#5 Secret CISO: OpenSSH pre-auth RCE, Iranian TV hacked in live, Finastra is hiring new CISO
Greetings from secret CISOs!
We are thrilled to announce that we have reached a milestone in our project, the Secret CISO newsletter. This week marks the 5th episode of our newsletter and our first small anniversary.
For those who may be new to our project, we are a group of anonymous CISOs who bring to you the latest cybersecurity research, data breaches, podcasts and interesting CISO job postings on a weekly basis.
We are proud to say that with just 4 episodes under our belt, we have already gained 300 subscribers. With the 5th episode, we have set our sights on reaching 500 subscribers and we would be honored if you could share our newsletter with your network of cybersecurity professionals.
So, sit back and enjoy the latest episode of the Secret CISO newsletter, your one-stop source for all things cybersecurity.
1. Data Breaches
Iranian President's live speech hacked on TV, Reddit phished, several CA medical group affected by the breach of 3M patients
The Iranian State TV and radio station was hacked during a live speech by President Ebrahim Raisi on Revolution Day.
The hacker group Ali's Justice (Edalat-e Ali) claimed responsibility for the attack and used the opportunity to disrupt the President's speech and air the slogan "Death to Khamenei." The hackers also encouraged citizens to participate in antigovernment protests and withdraw their money from government banks. Edalat-e Ali is a prominent group of hacktivists who have been working against the Iranian government for several years. They have disrupted live TV transmissions before and have also breached a prison facility in northern Tehran. Iran has faced a wave of cyberattacks since September 2022, when Anonymous hacktivists launched Operation OpIran to support Iranians protesting against the death of 22-year-old Masha Amini. The latest hack from Edalat-e Ali is also part of its support for the protestors in Iran. Despite the government's vow to tackle the protesters, hacktivists from around the world are targeting the country's critical infrastructure.
Source: https://www.hackread.com/iran-tv-hacked-revolution-day
Reddit suffered a devastating cyberattack that saw hackers breach the company's internal systems and steal sensitive information, including internal documents and source code.
The attack was carried out via a phishing lure that targeted Reddit employees, tricking them into entering their credentials and two-factor authentication tokens into a fake intranet site. Unfortunately, one employee fell for the trap and allowed the hackers to gain access to Reddit's internal systems.
According to Reddit, the stolen data included limited contact information for company employees and contractors, as well as some details about the company's advertisers. However, credit card information, passwords, and ad performance were not accessed. Reddit also stated that there were no indications that the hackers were able to breach their primary production systems, which run the website and store the majority of their data.
The breach was discovered after the affected employee self-reported the incident to Reddit's security team. The company has not shared much information about the phishing attack, but they did reference a similar attack that took place at Riot Games, where the hackers stole source code for popular games like League of Legends and Teamfight Tactics. The hackers later tried to ransom the data for $10 million, but Riot Games refused to pay.
The data breach has hit several California medical groups, resulting in sensitive health and personal information of over three million patients being stolen.
The breach took place around December 1, 2022, and the medical groups have sent security breach notification letters to the affected patients. The medical groups reported that they hired third-party incident responders and worked with security vendors to restore access to their systems and determine the impact of the data breach.
The data that was stolen includes patients' names, social security numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and phone numbers. According to the US Department of Health and Human Services, the database breach affected 3,300,638 people.
It is unclear who is responsible for the cyberattack, but several ransomware gangs are known to target healthcare facilities as they assume that the organizations will pay the ransom. However, in late January, the FBI announced that they had shut down Hive's ransomware network and seized control of the gang's servers and websites. Hive was known to have a particular affinity for hospitals, and the US Health and Human Services agency had warned healthcare organizations about Hive in April, describing it as an "exceptionally aggressive" threat to the health sector.
Source: https://www.theregister.com/2023/02/11/ransomware_regal_medical_group
2. Research
OpenSSH pre-auth RCE, Microsoft research on low-cost IoT security, and a new method to execute indirect syscalls
Pre-auth Double Free vulnerability found in OpenSSH, the most popular and trusted tool for secure remote terminal access.
The OpenSSH is widely used for various applications and supports a range of platforms, making it a widely adopted tool for secure remote access. It was a real shocker to see that even such a trusted software can be vulnerable. We all thought OpenSSH was super secure and stable, but it turns out that even the best can have a bad day.
The vulnerability is known as OpenSSH Pre-Auth Double Free CVE-2023-25136, and it's in version 9.2p1. The vulnerability can have a severe impact on OpenSSH servers, leading to DoS or RCE (Remote Code Execution), so the JFrog team decided to dive in and see what was going on. The fix commit showed that a function called compat_kex_proposal was responsible for the double-free. This research showed that the default configuration is vulnerable, but the good news is that it can be fixed by updating to the latest version of OpenSSH. The research team also found that the vulnerability can be triggered through the use of an obsolete client, such as PuTTY version 0.64. As we've learned from this research, it's always important to stay up-to-date with software updates, even for the most trusted and secure tools.
As CISOs, it's our job to keep our systems secure and our data safe. This vulnerability is a reminder that even the most trusted software can have vulnerabilities, and it's important to always stay vigilant and stay informed about the latest security updates and patches. And remember, even superman has a kryptonite, so always be prepared!
Source: https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
Microsoft has released a technical report on CHERIoT (Capability Hardware Extension to RISC-V for Internet of Things).
This report covers the current status of the CHERIoT ISA and how it is being developed to provide more security for low-cost embedded systems. The ISA builds on top of CHERI and RISC-V and aims to provide object-granularity spatial memory safety and deterministic use-after-free protection to protect against security threats from hostile Internet sources.
The CHERIoT project is based on previous work from the CHERI project and has been tuned to support smaller embedded systems. This report covers the RISC-V ISA extension, the compartment model, the RTOS implementation, the language extensions, and the ABI used to implement the compartment model.
For CISOs, this is exciting news as it provides a new approach to security for embedded systems. The CHERIoT project is focused on providing security at a low cost and with a small footprint, making it a great option for CISOs who are looking to secure their embedded systems without breaking the bank. The report also highlights the need for continued research in this area, as the CHERIoT ISA is still a work in progress and may be improved with feedback from the cybersecurity community.
Source: https://www.microsoft.com/en-us/research/uploads/prod/2023/02/cheriot-63e11a4f1e629.pdf
HWSyscalls, a new tool that’s making waves in the cybersecurity community.
A new research has been released, and it's all about syscalls. What's a syscall you ask? It's a way for a computer program to request a service from the kernel (the central part of the operating system) without accessing it directly. HWSyscalls is a new method to execute indirect syscalls using three main components: hardware breakpoints and Vectored Exception Handler to control the flow of execution, HalosGate to find syscall numbers and addresses, and creating a synthetic trampoline on kernel32 (yes, that's for Windows) with hardware breakpoints.
The main problem with calling syscalls from ntdll is that it's a weird access from a program directly to ntdll, without going through any previous dll. HWSyscalls solves this issue by combining hardware breakpoints functionality to create the synthetic trampoline in kernel32 and HalosGate to get the SSNs. And the best part? It's an easy-to-include library that can be added to any project that wants to use indirect syscalls without triggering any detections.
To use the project, simply include the HWSyscalls.h and call InitHWSyscalls to find the required gadgets and initialize the exception handler. Then, execute your function and call DeinitHWSyscalls to remove the exception handler at the end of your program's execution. The debug verbosity can be turned on or off as desired.
Source: https://github.com/Dec0ne/HWSyscalls
3. Podcasts
Four Areas of a World Class CISO, layoff story by McKeena Yeakey, and cyber week review by Terry Cutler
Cyber Security Today podcast, Howard Solomon and Terry Cutler discuss the latest in cyber security news
The highlights from the past seven days include a security researcher finding vulnerabilities in Toyota's supplier website, the need to protect servers running outdated versions of VMware's ESXi hypervisor from ransomware, the sale of 20 million customer lists from two U.S. companies, a suggestion for the Canadian government to offer tax breaks for small businesses to spend more on cyber security, and a warning for IT administrators using open-source document management systems. The U.S. and the U.K. have sanctioned seven members of the Trickbot cybercrime group, a British MP fell for a phishing scam, and another DDoS-as-a-service provider has emerged in Russia. Authorities in the Netherlands, Germany, and Poland have dismantled the Exclus encrypted messaging system. Atlassian released fixes for a critical vulnerability in Jira Service Management Server and Data Center and a 20-year-old man in Australia was sentenced for taking advantage of a data theft from a telecom provider. The podcast also covers France and Italy's alert about ransomware attacks on vulnerable VMware ESXi servers and the importance of patching unsupported software.
Four Areas of a World Class CISO with Dr. Eric Cole
Dr. Eric Cole got some amazing insights that will make you go "wow" and "aha"! Dr. Cole believes that if you want to succeed in your career as a CISO, you have to focus on being world-class in all areas of your life. He breaks it down into four main areas that will help you to optimize the quality of your life and become a better CISO.
What should you know about Dr. Cole? What about 20 years of Director of Research; Architecture Director of Cyber Defense Curriculum at SANS Institute.
Source: https://ericcole.libsyn.com/four-areas-of-being-a-world-class-ciso-part-1
CYBERSECURITY LAYOFFS AND DIVERSITY WITH MCKENNA YEAKEY
Do you want to learn about someone's journey in the industry? Then you should check out the Hacker Valley Studio podcast! In the first episode, hosts Ron and Chris chat with McKenna Yeakey about her experience with being laid off in cybersecurity and finding a new job.
McKenna shares how difficult it was to go through the emotional and psychological struggles of being laid off. She talks about the self-doubt and feelings of unworthiness she faced. But with the support of her professional network and the cybersecurity community, she was able to overcome those struggles and find a new job.
Not only does McKenna talk about her journey, but she also shares her insights on diversity and leadership in the cybersecurity industry. As a black woman in tech, she offers her perspective on what true inclusivity should look like and how to identify companies that are actively promoting it.
If you're looking to improve your cybersecurity career, this podcast is a must-listen. McKenna offers tips on how to support others in the industry and even shares her favorite leadership questions to ask during job interviews. Also, there is a job posting section in our newsletter right below.
Source: https://hackervalley.com/e/cybersecurity-layoffs-and-diversity-with-mckenna-yeakey/
4. CISO Job Postings
Mathematica, CISO, Washington, DC (Hybrid)
This is a great opportunity for someone with experience in information security management and a desire to work for a company that is making a positive impact on the world. Mathematica offers a dynamic work environment, competitive salary, and benefits package, and the opportunity to be part of an employee-owned firm.
Mathematica is a company that focuses on using data, methods, policy, and practice to make a positive impact on the world. They work with partners in both the public and private sector to improve programs and refine strategies, using data science and analytics to provide actionable insights. Mathematica is an independent, employee-owned firm that offers its employees competitive salaries, a comprehensive benefits package, and the advantages of being 100% employee-owned.
They are currently looking for a Chief Information Security Officer (CISO) to join their IT Services team in either Washington, DC or Princeton, NJ. The position is at the VP-level and will be responsible for establishing and maintaining the company-wide information security management program to ensure that information assets are adequately protected. The CISO will work closely with executive management to determine acceptable levels of risk for the organization.
The responsibilities of the CISO will include participating and contributing as an effective member of the leadership team, briefing the executive team on status and risks, and providing thought leadership in client and corporate security, privacy, risk, and compliance strategy and execution. The CISO will also be responsible for managing the Security, Risk and Compliance team supporting client projects, creating a governance structure around data security, risk, privacy, and ethical use, and developing an effective learning program to create a culture of security.
Apply: https://www.linkedin.com/jobs/view/3390672129
Finastra, CISO, Lake Mary, FL (Hybrid)
This is a high visibility, impactful role that requires an individual who can balance the strategic and execution requirements of the role to deliver an IT Security strategy and the associated programs to mitigate risk. Finastra is a leading FinTech company that offers a dynamic work environment, competitive salary, and benefits package.
Finastra works with over 9,000 customers, including 90 of the top 100 banks globally, to deliver innovative, next-generation technology on their open Fusion software architecture and cloud ecosystem.
The company is currently looking for a CISO to join their team. Reporting to the EVP, Chief Risk and Compliance Officer, the CISO will be responsible for developing and implementing a strategic, long-term information security strategy and roadmap to ensure that Finastra's information assets are adequately protected. The CISO will work with senior leaders across the business to assess, communicate, and oversee acceptable levels of information security risk.
Responsibilities of the CISO include identifying, evaluating, and reporting on information security risks, providing subject matter expertise on security standards and best practices to meet regulatory and compliance obligations, and developing, mentoring, inspiring, and managing a high-performing team of information security professionals. The CISO will also act as the champion for the enterprise information security program and foster a security-aware culture.
Apply: https://www.linkedin.com/jobs/view/3477883697
Director Information Security and Deputy CISO, Paylocity, United States (Remote)
Paylocity is a next-generation employee experience platform that provides uniquely designed solutions to help companies engage employees and create a personalized work environment. They offer great benefits and perks, including medical, dental, vision, life, disability, and a 401(k) match, as well as career development opportunities. Paylocity is seeking a creative and driven security leader to assist in oversight of their Information Security (InfoSec) group.
The InfoSec group at Paylocity is an ambitious, diligent, highly motivated team working together to secure their customers' data from real-world ever-evolving cyber threats. The ideal candidate for the position is a strong operational leader, curious partner, critical thinker, consensus builder, people motivator, and has the ability to communicate at all levels. Reporting to the CISO, the person in this position will own a portfolio of security initiatives spanning across multiple teams.
Primary responsibilities of the position include assisting the CISO with the definition of the InfoSec program vision and lead continued development of associated materials, working closely with other Infosec Directors and CISO to develop program-level initiatives based on identified gaps, managing expectations of customers, leadership across other departments, and executive stakeholders, partnering with InfoSec Managers and Directors to build and present credible business cases for strategic security initiatives and investments, and overseeing RFPs and evaluations of products and services and negotiates purchases.
Source: https://www.linkedin.com/jobs/view/3442512725
Final Words
Thank you for reading the fifth episode of the Secret CISO newsletter! We hope you found the latest cybersecurity research, data breaches, podcasts, and CISO job postings informative and helpful.
We are always looking for ways to improve our newsletter and provide even more value to our subscribers. That's why we would love to hear your feedback!
Please reply to this email and let us know what you liked, what you didn't like, and what you would like to see in future episodes.
We also encourage you to share this newsletter with your colleagues and friends in the cybersecurity field. Together, we can make the world a more secure place.
As usual, as a thank you for reading this episode in full, we would like to give you a digital gift of a cyber panda, here is yours:
Thank you again for being a part of our community and for helping us reach our goal of 500 subscribers. We can't wait to see what the future holds for the Secret CISO newsletter!