The Cyber Why: What We Read This Week...
... and why you should too! (3/3/2023)
Happy Friday from your favorite authors at The Cyber Why. Today is going to be one of those days when an afternoon bourbon and some beef jerky sustains me through the grueling grind of my day-to-day work effort. It’s a long day and a long weekend ahead… keep on crushing it out there, the juice really is worth the squeeze!
In The Cyber Why this week we discuss Wiz’s massive fundraising round, the LastPass breach, regulators saying NO to Elon’s BRAIN CHIP, whether the VC space is ripe for disruption, and the herd mentality of high-tech layoffs. All this and more from Rick Holland and myself in this week’s newsletter!
Cloud Security Firm Wiz Raises $300 Million at $10 Billion Valuation (Security Week)
Woo doggy! What a “wiz”-bang of a raise this one is. The total amount of money raised by the self-proclaimed “fastest-growing software company EVER” is staggering. A whopping $900 MILLION was invested into Wiz in the last ~24 months. Don’t get me wrong, I’m sure that Wiz has done an amazing job growing revenue and building products in those two-plus years, but to raise nearly $1B to build a business in the modern era is just plain crazy. In August of last year, Wiz was at $100M ARR. Even if we assume they grew 50+% in the two quarters since, is that revenue value plus growth rate worth a valuation of $10B smackeroos!? My guess is this valuation is about 55x revenue (major assumptions here). Wiz has just put itself into a position where there is only one option going forward: IPO or bust.
Biden-Harris Administration Announces National Cybersecurity Strategy (White House - Rick pick)
In May 2021, the Biden Administration released the "Executive Order on Improving the Nation's Cybersecurity." On Thursday, the Biden Administration announced the much anticipated National Cybersecurity Strategy. There are five pillars to the National Cybersecurity Strategy.
Defend Critical Infrastructure
Disrupt and Dismantle Threat Actors
Shape Market Forces to Drive Security and Resilience
Invest in a Resilient Future
Forge International Partnerships to Pursue Shared Goals
One part that stands out is pillar three and the desire to shift software liability to vendors. "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities." I agree with this concept; however, this is a strategy document, and other mechanisms would be required to enforce this approach. The proof will be in the pudding. If you think you can stay awake, you can download the entire thirty-nine-page strategy here.
Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 (Krebs on Security - Rick pick)
It's tough to justify remaining a T-Mobile customer. T-Mobile is the WordPress of mobile carriers. (WordPress is one of the most vulnerable and targeted pieces of software for those who don't know.) On the heels of the deadline to participate in the $350 million class action settlement from their August 2021 data breach, T-Mobile disclosed yet another data breach on January 19th. To add insult to injury, this week, Brian Krebs wrote, "Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022" for the purposes of SIM swapping. I know there is one thing I’d like them to stop.
LastPass says employee’s home computer was hacked and corporate vault taken (Ars Technica - Rick pick)
LastPass continues to reel from its recent intrusion. On Monday, the company provided more information. This announcement included the most detail the company has offered to date, which is better late than never from a PR perspective. Initial access was "accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gained access to the DevOps engineer's LastPass corporate vault." This engineer was one of four people with access to that corporate vault.
How data breaches affect stock market share prices (Comparitech)
If you love math you are going to love this article. I’ve been saying for over a decade now that it doesn’t really matter if you get breached from a stock perspective. I never did the math behind the statement so, of course, I couldn’t prove anything. Well, someone less busy than myself finally went ahead and did the deep analysis. The results… You guessed it… In general, breaches do not materially affect the stock price! There are lots of other data cuts in the research that you SHOULD geek out to, but the tl;dr is that when odd outliers are removed, breaches don’t mean shit to company valuations.
Regulators say NOPE to Elon’s brain chip. (Reuters - Rick pick)
Another week, another Elon story. The Food and Drug Administration denied Neuralink's brain-machine interface human trial application request this week. "The agency's major safety concerns involved the device's lithium battery; the potential for the implant's tiny wires to migrate to other areas of the brain; and questions over whether and how the device can be removed without damaging brain tissue.”
Elon’s wires migrating around your brain, cool. Speaking of cyberpunk, Tyler claims Keanu is "one of the worst actors in Hollywood." I wholeheartedly disagree and point to 1995’s Johnny Mnemonic, where Keanu, a “data courier, literally carrying a data package inside his head, must deliver it before he dies from the burden or is killed by the Yakuza.” WHOA!
Editor’s (Tyler’s) Note: Canoe sucks. BUT … it’s a little-known fact that I worked at one of the world’s first VR helmet companies in 1994/1995. The VFX-1 was way ahead of its time and was actually worn by Canoe in this crappy Mnemonic movie.
Miss a Car Payment and Ford’s Patent Could Shut Off Your A/C. (Bloomberg - Rick pick)
Ford wants to be able to brick your car, so you better keep up with your payments. “According to the Ford patent application for repossession-linked technology, cruise control, and automated windows could be disabled if a consumer doesn’t acknowledge a notice of an overdue car payment. Ford could also shut down key fobs, door locks — even the accelerator or the engine itself.” I considered putting this story in the Cyber Security News section because, as you can imagine, if Ford does indeed develop this technology, it will be abused. Trolls could have some lulz with these capabilities.
Venture Capital Is Ripe for Disruption (Evan Armstrong)
In a world where a billion is a drop in the bucket, could we be seeing a time when the massively inflated venture capital funds of the world are ripe for disruption? While old (October 2022), this article describes a scenario where it may be the best time in history for smaller, more nimble venture firms to exist and win. I welcome feedback from any of my VC subscribers - slide into my DMs or hit me with a comment below!
I'm a Stanford professor who's studied organizational behavior for decades. The widespread layoffs in tech are more because of copycat behavior than necessary cost-cutting. (Business Insider)
In what might just be the worst headline ever written in history, a Stanford professor just released a piece of research explaining that the widespread layoffs occurring in tech are likely more because of copycat behavior than necessary cost-cutting. My zero-research-backed gut tells me he’s probably right. The more I talk to privately held company founders, the more I realize just how much of a massive herd mentality there is in high-tech. Much of this stems from CEOs and board members following “rockstar CEOs” in the private company world who take certain actions, and then blindly applying those same actions in their own businesses. Sadly, much of the time this is done without a deep understanding of the impact of the actions and the deltas between the businesses that may cause unique results. Please don’t be a sheep… make your own decisions on what’s right for your business.
If you’ve made it this far you either found my musings at least semi-entertaining OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that I appreciate you. Please do me a solid and share The Cyber Why with your friends. I would love to reach a bigger audience and referrals are how I’ll do it. Help me out and I’ll see you next week!