Monday blues.
A cautious hello to the droves of new folks joining the list over the last two weeks. I’m flattered and surprised, especially because I deliberately avoid marketing and promotion of this newsletter.
If you dig honest feedback from a curmudgeon documenting the business of security through a cynical lens, you’ll probably enjoy these weekly emails. My tone is blunt but the coverage is fair and never malicious. I usually get things wrong so don’t hold back with the required corrections (Twitter DMs are open).
If my style isn’t your cup of tea, unsubscribe and reclaim your valuable inbox space. No hard feelings.
Today is Patch Tuesday. Get off TikTok, put down your phone and update/reboot all the things.
Cheers,
_ryan
Flattening the ransomware curve.
- Law enforcement pressure. Takedowns and arrests in Russia are a real deterrence and we’re starting to see ransomware gang affiliates being a lot more careful and selective about targets. The downside is that small- and medium-sized businesses will continue to deal with a world of hurt.
- The Biden executive order on cybersecurity is shoring up the security posture of federal agencies and the vendors in that ecosystem. The mandates around zero-trust, multi-factor authentication and data encryption are starting to trickle out and benefit the rest of computing.
- CEO and boardroom-level anxieties about being the next victim testifying before congress have led to expanded security budgets and genuine top-down support for under-resourced CISOs. When ransomware is a CNBC topic, CEOs take note.
- Cyber insurance renewals are driving maturity around incident response and disaster recovery playbooks. To qualify for policy renewals, companies must attest to MFA, segmentation, adequate back-ups, and mature tabletop testing and planning. Win, win, all around.
More from Coveware with fresh ransomware data and some thoughts on how the criminal ecosystem is dealing with the blowback.
- Join us on Wednesday, February 23 for SecurityWeek’s Attack Surface Management Summit, presented by Randori. Learn from experienced CISOs, cloud software engineers, network architects, and security response engineers about best practices, defense frameworks and actionable data to reduce risk from exposed attack surfaces. Free registration here.
Important people on the podcast.
Security Conversations podcast guests Heather Adkins (Google) and Katie Moussouris (Luta Security) have been named to the U.S. government’s first-ever Cyber Safety Review Board (CSRB). Listen to the episodes:
- Google’s Heather Adkins on defenders playing the long game, a conversation that includes mention of the CSRB several months ago. Read transcript.
- Luta Security founder and CEO Katie Moussouris talks about her early life in the penetration testing trenches, advocating responsible security research, building bug bounty programs and the challenges of succeeding as a woman in the industry.
One small observation on the CSRB announcement: The board was originally set up with the Solarwinds mega-hack as the priority but has already pivoted to focus on Log4j. How quickly we move on to the next thing…
Patch Tuesday.
Today is the dreaded Patch Tuesday. Here are the ones worth your attention:
- Microsoft patches 51 security defects in multiple Windows OS components and 20+ vulnerabilities in the Microsoft Edge (Chromium-based) browser. ZDI digs into the details.
- Adobe joined the party with fixes for more than a dozen Illustrator vulns.
- Massive list of high-severity bugs fixed in this Android mega-update.
So far in 2022, the documented in-the-wild zero-day counter stands at three (3).
News headlines.
- There’s growing blowback against NSO Group in Israel where companies are starting to blacklist ex-employees of the controversial exploit merchant and spyware maker. It’s getting uglier by the day.
- Earlier this month, someone attempted to move $3.55 billion worth of Bitcoin from the 2016 Bitfinex hack. Today, the Justice Department said it arrested and charged a New York couple in connection with the alleged laundering operation.
- Catalin Cimpanu reports on one of the most impactful decisions by Microsoft to reduce damage from malware embedded in Office documents.
- The FBI has released IOCs to help toss sand in the eyes of the LockBit ransomware gang.
Sponsored.
- Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.
Must-read reporting.
- Meet the NSA spies shaping the future is the first interview with Gil Herrera, the leader of the spy agency’s research directorate.
- The adoption of multi-factor authentication in Microsoft Azure Active Directory remains embarrassingly low (22%).
- An independent post-incident review of the massive HSE (Health Service Executive) ransomware hack offers amazing lessons.
- The Battle for the World’s Most Powerful Cyberweapon is a New York Times investigation into how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban. (non-paywall version)
Research projects.
- Amnesty’s Claudio Guarnieri dives deeper into Android system diagnostics and remote forensics.
- Researchers at Tel Aviv University document speculative type-confusion vulnerabilities in the wild.
- Malcolm Stagg explains how he hacked his way to the top of DARPA’s hardware bug bounty.
- Perception Point researchers discovered a vulnerability in macOS which allows attackers to bypass Apple’s SIP (System Integrity Protection) mechanism to take full control over the system.
Essays.
- Dmitry Alperovitch weighs in on how Russia has turned Ukraine into a cyber battlefield.
- Google Cloud CISO Phil Venables releases part two of his piece on secrets of successful security programs. Part one is here.
- Joe Slowik argues that defenders should focus on ‘left of boom’ to detect mitigations as early and consistently as possible.
- BastionZero chief executive Sharon Goldberg picks apart the federal government’s latest zero-trust memo.
Tangentially.
- Mark Russinovich’s artwork is pretty impressive.