Newsletter
12.07.2021 | 10-minute read
10 things you’ll be bombarded with at RSA 2022
This edition of the newsletter is presented by Process Unity and SecurityWeek.
- The most-clicked link from last week’s newsletter was Dark Reading’s eulogy for its late founding editor, Tim Wilson.
- Next Wednesday (Dec 15), I’ll be speaking at this SecurityWeek webinar on aligning internal cybersecurity practices with external third-party risk management. Register here.
Monday blues.
The RSA Conference program committee has released a scannable e-book on topics and trends observed during this year’s CFP. It’s a good early warning about the marketing hype and thought-leadering we’ll see at the conference next February. Set your filters accordingly 😉
The top-ten things that bubbled up:
- What on earth is zero-trust? “Debate ensued within the Program Committee as we grappled with where we are on the maturity curve, what problems can be uniquely served with a Zero Trust approach, and what, really, Zero Trust even is, despite the fact that the US Federal Government has been talking about “it” since 2009.”
- Ripple effects of the SBOM. “Submissions explored the challenges SBOM creates, concerns around application lifecycle management, the legalities of what it means when partner code fails, and the challenges to really maintaining code, be it commercial or open-source.”
- Supply chain challenges. “Submitters explored the challenges relative to NPOs and SMBs in the supply chain and exposure points they can create, as well as providing firsthand accounts of experiences and legal, governance and fiduciary challenges introduced by cyber-insurance policies related to the “pay or not” question.”
- Passwordless breaks through. “Submissions seemed to push past just MFA conversations and explored sustainable operations, interoperability and legacy challenges, and attack vectors and issues specific to passwordless approaches.”
- Back to the basics. “We observed an increase in submissions focused on starting security programs from scratch and the first 90 days in the CISO seat.”
- The ever-expanding cloud. “The maturation of submissions this year was significant, with sessions that explored new threat modeling approaches along with a call to action for a common vulnerability database, governance challenges, cloud-focused attacks with systemic consequences, and long-kept secrets from CSPs emerging.”
- Artificial intelligence and machine learning. “We saw more submissions around ethics and detecting algorithmic bias, along with guidance on how and when to call BS if you’re not a data scientist.”
- Risk takes center stage. “Third-party risk was a key theme, as was the impact of privacy considerations, as proposals put forward concrete studies with tangible takeaways, KPIs and metrics tied to business outcomes.”
- What do I really want to be when I grow up? “We had a myriad of submissions with guidance on how to transition into consulting, being a board member, writing a book, being a CISO, being an advocate…”
- There’s a framework for that! “This year the frameworks exploded as we worked on mapping everything to everything, technical and non-technical.”
I’m surprised the word ‘ransomware’ doesn’t take center stage (the vendor booths will probably take care of that), but this is a useful list for seeing where the content and the hype cycle are trending.
On to the newsletter…
Join this SecurityWeek panel discussion on Aligning Internal Cybersecurity Practices with External Third-Party Risk Management, presented by our friends at Process Unity. You will learn how to:
- Map external third-party risk to internal cybersecurity controls
- Evaluate control effectiveness against both internal and external risks
- Identify potential fourth-party risk
- Prioritize cyber/third-party risk projects based on control gaps and domain inefficiencies
- Build a world-class cybersecurity program that protects against internal and external threats
Here’s the link to register and add to calendar.
Zoho no!
If you have a Zoho product deployed in your organization, pay very, very close attention to the company’s handling of critical vulnerabilities and ongoing zero-day attacks.
These three security defects — CVE-2021-44515, CVE-2021-37415 and CVE-2021-44077 — have all been exploited by advanced hacking groups over the last four months, prompting CISA to issue urgent deadlines for mitigation. Florian Roth isn’t entirely pleased with Zoho’s response.
Two pieces I wrote this week for the SecurityWeek audience:
- Zoho Confirms New Zero-Day, Ships Exploit Detector
- CISA adds Zoho flaws to federal agencies ‘must-patch’ list.
Keeping VPN vendors accountable.
Journalist Yael Grauer (in collaboration with Consumer Reports) looks closely at the security and privacy of consumer VPNs running on Windows 10. Key takeaways:
- We found that every VPN company we evaluated could do better when it comes to committing to allow users to obtain the public-facing and private user information that the company holds, including users not covered under CCPA or GDPR.
- Many of the VPNs we tested could improve by providing specific retention periods for any data they do collect.
- VPNs would better serve their users by explaining in detail how user data is handled in case of a merger, bankruptcy, or acquisition.
- The industry could improve by giving specific retention periods for destroying or getting rid of outdated or unnecessary personal information. Almost every VPN, including Mozilla VPN and Mullvad, failed to state in their documentation that they will delete user information immediately and permanently in a reasonable time (in this case, 30 days) if service is terminated or inoperable.
- We’d like to see VPNs clearly outline in their documentation which information outside parties require, provide options, and host first- and third-party tools on their own servers — something only IVPN has done.
See my previous coverage of eyebrow-raising shenanigans in the consumer VPN space:
- Beware of shady VPN corporate ownership
- Guest op-ed by Juan Andres Guerrero-Saade: VPNs and targeted espionage concerns
Microsoft catches, disrupts Chinese .gov hacking group.
This week has seen a flurry of activity on the nation-state .gov hacking front:
- Microsoft threat hunters are exposing NICKEL, a Chinese APT targeting government organizations across Latin America and Europe.
- The NICKEL disclosure includes a court-approved takeover of thousands of malicious sites used by the hacking group and the blocking of registrations for some 600,000 domains the APT group planned to use in the future.
- The New York Times speculates the Chinese hackers were likely using the websites to install malware to gather data from government agencies and other groups.
- Dan Goodin reports that NICKEL hacked targets using compromised third-party VPN suppliers or stolen credentials obtained through spear-phishing. In other cases, the group exploited vulnerabilities that Microsoft had already patched but victims had yet to install on on-premises Exchange Server or SharePoint systems.
- A scary CVSS 10 vulnerability in WebHMI: “Successful exploitation of these vulnerabilities could allow an administrator account login without password authentication and remote code execution with root privileges.”
- A PrintJacking warning from GreyNoise about a single IP address seen mass-transmitting a message to TCP port 9100, the raw (JetDirect-style) printing port exposed by most network printers.
- USB Over Ethernet — SentinelOne researcher Kasif Dekel documents a number of high-severity flaws in driver software affecting AWS and numerous cloud service providers. Millions are affected.
- Project Zero’s Jann Horn publishes a root-cause analysis of CVE-2021-1048, an Android/Linux kernel flaw that was exploited in the wild as a zero-day.
- Google just paid $15,000 for a high-risk memory safety vuln in the Chrome browser.
Research deep-dives.
- A new research paper from ESET (pdf) describes how malware frameworks targeting air-gapped networks operate, with a side-by-side comparison of their most important TTPs. The researchers also propose a series of detection and mitigation techniques to protect air-gapped networks against the main techniques used by all the malicious frameworks publicly known to date.
- Exploring Container Security – A Storage Deep Dive is a technical analysis of a high-severity vulnerability that allowed workloads to access parts of the host filesystem outside the mounted volumes’ boundaries.
- Google Project Zero’s Tavis Ormandy: “This issue demonstrates that even extremely well-maintained C/C++ can have fatal, trivial mistakes.”
- Sam Curry writes about exploiting vulnerabilities in a TLD registrar to take over Tether, Google, and Amazon.
- Kaspersky GReAT’s annual review of APTs observed in 2021 is worth your time.
Must-read essays.
- Happy trails to one of my favorite managers, Larry Dignan, who is leaving ZDNet after an impressive 15-year run as editor-in-chief. Larry covers the six things he learned during his stint in the role. I’m proud to have played a small part.
- CISO Roadmap: The First 90 Days provides a decent game plan for a new security leader to modernize and strengthen a security program.
- Andy Ellis writes about the hidden costs associated with endpoint agents, inscrutable alerts, complex deployments and organizational friction.
- NSI Visiting Fellow and Crossbeam CISO Chris Castaldo writes about the SBOM tax on smaller businesses.
- Vice Motherboard says U.S. Vice President Kamala Harris is right not to trust the security of Bluetooth technology. It’s in response to this weird Politico article hating on wires.
- Nathaniel Mott writes about hackers finding workarounds for multi-factor authentication (MFA) technology.
Watching the SolarWinds hackers.
A few items advancing the SolarWinds supply chain mega-hack story as defenders keep watch on Russian hacking group Nobelium:
- One year after the SolarWinds compromise, Mandiant publishes a report documenting all the tactics used by the two distinct clusters within the Nobelium umbrella. Two things stand out — the use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations; and the abuse of multi-factor authentication leveraging “push” notifications on smartphones.
- Microsoft has produced an interesting docu-series on Nobelium, hyping it as “the insider account from the frontline defenders who tracked and responded to the NOBELIUM incident, the most advanced nation-state and supply chain attack in history.”
- At the Open Source Firmware conference, Alex Matrosov argues that firmware supply-chain security is broken and proposes some fixes (pdf).
- Hackaday has a fantastic piece on why you should care about everything in the UEFI universe.
- Bunnie Huang has a new project called Precursor. It’s styled as a mobile, open-hardware, RISC-V System-on-Chip development kit.
- Over the AirTag: Shenanigans with a Keyfinder (video) explores the internals of Apple’s cheapest peripheral, including a deep-dive into the over-the-air firmware update protocol.
- This talk covers a side-channel attack on the Google Titan Security Key’s secure element (the NXP A700x chip) that works by observing the chip’s local electromagnetic emanations while it computes ECDSA signatures.
Leftovers.
- WhatsApp is now allowing users to turn on “disappearing messages” by default for all new chats.
- Ballistic Ventures is a new VC firm dedicated entirely to funding and incubating cybersecurity startups.
- A curated list of awesome Kubernetes security resources.
- A mysterious threat actor has been running hundreds of malicious servers on the Tor network.
- Western businesses have paid $43.9 million in data-recovery extortion payments to the Russian cybercriminals behind the Cuba ransomware.
- Firefox 95 will feature a novel sandboxing technology called RLBox, which compiles selected third-party libraries to WebAssembly so they run isolated from the rest of the browser process. Documentation here.
- SentinelOne has a new mobile security product with a fancy name.
Tangentially.
- InTheWild is a community-driven open database of in-the-wild vulnerability exploitation.
- The Enigma 2022 Conference agenda looks very promising.