Newsletter

This newsletter is sponsored by Uptycs, the SQL-powered, cloud-native security analytics platform for modern defenders.

Was this newsletter forwarded to you?  Sign up here!  Say hello on Twitter (DMs are open).

* The most clicked link from last week’s issue was Kevin Beaumont’s sobering piece on some of the hard truths about the ransomware epidemic. TL;DR, we aren’t prepared, its a battle with new rules, and it hasn’t yet reached peak impact.

Monday blues.

Some personal thingies, as planning continues for a subdued Black Hat/Defcon hacker summer camp in Las Vegas in early August:

📚  I’m partnering with Crossbeam CISO and book author Chris Castaldo on a book-signing ‘cabanacon’ on Wednesday, August 4th.  We ditch the business suits, share a beverage, network and chat about Chris’s new book, the podcast, CISO happenings, etc. Request an invite here (space is very limited). PS: The cabana is air-conditioned and Chris says he will be giving away fancy pens along with copies of the new book.

🎧 I’ll be traveling to Las Vegas with full podcast studio gear and setting up camp to record a batch of audio and video interviews.  If you’re coming to the conference and want to appear on the show, reach out here and say hello.

🔥 Catch my fireside chat with Dragos co-founder and CEO Robert M. Lee at the APAC ICS Cybersecurity Conference.  We have a frank discussion about ransomware, paying ransoms to cybercriminals, the Biden EO on cybersecurity, the coming SBOM requirements.

🎤 My pal Mary Jo Foley, who watches Microsoft closer than any other journalist in history, invited me on her MJF Chat podcast to talk about all the security things at Redmond. The full transcript includes my strong opinions on Microsoft emerging as a bigtime player in the security business..

On to the newsletter…

The big stories.

• ZDNet’s Danny Palmer: Have we reached peak ransomware? How the internet’s biggest security problem has grown and what happens next.
• Along the same lines, Wired’s Lily Hay Newman reports on the recent Cl0p ransmoware bust in Ukraine and explains why nothing will change, despite all the high-profile .gov activities.
• Going back in time, we found out that GPRS-era mobile data encryption algorithm GEA/1 was ‘weak by design’ and still lingers in today’s phones. The academic paper is here (PDF).
• If you want something new to doomscroll about, Kevin Collier looks at the security of America’s water supply and the takeaway isn’t exactly inspiring: “Of all the country’s critical infrastructure, water might be the most vulnerable to hackers: the hardest in which to guarantee everyone follows basic cybersecurity steps, and the easiest in which to cause major, real-world harm to large numbers of people.”
• BBC News does a deep-dive recap on the Lazarus heist, with excellent reporting on how North Korea almost pulled off a billion-dollar hack.

CFPs.

Some Ryan-approved security conference call-for-papers worth your attention:

• The Summercon 2021 CFP is officially open.  The speaker selection committee is premium so we can expect a fantastic agenda again this year.
• The Intel Security Conference (iSecCon) is accepting submissions through July 16th. This con is organized by my former team at Intel and I can vouch that they take great care to pick high-quality presentations.
• Kaspersky has announced that #TheSAS2021 will be a hybrid event in late September, with a small in-person conference in Barcelona. The CFP is open through July 18.
• Patrick Wardle’s #OBTS v4.0 is also accepting submissions for an in-person con in Maui, Hawaii at the end of September. CFP closes June 30.

New podcast: A fun, honest conversation with FuzzyNop

🎧 New podcast episode, sponsored by Eclypsium:  Verizon/Yahoo’s Josh Schwartz (aka FuzzyNop) on red-teaming, adversarial relationships within security programs, and the need for more empathy in the offensive security research community.  It’s a fantastic conversation, I promise.

Full transcripts are now available for my recent interviews with Google’s Heather Adkins and Facebook product security chief Collin Green.

Supply chain pain.

• The Linux Foundation has announced new industry research, training, and tools  to accelerate the use of  Software Bill of Materials (SBOM) in secure software development.
• NSA cybersecurity director Rob Joyce wants the agency to be “left-of-theft,” a nice catchphrase to describe intrusion prevention priorities.
• Intel471 discusses the blurry boundaries between nation-state actors and the cybercrime underground.

Tools and guidance.

• Brick, from Sentinel One, is a small tool designed to identify potentially vulnerable SMM modules in a UEFI firmware image. It is comprised out of a collection of modules (implemented as IDAPython scripts), each responsible for identifying a specific vulnerability/anti-pattern in SMM code.
• New: D3FEND is a framework for cybersecurity professionals to tailor defenses against specific cyber threats is now available through MITRE  D3FEND establishes terminology of computer network defensive techniques and illuminates previously-unspecified relationships between defensive and offensive methods. This framework illustrates the complex interplay between computer network architectures, threats, and cyber countermeasures.
• CERT/CC is warning that the Pulse Security Integrity Checker Tool (ICT) and the PCS factory reset functionality “can both be subverted by an attacker” on a compromised PCS device. Mitigation guidance available here.
• The NSA has released guidance (PDF) on securing unified communications and voice/video over IP systems.

Readables.

• An interview with my pal Costin Raiu, one of the best threat-hunters on the planet (no exaggeration!).
• Five tips to get started on a crisis communications strategy for your cyberattack plan.

Tangentially.