Breaches, detecting deepfakes, cloning yourself, and cars are a privacy nightmare! – ESW #331
In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and software supply-chain utility kit. We get into CISA's roadmap to help secure open source software, and their offer to run free vulnerability scans for the United States' 150,000+ water utilities.
Then, discussion turns back to some more negative items with Brazil's self-inflicted $11 billion data leak, and the MGM/Caesars ransomware attacks, which seem like they could have a common attacker and initial attack vector (a shared IT support company, perhaps). We also discuss Microsoft's post mortem on the Storm-0558 attack. Kelly Shortridge wants to know, "why are you logging into production hosts", someone is submitting garbage CVEs, and Mozilla finds that privacy policies from auto manufacturers are a privacy TRAIN WRECK.
Finally, we wrap up discussing tools that can detect deepfake audio, as well as the likelihood that this will be the start of a game of leapfrog, as deepfakes get increasingly better over time. And we discuss Delphi's offer to create a 'digital clone' of you that could live on forever, haunting your descendants.
Announcements
Join us at SC Media’s Investing in IAM eSummit September 19th through 20th. This two-day virtual event will provide insights from industry experts with a deep dive into identity and access management. Register now for this free event where you will gain cybersecurity knowledge and receive 6.5 CPE credits just for attending!
Register today: securityweekly.com/IAM
- 1. FUNDING: Rapid7 Announces Upsized Pricing of $260 Million Convertible Senior Notes Offering
Post-IPO debt raise
- 2. FUNDING: Compliance and risk management startup Certa raises $35M
- 3. FUNDING: Hyperproof has reached an exciting milestone: we closed $40 million in growth funding
- 4. FUNDING: AuthMind raises seed funding for its identity SecOps platform
- 5. FUNDING: Morgan Stanley Expands Global Inclusive Ventures Lab with Largest Single Cohort of 23 Companies
Included because Leigh Honeywell's Tall Poppy is among the 23 companies funded! Each cohort company receives $250k.
- 6. FUNDING: Zenity Raises $16.5 Million Series A to Enhance Low-Code/No-Code Security – Intel Capital
- 7. ACQUISITIONS: SafeBase Acquiring Stacksi to Invest in Security Reviews with Zero Friction
- 8. ACQUISITIONS: Check Point to Acquire Atmosec
- 9. ACQUISITIONS: Tenable Increases Focus on Cloud Security With Agreement to Acquire CNAPP Vendor Ermetic
Tenable continues to build out its portfolio!
- 10. ACQUISITIONS: Osirium agrees to takeover by SailPoint Technologies after challenges
They call it a "takeover" though. Desperate times call for desperate measures...
- 11. ACQUISITIONS: Battery Ventures Acquires GrammaTech’s Application Security Testing Software Business, Forming CodeSecure
Is this a divestiture? An acquisition? A spin-out? Whatever it is, it doesn't happen often, but we see something like this every now and then, often when a services org creates a software product and it grows to a point where it makes sense to spin it out.
- 12. BUSINESS FAILURES: Cyber Company IronNet Furloughs Workers, Explores Bankruptcy
The drama has unfolded over the course of several years now, with accusations (and suits filed) by shareholders. Not many companies that went public via SPAC in 2020, 2021, or 2022 are big success stories today. The most obvious reason? They had no business going public in the first place. The S-1 path is still the most likely to result in proper due diligence and public scrutiny (see WeWork).
- 13. NEW TOOLS: What Is Hoppr?
"Hoppr is your software bill-of-materials (SBOM) and secure software supply-chain (S3C) utility kit."
- 14. NEW FEATURES: New Gmail ‘Verify it’s you’ prompt appears when attempting ‘sensitive actions’
- 15. FEDERAL PROGRAMS: CISA releases roadmap to support the open source software ecosystem
"We envision a world in which every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community"
Amen.
Goal 1: Establish CISA's Role in Supporting the Security of OSS
Goal 2: Drive Visibility into OSS Usage and Risks
Goal 3: Reduce Risks to the Federal Government
Goal 4: Harden the OSS Ecosystem
- 16. FEDERAL PROGRAMS: Risky Biz News: CISA to provide free security scans to public water utilities
- 17. TALK: Demystifying LLMs and Threats My Journey – by Caleb Sima
- 18. JOBS: Vendors are Hiring (by Richard Stiennon on LinkedIn)
Richard writes, "We just ingested all the LinkedIn job postings for 3,000+ cybersecurity vendors. There are over 67,000 job openings searchable within the Analyst Dashboard. 5,509 are in sales."
- 19. JOB MOVES: Famed hacker and Twitter whistleblower Peiter ‘Mudge’ Zatko is joining the Biden administration
- 20. BREACHES: Brazil’s government convicted for data leak exposed by The Brazilian Report
Is this possibly the most expensive breach/data leak ever? $3000 each to 3.7m citizens adds up. $11B is bigger than the total estimated damages from NotPetya and WannaCry. For comparison, Target's and Home Depot's estimated costs were < $200m.
- 21. HOT TAKES: “why are you logging into production hosts?”
Shots fired by Kelly Shortridge. The replies are worth a read.
- 22. BREACHES: Caesars Ransomware Breach
Two key statements here:
- "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." ANALYSIS: They paid the ransom. I heard a rumor that they paid around $30 million USD.
- "resulting from a social engineering attack on an outsourced IT support vendor" ANALYSIS: Their MSP got hit. Is it the same MSP that MGM uses? The attack vector tracks (social engineering). Safe to assume that MSP serves more than two major hotel/casinos, so there could be more affected here. Is it possible this IT MSP caters specifically to the hospitality/gambling vertical?
- 23. BREACHES: Adrian’s take on rumors of how MGM got popped
vx-underground reports: "All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation."
Adrian's Take: We've got to stop thinking of breaches as something that only happens at step 1 of the attack. If each individual employee is your first and last line of defense, you're not doing security right.
A proper security program has to assume employees will fall for pretexting, phishing, and other social engineering attacks. We've got to detect attacks at steps 2 - 17+ and have the capability to prevent, detect, and contain threats at these levels also.
Bottom Line: This is a bad take, especially with the insight that this was a managed services vendor. The issues here are much more complex than "train your employees better".
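As an added illustration of the "detect at steps 2+" argument (this is example code written for these notes, not anything from the episode, MGM, Caesars, or any vendor): the help desk resetting a password is step 1, but the follow-on actions an attacker needs (enrolling a new MFA device, signing in from somewhere the user has never been) are visible in identity logs and can be correlated. The event format, field names, IP addresses, user names, and the 30-minute window are all hypothetical, and the sample events are constructed.

```python
"""
Added example: correlate a help-desk-initiated password reset with the
follow-on activity an attacker needs after a successful pretext call.
Event schema, field names, sample data and the window are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity events (not real logs). 'jdoe' looks like the
# scenario in the notes: reset via help desk, then a new MFA device and a
# sign-in from an IP never seen for that account. 'asmith' is a benign reset.
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T14:01:00", "user": "jdoe", "type": "helpdesk_reset", "ip": "10.0.0.5"},
    {"ts": "2023-09-10T14:04:00", "user": "jdoe", "type": "mfa_enroll", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T14:06:00", "user": "jdoe", "type": "login", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T09:00:00", "user": "asmith", "type": "helpdesk_reset", "ip": "10.0.0.5"},
    {"ts": "2023-09-10T09:30:00", "user": "asmith", "type": "login", "ip": "10.0.2.14"},
]

# Hypothetical baseline: IPs each user has been seen from before today.
KNOWN_IPS = {"asmith": {"10.0.2.14"}, "jdoe": {"10.0.3.9"}}


def _events_by_user(events):
    """Parse timestamps and group events per user, oldest first."""
    by_user = defaultdict(list)
    for e in events:
        ev = dict(e)
        ev["ts"] = datetime.fromisoformat(e["ts"])
        by_user[e["user"]].append(ev)
    for evs in by_user.values():
        evs.sort(key=lambda ev: ev["ts"])
    return by_user


def find_suspicious_resets(events, known_ips, window=timedelta(minutes=30)):
    """Return one alert per help-desk reset that is followed, within `window`,
    by an MFA enrollment or by an MFA/login event from an IP not in the user's
    baseline. A reset followed only by a sign-in from a known IP is not flagged."""
    alerts = []
    for user, evs in _events_by_user(events).items():
        baseline = known_ips.get(user, set())
        for i, ev in enumerate(evs):
            if ev["type"] != "helpdesk_reset":
                continue
            reasons = set()
            for follow in evs[i + 1:]:
                if follow["ts"] - ev["ts"] > window:
                    break  # events are sorted, nothing later is in the window
                if follow["type"] == "mfa_enroll":
                    reasons.add("mfa_enroll_after_reset")
                if follow["type"] in ("mfa_enroll", "login") and follow["ip"] not in baseline:
                    reasons.add(f"new_ip:{follow['ip']}")
            if reasons:
                alerts.append({
                    "user": user,
                    "reset_at": ev["ts"].isoformat(),
                    "reasons": sorted(reasons),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

The point is not the specific rule but that none of it depends on the employee or the help desk having refused the call: the reset itself is allowed, and the alert fires on the combination of reset plus new MFA factor plus unfamiliar source, which is what the attacker has to do next.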
- 24. POST MORTEMS: Results of Major Technical Investigations for Storm-0558 Key Acquisition
Not a big fan of these results, as they're entirely focused on Microsoft fixing their internal stuff and ignore the bits that impact all their customers. Namely, the lack of information on how the attackers got in. If Microsoft can't keep attackers out, or even determine how they got in, what chance do the rest of us have?
- 25. POST MORTEMS: DEF CON 31 A Different Uber Post Mortem, by Joe Sullivan
- 26. DUMPSTER FIRES: “It’s time to talk about the ridiculous rash of awful CVEs posted in the last few weeks.”
- 27. PRIVACY: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy
First off, I'm not sure I was aware Mozilla was doing this work. But it's good that they are, because HOLY CRAP are the findings troubling.
- 28. SECURITY DEBT: Risky Biz News: Microsoft to phase out 3rd-party printer drivers for security reasons
This link is to the whole newsletter. I'm including it for the headlining story, but also because you should subscribe to it. Useful stuff.
- 29. INSIGHTS: As a programmer – when was the last time you used stack overflow?
I had no idea there was a shift this hard by developers away from Q&A forums to LLM AI
- 30. AI TRENDS: Welcome to the Artificial Intelligence Incident Database
Simultaneously welcome and disturbing.
- 31. AI TOOLS: Detect Deepfake Audio with Resemble
- 32. ESSAYS: The building blocks of modern enterprise identity
- 33. ESSAYS: The problem with buying too many security tools
- 34. SQUIRREL: You can now make an AI clone of yourself — or anyone else, living or dead — with Delphi
On one hand, everyone wants to leave a legacy behind.
On the other hand, will future generations really want an immortal AI of me making fart jokes for eternity?