🎓 VulnU #015: Bigger pools have more ways to sink
Short Thought, Big Impact: Exploring Cyber Emissions and Their Connection to Risk
Read Time: 5 minutes
One major lesson I’ve learned in committing to this new content creation adventure of mine has been how much harder it is to go from 0 → 1 than it is to go 1 → 100.
Let's dig into that a bit, shall we? Then I’ll leave you with something else to chew on.
Putting myself out there
New ways to ingest Vulnerable U content
Cyber risk as emissions & food for thought
Let's Get Vulnerable
For years I used to record a podcast, before they were cool, called Liquidmatrix Security Digest. We recorded over 100 episodes and it was just part of my weekly routine to hop on a Skype call with some friends and talk about the security news of the week. It never felt hard, but I didn’t have to start Liquidmatrix; the avenue was already there.
Vulnerable U being born out of the ether has been a challenge.
In a very self-referential way, it has made me feel very exposed as I put myself out there every week with my own thing. I’m not new to content creation; I am new to swimming in the deep end alone in a pool of my own making.
This week I made the pool bigger.
🎉 Big news is that you can now digest this content visually or as audio. I’ve anxiously launched the Vulnerable U YouTube channel and podcast.
From 0 to now 1.
Daunting, but hoping to pick up a bit of momentum here and make it part of the weekly routine for all of you. Also hoping it grows the audience to those who’d rather not sign up for an email.
For those who would rather have the podcast than YouTube, the audio will be listed on all major podcasting platforms. Some have longer approval processes than others, but most major platforms are ready to go. Here are a few:
Since I had all that to say today and I like keeping the newsletter succinct, I’m going to just share a short thought that I’ve been stewing on this week that will most likely turn into some longer form content.
Cyber risk is an emission of doing business online.
Infosec is a series of emissions control systems to keep the whole thing from burning down.
— Matt Johansen (@mattjay)
Jun 7, 2023
I’ve quoted him in another recent newsletter, so as you can tell I’m turning into a big fan of Scott Galloway. He’s been putting out this idea that got me thinking about “emissions” being more than just carbon dioxide or other greenhouse gases.
Here is Galloway’s intro to this thought:
This gave my brain the good chemicals. Started the wheels spinning. (Read the rest of his post: here)
❓️ What if we looked at capital-R Risk in the same way? What would that make the different cyber security solutions?
❓️ Is anti-virus the paper straw of our world? Apparently everywhere now and not solving the real issue.
❓️ Is DLP the catalytic converter? A desperate attempt to reduce emissions as they’re already leaving the engine and heading into the cloud?
❓️ Is cyber insurance the carbon offset? Spending money to make yourself feel better about not actually doing anything about the risk you’re imposing.
❓️ Is EDR eco diesel or clean coal? A rebrand of an old tech in an effort to make it sound more modern?
❓️ What would carbon capture be? Dark web scraping and storage?
This is a fun exercise, but I also think the thought might be a useful thread to pull, so I’m going to explore this more later.
Until then, if your brain is going the way mine is, send me your thoughts. I’d love to include them on the next iteration of this topic.
It’s infosec Christmas! Verizon DBIR day! If you’re new to it, it’s the most comprehensive report of available breach data that shares trends of what the attackers are actually doing. Grab it here - Link
I’ve been collecting my thoughts and will most likely blog them soon, but Kelly got an advance copy and her blog is spot on as usual. (Seriously, she’s one of the best content creators in the industry.)
maldr0id gave a talk at RightsCon on spyware disinformation campaigns. It seems like the conference had a lot of great attendees and talks. Łukasz did a write-up of their talk here: Link to Medium
Glad to see Apple continuing to invest in Lockdown Mode. This is a feature you need to check out, especially if you’re a public figure or journalist.
The ever brilliant John Hammond did some research around the crazy MOVEit vuln that has been causing lots of havoc this week. Originally, it seemed it was a SQLi vuln, but John realized it was RCE as well based on some reversing. Read their whole report here: Link
There is also a great GitHub repo tracking a bunch of things related to MOVEit here: Link
🧵 HUGE Update around the active exploitation of MOVEit 0day!
From @HuntressLabs - CVE-2023-34362 is not just SQLi - they reversed it and found full RCE as well...
— Matt Johansen (@mattjay)
Jun 6, 2023
I’ve had the honor of working for Phil Venables in a past life and tend to read every word he puts out. Here is another good one. I liked it so much I wrote some thoughts about it on my blog: here
Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.
Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out to us. I’m always happy to hear from our readers and help in any way I can.
Stay safe, Matt Johansen