Welcome to Codebook, the irregular cybersecurity newsletter that's not as outlandish as it could be.
Today's newsletter is 1,608 words, a 6-minute read.
Illustration: Aïda Amer/Axios
On Tuesday, the U.K.'s Labour Party became the latest in a decade-long line of victims to claim they were targeted by a "sophisticated" cyberattack that wasn't, actually, very sophisticated.
The big picture: It's the latest lexical stretch for an adjective that's widely used in reports of cybersecurity incidents — and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.
Driving the news: Labour ultimately faced what's known as a denial of service attack, a way of overwhelming servers with a ton of traffic. It's a digital blunt force attack — harmful, yes, but hardly sophisticated. Labour was not alone.
In the last year or so, victims blamed "sophisticated" hackers for breaches at the Australian Parliament; a hamburger chain; a bank; another bank; yet more banks and universities in Australia, the U.S. and UK; a 1,200-student high school; newspapers; Amnesty International; WhatsApp users; a medical center; an electronics supplier; an embassy; and a community college, among others.
Be smart: Some of those hackers were, in fact, sophisticated. Others weren't. But overusing the word dilutes its meaning.
The sophisticate who cried wolf: For network defenders trying to follow what's going on across the industry, it's important to know when actual sophisticated hackers emerge. "There's a boy who cried wolf situation," said Dylan Owen, senior manager for cyber services at Raytheon.
Sophistication's siren song: As soon as a breach is announced, companies are on the defensive, left to justify to users, investors and employees how data that was supposed to be kept secret suddenly wasn't.
But, but, but: Sophistication isn't the only way to breach even high-tech defenses. Persistence is just as powerful as technical acumen.
When experts say "sophistication," they use it very differently from normal people.
Those aren't the same thing. Just consider the first steps in hacking a computer.
The bottom line: Unless the hackers are known to wear cufflinks, you can usually take "sophisticated" with a grain of salt.
Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet, according to new research by the security firm Expanse and 451 Research.
Why it matters: According to Coveware, more than 60% of ransomware is installed via a Windows remote access feature called Remote Desktop Protocol (RDP). It's a protocol that's fine in secure environments but once exposed to the open internet can, at its best, allow attackers to disrupt access and, at its worst, be vulnerable to hacking itself.
What is RDP: RDP is a way of offering virtual access to a single computer. It allows, for example, an IT staffer in one office to provide tech support for a baffled user in a different office.
What they found: The Expanse/451 study found that 53.4% of Fortune 500 companies had an RDP exposure over a two-week period scanning for open RDP ports.
The bottom line: The threat of RDP exposures often fly under the radar. "IT staffs are really good at looking at what they know about, but not at what they don’t," said Kraning.
Roger Stone enters the courthouse for his trial, Washington, D.C., Nov. 13. Photo: Sarah Silbiger/Getty Images)
At the Roger Stone trial, Rick Gates testified that the Trump campaign was aware that WikiLeaks would dump Democrat emails before Trump even secured the nomination.
The big picture: Gates, a former deputy to Trump campaign manager Paul Manafort, said that Stone, a Trump confidant, alerted him that WikiLeaks would be posting hacked Democratic emails in April 2016.
The Democratic National Committee hack wasn't publicly announced until June of 2016.
Trump and his proxies repeatedly denied knowing about the WikiLeaks dumps in advance during the campaign and into the Trump presidency.
When hackers target companies providing services to other companies, it can obviously cause financial damages for everyone involved. But a surprising new study demonstrates that it causes more damage per company when a single service provider with a bunch of dependents is attacked than when an equivalent number of victims are attacked individually.
Driving the news: The study, compiled by the security firm RiskRecon and the research group the Cyentia Institute, looked at 816 different breaches over the last decade. The best-known example of this "ripple effect" is a breach at American Medical Collection Agency earlier this year.
By the numbers: Previous research found that 816 different "ripple effect" breaches affected 5,437 downstream organizations causing median damages for all companies involved of $995,500. That's around 13 times the $77,000 median cost of a breach affecting only one company.
Why it matters: Wade Baker, of the Cyentia Institute, told Codebook that this study could have an impact on how cyber insurance companies evaluate risk and how companies evaluate the insurance protection they need.
Wherein we figure out who to trust in elections (NASS, Brennan Center): The National Association of Secretaries of State launched a new campaign to emphasize that the best place to get information on an election is from elections officials.
Google criticized for health care partnership (per Axios' Ina Fried): The Office for Civil Rights in the Department of Health and Human Services told the Wall Street Journal Tuesday it is investigating the data-sharing relationship between Google and not-for-profit hospital system Ascension.
MITRE launches Center for Threat-Informed Defense (MITRE): Engenuity, a foundation for the public good based at the research foundation MITRE, launched the Center for Threat-Informed Defense. The Center will provide free-to-the-public cybersecurity solutions.
We'll return one more time before thanksgiving.
Browns update: Codebook reader pick to win the Super Bowl, the Cleveland Browns, won against a good Bills team on Sunday, but continue to not be on track to win the Super Bowl.