The Cyber Why: What We Read This Week...
... and why you should too! (5/24/24)
After a few weeks of slow cyber news, we’ve had a complete turnaround of great content. This week, it was impossible to pick the top stories, let alone which ones make the top 5 for you. The quick hits are so interesting that reading every article we reference in this email should be mandatory.
This week in The Cyber Why, we cover the latest cyber drama around VulnDB and CVE, the turf war brewing between MS and Google, an increase in ICS risk, privacy impacts of wifi location tracking, and a chest-thumping-worthy (NSFW) performance by Matt McConaughey for an SFDC commercial. Have a great holiday weekend - we hope you enjoy this week’s newsletter!
Get An Automated Security Buddy with DryRun Security
DryRun Security performs automated and seamless security code reviews in seconds. Devs love it because they get actionable security advice without all the noise, and AppSec loves it because every code change is reviewed for risk.
DryRun uses a proprietary Code Review Inquiry Methodology on LLMs to deliver results to developers in just a few seconds. Try it yourself and install DryRun Security, or book a spot for a quick 15-minute demo today.
100K VulnDB Vs CVE Cage Match
VulnDB Uncovers 100,000+ Hidden Vulnerabilities Beyond CVE (Flashpoint)
LinkedIn Thread on Vulnerability Disclosure, VulnDB and CVE (Ben Edwards)
What an absolute dumpster fire of name-calling, mean comments, and throwing shade at each other. I took the time to read through both posts and threads, along with all associated comments, and all I can say is WTF. Can’t we do better when it comes to working together to make the world a safer place? With a (let’s be truthful here) slightly clickbait-style title, Flashpoint released a report stating that they now had cataloged 100K more vulnerabilities in VulnDB than CVEs that are currently published. This torqued a subset of cybersecurity researchers and vulnerability hunters as they attacked Brian Martin and the team at Flashpoint for “not publishing” these vulnerabilities as CVEs themselves. Brian made a great argument that every vulnerability within the VulnDB is already publicly known and that CVE is notoriously bad at keeping up with publishing vulnerabilities based on the fact that it’s an inbound model - they don’t search for known vulnerabilities, instead letting the details come to them. If you have an hour or two to kill, I recommend reading these threads, as they will help you to understand exactly how broken the vulnerability database world is today. There has to be a better way!
Note: I don’t have an opinion on either side of this equation. I just wish the debate and discourse could be civil so that we can actually improve security instead of merely maintaining what little we’ve achieved over the last two decades.
Google Announces a Turf War for the Productivity Suite Market
Google Pitches Workspace as Microsoft email Alternative, Citing CSRB Report (Dark Reading)
Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft (Security Week)
(Katie pick) Earlier this week, Google took advantage of an opportunity to grow its online productivity suite business — Workspace. In the wake of a publication by the US Cyber Safety Review Board (CSRB), which noted the many vulnerabilities and known exploits in Microsoft Exchange Online environments, Google executives touted how businesses could achieve a safer online environment and a reduced attack surface by switching to Workspace.
Microsoft has received tons of criticism over the years for security issues in its offerings. In fairness, when your company has the greatest number of deployments worldwide, the target on your back is bigger. That said, if you have the largest account base, there is an argument for “do better.”
Google has made strides in the business world over the years; start-ups and cloud-native organizations have primarily switched to GSuite. As someone who has only worked in startups for the last 6 years, I say, “Microsoft, who?” (Only kidding. Word for the win.) While Google has many great features and is highly user-friendly, they must improve Slides to be competitive (not actually kidding). Further, Google will likely have to continue battling the perception that Microsoft is for “more serious” businesses, including the US government.
Ah, isn’t competition “suite”?
Threat Actors Increase Pressure on ICS
Rockwell Automation Urges Customers to Disconnect ICS From Internet (SecurityWeek)
Rockwell Automation Warns Admins to Take ICS Devices Offline (Bleeping Computer)
Rockwell Automation Warns Admin to Disconnect from Internet (Cybersecurity News)
(Katie pick) Rockwell Automation issued an urgent warning to its industrial control systems (ICS) customers — Inventory and control your asset environment.
According to the notice, the company is concerned about the potential for increased attacks against ICS due to “heightened geopolitical tensions.”
Basic security hygiene is (or should be) critical to all businesses, yet these foundational processes are often overlooked or unattended. In the case of ICS and Rockwell’s programmable logic controllers (PLCs), the company is concerned that customers may have risky assets configured to the public-facing internet — though they shouldn’t be. According to an article on SecurityWeek, “A Shodan search for ‘Rockwell’ currently returns more than 7,000 results, including thousands of what appear to be Allen-Bradley programmable logic controllers (PLCs).”
Rockwell, alongside CISA, has provided guidance for customers on how to identify exposed assets and recommendations for triage and remediation, including some of the most urgent, listed here:
Importantly, simply identifying risky assets isn’t enough. Rockwell highlights the need to patch vulnerable systems immediately (when/if a patch is available) and continuously monitor for suspicious and/or anomalous activity.
Yes, Your Apple Device is Tracking Your Location
Why Your Wi-Fi Router Doubles as an Apple AirTag (Krebs on Security)
(Katie pick) In the eyes of some buyers, the Apple operating ecosystem is the most secure. Especially in the early days of smartphones, cybersecurity experts touted Apple’s advantages over other brands. Today, cybersecurity experts rally behind the company, often citing the “strict” vetting process in the App Store.
However, on deeper analysis, Apple allows for more precise geolocation than its rivals, opening up interesting privacy risks.
In a recent article, KrebsOnSecurity reveals Apple’s process for collecting (and sharing) location data. If you care at all about privacy, you should be concerned. But don’t worry; in 2023, Apple released an under-the-radar patch for users to keep their devices’ precise location private. This is excellent for tech users and slightly savvy non-tech users. The rest of the iOS consumers will remain blissfully unaware of the exposure and incapable of changing their settings.
And by the way, researchers at the University of Maryland could track specific movements of military personnel in Ukraine, essentially allowing them to understand when and where an attack was being planned. In the wrong hands, weaponized geolocation via basic cell phone settings and wifi could prove disastrous.
Well, AI-right AI-right AI-right - AI Privacy w/ MM
Story #5: “Out here in the AI Wild West, bad guys only want one thing - your customer data!” The last time we saw a cybersecurity ad campaign tackle the Wild West, we got this gem: CrowdStrike tames cybersecurity Wild West in a new Super Bowl commercial. If that isn’t enough to make you think twice about buying cybersecurity technology, we also have this one from Palo Alto Networks: This is Precision AI with Keanu Reeves.
Similarly, Salesforce has decided to get ahead of the AI data collection story and put out a preemptive advertising strike stating that they are smarter and safer with your data regarding AI. Check out this series of half a dozen of the best cybersecurity ads I’ve ever seen (albeit the quality bar is quite low!). Enjoy…
Quick Hits and Hidden Gems
Kevin Mandia Stepping Down As CEO At Google-Owned Mandiant (CRN) - It’s the end of an era. Two decades after its founding, Mandiant CEO Kevin Mandia is stepping down. Good luck on your next adventures, Kevin!
CyberArk acquires Venafi for $1.54B, integrating human and machine IAM (SC Magazine) - Identity is a BIG DEAL... a $1.5B BIG DEAL, to be exact.
"I was forced to hire legal counsel," actress Scarlett Johansson responds after Microsoft partner OpenAI 'clones' her voice for ChatGPT (Windows Central) - ScarJo doesn’t like people stealing her voice. Good legal debate here.
CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules (Dark Reading) - Are rules real if they aren’t clear? 4 days to report a “material” breach. Sounds way too vague to be enforceable to me.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!