Welcome to Codebook, the cybersecurity newsletter that will withhold good content unless you watch Axios' new HBO show Sundays in November.
Tips? Send me a note by replying to this email.
John Carlin. Photo: ZACH GIBSON/AFP/Getty Images
John Carlin wants you to know that the U.S. is much better at investigating cybersecurity-related crimes than people seem to think. And he'd be the person to ask: Carlin was the assistant attorney general for the Department of Justice's National Security Division until 2016.
The big picture: Carlin's new book, "Dawn of the Code War," released Tuesday, is a recollection of his time in government, first at the FBI and then the DOJ. Throughout that time, he saw people and organizations struggle to grasp what both agencies do in information security. "Part of getting these stories out is for people to see investigations in context," he tells Codebook.
Here are three key insights from Carlin:
Always come forward. Carlin, now a partner at Morrison & Foerster, says most executives don’t understand the gravity of not alerting authorities about seemingly minor breaches until they learn about Ardit Ferizi.
Government attribution works. It's tough for private cybersecurity pros to attribute attacks to the responsible parties. It's less tough for government agencies with multilayered investigations.
"Name" matters more than "shame." The DOJ often indicts or files charges against foreign intelligence hackers it has little chance of actually arresting.
Twitter is releasing all the content associated with 4,611 accounts it has tied to two previously announced misinformation campaigns by Russia and Iran — 3,814 accounts linked to Russia's Internet Research Agency, which meddled in the 2016 elections, and 770 that were linked to state-backed activity from Iran, Axios' Shannon Vavra reports.
Why it matters: Twitter says the release is part of an effort to be more transparent about the "information operations" it identifies on the platform and to assist researchers.
Codebook's thought bubble: Though they get portrayed as such, it's dangerous to think of social media campaigns like the IRA's as a purely election-related phenomenon.
McAfee discovered new malware targeting Korean speakers, and it appears to have infected a few U.S. corporations.
Why it matters: "OceanSalt" seems to be performing reconnaissance on its targets. What makes it particularly interesting is that it appears to share code with a long-dead threat actor known as APT 1.
Targets include universities, South Korean public infrastructure stakeholders and the Inter-Korean Cooperation Fund.
The intrigue: McAfee doesn't think that APT 1 is back, due to severe differences in other components and code in the attack. But the code is coming from somewhere.
At their best, commercial Virtual Private Network (VPN) services make it nearly impossible for eavesdroppers to tell what sites users visit. At their worst, they log users' traffic, inject ads, offer minimal security protections and make it unclear how much data they hand over to the Feds. If only someone could help parse the privacy and security of the competing services.
Enter CDT: The Center for Democracy and Technology is now trying to answer which VPNs offer what security and privacy features. It is hosting answers to a questionnaire that clearly outlines critical components and policies.
And some big-name VPNs are playing ball. At its Wednesday launch, the program included answers from ExpressVPN, Golden Frog, Tunnel Bear and others.
One key question in the questionnaire, beyond security practices, is, "What is the service’s business model?" It costs money to run these things, and users of "free" VPNs sometimes fall victim to privacy abuses by providers trying to turn a profit.
Among the evidence collected against Treasury employee Natalie Mayflower Sours Edwards, accused Wednesday of leaking secret FinCEN reports related to the Russia investigation to BuzzFeed, were a series of encrypted chats with the reporter on her phone.
A teachable moment: Encrypted chats are nearly impossible to decrypt as they travel from one person to another. But anyone who can unlock the sender's or receiver's phone can read those messages.
Delete! If you share information a hacker might want to steal using an encrypted chat account, delete the message when you're done. Make sure the recipient does that, too.
Codebook will see you next week, when we will break down the privacy implications of the Houston Astros.