šŸŽ“ļø Vulnerable U | #037

Plastic Surgeon hacked & Nude photos leaked, Homebrew Supply Chain Security Enhancements, Mortgage Company Cyberattack, MITRE ATT&CK Report, and more!

Read Time: 5 minutes

Howdy friends!

Out in California this week. Long trip, long days, excited to get home. It is hard to realize the weather out here is just this perfect all year round. I’m still carrying some Texas summer trauma. Oh and got to go see the space shuttle!

John Gardner on failure:

“Everyone fails. [The professional boxer and world heavyweight champion] Joe Louis said ‘Everyone has to figure to get beat some time.’ The question isn’t did you fail, but did you pick yourself up and move ahead?

“And there is one other little question: Did you collaborate in your own defeat? A lot of people do. Learn not to.”

ICYMI

šŸ–Šļø Something I wrote: Getting hacked isnā€™t a point in time activity. It is the culmination of a lot of decisions over time. Getting Hacked Slowly.

šŸŽ§ļø Something I heard: Yā€™all liked me including a song I was listening to last week so hereā€™s another. Not my usual genre but canā€™t help but move my body to this one.

🎤 Something I said: Talked about the Okta hack and the SEC/Solarwinds issue

🔖 Something I read: What Being Sober Has Meant to Me by Brené Brown

Vulnerable News

A group of women are suing after their plastic surgeon’s office got hacked; the practice was insecurely storing their personal info, including nude photos taken before and after procedures. My question? Why does this stuff need to be stored at all? I can understand needing something to aid in the procedure but can’t imagine a need for long term storage. (read more)

Sumo Logic had their AWS creds stolen. The incident notification is light on details and doesn’t call it a breach. But they detected some unauthorized use of their AWS accounts. They also say customer data was unimpacted but caution all of their customers to rotate a bunch of secrets.

They issued an updated security notice on November 9, 2023, offering a playbook to guide customers in updating their API access keys following a potential security incident on November 3rd. (read more)

A collaborative project involving Trail of Bits, Homebrew, Alpha-Omega, and OpenSSF aims to enhance transparency and security within the Homebrew ecosystem. Over a six-month period, this project seeks to introduce cryptographically verifiable build provenance to homebrew-core. By achieving compliance with SLSA Build L2 (formerly known as Level 2), Homebrew bottles will carry signed provenance, so users can verify that a package was built by the official Homebrew CI/CD rather than on some maintainer’s laptop. Homebrew, the dominant package manager on macOS and widely used on Linux as well, is a prime target for supply chain attacks, making this initiative pretty f’n awesome. (read more)
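To make the "verify it came from the official CI" idea concrete, here is an added example (written for this newsletter, not Homebrew's or Trail of Bits' code) of the policy checks a consumer runs against a SLSA v1 provenance statement for a downloaded bottle. It assumes the statement's signature has already been verified by a Sigstore/in-toto client (that step is out of scope here). The builder id, build type, bottle name and bytes are constructed placeholders, not real Homebrew identifiers.

```python
"""Added example: post-signature policy checks on a SLSA v1 provenance statement.

Assumes a Sigstore/in-toto client already verified the statement's signature.
Checks shown: artifact hash matches a subject, predicate is SLSA provenance v1,
and the builder id is one we trust (the official CI, not an arbitrary machine).
All identifiers and data below are constructed for illustration.
"""
import hashlib
import json

INTOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Hypothetical trusted builder identity (placeholder, not a real Homebrew URL).
TRUSTED_BUILDERS = {"https://ci.example/homebrew-core/github-actions"}

# Constructed sample artifact standing in for a downloaded bottle.
BOTTLE_NAME = "jq--1.7.arm64_sonoma.bottle.tar.gz"
BOTTLE_BYTES = b"constructed bottle contents for the example\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name: str, artifact_bytes: bytes, builder_id: str) -> str:
    """Produce a constructed in-toto Statement (as JSON) carrying SLSA v1 provenance."""
    statement = {
        "_type": INTOTO_V1,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                # Placeholder build type; a real one names the CI workflow schema.
                "buildType": "https://ci.example/build-types/homebrew-bottle/v1",
                "externalParameters": {"formula": "jq", "revision": "deadbeef"},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    return json.dumps(statement)


def verify_provenance(statement_json: str, artifact_name: str, artifact_bytes: bytes,
                      trusted_builders=TRUSTED_BUILDERS):
    """Return (ok, reason). ok is True only when every policy check passes."""
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return False, f"malformed statement: {exc}"
    if stmt.get("_type") != INTOTO_V1:
        return False, "not an in-toto v1 statement"
    if stmt.get("predicateType") != SLSA_V1:
        return False, f"unexpected predicateType {stmt.get('predicateType')!r}"

    # 1. The bytes we downloaded must be exactly what the build attested to.
    digest = sha256_hex(artifact_bytes)
    subjects = [s for s in stmt.get("subject", []) if s.get("name") == artifact_name]
    if not subjects:
        return False, f"no subject named {artifact_name!r}"
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        return False, "artifact sha256 does not match provenance subject"

    # 2. The build must have run on the builder we trust (SLSA Build L2 property).
    builder = (stmt.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"
    return True, "ok"


if __name__ == "__main__":
    good = make_statement(BOTTLE_NAME, BOTTLE_BYTES,
                          "https://ci.example/homebrew-core/github-actions")
    print(verify_provenance(good, BOTTLE_NAME, BOTTLE_BYTES))            # (True, 'ok')
    print(verify_provenance(good, BOTTLE_NAME, BOTTLE_BYTES + b"x"))     # tampered bottle
    rogue = make_statement(BOTTLE_NAME, BOTTLE_BYTES, "https://ci.example/laptop")
    print(verify_provenance(rogue, BOTTLE_NAME, BOTTLE_BYTES))           # wrong builder
```

The point of the builder-id check is the whole value of Build L2: a correctly signed statement from the wrong builder is still a rejection, because anyone can sign a statement about bytes they built themselves.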

The Recorded Future report details the evolution of Chinese state-sponsored cyber operations over the past five years. These operations have become increasingly sophisticated, focusing on exploiting zero-day and known vulnerabilities in public-facing security and network appliances.

Overall a great report with tons of data on China’s activities and how they’re evolving with shifting motivations and techniques. (read more)

Not every day an episode of Mr. Robot plays out. Not that I know for sure these hacks were done by someone trying to wipe out debts but can’t help but notice life imitating art.

Mortgage and loan company Mr. Cooper has reported a "cybersecurity incident" as the cause of an ongoing outage. The Texas-based company, with over 4.1 million customers, took immediate steps to secure its systems after the incident on October 31. While it is actively investigating the event to determine if customer data has been compromised, Mr. Cooper has assured customers they will not incur fees, penalties, or negative credit reporting due to the incident. The company has not provided a timeline for system restoration or details on the extent of the breach. (read more)

Magoo is a voice I listen to whenever he speaks up. This is a topic I’m glad he chimed in on. I consider it a must read on the topic. Here is his conclusion:

“The SEC is signaling that they will be performing discovery of internal security processes at investor-held companies that have major breaches.

They will:

  • Use legal discovery to match internal processes with public statements

  • Verify that those processes are healthy

Those seem reasonable. However, they’ve complicated the role of Security and the CISO in risk disclosure. Disclosure of ongoing risk findings is now an open problem that I believe most, if not all, companies are in debatable compliance with based on the language in the complaint.

I don’t think more disclosure is a bad idea. Rather, I’m not sure that expectations around what should be disclosed will be clear, except in hindsight.” (read more)

We covered the breach. Well, now here is the reaction: MFA rollouts across DNA collecting companies! (read more)

Calling all bug hunters!

Google has launched a new AI bug bounty program to address the unique challenges posed by generative AI technologies. This initiative is part of a broader industry and government effort to understand and mitigate the risks associated with AI. The program will cover vulnerabilities such as prompt injections, data leakage, model manipulation, and more. Alongside this, OpenAI plans to study the ā€œcatastrophic riskā€ of generative AI, and the United Nations is forming a panel to report on AI governance. (read more)

This could be huge if it works well and is adopted by more MFA apps. It would make a big dent in phishing success. The MFA apps can block suspicious alerts, taking some of the burden off users in matching to trusted domains and in defending against push fatigue. (read more)

This is an awesome data slice and dice which marries MITRE ATT&CK to real world attack data. They do a few heat maps of most used techniques in the matrix. Worth the read! (read more)

QNAP Systems has issued security advisories addressing two critical command injection vulnerabilities affecting various versions of the QTS operating system on its network-attached storage (NAS) devices. The first vulnerability, CVE-2023-23368, holds a severity rating of 9.8 and allows remote attackers to execute commands over the network. It affects QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1. The second vulnerability, CVE-2023-23369, rates at 9.0 in severity and carries similar exploitation potential. It impacts QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, along with the Multimedia Console and Media Streaming add-on. Installing the available updates immediately is the mitigation; internet-exposed NAS devices are exactly the kind of appliance the Recorded Future report above describes being targeted. (read more)
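The advisories don't say where the injected input lands, so the following is an added example of the bug class in general, not QNAP's code and not a claim about how these two CVEs work: a NAS-style "ping this host" handler in its vulnerable form beside a hardened one. The hostname validator and argv construction are this newsletter's illustration; nothing here actually executes a process, so the injection is visible in the returned command.

```python
"""Added example: OS command injection, vulnerable form beside a hardened form.

Illustrates the bug class named in the QNAP advisories using a made-up
"ping a host" handler; it is not QNAP code and makes no claim about the
actual CVEs. Both builders only return the command they would run, so the
example runs offline and the effect of untrusted input is easy to compare.
"""
import ipaddress
import re
import shlex

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
# Rejecting a leading hyphen also stops the value being parsed as a ping option.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_ping_unsafe(host: str) -> str:
    """VULNERABLE: the untrusted value is spliced into a string that would be
    handed to `sh -c`. Any shell metacharacter (; | & $() backticks) becomes
    part of the command."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allowlist validation: accept an IPv4/IPv6 literal or a plain DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def build_ping_safe(host: str) -> list:
    """HARDENED: reject anything that is not a host, then return an argv list
    for subprocess.run(argv, shell=False). No shell ever parses the value."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def shell_quoted(host: str) -> str:
    """Defence in depth when a shell string is unavoidable: shlex.quote turns the
    value into a single literal word. Validation first is still the primary control."""
    return f"ping -c 1 {shlex.quote(host)}"


if __name__ == "__main__":
    payload = "127.0.0.1; cat /etc/shadow"           # constructed attacker input
    print(build_ping_unsafe(payload))                  # second command survives intact
    print(shell_quoted(payload))                       # quoted into one harmless word
    print(build_ping_safe("192.168.1.10"))             # ['ping', '-c', '1', '192.168.1.10']
    try:
        build_ping_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The argv form is the real fix: with `shell=False` the kernel receives `ping` and its arguments directly and there is no shell to interpret `;`. Quoting is a fallback for legacy code paths that cannot be converted, and validation on top means an input like `-f` is rejected before it can be read as a flag.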

The European Union's latest proposal, Article 45 of the eIDAS regulation, has raised significant concerns among digital privacy experts. In the name of "identity" and "consumer choice," the EU seeks to establish a European HTTPS/TLS certificate hierarchy, a European DNS service, digital ID cards, and an extensive ecosystem of digital identity technologies. The stated objective is to reduce reliance on non-European services and enhance online security. However, critics argue that requiring browsers to trust government-designated certificate authorities, and restricting their ability to remove that trust, would undermine security and privacy by allowing undetectable interception of HTTPS communication. This controversial proposal has triggered a call to action, urging individuals to express their concerns and advocate for amendments that align with global internet standards. (read more)

The gang behind the MOVEit breaches, cl0p, has found a new target: a zero-day in the on-premises version of the IT service and help desk software SysAid. Microsoft's Threat Intelligence team discovered the exploitation, which impacted a limited number of SysAid customers, and reported it on November 2. SysAid promptly developed and released patches for the issue. (read more)

Miscellaneous mattjay

Let me hear it!

Screaming into a newsletter void is rough - feedback helps me make sure I'm giving you something you want to read every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay