Newsletter
06.07.2021 | 8 min read
The definitive SBOM FAQ, ransomware as terrorism
Uptycs Sponsor message: What we learned at RSAC this year
Monday blues.
RIP, Philippe: It’s a sad morning here in the podcast studio as we absorb news of the passing of Philippe Courtot, a serial entrepreneur and cybersecurity lifer who was among the first to capitalize on the power of the cloud to deliver security products and services. Back in my eWEEK reporting days, Philippe was a go-to resource for stories on network scanning and vulnerability management, and I remember him as a warm, patient man who understood how to monetize security at scale. He was a skilled marketer who made Qualys a household name after first investing in the company back in 1999. Along with the late Dan Kaminsky, Philippe Courtot belongs in the Internet Hall of Fame.
Congrats, Uptycs: If you listen to my podcast for more than 15 minutes, you know I’m bullish on security analytics platforms playing a crucial role in defending the modern enterprise. One of the companies innovating in the space is Uptycs, a U.S. company that has attracted major investor interest for its impressive SQL-powered security analytics platform (based on osquery). Uptycs just raised another $50 million and appears poised to make a lot of noise in the expanding EDR/XDR space. (Disclosure: Uptycs is a podcast sponsor.)
Innovation at the Pwnies: It’s Black Hat season and the Pwnie Award nominations are open. While we mostly focus on the point-and-laugh-at-the-loser categories (“lamest vendor response” and “most epic fail”), I love that the Pwnies do recognize innovative research and the discovery of new attack classes. In fact, this is my favorite Pwnies category. Nominate and let’s celebrate building.
Black Hat in Las Vegas: I’ll be attending the Black Hat/DEFCON summer camp in Las Vegas and participating in several adjoining activities, including a poolside cabana-con and book signing with Crossbeam CISO and Start-up Secure author Chris Castaldo. Ping me privately for the cabana details. Castaldo will be signing copies of the book for attendees.
The podcast studio is on fire with new long-form conversations on a variety of security topics, coming directly to your earholes. Here is part of the lineup for June and July:
- Anne Marie Zettlemoyer, vice president, security engineering, Mastercard.
- Allan Friedman, director of cybersecurity initiatives at NTIA in the US Department of Commerce.
- Sounil Yu, CISO at JupiterOne, on SBOMs and executive orders.
- Josh Schwartz, director of offensive security research, Verizon Media (Paranoids).
- Enveil CEO and co-founder Ellison Anne Williams on homomorphic encryption as a business enabler.
- Eclypsium CISO Steve Mancini on the push to secure the layers below the operating system.
- Aaron Portnoy, offensive security researcher and principal scientist at Randori.
- VirusTotal (Google) security engineer and threat intelligence strategist Vicente Diaz.
On to the newsletter…
The most clicked link from last week’s issue was the full transcript of my conversation with Google security leader Heather Adkins. A close second was Andy Greenberg’s piece that picked apart the intricacies of supply chain attacks. In response to Andy Greenberg’s article, Quarkslab CTO Ivan Arce wrote in to point out that the first documented discussion around software supply chain problems can be found in this June 1974 paper on the security posture of the Multics operating system. This IBM recap 30 years later is still a great read.
Do you even SBOM?
I half-mockingly tweeted the other day about a future of “SBOM vendors” solving all your supply chain security problems. However, underneath the cynicism is a realization that .gov-driven requirements around SBOM and “software ingredients” are about to become a major part of the cybersecurity dialogue:
- The definitive SBOM FAQ: This 12-page document from the NTIA covers all the tricky questions around Software Bill of Materials, the benefits and some common misconceptions and concerns. This is something to print and keep on your desk.
- I strongly recommend that security teams learn the three formats for conveying SBOM data: Software Identification (SWID) tags, Software Package Data Exchange (SPDX), and CycloneDX.
- The U.S. Commerce Department’s NTIA is requesting comments on the minimum elements for an SBOM, and what other factors should be considered in the request, production, distribution, and consumption of SBOMs. Comments are due on or before June 17, 2021.
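The fastest way to learn two of those formats is to read a document in each and pull out the fields a consumer actually needs. The script below is an added example for this newsletter, not code from the NTIA, the SPDX project or the CycloneDX project: it normalises a CycloneDX 1.4 JSON document and an SPDX 2.2 JSON document into one component list, then answers the two questions an SBOM exists for: "is package X at version Y in this build?" and "which entries lack a name, version or unique identifier?". Both sample SBOMs are constructed for the example, and the three-field baseline it checks (name, version, package-url) is the example's own assumption, not the NTIA's minimum-elements list.

```python
"""Read two SBOMs for the same build, one CycloneDX JSON and one SPDX JSON,
normalise them to a single component list and run the two checks a consumer
actually wants.  Both SBOMs below are constructed for this example; they are
not exports from any real tool or product."""
import json
from typing import Iterator, List, NamedTuple, Optional, Tuple


class Component(NamedTuple):
    name: str
    version: Optional[str]
    purl: Optional[str]   # package-url; the identifier both formats can carry
    source: str           # "cyclonedx" or "spdx"


# Constructed CycloneDX 1.4 document: parts live under "components",
# each with an optional "purl"; "dependencies" links them by "bom-ref".
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "billing-api",
                               "version": "3.2.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "openssl", "name": "openssl",
         "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "bom-ref": "jquery", "name": "jquery",
         "version": "3.5.1", "purl": "pkg:npm/jquery@3.5.1"},
        # a vendored blob with no version and no identifier: exactly what a
        # baseline-fields check should flag
        {"type": "library", "bom-ref": "vendorlib", "name": "vendorlib"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["openssl", "jquery", "vendorlib"]}],
})

# Constructed SPDX 2.2 JSON document: parts are "packages", the version is
# "versionInfo" and a purl, if present, sits in "externalRefs".
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "billing-api-3.2.0",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
         "versionInfo": "1.1.1k",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@1.1.1k"}]},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.11"},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-openssl"}],
})


def parse_cyclonedx(doc: dict) -> Iterator[Component]:
    for c in doc.get("components", []):
        yield Component(c["name"], c.get("version"), c.get("purl"), "cyclonedx")


def parse_spdx(doc: dict) -> Iterator[Component]:
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield Component(p["name"], p.get("versionInfo"), purl, "spdx")


def load_sbom(text: str) -> List[Component]:
    """Detect the format from its top-level marker and normalise it."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return list(parse_cyclonedx(doc))
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return list(parse_spdx(doc))
    raise ValueError("not a CycloneDX or SPDX JSON document")


def find(components: List[Component], name: str,
         version: Optional[str] = None) -> List[Component]:
    """The incident-day question: is this package (at this version) in the build?"""
    return [c for c in components
            if c.name == name and (version is None or c.version == version)]


def missing_baseline_fields(components: List[Component]) -> List[Tuple[str, List[str]]]:
    """Entries lacking a name, version or identifier.  The three fields are
    this example's assumed baseline, not the NTIA's minimum-elements list."""
    out = []
    for c in components:
        gaps = [f for f in ("name", "version", "purl") if not getattr(c, f)]
        if gaps:
            out.append((c.name, gaps))
    return out


if __name__ == "__main__":
    inventory = load_sbom(CYCLONEDX_SAMPLE) + load_sbom(SPDX_SAMPLE)
    for hit in find(inventory, "openssl", "1.1.1k"):
        print("found", hit)
    for name, gaps in missing_baseline_fields(inventory):
        print("incomplete entry:", name, "missing", gaps)
```

Two things the sample is built to show: the same openssl build appears in both documents with different package-urls (`pkg:generic/...` versus `pkg:deb/debian/...`), so matching on identifier alone across producers is not reliable and a name-plus-version match is the fallback you will actually use; and the entries with no version or no identifier are the ones that make an SBOM useless on the day you need it, which is why the minimum-elements discussion matters.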
Ransomware as terrorism?
The U.S. government’s sudden interest in fighting the ransomware epidemic hit a new gear this week with a warning that ransomware hacks will be treated with the same priority as terrorism and the FBI director comparing ransomware to the 9/11 terror threat. The story is being reported as a clerical process to make sure all data-extortion attacks are reported into Washington DC, but there may be some spillover side-effects that could affect CISOs.
Some relevant Qs as .gov starts to follow the money: Will this affect ransomware payments? Does this add new wrinkles to existing reporting mechanisms? Where in the security response playbook does this belong? Mayor of Cybertown™ Chris Krebs has some thoughts on how this all plays out.
Separately, pay attention to this White House memo from Anne Neuberger on steps private businesses can take to ward off ransomware wealth transfer gangs.
Offensive security research things.
- Google Project Zero’s Tavis Ormandy has written another essay arguing against third-party password manager browser extensions, not only because of implementation errors but because extensions can neither isolate their trusted UI from web content nor stay within the browser’s sandbox model. Tavis writes: “If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions. I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.”
- Corellium’s co-founder and chief architect is on the Black Hat calendar with a talk on the internals of Apple’s new M1 machines: “The talk will cover interesting quirks of Apple’s ARM architecture variant, such as memory access issues (and how to recognize them) and the novel AMX vector instruction set. We’ll describe design patterns commonly employed by these SoCs, as well as give a short introduction to USB 4, which made its debut on them.”
- GitHub CISO Mike Hanley has shipped an update to the company’s controversial policies on hosting malware and proof-of-concept exploits on the Microsoft-owned platform. GitHub says it will explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits, but will NOT allow GitHub to be a party to unlawful attacks that cause technical harm.
- Inspired by an infamous blog post, bug bounty hunters took aim at Apple and scored $50,000 in rewards for finding some serious security problems. Separately, shoutout to Google for expanding its research grants program, which lets bug hunters get paid even if they don’t find any vulnerabilities.
Security training freebies galore.
- A fantastic collection of slides and recordings on mobile security, including a quick history of smartphones, Android architecture and security, iOS security, and mobile malware. Thanks to Clint Gibler’s tl;dr for the pointers.
- Google has launched Security by Design on Google Play Academy to help developers identify, mitigate, and proactively protect against security threats.
- A comprehensive list of cybersecurity sub-reddits covering almost everything.
Open source security goodie bag.
- Patrolaroid is an instant camera for capturing cloud workload risks. It’s a prod-friendly scanner that makes finding security issues in AWS instances and buckets less annoying and disruptive for software engineers and cloud admins.
- Zoom CIS Compliance Scans lets you run individual configuration, compliance and security controls, or the full CIS benchmark for Zoom, against your Zoom tenant.
- PRET is a printer exploitation toolkit that connects to a device via network or USB and exploits the features of a given printer language. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory, or even causing physical damage to the device.
- Capital One’s DataProfiler is a Python library designed to make data analysis, monitoring and sensitive data detection easy.
Have a fantastic week.
_ryan
PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.
[ Sponsor message: MongoDB is proud to support and sponsor The Diana Initiative, an event focused on women, diversity and inclusion in information security. Register here for the virtual conference, scheduled for July 16-17, 2021. ]