Google cuts the cord, Microsoft takes a security pay cut and the U.S. slaps spyware firms

Sigmund / Unsplash

Welcome to Changelog for 7/23/23, published by Synack! Nathaniel Mott here, braving ongoing thunderstorms throughout upstate New York to bring you the week’s most noteworthy goings-on in cybersecurity.


The payload

Google is pulling a Thanos. Not that it’s looking to wipe out half of all life in the universe — at least to my knowledge — but in that it’s seeking to bring an unconventional sort of balance to the security world. Google has explored “securing a system by only giving it access to the web” on one hand and “securing a system by not letting it go online” on the other.

The first approach came to my attention when Nordic Choice Hotels switched its systems from Windows to Chrome OS following a ransomware attack. The second caught my eye last week as CNBC reported that Google was planning to make some of its employees work without internet access.

CNBC said Google was “starting a new pilot program where some employees will be restricted to internet-free desktop PCs” that “will disable internet access on the select desktops, with the exception of internal web-based tools and Google-owned websites like Google Drive and Gmail.”

It makes sense: it's much harder to compromise a system that isn't connected to the internet. (Especially if the system's users are also trained not to plug random USB devices into it, of course.)
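The pilot as described amounts to an egress allowlist: no general internet, but a short list of internal tools and company-owned domains stays reachable. The check that enforces such a list is easy to get subtly wrong, so here is an added example (mine, not Google's implementation, and not code from the original article) that decides per destination URL whether the host falls under an allowed domain. The domain names, the helper names and the sample URLs are constructed for illustration; the hardened check is shown beside the naive `endswith()` version that lets look-alike hosts through.

```python
"""Egress allowlist decision for an 'internal tools and company sites only' desktop.

Hypothetical example: the suffix list, function names and sample URLs below
are constructed for illustration and are not from any real deployment.
"""
from urllib.parse import urlsplit

# Constructed allowlist: an internal tools domain plus company-owned public sites.
ALLOWED_SUFFIXES = (
    "tools.example.internal",   # hypothetical internal web-based tools
    "drive.example.com",        # hypothetical company-owned sites
    "mail.example.com",
)


def host_of(url):
    """Return the lowercase hostname of a URL without port, userinfo or trailing dot.

    urlsplit().hostname already lowercases and drops the port; it also ignores
    any 'user@' prefix, so 'https://drive.example.com@attacker.test/' yields
    'attacker.test' rather than the allowed-looking name before the '@'.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_allowed(url):
    """Hardened check: host equals an allowed suffix or is a subdomain of it.

    Comparing on a label boundary ('.' + suffix) is what stops
    'evil-drive.example.com' from matching 'drive.example.com'.
    """
    host = host_of(url)
    if not host:
        return False
    for suffix in ALLOWED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def naive_is_allowed(url):
    """The common mistake: a bare endswith() with no label boundary.

    Kept only to show the bypass; do not use this form.
    """
    host = host_of(url)
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


if __name__ == "__main__":
    for sample in (
        "https://drive.example.com/some/file",
        "HTTPS://Docs.Drive.Example.COM:443/x",
        "https://evil-drive.example.com/",
        "https://drive.example.com.attacker.test/",
        "https://drive.example.com@attacker.test/",
        "https://203.0.113.5/",
    ):
        print(f"{sample:45} strict={is_allowed(sample)!s:5} naive={naive_is_allowed(sample)}")
```

The interesting row is `evil-drive.example.com`: the naive check accepts it because the string ends with an allowed suffix, while the label-boundary check rejects it. A real deployment would enforce this at a proxy or DNS resolver rather than in client code, but the comparison rule is the same.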

But it’s interesting that some companies like Nordic Choice Hotels are looking to minimize security concerns by shifting to a cloud-based model while Google, the company that exists primarily to keep people online as much as possible, is experimenting with the opposite approach.

Perfectly balanced, as all things should be.

The week, compiled

When should companies have to pay for additional security features?

It depends: Security vendors need customers to pay for their products, naturally, yet those customers expect a certain level of security at no cost. It’s a balancing act — and Microsoft walked it throughout last week.

Jp Valery / Unsplash

Reuters reported on July 13 that some Microsoft customers were unable to launch full investigations into the recent hack that claimed the U.S. Departments of State and Commerce (among others) as its victims because they were “not paying Microsoft for its premium security suite.”

Microsoft eventually relented, with The Wall Street Journal reporting on July 19 that the company would “make 31 critically important security logs available free to licensees of the company’s lower-cost cloud services” and “increase the duration of retention for security logs from 90 to 180 days.”

Those changes are likely to help mitigate concerns that Microsoft double-dips by charging its customers for its services (Windows, Office, Azure, etc.) as well as the measures (access to threat intelligence, log retention, etc.) needed to use them as securely as possible. And they’re unlikely to put much of a dent in Microsoft’s security business, which brings in $20 billion a year.

Also on my radar:

Ars Technica: A pair of actively exploited vulnerabilities wreaked havoc last week. The flaws reside in the Adobe ColdFusion web app server and in “various Citrix NetScaler products,” and the latter received a CVSS severity rating of 9.8 out of 10 because it can be exploited for remote code execution without any form of authentication.

WSJ: The U.S. Department of Commerce added two spyware firms to the Entity List, which makes it difficult for them to do business with American organizations. The firms are Intellexa and Cytrox, both of which are connected to the Predator spyware used to surveil iPhone owners.

BleepingComputer: VirusTotal apologized on July 21 “for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month,” though the data was restricted to users’ names and email addresses.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

CNN reported in July 2019 that Paige Thompson was “accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information.”

Thompson “used a software tool she built via Amazon Web Services to look for misconfigured accounts” and then “used the accounts to hack and download the data of more than 30 entities, including Capital One,” according to The Seattle Times. She was caught soon after, convicted in June 2022 and then sentenced to time served that October.

It’s not clear what motivated the hack — although Thompson did at one point install cryptocurrency mining software on some of the servers she compromised, earning approximately $10,000 as a result, according to a profile that was published by Seattle Met in April. But one would hope that it at least convinced some companies to look at their AWS settings.

Local files

NYT: Kevin Mitnick, who earned the moniker of “the world’s most wanted hacker” in the ’90s and most recently served as the chief hacking officer at phishing simulation company KnowBe4, died on July 16 of complications from pancreatic cancer.

The Verge: The Biden administration announced on July 18 that the U.S. Cyber Trust Mark, a voluntary program through which the FCC will grant a stamp of approval to Internet of Things products that meet NIST cybersecurity standards, is expected to officially debut in 2024.

TechCrunch: Google fixed a zero-day vulnerability in the Chrome browser that was reportedly discovered and exploited by an Apple engineer during a capture-the-flag competition. The exploit was then shared with Google not by that engineer, but by someone else at the competition, which raised questions about the circumstances surrounding the bug’s disclosure.

Off-script

Nothing reminds you how little content you actually own quite like a thunderstorm.

Brandon Romanchuk / Unsplash

I lost power for about four hours last Wednesday. Luckily I had my trusty Nintendo Switch for entertainment… or so I thought. When I went to launch a game, the console refused to do so because I wasn’t connected to the internet. (And, you know, that’s the kind of thing you need electricity for.)

I’ve read comments online complaining about how most digital media has no concept of ownership. Providers can remove ebooks and other content from someone’s digital library, and end users have essentially no recourse. This is particularly frustrating when it comes to single-player games requiring an internet connection to launch.

And, yes, I know. Big “old man yells at cloud” vibes over here. But sometimes the cloud needs yellin’ at.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!