November 21, 2019
Welcome to Codebook, the cybersecurity newsletter that turns down bribes but is offended you didn't even offer one.
Today's newsletter is 1,430 words, a 5-minute read.
1 big thing: Influencer culture comes to cybersecurity
The cybersecurity community is reckoning with influencer culture for the first time after several popular figures ran paid advertisements on their social media accounts.
The big picture: For years, the world of cybersecurity experts has operated more like a scientific community than a commercial one — and, until very recently, more like a counterculture than a service. The paid posts provided a glimpse of a corporate sponsor-driven future for security specialists surprised to find out that corporations knew who they were.
Driving the news: Several follower-rich cybersecurity Twitter accounts ran individualized promotions for Lenovo's secure line of products and security services, ThinkShield (all tagged "#ad #thinkshield"), sparking immediate pushback from the wider community.
- The influencer marketer VizSense, not Lenovo, reached out to influencers. It's not clear how much Lenovo was aware of the plan.
- The influencers who were contacted included a reporter, well-known researchers, a former intelligence operative, executives, a financial tech expert, an AI guru and others. All had more than 10,000 Twitter followers.
- No one who ran the ads has confirmed being part of this campaign; however, several Twitter personalities posted using those hashtags.
- VizSense, Lenovo and seven people who appear to have run Lenovo ads related to this campaign — one of whom ran ads in multiple languages — did not respond to requests for comment.
The campaign prompted immediate criticism online, with several security luminaries seeking out and posting screenshots of paid posts.
- Many also noted a 2015 incident where Lenovo's preinstalled software included a third-party advertising product called "Superfish" that introduced severe security issues in its products.
Between the lines: On Instagram, YouTube and other platforms, influencers with large followings routinely take cash to promote products, often in the fashion industry or entertainment. But this appears to be the first time personality-driven advertisements have been used in cybersecurity.
Several of the influencers who turned down the ads told Codebook that companies could use established, less-controversial methods if they wanted researchers to help increase awareness of security products and initiatives.
- Researchers are often paid to conduct third-party evaluations of products. They can be brought in to assist in relevant research projects or speak at branded events and webcasts on research topics.
- "There's nothing wrong with compensated reviews," said Chris Wysopal, co-founder and CTO of Veracode, who noted that VizSense couched an offer to him in terms of paid evaluations of Lenovo wares. "But it didn't look like the tweets people put out were reviews."
- Wysopal and Jake Williams of Rendition Infosec, who both declined VizSense's offer, noted that they were asked to review Lenovo's ThinkShield based on an information sheet, not a product. Neither felt like they could have evaluated a full product in the time frame VizSense offered.
Zack Whittaker, the security editor for TechCrunch, told Codebook that VizSense approached him over LinkedIn — implying they were at least somewhat aware of his role as a journalist.
- "It's particularly unethical for a company to actively approach journalists, of all people — ergo, to ask them to violate their ethics — to promote something in exchange for payment," he said, via electronic message.
The irony, said Wysopal, is that the backlash might obscure real progress Lenovo has made since the Superfish incident.
- "There's a lot of good to ThinkShield, according to what they sent me," he said, pointing to supply chain protections that could fight future Superfish-style problems. "They didn't need to go with this approach."
2. Russia and China get a big win on internet "sovereignty"
The United Nations adopted an anti-cybercrime pact backed by China, North Korea and Russia Monday, against the wishes of the U.S. and pro-civil liberty groups.
The big picture: For years, the United States has squared off with more repressive nations over global internet norms. The U.S. wants countries to offer citizens maximal access to the global internet, while Russia and others argue that countries should have "internet sovereignty" to block websites critical of governments and to punish online dissidents.
Why it matters: The UN resolution could give more legitimacy to the "internet sovereignty" crowd.
Driving the news: The resolution, which passed 88-58 with 34 abstentions, sets up a working group to examine global cybercrime prevention.
- Critics say the pact provides a veneer of legitimacy for the sovereignty concept while allowing governments to shut off cross-border data access as a tool of oppression or to censor websites when used for "criminal purposes," without defining what those criminal purposes are.
All this comes as Russia prepares to test whether domestic networks could survive detaching the nation from the global internet in an apparent attempt to set up a China-style internet filtering system.
- "Russia is hoping the resolution will mean that they will more easily be able to shut down the internet," said Kasey Stricklin, a Russia analyst for CNA consulting. "All of this is them hoping the UN will rubber-stamp those activities."
Losing U.S. leadership on the internet could be a symptom of the United States' greater abdication of global leadership to countries like China and Russia, who are expanding their spheres of influence in Africa and the Middle East just as the U.S. is abandoning those regions.
3. Iran cuts internet during, and after, protests
As protests over gas prices erupted this weekend, Iranian officials cut the nation's access to the internet. On Wednesday, according to state media, the government declared victory over the protests. Yet the internet has only begun to trickle back online.
- Keeping the internet off prevented global reporting of police abuses and prevented domestic coordination between protestors, Adrian Shahbaz of the human rights group Freedom House told Codebook. Freedom House recently listed the use of internet shutdowns to quell government opposition as a key threat to internet freedom in its Freedom on the Net report.
- While reporting is spotty, largely because of the internet shutdown, Shahbaz said he has spoken with Iranians, who confirmed that the nation shut down its global internet connections, but left some access to national, internal sites.
- As of Thursday morning on the US East Coast, internet connectivity in Iran was only at 10% of its typical levels, according to connectivity monitor NetBlocks. That's up from 5% during the height of the protests.
4. DHS announces election audits tool
Homeland Security's main cyber division Thursday announced a new tool to help election officials audit voting machines — the first version of which is already deployed in six states.
Why it matters: While a lot of attention gets paid to voting machine security, auditing machines during an election is equally important: It's the only way to tell whether machines were hacked or malfunctioned.
Details: The tool, which DHS' Cybersecurity and Infrastructure Security Agency calls Arlo, simplifies performing the audits' math.
- Arlo is being developed by VotingWorks, a non-partisan, non-profit voting security engineering group.
- It integrates with all major vendors of voting machines.
5. Other news from last week
IRS-scamming season comes earlier every year (Akamai): Akamai detailed a new phishing campaign designed to swindle victims out of their tax refunds.
- That alone is nothing new — hackers have been stealing tax refunds for years. But this campaign started in August, while activity doesn't typically pick up until closer to tax day in April.
- Akamai notes the targets of this scam number more than 100,000.
Senators worry about state information sharing: Sens. Maggie Hassan (D-N.H.), Gary Peters (D-Mich.) and Chuck Schumer (D-N.Y.) expressed concern that the Department of Homeland Security's proposed 2020 budget underfunded information sharing among states and elections.
- They sent a letter to Homeland Security's main cyber department expressing surprise and dismay that the budget asked for less than 70% of the funding required to "maintain [information sharing for states and elections] at current levels."
Insecure communication everywhere (The Daily Beast): Back when she was UN Ambassador, Nikki Haley sent "confidential" material using an unsecured email system after forgetting her password for her classified email account.
6. Odds and ends
- M-I-C ... see your Disney+ account real soon! ... K-E-Y ... why? because of password reuse. (Axios)
- North Korea's Lazarus group unveiled new Mac malware (TrendMicro)
- The Trump administration, again, extended the deadline for companies to cease business with Huawei. This is extension number three. (The Hill)
- China hawks are concerned with the extensions. (Washington Post)
- China, Iran, North Korea and Russia have long been considered the Big Four foreign cyber threats. It's time to stop ignoring everyone else. (Aspen Institute)
- Cyber criminals are flocking to Phoenix, a hip, commercially available keylogger that all the kids are raving about. But like most trends, this one's a retread. (Cybereason)
- Fake Windows update reminders are dishing out Cyborg ransomware. (Trustwave)
- Google patched a cross-site scripting bug in Gmail that its tech team called "awesome." (ZDNet)
- ProtonMail was blocked in Belarus after a wave of bomb threats. (ZDNet)
We'll be back after Thanksgiving.
The Cleveland Browns, who Codebook readers picked to win the Super Bowl, won on Thursday in wildly inappropriate fashion, as Brown Myles Garrett ripped off a Steeler's helmet and tried to hit him with it.
Garrett is an avid poet.