News
Hi everyone,
This was quite a heavy week all around, including for the security industry. The resulting issue is longer than I usually like, even after some heavy filtering :-) I hope you get value out of the articles I've picked to share!
I'm really happy to welcome 1Password back as a sponsor! They supported this newsletter for years before my break, and offered to continue doing so now. Thank you so much!
Breaches and leaks
- United Nations data breach exposed over 100k UNEP staff records: link.
- Vodafone's ho. Mobile admits data breach, 2.5m users impacted: link.
- Indian government sites leaking patient COVID-19 test results: link.
- Ransomware gang collects data from blood testing lab: link.
- Nissan source code leaked online after Git repo misconfiguration: link.
- New Zealand Reserve Bank suffers data breach via hacked storage partner: link.
- Dassault Falcon Jet reports data breach after ransomware attack: link.
- Hacker sells Aurora Cannabis files stolen in Christmas cyberattack: link.
- Data from London Council ransomware attack leaked online: link.
- Hacker posts data of 10,000 American Express accounts for free: link.
SolarWinds continued
- Sealed U.S. court records exposed in SolarWinds breach: link.
- US government formally blames Russia for SolarWinds hack: link.
- SolarWinds hires Chris Krebs and Alex Stamos as part of security review: link.
- CISA: SolarWinds hackers also used password guessing to breach targets: link.
- SolarWinds shareholder files class-action lawsuit: link.
- Another great essay by Bruce Schneier on the SolarWinds attack: link.
Ryuk gang estimated to have made more than $150 million from ransomware attacks
<insert cynical remark about "crime doesn't pay">. I think it's safe to say that ransomware isn't going away any time soon.
New side-channel attack can recover encryption keys from Google Titan and Yubikey-like security keys
Pretty impressive research. By reading the electromagnetic radiation emitted during 6000 operations, the researchers were able to reconstruct the primary encryption key. Mind you: they themselves make it very clear that security keys are still extremely effective, and that the attack is very difficult to pull off. It requires prolonged physical access to the keys (in which case you can probably use them anyway), and there are certain server-side mitigations. It's really only a concern for extremely high-profile targets.
Telegram triangulation pinpoints users' exact locations
It's a clever find. Telegram has an opt-in "See who's nearby" feature that can be abused to learn exactly where someone is: spoof your own location at three different points, then use the resulting distances to pinpoint the exact location. The researcher says it could be fixed by rounding user locations to the nearest mile and adding static random noise.
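As an added illustration (not from the article or the researcher's write-up), the Python below models on a flat plane, in km, how three distance readings pin down a position, and how the proposed fix of rounding to the nearest mile plus a static per-user offset changes what can be reconstructed; the anchor positions, target and offset are constructed values.

```python
import math

MILE_KM = 1.609344  # the "nearest mile" granularity proposed as a fix


def distance(p, q):
    """Euclidean distance on a flat plane, coordinates in km (simplifying assumption)."""
    return math.hypot(p[0] - q[0], p[1] - q[1])


def trilaterate(anchors, dists):
    """Recover a point from three anchor positions and the distance reported at each.
    Subtracting the first circle equation from the other two linearises the system."""
    (x0, y0), (x1, y1), (x2, y2) = anchors
    d0, d1, d2 = dists
    a1, b1 = 2 * (x1 - x0), 2 * (y1 - y0)
    c1 = (x1**2 + y1**2 - x0**2 - y0**2) - (d1**2 - d0**2)
    a2, b2 = 2 * (x2 - x0), 2 * (y2 - y0)
    c2 = (x2**2 + y2**2 - x0**2 - y0**2) - (d2**2 - d0**2)
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("anchors must not be collinear")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def report_distance(querier, target, offset=(0.0, 0.0), round_to_km=0.0):
    """Server side: the distance a querier is told. `offset` models the static per-target
    noise (constructed here; a deployment would derive it from a per-user secret so it
    stays fixed across queries and cannot be averaged out). `round_to_km` rounds the distance."""
    fuzzed = (target[0] + offset[0], target[1] + offset[1])
    d = distance(querier, fuzzed)
    if round_to_km:
        d = round(d / round_to_km) * round_to_km
    return d


def localisation_error(target, anchors, **reporting):
    """How far a trilateration from the reported distances lands from the true position."""
    dists = [report_distance(a, target, **reporting) for a in anchors]
    return distance(trilaterate(anchors, dists), target)


# Constructed scenario: three query positions and a target, all in km.
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
TARGET = (3.0, 4.0)
STATIC_OFFSET = (0.9, -0.6)  # constructed per-target noise, about 1.08 km

if __name__ == "__main__":
    print("exact distances:   %.3f km" % localisation_error(TARGET, ANCHORS))
    print("rounded to a mile: %.3f km" % localisation_error(TARGET, ANCHORS, round_to_km=MILE_KM))
    print("static offset:     %.3f km" % localisation_error(TARGET, ANCHORS, offset=STATIC_OFFSET))
    print("offset + rounding: %.3f km" % localisation_error(TARGET, ANCHORS, offset=STATIC_OFFSET, round_to_km=MILE_KM))
```

For this geometry, rounding alone still leaves the estimate within roughly 120 m of the true point, while the fixed offset moves it by about the offset's length, which is why the proposal combines both.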
Some ransomware gangs are going after top execs to pressure companies into paying
A new trend in ransomware: gangs go specifically after the work machines of the exec team in the hope of finding something highly sensitive or embarrassing, which they can then use to pressure those same people into approving the ransom.
Scammer extorts site owners using porn backlinks threat
This is a good extortion tactic to be aware of. In this case a site owner was forced to leave positive reviews for a crypto exchange called Coinmama, or else. The campaign backfired quite a bit, although it's worth pointing out that it might also be a smear campaign from a rival exchange.
(Sponsored) Security Risk Management Aide-Mémoire
Julian Talbot, lead author of Security Risk Management Body of Knowledge, has written a new book called Security Risk Management Aide-Mémoire. It’s an overview of the ideas, tools, models, and concepts that underpin security risk management, and absolutely worth checking out.
Disgruntled former VP hacks company, disrupts PPE supply, earns jail term
One of those important cautionary tales. After being fired, this person created a fake staff account and used it to edit and delete thousands of shipping records, causing massive disruptions and downtime. He'll serve a year in jail and have to pay $200k in fines. Oh, and the company's business is the shipping of protective equipment for the healthcare sector, which is kind of a big deal right now.
Extracting personal information from large language models like GPT-2
This is something I've never previously considered, but it makes sense. Machine learning models like GPT-2 are trained on huge data sets, and it's possible to query them for personal information that was part of those data sets.
Biden to appoint Anne Neuberger to National Security Council
Highly capable people in positions of great responsibility. It's amazing how good that feels to read. Anne Neuberger, former Cybersecurity Director at the NSA, will join the newly forming National Security Council, President Biden's forum for national security and foreign policy. She'll be in charge of coordinating cybersecurity across federal agencies. With the aftermath of the SolarWinds attacks still in full swing, that's no small first item on the to-do list.
State Department creates bureau to reduce 'likelihood of cyber conflict'
There will also be a new bureau, created by Mike Pompeo, inside the US Department of State dedicated to addressing cybersecurity in foreign policy. It will be called the Bureau of Cyberspace Security and Emerging Technologies (CSET). The move is quite broadly criticized as too little, too late, with critics arguing that such an important function should sit above any specific office or bureau.
Feds issue recommendations for maritime cybersecurity
It's a huge challenge to get cybersecurity coordinated in the maritime sector, with a myriad of governments, companies and IT systems all having to work together. The report talks about the US Maritime Transportation System (MTS), but I imagine it's the same everywhere.
NSA shares guidance on securing TLS configurations
It's hard not to smirk when you read about advice from the NSA on improving encryption, but it seems like a very useful share. You can view the information sheet directly here.
(Sponsored) 1Password: Awesome password manager with, for me, the best UX
First of all: please use a password manager. Since you're a subscriber here I'm pretty sure you already do, but just in case. Second: if you're not using 1Password yet, give them a try. I've been using them for many years professionally and migrated my personal vault over two years ago. The experience was super smooth, and I haven't looked back since.