Decrypted: Uber’s former security chief charged, FBI’s ‘vishing’ warning

A lot happened in cybersecurity over the past week.

The University of Utah paid almost half a million dollars to stop hackers from leaking sensitive student data after a ransomware attack. Two major ATM makers patched flaws that could’ve allowed for fraudulent cash withdrawals from vulnerable ATMs. Grant Schneider, the U.S. federal chief information security officer, is leaving his post after more than three decades in government. And, a new peer-to-peer botnet is spreading like wildfire and infecting millions of machines around the world.

In this week’s column, we look at how Uber’s handling of its 2016 data breach put the company’s former chief security officer in hot water with federal prosecutors. And, what is “vishing” and why should companies take note?


THE BIG PICTURE

Uber’s former security chief charged with data breach cover-up

Joe Sullivan, Uber’s former security chief, was indicted this week by federal prosecutors for allegedly trying to cover up a data breach in 2016 that saw 57 million rider and driver records stolen.

Sullivan paid $100,000 in a “bug bounty” payment to the two hackers, who were also charged with the breach, in exchange for signing a nondisclosure agreement. It wasn’t until a year after the breach that former Uber chief executive Travis Kalanick was forced out and replaced with Dara Khosrowshahi, who fired Sullivan after learning of the cyberattack. Sullivan now serves as Cloudflare’s chief security officer.

The payout itself isn’t the issue, as some had claimed. Prosecutors in San Francisco took issue with how Sullivan allegedly tried to bury the breach, which later resulted in a massive $148 million settlement with the Federal Trade Commission.

“While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice,” the FBI said in a statement after the indictment was made public. “Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Sullivan faces five years in prison for obstruction of justice, if found guilty. But the case, regardless of the outcome, has sparked discussion about the risks and pitfalls of the chief security role — one that doesn’t just require technical chops, but also ethics and legal training.

FBI and CISA warn of ‘vishing’ threat in wake of Twitter hack

The FBI and Homeland Security’s cybersecurity advisory agency CISA are both warning companies of the growing threat from “vishing,” or voice spearphishing, a social engineering technique where criminals spoof a phone number and impersonate a person in a voice call to trick the victim into turning over sensitive information.

Vishing is a new phenomenon that rose to recent prominence after hackers used the voice spoofing technique to get access to Twitter’s internal admin tools to spread a cryptocurrency scam. By posing as IT staff, hackers can pivot through internal networks by tricking employees into giving over passwords and access to systems.

Wired reports that Twitter wasn’t the only target of vishing attacks. Fraudsters have targeted banks, cryptocurrency exchanges and web hosting firms using the same voice impersonation tactics.

The FBI says fraudsters are increasingly using vishing attacks during the pandemic, particularly against employees who work from home. That’s opening up new problems for legitimate IT staff who are trying to keep their employees on guard against these tactics.

Once again, it’s further proof that humans are the weakest link when it comes to security.


MOVERS AND SHAKERS

“I think it’s more creepy than anything and has caused me a lot of anxiety about going back.”

That’s one student going into their senior year at Albion College, a small private liberal arts university in Michigan. Fearing a coronavirus outbreak on campus, the school told its students just weeks before classes were due to start that they are required to download and install a location-tracking app, and are not permitted to leave campus without the school’s permission. Students are not allowed to opt out. If students don’t comply, they face suspension.

Worse, the app had two major vulnerabilities — one was found in-house by TechCrunch — which leaked student names and could be used to infer their COVID-19 test results.

Parents are calling on the school to make the app optional. As of the time of writing, a petition created by “concerned parents” has more signatures than students at the college. But the school has shown little sign of backing down.


$ECURITY $TARTUPS

Cloud management giant Sumo Logic has finally filed its long-awaited paperwork with U.S. regulators to go public. The move, announced Monday, has seen the company raise $340 million in funding from backers, reports Crunchbase. Sumo Logic parses data from its customers’ enterprise apps and monitors for operational, security and compliance issues.

Cobalt.io has raised $29 million in its Series B, led by Highland Europe, to help the startup build out its penetration testing platform. Cobalt.io helps its customers stress-test apps for security issues before they launch.

If you missed our recent Palantir S-1 coverage, start here: TechCrunch’s Danny Crichton obtained leaked details of the secretive data analytics firm’s S-1 paperwork to go public. Meanwhile, reporter Alex Wilhelm looked at the startup’s revenue numbers.


Send tips securely over Signal and WhatsApp to +1 646-755-8849.