This week’s Cyber Security Headlines Week in Review – January 4-8, 2021 is hosted by Steve Prentice, with our guest, Ross Young, CISO, Caterpillar Financial (LinkedIn).

Capitol breach has ‘staggering’ infosec implications (Friday)

We know that they sat in Nancy Pelosi’s chair, put their feet on her desk, and rifled through legislators’ files. But what systems and physical files did they steal, alter or destroy? Figuring it out will be a “staggering” task, cybersecurity observers noted. We should assume that “all systems and physical files were compromised, and catalog what of each” was tampered with, noted security reporter Joe Uchill. Every printer. Every copier. Every nook and cranny. Another security reporter, Marc Ambinder, noted that “Every single computer on Capitol Hill is vulnerable to a USB-mounted attack.”

Facebook will ban political ads in Georgia/bans Trump indefinitely/new hashtag rules (Thursday/Friday)

The company announced the ban would go back into effect in the state, covering ads on social issues, elections and politics nationwide. Facebook had eased up on political ad restrictions in the state starting December 16th to allow for messaging surrounding the runoff election, even as it kept in place a broader political ad ban in the wider US. On December 10th, Google fully lifted the ban on political ads it had put in place after the US election polls closed on November 3rd. Facebook will now require yet more admin review for group posts and will auto-disable comments on group posts that attract a “high rate” of hate speech or that encourage violence. Twitter has threatened Trump with permanent suspension.

Russian SolarWinds hack damage escalates (Wednesday)

Three weeks after the SolarWinds hack came to light, officials are shifting from viewing it as election-related to something more sinister, involving “backdoor” access into government agencies, major corporations, the electric grid and nuclear weapons facilities. Mark Warner, ranking member of the Senate Intelligence Committee, stated, “It keeps expanding. It’s clear the United States government missed it, and if FireEye had not come forward, I’m not sure we would be fully aware of it to this day.” Recent discoveries in this expanding crisis include that the hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on domestic surveillance; that dedicated early warning systems failed; that the government’s focus on election defense may have diverted resources and attention from the software supply chain; and that some of the compromised SolarWinds software was engineered in Eastern Europe.

Wall Street to kick out Chinese telecom giants (Monday/Wednesday)

The New York Stock Exchange (NYSE) said it will delist three Chinese telecommunications firms based on alleged links to the Chinese military. China Mobile, China Telecom and China Unicom Hong Kong have all been targeted by the Trump administration, and shares in these companies will be suspended this week while proceedings to delist them begin. The delisting is seen more as a symbolic blow amid heightened geopolitical tensions between the US and China. On Tuesday, the NYSE canceled this decision, and on Wednesday it reinstated it. The exchange will halt trading in the three as of 4pm January 11th.

Thanks to our episode sponsor, Omada

Get stakeholders on board early. Sounds simple, but the hard part is making sure everyone has the right level of information they need at the right time to do their job. So start thinking early about the needs of your CISO, the security staff, auditors, compliance officers, and intellectual property controllers. The goal is increased awareness for all which will reduce resistance for everyone. Discover how Omada can help at omada.net.

Microsoft source code accessed by SolarWinds attackers (Tuesday)

As part of its ongoing investigation into the SolarWinds supply chain attack, Microsoft discovered its systems were infiltrated “beyond just the presence of malicious SolarWinds code,” with the attackers able to view source code in a number of repositories. While able to view the code, the attackers did not gain permission to modify any code or systems. The company said it did not see any production systems or customer data accessed, or find any indication that its systems were used to attack other organizations.

UK judge denies Assange extradition to US (Tuesday)

The judge ruled that WikiLeaks founder Julian Assange cannot be extradited to the United States to face trial on charges of violating the Espionage Act. The judge ruled that extradition would be “unjust and oppressive,” citing that Assange’s mental health would put him at extreme risk of suicide if extradited to the US. The judge rejected Assange’s defense that the charges were an attack on press freedom, saying that the US brought the case in “good faith.” In 2019, Assange was charged with 17 counts of violating the Espionage Act resulting from the publication of documents provided by former U.S. Army intelligence analyst Chelsea Manning.

Google, Alphabet employees unionize (Wednesday)

The new union, dubbed the Alphabet Workers Union, will be open to employees and contractors. Although its current membership, at 227 people, is less than one-thousandth of Alphabet’s working population, its press release points out that more than half of the people who work at Alphabet companies are contract workers and therefore lack many benefits. Additionally, workers take issue with hefty payout packages to executives accused of harassment, as well as with some of the company’s government contracts, such as the one around military drone targeting.

US Army launches new bug-bounty program (Friday)

The Defense Digital Service (DDS) and HackerOne have launched a new bug bounty program that’s meant to dig out vulnerabilities in the US Army’s digital systems. Called Hack the Army 3.0, this will be the 11th bug bounty program from the DDS and HackerOne and the third one that focuses on the US Army. It runs from Jan. 6 until Feb. 17, is by invitation only, and will include cash for military and civilian participants who successfully uncover bugs.

Disgruntled, now jailed former VP hacked PPE supply for healthcare workers (Friday)

A former company vice president is facing a year and a day behind bars for disrupting shipping of crucial equipment to healthcare workers. The company, Stradis Healthcare, fired Christopher Dobbins in March 2020. But Dobbins had set up a secret, fake staff account and used it to tamper with Stradis’ electronic records. He edited more than 115,000 records and deleted over 2,300 entries. It took months for Stradis to mop up, leaving those fighting the pandemic stuck without the PPE, medical supplies, and surgical kits they so desperately needed. Dobbins will pay restitution of $221,200.