Newsletter

Hello friend,

Was this newsletter forwarded to you?  Sign up here! If you enjoy my scribbles, consider sharing this with a friend or colleague.  Follow me on Twitter (DMs are open) and LinkedIn for daily conversations.

Monday blues (3/15/2021).   

Short-story time. At the intersection of Main and College Streets in downtown Enterprise, Alabama, there’s an odd-looking statue of a woman holding up a weevil on a pedestal, much like the athletes do when they win an MVP award. Seriously, it’s real.

It’s a monument dedicated to the boll weevil, a reddish-brown insect that ravaged cotton crops and ruined the economy in the American South in the early 1900s. At the time, agriculture was a monoculture of cotton farming but, as boll weevil infestations destroyed cotton and left the soil dry and exhausted.

Back to the monument. The city erected the statue because the destruction by the boll weevil led to agricultural diversity, starting with peanuts and other crops that led incredible prosperity.

Today, it’s the only statue dedicated to an insect pest in the world and is an important reminder of the dangers of a monoculture, especially in computer tech, where the risk of “massive, cascading failures” is very real and very present.

I’m reminded of the boll weevil today while scribbling notes for what’s now the third Google Chrome in-the-wild 0day attack for 2021 and realizing we are heading into a Chromium web browser monoculture that will have negative consequences for years to come.

[An important side note: Google has shared nothing about these ITW 0days beyond throwaway lines buried in in Chrome advisories. How is this acceptable?  When Project Zero/TAG found the iOS exploit chain, we got “a very deep dive into iOS Exploit chains found in the wild.”  Now that Google has its own Chrome 0day problems, it’s radio silence.  Not a good look. ] 

The latest Chrome 0day wave is especially worrisome now that Microsoft has abandoned Edge and hopped aboard the Chromium freight train. A reliable Chromium exploit chain now takes on more significance.

Just like the boll weevil did in the early 1900s.

Now for the newsletter.

New podcast (Ron Brash on water plant hacks).

Verve Industrial Protection’s Ron Brash joins the show to discuss the root cause of the recent Oldsmar water supply hack, the state of ICS/SCADA security and share some tips for securing factories and plants on a tight budge.   It’s a fantastic conversation, listen here.

Microsoft selling while Exchange burns.

• It’s pretty ugly to watch Microsoft’s targeted ad buy on Twitter, hawking security products, in the midst of the Exchange Server 0day catastrophe.  Feels so much like ambulance chasing, when you’re the ambulance that caused the accident in the first place.  When cybersecurity turns into a $10 billion-a-year business, we end up here.
• Reuters says lawmakers aren’t happy to see Microsoft cashing in on cybersecurity when its own software was recently at the heart of two big hacks.
• Microsoft yanking proof-of-concept exploit code from GitHub is a terrible look for a company that has the history and experience to know better.
• Microsoft’s controversial MAPP pre-patch vuln sharing program is under fire again, this time for a possible leak from a Chinese anti-malware partner.  Here’s a fun exercise: Add country flags to every vendor listed on this MAPP page and see how unnerving it looks.  I predict security data will be heavily balkanized in the near future as more of these geo-political hiccups appear.
• This site is attempting to keep track of all in-the-wild zero-day attacks in a lovely, sortable format.

Things you should read this week.

• Security industry pioneer Dan Geer argues that the HTTPS-Everywhere push is nothing more than security theater and virtue signaling.  It’s hard to disagree.
• DARPA is funding multiple hardware/software mathematician teams to push the envelope forward on the holy-grail “last mile” of privacy engineering — fully homomorphic encryption.   I’m paying close attention to the work out of Galois, a Mass.-based company working a software/hardware co-design to get around performance limitations.

Open-source goodies.

• Red Canary’s Atomic Red team is a small and highly portable detection tests based on MITRE’s ATT&CK framework.
• KilledProcessCanary from NCC Group offers a nifty approach to minimizing the impact from certain ransomware actors.
• Mystikos is a set of tools for running applications in a hardware trusted execution environment (TEE).
• Gophish is a phishing framework that makes it easy to test your organization’s exposure to phishing.

Tangentially.

The Netflix security program has a YouTube channel and it’s fully of incredible talks and presentations.  If you really want to binge, here’s a list of Dan Geer’s talks and publications.   Enjoy.
​
Have a fantastic week,

_ryan

P.S. As usual, the podcast is available on all platforms (Apple, Google, Spotify and Amazon).  If you enjoy the show, consider leaving a rating and review to help spread the word.

P.P.S.  I welcome feedback. Don’t be shy.