Welcome to Cyber Security Today. This is the Week in Review for the Week ending Friday, October 13th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of Beauceron Security will be here to discuss recent cybersecurity news. But first a review of headlines from the past seven days:
The U.S. Securities and Exchange Commission may be opening an investigation into the vulnerability that led to the huge hacks of Progress Software’s MOVEit file transfer software. Progress Software is a publicly traded company. David and I will debate whether a financial regulator should be investigating.
We’ll also look at data thefts from the DNA testing site 23andMe, the cybersecurity talent challenges at Canada’s electronic spy agency and the cyber war between Israel and Hamas.
Related to that war, researchers at Flashpoint said organizations that need open-source intelligence into global events like this conflict should keep tabs on the Telegram instant messaging service. For example, the report said, Telegram is an essential public communications hub for Hamas and Palestinian Islamic Jihad.
Meanwhile Reuters reported that the European Union’s industry chief gave Meta Platforms 24 hours to inform him of measures taken to counter the spread of disinformation on its platforms following Hamas’ surprise attack on Israel.
Developers and administrators of web servers were warned to install patches to fix a critical zero-day vulnerability in the HTTP/2 protocol. That vulnerability led to a recent record-smashing denial of service attack.
Patches were released for vulnerabilities in the open-source cURL and libcurl libraries in many Linux distributions. cURL is used to transfer data via URLs. It was first thought the holes were critical, but experts now say they are less serious.
And American authorities issued an update on the AvosLocker ransomware gang. The report has the latest indicators of compromise for cybersecurity teams.
(The following transcript, which has been edited for clarity, covers the first of five topics we discussed. To hear the full conversation play the podcast)
Howard: Progress Software, which makes the MOVEit file transfer software, has been notified the U.S. Securities and Exchange Commission wants documents and information about what will probably turn out to be an investigation into one of the biggest application vulnerabilities and data hacks in history. At least 2,500 organizations around the world have been directly or indirectly compromised this year by hackers exploiting the vulnerability, either through their servers or the servers of their data processing providers. Personal data on perhaps as many as 64 million people may have been stolen by the Clop ransomware gang. Is it good news that a financial regulator is investigating?
David Shipley: Overall, yes, because Progress is a publicly traded company. And it’s an important signal, because a lot of Progress’ MOVEit customers affected by the breach included publicly traded firms. So it’s not only good that the SEC is investigating, it’s vital that it examine the breach responses through Progress’ client firms that are publicly traded to really understand the context around things.
Howard: This was a zero-day attack — the attackers apparently found a vulnerability the company didn’t know about — so should a financial regulator be looking into this?
David: Absolutely. I would also like to debate the zero-day aspect of this breach. It was a series of SQL injection vulnerabilities that led to this mess, and given that input sanitization is a known defence and best practice, this was a known issue. So is it really a zero-day? I know that we could debate back and forth. But to me a zero-day is something that you couldn’t easily have predicted or defended against. This really was something that should have been prevented. I think it’ll be interesting to see what, if anything, the SEC has to say about the state of Progress Software’s secure software development lifecycle – SSDLC – or just their software development lifecycle and their approach and what deficiencies may emerge from that. This could be a gold mine for other [application development] firms, more specifically the change agents inside firms trying furiously to get them to improve processes or practices in software development. If that comes to pass, the pain of this mega breach of 64 million-plus people and 2,500 organizations will at least be put to some good use.
Howard: Certainly one angle to be investigated is supply chain attacks. Many of the victim organizations were third-party data processors — but a number of them were private companies. So a financial regulator won’t likely look into that.
David: I think the SEC scope on this will likely be limited to Progress plus publicly traded client firms. But that’s not to say there won’t be critical lessons for everyone. I’m crossing my fingers that they talk about the responsibility of Progress to its MOVEit clients to have had good data management practices. These secure file transfer systems are for data transfer, not data warehousing. I wonder how many of the 64 million-plus people would have been impacted if good data governance practices and [cyber] hygiene had been in place. In some cases decades-plus worth of data that were sitting in these systems [were stolen]. Did that truly need to be in there if it was intended as a system of transfer not a system of record? And I’d love to see some grounded research that could actually dive into the facts of this breach and say that good data management could have significantly cut the scope down by half or by 80 per cent. It would be fascinating to know.
Howard: The SEC may ultimately decide that it’s not within its jurisdiction to do a cyber security investigation. I wonder if the best investigator is the U.S. Cyber Safety Review Board, which is an independent agency that can look into not only hacks of companies but third-party supply chain hacks. Listeners will recall that earlier this year this board released a report into the data theft of the Lapsus$ gang. The board would have the authority to investigate more broadly, I think, than the SEC — although I’m not sure it has the SEC’s power to subpoena documents.
David: I’m not going to complain if the Cyber Safety Review Board dives into this as well. I think the more investigation the merrier because this is where we can actually get some lessons. But given the SEC does have a role in cyber, particularly making sure that cyber security programs and risk management are appropriately governed inside publicly traded firms I think it’s fine for them to be digging around this file. If anything, maybe it’ll light more of a fire under publicly traded software developers to go, ‘Geez. Maybe we can improve our processes. Maybe we should pay attention to the lessons here. Because we don’t want an SEC investigation in our business.’
Howard: I sent a query to the Cyber Safety Review Board’s overseer, the U.S. Department of Homeland Security about whether the board is going to be investigating the MOVEit hacks. I haven’t received a reply yet.
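David's point that SQL injection is a known, defensible class of flaw is illustrated with the added Python example below. It is not part of the podcast or of Progress Software's code, and it says nothing about how MOVEit itself was exploited; the users table, its rows and the injection string are constructed for the demonstration. The same lookup is written two ways: one that splices caller input into the SQL text, and one that binds it as a parameter so the same input is treated as a plain string.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "key-alice"),
    ("bob", "key-bob"),
    ("carol", "key-carol"),
]

# A classic tautology payload: closes the quoted string and appends an always-true clause.
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, api_key) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Vulnerable: caller-controlled text becomes part of the SQL statement.

    With username = "' OR '1'='1" the statement sent to the engine is
        SELECT username, api_key FROM users WHERE username = '' OR '1'='1'
    and every row comes back.
    """
    sql = f"SELECT username, api_key FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Hardened: the value is bound as a parameter and never parsed as SQL.

    The same payload is compared literally against the username column,
    matches nothing, and returns an empty result.
    """
    sql = "SELECT username, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups against a fresh database and report the row counts."""
    conn = make_db()
    try:
        return {
            "input": username,
            "vulnerable_rows": len(lookup_vulnerable(conn, username)),
            "parameterized_rows": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("alice", INJECTION):
        print(compare(name))
```

The legitimate lookup for `alice` returns one row either way; the injected input returns all three rows from the vulnerable function and none from the parameterized one. Parameter binding, not ad hoc escaping, is the defence David describes as long established.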