This week
Wrapping up some of the biggest stories of the past few years…
SolarWinds
- Kim Zetter has a great writeup of the SolarWinds attack. In 'The Untold Story of the Boldest Supply-Chain Hack Ever' for Wired, Zetter explains how the incident, which engulfed Mandiant before being traced back to SolarWinds (vol. 3, iss. 51), unfolded.
- Signs of the compromise had also surfaced at least six months earlier: incident responders at an American think tank and at the US Department of Justice traced intrusions back to servers running SolarWinds software, but neither identified the full scale of what was going on.
Merck’s NotPetya insurance claim
- Insurance companies including Allianz and Zurich are ‘on the hook’ to help cover Merck’s $1.4 billion losses from the NotPetya attack. The insurers had been appealing a January 2022 verdict (vol. 5, iss. 4) in favour of Merck.
- The New Jersey appellate court has ruled that the NotPetya cyber-attack wasn’t military in nature and so cannot fall under exclusions for acts of war.
“The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action… Coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit.” — Judges Currier, Mayer and Enright, Superior Court of New Jersey Appellate Division.
- Merck’s claim was brought under its property insurance, which included policies covering “all risks” to a total limit of $1.75 billion, with a $150 million deductible. The eight insurance companies involved originally disputed having to pay out $699,475,000 of the $1.4 billion claim.
Former Uber CISO gets probation
- A San Francisco judge has sentenced Joe Sullivan to three years of probation, a $50,000 fine, and 200 hours of community service for covering up a data breach while CISO at Uber in 2016.
- Sullivan was found guilty of having lied about the breach, paying the attackers under the guise of a bug bounty scheme, and not informing regulators (vol. 3, iss. 34).
- Judge William Orrick commented that his leniency was partly due to this being the first case of its kind and also down to Sullivan’s character. Federal prosecutors had been pushing for a fifteen-month custodial sentence.
TikTok’s surveillance of journalists
- Cristina Criddle recounts her experience after discovering that she was one of the journalists being surveilled by ByteDance, the parent company of TikTok. The company admitted 'inappropriately obtaining' personal data to cross-reference with the locations of ByteDance employees during an internal investigation into leaks (vol. 5, iss. 52).
Interesting stats
11% of users know what the padlock icon in a browser address bar actually means, according to Google, which is retiring the icon in a forthcoming release of its Chrome browser (see below).
Other newsy bits / in brief
- Capita: has warned that some pensions data processed by the firm "is likely to have been exfiltrated". The communication surrounding the incident has been poor (vol. 6, iss. 17), and the outsourcer continued to hedge its bets in the notification sent to pension fund trustees, saying "to be clear, this does not necessarily mean that your data has been identified as exfiltrated, it means that your data was on [Capita] servers from which some data is likely to have been exfiltrated." Five weeks have passed since the incident came to light. A security researcher also found a public Amazon S3 bucket which has exposed Capita customer and personal data over a period of seven years.
- AI ChatBots: OpenAI has implemented age-verification and other privacy controls required by Italy's privacy regulator. The company's ChatGPT service was banned in Italy a month ago (vol. 6, iss. 14). In the US, the chair of the Federal Trade Commission (FTC), Lina Khan, used an op-ed in the New York Times to talk about using existing laws to regulate AI use and manage risks such as market dominance, collusion, fraud and privacy violations. The UK Competition and Markets Authority (CMA) also announced a review of how the market for AI models could evolve.
- Australia plans to reinstate a dedicated privacy commissioner in the wake of a string of high-profile breaches, including Optus (vol. 5, iss. 40) and Medibank (vol. 5, iss. 47). The role was left unfilled under the previous government, which had earmarked the Office of the Australian Information Commissioner for abolition to save money.
- Europol seized the dark web 'Monopoly Market' in December 2021 and confirmed this week that Operation SpecTor (top work on the name) has generated evidence that has led to the arrests of 288 people and the seizure of €50.8 million in cash and cryptocurrencies, 850kg of drugs and 117 firearms. Meanwhile, the FBI and Ukrainian police this week seized nine cryptocurrency exchanges that facilitated money laundering and the anonymous conversion of one digital currency to another.
- 1Password experienced a service outage this week which, for 23 minutes, resulted in users receiving an error message suggesting that their "secret key or password was recently changed". Such an alert would typically indicate that an unauthorised user had gained access to an account, whereas the reality was that a server was unavailable and no customer data was affected.
- T-Mobile has experienced its ninth data breach since 2018, with 836 customers having their personal data and service plan information taken between 24th February and 30th March.
- Twitter has confirmed a data breach in which some users' tweets sent to 'Twitter Circles', which are intended to be private and only shared with specific accounts, appeared in other users' timelines.
- A third-party contractor to Orqa, an electronics manufacturer, apparently planted a 'ransomware time-bomb' in code they developed for the vendor, hoping to cash in years later when the malicious code eventually executed.
- Ransomware: the Clop ransomware gang has stolen the personal data of 783,606 patients from pediatric mental health provider Brightline. RansomHouse has claimed responsibility for an attack on payment processing firm AvidXchange, the second ransomware attack against the company this year. Royal ransomware has attacked the City of Dallas, causing some systems to be shut down, including some used by 911 emergency dispatchers. The AvosLocker ransomware group used the emergency alert system of a Virginia, US university to ratchet up pressure on its victims: staff and students at Bluefield University received an SMS telling them their data was amongst 1.2TB of data stolen during the attack.
- Cisco is advising customers of its SPA112 adapter, which allows traditional telephones to be used with VoIP systems, to throw the devices out after a critical vulnerability was found in their firmware. CVE-2023-20126 (9.8/10) allows an unauthenticated attacker to execute arbitrary code. Cisco will not release a security update as the devices are considered end-of-life.
- Russia's APT28/FancyBear is using Windows Update as a lure in phishing emails, hoping to get Ukrainian government users to run PowerShell commands to protect themselves 'against hacker attacks'.
- Passkeys may now be used to authenticate to your Google Account. Previously they were an optional second factor, but now accounts can be secured using only machine-generated and machine-managed credentials. As well as rolling out passkeys this week, Google also announced that it is retiring the padlock icon from Chrome's address bar. Blue checkmarks are also being introduced in Gmail for some verified senders that have DMARC enabled, to help improve trust and confidence amongst users. I like this — a neat idea to provide cues for users.
- Trackers such as Tile or Apple's AirTags may soon have a cross-platform standard to help combat misuse. Apple and Google have proposed a specification that would allow both iPhone and Android phones to generate alerts when unauthorised tracking is detected.
And finally
- TSB has 'hit out' at the UK government after it dropped plans to force tech companies to take greater responsibility for fraud originating on their platforms. Instead, a voluntary 'online fraud charter' was announced in the fraud strategy released this week. TSB says more than 80% of all purchase, investment and impersonation fraud affecting its customers occurs through platforms owned by Meta, such as WhatsApp and Instagram.