Cloud-computing and retail behemoth Amazon won a legal victory today against rival Microsoft, as a federal judge agreed to order a hold on a massive federal contract Microsoft was awarded late last year.
Amazon late last year filed suit against the Trump administration over the Joint Enterprise Defense Infrastructure (JEDI) cloud-computing contract. Amazon last month asked the court to grant a temporary injunction halting any JEDI work while the case is pending, and today Judge Patricia Campbell-Smith agreed. Although the existence of the injunction is public, documents relating to the matter are presently sealed.
The JEDI contract is a $10 billion agreement to build a cloud computing and storage platform for use by the entire Department of Defense. Several firms were in the running for the deal, including Oracle and IBM. In April, the DoD narrowed the list of finalist candidates to two: Amazon’s AWS and Microsoft’s Azure. AWS was widely expected to seal the deal, so industry-watchers were surprised when Microsoft nabbed the contract in October instead.
Amazon filed suit a month later. The company argued that it didn’t just lose the contract for ordinary reasons of cost or capability but was instead sabotaged for political reasons. Microsoft’s win flowed from “improper pressure from President Donald J. Trump, who launched repeated public and behind-the-scenes attacks to steer the JEDI Contract away from AWS to harm his perceived political enemy—Jeffrey P. Bezos,” the lawsuit argued. (Bezos is the founder of Amazon and CEO as well as owner of The Washington Post.)
“While we are disappointed with the additional delay we believe that we will ultimately be able to move forward with the work to make sure those who serve our country can access the new technology they urgently require,” a Microsoft representative said in a written statement, adding that the company believes the facts will show the DoD “ran a detailed, thorough, and fair process” to award the contract.
Sean Gallagher, Ars’ own national security editor, had a stronger suggestion: “At this point, they should just cancel the whole contract.”
Numerous Visible Wireless subscribers are reporting this week that their accounts have been “hacked.” Visible is not an independent Mobile Virtual Network Operator (MVNO): it is owned by Verizon and runs on Verizon’s 5G and 4G LTE networks.
Suspicions of a data breach at Visible started Monday, when some customers noticed unauthorized purchases on their Visible accounts:
@Visible I was just hacked! They sent themselves a phone and changed my address! Urgent! How do I stop this!!!! HURRY!!
On the Visible subreddit, users reported unauthorized orders placed from their accounts, with shipping addresses that were not their own.
Social media was flooded with similar reports of customers not receiving a response from Visible for days:
Great, someone hacked my @visible account, purchased an iPhone using my PayPal, and changed the password. @visiblecare is not responding. Scammer also tricked me with spam emails in an effort to make me miss any email notifications from Visible.
Credential stuffing likely the cause of hacked accounts
In an email sent out to customers and a public announcement posted yesterday, Visible shared what could be the cause of these hacks:
“We have learned of an incident wherein information on some member accounts was changed without their authorization. We are taking protective steps to secure all impacted accounts and prevent any further unauthorized access,” said Visible in an announcement. “Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.”
The company’s wording points not to a breach of Visible’s own systems but to customer credentials obtained from a third-party leak or breached database and then replayed against Visible’s login, a practice known as credential stuffing. Stuffing only succeeds against accounts whose owners reused the same username and password elsewhere, which is why the advisory singles out password reuse. The company advises customers to reset passwords and security information and will prompt users to re-validate payment information before further purchases can be made.
But experts have cast doubt on the credential-stuffing explanation, because Visible also admitted to “technical issues” on its chat platform and was briefly unable to make any changes to customer accounts during this same week. Visible has since deleted the tweet that mentioned this.
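What that pattern looks like in authentication telemetry, as an added example written for this page rather than anything from Visible or Verizon: credential stuffing replays leaked username/password pairs, so a single source IP touches many distinct usernames, each tried roughly once, with a low but non-zero success rate. That fingerprint is different from a password brute force (one username, many tries) and from a normal user. The log format, IP addresses, usernames and thresholds below are constructed assumptions; the output is the list of accounts that a defender would force-reset and re-verify payment details on, which is exactly the remediation Visible describes.

```python
"""Credential-stuffing detection over a constructed sample of login events."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Visible data). Assumed line format:
#   "<ISO-8601 UTC timestamp> ip=<addr> user=<name> result=<success|failure>"
# 198.51.100.7 behaves like a stuffing bot: 8 usernames in 6 seconds, 2 hits.
# 203.0.113.5 is a classic brute force: one username, repeated failures.
# 192.0.2.9 is an ordinary user logging in once.
SAMPLE_LOG = """\
2021-10-11T03:00:01Z ip=198.51.100.7 user=alice result=failure
2021-10-11T03:00:02Z ip=198.51.100.7 user=bob result=success
2021-10-11T03:00:02Z ip=198.51.100.7 user=carol result=success
2021-10-11T03:00:03Z ip=198.51.100.7 user=dave result=failure
2021-10-11T03:00:04Z ip=198.51.100.7 user=erin result=failure
2021-10-11T03:00:05Z ip=198.51.100.7 user=frank result=failure
2021-10-11T03:00:06Z ip=198.51.100.7 user=grace result=failure
2021-10-11T03:00:07Z ip=198.51.100.7 user=heidi result=failure
2021-10-11T03:01:10Z ip=203.0.113.5 user=dave result=failure
2021-10-11T03:01:11Z ip=203.0.113.5 user=dave result=failure
2021-10-11T03:01:12Z ip=203.0.113.5 user=dave result=failure
2021-10-11T03:01:13Z ip=203.0.113.5 user=dave result=failure
2021-10-11T03:01:14Z ip=203.0.113.5 user=dave result=failure
2021-10-11T03:01:15Z ip=203.0.113.5 user=dave result=failure
2021-10-11T03:05:00Z ip=192.0.2.9 user=alice result=success
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one assumed-format log line into a LoginEvent."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LoginEvent(ts, kv["ip"], kv["user"], kv["result"] == "success")


def parse_log(text: str) -> list[LoginEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing(events: list[LoginEvent], window: timedelta = timedelta(minutes=5),
                    min_distinct_users: int = 5, min_spread: float = 0.8) -> dict:
    """Flag source IPs whose attempts inside any sliding window hit at least
    `min_distinct_users` different usernames with a spread (distinct users /
    attempts) of at least `min_spread`. High spread separates stuffing (many
    users, about one try each) from brute force (one user, many tries).
    Returns {ip: {"attempts", "distinct_users", "successes", "compromised"}}."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for event in events:
        by_ip[event.ip].append(event)

    flagged: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            # events from this one forward that fall inside the window
            win = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in win}
            spread = len(users) / len(win)
            if len(users) >= min_distinct_users and spread >= min_spread:
                compromised = sorted({e.user for e in win if e.success})
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "successes": len(compromised),
                    "compromised": compromised,  # accounts the bot actually got into
                }
                break  # one matching window is enough to flag the IP
    return flagged


def accounts_to_reset(flagged: dict) -> list[str]:
    """Union of accounts successfully logged into from flagged IPs: the set a
    provider would force-reset and re-verify payment information for."""
    return sorted({user for stats in flagged.values() for user in stats["compromised"]})


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, stats in hits.items():
        print(f"{ip}: {stats['distinct_users']} users over {stats['attempts']} attempts, "
              f"{stats['successes']} successes -> {stats['compromised']}")
    print("force reset:", accounts_to_reset(hits))
```

The brute-force IP is deliberately not flagged here: it is a different attack with a different response (lock or rate-limit one account), whereas a stuffing hit means the victim’s password is already known to the attacker and must be rotated on every site where it was reused.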
Did Visible know about the incident since last week?
Although a public statement from Visible arrived yesterday, the company had first acknowledged the issue on Twitter on October 8, if not earlier. Interestingly, a vague reason was provided at the time—order confirmation emails having been erroneously sent out by Visible. “We’re sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it.”
One Visible customer reacted angrily to the delay: “This response is completely irresponsible, given the fact that you are currently under attack and are aware of MANY users that have had their accounts compromised.”
One consolation for affected customers is that they will not be held liable for unauthorized charges. “If there is a mistaken charge on your account, you will not be held accountable, and the charges will be reversed,” states the company as the investigation continues.
In addition to monitoring for suspicious transactions, Visible customers impacted by the incident should change their credentials, both on Visible websites and any other websites where they have used the same credentials.
In a groundbreaking initiative announced by the Department of Justice this week, federal contractors can be sued if they fail to report a cyber attack or data breach. The newly introduced “Civil Cyber-Fraud Initiative” will use the existing False Claims Act to pursue contractors and grant recipients involved in what the DoJ calls “cybersecurity fraud.” The False Claims Act is normally the government’s tool for civil suits over false claims made to obtain federal funds or property connected with government programs.
Cyber contractors chose silence “for too long”
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” states Deputy Attorney General Lisa O. Monaco, who is pioneering the initiative. “Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The introduction of the Civil Cyber-Fraud Initiative is the “direct result” of the department’s ongoing thorough review of the cybersecurity landscape ordered by the deputy attorney general in May. The goal behind these review activities is to develop actionable recommendations that enhance and expand the DoJ’s efforts for combating cyber threats.
The launch of the Initiative aims to curb new and emerging cybersecurity threats to sensitive and critical systems by bringing together subject-matter experts from civil fraud, government procurement, and cybersecurity agencies.
The development comes at a time when cyberattacks are rampant and advanced ransomware gangs repeatedly target critical infrastructure, such as Colonial Pipeline and health care facilities.
Provisions of the act would protect whistleblowers
The Civil Cyber-Fraud Initiative will rely on the False Claims Act, also known as the “Lincoln Law,” which gives the government a litigation tool for imposing liability on those who defraud government programs.
“The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation,” explains the DoJ in a press release.
The initiative will hold entities, such as federal contractors or individuals, accountable when they put US cyber infrastructure at risk by knowingly “providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
In summary, the Initiative is designed with the following objectives in mind:
Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
Holding contractors and grantees to their commitments to protect government information and infrastructure.
Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
Improving overall cybersecurity practices that will benefit the government, private users, and the American public.
The timing of this announcement also coincides with the deputy attorney general’s creation of a “National Cryptocurrency Enforcement Team” designed to tackle complex investigations and criminal cases of cryptocurrency misuse. In particular, the team’s activities will focus on offenses committed by cryptocurrency exchanges and money-laundering operations.
What stands out, though, is that the Civil Cyber-Fraud Initiative targets only those who knowingly failed to implement required cybersecurity controls or knowingly misrepresented their cybersecurity practices. A contractor that can show it was unaware of a deficiency may escape liability, which leaves room for plausible deniability.
Equally interesting is the fact that just two days ago, Senator Elizabeth Warren and Representative Deborah Ross proposed a new bill dubbed the “Ransom Disclosure Act.” The act would require ransomware victims to disclose details of any ransom amount paid within 48 hours of payment and to divulge “any known information about the entity demanding the ransom.”
Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers’ text messages.
A filing with the Securities and Exchange Commission last week said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”
Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”
Syniverse isn’t revealing more details
When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what’s in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.
“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.
The SEC filing is a preliminary proxy statement related to a pending merger with a special purpose acquisition company that will make Syniverse a publicly traded firm. (The document was filed by M3-Brigade Acquisition II Corp., the blank-check company.) As is standard with SEC filings, the document discusses risk factors for investors, in this case including the security-related risk factors demonstrated by the Syniverse database hack.
Syniverse routes messages for 300 operators
Syniverse says its intercarrier messaging service processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn’t a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.
We asked AT&T, Verizon, and T-Mobile today whether the hacker had access to people’s text messages, and we will update this article if we get any new information.
Syniverse’s importance in SMS was highlighted in November 2019 when a server failure caused over 168,000 messages to be delivered nearly nine months late. The messages were in a queue and left undelivered when a server failed on February 14, 2019, and finally reached their recipients in November when the server was reactivated.
Syniverse says it fixed vulnerabilities
Syniverse said in the SEC filing and its statement to Ars that it reset or deactivated the credentials of all EDT customers, “even if their credentials were not impacted by the incident.”
“Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time,” the SEC filing said. Syniverse told us that it also “implemented substantial additional measures to provide increased protection to our systems and customers” in response to the incident, but did not say what those measures are.
Syniverse is apparently confident that it has everything under control but told the SEC that it could still discover more problems resulting from the breach:
Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity… While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.
Syniverse’s SEC filing was submitted on September 27 and discussed yesterday in an article in Vice’s Motherboard section. According to Vice, a “former Syniverse employee who worked on the EDT systems” said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.
Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.
“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”