Axios Codebook

Cybersecurity insurance — financial protection against breaches and other kinds of digital threats — is rapidly emerging as a new industry, Axios's Shannon Vavra writes.

Why it matters: If you're unfamiliar with cybersecurity insurance — fiscal protection against breaches and other issues — expect to hear a lot more about it.

But even if you've already heard of this kind of insurance, Shannon's story will also help you understand how it differs from almost any other kind of insurance: The threat is so new and quick to evolve, insurance companies don't have the same kind of data to evaluate the risk — and how much to charge — as they do with, say, life insurance.

• People have been dying, robbing each other, and dealing with extreme weather for all of recorded history (presumably before that, too). It's much easier to draw actuarial conclusions from 100 years of that data than 5 years' experience with the current landscape from a niche crime.

How it's priced: Shannon writes: Firms interested in obtaining cybersecurity insurance can go through an intermediary firm that helps them assess their cyber risk with a score, similar to a credit score. Some firms work on behalf of insurers to assess risk in potential client companies.

• Some of these firms simultaneously offer services to help mitigate companies’ risk or respond to cyber incidents.
• The market is already seeing some coordination, like the jointly offered Allianz-Aon-Apple-Cisco cybersecurity insurance package that simultaneously assesses risk and offers insurance and incident response.
• Pascal Millaire, CEO of CyberCube, a firm offering insurers assessments, tells Axios his company thinks about risk in a relatively traditional way, multiplying frequency by severity.

Where things get murky: The cybersecurity insurance marketplace is young and fragmented. Not all formulas for premiums are equal, and there’s no consensus in the market about how to price them.

• The result: 26% of U.S. companies reported this year they don’t believe their cyber insurer priced their premium based on an accurate analysis of their risk, per a survey run by Ovum and commissioned by FICO.
• That’s in part because actuarial data isn’t available yet, which results in a patchwork of assessments.
• Pricing cyber insurance premiums can be even more challenging than underwriting other premiums because cyberattacks can happen at any time, regardless of geography or seasonality. And most disasters warranting insurance, like floods and fires, exhibit more predictable behavior than hackers.

Go deeper: Read Shannon's full story.

Mark Terpin made headlines two weeks ago after suing AT&T for $224 million after he says an AT&T store employee gave hackers access to his phone account, in turn allowing them to steal $24 million in cryptocurrency. He tells Codebook that the headlines were intentional.

"Someone has to get the attention of these guys," he told Codebook. " Someone has to strike a nerve with the industry."

Why it matters: At its core, Terpin's complaint describes a low tech crime — an insider threat, not a technical one. And that's something every organization can learn from.

The complaint: According to Terpin's account, which AT&T disputes, Terpin has been hacked twice.

• He signed up for AT&T's "celebrity" phone security service in 2017 after criminals cajoled AT&T to issue them a new SIM card for his phone account. That trick — known as SIM swapping — made it possible to turn any cell phone into a clone of his, letting them access his accounts.
• The celebrity security service adds an additional password to the account to issue a new SIM card.
• This year, criminals did it again, when an employee at a New Jersey store overrode the celebrity password protection to issue a new SIM card and ignored the AT&T system when it asked for a scan of a photo ID.
• Terpin is suing over this 2018 incident.

Strip away technical terms like SIM swapping and buzzwords like cryptocurrency and the crux of his argument is that AT&T offered a security service it couldn't live up to because it gave any employee the ability to override it.

The lessons: Insider threats, threats where employees through malice or accident reveal data that is supposed to be kept internal, catch a lot of companies off guard. Terpin believes there are two key things mobile services should learn from the suit. And they are applicable to anyone.

• "If you offer a service, you should provide that service," he said. In other words, AT&T's system shouldn't have relied on employee's judgement to decide when to scan an ID or when to ask for a password.
• Not every employee needs access to all information. Terpin posits that the whole ordeal could have been avoided if users had the option of requiring a supervisor outside the store sign off on any replacement.

File this one under "attacks that are probably not practical in the wild, but involve cool science."

A research team primarily at Lancaster University detailed how to use the speakers and microphones on Android phones to steal the phone's unlock code. The trick is essentially sonar, leading to the name SonarSnoop.

How it works: On Android phones with two microphones and two speakers, SonarSnoop detects whether someone's hand is moving toward or away from each mic. Combining data together, it's possible to reduce the number of potential passcodes to something small enough to try every option.

Is this going to affect you? In its current form, almost definitely not. Sometimes things are just cool because they're cool. The attack only works on phones with multiple speakers and microphones, and has only been demonstrated to work on the Android pattern lock login screen.

• There are much easier ways to break into a phone. For the attack to work, someone would need to install malware on a target's phone before the target logged in. Then, they'd need to steal the phone.

Google announced Friday that it plans to restrict tech support advertisements from its ad platform.

Why it matters: Tech support scams are a widespread technique used to con people with low technical sophistication. When criminals say they are from Microsoft, it's easy to scare people into installing dodgy software or buying things.

In an important interview published during Codebook’s vacation last week, CyberScoop talked with Christopher Wlaschin, vice president of systems security for the voting machine firm ES&S.

An overlooked quote: Wlaschin tells CyberScoop that, while the company has no formal system for researchers to submit security flaws, it may soon develop one, adding “we value security researchers. We use the third parties that we work with, we’re getting ready to enter into an agreement with DHS to submit our hardware to one of the government test labs.”

Why it matters: Voting machine manufacturers have traditionally been hostile toward third party researchers looking for flaws in their systems. ES&S has been particularly hostile toward the DEF CON security conference, which holds a yearly public voting machine hacking specticle.

• But despite the company's distaste for DEF CON’s methods, taking ES&S at its word, DEF CON may be more or less getting what they want — an ecosystem of voting machine makers receptive to third party researchers finding and reporting bugs with the hope they will be patched.

The bottom line: As internet-connected device manufacturers have grown more comfortable with third party security research, voting machine makers are one of the last holdouts. That may be coming to an end.

Facebook is setting up a war room to fight election meddling. (ZDNet)

Google released an open source tool to fight child pornography. (The Verge)

A glitch on a Freedom of Information Act site left “dozens, maybe hundreds” of Social Security numbers visible to the public. (CNN)

Plaintiffs in a data breach lawsuit accuse Premera Blue Cross of destroying evidence. (ZDNet)

Old-school cryptography celeb Bruce Schneier has a new book out. (Schneier on Security)