Security Bytes - Issue 12

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.

It’s been a bit since my last newsletter. It’s not that there’s not enough news, that I can assure you. Just not enough time in the day! With that in mind, I may share some “old” news because I think it’s interesting, but as usual there is so much happening that it’s hard to pick the items that will help you most in your conversations with clients.

Of course, it’s Cybersecurity Awareness Month! You can expect a lot of things coming out this month, so keep an eye out for some podcasts and other activities.

In this week’s Security Bytes, we cover a lot of ground. IBM offers an insightful study concerning stress and mental health for incident responders, Uber’s CSO gets jail time, an explosion of fake profiles appears on LinkedIn for nefarious reasons, US and Canadian governments hand out heavy sentences to cyber criminals, concerns about biometrics resurface, but can biometrics be helpful this time around? Surprise! Downloading privacy software in China gets you malware, and finally CISA, NSA, and FBI list the top 20 vulnerabilities China is targeting, raising interesting questions about the age of the vulnerabilities being exploited.

Enjoy!

--------------------

Cyber Burnout and Stress

Having been in this rodeo for nearly 30 years, I feel strongly that the most overlooked aspect of the cybersecurity profession is the level of stress that it puts on people at every level. I experienced this firsthand when I was the COO for a company that provided incident response services and saw just how difficult it was for our responders on a personal level. IBM recently published a study of more than 1,100 incident responders in the US, UK, Germany, Australia, France, Spain, Brazil, Japan, and India highlighting the stress and the impacts on mental health and well-being – which are significant. One of the aspects my team dealt with, and which can be seen in the report, is that the best IR professionals have a deep sense of responsibility to their client. In fact, it’s quite personal. I’ve been in far too many meetings with clients drenched in tears and could see how this affected my team. Not to sound obtuse or belittling, but if you’ve never been the responder to a massive ransomware attack, you just can’t fathom the pressure or how much of it you take home. Definitely take a look at the 25-slide report and, if nothing else, just read the summary on slide #2.

Links:

IBM report - https://www.ibm.com/downloads/cas/XKOY5OLO

 

Uber Saga

Uber has been under increasing scrutiny for a breach reported in mid-September in which a hacker demonstrated they had access to critical cloud-based systems, essentially able to obtain information and control systems. Uber initially denied such access, and eventually it was learned that the hacker used less than sophisticated means to break in. As the investigation continued into how Uber dealt with such exposures, a breach from 2016 resurfaced. In the 2016 breach, 57 million personal records of Uber drivers and customers were stolen, resulting in a $148 million settlement across all 50 states in the US. Now that law enforcement is digging in, this week they’ve convicted Uber’s former CSO for covering up the 2016 hack. We have yet to truly understand the scope of the impact of last month’s breach, but based on how things are going, it may not be very good news.

As an additional note, here is what the DOJ stated about the verdict against Uber’s CSO. Very interesting for big tech and the CISOs out there…

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.... We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain."

Links:

US DOJ Conviction - https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach

Uber breach article - https://www.cbsnews.com/news/uber-cybersecurity-incident-hacker-breach/

Another article - https://www.cnbc.com/2022/09/16/uber-investigates-cybersecurity-incident-after-reports-of-a-hack.html

The coverup - https://www.theverge.com/2022/7/25/23277161/uber-2016-data-breach-settlement-cover-up

2016 attack - https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data

 

Lost in LinkedIn

A number of reports and articles, especially from Brian Krebs, have highlighted a rash of fake profiles on LinkedIn. First, fake profiles are not new on social media platforms, but LinkedIn has historically avoided such things due to the nature of the network. Granted, there have been a number of high-profile attacks that used fake LinkedIn profiles to get into government systems, going back to 2010 and Robin Sage (which is also the name of a Green Beret military exercise for unconventional warfare training, commonly performed here in North Carolina). What started as a slew of fake cybersecurity executive profiles has now expanded to a wide range of fake profiles. There’s been a lot of speculation about who is behind it and why, but it seems to be focused on perpetrating scams, such as pig butchering scams, confidence scams, and hacks via various vulnerabilities.

Links:

Cyber executive profiles - https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/

Executive profiles - https://krebsonsecurity.com/2022/10/glut-of-fake-linkedin-profiles-pits-hr-against-the-bots/

LinkedIn Blog - https://blog.linkedin.com/2022/june/16/working-together-to-keep-linkedin-safe

Pig butchering - https://www.cnbc.com/2022/08/25/pig-butchering-crypto-scam-costing-investors-millions.html

Robin Sage - https://www.networkworld.com/article/2213486/the-robin-sage-experiment--fake-profile-fools-security-pros.html

An article about the “real” Robin Sage - https://www.businessinsider.com/robin-sage-is-final-test-for-army-special-forces-hopefuls-2021-1

 

A Week of Sentences

This week a Canadian national was sentenced to 20 years in prison for his role as a former affiliate of the Netwalker ransomware gang. Not only was he given 20 years, he is also expected to forfeit $21.5 million gained from victims around the world. This came just after the conviction of a Georgia man sentenced to 25 years for money laundering and fraud from hacking bank accounts to the tune of $9.5 million. And finally, this week the hacker “erratic” was sentenced to 5 years of probation for causing more than $250 million in damages by stealing 100 million records from Capital One in 2019. That seems exceedingly light considering others are getting 20+ years. “While we understand the mitigating factors, we are very disappointed with the court’s sentencing decision. This is not what justice looks like,” said U.S. Attorney Nick Brown.

Links:

Netwalker article - https://therecord.media/netwalker-affiliate-sentenced-to-20-years-in-prison/

Netwalker - https://thehackernews.com/2022/10/canadian-netwalker-ransomware-affiliate.html

Georgia conviction - https://www.justice.gov/usao-ndga/pr/georgia-man-who-laundered-millions-romance-scams-business-email-compromises-and-other

Georgia article - https://therecord.media/romance-and-bec-scammer-sentenced-to-25-years-over-9-5-million-fraud/

Erratic sentencing - https://www.justice.gov/usao-wdwa/pr/former-hacker-sentenced-stealing-computer-power-mine-cryptocurrency-and-stealing

Erratic article - https://www.theregister.com/2022/10/05/paige_thompson_sentence_doj_unhappy/

 

What's Old is New Again

Ok… so many years ago, as biometrics for computer-based authentication was becoming more mainstream and an accessible technology, concerns started to surface around what could be learned about you as a human. There is a lot of biometric data that can be used. We typically think of fingerprints, but even in the early days – the late 90’s – there was hand geometry, finger tendon tension, facial geometry, iris and retina scanning, gait, facial temperature profile, and even how you type on a keyboard. It didn’t take long to realize that unintended information was being collected. For example, computers could determine if you were at risk of a heart attack, pregnant, had the flu, or, in some cases, had serious medical issues, not to mention race. All of these attributes are private and could be used nefariously. As a result, biometrics – especially the more invasive versions – were placed on the back burner. This week researchers at St George's, University of London conducted what they believe is the largest AI retinal study (70k people), demonstrating the type of information that can be gleaned, which – again – is starting to raise concerns but is also being looked at as an additional method for evaluating health risks. But I’d prefer my doctor uses it and not my bank!

Links:

Research article - https://www.theregister.com/2022/10/06/ai_retina_scan_health/

The study - https://bjo.bmj.com/content/early/2022/08/23/bjo-2022-321842

 

Yeah, Duh

Sorry in advance, but I think this news item is actually, well, funny. Maybe I just have a weird sense of humor. This week Kaspersky Labs published a report outlining their discovery of spyware bundled inside a Tor Browser installer distributed within China; the browser is used to access The Onion Router network to anonymize traffic. Ok… so you’re in China and you download software designed to hide your traffic and get past China’s Great Firewall, and you think it’s not loaded with all kinds of bad stuff to track your every move?

Links:

Article - https://therecord.media/fake-tor-browser-in-china-contained-hidden-spyware-report/

Report - https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/

 

Speaking of PRC

This week a joint advisory was published by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) listing the top Common Vulnerabilities and Exposures (CVEs) that People’s Republic of China (PRC) state-sponsored cyber actors have used since 2020 to attack U.S. and allied organizations and companies. Here’s the interesting part. This is a summary of the top 20 CVEs being used over the last 2 years, nearly 3, and several are from 2019. But what’s interesting to add is that if one looks at the top 5 most active vulnerabilities – the vulnerabilities everyone is trying to kick the door in on – three are from 2017, one from 2018, and one from 2012 (according to a Mandiant Advantage dashboard report I ran as I wrote this). The point is that while things like 0-days are clearly worrisome, we’re seeing that unpatched systems represent a more tangible exposure.

Links:

Advisory - https://www.cisa.gov/uscert/ncas/alerts/aa22-279a

A good article on the most dangerous vulnerabilities of 2022 - https://resources.infosecinstitute.com/topic/most-dangerous-vulnerabilities-exploited/

CISA’s PRC Cyber Threat summary - https://www.cisa.gov/uscert/china

FBI Cyber Alerts - https://www.ic3.gov/Home/IndustryAlerts

NSA Cyber Alerts - https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/