The inability of an entity to withstand the adverse effects of a hostile or uncertain environment
Vulnerabilities in Samsung-produced chipsets may require you to remove the phone from your smartphone. Plus we learn about a bunch of new AI stories, including a company that can generate video based off text input. Plus a watchdog group in Germany brings accusations against Meta and German politicians. And more! See omnystudio.com/listener for privacy information.
The CI/CD pipeline is the backbone of the software development process, so it's critical to ensure you are meeting and exceeding the most critical security measures. Throughout this podcast, Tal Morgenstern, Co-founder and CSO of Vulcan Cyber, will break down the process of how organizations can properly secure a CI/CD pipeline into a checklist of four key steps, as well as offer a handful of tools and tactics security leadership can use to bake risk-based vulnerability management into their CI/CD pipelines. He will explain how securing your CI/CD pipelines alone is not enough to reduce the chances of cyber attacks, and the importance for organizations to maintain not only security at speed and scale, but quality at speed and scale. Finally, Tal will dive into how Vulcan Cyber helps organizations streamline security tasks in every stage of the cyber-risk management process, integrating with their existing tools for true end-to-end risk management. Segment Resources: https://vulcan.io/ https://vulcan.io/platform/ https://vulcan.io/blog/ci-cd-security-5-best-practices/ https://www.youtube.com/watch?v=nosAxWc-4dc Tap, tap - is this thing on? Why do defenders still struggle to detect attacks and attacker activities? Why do so many tools struggle to detect attacks? Today, we've got an expert on detection engineering to help us answer these questions. Thinkst's Canary and Canarytokens make catching penetration testers and attackers stupidly simple. Thinkst Labs aims to push these tools even further. Casey will share some of the latest research coming out of labs, and we'll ponder why using deception for detection isn't yet a de facto best practice. Segment Resources: https://canary.tools https://canarytokens.org https://blog.thinkst.com Finally, in the enterprise security news, we quickly explain the SVB collapse, a few interesting fundings, Rapid7 acquires Minerva (who? We'll explain), GPT-4 - what's new?, detect text written by an AI! Then, produce text that can't be detected as written by an AI! The K-shaped recovery of the cybersecurity industry, Software Security is More than Vulnerabilities, Microsoft Outlook hacks itself, Robert Downey Jr. gets into teh cyberz, & Reversing intoxication! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw309
While Spring4Shell, ransomware and attacks on critical infrastructure were the most severe attacks in 2022, the evolving trends in 2023 are around the rising power of AIs, the complexity and therefore misconfiguration of cloud native stacks, as well as social engineering challenges as part of the post-pandemic shift back towards the office. Tune in and learn from Stefan Achleitner, Lead Researcher Cloud Native Security at Dynatrace, about getting better at securing the software supply chain, understanding the impact of attacks and vulnerabilities, and why nobody should look away when it comes to detecting and preventing cyber security threats.
Vulnerabilities and security gaps are increasingly being identified in software and applications daily. Attackers are often quick to act when any vulnerabilities are made known - even within minutes. You may have heard of the term patching in cyber security, but what is it exactly, and how does it figure into an organization's security posture? WithSecure security consultants Katie Inns and Antti Laatikainen join us to discuss all things patching.
Two things to know today Recent AI Developments: OpenAI Offers Cheaper Integration, Microsoft Launches Kosmos-1, and new ChatBot Vulnerabilities AND Apple reportedly working on M3 iMac, Intel hints at Windows 12 Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/ Support the show on Patreon: https://patreon.com/mspradio/ Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com Follow us on: Facebook: https://www.facebook.com/mspradionews/ Twitter: https://twitter.com/mspradionews/ Instagram: https://www.instagram.com/mspradio/ LinkedIn: https://www.linkedin.com/company/28908079/
As the Chief Strategy Officer at Ericom Software, Dr. Chase Cunningham is a leading voice in cybersecurity. With his extensive experience in enterprise security and his nickname "Dr. Zero Trust," Dr. Cunningham is well-positioned to offer insights and advice to organizations looking to protect themselves from advanced security threats. One of the key points that Dr. Cunningham stresses is the importance of Zero Trust security. Zero Trust security is not just a "nice to have," but an essential component of modern cybersecurity. With businesses becoming increasingly digital and connected, their security threats are also growing. Dr. Cunningham explains that implementing Zero Trust security is a proactive way to reduce risk and ensure that sensitive information is protected from cyberattacks. Cybersecurity Threats and Vulnerabilities are also key areas of concern for Dr. Cunningham. He is currently seeing an increase in the use of ransomware and other cyberattacks, and he believes this trend will only continue in the future. As a result, businesses need to be proactive in their approach to cybersecurity, and they need to make sure that they are using the latest technologies and strategies to protect their assets. Another topic that Dr. Cunningham discusses is the recent rapid growth of ChatGPT. ChatGPT has gained 100 million users in just three months, a trend that will likely continue. However, with this growth comes an increased risk of cyberattacks, and Dr. Cunningham believes that organizations must be prepared for these challenges. Finally, Dr. Cunningham touches on the growing threat of Cyber Warfare. With so much global conflict and political tension, he believes that it's only a matter of time before we see an increase in cyberattacks carried out maliciously. This is why he stresses the importance of Cyber Forensic and Analytic Operations, which can help businesses understand the root causes of these attacks and take steps to prevent them in the future.
CISA adds three entries to its Known Exploited Vulnerabilities Catalog. "Hydrochasma" is a new cyberespionage threat actor. IBM claims the biggest effect of cyberattacks in 2022 was extortion. Social network hijacking in the C2C market. A credential theft campaign against data centers. LockBit claims an attack on a water utility in Portugal. Tim Starks from the Washington Post describes calls to focus on harmonizing cyber regulations. Our guest is Luke Vander Linden, host of the RH-ISAC Podcast. Disrupting Mr. Putin's speech, online, and what the hybrid war suggests about the future of cyber auxiliaries. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/35 Selected reading. CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA) Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia (Symantec) IBM Security X-Force Threat Intelligence Index 2023 (IBM) S1deload Stealer – Exploring the Economics of Social Network Account Hijacking (Bitdefender Labs) Cyber Attacks on Data Center Organizations (Resecurity) Hackers Scored Data Center Logins for Some of the World's Biggest Companies (Bloomberg) LockBit gang takes credit for attack on water utility in Portugal (The Record from Recorded Future News) Ukraine Suffered More Data-Wiping Malware Last Year Than Anywhere, Ever (WIRED) Ukrainian hackers claim disruption of Russian TV websites during Putin speech (The Record from Recorded Future News) Ukraine's volunteer cyber army could be model for other nations: experts (Newsweek) Ukraine's largest charity wants to raise $1.3 million for ‘cyber offensive' (The Record from Recorded Future News)
Pete: CSO and co-founder at Phylum, securing software supply chains beyond just known CVEs. Previously founded and led Clever Security, a security-focused R&D shop and consultancy. Ex-VP at Optiv and Accuvant. Check out the episode for our conversation on the range of vulnerabilities in the software supply chain and how major events like the Ukraine war can impact the public trust of open-source packages. Phylum.io
Episode 216. I dive into the uses of DMR, how they're frequently set up, and how that system is exploited. There's a smarter way to stand up communications systems in an unconventional warfare environment. The Guerilla's Guide to the Baofeng Radio is a #1 Bestseller! Nehemiah Strong discount code: SCOUT1 Radio Contra Sponsors: Civil Defense Manual Tactical Wisdom Blacksmith Publishing Radio Contra Patron Program Brushbeater Training Calendar Brushbeater Forum Palmetto State Armory Primary Arms
Some Git flaws you need to know about, we reflect on 10 years of Steam on Linux, and then dive into the much anticipated Plasma 5.27.
Watch the Service: To enable YouTube provided closed-captioning while viewing the service, click the “CC” icon on the bottom bar of your YouTube video player.
Quicky #12 is from Season 1, Episode 13: Create Your Own Sexual Rituals (with Paisley Heart) On this episode, I chat with entrepreneur, artist, and Shamanic practitioner, Paisley Heart. He embodies the hybrid archetypes of the Wild Businessman and Lifestyle Artist. Founder of the shamanic rite of passage event The Funeral and panel style podcast Curious Conversations, and previously such businesses as the holistic digital marketing agency DigiLove and Independent record label Fight Music - his gifts are unique and diverse. Paisley is known to prowl the mysterious shadow realms of business. With the flaming torch of innovation, he sets the normal and mundane ablaze with alternative business approaches. Combining his obsession with spirituality, artistic expression, nature, and ritual, he has made a strong impact on the music, social media marketing, and personal development industries. Paisley's unorthodox style has often been challenging for his clients and for professionals in the industry. Pushing against these paradigms has become a strong and recognizable brand he is proud of. Paisley has proven that he has a sharp eye in discerning who he works with and where he invests his creative magic. The accolades, achievements, and rapid growth shared between his clients, artists and business are a testament to his uniqueness and grit.
When he was a senior Pentagon official, Charles (or Chuck) Beames and his fellow military planners would speak forebodingly about “a day without space.” The nightmare scenario would involve a wide-ranging attack, kinetic or otherwise, on space systems, which could produce cascading communications and navigation failures for the armed forces (and wreak havoc on civilian technology systems as well). While that scenario hopefully never comes to pass, space is no longer a sanctuary nor uncontested higher ground. And securing civil, commercial, and military spacecraft is the order of the day. Today's episode is brought to you by Kepler Communications, a company bringing the internet to space. To learn more about Kepler and how they are modernizing space communications, visit https://kepler.space/
• Sneak peek •
On Pathfinder #0035, Chuck joins Ryan for a conversation on reconnaissance, security, and the growing cyber threat in space. Among other things, Chuck is the executive chairman of SpiderOak, a startup focused on shoring up the digital defenses of satellites, space networks, and the ground segment. The company recently raised a $16.4M Series C to develop, test, and fly OrbitSecure 2.0. SpiderOak employs two novel security approaches—zero-trust encryption and distributed ledger technology (DLT)—to secure space assets, along with the creation, communication, and management of data. OrbitSecure wraps up the company's design philosophy and latest defensive techniques into one offering. The product securely compartmentalizes data for complex, interconnected space infrastructure. That's important, per SpiderOak, because “today, the horizontal integration of ground stations, spacecraft, and payloads means you're trusting third parties with mission-critical data.”
Rest of the resume: Chuck is also the executive chairman of York Space Systems, a satellite manufacturer, and cofounder/chairman of the SmallSat alliance. In a past life, Chuck held executive positions in the Pentagon and served as the president of Vulcan Aerospace, where he oversaw $1B of AUM invested in space and tech initiatives and directed the Stratolaunch project. In one of his government posts, Chuck oversaw a $90B annual acquisition budget mostly focused on remote sensing, space-based communications, and orbital launch services. Lastly, Chuck served 23 years on active duty as an Air Force space and intelligence officer, and retired as a colonel.
• Chapters •
02:30 Chuck joins show
03:18 SpiderOak mission + raise
07:29 Waking up to cyber threat from peer/near-peer adversaries
09:14 Thoughts on the Chinese spy balloon?
12:10 Balance of offensive vs. defensive capabilities on orbit
15:44 Cybersecurity and the gray zone
17:22 Vulnerabilities of space systems
19:37 Should space have its own critical infrastructure designation?
21:12 A day without space
27:15 SpiderOak using COTS
32:09 The zero trust security framework
37:10 What's unique about cybersecurity in space (vis-a-vis terrestrial applications)
45:36 Max Q
49:01 Staying focused while dealing with diverse mission needs across military, commercial, and civil space
53:24 Chuck's hobby
• Show notes •
Chuck's Twitter — https://twitter.com/ChuckBeames
Bio — https://spideroak.com/executive-chairman/
Recent TV appearance — https://video.foxbusiness.com/v/6319232902112#sp=show-clips
OrbitSecure — https://spideroak.com/orbitsecure/
Ryan's socials — https://twitter.com/Ryandoofy / https://www.linkedin.com/in/rfduffy/
Payload's socials — https://twitter.com/payloadspace / https://www.linkedin.com/company/payloadspace
Pathfinder archive — Watch: https://www.youtube.com/playlist?list=PL_uY3GaNf67hP-i6TRWF2n06xMv1kdkZ6
Listen: https://pod.payloadspace.com/episodes
CISA adds to its Known Exploited Vulnerabilities Catalog. Cl0p claims responsibility for GoAnywhere exploitation. Victims mine for gold; attackers use pig butchering tactics. Hacktivists disrupt Iranian television during Revolution Day observances. Killnet claims a DDoS attack against NATO earthquake relief efforts. CyberWire UK Correspondent Carole Theriault asks what can we learn from the recent Roomba privacy snafu? Rick Howard looks at first principles we considered along the way. And can you name and shame the shameless? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/29 Selected reading. CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA) GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks (SecurityWeek) Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day (BleepingComputer) Fool's Gold: dissecting a fake gold market pig-butchering scam (Sophos) Iranian State TV Hacked During President's Speech on Revolution Day (HackRead) Russian hackers disrupt Turkey-Syria earthquake relief (The Telegraph) Hacking marketplace emerges from Killnet partnership, seeks pro-Russia donations (SC Media) Russian Government evaluates the immunity to hackers acting in the interests of Russia (Security Affairs) Russia's Ransomware Gangs Are Being Named and Shamed (WIRED)
Earn additional income by sharing your opinion on userinterviews.com!
Episode Resources:
Executive Order on Improving the Nation's Cybersecurity
Alpha-Omega Projects
Cybersecurity & Infrastructure Security Agency (CISA)
Tools to create SBOM
About Barak Brudo
Barak Brudo helps organizations secure their software supply chain. He works as a Developer Relations Advocate at Scribe Security.
Other episodes you'll enjoy
What developers should know about security
The Secret To High-Quality Code
Vulnerability disclosure with Katie Moussouris
On this week's Cyber Report, sponsored by Fortress Information Security, Jim Richberg, the former national intelligence manager for cyber who is now with cyber security firm Fortinet, discusses the cyber vulnerabilities of the nation's air travel system in which government, industry and the public all interact, how to improve security as the internet of things rapidly expands and more with Defense & Aerospace Report Editor Vago Muradian.
We continue our discussion with Nate Sheen and get into security assessments, testing, and other good things to do. These are the ways you can determine where vulnerabilities are and how to secure your systems and organization. The idea and cost of an assessment may seem too much for your organization. However, the ROI is substantial. It is that old idea of the value of peace of mind.
Security Assessments As A Proactive Move
No one wants to find out where they have allowed holes for hackers after the fact. That is where security assessments come in. They point out known weaknesses and gaps in our security. While these can be technical issues, Nate also talks about how a hacking organization can use non-technical means to get into secure systems. It is not just code and firewalls. We also need to be aware of the human factor in security.
A Little Background
Nate grew up in a closed community; his first friends were his siblings. He launched his first business not knowing anyone in the community. At 19, running his 2nd business, he started understanding how the business worked. While he had the nuts and bolts, he had no sales or networking experience. Nate spent his early 20s building a vast network in person and online. When he launched his 3rd company, which he owns today, he successfully built a solid corporation. Nate has worked through mental health issues with his struggles with depression and suicide. Further, he has dealt with financial trials that allow him to have a firm grasp on how to keep on going. Learn More about Nate at Trustastoria.com
His Story
Nate is the President and Owner of Astoria, founded in 2015. Astoria is an Ohio-based Cyber-Security Agency. Nate has discovered through managing cyber-security that there is a mental health aspect. The health of individuals and businesses is linked to Cyber-Security.
Nothing can be hidden from Christ Jesus who knows our struggles. You are never alone.
Cisco patches a command injection vulnerability. NIST issues antiphishing guidance. HeadCrab malware's worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that's launched a war on commerce against U.S. merchants. And trends in cyberattacks by state-sponsored actors. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/22 Selected reading. Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover (Dark Reading) Phishing Resistance – Protecting the Keys to Your Kingdom (NIST) OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK (Proofpoint) HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign (Aquasec) Another UAC-0010 Story (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine) Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware (The Record from Recorded Future News) City of London traders hit by Russia-linked cyber attack (The Telegraph) ChristianaCare recovers from cyberattack, restores website service (6abc Philadelphia) Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report (CSO Online) Microsoft Digital Defense Report 2022 (Microsoft Security)
My podcast with the brilliant Marc Andreessen is out!
We discuss:
* how AI will revolutionize software
* whether NFTs are useless, & whether he should be funding flying cars instead
* a16z's biggest vulnerabilities
* the future of fusion, education, Twitter, venture, managerialism, & big tech
Dwarkesh Patel has a great interview with Marc Andreessen. This one is full of great riffs: the idea that VC exists to restore pockets of bourgeois capitalism in a mostly managerial capitalist system, what makes the difference between good startup founders and good mature company executives, how valuation works at the earliest stages, and more. Dwarkesh tends to ask the questions other interviewers don't. Byrne Hobart, The Diff
Watch on YouTube. Listen on Apple Podcasts, Spotify, or any other podcast platform. Read the full transcript here. Follow me on Twitter for updates on future episodes.
Similar episodes
You may also enjoy my interview of Tyler Cowen about the pessimism of sex and identifying talent, Byrne Hobart about FTX and how drugs have shaped financial markets, and Bethany McLean about the astonishing similarities between FTX and the Enron story (which she broke).
Side note: Paying the bills
To help pay the bills for my podcast, I'm turning on paid subscriptions on Substack. No major content will be paywalled - please don't donate if you have to think twice before buying a cup of coffee. But if you have the means & have enjoyed my podcast, I would appreciate your support
The Cognitive Crucible is a forum that presents different perspectives and emerging thought leadership related to the information environment. The opinions expressed by guests are their own, and do not necessarily reflect the views of or endorsement by the Information Professionals Association. During this episode, US Army MAJ Joe Littell discusses his recent article: the Future of Cyber-Enabled Influence Operations, including emergent technologies, disinformation, and implications for democracy. Joe also presents some of the things we can do to protect ourselves. Research Question: How did China use social media to control the COVID narrative within China? How was Chinese state media messaging oriented, both in frequency and content, prior to their invasion of COVID19 Lockdown Protests? Was Chinese messaging uniform, both in frequency and content, across languages and regions, or was it tailored by either? Did Chinese messaging change, either in frequency or content, in response to increased publicity from Western outlets?
Resources:
Cognitive Crucible Podcast Episodes Mentioned
#41 Toomas Ilves on the Estonian Perspective
#86 Nick Starck and David Bierbrauer on Vulnerabilities in the Military Use of AI
#129 Eliot Jardines on Open Source Intelligence
Littell, Joseph, "The Future of Cyber-Enabled Influence Operations: Emergent Technologies, Disinformation, and the Destruction of Democracy" (2022). ACI Books & Book Chapters.
Link to full show notes and resources: https://information-professionals.org/episode/cognitive-crucible-episode-133
Guest Bio: Joe Littell enlisted in the Army in 2003 as an infantryman and attained the rank of Sergeant before commissioning in 2010. Upon commission, Major Littell served as a Platoon Leader, Company Executive Officer, and Battalion Logistics Officer while assigned to the 83rd Chemical Battalion. As a 1LT, MAJ Littell applied for, assessed, and completed the Psychological Operations Qualification Course and served within the ARSOF community as a Tactical Detachment Commander and Company Commander with 9th PSYOP Battalion (Airborne). MAJ Littell currently serves as a research scientist at the Army Cyber Institute at West Point on the Information Warfare team working on computational propaganda, narrative warfare, radicalization, and microtargeting through publicly and commercially available data. He holds a BS in Computer Science from the University of South Florida and an MS in Data Science from Duke University.
About: The Information Professionals Association (IPA) is a non-profit organization dedicated to exploring the role of information activities, such as influence and cognitive security, within the national security sector and helping to bridge the divide between operations and research. Its goal is to increase interdisciplinary collaboration between scholars, practitioners and policymakers with an interest in this domain. For more information, please contact us at communications@information-professionals.org. Or, connect directly with The Cognitive Crucible podcast host, John Bicknell, on LinkedIn.
Disclosure: As an Amazon Associate, 1) IPA earns from qualifying purchases, 2) IPA gets commissions for purchases made through links in this post.
Roya Gordon from Nozomi Networks sits down with Dave to discuss their research on "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security." Researchers at Nozomi Networks have revealed that there are thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X. The research states "By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host." The discussion also covers what patches could be coming in the future to help fix these vulnerabilities. The research can be found here: Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1
Thomas Pace, CEO and Co-Founder of NetRise, discusses the biggest firmware vulnerabilities and how to fix them before they become a problem. He breaks down how firmware analysis is done, what a software bill of materials (SBOM) is, and additional challenges surrounding the space. Thomas is currently the co-founder and CEO of NetRise, a cybersecurity company focused on providing visibility into devices to identify vulnerabilities and risks via firmware analysis. Before NetRise, Thomas served as the Global Vice President of Enterprise Solutions at Cylance. His responsibilities ranged from conducting incident response investigations to product marketing, public speaking, and analyst relations. Thomas was also responsible for ICS security at the DOE for three years and served in the United States Marine Corps, serving in both Iraq and Afghanistan. Thomas has spoken at Black Hat, DEFCON, RSA, and was interviewed on 60 Minutes and Last Week Tonight with John Oliver for his efforts related to ransomware. NetRise provides visibility and risk identification to a class of devices (IoT, ICS, MedDev, telecommunications equipment) that historically have had no visibility, with the intention of providing clear recommendations to remediate these risks efficiently.
On today's Network Break podcast we cover a raft of Juniper vulnerabilities, whether Cisco should patch serious vulnerabilities in end-of-life products, a big T-Mobile breach, Avaya dealing with significant debt, sweeping rounds of layoffs, and more IT news. The post Network Break 414: 230 Juniper Vulnerabilities, Should Cisco Patch An EOL Router, T-Mobile Takes Weeks To Spot Breach appeared first on Packet Pushers.
A hostile takeover of the Solaris contraband market. Ukraine warns that Russian cyberattacks continue. An overview of 2H 2022 ICS vulnerabilities. Codespaces accounts can act as malware servers. Blank-image attacks. Campaigns leveraging HR policy themes. Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest, Gerry Gebel from Strata Identity, describes a new open source standard that aims to unify cloud identity platforms. And travel-themed phishing increases. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/12 Selected reading. Friday the 13th on the Dark Web: $150 Million Russian Drug Market Solaris Hacked by Rival Market Kraken (Elliptic Connect) Russia-linked drug marketplace Solaris hacked by its rival (The Record from Recorded Future News) Cyber-attacks have tripled in past year, says Ukraine's cybersecurity agency (the Guardian) Ukraine: Russians Aim to Destroy Information Infrastructure (Gov Info Security) Ukraine says Russia is coordinating missile strikes, cyberattacks and information operations (The Record by Recorded Future) ICS Vulnerabilities and CVEs: Second Half of 2022 (SynSaber) Abusing a GitHub Codespaces Feature For Malware Delivery (Trend Micro) The Blank Image Attack (Avanan) Phishing Attacks Pose as Updated 2023 HR Policy Announcements (Abnormal Security) Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns (Bitdefender)
Facebook has been ordered to pay a fine of $414m by EU regulators who ruled that the company had broken EU law by forcing users to accept personalized ads. The ruling could have a major impact on Facebook's advertising business in the EU, which is one of the company's largest markets, if it is required […] The post Meta's EU Ad Practices Ruled Illegal, Twitter API Data Breach, Vulnerabilities in Major Car Brands appeared first on The Shared Security Show.
About TimTim Gonda is a Cloud Security professional who has spent the last eight years securing and building Cloud workloads for commercial, non-profit, government, and national defense organizations. Tim currently serves as the Technical Director of Cloud at Praetorian, influencing the direction of its offensive-security-focused Cloud Security practice and the Cloud features of Praetorian's flagship product, Chariot. He considers himself lucky to have the privilege of working with the talented cyber operators at Praetorian and considers it the highlight of his career.Tim is highly passionate about helping organizations fix Cloud Security problems, as they are found, the first time, and most importantly, the People/Process/Technology challenges that cause them in the first place. In his spare time, he embarks on adventures with his wife and ensures that their two feline bundles of joy have the best playtime and dining experiences possible.Links Referenced: Praetorian: https://www.praetorian.com/ LinkedIn: https://www.linkedin.com/in/timgondajr/ Praetorian Blog: https://www.praetorian.com/blog/ TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at Thinkst Canary. Most Companies find out way too late that they've been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching 'em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents. 
Check out what people are saying at canary.love today!

Corey: Kentik provides Cloud and NetOps teams with complete visibility into hybrid and multi-cloud networks. Ensure an amazing customer experience, reduce cloud and network costs, and optimize performance at scale — from internet to data center to container to cloud. Learn how you can get control of complex cloud networks at www.kentik.com, and see why companies like Zoom, Twitch, New Relic, Box, eBay, Viasat, GoDaddy, booking.com, and many, many more choose Kentik as their network observability platform.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Every once in a while, I like to branch out into new and exciting territory that I've never visited before. But today, no, I'd much rather go back to complaining about cloud security, something that I tend to do an awful lot about. Here to do it with me is Tim Gonda, Technical Director of Cloud at Praetorian. Tim, thank you for joining me on this sojourn down what feels like an increasingly well-worn path.

Tim: Thank you, Corey, for having me today.

Corey: So, you are the Technical Director of Cloud, which I'm sort of short-handing to okay, everything that happens on the computer is henceforth going to be your fault. How accurate is that in the grand scheme of things?

Tim: It's not too far off. But we like to call it Praetorian for nebula. The nebula meaning that it's Schrödinger's problem: it both is and is not the problem. Here's why. We have a couple key focuses at Praetorian, some of them focusing on more traditional pen testing, where we're looking at hardware, hit System A, hit System B, branch out, get to goal.

On the other side, we have hitting web applications and [unintelligible 00:01:40]. This insecure app leads to this XYZ vulnerability, or this medical appliance is insecure and therefore we're able to do XYZ item.
One of the things that frequently comes up is that more and more organizations are no longer putting their applications or infrastructure on-prem anymore, so therefore, some part of the assessment ends up being in the cloud. And that is the unique rub that I'm in. And that I'm responsible for leading the direction of the cloud security focus group, who may not dive into a specific specialty that some of these other teams might dig into, but may have similar responsibilities or similar engagement style.

And in this case, if we discover something in the cloud as an issue, or even in your own organization where you have a cloud security team, you'll have a web application security team, you'll have your core information security team that defends your environment in many different methods, many different means, you'll frequently find that the cloud security team is the hot button for hey, the server was misconfigured at one certain level, however the cloud security team didn't quite know that this web application was vulnerable. We did know that it was exposed to the internet but we can't necessarily turn off all web applications from the internet because that would no longer serve the purpose of a web application. And we also may not know that a particular underlying host's patch is out of date. Because technically, that would be siloed off into another problem.

So, what ends up happening is that on almost every single incident that involves a cloud infrastructure item, you might find that cloud security will be right there alongside the incident responders. And yep, this [unintelligible 00:03:20] is here, it's exposed to the internet via here, and it might have the following application on it. And they get cross-exposure with other teams that say, “Hey, your web application is vulnerable.
We didn't quite inform the cloud security team about it, otherwise this wouldn't be allowed to go to the public internet,” or on the infrastructure side, “Yeah, we didn't know that there was a patch underneath it, we figured that we would let the team handle it at a later date, and therefore this is also vulnerable.” And what ends up happening sometimes, is that the cloud security team might be the onus or might be the hot button in the room of saying, “Hey, it's broken. This is now your problem. Please fix it with changing cloud configurations or directing a team to make this change on our behalf.”

So, in essence, sometimes cloud becomes—it both is and is not your problem when a system is either vulnerable or exposed or at some point, worst case scenario, ends up being breached and you're performing incident response. That's one of the cases why it's important to know—or important to involve others in the cloud security problem, or to be very specific about what the role of a cloud security team is, or where cloud security has to have certain boundaries or has to involve certain extra parties have to be involved in the process. Or when it does its own threat modeling process, say that, okay, we have to take a look at certain cloud findings or findings that's within our security realm and say that these misconfigurations or these items, we have to treat the underlying components as if they are vulnerable, whether or not they are and we have to report on them as if they are vulnerable, even if it means that a certain component of the infrastructure has to already be assumed to either have a vulnerability, have some sort of misconfiguration that allows an outside attacker to execute attacks against whatever the [unintelligible 00:05:06] is.
And we have to treat and respond our security posture accordingly.

Corey: One of the problems that I keep running into, and I swear it's not intentional, but people would be forgiven for understanding or believing otherwise, is that I will periodically inadvertently point out security problems via Twitter. And that was never my intention because, “Huh, that's funny, this thing isn't working the way that I would expect that it would,” or, “I'm seeing something weird in the logs in my test account. What is that?” And, “Oh, you found a security vulnerability or something akin to one in our environment. Oops. Next time, just reach out to us directly at the security contact form.” That's great. If I'd known I was stumbling blindly into a security approach, but it feels like the discovery of these things is not heralded by an, “Aha, I found it.” But, “Huh, that's funny.”

Tim: Of course. Absolutely. And that's where some of the best vulnerabilities come where you accidentally stumble on something that says, “Wait, does this work how—what I think it is?” Click click. Like, “Oh, boy, it does.”

Now, I will admit that certain cloud providers are really great with proactive security reach-outs. If you either just file a ticket or file some other form of notification, just even flag your account rep and say, “Hey, when I was working on this particular cloud environment, the following occurred. Does this work the way I think it is? Is this a problem?” And they usually get back to you with reporting it to their internal team, so on and so forth.
But let's say applications are open-source frameworks or even just organizations at large where you might have stumbled upon something, the best thing to do was either look up, do they have a public bug bounty program, do they have a security contact or form reach out that you can email them, or do you know someone at the organization that you just send a quick email saying, “Hey, I found this.”

And through some combination of those is usually the best way to go. And to be able to provide context of the organization being, “Hey, the following exists.” And the most important things to consider when you're sending this sort of information is that they get these sorts of emails almost daily.

Corey: One of my favorite genres of tweet is when Tavis Ormandy and Google's Project Zero winds up doing a tweet like, “Hey, do I know anyone over at the security apparatus at insert company here?” It's like, “All right. I'm sure people are shorting stocks now [laugh], based upon whatever he winds up doing that.”

Tim: Of course.

Corey: It's kind of fun to watch. But there's no cohesive way of getting in touch with companies on these things because as soon as you'd have something like that, it feels like it's subject to abuse, where Comcast hasn't fixed my internet for three days, now I'm going to email their security contact, instead of going through the normal preferred process of wait in the customer queue so they can ignore you.

Tim: Of course. And that's something else you want to consider. If you broadcast that a security vulnerability exists without letting the entity or company know, you're also almost causing a green light, where other security researchers are going to go dive in on this and see, like, one, does this work how you described. But that actually is a positive thing at some point, where either you're unable to get the company's attention, or maybe it's an open-source organization, or maybe you're not being fully sure that something is the case.
However, when you do submit something to the customer and you want it to take it seriously, here's a couple of key things that you should consider.

One, provide evidence that whatever you're talking about has actually occurred; two, provide repeatable steps that, in layman's terms, even an IT support person can attempt to follow in your process, so that they can repeat the same vulnerability or repeat the same security condition; and three, most importantly, detail why this matters. Is this something where I can adjust a user's password? Is this something where I can extract data? Is this something where I'm able to extract content from your website I otherwise shouldn't be able to? And that's important for the following reason.

You need to inform the business what is the financial value of why leaving this unpatched becomes an issue for them. And if you do that, that's how those security vulnerabilities get prioritized. It's not necessarily because the coolest vulnerability exists, it's because it costs the company money, and therefore the security team is going to immediately jump on it and try to contain it before it costs them any more.

Corey: One of my least favorite genres of security report are the ones that I get where I found a vulnerability. It's like, that's interesting. I wasn't aware that I ran any public-facing services, but all right, I'm game; what have you got? And it's usually something along the lines of, “You haven't enabled SPF to hard fail an email that doesn't wind up originating explicitly from this list of IP addresses. Bug bounty, please.” And it's, “No genius. That is very much an intentional choice. Thank you for playing.”

It comes down to also an idea of whenever I have reported security vulnerabilities in the past, the pattern I always take is, “I'm seeing something that I don't fully understand.
I suspect this might have security implications, but I'm also more than willing to be proven wrong.” Because showing up with, “You folks are idiots and have a security problem,” is a terrific invitation to be proven wrong and look like an idiot. Because the first time you get that wrong, no one will take you seriously again.

Tim: Of course. And as you'll find that most bug bounty programs are, if you participate in those, the first couple that you might have submitted, the customer might even tell you, “Yeah, we're aware that that vulnerability exists, however, we don't view it as a core issue and it cannot affect the functionality of our site in any meaningful way, therefore we're electing to ignore it.” Fair.

Corey: Very fair. But then when people write up about those things, well, they've decided this is not an issue, so I'm going to do a write-up on it. Like, “You can't do that. The NDA doesn't let you expose that.” “Really? Because you just said it's a non-issue. Which is it?”

Tim: And the key to that, I guess, would also be that is there an underlying technology that doesn't necessarily have to be attributed to said organization? Can you also say that, if I provide a write-up or if I put up my own personal blog post—let's say, we go back to some of the OpenSSL vulnerabilities including OpenSSL 3.0, that came out not too long ago, but since that's an open-source project, it's fair game—let's just say that if there was a technology such as that, or maybe there's a wrapper around it that another organization could be using or could be implementing a certain way, you don't necessarily have to call the company up by name, or rather just say, here's the core technology reason, and here's the core technology risk, and here's the way I've demoed exploiting this.
And if you publish an open-source blog like that and then you tweet about that, you can actually gain security support around such issue and then fight for the research.

An example would be that I know a couple of pen testers who have reported things in the past, and while the first time they reported it, the company was like, “Yeah, we'll fix it eventually.” But later, when another researcher reported this exact same finding, the company is like, “We should probably take this seriously and jump on it.” Sometimes it's just getting in front of that and providing frequency or providing enough people around to say that, “Hey, this really is an issue in the security community and we should probably fix this item,” and keep pushing other organizations on it. A lot of times, they just need additional feedback. Because as you said, somebody runs an automated scanner against your email and says that, “Oh, you're not checking SPF as strictly as the scanner would have liked because it's a benchmarking tool.” It's not necessarily a security vulnerability rather than it's just how you've chosen to configure something and if it works for you, it works for you.

Corey: How does cloud change this? Because a lot of what we talked about so far could apply to anything. Go back in time to 1995 and a lot of what we're talking about mostly holds true. It feels like cloud acts as a significant level of complexity on top of all of this. How do you view the differentiation there?

Tim: So, I think it differentiated two things. One, certain services or certain vulnerability classes that are handled by the shared service model—for the most part—are probably secured better than you might be able to do yourself. Just because there's a lot of research, the team is [experimented 00:13:03] a lot of time on this.
An example is if there's a particular, like, spoofing or network interception vulnerability that you might see on a local LAN network, you probably are not going to have the same level access to be able to execute that on a virtual private cloud or VNet, or some other virtual network within cloud environment. Now, something that does change with the paradigm of cloud is the fact that if you accidentally publicly expose something or something that you've created expo—or don't set a setting to be private or only specific to your resources, there is a couple of things that could happen. The vulnerability's exploitability based on where increases to something that used to be just, “Hey, I left a port open on my own network. Somebody from HR or somebody from IT could possibly interact with it.”

However, in the cloud, you've now set this up to the entire world with people that might have resources or motivations to go after this product, and using services like Shodan—which are continually mapping the internet for open resources—and they can quickly grab that, say, “Okay, I'm going to attack these targets today,” might continue to poke a little bit further, maybe an internal person that might be bored at work or a pen tester just on one specific engagement.
Especially in the case of let's say, what you're working on has sparked the interest of a nation-state and they want to dig into a little bit further, they have the resources to be able to dedicate time, people, and maybe tools and tactics against whatever this vulnerability that you've given previously the example of—maybe there's a specific ID and a URL that just needs to be guessed right to give them access to something—they might spend the time trying to brute force that URL, brute force that value, and eventually try to go after what you have.

The main paradigm shift here is that there are certain things that we might consider less of a priority because the cloud has already taken care of them with the shared service model, and rightfully so, and there's other times that we have to take heightened awareness on is, one, we either expose something to the entire internet or all cloud accounts within creations. And that's actually something that we see commonly. In fact, one thing I would like to say we see very common is, all AWS users, regardless if it's in your account or somewhere else, might have access to your SNS topic or SQS Queue. Which doesn't seem like that big of vulnerability, but I changed the messages, I delete messages, I viewed your messages, but rather what's connected to those? Let's talk database Lambda functions where I've got source code that a developer has written to handle that source code and may not have built in logic to handle—maybe there was a piece of code that could be abused as part of this message that might allow an attacker to send something to your Lambda function and then execute something on that attacker's behalf.

You weren't aware of it, you weren't thinking about it, and now you've exposed it to almost the entire internet.
And since anyone can go sign up for an AWS account—or Azure or GCP account—and then they're able to start poking at that same piece of code that you might have developed thinking, “Well, this is just for internal use. It's not a big deal. That one static code analysis tool isn't probably too relevant.” Now, it becomes hyper-relevant and something you have to consider with a little more attention and dedicated time to making sure that these things that you've written or deploying, are in fact, safe because misconfigured or mis-exposed, and suddenly the entire world starts knocking at it, and increases the risk of, it may really well be a problem. The severity of that issue could increase dramatically.

Corey: As you take a look across, let's call it the hyperscale clouds, the big three—which presumably I don't need to define out—how do you wind up ranking them in terms of security from top to bottom? I have my own rankings that I like to dole out and basically, this is the, let's offend someone at every one of these companies, no matter how we wind up playing it. Because I will argue with you just on principle on them. How do you view them stacking up against each other?

Tim: So, an interesting view on that is based on who's been around longest and who has encountered the most technical debt. A lot of these security vulnerabilities or security concerns may have had to deal with a decision made long ago that might have made sense at the time and now the company has kind of stuck with that particular technology or decision or framework, and are now having to build or apply security Band-Aids to that process until it gets resolved.
I would say, ironically, AWS is actually at the top of having that technical debt, and actually has so many different types of access policies that are very complex to configure and not very user intuitive unless you speak intuitively JSON or YAML or some other markdown language, to be able to tell you whether or not something was actually set up correctly. Now, there are a lot of security experts who make their money based on knowing how to configure or be able to assess whether or not these are actually the issue. I would actually bring them as, by default, by design, between the big three, they're actually on the lower end of certain—based on complexity and easy-to-configure-wise.

The next one that would also go into that pile, I would say is probably Microsoft Azure, who [sigh] admittedly, decided to say that, “Okay, let's take something that was very complicated and everyone really loved to use as an identity provider, Active Directory, and try to use that as a model for.” Even though they made it extensively different. It is not the same as on-prem directory, but use that as the framework for how people wanted to configure their identity provider for a new cloud provider. The one that actually I would say, comes out on top, just based on use and based on complexity might be Google Cloud. They came to a lot of these security features first.

They're acquiring new companies on a regular basis with the acquisition of Mandiant, the creation of their own security tooling, their own unique security approaches. In fact, they probably wrote the book on Kubernetes Security. Would be on top, I guess, from usability, such as saying that I don't want to have to manage all these different types of policies. Here are some buttons I would like to flip and I'd like my resources, for the most part by default, to be configured correctly.
And Google does a pretty good job of that.

Also, one of the things they do really well is entity-based role assumption, which inside of AWS, you can provide access keys by default or I have to provide a role ID after—or in Azure, I'm going to say, “Here's a [unintelligible 00:19:34] policy for something specific that I want to grant access to a specific resource.” Google does a pretty good job of saying that okay, everything is treated as an email address. This email address can be associated in a couple of different ways. It can be given the following permissions, it can have access to the following things, but for example, if I want to remove access to something, I just take that email address off of whatever access policy I had somewhere, and then it's taken care of. But they do have some other items such as their design of least privilege is something to be expected when you consider their hierarchy.

I'm not going to say that they're not without fault in that area—in case—until they had something more recently, as far as finding certain key pieces of, like say, tags or something within a specific sub-project or in our hierarchy, there were cases where you might have granted access at a higher level and that same level of access came all the way down. And where least privilege is required to be enforced, otherwise, you break their security model. So, I like them for how simple it is to set up security at times, however, they've also made it unnecessarily complex at other times so they don't have the flexibility that the other cloud service providers have.
On the flip side of that, the level of flexibility also leads to complexity at times, which I also view as a problem where customers think they've done something correctly based on their best knowledge, the best of documentation, the best Medium articles they've been researching, and what they have done is they've inadvertently made assumptions that led to core anti-patterns, like, [unintelligible 00:21:06] what they've deployed.

Corey: This episode is sponsored in part by our friends at Uptycs, because they believe that many of you are looking to bolster your security posture with CNAPP and XDR solutions. They offer both cloud and endpoint security in a single UI and data model. Listeners can get Uptycs for up to 1,000 assets through the end of 2023 (that is next year) for $1. But this offer is only available for a limited time on UptycsSecretMenu.com. That's U-P-T-Y-C-S Secret Menu dot com.

Corey: I think you're onto something here, specifically in—well, when I've been asked historically and personally to rank security, I have viewed Google Cloud as number one, and AWS is number two. And my reasoning behind that has been from an absolute security of their platform and a pure, let's call it math perspective, it really comes down to which of the two of them had what for breakfast on any given day there, they're so close on there. But in a project that I spin up in Google Cloud, everything inside of it can talk to each other by default and I can scope that down relatively easily, whereas over in AWS land, by default, nothing can talk to anything. And that means that every permission needs to be explicitly granted, which in an absolutist sense and in a vacuum, yeah, that makes sense, but here in reality, people don't do that. We've seen a number of AWS blog posts over the last 15 years—they don't do this anymore—but it started off with, “Oh, yeah, we're just going to grant [* on * 00:22:04] for the purposes of this demo.”

“Well, that's horrible.
Why would you do that?” “Well, if we wanted to specify the IAM policy, it would take up the first third of the blog post.” How about that? Because customers go through that exact same thing. I'm trying to build something and ship.

I mean, the biggest lie in any environment or any codebase ever, is the comment that starts with, “TODO.” Yeah, that is load-bearing. You will retire with that TODO still exactly where it is. You have to make doing things the right way at least the least frictionful path because no one is ever going to come back and fix this after the fact. It's never going to happen, as much as we wish that it did.

Tim: At least until after the week of the breach when it was highlighted by the security team to say that, “Hey, this was the core issue.” Then it will be fixed in short order. Usually. Or a Band-Aid is applied to say that this can no longer be exploited in this specific way again.

Corey: My personal favorite thing that, like, I wouldn't say it's a lie. But the favorite thing that I see in all of these announcements right after the, “Your security is very important to us,” right after it very clearly has not been sufficiently important to them, and they say, “We show no signs of this data being accessed.” Well, that can mean a couple different things. It can mean, “We have looked through the audit logs for a service going back to its launch and have verified that nothing has ever done this except the security researcher who found it.” Great. Or it can mean, “What even are logs, exactly? We're just going to close our eyes and assume things are great.” No, no.

Tim: So, one thing to consider there is in that communication, that entire communication has probably been vetted by the legal department to make sure that the company is not opening itself up for liability.
I can say from personal experience, when that usually has occurred, unless it can be proven that breach was attributable to your user specifically, the default response is, “We have determined that the security response of XYZ item or XYZ organization has determined that your data was not at risk at any point during this incident.” Which might be true—and we're quoting Star Wars on this one—from a certain point of view. And unfortunately, in the case of a post-breach, their security, at least from a regulation standpoint where they might be facing a really large fine, is absolutely probably their top priority at this very moment, but has not come to surface because, for most organizations, until this becomes something that is a financial reason to where they have to act, where their reputation is on the line, they're not necessarily incentivized to fix it. They're incentivized to push more products, push more features, keep the clients happy.

And a lot of the time going back and saying, “Hey, we have this piece of technical debt,” it doesn't really excite our user base or doesn't really help us gain a competitive edge in the market is considered an afterthought until the crisis occurs and the information security team rejoices because this is the time they actually get to see their stuff fixed, even though it might be a super painful time for them in the short run because they get to see these things fixed, they get to see it put to bed. And if there's ever a happy medium, where, hey, maybe there was a legacy feature that wasn't being very well taken care of, or maybe this feature was also causing the security team a lot of pain, we get to see both that feature, that item, that service, get better, as well as security teams not have to be woken up on a regular basis because XYZ incident happened, XYZ item keeps coming up in a vulnerability scan. If it finally is put to bed, we consider that a win for all.
And one thing to consider in security as well as kind of, like, we talk about the relationship between the developers and security and/or product managers and security is if we can make it a win, win, win situation for all, that's the happy path that we really want to be getting to. If there's a way that we can make sure that experience is better for customers, the security team doesn't have to be broken up on a regular basis because an incident happened, and the developers receive less friction when they want to go implement something, you find that that secure feature, function, whatever tends to be the happy path forward and the path of least resistance for everyone around it. And those are sometimes the happiest stories that can come out of some of these incidents.

Corey: It's weird to think of there being any happy stories coming out of these things, but it's definitely one of those areas that there are learnings there to be had if we're willing to examine them. The biggest problem I see so often is that so many companies just try and hide these things. They give the minimum possible amount of information so the rest of us can't learn by it. Honestly, some of the moments where I've gained the most respect for the technical prowess of some of these cloud providers has been after there's been a security issue and they have disclosed either their response or why it was a non-issue because they took a defense-in-depth approach. It's really one of those transformative moments that I think is an opportunity if companies are bold enough to chase them down.

Tim: Absolutely. And in a similar vein, when we think of certain cloud providers outages and we're exposed, like, the major core flaw of their design, and if it kept happening—and again, these outages could be similar and analogous to an incident or a security flaw, meaning that it affected us. It was something that actually happened.
In the case of let's say, the S3 outage of, I don't know, it was like 2017, 2018, where it turns out that there was a core DNS system that inside of us-east-1, which is actually very close to where I live, apparently was the core crux of, for whatever reason, the system malfunctioned and caused a major outage. Outside of that, in this specific example, they had to look at ways of how do we not have a single point of failure, even if it is a very robust system, to make sure this doesn't happen again.

And there was a lot of learnings to be had, a lot of in-depth investigation that happened, probably a lot of development, a lot of research, and sometimes on the outside of an incident, you really get to understand why a system was built a certain way or why a condition exists in the first place. And it sometimes can be fascinating to kind of dig into that deeper and really understand what the core problem is. And now that we know what's an issue, we can actually really work to address it. And sometimes that's actually one of the best parts about working at Praetorian in some cases is that a lot of the items we find, we get to find them early before it becomes one of these issues, but the most important thing is we get to learn so much about, like, why a particular issue is such a big problem. And you have to really solve the core business problem, or maybe even help inform, “Hey, this is an issue for it like this.”

However, this isn't necessarily all bad in that if you make these adjustments of these items, you get to retain this really cool feature, this really cool thing that you built, but also, you have to say like, here's some extra, added benefits to the customers that you weren't really there. And—such as the old adage of, “It's not a bug, it's a feature,” sometimes it's exactly what you pointed out. It's not necessarily all bad in an incident. It's also a learning experience.

Corey: Ideally, we can all learn from these things.
I want to thank you for being so generous with your time and talking about how you view this increasingly complicated emerging space. If people want to learn more, where's the best place to find you?

Tim: You can find me on LinkedIn, which will be included in this podcast description. You can also go look at articles that the team is putting together at praetorian.com. Unfortunately, I'm not very big on Twitter.

Corey: Oh, well, you must be so happy. My God, what a better decision you're making than the rest of us.

Tim: Well, I like to, like, run a little bit under the radar, except on opportunities like this where I can talk about something I'm truly passionate about. But I try not to pollute the airwaves too much, but LinkedIn is a great place to find me. Praetorian blog for stuff the team is building. And if anyone wants to reach out, feel free to hit the contact page up in praetorian.com. That's one of the best places to get my attention.

Corey: And we will, of course, put links to that in the [show notes 00:30:19]. Thank you so much for your time. I appreciate it. Tim Gonda, Technical Director of Cloud at Praetorian. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how no one disagrees with you based upon a careful examination of your logs.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.
In this episode of CHATTIN CYBER, Marc Schein interviews Sherri Davidoff and Michael Kleinman about the rise in ransomware attacks and the legal and operational ways to confront them. Sherri Davidoff is the CEO of LMG Security and the author of three books, including "Ransomware and Cyber Extortion" and "Data Breaches: Crisis and Opportunity." Michael Kleinman is Special Counsel in the Data Strategy, Security, and Privacy Practice at Fried, Frank, Harris, Shriver & Jacobson LLP.

The Russian-Ukrainian war has given us an open window into ransomware gang operations, thanks to some gangs facing internal discord. The Conti ransomware gang, for example, became known for posting a pro-Russia statement, after which a gang affiliate stole its internal information and leaked it online. If sources are to be believed, the Conti ransomware gang has made at least $2.7 billion in Bitcoin over the past three years, a number drastically higher than any previously seen. One result of the explosive growth of such gangs is that law enforcement is getting better at following the money and arresting cybercriminals. The fight gets tougher, however, as criminals move to more privacy-oriented cryptocurrencies. With the current geopolitical situation between Russia and Ukraine, cyber attacks are focused on more than economic gain, as our guests explain, and vulnerabilities in and attacks on critical infrastructure are predicted to rise.

An interesting point to note is the OFAC advisory on ransomware from September 2021, which addresses the sanctions risk facing organizations that are considering a ransomware payment and sets out the mitigating factors that can help them avoid a sanctions violation and the reputational and financial damage that comes with it. The advisory treats it as a mitigating factor if you have implemented cybersecurity practices, including those highlighted by CISA, such as maintaining offline backups, an incident response plan, cyber training, and authentication controls, and if you cooperate with law enforcement during and after an attack. You might never get a full sign-off, but these steps would certainly help your company's standing significantly. The FTC is also watching: you need to keep a lookout for vulnerabilities and repair or remediate them, or you will land in hot water.

The Ukraine-Russia war has also seen the introduction of new kinds of malware, such as wipers disguised as ransomware, that destroy all of the data on a system. Malware of this kind has previously been distributed through compromised software vendors, such as a tax software update. Though Ukraine is on the receiving end of these attacks at the moment, the fear is that they could extend to more countries. In situations like this, which jeopardize our collective cyber health, early detection is critical, as is a coordinated, industry-wide response to limit the damage. As attackers get better at sneaking in and damaging our systems, our defensive posture also needs to move from reactive to proactive, and prevention methodologies must go hand-in-hand with government regulation. For more on this, listen to this episode!

Please note that this podcast was recorded on February 25, 2022, prior to the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

Highlights:

"One of the points from the White House is to bolster resilience to withstand ransomware attacks. And for the past two decades, we've seen almost a reticence to push our businesses and organizations too much. Because we recognize cybersecurity as a cost."

"The new banking law was designed not to be overly burdensome to banks, but to give regulators an early heads up about issues. And that is super important, especially if you're concerned about large scale operational impact on our financial sector."

"Now is the time to deploy proactive measures, things like multi-factor authentication, endpoint detection and response, security training, we have to figure out what is blocking organizations and just jump over those h...
For India, the growing ubiquity of China-dependent IoT and smart technologies holds ramifications in both critical infrastructure and military domains.
In this episode of the Security Ledger Podcast, Paul speaks with Jill Moné-Corallo, the Director of Product Security Engineering Response at GitHub. Jill talks about her journey from a college stint working at Apple's Genius Bar to the information security space, first in product security at Apple and now at GitHub, a massive development platform that is increasingly in the crosshairs of sophisticated cyber criminals and nation-state actors. The post Episode 248: GitHub's Jill Moné-Corallo on Product Security And Supply Chain Threats appeared first on The Security Ledger with Paul F. Roberts.

Related Stories:
Episode 243: The CSTO is a thing: a conversation with Chris Hoff of LastPass
Episode 241: If It's Smart, It's Vulnerable: a Conversation with Mikko Hyppönen
Friday marks the second anniversary of the January 6 attack on the U.S. Capitol. Steven Sund was the chief of the Capitol Police that day and he described the events as "the worst mass attack on law enforcement" in his nearly 30-year-long career. Sund joined Geoff Bennett to discuss his new book on the attack, "Courage Under Fire." PBS NewsHour is supported by - https://www.pbs.org/newshour/about/funders
Dr. May Wang, CTO of IoT Security at Palo Alto Networks, joins Dave Bittner to discuss the findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 set out to better understand how well hospitals and other healthcare providers are doing at securing smart infusion pumps, the network-connected devices that deliver medications and fluids to patients. The topic is of critical concern because security lapses in these devices can put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four of the infusion pumps it reviewed highlights the need for the healthcare industry to redouble its efforts to protect against known vulnerabilities while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization
Why we won't see a new Raspberry Pi until 2025, the first steps to Plasma 6 are being taken, and PipeWire gets a major Bluetooth upgrade.
Commercial stalkerware can record everything on a victim's iPhone; yet another Gatekeeper bypass shows that even Lockdown Mode isn't impermeable; and Apple hasn't transitioned all its Macs to its own processors: the Mac Pro still hasn't made the change.

Show Notes:
Microsoft discovers new Gatekeeper bypass; Apple updates past security advisories
Apple also patched a zero-day vulnerability last week (that was previously patched for iOS only)
Xnspy stalkerware spied on thousands of iPhones and Android devices
Microsoft digital certificates have once again been abused to sign malware
Apple Considering Dropping Requirement for iPhone Web Browsers to Use WebKit
Apple Expands Do-It-Yourself Repair Program to Desktop Macs With M1 Chips and Studio Display
It might be time for Apple to throw in the towel on the Mac Pro
Apple Pushing to Launch Search Engine to Rival Google
Safari Search & Privacy
Anker's Eufy deleted these 10 privacy promises instead of answering our questions
Swatters used Ring cameras to livestream attacks, taunt police, prosecutors say
Apple Home security camera and doorbell compatibility

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you're ready to buy.
Links:
Azure's VP of Security Engineering published a post describing their approach to cloud vulnerabilities
Panther deployed YubiKeys internally and blogged about it.
LastPass has (yet again) suffered a breach, and published a no-content advisory that TechCrunch took the time to parse through.
Apparently Wiz decided to poke around a bit into IBM "Cloud" and found a bunch of security issues.
Prepare for consolidated controls view and consolidated control findings in AWS Security Hub
Reported ECR Public Gallery Issue
From the world of tools: osquery turns your operating system into a database
The Cloud Pod recaps all of the positives and negatives of AWS re:Invent 2022, the annual conference in Las Vegas that brings together 50,000 cloud computing professionals. This year's keynote speakers included Adam Selipsky, CEO of Amazon Web Services; Swami Sivasubramanian, Vice President of Data and Machine Learning at AWS; and Werner Vogels, Amazon's CTO. Attendees and web viewers were treated to new features and products, such as AWS Lambda SnapStart for Java functions, new QuickSight capabilities, and quality-of-life improvements to hundreds of services. Justin, Jonathan, Ryan, Peter and special guest Joe Daly from the FinOps Foundation talk about the show and the announcements.

Thank you to our sponsor, Foghorn Consulting, which provides top-notch cloud and DevOps engineers to the world's most innovative companies. Initiatives stalled because you're having trouble hiring? Foghorn can be burning down your DevOps and cloud backlogs as soon as next week.

Episode Highlights
⏰ AWS Pricing Calculator now supports modernization cost estimates for Microsoft workloads.
⏰ AWS re:Invent 2022 announcements and keynote updates.

Top Quote