January 31, 2019

Welcome to Codebook, the bad-boy cybersecurity newsletter your mom warned you about.

1 big thing: Russia is paranoid about propaganda

Illustration: Sarah Grillo/Axios

Before the 2016 election, Western nations' worst cyberattack nightmare involved sabotage of the electric grid. Meanwhile, the top digital fear among Russians was propaganda campaigns, according to Lincoln Pigman, an Oxford postgraduate researcher who studies the history of Moscow's political posture on cybersecurity.

Why it matters: The idea for the online information campaign that rolled out against the United States in 2016 wasn't a stroke of genius out of nowhere. In many ways, it was Russia's worst fears manifested into a weapon.

  • In fact, the post-mortem of campaign hacking compiled by U.S. intelligence agencies determined that one of the reasons for the attack was Russian President Vladimir Putin's belief that the U.S. had orchestrated the "Panama Papers disclosure and the Olympic doping scandal as US-directed efforts to defame Russia."

The big picture: "If you ask the Russian political elite, they will tell you they came under threat by Western propaganda. Whatever follows — fake news and influence operations abroad — that's all a response," said Pigman.

Russia's propaganda paranoia was based on fears of regime change that blossomed during the Arab Spring nearly a decade ago, Pigman added. "That experience unified the Russian political elite," he said. "They thought it was all a part of a U.S. effort to remove unfavorable regimes."

  • "Let’s face the truth. They have been preparing such a scenario for us, and now they will try even harder to implement it," said Russian President Dmitry Medvedev, after the fall of Egyptian President Hosni Mubarak in 2011.
  • "One thing they considered crucial to that was that all the protests used U.S.-made tools, like social networks," said Pigman. "They're seen not just as companies that happened to be based in the U.S. but as tools of U.S. statecraft."
  • "The Kremlin sees conspiracies everywhere primarily because they don’t believe in the idea of independent media or civil society," agreed Alina Polyakova, the David M. Rubenstein Fellow in Foreign Policy at the Brookings Institution. "This is how the Russian government justifies its very real interventions in the U.S. and other democracies."

The bottom line: Russia was wrong that the United States rigged the Olympics scandal to discredit Russia. But it's hard to argue it was wrong about the importance of propaganda. To date, Russia has run several successful information campaigns against the U.S. psyche. No one has ever succeeded at taking down a North American electric grid.

2. Apple's FaceTime bug not a great case for privacy bill

Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) used a severe bug in Apple's FaceTime service to promote a privacy bill they co-sponsored.

But, but, but: The FaceTime glitch isn't a great example of a privacy problem covered by their bill or of something that could be reasonably regulated.

The big picture: It's impossible to force companies to produce perfect code. No amount of auditing catches all errors. The best you can do is force companies to properly handle security concerns as they arise.

  • Meanwhile, privacy — used as a term of art — typically refers not to protecting against hackers but to preventing companies from intentionally sharing data with other firms.

The Klobuchar/Kennedy bill largely deals with that kind of privacy and requires notifying users whose personal data was improperly accessed. But that's not what's going on with the FaceTime bug.

  • That bug allowed users to tap into the audio (and sometimes video) of devices they called using FaceTime before the call was answered.
  • Apple appears to have furiously begun patching the problem as soon as they heard about it, and they disabled FaceTime features as a failsafe until the problem was fully solved.
  • While no bug is good, and there's no question some consumers would appreciate the provisions of the senators' proposal, nothing Apple has done ran afoul of their bill.

3. What we're reading: Ex-NSA hackers run UAE spy operations

Reuters' Wednesday report about Project Raven, a hacking operation in the UAE, is a critically important read. It details how ex-NSA employees became entangled in a project that targeted journalists, Americans and Arab Spring activists.

  • We Axiosified the report here.

Why it matters: The report touches on several key issues, including how nations that can't afford homegrown cybersecurity talent build up cyber programs and how an ostensible ally is targeting U.S. citizens.

Credit where credit is due: Christopher Bing and Joel Schectman, who wrote the Reuters piece, substantially advanced the story. But it's also worth checking out Jenna McLaughlin's foundational work on the UAE espionage regime, published in The Intercept and cited in the Reuters story.

4. The Facebook cash-for-research debacle

Photo: Westend61/Getty Images

On Tuesday, TechCrunch reported that Facebook paid iPhone users — including teenagers — $20 a month to be able to see everything they did on their phones.

The intrigue: To see everything on the users' phones, Facebook circumvented Apple's security controls. In fact, the new research app bore some resemblance to an earlier research app that Apple had already banned.

Apple quickly revoked the certificate allowing that app to work on phones. This was a big problem for Facebook, because their employee-only versions of the Facebook apps, like Messenger, used the same certificate and were therefore rendered useless.

Lawmakers weren't thrilled. Sen. Mark Warner (D-Va.) sent Facebook a strongly worded letter with a detailed list of questions to answer about the research app.

  • "Facebook’s apparent lack of full transparency with users — particularly in the context of ‘research’ efforts — has been a source of frustration for me," said Warner.

Everybody's doing it: TechCrunch later noted that Google, too, had circumvented the same controls for a similar research app. Google shut down its app after the story.

5. The DOJ is cleaning up a North Korean botnet

The Department of Justice is infiltrating and dismantling the North Korean "Joanap" botnet — a network of computers surreptitiously controlled by Pyongyang.

The difficulty here is that the department's aim of connecting to the botnet and notifying users who have been infected by it requires communicating with each of the controlled systems.

  • Joanap is unusual because, rather than use a central server to issue commands, it uses a decentralized, peer-to-peer model where any infected computer can command any other infected computer. The DOJ can't just stop it by taking out a central system.
  • That means the DOJ had to get a warrant under the controversial Rule 41, a recently passed change to investigation procedure that allowed blanket warrants to intercede with huge networks of computers rather than requiring a separate warrant for each one.

6. Odds and ends

  • Remember when we were afraid that Collection #1 might be followed by Collections #2 and beyond? That shoe dropped. Hackers are now circulating Collections #1–5, a combined list of 2.2 billion records of account login credentials. (Wired)
  • Someone has been infecting embassies in Iran with spyware linked to Iran. (Kaspersky Lab)
  • Palo Alto Networks’ Unit 42 labs discovered new Mac cryptocurrency-swiping malware. (Unit 42)
  • Facebook is bringing aboard Nate Cardozo, a Facebook critic formerly of the EFF, as part of a wave of new security and privacy hires. (CyberScoop)
  • A fake Cisco job posting is being used to infect South Koreans with malware. (Cisco Talos)
  • The ACLU is suing a California sheriff who blocked critics on social media. (The Verge)

We'll be back on Tuesday. Promise.