Newsletter
01.04.2022 | 7-minute read
Some not-so-dire 2022 cybersecurity predictions
- I’m currently working on the agenda for the Ransomware Resilience & Recovery Summit on Jan 26, 2022. Contact me for information on presenting or joining a panel discussion. Here’s a list of SecurityWeek’s 2022 events.
Monday blues.
Calling attention to an odd thing that flew under the radar this week: CrowdStrike officially moved its “principal executive office” from Silicon Valley (Sunnyvale, California) to Austin, Texas. The company gave no reason for the switch and used a simple statement to point out that official corporate addresses will soon be obsolete in a remote-first world.
CrowdStrike says: “While the traditional notion of a singular headquarters is not required and may become obsolete altogether in today’s transforming world, the Securities and Exchange Commission requires us to designate a principal executive office. Today, CrowdStrike Holdings is designating Austin, Texas as our principal executive office.”
I’m reliably told these moves (more of these announcements are likely) are closely linked to Assembly Bill No. 979, a California law that requires publicly traded California companies to diversify their boards with the addition of directors from “underrepresented communities” by December 31, 2021.
The law requires (see coverage): “No later than the close of the 2021 calendar year, a publicly held domestic or foreign corporation whose principal executive offices, according to the corporation’s SEC 10-K form, are located in California shall have a minimum of one director from an underrepresented community on its board.”
According to AB-979, “Director from an underrepresented community” means an individual who self-identifies as Black, African American, Hispanic, Latino, Asian, Pacific Islander, Native American, Native Hawaiian, or Alaska Native, or who self-identifies as gay, lesbian, bisexual, or transgender.
Interestingly, CrowdStrike appears to be in compliance, at least until the end of this year when the law will become even stricter on diversity mandates. CrowdStrike’s nine-person board of directors currently includes two women and at least one director who fits the definition of being from an underrepresented community.
Here’s a related gem of a find: Coinbase says it has no corporate address at all: “[W]e [are] a remote-first company. Accordingly, we do not maintain a headquarters.”
I wish you all a pleasant new year, and I hope you’re as happy as I am about RSA Conference being pushed back to June.
Cheers,
_ryan
On to the newsletter…
Installed as a read-only service into your sealed environment, Symmetry DataGuard learns data objects from SQL, NoSQL, and object stores and constructs a large access control graph of all principals and objects in the system. DataGuard provides a risk assessment of all data stores down to unique objects and alerts with evidence-based notifications during operations. Schedule a demo.
New podcasts.
Two new episodes of the show have been pushed to your podcast software thingies:
- Costin Raiu joined me to talk about the mercenary hacker-for-hire industry, the Israeli companies supplying mobile exploits to governments, and the role of venture capital investors bankrolling these controversial startups. Listen here.
- Corellium chief executive Amanda Gorton talks about entrepreneurship, raising a $25 million funding round, and the nuances of operating a business in the offensive security research space. Have a listen.
Coming up next: An interview with Egress CEO Tony Pepper on the email security market and running a global business during an extended pandemic.
My cybersecurity predictions for 2022.
It won’t be a new year’s edition without the good old cybersecurity predictions. I actually put some thought into what I think will be the big stories this year. They include:
- Ransomware is mostly solved (politicians will make deals) but APT actors will continue to blur the line between cyberespionage and financially motivated crime.
- Supply chain mega-hacks will explode as cybercriminals will join the nation-state APT operators in the supply chain malware free-for-all. It will be a long, painful slog with no clear solution in sight.
- The expose of the ugly hacker-for-hire industry will snare a few surprising U.S. companies and will lead to robust debates over blacklisting certain researchers.
- China will use hacking competitions like the Tianfu Cup as a kind of military display of Chinese hacking capabilities.
- By the end of this year, every major APT toolkit will include UEFI/firmware implantation capabilities, forcing a major revamp of anti-malware defenses. The firmware security problem will explode alongside impossible-to-detect supply chain hacks.
Read more of my thinking into these predictions and some additional ones from the SecurityWeek editorial team.
The Log4j urgency is very real.
One month in, here’s Microsoft on the current status of the Log4j crisis. It’s not very good :(. I’ve underlined the main takeaways:
Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.
Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.
The urgency is real. I recommend the use of this CISA scanner to help find vulnerable Log4j installations.
- Google Cloud security chief Phil Venables on the concept of obviousness and CISOs overlooking the simple.
- Netflix technical engineers document SNARE, a Detection, Enrichment, and Response platform for handling cloud security related findings at Netflix.
- A telling interview with Palo Alto founder Nir Zuk on the crazy valuations for cybersecurity startups. The money quote: “I don’t believe that a company that sells for $20 million is worth $6 billion. I don’t know how it happens. If there are investors who are willing to do it, please. The world is a little crazy right now. You don’t even need a business plan. A big dream and hope are enough. That is why the end will be the same as it was in the 1990s.”
Research deep-dives.
- Researchers at the University of Piraeus in Greece test the quality of big-name EDR software and the findings (pdf) aren’t exactly encouraging: “Quite alarmingly, we illustrate that no EDR can efficiently detect and prevent the four attack vectors we deployed.” More from Catalin Cimpanu.
- Fixing the Unfixable is the story of a Google Cloud SSRF vulnerability with an endless loop of bypasses.
- This paper demonstrates lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip. Since the attack vector lies directly between the chips, it bypasses the main operating system. A full fix will require chip redesigns — current firmware fixes are incomplete.
- Andrew Scott analyzes 10 years of vulnerability data for Python packages and the findings are as ugly as you’d expect.
- Implant.ARM.iLOBleed.a is an in-the-wild rootkit discovered infecting HP iLO firmware.
- CrowdStrike has found a way to use Intel PT (processor trace) telemetry to thwart exploits that rely on code reuse.
- Binarly addresses the firmware supply chain security ecosystem and proposes ways to fix underlying problems. (Disclosure: I’m an advisor at Binarly).
- A fantastic study by ESET analyzing 15 years of nation-state threat actors jumping airgaps.
Hall-of-famer Dan Kaminsky
- Watch Dan Kaminsky’s mom accept his induction into the internet hall of fame. (Starts at 1:19:36).
Tangentially.
- It’s the end of an era. Today is doomsday for BlackBerry devices.