Newsletter

09.21.2021 | 6' read

Stop legitimizing parasite 0day companies

by Ryan Naraine

* The most clicked link from last week was the U.S. government’s case (.pdf) against a trio of ex-NSA hackers who were caught doing cyber-espionage work for the United Arab Emirates.

Notes.

  • My personal thanks to all the CISOs and security leaders who generously shared their time and expertise with us at the CISO Forum last week. It was an incredible thrill for me to participate in these conversations.

Monday blues. 

Chris Soghoian was absolutely right all those years ago. Back in 2012, the privacy rights activist warned us all about accepting and legitimizing the work of exploit brokers and researchers hawking zero-days to governments around the world.

Soghoian’s cautionary words from 2012:

“Governments are going to use zero-days, we have to deal with this. But the middle-man firms that buy exploits and resell them to governments are a ticking bomb. Security researchers should not be selling zero-days to middle man firms. This trade is not legitimate and we should not legitimize them.

“These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.”

At the time, Soghoian was referring to VUPEN (now Zerodium), FinFisher and HackingTeam when he warned of the risk of zero-day exploit blowback. “It’s not a matter of if, but when,” he added.

Well, here we are.

Soghoian’s presentation and warnings (see slides from VB) pop to mind this week as I read about two U.S. companies caught supplying zero-days to foreign governments, only to find those exploits used to target Americans with high-end spyware.

First up, we have Denver, Colorado-based Accuvant (formerly Optiv) caught developing and selling a powerful iPhone exploit to UAE operators who turned around and used it to spy on human rights activists.

A few days later, Forbes identified Texas-based Exodus Intelligence as the supplier of multiple zero-days used in murky .gov malware campaigns in several countries throughout Asia. Shoutout to my former colleagues at Kaspersky for dropping the “Moses” hint in July and for continued brilliant work exposing these players.

It’s not too late to heed Soghoian’s warning and stop legitimizing these private sector offensive actors. These aren’t cybersecurity companies helping to solve security problems. These are parasites cashing in on an unregulated space, making things worse for the rest of us.

Kudos to the journalists and researchers exposing their operations.

_ryan

On to the newsletter…

Apple, iOS 15, and different types of software updates.

Apple released iOS 15 yesterday with a handful of security and privacy goodies. The update is available from Settings > General > Software Update, but it’s super interesting that Apple isn’t pushing this update to users. Instead, Apple has added a ribbon at the bottom of the Software Update page, treating it as something optional.

Then, I noticed this throwaway line in the iOS 15 literature that should get some extra attention:

How does Apple differentiate between “the most complete set of security updates” and some other category of “important security updates”? Apple will be withholding security patches for iOS 14 devices, but how and why? Very weird stuff at a very sensitive time for Apple.

Mercenary hacker things.

I touched on this in the preamble today, but I’m calling out these stories for extra attention:


Hacking back at ransomware gangs.

CrowdStrike co-founder Dmitri Alperovitch wants to see a “hacking back” component to the U.S. government’s response to the ransomware menace.

“An aggressive campaign would target the foundation of ransomware criminals’ operations: their personnel, infrastructure and money,” Alperovitch writes. “Such a campaign could reveal personal details about the perpetrators, take down the ransom payment servers they are using to conduct operations, seize their cryptocurrency wallets and perhaps even introduce subtle bugs into their code that enable victims to unlock their data without paying a ransom.”

Super slippery slope, but these are important conversations and I’m glad some of it is seeping out into the public domain.

Major vulnerability alerts.

If you’re responsible for security response, these are the things worth paying attention to:

Security research.

Newsworthy bits.

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
