~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 38

~ ~


Hackers release data after LAUSD refuses to pay ransom
Los Angeles Times ($): Brutal week for hundreds of thousands of students across the Los Angeles Unified School District (LAUSD), the second largest school district in the U.S., which refused to pay hackers following a ransomware attack in September, and saw hackers release a cache of stolen documents from the school district's systems. The full extent of the data drop isn't yet known, but reporters found Social Security numbers and other sensitive student health-related data. Vice Society, the ransomware group blamed for the attack, claimed CISA stalled the release of data; the feds have long advised victims not to pay the ransom, fearing it'll lead to more attacks. Motherboard took a deep dive into ransomware affecting U.S. schools by filing dozens of FOIAs to understand how districts and school systems handle ransomware attacks, while The Guardian looks at the self-taught ransomware hunters who fight back by building decryption tools that can unlock victims' scrambled files for free.
More: TechCrunch | @brettcallow | @LAUSDSup

Russian-speaking group knocks U.S. state websites offline
CNN: Websites of several U.S. states, including Colorado, Kentucky and Mississippi, were sporadically unavailable on Wednesday after Russian-speaking hackers claimed responsibility for the outages while amplifying pro-Russian narratives. The part-hacktivist, part-DDoS group, known as Killnet, stepped up its attacks in the wake of the Russian invasion of Ukraine, and in recent months also targeted the U.S. Congress website. Some election websites went down, but it's not believed that election infrastructure was deliberately targeted, which is a concern with midterm elections just around the corner. Experts note that Killnet "thrives off of public attention and bravado," putting reporters in a tough spot.
More: StateScoop | Politico EU ($) | @JohnHultquist

Former Uber CSO convicted of covering up 2016 data breach
Washington Post ($): Uber's former chief security officer Joe Sullivan was found guilty this week of covering up a massive data breach at the ride-hailing giant in 2016, after hackers made off with information on 57 million drivers and riders. The case got a ton of attention across the CISO and CSO crowd, with some fearing that this opens up security folk to prosecution in what's already a tough and challenging job. The Record spoke to over a dozen CISOs to survey the land. Some say Sullivan — who was fired from Uber after the breach was discovered and later appointed CSO at Cloudflare (but left citing his ongoing legal case) — was scapegoated. But it wasn't the breach itself that was the issue — it was that Sullivan deliberately tried to hide the incident from federal investigators by making the hackers sign NDAs and paid out $100,000 in a "bug bounty" to stop the hackers from releasing the data. Sullivan will be sentenced at a later date, and faces years in prison for obstruction and misprision.
More: DOJ | BBC News | The Record | Wired ($) | @kimzetter | @josephmenn
Whitney Merrill tweet: "A lot of people are conflating legal issues when discussing the Joe Sullivan/Uber - be careful of the red herrings. It’s not about breach notification, it’s not about bug bounties—it’s about lying to a regulator about information responsive to an open investigation and subpoena."
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Mexico's military hack exposes abuse
The New York Times ($): A significant breach hit the Mexican military, with reams of its data now online. The hack exposes the inner workings of the country's secretive military, including leaked emails that show how Mexico was using the Israel-built spyware Pegasus to spy on journalists. Hackers who go by the name Guacamaya, who released a manifesto about protecting the environment, published the files online; some of them concern the Mexican president's health problems, which led to his hospitalization earlier this year. Some 10 terabytes were released, the hackers said, and reveal efforts to evade oversight amid considerable corruption. The Associated Press has more (via @dsosa88, thanks for sending in).

Optus confirms at least 2.1M ID numbers exposed in breach
The Guardian: Australian telco giant Optus said this week that at least 2.1 million ID numbers were stolen in its massive breach, first reported a few weeks ago. That includes 150,000 passport numbers and 50,000 Medicare numbers (remember, this is Australia). Optus already said it would cover the costs of passport replacements, per the government's request, though many of the documents were already expired, according to Optus. Meanwhile, Dark Reading reports that 30,000 employees (as far back as 2017!) at Australian telco rival Telstra had personal information stolen in a separate, unrelated breach.

PG&E publicly exposed partial Social Security numbers
Lucky225: PG&E, one of the biggest power and utility providers in the U.S., exposed Americans' partial Social Security numbers thanks to a buggy implementation of Experian's credit check questions used for verifying a person's identity, which required only a person's name and address to retrieve their partial SSN. @Lucky225 found that the company's site asked for the person's SSN, driver's license or passport number when signing up for service, but the form wasn't validating the input properly, so you could simply enter "123456789" or all-zeros as the ID number and Experian would still spit back its verification questions. This is what the form looked like:
A screenshot showing a passport number field, used (ostensibly) for identity verification, where the box lights up green with a check mark even with all-zeros entered as the passport number.
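To make the failure in the PG&E item concrete, here is an added Python sketch (not code from the original post, PG&E or Experian) that puts the "any nine digits will do" check beside a stricter one. The structural rules (area never 000, 666 or 900-999; group never 00; serial never 0000) are the ones the Social Security Administration publishes for issued numbers, and the dummy-value list is a constructed example.

```python
import re

# Constructed deny-list of well-known dummy SSNs a sign-up form should refuse outright.
# (078-05-1120 is the famous "Woolworth wallet" number; the rest are obvious fillers.)
KNOWN_PLACEHOLDERS = {"123456789", "987654321", "111111111", "078051120"}


def weak_ssn_check(value: str) -> bool:
    """The behaviour described in the item: any nine digits pass, including all-zeros."""
    return bool(re.fullmatch(r"\d{9}", value))


def strict_ssn_check(value: str) -> bool:
    """Hardened check: format, SSA structural rules, then the placeholder deny-list.

    Accepts '123-45-6780' or '123456780' style input; rejects anything that could
    not be an issued SSN so it never reaches the identity-verification backend.
    """
    digits = value.replace("-", "")
    if not re.fullmatch(r"\d{9}", digits):
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:   # never-issued area numbers
        return False
    if group == 0 or serial == 0:                 # group 00 / serial 0000 never issued
        return False
    if digits in KNOWN_PLACEHOLDERS:
        return False
    return True


def compare_checks(candidates):
    """Return {candidate: (weak_result, strict_result)} so the gap is visible at a glance."""
    return {c: (weak_ssn_check(c.replace("-", "")), strict_ssn_check(c)) for c in candidates}


if __name__ == "__main__":
    for value, (weak, strict) in compare_checks(["000000000", "123456789", "123-45-6780"]).items():
        print(f"{value}: weak={weak} strict={strict}")
```

Input validation only closes the placeholder hole; the larger lesson of the item is that the verification quiz should not be served until the submitted ID actually matches the record on file.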
On CIA informants who were compromised in the field
The Brush Pass: Last week we looked at the Reuters ($) report shedding new light on a network of poorly built CIA-run websites that were secretly communications platforms for its informants in Iran. The story is incredible, and builds off work by Yahoo News back in 2019, which first uncovered the websites that had been "shattered" by Iran's intelligence, leading to the arrests of many CIA spies, many of whom were executed. @zachsdorfman, one of the authors of the original 2019 report, followed up with his own analysis this week, following Reuters' report, about how the spies were abandoned by the CIA.

Security bugs found in Ikea's smart lighting gateway
Dark Reading: Researchers at Synopsys found two vulnerabilities that could be abused to hijack and take control of an Ikea Trådfri smart lighting system, such as turning up the bulbs to full brightness (or off) — while preventing users from altering the lights through the app. Per the researchers, "the malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected."
~ ~


Netwalker ransomware affiliate jailed for 20 years: Former Netwalker ransomware affiliate Sebastien Vachon-Desjardins was sentenced to 20 years in prison and must forfeit $21.5 million in ransomware proceeds for his role in attacks on several U.S. companies. The Canadian national and former Canadian government employee was extradited from Quebec to face trial in the United States. The judge in the case sentenced the cybercriminal way above the federal sentencing guidelines of 12-15 years, a sign of how seriously the U.S. is taking prosecuting ransomware actors.

IR teamers really need a break: New survey findings from IBM [PDF] show incident responders are absolutely knackered. The survey asked 1,100 incident responders for their views. Two-thirds say they experience stress or anxiety in their daily lives as a result of responding to incidents, with 30% experiencing insomnia, and 29% say it affects their social lives, though 84% say they have adequate access to mental health support (100% would be better, companies!). @techieStef has a good tweet thread on the results. (via The Register)

NSA: Who hacked what now?! Spies snooped inside a U.S. military defense contractor's network for months and stole a cache of sensitive data, according to a joint release by the NSA, CISA and the FBI. The U.S. agencies point the finger of blame at an unspecified APT group, but could be Russia if a since-deleted reference to protecting "against Russian-state sponsored malicious cyber activity" is anything to go by. Whoops?
~ ~


OK, onto the fun stuff. First off, don't forget to thank your friendly neighborhood hackers.
A giant billboard in Liverpool, U.K. that's been taken over with a Notepad window that says, "we suggest you improve your security, sincerely, your friendly neighbourhood hackers"
And major congrats to @tarah, whose multi-year research looking at the mental health of incident responders working to remediate the WannaCry ransomware attack on the U.K.'s NHS services is now out. The cyberattack caused widespread damage to health services across the U.K. and further afield. @tarah's tweet thread is well worth the read.
Tarah Wheeler tweet: "Information security professionals and incident responders in major cyberattacks *are* the front line. We have little mental health support, and often are blamed for situations outside our control. This leads to trauma and burnout. It's time to provide these resources."
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat is Bertram, who as you can see is keylogging. But he'll turn the other way if you give him a treat and a scritch. Many thanks to Suse S. for the submission!
Send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Repeat submissions welcome.
~ ~


That's all for this week, thanks for reading. As always, you can drop any feedback you have in the suggestion box or email me.

Wherever you are in the world, have a great one — and see you next week for more. And don't forget to send in your cyber cats (or their friends)! 
