Newsletter

08.03.2021 | 4'' read

Making the case for responsible cyber offense

by Ryan Naraine

* Get in touch for information on sponsoring the newsletter and podcast. Slots are limited.

Personal notes.

  • Catch my appearance on Recorded Future’s podcast where I ranted and raved about things I like — and don’t like — about the security industry. Lazy marketers get extra attention.
  • I’ll be moderating and hosting a few sessions at SecurityWeek’s ICS Cybersecurity Conference (CFP is still open) in Atlanta on October 26-28. Register here and hopefully I’ll see some of you in the ATL.

The most clicked link from last week’s issue was Twitter’s new account security transparency report that shows stagnant multi-factor authentication adoption numbers.

Monday blues.

Not much to say on a very, very busy week for those of us watching the cybersecurity industry.

I’ll be spending most of the coming days monitoring news and trends coming out of the Black Hat/Defcon conferences. While everything feels different this year (in a not-so-good way), I’m impressed by the quality of talks on the agenda. Daniel Cuthbert picks some really good ones. Best of luck to all the organizers, speakers and participants. I hope you have a productive week.

P.S. Consider this your weekly reminder to reboot your phone (iPhone or Android) as an important security measure.

_ryan


A word from our sponsor (Startup Secure)

Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure by CISO Chris Castaldo breaks down the essentials so you can determine what is right for your start-up and your customers. You’ll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Buy the book.


Pegasus spyware watch.

There’s never a dull moment in this NSO Group/Pegasus high-end spyware scandal that continues to spotlight the shenanigans of these PSOAs (private sector offensive actors):

Responsible cyber offense.

This op-ed has four bylines and is an important part of a nuanced conversation around the U.S. response to nation-state attacks:

The sense of crisis created by these two operations should not be wasted. Despite critical preventive efforts, offensive operations will continue apace in the foreseeable future — conducted by the United States, its allies and its adversaries. The choice is whether and how to engage in them responsibly and minimize cost to societies. For there are better and worse ways for governments (and their explicit or de facto contractors) to operate in cyberspace. Benign countries should cooperate now to promote verifiable, technical norms for responsible offensive cyber operations.

The piece offers suggestions for responsible offensive behavior, including the importance of testing hacking tools before use, avoiding indiscriminate targeting, prohibiting certain targets, constraining automation and preventing criminal/third-party access to backdoors.

TPM sniffing attacks.

The Dolos Group published a detailed walk-through of how they extracted the TPM-protected BitLocker keys from a “stolen” laptop as part of a penetration test, by sniffing the traffic between the TPM chip and the CPU while the machine booted. Hardware hacker Trammell Hudson digs deeper into TPM sniffing attacks and offers some protection suggestions.
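The configuration a bus-sniffing attacker needs is a volume whose only TPM-bound protector is the plain “TPM” protector: the TPM then releases the volume master key at every boot with no user secret, so whatever crosses the bus can be captured. The script below is an added example, not code from either write-up, for auditing a Windows fleet for that configuration and, where found, requiring a pre-boot PIN. It assumes the built-in BitLocker PowerShell module, an elevated shell, and (on domain-joined machines) that the “Require additional authentication at startup” policy allows a TPM PIN; the function names are mine.

```powershell
# Added example (not from the Dolos or Hudson write-ups). Requires the BitLocker
# module and an elevated PowerShell session.

function Get-BitLockerTpmExposure {
    # One row per BitLocker volume, flagging volumes that rely on a TPM-only
    # protector. KeyProtectorType values are those returned by Get-BitLockerVolume:
    # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, RecoveryPassword, ...
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpmOnly   = $types -contains 'Tpm'
        $hasTpmPlus   = ($types -contains 'TpmPin') -or
                        ($types -contains 'TpmStartupKey') -or
                        ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            # Exposed: the TPM will unseal the VMK at boot without any user secret.
            SniffingExposed  = $hasTpmOnly -and -not $hasTpmPlus
        }
    }
}

function Add-PreBootPin {
    # Remediation for an exposed OS volume: add a TPM+PIN protector, then remove
    # the plain TPM protector so the TPM cannot be driven to unseal without the PIN.
    # Destructive by design; run deliberately, not as part of the audit.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    $tpmOnly = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
               Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Get-BitLockerTpmExposure | Where-Object MountPoint -eq $MountPoint
}

# Audit: print every volume and whether it is exposed to a TPM sniffing attack.
Get-BitLockerTpmExposure | Format-Table -AutoSize

# Remediate the OS volume only after confirming a recovery password is escrowed
# (Protectors column should include RecoveryPassword), e.g.:
#   $pin = Read-Host -AsSecureString 'Pre-boot PIN'
#   Add-PreBootPin -MountPoint 'C:' -Pin $pin
```

A PIN does not stop the bus from being sniffed; it stops the TPM from unsealing the key until the secret is typed, which is what removes the “steal it, boot it, capture it” path. Keep the recovery password escrowed before touching protectors, since removing the last working protector on a running volume is a good way to lock yourself out.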

Leftovers.

Tangentially.

The story of Chobani is so wholesome and also a good example of how companies can get funded outside of VC. Taking big risks, Chobani founder Hamdi Ulukaya went all-in betting on his heritage and a powerful emerging consumer trend.

* Full Security Conversations podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
