Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Consumers Ready for Passkeys - Once They Know About Them
A new survey conducted by password manager vendor 1Password indicates that consumers are ready for a passwordless future using passkeys - but they don't know about them.
Passkeys are built on standards from the FIDO Alliance (specifically, the Client-to-Authenticator Protocol [CTAP]) and the World Wide Web Consortium (the Web Authentication [WebAuthn] specification). This passwordless (yay!) authentication system works much like the SSH public-key authentication familiar to security professionals: during registration, the user's authenticator generates a public/private key pair for that specific site and sends only the public key to the user's new account; the private key stays on the authenticator (or, for synced passkeys, moves between the user's devices only in end-to-end encrypted form). From then on, logging in means the site sends a random challenge and the user unlocks their authenticator - on a smartphone that could be a fingerprint or face scan, so just a tap is required - after which the authenticator selects the private key registered for that site and signs the challenge together with the origin of the page that requested it. Because each key is bound to the site that registered it, a lookalike phishing domain gets no usable signature, and because the site stores no shared secret, a breach of its database yields nothing an attacker can replay.
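To make the challenge-response step concrete, here is an added example (not code from 1Password, the FIDO Alliance or the W3C) that models the WebAuthn assertion ceremony in miniature in Go, using only the standard library. The relying party ID example.com, its origin https://example.com, the P-256 key type and the lookalike domain examp1e.com are assumptions for the demonstration; the authenticator data is the real 37-byte WebAuthn prefix (SHA-256 of the RP ID, flags, signature counter) but with the counter left at zero. The signature covers authenticatorData || SHA-256(clientDataJSON), exactly as the specification requires, so the relying party can reject a phished origin, a replayed assertion or a foreign key with nothing more than the public key it stored at registration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed example: the relying party (RP) ID and its origin are assumptions.
const (
	rpID   = "example.com"
	origin = "https://example.com"
)

// clientData carries the WebAuthn CollectedClientData fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the RP's challenge bytes
	Origin    string `json:"origin"`    // set by the browser, not by the page
}

// Register is the enrolment step: generate the per-site key pair; only the public key goes to the RP.
func Register() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// authenticatorData is the fixed WebAuthn prefix: SHA-256(rpId) || flags || counter (kept at 0 here).
func authenticatorData() []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], 0x01, 0, 0, 0, 0) // flags 0x01: user present
}

// signedMessage is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(ad, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return msg[:]
}

// Assert is the authenticator's side: after unlock, sign the RP's challenge as seen from seenOrigin.
func Assert(priv *ecdsa.PrivateKey, challenge []byte, seenOrigin string) (cd, ad, sig []byte, err error) {
	cd, err = json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    seenOrigin,
	})
	if err != nil {
		return nil, nil, nil, err
	}
	ad = authenticatorData()
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	return cd, ad, sig, err
}

// NewChallenge is the RP's side: 32 random bytes remembered for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the RP's check using only the registered public key: type and origin, challenge, rpIdHash, signature.
func Verify(pub *ecdsa.PublicKey, expected, cd, ad, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Type != "webauthn.get" || c.Origin != origin {
		return fmt.Errorf("rejected type %q from origin %q (lookalike domain?)", c.Type, c.Origin)
	}
	got, err := base64.RawURLEncoding.DecodeString(c.Challenge)
	if err != nil || !bytes.Equal(got, expected) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(ad) < 37 || !bytes.Equal(ad[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(ad, cd), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	priv, err := Register()
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	cd, ad, sig, _ := Assert(priv, ch, origin)
	fmt.Println("genuine site:  ", Verify(&priv.PublicKey, ch, cd, ad, sig))
	cd, ad, sig, _ = Assert(priv, ch, "https://examp1e.com") // same passkey, phishing page
	fmt.Println("lookalike site:", Verify(&priv.PublicKey, ch, cd, ad, sig))
}
```

The point of the second call in main is the one that matters for phishing resistance: the user has done nothing wrong and the same passkey produced a perfectly valid signature, but the browser recorded the origin it actually loaded, so the genuine site refuses it. A real relying party would additionally check the signature counter for cloned authenticators and bind the challenge to the session that requested it.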
Unsurprisingly, 1Password's survey revealed that almost two out of every three people say they are open to using any new technology that will make their lives simpler. However, only one in four has heard the term 'passwordless', indicating that they are not seeing it on the web sites they use or in mainstream media coverage.
However, once shown a description and an example of passkeys in operation, 75% of respondents say they are open to using them.
Since Google, Microsoft and Apple have all announced passkey support in their browsers and operating systems, the bottleneck to adoption probably lies with web sites and the developers of the popular web development platforms they are built on. Consumers have shown a preference for federated identity management solutions where appropriate and available, and would almost certainly switch rapidly to passkeys once they are widely offered.
Uncredited, Preparing for a passwordless future, report, 18 April 2023. Available online at https://1password.com/resources/passwordless-future-report.
The Billion Dollar Scam
Following Monday's ABC Four Corners documentary on ransomware group REvil, we have stumbled across another interesting doco from a national broadcaster. In this one, BBC investigative reporter Simona Weinglass has led a wide-ranging investigation into a criminal network which is believed to have scammed more than one billion dollars through investment scams all over the world.
While Chinese gangs are notorious for running 'pig butchering' scams in SE Asia, this particular group runs a similar operation targeting European and US victims from call centers - in Kyiv until the war began, followed by a rapid relocation to Tbilisi in Georgia. Perhaps most fascinating is the way the ringleaders distance themselves from the front-line workers, behaving and appearing in almost all respects as legitimate businessmen - not to mention the regret felt by some of the call center workers when they realise their well-paying jobs are not with a legitimate investment fund, but actually a criminal organization.
Weinglass, Simona, The Billion Dollar Scam, documentary program, 14 April 2023. Available online at https://www.youtube.com/watch?embed=no&v=w6JXZ3GzSCQ.
Vastaamo CEO Given (Suspended) Jail Time
Our course attendees and regular readers will be familiar with the case of Finnish mental healthcare provider Vastaamo, which suffered a ransomware breach in September 2020, encrypting its patient records. When the company's CEO, Ville Tapio, refused to pay a ransom, the firm discovered that the attackers had also exfiltrated data, as they released sensitive patient records on a Tor network server. And when the CEO still refused to pay, the attackers turned to extorting payments from the individual patients, predictably leading to a class action.
Investigations revealed that the company's software was only minimally secured and did not comply with Finland's regulations for healthcare records systems. The CEO was terminated and the company subsequently liquidated.
On Tuesday, the Helsinki District Court handed down its judgement in a criminal prosecution of former Vastaamo CEO Ville Tapio for a data protection offence. The court found that he had not fulfilled the EU's GDPR (General Data Protection Regulation) requirements to pseudonymise and encrypt the patient data handled by the company.
The court characterised Tapio's actions as particularly reprehensible, due to both the size of the breach and the sensitivity of the information involved. In the sentencing statement, the court found that, "Taking into account the long period of time, the district court finds that this act cannot be reconciled with fines, but that Tapio must receive a prison sentence for the act". However, considering that Tapio had no previous criminal record, the court imposed a three month suspended sentence.
Tapio had claimed ignorance of the company's poor security, blaming the breach on two former IT staff. However, governance law and regulations in most jurisdictions make boards and executive management accountable for the management of cybersecurity risk, so that defence was never going to fly.
Incidentally, the alleged perpetrator of the breach, Aleksanteri Kivimäki, was apprehended back in late February and will face a range of charges in due course.
YLE News, Hacked therapy centre's ex-CEO gets 3-month suspended sentence, news report, 18 April 2023. Available online at https://yle.fi/a/74-20027665.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.