Newsletter

• Catch my appearance on Recorded Future’s podcast where I ranted and raved about things I like — and don’t like — about the security industry. Lazy marketers get extra attention.
• I’ll be moderating and hosting a few sessions at SecurityWeek’s ICS Cybersecurity Conference (CFP is still open) in Atlanta on October 26-28. Register here and hopefully I’ll see some of you in the ATL.

The most clicked link from last week’s issue was Twitter’s new account security transparency report that shows stagnant multi-factor authentication adoption numbers.

Not much to say on a very, very busy week for those of us watching the cybersecurity industry.

I’ll be spending most of the coming days monitoring news and trends coming out of the Black Hat/Defcon conferences.  While everything feels different this year (in a not-so-good way), I’m impressed by the quality of talks on the agenda. Daniel Cuthbert picks some really good ones.  Best of luck to all the organizers, speakers and participants.  I hope you have a productive week.

P.S.  Consider this your weekly reminder to reboot your phone (iPhone or Android) as an important security measure.

_ryan

Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure by CISO Chris Castaldo breaks down the essentials so you can determine what is right for your start-up and your customers. You’ll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Buy the book.

Pegasus spyware watch.

There’s never a dull moment in this NSO Group/Pegasus high-end spyware scandal that continues to spotlight the shenanigans of these PSOAs (private sector offensive actors):

• France’s intelligence agency has confirmed that the Pegasus spyware was found on the phone of three journalists, including a senior member of staff at France 24, the country’s international television network.
• WaPo reports that David Haigh, a human rights activist and close ally of detained Dubai princess, had his phone hacked by NSO spyware.
• With the pressure mounting, NSO, Candiru and other Israeli 0day suppliers have been called into emergency conference in Tel Aviv today in wake of Project Pegasus findings into misuse of Israeli-made spyware.
• This ‘how-to’ guide on defending against Pegasus-type attacks is detailed and very useful.

Responsible cyber offense.

This op-ed has four bylines and is an important part of a nuanced conversation around the U.S. response to nation-state attacks:

The sense of crisis created by these two operations should not be wasted. Despite critical preventive efforts, offensive operations will continue apace in the foreseeable future — conducted by the United States, its allies and its adversaries. The choice is whether and how to engage in them responsibly and minimize cost to societies. For there are better and worse ways for governments (and their explicit or de facto contractors) to operate in cyberspace. Benign countries should cooperate now to promote verifiable, technical norms for responsible offensive cyber operations.

The piece offers suggestions for responsible offensive behavior, including the important of testing hacking tools before use, avoiding indiscriminate targeting, prohibiting certain targets, constraining automation and preventing criminal/third-party access to backdoors.

TPM sniffing attacks.

• Here’s a list of vulnerabilities or design flaws Microsoft does not intend to fix.  List includes a trio of PrintNightmare security defects.
• This Youtube video is an explanation of a critical vulnerability in GitHub that was found by Teddy Katz. He got $25,000 from GitHub bug bounty program.
• Twitter has launched a cash bounty challenge to proactively identify bias in machine learning (ML) models.
• A catalog of supply chain compromises dating back to 2003.
• New from Cybereason: Exposing Chinese threat actors targeting major telcos.
• Sanctioned Russian company Positive Technologies has a new report out on APT activity from a Chinese threat actor.

* Full Security Conversations podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.