1. Joe Sullivan and Uber Breach
This story was a huge talking point, with widely varying opinions on the consequences of the case. One sure thing is that it changed how CISOs handle incidents going forward. Here is the breakdown of the story and why it mattered to so many practitioners.
The breach took place in 2016, but Uber only disclosed it publicly a year later.
Uber’s revelations sparked several federal and state inquiries. In September 2018, Uber paid $148m to settle claims by all 50 US states and Washington DC that it was too slow to disclose the breach. The following year, the two criminals involved in the breach pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program.
The Justice Department filed criminal charges against CISO Joe Sullivan in 2020. Prosecutors alleged that he arranged to pay the hackers $100,000 in bitcoin, had them sign nondisclosure agreements that falsely stated they had not stolen data, and did not comply with the FTC consent order from 2014.
Sullivan was also accused of withholding information from Uber officials who could have disclosed the breach to the FTC, which had been evaluating the San Francisco-based company’s data security following a 2014 breach. A San Francisco jury found Sullivan, Uber’s former chief security officer, guilty of criminal obstruction for failing to report the 2016 cybersecurity incident to authorities. Sullivan, who was fired from Uber in 2017, was found guilty on counts of obstruction of justice and deliberate concealment of a felony.
2. Okta/LastPass Breaches
2022 will forever be the year of identity, the year the focus shifted from the endpoint to the password. Both Okta and LastPass spent the year dealing with multiple security incidents and breaches, culminating in Okta source code being stolen and LastPass’s encrypted customer vaults being copied by criminals.
Okta January 2022:
We have concluded our investigation into the January 2022 compromise of our third-party vendor. At the outset of our investigation, we focused on a five-day window of time, between January 16 and 21, when the third-party forensic firm, engaged by our vendor Sitel, indicated that the threat actor had access to their environment. Based on that window of time, we determined that the maximum potential impact of the incident was 366 Okta customers whose tenants were accessed by any Sitel customer support engineer within that time.
As a result of the thorough investigation of our internal security experts, as well as a globally recognized cybersecurity firm whom we engaged to produce a forensic report, we are now able to conclude that the impact of the incident was significantly less than the maximum potential impact Okta initially shared on March 22, 2022.
The threat actor actively controlled a single workstation, used by a Sitel support engineer, with access to Okta resources.
Control lasted for 25 consecutive minutes on January 21, 2022.
During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.
The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support “impersonation” events.
The threat actor was unable to authenticate directly to any Okta accounts.
Okta experienced a second compromise in August, when it was targeted by another hacking campaign that breached more than 100 organizations, including Twilio and DoorDash. The impact on Okta was not as big as that of the other two incidents of the year.
Okta has confirmed that it’s responding to another major security incident after a hacker accessed its source code following a breach of its GitHub repositories. The identity and authentication giant said in a statement on Wednesday that it was informed by GitHub about “suspicious access” to its code repositories earlier this month. Okta has since concluded that hackers used this malicious access to copy code repositories associated with Workforce Identity Cloud (WIC), the organization’s enterprise-facing security solution. “As soon as Okta learned of the possible suspicious access, we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications,” Okta said in a statement.
For LastPass, the story is complex and really started in August, when LastPass reported a security breach. At the time, the scope of the breach did not seem as bad as it could have been: LastPass reported that customer information was accessed but passwords were not compromised. That held until several weeks ago, when LastPass reported that customer vaults had been copied and are now at risk.
3. Apple Zero Days
Before 2022, Apple’s operating systems were considered among the most secure in the world, and breaching an Apple device was considered a specialty. Then news broke of Pegasus, by NSO Group, exploiting an Apple zero-day and being used by governments all over the world. Over the last year Apple has had several zero-days impacting its operating systems.
Apple had 10 zero-days this year impacting its operating systems, including:
· February 2022: CVE-2022-22620
· May 2022: CVE-2022-22675
· August 2022: CVE-2022-32894
· September 2022: CVE-2022-32917
· October 2022: CVE-2022-42827
4. Mudge Whistleblower
Peiter Zatko, better known as Mudge in our community, turned whistleblower after his short tenure as the CISO of Twitter. In September, Mudge testified before the Senate Judiciary Committee about the lack of controls at Twitter. The Twitter Files released by Matt Taibbi and Bari Weiss over the last several weeks only reinforce Mudge’s account of the vast misconduct by Twitter’s leadership.
This was shocking and groundbreaking. Mudge testified that "Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors, the company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people."
Furthermore, Zatko painted a portrait of a company plagued by widespread security issues and unable to control the data it collects. Calm and measured, he stuck closely to his expertise, unpacking technical details of Twitter's systems with real-world examples of how information held by the company could be misused.
5. China & TikTok
2022 was the year China took the front seat across many nations for the real risk it poses to nations, organizations, and human rights. The popular app TikTok was in the headlines several times this year after it was disclosed that TikTok had violated privacy laws by allowing its China-based parent company, ByteDance, to access the data of users in the EU and US.
Also, recent White House actions and moves by other global economic powers have now banned Huawei, ZTE and other China-based technologies from telecom networks and government systems. The pressure on China and its large cybersecurity army has to be the geopolitical highlight of 2022. A collective approach to handling the threats from China is going to be needed even more. China’s moves toward Taiwan and the threat to the digital supply chain will be front and center.
Other notable stories of 2022:
· Cryptocurrency heists
· Supply chain risks