The Cyber Why: What We Read This Week...
... and why you should too! (3/15/24)
This week’s TCW is a bit late, as “yours truly” has been on the road. After a long week in Silicon Valley, I’m ready for a cocktail and a hockey game! But first… I must release the latest issue of The Cyber Why. Have a read, and have a great weekend!

This week’s newsletter covers another criminal “exit scam,” the ticking clock on TikTok, Europe’s AI regulatory push, a great take on application security vs. enterprise security priorities, and the ever-expanding 10K cybersecurity product landscape. The quick hits section is incredibly rich and exciting, with some hot takes worth your time. Don’t stop reading part way through - it’ll be worth it, I promise!

Email security with less noise and more signal
Sophisticated attackers continually refine their approach to evade detection. But while methods change, objectives remain constant.
That’s why Material Security maps coverage to objectives to create more durable detections based on a unique combination of threat intelligence, observed attacks, and AI/ML-powered logic. Stay ahead of email threats like credential theft, malware/ransomware, and fraud/business email compromise with one API-based solution for advanced threat detection, insider risk protection, and incident response automation.
No Honor Amongst Thieves!
Incognito Darknet Market Mass-Extorts Buyers, Sellers (Krebs On Security)
Two “exit scams” in two consecutive weeks. First, UnitedHealth got caught up in an exit scam when the hackers responsible for its ransomware attack pulled a nasty disappearing act, leaving both the target and their co-conspirators high and dry. Not to be outdone, this week Krebs released a report detailing how the Incognito Darknet Market is executing its own “exit scam” by threatening to release crypto transaction records and chat logs of its users unless they pay a fee ranging from $100 to $20K.
“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”
Talk about no honor amongst thieves! Are we starting to see the end of an era? Is this the point at which communities of criminals begin to splinter off and form much smaller entities that they can “trust”? Time will tell!
The Clock for TikTok is Running Out
Bill that could ban TikTok passed in the House. Here’s what to know (AP News)
US House passes bill that could ban TikTok nationwide (BBC News)
House Passes Bill to Force TikTok Sale from Chinese Owner or Ban the App (NYT)
(Katie pick) The drama over U.S. citizens’ use of TikTok intensified on Wednesday when the House of Representatives passed a bipartisan bill requiring the app’s Chinese owner to divest its controlling stake. The U.S. government argues that, by law, Chinese companies must comply with Chinese government intelligence requests. The worry is that the Chinese government, widely known for its extensive surveillance practices, would use the app to spy on U.S. citizens.
The big question here is: Which country is flexing its authoritarian oversight muscle? And if the U.S. is so concerned with data harvesting, why are they allowing U.S.-based social media companies to run rampant with our data?
Europe Leading the Charge on AI Regulation
Europe Passes AI Act to Ban Riskiest Tools, Force Copyright Compliance (PC Mag)
World’s Most Extensive AI Rules Approved in EU Despite Criticism (Bloomberg)
(Katie pick) Well, that didn’t take long. The European Union’s Parliament passed the Artificial Intelligence Act on Wednesday. Its stated aim is to place “safeguards on general-purpose artificial intelligence” and give consumers the right and ability to “launch complaints and receive meaningful explanations” when AI goes too far or oversteps fundamental human rights.
The new rules — still subject to final approval — will classify AI-based products into risk categories; the higher the risk to human health, safety, fundamental rights, the rule of law, and more, the stricter the rules.
There are also outright bans on AI’s use. Applications that use AI for biometric categorization systems, social scoring, predictive policing, or manipulating/exploiting human behavior, for instance, are not allowed.
While the Act intends to ensure AI’s use doesn’t turn into some Sci-Fi nightmare, it won’t be long until major tech companies jump into the fray and start lobbying against restricted use, claiming the government is stifling technological innovation. There’s more to this story. Just wait for it.
We’re Focused On The WRONG Issues (Again)
Product security: barking up the wrong tree (lcamtuf’s thing)
This article is bound to fire up some debate. Michał Zalewski, a.k.a. lcamtuf and formerly a security leader at Snap, believes that enterprise information security teams are wasting their time on code security and should instead be focused on the foundational elements of information security for the business. The White House even took a stance on the code side recently with the release of its February paper, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” I really like his points: while code security does get at the heart of product issues, including RCE, buffer overflows, and most specific technical vulnerabilities, it doesn’t solve the real issue, which is almost always human, configuration, or mistake-related. Attackers will go after the lowest-hanging fruit first because the ratio of cash returned to effort expended is better than for the more technical 0-day-style issues. To quote lcamtuf:
In contrast, my view of enterprise security isn’t nearly as optimistic. The purported basics — meaningful asset inventories, privilege reduction, comprehensive access control — are unsolved problems. It doesn’t matter how much you care: there’s no product or policy that lets you address these challenges at scale.
WHY? When we only need a few dozen?!
10,000 Cybersecurity Products (The Security Industry)
Water water everywhere, but not a drop to drink

For our “story #5” this week, I bring you an exciting article from Richard’s company, IT-Harvest. According to their research, there are now officially over 10K products and 3,764 companies in the cybersecurity market. Creating what Richard and the team have built is extremely time-consuming and difficult, and the output is highly valuable to many constituencies in and around cybersecurity. However, the CISO shouldn’t be one of them.

CISOs today are absolutely overwhelmed with the number of products they currently operate and maintain. Why would it matter to them if there are 1,000 or 10,000 available products? They want to buy as few products as possible to achieve their goals. I wish the research actually said something like, “Here are the 5-10 products that will move the needle when building a security program at an enterprise company.” That is research worth paying for!
Side note: how do you remove companies and products that die from the database?
Quick Hits and Hidden Gems
Massively Popular Safe Locks Have Secret Backdoor Codes (404Media) - Not new news, but more widespread than thought. Certified pre-owned safes!
"Platform", "Consolidation" & "Platformization" (Pramod Gosavi) - Investor at 11.2 Capital calls out the differences between a platform and just consolidation. Pramod always has excellent views on these types of topics.
Risky Biz News: NIST NVD stopped enriching CVEs a month ago (Risky Biz) - This story is a big one. Lots of systems rely on the NVD as the authoritative source for enriched vulnerability data (CVSS scores, CWEs, and affected-product CPE configurations). If it were to be dissolved, there would be a massive problem. Luckily, the company VulnCheck is well-positioned to take over for the flailing NVD. Go get ‘em VulnCheck crew… we need you!
Death Knell of the NVD? (Resilient Cyber) - Chris Hughes wrote up a killer article with great details on the NVD debacle. Check out his detailed piece.
Security needs to be build again (Frankly Speaking) - Isn’t a field CISO just a specialized badass sales engineer? Someone educate me on this one.
Microsoft Says Russian Gov Hackers Stole Source Code After Spying on Executive Emails (SecurityWeek) - We all knew that the email hack announcement wasn’t the end… we’ve only just begun here!
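Since the two NVD quick hits above boil down to “is the data I’m consuming actually enriched?”, here is a small check a practitioner can run over an NVD API 2.0 page to flag records NIST has not finished. This is an added example written for this issue; it is not code from Risky Biz, Resilient Cyber, VulnCheck or NIST. It assumes the NVD API 2.0 JSON layout (a top-level `vulnerabilities` list whose items carry a `cve` object with `id`, `vulnStatus`, `metrics`, `weaknesses` and `configurations`, with NIST’s own metric entries carrying the source `nvd@nist.gov`); the sample page, its `CVE-EXAMPLE-*` IDs and the `cna@example.org` source are constructed placeholders, not real NVD data.

```python
"""Flag NVD CVE records that NIST has not yet enriched.

Added example for this newsletter, not code from Risky Biz, Resilient Cyber,
VulnCheck or NIST. Assumes the NVD API 2.0 JSON shape described in the lead-in;
the sample page below is constructed with placeholder IDs.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

NIST_SOURCE = "nvd@nist.gov"
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


@dataclass
class EnrichmentReport:
    cve_id: str
    status: str                      # NVD vulnStatus, e.g. "Awaiting Analysis"
    missing: list[str] = field(default_factory=list)
    cna_cvss: bool = False           # a CNA scored it even though NIST did not

    @property
    def enriched(self) -> bool:
        return not self.missing


def check_record(cve: dict) -> EnrichmentReport:
    """Report which NIST enrichment (NIST CVSS, a CWE, CPE configs) is absent."""
    report = EnrichmentReport(cve.get("id", "?"), cve.get("vulnStatus", "unknown"))

    metric_entries = [m for key in CVSS_KEYS
                      for m in (cve.get("metrics") or {}).get(key, [])]
    if not any(m.get("source") == NIST_SOURCE for m in metric_entries):
        report.missing.append("nvd-cvss")
        # During a backlog the CNA's score is often the only one present.
        report.cna_cvss = bool(metric_entries)

    cwes = [d.get("value", "") for w in cve.get("weaknesses") or []
            for d in w.get("description", [])]
    # "NVD-CWE-noinfo" / "NVD-CWE-Other" carry no real weakness, so they don't count.
    if not any(v.startswith("CWE-") for v in cwes):
        report.missing.append("cwe")

    if not cve.get("configurations"):
        report.missing.append("cpe")
    return report


def summarize(response_json: str) -> dict[str, list[str]]:
    """Map every CVE ID in an API page to the enrichment fields it lacks."""
    data = json.loads(response_json)
    reports = (check_record(item["cve"]) for item in data.get("vulnerabilities", []))
    return {r.cve_id: r.missing for r in reports}


# Constructed sample page (placeholder IDs, invented content) mirroring the
# API 2.0 layout; not real NVD data.
SAMPLE_PAGE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-EXAMPLE-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": NIST_SOURCE, "type": "Primary",
                                            "cvssData": {"baseScore": 7.5}}]},
             "weaknesses": [{"source": NIST_SOURCE, "type": "Primary",
                             "description": [{"lang": "en", "value": "CWE-79"}]}],
             "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                                            "cpeMatch": [{"vulnerable": True,
                                                          "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-EXAMPLE-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "weaknesses": [], "configurations": []}},
    {"cve": {"id": "CVE-EXAMPLE-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                            "cvssData": {"baseScore": 9.8}}]},
             "weaknesses": [{"source": "cna@example.org", "type": "Secondary",
                             "description": [{"lang": "en", "value": "CWE-89"}]}]}},
]})


if __name__ == "__main__":
    for cve_id, missing in summarize(SAMPLE_PAGE).items():
        state = "enriched" if not missing else "missing " + ", ".join(missing)
        print(f"{cve_id}: {state}")
```

The point of separating `nvd-cvss` from `cna_cvss` is that a record can carry a CNA-supplied score and still be unenriched by NIST; a vulnerability-management pipeline that only checks “is there a CVSS field?” will miss exactly the records the backlog affects, while the absent CPE configurations are what breaks asset matching.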
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!