Cyber hiring woes, biometric threats and a check-in with the IT Army

The White House in Washington, D.C. Victoria Pickering/Flickr

Welcome to Changelog for 7/24/22, published by Synack! It was a blisteringly hot week for many of us across the U.S. — I’ve hardly ventured outside lately in Washington, D.C., where Mayor Muriel Bowser has declared a heat emergency through Monday. I’m jealous of my colleagues in San Francisco who were able to beat the heat with their secret weapon: Fog. Here’s your news roundup:

 

The payload

Last Tuesday, the White House hosted a National Cyber Workforce and Education Summit billed as a “call to action” to fill 700,000 open cybersecurity jobs in America.

National Cyber Director Chris Inglis kicked off the event with some cyber talent real talk: “We’re not in a good place.” He was speaking before a group of security officials and executives that included Cybersecurity and Infrastructure Security Agency Director Jen Easterly and former CrowdStrike CTO Dmitri Alperovitch.

“But the difference between good and not good in this particular dimension of cyberspace is not fate, it’s a choice,” Inglis continued. “We can choose to go to a different place, but we have to intentionally make that choice; we have to be willing to make the investments necessary to go to that place.”

To that end, more than a dozen private sector organizations made cyber workforce announcements or offered new skill development opportunities in connection with the event. Most notable: A Cyber Talent Hub backed by big-name companies like Mandiant and universities including NYU and the University of Chicago.

The hub’s goal is to allow job hunters to train on specific skills cybersecurity employers are seeking out, as the Wall Street Journal reported. The idea is to build a pipeline of qualified candidates who don’t need traditional four-year degrees but can demonstrate the ability to switch into a cyber career.

The Biden administration’s attention to the issue is laudable. But if the White House’s estimate of 700,000 job openings is to be believed, that’s more than the U.S. Postal Service’s entire workforce (including rural, part-time mail carriers). The spate of announcements last week may just be a drop in the bucket.

The week, compiled

The Transportation Security Administration, the agency I associate with needing to chug water at airports, is also the federal government’s steward of pipeline cybersecurity.

In the wake of the Colonial Pipeline hack, which disrupted fuel supplies to the East Coast for several days, TSA came under pressure to tighten cybersecurity rules for midstream oil and gas companies. The agency issued a security directive to mandate cyber incident reporting within hours and ensure someone at pipeline companies is always on call in case of emergencies, among other steps.

Part of the Trans-Alaska Pipeline System oil conduit is pictured. Rickz/Flickr

Since May, TSA has relaxed some of those rules through new requirements based on “significant collaboration between TSA and the oil and natural gas pipeline industry,” per an agency statement. Companies now have a longer window of 24 hours to report incidents, as the Wall Street Journal reported last month. And another updated directive issued last week means that pipeline owners have more flexibility when it comes to the technologies they choose to segment operational and business networks, implement access controls and mitigate risks posed by unpatched systems.

Here’s what else played out last week:

README: As Congress advances a surprise data privacy bill, Payal Dhar checked up on cyberthreats to biometric data. Though widely considered to be more secure and convenient than passwords, authentication methods like fingerprints and face scans carry unique cyber risks that can’t be ignored.

Palo Alto Networks: Perhaps inspired by the incredible imagery coming out of the James Webb telescope, cybersecurity firm Palo Alto Networks looked to the stars as it overhauled naming conventions for cyberthreat groups. For instance, under the new rules, “Scorpius” (like the constellation) signals a non-nation-state ransomware group.

TechCrunch: “Encrypted” video calling and messaging app JusTalk, which boasts over 20 million global users, has left a massive cache of internal data including phone numbers, call records and millions of user messages accessible online.

Bleeping Computer: Microsoft officially, finally, really-for-real-this-time blocked macros by default in Office downloads after weeks of back-and-forth, cutting off a popular attack path for malicious hackers.

A message from Synack

In today’s threat landscape, everyone agrees “it’s a jungle out there.” At Black Hat, Synack will share our cybersecurity expertise to help attendees survive this jungle. Visit us in booth #2328, where we’ll serve jungle juice in the tiki bar and host other events in our penthouse suite. You’ll gain a deeper perspective on adversary tradecraft from our live cyber talks in the Synack Cave, featuring experts from our elite Synack Red Team. Learn more here.

Flash memory

Cybersecurity jargon is ubiquitous: From CVEs to cryptojacking, there are countless terms that would be hard to decipher for anyone outside the industry.

I took a look back at some tech jargon from 1998, when the New York Times reported on Microsoft’s “Microspeak.”


Some terms, like “ping” for, well, pinging a colleague, have since gone mainstream. Others are unique to the era: “BOOP,” for “Bill and the Office of the President,” referring to Bill Gates and three top execs. Still others have been replaced: “Gronk” nowadays would be much more likely to refer to the famous football player than the noise a computer makes when it’s chirping through bandwidth issues.

My personal favorite: “Zero-bug release — Not, as you might suspect, a version of a software product that’s error-free, but a release with the major bugs eliminated, retaining plenty of less significant problems.”

Local files

Vice: Motherboard reporter Lorenzo Franceschi-Bicchierai checked in with the IT Army of Ukraine, chronicling the exploits of a group that exists at the murky intersection of vigilantism, geopolitics and hacktivism. “Ukraine’s cyber capabilities seem to largely be made up of volunteers, and their mandate is to do whatever they possibly can as part of a large, decentralized organization,” Franceschi-Bicchierai wrote. (For now, that’s largely consisted of DDoS attacks on Russian targets.)

CNN: North Korean government-backed hackers saw $500,000 drained from their coffers after a successful cryptocurrency tracking campaign led by the U.S. Justice Department. The hacking group in question hit a medical organization in Kansas last year.

Off-script

American runner Sydney McLaughlin absolutely smashed the 400-meter hurdles world record Friday at the World Athletics Championships in Oregon, running the race in an astonishing 50.68 seconds. (That’s faster than a few of the athletes competing in the 400-meter event without hurdles.)

The 22-year-old New Jersey native hasn’t lost a 400-meter hurdles competition since 2019. Her standout performance at Worlds this year has cemented her legacy as a track and field legend.

And if that isn’t enough record-shattering news for you, don’t miss Noah Lyles’ 19:31 200-meter sprint last week, which broke an American record that had stood since 1996.

Congrats to all the incredible athletes who competed in Worlds, which ends today!

Sydney McLaughlin competes in the Molloy Stanner Games in 2017. Stephen Pisano/Wikimedia Commons

That’s all for now — please send tips, feedback and running shoe recommendations to bsobczak@synack.com. See you in a week!