Changelog: How to lose $2 billion
Welcome to Changelog for 10/26/23, published by Synack! README senior editor Nathaniel Mott with the week’s top cybersecurity news.
The payload
You’ve probably seen “How to Lose a Guy in 10 Days.” Now get ready for “How to Lose $2 Billion in a Week” or, as most people are calling it, the fallout of Okta’s disclosure that it was hacked.
I said earlier this week that Okta’s share price would probably recover from that disclosure. That’s probably still true in the long term, but in the here and now, the company’s market cap ain’t lookin’ so hot. And that’s probably at least partly because the incident had broader implications than we originally thought—and because this hack in particular appears to have shaken the industry’s faith in the company.
Okta’s entire business is predicated upon trust. Organizations have to believe the company’s identity and access management service is a reliable obstacle to would-be hackers, and that it won’t be used against them. Yet this isn’t the first time Okta has been compromised, and despite the pivotal role it plays in securing many organizations, it doesn’t seem to know exactly how it’s going to prevent more incidents in the future.
Wired reported that when it “asked Okta a series of questions about what steps it is taking to improve customer service defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment.” (Although it apparently plans to “share more information about these subjects soon.”)
That isn’t a good look, especially since its customers were the ones to notice that someone was making their way into their networks with session tokens pilfered from Okta’s compromised system. How long might it have taken the company to respond if BeyondTrust and Cloudflare hadn’t reached out to it? And how many additional Okta customers might have been targeted as a result?
We can’t know, of course, but these are exactly the kinds of questions companies want to avoid.
The week, compiled
Researchers have disclosed a vulnerability in the Safari browser on macOS, iOS and iPadOS that can be exploited to “render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” which poses a significant risk to people using Apple hardware.
The vulnerability has been dubbed “iLeakage.” The researchers who discovered it shared a variety of demo videos showing how it can be exploited to harvest the credentials to someone’s Instagram account, view the contents of their Gmail inbox or snoop on their YouTube watch history. (Which seems like far less of a big deal than the first two, but hey, maybe some folks are really sensitive about their bad taste.)
Ars Technica reported that iLeakage stems from underlying problems in Apple’s silicon and the WebKit browser engine. That means people using a Mac with an M1 or M2 processor and the Safari browser are at risk and, because even third-party browsers on iOS and iPadOS are required to use the same engine as Safari itself, so is pretty much everyone who browses the web with an iPhone or iPad.
The good news: Apple has released a mitigation for iLeakage… on the Mac… as an unstable feature that Safari users have to manually enable. Lockdown Mode can also defend against exploit attempts. The bad news: There are no other defenses against this attack, which is also “highly unlikely to be detected.” So anyone with a Mac, iPhone or iPad might want to stick to trustworthy sites for a while, eh?
As for the week in README:
README: The vulnerability disclosure systems used in the U.S. are a cornerstone of many organizations’ efforts to secure their networks. They’re also flawed, as regular contributor Cynthia Brumfield reported on Wednesday, and it’s not clear how the groups responsible for managing them can address those issues.
Commit 10_23_2023: A sudden drop in devices running Cisco IOS XE that were known to have been compromised via recent vulnerabilities, a wiretapping campaign targeting Jabber that was thwarted by an expired TLS certificate and China’s struggle to crack down on Southeast Asian scam networks.
Commit 10_24_2023: A record month for ransomware in what’s shaping up to be a banner year for everyone’s favorite cybercrime, the most-loved U.S. agency (cough) renews cyber-related requirements for the rail industry and a former NSA worker pleads guilty for attempting to sell secrets to Russia.
A message from Synack
How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.
Flash memory
Microsoft released Windows XP—affectionately known in some circles as “the last good version of Windows”—on Oct. 25, 2001. It stopped offering support for most installs in April 2009, and by April 2014, even organizations that had paid for the privilege of additional updates were told it was time to upgrade.
I remember Windows XP being… fine. It was the default install on the systems in my middle school’s computer lab, so I mostly associate it with the now-dated versions of Microsoft Office, Audacity and Photoshop we had to use for assignments. (Along with my introduction to proxying websites that were probably terrible from a security and privacy standpoint but allowed us to bypass the school’s filters.)
Now we’ve gone through so many other versions of Windows that even Microsoft gave up on counting them sensibly, jumping from Windows 8 and the point upgrade to rule them all, Windows 8.1, to Windows 10 and then Windows 11. Each release has been quite different, united perhaps only by the amount of vitriol they prompt longtime Windows users to spew across social media after their debut.
Local files
The Record: Hackers spent at least three months inside Philadelphia’s networks, which The Record reported gave them “wide access to health information stored in email accounts.” The attackers lingered between May and July, according to the city, which discovered the incident in August but didn’t notify residents until late October. (With no explanation as to why the disclosure was so delayed.)
BleepingComputer: Grupo GTD, which BleepingComputer described as “a telecommunications company offering services throughout Latin America,” said this week that an attack disrupted some of its services. BleepingComputer reported that the company was targeted by the Rorschach ransomware, “a relatively new encryptor seen by Check Point Research in April 2023.”
Off-script
I must concede defeat: I have started running Windows on my desktop again.
I wrote in June about how I had switched my setup over to Linux for a variety of reasons—privacy concerns, frustration with mainstream desktop operating systems, etc.—and I stand by those complaints. But a breaking update to my window manager that precluded me from using my graphics card (thanks, Nvidia, for the proprietary drivers!) for several months pushed me back to Microsoft’s ecosystem.
I’m beyond frustrated. On the one hand, I like having control over my computer, and if it weren’t for that breaking update I probably wouldn’t have gone back to Windows. But on the other, I have to admit that it’s nice when stuff just friggin works—especially when you have a five-year-old asking to play games that don’t run well on your Linux system or require a controller that you haven’t gotten around to setting up.
I guess it’s just a matter of choosing the right tool for the job. When it comes to everyday computing, my plan is to install Linux on a Mac mini that hasn’t seen much use lately, which should complement the Asahi setup I have going on my MacBook Air nicely. Then I can just use Windows for the stuff it does well, which in my case is literally only playing games or streaming with my friends on Discord.