Celebrity investors, creator metrics, and Chrome extension compromise – ESW #389
In this latest Enterprise Security Weekly episode, we explored some significant cybersecurity developments, starting with Veracode's acquisition of Phylum, a company specializing in detecting malicious code in open-source libraries. The acquisition sparked speculation that it might be more about Veracode staying relevant in a rapidly evolving market than a strategic growth move, especially given the rising influence of AI-driven code analysis tools. We also covered 1Password's acquisition of Trelica, a UK-based shadow IT detection firm, raising interesting questions about 1Password's expansion into access management. Notably, the deal involved celebrity investors like Matthew McConaughey and Ashton Kutcher, suggesting a trend where Hollywood influence intersects with cybersecurity branding.
A major highlight was the Cyberhaven breach, where a compromised Chrome extension update was capable of stealing customer passwords and session tokens. The attack started with a phishing email disguised as a Google policy violation warning; the link led a maintainer to authorize a malicious OAuth app, which gave the attackers the ability to publish extension updates without ever touching the maintainer's password or MFA. To their credit, Cyberhaven responded swiftly, pulling the extension within two hours and maintaining transparency throughout. This incident underscored broader concerns around the poor security of browser extensions, an issue that continues to be exploited due to lax marketplace oversight.
We also reflected on Cory Doctorow's concept of "Enshittification," critiquing platforms that prioritize profit and engagement metrics over genuine user experiences. His decision to ignore vanity metrics resonated, especially considering how often engagement numbers are inflated in corporate settings. The episode wrapped with a thoughtful discussion on how CISOs can say "no" more effectively, emphasizing "yes, but" strategies and the importance of consistency. We also debated the usability frustrations of "magic links" for authentication, arguing that alternatives like passkeys or multi-factor codes could offer a better balance between security and convenience.
- 1. ACQUISITIONS: Veracode Acquires Phylum, Inc. Technology to Transform Software Supply Chain Security
"Acquired certain assets" <-- I'm wondering if this was a distressed fire sale.
We keep hearing from folks that we're going to continue to see forced acquisitions when the low-interest-rate free-money-folks near the end of their runways. Is this the beginning of a long year for folks that weren't able to raise the next round?
- 2. ACQUISITIONS: 1Password acquires Trelica to extend its cybersecurity capabilities
- 3. TOOLS: Free Google Workspace Risk Assessment Tool
Just give this free tool admin access to your Google Workspace. I'm sure it will be fine ;)
- 4. TOOLS: Retrofitting spatial safety to hundreds of millions of lines of C++
We can't just quit C++ overnight and move to Rust. So there's still room for improvement. A LOT of room. Hardened libc++ now includes checks for common security issues, preventing an estimated 1000-2000 bugs per year across Google's codebases (which apparently still include millions of lines of C++).
- 5. ESSAYS: Security Anti-Patterns in the AI Era
Some great, general advice here to take into the new year.
- 6. ESSAYS: Pluralistic: Proud to be a blockhead (21 Dec 2024) – Pluralistic: Daily links from Cory Doctorow
It's a long read, but a really interesting one, particularly for those of us that do a lot of writing and creative work.
TL;DR Cory Doctorow doesn't gather stats for his websites, posts, nothing. Even where stats exist, he intentionally ignores them. Instead, he measures success by active engagement: number of comments, whether he got any insights out of a conversation in the comments section.
This really resonates with me. I often look at stats and wonder, "what percentage are bots now?" I know some percentage are bots, so could they all be bots? This is more good advice going into 2025. Don't worry about the number of likes, reshares, thumbs up - focus more on the conversation you spark.
- 7. ESSAYS: Drivers of Disharmony in U.S. Cyber Regulations
When are you required to report a breach? It depends.
This essay is all about the disjointed mess that is cyber regulation at the moment.
- 8. ESSAYS: How to Say “No” Well
Sure, we shouldn't be the department of "no". But don't overcorrect either.
This post is all about saying no, but correctly.
- 9. ESSAYS: Magic/Tragic Email Links: Don’t make them the only option
The latest from our friend and sometimes emergency host, Guillaume, inspired by a post over at 404media titled We don't want your password.
I'm with him here. I'm a paying subscriber to 404 Media from day one, but OMG is it painful to log in with a link. Especially when that link expires after one use, and your email client uses up that one use trying to create a preview of the website for you.
AAARRRRGHHH
No more intermediary steps or temporary flavors of MFA, let's just passkey all the things please?
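The one-use-burned-by-the-preview problem above is a design bug, not just an annoyance. The simulation below is an added example (not code from Guillaume's post, 404 Media, or any real site): it models a single-use magic-link store, then shows that redeeming the token on the GET that the email link triggers lets a link previewer consume it before the user ever clicks, while rendering a confirmation page on GET and redeeming only on the user's POST survives the previewer. Token lifetime, the response tuples and the "previewer fetches once, then the user clicks" sequence are assumptions made for the illustration.

```python
"""Magic-link redemption: why single-use-on-GET breaks with link previews.

Constructed simulation for illustration; not code from any real service.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute link lifetime


class MagicLinkStore:
    """Single-use, time-limited login tokens.

    Only the SHA-256 of each token is stored, so a leaked copy of this table
    cannot be replayed as a login link.
    """

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def is_pending(self, token, now=None):
        """Non-consuming check, used only to decide whether to render the confirm page."""
        now = time.time() if now is None else now
        entry = self._pending.get(self._key(token))
        return entry is not None and now <= entry[1]

    def redeem(self, token, now=None):
        """Consume the token exactly once; returns the email or None."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]


ERROR = ("error", "link already used or expired")


# --- Design A: the link itself logs you in (redeem on GET) ------------------
def naive_get(store, token):
    email = store.redeem(token)
    return ("session", email) if email else ERROR


# --- Design B: GET only shows a "Sign in" button; the POST redeems ----------
def confirm_get(store, token):
    if not store.is_pending(token):
        return ERROR
    return ("confirm_page", token)  # a real app renders <form method="post"> here


def confirm_post(store, token):
    email = store.redeem(token)
    return ("session", email) if email else ERROR


def simulate(design):
    """The mail client fetches the link for a preview (GET only), then the user clicks."""
    store = MagicLinkStore()
    token = store.issue("reader@example.com")  # constructed address
    if design == "naive":
        naive_get(store, token)            # previewer's GET consumes the token
        return naive_get(store, token)     # user's click now fails
    confirm_get(store, token)              # previewer's GET consumes nothing
    page = confirm_get(store, token)       # user lands on the confirm page
    assert page[0] == "confirm_page"
    first = confirm_post(store, token)     # user clicks "Sign in"
    second = confirm_post(store, token)    # replay of the same link must fail
    return first, second


if __name__ == "__main__":
    print("naive:", simulate("naive"))
    print("confirm:", simulate("confirm"))
```

The confirmation step costs one extra click but keeps the token single-use, which is the property that makes a leaked or forwarded link harmless after first redemption. Previewers and most mail-security link scanners fetch with GET and do not submit forms, so they no longer spend the one use. It does nothing about a previewer that submits forms, and nothing about the underlying complaint that the whole dance exists because the site refused to offer a passkey.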
- 10. BREACHES: Cyberhaven says it was hacked to publish a malicious update to its Chrome extension
"Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens"
Big Oof. That's a tough statement to read for a cybersecurity vendor. A data loss prevention vendor being the source of the leak? There are a ton of details worth going into here though.
First off, I'm giving Cyberhaven a 10/10 on the breach response here. They detected it quickly, pulled it down quickly, and have been very transparent during the whole process - all the most important things you want to see in incident response from one of your third parties.
The benefit of reporting on this now, a few weeks later (it happened on Christmas Eve/Day, because attackers are jerks like that), is that we now know that Cyberhaven's Chrome extension was just one of 36 extensions that were successfully hacked, all using the same phishing tactics. It's the details of these tactics that get really concerning.
- The phish: sent to extension maintainers, the email created a sense of urgency by suggesting the extension didn't meet Google's policies and was at risk of getting pulled.
- The trap: clicking "Go To Policy" takes the target to a legitimate Google auth page, but for the attacker's OAuth app, nefariously named, "Privacy Policy Extension". The target thinks they're accepting a new Google policy, when they're actually delegating control of their extensions to the attackers.
- The kicker: "direct approvals in OAuth authorization flows" don't require MFA.
In Cyberhaven's post mortem there's another painful statement: "The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee's Google credentials were not compromised."
Big Oof.
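The three bullets above describe a consent-phishing flow: the victim is on a real accounts.google.com page, the only attacker-controlled parts are the app registration (its display name, "Privacy Policy Extension") and the authorization URL's query string, and because consent reuses the already signed-in session there is no password entry and no second factor. That makes the URL itself the thing worth triaging. The script below is an added example, not Cyberhaven's code or any Google tooling: it parses an OAuth authorization link the way a security team might when a maintainer forwards a suspicious "policy violation" email, and flags an unknown client_id, high-impact scopes, a redirect_uri outside the org, and a request for offline (refresh-token) access. The allowlist, org domain, scope list and both sample URLs are constructed for the illustration; the chromewebstore scope name is an assumption about what a Web Store publishing app would ask for.

```python
"""Triage an OAuth consent link lifted from a suspicious email.

Added example, not Cyberhaven's code. Allowlist, org domain, scope list and
sample URLs are constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Assumption: the org keeps an allowlist of OAuth client IDs it actually uses.
KNOWN_CLIENT_IDS = {"123456789012-knowncorpapp.apps.googleusercontent.com"}
ORG_DOMAIN = "example.com"  # assumption: where legitimate redirect_uris live

# Scopes that let an app act as the user rather than just read a profile.
# The chromewebstore scope is assumed to be what a Web Store publishing app
# requests; the others are Gmail, Drive and Workspace directory access.
HIGH_IMPACT_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

GOOGLE_AUTH_HOSTS = {"accounts.google.com"}


def _in_org(hostname):
    return hostname == ORG_DOMAIN or hostname.endswith("." + ORG_DOMAIN)


def triage_oauth_url(url):
    """Return a list of findings for a Google OAuth authorization URL.

    An empty list means nothing stood out, not that the link is safe: the
    app's display name on the consent screen is attacker-chosen and never
    appears in the URL, which is why the client_id allowlist carries the weight.
    """
    findings = []
    parsed = urlparse(url)
    if parsed.hostname not in GOOGLE_AUTH_HOSTS or not parsed.path.startswith("/o/oauth2/"):
        return findings  # not a Google consent link; out of scope for this check

    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    client_id = q.get("client_id", "")
    if client_id not in KNOWN_CLIENT_IDS:
        findings.append(f"unknown client_id {client_id!r}")

    scopes = set(q.get("scope", "").split())
    for scope in sorted(scopes & HIGH_IMPACT_SCOPES):
        findings.append(f"high-impact scope {scope}")

    redirect = urlparse(q.get("redirect_uri", ""))
    if redirect.scheme != "https" or redirect.hostname is None:
        findings.append(f"non-https or empty redirect_uri {q.get('redirect_uri', '')!r}")
    elif not _in_org(redirect.hostname):
        findings.append(f"redirect_uri host {redirect.hostname} is outside {ORG_DOMAIN}")

    if q.get("access_type") == "offline":
        findings.append("offline access requested (refresh token outlives the session)")

    return findings


# Constructed sample links. The first mimics the "Go To Policy" lure; the
# second is what the org's own SSO app would send.
PHISH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=987654321098-privacypolicyext.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fpolicy-review.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore%20openid%20email"
    "&access_type=offline&prompt=consent"
)
LEGIT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-knowncorpapp.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fsso.example.com%2Fcallback"
    "&response_type=code&scope=openid%20email%20profile"
)

if __name__ == "__main__":
    for name, url in (("phish", PHISH_URL), ("legit", LEGIT_URL)):
        print(name, triage_oauth_url(url))
```

The same allowlist is the control that would have helped here: Workspace admins can restrict which third-party apps users may grant access to, so an unregistered client_id never reaches a consent screen in the first place. A strong MFA policy does not cover this path, exactly as the post mortem quote says.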
- 11. BREACHES: These were the badly handled data breaches of 2024
I've been saying for years, the lowest point isn't the breach, it's a breach handled badly.
This is a list of badly handled breaches. Don't do what these companies did!
- 12. REPORTS: Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition
Some fun analysis from Greynoise
- 13. HOWTO: How We are Self Hosting Code Scanning at Reddit
A very interesting read on how Reddit has automated code scanning, particularly looking for hardcoded creds in code.
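To make the "looking for hardcoded creds" part concrete, here is an added example of the two detection styles such a scanner combines; it is not Reddit's scanner and does not reproduce their rules. Fixed-format credentials (an AWS access key ID, a GitHub personal access token, a PEM private key header) are matched by pattern, while generic `password = "..."` style assignments are run through a Shannon-entropy check so that placeholders and dictionary words do not fire. The sample file, the entropy threshold and the pattern list are constructed for the illustration; the AWS key in the sample is the example key from AWS's own documentation.

```python
"""Detect hardcoded credentials in source text: fixed-format patterns plus an
entropy check for generic secret assignments.

Added example; not Reddit's scanner. Patterns, threshold and sample lines are
constructed for illustration.
"""
import math
import re

# Well-known fixed-format credentials (pattern -> label).
PATTERNS = [
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AWS access key ID"),
    (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "GitHub personal access token"),
    (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "private key block"),
]

# A quoted value of 8+ chars assigned to a secret-looking name (db_password, API_KEY, ...).
ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*['"]([^'"]{8,})['"]"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned to flag random-looking strings


def shannon_entropy(s):
    """Bits of entropy per character; 0 for empty or single-character strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return (label, matched_value) findings for one line of source."""
    findings = []
    for rx, label in PATTERNS:
        for m in rx.finditer(line):
            findings.append((label, m.group(0)))
    already = {value for _, value in findings}
    for m in ASSIGNMENT.finditer(line):
        name, value = m.group(1), m.group(2)
        if value in already:
            continue  # the fixed-format rule already reported this value
        if value.startswith("${") or value.startswith("<"):
            continue  # templated placeholder such as "${DB_PASSWORD}" or "<redacted>"
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append((f"high-entropy {name.lower()}", value))
    return findings


def scan_file(text):
    """Return (line_number, label, value) for every finding in the text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, value in scan_line(line):
            results.append((lineno, label, value))
    return results


# Constructed sample file. The AWS key is AWS's documented example key; the
# GitHub token and session token are made-up strings of the right shape.
SAMPLE = """\
# constructed config for the scanner demo
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
db_password = "${DB_PASSWORD}"
api_key = "hunter2"
password = "password"
session_token = "q8Fz7LkP2mXw9vRt4Nc1Ys6Hb3Jd0Ge5"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, label, value in scan_file(SAMPLE):
        print(f"{lineno}: {label}: {value}")
```

The pattern rules are precise but only cover formats you know about; the entropy rule catches the rest at the cost of tuning. In a real pipeline the threshold, the placeholder exclusions and an allowlist of known test fixtures are what keep the false-positive rate low enough that engineers keep reading the findings.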
- 14. SQUIRREL: It’s a trap.