Cybersecurity best practices are the worst, AI indegestion, real time doxxing – ESW #378
This week in the enterprise security news, we've got:
- Torq, Tamnoon, and Defect Dojo raise funding
- Checkmarx acquires ZAP
- Commvault acquires Clumio
- Would you believe San Francisco is NOT the most funded metro area for cybersecurity?
- Auto-doxxing Smart glasses are now possible
- Meta gets fined $100M for storing plaintext passwords
- AI coding assistants might not be living up to expectations
- Worst Practices
- Dumpster fires and truth bombs
All that and more, on this episode of Enterprise Security Weekly!
Hosts
- 1. FUNDING: Torq’s $70M Series C, Tamnoon’s $12M Series A, and Defect Dojo’s $7M Series A
This week's security funding news:
- Torq Announces $70M Series C to Double Down on Generative AI for Security Operations Platform, Bringing Total 2024 Funding to $112M
- Tamnoon Raises $12M Series A Fueling First Hybrid Human-AI Managed Cloud Security Remediation Service
- DefectDojo secures $7M to expand security automation platform - SiliconANGLE
- 2. ACQUISITIONS: ZAP Has Joined Forces With Checkmarx
I'm behind the times - I thought ZAP was still just an OWASP project!
They grow up so fast.
- 3. ACQUISITIONS: Commvault Accelerates Cyber Resilience Capabilities for AWS with Acquisition of Clumio
I need someone to help me understand how anyone is making money off of AWS backups. Isn't that feature already built in?
- 4. FUNDING RESEARCH: Top 10 Global Metro Areas for Cyber Funding by Stage
Spoiler: San Francisco is NOT #1 in total funding or in Seed funding.
I've never seen funding by geography broken down by funding stage, so this is VERY interesting to see. Metro areas that do a lot of early stage funding, don't necessarily do late stage finding, and vice versa.
- 5. DYSTOPIA – I-XRAY Enables Real Time doxxing with Meta Smart Glasses
- Video from glasses is streamed to AI software, which detects faces in real time.
- Detected faces are searched using PimEyes, which finds the person's face on the Internet
- The internet results lead to the individual's name, phone numbers, address, and other personal information.
- The whole process can be fully automated and takes seconds.
In fact, it's fast enough, that it's possible to pretend to recognize someone you see in public, and gaslight them into believing you've met before. All possible because you know things you shouldn't know the moment you meet a stranger!
On the one hand, this could be invaluable for safety in certain scenarios. Unfortunately, it's dual use, so it's just as invaluable to a stalker.
- 6. FINES: Meta Handed $100 Million Fine in Ireland Over Password Storage
If Meta is storing tons of plaintext passwords, what's everyone else doing???
- 7. CRIMES: Crooked Cops, Stolen Laptops & the Ghost of UGNazi – Krebs on Security
Absolute bonkers story - where cybercrimes and IRL crimes meet.
- 8. CRIMES: US charges British man over ‘hack-to-trade’ scheme
Fairly low-tech, but clever method of profiting off some very basic hacking. Strategic insider trading.
- 9. ESSAYS: Before Preaching, Stop Punching Yourself
This essay/rant on security awareness month is chef's kiss
- 10. AI INDEGESTION: Devs gaining little (if anything) from AI coding assistants
Somewhat unsurprising. AI is probably great for people that don't know how to code, or are trying to learn. These amateurs probably don't use coding assistants though, they're likely leveraging ChatGPT or other consumer-focused GenAI tools.
Professional developers, on the other hand, don't need help with writing code itself, but to figure out WHAT to code and HOW. Once the design work is figured out, the coding part is fairly straightforward.
Results seem to differ quite a bit, depending on who you ask, it looks like.
- a study shows that there are perceived benefits from AI coding assistants, but no measurable benefits
- developer burnout also doesn't seem to be affected
- also, it seems other organizations have found more creative ways of using AI, like measuring code quality
- while some find it just as time consuming to review AI-generated code as it would have been to write it themselves.
- however, AI is rapidly improving, so all these results could be drastically different just a few months from now
- 11. WORST PRACTICES: NIST proposes barring some of the most nonsensical password rules
- 12. DUMPSTER FIRES: Live Stream: Integrity vs. Opportunity: Navigating Ethical Dilemmas in Business
If CISOs on the take is already a common practice, how would this harm the industry, buyers, sellers, investors, and even the average individual?
I missed this one when it first came out (thanks to Jennifer Minella for bringing this to my attention). This is a great discussion between Bryson Bort and Robert Hansen that is largely a reaction to Cyberstarts' Sunrise program and the Calcalistech article about it.
Note: the Calcalistech article is now returning a 404, but Archive.org remembers.
- 13. TRUTH BOMBS: rekdt on Twitter
"My CISO to the board: We're tracking AI powered Attacks and Quantum Computing threats
My Board: And rekdt, what is Security Architecture working on?
Me: I just notified our internal teams they haven't remediated their deployed public S3 buckets"
Emphasizing Wendy Nather's points about CISO distractions, this really is a problem. Maybe one of our biggest problems.
- 14. SQUIRREL: Montana man faces sentencing for cloning giant sheep to breed large sheep for captive trophy hunts
Cloning sheep, as you do.
- 15. SQUIRREL: Host Coffee Recommendations
NOTE: these are not affiliate links, we're not making any money off them
- Darwin and Tyler: Lavazza Super Crema Whole Bean
- Adrian: Kicking Horse Coffee, Kick Ass, Dark Roast, Whole Bean
