Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

International Counter Ransomware Summit

The White House has brought together over 35 countries, the EU and multiple private sector firms for a two-day summit to discuss how best to counter ransomware attacks. US Government officials attending included FBI Director Christopher Wray, national security adviser Jake Sullivan, Deputy Treasury Secretary Wally Adeyemo and Deputy Secretary of State Wendy Sherman.

The administration was prompted to act by the increasing level of ransomware activity, citing recent high-profile attacks such as that on the LA Unified School District. The situation is doubtless being exacerbated by the amount of money being paid to ransomware operators, which allows them to buy and develop 0day exploits, which will, in turn, lead to even more money being paid, etc.

While the summit will focus on improving system reslilence and developing techniques to disrupt threat actors' activities, I dare say the idea of legislation to ban the payment of ransoms will be a hot topic.

Uncredited, White House invites dozens of nations for ransomware summit, news report, 31 October 2022. Available online at https://apnews.com/article/technology-european-union-business-christopher-wray-wally-adeyemo-aff98eba1c7470f9b0128c882971547d.

EdTech Company Chegg Earns Wrath of Federal Trade Commission

For many years, student-focused web site Chegg has been the bane of academics, with its support for sharing of exam questions, class assignments and solutions, etc. The growth of this and similar sites have forced educators to produce completely new exam papers and assignments each year, a heavy workload.

Now comes news that Chegg itself has let its users down, suffering multiple breaches over the last five years and exposing the personal data of millions of students. According to a complaint before the Federal Trade Commission, Chegg's scholarship search service collects sensitive personal information from its users, including 'religious denomination, heritage, date of birth, parents' income range, sexual orientation and disabilities', as well as videos of tutoring sessions that included users' images and voices.

This data is stored in AWS S3 buckets, which Chegg allegedly has failed to reasonably secure. The FTC complaint documents four breaches over a three-year period; in one case, the use of a single AWS access key that provided full administrative privileges over all data allowed a former contractor to access the data of millions of users which was later found for sale online. This dump included plaintext (!) passwords for 25 million accounts.

Other breaches, primarily via phishing attacks, gave access to both student and employee data which again was found for sale online. (I dare say some universities would be keen buyers, as they investigate cases of alleged plagiarism!)

Khan, Lina M., et. al., Complaint In the Matter of CHEGG, INC., a corporation, FTC Complaint docket 202-3151, October 2022. Available online at https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf.

News for CISSP's

(ISC)² Board Election Opens With Dubious Ballot Form

The election for the (ISC)² Board has opened today with an online voting form which provides the five candidates put forward by the current Board for the five open positions - in other words, not much of an election at all.

As regular readers will be aware, an alternate slate of five candidates is standing as write-in candidates (I have reprinted their information below). However, the online ballot form provides only one position for a write-in candidate; in the opinion of many members, a fair form would provide as many write-in slots as there are open positions.

Many members are irate; some are voting but writing in multiple candidates in the one field (which will possibly not be counted as a valid vote), while others are complaining to Member Services. Others are considering legal action, and at least one request for investigation of the organization's non-profit status has been raised with the IRS.

Overall, the mood is that the election should be cancelled and only restarted once the ballot form has been fixed to comply with the requirement to allow for multiple write-in candidates as stated in section IV.8 of the Bylaws. (ISC)² is unlikely to comply.

Alternative Slate for Upcoming (ISC)² Election

As those certified by (ISC)² should know by now, the election for the upcoming vacancies on the Board of the organization will open on 1 November. As previously discussed, the current Board has nominated only five candidates for the five vacancies - a move that renders the election moot - as well as proposing a set of contentious changes to the By-Laws which will further disenfranchise the membership.

Several members who had nominated for Board positions - some of them with previous experience and, more to the point, continued engagement with the members - have asked the voting members to consider them as write-in candidates. With the assistance of Stephen Mencik (one of those stepping forward) I have assembled the following information:

Here are the members asking for your support - and, I would suggest, offering you theirs:

• Wim Remes - Belgium - member number 97080
• Stephen Mencik - US - member number 10288
• Richard Nealon - Republic of Ireland - member number 4205
• Sami O. Koskinen - Finland - member number 54813
• Diana-Lynn Contesti - Canada - member number 5053

For those interested in more information about the five people asking for your write-in votes, here are their information pages:

• For Stephen Mencik - https://sites.google.com/view/smm-petition

The above site was used in an attempt to gain enough petitions to get on the ballot via that route. There are links to his resume and to the skillset questions and answers from the nomination process, and letters of recommendation. Mr. Mencik is ISC2 Member number 10288 and holds CISSP-ISSAP, ISSEP. Mr. Mencik also did most of the work on the counter-proposals for by-laws found at https://jsweb.net/isc2.

• For Diana-Lyn Contesti - https://sites.google.com/site/dlcpetitionboard/home

This site was used by Ms. Contesti in an attempt to gain enough petitions to get on the ballot. It contains a summary of her qualifications. Ms. Contesti is ISC2 member number 5053 and holds CISSP-ISSAP, ISSMP, CSSLP, SSCP.

• For Wim Remes - https://www.be-represented.org/

This site was used by Mr. Remes in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Remes is ISC2 member number 97080 and holds CISSP.

• For Richard Nealon - https://sites.google.com/view/RN-petition-isc2-board

This site was used by Mr. Nealon in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Nealon is ISC2 member number 4205 and holds CISSP-ISSMP, SSCP.

• For Sami O. Koskinen - http://www.linkedin.com/in/sami-koskinen-429624

The link is to Mr. Koskinen's Linked profile, which gives a summary of his qualifications. Mr. Koskinen is ISC2 member number 54813 and holds CISSP-ISSMP.

I would urge all those entitled to vote to visit the pages above and consider carefully before voting.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.