Crypto heists, TLP updates and emergency alert system vulnerabilities
Welcome to Changelog for 8/7/22, published by Synack! The Black Hat and DEF CON cybersecurity conferences are taking place this week in Las Vegas, and I have serious FOMO. The last time I attended either event was back in 2018, when Parisa Tabriz of Google Chrome fame gave Black Hat’s keynote address, and DEF CON’s Voting Village — then in its second year — made waves in the runup to the 2018 U.S. midterm elections. I hope everyone attending the conferences this week can stay cool and COVID-free!
The payload
The cryptocurrency and Web3 communities gritted their teeth through another difficult week, as back-to-back breaches affecting a major “bridge” and a few crypto wallet providers drained millions in funds.
Thousands of digital wallets offered by the Web3 companies Slope and Phantom were robbed Wednesday, raising questions about the security of the Solana blockchain. Two days earlier, the Nomad bridge protocol — a tool to transfer crypto tokens among blockchains — saw a hacking free-for-all sap away nearly $200 million, catapulting the breach into the top-ten list of the all-time biggest crypto heists.
The hacks offered a timely, if unfortunate, backdrop for Jackie Singh’s latest exploration of Web3 security for README. She interviewed three security practitioners with experience on the front lines of defending crypto networks from seemingly ubiquitous cyberthreats.
As Katelyn Perna, a security VP at BlockFi, told Singh: “these problems are HARD.
“It is not easy to build new money, platforms, and culture. It is even harder to do it safely and securely,” she said.
Nomad bridge developers and roughly 8,000 Solana walletholders would agree.
The week, compiled
A cybersecurity researcher is ringing alarms about the risk of false alarms sent through the Federal Emergency Management Agency’s Emergency Alert System (EAS), which is used to notify the public of natural disasters or other threats.
The fear is that malicious hackers could breach the EAS and use it to their own nefarious ends, instilling panic in the general public or, perhaps more likely, broadcasting some spam message about everyone’s car warranty.
Ken Pyle, a partner at the CYBIR cybersecurity and incident response firm, told CNN that the software vulnerabilities he found in the EAS represent “a big critical infrastructure problem everyone needs to own.”
He’s literally owned it, presenting “compelling evidence” that the systems are vulnerable, as one FEMA branch chief put it.
Here’s what else happened last week:
CyberScoop: Twitter disclosed a security incident that would have allowed for bad actors to match emails and phone numbers to specific Twitter usernames, posing a major threat to anonymous accounts on the platform.
SC Media: A vendor charged with managing medical records for small eye care providers is alleged to have covered up a series of ransomware attacks that disrupted access to critical healthcare data.
Bleeping Computer: The Forum of Incident Response and Security Teams released a new version of the “Traffic Light Protocol” standard for sharing security-sensitive information, adding a new category for TLP:AMBER+STRICT, meaning info sharing should be confined to within the given organization. I’m disappointed they didn’t add TLP:REDPANTS.
A message from Synack
In today’s threat landscape, everyone agrees “it’s a jungle out there.” At Black Hat, Synack will share our cybersecurity expertise to help attendees survive this jungle. Visit us in booth #2328, where we’ll serve jungle juice in the tiki bar and host other events in our penthouse suite. You’ll gain a deeper perspective on adversary tradecraft from our live cyber talks in the Synack Cave, featuring experts from our elite Synack Red Team.
Flash memory
Remember when ransomware payments rarely eclipsed $750?
John Sakellariadis looked back at the history of ransomware in an in-depth article for the Atlantic Council, from those halcyon pre-2016 days to today’s multibillion-dollar cybercriminal industry.
He offered several recommendations to policymakers looking to tackle the persistent problem, including a requirement for companies paying ransoms to report that information to the U.S. government. He also urged Congress to instate a tax relief program to boost cybersecurity hygiene at small- and medium-sized organizations that can struggle most to stop cyber extortionists.
Incidentally, the Institute for Security and Technology also released a blueprint for ransomware defense last week with 40 recommended safeguards aimed at small- and medium-sized enterprises.
Sakellariadis was not so optimistic his own recommendations would solve the problem: “Even though it is tempting to hope that we are just one diplomatic agreement, one technological leap, or one regulation away from its elimination, targeted ransomware is here to stay,” he wrote.
Local files
The Register: Taiwan’s defense ministry and presidential website were hit with DDoS attacks surrounding U.S. House Speaker Nancy Pelosi’s (D-Calif.) visit to the East Asian country last week. China does not recognize Taiwan and cut off contact with the U.S. on several military and climate issues in response to Pelosi’s trip.
Reuters: The head of Greece’s main intelligence agency has resigned amid an unfolding scandal over the alleged use of surveillance software against socialist opposition party leader Nikos Androulakis. The outgoing spy chief, Panagiotis Kontoleon, stepped down “following mistaken actions found during lawful wiretapping procedures,” according to an official statement.
Off-script
French scientist Etienne Klein caused a fracas on Twitter when he shared the photo of a distant “star” below.
But the image is not, in fact, Proxima Centauri, the closest star to our own Sun (as Klein claimed). Nor was it taken by the James Webb Space Telescope, a technological marvel that recently released its first batch of intergalactic imagery.
Rather, it depicts a slice of chorizo sausage.
Klein went on to apologize for the “scientist’s joke.” In our era of online disinformation, I still found it funny:
That’s it for this week — good luck to all attending Black Hat and DEF CON! Please send your top takeaways from the cons, tips and feedback to bsobczak@synack.com. I’ll see you next Sunday.