The Cyber Why: What We Read This Week...
... and why you should too! (6/3/2024)
I’m having trouble keeping my eyes open today. I’m in the middle of an eleven-day travel run and quite delirious. If you read this and it doesn’t sound even remotely coherent, you know why! I’m at the Gartner Security event in DC this week, so if you are in the area, hit me up with a DM, and we can get together. If you aren’t here... you’re missing out. This is a great show!
This week in The Cyber Why, we touch on the potential (not confirmed) catastrophic hack at Snowflake and its fallout downstream. We discuss the startup debate AppSec vs. OpSec and which makes more sense. We also debate two privacy-related stories by Google and Microsoft (I fall on one specific side here… can you guess which one it is?). Finally, we make some crude jokes in the style of Beavis and Butthead for our story #5. All this and more in this week’s The Cyber Why!
Get An Automated Security Buddy with DryRun Security
DryRun Security performs automated and seamless security code reviews in seconds. Devs love it because they get actionable security advice without all the noise, and AppSec loves it because every code change is reviewed for risk.
DryRun uses a proprietary Code Review Inquiry Methodology on LLMs to deliver results to developers in just a few seconds. Try it yourself and install DryRun Security, or book a spot for a quick 15-minute demo today.
Snowflake Pwnage Potentially Catastrophic
Santander staff and '30 million' customers hacked (BBC)
Ticketmaster Hack: Data of Half a Billion Users Up for Ransom (TicketNews)
Here Are 9 Companies With Reported Data Hacks This Week: Everything we Know (Newsweek)
Snowflake: ‘No Evidence’ Linking Ticketmaster Breach To Its Products, But Signs Of Former Employee Account Accessed (CRN)
What do Ticketmaster and Santander Financial have in common? Not much, unless you consider that they appear to have been hacked by the same attacker. In a recent post on an underground hacking forum, the group calling themselves “ShinyHunters” posted an advertisement naming Santander and offering the following data for sale:
30 million people’s bank account details
6 million account numbers and balances
28 million credit card numbers
HR information for staff
The same hacking group is also offering over 500M credit card records for TicketMaster users. The question is, how are these two hacks connected? According to the article and BBC research, it’s highly likely that both of these attacks trace back to the compromise that Snowflake recently disclosed.
Snowflake refutes the claims that it is responsible and, as of the time of writing, does not believe it has been hacked in any way other than, possibly, externally compromised credentials being used to access customer data. Other attack victims may include Advance Auto Parts, Allstate, Anheuser-Busch, Mitsubishi, Neiman Marcus, Progressive, and State Farm Insurance. There is a good chance we’re only seeing the beginning of the fallout of this one. We’ll watch it and update you as more details unfold.
AppSec or OpSec - A Fork In the Market Road
What Tool Best Compliments CNAPP? (James Berthoty - Latio Sec)
Among many of the vendors I speak with, there is often a desire to merge two major market segments in a way that creates differentiation and the ability to sell a broader platform to the cybersecurity buyer. The most frequent version of this discussion is whether a product should push “right” into the operational security offerings or “shift left” into the application and code side of the market.
Each of the two sides of the coin comes with different buying personas, value propositions, go-to-market strategies, and even willingness to pay, making it extremely difficult to cover both sides simultaneously. As a startup, you are almost forced to pick one side or the other until you reach critical mass and have the resources to truly go horizontal in your approach. The future of the cloud-native application protection platform (CNAPP) market is no exception to this rule of thumb.
In this article, James breaks down each side's how and why in minute detail, helping you see his vision for the space. I recommend this read if you are interested in cloud security's future market trends.
Microsoft Recall - Dream or Danger (or both)
How the new Microsoft Recall feature fundamentally undermines Windows security (Double Pulsar)
UK watchdog looking into Microsoft AI taking screenshots (BBC News)
Is this a dream technology or a privacy nightmare? According to those in the cybersecurity space I have spoken to, it’s an attacker’s potential perfect storm and a significant cybersecurity problem just waiting to happen. Just last week, Microsoft announced “Recall” to the market.
The idea is it allows you to rewind back in time at the click of a button to see what you were doing at, say, 11pm two months ago. It also classifies almost everything you’re doing, seeing and typing. This is instantly searchable.
In a nutshell, the technology is an infostealer and rootkit built directly into the Microsoft operating system. It watches literally everything you do on the device and allows you to play that information back while making it completely queryable. Content is stored locally but, in my opinion, the data will eventually be used in many cloud contexts.
Spicy Take: This sounds EXACTLY like what I’ve been looking for. I want something that automatically records all of my Zoom, Teams, and Google meetings and analyzes them with AI, can cross-reference that data with all my email and calendar data, and knows everything about my daily digital usage and life. In a nutshell, I want a complete second brain, and this sounds like a great start!
Regarding privacy worries, users will GLADLY trade security and privacy for any simple long-term convenience. If this really gives us the ability to track, query, and remember our entire digital life with an AI overlay, people will clamor for the solution and happily trade away security and privacy.
I, for one, think the risk is worth it! I’d love to hear your opinions below!
Google Says - We Got Your Privacy Right Here
Google Leak Reveals Thousands of Privacy Incidents (404 Media)
Google made an oopsie. 404 Media recently acquired an internal Google database that tracked company privacy violations and remediations, such as collecting and analyzing children’s voices, saving license plates from Street View, inadequate blurring of sensitive YouTube videos, and many other self-reported incidents, large and small. The database recorded privacy issues from 2013 to 2018, all appearing to have been fixed quickly by Google’s team.
The problem isn’t in tracking and remediating privacy concerns directly. Instead, the issue is the sheer volume of privacy issues that Google has to deal with annually. These are not just little bugs; they can significantly compromise human privacy rights. It’s great to see Google fixing things quickly. However, the size of the problem may make it completely impossible to secure long-term. Look at the article and check out the wild list of issues discovered in this five-year period.
NVD Backlog To Be Cleared in Fiscal Year (9/24)
Federal agency taps new contractor help with bug backlog (Axios)
In this week’s “story #5,” we bring you the contract company NIST believes will be the savior of the National Vulnerability Database (NVD). The firm Analygence has been contracted to fill the existing hole and help clear the backlog that has been building up with NVD. It turns out that the contract is a five-year, $125M project, and it was awarded to Analygence as one of 14 applicants. It was awarded last December, and they have yet to operationalize the contract fully. Good luck, NIST and Analygence; your solution is desperately needed. This is a “story #5” for a reason - #iykyk - please leave your thoughts in the comments section below.
Quick Hits and Hidden Gems
Gartner Security and Risk Management Summit (The Security Industry) - Some raw data on vendors sponsoring the Gartner event this week. Some interesting growth trends here.
Visibility Without Action is Just Noise (Yaron Levi) - I think he means that visibility and observation don’t matter if you don’t have context. He mentions it directly in the article - finding another issue is nearly worthless without context. Context is everything during data collection, analysis, and remediation. Without context, we can’t possibly scale. Good quick read.
Is this the end of SIEM? (Frank Wang) - SIEM, as the concept of “security event aggregation,” is indeed dead. The addition of assets PLUS events could reinvent this market into something new. This provides context to everything in the data set, making it much richer and easier to use. Context is KING!
A venture capitalist walks into a bar (lcamtuf’s thing) - I love lcamtuf’s view of the world. He’s been around the block, and he speaks a great truth. My moral takeaway from this story is to understand the incentives, and you will be able to predict the future.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!