The Cyber Why: What We Read This Week...
... and why you should too! (2/16/24)
Happy President’s Day weekend y’all! In this week’s TCW, Rick and I discuss lucid dreaming work sessions, Canada's need to say “soooorry” to Flipper Zero, workplace loyalty myths, the use of AI by state-affiliated actors, and the effectiveness of Super Bowl ads for cybersecurity firms. In the Quick Hits section, we navel gaze on self-destructing USB sticks, Wi-Fi jamming burglars, and MORE!
As we continue to trickle through 2024, like the Chiefs through the Niners, we hope to improve our service to you significantly! If you like what you see, please let us know in the comments! Your feedback helps us refine our content. Also… find me on Twitter or LinkedIn and say hello - I need the public acceptance affirmation! Now on with the show!
Lucid Dreams - NOPE, I’ll Pass
Lucid dream startup says people can work in their sleep (The Independent)
Can lucid dreaming be dangerous? New research suggests lucid dreaming is generally a safe and positive experience (PsyPost)
This story sounds more like a science fiction movie than a current Silicon Valley startup. A cutting edge technology by the company Prophetic, called “Halo,” is designed to allow the wearer to have lucid dreams. For those who don’t understand the term, lucid dreams are when the wearer is in a sleep state and dreaming but is entirely in control of their dream and can move around and execute their active thoughts. The maker is billing the device as a “non-invasive neurostimulation device” that offers “the ultimate sandbox for divergent problem-solving.” This sounds like a whole lot of spin and hot garbage to me. If the average human being got a hold of the ability to control their dreams and live in a trance-like state, you can bet your bottom dollar that they would abuse the heck out of it. If the technology actually works, I can easily see users going to dark places and making deplorable decisions, resulting in deep addictions. Imagine being able to control your surroundings in any way that you want - essentially playing god in a make-believe world that feels completely real to you. I’m hoping this technology never sees the light of day.
Note: The researched counterpoint to my opinion is linked in the PsyPost article. It’s worth reading to hear the actual research behind lucid dreaming.
Canada Bans Flipper Zero - Say You’re SORRY!
Canada to ban the Flipper Zero to stop surge in car thefts (Bleeping Computer)
When the news on this article broke, all of the #oldheads that I know were up in arms. “Canada is trying to ban the Flipper Zero because it can be used to steal cars!” The news reminded me of the late 90s when The L0pht released the Back Orifice 2k remote access system. There was a massive uproar because you could install BO2K onto any computer and have complete remote control of the target system. However, at the same time, other remote control applications were billed as “IT support tools” and weren’t getting the same kind of vitriol from the press. The Flipper Zero is nothing more than a piece of technology that can be used for good and bad purposes. Technology isn’t inherently BAD. The risk is in the user's intent. Hammers can be used to drive nails into wood, or they can be used to kill someone - should we ban all hammers from Canada as well? I really thought we had learned some things over the years about how to treat technology, but I guess that hope was misguided. By the way, I can put all of the same technology into USB ports on my computer. Should we use computers from import? It’s a slippery slope. You better apologize, CANADA!
Loyalty? There’s No Such THING!
What I got wrong about loyalty at work (Business Insider)
Imagine thinking you're stirring the pot by calling out the “young kids” for their lack of loyalty, only to get schooled by a chorus of Gen Xers and Boomers, all singing the "been there, done that, got the corporate betrayal T-shirt" anthem. The article hit a nerve, becoming a complete bitch session for angry workers across the age spectrum.
It turns out that the real divide isn't between the young rebels and the supposedly loyal old guard but between those clinging to the dream of a bygone era of workplace loyalty. The reality of today's "every man for himself" corporate jungle was surprisingly unsettling to the reader. Go FIGURE?! A deep dive into workplace bitching that ended up uniting the generations in a collective eye-roll at the state of corporate America. Bosses, be DAMNED!
Of Course State-Affiliated Actors Are Using LLMs
Staying ahead of threat actors in the age of AI (Microsoft Threat Intelligence)
Disrupting malicious uses of AI by state-affiliated threat actors (OpenAI)
(Rick pick) Microsoft is in the news again this week. Fortunately, it's not because senior leadership emails have been pwned again. This week, MS and OpenAI published joint research on five state-affiliated malicious actors (2x China, 1x Iran, 1x North Korea, 1x Russia) that have used OpenAI's services. "These actors generally sought to use OpenAI services for querying open-source information, translating, finding coding errors, and running basic coding tasks." I particularly liked the breakdown of the LLM-themed TTPs in the Microsoft blog:
LLM-informed reconnaissance
LLM-enhanced scripting techniques
LLM-aided development
LLM-supported social engineering
LLM-assisted vulnerability research
LLM-optimized payload crafting
LLM-enhanced anomaly detection evasion
LLM-directed security feature bypass
LLM-advised resource development
First, this research gives a good breakdown of LLM-themed tactics, techniques and procedures (TTPs), which is helpful as defenders are interested in how threat actors leverage LLMs. We aren't quite ready for AI on AI cyber battles (yet). Second, it illustrates how LLMs lower the barrier to entry for those targeting our networks. LLMs make the jobs of state-affiliated actors, criminals, and even hacktivists easier. Some pundits have said bad actors don't need to leverage LLMs - their jobs are already easy enough. I don't see it this way. Threat actors are always looking for ways to be more efficient and reduce their costs. It’s all about the benjamins. Finally, the research provides a view into the tip of the adversarial AI usage iceberg. These countries have the technical capability to run private LLMs based on their training data without any restrictions.
Are Super Bowl Ads WORTH IT in Cyber?
Crowdstrike The Future: Extended Cut (YouTube)
CrowdStrike's Super Bowl ad is a direct descendant of the HBO show "Westworld." Cyber and the Wild West is a super weird mashup, but it somehow grabs your attention (#winning). Yet, let's be real, the average Super Bowl viewer, fueled by chicken wings and the anticipation of Taylor Swift's next wine glass chug on the jumbotron, probably missed the finer points of the cybersecurity advertisement (#losing). Picture CrowdStrike spending a small fortune, hoping to woo tech skeptics in a crowd more interested in Travis Kelce’s next public outburst than laser beam-toting robot outlaws (O_o). Here’s the kicker, though - the entire cyber world was talking about the advertisement the entire next week, making the brand impact massive (#massive_winning). This might end up being a huge positive for the CrowdStrike brand over time - we can only wait and see!
Note: For what it’s worth, the cinematography and visuals were outstanding. Kudos to the creative team on that front!
Quick Hits and Hidden Gems
Lyft CEO Apologizes For $2B Typo (LinkedIn) - Talk about a major oops! A typo generated $2B of market cap growth for Lyft last week. Too bad it wasn’t legit!
Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries -- smart security systems vulnerable as tech becomes cheaper and easier to acquire (Tom’s Hardware) - The main takeaway from an article with a title that’s too long is: I can’t believe we found a use for Wi-Fi jamming! Good on ya, criminals!
New USB stick has a self-destruct feature that heats it to over 100 degrees Celsius — a secret three-insertion process needed to unlock data safely (Tom’s Hardware) - This one also has a super long title. Insert the USB drive three times rapidly, or it will LITERALLY melt and die, deleting all stored data. WOW!
We're at a Pivotal Moment for AI and Cybersecurity (Dark Reading) - A pretty good view into why now is the “red-flag” moment for cybersecurity and AI.
The Cybersecurity World Needs MORE Founders (Ross Haleliuk) - A great thread from top cyber luminaries on how security engineers + product people + business people can make a trifecta of perfect startup founders.
The Sudden Repricing of Startups in Early 2024 (Tomasz Tunguz) - AI-leaning businesses are fetching 3x valuations and are expected to go 63% faster than non-AI-enabled companies.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!