Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
As if last month’s revelations about Twitter’s whistleblower former CISO weren’t enough, this month the cybersecurity community was rocked by the conviction of Joe Sullivan, former CISO (Chief Information Security Officer) of Uber and the up-until-very-recently CISO of Cloudflare. Joe was part of a coverup of a cybersecurity breach at Uber. In a nutshell, someone broke into Uber’s network and exfiltrated data. They then told Uber they had their data and would expose it unless Uber paid up. Instead of reporting the breach, Uber paid the cybercriminal a $100,000 “bug bounty” as hush money. The problem here is that bug bounties are paid to researchers that find an exploit in a company’s software (or perhaps the company’s infrastructure) and then tell the company about it so that it can be fixed. This is not what happened to Uber. Uber got hacked, data was exfiltrated, and the cybercriminal that hacked them threatened to leak Uber’s data unless Uber paid. This is the literal definition of extortion, and extortion is a crime. Paying a bug bounty is not a crime, but if the bug bounty is really an extortion payment, then the legal issue here shifts from extortion to covering up a crime, and that is exactly what Joe Sullivan was accused of doing. Much like the Watergate scandal and Clinton’s impeachment in the ‘90s, the coverup is often much more damaging than the crime itself.
Joe Sullivan was prosecuted for this crime, and much to my surprise, he and he alone was convicted of the coverup. He now faces up to 8 years in prison. Joe has a very long history in cybersecurity at many companies that everyone has heard of, such as Facebook, eBay and PayPal. He was formerly a federal prosecutor, adding to the irony of the situation.
I want to say up front that I did not follow this trial closely until the verdict was delivered. That being said, I have a couple of issues with the notion that Joe and Joe alone is responsible for this coverup. His conviction makes a number of assumptions: First, Joe found out about this breach (or his team did) and no other leader in the company knew about it. This sounds plausible to me. Second, Joe made the decision to cover up this breach and chose not to involve any other Uber executives in that decision. This does not sound plausible in my experience. In every single breach that my company has worked, there is collaboration between many executives in a company to make important decisions on how to handle the situation. Third, he and he alone had the authority to write a $100,000 check from an Uber account to a cybercriminal without anyone else giving the go-ahead. This feels like a reach.
There is a growing concern in the cybersecurity community of “CISO scapegoating”, where CISOs are the cannon fodder for a corporate decision to handle a cybersecurity incident a certain way. If things go badly, just blame the CISO. Is this going to be a widespread problem? I have no idea. The Joe Sullivan case is unusual, but it presents a concerning picture of how the role of a CISO could be treated going forward. I want to say in very plain language that I have never been in a situation where covering up a blatant breach was a consideration by anyone involved. I don’t know what it is like to be in Joe Sullivan’s shoes. Perhaps he really did “go rogue” as his conviction would suggest. Perhaps he is the scapegoat for a crime that many (most?) executives at Uber back in 2016 were complicit with, or even made the final decision on. I don’t know.
California Adds Digital License Plate Option
In other news, interesting examples of technology inserting itself into areas where no technology is needed abound. This one is especially fun because it involves cars, and I’m a car guy. California has just authorized the use of digital license plates. Let’s take a step back for a moment. A car is a physical device. Virtual cars do not exist and will likely never exist. Cars need an infrastructure to work (roads/bridges), and the government decided to tax cars to pay for that infrastructure, which seems reasonable. The trouble is that you can’t tax an actual car – you tax the owner of the car. In order to easily determine which car belongs to a person, license plates were invented. Makes sense. Now, California residents have the option of paying for “digital” license plates, which allow you to automatically pay taxes for your car, which does sound convenient. That being said, these digital license plates cost almost $1000 extra over the life of the car, so the convenience of automatically paying taxes for your car comes at an astonishingly high price. In addition, “digital” license plates use technology to transmit/receive data, and the methods used to protect data in transit are often later found to be insecure, as the weaknesses in TLS 1.0, SSL 2/3 and RC4, and attacks such as POODLE, have demonstrated. Any technology needs care and feeding, and this care/feeding has a cost. In many cases, the care/feeding is well worth the benefit that the technology in question provides. In the case of digital license plates, this appears to me to be a wonderful solution to a non-existent problem. Steel stamped license plates work well. They are reasonably hard to reproduce. They are difficult to hack. Sometimes technology isn’t the best solution to a given problem.
Until next month, stay safe!
Upcoming Speaking Events
Live events are back in action! Here is a list of the cities that I will be in for 2022/2023. Please feel free to reach out if you have an event in mind.
October 31st-November 2nd, Portland, OR
November 7th-10th, Atlanta, GA
November 28th-December 2nd, Key West, FL
December 12th-15th, San Francisco, CA
February 22nd-24th, Ames, IA
March 7th-8th, San Diego, CA
March 13th-15th, Salt Lake City, UT
Based on what I'm reading, is this just a hack or is it a case of responsible disclosure in the hopes of implementing positive change?
Has anyone seen an article on what the penalties for not complying with this are? Laws do not change behavior. Laws + enforcement of those laws + sufficient penalties for breaking those laws = change in behavior.
October is National Cybersecurity Awareness Month and even though it’s nearly over, now is a great time to reflect on some general best practices for improving the strength of your personal cybersecurity, courtesy of CISA (Cybersecurity & Infrastructure Security Agency):
Think Before You Click: Recognize and Report Phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
Update Your Software: Don't delay: if you see a software update notification, act promptly. Better yet, turn on automatic updates.
Use Strong Passwords: Use passwords that are long, unique, and randomly generated. Use password managers to generate and remember different, complex passwords for each of your accounts. A password manager will encrypt your passwords, securing them for you!
Enable Multi-Factor Authentication: You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked.
Be sure to check out the CISA website linked below for additional cybersecurity resources and follow them for more content related to National Cybersecurity Awareness Month!