Newsletter

10.26.2021 | 6'' read

The software supply chain pain intensifies

by Ryan Naraine

~~ This edition of the newsletter is presented by Symmetry Systems, ProcessUnity and SecurityWeek ~~

The most clicked link from last week’s newsletter was the 26-page paper from a group of big-name cybersecurity pioneers picking apart Apple’s iOS client-side scanning technology plans. The conclusions are pretty damning.

Notes:

  • A lighter-than-normal newsletter this week because of work travel.
  • Earlier today, I interviewed Dragos founder and chief executive Robert M. Lee to kick off this year’s ICS Cybersecurity Conference. Catch the recording here.
Monday blues.

I was in the midst of dumping Google Chrome for an alternative browser (you should too!) when I stumbled upon this piece that makes me grit my teeth in exasperation: Firefox is selling ads in the most sacred place: the actual search bar.

In the same announcement of this new Firefox “feature,” Mozilla simultaneously explains that ads will be sold and served in the address bar and that “privacy is fundamental” to its mission.

I’m close to giving up.

_ryan

On to the newsletter…

Zero-days and nation states.


Sponsored.

  • Symmetry DataGuard helps you protect what matters most. Start with a sealed, read-only service in your cloud. Point it at your data stores and fine-grained query logs. Get a risk map with at-risk data objects and suggested interventions. Get in touch today for a demo.
  • ProcessUnity’s Cybersecurity Program Management (CPM) is a single, comprehensive platform for centrally managing an organization’s cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. The solution enables the CISO to inventory and assess high-value assets; map them to threats, risks, policies and control standards; automate reviews; and capture evidence of compliance — all on a predefined schedule. Request a demo.

Supply chain pain.

Research things.

Ransomware everywhere.

NYTimes reporter hacked by Saudis

Citizen Lab has a head-scratcher of a report on New York Times reporter Ben Hubbard’s devices being hacked by Saudi Arabian operators using the Pegasus spyware tool. The raw details:

  • Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.
  • The targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.
  • Some forensic artifacts connected to NSO Group are present on Hubbard’s device as early as April 2018.
  • A phone number belonging to Hubbard also reportedly appeared on the Pegasus Project list in July 2019.

Hubbard wrote a first-person account of the compromise.

Leftovers.

Danny Moore’s upcoming talk at CyberWarCon is all kinds of fascinating:

This talk will explore how the modern military is information security’s worst nightmare. In particular, we will focus on the US military and its decades-old, globe-spanning operational networks powering weapons designed by a dozen low-bidding contractors with enormous supply chains. Weapons must be remotely targeted, operated and maintained thousands of miles from home, and potentially work both over civilian and military infrastructure. For an attacker, that is an incredible playing field.

The talk tackles specific examples such as the US Navy’s Littoral Combat Ship, the F-35, and military satellite comms. We will explore their design vulnerabilities, opportunities for compromise, and how they may be attacked for operational gain during – or right before – conflict.

This makes Danny’s book on Offensive Cyber Operations a must-read.

Tangentially.

From the ISC SANS diary:

A bug in the GPSD project could cause time to roll back in October 2021. Due to the design of the GPS protocol, time rollback (technically termed “GPS Week Rollover”) can be anticipated and is usually closely monitored by manufacturers. The next occurrence should have been in November 2038, but a bug in some sanity-checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.

Beautiful bug.
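As an added illustration (not from the ISC SANS diary or the GPSD project), here is a small Python model of the week arithmetic behind a GPS week rollover, the kind of over-eager sanity check the diary describes, and the plausibility check an NTP operator would want in front of a GPS-fed clock. The threshold week of 2180, the floor date and all function names are assumptions chosen to reproduce the behaviour the diary describes, not gpsd’s actual code; leap seconds are ignored.

```python
# Added example (not from the newsletter or the GPSD project): GPS week-number
# arithmetic behind "GPS Week Rollover", a model of an over-eager sanity check,
# and a defender-side plausibility check for a GPS-disciplined NTP server.
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 began here
ROLLOVER_WEEKS = 1024  # the legacy navigation message carries a 10-bit week field


def gps_to_utc(week: int, tow_seconds: float) -> datetime:
    """Convert a full (unwrapped) GPS week plus time-of-week to a UTC datetime.

    Leap seconds (GPS time runs 18 s ahead of UTC in 2021) are ignored; they
    are irrelevant to a rollover that moves the clock by roughly 19.6 years.
    """
    return GPS_EPOCH + timedelta(weeks=week, seconds=tow_seconds)


def utc_to_gps(dt: datetime) -> tuple:
    """Inverse of gps_to_utc: (full GPS week, seconds into that week)."""
    weeks, rem = divmod(dt - GPS_EPOCH, timedelta(weeks=1))
    return int(weeks), rem.total_seconds()


def unwrap_week(week_10bit: int, reference_week: int) -> int:
    """Recover the full week number from the wrapped 10-bit field.

    A receiver can only do this relative to a week it knows is in the past
    (firmware build date, last saved fix). The answer is the first week at or
    after the reference whose low 10 bits match the transmitted value.
    """
    era = reference_week // ROLLOVER_WEEKS
    candidate = era * ROLLOVER_WEEKS + (week_10bit % ROLLOVER_WEEKS)
    if candidate < reference_week:
        candidate += ROLLOVER_WEEKS
    return candidate


def buggy_week_adjust(week: int, threshold: int = 2180) -> int:
    """Model (assumed, not gpsd's real code) of the faulty sanity check: any
    week above the threshold is treated as impossible and pushed back one
    rollover period. Week 2181 began on Sunday 2021-10-24, the day it bites.
    """
    return week - ROLLOVER_WEEKS if week > threshold else week


def time_is_plausible(candidate: datetime, floor: datetime) -> bool:
    """Check an NTP operator can run on a GPS-derived time before serving it:
    anything earlier than a date known to be in the past (for example the
    build date of the checking software) can only be a decode error.
    """
    return candidate >= floor


def demo() -> dict:
    """Walk the diary's scenario through the functions above and return the
    results as plain values so they can be inspected or asserted on."""
    now = datetime(2021, 10, 24, tzinfo=timezone.utc)  # constructed date
    floor = datetime(2021, 1, 1, tzinfo=timezone.utc)  # assumed build date
    week, tow = utc_to_gps(now)
    decoded = gps_to_utc(week, tow)
    buggy = gps_to_utc(buggy_week_adjust(week), tow)
    return {
        "week": week,
        "decoded": decoded.isoformat(),
        "buggy": buggy.isoformat(),
        "decoded_ok": time_is_plausible(decoded, floor),
        "buggy_ok": time_is_plausible(buggy, floor),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows that 24 October 2021 is day 0 of GPS week 2181, and that knocking 1024 weeks off it lands on 10 March 2002, which is the “March 2002” the diary mentions; the floor check rejects that value while accepting the correct one. The same check is worth having on every NTP server that takes a GPS reference, because clients that accept a 2002 timestamp will start failing TLS certificate validity checks, Kerberos ticket lifetimes and any log correlation that depends on ordering.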

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.