Newsletter

• My thanks to Uptycs and Armorblox for generously supporting the Chris Castaldo Startup Secure book-signing event in Las Vegas on August 4, 2021. Sign up here to secure an invitation.
• I’ll be attending and participating in SecurityWeek’s ICS Cybersecurity Conference (CFP is open) in Atlanta on October 26-28.  This is a long-running confab on securing ICS/SCADA and industrial networks. Register here and hopefully I’ll see some of you in the ATL.
• Last week, I hosted two sessions at the Cloud Security Summit, including a Q&A with Forgepoint Capital managing director Will Lin. We talked about the surge in VC cybersecurity investments, the true size of the market, and the hype/trends worth watching carefully.  Catch it on-demand here.

Monday blues.

On these pages a few weeks ago, my exasperated tone touched a nerve with readers:

While some folks shared my blunt assessment, I caught some flak for being overly pessimistic and dismissive of a lot of hard work to secure every layer of computing. I was reminded that we have biometric e-commerce on phones (“Don’t forget you can simply look at your iPhone and make a secure payment in a supermarket!”); we have solid foundational tech/processes in place (“the zero-trust security model works!”); and we have tools like password managers and multi-factor authentication apps to avoid ID-theft or phishing attacks.

True, we’ve seen decades of innovation that have truly raised the cost for attackers. Spam as a daily annoyance is mostly solved and modern web browsers do all the heavy security lifting to keep hackers at bay.

Yet, I can’t shake the disconnect between all that spending and innovation and the reality on the ground, where silent supply chain compromises wreak havoc, ransomware infections affect gas distribution in a major U.S. city, mercenary hacking groups sell zero-days to mysterious customers, and we still can’t click on links or open attachments with confidence.

As far as we’ve come, it feels like we’re chasing a tail that’s disappearing in the distance.  Attack surfaces are expanding faster than we can react to securing them and there’s still too much friction with adopting the best available security tools.  Twitter offers a wide range of MFA tools but barely 2.3 percent of users have enabled one form of password-verification and, even then, most choose the weaker, already-broken SMS method.

Beyond low-end ransomware infections (it’s really bad and getting worse!), zero-day attacks are surging against the most modern, hardened computing devices. Just this week, Apple responded to the 13th instance of actively-exploited zero-days in iOS and macOS devices.  At Google, the 2021 zero-day count stands at eight while attacks against products from Microsoft, Solarwinds and Kaseya remain easy targets.

Meanwhile, let’s not ignore how the money and hype cycle adds to the confusion and apathy. This New York Times story on venture capital investments may make you cringe.  Here’s a snippet:

Even as data shows that users are rejecting multi-factor authentication tools, 1Password has a massive new funding round that values the company at $2 billion.  🤷‍♂️

It all makes my head spin. Hang in there and have a productive week.

_ryan

Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure by CISO Chris Castaldo breaks down the essentials so you can determine what is right for your start-up and your customers. You’ll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Buy the book.  If you’re in Las Vegas for Black Hat, come to our book signing hangout.

The NSO and the mobile ‘surveillance list’

The explosive story on Israeli surveillance vendor NSO Group and the Pegasus malware has expanded in multiple directions since last week:

• NSO has published a new statement focused on the “list” of phone numbers leaked, insisting all the public claims regarding targets are erroneous and part of a vicious and slanderous campaign.
• Indie journalist Kim Zetter analyzes all the public reporting around the list of phone numbers and comes up with some interesting questions and answers.
• Several prominent U.S. lawmakers want the U.S. government to be more proactive in dealing with these private-sector companies that trade in high-end spyware are cyber-intrusion tools.
• From the Times of Israel:  “Defense Minister Benny Gantz was scheduled to depart on Wednesday for a brief visit to France, where he will meet with his French counterpart to discuss a range of issues, including the controversial Israeli cyber firm NSO Group, whose software may have been used to target French President Emmanuel Macron.”
• WhatsApp chief Will Cathcart has a lot to say about this murky industry in this Q&A:  “I would love to see all the other tech companies stand up, talk about this problem, talk about the victims, talk about the principles at stake, and do everything they can to put a stop to it.”
• If you want to binge deeper into this scandal, here’s a very good “everything you need to know” collection.

• Crossfeed is a new open-source utility from CISA that continuously enumerates and monitors an organization’s public-facing attack surface in order to discover assets and flag potential security flaws. The documentation is fantastic.

Important stories that may have gotten lost.

Some eyebrow-raising stories of cyber-attacks with real-world human consequences keep getting lost amidst all the noise:

• South Africa’s state-owned port and rail company Transnet says a cyberattack five days ago continues to cause disruption at Cape Town and other major ports.
• Iran’s railroad system came under cyberattack on July 9 with hackers posting fake messages about train delays or cancellations on display boards at stations across the country. The hack led to “unprecedented chaos” at rail stations. Somehow, I think there’s a lot more to this story.

Readables.

• A long-form Q&A with former congressman Will Hurt on ransomware, China, and the race the U.S. can’t afford to lose.  I’m still bummed at the way Hurt was invited, then disinvited from keynoting the Black Hat conference a few years ago.
• From the Cyentia Institute [PDF]: This study is an attempt to stitch together a more complete view of the application security elephant. We examine published industry reports from multiple sources to develop a better understanding of the frequency and role of application exploits in security incidents. Along the way, we’ll demonstrate the challenges of multi-source analysis and offer recommendations on how research producers can make it easier for those who want to piece together the bigger picture.
• Twitter’s new account security transparency report is a depressing look at the state of multi-factor authentication adoption at the social media giant.
• Google is planning to expand the availability of its “shared fate” risk protection program that connects customers with cyber-insurance providers.
• John Hammond from Huntress has a must-read blow-by-blow of his attempts to discover the origins of the Kaseya mass-ransomware incident.

• A collection of hacker tools using HackerOne’s API.
• Lists, manuals, cheatsheets, blogs, hacks, one-liners, and more.
• StopRansomware.gov is the U.S. government’s official one-stop location for resources of dealing with data-encrypting malware attacks.
•  A thought-provoking essay from professional bug-bounty hunter Shubham Shah on the controversies surrounding triage and management of new vulnerability reports.

* My thanks to Uptycs and Armorblox for generously supporting the Chris Castaldo Startup Secure book-signing event in Las Vegas on August 4, 2021. Sign up here to secure an invitation.

* Full Security Conversations podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.