Episode 28: September 19 2022



Patreon Lays Off Its Entire Security Team

  • September 11th (some confirmation by company on 9/13)
    • Initial story from Cyberscoop
      • several former employees have confirmed the layoffs, which occurred the previous week, and that Patreon doesn’t seem to be worried about no longer having a security team.
      • Update numbers confirmed by the company say that it was only five:
• Patreon told CyberScoop: “As part of a strategic shift of a portion of our security program, we have parted ways with five employees. The changes made this week will have no impact on our ability to continue providing a secure and safe platform for our creators and patrons.”
      • Patreon’s Senior VP of Engineering
• said the company isn’t “scaling back investing in our security programs” and would be “expanding our investment in security as we continue to grow.”
      • Spokesperson
        • “more investments mean outside partnerships, engineering expertise we’ve added in recent months to our infrastructure and payments teams, and the fact that we are hiring heavily in engineering and product development right now.”
      • Emily Metcalfe
        • One of the members let go said
          • “So for better or worse, I and the rest of the Patreon Security Team are no longer with the company. As a result I’m looking for a new Security or Privacy Engineering role and would appreciate any connections, advice, or job opportunities from folks in my network. #OpenToWork”
• Previously employed at Google, Raytheon and the MITRE Corporation
        • Company Security Teams
          • Many outsource IT Security (MSSP)
• Sometimes IT fills that gap
          • Many have nothing but wishes
          • Though not many at Patreon’s level
        • Is this something to trust?
          • “As a matter of policy, we can’t share the exact number of Patreon employees working on security but can confirm a majority of Patreon’s internal engineers working on security were not laid off,”
        • Why?
• Even if that isn’t the case here, companies usually can’t see the outward benefit of a security team.
          • Kind of like insurance
            • You don’t really understand what you pay for until something happens?

Uber Hacked

  • September 16th tweet from Uber_comms
    • “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
    • hacker didn’t access public-facing systems or user accounts
    • codebase also remains untouched
• the attacker did compromise Uber’s bug bounty program; any vulnerability reports involved have been “remediated.”
• Uber contained the hack by locking down compromised accounts, temporarily disabling tools and resetting access to services.
    • They are utilizing extra monitoring for unusual activity
    • “no evidence” the perpetrator accessed sensitive user data, such as trip histories
  • Attribution
    • Uber said the perpetrator was affiliated with Lapsus$
• they have targeted tech firms like Microsoft, Samsung and T-Mobile
      • They will also appear again in our news segments
    • Tactic
• Uber believes the attacker took advantage of a contractor’s computer
        • Likely bought the contractor’s login details on the dark web
          • after they’d been exposed through a malware-infected computer
        • Two-factor authentication initially prevented the hacker from getting in
          • Attacker just kept requesting it for over an hour
            • MFA Fatigue attacks are when a threat actor has access to corporate login credentials but is blocked from access to the account by multi-factor authentication. They then issue repeated MFA requests to the target until the victims become tired of seeing them and finally accept the notification.
• The attacker reported they used WhatsApp to pretend to be IT and told the contractor to accept it.
          • contractor accepted an authentication request
• Once in, the attacker added their machine as a trusted device
  • they logged into the internal network through the corporate VPN and began scanning the company’s intranet for sensitive information
        • hacker says they found a PowerShell script containing admin credentials for the company’s Thycotic privileged access management (PAM) platform, which was used to access the login secrets for the company’s other internal services.
        • an Uber employee said the threat actor had access to all of the company’s private vulnerability submissions on HackerOne
        • attacker downloaded all vulnerability reports before they lost access to Uber’s bug bounty program.
          • likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber.
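The MFA fatigue pattern described above (a burst of push prompts that are denied or time out, followed by one that is finally approved) is something a detection team can pick out of authentication logs. The following is an added example written for these notes, not code from Uber or from the episode; the log format (ISO timestamp, user, the word `push`, result) is assumed, and the sample lines are constructed. It flags a user who receives a threshold number of unapproved prompts inside a sliding window, and raises a higher-severity alert when an approval follows such a run.

```python
"""Flag MFA push-bombing (MFA fatigue) in a stream of push-notification events.

Added example: not from the podcast or any vendor. Log format is assumed to be
"<ISO-8601 UTC timestamp> <user> push <APPROVED|DENIED|TIMEOUT>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: contractor1 is bombed with prompts and eventually
# approves one; alice approves a single normal prompt; bob denies two prompts
# 90 minutes apart, which should not trip a 60-minute window.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z contractor1 push DENIED
2022-09-15T22:05:10Z contractor1 push TIMEOUT
2022-09-15T22:10:00Z alice push APPROVED
2022-09-15T22:12:44Z contractor1 push DENIED
2022-09-15T22:00:00Z bob push DENIED
2022-09-15T22:20:31Z contractor1 push TIMEOUT
2022-09-15T22:31:05Z contractor1 push DENIED
2022-09-15T22:38:50Z contractor1 push DENIED
2022-09-15T22:55:12Z contractor1 push APPROVED
2022-09-15T23:30:00Z bob push DENIED
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts_s, user, _, result = line.split()
    return datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), user, result


def analyze(log_text, window_seconds=3600, threshold=5):
    """Return a list of alert dicts for push bombing and approvals that follow it.

    Per user we keep the timestamps of unapproved prompts seen within the
    window. Reaching `threshold` raises "push_bombing" once per burst; an
    APPROVED event while the queue holds >= threshold prompts raises
    "approved_after_push_bombing", the case the episode describes.
    """
    window = timedelta(seconds=window_seconds)
    pending = defaultdict(deque)  # user -> timestamps of DENIED/TIMEOUT prompts
    alerts = []
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e[0],
    )
    for ts, user, result in events:
        q = pending[user]
        # Drop prompts that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "APPROVED":
            if len(q) >= threshold:
                alerts.append({"user": user, "time": ts,
                               "kind": "approved_after_push_bombing",
                               "prompts": len(q)})
            q.clear()  # an approval ends the burst either way
        else:
            q.append(ts)
            if len(q) == threshold:  # fire once, when the burst first crosses the line
                alerts.append({"user": user, "time": ts,
                               "kind": "push_bombing", "prompts": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["time"].isoformat(), alert["user"], alert["kind"], alert["prompts"])
```

The "approved after push bombing" alert is the one worth paging on: it is the moment the account is actually taken over, and the right response is to revoke the session, reset the credential and remove any device that was registered as trusted right afterwards. Number matching or similar prompt designs that require the user to type something from the login screen take away the "just tap accept" path that this attack depends on.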

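The PowerShell script with admin credentials for the PAM platform is the kind of thing a pre-commit or CI secret scan exists to catch. Below is an added example for these notes, not code from Uber or from any scanner product: a small rule-based scan of PowerShell source for hardcoded credential patterns, run over a constructed unsafe script and a constructed safe variant that reads the password from the environment at runtime. The host name and variable names are made up.

```python
"""Scan PowerShell source for hardcoded credentials.

Added example: the scripts below are constructed for illustration and do not
come from any real company. Rules are deliberately simple regexes; a real
scanner adds entropy checks and many more patterns.
"""
import re

UNSAFE_SCRIPT = """\
$pamUrl = "https://pam.example.internal"
$pamUser = "svc-backup"
$pamPassword = "Sup3rS3cret!2022"
$sec = ConvertTo-SecureString "Sup3rS3cret!2022" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)
Invoke-RestMethod -Uri "$pamUrl/api/secrets" -Credential $cred
"""

# Same workflow, but the secret is injected at run time (e.g. by the job
# runner from a vault) instead of living in the repository.
SAFE_SCRIPT = """\
$pamUrl = "https://pam.example.internal"
$pamUser = "svc-backup"
$pamPassword = $env:PAM_PASSWORD
$sec = ConvertTo-SecureString $pamPassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)
Invoke-RestMethod -Uri "$pamUrl/api/secrets" -Credential $cred
"""

RULES = [
    # $something{pass|pwd|secret|token|apikey}... = "literal"
    ("secret-assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|apikey|api_key)\w*\s*=\s*["\'][^"\']{4,}["\']',
                re.IGNORECASE)),
    # ConvertTo-SecureString "literal" ...  (a variable argument is fine)
    ("securestring-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']', re.IGNORECASE)),
    # -Password "literal" / -Secret "literal" / -Token "literal"
    ("password-parameter-literal",
     re.compile(r'-(?:Password|Secret|Token)\s+["\'][^"\']+["\']', re.IGNORECASE)),
]


def redact(match_text):
    """Replace the contents of any quoted literal so findings can be logged safely."""
    return re.sub(r'(["\'])[^"\']*\1', r'\1***\1', match_text)


def scan_script(text):
    """Return a list of {"line", "rule", "match"} findings for the given PowerShell source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule_name,
                                 "match": redact(m.group(0))})
    return findings


if __name__ == "__main__":
    for script_name, src in (("unsafe", UNSAFE_SCRIPT), ("safe", SAFE_SCRIPT)):
        hits = scan_script(src)
        print(f"{script_name}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  line {hit['line']}: {hit['rule']}: {hit['match']}")
```

Wiring this into a pre-commit hook or a CI job that fails the build on any finding keeps the secret out of the repository; the operational follow-up is to rotate any credential the scan does find, since its appearance in history means it is already exposed.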
Rockstar Hacked

  • Story still unfolding
    • 18 year old hacker (teapotuberhacker)
• allegedly breached Rockstar Games’ Slack messages, stealing over 90 videos of GTA6 footage
      • Not announced yet
      • Highly Anticipated
    • Posting the videos to GTAForums
      • fans got a look at the yet-unshared footage
        • revealing plot details, location, game mechanics, characters, and just about everything a video game developer would want to keep under wraps
      • hacker claimed responsibility for a similar security breach to the ride-sharing company Uber just a week prior.
      • hacker is also reportedly blackmailing Rockstar Games over GTA V and GTA VI’s source code
        • all of the information needed to run the game
        • anyone could produce a pirated and even modified version of the game.
        • leak could even hurt future sales of GTA VI
        • accidentally reveal trade secrets from the game?

TikTok can record what you type

• TikTok, like many apps, has a built-in browser
    • Some people assume it’s their browser
    • Having this ability is not out of the ordinary, as it lets you browse and get to the content quickly.
    • Many other apps use this…and you may not even know.
  • Researcher Felix Krause
    • tested seven apps
      • TikTok
      • Facebook
      • Facebook Messenger
      • Instagram
      • Snapchat
      • Amazon
      • Robinhood
• a few track online activity
    • only TikTok seemed to monitor keystrokes
• Krause explains that this kind of browser tracking is a deliberate action.
      • “This was an active choice the company made. This is a non-trivial engineering task. This does not happen by mistake or randomly,”
    • TikTok confirmed to Forbes
      • the features exist
• but allegedly only uses them for “debugging, troubleshooting and performance monitoring.”
      • Protection
• Don’t use the app
        • never click on links inside an app you’re using
          • copy the URL from the link and paste it into your browser
• or, if you have to open the link in the app, use the in-app browser’s “open in browser” option to hand it off to your real browser