Was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open).
It’s RSA Conference week and, quite frankly, I’m yawning through most of it this year. There’s just no way to replicate the in-person experience, where RSA offsite networking drives a lot of deal-making, hiring and vendor partnerships. This year, it feels staler than usual, and the year-long Zoom/headphone fatigue means that no one is excited to watch another virtual presentation with poor camera/microphone settings.
That said, I’ll be helping to facilitate Sounil Yu’s deep dive on the Cyber Defense Matrix, helping RSA attendees to create new use cases, create roadmaps, map incidents and figure out business constraints. For more on the Cyber Defense Matrix, listen to my conversation with Sounil on expanding use cases in modern security programs.
Next week, I’ll be appearing at SecurityWeek’s threat-intel summit, hosting a fireside chat with Tom Rid, professor of strategic studies at Johns Hopkins School of Advanced International Studies, and moderating a panel of CISOs discussing the value of threat intelligence to defenders.
A closing note to security marketers: are you seriously proud of seeing your name in this scrolling list of paid-for participation trophies? Terribly embarrassing, for all involved.
On a much more positive note, congrats to cybersecurity lifer Adam Ely for landing the CISO gig at Fidelity Investments.
_ryan
- The most clicked link from last week’s issue was this Digital Shadows outline of the DarkSide ransomware-as-a-service operation.
Upcoming guests:
- Collin Greene, head of product security, Facebook.
- Heather Adkins, director, information security, Google.
- Anne Marie Zettlemoyer, vice president, security engineering, Mastercard.
Full conversations are available on the SecurityConversations.com home page, and on all major platforms — Apple, Google, Spotify and Amazon.
[ SPONSOR MESSAGE: Eclypsium Enhances Enterprise Device Integrity Platform ]
The unmanaged attack surface is actively being targeted. Eclypsium announces a new platform extension allowing organizations to extend visibility and security beyond traditional endpoints to now include network and unmanaged devices. Learn more.
- Code execution attacks against encrypted machines: We show that memory encryption is not sufficient for protecting guest VMs in a virtualized environment. See The Record’s additional reporting.
- undeSErVed trust: We show that the measurement used in AMD SEV’s attestation is block permutation-agnostic, meaning that changing the order of measured memory blocks does not affect the attestation outcome, and thus allows the attacker to modify the execution flow without detection by the VM’s owner. More from Tom’s Hardware.
- FragAttacks (fragmentation and aggregation attacks) is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim’s Wi-Fi network can abuse these vulnerabilities to steal user information or attack devices. Also see this USENIX Security presentation, the academic research paper [pdf], this demo of the flaws, and this open-source tool to test for these WiFi design and implementation vulnerabilities.
- Cloudflare wants to kill the CAPTCHA using hardware security keys: Based on our data, it takes a user on average 32 seconds to complete a CAPTCHA challenge. There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days. This very simple back of the envelope math equates to somewhere in the order of 500 human years wasted every single day — just for us to prove our humanity.
- Top-notch reporting by Kim Zetter: Days before the Darkside ransomware creators formally launched their business with a press release last August, a U.S. victim was already preparing to pay them a $2 million ransom.
- FireEye’s deep-dive into the Darkside ransomware-as-a-service operation is required reading for everyone involved in incident response or threat intelligence. The attack lifecycle chart shows that these attacks should be noisy enough to be caught. We have a ransomware epidemic because the foundational basics are being forgotten.
- Intel471 found the note that the criminal gang passed to affiliates claiming the infrastructure was taken offline amidst heat from law enforcement and .gov officials.
- Researchers at Tencent’s Keen Lab have hacked into the infotainment system in Mercedes Benz cars and published a fascinating paper describing remote code execution flaws.
- Daimler issued a separate statement confirming the Keen Lab findings and exploitation of some attack surfaces in the Mercedes Benz vehicles.
- GM Cruise’s Charlie Miller explains the research.
- Speaking of Cruise, this self-driving car demo is intoxicating.
- Full text of White House Executive Order (EO) on improving cybersecurity in the U.S.
- A question on everyone’s lips lately: What is an SBOM and why should you care?
- The U.S. NTIA has published resources on Software Bill of Materials, described as “a nested inventory, a list of ingredients that make up software components.”
- JupiterOne has published its SBOM, prompting a very interesting Twitter discussion on where this is all heading.
- On June 2-3, NIST will host a virtual workshop to enhance the security of the software supply chain and to fulfill the White House EO.
- In-toto is a specification to provide policy and attestations for software supply chains.
- Veracode’s Chris Wysopal helps to decipher the White House EO.
Cloud things.
- The Cloud Incident Response Framework serves as a go-to guide for cloud customers to effectively prepare for and manage cloud incidents.
- Bridgecrew’s Matt Johnson looks at the top trends from analyzing the security posture of open-source Helm charts.
- The CFP is open for this year’s fwd:cloudsec conference.
Off-topic.
- There’s an actual color called Cyber yellow. Now you know.
Have a fantastic week.
_ryan
PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.