Best Infosec-Related Long Reads of the Week, 5/6/23

Inside the SolarWinds hack, MPS' ransomware attack devastation, Phishing training shortfalls, Sec. 702 outcome should worry CISOs, TikTok's algorithm dangers, Protecting kids from social media

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

The Untold Story of the Boldest Supply-Chain Hack Ever

Kim Zetter in Wired tells an insider story of the supply chain hack of business software supplier SolarWinds attributed to Russia’s SVR intelligence agency, first publicly revealed in December 2020, weaving a tale from the hack’s first undisclosed discovery in May 2020 by a Justice Department unaware of its importance through today, when the massive implications of the widespread incident still remain unknown.

BACK AT MANDIANT, workers were frantically trying to address what to do about the tools the hackers had stolen that were designed to expose weak spots in clients’ defenses. Concerned that the intruders would use those products against Mandiant customers or distribute them on the dark web, Mandiant set one team to work devising a way to detect when they were being used out in the wild. Meanwhile, Runnels’ crew rushed to figure out how the hackers had slipped in undetected.

Because of the pandemic, the team was working from home, so they spent 18 hours a day connected through a conference call while they scoured logs and systems to map every step the hackers took. As days turned to weeks, they became familiar with the cadence of each other’s lives—the voices of children and partners in the background, the lulling sound of a snoring pit bull lying at Runnels’ feet. The work was so consuming that at one point Runnels took a call from a Mandiant executive while in the shower.

Runnels and Scales briefed Mandia daily. Each time the CEO asked the same question: How did the hackers get in? The investigators had no answer.

On December 8, when the detection tools were ready and the company felt it had enough information about the breach to go public, Mandiant broke its silence and released a blockbuster statement revealing that it had been hacked. It was sparse on details: Sophisticated hackers had stolen some of its security tools, but many of these were already public, and there was no evidence the attackers had used them. Carmakal, the CTO, worried that customers would lose confidence in the company. He was also anxious about how his colleagues would react to the news. “Are employees going to feel embarrassed?” he wondered. “Are people not going to want to be part of this team anymore?”

From Campus Rape Cases to Child Abuse Reports, ‘Worst-Case’ Data Breach Rocks MN Schools

The 74’s Mark Keierleber surveys the damage from a devastating ransomware attack by the Medusa gang on the Minneapolis public school system, in which hackers stole and leaked a heartbreaking trove of tens of thousands of students’ records that reveal campus rape cases, child abuse inquiries, student mental health crises, and suspension reports.

The vast records — more than 189,000 individual files totaling 143 gigabytes — also offer a remarkable level of raw insight into the district’s civil rights investigation process for sexual assault and racial discrimination complaints and detailed information on campus security and other district operations that many school systems seek to keep under wraps. In total, they highlight the attack’s severity and the extent to which students’ and employees’ sensitive information is vulnerable to abuse.

Minnesota-based student privacy advocate Marika Pfefferkorn said she’s already heard from multiple concerned parents whose children had their sensitive information caught up in the breach, but that district officials have failed to communicate with them about their concerns.

“One of the reasons we have had so many parents reach out to us is because the information (the district) has posted on their website is just like nothing,” Pfefferkorn said. “It’s like it was an afterthought.”

She’s also struggled to give meaningful advice to anxious parents who need help.

“The conversation that we’re having is like, ‘Your information is going to be out there forever, and the impression of you is also going to be out there forever,’” she said. “I don’t know the advice that I need to be giving them other than, ‘You need to be aware of what’s happening and communicate with the district what your expectations are.”

Can Better Training Reduce the Success Rate of Phishing Attacks?

In Lawfare Blog, Jonathan Cedarbaum, professor of practice for national security, cybersecurity, and foreign relations law at The George Washington University Law School, reviews Arun Vishwanath’s latest book, “The Weakest Link: How to Diagnose, Detect, and Defend Users From Phishing Attacks,” that, among other things, explains how organizational anti-phishing efforts fall short.

Much of the training, he suggests, can be categorized as didactic or embedded. Didactic training consists of educating users on common phishing techniques and strategies. Embedded training involves sending fake phishing emails, seeing how employees do, and then sending corrective explanatory information afterward. Users who do well are praised; users who do poorly are scolded; and the cycle continues, perhaps with somewhat longer or more frequent training sessions provided to users who fall for deceptive messages more frequently. According to Vishwanath, these training strategies typically lead to only ephemeral effects, with users forgetting the lessons in just a few weeks or months.

These approaches fail, Vishwanath contends, because of two linked defects. First, they focus only on outcomes—how users perform—but fail to diagnose the causes of weak performance. That is, they neglect to assess the elements that lead many individuals to fall for phishing emails—particularly the patterns of thinking that incline individuals to be tricked by deceptions. As a result, they do not collect the right kinds of data that can help diagnose and so address what drives users’ failures to evade phishing messages.

Drawing on survey response and behavioral data studies that Vishwanath and colleagues did on test groups during the 2010s, Vishwanath proposes a different approach to assessing phishing susceptibility, one he calls the Suspicion, Cognition, and Automaticity Model (SCAM). In this model, suspicion, that is, “the feeling of unease that is triggered by informational cues in the environment,” is the crucial determinant of susceptibility to the deception involved in phishing emails. Vishwanath groups the forces influencing users’ level of suspicion into two categories: “cyber risk beliefs” and “self-regulation.”

CISOs, Don’t Ignore the FISA Section 702 Debate

Stewart A. Baker, a partner in the Washington office of Steptoe & Johnson LLP, and Richard Salgado, lecturer at Stanford Law School, among other titles, warn that CISOs need to pay attention to the debate over renewing Section 702 of the Foreign Intelligence Surveillance Act (FISA) because if it expires, they argue, their ability to track ransomware attackers will be diminished.

Now here’s why 702 should matter to CISOs. As the Biden administration has recognized, protecting cybersecurity is as much an element of national security as is thwarting terrorists. As such, Section 702 can be used to protect national security by tracking and defeating state-sponsored hackers, ransomware gangs like the ones who took down Colonial Pipeline, and others who threaten network security. In fact, administration officials have said publicly that Section 702 is a major cybersecurity tool. A top Justice official revealed that Section 702 has “prevented ransomware hacks and thwarted cyberattacks by China, North Korea, Iran and Russia.” Public details are scarce, but no classified information is needed to understand how 702 could be used in this context. All you need is an understanding of the law and of how foreign hackers attack U.S. networks.

How would 702 help the U.S. fight ransomware? Broadly, Section 702 allows an intelligence agency to target a ransomware gang located outside the U.S. if it’s using U.S.-based services (as it must to attack U.S. networks). The government is authorized to identify the attacker’s infrastructure (servers, email and IP addresses, and the like) and to collect information being sent to and from that foreign infrastructure. Once the ransomware gang is under surveillance, if it tries to compromise another U.S. network, the government will be able to see the attempt in real time and warn the victim. For systems that are already compromised, the government can also get some idea of the degree of damage based on the amount of data flowing to the attacker from the victim’s system and provide the victim with valuable information about the nature of the attack. Cyber threat actors can change their infrastructure rapidly, but Section 702’s strength is its nimbleness—if a threat actor changes the infrastructure it uses in its attacks, the agency can shift targets just as quickly.

Who Gets the Algorithm? The Bigger TikTok Danger

In another piece from Lawfare Blog, Weifeng Zhong, senior research fellow with the Mercatus Center at George Mason University, makes a case for why TikTok’s recommendation algorithm is a more significant national security threat to the US than Beijing’s simple access to users’ data.

As with every successful big-data algorithm, TikTok’s recommendation engine is so addictive because it collects and learns from an aggressive amount of user information. According to a 2023 report by Internet 2.0, a cybersecurity company, TikTok has twice as many trackers inside its app as other social media platforms like Facebook and Instagram do, and it tops the other 22 apps analyzed in the amount of privacy risks it exposes users to. (TikTok is followed by VKontakte, the controversial Russian social media app, on this metric.) These trackers, technically known as software development kits (SDKs), are snippets of source code developed in-house or by third parties that facilitate the functioning of the app. While all apps use SDKs and they can be legitimate tools, some of these trackers are more intrusive than others in peeping into private information about the user or the device that has downloaded the app, including, in TikTok’s case, monitoring user behavior like keystrokes and screen taps. TikTok confirmed the existence of those features on its app, although it claimed that it used the information only for debugging.

The Case for Banning Children from Social Media

The New Yorker’s Jay Caspian Kang walks through the growing concerns over protecting children from the dangers inherent in social media and the well-intentioned but faulty solutions devised to ban children from accessing social media altogether.

The civil-liberties implications of these restrictions are considerable and largely self-evident. The A.C.L.U.’s Speech, Privacy, and Technology project sent me a statement that said the Utah bill and many like it around the country would “restrict the ability of teenagers to explore and make up their own minds about everything from gender identity to safe sex to politics without parental knowledge or involvement.” Under the Utah law, an L.G.B.T.Q. child living in a household with disapproving parents might have fewer resources to find community and support because their parents would be able to look into their messages; children in abusive households would have a harder time using messaging platforms to seek help. Minors will also find it harder to access news. They will probably see fewer protests around the world and fewer videos that might inform them in one way or another, walling them off from online communities of people who care about the same things they do. They, in effect, will almost certainly be isolated from many of the ways people form political beliefs these days, especially those that fall outside of the mainstream.

The potential chilling effect of the Utah bill extends beyond children; its most galling civil-liberties concerns have implications for adults, too. Because Utah residents might have to verify their age using official government identification, adults without I.D.s may effectively be barred from creating social-media accounts as well. “Every adult will have to verify not just their age but their identity, because we don’t yet have a simple way of verifying your age without verifying your identity,” Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, told me. “It’s like getting carded to use the Internet.” Without any cover of anonymity or privacy, adults in Utah may become much more hesitant to express their beliefs online or to even seek out sources of information that might, for whatever reason, seem unseemly or potentially toxic. They will be much less likely to comment on anything, really, because they understand that their real identities have been linked to their accounts.