Jul 17, 2020

Axios Login

By Ina Fried

Good morning.

You can join me today at 12:30pm ET with New York Rep. Grace Meng, Stand for Children CEO Jonah Edelman, and Center for Connected Health Policy executive director Mei Kwong for a conversation on how the coronavirus is hastening the shift to telemedicine and remote education.

Today's Login is 1,374 words, a 5-minute read.

1 big thing: Twitter hack presages a bumpy election season

Illustration: Sarah Grillo/Axios

Buckle up, more hacks ahead: That's the loud message Wednesday's wild attack on Twitter is sending to public officials, business executives and leaders of political campaigns, Axios' Scott Rosenberg, Ashley Gold and Margaret Harding McGill report.

Why it matters: With the election less than four months off, the takeover of high-profile Twitter accounts provided a grim reminder of the vulnerability of our communications platforms, government systems and business networks.

Driving the news: On Wednesday, messages promoting a bitcoin scam started appearing on prominent Twitter accounts, including those of Barack Obama, Joe Biden, Mike Bloomberg, Elon Musk, Jeff Bezos and Warren Buffett.

  • Experts immediately assumed, and Twitter later confirmed, that this wasn't a series of individual account break-ins, but rather a compromise at its administrative level.
  • The company said Thursday night that the accounts the attackers were able to tweet from were a "small subset" of roughly 130 accounts targeted in all. It's working to assess if any account data was compromised and promised to share details on any long-term steps it takes to shore up security in the wake of the hack.

The big picture: Four years ago at this time, the Clinton campaign was reeling from a public dump of pilfered Democratic party emails that turned the 2016 election cycle upside down.

  • Partly as a result of that fiasco, potential hacking targets are more aware than ever of the potentially catastrophic consequences of losing control of their online accounts.
  • More people are taking precautions, and fewer people are likely to fall for the most obvious threats.

But attackers have learned a lot since 2016, too. And the pandemic's work-from-home era has created fresh vulnerabilities for users who are adapting to new online work arrangements without ready access to onsite support.

What they're saying: Thursday saw both the FBI and the New York state attorney general announce investigations into the incident, and a wave of demands by members of Congress for information and remedies.

  • "This hack bodes ill for November balloting," said Sen. Richard Blumenthal (D-Conn.) in a statement. "Count this incident as a near miss or shot across the bow. It could have been much worse with different targets."
  • Sen. Mark Warner (D-Va.), vice chairman of the Senate Intelligence Committee, issued a statement warning that the hack revealed "a worrisome vulnerability in this media environment — exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief."
  • Sen. Ron Wyden (D-Ore.) wants Twitter to encrypt direct messages. (It's worth remembering that a number of his colleagues want to make strong encryption illegal.)

Be smart: Many observers noted that the attackers' apparent goal of fleecing gullible users of their bitcoin was relatively low-key compared to the kind of mayhem they could have pursued, like manipulating markets, triggering international crises, or falsifying voting information on election eve.

There's a lot we still don't know, including:

  • whether the Twitter attackers also gained access to the direct messages in the compromised accounts;
  • whether the "social engineering attack" aimed at Twitter employees had any inside help;
  • who the attackers are and what their goal was. (Here's some good detective work from Brian Krebs.)

One thing we know: For the moment, at least, the attack paid off.

  • If the attackers aimed just to make money, they appear to have collected north of $100,000 worth of bitcoin.
  • If they aimed to sow further confusion and doubt about the communications network relied on by the U.S. president, they did a pretty good job of that, too.

Our thought bubble: You'd think Twitter would have hardened its defenses by now, as well as tightened its controls on administrative access.

  • After all, there was that time in 2017 when a rogue employee deactivated President Trump's account, "inadvertently due to human error," for 11 minutes.
  • Nearly a decade ago, the company entered into a settlement with the Federal Trade Commission over similar issues surrounding administrative security.

What's next: The FTC could get involved again.

  • Steven Bellovin, a former FTC chief technologist, said that when the agency previously investigated high-profile account hacks over a decade ago, Twitter had failed to properly train administrators on password security.
  • That led to a 20-year settlement, finalized in 2011, in part requiring Twitter to maintain a comprehensive information security program assessed by an auditor every other year for 10 years.
  • "Given that this appears to be an abuse of administrator accounts again, I suspect the FTC is going to investigate to see if Twitter was actually living up to the agreement," Bellovin told Axios. Violations could lead to fines for the company.
  • An FTC spokesperson declined to comment on whether the agency is investigating.
  • Yes, but: The FTC's powers are limited to imposing fines and rules. And any action it takes is unlikely to help protect the election in November.

Editor's note: This story has been corrected to fix the name of the Virginia senator quoted. It was Sen. Mark Warner, not Sen. John Warner.

2. T-Mobile takes on robocalls

Illustration: Aïda Amer/Axios

T-Mobile announced Thursday it will offer ScamShield, a free scam-blocking service, to all T-Mobile, Metro and Sprint customers.

Why it matters: Robocalls remain the scourge of the industry, with billions of unwanted calls pummeling customers last year.

  • "People are being robbed. People are being scammed," CEO Mike Sievert said on a call with reporters on Thursday. And yet, he said, some rivals make customers pay for spam protection, calling out Verizon for charging many customers $7.99 per month for the service.
  • "This industry shouldn't be profiting from this phenomenon," Sievert said.

The big picture: T-Mobile's moves are a mix of industry-wide efforts as well as things it is doing on its own, including:

  • Using network patterns to identify spam calls and allowing users to get a warning or, if they choose, block such calls from ringing.
  • Offering customers a free second phone number they can give out to businesses so they can save their main number for their close friends (or vice versa).
  • Allowing customers to change their number if they are getting too many spam calls.
  • Free ID monitoring and alerts from McAfee.

"This is no easy task, but we're making real headway," network head Neville Ray said on the call.

Meanwhile: Sievert and Ray said the company is ahead of schedule on its 5G rollout, including turning on the mid-band spectrum it acquired as part of its Sprint deal.

  • T-Mobile already uses low-band spectrum to cover much of the country with 5G service, but the mid-band spectrum allows for faster speeds than are possible with low-band 5G.

3. Barr accuses U.S. firms of "bowing to Beijing"

Attorney General Bill Barr on Thursday accused U.S. tech and entertainment firms — several of them by name — of collaborating with the Chinese Communist Party (CCP), Axios' David Lawler reports.

What he's saying: "[I]f Disney and other American corporations continue to bow to Beijing, they risk undermining both their own future competitiveness and prosperity, as well as the classical liberal order that has allowed them to thrive."

Excerpts:

  • "Over the years, corporations such as Google, Microsoft, Yahoo and Apple have shown themselves all too willing to collaborate with the CCP."
  • "America's corporate leaders might not think of themselves as lobbyists. You might think, for example, that cultivating a mutually beneficial relationship is … necessary to do business with [China]."
  • "But you should be alert to how you might be used, and how your efforts on behalf of a foreign company or government could implicate the Foreign Agents Registration Act."

Background: Barr's was the third in a series of speeches from top Trump administration officials on China.

What to watch: The New York Times reports that the administration is considering a sweeping travel ban on CCP members and their families.

Go deeper: Pompeo announces visa restrictions on Huawei employees

4. Netflix appoints content chief as co-CEO

Ted Sarandos, formerly Netflix's chief content officer, is now its co-CEO. Photo: Charley Gallay/Getty Images for Netflix

Netflix has named head of content Ted Sarandos as co-CEO of the company, alongside chief executive Reed Hastings, it said Thursday when it released its quarterly earnings.

Why it matters: Co-CEO arrangements often prove unsustainable as long-term plans for running companies. It's likely this is a step toward Sarandos eventually heading the company on his own.

Meanwhile: Netflix shares fell following the company's earnings report, as the video service warned of slower growth ahead. For the third quarter, Netflix said it expected to gain 2.5 million new subscribers, just half of what Wall Street was expecting.

5. Take Note

On Tap

ICYMI

  • Microsoft cut some jobs this week, a move it typically makes each July, following the end of its fiscal year. Business Insider pegged the number of jobs cut at fewer than 1,000. (Reuters)
  • Instacart sued Cornershop, a grocery delivery service recently purchased by Uber. (Axios)

6. After you Login

If someone won't wear a mask, it's important to enforce social distancing, though not all of us can do it this impressively.
