Robin’s Newsletter #267

30 July 2023. Volume 6, Issue 31
SEC approves breach disclosure rules. Weak ciphers on export-versions of TETRA radios. Over 500 victims of Progress Software's MOVEit vulnerability.

This week

SEC approves breach disclosure rules

  • The US Securities and Exchange Commission (SEC) approved rules this week requiring publicly traded companies to disclose cyber-attacks posing a material risk to their bottom lines. 
  • Once the rules come into force, firms experiencing such an attack will have four days to file an ‘8-K form’ with the regulator that will be made public.
  • Broadly, the move has been welcomed, with some warning that such public notices may alert other attackers to weaknesses in the victim’s systems before response and recovery efforts have concluded.

Researchers find TETRA radios built for export have weakened encryption

  • Quite a lot of folks are getting worked up this week by the news that the encryption cipher used in the TErrestrial Trunked RAdio (TETRA) standard, used by law enforcement, emergency services, critical infrastructure providers and some military or intelligence agencies, contains a deliberate weakness.
  • That’s because governments exporting these devices would quite like the ability to intercept these communications. Kim Zetter’s write-up for Wired acknowledges this targeting, citing examples from Wikileaks. Restricting encryption ciphers isn’t new, and those on the ‘unfriendly side’ of export requirements will be aware they’re buying a radio with a weakened cipher.
  • Authorities also need to make sure they configure the radios correctly: a man was handed a suspended prison sentence in 2016 for ‘attempting to hack’ Slovenian police communications that were misconfigured to send messages unencrypted over the internet.
  • The effort to extract the (until now) secret encryption algorithms is solid research, though, and the researchers’ technical details will be published at Black Hat in August.

Interview with Clare O’Neil and Ciaran Martin

  • A really interesting interview from Risky Business: Patrick Gray speaks to Australia’s Home Affairs and Cyber Security Minister Clare O’Neil and NCSC founding director Ciaran Martin about the Australian government’s upcoming cybersecurity strategy, ‘releasing the hounds’ and lessons learned from the streak of high-profile attacks against Australian businesses.

Interesting stats

40% of Ubuntu users are running vulnerable versions of the operating system, according to Wiz, though both of the kernel vulnerabilities (CVE-2023-2640 (7.8/10) and CVE-2023-32629 (5.4/10)) require local access. 

$37,300,000 of cryptocurrency was stolen from Estonian payments service provider CoinsPaid, which the company blames on North Korea’s Lazarus group.

Other newsy bits / in brief

Investments, mergers & acquisitions

A few significant deals this week…

  • Thales is acquiring Imperva from private equity firm Thoma Bravo in a deal worth $3.6 billion. Thoma Bravo took the network and application security outfit private four years ago for $2.1 billion.

  • Protect AI has raised a $35 million Series A (double their seed round) to build tools to secure artificial intelligence and machine learning systems.

  • CrowdStrike is rumoured to be close to acquiring cloud security posture firm Bionic.AI for between $200 million and $300 million.

And finally

  • A Florida man faces fresh charges for attempting (and inducing others) to destroy evidence and another violation of the Espionage Act. There is plenty of sass from El Reg on the latest federal prosecutors’ case against former President Donald Trump. Surprisingly, it’s also a case study in disaster recovery planning: “By some extraordinary coincidence… a Mar-a-Lago employee drained the resort’s swimming pool and somehow flooded ‘a room where computer servers containing surveillance video logs were kept.’”
