Epic Cybersecurity Fails (S1:E43)
December 1, 2022
While it’s no fun for the organizations involved, this week’s episode takes a playful look at epic cybersecurity fails. We’re joined by journalist Drew Todd who covers cybersecurity at Secure World News. For 20 years, Secure World has been tackling global cybersecurity issues and sharing critical knowledge and tools needed to protect against ever-evolving threats.
Speaker 1: You're listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cybersecurity, and IOT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging phygital [00:00:30] experience. Join us on our journey as we discover just how connected the future will be, and how we will fit into that picture. Your host is Leigh Dow, VP of global marketing at Identiv.
Leigh Dow: Welcome, welcome to Humans in Tech. Today we've got a pretty fun topic for us, not so fun for others. We're talking about epic cybersecurity fails. We're joined by journalist, Drew Todd, who covers cybersecurity at media outlet, Secure World News. For 20 years, Secure [00:01:00] World has been tackling global cybersecurity issues and sharing critical knowledge and tools needed to protect against ever evolving threats. Hi, Drew. Thanks for coming on our podcast today.
Drew Todd: Hi, Leigh. Thank you for having me today. I'm excited to be here.
Leigh Dow: Tell us how you ended up as a journalist covering cybersecurity, and what it's like to just cover such a major tech beat in today's really fast changing world.
Drew Todd: So it's kind of been interesting for me. I feel like for a lot of people, you didn't set out to work in [00:01:30] cybersecurity. There's a lot of different paths that people I've talked to, and that they have getting into cyber. And so I graduated from college at the beginning of the pandemic in 2020, so it was a joy trying to find a job. And I just kind of stumbled onto my role here at Secure World, and it kind of just ... Our boss asked me to do one thing, and then it kind of snowballed into a whole job. And now I am pretty much our main journalist and content person, so [00:02:00] I've been covering cybersecurity issues for about a year and a half. And it's been really fascinating to me, as someone who didn't study cybersecurity in school, I've learned a ton about the industry. And it seems like every single day, there is something new, a breaking issue that a lot of people are talking about, some new cyber attack or ransomware, so it's been kind of a joy for me to learn [00:02:30] a lot about the industry and cover cybersecurity.
Leigh Dow: Did you study journalism, or something else technical, or both, or neither?
Drew Todd: I actually graduated with a degree in economics. And so I guess I've just always sort of had a knack for writing. And my company recognized that pretty quickly. They asked me at first, they're like, "Hey. You think you can write an article or two about this?" And I was like, "Yeah, sure. That sounds fine." And then [00:03:00] everyone was like, "Wow, you seem like you're doing a really good job." And so I just kept going and kept writing. And so it's been fun for me to learn about all that.
Leigh Dow: Economics is hard. I'm a poly-sci major, and I really, really didn't like my economics classes very much.
Drew Todd: Yeah, it was not easy.
Leigh Dow: Recently, you did an article on the top 10 data breaches of all time. Tell me about that article, why you wanted to write [00:03:30] about that, what the criteria was that you chose for the worst data breaches. There's probably so many to choose from.
Drew Todd: So like a lot of articles that I write, I just want to share interesting information about the industry. So with the top 10 data breaches story, I pretty much just researched and combed through the top breaches of the last decade or so and put a list together. It's pretty difficult to define exactly what the top [00:04:00] data breaches are because there's so much criteria that goes into that, so if you look at my article, you'll notice that I didn't number them one through 10. There's just 10 there because it would be pretty hard to pick exactly what goes at the top and what goes at the bottom.
But basically, I just looked at things like how many individual records were compromised, what information was involved. Was it sensitive personal information? What sort of damages did the company have to pay? [00:04:30] Were they fined from a government agency, from a regulator? Did they have to pay out any lawsuits or any things like that? And then who was the attacker? Was it a state sponsored attacker? Was it China, or Russia, or North Korea? And so pretty much all of those things went into choosing a list. You're absolutely right, there's so many data breaches that you could choose from, so it took me a while to find [00:05:00] what I felt like the top 10 were. And it's just great, it's sort of not fun for the companies that are involved, but it's fun, sort of fun to just go back and look at, wow, I kind of forgot that data breach happened. There were three billion records involved, or wow, they had their social security information leaked. And so that's pretty much what went into that article.
Leigh Dow: One of the things that I think is really interesting is the rise of the [00:05:30] ransomware hacks, and that topic is just fascinating to me because it's a pretty recent, as far as technology terms, it's actually a pretty recent trend.
Drew Todd: Yeah, absolutely. Ransomware has been probably the issue at the forefront of most executives' minds because you hear about stories where a company gets hacked, and then they have [00:06:00] all of their data is locked and they can't operate their business normally. And so then it's like the threat actor, the cyber criminal is asking them to pay this exorbitant fee to unlock their own data. And it's pretty concerning, especially for smaller organizations that don't have the resources to either recover their assets or pay the cyber criminals money. And so it's a tricky situation [00:06:30] for a lot of people, and that's why it's become such a huge issue. You see news stations talk about ransomware on your nightly news and you were not seeing that a few years ago.
Leigh Dow: Well, and even in pop culture. Right? I think there's a Grey's Anatomy episode on a ransom attack, ransomware attack.
Drew Todd: I haven't seen Grey's Anatomy, but I'm sure it's probably an interesting episode.
Leigh Dow: Yeah. As we just discussed, cyber attacks can really affect all [00:07:00] different industries, from airports, to banking, educational institutions, investment companies, retailers, the list goes on. And the federal government is also a constant target for threat actors. Are there any industries that you notice to be more or less prone to cyber attacks?
Drew Todd: Everybody is prone to a cyber attack. There's no industries that are completely safe. But I would say since the beginning of the pandemic, the healthcare sector has been frequently targeted by cyber actors because of the [00:07:30] sensitive information that they're containing with the vaccine and everybody is now going, checking up with their doctor. So everyone's been looking at the healthcare sector, trying to find any vulnerabilities they can because if you attack a hospital, and it's a life threatening situation, they pretty much have to pay right away because you can't not give somebody the care they need because of a ransomware attack. And so that's [00:08:00] been a huge issue for the healthcare sector. And then I'd also say the education sector is pretty frequently targeted. And it's really difficult for the education sector because unlike a lot of other industries, they lack the funding and tools to appropriately react to a cyber incident.
I recently covered a story for the Los Angeles Unified School District, the second biggest school district in the country, [00:08:30] was hit with a ransomware attack. And they didn't make the number public what the ransomware actor was asking for, but the superintendent of the district just came out and said, "There's no way we're even having a conversation about paying the ransom. We, like most schools, barely have the funding to get their teachers the tools they need for their classroom, let alone pay a $500,000 [00:09:00] ransom fee because they got hacked and their data is exposed." So I'd say the healthcare sector and the education sector are two that I look at pretty frequently.
Leigh Dow: See, healthcare, Shonda Rhimes, the genius who writes Grey's Anatomy.
Drew Todd: There you go.
Leigh Dow: So cybersecurity is also an issue on social media platforms. You recently reported on cybersecurity problems at Twitter posing a national threat, and also how TikTok [00:09:30] has denied claims of a massive data breach. Tell us about what you found there.
Drew Todd: Yeah. So this is something, this is pretty interesting and incredibly concerning to me. The more that you read about cybersecurity with social media, it doesn't make you exactly feel great. The story that I covered was the former head of security for Twitter, Peiter Zatko, also known as Mudge, has been industry leader [00:10:00] for decades, was a whistleblower for Twitter, and said that Twitter was covering up some of their most severe vulnerabilities and misleading the board and government regulators. And he also believed that one or more employees was working for a foreign intelligence service. And so when you read stuff like that, it's incredibly concerning because of the elections that we had in 2020. There was so much concern about that. Is Russia hacking and [00:10:30] messing with our stuff? What is China doing?
Zatko also mentioned that Twitter doesn't reliably delete user data after canceling an account, and that Twitter doesn't have the resources to understand the number of bots on the platform. And so I've read about a ton of stories where people think that there's so many bots on social media platforms that are purposely spreading misinformation and [00:11:00] making everything more confusing for all of us, and making people argue with each other. And it's something that I think our country and the world at this moment in time is something we really don't need to add that to the mix of everything we have going on.
Leigh Dow: Yeah. I've written quite a bit about disinformation architecture, and the bots are a big part of that because what they do is they sort of take people, they sort of identify people [00:11:30] who are vulnerable to go down a rabbit hole of disinformation, and then they bring them down that rabbit hole and sort of keep them there in a bubble and keep feeding them more and more of that disinformation in ways that feel very authentic.
Drew Todd: Yeah, exactly. I mean, you probably hear it all the time about your aunt or uncle on Facebook is sending out these random messages that they get, and they believe it because they've been fed all [00:12:00] of this misinformation. And then you read what they're sending you and you're like, "This doesn't make any sense, Uncle," [inaudible 00:12:08].
Leigh Dow: No. I think we all have that aunt or uncle, yeah. For sure.
Drew Todd: Even with TikTok, TikTok is a whole other issue from Twitter. It's obviously a Chinese based company, and the issue with that being all companies in China, if the government asks them for information, they don't have a choice but to give the Chinese [00:12:30] government the information that they have. And so I've read about where the TikTok algorithm is kind of terrifying. I don't know if you are on TikTok or not.
Leigh Dow: I can go down a TikTok rabbit hole like nobody's business.
Drew Todd: Yeah. Their algorithm knows exactly what you want to look at, so the way that I've read about how it's kind of coordinated is, in China, they're showing their own citizens really [00:13:00] upbeat, happy things, like promoting good causes or whatever, or kind of propaganda for the government. And then in the US specifically, there's more negative videos, more videos of people just dancing and kind of mindless things. And so it's interesting how it's possible that the Chinese government is kind of manipulating social media to over time kind of negatively affect [00:13:30] people that use it in the US and Europe, and I mean, really just everywhere around the world.
Leigh Dow: Yeah. Apparently, they believe that I have a deep, significant need to see Bama Rush because that got fed to me for a while there during rush, Bama Rush, which I don't know why because I didn't go to an SEC school. In fact, I went to an ACC school, so the last thing I want to see is Bama Rush.
Drew Todd: Right, right. [00:14:00] I'm pretty sure I got some of those videos too.
Leigh Dow: Yeah. And then I guess the Chinese government is probably gathering a lot of information about how much I like food and fashion.
Drew Todd: Yeah. Yeah, definitely food for me too.
Leigh Dow: Yeah. So what are some of the top vulnerabilities actively exploited by hackers?
Drew Todd: What I would say to this, the top vulnerabilities exploited by hackers are the ones that they can get to easily, the ones that are right there ready to be hacked. [00:14:30] But aside from the easy one, the one that I would point out is the Log4Shell vulnerability has really been giving everybody a headache since it emerged in late 2021. It's essentially a software flaw in the Apache Log4j logging utility. And the reason it's been such an issue is because of the number of apps and web services that rely on Log4j. Apple, Google, Amazon, Microsoft all heavily rely on it. [00:15:00] And so it created an exceptionally broad attack surface for threat actors. And so that has been a major issue that I've listened to multiple speakers at our Secure World conferences talk about. They always, number one, what's the top vulnerability, they say Log4Shell has been giving everybody issues.
And then aside from the Log4Shell vulnerability, there's a lot of others that you could pick. And [00:15:30] so any chance I get to highlight CISA, the US government organization, they do just an incredible job in the last few years, especially with Jen Easterly being the director now. I encourage everyone to go look at their known exploited vulnerabilities catalog. They have so many vulnerabilities listed and so many other resources. So if you're listening and you have a chance, check out cisa.gov. They have so [00:16:00] much info on the top vulnerabilities that they're more than willing to share.
Leigh Dow: I've been seeing a lot lately on hacktivists. I mean, I suppose in some ways, Anonymous started that trend, people who gain unauthorized access to computer files or networks in order to further a social or political end. You must see more stories like this emerging, especially close to elections, not only in our own country, but others.
Drew Todd: Yeah, absolutely. You hit it right on the nail with Anonymous. The situation with [00:16:30] Ukraine and Russia is pretty much a daily battle. If you're looking for a story on cybersecurity, pretty much all you have to do is type into Google, Ukraine Russia cyber, and there'll be something new. At the beginning of the conflict, Anonymous came out and announced that it was declaring a cyber war on Russia defending Ukraine. And so they kind of got their army of hackers, pretty much just being pesky individuals doing whatever they can [00:17:00] to disrupt Russian activities any way that they can get to Putin, any way that they can disrupt high level organizations and traffic within Russia, so that's been really interesting to follow with hacktivists.
There was an interesting story a little bit ago. Russian hackers hacked a radio network in Ukraine, and they spread misinformation on Zelensky [00:17:30] and said that Zelensky was sick and dying in the hospital. And they broadcast that over the radio, and so a bunch of people in Ukraine started freaking out. And they're like, "Oh, my gosh. Is our president okay?" And then Zelensky came out himself and posted a selfie. He's like, "I'm good. No need to worry. That's just Russian hackers doing their thing." And so it's stuff like that daily in Ukraine and Russia. And then even more recently, the situation in Iran [00:18:00] has been really interesting to follow. There was a young woman who was detained by police for not wearing her hijab, and she died in police custody. And since then, there's been outbreaks across the country protesting. And so hacktivists have come to the citizens of Iran's aid trying to help them in any way that they can. Iran is limiting [00:18:30] internet access, and so people are sharing VPNs and other types of things just to help the people of Iran fight back against the kind of brutal regime over there.
Leigh Dow: Enter Starlink.
Drew Todd: Yes, yes, absolutely.
Leigh Dow: Yeah. I've been following that story really closely. And just in the last few days, there was a young woman who was participating, she's a climber I believe, participating in an outside of the country event, and [00:19:00] didn't wear her hijab, or I think any of her required-
Drew Todd: Yeah, I saw that too.
Leigh Dow: Uniform. And then went back to Iran and I think nobody's heard from her since. And that's a really great example of how hacktivism maybe isn't such a bad thing, where you've got all of these people who are mobilized and they're in the streets, and they're protesting. And they're really risking their lives [00:19:30] and their future in order to try to make some social change, political change. And that's where hacktivists come in. But it is really interesting, that trend of hacktivism, to me because it's really a totally different kind of grassroots. And grassroots, I started my career in politics, and so grassroots is one of the best ways to make social change, or political reform, or anything like that [00:20:00] because you get that groundswell of people that are too big and too connected to ignore. And so I just find the hacktivism piece really interesting because it's sort of the modern day's take on social marches and things like that for social change.
Drew Todd: Yeah, I totally agree with you. I think most stories that I read about hacktivists and hacktivism, they're usually doing it for a good cause. And so it's kind of encouraging to see [00:20:30] when a huge group of people like Anonymous, they're like, "Okay, Russia is invading Ukraine. What can we do to help the citizens of Ukraine in this time of need?" And the same thing in Iran. And so it's cool to see those stories.
Leigh Dow: Well, it's also just it allows for people who are not local to support and participate in making those changes.
Drew Todd: Yeah, yeah, absolutely.
Leigh Dow: So it's not really uncommon for cybersecurity [00:21:00] companies to be the targets of attacks. You've covered that angle. Right?
Drew Todd: Yes, I have covered that angle before. It's sort of something that I try to avoid as much as I can, as Secure World partners with a lot of these companies, so I don't want to really paint anybody in a bad light, and then they're like, "Oh, we're your sponsor, but you just wrote this article ripping into us on our cybersecurity," so I do cover it if it's a story that warrants it definitely. It's been [00:21:30] interesting. I don't know if you've followed the story with the Lapsus$ group.
Leigh Dow: No.
Drew Todd: Lapsus$ is a sort of new cyber gang that emerged earlier this year, and they pulled off hacks of Nvidia, Samsung, Ubisoft, Microsoft, Okta, government of Brazil, and a bunch of other people. And after pulling off all these hacks on these huge tech companies, [00:22:00] they're leaking source code and internal documents, and so it really puts, specifically for cybersecurity companies, it puts the executives in quite a pickle for paying the ransom or having your source code for your lead product be leaked on the dark web and sold to the highest bidder essentially. But what I love about this story is that the mastermind of the Lapsus$ group is reportedly a 16 or [00:22:30] 18 year old kid.
Leigh Dow: Of course it is, of course it is.
Drew Todd: Who lives with his ... I know. I know. He lives with his mom in London. And so after they pulled off all these high level breaches within a really short span, and so of course, the authorities took notice and they arrested seven individuals in London, and all of them were teenagers. And so it's crazy to think that a group of teenagers can get together and be like, "Okay. What are we going to do today? Oh, we're going to hack the [00:23:00] four biggest tech companies in the world and steal their source code."
Leigh Dow: For funsies.
Drew Todd: Yeah, just for funsies. And so that's been a fun story to follow. It's obviously just attention grabbing because of the big companies involved, and then the teenagers, the reported 16 year old mastermind behind the operations.
Leigh Dow: How do you spell that?
Drew Todd: Lapsus is L-A-P-S-U-S, and then they add [00:23:30] a dollar sign after the S.
Leigh Dow: Of course they do because they've got to get the [inaudible 00:23:36]. Yeah. Like they're Kesha or whatever. Well, you know what's funny is I have gone on rants before about schools that still teach cursive.
Drew Todd: Oh, my God.
Leigh Dow: Instead of teaching kids to code. I'm like, "You should be using that time to teach kids to code because that's what they're going to need to run their households and stuff," but now [00:24:00] I might take that back after hearing that story.
Drew Todd: That's actually, I've never thought about that. I've never once used cursive.
Leigh Dow: Of course not.
Drew Todd: In my adult life [inaudible 00:24:10].
Leigh Dow: And in today's world, where we all DocuSign, there's absolutely nothing magical about scribbling your name versus printing it.
Drew Todd: Yeah. I would totally agree with you though. Despite the teenage hackers, let's start teaching coding at a young age instead of cursive.
Leigh Dow: Exactly.
Drew Todd: I think that would be hugely beneficial for [00:24:30] everybody.
Leigh Dow: Completely agree. What is the annual global damage in costs from these attacks? Is it getting better? Is it getting worse? Is it staying the same?
Drew Todd: So unfortunately, I have to say that it's getting worse and it's probably only going to continue to get worse for a while. There's just so many things that threat actors [00:25:00] can target nowadays with everything being connected to the internet. Since the pandemic started, obviously the transition to remote work has increased the attack surface for threat actors. And so everybody's working remotely, everybody is on, they're connected to the cloud, or connected to a VPN. And so there's just so many ways for threat actors to get into your network and start stealing your information and your data. I've seen reports [00:25:30] that cyber crime is up 600% since the beginning of COVID, that it costs roughly the world six trillion a year.
Leigh Dow: Wow.
Drew Todd: And I've seen estimates that say that it could rise to 10 trillion by 2025. And something that I think that's interesting to note is that a lot of cyber crime goes unreported, and so we have [00:26:00] actual data on what gets reported, but if 60% of cyber crime or whatever percentage it is, isn't reported, we don't have accurate numbers on a lot of things because especially if a huge company gets breached, and they're doing their best to kind of keep it under wraps, even though they're probably supposed to report it, there's a lot of that going on that's just unreported. And so we don't really know. [00:26:30] I know that for an average organization, the average data breach costs $4 million, depending on what information gets involved, if you have personal information that gets leaked, you'll probably have lawsuits. And eventually, you'll have to pay out your customers' money for damages. And so I really wish that I could say I see it getting better. I just don't know how we get there. [00:27:00] I know right now there's a huge labor shortage in cybersecurity, something like three million jobs globally are unfilled in cyber.
I know that it's been increasing in the last year because cybersecurity is sort of gaining popularity. People are ... I think five years ago, you asked somebody, "What's cybersecurity?" They're like, "I have no idea."
Leigh Dow: And it means so many different things.
Drew Todd: The password on my phone.
Leigh Dow: There's so many different jobs in cybersecurity. [00:27:30] And even I have a few friends that work for the FBI. And the FBI has even retooled many of their agents to give them cybersecurity training and be cybersecurity focused.
Drew Todd: Yeah. I think that's a huge thing that a lot of organizations have been pushing in the last year or so, is just cyber training and awareness. A lot of people just don't know what to look for. And so the more that everybody can spread awareness [00:28:00] and train your employees, well, eventually I think the number will climb down as we get better tools to protect ourselves and our organizations. It's just right now with the labor shortage, I just don't know how it gets better sooner. I think in the long run, it will eventually get better. Ideally, in 20 years, we have great, great coding. Everybody is aware. Everybody is trained. And then we can really [00:28:30] start to limit incidents, but it's just going to take time.
Leigh Dow: So I Googled the Lapsus$ hacking group. And one of the first stories that came up, this is just perfection, mentions that Claire Tills, a senior research engineer at Tenable, describes the methods of the hacking group, Lapsus$, as bold, illogical, and poorly thought out. And as the mother of a teenage boy, if that doesn't 100% just describe what a group of 16 year old hackers [00:29:00] would be like, I don't know what does.
Drew Todd: That's perfect. That's awesome.
Leigh Dow: That's so great. So I can't thank you enough for joining us on this episode. I definitely would love to have you back to talk about some of the crypto crimes and other things like that, that are in the cyber criminal world.
Drew Todd: Oh, yeah. Oh, yeah. I've got a lot of them.
Leigh Dow: Yeah. Let's do that. Hopefully we're all more informed about cyber threats lurking out there and how to take precautions against them. Definitely [00:29:30] go check out Drew's articles with Secure World News. And if you enjoyed this podcast, please like and subscribe. We drop a new episode every Thursday.
Speaker 1: Eliminate the risk of data breaches, phishing, password theft, and replay attacks with hardened multifactor authentication cybersecurity. Password-less logins are simple and secure with uTrust FIDO2 NFC Plus Security Keys. Insert the device, [00:30:00] tap the button, and get secure access. It really is that easy. Learn more at identiv.com. We design powerful NFC enabled identity solutions that seamlessly integrate into kiosks, terminals, vending machines, slot machines, betting machines and more. Our new uTrust NFC kiosk kit features our contactless USB CCID uTrust 3525 F reader module, [00:30:30] NFC antenna, and highly customizable LED array. The kit can easily support loyalty cards and digital wallets. If you're ready to add NFC to your slot machine or kiosk, speak to an expert today at identiv.com.
Physical security, identity verification, the IOT. The hyper-connectivity of our lives will only grow more pervasive. As technology becomes more automated and experiences more augmented, it's up to us [00:31:00] to preserve our humanity and use new tools and trends for good. The only question is: Are we up for the challenge?