* This newsletter is sponsored by Uptycs, the cloud-native security analytics platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, audit and compliance.
The most clicked link from last week’s issue was the video of Orange Tsai’s talk on scary new attack surfaces found on Microsoft Exchange Server. Here’s the technical paper and slides from the presentation.
- I’m currently neck-deep working on the agenda for this year’s CISO Forum, coming up on September 14-15, 2021. We’ll be talking high-end malware, software supply chain, SBOMs, ransomware and cyber insurance.
- The Dan Kaminsky Fellowship is now accepting applications.
Monday blues.
It was a little verklempt over the weekend as we moved my son Jake into Arizona State University to pursue studies in Computer Science (Cybersecurity).
Computer security is in the midst of an important generational handoff (see my OPCDE keynote) and I’m thrilled to observe this class of students prepare themselves to operate in a tech world that spins in weird ways.
On Sunday, as I watched the kids unpack in new dorms with unbridled optimism, my mind wandered to Sir Ken Robinson’s seminal TED talk on education, creativity and that fact that nobody knows what the world will look like in a few years’ time.
Jake’s class graduates in 2025. What will the security landscape look like? Will the the cloud and micro-services look like? What happens to the ransomware epidemic? Can we really get rid of passwords forever? Where does mobile computing go? What happens to security below the operating system?
So many questions for which there are no answers. Jake’s generation gets to pick up the baton, with an impossible task of defending moving goal posts. I wish them the very best.
_ryan
A word from our sponsor – Uptycs
The Uptycs Security Analytics Platform offers one platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, and audit and compliance. Schedule a demo today.
Corellium dunks on Apple
It’s pretty amusing to watch security startup Corellium dunking on Apple at every opportunity. Less than a week after prevailing in a legal case filed by Apple, Corellium pounced on the controversy surrounding Cupertino’s new CSAM child-safety system to kick sand in Apple’s eyes:
A new Corellium Open Security Initiative will offer three $5,000 grants and free access to the company’s iOS virtualization platform for researchers who can “validate any security and privacy claims” made by Apple or any other mobile software vendor.
From the announcement:
We applaud Apple’s commitment to holding itself accountable by third-party researchers. We believe our platform is uniquely capable of supporting researchers in that effort. Our “jailbroken” virtual devices do not make use of any exploits, and instead rely on our unique hypervisor technology. This allows us to provide rooted virtual devices for dynamic security analysis almost as soon as a new version of iOS is released. In addition, our platform provides tools and capabilities not readily available with physical devices.
We hope that other mobile software vendors will follow Apple’s example in promoting independent verification of security and privacy claims. To encourage this important research, for this initial pilot of our Security Initiative, we will be accepting proposals for research projects designed to validate any security and privacy claims for any mobile software vendor, whether in the operating system or third-party applications.
Separately, the company released Corellium for Journalists less than a month after the NSO/Pegasus scandal exposed Apple’s iOS black hole as a problem for journalists and activists.
Also, a new petition from the Electronic Frontier Foundation:Apple has abandoned its once-famous commitment to security and privacy. The next version of iOS will contain software that scans users’ photos and messages. Under pressure from U.S. law enforcement, Apple has put a backdoor into their encryption system. Sign our petition and tell Apple to stop its plan to scan our phones. Users need to speak up say this violation of our privacy is wrong.
People and jobs.
- Citrix is looking for a CISO following the departure of Fermin J. Serna.
- NASA’s Jet Propulsion Lab is advertising a CISO opening.
- (ISC)² has a CISO opening in Clearwater, Florida.
Nation-state APT things.
- A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents.
- Kaspersky GReAT is calling attention to ‘Moses’, a private company that supplies exploits to several threat actors. The name Moses offers a tantalizing clue for journalists to start asking hard questions.
- The U.S. government is warning that gaping holes in the BlackBerry QNX operating system must be immediately patched. “These vulnerabilities may introduce risks for certain medical devices, as well as pharmaceutical or medical device manufacturing equipment.” Here’s the advisory with a 9.0 CVSS.
- CheckPoint has a new report out on Indra: In this piece, we present an analysis of a successful politically motivated attack on Iranian infrastructure that is suspected to be carried by a non-state sponsored actor. This specific attack happened to be directed at Iran, but it could as easily have happened in New York or Berlin.
- The Biden administration backed away from the idea of banning ransomware payments after meetings with the private sector and cybersecurity experts
Readables.
- From Project Zero’s James Forshaw: How to secure a Windows RPC server.
- GitHub has eliminated support for passwords for Git operations and now requires the use of a hardware security key or other strong 2FA option.
- From Tencent’s Keen Security Lab: In this paper, we will demonstrate that it is still possible to fully compromise, over the air, a 5G modem, and gaining remote code execution on a new 5G Smartphone.
Leftovers.
- Luna is a multi-tool for building, analyzing, and hacking USB devices.
- GCP Goat is an intentionally vulnerable Google Cloud Platform environment to learn and practice GCP security.
- All the Defcon 29 videos are now up on YouTube.