PrivacyCon updates, OpenSSL vulnerabilities and a potential $1.2B in ransomware payouts
Federal officials are warning of potential privacy risks attached to virtual reality and augmented reality technologies. Photo credit: Adrià García Sarceda
Welcome to Changelog for 11/6/22, published by Synack! Blake here, delivering you the past week’s news with help from Nathaniel Mott. Congratulations to the 50,000+ runners who took on today’s New York City Marathon, which is back in full force after a 2020 pandemic cancellation and depressed turnout in 2021. Here’s what’s happening in the world of cyber:
The payload
The Federal Trade Commission may not be the first agency to spring to mind when you hear the word, “cybersecurity.”
But the FTC has a sweeping mandate to require companies to keep user data safe, including from malicious hackers. And it’s starting to hold more senior executives accountable: The independent agency late last month issued a rare order against alcohol delivery service Drizly and the company’s CEO, James Rellas, over a 2018 data breach that exposed the personal information of 2.5 million individuals.
So what’s next for the FTC under chairperson Lina Khan? The agency’s annual PrivacyCon event last week offered clues, as Cynthia Brumfield reported in her inaugural story for README. The consumer protection agency is eyeing the burgeoning field of virtual reality for privacy and data security pitfalls. That means tech giants like Meta and Alphabet could face greater FTC scrutiny.
While PrivacyCon spotlights academic research rather than enforcement actions, previous events have been prophetic. The inaugural PrivacyCon in January 2016 keyed in on privacy risks from direct-to-consumer genetic tests. Speakers back then also warned about the dangers of the Internet of Things, months before the Mirai botnet made international headlines by harnessing millions of IoT devices for powerful DDoS attacks.
If past is precedent, we could be hearing a lot more about the cybersecurity perils of VR and augmented reality in the next few years.
The week, compiled
The internet was supposed to break on Tuesday. The OpenSSL Project said it would announce the first critical vulnerability in its ubiquitous cryptographic library since 2016, and instead, the group announced two high-severity vulnerabilities that are widely believed to have minimal impact on real-world systems.
Nate reported Wednesday on the vulnerabilities for README. It felt surreal to wait with bated breath for The OpenSSL Project’s disclosure alongside infosec Twitter… only to be let down (albeit partly relieved) when everyone found out the group wasn’t actually going to reveal the next Heartbleed.
It was technically A Good Thing that the OpenSSL issue was limited to a pair of humdrum vulnerabilities. (A more serious threat to the protocols that enable a secure internet would have been A Very Bad Thing.) Yet riling up the security industry by teasing a critical flaw a week in advance — only to announce halfway into the “reveal window” that the issue wasn’t nearly as worrisome as expected — was, well, not cool.
Here are some other things that came down the pike:
CNN: The Financial Crimes Enforcement Network said U.S. banks reported more than $1.2 billion worth of potentially ransomware-related payments in 2021 — more than double the amount from 2020. It also said that “roughly 75 percent of the ransomware-related incidents reported to FinCEN during the second half of 2021 pertained to Russia-related ransomware variants.”
Bloomberg: A Freedom of Information Act (FOIA) lawsuit revealed a report from the NSA Office of the Inspector General related to an analyst who “developed a surveillance project about a decade ago that resulted in the unauthorized targeting and collection of private communications of people or organizations in the U.S.” despite restrictions on the NSA’s ability to gather information about Americans.
A message from Synack
There is a better way to pentest that meets compliance requirements, ensures vulnerabilities are remediated and augments existing security teams, allowing them to focus on other risk management projects. Learn how continuous pentesting achieves all that in a webinar featuring Adam Keown, global CISO of Eastman Chemical Company; David R. Hale of Brownstein Hyatt Farber Schreck LLP; and Synack co-founder and CEO Jay Kaplan. Learn more and view the webinar on-demand here.
Flash memory
What do you do when the FBI says it has reason to believe your network has been compromised? Many people would probably assume the warning was a prank or phishing attempt that had nothing to do with the feds. But what if the alarming email was actually sent via the bureau’s infrastructure?
Sysadmins had to grapple with this question in November 2021 when they received emails from the Law Enforcement Enterprise Portal (LEEP) that, according to a statement issued by the bureau, “is FBI IT infrastructure used to communicate with our state and local law enforcement partners.”
The emails were a hoax. Brian Krebs reported that BreachedForums founder “Pompompurin” discovered a flaw in LEEP that allowed him to send emails from the FBI’s infrastructure. Rather than disclosing the issue to the FBI — or exploiting it for more nefarious purposes — Pompompurin used the opportunity to continue trolling cybersecurity researcher Vinny Troia by declaring he’d hacked various organizations.
Local files
CyberScoop: U.S. Cybersecurity and Infrastructure Security Agency director Jen Easterly said this week that the agency has “no information credible or specific about efforts to disrupt or compromise” the midterm elections on Nov. 8.
Microsoft: Microsoft announced it is extending another $100 million in aid to Ukraine, bringing its total commitment to the country to $400 million since Russia invaded in February. “We recognize that many people, particularly across Europe, will make sacrifices this winter to support the defense of Ukraine,” Microsoft vice chair and president Brad Smith said in a blog post. “The war has upended energy markets and disrupted access to food. We’re confident that other tech companies will similarly step forward to sustain support that is vital not only for Ukraine, but for international stability and the protection of fundamental rights across Europe and around the world.”
The Record: Leaders from 37 countries — as well as representatives from private firms like CrowdStrike, Mandiant and Microsoft — convened at the White House on Nov. 1 for the second meeting of the Counter Ransomware Initiative dedicated to combating this particularly vexing form of cybercrime.
Off-script
Most of us in the U.S. gained an hour of sleep last night thanks to our annual “fall back” to standard time. I’d sooner do away with the ritual altogether.
Experts warn a permanent shift to daylight saving time would mess with our biological clocks by pushing winter sunrises too late. But a legislative bid to “spring forward” forever has made headway in Congress, while no such bill exists for crowning standard time.
Let’s flip a coin and choose either daylight or standard time forever. I never want to fiddle with microwave and coffeemaker clocks again.
That’s it for this week — see you again soon! Send tips and feedback to bsobczak@synack.com or nmott@synack.com.