OSS threats and more: first officer's blog - week 40

OSS threats, Hardbit's insurance attack, and more. Here are the latest stories from the fast-moving world of cyber risk.

Mike Parkin | February 27, 2023

First Officer’s log, Terrestrial date, 20230227. Officer of the Deck reporting.

By the time the ship reached [REDACTED] Colony, the consultant had finished his interviews and had isolated himself to create the report he filed with the Captain and would later file with Starfleet. While the consultant had said that he was going to be in his cabin working alone on the report, and thus wouldn’t be available, or even visible, there was a general suspicion that his interaction with Mister [REDACTED] in the maintenance space had unsettled him more than he cared to admit.

Not that any of us blamed him. She could be intimidating when her temper was riled, but as we had grown familiar with her people’s customs, incidents of miscommunication were all but forgotten. Unfortunately for the consultant, he had experienced the consequences of not bringing himself up to speed on the specifics of peaceful and productive interactions with someone from a different race, world, or culture.

On some levels, the incident reflected why our crew had taken on the kind of specialized roles we were known for: smoothing over the rough spots in communication between systems and technologies that had been sourced from multiple suppliers on multiple worlds, each built on a different paradigm. We had built a specific skill set and earned a reputation for being able to translate between systems and keep everything working smoothly, even when the original systems had little in common. It was a vital capability that a lot of planetary defense and infrastructure networks didn’t even realize they needed. At least until something went wrong and they called us in to help them get everything working together.

In a multi-world, multi-species, multi-culture organization like the Federation, that ability to work together towards a common goal was ingrained. Though not everyone always managed to live up to the ideal.

Like the consultant.

Not surprisingly, the consultant wanted to meet with the Captain in private. While the Executive Officer and several of the department heads expressed their objections, the Captain was willing to accommodate the consultant and they met for several hours in the Captain’s ready room. After which, the consultant returned to his quarters, gathered his things and promptly beamed down to the planet below. While he didn’t exactly look haunted, he did avoid certain main corridors and appeared quite conscious of his surroundings on the way to the transporter room.

Apparently, Mister [REDACTED] was somewhat concerned that she hadn’t had the chance to say goodbye and apologize for trying to fold him into a storage locker.

Shortly after the consultant beamed down to the planet, the Captain called us into his ready room to debrief us on the recommendations he’d received to help us “optimize our resources, improve efficiency, and get better performance from the crew,” a list which included moving personnel to other departments, changing team leadership structures, having some people reassigned to other commands, and several other recommendations which gathered a collective groan from the senior staff.

“How are we going to implement these recommendations, Sir?” from our XO.

“We’re not,” from the Captain.


The Captain gave us a wry smile and explained “we do not have the most glamorous role in Starfleet, but it is still vital. And this is the best crew in the fleet. I need you all here, with me, getting the job done. I’ll make a shipwide announcement shortly, but in the meantime tell your teams I’m proud of them. I’m proud of the job we do, and we’re going to keep doing it. Dismissed.”

And with that, life returned more or less to normal, and we set about preparing for our next mission.

OSS is still cool, but there are a lot of moving parts

What happened

Supply chain risks with Open-Source Software remain a concern according to recent reporting from The Register. While there are some notable advantages to using OSS in development, there are still concerns with the sometimes-fuzzy relationship between various OSS libraries and the code developed around them. There are also concerns about threat actors corrupting various repositories which house these libraries, especially the older ones that may still be in use but are no longer actively maintained.

Why it matters

With development based on OSS libraries, it’s not uncommon to have layers of dependencies that the devs don’t even recognize. Their software is based on “these” libraries, while those libraries are in turn based on other libraries, and so on, down a couple more layers. That can make it really challenging to fix all the dependent libraries when a threat actor finds an issue with the code buried three layers deep.

The Software Bill of Materials (SBOM) can help a lot with that, but only if it’s pulled together with everything in the build, and the repositories are properly documented, maintained, and secured. All of which combine to make it an operational challenge. That said, the “more eyes on the code” concept still helps OSS respond quickly and efficiently when these issues come up.
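As an added example (not code from the article or from the reporting it cites), the script below walks a constructed CycloneDX-style SBOM to find every component that transitively depends on a library buried three layers down, and flags dependency references the SBOM never declares as components, which is where an incomplete bill of materials quietly breaks the analysis. The SBOM content and component names are constructed for illustration.

```python
import json

# Constructed sample SBOM (not a real project's) in the CycloneDX 1.4 shape:
# "components" declares what was built in, "dependencies" records the edges.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app@1.0"}},
    "components": [
        {"bom-ref": "web-framework@4.2"}, {"bom-ref": "http-client@2.0"},
        {"bom-ref": "url-parser@0.9"},  # old and unmaintained, three layers down
        {"bom-ref": "logging@1.1"},
    ],
    "dependencies": [
        {"ref": "app@1.0", "dependsOn": ["web-framework@4.2", "logging@1.1"]},
        {"ref": "web-framework@4.2", "dependsOn": ["http-client@2.0"]},
        {"ref": "http-client@2.0", "dependsOn": ["url-parser@0.9", "tls-shim@3.0"]},
        {"ref": "logging@1.1", "dependsOn": []},
    ],
})

def load_graph(sbom_text):
    """Return (declared bom-refs, forward edges: ref -> set of dependsOn refs)."""
    bom = json.loads(sbom_text)
    declared = {c["bom-ref"] for c in bom.get("components", [])}
    declared.add(bom["metadata"]["component"]["bom-ref"])
    edges = {d["ref"]: set(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return declared, edges

def undeclared_refs(sbom_text):
    """Refs used as dependencies but never declared as components: the SBOM is
    incomplete, so any exposure analysis built on it is incomplete too."""
    declared, edges = load_graph(sbom_text)
    return sorted(set(edges).union(*edges.values()) - declared)

def exposed_by(sbom_text, vulnerable_ref):
    """Map every component that transitively depends on vulnerable_ref to the
    number of dependency hops between them (breadth-first over reverse edges)."""
    _, edges = load_graph(sbom_text)
    reverse = {}
    for parent, children in edges.items():
        for child in children:
            reverse.setdefault(child, set()).add(parent)
    hops, queue = {}, [(vulnerable_ref, 0)]
    while queue:
        ref, n = queue.pop(0)
        for parent in reverse.get(ref, ()):
            if parent not in hops:
                hops[parent] = n + 1
                queue.append((parent, n + 1))
    return hops
```

Running `exposed_by(SAMPLE_SBOM, "url-parser@0.9")` shows the application itself sitting three hops above the unmaintained parser, while `undeclared_refs` reports the `tls-shim@3.0` edge that nobody documented as a component.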

What they said

This one got a good amount of attention.

How much are you insured for, exactly?

What happened

Recent ransomware attacks by the HardBit group appear to consider whether the target has ransomware insurance, and make a play for the victim to work with them and pay only the maximum amount the insurance will cover. This would, in theory, increase the likelihood of the target paying up by making the insurance company the real loser.

Why it matters

We have been saying for a while that cybercriminal gangs have reached the point where, at least in terms of business models, they are hard to tell from a legitimate business. They have been evolving and maturing, and this shows as well as anything else that they are looking to maximize their returns. “Hey, c’mon, it’s covered by insurance, right?”

Threat actors are getting very, very good at the game, which makes dealing with the risk they represent more and more challenging. We can manage the risk, but we need to be aware that they’re adapting their models as quickly as we adapt our defenses.

What they said


Insurance may be at risk, but this story got plenty of coverage

War still never changes

What happened

A year into Russia’s war on Ukraine, Russian cyberattacks against Ukraine continue apace. They have ranged from misinformation and propaganda campaigns to direct attacks against infrastructure, communication, and computing resources across the country. The attacks have hit multiple sectors, and show no sign of letting up. Collateral, or intentional, damage from the attacks has been felt across Europe, Asia, and the Americas.

Why it matters

For the people of Ukraine, whose cyber-defense teams have done an extraordinary job of defending against a highly skilled, experienced, well-resourced, and well-financed opponent, cyberwarfare is just one facet of a war that has claimed many lives and done untold damage. Cyberattacks themselves rarely result in the loss of life or property destruction that the people of Ukraine face. So, for the rest of the world, the consequences are usually far less physical but can sometimes be no less real. The fallout and collateral damage from Russian cyberattacks against Ukraine have been felt across the world, from direct attacks against Ukraine’s allies to organizations that have simply wound up caught in the crossfire.

The civilian cybersecurity community has had to spend the last year dealing with the risk of a war that extends from the conventional battlefield into cyberspace, along with the usual range of cybercriminal threat actors – some of which were already supported by State resources. It doesn’t help when financial conditions make budgets tight, forcing security operations teams to manage more risk with fewer resources.

What they said

As ever, this story got a lot of people talking.
