Unsupervised Learning Newsletter NO. 324

News & Analysis

MEMBER EDITION  | EP. 324 | FEB 28 2022

SECURITY NEWS

LAPSUS$:

  • Microsoft and Okta acknowledged that they were hit by an extortion-focused hacking group called LAPSUS$. More

  • The group has also hit many other companies, including NVIDIA, Samsung, and Vodafone.

  • Initially called a "ransomware" group, this group has specifically focused on stealing data like source code and then trying to get the company to pay them to not release it.

  • Okta is taking reputation damage for knowing about the issue earlier (January) and being slow to 1) respond, and 2) advise their customers and the public. More

  • Their main attack vector seems to be social engineering—specifically, bribing or tricking insiders to share cookies for logged-in sessions with internal systems. This is extremely scary because it bypasses so many infosec controls that companies have in place.

  • Brian Krebs says the group has been acquiring insiders since November of 2021. More

  • Microsoft says the group has also used SIM Swapping to gain access to key accounts.

  • A 16-year-old from Oxford, England has been identified as the ringleader for LAPSUS$, and City of London police say they've arrested 7 teenagers associated with the group. More

LAPSUS$ Analysis:

  1. The biggest takeaway for me on this is the targeting of insiders with bribes and tricks to attain their access to internal systems. I predicted this would happen years ago and was wrong. Perhaps this will break that attack vector wide open, which will place significant focus on company Insider Threat programs.

  2. There's a separate conversation blowing up on InfoSec Twitter talking about how this is a bunch of teenagers with no official training, and how this is evidence that we shouldn't be gatekeeping people from getting into cybersecurity. In short, these kids could hack the planet without any official credentials, so why are we stopping people from becoming cybersecurity defenders because they don't have those same bona fides? I think that's an interesting discussion, but I think it misses the point of there being a difference between what applies to unique cases of talent vs. what's needed for the general population. If you're an infosec defender genius in the way that these kids are attacker geniuses, you also probably don't have a problem getting a job. Even without a degree or certifications. So the question isn't really about the top 5%; it's about everyone else.

The FCC has added Russian AV company Kaspersky to its bad list, saying it poses an unacceptable risk to US national security. More

The FBI says almost $7 billion was lost to cybercrime in 2021, beating 2020's record by nearly $2 billion. More

Sponsor

Hyperproof's 2022 IT Compliance Benchmark Report

For the third year in a row, Hyperproof has surveyed over 1,000 IT professionals to find out what they feel the biggest challenges in compliance are and how they plan to address them this year.

The findings showed that organizations worldwide face an unprecedented risk of data breaches and other business disruptions due to compromised systems. Learn what companies are doing to address these issues, including best practices, industry trends, and new strategies.

CISA has a website called Shields Up that it hopes will help individuals and organizations prepare themselves for cyberattack by Russia. The site includes official statements, lists of known vulnerabilities used in attacks, recommendations, and current TTPs for various threat agents. They recommend using 2FA (preferably tokens), Installing Updates, Thinking Before You Click, and Using Strong Passwords. More

Russia is considering selling oil and gas for Bitcoin. I doubt this will help crypto's reputation as a legitimate project in the eyes of regulators. More

Vulnerabilities:

  • Sophos Firewall | Critical | RCE More

  • Western Digital My Cloud NAS Devices | Root Access More


TECHNOLOGY NEWS

You can now search for doctor appointments in Google Search and click the "book" button to set an appointment. The service is provided by MinuteClinic at CVS and other unnamed scheduling services. More

The DOJ is saying Google routinely hides emails from litigation by CC'ing lawyers to get attorney-client privilege. More


HUMAN NEWS

A new study in the New England Journal of Medicine shows that immunity gained by Omicron infection is unlikely to protect you against other Covid variants, and that vaccination is advised for broader protection. More | Study

In 2020 deaths outpaced births in most US counties. Demographer Kenneth Johnson says this was unheard of in all of American history. More

Will Smith violently slapped Chris Rock in the face, live in front of millions of people at the Oscars. Rock had told a joke a few moments earlier about Smith's wife, and Smith walked up to him calmly, slapped him very hard in the face, and walked back to his chair. He then accepted an Oscar later and gave an apology. Stunning, really. Curious to see what the repercussions are. I'm not sure of my thoughts yet, but they might be that 1) it's admirable to defend your wife's honor, 2) part of honor has to be accepting the consequences, including being punished by the Oscars and being charged with assault, and 3) it's extremely dangerous to legitimize violence in the name of love. More

Apple won Best Picture for CODA, and they're the first streaming service to have done so. I've not seen it myself, but I'll definitely have a look now.


CONTENT, IDEAS & ANALYSIS

How to Disagree — A summary of Paul Graham's great piece on how to argue. More

The Actual Pronunciation of GIF, from the Creator — I've always been in the hard-g camp, but now I'm switching to "JIF" because of this. Or at least I'll try. More


NOTES

❤️ We had a fantastic book club this week. One of our best ones. Perhaps my favorite part was a discussion we had about the varied beliefs we have within the UL Community. Someone in the call mentioned they'd voted for Trump not just once, but twice. And they mentioned that the UL Community still didn't kick them out. We went on to point out that we have Russian atheists, previous militant atheists, lots of Canadians, a bunch of Europeans, and generally a pretty left-leaning group in a lot of ways—yet we all still love this guy and respect his opinions. It's a wonderful thing. And it's how the internet was supposed to work. It's how communities are supposed to work. It's how the US is supposed to work. We're supposed to be able to disagree but still respect each other, and see each other's common humanity. I'm thankful we have some sliver of that here in the UL Community. And thank you to every single one of you for being part of it.


Errata: In a previous issue I said BSI was a German cybersecurity company. It's actually more like the CISA within the US, i.e., a government organization dedicated to improving cybersecurity for the country.


DISCOVERY

Brian Krebs' deeper look at LAPSUS$ More

🔥 Who Imports the Most Russian Oil (Dataviz)? More

🔥 The Covid Datapack: Symptoms, Contagiousness, Incubation, Treatments, Mask Materials, etc. More

There are around 3 trillion trees on the planet. More

Strong hands evidently lengthen your life. Why? Because they help you fall less often. More

Bashing the Bash — Replacing Shell Scripts with Python. Cool article, but long live Bash! More

The creator of the GIF actually said it's pronounced "JIF", which makes me sad. More

[ OSINT ] ffuf 1.4 — Version 1.4 of one of the best OSINT tools out there, complete with new features and a new logo/mascot! More | Code


RECOMMENDATION

Try to schedule some extended in-person time with close friends. I got to hang out with Clint Gibler (HT TL;DRSec!) for a few hours on Sunday before book club, and it was just phenomenal. Nothing replaces spending deep time with a friend without a pressing time constraint. While we're between variants, try to get in some immersive friend time.


APHORISM

"Propaganda doesn't deceive people: It merely helps them deceive themselves."

- Eric Hoffer