It's quite a lengthy one this week, but I tried to summarize as best as I could to make it easy for you :-)
Enjoy and have a great day!
Breaches and leaks
- Western Digital confirms that customer data was stolen during March attack: link.
- NextGen Healthcare, a provider of cloud-based healthcare technology, disclosed that a database containing information of over 1 million people was stolen: link.
- Sysco, a food distribution company, disclosed a breach: link.
- Outsourcing firm Capita had an exposed S3 bucket: link.
- Dragos, an industrial cybersecurity company, had attackers access its SharePoint data: link.
- Twitter had an incident that exposed private Circle tweets: link.
- A scam site that pretends to offer jobs for the US Postal Service had a database with 900,000 victims' records exposed, including credit card data. Times are weird when scam site security starts to matter to everyone. link.
The Snake network was active for no less than 20 years and was used to steal data and transfer it through its botnet towards Russia. The FBI created a tool that was able to communicate with the Snake agents and order them to remove themselves.
In a recent breach of MSI the attackers dumped a trove of data that includes private keys used to sign UEFI firmware upgrades. These are incredibly important in preventing bootkits, malware that can easily go undetected and survive OS re-installs. Not easy to exploit, but very hard to detect and get rid of. It doesn't seem like there's an easy solution to this leak either, so it might haunt the Intel ecosystem for years to come.
And has to pay damages of up to $1.5 million. He used his access to steal data from the company, and then tried to extort them while being part of the incident response team. Fun note: he tried to cover his tracks with a VPN, but a temporary outage briefly exposed his real IP.
Some go to jail, some don't. Joseph Sullivan was convicted last year after covering up a cyberattack while Uber was under investigation by the FTC. He's sentenced to three years' probation, 200 hours of community service, and a $50,000 fine. You can bet that a lot of CISOs have been watching this closely to find out just how liable they can personally be.
The NotPetya attacks date back to 2017, but if you recall the pharmaceutical company Merck was a major victim. Their insurance didn't want to fully pay up, claiming that this incident fell under the exclusion of acts of war. The judge ruled in Merck's favor, which means the insurer should pay up the remaining $699 million in claims.
I don't see it happening any time soon, as there are so many potential downsides, but it's a very interesting thought experiment. The article does a good job of explaining what the caveats might be.
The original vulnerability could be exploited by just sending an email, resulting in the possible disclosure of NTLM hashes to the attacker. The previous patch was not sufficient, so if you were affected by this issue, make sure to patch again.
Very nice. It's a feature that scans your code before the actual push happens, and blocks it if it detects any API keys or secrets. It's available for private repos that have GitHub's Advanced Security, but now also for free for public repositories.
Small updates by big corps
Small is relative at their scale of course. There were a few of these this week, so I'm going to wrap them into a single list:
- Gmail brings dark web monitoring to all US-based users, very impressive: link.
- Gmail also launches a blue checkmark, because who doesn't like those. More seriously, it's an extension to the Brand Indicators for Message Identification (BIMI) standard: link.
- Twitter rolls out e2e encrypted DMs for paying users: link.
- Microsoft enforces number matching for 2FA prompts to combat fatigue attacks: link.
- Google will be replacing the lock icon in Chrome with something that doesn't seem to indicate that everything is 100% secure: link.
I didn't realise that voice authentication systems were so widely used by banks. It's definitely a good question to ask, and worth pondering how one might protect oneself from related attacks where an attacker calls you using the voice of your colleague, boss or spouse and asks you to do something.
Interesting project that gathers stories and incidents from security research and disclosures gone wrong: legal threats, over-reactions, etc. Good for researchers to go through and understand what can happen, and for companies on how NOT to react.
Intermittent encryption is something that is seen more and more in ransomware to speed up the process of making files unusable. In some cases though, it means that files might be recoverable.
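A forensic check that follows from this, as an added example that is not from the linked article: scan a file chunk by chunk for high-entropy regions and report the byte ranges the encryptor skipped, which is where salvage starts. The 1 KiB chunk size, the 7.5 bits/byte threshold and the sample file are assumptions constructed for the demo.

```python
import math
import random

CHUNK = 1024          # scan granularity (assumption; real strains pick their own sizes)
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext sits close to the 8.0 maximum

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_chunks(blob: bytes, chunk: int = CHUNK) -> list:
    """One flag per chunk: True where the content looks encrypted (high entropy)."""
    return [shannon_entropy(blob[i:i + chunk]) >= HIGH_ENTROPY
            for i in range(0, len(blob), chunk)]

def plaintext_spans(blob: bytes, chunk: int = CHUNK) -> list:
    """Byte ranges [start, end) the encryptor skipped; these are salvage candidates."""
    spans, start = [], None
    for idx, encrypted in enumerate(classify_chunks(blob, chunk)):
        offset = idx * chunk
        if not encrypted and start is None:
            start = offset
        elif encrypted and start is not None:
            spans.append((start, offset))
            start = None
    if start is not None:                 # trailing plaintext run, maybe a partial chunk
        spans.append((start, len(blob)))
    return spans

def build_sample() -> bytes:
    """Constructed sample, not a real victim file: a text document in which every
    other 1 KiB chunk was overwritten with pseudo-random bytes (the alternating
    pattern intermittent encryption leaves), plus a 512-byte plaintext tail."""
    rng = random.Random(2023)
    text = (b"Quarterly report: revenue up, costs flat. " * 30)[:CHUNK]
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return (text + ciphertext_like) * 4 + text[:512]

if __name__ == "__main__":
    sample = build_sample()
    print("chunks flagged encrypted:", classify_chunks(sample))
    print("salvageable byte ranges:", plaintext_spans(sample))
```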
Beautiful. Well, to a geek like me at least. Gives you a sense of appreciation for all the technology underneath that we take for granted most of the time.
Solid security shouldn't have to come at the expense of a great user experience. That's why Passage by 1Password is building a passwordless auth service that allows you to implement passkey logins in your app or website with just a few lines of code. (Sponsored)