THE CYBYR.COM BLOG
This is a Blog Page covering in-depth analysis of hot topics, controversial ideas and opinions in cybersecurity, networking and AI. (Updated Sept 19th)
See also the breaking news page covering around ten of the top news items each month.
Covered on this page:
- NaaS: A room full of elephants
- GenAI: Show me the intelligence
- National Public Data’s exposure of roughly 3 billion personal-data records now holds the record. Privaterecords (MC2) is a close second.
- CrowdStrike/Microsoft: the biggest IT disaster of all time? Estimated to have cost $5.4bn.
- Did AT&T open Pandora’s Box?
- NIST’s Cybersecurity Framework has been lauded. We explain why we have a very different view to others about this.
- How and why the Securities and Exchange Commission is attempting to bring accountability globally
- The now infamous breach of the MGM hotel chain shows what happens when you don’t implement holistic cybersecurity.
A Huge Opportunity | A Room Full of Elephants |
Network as a Service | Developing Story (September 2024): NaaS represents a huge opportunity, but there are five elephants in the NaaS room. |
Discussion | Intelligence Reality Check |
Generative AI | Ahead of several AI networking events there are a number of discussion points: threats, accuracy, costs, value, adaptability to changing data, and the integration of networking and security concepts. From a security perspective the most promising is the potential removal of the lateral-movement attacks that drive ransomware; there are many more, and they will be developed here. This particular blog is about the myth of the word “intelligence” in AI, a.k.a. “the intelligence fantasy.” In previous iterations of AI, human-learned experience and judgements about the future were definitely present. GenAI and CoPilot have some great aspects: aggregating information and providing instant answers to questions such as “how do I do X,” “how do I rework code from language X to language Y,” and other training-type questions such as “what are the top XDR products?” That’s all great, very useful, and there’s nothing wrong with it (except when it doesn’t give a valid answer). However, it does not display actual intelligence as we know it; i.e. it lacks critical qualities of real intelligence.
Sure, it’s very useful, I use it all the time, but intelligent it ain’t. Agree? Disagree? Thoughts on what GenAI really should have been called? When I have written knowledge-based systems in the past, I programmed my personal experience, judgements and knowledge into them as the basis for recommendations and for measuring success. Could GPT take such data as input? Possibly. More on AI networking in October 2024. |
In Depth Analysis | National Public Data |
Biggest-ever theft of personal data, and one month later the silver medal goes to MC2 (a.k.a. … | August 2024: CrowdStrike’s “biggest ever” didn’t last for long. National Public Data, a service provided by Jericho Pictures of Florida, revealed that almost 3 billion data records had been stolen, first by the actor “USDoD” over the preceding several months, and the exposure was then made worse by the hacker “Fenice,” who leaked the full set: 3 billion records with personal details including full names, addresses, SSNs in plain text and 130 million unique email addresses. This is a massive story, easily the biggest theft of personal data of all time. Visit pentester.com to see if your information is included; you will likely see addresses you don’t even remember having lived at. Good grief! More to follow on this, but once you have confirmed your personal data is there, review your bank accounts, then lock or freeze your credit at the three bureaus. Freezes are free, but they only protect your credit, not your existing accounts. Yes, your historical data is there, but there is a question over the validity of all of it, so this is to be continued. There’s lots of coverage: Troy Hunt’s HIBP, BleepingComputer, etc.
Update: weeks later there is not a mention of the incident on the NPD website. I suspect they would claim that it’s all public information anyway and that plenty of other search facilities are available. No surprise that many class-action lawsuits have been filed.
September 2024 update: Cybernews revealed that “background check firm MC2 (privaterecords.net) leaked 106,316,633 records containing private information about US citizens, raising serious concerns about privacy and safety.” Estimates suggest that at least 100 million individuals were affected by this massive leak. Beyond the fields in the NPD leak above, the exposed data included IP addresses, email addresses, encrypted passwords, employment history, property and legal records and much more. In addition, 2.3 million MC2 subscribers had their details exposed. |
News Analysis | CrowdStrike/Microsoft Chaos |
And the winner of the biggest IT disaster of all time goes to … | A systemic supply-chain failure appears to be the cause of a major and costly outage on July 18/19th: an example of software created to prevent attacks doing more damage than any attack. Several updates: once again, trust without verification was likely the cause of a major worldwide outage. The update to CrowdStrike’s “Falcon Sensor” extended detection and response software was seemingly not developed or regression-tested with integrity. The faulty update immediately crashed roughly 8 million Windows machines into a boot loop, and each one had to be recovered by hand. Any testing that loaded the update on a representative machine as part of the release process should have surfaced this before it shipped. Although reported as a “cyber outage,” this is only a cyber incident in the sense that the failing software is a security product: to detect attacks it runs at the highest privilege level, inside the Windows kernel, so unlike a regular application its failure takes the whole OS down. Apologies from CrowdStrike’s CEO, George Kurtz, are all well and good, but 26,000 affected companies, telecom outages, thousands of machines needing BitLocker recovery keys entered before they could be repaired, media and hospital outages, stock-exchange closures, and hundreds of other stories are the reality. It makes us all question the wisdom of trusting automatic updates, which have been strongly advocated here and everywhere else as a key defense. Mr. Kurtz has been summoned to testify to Congress. It also calls into question the seemingly weak verification systems that should be contractually required to protect both customers and suppliers as a joint responsibility. This is not dissimilar from the Snowflake/AT&T issue covered in #76. Let’s hope these lessons will be learned soon. Let’s face it: it could have happened to anyone.
Updates continue… Finally, CrowdStrike’s President accepted the “Epic Fail of the Year Award” at the DEF CON event in Las Vegas in August and said it will be on display at headquarters as a lesson for all “CrowdStrikers”; now that was a touch of class. P.S. (September 2024): at a “why can’t we all get along” event in mid-September, Microsoft magnanimously appeared to provide guidance for companies such as CrowdStrike, without Microsoft itself taking any responsibility for not collaborating with suppliers to ensure that such “proper” processes were being followed. Until platform owners and distributors like Microsoft do that, it’s going to happen again. |
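The analysis above argues for verification before trust and against blind, fleet-wide automatic updates. As an added example (not CrowdStrike’s, Microsoft’s or this blog’s code), the Python below shows the two gates that a customer-side update pipeline can put in front of a third-party agent: an integrity check of the update blob against a vendor-published digest, and a staged rollout that widens only while crash telemetry from the canary ring stays below a threshold. The point a practitioner should take from it is that the first gate would pass an authentic-but-broken update; only the second limits the blast radius. The fleet, the telemetry callback, the ring sizes and the 0.5% threshold are all constructed assumptions, not any vendor’s real policy.

```python
"""Verify-then-stage gate for a third-party agent update.

Added example for this blog; it is not CrowdStrike's, Microsoft's or cybyr.com's code.
Two checks that "trust without verification" skips:
  1. Integrity: refuse a blob whose SHA-256 does not match the digest the vendor
     published out of band (a signed manifest in practice; the digest is assumed here).
  2. Behaviour: push the update to a small canary ring first, watch crash telemetry,
     and only widen the rollout while the crash rate stays under a threshold.
Check 1 alone does NOT stop an authentic-but-broken update; check 2 limits the damage.
Fleet, telemetry, ring sizes and threshold are constructed assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence

# Rings as cumulative fraction of the fleet (assumed values): 1% canary, then 10%, then all.
RINGS = [("canary", 0.01), ("early", 0.10), ("broad", 1.00)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(update_blob: bytes, expected_sha256: str) -> bool:
    """Integrity gate. compare_digest avoids leaking the digest via timing."""
    return hmac.compare_digest(sha256_hex(update_blob), expected_sha256)


@dataclass
class RolloutResult:
    accepted: bool                      # False: manifest check failed, nothing deployed
    halted_at: Optional[str]            # ring whose telemetry tripped the gate, or None
    updated_hosts: List[str] = field(default_factory=list)
    crash_rates: Dict[str, float] = field(default_factory=dict)


def staged_rollout(hosts: Sequence[str], update_blob: bytes, expected_sha256: str,
                   crashed_after_update: Callable[[str], bool],
                   max_crash_rate: float = 0.005) -> RolloutResult:
    """Deploy ring by ring; stop widening as soon as a ring's crash rate exceeds the threshold.

    crashed_after_update(host) stands in for the telemetry feed (did the host check back
    in healthy after applying the update?). Hosts in rings never reached keep the old version.
    """
    if not verify_manifest(update_blob, expected_sha256):
        return RolloutResult(accepted=False, halted_at=None)

    result = RolloutResult(accepted=True, halted_at=None)
    done = 0
    for ring_name, cumulative in RINGS:
        # Each ring gets at least one host and never runs past the end of the fleet.
        target = min(len(hosts), max(done + 1, int(len(hosts) * cumulative)))
        batch = hosts[done:target]
        done = target
        if not batch:
            break
        crashes = 0
        for host in batch:
            result.updated_hosts.append(host)
            if crashed_after_update(host):
                crashes += 1
        rate = crashes / len(batch)
        result.crash_rates[ring_name] = rate
        if rate > max_crash_rate:
            result.halted_at = ring_name   # remaining rings keep the previous version
            break
    return result


# ---- constructed scenario -------------------------------------------------------------
FLEET = [f"host-{i:04d}" for i in range(1000)]
BAD_UPDATE = b"sensor-content-v2 (constructed: authentic but crashes the agent on load)"
BAD_DIGEST = sha256_hex(BAD_UPDATE)   # assume the vendor published exactly this digest


def always_crashes(host: str) -> bool:
    """Constructed telemetry for the worst case: every host that loads the update crashes."""
    return True


if __name__ == "__main__":
    # Tampered blob: fails integrity, zero hosts touched.
    print(staged_rollout(FLEET, BAD_UPDATE + b"\x00", BAD_DIGEST, always_crashes).accepted)
    # Authentic but broken: integrity passes, the canary ring halts it after 10 hosts.
    r = staged_rollout(FLEET, BAD_UPDATE, BAD_DIGEST, always_crashes)
    print(r.halted_at, len(r.updated_hosts), r.crash_rates)
```

In the constructed worst case the canary ring stops the rollout after 10 of 1,000 hosts; the same logic with a real health-check feed is what keeps an update that passes every signature check from taking down the whole fleet at once. The threshold and ring sizes should be tuned to how quickly your agents report back, since a ring that is promoted before its hosts have rebooted is no gate at all.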
News Analysis | AT&T Massive Breach |
Massive Breach Revealed – but why now? – July 2024 |
The strange thing about this story is that it’s suddenly news. The question is why? The breach of AT&T’s environment at the cloud data giant Snowflake, which took place in April this year, resulted in the theft of the call and text records (metadata, not content) of “nearly all” AT&T customers for a six-month period in 2022, as reported by TechCrunch. That is on top of earlier AT&T breaches that have been known for some time. So why cover it again, unless there is new, unrevealed information? Embarrassing as all this must be for those at AT&T responsible for customer retention, it appeared to be no coincidence that these disclosures came on the same day the SEC further strengthened its breach-reporting regulations, as reported by Mintz; the timing looks like an attempt to ward off potential legal action. Something doesn’t seem quite right here. But wait, there’s more … It turns out that it was the DOJ that told Scripps News that this incident “met the standard” warranting a delay in releasing information about it, because it posed a “substantial risk to national security and public safety.” And AT&T was not the only company breached in the Snowflake “incident,” which turns out to boast the unenviable distinction of being the largest breach ever. Looking into this a bit more, I think that anyone who was called by someone with an AT&T service during that breach period is now open to a deepfake attack, because the records of both the caller and whom they called were stolen. I.e. it’s not just AT&T customers who are at risk but pretty much everyone. Scenario: someone (say person A) in your contact list calls you, so you pick up. (They are in your contact list because they called you previously; the attacker knows they called you, and you don’t even have to be an AT&T customer.) Beforehand the attacker called person A and built a voice clone from their voicemail greeting. It’s official: you are now toast.
One example of many might be: “Hi Mark, John here. I have something big to celebrate. I want to buy you dinner. Meet me at Spago’s at 7.30. I have a table reserved. It’s a surprise, see you there!” (Now that you are out of the house, we’ll pop by and steal everything.) Another might be: “It’s your father, I’m in trouble and I need your help.” Please tell me I’m wrong about this. |
News Analysis | Analysis of the NIST Cybersecurity Framework 2.0 |
NIST Publication of February 2024. | Drafted in mid-2023 and published in February 2024, it has had plenty of coverage. It is covered here because our view differs from others’. There is definitely a need for such a framework, but CSF 2.0 appears not to address that need, as explained below.
Its abstract states: “It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.”
No Framework
There is no guidance in any of the six Functions or the 106 Subcategories of the document. Rather than a framework, it reads as a commentary on what you did or should have done (note the past tense) in order to reduce risk. While it is out of scope to describe how to implement defenses, it must surely tell you what to do rather than offer motherhood statements about what should have happened. For instance, “Continuous evaluation is applied to identify improvements” or “Identities and credentials for authorized users, services, and hardware are managed by the organization.” What, who and how? The whole document is missing any kind of detail.
No Actions, No Methodology
Next, these commentaries are made in the vaguest and highest-level statements, which give no indication of how they should be achieved.
Organizational Areas Not Covered
2023-2024 Cybersecurity Topics Not Covered
Threats Not Addressed |
News Analysis | Securities and Exchange Commission Requirements and Opportunities |
A deeper look at the SEC rules. March 2024 | This is an ongoing look at the Securities and Exchange Commission reporting rules and responsibilities that came into effect in December 2023, their relationship with the White House National Cybersecurity Strategy, and their impact on US and international business operations. The rule requiring reporting of cybersecurity incidents that could reasonably be expected to have a material impact on investors is just the beginning. It turns out that the SEC regulation requiring public companies to disclose material breaches via a Form 8-K filing within four business days can be delayed on national-security or public-safety grounds, but only on a determination by the US Attorney General, with the FBI acting as the intake point. I.e. four days can turn into 60, subject to that determination, or even 120 if the incident is deemed a “substantial risk” to national security or public safety. However, it doesn’t stop there: each time further material information about the attack emerges, that too must be reported within four business days. This sounds like an opportunity for political manipulation, but it is likely better than what we had before. More in this Bank Info Security article. Annual disclosure requirements also require disclosing the kinds of expertise and procedures that are in place to defend against cyberattacks, describing whether programs are managed directly or via third parties. How incidents are managed will reveal much about the quality of the organization’s cybersecurity program and, more importantly, the quality of its operations. It begins to be obvious that these disclosures can create a huge competitive advantage if managed well. In terms of defense, this level of governance can deflect liability to third parties if responsibility is properly managed. Although the final version of the rule did not require cybersecurity expertise on the board, that does not mean responsibility for cybersecurity can be abdicated to a third-party service, software, security or indeed any other third party in a supply chain.
Liability will depend on the reasonable and documented steps taken to protect the organization, its customers and its investors. |
News Analysis | In Depth on the MGM Resorts Breach |
Whatever happened at MGM? This story began in 2023, but the ramifications persist into 2024. |
The reason the MGM story holds our attention is the lessons that can be learned. It’s tricky, because the hotel chain is saying very little. More than two weeks after the incident, access to accounts and room booking was still offline. Four weeks later the MGM site allowed you to log in, but some information seemed to be missing. On October 6th MGM stated that losses for the third quarter were around $100m. MGM also revealed that records of any transactions conducted from ???? to 2019 were stolen. Bear in mind that this is not just bank, Social Security and date-of-birth information but gaming records that may have fallen into the wrong hands. Eventually MGM said that no ransom was paid. Interesting. The following shows how events panned out and looks at thirteen (no unlucky gaming pun intended) areas that could be questioned, for you to check in your own organization. |
What could possibly go wrong? | The massive breach of the MGM hotel chain (31 properties), which disabled everything from room-key entry, room bookings and casino machines and payouts to their website, will cost them millions. However, the bigger risk may be the loss of personal data stored in their MLife system about anyone who stayed at any of their properties and provided credit card, email, bank or Social Security details. Typically your bank (I checked with mine) would block any attempt to directly remove funds that did not come from a merchant approved for a direct debit (e.g. a mortgage company, gas or phone company) and would raise a security alert; that applies equally to compromised MGM data and to any other merchant with whom you have direct debits. This is not the first time MGM has been breached: four years ago the MLife database was compromised, but it sounds as though the lessons were not learned or the weak links not strengthened. This time the FBI has been called in, and maybe they can “help” MGM “learn.” Caesars Palace also admitted being hacked and paid a multi-million-dollar ransom to avoid sensitive customer data being exploited. Meanwhile, MGM made a weak statement about the situation, with not a word about the exposure of extremely sensitive customer gaming records, which were possibly the real and most lucrative target for the attackers! |
Speculating on the cause | “vx-underground” on X reported that the cause may have been social engineering exploited by the ALPHV group. This was later denied in a strange message posted by the hackers. Not only that, but vx-underground were themselves taken offline by a denial-of-service attack, presumably as a warning to others. |
The scramble to avoid SEC retribution | Next, MGM filed an 8-K on the outage under the new SEC rule (how could they not?). For everyone, the breach is another wake-up call to anyone who does not understand the importance of holistic cybersecurity: it’s not just the largely unverified IT software, it’s the whole organization. The lack of an insider-threat strategy, of social-engineering monitoring, of Zero Trust thinking and of a meaningful third-party software verification system just doesn’t cut it any more. The juggernaut of the SEC is coming. The good work of CISA’s Secure by Design and Default initiative (April 2023) is welcome, but it would not have come close to preventing the MGM incident; neither would the government’s upcoming secure-software self-attestation requirement. |
What a surprise | It didn’t take long for class-action lawsuits to be filed: several Las Vegas attorneys have filed against both hotel chains. |
Avoiding the same fate |
As we said, the reason the MGM story holds our attention is the lessons that can be learned. Frankly, it’s not unique. It’s all rumor, but if the hack really began with employee credential theft, then the questions begin for them, and the question for anyone reading this is: “are you avoiding all of these problems?” Addressing every one of these might have prevented the MGM situation, and they should be adopted by your organization: |
Some Questions to be Asked and Actions for You to Consider |
Okay, it was a long list, and there’s probably more. Any one of these protections could have prevented the incident. The question is: do you have all of them in place in your organization? |