Robin’s Newsletter #323

25 August 2024. Volume 7, Issue 34
US intel says Iran behind Trump campaign hack. Man hacks death register to get out of child support payments. How not to run a phishing test.

This week

US intelligence points finger at Iran for Trump campaign hack

  • US intelligence officials have confirmed that Iran was behind the breach of the Trump campaign emails. The media response to this ‘hack-and-leak’ operation seems to be more mature and considered than it was to Russia’s breach of the Democratic National Committee and Hillary Clinton’s campaign in 2016. But I wouldn’t be surprised if someone ends up publishing them, even if it’s an Iranian sock puppet. LINK

Man compromises systems to fake his death and avoid child support payments

  • A father has been sentenced to almost seven years in prison for breaking into state systems to fake his own death in an attempt to avoid paying $116,000 in child support payments.
  • Jesse Kipf was charged with computer fraud and aggravated identity theft for compromising the state death registries of Arizona, Hawaii, and Vermont. He also attempted to sell access to these systems on the dark web and stole the identities of two people to open lines of credit so he could continue to live while ostensibly being dead. LINK

UCSC ran an awful phishing test centred around a campus ebola outbreak

  • Please don’t do this: The University of California Santa Cruz (UCSC) ran a phishing simulation using an ebola outbreak on campus as the topic. The University has issued an apology for causing unnecessary panic and undermining trust in public health messaging (not to mention in their security team, I suspect). LINK

Interesting stats

The endpoint security market, estimated to be worth $12.6 billion and growing at over 21% a year, is dominated by Microsoft and CrowdStrike:

  • 26% (+41%) endpoint security market share for Microsoft
  • 18% (+25%) share for CrowdStrike
  • <6% each for Trellix, Broadcom, Sophos*, Trend Micro and SentinelOne*

According to analyst firm IDC. LINK, REPORT ($)

  • *Sophos and SentinelOne stand out in this pack, growing by 29% and 43% year-on-year respectively.

Microsoft and CrowdStrike dominate IDC’s 2023 Worldwide Modern Endpoint Security market share report; outside of Trellix, Broadcom, Sophos, Trend Micro and SentinelOne, the ‘rest of the market’ still accounts for one-third. It’s a crowded market. (Source: IDC)

  • 25% of global companies with standalone cyber insurance were able to detect and respond to incidents within seven days, compared to
  • 19% who had no coverage, or
  • 18% where cover was built into another policy

According to Forrester. LINK

Other newsy bits / in brief 

🤓 Interesting reads:

  • Microsoft is stepping up talks with partners over how it can make Windows more resilient in the wake of the CrowdStrike botched update. LINK
  • French authorities have arrested the founder of messaging app Telegram. LINK

⚠️ Incidents:

  • A flight-tracking platform exposed users’ information following a misconfiguration in January 2021. FlightAware discovered the error in July this year and has written to users advising that they may have “inadvertently exposed your personal information”. The exposed data may include full name, billing and shipping addresses, IP address, social media accounts, telephone numbers, year of birth, and some other pilot and aircraft data. LINK
  • National Public Data had published internal credentials that gave access to its databases in a file hosted on its website. The data broker — the source of the leak of millions of social security numbers featured last week — also set the same six-character password for users of one of its services, with many not changing from this default. The information was in an archive called ‘members.zip’ that was publicly accessible via its website. Brian Krebs has some great reporting on this and the wider NPD breach. LINK
  • The City of Columbus, Ohio, says that cybercriminals have stolen data on the victims and witnesses of crimes during a ransomware attack. City Attorney Zach Klein acknowledged that there are “probably people that are out there that are maybe trying to escape an abuser, that are trying to escape a situation that could be violent for them.” LINK
  • Toyota says that 240GB of files, including data on US employees and customers, was stolen from a third party. LINK
  • A cryptocurrency company lost access to its Google Workspace account for four days after attackers gained access to their tenant and reset all their passwords. Included here for consideration in your next incident response exercise: how would you promptly contact Microsoft or Google, prove your identity, and access your business collaboration tools? LINK

🏴‍☠️ Ransomware:

  • Energy services giant Halliburton has confirmed unauthorised access to “certain parts of its systems” this week. The company took systems offline as a precautionary measure. Sounds like ransomware. LINK

🕵️ Threat Intel:

  • Progressive Web Apps (PWAs) mimicking online banking applications and AppStore install screens are being used to phish the credentials of banks in Czechia, Hungary, and Georgia. LINK
  • The Qilin ransomware group are now stealing credentials from Google Chrome on systems that they compromise, according to Sophos. LINK
  • New Android malware abuses the device’s NFC reader to essentially clone payment cards and replay their details to attackers. ‘NGate’ was discovered by researchers from ESET. LINK

🪲 Vulnerabilities:

  • GitHub has fixed a critical vulnerability in GitHub Enterprise Server. CVE-2024-6800 (9.5/10) is an authentication bypass issue that could allow attackers to gain administrative privileges due to a problem with how SAML authentication requests are signed. LINK, ADVISORY
  • The LiteSpeed Cache plugin for WordPress can allow attackers to brute force access the admin accounts of these websites. CVE-2024-28000 (9.8/10). LINK, MORE

🧰 Guidance and tools:

  • The ICO has launched a privacy notice generator. It’ll step you through and seems pretty comprehensive. It is useful for new businesses, but also to sense-check that your existing privacy policy covers all the correct bases. LINK

🛠️ Security engineering:

  • Microsoft is mandating multi-factor authentication (MFA) for all sign-ins to the Azure portal, Entra admin centre, and Intune admin centre starting in October. You hopefully have already turned on MFA, but if not, you’ll receive a notice from Microsoft about the change and what you need to do. LINK

🏭 Operational technology:

  • Researchers have uncovered flaws in Shimano’s gear shifters. While ‘they are just bikes’, there’s a lot riding [sorry] on success in major cycling tournaments like the Olympics or Tour de France. Being able to control or block gear shifts could easily affect the outcome of a race. LINK, PAPER (PDF)
  • Ecovacs says it will fix vulnerabilities in its robot vacuum cleaners that allow attackers to spy on their owners through webcams and microphones on the devices. LINK

🧿 Privacy:

  • Google failed to gain consent from users when it collected data during Chrome private browsing sessions, according to an appeals court ruling. LINK
  • Someone has built a site that lets you take a selfie using New York’s traffic cameras. (You need to be on mobile and in NYC, obviously.) LINK

📜 Policy & Regulation:

  • Equality Trust Company has agreed to pay $850,000 over charges from the Securities and Exchange Commission that it mishandled two cyber security incidents in 2022 and 2023. LINK
  • The Federal Aviation Administration has proposed new cyber security rules to help standardise certification requirements and “protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI) that could create safety hazards.” LINK

👮 Law Enforcement:

  • The US Department of Justice (DOJ) is suing the Georgia Institute of Technology and its affiliate Astrolavos Lab for failing to meet Department of Defense contractual cyber security requirements. In particular, “Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan,” and when a plan was eventually implemented, it didn’t properly cover all laptops, desktops, and servers in scope. I suspect Georgia Tech isn’t alone and that this will be a wake-up call for DOD contractors. LINK
  • Argentinian police have arrested a Russian national for laundering money on behalf of the North Korean Lazarus group. LINK

🗞️ Industry news:

  • The UK civil service is launching a cyber track to the Fast Stream programme. LINK
  • Cisco has announced a second round of layoffs to reduce its workforce by 7%. It follows a similar round in February this year, where 4,000 employees were let go. LINK
  • CrowdStrike is salty that competitors are using its recent outage to sell their own solutions. This week, a ‘cloud service issue’ caused performance problems for European customers of CrowdStrike’s Falcon endpoint solution (h/t Paul). SALT, PERFORMANCE
  • CISA is getting a dedicated, centralised headquarters scheduled for completion in 2027. LINK
  • NCSC has opened the Cyber Resilience Audit Scheme to applicants. LINK

And finally 

  • The developer of the Styx Stealer info-stealing malware suffered a massive opsec blunder when their own malware stole and shared their own identity. LINK

Robin
