Zero-Trust is Meaningless if Your Cryptography is Flakey – Vincent Berk – ESW #349
1. Zero-Trust is Meaningless if Your Cryptography is Flakey – Vincent Berk – ESW #349
Legacy systems are riddled with outdated and unreliable cryptographic standards. So much so that recent proprietary research found 61 percent of the traffic was unencrypted, and up to 80 percent of encrypted network traffic has some defeatable flaw in its encryption.
Enterprises can no longer take their cryptography for granted, leaving it rarely evaluated or checked.
Knowing when, where and what type of cryptography is used throughout the enterprise and by which applications is critical to your overall security policy, zero-trust approach, and risk management strategy. After all, zero-trust is meaningless if your cryptography isn't working.
Segment Resources: https://www.businesswire.com/news/home/20231030166159/en/Proprietary-Research-from-Quantum-Xchange-Shows-the-Dreadful-State-of-Enterprise-Cryptography
https://www.forbes.com/sites/forbestechcouncil/people/vincentberk/?sh=3d88055852c1
This segment is sponsored by Quantum Xchange. Visit https://securityweekly.com/quantumxchange to learn more about them!
Announcements
Don’t let 3rd party risk ruin your Valentine’s Day! Join Adrian Sanabria and Bill Brenner on an SC Media webcast titled: Understanding third party risk by studying third party breaches. As listeners will know, Adrian loves exploring risk through our understanding of real breaches and incidents. They’ll discuss how to prepare for some of the most concerning third party risks you should be aware of, along with our partner for this webcast, ProcessUnity.
Visit securityweekly.com/ValentineRisk to register!
Guest
Dr. Vincent Berk is responsible for charting the growth of the company and driving stronger alignment between all revenue-generating functions of the business. In his role, he acts as the primary company spokesperson and is a member of the Forbes Technology Council where he frequently shares his opinions and expertise.
Vince comes to Quantum Xchange from Riverbed Technologies, a large network performance company where he served as Chief Technology Officer and Chief Security Architect. Recognized as a highly technical cybersecurity executive and industry thought leader, Vince is also a successful entrepreneur and academic. He founded and led FlowTraq, an enterprise network security and analytics company from conception to acquisition and served as a computer science faculty member at the prestigious Dartmouth College.
Vince has a Ph.D. in machine learning and large-scale data analytics from Leiden University and holds several patents in the application of data analysis in cybersecurity and network performance.
2. Fake IDs threaten ID verification services, PANW hits $100B valuation, and other news – ESW #349
This week, we discussed how a quick (minutes) and cheap ($15 a pop) fake ID service creates VERY convincing IDs that are possibly good enough to fool ID verification services, HR, and a load of other scenarios where it's common to share images of an ID. Kudos to 404Media's work there.
In the security market, we discuss who might be the first cybersecurity unicorn to go public in 2024, Oasis Security and Tenchi's funding rounds, Protect AI's acquisition of Laiyer AI and their FOSS project, LLM Guard. We discussed the seemingly inevitable M&A activity as unfunded security startups NEED to find a sale. Ross Haleliuk had an interesting LinkedIn post that goes deeper on this topic. Finally, we discussed Tyler's observation that Palo Alto Networks did the seemingly impossible - increased their valuation from $19B to over $100B in 5 years, despite having to weather a pandemic and market downturn along the way! Ryan pointed out that PANW joined the S&P 500 somewhere along the way - a watershed moment for them.
We discussed Bluesky and how it's likely too little too late when it comes to building back the community we lost when much of the InfoSec community left Twitter.
We also discussed a cybersecurity training scammer, Daniel Miessler's new Fabric tool, AnyDesk getting hacked, The Real Shim Shady vuln, new (voluntary) cybersecurity goals for healthcare, and the lack of toothbrush-enabled DDoS attacks!
Full show notes here: https://www.scworld.com/podcast-episode/3061-enterprise-security-weekly-349
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
- 1. FUNDING: Oasis Security leaves stealth with $40M to lock down the wild west of non-human identity management
$40M from a $35M Series A and a $5M Seed round led by Sequoia, Accel, Cyberstarts, Maple Capital, Guy Podjarny (founder of Snyk) and Michael Fey (co-founder and CEO of Island). There was apparently a "frenzy" to invest in Oasis, which is focused on non-human identity management.
- 2. FUNDING: LightBeam Raises $17.8M in Funding
$17.8M Series A? Led by Vertex Ventures with participation from Dropbox Ventures. "Zero trust data protection platform"
- 3. FUNDING: Tenchi Security Raises $7M in Funding
$7M Series A from Bradesco, L4 Venture Builder (associated with the São Paulo stock exchange), and Accenture.
Brazilian startup Tenchi focuses on third-party cyber risk management. They have a highly integrated SaaS product that gives customers near real-time information about their third parties' security status.
- 4. ACQUISITIONS: Protect AI Acquires Laiyer AI to Secure Large Language Models (LLMs)
"With the acquisition, Protect AI will be offering a commercial version of Laiyer AI’s open source LLM Guard with expanded features, capabilities, and integrations within the Protect AI platform. LLM Guard is freely available today, and an industry leading open-source project for protecting large language models (LLMs) against security threats, misuse and prompt injection attacks, while also providing tools to manage risk and compliance needs."
LLM Guard offers input controls and output controls for LLM use. https://github.com/protectai/llm-guard
- 5. ACQUISITIONS: Dynatrace to Acquire Runecast to Enhance Cloud-Native Security and Compliance
An observability and security platform gets AI-powered security and compliance solutions. I'm not sure what all that means, but it's an acquisition.
- 6. BADNEWS: An Instant Fake ID Factory
An epic writeup from Joseph Cox at 404Media, describing how easy it is to use AI-powered black market fake ID generators to bypass identity verification services.
- 7. BAD NEWS: A Security Researcher Allegedly Scammed Apple
A good writeup by 404Media, but unfortunate for the security researcher community. Decades of trying to earn mainstream respect for hackers and researchers, and of trying to separate their benign efforts from those of criminals, aren't well served when researchers with a track record of legitimate vuln disclosure get busted stealing from Apple.
- 8. COMMUNITY: Join Bluesky Today (Bye, Invites!) – Bluesky
Bluesky is now open to the general public! But will InfoSec Twitter return, or is it too late?
- 9. PREDICTIONS: Ross Haleliuk on LinkedIn: Desperate moves from security startups in the near future
"In the coming year, we will see the most aggressive go-to-market approaches and odd marketing decisions; not by choice but from desperation."
- 10. ESSAY: Palo Alto’s Big Hairy Audacious Goal
Tyler Shields marks an incredible milestone - Palo Alto Networks is the first pure-play cybersecurity vendor to crest a $100B valuation! CEO Nikesh Arora grew PANW from $19B in 2018 to $100B in 2023, with both a pandemic and market slump in the middle. How did he do it??? We'll ask Tyler to explain.
- 11. ESSAYS: Breaking Down The EU Data Act
The first piece from Katie Teitler-Santullo under The Cyber Why banner! She breaks down the EU Data Act and discusses its potential impacts.
- 12. AI TOOLS: danielmiessler/fabric: fabric is an open-source framework for augmenting humans using AI.
I'm not going to pretend to fully understand what this project is doing, but it seems focused around making LLM-based AI easier to use at scale for deeper tasks, particularly regularly executed ones.
- 13. DUMPSTER FIRE: How To Land a Remote, Six-Figure Cybersecurity Job in Just 45 Days
From downtown charlatan-ville, Ben Rothke outs a scammer promising to land you a six-figure cybersecurity job. All you have to do is give him all your money...
- 14. BREACHES: AnyDesk Hacked: Popular Remote Desktop Software Mandates Password Reset
Possibly the worst product to get hacked. Direct access to millions of endpoints? Yes, I can see how attackers might want that.
- 15. TRENDS: FAA Tells Pilots To Go Analogue As GNSS ‘Spoofing’ Incidents Increase
Spoofing wireless signals is a tough attack to protect against. It's brute-force and messy, as GPS spoofing in particular can't be targeted, to my knowledge. The spoofing attempt affects any devices within range of the spoofing signal.
- 16. TRENDS: Qualys Stock Plunges As Analyst Predicts End To Microsoft Partnership
This appears to be just replacing Qualys for container scanning. Doesn't seem like nearly as huge a deal as the market seems to think it is.
- 17. VULNERABILITIES: The Real Shim Shady – How CVE-2023-40547 Impacts Most Linux Systems – Eclypsium
Paul has been digging deep into this vuln. Check out episode 816 of Paul's Security Weekly, the news segment, for a detailed explanation of this vuln and why it is so serious.
- 18. REGULATIONS: Feds cough up ‘voluntary’ cybersecurity goals for hospitals
"If you are responsible for infosec at an American hospital or other healthcare organization, and you treat the US government's new "voluntary" cybersecurity performance goals (CPGs) as, well, voluntary, you're ignoring the writing on the wall."
...
"In early January, as a record-breaking 46 health networks with a total of 141 hospitals between them were still reeling from ransomware infections and data theft in 2023, rumors started swirling that the White House would soon require US hospitals to meet basic cybersecurity standards before receiving federal funding."
- 19. SQUIRREL: How to tell if your toothbrush is being used in a DDoS attack
Possibly the funniest (and shortest) article I've ever seen.
TL;DR - there's no evidence smart toothbrushes have participated in a DDoS attack, but these devices ARE wifi-enabled these days, so it's technically possible that this could happen in the future.
The longer explanation is that the Swiss media quoted some research from the Swiss office of Fortinet, regarding some IoT hacking on smart toothbrushes. A hypothetical scenario was misunderstood as an actual thing that happened, and before you know it, US outlets like Tom's Hardware are reporting that 3 million smart toothbrushes participated in DDoS attacks.
When Rob Graham weighs in, you know the PR blowback is gonna be bad.
Security experts might have gone too far in the other direction though, rolling their eyes and declaring that smart toothbrushes are Bluetooth-only. Some quick research shows that assumption to be false. Most of Oral-B's high-end smart toothbrushes DO appear to have wifi-enabled bases. Oral-B is the brand shown in the original German article quoting Fortinet.
Rik Ferguson had a decidedly funny take.