Newsletter

11.23.2021 | 6 min read

That ‘we take security very seriously’ line

by Ryan Naraine

This edition of the newsletter is presented by Process Unity and SecurityWeek


* The most clicked link from last week’s newsletter was JD Work’s essay on China using the Tianfu Cup 0day festival as a military-type display of cyber-weaponry and hacking capabilities.

Note.

Monday blues.

Whenever a company drops the “we take security and privacy very seriously” line, I do a basic smell test by adding “/security” to their domain to see how that page is being used. It’s a pretty instructive test of a company’s cybersecurity priorities.

This week, following an embarrassing — and utterly preventable — data breach that exposed WordPress FTP and database usernames and passwords for months (gasp!), I saw this line in GoDaddy’s SEC filing:

“We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.”

So I navigated to godaddy.com/security to take a peek. Of course the page is being used to hawk security services. I looked up the experience of GoDaddy’s CISO on LinkedIn and, well, I’ll let you go look for yourself…

Meanwhile, it’s a long holiday weekend here in the U.S. (Thanksgiving Day) which means we’ll probably see one or two major ransomware extortion disclosures. If you’re involved in protecting critical things, you may want to heed these very specific warnings.

Also, remember to patch and reboot your iPhones.

_ryan

On to the newsletter…


Sponsored.

Join this expert SecurityWeek panel discussion on Aligning Internal Cybersecurity Practices with External Third-Party Risk Management, presented by Process Unity. You will learn how to:

  • Map external third-party risk to internal cybersecurity controls
  • Evaluate control effectiveness against both internal and external risks
  • Identify potential fourth-party risk
  • Prioritize cyber/third-party risk projects based on control gaps and domain inefficiencies
  • Build a world-class cybersecurity program that protects against internal and external threats

Here’s the link to register and add to calendar.


NSO Pegasus fallout.

Breaking: Apple has sued NSO Group for hacking into its iOS products. Nicole Perlroth reports that Apple is asking for unspecified damages for the time and cost to deal with NSO’s abuse of its products.

Patrick Howell O’Neill reports on the fallout from the U.S. government sanctions on NSO Group over misuse of the Pegasus .gov surveillance platform (archive):

The US sanctions have had an immediate and much greater effect on the company than previous scandals. Bloomberg reported that Wall Street is shunning NSO and treating it as a distressed asset; it’s saddled with over $500 million in debt and a growing risk of insolvency; meanwhile, the company’s newly appointed CEO quit just a week after being appointed.

There’s also gossip about a “secret letter” floating around Israeli political circles. 🍿

Hardware security.

Essays.

Supply chain of pain.

Research findings.

Tidbits.

Leftovers.

Tangentially.
