Newsletter
05.03.2021 | 6 min read
Security vendor ‘awards’ are meaningless
Hi friends, a quick reminder: On Thursday, May 6 at 12p EST, I’ll be moderating a live discussion with head of Uptycs threat research Amit Malik on the recent MITRE Engenuity FIN7/Carbanak evaluation. Register here and come with your questions.
Was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open).
Monday blues.
Security marketers, let’s have a very short talk. Watch this YouTube video and tell me honestly: would you purchase anything from this man? Why are so many of you celebrating these nonsense awards from his organization? Look at this list. If everyone wins, how is anyone winning?
We complain a lot about FUD and snake oil ruining this industry, but so many reputable companies are getting sucked into this pay-for-an-award-logo scheme that turns you into a bit of a laughing stock among educated buyers.
Stop buying these fake awards. You’re doing yourself and your company a disservice.
On to the newsletter.
- The most clicked link from last week’s issue was HashiCorp’s confirmation that it got caught in the blast radius of the Codecov supply chain attack.
🎧 On the show this week, I scored an interview with Kentik’s Doug Madory on the mysterious appearance of once-unused IPv4 space belonging to the U.S. DoD and the bizarre timing and connection to an obscure Florida company now managing the world’s largest honeypot. Listen here.
Sponsor message: Going on the ATT&CK versus FIN7 and Carbanak
0day watch.
- According to this live tracker, we’ve caught 27 in-the-wild zero-day attacks so far this year. Apple accounts for 22% of the patched zero-days.
- Here goes — iOS 14.5.1 is out with fixes for a WebKit 0day being actively exploited. Patch your iOS/iPad device ASAP.
- Pulse Secure has belatedly shipped a fix for that nasty pre-auth code execution vuln being exploited in the wild. I recommend this tool to help mitigate Pulse exposure in your network.
- MacOS Big Sur 11.3 fixes a bunch of vulnerabilities with the “actively exploited” warning from Apple.
- Pay very, very close attention to this Codecov supply chain mess. The company has now released IOCs and additional data to help with threat-intel data gathering. I’m hearing reliable chatter that this is a ‘nation-state’ attack with significant implications.
- Max Justicz found a remote code execution bug in the central CocoaPods server. “This bug would have allowed an attacker to poison any package download.”
- OpenSSF has released SLSA (pronounced salsa), a proposal aimed at reaching industry agreement on the framework for software supply chain security through standards, accreditation, and technical controls.
- This is useful new guidance from CISA on defending against software supply chain attacks (pdf).
- A working group at the NTIA has issued this fantastic document (.pdf) on software identification challenges and guidance.
The ransomware epidemic.
- These new ransomware task force report recommendations provide a glimpse of how governments will respond to this epidemic. Read it carefully in anticipation of coming .gov regulations. Wired says the plan faces long odds.
- The Record has a piece on a ransomware gang threatening to leak sensitive police files unless the Metropolitan Police Department of DC agrees to pay a ransom demand.
- Researchers at Malwarebytes published an interesting teardown of the law enforcement uninstaller used to clean up Emotet infections.
- Flashpoint reports that .gov hackers aligned to the Iranian government are now involved with ransomware operations.
- Ralf-Philipp Weinmann and Benedikt Schmotzle hacked into Tesla cars via “remote zero-click security vulnerabilities” that were potentially wormable. There’s a slide deck showing how this attack could be launched via drones flying overhead.
- Zoom security researcher Bill Demirkapi found gaping holes in an Experian partner website that let anyone look up the credit score of tens of millions of Americans by just supplying their name and mailing address. Watch my interview with Bill from OPCDE.
- Patrick Wardle’s assault on the security posture of MacOS continues with this fantastic work on bypassing MacOS’s file quarantine, Gatekeeper, and notarization requirements.
- Academic researchers have found a way to break all the Spectre defense mitigations (.pdf).
- The coverage of this research from Science Daily is heavy on hype.
- Jon Masters weighs in with a note that it’s far from the “world-ending sensationalism” seen on some of the news websites.
- On the heels of my own calls for Microsoft to suspend and reinvent the MAPP vuln-sharing program, Bloomberg is reporting that Redmond’s leak investigation has zeroed in on two unidentified Chinese companies and may end with a complete revamp of the program.
- I love to see journalism about startups in the privacy engineering space. TheStack’s profile of homomorphic encryption specialist Enveil is worth your time.
- Soteria’s 365Inspect automates the security assessment of Microsoft Office 365 environments.
- The One Stop Anomaly Shop (OSAS) from Adobe provides anomaly detection with language processing and machine learning.
- Apple’s new macOS security compliance project is an open-source effort to provide a programmatic approach to generating security guidance.
- OpenSearch, from AWS, is a community-driven, open-source fork of Elasticsearch and Kibana.
- The nzyme project uses WiFi adapters in monitor mode to scan the frequencies for suspicious behavior, specifically rogue access points and known WiFi attack platforms.
- GitHub is collecting feedback to guide its policies on hosting exploits and malware on its platform.
Navel-gazing.
This was pretty cool to see in the wild. Shoutout to the podcast listener who sent in the photo!
_ryan
PS: The show is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.