Newsletter
11.23.2021 | 6'' read
That ‘we take security very seriously’ line
This edition of the newsletter is presented by Process Unity and SecurityWeek
- On December 15, I’ll be speaking at this SecurityWeek webinar on aligning internal cybersecurity practices with external third-party risk management. Register here.
Whenever a company drops the “we take security and privacy very seriously,” I do a basic smell test by adding “/security” to their domain to see how that page is being used. It’s a pretty instructive test of a company’s cybersecurity priorities.
This week, following an embarrassing — and utterly preventable — data breach that exposed WordPress FTP and database usernames and passwords for months (gasp!), I saw this line in GoDaddy’s SEC filing:
Meanwhile, it’s a long holiday weekend here in the U.S. (Thanksgiving Day) which means we’ll probably see one or two major ransomware extortion disclosures. If you’re involved in protecting critical things, you may want to heed these very specific warnings.
Also, remember to patch and reboot your iPhones.
_ryan
On to the newsletter…
Join this expert SecurityWeek panel discussion on Aligning Internal Cybersecurity Practices with External Third-Party Risk Management, presented by Process Unity. You will learn how to:
- Map external third-party risk to internal cybersecurity controls
- Evaluate control effectiveness against both internal and external risks
- Identify potential fourth-party risk
- Prioritize cyber/third-party risk projects based on control gaps and domain inefficiencies
- Build a world-class cybersecurity program that protects against internal and external threats
Here’s the link to register and add to calendar.
NSO Pegasus fallout.
Breaking: Apple has sued NSO Group for hacking into its iOS products. Nicole Perlroth reports that Apple is asking for unspecified damages for the time and cost to deal with NSO’s abuse of its products.
Patrick Howell O’Neill reports on the fallout from the U.S. government sanctions on NSO Group over misuse of the Pegasus .gov surveillance platform (archive):
The US sanctions have had an immediate and much greater effect on the company than previous scandals. Bloomberg reported that Wall Street is shunning NSO and treating it as a distressed asset; it’s saddled with over $500 million in debt and a growing risk of insolvency; meanwhile, the company’s newly appointed CEO quit just a week after being appointed.
There’s also gossip about a “secret letter” floating around Israeli political circles. 🍿
- The amazing researchers at QuarksLab looked closely at Titan M internals and usages in Android and found ways to guess a large part of the pinout of the chip and to identify the most important buses, in particular the SPI bus. This allowed us to sniff and send commands at any time in the lifecycle of the chip, even when the main CPU is in bootloader mode. All this was done with low-cost hardware tools and handmade micro-soldering.
- GitHub’s Man Yue Mo documents three security defects in the Qualcomm NPU (neural processing unit) that together form a very strong primitive that allows the execution of arbitrary code in the kernel from an untrusted app with ease. He used these primitives to create a reverse root shell with SELinux disabled on Samsung devices.
- Intel has published a security manifesto (pdf).
- Here’s an impressive voltage glitching research project that ends with full key extraction of NVIDIA TSEC.
- Google’s open-source group has released an open-source DDR controller framework for mitigating Rowhammer. It’s called the Rowhammer Tester platform.
- Chris Palmer’s thoughts on language design bugs are very valuable reading.
- Alex Chapman offers practical security recommendations for startups with limited budgets: use a password manager and 2FA, develop with modern frameworks, configure an edge security service, enable HTTP security headers, apply security patches, back up user data and source code, centralize all logging, run a bug bounty program, containerize services, and deploy canary tokens.
- Dakota Cary warns that China’s next generation of hackers won’t be criminals.
- Researchers at NCC Group’s Fox-IT look closely at the economics of ransomware extortion negotiations.
- The SolarWinds security team did a fascinating keynote presentation on creating an entirely new build system based on a number of open-source projects.
- Dima Kotic explains Sigstore, how it works, and why it’s important.
- This FatPipe VPN exploitation is the 81st in-the-wild 0day found so far in 2021. Data source.
- Here are all the talk recordings for SupplyChainSecurityCon.
- SentinelOne’s Max Van Amerongen goes hunting for security defects in VirtualBox Network Offloads.
- Brian Fletcher offers guidance on how to avoid leaking your customer’s source code with GitHub apps.
- This repo contains a set of tools to facilitate the analysis of the DJI drone WiFi communication protocol.
- RedHunt Labs scanned over 6 million unique public repos on Docker Hub and found an assortment of hard-coded secrets leaking everywhere.
- Wired has incredible coverage of Amazon’s shoddy track record in securing customer data.
Tidbits.
- The Tor Project is running out of relay bridges and is offering up hoodies and stickers to users to help bring more bridges online.
- The U.K. government’s GCHQ has issued its annual review for 2021.
- Mullvad is documenting System Transparency, a novel design that establishes trust in the hardware and the initial state of the system through a provisioning ritual and tamper detection, which, together with a TPM and firmware write protection, establish the root of trust and prevent malware persistence.
- Shoutout to the Right to Repair folks for this victory against Apple.
Leftovers.
- Microsoft’s Blue Hat security conference will return to Israel in March 2022. The CFP is now open.
- The No Starch Press Foundation (NSPF) has announced the list of projects receiving $10,000 grants.
- Here’s an attempt to document private sector offensive actors, the companies known to be providing zero-days and exploits to nation-state APT groups.
Tangentially.
- It’s pretty neat to see cybersecurity defenders being celebrated at a big sporting event.