Fake IDs threaten ID verification services, PANW hits $100B valuation, and other news – ESW #349
This week, we discussed how a quick (minutes) and cheap ($15 a pop) fake ID service creates VERY convincing IDs that are possibly good enough to fool ID verification services, HR, and a load of other scenarios where it's common to share images of an ID. Kudos to 404Media's work there.
In the security market, we discuss who might be the first cybersecurity unicorn to go public in 2024, Oasis Security and Tenchi's funding rounds, Protect AI's acquisition of Laiyer AI and their FOSS project, LLM Guard. We discussed the seemingly inevitable M&A activity as unfunded security startups NEED to find a sale. Ross Haleliuk had an interesting LinkedIn post that goes deeper on this topic. Finally, we discussed Tyler's observation that Palo Alto Networks did the seemingly impossible - increased their valuation from $19B to over $100B in 5 years, despite having to weather a pandemic and market downturn along the way! Ryan pointed out that PANW joined the S&P 500 somewhere along the way - a watershed moment for them.
We discussed Bluesky and how it's likely too little too late when it comes to building back the community we lost when much of the InfoSec community left Twitter.
We also discussed a cybersecurity training scammer, Daniel Miessler's new Fabric tool, AnyDesk getting hacked, The Real Shim Shady vuln, new (voluntary) cybersecurity goals for healthcare, and the lack of toothbrush-enabled DDoS attacks!
Full show notes here: https://www.scworld.com/podcast-episode/3061-enterprise-security-weekly-349
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Hosts
- 1. FUNDING: Oasis Security leaves stealth with $40M to lock down the wild west of non-human identity management
$40M from a $35M Series A and a $5M Seed round led by Sequoia, Accel, Cyberstarts, Maple Capital, Guy Podjarny (founder of Snyk) and Michael Fey (co-founder and CEO of Island). There was apparently a "frenzy" to invest in Oasis, which is focused on non-human identity management.
- 2. FUNDING: LightBeam Raises $17.8M in Funding
$17.8M Series A? Led by Vertex Ventures with participation from Dropbox Ventures. "Zero trust data protection platform"
- 3. FUNDING: Tenchi Security Raises $7M in Funding
$7M Series A, Bradesco, L4 Venture Builder (associated with the São Paulo stock exchange), and Accenture.
Brazilian startup Tenchi focuses on third-party cyber risk management. They have a highly integrated SaaS product that serves to give customers near real-time information about their third-parties' security status.
- 4. ACQUISITIONS: Protect AI Acquires Laiyer AI to Secure Large Language Models (LLMs)
"With the acquisition, Protect AI will be offering a commercial version of Laiyer AI’s open source LLM Guard with expanded features, capabilities, and integrations within the Protect AI platform. LLM Guard is freely available today, and an industry leading open-source project for protecting large language models (LLMs) against security threats, misuse and prompt injection attacks, while also providing tools to manage risk and compliance needs."
LLM Guard offers input controls and output controls for LLM use. https://github.com/protectai/llm-guard
- 5. ACQUISITIONS: Dynatrace to Acquire Runecast to Enhance Cloud-Native Security and Compliance
An observability and security platform gets AI-powered security and compliance solutions. I'm not sure what all that means, but it's an acquisition.
- 6. BADNEWS: An Instant Fake ID Factory
An epic writeup from Joseph Cox at 404Media, describing how easy it is to use AI-powered black market fake ID generators to bypass identity verification services.
- 7. BAD NEWS: A Security Researcher Allegedly Scammed Apple
A good writeup by 404Media, but unfortunate for the security researcher community. Decades of trying to earn mainstream respect for hackers and researchers, and trying to separate their benign efforts from those of criminals isn't well served when researchers with a track record of legitimate vuln disclosure get busted stealing from Apple.
- 8. COMMUNITY: Join Bluesky Today (Bye, Invites!) – Bluesky
Bluesky is now open to the general public! But will InfoSec Twitter return, or is it too late?
- 9. PREDICTIONS: Ross Haleliuk on LinkedIn: Desperate moves from security startups in the near future
"In the coming year, we will see the most aggressive go-to-market approaches and odd marketing decisions; not by choice but from desperation."
- 10. ESSAY: Palo Alto’s Big Hairy Audacious Goal
Tyler Shields marks an incredible milestone - Palo Alto Networks is the first pure-play cybersecurity vendor to crest a $100B valuation! CEO Nikesh Arora grew PANW from $19B in 2018 to $100B in 2023, with both a pandemic and market slump in the middle. How did he do it??? We'll ask Tyler to explain.
- 11. ESSAYS: Breaking Down The EU Data Act
The first piece from Katie Teitler-Santullo under The Cyber Why banner! She breaks down the EU Data Act and discusses its potential impacts.
- 12. AI TOOLS: danielmiessler/fabric: fabric is an open-source framework for augmenting humans using AI.
I'm not going to pretend to fully understand what this project is doing, but it seems focused around making LLM-based AI easier to use at scale for deeper tasks, particularly regularly executed ones.
- 13. DUMPSTER FIRE: How To Land a Remote, Six-Figure Cybersecurity Job in Just 45 Days
From downtown charlatan-ville, Ben Rothke outs a scammer promising to land you a six-figure cybersecurity job. All you have to do is give him all your money...
- 14. BREACHES: AnyDesk Hacked: Popular Remote Desktop Software Mandates Password Reset
Possibly the worst product to get hacked. Direct access to millions of endpoints? Yes, I can see how attackers might want that.
- 15. TRENDS: FAA Tells Pilots To Go Analogue As GNSS ‘Spoofing’ Incidents Increase
Spoofing wireless signals is a tough attack to protect against. It's brute-force and messy, as GPS spoofing in particular can't be targeted, to my knowledge. The spoofing attempt affects any devices within range of the spoofing signal.
- 16. TRENDS: Qualys Stock Plunges As Analyst Predicts End To Microsoft Partnership
This appears to be just replacing Qualys for container scanning. Doesn't seem like nearly as huge a deal as the market seems to think it is.
- 17. VULNERABILITIES: The Real Shim Shady – How CVE-2023-40547 Impacts Most Linux Systems – Eclypsium
Paul has been digging deep into this vuln. Check out episode 816 of Paul's Security Weekly, the news segment, for a detailed explanation of this vuln and why it is so serious.
- 18. REGULATIONS: Feds cough up ‘voluntary’ cybersecurity goals for hospitals
"If you are responsible for infosec at an American hospital or other healthcare organization, and you treat the US government's new "voluntary" cybersecurity performance goals (CPGs) as, well, voluntary, you're ignoring the writing on the wall."
...
"In early January, as a record-breaking 46 health networks with a total of 141 hospitals between them were still reeling from ransomware infections and data theft in 2023, rumors started swirling that the White House would soon require US hospitals to meet basic cybersecurity standards before receiving federal funding."
- 19. SQUIRREL: How to tell if your toothbrush is being used in a DDoS attack
Possibly the funniest (and shortest) article I've ever seen.
TL;DR - there's no evidence smart toothbrushes have participated in a DDoS attack, but these devices ARE wifi-enabled these days, so it's technically possible that this could happen in the future.
The longer explanation is that the Swiss media quoted some research from the Swiss office of Fortinet, regarding some IoT hacking on smart toothbrushes. A hypothetical scenario was misunderstood as an actual thing that happened, and before you know it, US outlets like Tom's Hardware are reporting that 3 million smart toothbrushes participated in DDoS attacks.
When Rob Graham weighs in, you know the PR blowback is gonna be bad.
Security experts might have gone too far in the other direction though, rolling their eyes and declaring that smart toothbrushes are bluetooth-only. Some quick research shows that assumption to be false. Most of Oral B's high end smart toothbrushes DO appear to have wifi-enabled bases. Oral B is the brand displayed in the original German article quoting Fortinet.
Rik Ferguson had a decidedly funny take.
