The Cyber Why: What We Read This Week...
... and why you should too! (09/5/23)
Robot-shaken cocktails or hand-poured drinks made by human beings? Six-mile walks through the desert with DJ Diplo and Chris Rock (I wonder if Diplo slapped him?), two of my old colleagues get major promotions, massive crypto theft based on LastPass vault hacks, and “ugh,” another major cyber vendor decides to spew on about “platforms.” All this and much more in this week’s edition of The Cyber Why!
Featured Sponsor - Next DLP
Stop Data Exfiltration & Expose Risky Behavior
The Reveal Platform by Next DLP instantly identifies risk, including malicious insider behavior, so you can quickly implement policies to secure sensitive data. You'll balance blocking with point-of-risk user training, all while your business keeps humming. Born and built in the cloud, it's data loss prevention at the heart of a modern security ecosystem. nextdlp.com
Burning Man Floods Out
Tens of thousands at Burning Man stuck in the mud (CNN)
Death Confirmed at Burning Man Festival as Rain Turns Desert to Mud (WSJ)
20+ Collection of Burning Man Memes 2023 (Guide for Geek Moms)
The Burning Man Fiasco Is the Ultimate Tech Culture Clash (Wired)
A celebration of community, art, self-expression, and self-reliance became an absolute nightmare last week as the annual Burning Man festival was flooded, shifting the terrain from sand into inches of mud and clay and stranding nearly 70,000 people in the middle of the desert. Every year, Burning Man is home to artists, makers, entrepreneurs, celebrities, and others who consider this popup city their playground for a week. I am certainly hoping that everyone gets out safely from the event, but I must admit part of me is like, “You went into the middle of the desert for a week - you kind of were asking for trouble from the jump!” I’ve never been a “Burning Man” type of person, but this video of DJ Diplo and Chris Rock finding a way out of the desert with a pickup truck full of random people made my day. I wonder if they could have made this a new version of “Carpool Karaoke?”
Famous Hackers Securing The World
The NCSC announces Ollie Whitehouse as the new CTO (NCSC.gov)
NCSC’s new CTO Ollie Whitehouse is a seasoned hacker (The Stack)
Famed hacker and Twitter whistleblower Peiter 'Mudge' Zatko is joining the Biden administration (The Washington Post)
Secrets of GCHQ's first cyber-attack revealed 20 years after it happened (Gloucestershire Live)
Two famous hackers have joined forces with their respective countries to help bring a new era of cybersecurity to bear. Ollie Whitehouse, formerly Group CTO of NCC Group, joins the National Cyber Security Centre as its new CTO, where he will help shape the UK’s national approach to cyber security. On the other side of the pond, Peiter ‘Mudge’ Zatko is joining the Cybersecurity and Infrastructure Security Agency to focus on helping software manufacturers bake security into the products they create. It’s incredible to see such great people with genuine positive intent make it to the highest levels of cybersecurity within their respective governments. Congratulations, Ollie and Mudge - best of luck securing the world. If you two can’t do it, I don’t know who can!
Robots Can Never Replace a Good Bartender
Robots are pouring drinks in Vegas. As AI grows, the city's workers brace for change (NPR)
Should the US implement a robot tax? (TechCrunch)
I recently took my family on a Mediterranean cruise. On this ship, the Symphony of the Seas, there was a robot bartender. Of course, my son and I ordered drinks from this emotionless robotic arm. I had to see what the buzz was all about. You ordered your drinks from an iPad with dozens of pre-designed cocktails to choose from. You could also order your drink by clicking on the different mixers, pour amounts, and desired liquors. When everything was said and done, the disembodied mechanical appendage poured, mixed, shook, and stirred your drink to perfection. We did the experience once - then we proceeded to sit at the Irish Pub next door, ordering pints of Guinness and tall ciders for the remainder of the trip. It was way more fun to interact with the bartenders and servers, discuss the day’s events, and debate news stories than it was to watch a robot jiggle around. Plus, the robot never gave us tasters, it never gave an extra splash of booze, and it never made us laugh. I’ll take the human experience any day!
Context-Infused Application Security
Competition is heating up in the AppSec market (Cybersecurity Market Perspectives)
How "Next Gen" AppSec startups are innovating (Cybersecurity Market Perspectives)
The AppSec space is near and dear to my heart. I’ve been in application security forever, including stints at @stake, Veracode, Sonatype, and a few others. I even covered application security for Forrester Research for a while. With this background in mind, I think it’s time we start thinking about application security in a fundamentally different way. We shouldn’t just think about “scanning to find vulnerabilities” or even “protecting our environment from attack.” Application security is entering a new era of “context-aware application security.” Specifically, it’s time we stop worrying about exploits and vulnerabilities in isolation and begin to analyze them in the context of the infrastructure configuration, the security capabilities and products already deployed, and the state of our security program. Let’s fix application security by looking at things more broadly and “in context!”
You Get a Platform! Everybody Gets a Platform!
CrowdStrike Delivers Strong Quarterly Results That Show Growing Cybersecurity Platform Adoption (Forbes - Rick Pick)
The platform wars are heating up. We highlighted Palo Alto Networks' earnings call slide deck a few weeks ago, laying out its vision. PANW announced plans to make its platforms "comprehensive & ubiquitous" and to be "delivering real-time security outcomes." "Platform" was mentioned 113 times on the call. Not to be outdone, CrowdStrike continued the earnings call platform bonanza: "platform" was mentioned 50 times during CrowdStrike's call. So, platforms are getting attention, and understandably so, but are they a new concept? No. Some might remember Symantec and McAfee duking it out to be the platform of choice back in the day, and neither company was able to build the one ring to rule them all. Are platforms going to kill startups? No. I understand the desire to have integrated solutions delivering outcomes, but since blue chip vendors aren't typically agile or innovative, there will always be a need for disruptive startups to solve problems in unique ways.
Crypto Theft - Result of LastPass Breach
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (Krebs)
When supposedly secure password vaults get hacked, things get bad. We are just now beginning to see the results of a breach in 2022 that resulted in the theft of over 25M encrypted LastPass vaults. The vaults are encrypted with a key derived from each user's master password, so a stolen vault is only as strong as that master password and the cost of the key derivation: an attacker holding the blob can guess master passwords offline with no lockout or rate limit, and older accounts were left on a very low PBKDF2 iteration count. Security researchers fear that a subset of these vaults have already been broken open and the cryptocurrency seed phrases stored inside them harvested. There has been a string of crypto thefts recently where the only unifying factor is that the victims all kept their seed phrases in LastPass vaults that may have been stolen during this breach. That sounds slim on evidence, but Krebs interviewed researchers who have traced the stolen funds and can show with high confidence that compromised seed phrases are at fault here. The takeaway is this: change all your passwords, set a long, unique master password and raise your vault's PBKDF2 iteration count to the current recommendation, move any crypto to new wallets with freshly generated seed phrases (an exposed seed can't be "reset," only abandoned), and pray LastPass doesn’t screw up again!
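To make the offline-cracking point concrete, here is an added example, written for this newsletter rather than taken from LastPass or from the Krebs article. It builds a constructed "vault" whose key is PBKDF2-HMAC-SHA256 over the master password (LastPass did use PBKDF2-SHA256 with the account e-mail as the salt; the two iteration counts, 5,000 for legacy accounts and 600,000 as the later default, are the figures discussed around the breach), then runs a dictionary attack against the stolen blob and times one guess at each cost. The wordlist, salt, stored secret and the XOR-with-keystream demo cipher are all constructed assumptions for the demo, not LastPass's format.

```python
"""Offline attack on a stolen password-vault blob: why master-password strength
and PBKDF2 cost are the only things standing between the thief and the seed phrase.

Added example, not LastPass code. Assumptions are labelled inline.
"""
import hashlib
import hmac
import time

LEGACY_ITERATIONS = 5_000      # PBKDF2 count left on old LastPass accounts (per reporting)
CURRENT_ITERATIONS = 600_000   # later default; also the OWASP figure for PBKDF2-SHA256


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault encryption key = PBKDF2-HMAC-SHA256(master password, salt, iterations)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _mask(key: bytes, data: bytes) -> bytes:
    """Constructed demo cipher: XOR with a SHAKE-256 keystream (a real vault uses AES).
    The attacker's work is in derive_key either way, so this keeps the example short."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def make_vault(master_password: str, salt: bytes, iterations: int, secret: bytes) -> dict:
    """What the thief walks away with: salt, iteration count, a keyed check value
    (so a client can tell a wrong master password from a corrupt blob) and ciphertext."""
    key = derive_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check,
            "ct": _mask(key, secret)}


def crack_vault(vault: dict, candidates):
    """Offline dictionary attack. Every guess costs exactly one PBKDF2 derivation at
    the vault's own iteration count; nothing else slows the attacker down (no server,
    no lockout, no rate limit). Returns (password, plaintext, guesses_made)."""
    guesses = 0
    for pw in candidates:
        guesses += 1
        key = derive_key(pw, vault["salt"], vault["iterations"])
        check = hmac.new(key, b"vault-check", "sha256").digest()
        if hmac.compare_digest(check, vault["check"]):
            return pw, _mask(key, vault["ct"]), guesses
    return None, None, guesses


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one candidate at a given iteration count on this machine."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("benchmark-password", b"benchmark-salt", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed wordlist and victim data; the "seed" is placeholder text, not a mnemonic.
    wordlist = ["password", "letmein", "Summer2022!", "hunter2", "Tr0ub4dor&3"]
    seed = b"placeholder seed words: w01 w02 w03 w04 w05 w06 w07 w08 w09 w10 w11 w12"
    legacy_vault = make_vault("Summer2022!", b"victim@example.com", LEGACY_ITERATIONS, seed)

    pw, plaintext, n = crack_vault(legacy_vault, wordlist)
    print(f"legacy vault cracked after {n} guesses: master password {pw!r}")
    print(f"recovered secret: {plaintext.decode()}")

    low = seconds_per_guess(LEGACY_ITERATIONS)
    high = seconds_per_guess(CURRENT_ITERATIONS)
    print(f"{LEGACY_ITERATIONS:>7} iterations: {1/low:8.0f} guesses/s on one core")
    print(f"{CURRENT_ITERATIONS:>7} iterations: {1/high:8.0f} guesses/s on one core "
          f"(~{high/low:.0f}x slower per guess)")
```

The iteration count only multiplies the attacker's cost; it never makes a guessable master password safe. A password that falls to a five-word list falls at 600,000 iterations too, just 120 times later, which is why the advice above is both: a long master password and the higher cost.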
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!