Newsletter

09.14.2021 | 5'' read

Legal trouble for ex-NSA mercenary hackers

by Ryan Naraine

The most clicked link from the last newsletter was Sage Lazzaro’s VentureBeat article VC funding in cyber and all the negative downstream side effects.

Notes.
  • Crazy busy, heads-down and headphones cranked up editing new podcast interviews with Anne Marie Zettlemoyer (VP, Security Engineering, Mastercard), Aaron Portnoy (Principal Scientist, Randori), Mohit Tiwari (CEO, Symmetry Systems) and Vicente Diaz (Security Engineer, Google VirusTotal).
  • 🎧 New podcast advisory: Intel’s Venky Venkateswaran discusses hardware-enabled security and the chipmaker’s cybersecurity investments.

Monday blues. 

Back in March, I wrote in this very newsletter about the surge in zero-day attacks targeting software from the big shops — Microsoft, Apple and Google — and tried to argue that this was positive confirmation that defenders were getting better at detecting these high-end exploit chains.

This week, things took another major turn with all three vendors announcing exploitation of zero-days in software products used by billions around the world.  While the vendors are quick to minimize these as “extremely targeted,” the reality is quite sobering.

Here is a sample of my own coverage just this week:

According to publicly available data, there have been 66 documented zero-day attacks so far in 2021.  The bulk of those target code from Microsoft, Google and Apple, but the raw truth is that high-end adversaries are burning through expensive zero-day chains at record levels.

It’s also clear that threat actors are paying attention to security defects in software packages from vendors we’ve never heard about.  I had never heard of SolarWinds, or Kaseya, or Codecov before they were smacked by zero-days.  Expect more of these.

In the meantime, try to remember to reboot your iPhones once a week.  That’s all I got.

_ryan

On to the newsletter…

ExpressVPN and Hackers in Dubai

I delayed sending this newsletter to drop a few lines about this Chris Bing breaking piece on the U.S. filing criminal charges against ex-NSA hackers working as mercenaries in Dubai, UAE.

The story is long and winding and was first told in this Project Raven investigation that documents the work of Lori Stroud and others who were recruited to move to Dubai to engage in surveillance of other governments, militants and human rights activists critical of the monarchy.

Here’s the U.S. government’s case against Marc Baier, Ryan Adams and Daniel Gericke.  Interestingly, Lori Stroud was not charged today.

The Daniel Gericke name is certain to raise eyebrows.  Gericke, whose resume includes time at Dubai hacking shop DarkMatter, was last seen as VP of Security and IT at ExpressVPN, a company that was just sold today for $936 million.  Hat-tip to Matt Suiche for finding all the connections.

Reminds me, of course, about Juan Andres Guerrero-Saade’s seminal ethics-and-perils paper.  I’d give it another read today.

Supply chain security things.

Zero Trust, explained.
Ever since the words “zero-trust” appeared in the Biden EO on cybersecurity, the nonsense hype machine has spun into overdrive.  Vendors have tweaked websites to add “zero trust” to their marketing spiel.  Zero trust is everywhere, but few people understand what it really means.

Shoutout to Wired’s Lily Hay Newman for a neat attempt at defining the catchphrase:

If you talk to enough zero-trust advocates, the whole thing starts to sound a bit like a religious experience. They consistently emphasize that zero trust isn’t a single piece of software you can install or a box you can check, but a philosophy, a set of concepts, a mantra, a mindset. They describe zero trust this way partly in an attempt to reclaim it from all the marketing doublespeak and promotional T-shirts that have attempted to paint zero trust as a magic bullet.

On a related note, to get a better understanding of the U.S. government’s interpretation of zero-trust, this guide from CISA is everything you need.

Research things.

Readables.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
