Newsletter
10.01.2021 | 4'' read
Information brokerage and cyber storytelling
- The most clicked link from last week’s newsletter was Kim Zetter’s interview with David Evenden, a former NSA hacker who was recruited to Abu Dhabi to do cybersecurity work, only to realize he had been deceived and he was actually lured there to hack for the UAE government.
- We have some open advertising slots for the newsletter and podcast. Contact me to discuss a smarter approach to telling your story to security practitioners.
- I’m planning to be in Atlanta October 25-28 to speak at this year’s hybrid ICS Cyber Security Conference. Let’s grab coffee if you’re in town. (Twitter DMs are open).
Monday blues.
High-end APT research is big business. From private reports to subscription feeds and data-bartering partnerships, companies old and new are cashing in. As JAG-S noted back in 2015, this means that the traditional malware researcher is now an “intelligence broker” operating in an oft-misunderstood space with geopolitical weight and consequences.
Imagine my twitching eyebrows when I read this wild Yahoo News piece on the CIA’s secret war against Wikileaks, a story centered around the government’s use of the “information brokers” tag to raise the temperature on outside scrutineers. Regardless of your stance on Wikileaks or who is or isn’t a journalist, this is bone-chilling stuff that will soon start touching parts of our industry.
Researchers, it’s imperative you begin to understand the nuances of your business and consider pushing back against aggressive demands from your marketing team. Eyes wide open, everyone.
_ryan
On to the newsletter…
The big APT stories
There’s a handful of significant APT stories worth your attention:
- Microsoft has published data on FoggyWeb, a post-exploitation backdoor capable of stealing data from a compromised Active Directory Federation Services (AD FS) server. The attacks are linked to Nobelium, the group behind the SolarWinds supply chain mega-compromise.
- Recorded Future’s Insikt Group has a new report out on four Chinese APT groups caught targeting the mail server of a major telco in Afghanistan.
- The U.S. intelligence community has deployed ad-blocking technology at scale (see letter) as a security mitigation.
- As nation-state attacks against VPN flaws surge, CISA has issued guidance on selecting and hardening remote access VPN solutions. As work-from-home stretches on, this is a high-priority issue for CISOs.
Advertisement — Symmetry Systems.
Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Get in touch today for a demo.
Apple in another public pickle
It seems we can’t go a few days without a new Apple self-inflicted security scandal. On the heels of the CSAM embarrassment, the nonstop 0day exploits and signs of iOS security patch withholding, we now have legit anger from well-meaning security researchers who feel manipulated and abused by Apple’s bug bounty program. Some of the newest examples:
- Apple’s handling of this bug report is rather disgraceful. Read the cringeworthy timeline at the bottom.
- Upset with Apple’s handling of its Security Bounty program, a bug researcher has released proof-of-concept exploit code for three zero-day vulnerabilities in Apple’s newly released iOS 15 mobile operating system.
- Here’s another researcher’s frustrating blow-by-blow while dealing with Apple’s security response team.
Security responders, pay attention to these high-priority items:
- VMware’s CVE-2021-22005 vulnerability is being actively exploited. Patch info here.
- Google pushed out a patch for an “under-attack” Chrome bug. Refresh your browser ASAP. Microsoft Edge too.
- Trend Micro has released extremely critical ServerProtect patches. CVSSv3 score 9.8.
Leftovers.
- Shoutout to Kaspersky researchers for dogged, years-long work monitoring another one of these parasite exploit companies. The findings on the FinSpy surveillance malware, especially the UEFI bootloader, show ongoing investments by FinFisher. Read my story.
- Trenchant’s Brent McBride shares the skinny on the Parallels Desktop guest-to-host escape bug that netted him a big Pwn2Own victory.
- Cloudflare is taking a shot at the lucrative email security business. See my news analysis on this hot market.
- With HTTPS everywhere, the EFF is planning to deprecate the HTTPS Everywhere web extension. It’s worth noting that security industry pioneers aren’t big fans of this project.
- BlackBerry hires former McAfee president to lead cybersecurity business.
- Stairwell has raised $20 million, landed another TechCrunch fluff piece, and still nobody can explain what the company does.
Tangentially.
- Wired has some useful guidance on the iOS 15 privacy settings you need to consider changing. Also, for no reason at all, remember to reboot your iPhones.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.