Robin’s Newsletter #206

29 May 2022. Volume 5, Issue 22
Verizon DBIR 2022. ICO fines Clearview AI. Suspected leader of 'SilverTerrier' arrested. Fake IDs for everyone!

This week is interesting stats

It’s the fifteenth Data Breach Investigations Report from Verizon and this year’s report is based on 23,896 security incidents, of which 5,212 were confirmed intrusions covering the period from 1st November 2020 to 31st October 2021.

Threat actors tend to be ‘in it’ for one of three reasons: for financial gain, for national interest or for a cause. Financial gain accounts for the significant majority of incidents while hacktivism seems a distant memory:

  • 93% of attacks were financially motivated
  • 6% of attacks were rooted in espionage

80% of breaches involved external actors, with the evidence suggesting just under 20% involved internal actors. The number of records involved is almost the reverse, though, with internal breaches resulting in roughly five times as many records being exposed.

A chart showing that (stolen) credentials are by far and away the most common source of non-error, non-misuse breaches, followed by phishing, with both being more prevalent than exploited vulnerabilities (Source: Verizon DBIR 2022)

When error and misuse are excluded, credentials are far and away the most common path into an organisation’s network. This is why strong authentication (including things like multi-factor authentication) is so important as a defence. Phishing is the second most common path in this situation, though it features in fewer than one in five breaches; some of that will be down to anti-spam and mail filtering controls, and increasing user awareness. Exploited vulnerabilities come third, featuring in fewer than one in ten breaches.

In what will be a surprise to very few, given how much ransomware has dominated headlines, this type of incident has seen a 13% increase since the previous report. One of the most interesting parts is the examination of what the economics look like for a ransomware actor (Appendix E).

“Ransomware is more of a lottery than a business. You gamble on access, win the lottery 40% of the time, and get a payout from a few bucks to thousands of dollars”

There’s plenty of really interesting analysis and commentary in the full report (it’s 107 pages!) plus some nostalgia as they look back on the previous fifteen years of reports. (PDF)

Other newsy bits

  • In the UK, the Information Commissioner has fined Clearview AI for hoovering up images of UK citizens from social media without their permission to develop its controversial face recognition service and algorithm. The £7,552,800 penalty also comes with an enforcement notice requiring the company to cease ‘obtaining and using’ publicly available UK residents’ data and to delete it from its systems. It raises an interesting question around the (mis)use of data that you make publicly available.

  • If you’re running a consumer service handling lots of funds, you need strong authentication and account monitoring, as wedding planning site Zoha found out when attackers used credential stuffing attacks to compromise the accounts of happy couples and made off with gifts.

  • … sticking with credential stuffing, General Motors has sent notifications to some of its customers after their personal information, including names, contact information and addresses, was exposed. Loyalty points were also exchanged for gift cards by the attackers.

  • Microsoft says criminals engaged in card skimming are using new, server-side techniques that are ‘less noisy’ to steal payment card information from stores running on popular commerce platforms. The PHP code is embedded within image files uploaded to the web servers.

  • H/t to Dave: PyPI module ‘ctx’ was compromised to steal environment variables, commonly used to store authentication keys in development and production environments. It’s the latest in a string of issues affecting popular open source components and package management solutions. Be like Dave and do some checks before running new stuff on your infrastructure, and consider egress filtering from your servers to unusual and unnecessary places.

  • Interpol has announced that Nigerian police have arrested the suspected leader of the Nigerian ‘SilverTerrier’ cybercrime group. Since 2020 it’s believed the group has compromised over 500,000 companies in 150 countries to commit business email compromise (BEC) scams.

  • A vulnerability requiring no user interaction has been patched by Zoom.

  • Twitter agrees to a $150 million penalty for using mobile numbers collected for multi-factor authentication to target adverts at its users.

  • DuckDuckGo faces backlash for allowing Microsoft advertising trackers in its privacy-focused browser due to a ‘search syndication agreement’.

  • Cloud search firm Lacework reportedly to cut 20% of staff amidst a “seismic shift” of markets just a few months after raising $1.3 billion.
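The server-side skimming technique in the Microsoft item above relies on PHP being smuggled inside files that look like product images. As an added example (not code from the newsletter or from Microsoft’s write-up), here is a small upload check a store operator could run over its media directory: it verifies that the bytes match the declared image type and flags any PHP open tag in the body. The file layouts and sample bytes are constructed for illustration.

```python
import re

# Magic bytes for the image types a store would typically accept (assumption:
# these are the only extensions the upload handler allows).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# PHP open tags, including the short echo tag and the legacy <script> form.
PHP_PATTERNS = [
    re.compile(rb"<\?php", re.IGNORECASE),
    re.compile(rb"<\?="),
    re.compile(rb"<script\s+language\s*=\s*[\"']?php", re.IGNORECASE),
]


def scan_upload(data: bytes, declared_ext: str) -> list[str]:
    """Return findings for one uploaded file; an empty list means it looks clean."""
    findings = []
    magic = IMAGE_MAGIC.get(declared_ext.lower())
    if magic is None:
        findings.append(f"unexpected extension: {declared_ext}")
    elif not data.startswith(magic):
        # Content does not match what the extension claims: either a renamed
        # script or a corrupted upload; both deserve a look.
        findings.append(f"magic bytes do not match .{declared_ext}")
    for pat in PHP_PATTERNS:
        if pat.search(data):
            # A genuine image has no reason to carry a PHP open tag anywhere.
            findings.append(f"PHP tag found: {pat.pattern.decode()}")
    return findings


# Constructed samples: a minimal PNG-like blob and the same blob with a PHP
# payload appended after the image bytes, the way a skimmer would hide it.
CLEAN_PNG = IMAGE_MAGIC["png"] + b"\x00" * 32
SKIMMER_PNG = CLEAN_PNG + b"<?php /* constructed placeholder, not a real skimmer */ ?>"

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("tainted.png", SKIMMER_PNG)):
        print(name, scan_upload(blob, "png") or "clean")
```

The check is a detection aid, not a substitute for configuring the web server so that nothing under the upload directory is ever executed as PHP.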

And finally

  • Crack the four-digit PIN encrypting the data on New South Wales’ digital driver’s licence and you can modify the file, with police and venue checks verifying the manipulated information as authentic. Aussie fake IDs abound!
