The Cyber Why: What We Read This Week...
... and why you should too! (2/9/24)
Another fun week in the books, and The Cyber Why team is at it again. This week, Rick and I get into a snarky sparring match, we discuss CISO investing and conflicts of interest, the mushy middle that is the future of VC, a deepfake video attack that stole $25M, a broad-based threat intel update, and a toothbrush-based botnet that wasn’t! All this and more in this week’s The Cyber Why!
The CISO’s guide to reducing the SaaS attack surface
Your workforce is adopting new cloud and SaaS tools all the time, which means your attack surface is constantly changing. Our CISO’s guide provides a strategic blueprint to reducing your SaaS attack surface, without slowing down the business.
CISO Cyber Investing - What Conflict Of Interest?!
CISOs and security leaders shouldn't invest in startups (Frankly Speaking)
Frank Wang is the lead security engineer at Headway and was formerly a venture investor with Dell Technologies Capital. He is uniquely positioned to speak about something I’ve been pondering for quite a while now: “CISOs should not invest in cybersecurity companies.” Frank argues that there are inherent conflicts of interest when CISOs and security leaders invest in companies whose products they then have to recommend, or evaluate for purchase, at their day job.
There’s actually a lot more to this story than Frank even gets into. It’s very likely to open one hell of a can of worms if some investigative journalist decides to dive into it in detail. It might be evident to you what Frank is articulating when he talks about the conflict of interest of a security leader recommending a purchase of a product he or she is invested in - forcing the purchase of a potentially subpar product. The other side to this coin is that if that same security leader doesn’t purchase a product for his employer that he has invested in, the signal to the market and follow-on investors is overwhelming and can also directly hurt the company! This is a no-win situation, and Frank does a great job explaining why security leaders must stay out of the cyber investing space.
The Mushy Middle of Venture Goes *POOF*
The Puritans of Venture Capital (Investing 101)
Contrary to the author's name - Investing 101 - this is undoubtedly NOT an Investing 101-level article. In this piece, the author goes into detail about the history of venture funds, the different types of venture funds and how venture partnerships actually work in modern times, how venture capital has bifurcated in recent years into fee-based and returns-based models, and finally the difference between agglomerations and specialist funds. WHEW, that was a mouthful! While this is a long and challenging read at times, all venture investors would do well to dive into the meat of this article. The key takeaway for those living and playing the startup and venture game daily is that the venture market must learn how to align incentives and innovate better. If it can’t, we will see many mushy-middle venture firms disappear.
If you are in the business of venture or find venture capital interesting, this one is a must-read.
Note: The older Rick gets, the mushier his middle gets. I hope he doesn’t go *POOF*
Deepfake Video Phishing - A Novel Attack
Deepfake video conference convinces employee to send $25M to scammers (SCMedia)
Continuing from our theme of deepfakes last week, another crazy story has hit the wire. In this piece, an elaborate spearphishing campaign using deepfakes resulted in over USD 25M being stolen from a Hong Kong-based company. Someone posing as the company’s CFO contacted the targeted employee directly and asked him to join an executive leadership team meeting. The entire executive team on that call was deepfake video, with the only “real” person being the targeted employee. After confirming the details of the required “secret transfers” over the video call itself, the employee shipped the cash to numerous bank accounts controlled by the attackers. The question at hand is, would you have caught this attack? I like to think so, but the current statistics may say otherwise. A report published last June showed that participants asked to distinguish between a deepfake and a real human video had only a 64% accuracy rate (OUCH!). Additionally, deepfake scams are becoming more common, with another report detecting a 3,000% increase in deepfake fraud attempts over the last two years. I predict this will become a very real issue that needs solving in the next year - someone get on this, please.
Rick: If someone sends deepfake 90s rapper Tyler to your door, DO NOT give him any money!
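The lesson a practitioner should take from the Hong Kong case is that what is said on a video call can never be the evidence that releases money: video and voice can be synthesized, so the confirmation has to come from a channel the requester does not control. Below is an added example (not code from The Cyber Why, SC Media, or the reports cited above) of a payment-release check that encodes that rule: the approver must be reached by a callback that the verifier dials to a number registered out of band, confirmation on the same call that made the request counts for nothing, large amounts need two verified approvers, new beneficiaries are blocked, and secrecy or urgency language forces a hold. The approver directory, account identifiers, thresholds and both scenarios are constructed for illustration.

```python
"""Added example: out-of-band verification policy for wire transfers.
Directory entries, account numbers, thresholds and scenarios are constructed."""
from dataclasses import dataclass, field

# Constructed directory: approvers and the callback numbers registered for them
# out of band (e.g. from HR records), never taken from the request itself.
APPROVER_DIRECTORY = {
    "cfo": {"name": "Chief Financial Officer", "callback": "+852-0000-0001"},
    "controller": {"name": "Financial Controller", "callback": "+852-0000-0002"},
}

# A request may arrive over these channels, but nothing said over them proves
# who is speaking: video and voice can be deepfaked, email and chat spoofed.
UNTRUSTED_CHANNELS = {"video_call", "voice_call", "email", "chat"}

SECRECY_MARKERS = ("secret", "confidential", "urgent", "do not discuss")


@dataclass
class TransferRequest:
    amount: float
    beneficiary_account: str
    requested_by: str        # directory key the requester claimed to be
    request_channel: str     # how the request reached the employee
    urgency_note: str = ""   # free-text framing that came with the request


@dataclass
class Verification:
    approver: str            # directory key of the person reached
    channel: str             # how they were reached
    callback_number: str     # number the verifier dialled
    initiated_by_verifier: bool  # verifier dialled out; did not answer a call-in


@dataclass
class Policy:
    dual_control_threshold: float = 10_000.0
    known_beneficiaries: set = field(default_factory=set)


def independent_approvers(verifications):
    """Approvers whose identity was confirmed independently of the request.

    Only a verifier-initiated callback to the directory-registered number counts;
    anything over an untrusted channel (including the requesting call) is dropped."""
    confirmed = set()
    for v in verifications:
        entry = APPROVER_DIRECTORY.get(v.approver)
        if entry is None or v.channel in UNTRUSTED_CHANNELS:
            continue
        if not v.initiated_by_verifier or v.callback_number != entry["callback"]:
            continue  # attacker-supplied numbers and inbound calls prove nothing
        confirmed.add(v.approver)
    return confirmed


def evaluate_transfer(req, verifications, policy):
    """Return (approved, reasons); every failing rule is listed, not just the first."""
    reasons = []
    approvers = independent_approvers(verifications)
    if not approvers:
        reasons.append("no independent out-of-band verification of the requester")
    elif req.requested_by not in approvers:
        reasons.append(f"claimed requester '{req.requested_by}' was not verified by callback")
    if req.amount >= policy.dual_control_threshold and len(approvers) < 2:
        reasons.append(f"amount {req.amount:,.0f} requires two verified approvers")
    if req.beneficiary_account not in policy.known_beneficiaries:
        reasons.append(f"beneficiary {req.beneficiary_account} is not a pre-registered account")
    if any(marker in req.urgency_note.lower() for marker in SECRECY_MARKERS):
        reasons.append("request demands secrecy or urgency; hold for manual review")
    return (not reasons, reasons)


def deepfake_scenario():
    """Constructed replay of the pattern in the story: the 'leadership call' is
    the only evidence, and the money goes to accounts nobody has seen before."""
    policy = Policy(known_beneficiaries={"HK-ACCT-0001"})
    req = TransferRequest(25_000_000, "HK-ACCT-9991", "cfo", "video_call",
                          "secret transfer, do not discuss outside this call")
    same_call_confirmation = [Verification("cfo", "video_call", "", False)]
    return evaluate_transfer(req, same_call_confirmation, policy)


def legitimate_scenario():
    """Same request, but the employee hangs up and dials two directory numbers."""
    policy = Policy(known_beneficiaries={"HK-ACCT-0001"})
    req = TransferRequest(25_000_000, "HK-ACCT-0001", "cfo", "video_call")
    callbacks = [Verification("cfo", "callback_phone", "+852-0000-0001", True),
                 Verification("controller", "callback_phone", "+852-0000-0002", True)]
    return evaluate_transfer(req, callbacks, policy)


if __name__ == "__main__":
    for name, fn in (("deepfake", deepfake_scenario), ("legitimate", legitimate_scenario)):
        approved, reasons = fn()
        print(name, "->", "APPROVED" if approved else "BLOCKED", reasons)
```

The design choice worth copying is that the check never asks "did the CFO confirm it?" but "did we reach the CFO at a number we already had, on a call we placed?" Everything the attackers controlled in the Hong Kong case, the meeting invite, the faces and voices on the call, the account numbers, is input to this function and none of it is evidence.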
Ransomware and Nation-State Threats Explode
Iran surges cyber-enabled influence operations in support of Hamas (Microsoft)
Buying Spying: How the commercial surveillance industry works and what can be done about it (Google)
Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline (Chainalysis)
Rick Pick - First, Microsoft's Threat Analysis Center released research on Iran's influence operations from October 7th through the end of last year. The research reads like a disinformation playbook for the 2024 US Elections. Next, a topic that many cyber security practitioners aren't following, as it's not in their threat models, is the commercial surveillance landscape. Google's Threat Analysis Group released detailed research on spyware deployed against "journalists, human rights defenders, dissidents, and opposition party politicians." You may have heard of NSO Group, but there are many more. Google is tracking around 40 similar groups. Finally, blockchain analysis firm Chainalysis released research on ransomware payments over 2023. It's not encouraging that the barriers to entry keep getting lower, and "ransomware gangs reached an unprecedented milestone, surpassing $1 billion in extorted cryptocurrency payments from victims." Who says crime doesn't pay? Sigh.
Tyler: deepfake 90s rapper Tyler actually looks like a ransomware operator showing off his extortion bling.
Brush Twice a Day To Hack The Planet
3 million smart toothbrushes were not used in a DDoS attack after all, but it could happen (ZDNet)
Millions of hacked toothbrushes could be used in cyber attack, researchers warn (Independent)
Rick Pick - Internet denizens were shocked to learn that a botnet of three million IoT toothbrushes launched a Distributed Denial of Service attack against a Swiss company. It turns out that the story wasn't true; the cybersecurity community questioned it and brushed it off. The DDoSing toothbrush scenario was apparently mentioned as a hypothetical example in an interview. Fortinet had to backtrack and state, "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears ... the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred." It is good to hear that Fortinet isn't researching toothbrushes when it should instead research vulnerabilities in its products. If you manage Fortinet devices, you know what I'm talking about. Malwarebytes won the Internet and took the crown with this blog post, "How to tell if your toothbrush is being used in a DDoS attack."
Quick Hits and Hidden Gems
So, Your CISO is a BITCH (CrankySec) - OMG, let’s go! I haven’t seen a rant site this good since Gobbles and the “antisec” movement 20 years ago! SO GOOD!
The private equity fund that only invests in barrels of whiskey (Axios) - DAMN IT! I’m late to this game. I’ve been buying barrels with groups for years now!
AI Security Posture Management (Wiz) - For the love of god why. AISPM, AI-BOM, Shadow AI, and AI-Pipeline Security. Acronym SOUP </barf>
Tired of cloud security alphabet soup? So am I (SCMedia) - This is a big problem. We have too many markets, too many tools, and too many acronyms. See the Wiz article above and understand why I believe consolidation is the future.
Gil Shwed stepping down as Check Point CEO after 30 years (Calcalist) - A real OG is stepping down. Will this be a positive or negative to CHKP? More risks need to be taken to compete with PANW. Time will tell!
Tesla Driver ‘Arrested’ for Driving With Apple Vision Pro Says It Was Just a ‘Skit’ (Gizmodo) - Don’t drink and drive, also don’t Tesla Autopilot and Apple Vision Pro and Drive.
Could Apple’s new Vision Pro headset make travel better? 6 things I learned from my demo (The Points Guy) - I’m a fan of The Points Guy, but this review is way off. This thing is going to bomb!
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!
I think this is my favorite part of this one (though there's a lot of great material in here): https://www.malwarebytes.com/blog/awareness/2024/02/how-to-tell-if-your-toothbrush-is-being-used-in-a-ddos-attack