The Full Disclosure movement, an open-source oops and Viasat’s Russian hacking woes
The “Bugtraq” GNU/Linux distribution in 2013 paid homage to the famous infosec electronic mailing list of the same name. Illustration: Si Weon Kim.
Welcome to Changelog for 5/15/22, published by Synack! It’s me, Blake, and I’ve followed last week’s cryptocurrency price plunge with grim interest. Investors are still parsing whether this is just another swing in the infamously volatile market, but many individual traders are hurting, badly. Perhaps a few large corporations with ransomware worries will snap up some cryptocurrency now to hedge against future payments. Speaking of large corporations:
The payload
“If you can’t beat them, hire them.”
That’s how one member of the famed L0pht hacking crew described Microsoft’s shifting approach to cybersecurity in the early 2000s, after nearly a decade of sustained pressure from hackers.
Matt Goerzen and Gabriella Coleman detailed Microsoft’s punching-bag status and the historic rise of the professional hacker in an in-depth report for datasociety.net — an edited and abridged version of which we featured on README last Wednesday.
Microsoft products made for easy targets in the 1990s, what Goerzen and Coleman called a “golden age” for hackers. The company’s Windows NT system was so buggy, for instance, that hackers drummed up a standalone cybersecurity electronic mailing list, NTBugtraq, just to catalog and discuss all the software flaws.
NTBugtraq was a spinoff of the better-known Bugtraq mailing list, a pioneer of the “Full Disclosure” approach to cybersecurity vulnerabilities. In its early days in 1993, Bugtraq was completely unmoderated, offering hackers of all stripes a radically transparent venue to air the dirty laundry of emerging tech giants like Microsoft (and hopefully prod someone into taking action).
The Bugtraq list sent its last message in January 2021, after a series of acquisitions and months of inactivity. But the Full Disclosure movement lives on via Twitter and another vulnerability mailing list dubbed, well, Full Disclosure.
The week, compiled
It was a busy week for the open source community, from a hearing on Capitol Hill to the release of the highly anticipated “Open Source Software Security Mobilization Plan” led by the Open Source Security Foundation.
But my favorite OSS saga centered on an intern.
When researchers at software company JFrog unearthed malicious packages in the open source JavaScript code sharing registry npm, they bore all the hallmarks of a sophisticated cyberattack: Customized development, backdoor capabilities and even a set of prominent target companies in Germany. Two other security companies reported the same findings.
But then German pentesting company Code White took responsibility for the suspicious packages, noting on Twitter that “the ‘malicious actor’ is one of our interns 😎 who was tasked to research dependency confusion as part of our continuous attack simulations for clients.”
APT Intern strikes again.
Here’s the rest of your weekly news roundup:
Wired: A group of human rights lawyers is calling for the Hague to pursue unprecedented “cyber war crimes” charges against members of the notorious Russia-backed hacking group Sandworm. But the effort could set an unwelcome precedent at a time when far more consequential physical war crimes are playing out on the ground in Ukraine, and it could open the floodgates for charges against hacking groups outside of Russia. “Be careful what you wish for,” one cyber defense researcher warned on Twitter.
CyberScoop: Five Eyes governments and the Council of the E.U. formally blamed Russia for the cyberattack on satellite communications company Viasat at the outset of the war in Ukraine. The fact that E.U. member states could agree on a cybersecurity statement is more surprising than the attribution itself.
README: The Justice Department’s recent takedown of cybercrime emporium RaidForums speaks to the sordid state of trust within the underground hacking community.
A message from Synack
Going to the RSA Conference this year? Stop by Synack’s “Journey by the Bay” experience that includes executive thought leadership sessions, demonstrations of Synack solutions and a showcase of emerging cybersecurity companies. And don’t miss our parties that will rock the City by the Bay with live music, libations and food. Find us anytime at Fogo de Chão — 98 steps from RSAC at the Moscone Convention Center. Find out more here.
Flash memory
Thursday marked the one-year anniversary of President Biden’s executive order on cybersecurity, which set in motion a series of surge efforts to shore up critical infrastructure cybersecurity in electricity, oil and gas, rail transportation and water.
Last May, the threats du jour were the Colonial Pipeline ransomware attack, the SolarWinds supply chain breach, and the sweeping China-linked hack of Microsoft Exchange email server software.
Fast forward a year and Log4j, “wiper” malware and the Incontroller control system cyberthreat are all the rage.
The White House and federal agencies have made headway on many facets of the EO, hosting a “SBOM-A-RAMA” to spur adoption of software bills of materials, releasing a zero-trust strategy for executive departments in January, and naming members to the newly minted Cyber Safety Review Board, among other steps.
But other goals have proven elusive. The age-old struggle to remove barriers to cyberthreat information sharing — listed as the first concrete policy step in the EO — carries on even within the federal government. And a House hearing next Tuesday will unpack challenges in securing federal networks, which continue to face a near-constant stream of hacking attempts.
Local files
NBC News: A predominantly Black college in Illinois is permanently shutting its doors after the one-two punch of the pandemic and a ransomware attack. Lincoln College broke ground in 1865 and held its final commencement last Sunday.
Bleeping Computer: Costa Rica declared a state of national emergency amid an ongoing ransomware attack by the Conti cybercriminal group, which is demanding an eight-figure bounty.
Reuters: The head of Spain’s National Intelligence Center, Paz Esteban, was fired amid questions about the spy agency’s use of the NSO Group’s powerful Pegasus spyware to snoop on leaders in the Catalan independence movement.
Off-script
The only pilot on your single-engine plane is suddenly incapacitated — what do you do?
One level-headed passenger with no prior flying experience grabbed the yoke, started talking with air traffic controllers and managed to safely land the plane in southern Florida last Tuesday.
“I heard somebody earlier today refer to this gentleman as a ‘passenger-pilot,’ that I’m pretty sure that’s not supposed to be a real thing,” WPBF 25 News reporter Ari Hait recounted. “But it was today.”
The Federal Aviation Administration deemed the successful landing a “miracle in the air” in a blog post Wednesday. Kudos to all the aviation workers (not to mention the heroic passenger) who helped ensure this harrowing episode had a happy ending!
That’s all for now — please send tips, feedback and Bugtraq best-ofs to bsobczak@synack.com. Until next week!