Newsletter
09.14.2021 | 5 min read
Legal trouble for ex-NSA mercenary hackers
- Crazy busy, heads-down and headphones cranked up editing new podcast interviews with Anne Marie Zettlemoyer (VP, Security Engineering, Mastercard), Aaron Portnoy (Principal Scientist, Randori), Mohit Tiwari (CEO, Symmetry Systems) and Vicente Diaz (Security Engineer, Google VirusTotal).
- 🎧 New podcast advisory: Intel’s Venky Venkateswaran discusses hardware-enabled security and the chipmaker’s cybersecurity investments.
Monday blues.
Back in March, I wrote in this very newsletter about the surge in zero-day attacks targeting software from the big shops — Microsoft, Apple and Google — and tried to argue that this was positive confirmation that defenders were getting better at detecting these high-end exploit chains.
This week, things took another major turn with all three vendors announcing exploitation of zero-days in software products used by billions around the world. While the vendors are quick to minimize these as “extremely targeted,” the reality is quite sobering.
Here's a sample of my own coverage just this week:
- Microsoft Office Zero-Day Hit in Targeted Attacks
- Apple Ships Urgent Patch for FORCEDENTRY Zero-Days
- Google Warns of Exploited Zero-Days in Chrome Browser
According to publicly available data, there have been 66 documented zero-day attacks so far in 2021. The bulk of those target code from Microsoft, Google and Apple but the raw truth is that high-end adversaries are burning through expensive zero-day chains at record levels.
It’s also clear that threat actors are paying attention to security defects in software packages from vendors we’ve never heard about. I had never heard of SolarWinds, or Kaseya, or Codecov before they were smacked by zero-days. Expect more of these.
In the meantime, try to remember to reboot your iPhones once a week. That’s all I got.
_ryan
I delayed sending this newsletter to drop a few lines about this Chris Bing breaking piece on the U.S. filing criminal charges against ex-NSA hackers working as mercenaries in Dubai, UAE.
The story is long and winding and was first told in this Project Raven investigation that documents the work of Lori Stroud and others who were recruited to move to Dubai to engage in surveillance of other governments, militants and human rights activists critical of the monarchy.
Here’s the U.S. government’s case against Marc Baier, Ryan Adams and Daniel Gericke. Interestingly, Lori Stroud was not charged today.
The Daniel Gericke name is certain to raise eyebrows. Gericke, whose resume includes time at Dubai hacking shop DarkMatter, was last seen as VP of Security and IT at ExpressVPN, a company that was just sold today for $936 million. Hat-tip to Matt Suiche for finding all the connections.
Reminds me, of course, about Juan Andres Guerrero-Saade’s seminal ethics-and-perils paper. I’d give it another read today.
Supply chain security things.
- Validating the Integrity of Computing Devices: This project will demonstrate how organizations can verify that the internal components of the computing devices they acquire, whether laptops or servers, are genuine and have not been tampered with.
- This repository provides content for aiding administrators in verifying that systems have applied and enabled mitigations for hardware and firmware vulnerabilities such as side-channel and UEFI vulnerabilities.
- The NSA’s Host Integrity at Runtime and Start-up (HIRS) is a proof-of-concept prototype intended to spur interest in and adoption of the Trusted Platform Module (TPM).
- The Record is reporting on new academic research on a CPU side-channel attack that takes aim at Google Chrome’s site isolation feature.
- IBM has a new project to build supply chain security into ArgoCD.
- This project tracks and documents software supply chain attacks dating back to 2003.
Shoutout to Wired’s Lily Hay Newman for a neat attempt at defining the catchphrase:
- The Racketeer Project is a ransomware emulation toolkit for teams to simulate and test ransomware detections in a controlled environment.
- Countercept’s Chainsaw helps defenders rapidly search and identify threats within Windows event logs.
- A Twitter thread on some interesting cybersecurity innovation ideas for Microsoft.
- EXPMON (exploit monitor) is a service that analyzes files and URLs for exploit detection. This company was credited with finding the newest in-the-wild (ITW) MSHTML exploit.
- The OWASP Top 10 for 2021 includes three new categories. Here’s a visual of the changes.
Readables.
- Securing Netflix Studios at scale is required reading for cloud and appsec practitioners and program leaders.
- Apple pays hackers six figures to find bugs in its software. Then it sits on their findings.: Security researchers say Apple’s bug bounty program is undermined by Apple’s insular culture, confusion about payments, and long delays in fixing bugs. A related piece on why VC-fueled bug bounty platforms are a net-negative to the ecosystem.
- Journalists and marketers should pay close attention to this trend of VCs becoming their own media houses and hype machines.
- EGoManiac: An unscrupulous Turkish-Nexus threat actor.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.