Read Time: 8 minutes

Howdy friends!

Anyone going to RSA/BSidesSF? My calendar already looking spicy. Make sure to join me at the Securosis recovery breakfast on Thursday morning, as we’re happy to be sponsoring the event. Figured a recovery event after a marathon conference week was on brand with Vulnerable U, plus I love the Securosis guys.

In my blog this week I look at Jonathan Haidt’s new book, The Anxious Generation, where he explores the impact of social media on teen’s mental health.

ICYMI

🖊️ Something I wrote: I was talking this week to someone about Sunk Cost Fallacy and remembered a piece I wrote last year on Strategic Quitting

🎧️ Something I heard: Sherrod DeGrippo? Awesome. Decipher’s podcast? Awesome. Put em together? You know I’m into it.

🎤 Something I said: Took a look at an Israeli spyware leak that delivers attacks via ads with 0-click interaction.

🔎 Something I want you to check out: Managing cloud IAM and permissions could require an advanced degree at times. Sonrai is doing some really cool things to help folks out here.*

🔖 Something I read: Joseph Cox’s new book Dark Wire, where he infiltrated some FBI circles to get a look behind the curtain.

*Sponsor

Vulnerable News

Why CISA is Warning CISOs About a Breach at Sisense

Sisense is one of those companies few of us have ever heard of until something like this but also has thousands of customers and a juicy pile of data. Here’s what we know: Sisense is a data analytics tool that suffered a serious breach this week. From what they’re telling customers, it seems like it was a complete compromise.

Sisense used a self-hosted version of GitLab, which was the initial access vector. In there were secrets and keys that allowed the attackers access to the company's AWS account. From there, it was a feeding frenzy of any and all company and customer data.

Sisense is also one of those tools you integrate into …everything… A lot to go rotate.

The government (CISA) is even putting warnings out about this due to the impact and breadth of this breach. My buddies over at Truffle put out a new open-source project just recently (great timing!) called howtorotate.com, which helps you navigate when secrets get leaked and what to do next to invalidate them for your attacker.

Also, go read Rich’s thoughts on Securosis; he lives this cloud security stuff. (read more)

Apple alerts users in 92 nations to mercenary spyware attacks

Ever feel left out because you weren’t warned that you’re being targetted by nation-state spyware? Yeah me either.

Apple has issued alerts to iPhone users across 92 countries regarding potential threats from mercenary spyware attacks. The notifications warned individuals that their devices might be compromised due to targeted efforts by unidentified attackers. This type of spyware, which can include sophisticated tools like NSO Group's Pegasus, is known for its capability to infiltrate devices without the user's knowledge, primarily targeting specific individuals based on their roles or activities.

Imagine not knowing anything about cybersecurity and this popping up on your phone?! I’d need a change of pants.

Echoing John Scott-Railton here. - “This is serious. Seek expert help. If you're a journalist, activist, dissident, academic, etc. etc: contact the accessnow Digital Security Helpline.” (read more)

Lawmakers unveil new bipartisan digital privacy bill after years of impasse

Is the U.S. getting our own version of GDPR? US Senators Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA) have jointly introduced a groundbreaking draft bill titled the American Privacy Rights Act aimed at establishing comprehensive data privacy protections for Americans. This bipartisan legislation seeks to replace the current fragmented state privacy laws with a uniform national standard, which would be more stringent than any existing state laws.

• Control Over Personal Data: The bill would enable Americans to manage their own data, with provisions to prevent the sale or transfer of their information without express consent.

• Enhanced Privacy Protections: It proposes tighter controls on sensitive data, requiring explicit consent before such data can be shared with third parties.

• Legal Recourse: The legislation would provide individuals with the right to sue for privacy violations and prohibits mandatory arbitration in substantial privacy harm cases.

• Corporate Accountability: The bill mandates rigorous data security standards and makes executives accountable for protecting user data.

Need to keep a close eye on this one as it will have large ramifications. Legal accountability for data mishandling will be a game changer for our industry. Also watch for all the vendors that will pop up to solve for a lot of these requirements. (read more)

THREAD: Round #2 of using Copilot for Security in this thread

This is the most thorough thread I’ve seen reviewing Microsoft’s Copilot for Security AI helper. TL;DR - it would be very expensive to run as often as a security team would need, it isn’t easy to get working, and the output doesn’t seem all that useful. - I’d wait a bit on this one until later versions iron some of the kinks in this thread out. But if you have money to burn, let me know your experience. (read more)

THREAD: We uploaded a backdoored AI model to @HuggingFace which we could use to potentially access other customers’ data

You ever hear the theory of how all evolution is eventually producing crabs? (Why Do Animals Keep Evolving into Crabs?) - Well I think all companies eventually put out Remote Code Execution as a feature. Everywhere I’ve worked has eventually come up with the idea: what if we let our user’s write code and we’ll execute it or give it to other user’s. This is doable safely with guardrails, but boy is it spicy!

HuggingFace is an AI model marketplace of sorts and some security researchers got a backdoored model uploaded and worked with HuggingFace to get the vulnerability that allowed it fixed, but boy do I love research like this. Cool bug team! (read more)

Panera Bread week-long IT outage caused by ransomware attack

Take my PII, but not my bread bowl! Panera experienced a week-long IT outage due to a ransomware attack that encrypted several of the company's virtual machines, disrupting access to data and applications. The incident affected internal systems, point-of-sale operations, and customer-facing platforms like the website and mobile apps. The ransomware group responsible has not been identified, and Panera has been criticized for a lack of transparency about the breach. The company has since begun restoring services from backups. (read more)

Price of zero-day exploits rises as companies harden products against hackers

Hey! Does this mean we’re winning?! As the security of products like iPhones and Android devices improves, the market value for zero-day exploits that can breach these protections has significantly increased. A company named Crowdfense is offering up to $7 million for exploits that can hack iPhones, among other high payouts for similar capabilities against Android phones and popular apps like WhatsApp and iMessage. This is directly due to the rising difficulty and cost of developing such hacking tools as manufacturers strengthen their software defenses. (read more)

Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)

For my blue team audience! Auditd and OSquery are super powers, learn to wield them! - This article on "Linux Threat Hunting for Persistence" discusses using tools like Auditd, Sysmon, and osquery to detect persistence mechanisms like web shells on Linux systems. It comes at it from an "offense informs defense" approach, where understanding attacker methods helps in setting up monitoring and detection strategies. (read more)

A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask

What a wild ride of a story. This one goes into the actions of Alejandro Caceres, known by his hacker alias "P4x," who launched a one-man cyberattack against North Korea's internet in response to their attempts to hack U.S. cybersecurity resources. Revealing his identity publicly for the first time, Caceres shared his motivations and methods, detailing how he single-handedly disrupted North Korean internet infrastructure from his home in Florida. The U.S. government, rather than prosecuting him, showed interest in leveraging his expertise for state-sponsored hacking efforts. The story unfolds against the backdrop of Caceres' dissatisfaction with the bureaucratic delays and risk aversion he perceives in the U.S. government's cyber operations, leading him to advocate for a more aggressive and nimble approach to cybersecurity. (read more)

Top Israeli spy chief exposes his true identity in online security lapse

Yossi Sariel, head of Israel's Unit 8200, was inadvertently exposed online due to a security lapse linked to his book "The Human Machine Team," published under a pseudonym. The book, promoting AI in military strategy, left a digital trail to Sariel's private Google account. This exposure comes amidst criticism of Unit 8200's reliance on technology over traditional intelligence, especially after failing to predict a major attack by Hamas. (read more)

THREAD: APT Emulation Labs: NOW LIVE

This looks like an incredibly cool resource. I haven’t had time to crack it open yet but it takes APT behaviors and puts them in a lab for you to solve the incidents like a puzzle. Incident response is a muscle you need to practice to keep so I love things like this. - “Solve incidents emulating APT29, APT10 and other threat groups. Each lab comes with scoping notes, Windows VM with forensic tools, network diagrams, disk forensics, ELK access and was created from our collective experience working in the field.” (read more)

GitHub: Awesome secure by default libraries to help you eliminate bug classes!

I’m a huge fan of security guardrails in code. The more developers can rely on security by default the better. My buddy Clint from TL;DRsec (where a lot of you reading this found me from) put together this awesome list of libraries you can use to build in protections for your code by default. This is organized by vulnerability type and by programming language. Keep stubbing your toe on SSRF in Python? It’s got you. Love it! Thanks Clint! (read more)

Upcoming Appearances

I’m talking at a virtual conference GreyNoise is putting on about mental health, stress, and life for a SOC analyst.

Stay safe, Matt Johansen
@mattjay