Newsletter
02.22.2022 | 5'' read
A Coinbase ‘market-nuking’ security bug
* The most clicked link from the last newsletter was SentinelOne’s report on ModifiedElephant, an India-linked APT caught planting malware on the phones of activists. The PortSwigger list of the top-10 web hacking techniques for 2021 was also popular.
Note.
- I’ll be doing an exclusive interview with McDonald’s CISO Shaun Marion at tomorrow’s Attack Surface Management Summit. Register here to catch a fun conversation on securing our chicken nuggets.
News headlines.
- This Coinbase platform API security defect allowed people to sell bitcoins they didn’t own. Truly “market-nuking” and worthy of the largest ever bug bounty paid by Coinbase ($250,000). Here’s more info from the hacker who found this gem.
- The NSA has issued a joint advisory with IOCs to help track a Russian state-sponsored APT targeting cleared defense contractor networks.
- Patrick Howell O’Neill reports on how the U.S. is unmasking Russian hackers faster than ever and what it means for the future of high-end malware attribution.
- Colonial Pipeline has tapped Adam Tice to head up its CISO office. Tice previously helped Equifax through its security crisis.
Viewpoints.
- Nicole Perlroth has landed on Lex Fridman’s podcast to hawk her book. It’s mostly two hours of useless blabber, if I’m being honest.
- CISA director Jen Easterly’s keynote at the Munich Cybersecurity Conference was disappointingly devoid of any real substance.
- Andy Ellis argues that the costs of an externally visible SBOM (software bill of materials) will likely outweigh the benefits. Catch my previous podcast with Sounil Yu on this very topic.
- Chris Inglis and Harry Krejsa pen an op-ed in Foreign Affairs calling for a “cyber social contract” where the U.S. government and bigger companies absorb the bulk of the cost and burden of cyber-defense.
- After the Internal Revenue Service (IRS) halted a plan to verify taxpayer identities using a third-party facial recognition software platform called ID.me, senators and privacy experts alike are expressing concerns around how government agencies overall are using biometrics technology.
- Greylock managing partner Asheem Chandna on playing the long game in cybersecurity.
SPONSORED.
- Join us tomorrow (Wed, Feb 23) for SecurityWeek’s Attack Surface Management Summit, presented by Randori. Learn from experienced CISOs, cloud software engineers, network architects, and security response engineers about best practices, defense frameworks and actionable data to reduce risk from exposed attack surfaces. Registration is open.
Must-see research projects.
- A Samba horror story is a deep-dive into a vulnerability used at the Pwn2Own hacker contest. It covers vulnerability engineering, modern environment setup, going from advisory to a PoC, with details on the thought process, struggles, and solutions.
- Harvard Business Review asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks.
- The Elite Hackers of Russia’s FSB is an interactive web thing on an apex threat actor. Be warned, the interface gave me a mild headache.
- NCC Group is documenting its work bypassing software update package encryption to extract the Lexmark MC3224i printer firmware. [ Part one | Part two ]
- Shoutout to my pal Zack Whittaker for this find: Mobile device monitoring services do not authenticate API requests.
Hacking things.
- SonarSource on a nasty, unpatched Horde Webmail vulnerability: “We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment.” Catalin Cimpanu covers the danger.
- Academics find a way to break into the encryption algorithm used by the Hive ransomware gang. “We recovered 95% of the master key without the attacker’s RSA private key and decrypted the actual infected data.”
- Cado is sharing notes and IOCs related to the DDoS attacks against Ukrainian websites.
- Check Point looks closer at the EvilPlayout attack against Iran’s state broadcaster and finds data-wiping malware.
- Rapid7 analyzes the Hikvision camera security flaw that was exploited in the wild as a zero-day.
SPONSORED.
- Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.
Actually useful vendor things.
- Chrome OS Flex will turn any old PC or Mac into a powerful Chrome-powered machine. Some companies are already using this in ransomware-recovery efforts.
- GitHub has opened up its advisory database to community contributors. Here’s the new public repository.
- Google’s Cybersecurity Action Team is sharing data on threats flowing across its cloud infrastructure.
- GitLab introduces a community-driven advisory database for third-party software dependencies.
- The Privacy Sandbox initiative aims to create technologies that both protect people’s privacy online and give companies and developers tools to build thriving digital businesses.
Israel’s spyware story update.
- An incredible chapter of the NSO Group Pegasus spyware story is playing out in Israel and journalists are now at the center of the storm.
- Bloomberg News is reporting that at least three other Israeli companies (Paragon, Candiru and Cognyte Software Ltd.) have developed zero-click hacking tools or offered them to clients, demonstrating that the technology is becoming more widespread in the surveillance industry. [ Non-paywall archive here ]
Tangentially.
- Someone has curated an awesome list of research papers and links to tools and datasets related to using machine learning for compilers and systems optimization.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.