Cyber insurance vs. cyberwar, a Signal snafu and a music video exploit

The distinctive interior of the Lloyd’s building, which is the center of operations for insurance marketplace Lloyd’s of London. Rawpixel

Welcome to Changelog for 8/21/22, published by Synack! I’m your host, Blake, and I have one programming note before we dive into the week’s top cyber news: This will be the last newsletter edition until September as Changelog takes a summer break. In the meantime, you can keep up with README’s ongoing cybersecurity coverage here, and don’t forget to follow me on Twitter. See you again after Labor Day!


The payload

The insurance industry has a cyberwar problem.

Catastrophic cyberattacks like the 2017 NotPetya malware disaster have long vexed insurers. Not only are they incredibly costly, but they are also often traced back to nation-states in ways that could potentially trigger many policies’ exclusions for acts of war.

The Lloyd’s of London marketplace is now requiring the syndicates that sell through it to write explicit exclusions for state-backed cyberattacks into their standalone cyber policies, meaning the next NotPetya could leave companies on the hook for their own losses. That’s bad news for hacking victims.

“[T]he ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” Lloyd’s said in a market bulletin Tuesday laying out the new requirements, which take effect next March.

The U.S. formally blamed Russia for the NotPetya attack, which started in Ukraine before spreading like wildfire and causing at least $10 billion in damages globally. The resulting insurance claims triggered years of legal wrangling and contributed to tightened underwriting scrutiny.

The claimants — including pharmaceutical giant Merck, which bid to recoup $1.4 billion in losses from the attack from its insurers — generally won out in court. But cases like NotPetya have done little to clarify when cyberattacks should trigger act-of-war exclusions, let alone solve the thorny technical challenges in attributing malware to a nation-state in the first place.

Costly premiums, stringent underwriting, act-of-war exclusions: Times are tough for cyber insurance shoppers.

The week, compiled

Use Signal. Use Tor.

Hackers have reflexively doled out this advice for so long that it’s practically become a meme.

But when a threat emerges to either privacy-oriented platform, it tends to turn heads.


So it was last week when Signal disclosed that a phishing attack on cloud communications company Twilio had spilled over to a small slice of the encrypted messaging app’s userbase.

Hackers could have accessed about 1,900 Signal users’ phone numbers or SMS verification codes, enabling them to attempt to re-register accounts to a new device.

The threat has since been shut down, Signal said, but not before the unknown attacker “explicitly searched for three numbers.”

One of the targeted accounts belonged to Vice cybersecurity journalist Lorenzo Franceschi-Bicchierai, who wrote that hackers were able to hijack his number on Signal for about 13 hours after re-registering it. (They could not access his contacts or messages.)

It’s unclear what they did, but the real Lorenzo is requesting you get in touch with him if he sent you a Signal message on the morning of Aug. 7.

As for the overused infosec expression? Yes, you should still use Signal. Just update your settings to enable “registration lock,” which requires your Signal PIN before the number can be registered on a new device and would have blocked the latest threat.

Here’s what else played out last week:

AP: Apple issued surprise security updates for some of its most popular devices after two actively exploited zero-day vulnerabilities cropped up. (If you’re reading this and still haven’t updated your iPhone, you should get on that.)

The New York Times: A cybersecurity researcher claimed the custom web browser tucked into the TikTok app can track user keystrokes. TikTok, which is owned by Chinese technology company ByteDance, pushed back on the findings: “Contrary to the report’s claims, we do not collect keystroke or text inputs through this code,” the social media company said, adding that the feature uncovered by privacy researcher Felix Krause was used for “debugging, troubleshooting and performance monitoring.”

A message from Synack

Cybersecurity professionals face a raft of challenges when it comes to staffing up to meet ever-evolving digital threats. Hear how the U.S. Department of Health and Human Services navigates cybersecurity hiring hurdles in an Aug. 24 webinar featuring Matthew Shallbetter, Director for Security Design and Innovation at HHS. Also presenting at 1 p.m. ET that day will be Synack’s own Scott Ormiston, who will speak to tactics and solutions for augmenting public sector security teams and best practices for setting up continuous penetration testing. Learn more and register here.

Flash memory

In 1989, Janet Jackson released her carefully choreographed hit single “Rhythm Nation.”

Decades later, the music video would get its own CVE for a bizarre reason: the song happens to contain a frequency that matches a natural resonant frequency of the 5400 RPM OEM laptop hard drives common in 2005-era PCs, and playing it could crash those drives.

Microsoft developer Raymond Chen noted in a blog post Tuesday that the affected manufacturer added a custom filter in the audio pipeline to weed out the crash-causing frequencies.

“I would not have wanted to be in the laboratory that they must have set up to investigate this problem,” he wrote. “Not an artistic judgement.”
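The fix Chen describes is a notch filter in the audio path. The block below is an added illustration, not code from Chen’s post or from the laptop vendor: it builds a second-order IIR notch from the RBJ audio-EQ cookbook formulas, runs synthetic test tones through it, and measures how much of each tone survives. The resonant frequency is not given on this page, so the 1000 Hz notch centre is a hypothetical value chosen for the demo; the 440 Hz tone is a constructed control signal that should pass through untouched.

```python
import math

SAMPLE_RATE = 44100   # Hz, typical PC audio
NOTCH_HZ = 1000.0     # hypothetical resonant frequency; the real one is not public here
Q = 30.0              # narrow notch: bandwidth ~ NOTCH_HZ / Q ~ 33 Hz


def notch_coefficients(f0, fs, q):
    """RBJ audio-EQ-cookbook second-order notch, normalised so a0 == 1.
    Returns (b0, b1, b2), (a1, a2)."""
    w0 = 2.0 * math.pi * f0 / fs
    alpha = math.sin(w0) / (2.0 * q)
    a0 = 1.0 + alpha
    b = (1.0 / a0, -2.0 * math.cos(w0) / a0, 1.0 / a0)
    a = (-2.0 * math.cos(w0) / a0, (1.0 - alpha) / a0)
    return b, a


def apply_biquad(samples, b, a):
    """Direct form I IIR filter:
    y[n] = b0 x[n] + b1 x[n-1] + b2 x[n-2] - a1 y[n-1] - a2 y[n-2]"""
    b0, b1, b2 = b
    a1, a2 = a
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x0 in samples:
        y0 = b0 * x0 + b1 * x1 + b2 * x2 - a1 * y1 - a2 * y2
        out.append(y0)
        x2, x1 = x1, x0
        y2, y1 = y1, y0
    return out


def tone(freq, fs, seconds):
    """Constructed test signal: a unit-amplitude sine at `freq`."""
    return [math.sin(2.0 * math.pi * freq * i / fs) for i in range(int(fs * seconds))]


def amplitude_at(samples, freq, fs, window=22050):
    """Peak amplitude of the component at `freq`, from a single DFT bin over the
    last `window` samples (the tail, so the filter's start-up transient is gone).
    With fs=44100 and window=22050, 1000 Hz and 440 Hz sit exactly on bins."""
    seg = samples[-window:]
    re = im = 0.0
    for n, x in enumerate(seg):
        ang = 2.0 * math.pi * freq * n / fs
        re += x * math.cos(ang)
        im -= x * math.sin(ang)
    return 2.0 * math.hypot(re, im) / window


def attenuation_db(freq):
    """How much the notch removes at `freq`, measured on a 1 s steady-state tone."""
    b, a = notch_coefficients(NOTCH_HZ, SAMPLE_RATE, Q)
    x = tone(freq, SAMPLE_RATE, 1.0)
    y = apply_biquad(x, b, a)
    before = amplitude_at(x, freq, SAMPLE_RATE)
    after = amplitude_at(y, freq, SAMPLE_RATE)
    return 20.0 * math.log10(before / max(after, 1e-12))


if __name__ == "__main__":
    for f in (NOTCH_HZ, 440.0):
        print(f"{f:7.1f} Hz: {attenuation_db(f):6.1f} dB attenuation")
```

A narrow notch like this removes the one offending frequency while leaving neighbouring content essentially untouched, which is why it could be dropped into the audio pipeline without audibly changing playback. In a real driver the centre frequency would come from the drive vendor’s measurements, not from a constant.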

Local files

The Wall Street Journal: In Chattanooga, Tenn., the state’s BlueCross BlueShield health insurer has teamed up with East Tennessee State University to offer an intensive cyber education program aimed at filling an estimated 8,000 open infosec positions in the state.

Homeland Security Today: The Cybersecurity and Infrastructure Security Agency joined state election officials from across the U.S. to host the three-day “Tabletop the Vote” security exercise last week. “The nation’s election officials face a range of challenges, including cyber and physical risks to their infrastructure, and false election information that weaken voters’ trust in the process,” state and federal officials said in a joint statement on the event. “In the face of this dynamic environment, the election community works closely together to ensure the American people can be confident in the security and resilience of the 2022 elections.”

Off-script

Finnish Prime Minister Sanna Marin, 36, had a rocky week after a video leaked of her dancing at a party, stirring debate about propriety in positions of power. Marin submitted to a drug test but did not apologize — and rightly so, in my view.

Finnish Prime Minister Sanna Marin. Government of Finland

“I hope that in the year 2022 it’s accepted that even decision-makers dance, sing and go to parties,” she told reporters.

Polish Prime Minister Mateusz Morawiecki backed up his Finnish counterpart with a nod to her country’s pending membership in NATO:

“The prime minister has a reason to be happy because Finland joined NATO,” Morawiecki told a news conference, as Reuters reported Friday. “So if on this occasion the prime minister of Finland drank a little more Finlandia (vodka) and because of this danced, there is nothing terrible in that.”

With my birthday coming up later this week, I’ll plan to party like I’m joining NATO.

That’s all for now — send any tips, feedback and Finnish party favors to bsobczak@synack.com. See you in September!