Newsletter

[ Security Conversations thanks the following sponsors for supporting the production of our high-signal, low-noise coverage of the cybersecurity industry: Uptycs (SQL-powered security analytics), Eclypsium (firmware security), Symmetry Systems (data visibility and protection), MongoDB (general purpose database platform) and SecurityWeek (enterprise security news and analysis  ]

Was this newsletter forwarded to you?  Sign up here!  Say hello on Twitter (DMs are open).

---

Monday blues. 

I know it’s tough to get excited about another freakin’ virtual event but I wanted to flag this really strong agenda at this week’s Threat Intelligence Summit for your awareness.  I’ll be kicking off the day tomorrow with a fun live fireside chat with Thomas Rid, professor of strategic studies at Johns Hopkins School of Advanced International Studies.

The author of Active Measures: The Secret History of Disinformation and Political Warfare will join me to decipher the threat-intelligence discipline, nation-state connections to ransomware attacks, supply chain security implications, and the nuance of properly describing certain types of security incidents.

On Wednesday, I’ll be moderating a separate discussion with threat-intelligence practitioners on the currency of IOCs and how crowdsourced data can drive threat hunting at scale. Discussion victims include Gusto CISO Fredrick ‘Flee” Lee, Armorblox CTO Rob Fry and Prevailion CTO Nate Warfield.

Separately, there’s a really strong talk by Microsoft’s John Lambert on the evolution of data sharing, an ‘inside story’ presentation from Volexity’s Josh Grunzweig on he Microsoft Exchange hack, and an all-CISO panel on connecting threat intelligence to securing the software supply chain.

Needless to say, I can’t recommend this event enough tomorrow and Wednesday. Even the sponsor sessions look particularly interesting (imagine!).

More mysterious Android/MacOS zero-day attacks

The deluge of zero-day attacks hitting victims across all major computing platforms is more eyebrow-raising everyday. Just this week, Google quietly updated an Android bulletin to add the dreaded “may be under lim ited, targeted exploitation” language but, as is the norm, there are no IOCs or any documentation to help defenders.

Shout-out to Ars Technica scribe Dan Goodin for calling out on the vague, meaningless language that leave defenders more puzzled and protected.  Google’s Shane Huntley not only joined the discussion with an explanation of sorts, but he DM’d me his tweet to make sure I saw that Google was aware of the frustrations.

“We are working to provide more information where possible on what we observe but it is a trade off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can,” Huntley explained.

Several Googlers privately cited the “potential exposure of sources and methods” reality as the main reason for the lack of transparency around IOCs and other useful data.

While I was blinking through scribbling this note, I just noticed that Apple just dropped another batch of MacOS patches with the mysterious “this issue may have been actively exploited” buried in a bulletin.  Nothing more.  Just that an attack happened, and here’s a patch, and good luck.

We’ve somehow normalized this, because big companies like Google and Apple refuse to set a better standard.  And the beat goes on, week after week, month after month.

_ryan

---

On to the newsletter.

• The most clicked link from last week’s issue was Tencent Keen Lab’s hack of the Mercedes Benz infotainment system that produced five CVEs (4 remote code execution).

​🎧  On the show this week, I sat down with outgoing head of offensive security research at NVIDIA Alex Matrosov to discuss the state of security at the firmware layer, the need for specialized reverse engineering skills, the limits of hardware bug bounty programs and the future of advanced malware analysis.

The ransomware epidemic is causing some major hiccups in the cybersecurity insurance market and the U.S. government’s watchdog group is warning that insurers are jacking up premiums and cutting back on coverage in healthcare and education.The U.S. GAO issued a 26-page report (pdf) with a few major warnings:

DarkReading‘s Rob Lemos has related coverage of global insurer AXA refusing to reimburse French companies for ransomware extortion payments to cybercriminals.  This news comes right after another insurance powerhouse CNA Financial confirmed it shelled out $40 million to purchase decryption keys to help with a ransomware attack.

Meanwhile, when marketing trumps security, we end up with stories like this.  Sigh.

Tangentially.