Hello friend,
Monday blues, 3/29/2021.
Finally, thanks to incredible reporting by MIT Tech Review’s Patrick Howell O’Neill, we now understand Google’s deliberate secrecy around all those Chrome and iOS zero-days. Patrick essentially confirmed what I’ve been hinting at here in these columns: that Google discovered parts of a FEYE counter-terrorism operation that included exploit chains for the latest and greatest iPhone and Android devices.
I encourage you to read the entire article (this newsletter gets a shoutout!): Google’s top security teams unilaterally shut down a counterterrorism operation.
In summary, Google’s universe-scale telemetry gave its researchers a perch to observe an apex APT group that burned through 11 0days over the course of nine months. Turns out, Google was observing an “active counter-terrorist operation” conducted by an unidentified Western government.
The story digs deeper into the ethics and perils of private sector research teams finding and disrupting so-called “friendly” FEYE malware. To be clear, Google’s blog post was largely just a public flex and didn’t advance defense in any way. By the time of that publication, the 0days — at least the ones Google found — had already been flagged and it’s a safe bet the operator was given a back-channel heads-up about certain discoveries and decisions on patching.
If you think that’s hyperbole, here’s an incredible line from Patrick’s story: “Several members of Google’s security teams are veterans of Western intelligence agencies, and some have conducted hacking campaigns for these governments.”
And while there may have been contentious Googleplex meetings about how to handle the disclosure of these bugs — all appropriate meetings, fyi — I’m happy that Project Zero opted to quickly work with Apple and the Chrome/Android teams to patch the security holes. The publication of the blog — again, without IOCs — came a full five months after Google first disrupted the campaign. High-end APT groups cater for this in their playbooks.
It’s curious that Project Zero is choosing to use this for marketing attention, but I’m not entirely sure I understand Google’s threat-intelligence business ambitions. There’s no entity on earth (I include Microsoft here) with the quality and scale of visibility/telemetry into global malicious activity and these hiccups will become commonplace.
My friend Juan warned about this many moons ago and the chickens are coming home to roost. We’re leaving it up to private sector research teams to make decisions on what the rest of us need to know about the threat landscape.
This is a tricky world filled with obvious double-standards and hypocrisy. And it will only get worse.
On to this week’s newsletter…
New podcast advisory.
It brings me great joy to share the latest episode of the show, an interview with the fascinating Nico Waisman, who heads up security and privacy at Lyft. I’ve known Nico for many years, observing his career as a pioneer of the offensive security research industry and a prominent part of the Argentinian hacker scene.
Nico is a great storyteller and it shouldn’t come as a surprise to learn he studied journalism and never considered himself a technical wizard. My favorite part of this conversation was Nico’s breakdown of the emotional roller-coaster of finding and exploiting software vulnerabilities.
🎧 Listen to our conversation here.
Coming up next week, a conversation with MongoDB CISO Lena Smart.
7 years after Heartbleed.
From the department-of-feeling-old department comes this reminder from Cloudflare that Heartbleed was seven years ago and, in the time since, we’ve mitigated quite a lot, including the addition of things like secure key separation (Keyless SSL, DCs), OCSP must-staple support, and configurable certificate lifetimes (from one year down to two weeks).
Although the Cloudflare blog reads like marketing copy, I think this is the kind of gradual innovation we should collectively applaud. 👏
Firmware under the crosshairs.
Eclypsium’s latest firmware threat report points to a really worrying trend: a dramatic surge in in-the-wild malware campaigns targeting attack surface below the traditional operating system. Attacks at this layer remain largely invisible, and these discoveries mean one of two things — we are getting better at finding them; or, ominously, we’re only now starting to find the noisier ones.
Here’s firmware threat activity for just one month (March this year):
- Keksec leveraging Citrix Netscaler RCEs; Fbot targeting transportation device firmware.
- Crypto-miners hitting storage devices.
- Researchers cracking into 150,000 security cameras.
- Working POC exploits for Spectre leaked in an exploit pack, along with researchers demonstrating browser-memory Spectre-based POC.
- Side-channel attacks against Intel CPUs [PDF], leveraging machine learning to de-noise traces and leak bits.
CISO pay and average time on the gig.
One of my favorite things to read is the results of the Hitch Partners CISO survey, which covers everything from compensation to reporting structure to the ongoing problem of staff turnover and churn that continues to haunt enterprise security programs.
Some highlights for your general awareness:
- As of 2019, the average tenure for a CISO in their current role amongst survey participants was 2 years, 7 months (31 months).
- CISOs experienced a 12% average increase in total comp in 2019. West Coast and Northeast companies pay the most but WFH will likely see shifts here.
- The CISO is now reporting directly to the board of directors on a regular basis and this is expected to remain.
Things to read and see.
- From Rand Corp., the life and times of zero-day vulnerabilities and their exploits [PDF].
- Inspired by Kim Zetter’s book on Stuxnet, an artist created this piece of art. It was immediately bought by Cloudflare CEO Matthew Prince.
- Google Cloud CISO Phil Venables with an essay on cybersecurity being a winner’s game and a loser’s game.
- The Black Hat 2020 talks are all live on YouTube. Binge away.
- PhishCatch, from Palantir, is a browser extension and API server for detecting corporate password use on external websites.
Have you bought your VC Starter Kit?