Newsletter

This newsletter is sponsored by SecurityWeek, covering the intersection of business, technology and cybersecurity.

Personal notes.

• The Black Hat book-signing event with Crossbeam CISO Chris Castaldo is sold out. If you’re in Vegas and still want to grab breakfast near Cosmo, ping me, Twitter DMs are open.
• I’ll be hosting a fireside chat and panel discussion on the cloud and expanding attack surfaces at the SecurityWeek Cloud Security Summit.  Remember to register, these are always fun!
• I’m currently editing a few great podcast episodes — Jack Cable, researcher at the Krebs Stamos Group; and Vicente Diaz from Google/VirusTotal. Don’t miss the latest show with JupiterOne CISO Sounil Yu on SBOMs.
• I’m scheduled to appear as a guest on the Recorded Future’s CyberWire Daily podcast. I’ll share the link when the recording goes live.
• The most clicked link from last week’s issue was the official Kesaya web page documenting its response to the big ransomware hack.

Monday blues.

Today is the Patch Tuesday before the Black Hat/Defcon conferences and it’s causing quite a stir on the zero-day trackers. Microsoft’s mega-bundle (117 documented security defects) includes three new zero-days where the vendor learned of the problem via live in-the-wild attacks.

So far this year, there have been 54 documented zero-day attacks, with code from Microsoft (33 percent) and Apple (20 percent) at the center of malware attacks that’s near impossible to defend.  By comparison, there were a total of 38 zero-days documented in all of 2020.

In my notes last week, I grumbled about Microsoft’s stumbling and bumbling around the ‘PrintNightmare’ patch, only to later discover more problems with the newest emergency patch. The same week, we learned of a new SolarWinds zero-day being exploited (a Microsoft discovery) and newer waves of Windows ransomware infections that makes everything feel rather hopeless.

After years and years of spending billions of dollars on cybersecurity, here we are, on a zero-day patching treadmill while ransomware infections soar and vendors boast of successful IPOs and expanding revenue streams.

So much is wrong.

Remember to patch your machines, use a password manager, and multi-factor all the things.  It’s really all we can realistically do.

_ryan

Sponsor message: SecurityWeek Cloud Security Summit

As enterprises adopt cloud-based services to leverage benefits such as scalability, increased efficiency, and as cost savings, security has remained a top concern. SecurityWeek’s Cloud Security Summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Attendees, will be able to interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Date/Time July 21, 2021 from 11AM – 4PM Eastern.

SBOM and supply chain things

• Minimum elements for a Software Bill of Materials (SBOM) — This document identifies minimum elements that will enable basic use cases, such as management of vulnerabilities, software inventory, and licenses.
• Two new publications from NIST: Security Measures for “EO-Critical Software” Use and guidelines recommending minimum standards for vendors’ testing of their software source code.
• Solarwinds was notified by Microsoft of a new zero-day attack targeting its Serv-U software.
• On the show this week, JupiterOne CISO Sounil Yu goes deep on SBOMs and the U.S. government’s response to software supply chain security weaknesses.
• Corellium CTO Matt Tait will be this year’s Black Hat conference keynote, with a talk on supply chain infections and the future of contactless deliveries.
• Over on Lawfare, Steven Bellovin and Adam Shostack reacts to news of the U.S. government mandating a Cybersecurity Safety Review Board (CSRB)

Readables.

• China is moving to ban its offensive security researchers from selling data on vulnerablities to police, spy agencies or other private companies. The new rules could have downstream effects on bug bounty programs, hacker contests like Pwn2Own, and the boiling cauldron of zero-day exploit sales.
• Russia and Ukraine promised to cooperate and help catch the world’s most successful hackers but Patrick Howell O’Neill reports that things didn’t quite go to plan.
• A crazy story on a piece of malware that spies on victims via OBS Studio, a popular app used by live streamers and podcasters.
• These Iranian hackers posed as academics to steal e-mail passwords.
• From Red Hat – State of Kubernetes Security 2021.

* My thanks to all the sponsors: MongoDB, Uptycs, Eclypsium and SecurityWeek.  Our partnership with these companies help to keep our reporting independent and vendor-agnostic.

* Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms.  Directly subscribe from these links: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.