
Friday Five 8/13

by Chris Brook on Friday August 13, 2021


SBOMs, the biggest cryptocurrency theft in history, and the push for a 72 hour data breach disclosure window - catch up on the week's infosec news with the Friday Five!

1. Easy, Moderate and Hard SBOM Wins by Dale Peterson

There’s been a lot of chatter about SBOMs, or Software Bills of Materials, lately, really ever since the details of last year’s SolarWinds supply chain compromise came to light. For the uninitiated, an SBOM is essentially a recipe for software: an itemized list of the components (libraries, packages and their versions) that make up an application. NTIA’s website has a good primer if you’re interested in learning more. There’s some actionable advice in this week’s newsletter from Digital Bond’s Dale Peterson, including what to expect, and what not to expect, when you request and review an SBOM. When it comes to industrial control systems and risk mitigation, separating the signal from the noise is critical when managing SBOMs: an SBOM tells you which components you are running, not which of the advisories against them actually matter for your deployment. As Peterson notes, “Patch everything and often is not helpful. Asset owners need to understand what security patches should be prioritized.”

Read more
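As an added example (not from Peterson’s newsletter, and not code from any SBOM tool), here is the kind of check a reviewer runs once an SBOM is in hand: parse a minimal CycloneDX 1.4 JSON document, match each component by its Package URL (purl) against an advisory list, and rank the hits by known exploitation and CVSS score so the patch list starts with what matters. The SBOM, the advisory records and their ADV-xxxx identifiers are constructed sample data, not real products or real CVEs.

```python
"""Added example: triage a CycloneDX SBOM against an advisory list.
All data below (SBOM, advisories, ADV-xxxx IDs) is constructed."""
import json
import re

# Constructed CycloneDX 1.4 SBOM for a fictional ICS gateway application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application",
                             "name": "plc-gateway", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "ics-protocol-lib", "version": "2.4.0",
     "purl": "pkg:maven/com.example/ics-protocol-lib@2.4.0?type=jar"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "pyserial", "version": "3.5",
     "purl": "pkg:pypi/pyserial@3.5"},
    {"type": "library", "name": "modbus-stack", "version": "0.9.3"}
  ]
}
"""

# Constructed advisories (fictional IDs, not real CVEs); affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "type": "generic", "namespace": None, "name": "openssl",
     "introduced": "1.1.1", "fixed": "1.1.1l", "cvss": 7.5, "known_exploited": False},
    {"id": "ADV-0002", "type": "maven", "namespace": "com.example", "name": "ics-protocol-lib",
     "introduced": "2.0.0", "fixed": "2.4.1", "cvss": 9.8, "known_exploited": True},
    {"id": "ADV-0003", "type": "generic", "namespace": None, "name": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.11", "cvss": 5.3, "known_exploited": False},
    {"id": "ADV-0004", "type": "generic", "namespace": None, "name": "modbus-stack",
     "introduced": "0.9.0", "fixed": "0.9.4", "cvss": 6.5, "known_exploited": False},
]


def version_key(version):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions compare as tuples.
    Assumes dotted numeric parts with an optional OpenSSL-style letter suffix."""
    key = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", part)
        if m is None:
            raise ValueError(f"unsupported version string: {version!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def parse_purl(purl):
    """Minimal Package URL parser: pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    path, _, rest = purl[4:].partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    parts = path.split("/")
    return {"type": parts[0], "namespace": "/".join(parts[1:-1]) or None,
            "name": parts[-1], "version": version}


def find_affected(sbom, advisories):
    """One hit per (component, advisory) pair whose version is in the affected range.
    A component without a purl is matched on name alone and flagged as unverified."""
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("purl"):
            ident = parse_purl(comp["purl"])
        else:
            ident = {"type": None, "namespace": None,
                     "name": comp["name"], "version": comp["version"]}
        if not ident["version"]:
            continue  # nothing to compare against
        for adv in advisories:
            if adv["name"] != ident["name"]:
                continue
            if ident["type"] is not None and (
                (adv["type"], adv["namespace"]) != (ident["type"], ident["namespace"])
            ):
                continue
            v = version_key(ident["version"])
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                hits.append({"component": ident["name"], "version": ident["version"],
                             "advisory": adv["id"], "cvss": adv["cvss"],
                             "known_exploited": adv["known_exploited"],
                             "fix_version": adv["fixed"],
                             "identity_confirmed": ident["type"] is not None})
    return hits


def prioritize(hits):
    """Known-exploited issues first, then highest CVSS base score first."""
    return sorted(hits, key=lambda h: (h["known_exploited"], h["cvss"]), reverse=True)


def triage(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    return prioritize(find_affected(json.loads(sbom_json), advisories))


if __name__ == "__main__":
    for h in triage():
        flag = "" if h["identity_confirmed"] else "  (no purl: name-only match, verify)"
        print(f"{h['advisory']}  {h['component']} {h['version']} -> {h['fix_version']}  "
              f"CVSS {h['cvss']}  exploited={h['known_exploited']}{flag}")
```

Two things this surfaces that the paragraph only hints at. First, zlib 1.2.11 produces no hit because the advisory’s fixed version is exactly 1.2.11, so the range boundary is doing real work; in practice you would pull ranges from a vulnerability database (NVD, OSV) and use each ecosystem’s own version semantics rather than the simple tuple comparison assumed here. Second, the component with no purl can only be matched by name, which is the “what not to expect” point: an SBOM entry without a stable identifier cannot be reliably tied to an advisory, and that gap is something to raise with the vendor.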

2. Explainer: How hackers stole and returned $600 mln in tokens from Poly Network by Gertrude Chavez-Dreyfuss and Michelle Price

This was quite the rollercoaster if you followed along this week. Earlier this week, in what was dubbed the biggest cryptocurrency theft in history, attackers made off with roughly $600 million in tokens from Poly Network, a cross-chain decentralized finance platform, after exploiting a vulnerability in its smart contracts. Maybe you first heard about the story when Poly Network posted a letter on Twitter addressed to the attacker: “The money you stole are from tens of thousands of crypto community members... you should talk to us to work out a solution.” That was Tuesday. Jump ahead a day to Wednesday and the money began making its way back to the service; nearly $600 million has since been returned by the attackers. This Reuters piece does a good job recapping the story. Another story, in CNBC, reports that the hacker claimed to have stolen the funds “for fun” and that Poly Network purportedly offered a $500,000 bounty for sending the money back.

Read more

3. Businesses Push to Shape Federal Rules for Disclosing Hacks by David Uberti

Every state, along with the District of Columbia, Puerto Rico, and the Virgin Islands, has legislation on the books requiring notification of security breaches involving personal information; what varies is how long an organization has between discovering a breach and disclosing it. Now, hoping to get provisions of a bill included in next year’s defense spending package, companies are joining forces to push for a 72-hour window for reporting incidents, two days longer than the 24-hour window a Senate bill is proposing, the Wall Street Journal reported this week. The group, the Information Technology Industry Council, represents large technology companies, Amazon, Google, and Oracle among them. It will certainly be interesting to see how the bill, which is being drafted by the House Homeland Security Committee, competes with the Senate’s Cyber Incident Notification Act of 2021, introduced last month. In case you missed it, that bill would require federal agencies and certain companies to report intrusions within 24 hours, with fines of up to 0.5% of the previous year’s revenue for each day they fail to report.

Read more

4. Data breach at US waste management firm exposes employees’ healthcare details by Emma Woolacott

News on what sounds like a potentially damaging breach at Waste Management Resources, which is dealing with the fallout from an incident back in January. According to PortSwigger’s The Daily Swig, which wrote about the incident this week, an attacker was able to infiltrate the company’s systems and access healthcare data belonging to employees who submitted claims to their insurance plan. It’s the list of data accessed that’s especially dizzying: Social Security numbers, taxpayer identification numbers, government and state ID numbers, driver’s license numbers, dates of birth, bank account numbers, debit and credit card numbers, staff members’ and dependents’ medical history and treatment information, health insurance information, passport numbers, and usernames, email addresses, and passwords for financial electronic accounts. Unfortunately, the company didn’t discover the breach until June 21, a full five months after it happened.

Read more

5. SynAck ransomware releases decryption keys after El_Cometa rebrand by Lawrence Abrams

With ransomware, it seems so rare that there’s good news that you have to celebrate the small victories. Anyone who had their files locked by the SynAck ransomware will likely agree this week: the group released the master decryption keys for the ransomware, 16 in total, along with instructions on how to use them. If you’ve been patient – the ransomware was primarily active in August and September 2017, according to Bleeping Computer – you can now decrypt your data. As with any keys or tooling released by a criminal group, test them on copies of encrypted files first rather than on the only remaining originals. The change of heart comes as the group undergoes a rebrand; at the end of July it changed its name to El_Cometa and shifted its operation to a ransomware-as-a-service model.

Read more

Tags:  Ransomware Data Breaches Government hacks Cryptocurrency
