🎓️ Vulnerable U | #059

Sisense breached, forcing a massive secret-rotation effort for its customers; Apple warns users targeted by nation-state spyware; the U.S. gets its own GDPR?; HuggingFace gets a backdoored AI model; some great blue team resources; and more!

Read Time: 8 minutes

Howdy friends!

Anyone going to RSA/BSidesSF? My calendar is already looking spicy. Make sure to join me at the Securosis recovery breakfast on Thursday morning, as we’re happy to be sponsoring the event. Figured a recovery event after a marathon conference week was on brand with Vulnerable U, plus I love the Securosis guys.

In my blog this week I look at Jonathan Haidt’s new book, The Anxious Generation, where he explores the impact of social media on teens’ mental health.

The omnipresence of social media is the peak of connection and an absolute nightmare—offering boundless interaction while potentially ensnaring the vulnerable minds of teens in its bullshit psychological web. Hyperconnectivity is all so new to us in generational terms and came on very suddenly. All the stats point towards the generation that never knew a time before Instagram, which has been absolutely brain-nuked into an anxious spiral.

Is social media fueling anxiety among our youth? It seems obvious, but let’s explore what experts, not just some cybersecurity guy with a blog, have to say. Jonathan Haidt’s recent book, The Anxious Generation, sets out to answer this question. I’m a big fan of Haidt’s work and have read many of his books.

Haidt proposes that the absolute explosive reach of smartphones and social media platforms has not only reshaped the landscape of what it means to grow up in this world but may also be exacerbating mental health challenges.

ICYMI

🖊️ Something I wrote: I was talking this week to someone about the Sunk Cost Fallacy and remembered a piece I wrote last year on Strategic Quitting.

🎧️ Something I heard: Sherrod DeGrippo? Awesome. Decipher’s podcast? Awesome. Put ’em together? You know I’m into it.

🎤 Something I said: Took a look at an Israeli spyware leak that delivers attacks via ads with 0-click interaction.

🔎 Something I want you to check out: Managing cloud IAM and permissions could require an advanced degree at times. Sonrai is doing some really cool things to help folks out here.*

🔖 Something I read: Joseph Cox’s new book Dark Wire, where he infiltrated some FBI circles to get a look behind the curtain.

*Sponsor

📣 Sponsor

⚔️ Slash your cloud permissions attack surface by 92% overnight!

No hero enters battle without the right weaponry to defeat their foes.

So why would you approach excessive cloud permissions differently? 

Conquer the challenge of achieving true least privilege effortlessly with the Cloud Permissions Firewall!

A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

Seize this heroic opportunity!

Vulnerable News

Sisense is one of those companies few of us have ever heard of until something like this happens, but it also has thousands of customers and a juicy pile of data. Here’s what we know: Sisense is a data analytics tool that suffered a serious breach this week. From what they’re telling customers, it seems like it was a complete compromise.

Sisense used a self-hosted version of GitLab, which was the initial access vector. In there were secrets and keys that allowed the attackers access to the company's AWS account. From there, it was a feeding frenzy of any and all company and customer data.

Sisense is also one of those tools you integrate into …everything… A lot to go rotate.

The government (CISA) is even putting warnings out about this due to the impact and breadth of this breach. My buddies over at Truffle put out a new open-source project just recently (great timing!) called howtorotate.com, which helps you navigate when secrets get leaked and what to do next to invalidate them for your attacker.

Also, go read Rich’s thoughts on Securosis; he lives this cloud security stuff. (read more)
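To make the “secrets and keys sitting in GitLab” problem concrete, here is a small scanner I added for this edition (not Sisense’s, Truffle’s or howtorotate.com’s code). It walks a set of repository files and flags AWS access key IDs and secret access keys by their documented formats, masking the values so findings can go straight into a rotation ticket without re-leaking the key. The repository contents are constructed for the demo, the key pair is the placeholder pair from AWS’s own documentation, and the `Finding` type and `scan_files` function are my own names.

```python
"""Flag AWS credential material committed to repository files so it can be
rotated before someone else finds it.

Added example, not Sisense's, Truffle's or howtorotate.com's code. The files
below are constructed; the key pair is the placeholder pair from AWS's own
documentation and does not open anything.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Access key IDs: 20 uppercase alphanumerics with a fixed prefix
# (AKIA = long-lived IAM user key, ASIA = temporary STS key).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys: 40 base64-alphabet characters. Flagged only on lines
# that name a secret key, which keeps random 40-char blobs (git SHAs) quiet.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-\s]*secret[_\-\s]*(?:access[_\-\s]*)?key[^\n]*?([A-Za-z0-9/+]{40})\b"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str    # "access_key_id" or "secret_access_key"
    masked: str  # first/last 4 chars only, safe to put in a ticket or log


def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", mask(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a repo path to its contents (e.g. from a tree walk or git show)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository snapshot; the credential values are AWS's documented
# placeholders, not real keys.
SAMPLE_REPO = {
    ".gitlab-ci.yml": (
        "deploy:\n"
        "  script:\n"
        "    - export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "    - export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "    - aws s3 sync ./build s3://example-bucket\n"
    ),
    "README.md": "Run `aws configure` locally and never commit credentials.\n",
    "config/app.toml": 'release_sha = "3f786850e387550fdab836ed7e6dc881de23001b"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
```

Running it on the sample flags the two lines in `.gitlab-ci.yml` and stays silent on the 40-character git SHA in `config/app.toml`, which is the false-positive the context requirement in `SECRET_KEY_RE` is there to avoid. Pointing `scan_files` at full git history rather than the working tree is what catches keys that were “removed” in a later commit.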

Ever feel left out because you weren’t warned that you’re being targeted by nation-state spyware? Yeah, me neither.

Apple has issued alerts to iPhone users across 92 countries regarding potential threats from mercenary spyware attacks. The notifications warned individuals that their devices might be compromised due to targeted efforts by unidentified attackers. This type of spyware, which can include sophisticated tools like NSO Group's Pegasus, is known for its capability to infiltrate devices without the user's knowledge, primarily targeting specific individuals based on their roles or activities.

Imagine not knowing anything about cybersecurity and this popping up on your phone?! I’d need a change of pants.

Echoing John Scott-Railton here. - “This is serious. Seek expert help. If you're a journalist, activist, dissident, academic, etc. etc: contact the accessnow Digital Security Helpline.” (read more)

Is the U.S. getting its own version of GDPR? US Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA) have jointly introduced a groundbreaking draft bill titled the American Privacy Rights Act, aimed at establishing comprehensive data privacy protections for Americans. This bipartisan legislation seeks to replace the current fragmented state privacy laws with a uniform national standard, which would be more stringent than any existing state law.

  • Control Over Personal Data: The bill would enable Americans to manage their own data, with provisions to prevent the sale or transfer of their information without express consent.

  • Enhanced Privacy Protections: It proposes tighter controls on sensitive data, requiring explicit consent before such data can be shared with third parties.

  • Legal Recourse: The legislation would provide individuals with the right to sue for privacy violations and prohibits mandatory arbitration in substantial privacy harm cases.

  • Corporate Accountability: The bill mandates rigorous data security standards and makes executives accountable for protecting user data.

Need to keep a close eye on this one as it will have large ramifications. Legal accountability for data mishandling will be a game changer for our industry. Also watch for all the vendors that will pop up to solve for a lot of these requirements. (read more)

Do you think this American Privacy Act will be helpful to the cybersecurity industry as a whole?

How effective do you think this will be?


This is the most thorough thread I’ve seen reviewing Microsoft’s Copilot for Security AI helper. TL;DR - it would be very expensive to run as often as a security team would need, it isn’t easy to get working, and the output doesn’t seem all that useful. - I’d wait a bit on this one until later versions iron some of the kinks in this thread out. But if you have money to burn, let me know your experience. (read more)

You ever hear the theory of how all evolution is eventually producing crabs? (Why Do Animals Keep Evolving into Crabs?) - Well, I think all companies eventually put out Remote Code Execution as a feature. Everywhere I’ve worked has eventually come up with the idea: what if we let our users write code and we’ll execute it or give it to other users? This is doable safely with guardrails, but boy is it spicy!

HuggingFace is an AI model marketplace of sorts. Some security researchers got a backdoored model uploaded, then worked with HuggingFace to get the vulnerability that allowed it fixed. Boy, do I love research like this. Cool bug, team! (read more)

Take my PII, but not my bread bowl! Panera experienced a week-long IT outage due to a ransomware attack that encrypted several of the company's virtual machines, disrupting access to data and applications. The incident affected internal systems, point-of-sale operations, and customer-facing platforms like the website and mobile apps. The ransomware group responsible has not been identified, and Panera has been criticized for a lack of transparency about the breach. The company has since begun restoring services from backups. (read more)

Hey! Does this mean we’re winning?! As the security of products like iPhones and Android devices improves, the market value for zero-day exploits that can breach these protections has significantly increased. A company named Crowdfense is offering up to $7 million for exploits that can hack iPhones, among other high payouts for similar capabilities against Android phones and popular apps like WhatsApp and iMessage. This is directly due to the rising difficulty and cost of developing such hacking tools as manufacturers strengthen their software defenses. (read more)

For my blue team audience! Auditd and osquery are superpowers; learn to wield them! - This article on "Linux Threat Hunting for Persistence" discusses using tools like Auditd, Sysmon, and osquery to detect persistence mechanisms like web shells on Linux systems. It comes at it from an "offense informs defense" approach, where understanding attacker methods helps in setting up monitoring and detection strategies. (read more)
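As an added example (mine, not code from the linked article), here is the auditd side of that web shell hunt in Python: group SYSCALL and EXECVE records by their audit serial, then alert when the web server’s service account (uid 33, www-data on Debian-derived systems) executes a shell or scripting interpreter, which is exactly the process tree a web shell leaves behind. The audit lines are constructed to follow auditd’s key=value format with made-up timestamps and pids; the uid set, the interpreter list and the `hunt` function are my assumptions, and the hex decoding reflects auditd’s habit of hex-encoding EXECVE arguments that contain spaces.

```python
"""Hunt for web-shell-style persistence in auditd output.

Signal: the web server's service account (uid 33, www-data on Debian-derived
systems) executing a shell or scripting interpreter. Added example, not the
linked article's code; the audit records below are constructed to follow
auditd's key=value line format, with made-up timestamps, pids and serials.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumptions for this demo: which uids belong to web servers and which
# programs count as "a shell" when that uid launches them.
WEB_SERVER_UIDS = {33}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python3", "perl", "nc"}

RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)"
)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
ARG_KEY_RE = re.compile(r"^a\d+$")


def parse_record(line: str) -> dict | None:
    """Split one auditd line into a dict of its key=value fields."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, raw, quoted in KV_RE.findall(m["body"]):
        value = quoted if raw.startswith('"') else raw
        # auditd hex-encodes EXECVE arguments that contain spaces or
        # non-printable bytes; those appear unquoted, so decode them here.
        if ARG_KEY_RE.match(key) and not raw.startswith('"'):
            try:
                value = bytes.fromhex(value).decode("utf-8", "replace")
            except ValueError:
                pass
        rec[key] = value
    return rec


def group_events(lines) -> dict[int, dict]:
    """Correlate SYSCALL and EXECVE records that share an audit serial."""
    events: dict[int, dict] = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["ts"] = rec["ts"]
            ev["uid"] = int(rec.get("uid", -1))
            ev["comm"] = rec.get("comm", "")
            ev["exe"] = rec.get("exe", "")
        elif rec["type"] == "EXECVE":
            argc = int(rec.get("argc", 0))
            ev["argv"] = [rec.get(f"a{i}", "") for i in range(argc)]
    return events


def hunt(lines) -> list[dict]:
    """Return one alert per execve of an interpreter by a web server uid."""
    alerts = []
    for serial, ev in sorted(group_events(lines).items()):
        if ev.get("uid") in WEB_SERVER_UIDS and ev.get("comm") in INTERPRETERS:
            alerts.append({
                "serial": serial, "ts": ev.get("ts"), "uid": ev["uid"],
                "exe": ev.get("exe"), "argv": ev.get("argv", []),
            })
    return alerts


# Constructed audit log: serial 201 is www-data spawning a shell (alert),
# 202 is a normal interactive user, 203 is www-data running PHP as usual.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712900001.100:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1340 auid=4294967295 uid=33 gid=33 euid=33 comm="sh" exe="/usr/bin/dash" key="proc_exec"
type=EXECVE msg=audit(1712900001.100:201): argc=3 a0="sh" a1="-c" a2=6964202D75
type=PATH msg=audit(1712900001.100:201): item=0 name="/usr/bin/sh" inode=131250
type=SYSCALL msg=audit(1712900002.200:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1402 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="proc_exec"
type=EXECVE msg=audit(1712900002.200:202): argc=2 a0="bash" a1="--login"
type=SYSCALL msg=audit(1712900003.300:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1450 auid=4294967295 uid=33 gid=33 euid=33 comm="php" exe="/usr/bin/php8.2" key="proc_exec"
type=EXECVE msg=audit(1712900003.300:203): argc=2 a0="php" a1="/var/www/html/index.php"
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

The records only exist if auditd is told to watch execve in the first place, so the rule `-a always,exit -F arch=b64 -S execve -k proc_exec` (or the 32-bit twin) has to be loaded before this produces anything. The `key=` field is what lets you scope the hunt to that rule’s output instead of the whole log.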

What a wild ride of a story. This one goes into the actions of Alejandro Caceres, known by his hacker alias "P4x," who launched a one-man cyberattack against North Korea's internet in response to their attempts to hack U.S. cybersecurity resources. Revealing his identity publicly for the first time, Caceres shared his motivations and methods, detailing how he single-handedly disrupted North Korean internet infrastructure from his home in Florida. The U.S. government, rather than prosecuting him, showed interest in leveraging his expertise for state-sponsored hacking efforts. The story unfolds against the backdrop of Caceres' dissatisfaction with the bureaucratic delays and risk aversion he perceives in the U.S. government's cyber operations, leading him to advocate for a more aggressive and nimble approach to cybersecurity. (read more)

Yossi Sariel, head of Israel's Unit 8200, was inadvertently exposed online due to a security lapse linked to his book "The Human Machine Team," published under a pseudonym. The book, promoting AI in military strategy, left a digital trail to Sariel's private Google account. This exposure comes amidst criticism of Unit 8200's reliance on technology over traditional intelligence, especially after failing to predict a major attack by Hamas. (read more)

This looks like an incredibly cool resource. I haven’t had time to crack it open yet but it takes APT behaviors and puts them in a lab for you to solve the incidents like a puzzle. Incident response is a muscle you need to practice to keep so I love things like this. - “Solve incidents emulating APT29, APT10 and other threat groups. Each lab comes with scoping notes, Windows VM with forensic tools, network diagrams, disk forensics, ELK access and was created from our collective experience working in the field.” (read more)

I’m a huge fan of security guardrails in code. The more developers can rely on security by default, the better. My buddy Clint from TL;DRsec (where a lot of you reading this found me) put together this awesome list of libraries you can use to build protections into your code by default. It’s organized by vulnerability type and by programming language. Keep stubbing your toe on SSRF in Python? It’s got you. Love it! Thanks, Clint! (read more)
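Since the list is organized by vulnerability type and language, here is the SSRF-in-Python case worked as an added example (my code, not anything from Clint’s list): a guard that checks the scheme, port and embedded credentials of an outbound URL, then refuses any destination whose IP literal or DNS answer lands in loopback, private, link-local (which covers the cloud metadata address), multicast or other non-public space, including IPv4-mapped IPv6 spellings of those. The DNS table, the `validate_outbound_url` and `check` functions and the allowed scheme/port sets are my assumptions; `resolve` is injected so the demo runs offline.

```python
"""SSRF guard for outbound fetches.

Added example, not from the guardrails list above. It rejects URLs by scheme,
port and embedded credentials, then requires every address the host resolves
to (or the IP literal itself) to be public: loopback, private, link-local
(which covers the 169.254.169.254 cloud metadata endpoint), multicast and
IPv4-mapped IPv6 forms of those are all refused. `resolve` is injected so the
demo runs offline against a constructed name table.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: this service only calls web APIs
ALLOWED_PORTS = {80, 443}


class SSRFBlocked(ValueError):
    pass


def is_public_ip(ip) -> bool:
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped loopback/private address is judged
    # by its IPv4 rules; is_global then excludes private, loopback, link-local,
    # reserved and unspecified ranges.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def _system_resolve(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolve=_system_resolve) -> str:
    """Return the vetted IP to connect to, or raise SSRFBlocked."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise SSRFBlocked(f"{host} did not resolve")
    for ip in addrs:  # every answer must be public, not just the first
        if not is_public_ip(ip):
            raise SSRFBlocked(f"{host} maps to non-public address {ip}")
    return str(addrs[0])


# Constructed name table standing in for DNS (93.184.216.34 is example.com).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def check(url: str, resolve=fake_resolve) -> tuple[bool, str]:
    """(allowed, vetted IP or reason) for a URL, using the fake resolver by default."""
    try:
        return True, validate_outbound_url(url, resolve)
    except SSRFBlocked as exc:
        return False, str(exc)


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/users", "http://metadata.internal/",
              "http://[::ffff:127.0.0.1]/", "https://rebind.example.net/"):
        print(u, check(u))
```

The function hands back the vetted address on purpose: the HTTP client should connect to that IP (sending the original name in the Host header and for TLS SNI) rather than resolving the name a second time, otherwise a DNS answer that changes between check and use walks straight past the guard. Redirects need the same treatment, so disable automatic redirect following and run each `Location` back through `validate_outbound_url`.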

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Upcoming Appearances

I’m talking at a virtual conference GreyNoise is putting on about mental health, stress, and life for a SOC analyst.

Stay safe, Matt Johansen
@mattjay