Newsletter
06.01.2021 | 5-minute read
Extending SBOMs to the firmware layer
Sponsor message: MongoDB supports The Diana Initiative
MongoDB is the leading modern, general purpose database platform, designed to unleash the power of software and data for developers and the applications they build. The company is proud to support and sponsor The Diana Initiative, an event focused on women, diversity and inclusion in information security. Register here for the virtual conference, scheduled for July 16-17, 2021.
- Promote software bills of materials (SBOMs) extending to the firmware level.
- Have vendors include the intent of the components of the system.
- Produce analysis of code.
- Provide public risk scoring.
- Reduce purchasing of products that shape up poorly.
The reality is that the tech below the OS is an alphabet soup of complexity and security problems we just can’t see. It’s refreshing to see .gov carrying on this conversation in such a transparent manner. Even for firmware, SBOM is coming and you should start preparing for it.
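To make the "start preparing" part concrete, here is an added example of what a firmware-level SBOM can look like and the check a consumer runs against it. This is my code, not anything from the .gov discussion or any vendor: it builds a minimal CycloneDX-style document (spec 1.4 field names, only the fields the check needs) for a constructed three-region image and then verifies a shipped image against it. The region names, versions, bytes and the supplier "Example OEM" are all made up for the example.

```python
import copy
import hashlib
import json

# Constructed stand-in for a firmware image, split into the regions a vendor
# would declare as components. Names, versions and bytes are made up here.
FIRMWARE_REGIONS = {
    "uefi-dxe-core":       {"version": "2.3.1", "bytes": b"DXE core image (constructed)"},
    "cpu-microcode":       {"version": "0xea",  "bytes": b"microcode patch (constructed)"},
    "embedded-controller": {"version": "1.14",  "bytes": b"EC firmware (constructed)"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_firmware_sbom(regions: dict, supplier: str = "Example OEM") -> dict:
    """Emit a minimal CycloneDX-style JSON SBOM (1.4 field names) for the image.

    Each component is typed "firmware" and records its supplier and a SHA-256
    of the region bytes. The hash is what later lets a consumer check that the
    image in hand is the one the SBOM describes.
    """
    components = []
    for name, region in regions.items():
        components.append({
            "type": "firmware",
            "name": name,
            "version": region["version"],
            "supplier": {"name": supplier},
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(region["bytes"])}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}


def verify_image_against_sbom(sbom: dict, regions: dict) -> list:
    """Compare an image's regions with its SBOM; return findings (empty = clean).

    Checks what a firmware SBOM consumer cares about: every component names a
    supplier, carries a SHA-256, that hash matches the bytes actually shipped,
    and nothing ships undeclared.
    """
    findings = []
    declared = {c["name"]: c for c in sbom.get("components", [])}

    for name, comp in declared.items():
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{name}: no supplier recorded")
        if name not in regions:
            findings.append(f"{name}: declared in SBOM but absent from image")
            continue
        sha = next((h["content"] for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"), None)
        if sha is None:
            findings.append(f"{name}: no SHA-256 recorded")
        elif sha != sha256_hex(regions[name]["bytes"]):
            findings.append(f"{name}: hash mismatch (shipped bytes differ from SBOM)")

    for name in regions:
        if name not in declared:
            findings.append(f"{name}: present in image but not declared in SBOM")
    return findings


def demo() -> tuple:
    """Run the clean case and two failure cases; return their finding lists."""
    sbom = build_firmware_sbom(FIRMWARE_REGIONS)
    clean = verify_image_against_sbom(sbom, FIRMWARE_REGIONS)

    # Failure 1: a region changed after the SBOM was produced (or the SBOM
    # describes a different build than the one that shipped).
    tampered = copy.deepcopy(FIRMWARE_REGIONS)
    tampered["cpu-microcode"]["bytes"] += b"\x90"
    modified = verify_image_against_sbom(sbom, tampered)

    # Failure 2: the SBOM lists a component that nobody takes ownership of.
    anonymous = copy.deepcopy(sbom)
    anonymous["components"][2]["supplier"] = {}
    unowned = verify_image_against_sbom(anonymous, FIRMWARE_REGIONS)
    return clean, modified, unowned


if __name__ == "__main__":
    print(json.dumps(build_firmware_sbom(FIRMWARE_REGIONS), indent=2))
    for label, result in zip(("clean", "tampered", "unowned"), demo()):
        print(f"{label}: {result or 'no findings'}")
```

The point of the hash check is that an SBOM without per-component hashes only tells you what the vendor meant to ship; with them, you can measure the image you actually received and catch the case where the two disagree.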
On to the newsletter…
The most clicked link from last week’s issue was the GAO’s report on ransomware-induced disturbance in the cyber-insurance marketplace. [direct .pdf]
🎧 New Podcast: Google Security Leader Heather Adkins (presented by Eclypsium)
Founding member of the Google security team Heather Adkins joins the show to stress the importance of defenders playing the "long game," the need for meaningful culture change among security leaders, and the expansion of zero trust beyond identities and devices. Listen here.
Here is a transcript of the Heather Adkins conversation, lightly edited for brevity and clarity.
Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms — Apple, Google, Spotify and Amazon.
Hardware/firmware security
- This whitepaper from the folks at Hardened Vault on protecting valuable digital assets with firmware security, cryptography engineering and Linux hardening is worth every minute of your time.
- Jessie Frazelle’s Oxide Computer Company has a beautiful new website that documents exactly what they do and how they do it. Pay attention to the secure-by-default messaging and the open-source firmware strategy.
- From Microsoft’s David Weston: “Coreboot, Firmware updates, DRTM and Hypervisor security, and OPNSense in a tiny 300 dollar device. This is basically the best thing ever.”
- The hardware/embedded track at the upcoming Black Hat conference includes at least five must-watch presentations. Kudos to the Black Hat review board.
- Dan Goodin writes about the M1racles bug found in the Apple M1 chip. It’s a fun bug that allows covert data sharing between two legitimate apps but you and I probably shouldn’t worry too much about this.
What’s a supply chain attack?
Wired senior writer Andy Greenberg does a fine job of explaining a supply chain attack. His story includes this nugget:
Supply chain attacks were first demonstrated around four decades ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in Unix’s login function. Thompson didn’t merely plant a piece of malicious code that granted him the ability to log into any system. He built a compiler — a tool for turning readable source code into a machine-readable, executable program — that secretly placed the backdoor in the function when it was compiled. Then he went a step further and corrupted the compiler that compiled the compiler, so that even the source code of the user’s compiler wouldn’t have any obvious signs of tampering.
Greenberg is describing Ken Thompson's 1984 Turing Award lecture, "Reflections on Trusting Trust," whose moral still stands: "You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code."
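Thompson's mechanism is easier to see in miniature. What follows is an added toy model in Python, my code rather than Thompson's or anything from Greenberg's piece: programs are source strings, "compiling" is exec'ing a string into a namespace, and the `login` and `compile_source` programs, the `PAYLOAD` text with its `_infect` hook, and the master password "ken" are all constructed for the example. It shows both stages: a clean login source gaining a backdoor when built with the trojaned compiler, and the clean compiler source rebuilt with that binary yielding a compiler that still carries the backdoor, generation after generation, while no source file ever contains it.

```python
"""Toy model of Thompson's compiler backdoor (added example, not Thompson's code).

Programs are Python source strings and "compiling" is exec'ing a string into a
namespace, so a compiled program is a namespace of functions. A compiler is
itself a program that gets compiled, which is what lets the backdoor live in
the compiler binary while every piece of source stays clean.
"""

# Clean sources: exactly what a reviewer would see in the repository.
LOGIN_SRC = '''
def login(user, password, stored):
    """Accept only the stored credential."""
    return password == stored
'''

COMPILER_SRC = '''
def compile_source(src):
    """Compile: run the source and hand back its namespace of functions."""
    ns = {}
    exec(src, ns)
    return ns
'''

# The backdoor exists only here, as text the attacker once fed to a compiler.
# It rewrites source on its way through the compiler and carries its own text
# so it can re-insert itself into any compiler it compiles (the quine step).
PAYLOAD = '''
def _infect(src, payload):
    # Stage 1: every login() built with this compiler gains a master password.
    if "def login(" in src:
        src = src.replace("return password == stored",
                          "return password == stored or password == 'ken'")
    # Stage 2: every compiler built with this compiler gets _infect() back,
    # even though the compiler source being compiled does not contain it.
    if "def compile_source(" in src and "_infect(" not in src:
        hook = "    src = _infect(src, PAYLOAD)\\n    ns = {}"
        src = ("PAYLOAD = " + repr(payload) + "\\nexec(PAYLOAD)\\n"
               + src.replace("    ns = {}", hook, 1))
    return src
'''


def clean_compiler():
    """A trustworthy compiler binary built directly from the clean source."""
    ns = {}
    exec(COMPILER_SRC, ns)
    return ns["compile_source"]


def bootstrap_trojan_compiler():
    """The attacker's one-time step: compile a hand-patched compiler, then
    discard the patched source. The surviving binary looks like it came from
    COMPILER_SRC."""
    ns = {}
    exec(PAYLOAD, ns)
    patched_src = ns["_infect"](COMPILER_SRC, PAYLOAD)
    return clean_compiler()(patched_src)["compile_source"]


def demo():
    """Build login with clean and trojaned compilers across generations and
    report what each accepts. Returns a dict of booleans."""
    master = "ken"            # the backdoor password (constructed)
    real = "s3cret"           # the stored credential (constructed)
    good = clean_compiler()
    evil_gen1 = bootstrap_trojan_compiler()
    # Rebuild the compiler from the pristine source, twice, using only the
    # trojaned binary; then build login with each generation.
    evil_gen2 = evil_gen1(COMPILER_SRC)["compile_source"]
    evil_gen3 = evil_gen2(COMPILER_SRC)["compile_source"]

    def accepts_master(compiler):
        login = compiler(LOGIN_SRC)["login"]
        return login("root", master, real)

    return {
        "clean_compiler_rejects_master": not accepts_master(good),
        "gen1_accepts_master": accepts_master(evil_gen1),
        "gen2_accepts_master": accepts_master(evil_gen2),
        "gen3_accepts_master": accepts_master(evil_gen3),
        "all_sources_are_clean": master not in LOGIN_SRC and master not in COMPILER_SRC,
        "real_password_still_works": evil_gen3(LOGIN_SRC)["login"]("root", real, real),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Reading `COMPILER_SRC` or `LOGIN_SRC` tells you nothing, which is exactly Thompson's point; the only way out of the loop is a second, independently built compiler to diff against (the idea behind diverse double-compiling), or not trusting the binary in the first place.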
Mind-mapping all the things.
As a fan of mind-mapping software to visualize projects, I was thrilled to see Imran Parray publishing this list of security-themed mind-maps. They include mind-maps for Android attack vectors, bug-hunter methodologies, red teaming and reconnaissance.
Rafeeq Rehman's CISO mind-map is also a favorite for understanding and explaining the modern security program.
Freebies.
- Corellium is dabbling with a freemium model called “security research.”
- Salesforce offers free, on-demand cybersecurity training.
- Microsoft’s Counterfit is a command line tool for assessing the security of machine-learning systems.
Things you should already have read.
- This is a curated list of public penetration test reports released by several consulting firms and academic security groups.
- Awesome Incident Response is a list of tools and resources for security incident response and DFIR teams.
- Amazon has released a privacy and security whitepaper documenting how the controversial “Sidewalk” connectivity feature works.
- SentinelOne exposes disk-wiping malware with Iranian fingerprints.
- Half-Double is a new Rowhammer variant that induces bit flips two rows away from the hammered row, getting past defenses that only watch the immediately adjacent rows.
Tangentially.
- Daniel Miessler shares some tips and tricks on organizing RSS feeds. I bring this up because it looks like Google will be doing some Chrome innovation around RSS and I’m very much here for it.
Have a fantastic week.
_ryan
PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.