Links:
• microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing
• tenable.com/blog/cybersecurity-snapshot-employees-are-oversharing-work-info-with-ai-tools-cybersecurity
• go.theregister.com/feed/www.theregister.com/2024/10/07/american_water_cyberattack
• theregister.com/2024/09/24/ultraav_kaspersky_antivirus
Links:
• cybersecuritydive.com/news/crowdstrike-mea-culpa-testimony-takeaways/727986
• bleepingcomputer.com/news/legal/ireland-fines-meta-91-million-for-storing-passwords-in-plaintext
• thehackernews.com/2024/09/critical-linux-cups-printing-system.html?m=1
• arstechnica.com/security/2024/09/false-memories-planted-in-chatgpt-give-hacker-persistent-exfiltration-channel
• industrialcyber.co/cisa/cisa-alerts-ot-ics-operators-of-ongoing-cyber-threats-especially-across-water-and-wastewater-systems
Additionally, they explore new tough cyber regulations in the EU under NIS2, and a Google security flaw from a Black Hat presentation concerning dependency confusion in Apache Airflow. The hosts share their thoughts on industry responses, regulations, and how enterprises can improve their security posture.
00:00 Introduction and Podcast Setup
00:59 First Story: CISA Boss on Insecure Software
03:26 Debate on Software Security Responsibility
11:12 Open Source Software Challenges
15:20 Cloud Imposter Vulnerability
22:22 Disney’s Data Breach and Slack
27:37 Slack Data Breach Concerns
29:26 Critical Infrastructure Vulnerabilities
35:21 EU’s New Cyber Regulations
43:42 Global Regulatory Challenges
48:42 Conclusion and Sign-Off
Links:
• theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains
• tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package
• cnbc.com/2024/09/19/disney-to-ditch-slack-after-july-data-breach-.html
• cybersecuritydive.com/news/cisa-critical-infrastructure-attacks/727225
• cnbc.com/amp/2024/09/20/eu-nis-2-what-tough-new-cyber-regulations-mean-for-big-business.html
Links:
• bleepingcomputer.com/news/security/tfl-requires-in-person-password-resets-for-30-000-employees-after-hack
• securityweek.com/google-introduces-air-gapped-backup-vault-to-thwart-ransomware
• arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have
• cybersecuritydive.com/news/global-cyber-workforce-flatlines-isc2/726667
• cybersecuritydive.com/news/moveit-wisconsin-medicare/726441
Transcript:
Jerry: [00:00:00] Here we go. Today is Sunday, September 15th, 2024. And this is episode 279 of the defensive security podcast. My name is Jerry Bell and joining me today as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. Happy Sunday to you.
Jerry: Happy Sunday, just a reminder that the thoughts and opinions we express on the show are ours do not represent those of our employers or.
Andrew: present, or future.
Jerry: for those of us who have employers, that is not that I’m bitter or anything. It’s,
Andrew: It’s, I envy your lack of a job. I don’t envy your lack of a paycheck. So that is the conflict.
Jerry: It’s very interesting times right now for me.
Andrew: Indeed.
Jerry: All right. So our first story today comes from Bleeping Computer. And the title here is TFL, which is Transport for London, requires in-person password [00:01:00] resets for 30,000 employees. So those of you who may not be aware, Transport for London had suffered what I guess has been described as a nebulous security incident.
They haven’t really pushed out a lot of information about what happened. They have said that it does not affect customers. But it apparently does impact some back office systems that did take off certain parts of their services offline, like I think. They couldn’t issue refunds. And there were a few other transportation related things that were broken as a result.
But I think in the aftermath of trying to make sure that they’ve evicted the bad guy who, by the way, apparently has been arrested.
Andrew: That’s rare. Somebody actually got arrested.
Jerry: yeah. And not only that, but apparently it was somebody local.
Andrew: Oops.
Jerry: In in the country which may or may not be associated with an unknown named [00:02:00] threat actor, by the way, that was involved in some other ransomware attacks.
Andrew: Kids don’t hack in your own backyard.
Jerry: That’s right. Make sure you don’t have extradition treaties with where you’re attacking. So what I thought was most interesting was the, their, the approach here to getting back up and going they, they had disabled. So TFL had disabled the access for all of their employees and the requiring their employees to show up at a designated site to prove their identity in order to regain access.
This isn’t the first. Organization that’s done this, but it is something that I suspect a lot of organizations don’t think about the logistics of, in the aftermath of a big hack. And if you’re a large company spread out all over the place, the logistics of that could be pretty daunting.
Andrew: Yeah. It’s wild to me that they want in-person [00:03:00] verification of 30,000 employees. But given the nature of their company and business, I’m guessing they’re all very centrally located, used to going to physical offices, but man, can you imagine if you were a remote employee and you don’t have any office anywhere near you, how would you handle that? I’m not, I’m probably not going to get on a plane to go get my password re-enabled.
Jerry: Exactly.
Andrew: You know what it did, remind me of though is, remember back PGP and PGP key signing?
Jerry: Oh, the key parties. Yes.
Andrew: Yes. Where, You basically, it’s a web of trust and people you trust could verify and sign another key. Like at a key signing party, because we were fun back then, that’s what nerds used to do. And then that’s how you had the circle trust. So maybe they could do something similar where verified employee could verify another employee, then you’ve got the whole insider threat issue, et cetera. Yeah. It
just reminded me of,
Jerry: No, nobody trusts Bob’s.
Andrew: [00:04:00] It’s true. Your friend, Bob, how many t...
Links:
bleepingcomputer.com/news/security/new-eucleak-attack-lets-threat-actors-clone-yubikey-fido-keys
bleepingcomputer.com/news/security/verkada-to-pay-295-million-for-alleged-can-spam-act-violations
cybersecuritydive.com/news/iran-cyberattacks-us-critical-infrastructure/725877
theregister.com/2024/09/05/security_spending_boom_slowing vs cybersecuritydive.com/news/infosec-spending-surge-gartner/726081
cybersecuritydive.com/news/deepfake-scam-businesses-finance-threat/726043
Transcript
Jerry: All right, here we go. Today is Saturday, September 7th, 2024. And this is episode 278 of the defensive security podcast. And my name is Jerry Bell. And joining me today as always is Mr. Andrew Kalat.
Andrew: Good evening. Jerry, how are you? Kind sir.
Jerry: Doing fantastic. How are you?
Andrew: I’m great. Just got back from a little vacation, which was lovely. Saw a lot of Canada, saw some whales, saw some trains. It was
Jerry: Did you see any moose?
Andrew: Oddly we did not see a single moose, which was a bummer. We crossed from Toronto to Vancouver on a train and didn’t see a single moose.
I saw a metric crap ton of ducks though. I couldn’t believe literally in the thousands. I don’t know why.
Jerry: The geese are ducks. Cause
Andrew: We saw a
Jerry: geese are pretty scary.
Andrew: We were sealed away from them, so we were protected.
Jerry: I don’t know.
Andrew: hard to
Jerry: I don’t know. I w I wouldn’t I wouldn’t bet my life on that.
Andrew: But yeah, we saw a decent chunk of gooses, but mostly ducks.
Jerry: Good deal.
Andrew: Indeed. I’m good. Now, catching back up on work.
Jerry: And you’re back.
Andrew: And you are apparently the Southern Command Center.
Jerry: I am for another another day or two.
Andrew: Nice. Never sucks to be at the beach.
Jerry: It definitely does not. No, no bad days at the beach.
Andrew: Nice.
Jerry: All right. A reminder before we get started that the thoughts and opinions we express in the show are ours and do not represent those of our employers.
Andrew: Past, present, or future.
Jerry: That’s right. So our first topic or first story from today comes from Bleeping Computer. And this one was a bit of a, oh, what’s the best, a bit controversial, best way to say it, controversial on the social media sites over the past week. And the title is “New EUCLEAK attack,” I’m not even going to try to pronounce that attack, “lets threat actors clone YubiKey FIDO keys.”
Andrew: Shut down the internet. Shut
Jerry: Shut it down, just throw away your Yubikeys, it’s over.
Andrew: And apparently it can happen from 12 miles away with trivial equipment, right?
Jerry: No, actually, the bad actor here actually has to steal it, and it takes some pretty sophisticated knowledge and equipment. But apparently the equipment, they allege, costs about 11,000. However, the YubiKey actually has to be disassembled, like they actually have to take the protective covering off, and they have to instrument it, and then they’re able to leverage a vulnerability in an Infineon chip that’s contained in these YubiKeys to extract the private key. And so it’s not a trivial attack. You have to lose physical possession of the token for some period of time. But if you were the victim of this, it is possible that some adversary who was willing to put in the time and effort could clone your key unbeknownst to you, and then find a way to reconstitute the packaging and slide it back into your drawer, and you would be none the wiser.
Andrew: All seriousness, I think this has a very low likelihood of impacting the average listener t...
Links:
cybersecuritydive.com/news/insurance-cyber-risk-reduction/724852
arstechnica.com/information-technology/2024/08/crowdstrike-unhappy-with-shady-commentary-from-competitors-after-outage
cnbc.com/2024/08/23/microsoft-plans-september-cybersecurity-event-after-crowdstrike-outage.html
arstechnica.com/security/2024/08/nashville-man-arrested-for-running-laptop-farm-to-get-jobs-for-north-koreans
darkreading.com/vulnerabilities-threats/why-end-of-life-for-applications-is-beginning-of-life-for-hackers
cybersecuritydive.com/news/snowflake-security-responsibility-customers/724994
Transcript:
Jerry: Here we go. Today is Saturday, August 24th, and this is episode 277 of the defensive security podcast. My name is Jerry Bell and joining me today as always is Mr. Andrew Kalat.
Andrew: Good evening, my good sir Jerry. How are you?
Jerry: I am awesome. How are you?
Andrew: I’m good. I’m good. I’m getting ready for a little bit of a vacation coming up next week So a little bit of senioritis. If I’m starting to check out on the show, you’ll know why
Jerry: Congrats and earned. I know.
Andrew: Thank you, but otherwise doing great and happy to be here as always
Jerry: Good. Good deal. All right. Just a reminder that the thoughts and opinions we express on this show are ours and do not represent anyone else or including employers, cats, relatives, you name it.
Andrew: various sentient plants
Jerry: Exactly. Okay. So jumping into some stories today. First one comes from cybersecuritydive.com, which by the way, has a lot of surprisingly good content.
Andrew: Yeah, I have enjoyed a lot of what they write. We’ve a couple good stories there
Jerry: Yeah. Yeah. So the title here is insurance coverage drives cyber risk reduction for companies, researchers say that the gist of this story is that there were two recent studies done or reports released one from a company called Omeda and another one from Forrester, which I think we all know and love.
And I’ll summarize it and say that they’re both reports indicate that companies which have cyber insurance tend to be better at quote, reducing risk more likely detect, respond, and recover from data breaches and malicious attacks compared to organizations without coverage. So I thought that was a little interesting.
On the other hand it to me feels like a bit of availability bias, so by that, what I mean is if you go and take a survey of people who go to the gym and work out at the gym on their diet, you will probably will find out that Eat a healthier diet than the public at large.
Andrew: But I go.
Jerry: you just go.
Andrew: I, look,
Jerry: I’m not saying, I’m not saying everybody, right?
Andrew: least I show up, right? And I’ve been told showing up is half the battle.
Jerry: It is half the battle, that’s right. Knowing is the other half.
Then doing is the other half.
Andrew: I will say, speaking of G. I. Joe quotes, I thought catching on fire was going to be a far bigger problem in my life than it turned out to be.
Jerry: That and quicksand.
Andrew: I, we were
Lot about that as children of
Jerry: quick, quicksand.
Andrew: Heh.
Jerry: QuickSand was, I, I lived in fear of QuickSand, but it turns out it’s really not that big of a concern.
Andrew: For as much as I heard stop drop and roll done it
Jerry: Yet.
Andrew: That’s true. The day is young. Anyway back to your story. I think you’re right I will also say having worked with a number of these companies do interestingly have their own towards trying to keep you from getting hacks. They have to pay out So they do push certain things like and I’ve seen myself and I won’t say it You know, it doesn’t matter where, when, but if you have things like one of the well known EDR tools well deployed, they might cut y...
Summary:
In episode 276 of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat delve into a variety of security topics including a ransomware attack on a Swedish farm’s milking machine leading to the tragic death of a cow, issues with patch management in IT industries, and an alarming new wormable IPv6 vulnerability patch from Microsoft. The episode also covers a fascinating study on the exposure and exploitation of AWS credentials left in public places, highlighting the urgency of automating patching and establishing robust credential management systems. The hosts engage listeners with a mix of humor and in-depth technical discussions aimed at shedding light on critical cybersecurity challenges.
00:00 Introduction and Casual Banter
01:14 Milking Robot Ransomware Incident
04:47 Patch Management Challenges
05:41 CrowdStrike Outage and Patching Strategies
08:24 The Importance of Regular Maintenance and Automation
15:01 Technical Debt and Ownership Issues
18:57 Vulnerability Management and Exploitation
25:55 Prioritizing Vulnerability Patching
26:14 AWS Credentials Left in Public: A Case Study
29:06 The Speed of Credential Exploitation
31:05 Container Image Vulnerabilities
37:07 Teaching Secure Development Practices
40:02 Microsoft’s IPv6 Security Bug
43:29 Podcast Wrap-Up and Social Media Plugs
Links:
• securityaffairs.com/166839/cyber-crime/cow-milking-robot-hacked.html
• theregister.com/2024/07/25/patch_management_study
• cybersecuritydive.com/news/misguided-lessons-crowdstrike-outage/723991
• cybenari.com/2024/08/whats-the-worst-place-to-leave-your-secrets
• theregister.com/2024/08/14/august_patch_tuesday_ipv6
Transcript:
Jerry: Today is Thursday, August 15th, 2024. And this is episode 276 of the defensive security podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. Once again, from your southern compound, I see.
Jerry: Once again, in the final time for a two whole weeks, and then I’ll be back.
Andrew: Alright hopefully next time you come back, you’ll have yet another hurricane to dodge.
Jerry: God, I hope not.
Andrew: How are you, sir?
Jerry: I’m doing great. It’s a, it’s been a great couple of weeks and I’m looking forward to going home for a little bit and then then coming back. How are you?
Andrew: I’m good, man. It’s getting towards the end of summer. forward to a fall trip coming up pretty soon, and just cruising along. Livin the dream.
Jerry: We will make up for last week’s banter about storms and just get into some stories. But first a reminder that the thoughts and opinions we express are those of us and not our employers.
Andrew: Indeed. Which is important because they would probably fire me. You’ve tried.
Jerry: I would yeah. So the the first story we have tonight is very Moving.
Andrew: I got some beef with these people.
Jerry: Great. Very moving. This one comes from security affairs and the title is crooks took control of a cow milking robot, causing the death of a cow. Now, I will tell you that the headline is much more salacious than the actual story that the. When I saw the headline, I thought, oh my God, somebody hacked a robot and it somehow kill the cow, but no, that’s not actually what happened,
Andrew: Now, also, let’s just say up front, the death of a cow is terrible, and we are not making light of that. But we are gonna milk this story for a little while.
Jerry: that’s very true.
Andrew: I’m almost out of cow puns.
Jerry: Thank God for that. So, what happened here is this farm in Sweden had their milking machine, I guess is a milking machine ransomware and the farmer noticed that he was no longer able to manage the system, contacted the support for that system. And they said, no, you’ve been ransomware.
Actually, the milking machine itself apparently was pretty trivial to get back up and running, but apparently what was lost in the attack was important health information about the cows, including when some of the cows were inseminated. And because of that, they didn’t know that one of the pregnant cows was supposed to have given birth, but actually hadn’t.
And so what had turned out to be the case is that the cow’s fetus unfortunately passed away inside the cow, and the farmer didn’t know it until they found the cow lying lethargic in its stall, and they called a vet. And unfortunately, at that point it was too late to save the cow.
This is an unfortunate situation where a ransomware attack did cause a fatality.
Andre...
• crowdstrike.com/wp-content/uploads/2024/08/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf
• theregister.com/2024/08/05/crowdstrike_is_not_at_all
• theverge.com/2024/8/6/24214371/microsoft-delta-letter-crowdstrike-response-comments
• linkedin.com/posts/alexstamos_why-crowdstrikes-baffling-bsod-disaster-activity-7224046054076243969-1An8?utm_source=combined_share_message&utm_medium=ios_app
• linkedin.com/posts/choff_why-crowdstrikes-baffling-bsod-disaster-activity-7224078879445958658-ymuc?utm_source=combined_share_message&utm_medium=member_ios
• securityweek.com/thousands-of-devices-wiped-remotely-following-mobile-guardian-hack
• bleepingcomputer.com/news/security/stackexchange-abused-to-spread-malicious-pypi-packages-as-answers
• bleepingcomputer.com/news/security/hunters-international-ransomware-gang-targets-it-workers-with-new-sharprhino-malware
Transcript:
Jerry: Today is Wednesday, August 7th, 2024. And this is episode 275 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. How are you? Good, sir.
Jerry: I am amazing. It is blistering hot at the beach, but it’s awesome.
Andrew: recording from your southern compound.
Jerry: I am.
Andrew: Nice.
Jerry: Yeah, Bell Estate South.
Andrew: And Debbie was not an issue.
Jerry: Debbie not here. We got probably 45 minutes worth of rain.
Andrew: Yeah, it seems, at this point, in real time, stalled out over South Carolina
Jerry: Yeah, it looks several feet of rain hitting like Savannah and That is nuts. But no, it was not a big issue here. I was pretty worried. I packed up all my Milwaukee batteries with lights and whatnot in preparation for the worst got extra tranquilizer for my dog who hates storms.
But no, it’s been absolutely amazing here.
Andrew: So you took the tranks instead? Is that what I’m hearing?
Jerry: Absolutely. You gotta sleep somehow.
Andrew: That’s fair. I’m glad it was a non event, at least for your little neck of the
Jerry: Yeah, it was Nice you could actually see some of the storm clouds off in the distance. And that was the best way to watch a hurricane is when it’s far away.
Andrew: That’s true. That
A few I’ve been through. Stuck on islands, but
Jerry: Yeah, that’s right. since I’ve been here, I have been in the building for two hurricanes, and the building’s been hit by three tornadoes. And then there was also a unsuccessful base jump.
Andrew: So we’re saying you are cursed. Is that what we’re saying?
Jerry: am the human equivalent to a plastic flamingo.
which attracts tornadoes for those who don’t know. Anyway.
Yeah.
Andrew: after that meteorological update,
Jerry: Yeah. just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers past, present, or future.
Andrew: maybe even our
Jerry: Or our pets. my pet is licking me right now and she says, nope, it’s not her opinion.
Andrew: fair,
Jerry: Okay I would say that this is going to be a CrowdStrike heavy episode.
Andrew: three weeks in a row.
Jerry: Yeah, it continues to get more and more interesting. Obviously the main event itself is largely behind us and now we are in the lawyer up phase of the party.
Andrew: the blamestorming
Jerry: blamestorming has indeed begun. The first topic we have to talk about here is the actual formal full root cause analysis was released yesterday by CrowdStrike and it is a 12 page long document. It has lots of marketing fluff in it.
And only I would say a little bit of substance. I don’t think there’s anything that is remarkably telling or revolutionary in the document, but it does indicate technically what went wrong. And it gives some indications of the, potential improvements for their quality assurance, which I think is where a lot of this went wrong.
So the, I’m not going to go through the details in uber technical specificity, but the net is that this channel file update is for this inter-process communication agent, for lack of a better term, I’ll call it. And that agent expects configuration files that have 20 parameters, but through some unfortunate bad planning their test harness actually was marking the 21st as a catch-all, as an asterisk. It was effectively being marked as not used. And so in this particular update, they actually started using it, and that ended up causing their parser to perform what ultimately ended up being an out-of-bounds read.
Because that parser wasn’t set up to actually read it. And so when that read attempted to happen in kernel space, it tried to access memory. It wasn’t allowed to access, wasn’t allocated. ...
blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers
darkreading.com/cybersecurity-operations/crowdstrike-outage-losses-estimated-staggering-54b
cdn.prod.website-files.com/64b69422439318309c9f1e44/66a24d5478783782964c1f6f_CrowdStrikes%20Impact%20on%20the%20Fortune%20500_%202024%20_Parametrix%20Analysis.pdf
darkreading.com/vulnerabilities-threats/unexpected-lessons-learned-from-the-crowdstrike-event
Summary:
Episode 274: Malware on GitHub, North Korean Developer Scam & Secure Boot Failures
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss several notable security stories and issues. They start with a malware distribution service that leverages compromised GitHub accounts and WordPress sites. They then cover a security warning from KnowBe4 about hiring a supposed North Korean agent as a senior developer. They dive into the significance of two separate vulnerable firmware signing keys affecting over 500 hardware models. Lastly, they explore the massive financial impact of the recent CrowdStrike outage, with losses estimated at $5.4 billion. Throughout the episode, the hosts provide insights, potential solutions, and share personal experiences related to these cybersecurity challenges.
00:00 Introduction and Casual Banter
00:30 Funemployment and Retirement Reflections
01:54 Disclaimer and First Story Introduction
02:17 Malware Distribution via GitHub
04:24 WordPress Security Issues
08:09 North Korean Developer Incident
14:36 Lessons Learned and Recommendations
23:27 Secure Boot Vulnerabilities
29:19 Cloud Providers and Firmware Security
30:47 The Epidemic of Leaked Keys on GitHub
33:35 Challenges in Development and Security Practices
35:36 CrowdStrike Outage and Its Financial Impact
39:16 Legal and Technical Implications of the Outage
57:33 Concluding Thoughts and Future Plans
Transcript:
Episode 274
jerry: [00:00:00] Today is Wednesday, July 31st, 2024. And this is episode 274 of the defensive security podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. How are you? My good sir.
jerry: So good. It hurts. How are you?
Andrew: I’m doing good. it’s Wednesday, which is halfway through the week. So I can’t complain too much.
jerry: It’s just another day to me though.
Andrew: I, how are you enjoying your funemployment?
jerry: It is awesome. funny story, when my dad retired, he told me something sad. He said, one of the things that you don’t realize is that the weekend starts losing its appeal,
Andrew: Because every day is the weekend.
jerry: because it’s just another day and, holidays are just another day.
jerry: There’s not really something to look forward to when you’re working. You typically look forward to the weekend. It’s just another day. I am finding that to be true. I’m going to be [00:01:00] spending some time coming up down at the beach, which will be a whole different experience, not having to work and actually be at the beach, which will be cool.
Andrew: So you don’t have to wrap your laptop in plastic when you take it surfing with you anymore.
jerry: That is very true. No more conference calls while out on the boogie board.
Andrew: I will say the random appearance of sharks behind you on your zoom sessions will be missed.
Andrew: Of course, we’ll have to find a way to bring that back. I live in jealousy of your funemployment. I will just say that. But not that you didn’t work your ass off and earned it, right? This is 25 years of blood, sweat, and tears given to this industry to get you to this point. So you earned it
jerry: I’m going to have to be responsible again at some point, but I am having fun in the meantime.
Andrew: as well. You should
jerry: before we get into the stories for today I just want to remind everybody that the thoughts and [00:02:00] opinions we express on the show are ours and do not represent anybody else, including employers cats, farm animals, spouses children, et cetera, et cetera.
Andrew: there’s that one llama in Belarus though, that agrees 100 percent with what we have to say.
jerry: Very true. Getting into the stories, we have one from bleeping computer and this one is titled over 3000 GitHub accounts used by malware distribution service. I thought this one was particularly interesting and notable. There is a malware distribution as a service that leverages both, let’s call them fake or contrived GitHub accounts, as well as compromised WordPress sites.
jerry: And the, what they’re effectively leveraging is the brand reputation of GitHub. And so they ...
Fujitsu Details Non-Ransomware Cyberattack (webpronews.com) (webpronews.com/fujitsu-details-non-ransomware-cyberattack)
5 Key Questions CISOs Must Ask Themselves About Their Cybersecurity Strategy (thehackernews.com) (thehackernews.com/2024/07/5-key-questions-cisos-must-ask.html)
Sizable Chunk of SEC Charges Vs. SolarWinds Dismissed (darkreading.com) (darkreading.com/application-security/solarwinds-charges-tossed-out-of-court-in-legal-victory-against-sec)
CrowdStrike CEO apologizes for crashing IT systems around the world, details fix | CSO Online (csoonline.com/article/2872861/crowdstrike-ceo-apologizes-for-crashing-it-systems-around-the-world-details-fix.html)
Summary:
Cybersecurity Updates: Uber’s Legal Trouble, SolarWinds SEC Outcome, and CrowdStrike Outage
In Episode 273 of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss recent quiet weeks in cybersecurity and correct the record on Uber’s CISO conviction. They delve into essential questions CISOs should consider about their cybersecurity strategies, including budget justification and risk reporting. The episode highlights the significant impact of CrowdStrike’s recent updates causing massive system crashes and explores the court’s decision to dismiss several SEC charges against SolarWinds. The hosts provide insights into navigating cybersecurity complexities and emphasize the importance of effective communication and collaboration within organizations.
00:00 Introduction and Banter
01:52 Correction on Uber’s CISO Conviction
04:07 Recommendations for CISOs
09:28 Fujitsu’s Non-Ransomware Cyber Attack
12:13 Key Questions for CISOs
32:47 Corporate Puffery and SEC Charges
33:15 Internal vs External Communications
33:52 SolarWinds Security Assessment
36:36 CrowdStrike CEO Apologizes
37:16 Global IT Systems Crash
37:57 CrowdStrike’s Kernel-Level Issues
40:55 Industry Reactions and Lessons
42:58 Balancing Security and Risk
49:26 CrowdStrike’s Future and Market Impact
01:03:46 Conclusion and Final Thoughts
Transcript:
Episode 273
jerry: [00:00:00] All right, here we go. Today is Sunday, July 21st, 2024, and this is episode 273 of the Defensive Security Podcast. My name is Jerry Bell, and joining me tonight as always is Mr. Andrew Kalat.
Andy: Good evening, Jerry. I’m not sure why we’re bothering to do a show. Nothing’s happened in the past couple of weeks.
Andy: It’s been really quiet.
jerry: Last week was very quiet.
Andy: Yeah, sometimes You just need a couple quiet weeks.
jerry: Yeah. Yeah, nothing going on so before we get into the stories a reminder that the thoughts and opinions We express on this podcast do not represent andrew’s employers
Andy: Or your potential future employers
jerry: or my potential future employers
Andy: as you’re currently quote enjoying more time with family end quote
jerry: Yes, which by the way Is highly recommended if you can do it.
Andy: Your big thumbs up of being an unemployed bum.
jerry: It’s been amazing. Absolutely [00:01:00] amazing. I I forgot what living was like.
jerry: I’ll say it that way.
Andy: Having watched your career from next door ish, not a far, but not too close. I think you earned it. I think you absolutely earned some downtime. My friend, you’ve worked your ass off.
jerry: Thank you. Thank you. It’s been fun.
Andy: And I’ve seen your many floral picks. I don’t, I’m not saying that you’re an orchid hoarder, but some of us are concerned.
jerry: I actually think that may be a fair characterization. I’m not aware of any 12 step programs for for this disorder here.
Andy: There’s a TV show called hoarders where they go into people’s houses who are hoarders and try to help them. I look forward to your episode.
jerry: I yes, I won’t say anymore. Won’t say anymore. So before we get into the new stories, I did want to correct the record on something we talked about on the last episode [00:02:00] regarding Uber’s CISO that had been criminally convicted. Richard Bejtlich on infosec.exchange actually pointed out to us that it was not failure to report the breach that was the problem. It was a few other issues, which is what Mr. Sullivan had actually been convicted of. So I’m going to stick a story into the show notes that has a very extensive write up about the issues, and that is from cybertheory.io. And in essence, I would distill it down as saying again, I guess he was convicted so it’s not alleged. He was convicted of obstruction of an official government investigation. He was convicted of obstructing the ongoing FTC investigation about the 2013 slash 2014 breach, [00:03:00] which had been disclosed previously.
jerry: The FTC was rooting through their business an...
darkreading.com/cybersecurity-operations/a-cisos-guide-to-avoiding-jail-after-a-breach
csoonline.com/article/2512955/us-supreme-court-ruling-will-likely-cause-cyber-regulation-chaos.html
sansec.io/research/polyfill-supply-chain-attack
securityweek.com/over-380k-hosts-still-referencing-malicious-polyfill-domain-censys
tenable.com/blog/how-the-regresshion-vulnerability-could-impact-your-cloud-environment
Transcript:
jerry: All right. Here we go. Today is Sunday, July 7th, 2024, and this is episode 272 of the defensive security podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. This is a newly reestablished record twice in a week or
jerry: twice in a week. I can’t believe it.
Andrew: I know. Awesome. Yeah. You just had to, quit that crappy job of yours that provided income for your family and pets and you know everything else but now that you’re unemployed house But now that you’re an unemployed bum.
jerry: Yeah, I can podcast all I want 24 7. I think I’m gonna become an influencer, like I’m gonna just be live all the time now
Andrew: you could I really I look forward to you asking me to subscribe and hit that notify button.
jerry: That’s right. Hit that subscribe button
Andrew: Like leave a rating and a comment
jerry: like and subscribe. All [00:01:00] right, getting with the program, we’re getting back into our normal rhythm. As per normal, we’ve got a couple of stories to talk about. The first one comes from Dark Reading and the title is, A CISO’s Guide to Avoiding Jail After a Breach.
Andrew: Before we get there.
Andrew: I want to throw out the disclaimer that thoughts and opinions do not reflect any of our employers, past, present, or future.
jerry: That’s a great point. Or, my cats.
Andrew: Unlike you, I have to worry about getting fired.
jerry: I still have a boss. She can fire me.
Andrew: That’s called divorce, sir. But true.
jerry: Yeah.
Andrew: Anyway, back to your story.
jerry: Anyway, yeah. CISO’s Guide to Avoiding Jail After a Breach. So this is following on an upcoming talk at, I think it’s Black Hat, talking about how CISOs can try to insulate themselves from the [00:02:00] potential legal harms or legal perils that can arise as a result of their jobs. It’ll be interesting to see what’s actually in that talk, because the article itself, in my estimation, despite what the title says, doesn’t actually give you a lot of actionable information on how to avoid jail. They do quote Mr. Sullivan, who was the CISO for Uber.
jerry: And they give a little bit of background and how it’s interesting that he is now a convicted felon. Although I think that’s still working its way through the appeals process. Though he previously was appointed to a cybersecurity board by President Obama.
jerry: And before that he was a federal prosecutor. And in fact, as the article points out, he was one of the process, he was the prosecutor who prosecuted the first DMCA case, which I thought was quite interesting. You didn’t know that about him, but what’s interesting is this article at least is based a lot on [00:03:00] interviews with him and including recommendations on things like communicating with your board and your executive leadership team. But I’m assuming that he had done that at Uber.
Andrew: Yeah, this is such a tough one for me, and it makes, I think a lot of good people make references in the article. I want to shy away from being a CISO if there’s this sort of potential personal liability. When, there’s a lot of factors that come into play about why a company might be breached that aren’t always within the control of the CISO, whether it be budget, whether it be focus, whether it be company priorities, and you have an active adversary who is looking for any possible way to get into your environment.
Andrew: So what becomes the benchmark of what constitutes a breach? Negligence up to the point of going to jail is the one that [00:04:00] I’ve struggled with so much and I think those who haven’t really worked in the field much can very easily just point to mistakes that are made, but they don’t necessarily understand the complexity of what goes in to that chain of events and chain of decisions that led to that situation.
Andrew: Every job I’ve been in where we were making serious decisions about cybersecurity was a budgetary trade off and a priority trade off and a existential threat to the company if we don’t do X, Y, and Z. Coming from five or six different organizations at the same time coming up to that CFO or the CEO and they have to make hard calls about where that those resources go and those priorities go to keep people employed. And you pair that with a very hostile, third party intentionally trying to breach you it’s a tough situation an...
bleepingcomputer.com/news/security/hackers-scan-for-vulnerabilities-within-15-minutes-of-disclosure
techcircle.in/2022/07/31/paytm-mall-refutes-cyber-breach-report-says-users-data-safe
Stories:
scmagazine.com/feature/incident-response/why-solarwinds-just-may-be-one-of-the-most-secure-software-companies-in-the-tech-universe
computerweekly.com/news/252522789/Log4Shell-on-its-way-to-becoming-endemic
bleepingcomputer.com/news/security/hackers-impersonate-cybersecurity-firms-in-callback-phishing-attacks
cybersecuritydive.com/news/microsoft-rollback-macro-blocking-office/627004
jerry: [00:00:00] All right, here we go. Today, Sunday, July 17th, 2022. And this is episode 268 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andy: Hello, Jerry. How are you, sir?
jerry: great. How are you doing?
Andy: I’m doing good. I see nobody else can see it, but I see this amazing background that you’ve done with your studio and all sorts of cool pictures. Did you take those.
jerry: I did not take those. They are straight off Amazon actually. It’s.
jerry: I’ll have to post the picture at some [00:01:00] point, but the pictures are actually sound absorbing panels.
Andy: Wow. I there’s jokes. I’m not going to make them, but anyway, I’m doing great. Good to see ya..
jerry: Awesome. Just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers. But as you are apt to point out, they could be for the right price.
Andy: That’s true. That’s true. And that, and by the way, what that really means is you’re not going to change our opinions. You’re just going to hire them.
jerry: Correct, right. Sponsor our existing opinions.
Andy: Someday that’ll work.
jerry: All right. So we have some interesting stories today. The first one comes from SC magazine dot com. The title is Why SolarWinds Just Might Be One of the Most Secure Software Companies in the Tech Universe.
Andy: It’s a pretty interesting one. I went into this a little.
Andy: Cynical. But there’s a lot of [00:02:00] really interesting stuff in here.
jerry: Yeah there, there is, I think
jerry: What I found interesting, a couple of things. One is very obvious: that this is a planted attempt to get back into the good graces of the IT world. But at the same time, it is very clear that they have made some pretty significant improvements in their security posture. And I think for that, it deserves a
jerry: discussion.
Andy: Yeah, not only improvements, but they’re also
Andy: having this strong appearance of transparency and sharing lessons learned. Which we appreciate.
jerry: Correct. The one thing that I, so we’ll get into it a little bit, but they still don’t really tell you how the thing happened.
Andy: Aliens.
jerry: Obviously it was aliens. They did tell you what happened. And so in the article here they describe this, the [00:03:00] CISO of SolarWinds describes that the attack didn’t actually change their code base. So the attack wasn’t against their code repository. It was actually against one of their build systems.
jerry: And so the adversary here was injecting code at build time, basically. So it wasn’t something that they could detect through code reviews. It was actually being added as part of the build process. And by inference they had pretty good control, at least they assert they had good control, over their
jerry: source code, but they did not have good control over the build process. And in the article they go through the security uplifts they’ve made to their build process, which are quite interesting. I would describe it as they have three parallel build channels that are run by three different teams.
jerry: And at the end of, at the [00:04:00] end of each of those, there’s a comparison. And if they don’t match, if the, they call it a deterministic build. So their security team does one, a DevOps team does another, and the QA team does a third, all building
jerry: the same set of code. They should end up with the same final product. All of the systems are central to themselves. They don’t commingle. They don’t have access to each other’s. So there should be a very low opportunity for an adversary to have access to all three
jerry: environments and do the same thing they did without being able to detect it at the end, when they do the comparison between the three builds. Whether it’s a novel approach, I hadn’t thought about it. It seems.
jerry: My first blush was, it seemed excessive, but the more I think about it, it’s probably not a huge amount of [00:05:00] resources to do, so maybe it makes sense.
Andy: Yeah.
Andy: And also, they mentioned that three different people are in charge of it. And so to corrupt it, or somehow inject into all three, would take somehow corrupting three different individuals, somehow some way.
jerry: Yeah, they would have to clue the three teams would have...
Links:
justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity
us-cert.cisa.gov/ncas/alerts/aa22-187a
zdnet.com/article/these-are-the-cybersecurity-threats-of-tomorrow-that-you-should-be-thinking-about-today
jerry: [00:00:00] Alright, here we go. Today is Sunday, July 10th, 2022. And this is episode 267 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andy: Good evening, Jerry, how are you? Good, sir.
jerry: I’m doing great. How are you doing?
Andy: I’m good man. It’s hot and steamy in Atlanta. Tell you that much.
jerry: Yeah. I’ve been back for a month from my beach place. And I think today’s the first day that we’ve not had a heat advisory. [00:01:00]
Andy: Yeah, that’s crazy.
jerry: which it has been brutally hot here.
Andy: Now, when you say beach place, you might have to be more specific, cause you’ve got one like seven beach houses now.
jerry: Well, the Southern most beach house. Yes.
Andy: Yeah. One is the Chateau. One’s technically a compound.
jerry: One’s an island,
Andy: that’s.
Andy: We’re going to have to probably name them because. They’re tough to keep straight.
jerry: They definitely are. Yup.
Andy: But I, for one, appreciate your new land baroness activities. And look forward to
Andy: Jerry Landia being launched and seceding from the United States.
jerry: Hell. Yeah. That’s right.
Andy: I’ll start applying for citizenship whenever I can.
jerry: Good plan. Good plan. All right. A reminder. We should probably already said this, but the thoughts and opinions we expressed on the show are ours and do not represent those of our employers.
Andy: But for enough money, they could
jerry: Yeah. Everything is negotiable. [00:02:00] All right. A couple of really interesting stories crossed my desk recently, and the first one comes from the US Department of Justice of all places. And the title here is Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations
jerry: of Cybersecurity Violations in Federal Government Contracts. So the story here is that there’s this act, as you could probably tell by the title, called the False Claims Act, that permits an employee of a company who specifically does business with the US government to sue the company under the False Claims Act, claiming that the company is misrepresenting itself in the execution of its contracts. And if that [00:03:00] lawsuit is successful, the person making the allegation, basically it’s a whistleblower kind of arrangement, the person making the allegation gets a cut of the settlement. And so in this particular case the whistleblower received $2.61 million dollars of the $9 million.
Andy: Wow. So his company. In theory was lying on their security controls. And he found out about it or knew about it. And was a whistleblower. About it is getting 2.61 million.
jerry: Correct. Correct.
Andy: Have to go check everything in my company. I’ll be right back.
jerry: I’m guessing that his lawyers will probably take about 2 million of the 2.61, but, Hey, it’s still.
jerry: still. money, right?
Andy: That’s crazy. It reminds me, it’s probably a lot of our listeners are too young for this, but. The days of the business software Alliance about turning in your employer for using pirated software, that you could get a cut of that, but not in the you [00:04:00] know seven figure range.
jerry: Yeah, this is really quite interesting. And what’s more interesting is that there is apparently some indication that the US government may expand the scope of this to include non government contracts, including perhaps even public companies under the jurisdiction of the Securities and Exchange Commission. I don’t think that’s ah codified yet.
jerry: Probably just ah hyperbole at this point, but holy moly. It really really drives home the point that we need to, do what we say and say what we do.
Andy: So what were the gaps or what were the misses that they said they had.
jerry: I have done a little bit of searching around. I didn’t go through all of the details in that case. Because it was a settlement, there may not be actual details available, but I’ve not been able to find the specific details of what they were not doing.
Andy: Yeah. did [00:05:00] go and I cause. I was very curious about this and did do a bunch of searching and found some summaries of the case and some of the legal documentations, and it looks like. The best I was able to get into is there was a matrix of 56 security controls. Or something around those lines, don’t quote me on that and that the company only had satisfactory coverage of five to 10 of them.
jerry: Oh, wow.
Andy: And there was another one where they did a third-party pen tests who got ...
thehackernews.com/2022/06/conti-leaks-reveal-ransomware-gangs.html?m=1
bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems
doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
Okta says hundreds of companies impacted by security breach | TechCrunch (techcrunch.com/2022/03/23/okta-breach-sykes-sitel)
Okta: “We made a mistake” delaying the Lapsus$ hack disclosure (bleepingcomputer.com) (bleepingcomputer.com/news/security/okta-we-made-a-mistake-delaying-the-lapsus-hack-disclosure)
Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code | TechCrunch (techcrunch.com/2022/03/23/microsoft-lapsus-hack-source-code)
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction – Microsoft Security Blog (microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction)
Sabotage: Code added to popular NPM package wiped files in Russia and Belarus | Ars Technica (arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/2)
President Biden Signs into Law the Cyber Incident Reporting Act (natlawreview.com) (natlawreview.com/article/president-biden-signs-law-cyber-incident-reporting-act-imposing-reporting)
SEC Proposes Rules On Cybersecurity Risk Management, Strategy, Governance, And Incident Disclosure By Public Companies – Technology – United States (mondaq.com) (mondaq.com/unitedstates/security/1173760/sec-proposes-rules-on-cybersecurity-risk-management-strategy-governance-and-incident-disclosure-by-public-companies)
Malware now using NVIDIA’s stolen code signing certificates (bleepingcomputer.com) (bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates)
NSA report: This is how you should be securing your network | ZDNet (zdnet.com/article/nsa-report-this-is-how-you-should-be-securing-your-network)
helpnetsecurity.com/2022/02/11/cloud-security-training
bankinfosecurity.com/massive-breach-hits-500-e-commerce-sites-a-18492
darkreading.com/cloud/linux-malware-on-the-rise-including-illicit-use-of-cobalt-strike
darkreading.com/attacks-breaches/google-cuts-account-compromises-in-half-with-simple-change
bleepingcomputer.com/news/security/fbi-shares-lockbit-ransomware-technical-details-defense-tips
csoonline.com/article/3648991/dhs-announces-the-creation-of-the-cyber-safety-review-board.html
darkreading.com/application-security/disclosure-panic-patch-can-we-do-better-
blog.f-secure.com/insight-from-a-large-scale-phishing-study
darkreading.com/attacks-breaches/log4j-proved-public-disclosure-still-helps-attackers
csoonline.com/article/3647756/how-to-prioritize-and-remediate-vulnerabilities-in-the-wake-of-log4j-and-microsofts-patch-tuesday-b.html
csoonline.com/article/3646613/cybercrime-group-elephant-beetle-lurks-inside-networks-for-months.html
zdnet.com/article/when-open-source-developers-go-bad
bleepingcomputer.com/news/microsoft/microsoft-resumes-rollout-of-january-windows-server-updates
arstechnica.com/gadgets/2021/07/feds-list-the-top-30-most-exploited-vulnerabilities-many-are-years-old
securityweek.com/hospital-network-reveals-cause-2020-cyberattack
csoonline.com/article/3628331/recent-shadow-it-related-incidents-present-lessons-to-cisos.html
natlawreview.com/article/another-court-orders-production-cybersecurity-firm-s-forensic-report-data-breach
secureworld.io/industry-news/ciso-lawsuit-solarwinds
blog.erratasec.com/2021/07/ransomware-quis-custodiet-ipsos-custodes.html?m=1
databreachtoday.com/how-mespinoza-ransomware-group-hits-targets-a-17086
krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-backups
arstechnica.com/gadgets/2021/07/kaseya-gets-master-decryptor-to-help-customers-still-suffering-from-revil-attack
securityweek.com/continuous-updates-everything-you-need-know-about-kaseya-ransomware-attack
databreachtoday.com/kaseya-raced-to-patch-before-ransomware-disaster-a-17006
databreachtoday.com/cisa-firewall-rules-could-have-blunted-solarwinds-malware-a-16919
wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told
bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco
zdnet.com/article/hackers-are-trying-to-steal-admin-passwords-from-f5-big-ip-devices
csoonline.com/article/3564726/privilege-escalation-explained-why-these-flaws-are-so-valuable-to-hackers.html#tk.rss_all
arstechnica.com/information-technology/2020/06/theft-of-top-secret-cia-hacking-tools-was-result-of-woefully-lax-security
databreachtoday.com/insider-threat-lessons-from-3-incidents-a-14312
zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software
zdnet.com/article/ransomware-mentioned-in-1000-sec-filings-over-the-past-year
bankinfosecurity.com/attackers-increasingly-using-web-shells-to-create-backdoors-a-14179
bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-los-angeles-county-city-leaks-files
bankinfosecurity.com/blogs/learn-from-how-others-get-breached-equifax-edition-p-2870
zdnet.com/article/microsoft-how-one-emotet-infection-took-out-this-organizations-entire-network
microsoft.com/security/blog/wp-content/uploads/2020/04/Case-study_Full-Operational-Shutdown.pdf
businessinsider.com/coronavirus-apple-secrecy-work-from-home-difficult-2020-3
csoonline.com/article/3531963/8-key-security-considerations-for-protecting-remote-workers.html
zdnet.com/article/microsoft-99-9-of-compromised-accounts-did-not-use-multi-factor-authentication
zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong
sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf
businessinsider.com/phishing-scams-getting-more-sophisticated-what-to-look-out-for-2020-2#hackers-will-start-by-targeting-low-level-employees-then-moving-laterally-to-compromise-executives-accounts-1
krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months
clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf
zdnet.com/google-amp/article/new-york-state-wants-to-ban-government-agencies-from-paying-ransomware-demands
bankinfosecurity.com/nist-drafts-guidelines-for-coping-ransomware-a-13679
arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage
bankinfosecurity.com/doppelpaymer-ransomware-threatens-to-dump-victims-data-a-13683
securityweek.com/court-approves-equifax-data-breach-settlement
infosecurity-magazine.com/news/equifax-breach-settlement-could
natlawreview.com/article/ico-issues-fine-against-national-retailer-security-failings
inews.co.uk/inews-lifestyle/travel/travelex-hack-cyber-attack-ransomware-sodinokibi-travel-money-uk-firm-data-breach-explained-1358454
securityaffairs.co/wordpress/96046/hacking/microsoft-rdp-brute-force-study.html
zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays
arstechnica.com/information-technology/2019/11/hackers-paradise-louisianas-ransomware-disaster-far-from-over
csoonline.com/article/3488816/how-a-nuclear-plant-got-hacked.html
csoonline.com/article/3454443/how-a-bank-got-hacked-a-study-in-how-not-to-secure-your-networks.html
csoonline.com/article/3452747/what-you-need-to-know-about-the-new-owasp-api-security-top-10-list.html
securityweek.com/pci-dss-compliance-between-audits-declining-verizon
krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks
arstechnica.com/information-technology/2019/10/the-count-of-managed-service-providers-getting-hit-with-ransomware-mounts
zdnet.com/article/city-of-johannesburg-held-for-ransom-by-hacker-gang