Newsletter

06.22.2021 | 6'' read

Upcoming Black Hat conference shenanigans

by Ryan Naraine

This newsletter is sponsored by Uptycs, the SQL-powered, cloud-native security analytics platform for modern defenders.

Was this newsletter forwarded to you?  Sign up here!  Say hello on Twitter (DMs are open).

* The most clicked link from last week’s issue was Kevin Beaumont’s sobering piece on some of the hard truths about the ransomware epidemic. TL;DR, we aren’t prepared, it’s a battle with new rules, and it hasn’t yet reached peak impact.

Monday blues.

Some personal thingies, as planning continues for a subdued Black Hat/Defcon hacker summer camp in Las Vegas in early August:

📚  I’m partnering with Crossbeam CISO and book author Chris Castaldo on a book-signing ‘cabanacon’ on Wednesday, August 4th.  We ditch the business suits, share a beverage, network and chat about Chris’s new book, the podcast, CISO happenings, etc. Request an invite here (space is very limited). PS: The cabana is air-conditioned and Chris says he will be giving away fancy pens along with copies of the new book.

🎧 I’ll be traveling to Las Vegas with full podcast studio gear and setting up camp to record a batch of audio and video interviews.  If you’re coming to the conference and want to appear on the show, reach out here and say hello.

🔥 Catch my fireside chat with Dragos co-founder and CEO Robert M. Lee at the APAC ICS Cybersecurity Conference.  We have a frank discussion about ransomware, paying ransoms to cybercriminals, the Biden EO on cybersecurity, the coming SBOM requirements.

🎤 My pal Mary Jo Foley, who watches Microsoft closer than any other journalist in history, invited me on her MJF Chat podcast to talk about all the security things at Redmond. The full transcript includes my strong opinions on Microsoft emerging as a bigtime player in the security business.

On to the newsletter…

The big stories.

  • ZDNet’s Danny Palmer: Have we reached peak ransomware? How the internet’s biggest security problem has grown and what happens next.
  • Along the same lines, Wired’s Lily Hay Newman reports on the recent Cl0p ransomware bust in Ukraine and explains why nothing will change, despite all the high-profile .gov activities.
  • Going back in time, we found out that GPRS-era mobile data encryption algorithm GEA/1 was ‘weak by design’ and still lingers in today’s phones. The academic paper is here (PDF).
  • If you want something new to doomscroll about, Kevin Collier looks at the security of America’s water supply and the takeaway isn’t exactly inspiring: “Of all the country’s critical infrastructure, water might be the most vulnerable to hackers: the hardest in which to guarantee everyone follows basic cybersecurity steps, and the easiest in which to cause major, real-world harm to large numbers of people.”
  • BBC News does a deep-dive recap on the Lazarus heist, with excellent reporting on how North Korea almost pulled off a billion-dollar hack.

A word from our sponsor (Uptycs, SQL-powered security analytics platform)
If you’re struggling with questions like, “What containers in my environment are running this known vulnerable package?” or “Where else is this file hash appearing across my Kubernetes Cluster?” or “How many servers have had the password rotated in the last 90 days?”, Uptycs gives you the ability to get all the answers from the same console.
Reach out for a hassle-free demo.

CFPs.

Some Ryan-approved security conference call-for-papers worth your attention:

New podcast: A fun, honest conversation with FuzzyNop

🎧 New podcast episode, sponsored by Eclypsium:  Verizon/Yahoo’s Josh Schwartz (aka FuzzyNop) on red-teaming, adversarial relationships within security programs, and the need for more empathy in the offensive security research community.  It’s a fantastic conversation, I promise.

Full transcripts are now available for my recent interviews with Google’s Heather Adkins and Facebook product security chief Collin Green.

Supply chain pain.

Tools and guidance.

Readables.

Tangentially.

When the big-game VCs become media houses, news becomes marketing, marketing becomes news, the lines get blurred and nobody knows up from down. This is a disaster of a trend we can’t seem to avoid.

Have a fun and productive week.

PS: My thanks to all the podcast and newsletter sponsors: MongoDB, Uptycs, Eclypsium and SecurityWeek.  Our partnership with these companies helps to keep our reporting independent and vendor-agnostic.

_ryan

PS: Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms — Apple, Google, Spotify and Amazon.