Security Weekly News Episode #59 - August 25, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
This week, Dr. Doug talks Zoom crash, Apple insecurities, Dharma, MITRE, Elon Musk is about to eat your brain, and Jason Wood returns with Expert Commentary on Ex-Uber chief security officer charged, accused of covering up theft of personal info from databases by hackers!
Doug White's Content:
- Zoom Crashes on Monday Morning.
- Dharma Ransomware facilitates Iranian script kiddies and ransomware development for all.
- Google patches CVE-2020-6492 this week.
- Unpatched security vulnerability in Safari.
- Snyk finds an SDK vulnerability in 1200 iOS apps.
- CISA AC-00131-TT Golden Tax System Update.
- AG Barr vehemently opposed to a pardon for Edward Snowden.
- MITRE Shield, Active Defense Matrix.
- Elon Musk is going to plug in your brain.
Jason Wood's Content:
You may recall when Uber suffered a security breach back in 2016 and there was a scandal in the news about Uber paying the attackers $100,000 to cover the incident up. What you may not know is that the effects of this intrusion are still rippling out four years after the events. Joe Sullivan, the former CSO for Uber, was formally charged last week with crimes relating to the breach. He faces charges of obstruction of justice and misprision (or the deliberate concealment of one's knowledge of a treasonable act or a felony) in US federal court. He faces five- and three-year prison sentences and a maximum of $250,000 for each charge.
Sullivan's trouble is not due to the security breach itself, but how he and then-CEO Travis Kalanick handled the breach. Uber was fresh off of a security intrusion in 2014 when the 2016 breach occurred. Extensive PII was disclosed as part of the breach. Sullivan was understandably upset about this, but instead of disclosing the intrusion to the FTC, privacy regulators in California and the FBI, he allegedly made extensive efforts to cover it up. The intruders were paid $100,000 in bitcoin and required to sign NDAs saying they would not disclose information about the breach. (Did they expect the intruders to honor this? Really?) Sullivan and Kalanick agreed to disguise the payment as a bug bounty, instead of an intrusion.
This actually starts to feel like a Shakespearean tragedy here, as Sullivan appears to have had a solid career going and had worked for the US District Attorney for Northern California, the same office that charged him with the crimes. Did you ever get in trouble as a kid for lying to cover up something stupid that you did? This is the same thing, but on a grander scale. Yes, I would have gotten in trouble for what I did, but I got in way more trouble for lying about it. Sullivan did the same thing and now faces the end of his career, prison time, extensive fines, and his reputation is now wrecked.
This brings me to the point for all of us in InfoSec. We have the potential to run into very bad news and no one wants us to share it. But there are definitely legal requirements now for us to do so. Covering it up causes way more trouble than it is worth. While it may be very tempting in the moment to not say anything, we can't give in to that. I haven't been faced with something this serious in my career, but I have had some really uncomfortable situations occur. Once I had to face off with a CTO I worked for over some due diligence work we were doing. It was uncomfortable and I was very aware that this might cause me some immediate job repercussions and financial difficulty. Fortunately, we worked it out. Regardless, I'm sure many of you have been in or know of folks who have been in similar situations. This story about Mr. Sullivan is a reminder to all of us that giving in to immediate pressures may cause us much greater trouble later.