Defensive Security Podcast Episode 267
Links:
https://us-cert.cisa.gov/ncas/alerts/aa22-187a
Jerry: [00:00:00] Alright, here we go. Today is Sunday, July 10th, 2022, and this is episode 267 of the Defensive Security Podcast. My name is Jerry Bell, and joining me tonight, as always, is Mr. Andrew Kellett.
Andy: Good evening, Jerry, how are you? Good, sir.
Jerry: I’m doing great. How are you doing?
Andy: I’m good, man. It’s hot and steamy in Atlanta. Tell you that much.
Jerry: Yeah. I’ve been back for a month from my beach place, and I think today’s the first day that we’ve not had a heat advisory. [00:01:00]
Andy: Yeah, that’s crazy.
Jerry: It has been brutally hot here.
Andy: Now, when you say beach place, you might have to be more specific, ’cause you’ve got, like, seven beach houses now.
Jerry: Well, the southernmost beach house. Yes.
Andy: Yeah. One is the Chateau. One’s technically a compound.
Jerry: One’s an island.
Andy: That’s... We’re going to have to probably name them, because they’re tough to keep straight.
Jerry: They definitely are. Yup.
Andy: But I, for one, appreciate your new land baroness activities, and look forward to Jerry Landia being launched and seceding from the United States.
Jerry: Hell yeah. That’s right.
Andy: I’ll start applying for citizenship whenever I can.
Jerry: Good plan. Good plan. All right, a reminder. We should probably have already said this, but the thoughts and opinions we express on the show are ours and do not represent those of our employers.
Andy: But for enough money, they could...
Jerry: Yeah. Everything is negotiable. [00:02:00] All right. A couple of really interesting stories crossed my desk recently, and the first one comes from the US Department of Justice, of all places. And the title here is “Aerojet Rocketdyne agrees to pay $9 million to resolve False Claims Act allegations of cybersecurity violations in federal government contracts.” So the story here is that there’s this act, as you could probably tell by the title, called the False Claims Act, that permits an employee of a company that does business with the US government to sue the company under the False Claims Act, claiming that the company is misrepresenting itself in the execution of its contracts. And if that [00:03:00] lawsuit is successful, the person making the allegation, basically it’s a whistleblower kind of arrangement, the person making the allegation gets a cut of the settlement. And so in this particular case, the whistleblower received $2.61 million of the $9 million.
Andy: Wow. So his company, in theory, was lying on their security controls, and he found out about it or knew about it, and was a whistleblower about it, and is getting 2.61 million.
Jerry: Correct. Correct.
Andy: Have to go check everything in my company. I’ll be right back.
Jerry: I’m guessing that his lawyers will probably take about 2 million of the 2.61, but hey, it’s still money, right?
Andy: That’s crazy. It reminds me, probably a lot of our listeners are too young for this, but the days of the Business Software Alliance, about turning in your employer for using pirated software, that you could get a cut of that, but not in the, you [00:04:00] know, seven-figure range.
Jerry: Yeah, this is really quite interesting. And what’s more interesting is that there is apparently some indication that the US government may expand the scope of this to include non-government contracts, including perhaps even public companies under the jurisdiction of the Securities and Exchange Commission. I don’t think that’s codified yet. Probably just hyperbole at this point, but holy moly. It really drives home the point that we need to do what we say and say what we do.
Andy: So what were the gaps, or what were the misses, that they said they had?
Jerry: I have done a little bit of searching around. I didn’t go through all of the details in that case. Because it was a settlement, there may not be actual details available, but I’ve not been able to find the specific details of what they were not doing.
Andy: Yeah, I did [00:05:00] go and, ’cause I was very curious about this, did do a bunch of searching and found some summaries of the case and some of the legal documentation, and it looks like, the best I was able to get into is, there was a matrix of 56 security controls, or something along those lines, don’t quote me on that, and that the company only had satisfactory coverage of five to 10 of them.
Jerry: Oh, wow.
Andy: And there was another one where they did a third-party pen test that got into the company in four hours. It looks like there were a bunch of unpatched vulnerabilities. So it’s in legalese, right? So it’s a little tough to translate into our world at times.
Andy: But I’m actually quite curious, and I might want to do some more research trying to figure out what exactly the gaps were. And I guess at the end of the day, they agreed to these things contractually and just didn’t do them.
Jerry: Correct. That’s the net of it.
Andy: This is primarily if you’re doing business with the government, the US government.
Jerry: Correct. Do you have a government contract?
Jerry: Yeah, for now. And I do think that over time, like I said, my [00:06:00] understanding is that the scope of this may increase.
Andy: I really feel like this is huge. This could open the door. I mean, because you and I both know how often those contractual obligations, and the way you answer those questions, is a little squishy.
Jerry: Yeah. Yeah. Optimistic, I think. I think optimistic might be...
Andy: That’s fair. That’s fair. But it’s also interesting trying to have federal judges navigate this very complex world. Yeah, that’s it. That’s a crazy story. We’ll see where that goes.
Jerry: So anyway, it really highlights the point about being very honest and upfront with what we’re doing. And if we commit to doing something, we need to do it.
Andy: Yeah, it just gets fuzzy when there are business deals on the back end of that answer.
Jerry: No, I completely agree.
Jerry: All right. The next story is also pretty interesting. It also comes from a US government agency. This one comes [00:07:00] from CISA, the Cybersecurity and Infrastructure Security Agency. I hate the name. I really wish they’d come up with a different name. It’s the word security way too many times. Anyway, the title here is “North Korea state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sectors.”
Jerry: From an actual threat actor standpoint, there’s not a ton of innovation here. They’re not doing anything super sophisticated that we don’t see in a lot of other campaigns, but what is most interesting is that the US government has attributed this particular campaign to North Korea. And North Korea is one of the most, perhaps the most, heavily sanctioned country in the world for the US government. And so if you, as an entity in the US, somehow support an [00:08:00] organization or a person or entity in North Korea, you can be subject to penalties from the US government. And the point here is, if you are a victim of this ransomware campaign and you pay the ransom, you may run afoul of those sanctions, and, in addition to whatever penalties you might come into as a result of the breach, you may actually run into some pretty significant additional penalties as a result of supporting the North Korean government.
Andy: Well, that is an interesting little problem, isn’t it?
Jerry: Yes, it is. Yes, it is.
Andy: What you need is a shell company to run your ransomware payment through.
Jerry: I have a feeling there is a lot of that going on in the world.
Andy: We saw some shenanigans with, like, lawyers doing it as a proxy, and using, in essence, [00:09:00] privileged communications to hide it, at least allegedly, in some previous stories we’ve covered. But that’s an interesting problem. Yeah. I can see