For the three reporters who have written articles about this, and the one who provided invaluable guidance, my gratitude is endless. This post doesn't apply to you, nor "the feds", the cybersecurity experts, or #lawyers (including and especially @eff), who were extremely helpful. The rest, however, should take note.
I've willingly laid my neck on a chopping block, unprotected, for over six months.
My outreach has been exhaustive:
• Attempted to engage with over 150 journalists and #news organizations,
• Coordinated frequently with the Cybersecurity and Infrastructure Security Agency (#CISA or "the feds"),
• Consulted with numerous cybersecurity experts,
• Sought advice from multiple lawyers,
• Spoke with ten state and state court CISOs,
• Attempted to talk to several dozen state and county court clerks and judges,
• Sent emails to every Florida State Senator, State Representative, and Supreme Court justice, and to multiple governors,
• Discussed with the staff of multiple U.S. Senators and U.S. Representatives,
• Contacted twelve vendors and over 40 employees
I've offered to write articles -- for free.
I've had no fewer than eight background checks done on me.
I've been cyberstalked by the Arizona Supreme Court.
I've put my job and my family's livelihood at risk in more ways than one.
I've made a grand total of $0; in fact, I've invested several hundred.
When I'm able to sleep, it's with one eye open, always waiting for "that" knock on the door.
After my first #disclosure, I prepared for a week to deal with what I expected to be a #media circus. What I received was one preemptive email from a state court #CISO (who was not affected) and one kind person (who is not a #journalist) on the #fediverse.
I've spent over 900 hours discovering, documenting, reporting, and disclosing vulnerabilities, trying to get this fixed on a mass scale, and attempting to contact the above list. I see no signs of this slowing down any time soon. All of this for what is merely a #hobby.
I've done my part. It's time for reporters to step up. The real-world harm these vulnerabilities have caused — and continue to cause — cannot be overstated. The need for widespread awareness and action is urgent.
Kind sollte in der 3.Klasse erklären, was #Mama von #Beruf macht.
„Meine Mama macht anderen Menschen Angst, dass ihre Computer nicht mehr funktionieren, wenn sie nicht vorsichtig sind.“
Watch our new video case study on how attackers gained access the personal data of 6.9 million #23andMe users without compromising the company directly. We'll share what happened and the new implications for organizations: https://youtu.be/B-5Y72UWWhI #databreach#cybersecurity#CISO
There are 3 ways to move forward for security leaders who decide to stay at their current company a few years into the role. @Yael and I collaborated to explain how to proceed intentionally and productively: https://zeltser.com/three-ciso-opportunities-when-staying/
Ready to take on the role of #CISO? Let us guide you through your first 100 days in this essential role with our talk track "New CISO," filled with expert insights and strategies to set you up for success.
I really like #mastodon and ethos around here so much better than the ‘other’ site(s), BUT….. the engagement and interactions are SO much less. What am I missing and are there some tips and tricks I should be using to turn that experience around?
Here are a few hashtags for visibility on the things I most often comment on and talk about.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #47/2023 is out! It includes the following and much more:
➝ 🔓 🇬🇧 University of Manchester #CISO Speaks Out on Summer Cyber-Attack
➝ 🔓 🇺🇸 Hacktivists breach U.S. nuclear research lab, steal employee data
➝ 🔓 👀 Sumo Logic Completes Investigation Into Recent Security #Breach
➝ 🔓 🇺🇸 Auto parts giant AutoZone warns of #MOVEit data breach
➝ 🔓 🇨🇦 Canadian government discloses data breach after contractor hacks
➝ 🇦🇫 New 'HrServ.dll' Web Shell Detected in #APT Attack Targeting Afghan Government
➝ 🇬🇧 🇰🇷 UK and South Korea: Hackers use zero-day in supply-chain attack
➝ 🇵🇸 🇮🇱 #Hamas-Linked #Cyberattacks Using Rust-Powered SysJoker #Backdoor Against #Israel
➝ 🇷🇺 😱 “They are tired of him, but they are afraid”: what is known about the leader of the hacker group Killnet
➝ 🇰🇵 N. Korean Hackers Distribute Trojanized #CyberLink Software in Supply Chain Attack
➝ ▶️ 🛒 Play #Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals
➝ 🇮🇳 Indian Hack-for-Hire Group Targeted U.S., #China, and More for Over 10 Years
➝ 🇷🇺 Russian hackers use #Ngrok feature and #WinRAR exploit to attack embassies
➝ 🇺🇸 🩺 #CISA Releases Cybersecurity Guidance for #Healthcare, Public Health Organizations
➝ 🇬🇧 🙏🏻 Thanking the vulnerability research community with #NCSC Challenge Coins
➝ 🧅 #Tor Network Removes Risky Relays Associated With #Cryptocurrency Scheme
➝ 🇺🇦 👋🏻 #Ukraine fires top cybersecurity officials
➝ 🩹 Johnson Controls Patches Critical #Vulnerability in Industrial Refrigeration Products
➝ 🦠 🦀 New WailingCrab #Malware Loader Spreading via Shipping-Themed Emails
➝ 🦠 📨 New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
➝ 🦠 🎠 NetSupport #RAT Infections on the Rise - Targeting Government and Business Sectors
➝ 🚫 Google #Chrome will limit ad blockers starting June 2024
➝ 🐛 ☁️ 3 Critical Vulnerabilities Expose #ownCloud Users to Data Breaches
➝ 🔓 ☁️ Researchers Discover Dangerous Exposure of Sensitive #Kubernetes Secrets
➝ 🔓 ☝🏻 New Flaws in Fingerprint Sensors Let Attackers Bypass #Windows Hello Login
➝ 🔓 🩸 ‘#CitrixBleed’ vulnerability targeted by nation-state and criminal hackers: CISA
➝ 🐡 Researchers extract RSA keys from #SSH server signing errors
📚 This week's recommended reading is: "How I Rob Banks: And Other Such Places" by FC a.k.a. Freakyclown
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #44/2023 is out! It includes the following and much more:
➝ 🔓 #Okta hit by another #breach, this one stealing employee data from 3rd-party vendor
➝ 🔓 💸 #LastPass breach linked to theft of $4.4 million in crypto
➝ 🇮🇳 #India's Biggest Data Leak So Far? Covid-19 Test Info of 81.5Cr Citizens With ICMR Up for Sale
➝ 🔓 ✈️ #Lockbit ransomware group claims to have hacked #Boeing
➝ 🇳🇱 ⚖️ Dutch hacker jailed for extortion, selling stolen data on RaidForums
➝ 🇷🇺 🇺🇸 Russian Reshipping Service ‘SWAT USA Drop’ Exposed
➝ 🇮🇷 🦠 Iranian Cyber Spies Use ‘#LionTail’ Malware in Latest Attacks
➝ 📉 Security researchers observed ‘deliberate’ takedown of notorious #Mozi#botnet
➝ 🇮🇳 📱 Apple warns Indian opposition leaders of state-sponsored #iPhone attacks
➝ 🌍 Four dozen countries declare they won’t pay #ransomware ransoms
➝ 🇷🇺 How #Kopeechka, an Automated Social Media Accounts Creation Service, Can Facilitate #Cybercrime
➝ 🇪🇺 EU digital ID reforms should be ‘actively resisted’, say experts
➝ 🇷🇺 🇺🇦 #FSB arrests Russian hackers working for Ukrainian cyber forces
➝ 🇺🇸 FTC orders non-bank financial firms to report breaches in 30 days
➝ 🇨🇦 📱 #Canada Bans #WeChat and #Kaspersky Apps On Government Devices
➝ 🇺🇸 #SEC Charges #SolarWinds and Its #CISO With Fraud and Cybersecurity Failures
➝ 🇺🇸 🤖 #Biden Wants to Move Fast on AI Safeguards and Will Sign an Executive Order to Address His Concerns
➝ 🦠 📱 #Avast confirms it tagged Google app as #malware on Android phones
➝ 🦠 🇰🇵 North Korean Hackers Targeting Crypto Experts with #KANDYKORN#macOS Malware
➝ 👥 💸 EleKtra-Leak #Cryptojacking Attacks Exploit #AWS IAM Credentials Exposed on #GitHub
➝ 🦠 🐍 Trojanized #PyCharm Software Version Delivered via #Google Search Ads
➝ ✅ 🤖 #GooglePlay adds security audit badges for Android #VPN apps
➝ 🔐 Microsoft pledges to bolster security as part of ‘Secure Future’ initiative
➝ 🆕 FIRST Releases #CVSS 4.0 Vuln Scoring Standard
➝ 🆕 #MITRE Releases ATT&CK v14 With Improvements to Detections, ICS, Mobile
➝ ⛔️ 🦠 #Samsung Galaxy gets new Auto Blocker anti-malware feature
➝ 🍏 🔐 #Apple Improves #iMessage Security With Contact Key Verification
➝ 🔓 Researchers Find 34 #Windows Drivers Vulnerable to Full Device Takeover
➝ 🔓 🪶 3,000 #Apache#ActiveMQ servers vulnerable to RCE attacks exposed online
➝ 🗣️ #Atlassian CISO Urges Quick Action to Protect #Confluence Instances From Critical #Vulnerability
➝ 🔓 🩸 “This vulnerability is now under mass exploitation.” #CitrixBleed bug bites hard
➝ 🐛 💰 HackerOne paid ethical hackers over $300 million in #bugbounties
📚 This week's recommended reading is: "Permanent Record" by Edward Snowden
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
The phrase "security is everyone’s responsibility" concerns me. People feel less responsible when they are a part of a group because they think someone else will take action. I explored this in a post on distributing cybersecurity responsibilities:
I imagine a lot of current CISOs will be looking into cashing out and taking early retirement in the near future. Good news for Info Risk Management types who've grown weary of banging their heads on the wall.
In this convo with Bishop Fox’s Trevin Edgeworth, you’ll discover how #RedTeaming can empower your organization to make confident decisions in challenging times.
Trevin has over 20 years of #offensivesecurity experience, including helping create #RedTeam programs at American Express, Capital One, and Symantec in addition to serving as #CISO at Norton Lifelock.
On Wednesday, October 18, 2023, we @cloudflare] discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance.
.. and they wrap up with recommendations...
Take any report of compromise seriously and act immediately to limit damage; in this case Okta was first notified on October 2, 2023 by @beyondtrust but the attacker still had access to their support systems at least until October 18, 2023.
In #Germany we'd call this "criminally gross neglect" and I really hope this won't be finished juat by firing the #CISO immediately.and without severance packages but woll have long lasting consequences.
But thanks for the info so I'll know to deny-list #Okta as supplier for that reason alone.
Trevin Edgeworth has experience establishing world-class #RedTeams; he has previously built them for American Express and Capital One in addition to Symantec and serving as the #CISO of Norton Lifelock. And in our virtual session, he’ll review why #RedTeaming can be a strategic “sanity check” for #security team leaders, VPs, #CISOs, C-Suite executives, and the Board.
We recently celebrated a milestone at Bishop Fox – the establishment of our #CISO and #CTO positions. Christie Terrill a long-time Bishop Fox veteran, and Aaron Symanski will be holding these roles.
Get ready for some insightful conversations on the latest episode of the Shared Security podcast!
📢 Join our host, @agent0x0 as he discusses into the dynamic world of the Chief Information Security Officer (CISO) with Ryan Davis, Chief Information Security Officer at NS1. 🌐
In this episode, Ryan shares his expertise and experiences, shedding light on the ever-evolving role of a Chief Information Security Officer. In this episode Tom and Ryan discuss fascinating topics, including:
🔒 The transformative nature of the CISO position
🤝 Navigating cybersecurity through acquisitions
🌟 The biggest challenges facing CISOs today
💡 Priceless advice for aspiring CISOs
If you've ever wondered what it takes to be a CISO, are contemplating a career in cybersecurity leadership, or are already a CISO yourself, this episode is a MUST-listen!
Stay tuned for an enlightening conversation that will broaden your horizons in the world of cybersecurity. Don't miss it! 🚀
I'm pretty sure #Musk fired his #cybersecurity team around the same time he got rid of the #mediaRelations and #moderation teams, but if there is a #CISO left at #Twitter they should hurry out the door and get a new job while the going is "good"..