Robin’s Newsletter #114

23 August 2020. Volume 3, Issue 34
Personal liability for CISOs in data breach cover-ups, 'fraudulent data requests' at Experian and mailto: attachment vulnerability.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

Bletchley Park announced that a third of their staff are at risk of redundancy following a fall in visits due to Coronavirus. The site was at the centre of code-breaking operations, played a crucial part in shortening World War II and is also home to the National Museum of Computing. Please consider becoming a friend, making a donation or sponsoring a brick so they can continue to inspire tens-of-thousands of school children and care for 450,000 items in their collection.

This week

Ex-Uber CISO charged for role in 2016 data breach cover-up

US Prosecutors say Joseph Sullivan broke the law by paying attackers that stole the personal data of 57 million people $100,000 in crypto-currency and hiding it from regulators as a legitimate ‘bug bounty’ case. He is charged with obstructing justice and misprision (concealment) of a felony.

Then-CEO Travis Kalanick was involved in the payment and is quoted as scything they should “put this to bed.” The affair has already cost Uber $148M (vol. 1, iss. 15) to settle lawsuits brought against the company after Dara Khosrowshahi took over as CEO with a remit to improve the culture and transparency at the company.

While infosec circles often joke that the ’S’ in CSO or CISO job titles stands for “scapegoat” or “sacrificial” (rather than security) officer, because of many being ‘thrown under the bus’ following a serious incident, cases of personal liabilities for negligence appear to be very limited.

The allegations stem from a very specific set of circumstances: Uber experienced a data breach in 2014 that the Federal Trade Commission was investigating, in co-operation with Uber. Ten days after given testimony Sullivan became aware of the second breach and the firm began covering it up. This sworn testimony should have been supplemented when such information came to light during the investigation.

Sullivan’s legal team claim that company policies were clear that data breach notification decisions were the responsibility of Uber’s legal team and not the security team.

Cyber incidents can add significant, unexpected pressure to an organisation’s finances, however, the message is clear that transparency over the occurrence of such issues is paramount to help prevent harm to the individuals affected. Mis-handling a cyber security incident can be far more costly than the direct consequences themselves.

Mishcon de Reya’s team suggest that, if the same happened in the UK, not reporting a personal data breach can carry a penalty of €10M or 2% of global turnover. This is separate to any penalty imposed following an investigation: it solely applies for failing to meet the notification obligations.

I’m sure CISOs around the world will be watching the case unfold with interest. Hearing dates are yet to be scheduled.,,,

Interesting stats

Quite a bit of analysis in this really interesting paper on the value of threat intelligence:

1.3%—13.0% overlap between two paid threat intelligence providers, closing to 2.5%—4.0% overlap when looking explicitly at 22 groups for which providers claimed to provide insights, and <1% overlap between paid and open source threat intelligence feeds, 45 days average between an indicator of compromise appearing in another vendors intelligence feed, according to research by Bouwman et. al (PDF)

Takeaway: The cost and restrictive licence conditions of threat intelligence vendors make comparison difficult, however, the overlap between their services appears to be limited. Multiple feeds may be required to improve coverage as each brings their perspectives (for example the shadow of a cylinder end-on looks like a circle, the same cylinder side-on casts a rectangular shadow.) Open source feeds should not be discounted. Threat intelligence feed costs vary significantly and pricing is not transparent. <$50K for Digital Shadows and EclecticIQ, rising to >$200K for Crowsdstrike and FireEye.

86% of Singaporeans surveyed by the countries cyber agency correctly identified phishing emails offering ‘promising rewards’ though this drops to 57% when identifying suspicious attachments and further to 53% when the phishing email requests confidential information, just 4% identified every phishing email correctly, according to the survey of 1,000 respondents

Other newsy bits

Experian hands over data on 24M South Africans

Business Email Compromise (BEC) or CEO impersonation fraud typically revolves around submitting fraudulent invoices via email in the hope that they will be paid. Experian announced a ‘fraudulent data enquiry’ this week that is an interesting case of adopting similar tactics but for theft of personal data.

Attackers just emailed Experian, pretending to be from a legitimate customer, and requested access to the data via email. No intrusion required. And as The Register point out 24M is approximately 40% of South Africa’s entire population.

Given that individuals struggle to identify phishing emails requesting confidential information (see Interesting Stats above) perhaps we will see a growing number of breaches like this.

The credit reference agency was light on specific details of what data was taken and claims that it has obtained a court order to ‘seize and destroy’ the data.

Describing the unfortunate incident as a “fraudulent data enquiry” may well be the new “sophisticated attack.”,

Click here to email me your password

Vulnerabilities in the ‘mailto’ email hyperlink specification can be used to automatically attach files to email messages. Linux email clients Evolution and Mail as well as IBM Notes for Windows were vulnerable and have now been patched.

Mailto hyperlinks are used in the markup of webpages to display email links. Clicking them opens your email client to compose a new message. It’s useful functionality in a digital world and saves copying and pasting the address. The technical specification also allows the subject and CC lines, as well as the body of the message to be specified. The spec extends to also allowing for (though discouraging!) attachments to be specified too.

Researchers from Ruhr University Bochum and the Münster University of Applied Sciences found that for these three email clients it was possible to specify sensitive operating system files as the attachment (for example the /etc/passwd file containing authentication information for Linux user accounts.)

A user would still have to hit ‘send’ on the email message though many users may not notice or understand the danger of the attachments. It’s a brilliantly simple attack.

In brief

Attacks, incidents & breaches

  • Carnival Cruises has suffered a ransomware incident that involved the theft of customer and employee personal data, according to a regulatory filing this week
  • Details of 8.3M users, including hashes of 3.6M passwords, compromised from graphics company Freepik, via an SQL injection vulnerability in the company’s site
  • University of Utah paid $457K to cybercriminals following ransomware incident in July. The payout was made from the universities insurance
  • Hat tip to Instacart for noticing two outsource support reps that had accessed ‘more profiles than necessary’ and is disclosing the breach. Regular reviews of logs or routine audits are important control to prevent abuse of privileges

Threat intel

  • FBI, CISA warn of rising ‘vishing’ threat, where attackers attempt to socially engineer employees over the phone to gain access to IT systems
  • New DarkSide ransomware operation, seemingly based on code similar to REvil and GandCrab, launched that last steals data


  • Shared memory issue in IBM’s Db2 platform
  • SQL injection and XSS vulnerabilities in Discount Rules plugin for WooCommerce and WordPress being actively exploited

Security engineering

  • Neat! Dice keys generate strong, random master passphrase and crypto material that you can recreate if you lose access,


  • Rushed jobs on contact-tracing apps, like Aura, are creepy when made mandatory for universities, workplaces and may leak your data finds Techcrunch
  • IBM has settled a case with Los Angeles over misleading location data practices of its Weather Channel subsidiary (vol. 2, iss. 1) for $1M of contact tracing technology and changes to its privacy practices
  • Forget covert surveillance, the US Secret Service may just be buying access to your location data

Law enforcement

  • Gang believed to have laundered $42M in criminal proceeds arrested by Ukrainian law enforcement

Mergers, acquisitions and investments

  • raises $29M series B funding, led by Highland Europe, to build out ‘Uber of pen testing’ integration platform

And finally

Microsoft Defender can no longer be disabled by registry key

You would expect security software like Microsoft Defender to not be trivially disabled. Since Windows Vista a single registry key has given the ability to turn it off: Just set ‘DisableAntiSpyware to 1. Job done. It was intended for use in enterprise deployments where IT teams would also be deploying other third-party anti-malware software. Well done Microsoft! :-)


  Robin's Newsletter - Volume 3

  Uber Joseph Sullivan Data breach Cover-up Federal Trade Commission (FTC) CISO Personal liability Threat Intelligence Experian fraudulent data request Mailto Microsoft Defender