
Rich
From the CISO Series, it's Cyber Security Headlines. Microsoft Trust Signing Service abused to code sign malware, 23andMe bankruptcy puts millions of DNA records at risk, and Troy Hunt has been hoed. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, some opinion and most certainly some expertise from our returning guest making his second appearance on this show, Jonathan Waldrop, CISO over at The Weather Company. He came on in the fall. We had to bring him back for the spring. That's just how the equinox works. Jonathan, how was your week in cybersecurity?
Jonathan Waldrop
It was great, Rich. Thanks for having me back. I love being here. The week was great. I spent it or started it off on Monday with a dinner with some fellow security leaders and wrapping it up here and it could not have been sandwiched any better.
Rich
We are happy to be your bookends to a wonderful week in cybersecurity. Also helping us have a wonderful week in cybersecurity, our sponsor for today, ThreatLocker Zero Trust Endpoint Protection Platform. Remember to join us on YouTube live. To do so, go to CISOseries.com, hit the events dropdown and look for that old Cyber Security Headlines Week in Review image. If you click on it I guarantee you you will be joining us. You'll be in the chat, you'll be talking with Kevin Farrell, we'll be talking with TJ Williams CC on the big boss man David Spark himself. Be sure to get in there and contribute, help make the show better. Let us know what you think about these stories. I love to see them. I know our producer Steve does as well. Before we get into the news, just a quick reminder that these opinions from Jonathan are his own, not necessarily those of his employer or any loved ones necessarily. They can speak up for themselves. They want to get in the chat. That'll be fun. We got about 20 minutes though, so let's get into the news. First up here, Microsoft Trust Signing Service abused to code sign malware. Researchers at BleepingComputer report a rise in threat actors exploiting Microsoft's Trust Signing service to sign malware with short-lived 3-day code signing certificates. These certificates make malware appear legitimate, helping bypass security filters. Extended validation or EV certificates are especially valuable to attackers due to their increased trust and ability to evade SmartScreen alerts. A researcher by the name of Squiblydoo suggests attackers prefer Microsoft's service for convenience and exploiting user confusion caused by recent changes to EV certificates. So, Jonathan, aside from Squiblydoo giving me the name of my next child, the story falls into the same "we thought that would work" club that we've seen from, you know, passwords way back when to MFA more recently. Namely, that thing that's not supposed to be shared with the bad guys. And it turns out they already have it. I'm curious, what's your assessment of this thriving marketplace for trusted certificates?
Jonathan Waldrop
First of all, I just loved hearing you say Squiblydoo. That was squibbly icing on the cake. No, it's really interesting that you talked about MFA and all these other security tools that we've implemented over the years, and it's just indicative of this is still an ongoing journey. Has it been that long ago? Okay, maybe it's been 10 years or so. But hey, are you using HTTPS instead of HTTP? There's always going to be something else to look into and to assess, and it's really getting trickier. To identify what's good and bad, you've really got to know your environment. You've got to know what you're looking at and add it to the steps for your IR plan. Make sure your team knows about this. It's not just, hey, is it signed? Great. Okay, cool. It must be legit then. There's always something new and. Okay, we've got to go update our checklist again.
Rich
Yeah, it turns out that set it and forget it is like, never going to exist in cyber, like, as much.
Jonathan Waldrop
As we want for chicken ovens, but.
Rich
You know, yeah, yeah, yeah. It's that. That desire to be like, we're done is always the most dangerous moment for cybersecurity.
Jonathan Waldrop
And I think, you know, sometimes we get up, caught up in that with, with audit frameworks and, hey, we passed this audit and great, now we're done. Sweet. I'll see you next year. Like, no, we've got to keep going because something is going to change and we're always playing catch up, which is not fun, but that's where we are. So we gotta be able to think a little more proactively about how do we get ahead of this next time.
Rich
And it sounds like job security to me, to be quite honest. There's always a plus there. Next up here, vulnerabilities found in numerous solar power systems. Researchers at cybersecurity firm Forescout warn of multiple vulnerabilities in solar power systems from vendors like Sungrow, Growatt and SMA, some posing serious risk to electrical grids. Flaws exist in components connecting systems to the Internet, cloud services for monitoring and mobile apps for user interaction. Some allow attackers to upload files for arbitrary code execution, steal data, or even disrupt the power grid. These security gaps highlight the urgent need for stronger protections in the renewable energy infrastructure. Jonathan, we cover many stories about the hidden vulnerabilities in our infrastructure and renewable energies often goes a little less noticed because it just doesn't grab the same headlines as when we say oil system, SCADA systems broke, broken on oil rig or something like that. I'm curious, do you feel that this will be a major stumbling block for this still kind of emerging, you know, renewable industry field, or is this just going to be par for the course for hey, we connected a thing to the Internet.
Jonathan Waldrop
I think it's more IoT, right? Okay, anytime you're connecting to the Internet, you've got things to worry about. Reference the previous story about tuning malware, right? You know, in this case, it's a new technology, it's a new thing thing, or I shouldn't say it's new technology, but it's more prevalent, more predominant. And so we still have to remember to include security in some of the version ones of the technologies and the devices that we're building and distributing and selling to the general public. I mean, these are connected to the power grid, they're connected to homes. So it certainly does become another attack surface to secure.
Rich
Does this raise any questions? I mean we talk about when it comes to critical infrastructure, right? Like we, we can know exactly how many power plants there are in the US and something like that, that's still an enormous challenge to secure them. There's a, there's a, there's a bevy of reasons why that's an enormous challenge when we start distributing that to like a consumer IoT. Like you said, it's an IoT problem at that point. Is that, is that easier or just like a completely different challenge to solve for from what we're used to thinking with critical infrastructure?
Jonathan Waldrop
Yeah, I don't know if it's easier. I mean I don't personally have any hands on experience with solar panels or solar system. So I assume you've got some sort of control module that is running some form of Linux and it's Linux all the way down. Yeah, you've got some basics that you could do, but how much access does the manufacturer give you into that console to manage it? You, you're probably going to void some warranties if you crack that box open and do your own thing in there.
Rich
Yeah, we know it's a five or six figure investment in there. Not something every consumer is going to want to be their own security engine.
Jonathan Waldrop
Absolutely. Absolutely. And they shouldn't have to. Right. That's part of the responsibility of building and distributing secure systems.
Rich
All right, next up here, NHS software supplier gets a discount on a fine for good behavior. In August 2022, the LockBit ransomware gang attacked Advanced Health and Care Ltd., an IT provider for the UK's NHS. The UK's Information Commissioner's Office, or ICO, has fined the company 3.07 million pounds, half the original amount assigned. The reduced fine was granted after the company did a couple of nice things. I guess they accepted the decision, they chose not to appeal, and they cooperated with the NHS and regulators as well as taking steps to mitigate the risks. All extraordinarily novel, it seems. Jonathan, we often don't hear about these types of concessions. They fall out of the news cycle pretty quickly. NHS usually gets a lot of coverage here, so not surprising we're hearing about this. I'm curious, do you feel, feel it's fair to industry partners and to consumers, especially those impacted by a health care breach, for suppliers to, you know, get kind of a deal here for kind of doing what they were told to do instead of lawyering up and fighting it tooth and nail?
Jonathan Waldrop
Yeah, you know, a lot of times we don't see. We see the headline of the breach that makes news, but we don't see what happens after the fact with the lawsuits, again, because the news cycle is what it is and we're onto the next breach and we're not thinking about what happened two or three years ago. So I think it's interesting. I'm not sure if this is just the first story that's made reasonably big headlines or if this is something that has. If this is new, for the regulatory bodies to say, hey, we'll come to an agreement. I remember there being a story recently, I can't think of it offhand, but it was where the fine went back to the company and they were required to then implement some other control. So potentially it's something like that. I think there is. There's probably some ideas around. Yeah, I see CCL's comment about recognizing good behavior. I think there is recognition of that good behavior, but there's also. We have to be accountable to the decisions we made that got us here. And I don't know what happened from the hack, if you will, that precipitated the events. But in this case, I think people that are doing the right thing, people that are, hey, you know what? We realize we made a mistake. We can always make a better decision tomorrow. And, and you realize that and you start making strides toward that and you show, show your progression and your maturity. I, I think that's not unreasonable. Again, devil's in the details, but on the surface it's, you know, maybe it's a win win. All right.
Rich
Well, before we move on to our next story, I have to spend a few moments and thank our sponsor for today, ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com. Alright, next up here, 23andMe bankruptcy puts millions of DNA records at risk. The personal ancestry company 23andMe filed for bankruptcy on Monday this week. And many are asking the question, what's going to happen to all that personal information? Some have raised major concerns that it's a vast database of genetic data that could be sold off to the highest bidder. While the company insists privacy protections will remain intact, court documents make clear that all assets, including customers' DNA records, are on the table. California's attorney general issued a release ahead of the announcement urging users to delete their data immediately, warning that unlike passwords, genetic information is, you know, permanent. So, Jonathan, although instructions on how to delete the data have been made public and we've included a link to that in our show notes, you've been impacted by this. Do you feel that deleting data truly means deleting? Should we expect this DNA data to just kind of remain in the vast, you know, Internet swimming pool? I guess, does that matter given the scale of, of this potential privacy concern?
Jonathan Waldrop
I mean, we teach, once it's on the Internet, it's, it's, you can't remove it from the Internet. Right?
Rich
Yeah.
Jonathan Waldrop
You know, this is a really interesting story and hopefully from, from the perspective, yes. First of all, if you haven't, if you, if you are 23andMe or you know somebody or you like somebody, please go tell them to help them delete that data. Right. But it's really kind of interesting to see how the courts are going to govern the sale of this data because it's a lot of data, it's very unique and it has potentially widespread impact. I was talking to some privacy friends this week about it. And there are some minor things you could maybe, you know, just can somebody duplicate your, your face id, okay. Or, or is there some, some other kind of, you know, low, low threat risk? But are there ways that some malicious actor could, could, with that genetic information could target populations of groups of, you know, of, of people and, and, and ethnicities and all this kind of stuff? So there's, there's such a wide range of the, the, the risk and the impact here. It's really going to be interesting to see how this, how this proceeds forward. I'm, I'm following it pretty closely but it's, yeah, we'll see where it goes.
Rich
Well and then the other thing I always think about, and this is another can of worms is you know, a company, even without the sale of this data, which inevitably is going to happen over the course of this bankruptcy, this is also a company that needs to remain securing that data. And in a bankruptcy process, yes, you have money for operations is like part of a chapter 11. There's, there's provisions to help keep the, you know, the doors, the lights on and stuff like that. But for in a rapidly changing landscape and knowing that they're kind of potentially at a fixed capacity when it comes to like operational expenses, I always have to wonder how do you continue to, to maintain. Right. A secure posture while you're going through this, this whole bankruptcy process. I think with those privacy concerns on top of that is something that I haven't seen brought up a lot and I'm interested to see like I'd be interested in some perspective on that from some that's gone through that for sure.
Jonathan Waldrop
Yeah, that's, that's not a thought that I had. But, but absolutely. They're certainly not going to make any investments on the security of that over the next, you know, until that, that sale happens. And then again who, whoever picks it up, you know, what are they going to do with it? You know, I appreciate the, the response from the Attorney General's office in California of, of saying, hey, this is, you know, this is a big deal. You know, be careful and, and making some of those PSAs, right those public service announcements.
Rich
So yeah, doing at least that. Good work. Our next story here. Kind of also in the PSA realm here, Troy Hunt has been from the ironic stories too large to contemplate file the founder of Have I Been Pwned, Troy Hunt, published a blog post detailing how a sneaky phish managed to export his Mailchimp account. Hunt received a legitimate-looking email purportedly from Mailchimp advising that his sending privileges were restricted and offering a button to review his account. Hey, go to your account. Let's, let's resolve whatever these issues are. Hunt entered credentials and a one-time password and was almost immediately greeted with a genuine email from Mailchimp. The subscriber list was exported. Seems like this whole process was super automated and a very efficient ship here. The list included about 16,000 emails from Hunt's blog, including those unsubscribed which Hunt didn't realize Mailchimp still kept. This did not impact Have I Been Pwned subscribers. This was just to subscribers to Hunt's personal blog. Hunt also said the only red flag he really saw kind of looking back was that 1Password didn't autofill his credentials because he was hitting a different domain with that, you know, with that account button from the email. And he also attributed the attack success to fatigue from jet lag, a moment of weakness we've all experienced. If anyone needs a good example of how to disclose a security incident. Also just by the way, you need to check out Troy's blog which we have linked in our show notes. But Jonathan, here's I guess three useful buried leads in this story. One, the fact that 1Password didn't autofill that password. Maybe something that we should raise awareness of for some cybersecurity hygiene just in general. Two, jet lag does bad things to people's minds and is evil in all forms. And three, for Mailchimp, unsubscribe does not mean delete my name. I'm curious with all of this, do you think Hunt's self own will encourage people to be more vigilant or are we going to shrug our shoulders and say listen, someone like Troy Hunt can get this. It's only, you know what, what can I do?
Jonathan Waldrop
Yeah, you know the for it's just a wild story. I mean it's hard to like. It's also proof that this can happen to anybody. We're all vulnerable, even those of us that deal with this on a, on a day to day basis. So well done Mailchimp for saying hey you just did this big thing, we're going to notify you officially about it and, and, and on the, the, the thread of talking about hey, he was, he was jet lagged. Absolutely have sympathy with that. I think we've all been there. But find me any person, any security professional especially who said yeah, I got plenty of sleep last night. I had nothing going on so I got well rested and all that. So we're all dealing with this on a daily basis. I think again the major win here is somebody with a big security profile that says hey look, it happened to me. It can happen to you too. These are again just another thing to watch out for. And here's how I got caught and we learned from that. Also unsubscribe and delete. Yeah I wouldn't have necessarily thought about that because I don't want receiver emails anymore. So why why would you need my email address?
Rich
I mean yeah, yeah and and backup ccl. Troy Hunt also later tweeted that there there are some like the 1Password thing is not like a immutable thing. If you don't see it doesn't mean you're on a malicious site. My password manager does that all an annoying amount of times. Doesn't quite recognize what dump you know if there's some weird characters in there. But a good reminder that's not foolproof. But it is a good reminder. If you're seeing it, it probably means you're on a legit domain. That being said, threat actors don't listen to this and figure out a way to completely break that because inevitably you will once we start depending on that as a source of verification for sure. Some some some really good stuff in the chat here. Michael Vending if someone is determined enough and willing to put in enough time and money, anyone, everyone and everything can be hacked. If you are a public profile, your risk goes up. That's just the name of the game. Good things to keep in mind. I'm going to suggest some defense in depth for that someone should name a show after.
Jonathan Waldrop
Good tip.
Rich
Next up here, NIST struggles to keep up. This will be our last story for today. The National Institute of Standards and Technology. We know it is Good old NIST is struggling with a growing backlog of CVEs in the National Vulnerability Database. With a 32% increase in submissions last year, NIST anticipates even higher submission volumes in 2025. The delays in processing these submissions are impacting organizations' ability to access timely vulnerability data, creating a gap between reported issues and actionable intelligence. Despite efforts and increasing staff, I know they've brought on contractors to help do this as kind of a temporary measure to help clear the backlog and then they can take over. It seems like they're still struggling here. So Jonathan, classic example of overload choking the system. We see it in healthcare as well as pretty much every CISO's desk at this point. Is this a situation where NIST should lobby for expansion? Should the CVE database system be modified to handle exponential growth? Especially, you know, given that overload is, that's a big advantage to threat actors. Right. If we don't get this threat intelligence in a timely fashion, that's a huge problem.
Jonathan Waldrop
Yeah, I don't see any time in the near future, especially the long term future, that we're going to have fewer vulnerabilities to deal with. Yeah, so that seems like a thing that we should probably plan for. You know, there's lots of advancements in AI and that's not going to be the answer for everything, but perhaps there's some way we can automate some of these processes or work to. You mentioned contractors. I don't think scaling, with what we're doing now, adding more people sometimes solves a short term problem, but it rarely solves the long term problem. We really have to think about process and how this is happening. Maybe there's a way we can better crowdsource some of the data. You know, companies that meet certain criteria, maybe they can disclose their own and add it to the, to the list. I mean there's, there's a lot of ideas here I think that we can come up with. The bottom line is, yes, this is a critical function that happens. A lot of people, a lot of companies, particularly security companies and security professionals rely on this information and we want it to be accurate, we want it to be timely. So it's a big, it is a big problem to solve and I look forward to seeing how they tackle it.
Rich
Yeah, I know when this issue kind of first, when the backlog kind of first came up, there was some talk from NIST, I believe, about trying to work out an industry consortium like you were saying, like, hey, maybe we can have some of the larger companies kind of take over a little bit of this. I haven't heard any more details about this. Even as we keep hearing, hey, this problem isn't going away, this is going to be a big problem. And then, yeah, ccl, to your point, does NIST have independent issuing authority, distribute the load? I mean that, that becomes, you know, that that's some of the horse wrangling that they'll have to do. And that may be why we haven't seen an industry consortium kind of step into that void yet, you know, due to a lack of mandate or something like that from NIST. So yeah, it'll, it'll be something to definitely keep some tabs on as we're going forward because that, that issue is not going away. Like you said, Jonathan, it's we're never going to be like, yeah, oh yeah, vulnerabilities went down 45%. Yeah, we're down. It's easy. We solve cyber security. I say that and then AGI takes over and, you know, we'll just be sitting in pods of protein liquid just watching TV all day. So it'll all be work out that day.
Jonathan Waldrop
Great.
Rich
Before we move on, big thank you to everybody contributing in our chat this week. TJ Williams getting in there, kind of giving us a nice summary here. I'm seeing, you know, sounding from several stories this week, the vetting and investigation is going to need more effort when it comes to people, machines, vulnerabilities, that kind of stuff. Yeah, I think that's definitely one of the themes that I picked up as well. And a big thank you to Steve Prentice, our producer who always puts together a fantastic rundown of the week's news. But we had Michael Vinding in there with the big boss man, David Spark, ccl, one of our regulars, as always, Max Tronic showing up again this week and a couple of new people in there as well. Kevin Farrell was in there at the start. So a huge thank you to everybody that contributes, super fun to see your thoughts, the conversations that go on there helps make the show better. Thank you so much. Before we get out of here, Jonathan, is there any story that was a this week that was a thumbs up or an eye roller for you, something you reacted strongly to?
Jonathan Waldrop
I think. I think Troy Hunt's story is the big thumbs up. I think it's a great example of how we can embrace what we do and really take a lesson from that. And responsible disclosure and timely disclosure is really, really key. And I think we could all get better at that. So that was a big thumbs up. Not that he himself was impacted by this. That's never good. But the end result is, I think, a generally positive one.
Rich
Absolutely. Well, thank you so much, Jonathan Waldrop, CISO over at The Weather Company. If people want to see what you're up to on the cyberspace, where can people look?
Jonathan Waldrop
Yeah, find me on LinkedIn. And if you're in the Atlanta area, I'll be at a couple of local events here. One for CrowdStrike in Atlanta and then Sea Vision International CIO CISO think tank sometime in April. We'll, we'll find a link for it. So thank you very much.
Rich
Yeah, we will have that in our show notes and a reminder that the CISO Series is in fact hiring. We're looking for a sponsor relations manager to take over some some sponsor relations with our team here. We have a, we have a small but awesome team at the CISO Series. I'd love to work with someone from the community. So if you're interested in some more details on that, head on over to CISOseries.com, we have some details and the whole job listing and how to apply. So we would love to hear from you. Thanks also to our sponsor for today, ThreatLocker Zero Trust Endpoint Protection Platform. Huge thank you to our audience once again. Can't always get every comment up on the screen, but we love seeing you here each and every week. And remember to join us for another episode of the Week in Review next week. That's generally when we do them 3:30pm Eastern each and every Friday. To register to join us on YouTube and add your comments live, just go over to that events page at CISOseries.com. In the meantime, you can still get your daily news fix every single day through Cyber Security Headlines. Give us about six minutes, we'll get you all caught up until the next time we meet. For myself, for our producer Steve Prentice, for the big boss man, David Spark, for all of us here at the CISO Series Family, and for Jonathan, here's wishing you and yours to have a super sparkly day. Cyber Security Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Podcast Summary: Cyber Security Headlines – Week in Review
Title: Cyber Security Headlines
Host: CISO Series
Episode: Week in Review: Microsoft Trust Abuse, 23andMe Bankruptcy Risks, NIST’s Growing Backlog
Release Date: March 28, 2025
In this episode of Cyber Security Headlines, host Rich from the CISO Series delves into the most pressing cybersecurity stories of the week. Joined by returning guest Jonathan Waldrop, CISO at The Weather Company, the discussion spans a range of topics from malware abuse of Microsoft's Trust Signing Service to the potential risks surrounding 23andMe's bankruptcy. The conversation is enriched with expert insights, notable quotes, and actionable takeaways for cybersecurity professionals and enthusiasts alike.
Overview: Researchers at BleepingComputer have identified a surge in threat actors leveraging Microsoft's Trust Signing Service to sign malware using short-lived, three-day code signing certificates. This tactic enhances the malware’s legitimacy, enabling it to bypass security filters more effectively. Extended Validation (EV) certificates are particularly prized by attackers for their higher trust levels and ability to evade SmartScreen alerts.
Insights: Jonathan emphasizes the necessity for continuous vigilance and proactive measures. He notes, “We gotta keep going because something is going to change and we're always playing catch up” [03:52], underscoring the dynamic landscape of cybersecurity.
Overview: Cybersecurity firm Forescout has uncovered multiple vulnerabilities in solar power systems from vendors such as Sungrow, Growatt, and SMA. These flaws present significant risks to electrical grids, allowing attackers to execute arbitrary code, steal data, or disrupt power distribution through compromised components.
Insights: Jonathan draws parallels between IoT security and critical infrastructure, stating, “They shouldn’t have to [secure the systems themselves].” [06:55]. He highlights the manufacturer's responsibility in ensuring the security of distributed systems, especially those integral to essential services.
Overview: Advanced Health and Care Ltd., an IT provider for the UK's NHS, faced a reduced fine of £3.07 million from the Information Commissioner’s Office (ICO) following a ransomware attack by the LockBit gang in August 2022. The fine was halved due to the company’s cooperation with regulators and proactive risk mitigation efforts.
Insights: Jonathan reflects on the balance between accountability and acknowledging good behavior, suggesting that “there’s recognition of that good behavior” [08:06]. He advocates for continued accountability to ensure that organizations learn and improve from security incidents.
Overview: 23andMe, a personal ancestry company, has filed for bankruptcy, raising alarms about the security of millions of DNA records. Concerns revolve around the potential sale of genetic data to the highest bidder, despite the company's assurances of maintaining privacy protections. California's Attorney General has urged users to delete their data, emphasizing the permanence of genetic information.
Insights: Jonathan underscores the irreversibility of data once it's online, stating, “Once it's on the Internet, you can't remove it from the Internet” [11:07]. He highlights the broader implications for how courts and regulatory bodies will handle the sale and protection of sensitive genetic information in bankruptcy scenarios.
Overview: Troy Hunt, founder of Have I Been Pwned?, recently experienced a spear phishing attack that led to the compromise of his Mailchimp account. Approximately 16,000 email addresses, including unsubscribed contacts, were exported by the attackers. Hunt attributes the breach to a momentary lapse caused by jet lag and emphasizes the need for continued vigilance in cybersecurity practices.
Insights: Jonathan commends the transparent disclosure by Troy Hunt, noting it serves as a valuable lesson for the cybersecurity community: “The major win here is somebody with a big security profile that says hey look, it happened to me. It can happen to you too.” [15:30]. This incident reinforces the universal vulnerability to sophisticated phishing attacks, regardless of expertise.
Overview: The National Institute of Standards and Technology (NIST) is grappling with a significant backlog in processing Common Vulnerabilities and Exposures (CVEs) within the National Vulnerability Database. With a 32% increase in submissions last year and expectations of further growth in 2025, NIST's delays are impacting organizations' ability to address vulnerabilities promptly.
Insights: Jonathan advocates for innovative approaches beyond merely increasing manpower. He suggests, “Maybe there's some way we can automate some of these processes or work to... crowdsource some of the data.” [18:29]. This highlights the need for scalable solutions to manage the escalating volume of vulnerability data effectively.
As the episode wraps up, Rich extends gratitude to the show's contributors and highlights the importance of proactive cybersecurity measures. Jonathan Waldrop lauds Troy Hunt’s transparent handling of his phishing incident, viewing it as a positive example for the industry.
Stay Connected:
For more detailed discussions and daily cybersecurity updates, visit CISOseries.com. Join the live conversations on YouTube and engage with experts like Jonathan Waldrop to stay ahead in the world of information security.