Secret CISO #7: Call of Duty and Canadian telecom hacked, MTA hires CISO
Welcome to the 7th edition of The Secret CISO newsletter! We have some exciting news to share with our esteemed CISO community. We've listened to your feedback and have decided to make our newsletter even more concise and to-the-point by strictly limiting each topic to just 5 sentences. This change will help us deliver valuable insights and advice in a more digestible format, making it easier for busy CISOs like you to stay up-to-date on the latest trends and best practices in cybersecurity.
Our goal is still to reach 1000 subscribers by the end of this 7th edition. We believe that with your help, we can achieve this goal and continue to grow our community of like-minded professionals who are passionate about cybersecurity.
So we kindly ask you to forward this email to your colleagues and invite them to subscribe to The Secret CISO newsletter.
Together, we can share knowledge and experience to build a more secure and resilient digital world.
Want to know how to get free WiFi on a plane? Jump to the Research (2) section.
1. Data Breaches
FBI investigates its own hack, Call of Duty compromised among other Activion assets, Canada's 2nd largest telecom source code is on sales
FBI Probes Cybersecurity Incident on Its Network
According to sources, the FBI is investigating a recent incident of malicious cyber activity on its network. The agency claims the isolated incident has been contained, but is working to uncover the extent of the damage. CNN reports that the cyberattack targeted a computer system used by the FBI's New York Field Office to investigate child sexual exploitation. This comes just months after the FBI's email servers were hacked to distribute spam emails impersonating FBI warnings in a "sophisticated chain attack." The FBI is working to gain more information about the incident and will release further details as the investigation unfolds.
Source: https://edition.cnn.com/2023/02/17/politics/fbi-cyber-incident-computer-network/index.html
Call of Duty, and other Activision Games, and Employee Data Stolen by Hackers
Hackers have successfully stolen internal data from Activision, including the release schedule for popular game, Call of Duty, according to cybersecurity group vx-underground. In addition, they stole employee data such as names, emails, phone numbers, and salaries, as confirmed by gaming blog Insider Gaming. Activision claims the breach occurred after a "phishing attempt" on December 4, 2022, though vx-underground says that other employees also received phishing emails but did not report them. This incident is just the latest in a string of cyberattacks against video game companies, including Riot Games and Rockstar Games. TechCrunch has yet to confirm the details of the breach or the legitimacy of the data published by vx-underground.
Source: https://techcrunch.com/2023/02/21/hackers-allegedly-steal-activision-games-and-employee-data
TELUS Investigates Possible Breach of Source Code and Employee Data
Canada's second-largest telecom, TELUS, is investigating a potential data breach after a threat actor shared samples of what they claim is employee data online. Screenshots were later posted of what appears to be private source code repositories and payroll records held by the company. While TELUS has not yet found evidence of customer data being stolen, the threat actor is now offering to sell the company's private GitHub repositories and source code, which purportedly includes information on "sim-swap-api." It is currently unclear whether the incident involved TELUS or a third-party vendor breach. In the meantime, TELUS employees and customers are advised to remain vigilant against phishing or scam messaging.
2. Research
Free Airlines WiFi hack, Magnetic Cards and Server-Side Prototype Pollution vulnerabilities
Magnetic Stripe Cards Still Magnetize Hackers
A hacker decided to test the magnetic stripe cards used on their college campus after becoming frustrated with the fees charged for replacements. They found that only two out of three tracks were in use on the cards, with the first track containing the PAN, last name, ID, and LRC for data verification, while the second track was used by card readers for transactions and door access. The only dynamic information on the second track was the PAN and LRC. The hacker read the data using the MSRX python library and MSR605, and found that the information was represented by the pipe-separated ISO 7811 format.
Source: https://github.com/bneils/magnetic-stripe-card-pentesting
Detecting Server-Side Prototype Pollution via Black-Box
Prototype pollution vulnerabilities in JavaScript applications have become increasingly prevalent, but detecting them has traditionally required access to source code. However, security researchers Daniel Thatcher and Gareth Heyes have independently developed black-box techniques to detect these vulnerabilities in a safer manner. The technique described in this article relies on a common coding pattern found in many applications, and can be used to detect prototype pollution vulnerabilities in both simple CTF challenges and real-world applications like Kibana. The technique involves cycling through many payloads that are likely to trigger prototype pollution in the application to add a required parameter to the JavaScript prototype.
Source: https://www.intruder.io/research/server-side-prototype-pollution
Hacking Airlines to Get Free WiFi
Getting bored on a long flight is the worst, but getting free WiFi is the best. A hacker found out that T-Mobile customers get a free hour of WiFi, but what happens after that? Using MAC spoofing and T-Mobile numbers, the hacker found a vulnerability in the airline's WiFi authentication method. By using a different T-Mobile number and MAC address, the hacker was able to get more free WiFi throughout the flight. After responsibly disclosing the vulnerability to the airline, they confirmed that they were aware of it and had plans to pilot a new authentication method. If you're an airline WiFi provider, it's best to use more reliable forms of authentication, like SMS-based or login-based methods.
Source: https://cylect.io/blog/cybr-2/exploit-airlines-to-get-free-wifi-airline-vulnerability-8
3. Podcasts
Azure on DevSecOps, large fintech CISO insights, and CISO lessons learn from SOC
Exploring DevSecOps in the Microsoft Universe
In episode 363, Josh and Kurt are joined by Joylynn Kirui, a Senior Program Manager at Microsoft, to discuss the current state of DevSecOps and the tools that Microsoft has made available to the open-source community. Joylynn provides an overview of the DevOps landscape and how security is being integrated into the process. She also discusses some of the challenges that organizations face when adopting DevSecOps and how they can overcome them. Joylynn talks about the importance of a culture of security and collaboration across teams, and how Microsoft is working to address these issues. She shares insights on the tools that Microsoft has developed, including Azure DevOps and GitHub, and how they can be used to support DevSecOps. Overall, this episode provides valuable insights for anyone interested in DevSecOps or looking to improve their organization's security posture.
Source: https://opensourcesecurity.io/2023/02/19/episode-363-joylynn-kirui-from-microsoft-on-devsecops/
How CISOs Help Large Corporations Stay Secure
Meg Anderson, the CISO of Principal Financial Group, discusses the importance of security controls and risk management in a large, multinational company. She shares her thoughts on centralization versus decentralization of cybersecurity control, and offers advice on how to keep employees up to date on cyber hygiene and awareness. Anderson also shares her perspective on whether a security team should be remote, and offers insights on the best ways to formulate questions that extract the best data. This episode of FinCyber Today provides valuable insights into the role of a CISO in maintaining security and flexibility in a large corporation.
Source: https://www.youtube.com/watch?v=xrj5eeyjnKE
Let's Talk SOC - Lessons Learned as a CISO
Ken Deitz, the Chief Security Officer & Chief Information Security Officer at Secureworks, will be sharing his experiences and insights as a CISO in this 12-minute talk. He will discuss key topics including maximizing talent to address risks, the evolution of the CISO role, artificial intelligence, and the importance of focusing on the basics. This talk is ideal for anyone interested in learning about the challenges and strategies for protecting against modern-day cybersecurity threats.
Source: https://www.brighttalk.com/webcast/5416/574821
4. CISO Jobs Postings
MTA, CrowdStrike, and GoHealth - all started hiring CISOs
CISO (Remote) at CrowdStrike
CrowdStrike, a global leader in cybersecurity, is looking for a Chief Information Security Officer (CISO) to develop and implement an information security strategy to protect the company's data, systems, and networks from cyber threats. The CISO will report to the Chief Security Officer and partner with other groups within the company. The role requires 20+ years of management experience in a combination of risk management, information security, and IT jobs, with a degree in information assurance, cybersecurity, information technology, or a related field.
The candidate should have strong knowledge of security technologies and industry standards, such as OWASP, ISO 27001, NIST, and Data Protection Laws. Excellent communication and leadership skills are a must. The CISO will be responsible for developing and implementing information security policies and procedures, leading a large security organization, conducting risk assessments, monitoring security-related data, and developing incident response plans.
Source: https://www.linkedin.com/jobs/view/3496769193
Chief Information Security Officer at GoHealth
GoHealth is looking for a Vice President of Information Security to lead a team of security professionals in driving Information Security vision, strategy, adoption, and continuous improvement. The successful candidate should have excellent collaboration, communication, people management, and coaching skills, as well as the ability to translate complex technology and security information into understandable business risks.
The role involves providing strategic leadership to define and advance the company Information Security priorities and objectives, analyzing and mitigating Information Security threats, and ensuring that newly-acquired technology complies with the organizational security requirements. The candidate should also advise senior management on policies, processes, and systems, plan, design, and implement an information security strategy, and present regular feedback reports on Information Security to organizational leadership.
Source: https://www.linkedin.com/jobs/view/3438190351
MTA is looking for Deputy CISO
The Metropolitan Transportation Authority is looking for a Deputy Chief Information Security Officer (CISO) to work under the CISO to provide strategic leadership for enterprise cybersecurity strategy across all MTA cybersecurity strategic projects and initiatives. This executive position will plan, design, implement, and manage cybersecurity programs related to rail systems such as CBTC, PTC, Signaling, Communications, Power, rolling stock, traffic management, and other safety systems across all MTA agencies. The Deputy CISO will partner with federal, state, and external transportation and cybersecurity related entities to enhance security for the MTA. The Deputy Chief Cybersecurity Officer positions will oversee human capital resource strategies to maintain a viable cybersecurity department, evaluation of emerging technologies, monitoring, and enforcing information security standards and policies. The position works across multiple technology and cybersecurity domains to ensure cybersecurity is looked at holistically from user, data, and component, and systems perspectives for both Information Technology and Operational Technology Systems.
Source: https://www.linkedin.com/jobs/view/3431152823
Final Words
Thank you for reading Episode 7 of our newsletter! We hope you found the information useful and informative. As a token of our appreciation, we're sending you a digital rabbit gift:
If you enjoyed this newsletter, please consider sharing it with your colleagues and friends by clicking the share button below.
Also, we always appreciate feedback from our readers, so please feel free to send us your thoughts and comments.
Thank you again for reading, and we look forward to bringing you more valuable insights and updates in the future!