Cybersecurity best practices are the worst, AI indigestion, real time doxxing – ESW #378
This week in the enterprise security news, we've got:
- Torq, Tamnoon, and Defect Dojo raise funding
- Checkmarx acquires ZAP
- Commvault acquires Clumio
- Would you believe San Francisco is NOT the most funded metro area for cybersecurity?
- Auto-doxxing Smart glasses are now possible
- Meta gets fined $100M for storing plaintext passwords
- AI coding assistants might not be living up to expectations
- Worst Practices
- Dumpster fires and truth bombs
All that and more, on this episode of Enterprise Security Weekly!
- 1. FUNDING: Torq’s $70M Series C, Tamnoon’s $12M Series A, and Defect Dojo’s $7M Series A
This week's security funding news:
- Torq Announces $70M Series C to Double Down on Generative AI for Security Operations Platform, Bringing Total 2024 Funding to $112M
- Tamnoon Raises $12M Series A Fueling First Hybrid Human-AI Managed Cloud Security Remediation Service
- DefectDojo secures $7M to expand security automation platform - SiliconANGLE
- 2. ACQUISITIONS: ZAP Has Joined Forces With Checkmarx
I'm behind the times - I thought ZAP was still just an OWASP project!
They grow up so fast.
- 3. ACQUISITIONS: Commvault Accelerates Cyber Resilience Capabilities for AWS with Acquisition of Clumio
I need someone to help me understand how anyone is making money off of AWS backups. Isn't that feature already built in?
- 4. FUNDING RESEARCH: Top 10 Global Metro Areas for Cyber Funding by Stage
Spoiler: San Francisco is NOT #1 in total funding or in Seed funding.
I've never seen funding by geography broken down by funding stage, so this is VERY interesting to see. Metro areas that do a lot of early stage funding don't necessarily do late stage funding, and vice versa.
- 5. DYSTOPIA – I-XRAY Enables Real Time doxxing with Meta Smart Glasses
- Video from glasses is streamed to AI software, which detects faces in real time.
- Detected faces are searched using PimEyes, which finds the person's face on the Internet
- The internet results lead to the individual's name, phone numbers, address, and other personal information.
- The whole process can be fully automated and takes seconds.
In fact, it's fast enough that it's possible to pretend to recognize someone you see in public and gaslight them into believing you've met before. All possible because you know things you shouldn't know the moment you meet a stranger!
On the one hand, this could be invaluable for safety in certain scenarios. Unfortunately, it's dual use, so it's just as invaluable to a stalker.
- 6. FINES: Meta Handed $100 Million Fine in Ireland Over Password Storage
If Meta is storing tons of plaintext passwords, what's everyone else doing???
- 7. CRIMES: Crooked Cops, Stolen Laptops & the Ghost of UGNazi – Krebs on Security
Absolute bonkers story - where cybercrimes and IRL crimes meet.
- 8. CRIMES: US charges British man over ‘hack-to-trade’ scheme
Fairly low-tech, but clever method of profiting off some very basic hacking. Strategic insider trading.
- 9. ESSAYS: Before Preaching, Stop Punching Yourself
This essay/rant on security awareness month is chef's kiss
- 10. AI INDIGESTION: Devs gaining little (if anything) from AI coding assistants
Somewhat unsurprising. AI is probably great for people who don't know how to code, or are trying to learn. These amateurs probably don't use coding assistants, though; they're more likely leveraging ChatGPT or other consumer-focused GenAI tools.
Professional developers, on the other hand, don't need help with writing the code itself, but with figuring out WHAT to code and HOW. Once the design work is figured out, the coding part is fairly straightforward.
Results seem to differ quite a bit depending on who you ask.
- a study shows that there are perceived benefits from AI coding assistants, but no measurable benefits
- developer burnout also doesn't seem to be affected
- also, it seems other organizations have found more creative ways of using AI, like measuring code quality
- while some find it just as time-consuming to review AI-generated code as it would have been to write it themselves.
- however, AI is rapidly improving, so all these results could be drastically different just a few months from now
- 11. WORST PRACTICES: NIST proposes barring some of the most nonsensical password rules
- 12. DUMPSTER FIRES: Live Stream: Integrity vs. Opportunity: Navigating Ethical Dilemmas in Business
If CISOs on the take is already a common practice, how would this harm the industry, buyers, sellers, investors, and even the average individual?
I missed this one when it first came out (thanks to Jennifer Minella for bringing this to my attention). This is a great discussion between Bryson Bort and Robert Hansen that is largely a reaction to Cyberstarts' Sunrise program and the Calcalistech article about it.
Note: the Calcalistech article is now returning a 404, but Archive.org remembers.
- 13. TRUTH BOMBS: rekdt on Twitter
"My CISO to the board: We're tracking AI powered Attacks and Quantum Computing threats
My Board: And rekdt, what is Security Architecture working on?
Me: I just notified our internal teams they haven't remediated their deployed public S3 buckets"
Emphasizing Wendy Nather's points about CISO distractions, this really is a problem. Maybe one of our biggest problems.
- 14. SQUIRREL: Montana man faces sentencing for cloning giant sheep to breed large sheep for captive trophy hunts
Cloning sheep, as you do.
- 15. SQUIRREL: Host Coffee Recommendations
NOTE: these are not affiliate links, we're not making any money off them
- Darwin and Tyler: Lavazza Super Crema Whole Bean
- Adrian: Kicking Horse Coffee, Kick Ass, Dark Roast, Whole Bean