
Plugwalk Joe and more: first officer's blog - week 51

Plugwalk Joe, more AI security (mis)adventures, and more. Here are the biggest stories from the world of cyber risk.

Mike Parkin | May 15, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED] 

First Officer’s log, Terrestrial date 20230515. Officer of the Deck reporting.  

We arrived at Starbase [REDACTED] on schedule, and the control center directed us immediately to the maintenance space dock so they could get started on the inspections and any remediation efforts. We experienced no additional issues on the flight, so we were reasonably confident that our own engineering and systems teams had done a good job. 

Within a few hours of our arrival, after getting the ship squared away and arranging liberty call on station for the crew, the Executive and Systems officers of the USS [REDACTED] checked in to explain the issue they were asking for help with. 

According to the officers, their ship had received an upgrade to their core computing system during the last major layover. There was nothing inherently unusual about that, as Starfleet ships received upgrades off and on through their entire service lives, with the computer systems receiving frequent attention. Our own ship had gotten an upgraded memory core recently herself without incident. However, the heavy cruiser’s upgrade consisted of updated memory, more core computing power, and, most importantly, a core operating system update that included an advanced Expert System overlay.  

And that was where the problem lay. While every ship’s computer in Starfleet had expert system capabilities, they weren’t technically sentient. They could do an excellent job of interpreting verbal orders in multiple languages to “do what I mean” even when “what I say” wasn’t exactly clear. While they were known to have a bit of personality as far back as the old Constitution-class heavy cruisers, they did not possess true artificial intelligence. 

With this upgrade, however, the ship’s computer was acting oddly, at least as far as the XO and Systems officer were concerned. That was where we came in, with the XO explaining that “Honestly, you’ll just have to come see for yourself. The system works, but it is not normal.” 

So, with part of our crew on liberty call and part staying aboard to work with the station maintenance team, our integration team headed over to the [REDACTED] to see if we could help them solve their issue. 

The computer is your friend. Trust the computer 

What happened 

Generative AI has become a major topic of discussion with numerous implications for organizations and individuals, with a range of expected impacts. Much of the conversation has been focused on technical aspects and how generative AI will change how security tools are designed. However, there are additional concerns about how these new tools will affect the individuals working in, or entering, the profession.  

Why it matters 

I, for one, am not especially worried about our impending AI overlords. Mostly because there will always be a place for the Organic element in the cyber security stack. That, and I’ll probably be ready to retire before AI matures enough to render us obsolete. That said, there are going to be changes in the cyber security landscape as both attackers and defenders adopt more and more generative AI. 

There is a real place for it in risk management, first-tier support, and as expert systems. That means getting used to working with it and learning how to get the most out of it will become valuable skills. 

What they said 

There’s been plenty of good old-fashioned human-generated coverage of this story.

Do the crime, do the time. Plugwalk Joe extradited

What happened 

Joseph James O’Connor, also known as PlugwalkJoe, has been extradited from Spain to the United States to face criminal charges related to the July 2020 Twitter “hack.” In that incident, threat actors compromised over 100 high-profile Twitter accounts and used them to push a cryptocurrency scam. Plugwalk Joe will face multiple charges stemming from this and other attacks. 

Why it matters 

It is good to see a cybercriminal like Plugwalk Joe brought to trial and, perhaps, convicted of his crimes and appropriately punished. However, these trials, and even convictions, do little to deter cybercriminal activity in general and do virtually nothing to impede cybercriminals who operate from regions that are not going to cooperate with legal authorities in the West. I don’t need to say what countries I’m referring to here, do I? 

These investigations and prosecutions need to happen. But they are expensive and time-consuming and, while they may fill our need for justice, the return on investment isn’t especially good. It seems that the resources would be better spent preventing these incidents in the first place, by investing in better training, tools, and processes. What’s the phrase? “An ounce of prevention is worth a pound of cure.” 

Yeah. That. 

What they said 


Crime doesn’t pay, but the stories about Plugwalk Joe are certainly selling. Here’s what people are saying

They just keep evolving 

What happened 

There is strong evidence that threat actors are continuing to target ESXi servers, and the leak of the Babuk malware source code in 2021 has only compounded the problem. Recent research has shown that current threat actors are using malware bearing a strong resemblance to the leaked Babuk code, indicating that other malware developers have adopted and continued to evolve those strains. 

Why it matters 

The Babuk code leak was a mixed blessing for the cyber security community. On the one hand, we got to see the code and learn exactly how the malware worked, which makes defending against it much easier. On the other hand, other threat actors can now fork the code to their hearts’ content, and we’ll be dealing with new variants ad nauseam for quite a while. 

The thing is that interrelationships between malware strains are nothing new. Malware developers change teams, sell, share, or steal code from one another, and otherwise spread the love, so to speak, among themselves. While some specific relationships may be unexpected, seeing code mingling between groups shouldn’t be a real surprise to anyone. 

Ultimately, something like this increases the external risk; it doesn’t really alter the attack surface or how we manage the risk. It still comes down to timely patches, safe configurations, and training the user base on how not to be a victim. 

What they said 

This one got plenty of attention
