😎 TGIF, everyone. Welcome back to Codebook.

• Today's newsletter is especially fun because I'm sending it on my actual birthday! 🥳 That means this edition is automatically perfect; no criticism allowed.
• ... but, actually, if you have critiques, comments or other feelings, my inbox is always open: codebook@axios.com.

Today's newsletter is 1,556 words, a 6-minute read.

Cybercriminals' aggressive targeting of smartphones is weakening the crux of many organizations' security procedures: text-based, multifactor authentication (MFA).

The big picture: Experts have long warned that authentication protocols that rely only on sending a code to someone's phone to confirm their identity are easily manipulated.

Driving the news: Uber said earlier this week that its recent security incident was the result of a so-called "MFA fatigue" attack, where hackers spam someone with authentication requests on their phone until they accept one.

• MFA-fatigue attacks also led to major breaches at Okta and Cisco this year.

How it works: MFA is a process that requires people to provide a second form of identification besides a password. A popular example is having a code texted to your phone.

• 41% of respondents said in a survey last year from S&P Global, commissioned by security tool provider Yubico, that their company's IT staff and network administrators used text messages for MFA.
• Hackers can steal MFA codes when they overtake people's phones in SIM-swapping attacks or by sending phishing emails directing people to fake login pages that collect their one-time codes.
• Cybercriminals can even game app-based authenticators, such as Google Authenticator, says Josh Yavor, chief information security officer at Tessian.

Why it matters: Phishing texts are becoming more and more believable as hackers start to invest more time in targeting people's phones.

• And there's little to nothing that can be done to stop hackers from targeting phones and getting better at persuading victims to give into demands, says Angel Grant, vice president of security at F5.

Between the lines: In the absence of a good solution to stop phishing and spam texts, security experts have been pushing organizations to pursue more device-specific solutions.

• One old-school idea is to issue all employees YubiKeys, which are essentially USBs that users tap to their device to verify their identity. However, physical devices are easily lost and cumbersome for employees.
• Another popular idea is transitioning to devices that enable FIDO Alliance industry standards, an encryption model that requires users to log in from a specific device to verify identities.

Yes, but: It can be challenging for companies to implement an entirely new login protocol — especially if they work with legacy software or built internal applications themselves.

• Upgrading legacy software is often impossible, and company-built applications might have been developed by external contractors.

The intrigue: A middle ground still exists for companies that can't make the investment in physical device authentication.

• Push notifications sent through apps from Google, Microsoft and others are relatively easy to transition to if an organization already uses business products from those companies.
• Organizations can also focus on strengthening their internal controls to limit what information is available to employees, so hackers can't have a free-for-all if they gain access.

Six companies from the telecommunications, finance and energy sectors came together this week to host a cyberattack simulation to get a sense of what is — and isn't — working in their defense strategies.

The big picture: This week's event marked the first time companies across these three critical infrastructure sectors have hosted a live-action simulation together.

• This cyber simulation was entirely run and hosted by private companies. Typically, the federal government has taken the lead in organizing such simulations.

The intrigue: Companies brought in both their defensive and offensive cyber teams, as well as their IT employees, to experience live attacks on actual networks and laptops provided just for this event.

• The typical tabletop exercise is a discussion between executives about a hypothetical event.
• In this case, offensive teams got to pretend to be malicious hackers trying to break into each others' companies, meaning participants didn't have a preplanned simulation to prepare for.

Details: AT&T, Lumen, Mastercard, Morgan Stanley, Southern Co. and Southern California Edison participated in the event, held at AT&T's Dallas headquarters on Wednesday and Thursday.

• Each team received points whenever they successfully blocked attacks or stole data, depending on what side they were on.
• Jason Lish, chief security officer at telecom provider Lumen, tells Axios the simulation was years in the making, with the pandemic postponing plans for the in-person event until now.

Between the lines: On Thursday, company CISOs met with representatives from the Cybersecurity and Infrastructure Security Agency, the U.S. Secret Service and the Department of the Treasury to discuss their takeaways and how the federal government can better assist companies during these incidents.

• Lish says he wants to see if there's a way to host similar events with members of CISA's Joint Cyber Defense Collaborative — a group of companies and federal offices that share cyber threat information with each other.
• Enhancing communication between the government and the private sector during cyberattacks has been a major Biden administration priority.

What they're saying: "It's great to see how others react and coordinate and communicate, and you can take from that to update your own protocols and ensure that you're being as efficient as possible," Bill O'Hern, global chief security officer at AT&T, tells Axios.

What's next: The companies are now looking at repeating the exercise in the future and at ways to broaden the number of participants.

• Mastercard CISO Ron Green tells Axios he is particularly interested in how they can apply the lessons learned from this to help small to midsize companies, too.

A pair of influential senators have devised a plan to beef up the federal government’s approach to securing open-source software, or tools that developers create for free public consumption.

Driving the news: Senate Homeland Security Committee leaders Gary Peters (D-Mich.) and Rob Portman (R-Ohio) introduced a bill Thursday requiring CISA to develop a risk framework laying out how the federal government relies on open-source code.

• The bill comes after researchers discovered a security vulnerability in popular open-source code Log4j in December, which CISA estimates affected millions of devices.
• The Washington Post first reported on the bill before its introduction.

Between the lines: Since last year’s Log4j vulnerability, both the federal government and industry have been scrambling to figure out how to toughen open-source software.

• Open-source developers often don’t have the time to constantly update and patch their creations against new vulnerabilities.
• But companies rely heavily on these free resources when building out their own tools since they cover basics like logging tasks.
• The Open Source Security Foundation rolled out a project to better secure at least 10,000 open-source projects, and the White House hosted a meeting in January with private- and public-sector partners to discuss the issue further.

Details: Peters and Portman’s Securing Open Source Software Act would require CISA and other federal offices to tackle the issue in a few ways:

• CISA would need to develop a risk framework within a year for federal government uses of open-source software.
• CISA would also have to hire a set of open-source security developers to better defend against future cyber threats targeting this code.
• The Office of Management and Budget would issue guidance for how federal agencies secure open-source software.

The intrigue: Peters and Portman have been behind some of the most influential pieces of cybersecurity legislation in the last few years, so this bill could stand a good chance of making it through Congress.

• Earlier this year, President Biden signed into law a bill from the duo requiring all critical infrastructure operators to report cyber incidents to the federal government within 72 hours.
• The lawmakers plan to hold a committee vote on the bill next week, according to the Post.

Yes, but: Congress faces a truncated legislative schedule as the midterm elections approach, leaving little time for the lawmakers to get their bill passed before a new session begins.

Identify and proactively correct risks, meet compliance regulations and protect against ransomware attacks across your IT ecosystem — in two minutes or less.

Here’s how: NetApp scans your data and provides actionable intelligence and risk assessments.

Watch it in action.

@ D.C.

🪖 Several U.S. military branches have purchased an internet monitoring tool that can provide access to people's email data, browsing history and even sensitive internet cookies. (Vice)

✍🏻 Lawmakers are retooling their initial cybersecurity provisions in the annual defense policy bill after industry complaints. (Nextgov)

🗃 The Biden administration has assembled a small study group to determine if the National Security Agency and the U.S. Cyber Command should still share the same leader. (The Record)

@ Industry

🔍 A look inside Chainalysis, the startup helping the U.S. government track cybercriminals' crypto payments. (Bloomberg)

💻 Facebook users are suing Meta for snooping on them via its in-app browser, violating Apple's 2021 iOS privacy rules. (TechCrunch)

👀 Three former TikTok department heads said they left the company after learning they’d be expected to take direction from parent company ByteDance's Beijing office. (Forbes)

@ Hackers and hacks

🇷🇺 Google security researchers said they've spotted apparent coordination between pro-Russian civilian hacking groups and campaigns carried out by Russia's military intelligence agency during the Ukraine war. (Wall Street Journal)

👾 CISA and the FBI estimate that Iranian hackers were sitting in the Albanian government's networks for 14 months before deploying data-wiping malware earlier this year. (CISA)

💰 The ransomware gang behind an attack on L.A. Unified School District is now demanding the district pay a ransom to prevent a possible data leak. (Los Angeles Times)

Ransomware gangs deal with their fair share of drama, just like the rest of us.

• The latest: A disgruntled ransomware developer got upset with his bosses at the LockBit gang, so he leaked a key encryption tool of theirs — making it easier to detect and stop the gang's attacks.

In the past year, $350 million in ransoms were paid. The average downtime due to ransomware is more than 16 days.

Here’s the deal: Ransomware attacks are evolving — protect every access point.

Learn how NetApp helps without taking your hybrid cloud offline.

☀️ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.