7. Odds and ends

Codebook will return Thursday.

$25. Think about it.