A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! After the tragic theft of a shipped pillow outside my place, a reimbursement place to rest my head has arrived. So far, so good. Might need to put some more foam stuffing in it, though; if anything, it errs a bit too much on the side of too soft.
Below: Researchers discover a Russian influence operation ahead of the midterms, and the SEC wants to take enforcement action against SolarWinds. First:
Elon Musk purchased a version of Twitter with plenty of built-in cybersecurity woes. Some cyber experts are worried the world’s richest man might only make matters worse.
Certain Musk plans that could affect security at Twitter, such as workforce cuts that could reduce the company’s cybersecurity staff, pose a more immediate risk. Other changes could improve security on the social media platform. Some of this depends on whether the mercurial Musk follows through on his publicly stated plans for the platform.
“For cybersecurity, for me, I think it’s a quite reasonable prediction that it will be a net negative,” Peter Singer, a strategist at the New America think tank who wrote about the cyber risks of Musk’s purchase, told me.
It’s important to remember that Musk inherits a host of security problems at the social media giant, including a history of hacks and allegations from whistleblower Peiter “Mudge” Zatko, a major figure in cybersecurity who filed a complaint and testified before Congress.
Here are things cyber experts are watching as Musk takes the reins:
Even before Musk threatened to cut the company’s personnel, Twitter was already headed toward big personnel reductions. That’s “a change likely to have major impact on its ability to control harmful content and prevent data security crises,” my colleagues Elizabeth Dwoskin, Faiz Siddiqui, Gerrit De Vynck and Jeremy B. Merrill reported last month.
The size of Musk’s planned cuts, though, is expected to be larger in scope than those the company was facing. Those layoffs, which Faiz reported began Thursday night and were set to take further shape today, could lead to users being exposed to hacks and offensive materials, said Edwin Chen, a data scientist formerly in charge of Twitter’s spam and health metrics and now CEO of the content-moderation start-up Surge AI.
Musk says he wants to charge people a monthly fee for blue check marks that verify their identities. He has pledged to make the company profitable, after years in the red.
That opens up a number of potential security vulnerabilities, experts say.
If prominent Twitter users abandon the platform over the charges, that could allow criminals to pretend to be them or even take over their handles and use them for funny business, Singer wrote. It also could allow bad people to pay for verification and use handles for hoaxes and scams.
“You don’t want a situation where Twitter becomes a place where it is easy to impersonate public officials” because people won’t know when there are “genuine security warnings or misleading information,” Center for Democracy and Technology Policy Director Samir Jain told Inside Cybersecurity’s Sara Friedman.
On the other hand, Musk bills the verification changes as a way to combat bots and spam on Twitter.
Yes, this will destroy the bots. If a paid Blue account engages in spam/scam, that account will be suspended.
Essentially, this raises the cost of crime on Twitter by several orders of magnitude.
Johns Hopkins’ Thomas Rid:
Musk & team are right: the current verification system is badly broken. If they turn the checkmark into a proper name/ID verification system *open for everyone,* plus the premium feature of muting non-verified (trolly, likely more hateful) anon accounts—I’d be delighted to pay.
One area where cybersecurity wonks have good things to say about Musk is about his stated belief that Twitter should encrypt direct messages. They’ve been calling for such a change for a long time.
If the U.S. had a privacy law with teeth, or if Twitter encrypted DMs like I urged years ago, Americans wouldn’t be left wondering what today’s sale means for their private information. The protection of Americans’ privacy must be a condition of any sale.
Whether Musk’s plan to cut personnel could lead to a short-term increased risk of insider threats — because those exiting employees, knowing they’re on their way out, might use their access to unencrypted DMs — is a separate issue.
Why now in particular? The insider threat was already significant before this announcement; this makes it much worse https://t.co/mEYAeoIgnO
Hacking Tesla vehicles has been a staple of security conferences for years, as Singer pointed out. Everyone gets hacked, but what’s concerning is that Tesla “still hasn’t moved into a more proactive stance,” Singer said. Musk did put some emphasis on cybersecurity at Tesla, though, dating back years, and one prominent attempt to maliciously hack the company in real life fell short.
His other major company SpaceX has no doubt exposed Musk to more advanced cybersecurity requirements due to its work with the government, and it’s another area where Musk has been outspoken about countering cyberthreats.
Musk is dependent on one of the top U.S. cyber adversaries, China, for both sales and production, Singer notes. And Musk has faced accusations of carrying messages for Russia, another top U.S. cyber adversary, even as he has lent use of his Starlink satellite constellation to Ukraine (with some reimbursement).
Musk’s vow to open up Twitter’s algorithm to public scrutiny earned some praise for its transparency, but “exposing code to the world also exposes potential vulnerabilities that criminals and disinformation operators can use to sow havoc,” wrote CyberScoop’s Tonya Riley earlier this year.
The campaign pushed racist talking points about several Democratic candidates in the midterm elections but didn’t get much traction on the right-wing sites they were posted on, Gab and the patriots.win forum, Bloomberg News’s Jeff Stone reports. The campaign was associated with a group that had been previously linked to the Internet Research Agency, a Russian troll farm that the U.S. government says tried to interfere in the 2016 election.
“A lot of these narratives emanate from alternative platforms that are already popular with fringe groups,” Graphika vice president of intelligence Jack Stubbs told Bloomberg News. “We know the same Russian group active in elections in 2016, 2018 and 2020 are on the same platforms pushing inflammatory narratives and now directly targeting Democratic candidates in these midterm races.”
The Russian Embassy in Washington didn’t respond to the outlet’s request for comment. Russia has denied being involved in cyberattacks and influence operations.
Train operator DSB’s security chief, Carsten Dam Sonderbo-Jacobsen, said the cyberattack hit an IT subcontractor’s software testing network, Reuters’s Nikolaj Skydsgaard reports. Subcontractor Supeo turned off its servers, which impacted locomotive drivers’ ability to use trains on Saturday, DR reported.
“It hasn’t targeted infrastructure or DSB, it was economic crime,” Sonderbo-Jacobsen told Reuters. The identity of the hackers isn’t clear and investigations are ongoing, he said.
Hackers have taken aim at rail industries outside of Denmark. In Belarus, saboteurs this year disabled or disrupted critical rail links connecting Russia and Ukraine, my colleagues reported. Suspected Chinese hackers hit New York’s networks last year, the New York Times reported. U.S. regulators have issued rail cybersecurity rules in an attempt to boost rail systems’ defenses and quickly detect hacks.
SolarWinds says the Securities and Exchange Commission sent it a Wells notice alleging that the firm broke the law “with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures,” Reuters’s Jody Godoy reports. It came as SolarWinds said it had tentatively agreed to settle a shareholder lawsuit over its cybersecurity disclosures for $26 million while not admitting wrongdoing. A judge still has to approve the settlement.
“The company was at the center of a cybersecurity crisis in December 2020, after hackers compromised SolarWinds software updates and used them to access the data of thousands of companies and government offices that used its products,” Godoy writes. “The U.S. government has attributed the hack to Russia.”
SolarWinds said it “maintains that its disclosures, public statements, controls and procedures were appropriate.” It plans to respond to the SEC’s notice, Godoy reports.
‘Project Merciless’: how Qatar spied on the world of football in Switzerland (SRF)
Ukraine war, geopolitics fuelling cybersecurity attacks -EU agency (Reuters)
Warner calls for cybersecurity workforce development, incentives for health sector (SC Magazine)
Thanks for reading. See you next week.