Security Bytes - Issue 6
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
Hi everyone!
T-Mobile is facing a $500M class-action settlement from a breach last year, but does this indicate a change in how fines are levied? Looks like Entrust is investigating a potential breach that occurred last month and speculation is abound, I’m in their corner and hope everything turns out ok – for all our sake. IBM offers a quantum resistant encryption solution, tuning theory into action while making us think about how the future is upon us. NSO Group, the maker of military grade spyware, has everyone talking about how we’re going to deal with this type of open access to cyberweapons. And finally, no big surprise that hackers are scanning the internet for vulnerabilities, finding them, and exploiting then within minutes of the publication of the vulnerability.
-----------------------
T-Mobile Millions
This week T-Mobile settled on a class-action suit to pay $350M to the members of the class-action lawsuit as a result of a breach late last year exposing their personal information. It is estimated that the impact spans more than 76 million US residents. By my math, taking into account the whopping $35M in legal fees, that’s roughly 4 bucks per class member. Ouch. Ok, so who wins other than the lawyers? Well, T-Mobil’s security team, how crazy is that? According to the language in the settlement agreement, T-Mobil must spend $150M incrementally on “data security and related technology” across 2022 and 2023 that is “above its previously budgeted baseline.” Holy smokes.
Could you imagine the conversation between the CEO and CISO? Or the conversations across the security team? The one thing I can assure you of is every cybersecurity vendor on the planet is going to come knocking with a solution to their problem. If I were the CISO, I would create a team just to field all those balls being tossed in. Nevertheless, it’s not over, T-Mobile has until Sep. 6th to agree and within 10 days after that come up with $350M, or else.
So, what does this mean for other businesses out there watching? This isn’t the first time a settlement/fine/court order resulted in requiring improvement of security, but to my knowledge it’s certainly the largest and most specific. I think it represents a shift in social cyber-responsibility. Fines are just that, money out the door, the company’s stock takes a temporary blip, and they’re back to the races. Meanwhile, it’s the millions of individuals out there that are having identities stolen, bitcoin wallets wiped out, and a myriad of other things we’ll never truly know the scope of. However, there are other companies out there taking the hit absorbing fraud: credit card companies, insurance companies, retail companies and the like. And a lot of that “pain” is boiling up to the point where the question becomes, “How are we going to reduce the likelihood of this happening again?” Therefore, in addition to fines, now we’re seeing a scenario where if you’re not going to invest in security on your own, we’re going to make you.
Links:
Article: https://www.cnn.com/2022/07/25/tech/tmobile-data-breach-settlement/index.html
Article from 2021: https://www.vice.com/en/article/akg8wg/tmobile-investigating-customer-data-breach-100-million
Settlement document: https://www.pacermonitor.com/view/VGKTEIA/In_re_T-Mobile_Customer_Data_Security__mowdce-21-03019__0158.1.pdf?mcid=tGE3TEOA
Court filing: https://www.pacermonitor.com/view/U4TNXDA/In_re_T-Mobile_Customer_Data_Security__mowdce-21-03019__0157.1.pdf?mcid=tGE3TEOA
Entrust’s Trust a Bit Shaky
If you don’t know who Entrust is, let me summarize by saying pretty much everything you do online is connected to them in some way shape or form. Every mainstream browser on virtually every system has between 20 and 40 built-in root certificates that are automagically trusted by your computer (aka: you) and Entrust is one of those trusted root certificate providers. This means that every public certificate they issue for things like SSL, secure email, VPN’s, and even software updates are inexorably tied back to that root certificate. While we may have the public key (e.g., certificate), the private key must be protected at all costs. If someone were to get access to it, they could issue all kinds of malicious certificates that could be used to fool your system into doing just about anything.
This week Entrust confirmed it is performing an investigation of a potential breach that occurred on June 18, which resulted in a letter from the CEO on July 6th to specific organizations, such as Microsoft, MasterCard, Visa, Dept. of Homeland Security, Dept. of Treasury, the Dept. of Health & Human Services, Dept. of Veterans Affairs, Dept. of Agriculture and Dept. of Energy… yeah, just a couple organizations. To put it mildly, we should all be very interested in what has actually happened. There are already articles saying they have the inside scoop that it was the work of a ransomware gang, and like most, steal data before encrypting all your systems. While potentially true, I very much doubt this is a ransomware drive-by. Ransomware is trivial to implement, so its presumed existence is not an indication of threat actor type or motivation.
The key for organizations is to start by keeping an eye on this development and track information and activities across a wide range of sources while they continue with the investigation. Additionally, it’s worth looking into how Entrust capabilities are utilized within your environment, and don’t forget to think about your supply chain, software, and access controls. Of course, this is just about gaining awareness, identifying, and quantifying potential risks if this were to be less than welcome news.
Links:
Article: https://therecord.media/it-security-giant-entrust-says-its-investigating-alleged-june-data-breach/
More to the story: https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/
Here is a blog I found that gives a basic overview of SSL certificates: https://lform.com/blog/post/ssl-certificates-for-dummies-what-they-are-and-why-theyre-important/
IBM’s Quantum vs. Quantum Quandary
This week IBM announced that it has started offering quantum-resistant encryption. Because quantum computing represents such a huge threat to cybersecurity, the National Institute of Standards and Technology (NIST) started a post-quantum crypto project to develop algorithms that can be used with classical computers and survive decryption attempts made with quantum computers back in 2017. It should be no surprise that IBM produced three of the four algorithms selected by NIST.
It’s interesting to note that IBM has several quantum computers and has taken an active step to reduce concerns relative to security. It’s quite a smart thing… and frankly a smart move. They, like other technology giants, know that quantum is here now, and all this implies. It is the future, whatever that may be. But we know the immediate threat is to cybersecurity and they’re looking to minimize that exposure and thereby concern.
For many organizations quantum’s threat to cyber is palpable and can have irreparable impacts. Everyone should be focused on post-quantum technologies and the realities. I highly recommend listening to “The Post-Quantum World” podcast, and I have the host, old friend and former colleague, Konstantinos Karagiannis on this week’s Security Bytes podcast! You HAVE to listen… it’s awesome. You won’t sleep tonight.
Links:
Article: https://www.theregister.com/2022/07/27/z16_ibm_post_quantum_crypto/
NIST: https://csrc.nist.gov/Projects/post-quantum-cryptography
Podcast: https://open.spotify.com/show/749yXmahoJl0t09mMuLvKQ?si=e9e2e8fb5afc4cd4
Spyware Gone Crazy
Ok, there’s a lot to unpack here and frankly too much to try to put in this newsletter… I’m going to have to do a Security Bytes podcast to get into it. Here’s the short version, The NSO Group is an organization that produces military-grade cyber tools for companies, organizations, and governments with emphasis on spyware, and in this case it’s called “Pegasus”. Pegasus has been around for quite some time and is a highly effective tool in tracking every aspect of a person’s activity; email, voice calls, IM’s, location, transactions, and even listen to the room your phone is in, among other capabilities. It’s pretty obvious why spyware is attractive. It empowers everything from espionage and counterintelligence to blackmail and extortion. There has been a rash of activity globally concerning the banning of the NSO Group from operating in certain countries to lawsuits.
This week there was a hearing in the US where numerous experts and even victims of spyware, such as Carine Kanimba, whose father was the inspiration for Hotel Rwanda and who was, herself, targeted by Pegasus spyware, to discuss the evolution and the interpretation of spyware from organizations such as NSO Group that claim they only sell to governments. Interestingly, you can actually watch the hearing (link below), which I recommend doing. Adding to all this is reports of spyware targeting journalists… the list is long.
Links:
Article: https://www.theregister.com/2022/07/27/us_congress_spyware_debate/
Video of House intelligence meeting: https://www.youtube.com/watch?v=3Q52iuUumAw
Pegasus found on UK and Spanish PMs: https://www.theregister.com/2022/06/24/nso_customers_eu_pegasus/
Goodbye One Day, Welcome 15 Minute Day
When a vulnerability is identified and made public it is published in a global system run by an international community called the Common Vulnerabilities and Exposures (CVE) and a number is assigned to the known vulnerability. This becomes the basis for all communications, tools, technology, and reporting worldwide on the management of that specific vulnerability. Therefore, it is also an announcement to threats that there is a vulnerability: what it is, how it’s being exploited, and recommendations on how to fix or where to get the patch.
With that in hand threat actors start looking for vulnerable systems once they either created or acquired an exploit tool. Some have referred to this as a “one day”, expressing that the time you have to address the vulnerability in days. Now it appears we’re moving to minutes. According to a report from Palo, says threats looking for and exploiting vulnerable systems within 15 minutes of the vulnerability being published. This leaves organization in a very challenging position. Just as you’re just becoming aware of a vulnerability, and before you can get a hand on how much of your environment is exposed, you’re already being scanned and attacked.
For organizations this is all about vulnerability management, reporting, and clear and accurate understanding of the environment. OF course, it’s about having the means to address the needed changing in a timely fashion, which in fact is typically the most difficult part to accelerate.
Links:
Article: https://www.theregister.com/2022/07/27/palo_alto_unit_42/
Report summary: https://www.paloaltonetworks.com/blog/2022/04/2022-asm-threat-report/
About vCISO
The vCISO (Virtual Chief Information Security Officer) practice is comprised of a global community of highly experienced security professionals that we can connect with customers looking to address challenging cybersecurity pressures in a cost effective and resource efficient delivery model. This provides organizations flexible and focused access to cybersecurity expertise in a time when finding, attracting, and affording skills at this level is virtually impossible or impractical.
