🎓 Vulnerable U: #024

Threat Modeling for Depression, Teen Hackers Breach Tech Firms, Rapid7 Layoffs, and Hackers Rig Casino Card-Shuffling Machines

Read Time: 5 minutes

Howdy friends!

Writing to you from my hotel room in Las Vegas. I’m out here for BlackHat and DEFCON. I’m exhausted from all the socializing and walking miles of hotel floors a day, but its fantastic to see so many friends. I’ve even met a few folks who told me they love the newsletter randomly which absolutely made my week.

Decided to do a side by side of last year’s Blackhat to this years. A year of sobriety, and working with an amazing health and fitness coach has really been life changing.

Sneak Peak at the Blog of the Week:

Cybersecurity uses threat modeling to identify potential risks, vulnerabilities, and attack vectors within complex systems. This proactive approach allows fortification of defenses and safeguard against potential breaches or cyber-attacks. But what if we could apply this same concept of threat modeling to mental health, specifically focusing on the enigmatic and often debilitating condition some of us know all too well?

In this blog, I conceptualize depression as a system, akin to a digital infrastructure susceptible to threats. We’ll explore the various components and stakeholders involved in the "depression system" and analyze how these factors contribute to the overall experience of depression. By identifying the threats that surround depression, we aim to shed light on the complexities of this condition and advocate for a more comprehensive and empathetic understanding of mental health.

The purpose of this blog is not to trivialize the profound struggles individuals face due to depression but rather to explore a perspective that might aid in reducing stigma and enhancing support systems. By drawing parallels to cybersecurity's threat modeling, I hope to provide a new framework for discussing depression, one that promotes awareness, compassion, and proactive mental health care.

In this episode:

  • Threat Modeling for Depression

  • Homeland Security report details how teen hackers exploited security weaknesses in some of the world’s biggest companies

  • Rapid7 announces sweeping layoffs

  • Hackers rig casino card-shuffling machines for “full control” cheating

  • ProtonMail Search led FBI to a suspect threatening a 2020 election official

  • EvilProxy phishing campaign targets 120,000 Microsoft 365 users

  • Microsoft Visual Studio Code flaw lets extensions steal passwords

  • CardioComm takes systems offline following a cyberattack

  • White House offers prize money for hacker-thwarting AI

  • Microsoft Bug Bounty Program Year in Review: $13.8M in Rewards

  • CrowdStrike 2023 Threat Hunting Report


🖊️ Something I wrote: Did you miss my blog last week on mental health in cybersecurity? I’ve been getting a lot of people reaching out thanking me for it which means a lot to me.

🎧️ Something I heard: As I mentioned in a few posts, clinical use of Ketamine saved my life. Imagine my excitement to see Andrew Huberman cover it on his recent podcast episode.

🎤 Something I said: Last week’s news in a new and improved format. Here’s the video! Growing a brand new YouTube is rough, appreciate any likes, subscribes, comments, shares, etc. It really helps get this off the ground.

🔖 Something I read: Things like this give me life - you have no idea how much they mean to me. On the occasion that I get to wake up to a few of these Friday morning, I know it’s going to be a good weekend.

Vulnerable News

When hacking group activity escapes our echo chamber and into the mainstream, in this case CNN, it’s always something that intrigues me. This news is about DHS investigating the Lapsus$ breaches of recent years, and calling them “teen hackers” is a bit of a downplay of their skill and persistence. The main attack vector discussed here is how easy SIM swapping is, which is true and why SMS based 2fa is frowned upon generally.

I’ll take this all a step further and state that our entire identity management system across the internet, and even SSO usage like Okta for corporations is totally broken and in need of serious disruption. I do like that .gov is pointing a finger at telcoms on SIM swapping and hopefully pressuring them to level up their verification requirements before they hand over control of your phone number to an adversary. (read more)

18% of their workforce. Over 400 employees. A lot of great security talent hitting the market if you’re hiring. This comes after NCC just laid off a ton of pentesters as well. I’m hearing its because they’ve both lost some big security testing contracts. Both NCC and R7 tend to be on the short list of “blessed” vendors to use for pentests at big corps. Are we seeing a shift in the industry that is going to be demanding higher quality results from external testing vendors? It seems just checking the “we did an external test” box isn’t cutting it anymore. I’m interested to see where this goes. (read more)

This might be the most “spirit of Blackhat” talk I’ve ever seen. IOActive researchers have hacked a card shuffling device used at many casino tables. They even developed a mobile app that would receive the current order of the deck over bluetooth. You can tell the app where you’re sitting at the table and it could vibrate to let you know when you have a winning hand. I heard you like hacking in Vegas so I hacked Vegas while I was in Vegas. (read more)

Turns out even on ProtonMail if you’re enough of a criminal, the feds can get your info. Proton is used heavily for its privacy features and is based in Switzerland so it is normally not beholden to US authorities so this story is interesting since the FBI must’ve found a way to work with Swiss law enforcement to get info on a Proton user who threatened Claire Woodall-Vogg, executive director of the Milwaukee Election Commission about the 2020 election. (read more)

If you’ve been paying attention to my writing, you know how big phishing has been lately. Proofpoint put out some great data on a campaign that uses EvilProxy and has targeted 100+ orgs, sending over 120,000 phishing emails. If you’re unfamiliar Proofpoint is a major email security vendor who would have a unique view into this attack campaign, many large companies use their solution. These proxy tools make phishing easy for attackers by serving up the legit login page to victims and even replay MFA tokens. So the user looks like they’re logging into their real portal, because they are. It just happens to be on a different domain monitored by the attackers. (read more)

Extensions are a major security problem not only in your browser (as I highlighted over a decade ago with my Hacking ChromeOS talk) but also in VSCode which many developers use to write their code. When you install an extension it is given special privileges, if the extension is malicious in intent, or has a vulnerability that can be leveraged, it can use those special privileges to steal info or manipulate the victims machine. Cycode wrote a cool PoC here and Microsoft can’t (won’t?) fix it because it is an issue with extensions not being sandboxed, not an issue with VSCode natively. (read more)

You know what grinds my gears? Hackers hitting medical providers with attacks and ransomware. CardioComm is a Canadian company that monitors patients heart and EKG info and they had to take the whole system offline to recover from an attack. They also didn’t share info on the attack so we can only speculate that it’s probably ransomware which generally requires this kind of large scale shut down to recover from. They say no patient data was stolen. If you’re a hacker putting people’s lives at risk to try to extort a quick buck, you’re the lowest of the low. (read more)

$18.5 million in prizes on the line from .gov for anyone who can help us get ahead of the AI arms race. “This competition will be a clarion call for all kinds of creative people in organizations to bolster the security of critical software that American families and businesses and all of our society relies on,” the director of the White House Office of Science and Technology Policy, Arati Prabhakar, told a briefing. (read more)

Bug bounty is big business! I’ve got a lot of friends who make a good living bug hunting, and so I love reading the transparency reports on how much big corps are paying out for security researchers reporting vulnerabilities they find. These payouts have gotten more generous over the years. For comparison, I got $1000 for a bug from Google in 2010 that nowadays would be a six figure payout. (read more)

I’ve said it before, I’ll say it again. I love when companies with unique piles of data publish reports. CrowdStrike is one of the most widely used pieces of security software and so their view of the world is always going to be valuable. Check out some of the data slices, key findings I enjoyed:

  • 62% of interactive intrusions involved the abuse of valid accounts

  • 34% of breaches involved the use of domain or default accounts

  • 160% increase in attempts to collect secret keys and other credentials through cloud instance metadata APIs

  • Pass-the-hash attacks increased by 200% year-over-year

  • 80% of intrusions used compromised identities.

Good report that I’m glad they’re putting out. (read more)

Miscellaneous mattjay

I wholeheartedly endorse way more than 3,2,1 rule

Made a bunch of Vuln U swag. Stickers and shirts! I’ll find a way to get them out to folks not in Vegas this week

If you aren’t aware, I lost my house to wildfires in 2021. The news and videos out of Maui are heartbreaking. Consider donating if you can:

Upcoming Appearances

Don’t miss this one that’s happening today! 👇️ 

Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen