A crypto implosion, Twitter shakeups and Patch Tuesday takeaways

[Image via Unsplash]

Welcome to Changelog for 11/13/22, published by Synack! It’s me, Blake, bringing you the latest news with a boost from README senior editor Nathaniel Mott. I was relieved to see the Nov. 8 U.S. midterm elections go off without a major cyber hitch. Kudos to everyone who worked behind the scenes to make sure the democratic process played out smoothly. Here’s what else happened last week:


The payload

Chaos loves bad cyber company. The recent collapse of the FTX cryptocurrency exchange offers about as much high-stakes turbulence as any malicious hacker could ever hope for.

Around half a billion dollars in suspicious cryptocurrency transfers over the last 48 hours are now coming under scrutiny, according to a filing yesterday by FTX. The bulk of those funds changed hands shortly after FTX declared bankruptcy Friday.

“We have been in contact with, and are coordinating with law enforcement and relevant regulators,” said John Ray, Chief Restructuring Officer and CEO of FTX, in a statement. Ray took the reins from disgraced ex-CEO Sam Bankman-Fried, who resigned from the company last week amid a bank run on his exchange and an ongoing investigation into whether he torched user funds through reckless business practices.

If confirmed, the roughly $477 million hack would go down as one of the biggest crypto heists of all time. For now, FTX is labeling the outflows as “unauthorized transactions” as it scrambles to freeze assets and pick up the pieces from Bankman-Fried’s shattered crypto empire.

As for the potential thief: They would do well to remember that blockchain technology leaves permanent traces, and law enforcement has a long memory. The U.S. Justice Department announced Tuesday it seized a record $3.36 billion in Bitcoin from defendant James Zhong back in November 2021. Zhong has since pleaded guilty to stealing over 50,000 Bitcoins from the now-defunct Silk Road dark web marketplace — way back in 2012.

The week, compiled

Twitter CISO Lea Kissner announced on Nov. 10 that they were leaving the company amid ongoing concerns about Elon Musk’s acquisition, the subsequent firing of nearly half its employees and rampant abuse of a new feature that allows Twitter Blue subscribers to pay $8 per month to be “verified.”

[Image via Unsplash]

“I’ve made the hard decision to leave Twitter,” Kissner tweeted on Thursday. “I’ve had the opportunity to work with amazing people and I’m so proud of the privacy, security, and IT teams and the work we’ve done. […] I’m looking forward to figuring out what’s next, starting with my reviews for [Usenix].”

All of this came just weeks after Peiter “Mudge” Zatko blew the whistle on Twitter’s security practices — and that was back when the company had a CISO, wasn’t owned by Musk and didn’t find itself down nearly half its workforce based in part on a code review conducted by Tesla engineers.

Now those remaining Twitter engineers will have to “self-certify compliance with FTC requirements and other laws,” according to Casey Newton, who reported that a Twitter employee said, “All of this is extremely dangerous for our users” and “extremely detrimental to Twitter’s longevity as a platform.”

Here are some of the other things that happened in the last seven days:

BleepingComputer: Microsoft’s Patch Tuesday releases included patches for 68 vulnerabilities. That tally includes six actively exploited zero-days, two of which are Exchange bugs that were publicly revealed in September, and a total of 11 vulnerabilities that the company considered “critical.”

The Washington Post: A root certificate authority called TrustCor “has connections to contractors for U.S. intelligence agencies and law enforcement” as well as “the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics.”

The Record: A European Parliament committee released a draft report examining the use of spyware in the EU. The committee concluded that governments have used “spyware on their citizens for political purposes and to cover up corruption and criminal activity,” despite claims that these tools will only be used to protect national security or assist with law enforcement activity.

A message from Synack

APIs are on track to be the most frequent attack vector in 2022, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a Nov. 16 webinar on API security testing, where they’ll break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and sign up to view the webinar here.

Flash memory

WhatsApp announced in November 2014 that it was rolling out end-to-end encryption (E2EE) support with assistance from Signal developer Open Whisper Systems.

The release made E2EE messaging available to WhatsApp’s massive audience — it now has over a billion monthly active users — and highlighted the tech industry’s commitment to securing private communications in the wake of Edward Snowden providing journalists a trove of documents related to NSA surveillance.

[Image via WhatsApp]

Facebook proper was slower to introduce E2EE support in its homegrown messaging app, Messenger, and Wired declared in August that its implementation of E2EE “was built to fail” after the rebranded Meta shared information about a teenager’s efforts to obtain an abortion retrieved from her messaging history.

Meta announced a day after Wired’s report that it would be testing E2EE backups of Messenger chats, release a browser extension called Code Verify to let users make sure they’re connected to Messenger and start an experiment with “automatic end-to-end encrypted chat threads on Messenger.”

Let’s check in again in another eight years, eh?

Local files

FreightWaves: Mexico’s Secretariat of Infrastructure, Communications and Transportation announced that an October cyber incident led it to stop issuing new permits, plates and licenses for commercial truck drivers through the end of the year. In addition to disrupting the country’s supply chain, the move could hinder cross-border trade with the U.S., as drivers go without necessary documents.

Reuters: Greece announced that it would ban the sale of spyware after a local newspaper, Documento, reported that the Greek government had been snooping on at least 30 people using the Predator malware.

TechCrunch: A suspected member of the LockBit ransomware gang was arrested in Canada in October; the arrest was made public on Nov. 10. TechCrunch reported that law enforcement organizations — including Europol, the FBI and the Royal Canadian Mounted Police — “seized eight computers, 32 external hard drives, and €400,000 in cryptocurrencies” from the suspect.

Off-script

Veterans Day was Friday, marked as a federal holiday in the U.S. and commemorated with events, ceremonies and announcements around the country. Other nations formally designate Nov. 11 as Remembrance Day or Armistice Day — signaling the end of hostilities on the Western Front of World War I.

I marked the occasion on Nov. 10 by co-hosting a Twitter Spaces discussion alongside Marine Corps veteran Jeremiah Roe to talk about career transitions into cybersecurity. I’m not a vet, but I wanted to offer my thanks to any Changelog readers who served in the armed forces!

[Image: Soldiers cheering Armistice Day in 1918.]

That’s it for this Sunday — see you next week! Send tips or feedback to bsobczak@synack.com or nmott@synack.com.