The Cyber Why: What We Read This Week...
... and why you should too! (4/26/24)
There were WAY too many incredible stories to cover them all this week. Due to the volume, I even had to leave off half a dozen from the quick hits list. There is so much awesomeness to discuss that we’ve decided to bring a chunk of it over to The Cyber Why POD. We’re recording the latest episode of the podcast this weekend, and it is scheduled to go live on our podcast link by the end of the week! We’ll talk about the best stories of the last 30 days, including some of the big ones you see here! Remember to subscribe to The Cyber Why podcast on your favorite podcast tool (we’re on all of the good ones!). Now, onto this week’s newsletter.
This week in The Cyber Why, we cover the latest updates to the gift that keeps on giving news: the United Healthcare Group hack. We discuss the impact of the non-compete ban in the United States and take aim at building companies just to get rich. We provide a feedback loop on Iranian phishing attempts, and finally, we put a new gift on Tyler’s birthday wishlist — a flame-throwing robot dog (I want one SO BAD!). All this and more in this week’s The Cyber Why!
Sponsor The Cyber Why - Reach Nearly 5,000 Tech and Cyber Leaders TODAY!
The Cyber Why is your weekly dose of cybersecurity wit straight to your inbox. TCW tracks cyber and tech news and drama with humor you won't find anywhere else. Sponsor TCW and reach thousands of active subscribers bi-weekly. Don't be a phish, sponsor today!
CLICK HERE or email tyler dot shields at gmail.com for sponsorship specifics.
UHG Update - Admits To Having Paid Ransom
UnitedHealth Group Updates on Change Healthcare Cyberattack (United Health Group)
UnitedHealth paid ransom after massive Change Healthcare cyberattack (CBS News)
Authentication failure blamed for Change Healthcare ransomware attack (CSO)
UnitedHealth CEO to testify before US House panel on cyberattack at tech unit (Reuters)
(Rick Pick) It was a significant news week for updates on the Change Healthcare extortion attack. UnitedHealth Group (UHG) issued a press release with less-than-encouraging news on Monday. The company said that it:
"has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America."
There are over 335 million Americans, and the release substantially understates the potential implications. Later that night, a spokesperson told CBS News that the company paid a ransom ($22M) to the extortionists (ALPHV). The company revealed "$872 million in unfavorable cyber attack effects" in its release.
What would a favorable cyberattack effect be? Asking for a friend. It was also reported that "compromised credentials on an application" is how the attackers gained their initial access.
You could debate me, but this could be a top-three ransomware attack, especially considering potential future losses. It demonstrates the fragility of our interdependent systems and begs the question: where is the next Change Healthcare? What other sectors have their version of this type of target? Finally, if compromised creds on an "MFA-less" application were the initial access vector, it highlights that actors don't need esoteric zero-days to achieve their goals. Companies need to be maniacal about managing their external footprints and hardening their external services. UHG's CEO, Andrew Witty, is testifying on The Hill next week; get your popcorn ready.
I’m Now Dating Your Best Friend - HOW YA LIKE ME NOW!
U.S. bans non-compete agreements for nearly all jobs (NPR)
One of this week's hottest topics, the FTC ban on non-compete agreements in the United States, brought on a flurry of news articles, pundit commentary, and debate about whether non-compete agreements are essential to safeguard a business. In some circles (employee Slack groups specifically), the commentary was all rainbows and unicorns about how bad non-competes were: while commonly known to be unenforceable in most states, they still acted as a deterrent to changing jobs, since most companies wouldn’t hire you if you had signed a non-compete agreement, for fear of being sued by your former overlords.
In some tech founder groups, the commentary wasn’t so appreciative of the moves made by the FTC. Some founders said that if people could move freely to competition, it would make it more difficult to keep human resources and increase the cost of doing business. They also suggested that it would bring about a significant amount of IP theft and brain drain from one company to another in a similar space. In general, I don’t believe that non-competes should be allowed. However, I see the potential impact that can occur to businesses with no better way to defend themselves from nefarious individuals willing to act maliciously. Let me know how you feel about the topic in the comments below!
Founder Syndrome in Cybersecurity
In 2024, finding cybersecurity startup ideas worth pursuing is harder than many people think (Venture in Security)
(Katie pick) As Ross writes in his latest piece, “Starting a cybersecurity startup is easier than ever,” but that doesn’t mean the industry needs more startups or that founders and would-be founders are starting cyber vendor companies for the right reasons.
As I’ve written in the past (part 1; part 2), there are plenty of headwinds to founding a cybersecurity business, which Ross expertly outlines in his article. What he doesn’t touch on is what I’ll call “founder syndrome,” or the idea that “there is a gap in X aspect of security. I’ll build this widget. I’ll sell this widget. I’ll get rich and create the world’s biggest cybersecurity company.” Building a cybersecurity technology with the idea of “getting rich” rarely results in achieving the goal. You’d be better served just buying state-run lottery tickets!
Building a security company from scratch is a mighty endeavor, even for tenured founders. This piece covers many of the considerations that entrepreneurs should ask themselves—and their investors—before entering the fray. Don’t just throw caution to the wind and hang a shingle - know what you are getting yourself into.
Iranian Attackers Go Phishing
Iran Dupes US Military Contractors, Gov’t Agencies in Years-Long Cyber Campaign (Dark Reading)
(Katie pick) While the US government has been busy issuing cybersecurity guidance for public and private sectors, it seems that they, themselves, are not immune to social engineering attacks.
The federal government recently announced that “hundreds of thousands” of US business and government employees were the target of Iranian state-sponsored cyber espionage campaigns between 2016 and 2021. Four Iranian nationals were indicted but are unlikely to face any real charges due to extradition laws.
While the article claims the attackers were “clever” and “more sophisticated by a significant margin,” the tactics employed seem straightforward — masquerading as a cybersecurity services provider and asking targets to click on links. You know the rest of the story. The story's moral here isn’t “Haha, the government got tricked, too!” Instead, the moral is: We must focus on security basics that help limit attack escalation. Social engineering works and will continue to work until someone can build a solution that stops the malware from executing and stops the attackers from elevating privileges after the link has been clicked. We’re not going to stop link-clicking — we all need it for everyday, non-malicious business — so let’s look at the compensating controls. And get them right.
Tyler’s Updated Birthday Wish List
Watch: Fire-breathing robot dog that can torch anything in its path (Yahoo)
This is the thing that nightmares are made of! Robot dogs with flamethrowers on their backs. It reminds me of Austin Powers talking about “sharks with fricken LASERS on their heads!” As if that wasn’t scary enough. These little 1ft square beauties are manufactured by the US firm Throwflame, can eject fuel for up to 45 minutes, and can be purchased by the general public in the United States of Freaking America for only 7,600 British Pounds. Shooting 30-foot jets of fire, remotely controlled, and equipped with a laser sight and a built-in flashlight, this bringer of mayhem looks too good to pass up! Time to get my checkbook out! Or better yet - I’ll start a GoFundMe for my next birthday present… it’s just around the corner.
Quick Hits and Hidden Gems
Aaron Levie, CEO at Box on AI Agents Impact On Business (LinkedIn) - Aaron is one smart dude. He equates AI agents to the advent of SaaS, detailing the potential massive market impact.
Wiz CTO: “AI is probably the fastest-adopted technology in history” (Calcalist) - This time with data to back the assertion. WOW... incredible pace of change.
A world after Wiz: Emerging opportunities in cloud security (Scale VP) - While we are on the topic of Wiz. What’s a world post-Wiz look like for cybersecurity companies? Where’s the whitespace for the next crop of Israeli startups?
Is NoName the normal exit size now? (Cole Grolmus) - Lots to unpack here. Strategic products and companies can still exit but nowhere near as big as they once could. Down rounds abound!
The Wiz acquisition of Lacework makes sense (Frankly Speaking) - PHEW, at least I’m not the only one that thinks this way. I thought I was on an island here!
The Rise Of Application Security Posture Management (ASPM) Platforms (Chris Hughes) - Sorry, buddy. Let’s agree to disagree on this one. ASPM is just another token product that will get absorbed into something bigger.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!
Good effing riddance to non-compete agreements. Here in Austin, TX, I can still vividly remember basically being blackmailed into signing those in order to get a job in IT/Managed Services. Agreeing to that before working one hour at a company.
I'm fortunate in that I have a brother who is a lawyer and told me long ago that most of those agreements had very low chances of holding up in court.