Welcome to Codebook, the only cybersecurity newsletter with a collection of Archie Comics.
If you've got tips or story ideas, I'd love to see. Just reply to this email.
Terracotta soldiers guard the mausoleum of Emperor Qin Shi Huang. Photo: Pete Saloutos via Getty Images
When it comes to cybersecurity research, the not-for-profit lab MITRE has traditionally maintained neutrality toward commercial products. But last week, it released its first security product evaluations. Here's why and how MITRE made the leap into what might at first sound like Yelp territory (but really isn't).
Why it matters: MITRE is best known for its role in assisting the government in public/private partnerships. In cybersecurity, until now, a lot of its high-profile work was more as an archivist than an active defender.
What MITRE released last week were the results of simulated attacks emulating the believed-to-be-Chinese espionage group known as Gothic Panda or APT3, built from the information collected for MITRE's ATT&CK framework. MITRE plans this release of product evaluations to be the first of many, with other tests gauging products against other attackers.
But, but, but: "We're not Consumer Reports," said Frank Duff, lead engineer for the evaluations program.
Techniques, not malware: Before the MITRE tests were announced, there were already a lot of places for antivirus companies to test whether they could detect malicious programs that hackers installed on a system. But as CrowdStrike's Scott Taschler, director of product marketing, noted, "When it comes to advanced, targeted attacks, malware is only a part of the problem." A hacker might not use any malware, and security products still need to be tested on how they respond to those attacks.
Vendors paid for their tests, with the first cohort including Carbon Black, CounterTack, CrowdStrike, Endgame, Microsoft, RSA and SentinelOne.
The bottom line: Scott Lundgren, chief technology officer at Carbon Black, said, "If the community rises up and documents and positions their security posture with ATT&CK in mind, we are all raising the bar and making it more expensive for adversaries to operate."
Quora, the crowdsourced question-answering site, announced Monday a breach that may affect as many as 100 million accounts.
Marriott revealed Friday that its Starwood hotel group suffered a breach that may affect as many as 500 million accounts. The initial breach took place in 2014, before Marriott purchased Starwood, but continued through September.
Be smart: Despite the timing of the two announcements, breaches involving more than 100 million accounts are still rare — that's only happened about a dozen times ever, including Yahoo (twice) and other landmark breaches like Equifax, Adult Friend Finder, Myspace and Target.
The bottom line: European Union laws emphasize fast reporting of breaches, typically too fast for companies to complete a full investigation into how many accounts were actually affected. Experts believe this may lead companies to estimate higher figures in their initial announcements rather than face the wrath of regulators and the public for being wrong on their first guess.
Since French President Emmanuel Macron announced the anti-hacking initiative last month, 93 more countries, companies and other stakeholders have signed the Paris Call for Trust and Security in Cyberspace.
Why it matters: The Paris Call is an attempt to work toward international cybersecurity norms by taking a unique approach — asking for agreements of not just nations but also companies and civil liberties groups.
Ghana became the most recent nation to sign on, doing so on Sunday.
The U.S. still hasn't signed. It's tough to kennel government-led hacking attempts when the biggest dog won't heel.
But, but, but: Australia has now signed on, meaning the U.S. is the last holdout among the close-knit Five Eyes alliance (U.S., U.K., Canada, Australia and New Zealand).
Don't try to pull an email scam on a company that specializes in detecting email scams.
Agari is reporting it discovered that a fraud group it has nicknamed "London Blue" attempted to trick Agari's chief financial officer into a fraudulent transfer of $22,650, using a fake email that looked as if it came from the CEO.
Details: London Blue is a Nigerian group with collaborators in Western Europe and the U.S.
It's funny, to a point: It's a little goofy that scammers tried to beat Agari. But business email compromise (BEC) scams are (usually) no laughing matter. The FBI estimates BEC is a $12 billion global industry.
Garfield the Cat floats down Broadway during the annual Macy's Thanksgiving Day Parade, 2005. Photo: Timothy A. Clary/AFP/Getty Images
Tumblr announced Monday it would no longer allow pornography on its blogging platform, an attempt to get Apple to restore the Tumblr app to its app store. Apple had banned the app after finding child pornography on the site.
In doing so, Tumblr also inadvertently banned Garfield.
No question, getting rid of child pornography is objectively good, and it's the law. Getting rid of all pornography is one way to do that.
But screening porn isn't simple, and Tumblr's algorithm to detect pornography is flagging any cartoon image with large eyes (not a euphemism). That turns out to include Garfield.
The bottom line: One way or another, AI-based content moderation still has some bugs to work out.
Codebook will return Thursday. Jughead's Diner was our favorite.