[ Advertisement: Last call for registrations for SecurityWeek’s CISO Forum 2021 — Sept 14-15, 2021. Prominent CISOs and security leaders will discuss topics ranging from ransomware, cyber-insurance, SBOMs and supply chain security, attack simulations, zero-trust, and post-pandemic attack surface expansion. Register here! ]
The most clicked link from the last newsletter issue was the blog post from researchers Thijs Alkemade and Daan Keuper on the Zoom zero-click RCE exploit used at Pwn2Own this year.
Note.
- I’m quoted heavily in this VentureBeat piece on VCs and uncontrolled spending that’s actually making things worse in cybersecurity. It’s a solid piece by Sage Lazzaro with my unfiltered (and pessimistic) not-so-hot takes.
- Security Conversations is offering paid internships to talented folks looking to work on podcast transcripts, audio + video editing, and social media shenanigans. Ideal for university students and newcomers looking to learn about cybersecurity. Under-represented folks to the front of the line. Ping me directly (naraine SHIFT 2 gmail.com) with your interest.
Monday blues.
In preparation for some hosting work I’m doing at this year’s CISO Forum, I spent parts of a quiet Labor Day weekend musing about the so-called skills shortage in cyber, the ongoing effects of ‘the great resignation’ (yes, it’s real), and whether the country’s wider good wages and workers rights shortage have now settled on cybersecurity’s doorstep. Oh, and the role of VCs in this big mess.
Just for grins, let’s use the bug-bounty sector as an example. The two main public platforms — HackerOne and BugCrowd — have raised a combined $189 million in venture capital funding. That, my friends, is a *lot* of money poured into two startups essentially creating a category on the fly. These are now well capitalized companies in so-called “growth-mode” with IPO or big-money acquisition ambitions.
The dark side of all this is worker rights and what appears to be abusive terms meted out to researchers on these public bug-bounty platforms.
Bill Demarkapi, an offensive security researcher at Zoom and a well-known hacker in the bug-bounty world (I interviewed him for OPCDE), provided examples of this abuse in a Twitter thread that makes my head spin. The self-righteous entitlement, the absence of logic, the immature tone from these vendors are so counter-productive and unnecessary.
Do yourself a favor, follow Katie Moussouris and pay attention to everything she says on this topic: “The problem is bug bounty platforms sell an illusion of control over a workforce they say doesn’t work for them as employees, yet they try to control their work & speech by threats to ban them…from submitting bugs to you through the platform. What does this do for your security?”
I argue that these stories out of the bug-bounty trenches mirror much of what’s happening in the rest of cyber. Security recruiters are looking for “rock-stars” that don’t really, leading to employers hiring junior coders and expecting senior-level engineering output.
The tide is starting to turn and now we’re hearing of a “skills shortage” that can only be solved via, you guessed it, more cybersecurity spending. And around and around we go.
Speaking of bug bounties, my pal Dennis Fisher’s opus on the birth and maturity of bug bounties is required reading for all cybersecurity practitioners. I’m serious, go read it all:
- Part One: Lawyers, bugs, and money: When bug bounties went boom.
- Part Two: Uprising in the Valley, featuring Katie Moussouris, Dino Dai Zovi, Chris Evans, etc.
- Part Three: ‘Drive it like you stole it’
_ryan
On to the newsletter…
The big Confluence exploit story.
The big story bubbling to the surface this week is the after-effects of a Confluence vulnerability that prompted a weekend “patch-or-else” warning from the U.S. government. Here’s the latest:
- The Confluence patches from Atlassian contains the “is being actively exploited in the wild” tagline.
- Here’s the technical documentation and proof-of-concept exploit making the rounds.
- Of course, there’s vulnerability disclosure drama that appears to drag VMWare into the story.
- Jenkins server, a widely used open-source automation system, was hit by an exploit targeting this Confluence bug. See company statement.
- The U.S. government isn’t mincing words on the severity of this incident and the urgency to apply available fixes.
Research things.
- Shoutout to Haroon Meer for releasing ThinkScapes as a free product. Here’s the latest edition. I wish there was a mechanism to subscribe.
- PDFs galore with quality research from the Hack in the Box conference.
- Mark Dowd’s keynote slides on the security technology arms race tell a rather optimistic story of security on mobile devices. Here’s the video.
- This well documented paper on remotely hijacking Zoom clients contains this throwaway line: “[This] exploit can be carried out by non-attendees.”
Nation-state apex predators.
- In an unclassified bulletin, the FBI says the Chinese government is hacking U.S.-based Uyghurs.
- U.S. counter-terrorism official Mike Orlando has pegged the cost of intellectual property loss to China (podcast+transcript) at $200 billion- to $600 billion. Most of this comes via hacking attacks.
- In addition to calling out SolarWinds for failing to enable the 15-year-old ASLR mitigation, Microsoft has casually attributed this mysterious zero-day to DEV-0322, a hacking group operating out of China.
- Speaking of Microsoft, here’s the company’s belated communications on the AzureDB cross-tenant cloud takeover vulnerability.
- The U.S. government’s CISA says the absence of multi-factor authentication is bad security practice. No word on how we incentivize end-users to actually enable and use the tech.
Say what now?
- General Keith Alexander’s cybersecurity company IronNet is apparently the latest meme stock. I can’t.
A section on Apple.
- A reminder that the Apple iOS FORCEDENTRY zero-day is still unpatched.
- After trotting out a sweaty exec to tell us that we “misunderstood” the CSAM tech they were proposing, Apple has backtracked and is delaying the program rollout.
- The EFF wants Apple to completely abandon what it calls the “surveillance plans.”
Photo of the day.
Crossbeam CISO Chris Castaldo signs copies of his book Startup Secure. This was meant to be a part of an event at Black Hat/Defcon (sponsored by our friends at Uptycs and Armorblox) but due to COVID, we had to cancel.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.