Former Uber CISO Appealing His Conviction

Joe Sullivan, Uber’s CISO during their 2016 data breach, is appealing his conviction.

Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, with withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company’s data security and privacy practices. The government argued that Sullivan should have informed the FTC of the 2016 incident, but instead went out of his way to conceal it from them.

Prosecutors also accused Sullivan of attempting to conceal the breach itself by paying $100,000 to buy the silence of the two hackers behind the compromise. Sullivan had characterized the payment as a bug bounty similar to ones that other companies routinely make to researchers who report vulnerabilities and other security issues to them. His lawyers pointed out that Sullivan had made the payment with the full knowledge and blessing of Travis Kalanick, Uber’s CEO at the time, and other members of the ride-sharing giant’s legal team…

How Attorneys Are Harming Cybersecurity Incident Response

New paper: “Lessons Lost: Incident Response in the Age of Cyber Insurance and Breach Attorneys”:

Abstract: Incident Response (IR) allows victim firms to detect, contain, and recover from security incidents. It should also help the wider community avoid similar attacks in the future. In pursuit of these goals, technical practitioners are increasingly influenced by stakeholders like cyber insurers and lawyers. This paper explores these impacts via a multi-stage, mixed methods research design that involved 69 expert interviews, data on commercial relationships, and an online validation workshop. The first stage of our study established 11 stylized facts that describe how cyber insurance sends work to a small number of IR firms, drives down the fee paid, and appoints lawyers to direct technical investigators. The second stage showed that lawyers when directing incident response often: introduce legalistic contractual and communication steps that slow down incident response; advise IR practitioners not to write down remediation steps or to produce formal reports; and restrict access to any documents produced…

SolarWinds Detected Six Months Earlier

New reporting from Wired reveals that the Department of Justice detected the SolarWinds attack six months before Mandiant detected it in December 2020, but didn’t realize what it detected—and so ignored it.

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020—but the scale and significance of the breach wasn’t immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it’s not clear why the software maker was also brought onto the investigation…

SolarWinds and Market Incentives

In early 2021, IEEE Security and Privacy asked a number of board members for brief perspectives on the SolarWinds incident while it was still breaking news. This was my response.

The penetration of government and corporate networks worldwide is the result of inadequate cyberdefenses across the board. The lessons are many, but I want to focus on one important one we’ve learned: the software that’s managing our critical networks isn’t secure, and that’s because the market doesn’t reward that security.

SolarWinds is a perfect example. The company was the initial infection vector for much of the operation. Its trusted position inside so many critical networks made it a perfect target for a supply-chain attack, and its shoddy security practices made it an easy target…

LastPass Breach

Last August, LastPass reported a security breach, saying that no customer information—or passwords—was compromised. Turns out the full story is worse:

While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

[…]

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service…

Twitter Exposes Personal Information for 5.4 Million Accounts

Twitter accidentally exposed the personal information—including phone numbers and email addresses—for 5.4 million accounts. And someone was trying to sell this information.

In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability. …

US chip maker Nvidia says hackers breached company, stole data

Hackers stole employee user logins and proprietary company data from Nvidia last week, the U.S. chip maker said Tuesday, but added that it has not seen evidence of a ransomware attack. A ransomware group known as Lapsus$ claims to be leaking Nvidia data. “We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict,” a company spokesperson said. “We are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online.” The spokesperson did not answer questions about a Telegraph report that the incident partially shut down operations for two days. Nvidia says it has notified law enforcement about the Feb. 23 breach, contacted cyber incident response experts and bolstered its defenses. It was a tumultuous February for the company. On Feb. 7, with regulatory hurdles mounting, the company […]

The post US chip maker Nvidia says hackers breached company, stole data appeared first on CyberScoop.

State Department sounds alarm over Red Cross breach

The U.S. State Department said the hack of the International Committee of the Red Cross last month was a “dangerous development” that has harmed the organization’s family re-unification mission. The commentary from Foggy Bottom comes in response to a Jan. 19 announcement from the Red Cross that a cyberattack compromised personal data for more than half a million people from at least 60 Red Cross and associated Red Crescent national organizations across the globe. “Targeting the Red Cross and Red Crescent Movement’s sensitive and confidential data is a dangerous development,” said Ned Price, a spokesman for the State Department. “It has real consequences: this cyber incident has harmed the global humanitarian network’s ability to locate missing people and reconnect families. This is why it is so vital that humanitarian data be respected and only used for intended purposes.” Price also called on other nations to join the State Department and […]

The post State Department sounds alarm over Red Cross breach appeared first on CyberScoop.