04.26.2021 | 5'' read
Remembering Dan Kaminsky (1979-2021)
[ On Thursday, May 6 at 12p EST, I’ll be moderating a live discussion with head of Uptycs threat research Amit Malik on the recent MITRE FIN7/Carbanak evaluation. Register here and come with your questions ]
Hello friend,
Was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open).
Monday blues. Remembering Dan Kaminsky (1979-2021)
I don’t handle news of death well, especially the sudden passing of folks younger than me. Dan Kaminsky’s sudden death over the weekend, at the age of 42, hit me particularly hard. My body shook uncontrollably in spurts and I could not leave the couch for hours.
I knew Dan only from work-related interactions but I felt like we were friends. I first met him in the early 2000s, at the height of his annual Black Ops presentations at Black Hat and DEFCON. Back then, he used the “Effugas” handle and scored Black Hat talks without having to submit CFP proposals.
Dan was extremely generous with his time, especially with journalists covering his complicated research work. He proactively reached out to correct, clarify, or add context to stories I wrote over the years (even on things unrelated to his work). He wasn’t just focused on his work, but was passionate about making things better in other areas, whether that was clarifying complicated security concepts for other people or working on side projects.
We had some interesting fights over the years, but the most tense was the time I accused him of selling out to Microsoft during the infamous Windows Vista pen-test. At the time, Microsoft had essentially leased the security research community for the “largest ever penetration test” of a Redmond OS, and because of strict NDAs, the once-noisy hackers were no longer taking my calls to talk about Microsoft’s security problems.
The ensuing debate with Dan was professional and friendly, but he wasn’t happy with my insinuation and he let me know it. In Dan’s mind, Microsoft’s decision to embrace the hacker community was noble, genuine and would positively impact security for billions of users around the world. He stood by those convictions and taught me an important lesson about zooming out and understanding the long-game impact of the work we do.
The same theme would reemerge in 2008 when he found himself embroiled in a “partial disclosure” controversy that rankled his security peers who felt he was over-hyping an issue to promote a Black Hat presentation. The result was a long, detailed explanation, directly from Dan, that emphasized making the end users the priority. An example of his empathy for the user is perfectly illustrated at 21:35 of this testy discussion with some of his most vocal peers.
While he will be most celebrated for the great DNS vulnerability or the Vista pen-test that killed Clippy, Dan’s legacy includes work on the “Paketto Keiretsu” tools to manipulate TCP/IP networks, authorship of spoofing and tunneling chapters in seminal books on network security, and the integration of VPN-style functionality into OpenSSH.
Dan was the original rock-star hacker, a media-savvy presenter who issued important security warnings with humor and candor. He was in heavy demand but, somehow, always had time to help a friend.
He was beyond generous to me, at times when it would have been easy for him to decline my nonstop requests. When I asked him to keynote the SAS conference in 2015, he took a ridiculous number of connecting flights to show up on time and deliver a kickass presentation. When he couldn’t help, he would call and offer alternatives and make sure I was properly connected to the right people.
Daniel Michael Kaminsky was a real one. I will miss him dearly. We all will.
On to the newsletter.
- The most clicked link from last week’s issue was Kim Zetter’s piece linking the Atlantic Council ENFER description to the just-sanctioned Positive Technologies.
New podcast episodes.
🎧 On the show this week, Crossbeam CISO Chris Castaldo explains why he enjoys briefings and demos with security vendors. Also catch my conversation with Assetnote CEO Shubs Shah on how he found riches (and lessons) from participating in global bug bounty programs.
Sponsor message: Going on the ATT&CK versus FIN7 and Carbanak
The 2020 MITRE ATT&CK vendor evaluation results have been released! This is the first time the evaluation has focused on financially motivated criminal groups, in this case Carbanak and FIN7, which heavily target retail and financial services industries. Uptycs was among 30 vendor participants in this round and this blog looks at the significance of these threat groups and breaks down the fascinating simulation and evaluation process.
Supply chain pain.
- HashiCorp has confirmed it is a victim of the Codecov supply chain attack. The GPG private key used to sign hashes to validate product downloads was exposed.
- The University of Minnesota is apologizing to the Linux community after being banned for contributing patches to the Linux kernel. It’s a messy, complicated story.
- Sam Curry: The keys to future supply chain integrity.
- SolarWinds CEO with some real-talk: “If a nation-state attacker wants to compromise your network or assets, it’s going to be a matter of when — and not if.”
- How a WhatsApp status loophole is aiding cyberstalkers.
- Large-scale abuse of contact discovery in mobile messengers (direct PDF).
- Signal founder Moxie Marlinspike hacks Cellebrite and leaves a cryptic warning (bluff?) in the final paragraph. The video in the blog is everything.
- Use the Am I FloCed? website to see if you’re a target of Google’s new tracking feature.
- Lea Kissner leaves Apple to head up privacy engineering project at Twitter.
- Apple releases iOS 14.5 today with a ton of security fixes, including a WebKit bug that’s being exploited in the wild. Also, new emojis!
_ryan
PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.