ShmooCon highlights, T-Mobile’s API security woes and the government’s unfinished cyber business
Welcome to Changelog for 1/22/23, published by Synack! Hello from ShmooCon 2023! Nate Mott here, delivering you a special edition from the celebrated hacker conference in Washington, D.C., which ends today. We’ll get right to it:
The payload
This year’s ShmooCon marks the first time I’ve attended a major conference in-person since I covered Microsoft Build in 2017 — which means it’s also the first time I’ve needed to fly since my son was born in 2018 or the pandemic brought life to a halt in 2020.
Somehow I’ve made it three days into the conference without coming any closer to finding out what a “shmoo” is. But I’ve learned plenty of other things as ShmooCon’s speakers have talked about the various intersections of security and open source software; the policy changes that most affected security researchers in the U.S. throughout 2022 and what we can expect from upcoming regulations; and how the computer industry stands on the shoulders of the textile industry, among other topics.
ShmooCon’s timing in January means it can be a bellwether for other 2023 security conferences, so I’d expect to see some of these subjects come up again later this year in places like RSA and Black Hat. But I doubt the atmosphere at those conferences will be as laid back as ShmooCon, or feature as many organizers, speakers and volunteers reminding attendees to hydrate approximately every 15 minutes. That’s exactly what I needed from my first conference in years, and I’m probably not alone in that.
This might also be the only conference where open source software would be compared several times not to “free as in freedom” or “free as in beer” but instead to “free like a box of puppies”—in that it’s free, sure, but it requires a commitment of both time and resources to prevent it from becoming a problem in the future, as Aeva Black put it in ShmooCon 2023’s first true talk, “Open Source Software, Y U No Secure?” (Stay tuned for more on that talk this week from README.)
The week, compiled
As much as I’ve enjoyed ShmooCon, plenty of other things happened throughout the week.
For starters, T-Mobile has been hacked… again.
The telecom giant said in a Jan. 19 filing with the Securities and Exchange Commission that it “identified that a bad actor was obtaining data through a single [API] without authorization” on Jan. 5, and that this unknown attacker was able to access the “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features” of approximately 37 million T-Mobile customers.
“As soon as our teams identified the issue, we shut it down within 24 hours,” T-Mobile said in a press release. “Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”
That might actually be the most surprising thing about hearing T-Mobile’s been compromised again despite agreeing to spend $150 million to improve its security practices in the wake of a 2021 breach. BleepingComputer reported that this is the eighth time T-Mobile has disclosed a security incident since 2018. Before this API snafu, the most recent incident was the Lapsus$ cybercriminal group obtaining access to T-Mobile source code in April 2022. Whether or not the personal data of 37 million people being exposed by an abusable API is an improvement over that episode — or the six that preceded it — is hard to say.
Here are some other takeaways from the week:
The Record: PayPal notified “nearly 35,000 customers” that their personal information was compromised by a recent credential stuffing attack, through which threat actors use leaked passwords to access their victims’ accounts. The Record reported that this attack “allowed hackers to access names, addresses, Social Security Numbers, individual tax identification numbers and dates of birth” of affected PayPal users; the company itself doesn’t appear to have been compromised.
TechCrunch: Hackers leaked “a huge cache of data taken from the internal servers of ODIN Intelligence, a tech company that provides apps and services to police departments,” on Jan. 21 following a series of incidents that started earlier this month, TechCrunch reported. The leaked data included “detailed tactical plans for imminent police raids, confidential police reports with descriptions of alleged crimes and suspects and a forensic extraction report detailing the contents of a suspect’s phone,” among other things.
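The PayPal item above describes credential stuffing, in which leaked username/password pairs are replayed against a site's login. Because the attacker is working from a list of many different accounts rather than guessing one user's password, the tell-tale pattern in authentication logs is a single source trying many distinct usernames with a high failure rate. The following is an added example (not code from the newsletter, PayPal or The Record) that reads a constructed, hypothetical log format of `<timestamp> <ip> <username> <OK|FAIL>` lines, flags sources that fit that pattern, and lists the accounts that did succeed from a flagged source so they can be reviewed or forced to reset. The thresholds and the log format are assumptions for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log, not real data. 203.0.113.7 tries ten different
# accounts once each (stuffing); 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = """\
2023-01-18T10:00:01Z 203.0.113.7 alice FAIL
2023-01-18T10:00:02Z 203.0.113.7 bob FAIL
2023-01-18T10:00:02Z 203.0.113.7 carol FAIL
2023-01-18T10:00:03Z 203.0.113.7 dave OK
2023-01-18T10:00:04Z 203.0.113.7 erin FAIL
2023-01-18T10:00:05Z 203.0.113.7 frank FAIL
2023-01-18T10:00:06Z 203.0.113.7 grace FAIL
2023-01-18T10:00:07Z 203.0.113.7 heidi FAIL
2023-01-18T10:00:08Z 203.0.113.7 ivan OK
2023-01-18T10:00:09Z 203.0.113.7 judy FAIL
2023-01-18T10:01:00Z 198.51.100.4 alice FAIL
2023-01-18T10:01:05Z 198.51.100.4 alice FAIL
2023-01-18T10:01:09Z 198.51.100.4 alice OK
2023-01-18T10:02:00Z 192.0.2.9 bob OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    success: bool


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse the hypothetical '<timestamp> <ip> <username> <OK|FAIL>' format."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, ip, user, outcome = parts
        events.append(AuthEvent(ts, ip, user, outcome.upper() == "OK"))
    return events


def detect_credential_stuffing(
    events: List[AuthEvent],
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.6,
) -> Dict[str, dict]:
    """Flag source IPs that hit many distinct usernames with mostly failures.

    A user who forgets their own password produces repeated failures for ONE
    username, so the distinct-user threshold keeps that case from being flagged.
    Thresholds are assumed values; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = stats[e.src_ip]
        s["attempts"] += 1
        s["users"].add(e.user)
        if not e.success:
            s["failures"] += 1

    flagged: Dict[str, dict] = {}
    for ip, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
            }
    return flagged


def compromised_accounts(events: List[AuthEvent], flagged: Dict[str, dict]) -> Set[str]:
    """Accounts that logged in successfully from a flagged source: review and reset."""
    return {e.user for e in events if e.success and e.src_ip in flagged}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    for ip, info in hits.items():
        print(f"suspected credential stuffing from {ip}: {info}")
    print("accounts to review:", sorted(compromised_accounts(evs, hits)))
```

Run against the constructed log, only 203.0.113.7 is flagged (ten usernames, eight failures); 198.51.100.4 is ignored because every attempt is for the same account. In production the same aggregation would be done per time window, and the successful logins from a flagged source are the actionable output: those are the users whose reused passwords have been confirmed and who need a reset and a session revocation.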
A message from Synack
Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.
Flash memory
ShmooCon took a break at the start of the pandemic, but it made a comeback in 2022. README editor-in-chief Blake Sobczak attended ShmooCon 2022 and reported five of his takeaways from the conference, so now that this year’s installment is wrapping up, I thought we’d stroll down memory lane.
ShmooCon 2022 included sessions on the difficulty of attributing cyberattacks, how graph theory can help secure our devices, the not-so-magic reality of virtual private networks, why “wardriving” to gather information about wireless networks remains stuck in a never-ending cycle and what Synology making it through two hacking competitions without being pwned by security researchers implies about the industry.
This year’s conference focused more on influence operations; the importance of policy changes; the risks posed by firmware, peripherals and other everyday aspects of computing many people overlook; and of course, open source software.
Local files
CyberScoop: The Government Accountability Office reported this week that of the 335 cybersecurity-related recommendations it’s made since 2010, only 40% of them had been implemented as of December 2022. “Until these are fully implemented,” GAO said, “federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”
AP: Yum Brands temporarily closed approximately 300 of its KFC and Taco Bell locations in the U.K. — nearly a third of the total franchises it operates in the U.K. and Ireland — this week due to a ransomware attack. “The company said it alerted law enforcement and hired cybersecurity professionals to conduct an investigation,” the AP reported, and that it “also took some systems offline and installed enhanced monitoring technology.” All of the affected locations reopened a day after they closed.
ZDNet: Flights across the U.S. were grounded on Jan. 11 because of a Federal Aviation Administration computer outage that many assumed was caused by some kind of cyberattack. The reality turned out to be much less exciting, with the FAA saying on Jan. 19 that “contract personnel unintentionally deleted files while working to correct synchronization between the live primary database and a backup database” used by the Notice to Air Missions (NOTAM) system upon which U.S. pilots rely. Horses, not zebras.
Off-script
Bloomberg reported this week that Nintendo plans to increase production of the Switch console this year. That’s astounding to me, because the company launched the device in March 2017. It’s nearly six years old, and despite the launch and recently increased availability of Sony and Microsoft’s next-gen consoles, it seems we aren’t any closer to Nintendo hardware that runs on something other than an Nvidia system-on-a-chip (SoC) released in 2015. The SoC in my iPhone is more powerful than that.
I bought a Switch the night it launched so I could review it for Tom’s Hardware. That device is still running — barely. The kickstand has fallen off, the Joy-Con will constantly disconnect if I try to use them wirelessly and within the last week the fan has started to make a slightly concerning sound every time I turn on the device. (To say nothing of the analog stick in the right Joy-Con no longer working properly.) I’m worried that I’ll have to replace this six-year-old console with an identical device sooner than later.
I’m used to waiting for things to improve. In this installment of Changelog alone, I’ve written about one company being owned eight times in five years and people continuing to re-use passwords across multiple accounts even though they’ve been told not to for decades. Right now I’m just hoping the wait for a new Nintendo console proves to be a little more fruitful than the wait for either of those things to improve.
That’s all for this week — please send any tips or feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!