Now that Fortune’s Brainstorm Tech summit and the security world’s Black Hat conference have concluded, it’s time to commence that obligatory post-elbow rubbing ritual: adding connections on LinkedIn. (If you’re into that sort of thing.)
As you swap digital business cards and extend e-handshakes across the self-described professional network, remember not to let your guard down. Social media isn’t just an ideal place to make contacts. It’s also a great place for nation states and other adversaries to conduct espionage. Really.
Recent research from Dell SecureWorks, an Atlanta-based cybersecurity firm, suggests that Iranian hackers have been using phony online personas to lure phishing targets, sending them seemingly benign messages that contain computer-compromising code. According to the report, the attackers created bogus profiles for a supposedly young photographer from London, “Mia Ash,” who enjoyed traveling and listening to Ed Sheeran. The spies used the forgery of a femme fatale to seduce and ensnare technicians based in the Middle East who worked in industries of strategic interest to Tehran, ranging from energy to aerospace to telecommunications, the researchers said.
LinkedIn wasn’t the only attack vector. The spooks created a similar persona on social networks such as Facebook, WhatsApp, and Google’s Blogger. The campaign was reminiscent of another Iran-linked operation that came to light a couple of years ago, which involved secret agents posing on LinkedIn as recruiters for big tech companies like Northrop Grumman and General Motors.
Other countries use social media to spy too. This week we learned that Russian agents attempted to track members of French President Emmanuel Macron’s election campaign using bogus Facebook profiles.
Here’s my trick. Whenever I receive an invitation to connect, I call to mind a meme that made the rounds on the web in 2015. The premise is that LinkedIn’s generic connection request tagline pairs exquisitely well with any New Yorker cartoon. The rib below always stuck with me.
Strange. I don’t remember meeting a horse.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Flash in the pan. Adobe said Tuesday it is finally canning Flash, a notoriously buggy and security hole-ridden piece of software used to produce multimedia. The sunsetting will come by the end of 2020, a full decade after late Apple CEO Steve Jobs wrote a diatribe against the technology and barred it from working with the company's devices. Google, Microsoft, and Facebook have also hastened Flash's demise with plans to adopt its default replacement, HTML5. (Fortune, Fortune, Fortune)
Coins rule everything around me. The mania surrounding ICOs, or initial coin offerings, a snazzy new way for blockchain startups to raise money, continues to heat up. Lack of regulatory scrutiny over so-called token sales has allowed entrepreneurs to raise immense amounts of capital—four times more in one year than they've received from years of traditional VC investments. Tamping down on the enthusiasm: The SEC recently classified a batch of tokens issued by The Dao, a failed venture based on the Ethereum blockchain network, as securities. (Fortune, Fortune)
Defiling an airline. Hackers broke into the computer network of Virgin America and compromised the login information for thousands of employees on March 13, the airline, recently acquired by Alaska Air, disclosed in a letter. More than 100 workers may have had additional personal information accessed, including addresses, social security numbers, and health records. IT admins forced a company-wide password reset in response. (ZDNet)
Looking for work? There's no shortage of job opportunities in cybersecurity. Whether you're defending IT systems, filing reports to bug bounty programs, or finding vulnerabilities in a public company's code and then shorting its stock, employment abounds. The non-profit Center for Cyber Safety and Education forecasts 1.8 million cybersecurity job openings worldwide in 2022. (Reuters)
And another career path:
🎵 Workin' at the car wash, girl 🎶
🎶 Come on and sing it with me 🎵
Here's Fortune's Jeff John Roberts with a look at what the Securities and Exchange Commission's recent decision regarding crypto tokens really means.
ICO skeptics have long warned that, in many cases, the tokens for sale are simply a new form of shares—and that selling them without a license violates federal securities laws. In its ruling this week, the SEC confirmed just that: The agency said that, in the case of one recent ICO, the tokens in question are indeed securities. As some of the experts suggest, The Dao ruling is likely only the first shoe to drop. Read more on Fortune.com.
Meet the Millennials Who Started Ukraine's Twitter War with Russia, by Linda Kinstler
Google: Ransomware Costs Surpass $25 Million Mark, by Barb Darrow
Inside the Dark Mind of AlphaBay's Alleged Founder, by David Z. Morris
Billionaire Howard Marks Thinks Bitcoin Is a 'Pyramid Scheme', by Madeline Farber
ONE MORE THING
Netflix DDoS'd itself for the greater good. Netflix security engineer Scott Behrens and some colleagues devised an API-based distributed denial of service attack, a type of attack that floods sites with bogus Internet traffic (in this case, in a uniquely damaging way), in order to pummel the company's own infrastructure. By doing so, the team demonstrated the feasibility of this assault, gaining time to find a fix before hackers could exploit the same vulnerability. At Black Hat this week, Behrens and his team released a set of open source tools they created to protect against attacks of this sort. (Wired)