- The most clicked link from the last newsletter was Patrick Howell O’Neill’s piece on data from Atlantic Council that claims to paint a detailed picture of the ways Western companies are selling cyber weapons and surveillance technology to NATO’s enemies.
Note.
- I’ll be moderating an exciting roundtable discussion on threat intelligence, nation-state malware attacks, and the use of IOCs and data to combat ransomware at SecurityWeek’s Threat Hunting Summit. November 17, 2021. Register here.
Let’s talk about Zoom for a minute. In every corner of the world, Zoom is a mandatory piece of software to get any work done. It’s installed on billions of Windows and macOS machines, tightly integrated with calendars to provide the communications plumbing for all our virtual meetings and events.
About 19 months ago, Zoom leased a visible section of the security research community — including cyber super-influencer Alex Stamos — as part of a very public 90-day plan to shore up its security, privacy and safety posture. Immediately after, Zoom bought Keybase (yeah, I scratched my head at that one too) and talked about building enterprise E2E capabilities at scale.
The Zoom software is also riddled with security vulnerabilities. Some of these flaws are devastatingly bad. Zoom has been rolling out high-risk patches on what appears to be a monthly cadence but, inexplicably, Zoom users are never given this information.
Zoom does not have a self-patching, auto-updating mechanism. This is considered a minimum requirement for internet-connected software but, in 2021, Zoom does not offer this. Instead, Zoom users must manually check for updates (that’s also a bit of an adventure) and, even when one is available, there’s zero documentation on the vulnerabilities being patched. If you scroll down the release notes long enough, you’ll eventually find a line about “security enhancements” on offer.
This is disgraceful. At minimum, Zoom and its influencers should insist on automatic updates for everyone. Proper disclosures about the severity of fixes should also be standard. This isn’t asking for much.
In the same vein, weren’t you expecting all those threat-intel/darkweb monitoring badass vendors to claim the multi-million dollar rewards for tracking down the DarkSide/REvil ransomware gang leaders? Me neither.
_ryan
On to the newsletter…
- ProcessUnity’s Cybersecurity Program Management (CPM) is a single, comprehensive platform for centrally managing an organization’s cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. Request a demo.
- Symmetry DataGuard helps you protect what matters most. Start with a sealed, read-only service in your cloud. Point it at your data stores and fine-grained query logs. Get a risk map with at-risk data objects and suggested interventions. Get in touch today for a demo.
Breaking stuff.
- After a 10-year run, Nicole Perlroth is leaving the cybersecurity beat at the New York Times.
- Microsoft-owned GitHub is flagging another batch of major security problems in the npm registry. Security chief Mike Hanley explained the headaches. “This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously.”
- Mandiant is linking the Belarusian government to the ‘Ghostwriter’ APT campaign. European officials previously blamed Russia.
- Despite the best efforts of the most aggressive law enforcement agencies, the Emotet botnet is alive and kicking again.
- The FBI had some mail server security problems over the weekend.
- Randori got itself some free publicity — and a lot of criticism — with the public admission that it hoarded and used a Palo Alto VPN zero-day for almost a year before reporting it to the vendor.
- The U.S. Department of Treasury is partnering with Israel on a task force to share information and train staff on responding to the massive ransomware wealth transfer.
- This slide from a fascinating talk at CYBERWARCON calls attention to the merging of Iranian APTs and ransomware actors. I predict Iran will rival the North Koreans for hacks against cryptobanks and ransomware money heists.
- A new bill — the Ransomware and Financial Stability Act (H.R.5936) (PDF) — aims to make it illegal for financial firms to pay ransoms over $100,000 without first getting the government’s permission.
- CISA has published cybersecurity incident and vulnerability response playbooks.
JD Work on Cyber weaponry.
This op-ed by JD Work takes an interesting look at how China is using hacking contests to serve as a type of military parade showcasing skills and capabilities. In China Flaunts Its Offensive Cyber Power – War on the Rocks, Work argues that the Tianfu Cup competition in Chengdu is a remarkable display of cyber-weaponry that conveys several key messages to an international audience.
Key quote: “The Tianfu competition demonstrated the continued ability to hold key Western systems and networks at risk, highlighted the substantial depth of China’s offensive cyber inventories, and showed off a talent base of aggressive hackers undeterred by blowback from international exposure of its activities. Taken in total, this signaling also seems to suggest a trajectory towards a surprising future in which China’s offensive cyber power surpasses that of the West.”
This is another nuance to the .gov 0day ecosystem worth your attention.
Security essays.
- Chris Rohlf argues that the oft-criticized fields of AI/ML will revolutionize the way software is written and calls for the U.S. government to invest in AI as a cybersecurity tool.
- Google’s Phil Venables proposes a framework to judge the maturity of a company’s cybersecurity program. This is useful alongside the minimum viable secure product checklist every time you want to see if a company is really “a leader in cybersecurity.”
- Ryan McGeehan on how to estimate legal costs from a data breach.
- Catch Jason Chan’s BSidesRDU talk. It offers important lessons from a security leader who has built/done it all.
- Facebook hired NCC Group to assess the security of E2E encrypted backups in WhatsApp. Here’s the technical report on what they found (PDF).
- Wiz researchers provide a technical blow-by-blow of their Azure Cosmos DB mega-hack. Impressive research work.
- The accelerometer in your iPhone is leaking all kinds of sensitive data to the likes of Facebook, Instagram, WhatsApp, Slack, TikTok, Twitter and WeChat.
- A look back at Project Memoria, a security research project that netted 97 vulnerabilities affecting TCP/IP stacks.
Tangentially.
Wanna check an iPhone for traces of the Pegasus .gov spyware? Here are the instructions from Amnesty International’s Claudio Guarnieri.