Welcome to Codebook, the cybersecurity newsletter whose biggest social media fear 5 years ago was its parents sending a friend request on Facebook (see below).
Tips? Please reply to this email.
1 big thing: Online propaganda, from ISIS to Trump
In 2013, when Peter Singer started writing a new book about online propaganda, the topic was largely speculative for U.S. readers. Singer and co-author Emerson Brooking watched in horror as their research merged with America's reality in 2016.
- If anything, says Singer, our election-focused taste of misinformation might minimize the breadth of the problem.
The big picture: "Russia is not the full story," Singer tells Codebook. "Russia is just a chapter in a larger book."
Singer, a researcher at the New America think tank, means that both figuratively and literally. His and Brooking's book, "LikeWar: The Weaponization of Social Media," comes out today. It may be the first study to link Mexican cartels, ISIS and reality TV villain Spencer Pratt.
- These disparate actors all follow the same basic rules for spreading self-promotional messages for mass impact.
Singer interviewed Pratt for the book. He has also briefed various intelligence agencies. "Spencer Pratt gets it. The government doesn't," he said.
It's Trump's playbook: "LikeWar" isn't about President Trump; he's just another chapter. But Singer tells Codebook that Trump is a good distillation of the tactics others use to make online propaganda work:
- Push to extremes. Like Moscow's social media campaigns, Trump tweets about issues that distract from more substantive or less flattering news and he strengthens both edges of a culture war, eliminating the center.
- Roughness over polish. Trump, a man of grammatical errors and rage, connects with voters by improvising something they perceive as authentic rather than presenting polished messages or a command of issues. While ISIS is best known in the West for its propaganda videos, Singer pins much of its recruitment successes on its more candid videos linked to the news of the day — like those showing members mourning the death of Robin Williams.
- Address your followers. Trump's outreach to "forgotten" Americans or "deplorables" has taken advantage of the internet's capacity to build niche communities.
- Be relentless. @realdonaldtrump never stops, producing multiple battle fronts every day while reinforcing messaging (including messages that others have persuasively debunked). There's no one thing to hold on to.
The bottom line: These tactics aren't secret sauce any more. Singer cites an example in Israel, where the approach has been institutionalized.
- The Israeli military currently recruits content creators. (The work counts toward the nation's military requirement.)
- A nonmilitary group is also now using a smartphone app to send international volunteers assignments, like praising Conan O'Brien on Instagram during his visit to Israel.
2. Why we don't know what we don't know about Facebook
Four days after the Facebook breach announcement, we still don't know who the perpetrator was or how the access to accounts was used, and there's some reason to suspect that the numbers of affected users is less than the 90 million who had to log in a second time. We may be able to thank domestic and international notification laws for any confusion.
Obviously, for consumers and governments, there are real advantages to knowing right away about a breach.
But, but, but: The EU's Global Data Protection Regulation, as former Facebook CISO and current Stanford academic Alex Stamos pointed out on Twitter, gives only 72 hours to notify authorities about a breach. That means companies have to announce security flaws to the public before completing a full investigation.
Why it matters: There's a good chance Facebook will have more information about the attack as internal investigations have time to gather facts. Companies now have to go public without those facts.
- Facebook is a company investing heavily in security. There's every chance nothing they've released to the press will be proven wrong. But, over time, it won't be surprising to see more companies having to revise their initial announcements after investigations uproot their assumptions of a breach.
- Remember, Equifax had to repeatedly change its estimate of who was impacted by its breach months after its public announcement, and it had more than 72 hours to prepare for that first announcement.
3. Is that scary statistic useful?
A bevy of news stories and researchers will tell you that hackers sell personal data for frighteningly small amounts of money on the dark web. According to a new report from Terbium Labs, those statistics might be well-intentioned but are almost certainly not helpful to understanding the issue.
Why it matters: Reports about how much money credit cards cost in criminal markets don't tend to use consistent definitions — there's no way to draw any meaning from a report last year saying card information costs $5 and one today saying it costs $10.
- Costs vary for any number of reasons, Emily Wilson, Terbium fraud intelligence manager, tells Codebook.
- Shoppers can buy in bulk. The older the cards are, the more likely they are to have been canceled. There are Black Friday sales. "There are markets that are more like big box stores and more like boutiques," says Wilson.
Adding rigor: Bringing scientific rigor and consistent definitions could be really useful. We don't know, notes Wilson, if the prices go back up after Black Friday or how law-enforcement actions or service disruptions change costs.
- Until there's more consistancy, Wilson will see these studies more as a marketing tool than a useful fact-finding operation.
- "We need to stop doing what's easy and start doing what's right. Right now these are selling fear," says Wilson.
4. Twitter bans distribution of hacked materials
Twitter announced new "election integrity" rules for its platform Monday, including stricter rules against fake accounts, punishments for accounts associated with banned accounts and a prohibition against sharing hacked materials.
Why it matters: The first two rule changes likely conform with what people assume Twitter's rules already are. The third rule is a little more complex.
The announcement: "Our rules prohibit the distribution of hacked material that contains private information or trade secrets, or could put people in harm’s way. We are also expanding the criteria for when we will take action on accounts which claim responsibility for a hack, which includes threats and public incentives to hack specific people and accounts. Commentary about a hack or hacked materials, such as news articles discussing a hack, are generally not considered a violation of this policy."
Twitter was the platform used by reporters and other folks to communicate with Russian cut-out persona Guccifer 2.0 about the 2016 election hacking scandal. It's also a common venue for other hackers to announce activity. Given the rate links to files get shared on Twitter, it will be interesting to see how it is enforced.
5. Happy National Cybersecurity Awareness Month!
This is your yearly reminder that October is National Cybersecurity Awareness Month, and that you can go back to being oblivious about cybersecurity in 29 days.
How to celebrate: Homeland Security will be hosting events up and down the Eastern Seaboard, including symposia in the D.C. area and an event with NASDAQ in New York. Various private sector groups will host events as well.
6. Odds and ends
- Google is banning Chrome apps that use tricks to hide the true purpose of their computer code. (Google)
- Hackers swiped business contact information on 200 million people from the sales engagement firm Apollo. (Tech Crunch)
- The U.S. pitched a new international conversation on global cyber espionage rules. (Cyberscoop)
- The DOJ is suing to stop California’s net neutrality law. (Ars Technica)
- GoDaddy researched attacks against small business sites on its service. (GoDaddy)
- The Reaper botnet is using DOGCALL’s new tricks. (Palo Alto Networks)
- Those traffic signs that tell you how fast you go may actually be license plate scanners. (Quartz)