Robin’s Newsletter #225

9 October 2022. Volume 5, Issue 41
Ex-Uber CSO found guilty of obstructing justice. Microsoft is botching 'ProxyNotShell' Exchange vulnerabilities. Australian man arrested in connection with Optus breach.

This week

Joe Sullivan convicted in Uber data breach cover-up case

I’ve seen many hot (lazy?) takes on social media that misrepresent the verdict in the case of Uber’s former Chief Security Officer, Joe Sullivan, this week.

I haven’t watched all the testimony, but I have read pieces in the FT, Washington Post, BBC and other reputable outlets, as well as the DoJ’s statement, and: no, Joe Sullivan hasn’t been prosecuted for Uber getting breached. Nor for paying a ransom demand.

Sullivan has been found guilty of obstruction of justice and misrepresentation of a felony.

He’ll be familiar with these things from his earlier career as a federal prosecutor. He is far more legally savvy than most CSOs/CISOs.

While I do disagree with the States Attorney’s characterisation that Sullivan was a ‘rogue executive’ (the CEO knew), and some security investigations do need to be conducted with tight control over who is in the loop, it appears (and the jury found) this went beyond typical ‘need to know’ control and into the realms of a cover-up.

The evidence shows him telling his team, “this investigation does not exist,” and editing emails when forwarding them to new CEO Dara Khosrowshahi. He removed specific details like the amount the attackers were paid (which exceeded the bug bounty policy) and the number of records that had been compromised. And that’s separate to the questions over responsibility to report it to the FTC.

The “CISO is a scapegoat” crowd appears to be missing that Sullivan had that (oft-requested) seat at the top table: the two most senior executives involved were Kalanick (CEO) and Sullivan (CSO). Other executives weren’t told and were excluded from the decision-making process.

And the Washington Post reports that it was Sullivan’s strategy: he proposed the direction and executed the plan. While it was approved by (then CEO) Travis Kalanick, it’s Sullivan who was both the cyber security and legal expert.

The case didn’t find sufficient evidence of wrongdoing to prosecute Kalanick, and so they pursued the second in command: Sullivan. The jury, I suspect, thought that he should have known better.

While the intention and negotiation may have been in good faith to progress an investigation and to protect user data, the evidence shows a less well-meaning side to the activities.

So do CISOs need to worry?

This doesn’t set a precedent that getting breached or paying a ransom will end up in prison. Instead, if you take it upon yourself to withhold details from key stakeholders and act unethically, there are consequences.

If you’re lucky enough to sit on the board, most companies have D&O insurance to protect officers from claims arising from their decisions and actions. You probably won’t need to negotiate a unique employment contract.

Finally, it reaffirms to me that if you don’t already, you need to start maintaining clear records: who made the decision, on what basis, and following what process?

If you’re reading those notes back thinking, “I wouldn’t want this to appear in court”, then you’re probably doing something wrong.

Interesting stats

44% increase in monthly incident reports over the last ten years. $266,000 is the typical financial cost reported for a cyber event, rising to $52 million in the top 5% of loss events, according to the Cyentia Institute’s IRIS 2022 report (PDF). (There is lots of other interesting and valuable stuff in the IRIS reports; well worth a read if you’re a data geek!)

28% of debt rated by Moody’s is with organisations in ‘high’ or ‘very high’ cyber-risk exposure sectors ($22 trillion out of $80 trillion global rated debt)

Other newsy bits / in brief

  • Microsoft has updated its ‘ProxyNotShell’ guidance for the Exchange zero days (CVE-2022-41040 and CVE-2022-41082). Redmond’s handling of the vulnerabilities has been pretty poor, notes Kevin Beaumont (@GossiTheDog): mitigation advice that wouldn’t work if you had followed Microsoft’s own installation guidance, firewall rules that didn’t prevent the issues, and more. It looks like there aren’t many resources being devoted to on-premises Exchange

Attacks, incidents & breaches

  • An “IT security issue” is impacting services at CommonSpirit Health, a Chicago-headquartered nonprofit healthcare provider that operates 140 hospitals amongst over 1,000 facilities in the US
  • Australian staff at outsourcing firm G4S may have had their personal information, including banking and medical details, stolen and posted online following a ransomware attack in July
  • The RansomEXX group claimed to have stolen 7 GB of data from Ferrari and added the company to their list of victims. The Maranello-based car manufacturer and racing team says they have “no evidence of a breach”
  • CISA has uncovered an intrusion into a US defence contractor that had “persistent, long-term” access to the company’s enterprise network
  • Shangri-La Group has confirmed a personal data breach for guests staying with the hotel chain “between May and June 2022”. The timeframe coincides with the ’Shangri-La Dialogue’ event, a high-profile Asian defence conference
  • Chase UK’s banking app has suffered an outage lasting over 30 hours. Customers of the online-only service were logged out and couldn’t access their card details, which aren’t printed on the physical card
  • Lloyd’s of London has ‘reset’ its systems following a potential cyber incident. The insurance market told The Register that “[as] a precautionary measure, we are resetting the Lloyd’s network and systems. All external connectivity has been turned off, including Lloyd’s delegated authority platforms.”
  • The world’s largest cryptocurrency exchange, Binance, has lost approximately $570 million in a security breach

Threat intelligence

  • Fortinet says you should patch its FortiGate firewalls and FortiProxy web proxies to mitigate a critical authentication bypass vulnerability. The vulnerability, CVE-2022-40684, “should be dealt with the utmost urgency,” the company said
  • The Cheerscrypt ransomware has been linked to the Chinese threat actor group dubbed ‘Emperor Dragonfly’ (aka Bronze Starlight, DEV-00401). While the group appears to operate like a criminal ransomware operation, the victims are all potential espionage targets for the Chinese government. The NSA has published an advisory over the activity of Chinese state-sponsored attackers, noting that they “obfuscate their activities and target web-facing applications to establish initial access.”
  • The BlackByte ransomware gang is using a vulnerability in a Windows graphics driver to carry out ransomware attacks stealthily. Sophos says that CVE-2019-16098, a vulnerability in RTCore64.sys, is being used by the group to disable ETW (Event Tracing for Windows) — a “front gate” for many EDR agents — and switch off routines used by antivirus software
  • Mexican journalists and human rights activists were targeted with NSO Group’s Pegasus spyware, despite Mexico’s president’s commitment that the government would not use the spyware. NSO Group simultaneously denies the claims while also maintaining that the company “does not operate Pegasus, has no visibility into its usage, and does not collect information about customers or who they monitor” 
  • A modified version of the Tor Browser was distributed via a Chinese-language YouTube channel with 180,000 subscribers. The modified software harvested browsing history and identifying information, as well as disabling automatic updates
  • A live support widget from Comm100 was trojanized and used to spread malware
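The BlackByte item above is a ‘bring your own vulnerable driver’ case: the driver is legitimately signed, so signature checks alone won’t flag it, and once loaded it can switch off ETW and the callbacks EDR relies on. The detection logic below is an added example written for this newsletter, not code from Sophos or the newsletter’s author. It scans constructed, flattened Sysmon Event ID 6 (DriverLoad) records for the indicators a defender can actually see at load time: a known-vulnerable driver name or hash, a load from outside the system driver directories, and a missing signature. The record format, the SHA256 values and the vendor names are all constructed for the example; only RTCore64.sys and CVE-2019-16098 come from the page, and a real blocklist would be taken from Microsoft’s vulnerable driver blocklist or a similar maintained source.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed blocklist for this example.  RTCore64.sys is the driver the
# Sophos report on BlackByte ties to CVE-2019-16098; the SHA256 value is a
# PLACEHOLDER, not the driver's real hash.  A production list would come from
# Microsoft's vulnerable-driver blocklist or a similar maintained source.
BLOCKED_DRIVER_NAMES = {"rtcore64.sys"}
BLOCKED_SHA256 = {"placeholder-sha256-of-rtcore64-sys"}

# Where legitimately installed drivers normally live on Windows.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed, flattened Sysmon Event ID 6 (DriverLoad) records: 'Key=Value'
# pairs separated by '; '.  Real Sysmon output is EVTX/XML; the field names
# (ImageLoaded, Hashes, Signed, Signature) are Sysmon's, the values are made up.
SAMPLE_EVENTS = [
    r"EventID=6; ImageLoaded=C:\Windows\System32\drivers\tcpip.sys; Hashes=SHA256=aaaa-constructed; Signed=true; Signature=Microsoft Windows",
    r"EventID=6; ImageLoaded=C:\Users\Public\RTCore64.sys; Hashes=SHA256=placeholder-sha256-of-rtcore64-sys; Signed=true; Signature=Example Vendor",
    r"EventID=6; ImageLoaded=C:\Windows\System32\drivers\unknown.sys; Hashes=SHA256=bbbb-constructed; Signed=false; Signature=",
    r"EventID=1; Image=C:\Windows\System32\notepad.exe; Hashes=SHA256=cccc-constructed",
]

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


@dataclass
class DriverAlert:
    image: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> dict[str, str]:
    """Turn a flattened 'Key=Value; Key=Value' record into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def sha256_of(event: dict[str, str]) -> str:
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex,...'; return the SHA256 entry."""
    for part in event.get("Hashes", "").split(","):
        alg, _, digest = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def assess_driver_load(event: dict[str, str]) -> DriverAlert | None:
    """Return an alert for a DriverLoad event that shows BYOVD indicators, else None."""
    if event.get("EventID") != "6":
        return None  # only driver-load events are of interest here
    path = event.get("ImageLoaded", "")
    lowered = path.lower()
    name = lowered.rsplit("\\", 1)[-1]
    reasons = []
    if name in BLOCKED_DRIVER_NAMES:
        reasons.append("known-vulnerable driver name")
    if sha256_of(event) in BLOCKED_SHA256:
        reasons.append("known-vulnerable driver hash")
    if not any(lowered.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is not signed")
    return DriverAlert(path, reasons) if reasons else None


def find_suspicious_driver_loads(lines: list[str]) -> list[DriverAlert]:
    """Run every record through the checks and keep the ones that alert."""
    alerts = []
    for line in lines:
        alert = assess_driver_load(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"{alert.image}: {', '.join(alert.reasons)}")
```

Matching on name alone is the weakest check, since a renamed copy of the same driver still carries the same hash, which is why the hash lookup is there; conversely, the location and signature checks catch drivers that are not yet on any blocklist. Running the sample set flags the RTCore64.sys load on three counts and the unsigned driver on one, and leaves the legitimate tcpip.sys load alone.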

Public policy

  • A new Data Access Agreement (DAA) between the US and UK will allow law enforcement to request digital evidence directly (via the Home Office) from technology companies for the first time. Previously US law prevented its domestic technology companies from disclosing data to foreign governments, meaning UK police had to request it via a lengthy and error-prone mutual assistance process. The bilateral agreement prohibits either side from requesting data on persons located in the other country and is the first under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act
  • The White House has released a blueprint for an artificial intelligence ‘bill of rights’ that would protect against algorithmic “discrimination”, allow users to “opt-out” in certain cases, and request human review (all things covered this side of the pond under GDPR)
  • The new EU-US data privacy framework, which replaces the defunct Privacy Shield, includes limits on the collection of data for US intelligence purposes and a redress system for EU citizens

Law enforcement

  • Australian Federal Police has arrested a 19-year-old man for allegedly sending blackmail messages to 93 people whose personal data was in the Optus data breach. The Sydney resident demanded, via SMS, AUD$2,000 ($1,300) in exchange for not selling their data to other cybercriminals
  • Sebastien Vachon-Desjardins, a 34-year-old from Quebec involved in the NetWalker ransomware group, has been sentenced to 20 years in prison. The Canadian, who pled guilty (vol. 5, iss. 27), was extradited to the US to face charges after already being sentenced to seven years following his arrest in January 2021. Vachon-Desjardins’ role in the group had netted him $21 million (vol. 4, iss. 5)

Mergers, acquisitions and investments

  • ‘No code’ security automation platform Tines has raised an extended $55 million Series B round to support go-to-market, research, partnership and hiring efforts
  • IriusRisk, a threat modelling tool, has announced a $29 million Series B funding round to expand sales and marketing activities in the US and EMEA
  • Detection and response firm Arctic Wolf has secured $401 million financing for product development, M&A and growth in Australasia

And finally

  • A former NSA information security systems designer, who worked at the agency for just over three weeks, has been arrested while trying to sell classified documents. Jareh Sebastian Dalke was looking for a buyer for the National Defense Information (NDI) and, unbeknown to him, the agent he approached was working for the FBI rather than a foreign intelligence agency. Dalke was picked up by the FBI while connecting to a Wi-Fi network at a dead drop location in Denver. He is also allegedly the only employee to have accessed all three documents supplied as proof in advance of the $85,000 sale
