Welcome to Codebook, the only newsletter that actually got paler during its vacation.
Tips? Don't hesitate to reply to this email address.
Illustration: Sarah Grillo/Axios
Cybersecurity insurance — financial protection against breaches and other kinds of digital threats — is rapidly emerging as a new industry, Axios's Shannon Vavra writes.
Why it matters: If you're unfamiliar with cybersecurity insurance — fiscal protection against breaches and other issues — expect to hear a lot more about it.
But even if you've already heard of this kind of insurance, Shannon's story will also help you understand how it differs from almost any other kind: the threat is so new and evolves so quickly that insurers lack the kind of data they use to evaluate risk — and set prices — for, say, life insurance.
How it's priced: Shannon writes: Firms interested in obtaining cybersecurity insurance can go through an intermediary firm that helps them assess their cyber risk with a score, similar to a credit score. Some firms work on behalf of insurers to assess risk in potential client companies.
Where things get murky: The cybersecurity insurance marketplace is young and fragmented. Not all formulas for premiums are equal, and there’s no consensus in the market about how to price them.
Go deeper: Read Shannon's full story.
Photo: Douglas Sacha via Getty
Mark Terpin made headlines two weeks ago when he sued AT&T for $224 million, alleging that an AT&T store employee gave hackers access to his phone account, which in turn allowed them to steal $24 million in cryptocurrency. He tells Codebook that the headlines were intentional.
"Someone has to get the attention of these guys," he told Codebook. "Someone has to strike a nerve with the industry."
Why it matters: At its core, Terpin's complaint describes a low-tech crime — an insider threat, not a technical one. And that's something every organization can learn from.
The complaint: According to Terpin's account, which AT&T disputes, Terpin has been hacked twice.
Strip away technical terms like SIM swapping and buzzwords like cryptocurrency and the crux of his argument is that AT&T offered a security service it couldn't live up to because it gave any employee the ability to override it.
The lessons: Insider threats — cases where employees, through malice or accident, reveal data that is supposed to stay internal — catch a lot of companies off guard. Terpin believes there are two key things mobile carriers should learn from the suit, and they apply to anyone.
File this one under "attacks that are probably not practical in the wild, but involve cool science."
A research team primarily at Lancaster University detailed how to use the speakers and microphones on Android phones to steal the phone's unlock code. The trick is essentially sonar, leading to the name SonarSnoop.
How it works: On Android phones with two microphones and two speakers, SonarSnoop detects whether someone's hand is moving toward or away from each mic. By combining the readings, it's possible to narrow the set of possible unlock patterns to something small enough to try every option.
Is this going to affect you? In its current form, almost definitely not. Sometimes things are just cool because they're cool. The attack only works on phones with multiple speakers and microphones, and has only been demonstrated to work on the Android pattern lock login screen.
Google announced Friday that it plans to restrict tech support advertisements from its ad platform.
Why it matters: Tech support scams are a widespread technique used to con people with low technical sophistication. When criminals say they are from Microsoft, it's easy to scare people into installing dodgy software or buying things.
In an important interview published during Codebook’s vacation last week, CyberScoop talked with Christopher Wlaschin, vice president of systems security for the voting machine firm ES&S.
An overlooked quote: Wlaschin tells CyberScoop that, while the company has no formal system for researchers to submit security flaws, it may soon develop one, adding “we value security researchers. We use the third parties that we work with, we’re getting ready to enter into an agreement with DHS to submit our hardware to one of the government test labs.”
Why it matters: Voting machine manufacturers have traditionally been hostile toward third-party researchers looking for flaws in their systems. ES&S has been particularly hostile toward the DEF CON security conference, which holds a yearly public voting machine hacking spectacle.
The bottom line: As internet-connected device manufacturers have grown more comfortable with third-party security research, voting machine makers are one of the last holdouts. That may be coming to an end.
Facebook is setting up a war room to fight election meddling. (ZDNet)
Google released an open source tool to fight child pornography. (The Verge)
A glitch on a Freedom of Information Act site left “dozens, maybe hundreds” of Social Security numbers visible to the public. (CNN)
Plaintiffs in a data breach lawsuit accuse Premera Blue Cross of destroying evidence. (ZDNet)
Old-school cryptography celeb Bruce Schneier has a new book out. (Schneier on Security)
Codebook will return Thursday, but it will be in our hearts forever.