The Cybers Are Weird - Issue #2 - Hidden Until It's Not

Ian Campbell
“When a storm is at its peak, and the world outside seems on the verge of tearing itself apart, a kind of radical openness comes briefly into view, as if, with each blanching of the view out the front window, something else, a more essential state of existence, draws that much closer to being unveiled.” - John Langan, Bor Urus, The Year’s Best Weird Fiction
It’s been a long week in the information technology space. We’ve been dealing with a Windows print spooler vulnerability, details on a major LinkedIn breach, a massive supply chain attack, a major security industry conference posting blockchain snake oil, and more. The deeper I move into security the more it can feel at times like an unending storm that peaks, recedes, and peaks again. Multiple storms sometimes merge and microbursts can appear with little warning. But as Langan states above there’s a sort of unveiling at each flash and crack. We’re able - if only for an instant - to see the nature of the thing rather than its form.
It occurs to me that these moments of overlapping storms of all sorts, in their intense and destructive flashes, illuminate a landscape we traverse mostly by feeling our way through it in the dark, tripping and trying not to curse loudly. And so even as I pivot from Chrome 0-day to print spooler vulnerability to ransomware threat I try to keep perspective by listening to my senses and learning what I can amidst the sound and fury.
Philosopher Eugene Thacker has developed a fantastic body of work in the horror of philosophy - he presents horror as a way humans think about the unthinkable and understand where the limits are in our ability to comprehend and interact with the world. “Whereas traditional occult philosophy is a hidden knowledge of the open world,” Thacker writes in In the Dust of This Planet, “occult philosophy today is an open knowledge of the hiddenness of the world.”
So it is with security. The more learned about the tea, the emptier the cup - and the less solid. As with notional spaces mentioned in Issue #1, the boundary of the cup is nullified by everything moving in and out of it. Information security becomes a kind of occult practice shared (often ecstatically) with others about what we know, what we don’t know, and what we can’t know. And how to deal with it. Because, as Thacker continues, “The hiddenness of the world… puts forth the greatest challenge, which is how to live in and as part of such hiddenness.”

Item 1: Hope you had a backup of your backup
Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices [Updated] | Ars Technica
This was quite something to behold. Folks far and wide with Western Digital My Book Live hard drives began reporting their devices were self-wiping and all their data was lost. Everyone began to suspect a Western Digital compromise but there were no direct indications, and WD denied this. What sort of cad would go about wildly wiping folks’ stored data?
Turns out, a very focused cad.
The drive reset followed an earlier attack in which a bad actor had infected some of the drives with software to form a botnet. After that, the botnet command & control platform could issue instructions of all sorts, including causing the infected drives to assist in carrying out other attacks.
So was the mass-erasing some gray hat hacker burning a black hat’s botnet? Or another black hat enacting revenge on the botnet owner? Could it have been the botnet owner burning their own network to cover their tracks once a goal had been achieved?
Lots of hypotheticals, not a lot of hard facts. But it’s fun to think about.
Item 2: Irish I had never downloaded that file
VirusTotal ordered to reveal private info of stolen HSE data downloaders
A May ransomware attack resulted in files being leaked from the Irish healthcare system and subsequently uploaded to security site VirusTotal for security scans. Once uploaded they were available to download by any user - 23 of whom apparently did so. Irish courts have now issued an order requiring VirusTotal to turn over data on all the users that uploaded or downloaded the data.
Uploading’s one thing, of course; but once something’s available for download and of acute interest to security researchers, should those researchers run the risk of their own data being turned over to authorities, or further measures?
This seems like an incredibly sticky issue - the public interest in protecting nationally-held health data versus the public interest in security research (in this case, understanding the threat and scope of an ongoing ransomware incident).
Item 3: The trainings will continue until click rates improve
Masha Sedova lays out in ninety seconds one of the reasons the security landscape is so constantly fraught with hazards: security training is only effective up to a certain point, and then suffers a precipitous falloff. Coming from a user support background it’s so very clear to me that both training and security warnings/advisories contribute to a certain ‘security fatigue’ after which users just get numb or nihilistic.
Psychology professor and researcher Paul Slovic has done a whole lot of work around risk perception intimately tying information and novelty to what kind of weight events carry internally and whether they cause change.
If it brings new information to the subject, it’s processed differently - and ends differently - than if novelty doesn’t accompany the experience. Without new information to process there isn’t any actual reprocessing or prioritized memory storage.
The same is so very true for most people’s risk perception around cybersecurity. Even fear-based training and incentives (“you’ll lose your job if x”) won’t be internalized nearly as much as something presented with novelty and signal potential.
And I'd be remiss if I didn't mention...
Meme with Will Smith from Independence Day shouting "I could have been at a bbq!" at the Kaseya logo instead of an alien
If you haven’t seen mention of the massive supply-chain based ransomware attack spreading out from Kaseya’s VSA software, you might as well start reading here. This is a big one - with about as much import as the Colonial Pipeline incident, SolarWinds, or the Exchange ProxyLogon attacks earlier this year. A whole lot of Managed Service Providers use Kaseya VSA, so the second-order effects of this attack are massive; for instance, about a 20% cut to Sweden’s food retail system, among other things.
Malicious hackers compromised VSA, which is used to push software updates, to then serve REvil ransomware to all the various clients. It appears Dutch security researchers had disclosed a VSA vulnerability to Kaseya and were in the process of coordinating a fix and communications around that when the ransomware gang beat them to the punch, probably timed for the July 4th holiday weekend in the US.
If that vulnerability is the one that made this attack possible… whoo, boy. One patch - that was apparently ready - could’ve prevented this? But instead, Incident Response teams are scrambling across the world, and hundreds (maybe thousands) of businesses are currently frozen out of their systems. Interestingly enough Kaseya didn’t mention any of this in their CEO’s self-laudatory statement.
I’ve developed a little personal tinfoil about this attack, in that it reminds me more of the disruption operation that Russia carried out with the “notPetya” ransomware (primarily directed at Ukraine) than any conventional ransomware deployment. I’ve got no evidence, just a hunch, but luckily this newsletter is free so you get the level of analysis you pay for.
Links that didn't make the cut
DoubleVPN servers, logs, and account info seized by law enforcement
Microsoft admits to signing rootkit malware in supply-chain fiasco
Amazon Acquires Encrypted Messaging App Wickr
Wrapup
On the blog, I wrote about 1500 words on the practical reasons why I’ve moved all my productivity to Apple products, and why in a lot of circumstances I suggest regular folks do too. Not fanboy malarkey or techno-jargon, just the practical reasons why.
Thanks for reading, folks. Please feel free to hit me up on twitter or email me at igcwrites at gmail with thoughts or suggestions. No pitches, no ads.
As best I can tell I have no conflicts of interest regarding anything above, but if I write up something where I do, I’ll make sure it’s clear.
Please keep yourselves safe, stay masked up, get vaccinated when you can, and be kind where you can.
-ian
Ian Campbell @neurovagrant

Unique items of note in information security/cybersecurity, privacy, and technology
