Ransomware struggles, a SolarWinds retrospective and a safety win for location trackers
Agence Olloweb / Unsplash
Welcome to Changelog for 5/7/23, published by Synack! Nathaniel Mott here with the latest security news and… pickleball? Let’s talk about it.
The payload
Remember when SolarWinds got hacked? It’s been a while: We learned of the incident in December 2020, but roughly two-and-a-half years later, there’s still a lot to unpack from the most sophisticated software supply chain attack to date.
Renowned cybersecurity journalist Kim Zetter turned her attention to SolarWinds in a Wired feature, “The Untold Story of the Boldest Supply-Chain Hack Ever.” The report last week offers a new look at just how early the U.S. government knew something was up with SolarWinds — late May 2020 — as Zetter also covered in a breakout piece.
There’s bound to be some debate about whether the SolarWinds hack or the revelation of the Log4Shell vulnerabilities that came nearly a year later will be the defining security incident of the early ’20s. Even the Cyber Safety Review Board established specifically to study the SolarWinds hack opted instead to investigate the long-lasting implications of Log4Shell. Either way, this report is a must-read for anyone curious about the SolarWinds hack, which breached some big-name organizations.
In addition to the Justice Department, “among the infected were at least eight other federal agencies, including the US Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms, including Intel, Cisco, and Palo Alto Networks — though none of them knew it yet,” Zetter reported. “Even Microsoft and Mandiant were on the victims list.”
The week, compiled
A few months ago, I wrote about how location trackers have offered stalkers a cheap, easy-to-access way to harass their victims, and how some companies have failed to take these concerns seriously. (See: Life360 making it easier for its Tile product lineup to be used for this purpose.)
Apple and Google announced this week that they had “jointly submitted a proposed industry specification to help combat the misuse of Bluetooth location-tracking devices for unwanted tracking.” The draft specification can be found on an Internet Engineering Task Force website.
Apple said “the first-of-its-kind specification will allow Bluetooth location-tracking devices to be compatible with unauthorized tracking detection and alerts across iOS and Android platforms,” with “Samsung, Tile, Chipolo, eufy Security, and Pebblebee” reportedly supporting the proposal.
This probably won’t solve the inherent risks associated with commercial location trackers, but it still seems like a win, and those are rare enough these days that we should probably celebrate them when we can.
Also last week:
Axios: CISOs don’t have to worry too much about raising the Federal Trade Commission’s ire, it seems, with a judge sentencing former Uber chief security officer Joe Sullivan to three years of probation for covering up a 2016 data breach with a $100,000 payment disguised as a legitimate bug bounty.
FFTF: Fight for the Future announced that more than 40 organizations have signed a letter “demanding that democratic governments around the world commit to protecting encryption, privacy and ensure a free and open Internet” rather than approving censorious legislation being considered in many jurisdictions.
The Verge: Google rolled out support for passkeys to give users a way to securely access their accounts without faffing about with passwords and multi-factor authentication. (Apple, Microsoft and other companies have signaled their support for passkey-based authentication as well.)
A message from Synack
Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.
Flash memory
Politico revealed in May 2022 that the Supreme Court planned to overturn Roe v. Wade by way of a leaked draft opinion characterized as “a full-throated, unflinching repudiation of the 1973 decision which guaranteed federal constitutional protections of abortion rights and a subsequent 1992 decision — Planned Parenthood v. Casey — that largely maintained the right.”
Activists immediately started to protest the Supreme Court’s decision—and question the safety of continuing to use period tracking apps, unencrypted messaging services and other digital tools from which law enforcement could obtain data to use against people seeking abortions. Those questions stopped being theoretical when Roe v. Wade was overturned in June.
Granitt founder Runa Sandvik published in January an overview of how law enforcement uses data to prosecute abortions. Mitigating these risks is no easy feat: The Electronic Frontier Foundation’s recommendations for abortion seekers include using entirely separate browsers, email addresses and in some cases burner phones, among other things.
Local files
BleepingComputer: A ransomware attack reportedly forced 911 operators in Dallas, Texas to write reports by hand rather than using automated systems. The cyber incident also brought down the IT network used by the city’s court system and temporarily disrupted the Dallas County Police Department’s website.
WaPo: The U.S. Marshals are reportedly struggling to bring a crucial system “that handles a vast amount of court-approved tracking of cellphone data, including location data,” back online more than 10 weeks after it was disrupted by a ransomware attack.
CNN: The White House announced this week that policymakers (and tech companies) will have to find a way to manage the risks posed by artificial intelligence as large language models like ChatGPT, Bard and others simultaneously become increasingly accessible and powerful.
Off-script
I find it hard to believe that pickleball is a thing. It sounds like the kind of game someone would play in the frontier when they got sick of chorin’. But apparently—and I learned this via the why-is-this-so-excellent Apple TV+ series “Shrinking”—pickleball is the fastest-growing sport in America.
Pickleball, which is pretty much always described as a combination of badminton, ping-pong and tennis, is such a phenomenon that The New York Times gifted us with this lede in a Sept. 2022 piece about why it’s so popular:
“Now that their son is grown and their water-loving Labrador retriever has passed away, Kristen Miller and her husband, Scott Miller, have decided to fill in their San Diego swimming pool. ‘No one uses it, there’s a drought and we’re in our 60s,’ she said. ‘We decided YOLO, like the kids say. We’re gonna put in a frickin’ pickleball court.’”
I’ve been looking for something new for outdoor exercise, and finding a frickin’ pickleball court now tops my list.
That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. We’ll be back next Sunday!