The Cyber Why: What We Read This Week...
... and why you should too! (3/8/24)
We did it! Last week, we published the first episode of The Cyber Why Pod! Creating it was super fun, and the reception has been excellent. Check out the show at the “podcast” link in the navigation bar above, or instead go directly to episode one.
This week’s TCW newsletter covers the current healthcare cyber attacks and the Blackcat exit scam making recovery difficult, the difference between quadratic and exponential growth in business terms, more OpenAI tea, hackers and lawyers abusing trust, and another Flipper Zero story. Let’s get to the news!
Premier Sponsor: Nudge Security
How to identify and investigate risky OAuth grants
OAuth grants make it incredibly easy to connect apps to share data, enable automation, and simplify workflows. However, attackers are exploiting these connections to gain access to valuable data. Learn how to decipher OAuth risks and protect your org.
Drama In The Dark Web: No Honor Among Thieves
BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare (Krebs on Security)
UnitedHealth cyberattack: US Dept. of HHS addresses fallout (Yahoo Finance)
After collecting $22 million, AlphV ransomware group stages FBI takedown (ARS Technica)
BlackCat Ransomware Group 'Seizure' Appears to Be Exit Scam (Bank Infosecurity)
Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment (Wired)
(Rick Pick) The fallout from the BlackCat - Change Healthcare extortion continues but with a new cybercriminal twist. A BlackCat/ALPHV affiliate member, "Notchy," claimed that the Ransomware-as-a-Service provider cut them out of their commission on the $22M extortion payment. In "ironic" timing, shortly after, the BlackCat dark web onion site displayed a fake law enforcement seizure notice, and the group claimed that they were shutting down and selling their ransomware source code. This move is known as an exit scam, where one group of criminals steals the commissions or funds held in escrow and "shuts down." Exit scams have been prevalent in the English-language cybercriminal underground. Dream Market is one example of this: the site admins stole $30M from its customers.
What does this mean for the good guys? Companies must not assume that just because they pay an extortion fee, their data will be decrypted or, in the case of double extortion, deleted from the criminal's infrastructure. Some ransomware groups guarantee they will delete the stolen data. It is part of their "value prop," but would you really trust them? Second, with the RaaS model, it can be challenging to distinguish between affiliates and the ransomware "mothership." Some groups could be less "trustworthy" than others. The bottom line is that paying extortion demands carries many risks, and you had better understand them before you start paying out that much cheddar.
Quadratic Vs. Exponential Growth - A Nerd’s Eye View (Lots of Math Warning!)
The Elephant in the room: The myth of exponential hypergrowth (A Smart Bear)
The Myth of Hyper-Growth: Successful Startups Follow Quadratic Hypergrowth, Not Exponential (The Venture Crew)
As a business school professor who teaches a class called “Managing the growing enterprise”, I find this piece of research super interesting. Most educators teach that the J-curve with exponential growth is how you should hope to build a high-growth business. However, this research contradicts the existence of exponential business growth over time and instead does the math to show that even the highest-growth businesses are really quadratic hypergrowth models that eventually turn linear and decline over an infinite time horizon.
There’s a lot of math (and nerd speak) in the original piece, so for those of you who want the tl;dr version, check out the second article listed above, from last week’s The Venture Crew newsletter. The result is a fantastic graphic that shows that the best businesses operate on an “elephant curve.” Over time, a series of those curves put together make up a quadratic hypergrowth model. My ongoing question is how, if at all, this impacts the venture capital model. If we don’t have exponential growth curve expectations and instead it’s elephant or, at worst, linear, does the power law of venture investing still stand the test of time? This question is worth backtesting for sure!
OpenAI Drama Continues as Email Tea Spills
OpenAI publishes Elon Musk’s emails. ‘We’re sad that it’s come to this’ (CNN)
OpenAI and Elon Musk (OpenAI Blog)
Like a moth to a flame, I am not sure why I am attracted to this type of techno drama. I can’t seem to keep myself away from the scent of the dumpster as it burns bright and hot in the cool evening air. In the latest installment of “Days of our Lives,” GenAI style, Elon Musk sued Sam Altman and the OpenAI team for an alleged breach of an agreement to make AI breakthroughs “freely available to the public” through a multibillion-dollar partnership with Microsoft. In response, the OpenAI team disclosed several emails dating back to 2018 in which Elon made financial commitments (comments?) on the order of billions of dollars and even went so far as to offer to fold OpenAI into Tesla so that Tesla could become the cash cow for the success of the supreme AI vision. Talk about some insane he-said, she-said type of shit! I think Sam, Elon, and maybe even Satya should sit down on the couch with Andy Cohen (founder of the Housewives of “X” series) and just have a good old-fashioned bitch session. Let’s get it all out so we can move on to the next season of the soap opera.
Hackers are Like Lawyers - Don’t Trust Them
Attackers are Like Lawyers (Kelly Shortridge)
Kelly is never short on commentary and great insights, and this post is no different. In this piece, Kelly compares hackers to lawyers insofar as their primary focus is to poke holes in assumptions.
Attackers are more like lawyers, searching for loopholes and alternative interpretations in our mental models that they can brandish in their favor.
Many eons ago, when I was a professional offensive security person, we called this abusing trust. I don’t think reality has changed in over three decades. Hackers look for areas where trust models can be abused. The API trusts that the request is coming from an authenticated source, the function trusts that submitted variables will not be controllable by an outside force, a pub/sub model trusts that the input will come from a sanitized data source, and more - you get the point. Hacking is all about looking for spots where trust can be abused. If this is how a lawyer treats the law, then I guess Kelly is spot on in her description yet again!
Flipper Zero Yourself a New Car!
Want to Steal a Tesla? Try Using a Flipper Zero (Gizmodo)
It’s not the most cutting-edge attack, but it’s still a quick and easy way to steal yourself a new Tesla. The attack goes like this:
Pull up to a Tesla charging location
Using a Flipper Zero, spoof the guest wifi and middleman yourself a login and password
Add yourself as an owner of the keys on their account
Steal away!
It’s not novel, but it is fun! Maybe it is a good thing that Canada banned the Flipper Zero - because it’s not like you could do this with a laptop or anything <eye roll>
Quick Hits and Hidden Gems
How Hackers Dox Doctors to Order Mountains of Oxy and Adderall (404 Media) - It seems like targeted healthcare attacks are a massive problem right now. The US is in a rough spot between the current healthcare ransomware issues and this pill mill report.
How Could Platformization Work in Cybersecurity? (Strategy of Security) - I said I wouldn’t write anymore about the “Platformization” issue as I’ve beat it silly in the last two issues and on our pod. So go read someone else’s excellent commentary instead!
Clouded Judgement 3.8.24 - 2024 Guides (Jamin Ball) - I love Jamin’s analysis. One of the best in the business. He does a weekly brain dump, and it is well worth looking at if you are into publicly traded cloud metric data.
AI Is Worse If You Think It's Someone's Fault (Unsupervised Learning) - An interesting discussion on framing and blame. Great generalized life advice and more than just another technology-based AI discussion.
Focus On CACD & LTV Than CAC & LTV (The Venture Crew) - The venture crew does it again. This time, they add the concept of time to the traditional golden ratio. CAC:LTV should not be observed without cohort-based time and customer source slices on the data.
Exploring the GitHub Advisory Database for fun and (no) profit (Acquia Blog) - For you data nerds out there, this is a good one. Dig into the open source advisory database hosted on GitHub; there are really interesting results.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!