🎓️ Vulnerable U | #055

TikTok Ban, United Healthcare saga continues, CISA Ivanti compromise, AI Deepfakes, Major France Data Breaches, Red Canary Threat Report, ChatGPT 0-click plugin exploit, and more!

Read Time: 7 minutes

Howdy friends!

I know this newsletter started as an intersection of cybersecurity and mental health and has slowly started leaning more toward cybersecurity news, since that’s what my audience was hitting on more. But for those of you who enjoyed the mental health content, I’ve got something special brewing. I also plan to keep writing that kind of thing on my blog regularly. Thanks for sticking around.

On that note, any mental health professionals reading this, we’re looking to grow the team for a project and could use you. Reach out to me.

Got to push the limits of “there isn’t a bad seat in the house” at a rock show this week with my wife and our best friend. Worth it, even though we could see the rafters better than the band.

Sing like you think no one’s listening.


🖊️ Something I wrote: I shared some thoughts about security being a factor of Developer Experience.

🎧️ Something I heard: Privacy tips for the non-criminal (great info from Ean Meyer & John Strand)

🎤 Something I said: A lot of engagement on Instagram and TikTok about the Change Healthcare breach. The comments were filled with those personally impacted.

🔖 Something I read: My good friend Rich Mogull has been prolific this year (and pretty much every year). Check out the shiny new Cloud Security Maturity Model 2.0!

Vulnerable News

Let’s talk about the TikTok Ban

I'm going to share a bunch of links about this one, so it's breaking from format.

Here is Alex Stamos's take - https://www.cnbc.com/video/2024/03/13/there-are-some-serious-problems-with-a-bill-to-ban-tiktok-sentinelones-alex-stamos.html - TL;DW: Alex sees a number of issues with the recent TikTok bill. It runs into some very real First Amendment problems. The bill isn’t enforced against TikTok itself but against Google and Apple, for carrying the app in their stores. He’d rather see a broader, privacy-focused bill passed, pointing out that thousands of pieces of software written by Chinese companies are in use in the US right now.

Dave and vx-underground also articulate a lot of issues here in a way I liked.

There are the data privacy pieces, but also a lot of folks talking about how China can put its thumb on the scale of the algorithm in any direction it pleases. Stats show huge discrepancies in pro-Israel or pro-Ukrainian content when comparing TikTok to Instagram, which leads you to believe some algorithm manipulation is already in place.

I also noticed they pushed a major “call your representatives” notification this week across the app, but a lot of older users didn’t get that pop-up. Again, this shows TikTok’s ability to influence political opinion/action in certain groups.

I’m a TikTok user and creator. My threat model currently allows for this. I don’t love the privacy infringements all the major social companies engage in, and I do see the government’s incentive to differentiate foreign-run data collection and algorithm manipulation from the same thing happening at home.

Where do you all stand on this? I’m genuinely curious about my audience, specifically on this one. Reply to this email or hit me on Twitter.

Should the U.S. ban TikTok?


Can’t believe I’m still talking about this one too. Some new revelations are mind-boggling here too.

Who would’ve had “actually ransomware is good for business?” on your bingo card?

Well, United Healthcare-owned Optum and Change Healthcare, which got popped by ALPHV a few weeks back, are still down, which is crippling healthcare payments across the U.S. At first this may look like “boo-hoo, the big corp is struggling,” but the responses to my Twitter thread and my videos on this topic have mostly been from small providers absolutely hurting from not being paid, and from people not being able to get their meds.

I could take hundreds of these screenshots. And on top of this, Optum is now going around buying up providers that are on the verge of bankruptcy because they haven’t been able to get back online since the attack.

You heard me right. They are causing bankruptcies downstream, and are now benefiting from that by acquiring those desperate companies.

The incentives are just ass backwards here. The victim of the ransomware attack is benefiting from it, while its small-fish customers are struggling big time. (read more)

OK, I really ranted about TikTok and Change, so let’s hit some quick news. Ivanti is still causing pain globally, and CISA is publishing how it had to respond.

CISA put out lots of warnings about the Ivanti vulns, and it seems the agency was a victim of them itself, having discovered evidence of a compromise on its own systems. (read more)

Two southeastern Colorado ranchers were sentenced for tampering with rain gauges to falsely indicate severe drought conditions, aiming to increase their federal crop subsidies. They must pay $6.6 million in restitution and settlements, reflecting the severity of their actions against federal programs designed to aid farmers facing genuine adversity.

Not all hackers are wearing dark hoodies in a basement. Some are wearing cowboy hats. Not all hardware hacking involves a Raspberry Pi either. (read more)

Researchers bypassed Safari 17's audio fingerprinting protection. Safari 17 adds noise to audio samples so the rendered audio can’t serve as a unique tracking identifier. The researchers adapted their fingerprinting algorithm by reducing the dispersion the noise introduces, increasing the separation between browser identifiers, and rounding the fingerprint to stabilize it. The key move: generate multiple audio samples and apply statistical methods across them to estimate the original, un-noised fingerprint.

Sometimes, I feel smart. Other times, I read research like this. (read more)
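To make the “many samples, then estimate, then round” idea concrete, here is an added simulation. It is not the researchers’ code and it never touches the Web Audio API: the fingerprint vector, the uniform noise model and the choice of the per-coordinate mean as the statistic are all assumptions made for the demo. The one assumption that matters is that the defence draws fresh, zero-mean noise on every call, because that is precisely what averaging exploits.

```javascript
"use strict";
// Added example, not the researchers' code: simulates a noise-adding audio
// fingerprint defence and the averaging attack that estimates the un-noised
// value. The fingerprint values and noise model are constructed for the demo.

// Small seeded PRNG (mulberry32) so the run is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// "Device truth": the un-noised fingerprint, standing in for the sample
// magnitudes an OfflineAudioContext would render. Constructed values.
const TRUE_FINGERPRINT = [0.0442, 0.1232, 0.2517, 0.3377, 0.4182];

// Simulated defence (assumption): every call returns the true values plus
// fresh, independent uniform noise in [-amplitude, +amplitude].
function noisyFingerprint(rng, amplitude = 1e-3) {
  return TRUE_FINGERPRINT.map((v) => v + (2 * rng() - 1) * amplitude);
}

// Rounding is how the identifier is stabilised, but rounding a single noisy
// sample to three decimals still flips between neighbouring values when the
// noise amplitude is 1e-3.
function roundFingerprint(samples, decimals) {
  return samples.map((v) => v.toFixed(decimals)).join(",");
}

// Naive tracker: how many distinct identifiers does single-sample rounding
// produce over n visits? More than one means the noise is doing its job.
function distinctSingleSampleIds(rng, n, decimals, amplitude = 1e-3) {
  const ids = new Set();
  for (let i = 0; i < n; i++) {
    ids.add(roundFingerprint(noisyFingerprint(rng, amplitude), decimals));
  }
  return ids.size;
}

// The bypass: draw n samples and average each coordinate. For uniform noise
// the standard error of the mean is amplitude / sqrt(3n); with n = 2000 that
// is about 1.3e-5, far inside the rounding cell, so rounding the mean gives
// back the stable, un-noised identifier.
function estimateFingerprint(rng, n, decimals, amplitude = 1e-3) {
  const sums = new Array(TRUE_FINGERPRINT.length).fill(0);
  for (let i = 0; i < n; i++) {
    const s = noisyFingerprint(rng, amplitude);
    for (let k = 0; k < s.length; k++) sums[k] += s[k];
  }
  return roundFingerprint(sums.map((x) => x / n), decimals);
}

// Stand-alone run: compare the naive and the averaged result with the truth.
if (typeof require !== "undefined" && require.main === module) {
  console.log("distinct naive ids over 20 visits:", distinctSingleSampleIds(mulberry32(1), 20, 3));
  console.log("averaged estimate:", estimateFingerprint(mulberry32(42), 2000, 3));
  console.log("un-noised truth:  ", roundFingerprint(TRUE_FINGERPRINT, 3));
}
```

The defender-side takeaway follows directly from the assumption: if the noise were drawn once per browsing session (or derived from a per-site key) instead of redrawn on every call, averaging would converge on the noised value rather than the true one, and the estimate would stay session-scoped. Per-call noise only raises the cost of the attack by a factor of the sample count.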

I have a feeling we’re going to be seeing more and more of this. This creator is the latest victim of AI deepfakes; this time her likeness and voice were used in an ad without her consent. It was extra triggering for her, since the video was taken from a source where she was being super vulnerable and talking about some very personal subjects. That was then turned into her selling erectile dysfunction pills. We’re going to need better defenses against this soon; we can’t just rely on educating the population. (read more)

Last year, the healthcare sector became the prime target of U.S. ransomware attacks, leading the pack in the FBI's critical infrastructure categories. With a staggering 249 reported incidents, healthcare organizations faced unprecedented challenges, including service disruptions and compromised patient information. (read more)

This is a great NPR article for genpop to get a good overview of the cybersecurity problem facing many school districts. They are seen as low-hanging fruit by many hacking groups. From ransomware to Zoombombing, schools nationwide are being absolutely pestered by attacks. Always love it when cybersecurity stories like this break mainstream and are actually covered well. (read more)

Crypto, cybercrime, and international law. Goes together like lamb and tunafish.

Tigran Gambaryan, a former US federal agent and top crypto crime investigator for Binance, along with Nadeem Anjarwalla, Binance's Kenya-based regional manager for Africa, have been detained in Nigeria without charges. Their detention, which began on February 26, is part of Nigeria's crackdown on cryptocurrency exchanges amid national currency devaluation concerns. Despite their significant contributions to combating crypto-related crime, both men are now caught in a diplomatic and legal standoff. (read more)

Rough month for France when it comes to cyberattacks. The linked article covers data breaches at Viamedis and Almerys, two healthcare payment providers (sound familiar?), in separate incidents a few days apart.

Then I saw that the French government unemployment agency also got hit this week, with an additional 43 million people’s data stolen. “The department's statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed.” (read more)

If you’ve followed for long enough, you know I absolutely love vendors who have a unique pile of data putting the effort in to release a report with delicious data visualizations for us all to learn from. Red Canary fits the bill and I’m glad their team puts this together. (read more)

Speaking of defenders having the edge with AI, as per the Red Canary report, Phil Venables over at Google Cloud agrees, but also drops this truth gem: “The ‘slightly cynical reason’ attackers haven’t extensively added AI to their arsenal of tools thus far is because they haven’t had to, Venables said. Threat actors are achieving their goals without AI.” (read more)

Zero Day Initiative (ZDI) identified a DarkGate campaign exploiting CVE-2024-21412 to bypass Microsoft Windows SmartScreen using fake software installers. These installers, disguised as legitimate applications, deploy a sideloaded DLL to infect users with DarkGate malware. The chain starts with PDFs containing Google DoubleClick redirects to compromised sites, leveraging trust in Google's domains to deliver the installers and slip past SmartScreen. Microsoft patched this vulnerability in its February security update. (read more)

OAuth is hard. When OpenAI first launched plugins for ChatGPT, a lot of them integrated with third-party sites as helpers, along the lines of “log in with GitHub so this plugin can help with XYZ in your code.” Some folks found vulns in the way that played out which would’ve allowed attackers to steal your OAuth tokens and hijack those third-party accounts.

“The third vulnerability was found in several ChatGPT plugins, including “Charts by Kesem AI,” which failed to validate the “redirect_uri” link an OAuth token is sent to. This allows the attacker to insert their own domain as the redirect_uri and send the altered authentication link to the target.” (read more)
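The redirect_uri bug is worth seeing in code, because it is one of the easiest OAuth mistakes to make and one of the easiest to test for. The block below is an added example, not code from OpenAI, from the researchers, or from any plugin: it models the authorization-endpoint side of the authorization code flow with a vulnerable check that accepts whatever redirect_uri the request supplies (the behaviour described above) next to a hardened check that requires an exact match against the client’s registered list. The client id “charts-plugin”, the registered callback URI and the attacker’s URI are constructed for the demo.

```javascript
"use strict";
// Added example, not code from OpenAI or any ChatGPT plugin: a minimal OAuth
// 2.0 authorization endpoint showing why redirect_uri must be validated
// against the client's registered allow-list. All identifiers are constructed.

// Client registry as an authorization server would hold it (constructed).
const CLIENTS = {
  "charts-plugin": {
    redirectUris: ["https://charts-plugin.example/oauth/callback"],
  },
};

// Vulnerable check, matching the bug described above: any non-empty
// redirect_uri is accepted, so the attacker can point it at their own server.
function isRedirectAllowedVulnerable(client, redirectUri) {
  return typeof redirectUri === "string" && redirectUri.length > 0;
}

// Hardened check: exact string comparison against the registered list, as
// RFC 6749 §3.1.2.3 requires. Prefix or hostname matching is not enough:
// "https://charts-plugin.example.attacker.example/oauth/callback" would pass
// a "hostname starts with the registered host" check.
function isRedirectAllowedExact(client, redirectUri) {
  return client.redirectUris.includes(redirectUri);
}

// Authorization endpoint after the user has consented. The authorization
// code is passed in rather than generated so the demo is deterministic.
function authorize({ clientId, redirectUri, state }, code, isRedirectAllowed) {
  const client = CLIENTS[clientId];
  if (!client) return { error: "unauthorized_client" };
  if (!isRedirectAllowed(client, redirectUri)) {
    // RFC 6749 §4.1.2.1: on a missing, invalid or mismatching redirect_uri
    // the server MUST NOT redirect; it shows the error to the user instead.
    return { error: "invalid_request", reason: "redirect_uri not registered" };
  }
  const target = new URL(redirectUri);
  target.searchParams.set("code", code);
  if (state) target.searchParams.set("state", state);
  return { redirect: target.toString() };
}

// The attack from the article: the attacker builds an authorization link
// whose redirect_uri is their server and sends it to the victim. If the
// victim approves, the code (and with it the linked account) lands with the
// attacker.
const ATTACKER_REQUEST = {
  clientId: "charts-plugin",
  redirectUri: "https://attacker.example/steal",
  state: "xyz",
};
const LEGIT_REQUEST = {
  clientId: "charts-plugin",
  redirectUri: "https://charts-plugin.example/oauth/callback",
  state: "xyz",
};

function demo() {
  return {
    vulnerable: authorize(ATTACKER_REQUEST, "code-123", isRedirectAllowedVulnerable),
    hardened: authorize(ATTACKER_REQUEST, "code-123", isRedirectAllowedExact),
    legit: authorize(LEGIT_REQUEST, "code-123", isRedirectAllowedExact),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two practitioner notes. First, exact matching only helps if the registered callback itself is not an open redirect; an attacker who can bounce the browser off the legitimate callback host still gets the code, so the callback handler must not forward to attacker-controlled URLs. Second, the check is trivially testable from outside: send the authorization request with a redirect_uri on a domain you control and see whether the server redirects or errors.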

A significant vulnerability in Kubernetes, CVE-2023-5528, allows attackers to execute code with SYSTEM privileges on Windows nodes within a cluster. This vulnerability affects kubelet versions since 1.8.0 and was patched in recent updates. The flaw arises from insecure function calls and lack of user input sanitization, particularly in handling Kubernetes volumes. (read more)

This was a weirdly general report. Just a lot of exposed devices? Like someone opened Shodan and sorted by country? But it is actually from a government effort, a yearly “state of cyber” report meant to map trends and focus attention on the important issues they see.

“The vulnerable assets include remote access points, network administration interfaces, insecure network devices, and open file sharing systems, according to newly published findings in the "State of the UAE Cybersecurity Report 2024." While exploitable public-facing applications account for less of the attack surface, insider threats have increased their share, according to the report, published by cybersecurity firm CPX.” (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen