Robin’s Newsletter #288

24 December 2023. Volume 6, Issue 52
Predatory Sparrow disrupts 70% of Iran's petrol pumps. New SEC breach rules come into force. Authorities seize ALPHV dark web site.

Happy Holidays! I hope you’re all set for a relaxing and enjoyable end to 2023.

This week

The SEC’s new 4-day reporting requirements came into force

  • The SEC’s new data breach disclosure rules came into effect this week. Publicly traded US companies must report cyber security incidents on Form 8-K reports within four business days, in the same way that significant disruption — think fire, flood — to operations would. It includes incidents at third parties, meaning notification clauses will be needed in outsourcing and service contracts.
  • Pushback from companies has led to an exception to the deadline: disclosure of a vulnerability or incident can be delayed if the US attorney general determines that it “would pose a substantial risk to national security or public safety.”
  • Smaller companies, such as those with less than $100 million in annual revenues or a float (shares traded on the open market) of less than $250 million, get a 180-day disclosure extension. (That seems a significant jump, but I understand it aligns with other reporting requirements.)
  • What is material? That is the question worth spending some time establishing, if you’re regulated by the SEC. Their guidance doesn’t make the distinction between cyber and non-cyber incidents:

“Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information made available to investors.” — Broad definition of materiality from US securities law.

  • In November, ALPHV tried to turn the rules into leverage with a ‘triple extortion’ attack: encrypting data, threatening to leak it, and writing to the SEC about the lack of disclosure. The cybercriminals had jumped the gun, though, as the rules hadn’t taken effect. I don’t buy it as a viable tactic, though, because increasing regulator and law enforcement involvement increases pressures not to pay the ransom, and drastically reducing the share price may make it more difficult to raise or release the funds demanded. (Interestingly, while companies that suffer data breaches underperform markets by around -4.2%, they generally were already underperforming by -1.7% (vol. 3, iss. 20). Poor governance and risk management typically lead to poor company performance.)

Interesting reads

Interesting stats

4 in 5 Apache Struts 2 downloads are of versions susceptible to the recent critical remote code execution vulnerability (CVE-2023-50164), according to Sonatype.

443 e-commerce sites were notified by Europol over the presence of card skimming JavaScript on their checkout pages.

Other newsy bits / in brief

And finally

  • Pit yourself against GCHQ’s Christmas Challenge to see how you fare against the puzzles set by the contemporaries of the Government Code and Cypher School. (Technically, it’s aimed at schools, so it should be a doddle for all of you!)
  • Iron Maiden opening act, or cyber attack? Test your knowledge of heavy metal and newsworthy cyber security incidents in this quiz (h/t Z). I got 93%, mainly confusing bands for potential threat actors or campaigns (and reaffirming that we should celebrate people who defend, not fetishising adversaries!)
