First Edition

That's worth something, right?

I won’t do this much, but I wanted you to know that I appreciate you being here. As someone who has worked in IT and InfoSec long enough, I know it’s tough up-leveling your knowledge and keeping up to date on what’s happening. If you’re not from that background, even better! This newsletter was started as something that could help folks working in the industry or those we’ll call ‘cyber-curious’. (please don’t have another connotation - I’m too afraid to google)

I’ll try to keep these emails to the point, sent once a week, with some bonuses of hopefully being fun to read. If you have feedback or advice, hit this link!

Big News

M.O.A.D.B - The ‘Mother of all data breaches’

Welp, one more time for the people in the back: ‘DON’T USE THE SAME PASSWORD ACROSS MULTIPLE SERVICES’

Researchers have discovered a leak containing over 26 billion records. It isn’t one new breach so much as a compilation: records amassed from earlier leaks at well-known companies such as LinkedIn, X, Adobe, Tencent, and many more.

Look, folks, I get it. Passwords generally suck and can be a challenge to manage. Only about 34% of people use password managers (link). Some people might look at this and say “It’s not a new breach, it’s usernames and passwords gathered over time from old leaks.” They’d be perfectly correct in saying that, but the truth is: we don’t change our passwords often and we frequently reuse them across services, so an old leak of your password for one site is a working key for every other site where you reused it (that’s exactly what credential-stuffing tools are built to exploit). At the very least, if this hasn’t convinced you to change your passwords, did you know that turning on MFA for your high-value (high-value = highly targeted) accounts blocks about 99.9% of automated account-compromise attacks? (link)

Side note: Microsoft needs to take its research to heart. Check out the ‘Beware the Bear’ article further in the newsletter.

Surprise, Surprise - The NSA is buying your online data

This is one of those things that seems fairly obvious is happening but is more concerning when it’s officially out in the open. It’s the NSA; we’ve all seen the movies of them homing in on someone’s whereabouts and tracking them through social media, their phone location, etc. Turns out, that may not be that far off. But where is the data coming from? Welp, the data they’re buying is commercially available, which is even more concerning considering anyone can buy it. Websites, apps, and other services collect your data and sell it to brokers, who aggregate it and resell it, primarily for targeted ads. If you don’t want the NSA snooping on your web traffic, what about private companies with other potential motivations? What would stop a bad actor from acquiring that data for nefarious reasons? (Side thought: maybe you consider the NSA a bad actor)

The NSA released a statement that it “does buy and use commercially available netflow data related to wholly domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad.” (link)

What that means is:

  1. They’re buying the data without a warrant, and it will include traffic from people who are not under any investigation

  2. The data they’re acquiring can be used to determine what sites you visit and by way of that "This could include websites that offer resources related to mental health, assistance for survivors of sexual assault or domestic abuse, and telehealth providers who focus on birth control or abortion medication." (link)

I don’t know about you, but that sh*t is concerning.

This isn’t the first time either; check out what happened in 2021 when the Defense Intelligence Agency was buying location data harvested from smartphone apps.

Not concerned, you say? Take a second to think about those highly targeted ads, so targeted that you think “My phone must be listening to me.” It’s scarier than that. It’s more likely that advertisers are using this purchased data, coupled with the data of those around you, to target you with ads. (link)

Beware the Bear - that password spray hits differently when it’s you, doesn’t it Microsoft?

Ok, so, for those not listening, go back to the first article in this newsletter and read why MFA and a good password management policy are important. Ahem, Microsoft, ahem.

So, what happened with a bear? Advanced Persistent Threat 29 (APT 29), lovingly referred to as Cozy Bear (Microsoft tracks it as Midnight Blizzard), is the Russian state-backed hacking group responsible for several highly effective and highly visible cyber attacks. One you may remember was the SolarWinds hack, in which a backdoored Orion update was pushed to roughly 18,000 SolarWinds customers. If you don’t remember it, you were a lucky one who may have worked for an unaffected company. I was on the defensive side of that hack working at a managed services cybersecurity company, and let me tell you, that hack was wildly effective. The fallout was severe enough that the SEC has charged SolarWinds and its CISO with fraud and internal-control failures. (link)

Bringing it back to the incident at Microsoft, this group got into Microsoft’s email system with a relatively simple and unsophisticated technique: password spraying. Password spraying is trying a small set of common passwords (think ‘Winter2024!’) against a large number of accounts, slowly enough to stay under each account’s lockout threshold. It is the opposite of brute-forcing one account with thousands of guesses, and it works because in any large user population somebody has picked that password. Once attackers land in a mailbox or account, what they do next depends on their motivation: email someone an invoice with their own bank account number, spam the victim’s contacts with malware, steal documents, or, in Microsoft’s case, use the foothold in a legacy, non-production ‘Test’ account that did not have MFA enabled to work their way into more valuable accounts.
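Spraying looks different in the logs from a classic brute force, and that difference is what a defender keys on: one source fanning a failure or two across many accounts versus many failures piling up on one account. The script below is an added example (not Microsoft’s detection logic and not from any real incident) that classifies sources in a small, constructed authentication log; the log format, the IP addresses, the usernames and the thresholds are all assumptions made for the illustration.

```python
"""Spot password spraying versus brute force in an auth log.

Added example with constructed data. A spray shows up as one source
trying a few passwords across many accounts, each account seeing only
one or two failures, so per-account lockout never fires. Brute force
shows up as many failures against a single account. Thresholds below
are assumptions; tune them to your own lockout policy.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<timestamp> <source_ip> <user> <result>"
SAMPLE_LOG = """\
2024-01-12T02:00:00Z 203.0.113.7 alice FAIL
2024-01-12T02:00:05Z 203.0.113.7 bob FAIL
2024-01-12T02:00:10Z 203.0.113.7 carol FAIL
2024-01-12T02:00:15Z 203.0.113.7 dave FAIL
2024-01-12T02:00:20Z 203.0.113.7 erin FAIL
2024-01-12T02:00:25Z 203.0.113.7 frank FAIL
2024-01-12T02:00:30Z 203.0.113.7 grace FAIL
2024-01-12T02:00:35Z 203.0.113.7 heidi FAIL
2024-01-12T02:00:40Z 203.0.113.7 ivan FAIL
2024-01-12T02:00:45Z 203.0.113.7 judy FAIL
2024-01-12T02:00:50Z 203.0.113.7 test-legacy FAIL
2024-01-12T02:10:00Z 203.0.113.7 alice FAIL
2024-01-12T02:10:05Z 203.0.113.7 bob FAIL
2024-01-12T02:10:10Z 203.0.113.7 test-legacy SUCCESS
2024-01-12T02:00:00Z 198.51.100.9 admin FAIL
2024-01-12T02:00:02Z 198.51.100.9 admin FAIL
2024-01-12T02:00:04Z 198.51.100.9 admin FAIL
2024-01-12T02:00:06Z 198.51.100.9 admin FAIL
2024-01-12T02:00:08Z 198.51.100.9 admin FAIL
2024-01-12T02:00:10Z 198.51.100.9 admin FAIL
2024-01-12T02:03:00Z 192.0.2.5 alice SUCCESS
2024-01-12T02:45:00Z 192.0.2.5 alice FAIL
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, source, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user, result))
    events.sort(key=lambda e: e[0])
    return events


def _windows(fails, window):
    """Yield, for each failure, the failures from the same source within `window` ending at it."""
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        yield fails[start:end + 1]


def classify_sources(events, window=timedelta(minutes=30), spray_min_users=8,
                     spray_max_per_user=3, brute_min_fails=5):
    """Return {source_ip: {"spray": bool, "brute_force": bool, "compromised": [users]}}.

    spray: within one window the source failed against >= spray_min_users distinct
           accounts while never exceeding spray_max_per_user failures on any one of them.
    brute_force: within one window the source failed >= brute_min_fails times on one account.
    compromised: accounts that the source logged into successfully, reported only for
           spraying sources (the "one works" case the text describes).
    """
    fails_by_src = defaultdict(list)
    success_by_src = defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
        else:
            success_by_src[src].add(user)

    verdicts = {}
    for src, fails in fails_by_src.items():
        spray = brute = False
        for win in _windows(fails, window):
            per_user = Counter(user for _, user in win)
            busiest = max(per_user.values())
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                spray = True
            if busiest >= brute_min_fails:
                brute = True
        compromised = sorted(success_by_src[src]) if spray else []
        verdicts[src] = {"spray": spray, "brute_force": brute, "compromised": compromised}
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, verdict)
```

On the sample data, 203.0.113.7 is flagged as a sprayer whose success against `test-legacy` should be treated as a compromised account, 198.51.100.9 is a plain brute force against `admin`, and 192.0.2.5 (one failure, one success) is nobody’s business. Note that the per-user failure counts for the sprayer never get near a typical lockout threshold, which is why lockout policy alone does not catch this and why a source-centric view (or, better, MFA so the guessed password is useless) is needed.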

I suppose the relatively good news is that it was limited in scope, based on what they know so far. According to Microsoft “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.” (link) Oh, cool. Didn’t think about AI getting hacked, I’ll just go prep my doomsday shelter. It appears, based on current evidence, that the attackers primarily looked for information on themselves.

There are finer details at the links below, but it’s not a good look for Microsoft. The only potential good to come from this is that it may kick-start the government drawing hard lines on security practices for vendors. Microsoft and other companies may need to think harder about the basics.

Weird Cyber

When forgetting your password costs 300 Million dollars

Picture this: you have 300 million dollars. You can quit working and provide for your wife and two kids, their kids, their kids’ kids, etc. The only problem: it’s in Bitcoin, and you don’t have the passphrase to the encrypted USB drive holding the wallet. The drive gives you 10 attempts, you’ve already burned 8 of them, and after the tenth failure it wipes itself and the coins are gone forever. This isn’t a unique scenario. It’s estimated that about 20% of all bitcoin may be lost forever.

If this sounds like a horrifying scenario, think how Stefan Thomas feels. He’s a programmer who, in 2011, made a video called ‘What is Bitcoin’ and was paid 7,002 bitcoins, worth about $7K at the time but now ballooned to roughly 300 million. That same year, he inadvertently wiped two backup drives and then misplaced the passphrase to his encrypted drive. Talk about f-ing up a golden ticket.

For those who aren’t very familiar with Bitcoin and cryptocurrency, there are two broad ways to store your crypto: hot and cold wallets. There are nuances to both, but we’ll stick to the basics. Hot wallets are connected to the internet and available online; think of logging into your wallet in a web browser, or trading cryptocurrencies on an exchange like you would stocks. Cold wallets are not online. They come in several forms, the most popular being a hardware wallet: a small device that holds the private keys and signs transactions internally, which you plug into a computer only when you need to transact and otherwise keep locked away (hopefully). Stefan’s IronKey is a close cousin: an encrypted USB drive holding the wallet file, protected by a passphrase and a limited number of unlock attempts. Most people write down the passphrase or recovery seed and store that separately. Either way, with a cold wallet you are your own bank: lose it, destroy it, or forget the passphrase, and there is likely no recovering the contents.

That is, until technology catches up. Stefan had the foresight to store the USB drive somewhere secure until a point in time when the protection might be cracked. It turns out a group named ‘Unciphered’ appears to have done so. They have found a way to recover the passphrase on his exact model of drive (an IronKey) without tripping the attempt limit and wiping it. The new problem? He had already agreed with two other hacking groups that he would let them try first, giving them a year to do so. ‘Unciphered’ even posted an open letter to Stefan offering their services, but he’s declined. Talk about a man with the strength to stand by his word.

Not-so-unimportant news

Cool Sh*t Corner

A spot for cool and potentially completely unrelated things to cybersecurity.

Finally, I can do something unique in VR that I can’t do in the real world, like walking.