The Cyber Why: What We Read This Week...
... and why you should too! (6/29/24)
Happy Saturday. As I sit here putting the final touches on the current TCW newsletter I realize how thankful I am to have friends that help me write the content every week.
are the best in the biz and I love you guys! Now on to this week’s TCW! This week we cover quant vs. human based venture investing, the polarizing story of Jacob Appelbaum, polyfill or poly-fluff?, nation state false flags, and for story #5 McDonald’s AI ordering SNAFU!
The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)
TCW Newsletter and the TCW Podcast both have a few 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.
Quant vs. Human Based VC - Math vs. Intuition
Can We Fully Automate Startup Investing? (Data Driven VC)
Venture investing today is, operationally, drastically different depending on the stage, focus, fund size, and type of investing that you are doing. In the early stages of venture investing there is very little data to go on, making team and idea the predominant factors on which decisions are made. As you progress into later stage investing with companies who have been around a while and have sufficient metrics to analyze, venture investing becomes much more quantifiable. The question that remains is whether we can apply more quant techniques earlier in the target company lifecycle to make even more data-driven decisions in the angel, seed, and pre-seed rounds. Data Driven VC author Andre Retterath believes the early stage end state will be a blending of quant and human decision making processes, which is a cop out if you ask me. If you are an investor, leave your comments below on which methodology will come to dominate early stage over time.
Handcraft / Traditional VC: A shrinking group of senior, gray-hair industry veterans, characterized by a strong belief that VC is more art than science and that the best deals will always be sourced through their proprietary personal networks. Moreover, they are rarely aware of their biases (recency, similarity, confirmation, over-simplification, etc.) when making decisions and tend to overestimate their position based on their firm and personal brands as well as their (oftentimes impressive) investment track records.
Augmented VC: Combining the best of both worlds, where machines collect, process and contextualize vast amounts of data to achieve comprehensive coverage and give direction, and where human investors focus on a select number of founders to build deep relationships and assess the soft factors based on their intuition. While data provides coverage and guidance, the human makes the final decision.
Quant VC: A new species of purebred algorithmic VCs who believe that startup investment decisions should not involve humans at all, just like in pure-play quant public funds. Just algos, no humans. Fast, clean and repeatable. These investors believe that human involvement skews the models and reduces the likelihood to generate alpha.
ioerror - The Story of a Polarizing Figure
This cyber-security activist made me afraid of surveillance culture (CBC)
Nobody Wants To Talk about Jacob Appelbaum Movie (CBC)
Jacob Appelbaum. AKA ioerror. I remember him from Defcon and Blackhat in the early to mid-2000s. He had white hair and a bit of a wild and crazy demeanor. We ran in similar circles, yet he always had something off about him. My spidey senses tingled, and I distanced myself from him quickly. At the time, I wasn’t sure what bothered me other than something wasn’t right.
I won’t use this platform to dive into his history or past—you can research that independently. The short of his story is this: He supposedly contributed to some very interesting cyber research in the mid-2000s. Behind closed doors, he was often referred to as a “hanger-on” and a “noncontributor” by the other authors of the papers. At the end of the day, none of the technical work mattered when compared to the horrible accusations and proven actions that surfaced. Eventually, he connected with Julian Assange, WikiLeaks, and the Tor Foundation, and everything went completely off the rails from there. Nobody is sure if the core of the story is one of paranoia and mental issues or, indeed, a government plot to wreck a person’s life (or maybe a bit of both). Either way, I’m watching this movie this weekend!
The new documentary entitled “Nobody Wants To Talk About Jacob Appelbaum” by director and creator Jamie Kastner is available free on CBC.
Polyfill or Poly-fluff?
Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack (The Hacker News)
Polyfill supply chain attack embeds malware in JavaScript CDN assets (Dev.to)
Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites (Dark Reading)
Hulu, 100K+ Websites May Be Exposed to Polyfill Malware (PC Mag)
(Katie pick) Earlier this week it was reported that polyfill.io, a widely used JavaScript service, was compromised, potentially impacting 100,000+ websites. As the news rolled out, watchers speculated on whether the service’s new China-based content delivery network (CDN) company, Funnull, had anything to do with the exploit, either intentionally or unintentionally.
The timing was suspicious: Funnull took ownership of the domain; shortly thereafter, malicious code was delivered through any website using cdn.polyfill.io, redirecting users to betting and porn websites. No reports of anything more than redirects have been issued.
Curiously, Polyfill’s original creator, Andrew Betts, warned people back in February when the domain was sold to the Chinese entity. He noted that “no website today requires any of the polyfills in the polyfill.io library.”
Well, I guess some companies didn’t hear/read the statement or didn’t care. But the story doesn’t end there: As of Thursday, Namecheap.com, a domain hosting company, decided to remove the polyfill.io domain.
In theory, this stops any further propagation of the attack. Time will tell.
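The practical question for anyone running a website is whether any of their pages still pull scripts from the polyfill.io domain. The following is an added example (not code from the newsletter or from any of the linked articles) of a small defensive check: it parses HTML, collects every script, link and iframe source, and flags those whose host is polyfill.io or any subdomain of it. The sample page is constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The domain named in this week's reporting; any subdomain (e.g. cdn.polyfill.io) is a hit.
FLAGGED_DOMAINS = {"polyfill.io"}


class _ResourceCollector(HTMLParser):
    """Collects src/href values from tags that load remote code or linked resources."""
    WATCHED = {"script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value.strip()))


def _host_of(url):
    # Protocol-relative URLs ("//cdn.polyfill.io/...") are common in copy-pasted embed snippets.
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def is_flagged_host(host):
    # Exact match or a true subdomain; "notpolyfill.io" must NOT match.
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


def find_polyfill_references(html):
    """Return [(tag, url)] for every resource loaded from a flagged domain."""
    parser = _ResourceCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.resources if is_flagged_host(_host_of(url))]


# Constructed sample page (not a real site): one CDN reference, one protocol-relative
# reference, one look-alike domain that should not match, and one unrelated script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<link rel="preload" href="//polyfill.io/v3/polyfill.js" as="script">
<script src="https://notpolyfill.io/lib.js"></script>
<script src="https://example.com/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_polyfill_references(SAMPLE_HTML):
        print(f"{tag}: {url}")
```

Feed it the HTML of each page you serve (or a crawl of your site) and remove or self-host anything it reports.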
Nation States Deploying Ransomware To Throw Defenders Off The Scent
ChamelGang APT Disguises Espionage Activities With Ransomware (Dark Reading)
Chinese State Actors Use Ransomware to Conceal Real Intent (InfoSecurity Magazine)
Cyberespionage Groups Attacking Critical Infrastructure with Ransomware (Sentinel One Labs)
(Rick pick) This week, SentinelOne's SentinelLabs released new research highlighting suspected Chinese and North Korean APT groups leveraging ransomware in their campaigns for “financial gain, disruption, distraction, misattribution, or removal of evidence.” In traditional intelligence parlance, the misattribution angle is referred to as a false flag. If you aren't a spymaster or Jason Bourne, let me help you out. The CIA defines a false flag as a:
"deliberate misrepresentation of motives or identity; an operation designed to appear as if it were conducted by someone other than the person or group responsible for it."
APT groups gain plausible deniability from conducting ransomware activity, and data exfiltration is part of the IP theft playbook. When conducting investigations, don’t make attribution assumptions. If you are in the US manufacturing sector in particular, you should read the full report and conduct threat hunting on the research findings.
Bacon Ice Cream Should Be A Feature, Not An AI Misfire
Bacon ice cream and nugget overload sees misfiring McDonald's AI withdrawn (BBC)
McDonald’s to end AI drive-thru experiment after errant orders — including bacon on ice cream and $222 McNuggets bill (New York Post)
AI is everywhere, even McDonald’s. About a year ago the McDonald’s restaurant group rolled out AI-based chatbot ordering to over 100 stores nationwide. The result of the year-long experiment has been a colossal failure and a horrible inability to take accurate orders. Viral videos have emerged showing hundreds of dollars of chicken nuggets sneaking onto the order slip, dozens of cream and ketchup packets being added to a drive-thru request, and even one person getting a side of bacon layered on top of her ice cream cup. What a mess up - at least we learned that current AI capabilities aren’t quite ready to ask if you would like fries with that!
Quick Hits and Hidden Gems
Neiman Marcus confirms data breach after Snowflake account hack (Bleeping Computer) - The long tail of the exposed Snowflake credentials continues.
TeamViewer's corporate network was breached in alleged APT hack (Bleeping Computer) - Russian threat actor APT29 is actively exploiting the popular remote access solution.
Batten down the hatches, it's time to patch some more MOVEit bugs (The Register) - Progress Software is making headlines for all the wrong reasons, again.
Evolve Bank Data Leaked After LockBit’s ‘Federal Reserve Hack’ (Security Week) - LockBit claimed to have 33 TB of Federal Reserve data, but so far it appears to be from an Arkansas bank.
The 'BlackSuit' hacker behind the CDK Global attack hitting US car dealers (Reuters) - Reuters took a deeper dive into the ransomware actor behind the CDK Global outage crippling car dealerships across the country.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!