Robin’s Newsletter #263

2 July 2023. Volume 6, Issue 27

SEC issues noticed to SolarWinds CFO, CISO. Apple opposed Online Safety Bill. US Supreme Court rejects cyberstalking case.

Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

SEC issues notices to SolarWinds CFO, CISO

The US Securities and Exchange Commission (SEC) has issued ‘Wells notices to SolarWinds’ chief financial officer and chief information security officer over the 2020 compromise of it’s Orion software (vol. 3, iss. 51).

“The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws,” — SolardWinds’ SEC filing.

A Wells notice is a letter sent by the SEC after its investigation where it intends to bring a civil action against the individual. Typically the recipient has 30 days to respond and explain why they should not face charges.
SolarWinds indicated that it intends to “vigorously defend” any enforcement action and other charges, with CEO Sudhakar Ramakrishna citing “extraordinary measures” they have taken to cooperate and feeling that the SEC has taken a “position we do not believe match the facts”. Details explaining the SEC investigation and its conclusions have not been made public.
On social media, CISOs have been voicing concerns that they could be subject to similar situations and feeling they lack authority to affect change in their organisations. I think, on the whole, these concerns are overblown: many aren’t company officers (see below), and their roles don’t have the level of authority, so it would be highly punitive for a regulator to take action against them. Generally, where CISO roles fall into those categories, they also come with enhanced protections in their employment contracts (as with other officers).

Interesting stats

Verizon DBIR 2023:

$26,000, the median losses from ransomware (up from $11,500 in 2021) within an 80% confidence interval of $526 and $699,000, while the median transaction size paid to halved to $10,000 in 2023 (down from $20,000 in 2021) suggests that recovery costs drive these increases. Interestingly, 93% experienced no losses (up from 90%), based on the data from the FBI:

Ransomware incident costs (source: Verizon DBIR 2023)

10x more breaches come from stolen credentials (49%) than the exploitation of vulnerabilities.

32% of all Log4j scanning activity in 2022 occurred within 30 days of release. How much of this scanning activity is for cyber security vendors and security researchers rather than a huge volume of malicious interest?

Verizon DBIR 2023 report (PDF).

40% of CISOs report that their company does not have a succession plan for the role, with 76% open to changing companies in the next three years. 30% of CISOs say they sit on a corporate board (up from 14% the year prior), according to Hendrick & Struggles (PDF)

20 years since GCHQ first responded to a foreign state hacking a British government department.

6,558 arrests and €740 million in criminal funds seized since law enforcement gained access in 2020 to the EncroChat encrypted phone system used by criminals (vol. 3, iss. 27).

Other newsy bits

Risk management toolbox

NCSC has refreshed its guidance on managing cyber risk. While advocating for a variety of data sources in risk management, it’s also good to see an introduction to cyber risk quantification that aims to dispel some of the common myths. All of it’s worth a read.

The battle for control of the Internet’s plumbing

Almost 1.4 million kilometres of fibre optic cable provide the Internet connectivity that brings countries and continents together. The industry that lays and maintains these cables is relatively small: around 50 ships, each capable of laying around 200km of cable per day, at a cost of $25,000/km.
France and the United States have dominated this market for decades, with Japan making inroads since around the year 2000. China is keen to get a slice of the action, and the US, concerned over potential tampering with cables for espionage or disruption, is attempting to keep China out through policy and the threat of sanctions and financial ‘training grants’ to telcos.
China, Russia and some other states have been vocal about building a more centralised, controlled Internet infrastructure. Pushing them out may lead to separate infrastructures (sometimes called ‘splinternets’).
But is that really what China wants? Or is it to control the infrastructure enabling transactions and trade that is crucial to its economy? An interesting read from the FT.

US Supreme Court rejects cyberstalking case over First Amendment rights

The US Supreme Court has been busy recently, including telling a lower court its logic was flawed and should review a case because it violated First Amendment rights of the defendant. Billy Raymond Counterman, from Colorado, had been convicted of stalking after he sent what may have been a thousand messages to a musician telling her to “Fuck off permanently,” and “You’re not being good for human relations. Die.” Counterman’s lawyer argued that he suffered from mental illness and was not aware that his messages were threatening.

In brief

Online Safety Bill: Apple is the latest technology company to come out against the UK’s Online Safety Bill, saying that end-to-end encryption (E2EE) “helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches,” and adding the bill “poses a serious threat to this protection, and could put UK citizens at greater risk.”
[UNREDACTED]: Sony used a black Sharpie to obscure sensitive company information for its PlayStation platform, including budgets and revenues. However, the figures were visible when the documents were scanned and presented to the court as part of the FTC v Microsoft hearing about the acquisition of Activision Blizzard.
MOVEit: The Clop ransomware group has added both Siemens Energy and Schneider Electric to their leak site of victims of the vulnerability in the MOVEit file transfer system. Clop has added more than 100 victims to the site since the beginning of June.
TSMC: LockBit ransomware gang added Taiwan Semiconductor Manufacturing Company (TSMC) to their breach site this week, demanding $70 million not to release the data it has stolen. TSMC has around 60% of the world’s foundry (chipmaking) market. TSMC says the compromise was at a supplier, relating to some IT server configurations, and that the incident “has not affected TSMC’s business operations, nor did it compromise any TSMC’s customer information”.
Wagner: Dozor-Teleport CJSC, a Russian satellite telecommunication company, has confirmed that part of its cloud infrastructure was compromised. A group claiming affiliation with private military company Wagner said it was behind the attack.
Proton, known for the encrypted ProtonMail service, has released a password manager.

And finally

The Password Game: Much frustration from, and entirely fair roasting of, password requirements in this game, plus a bit about the ‘mess of RegEx’ behind the scenes.
Make sure you don’t use “Ch@ngeme!” like one school in Illinois did this week when it reset everyone’s accounts to the same password at the same time.

Robin

Robin's Newsletter - Volume 6

Clop Ransomware MOVEit EncroChat Security and Exchange Commission (SEC) SolarWinds Solorigate Online Safety Bill Apple Cyberstalking US Supreme Court Verizon Data Breach Investigations Report Cyber risk Splinternet Wagner Log4J Password complexity

Robin’s Newsletter #264

Robin’s Newsletter #262