
Security Bytes - Issue 11

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.

I hope you had a great week! I had an absolutely wonderful time in London at the Strategic Connections Conference. I learned a lot and got to meet truly amazing people. And I actually found out some folks read this note! That’s a plus :) It was a fabulous event and I’ve never been more excited about being part of this global team.

Interesting side note. Rick Ferguson, our country manager overseeing Australia and New Zealand, shared with me a video of John Chambers discussing the next big thing. You really need to watch the entire 8min vid, but if pressed for time and want the bottom-line up front… jump to 4.15 min mark. Thank you for sharing, Rick! https://www.bnnbloomberg.ca/investing/video/it-ll-be-a-stock-picker-s-market-former-cisco-systems-ceo-on-inflation-and-rising-rates~2519798

This week it looks like Uber may have gotten hit hard, time will tell; China fraudsters steal $529 million from India; U-Haul customers’ driver’s license data stolen over a 5-month attack; and what’s going to be the trickle-down effect of the US presidential executive order concerning supply chain security.

Enjoy and have a great weekend!

--------------------

This could be Uber Bad

News is quite speculative at the moment, but it appears that Uber’s AWS and G-Suite administrative accounts were commandeered by attackers. If true, this is bad on many levels. Again, here we are with a password between a bad guy and all your data. Next, the advent of the cloud has launched digital transformation to where we can have companies like Uber exist, but it means your entire company, not just a server, is exposed to even the smallest of attacks… talk about all your eggs in one basket. The concept of risk – the balance between threats and vulnerabilities – is constantly evolving with respect to the level of sophistication in threat capability and how that relates to the complexity of exploiting a vulnerability. But as we adopt ever more consolidated technical infrastructures, the evaluation of impact plays far more heavily in the equation. In simple terms – bad guys are smart, vulnerabilities are many and easier to exploit, and the potential impact has exponentially increased due to the scale of integration in core business functions.

Links:

Article: https://www.theregister.com/2022/09/16/uber_security_incident/


$529 Million

I just had to share this simply because the number is big, and the simplicity of the attack is small. This is a perfect example of how technology has created a layer of obfuscation and abstraction that gives criminals the ability to exploit the human interaction. In this week’s news an investigative report was updated from $378 million to $529 million in theft by Chinese hackers/fraudsters attacking Indian nationals via text apps and instant lending solutions tied to crypto. It’s a shockingly huge number and is directly related to the explosion of various financial service options – too many to list – that are offering greater financial freedoms and capabilities. That popularity is hugely attractive to criminals, and in this case hacking gangs are raking in the cash.

Links:

Article: https://timesofindia.indiatimes.com/city/lucknow/uttar-pradesh-cops-unearths-rs-4200-crore-frauds-linked-to-chinese-operators/articleshow/94103428.cms

Article: https://www.theregister.com/2022/09/13/chinese_cybercrime_hits_india/


U-Haul'n Data

This week U-Haul, a truck and trailer rental company operating in the US and Canada servicing more than 2 million contracts a year, announced they discovered that hackers were accessing their systems for at least 5 months. Yeah, that’s a long time to go undetected, but the average is still over 230 days! The attackers accessed the customer contracts, which of course have all your personal details – importantly – your driver’s license information. With that in hand there is very little one couldn’t do to cause harm.

In response, U-Haul is offering those they’ve determined to have their information potentially exposed a free one-year identity protection service. Eyeroll. The discovery was based on identification of “two unique passwords” to the system. What does that even mean?… Shouldn’t all passwords be unique, why two and what makes these special, how did you determine this was a hacker, and importantly, how were attackers getting to this point?

I raise this news item not to pick on U-Haul, far from it. It simply is another reminder that personal information is very important and becoming more so in the digital space. So much so that it’s becoming increasingly more difficult to protect and more valuable to hackers. Maybe we need to revisit the concept of making personal information less important in the digital era. Sadly, to function in today’s society you have to provide your personal information to various companies and institutions constantly, and there’s no option not to, essentially nullifying all the work you may have done to protect yourself. There are ways to protect yourself, but it takes hard work and tenacity.

Links:

U-Haul press release: https://www.uhaul.com/Update/

U-Haul letter to customers: https://s3.documentcloud.org/documents/22286634/u-haul-consumer-notification-letter-bc-555.pdf

Article: https://therecord.media/5-month-u-haul-breach-leaked-drivers-licenses-ids-of-customers/ 


Do as I Say

Over the decades I’ve always had mixed reactions to POTUS publishing Presidential Directives and especially Executive Orders. It’s not like they’re something new. In the formative years of the US, Presidents used such things sparingly and for critical changes. George Washington issued 8 executive orders and John Adams only 1. Conversely, presidents pushing dramatic change twisted the collective arm of Congress with executive orders: FDR issued over 3700, Wilson 1800, and Ted Roosevelt over 1000. In recent decades it’s somewhat stabilized between 200 and 300 executive orders per presidency: roughly 2-3 per month. In short, these executive orders have power and – arguably – can lack representation.

Nevertheless, once in a while one comes through that will clearly challenge the norm and cause ripples. This week President Biden issued another cyber-founded “memo” (code word for “I’m coming with a hammer”) that specifically calls out that all federal agencies “must ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements and get proof of conformance from vendors.” In a word... wow. Ok, first, this type of expectation is not entirely new and certainly not limited to the US. Of course, the emphasis on supply chain security is a developing dynamic, and you can thank the fallout of the SolarWinds attack for that. Yet it’s the last point – that vendors will have to attest on behalf of their product in support of meeting federal agency requirements – where it will get interesting. It’s one thing to attest to what’s written on the tin… the software solution will do “X”. However, attesting to the supply chain in today’s world is going to be an enormous challenge.

If you’re in the federal space now, expect this to materialize into something with sharper teeth. If you’re not providing software solutions for the federal government… expect this to start forming across governments around the world and to rapidly extend into the private sector.

Links:

Article: https://www.fedscoop.com/white-house-publishes-cyber-eo-follow-on-guidance/

Whitehouse memo: https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf

Exec. Order History: https://www.presidency.ucsb.edu/statistics/data/executive-orders

SolarWinds attack article: https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T (There are many articles on this attack, but this one is short, to the point, and non-technical)