Wikibon Breaking Analysis podcast: the state of infosec today

One of my first outings for SiliconANGLE is doing this pod with co-founder Dave Vellente this week. We cover a wide range of topics, including examining a new report from Unit42, the “double supply chain” attack on 3CX’s network (and how inadequate their response will be, at least according to their own admissions), where passwordless is for enterprise IT, and other infosec matters. You can read my best bits on the transcript link, or watch the entire pod!

Improving devops security in the auto software supply chain

The automotive industry has long been the target of numerous cyberthreats across its software supply chain. Some of these are specific car hacking exploits demonstrated by security researchers that have motivated massive vehicle recalls, such as the car hacking work that necessitated the 2015 recall of 1.4M Fiat Chrysler cars.

Studying this rich history is important for computer professionals in other industries for several reasons. First, the methods of compromise aren’t necessarily car-centric and have general cybersecurity implications. These cyberthreats are relevant for a wide variety of circumstances, regardless of whether you work for another manufacturing-based business, a bank or a hospital. The threat of compromised software supply chain security sadly is now far and wide. Second, cars have become complex digital environments. The average vehicle being made today has dozens of electronic control units. This means a car could be running 100 million lines of code, according to this source. This is twice the amount of code that makes up Windows itself, and more than is used in Apple’s MacOS. Electronics wiring alone is estimated to add 45-65 pounds to each vehicle.

Car hacking is therefore a target of opportunity, and more importantly, car-based cyberthreats can be easily understood even by non-technical managers who might be reluctant to invest in better endpoint security. Finally, the automotive breaches are also good illustrations of common devops security and network security failures, such as unprotected cloud data assets, inadequate API data security and poor password hygiene that can be found across numerous Internet of Things (IoT) situations.

Let’s look at some of the more notable recent car-related developments. Earlier this year, security researcher Sam Curry posted a series of car hacking exploits that could have implications for more than 1M vehicles from 16 different major brands. He was able to fully remotely lock and unlock cars and start and stop various engines, as well as enable remote management of other car functions. These hacks included SSO account takeovers, remote code execution and privilege escalation – all attack techniques that are familiar to IT operations.

In terms of careless data handling, a software supplier of Nissan was breached in an incident that occurred in June 2022. An unsecured cloud database was exposed, and a hacker collected almost 18,000 customer names, including birth dates and other private data. This was the second time the company’s data was exposed, with another incident happening in January 2021 that leaked 20 GB of data from an unprotected Git server. The issue is that supply chain security must be applied across a myriad of software suppliers and interconnected applications, all of which have their own potential API data security vulnerabilities.

Curry’s cyberthreats may be the most recent and have the widest impact, but there have been antecedents of both car hacking and careless data handling prior to his efforts. In terms of the former, back in 2019, hackers gained access to thousands of vehicles that were running two different GPS tracking apps and were able to remotely turn off running engines. It didn’t help that the tracking apps had easily guessed default passwords that their owners never changed. And even further in the past, cybersecurity researchers Chris Valasek and Charlie Miller turned to car hacking and were able to compromise a single vehicle via an API vulnerability in the infotainment system in 2015.

But wait, there is more: The automotive industry has also been the target of numerous ransomware events, including:

Here are some suggestions to improve automotive software supply chain security and move towards better devops security practice. And some things to think about, even if you aren’t in this particular market segment.

  • Secure your various manufacturing processes, including improvements in network segmentation and monitoring network traffic to detect malware intrusions and compromised accounts and improvements in overall network security.
  • Secure connected cars, including better threat detection and network segmentation across in-car systems. As cars make use of the internet for communications, reporting traffic and driving conditions and delivering streaming services, these connections bring greater risk of cyberthreats.
  • Improve software supply chain security, especially with telematics and other in-car software controls. This includes better API security and devops security, including protecting application secret keys, better encryption of communication channels (such as employing SSL and TLS between applications) and not using default passwords that are easily guessed. As we have cited above, thanks to unprotected software supply chains, a single piece of software could eventually harm the entire vehicle, or expose private data.
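One way to turn the three supply chain hygiene points above (default passwords, cleartext channels, embedded secret keys) into a repeatable check is a small audit script run over the configuration of each supplier service that talks to the vehicle platform. This is an added example, not code from any vendor or project named in this post; the config format, the service names, the default-credential list and the secret-key patterns are all constructed for illustration and should be replaced with your own inventory.

```python
"""Audit supplier/telematics service configs for the weaknesses cited above:
default passwords, unencrypted (non-TLS) channels and hard-coded secret keys.
Added example; the config shape and sample values are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed deny-list of default credentials commonly shipped on devices.
# Populate this from your own vendor documentation and asset inventory.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "123456"),
    ("root", "root"),
    ("user", "password"),
}

# Values that look like long-lived secret keys committed into config rather
# than fetched from a secrets manager at runtime (constructed patterns).
SECRET_KEY_RE = re.compile(
    r"^(AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]{16,}|[0-9a-f]{32,})$"
)

# Schemes that carry traffic in the clear instead of over TLS.
CLEARTEXT_SCHEMES = {"http", "mqtt", "ws", "ftp"}


@dataclass
class Finding:
    service: str
    severity: str
    issue: str


@dataclass
class ServiceConfig:
    name: str
    endpoint: str  # URL the car or backend app talks to
    username: str = ""
    password: str = ""
    settings: Dict[str, str] = field(default_factory=dict)


def audit_service(cfg: ServiceConfig) -> List[Finding]:
    """Return the hygiene findings for one supplier service config."""
    findings: List[Finding] = []
    # 1. Default or empty credentials (the GPS tracker failure mode).
    creds = (cfg.username.lower(), cfg.password)
    if creds in DEFAULT_CREDENTIALS or cfg.password == "":
        findings.append(Finding(cfg.name, "critical", "default or empty credentials"))
    # 2. Cleartext channel: plain http://, mqtt:// or ws:// instead of TLS.
    scheme = cfg.endpoint.split("://", 1)[0].lower()
    if scheme in CLEARTEXT_SCHEMES:
        findings.append(Finding(cfg.name, "high", f"unencrypted {scheme} endpoint"))
    # 3. Secret key material stored inline in the config file.
    for key, value in cfg.settings.items():
        if SECRET_KEY_RE.match(value):
            findings.append(Finding(cfg.name, "high", f"embedded secret in setting '{key}'"))
    return findings


def audit_fleet(configs: List[ServiceConfig]) -> List[Finding]:
    """Run audit_service over every supplier config and flatten the results."""
    return [f for cfg in configs for f in audit_service(cfg)]


# Constructed sample: three supplier services feeding one vehicle platform.
SAMPLE_CONFIGS = [
    ServiceConfig("gps-tracker", "http://tracker.example.invalid/api",
                  "admin", "123456"),
    ServiceConfig("telematics-gw", "https://telematics.example.invalid",
                  "svc_tel", "Q7#v9pLm2x",
                  {"api_key": "0123456789abcdef0123456789abcdef"}),
    ServiceConfig("ota-update", "https://ota.example.invalid",
                  "ota", "N4!rT8zWq1"),
]

if __name__ == "__main__":
    for f in audit_fleet(SAMPLE_CONFIGS):
        print(f"[{f.severity}] {f.service}: {f.issue}")
```

Running it against the sample reports the tracker twice (default password, cleartext endpoint) and the telematics gateway once (embedded API key), while the OTA service passes.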

Time to have a cybersec guru on your board

Last month, the Securities and Exchange Commission proposed some new guidelines to promote better cybersecurity governance amongst public companies. They make for interesting reading, particularly in one area where the SEC is trying to track the level of cyber expertise on the boards of directors of these companies. They ask that companies disclose whether “any director has prior work experience in cybersecurity,” a fairly broad category that covers anyone who has been a CISO, has held any position that mentions security in its title, has any cyber certifications, or has specific cyber knowledge.

Now, just the way this is worded in the proposed rulemaking makes me very skeptical. My first impression is that anyone who admits to satisfying these criteria to the SEC will paint a target on their backs and will be blamed for any future threat or exploit. Then, what if I took an exam (like a CSSP or Security+) and didn’t pass? I still have some cyber knowledge. Does this mean I still have to disclose to the SEC?

The wording of the qualifications also implies (at least to me) that just about any Computer Science grad would probably have taken some infosec training (hope springs eternal) and would need to disclose this. I am not sure this satisfies the SEC’s intention.

But let’s get to the meat of the matter and address two important questions.

First, will these proposed rules motivate firms to hire any effective cyber experts as board members? My guess is probably not. At best, boards meet quarterly, and what is a board member supposed to do in between meetings if something is awry? Does this mean a CISO has a shadow reporting relationship to the cyber-aware board member? That is not a recipe for good corporate governance.

Here is a thought. A few years ago, I developed (somewhat tongue-in-cheek) a cybersec quiz that you can give your boss. It is easily repurposed for vetting your potential cyber-friendly board members, if you can get them to answer the questions truthfully. You may want to use that as a screening tool if you are going to expand your board of directors, or if you are going to have a separate “technical advisory board” that could be useful in directing your future digital and cybersec policies. (I have served in this capacity, BTW.)

Second, will having this kind of expertise make a difference in terms of better breach response? One of the other proposed rules by the SEC is to mandate a four-day turnaround period once a breach has been determined. That is probably more important than anything else in these proposed rules, especially as most firms have a culture of hiding a breach for as long as they can get away with it. How this turnaround period is measured isn’t really well defined either.

If you want to submit a comment before 5/22/23 on File No: S7-04-22, go to this page on the SEC’s website, scroll down the page and find this file number to bring up the appropriate form.

How to be more curious

I am by nature a curious person. I spend a lot of time trying to answer questions, which is why I love my job and what has contributed to my success as a tech journalist. One term that was popular was “life-long learner” (as I wrote about this term in relation to my non-retirement strategy back in 2021) but I think curiosity is a better description. I noticed that many analysts looking at our AI-enabled future have called attention to this skill as something we will need to cultivate and develop. So in this post, I want to examine what it will take to train folks to become more curious.

Before you do any formal training, it helps to understand what type of learner that you are. We all learn in different ways: some of us have to go through the actual experience — these people respond better to tactile situations. Others learn better through more visual or auditory cues and need materials specializing in these methods.

How do you figure this out? One way is to take this short online quiz to find out which style you are. Once armed with this data, you should focus your attention on situations that offer those types of materials so you can learn things your way and retain it better. For example, if you are an auditory learner, you may wish to listen to recorded lectures or presentations. This is a boon for online webinars, where you can stop, rewind, and replay the key portions. In some cases, you might want to take notes, or recite what was just said to fix the concepts in your mind.

If you are more of a visual learner, then by all means be sure that you look carefully at the study materials. Use charts, maps, movies, notes and flashcards. Practice visualizing or picturing words/concepts in your mind. Finally, if you are a tactile learner, think about ways that you can involve more of your senses besides just watching a particular lecture. Make study sheets and refer to them often.

But knowing how you learn is just one part of your journey. Next comes having the right motivations. I have been lucky to be a self-starter and get myself motivated, whether that involves writing one of these essays or tackling a more in-depth project. Sometimes, just seeking knowledge isn’t enough. If you’re not that motivated to learn, find someone who’s also interested in becoming more curious. That link will take you to other suggestions on how to become more curious. Here is another resource, posted on the site Natural Training, which describes the ten most common habits of curious people. Things like listening without judging, willing to be wrong, and staying in the moment are all important skills to acquire.

I was thinking about this when I read something that Naomi Wu, a Chinese maker, said recently about how the education of Asian students has to change. “The key skill- prompting, asking questions. Is something our kids are generally not taught and are often quite poor at. I’d even say it’s discouraged. The ability to ask good questions becomes incredibly important with AI.” I saw this first-hand when I gave lectures in Singapore and Japan years ago: I had to seed the audience with someone who was willing to ask the first question to break the ice.

Longtime freelancing colleague Pam Baker’s forthcoming book on ChatGPT has more tips on how to become an expert at using these tools. She told me, “Many worry that ChatGPT will erode the critical thinking skills of users. But that’s not likely because the most successful users will employ advanced critical thinking skills in forming prompts. The key is not in what you say to the machine, but in how you say it.” She tells me she is also putting together classes on LinkedIn Learning on the topic too.

I was thinking how fortunate I have been in my job as a freelance journalist. I have been able to call up all sorts of people and ask them questions about their lives and jobs, as I wrote about ten years ago when I described two of my sources in this blog post on how to question everything. The two people had an insatiable curiosity for the unknown, to be constantly learning something new, and figuring out how the world works. While that extreme case of hyper-curiosity might not be your cup of tea, it might make you more motivated to become more curious about something.

Facing tough choices on TikTok

Last week Shou Chew, the CEO of the American TikTok, was called on the US House hearing room carpet. Combining the current anti-China paranoia with social media crimes against teenagers was a potent political mix that brought a tremendous amount of bipartisan angst. The five hour hearing was attended by seemingly the entire House membership, and for me it was noteworthy in that almost none of the members were folks that I have ever heard of, but all managed to ask unanswerable questions for which they demanded simple yes or no answers so they could save time for their own take.

The best commentary was Jimmy Kimmel, who simulated what the app does on his show. More insights from Casey Newton here.

Also last week, Utah became the first state to place legal restrictions on social media usage by children (<18). This law goes into effect in a year; we’ll see how they will enforce it, which will be difficult. TikTok seems to be included in its framework, although Google might not be (there is an exemption for online email, so Gmail might not apply but YouTube might be covered).

The hearing wasn’t a total time waster. In addition to getting acquainted with our Congress (a couple of whom actually have had tech jobs, interestingly), it also brought to the public’s attention a few reports that I will highlight here. But what I saw was that America will probably join others in some form of ban, whether it be just for government employees (as the US has done, and as the UK and France did last week) or something that is contemplated by other bills that are making their way through Congress.

Second best commentary was by security maven Bruce Schneier, who wrote last month: “There’s no doubt that TikTok and ByteDance, the company that owns it, are shady. If we want to address the real problem, we need to enact serious privacy laws, not security theater, to stop our data from being collected, analyzed, and sold—by anyone.” He explored on his blog various kinds of bans, all of which would be ineffective or place Chinese-style restrictions across our internet. That message was lost on Congress, sadly. The UK ban is ineffective if you use your own Wifi or data provider, for example.

The relationship between TikTok and its parent company was explored in detail in this report done for the Australian Senate and released earlier this month. This was cited several times by various Congress members. The research found that ByteDance should be considered a hybrid state/private entity, collaborating closely with the government on its operations. Chew made an effort to show TikTok’s independence from its parent and the Chinese Communist Party (CCP), an effort that fell on deaf ears and “didn’t pass the smell test” as one member said. The report looked closely at two days’ worth of content last November and compared the depictions of the CCP on TikTok with what was posted on Twitter, Instagram and YouTube. While the researchers couldn’t assess the cause, they did find both Twitter and TikTok had more pro-CCP content than YouTube or Instagram.

Another issue is how TikTok tracks users across the internet. Consumer Reports did a report last fall that found hundreds of organizations sharing data with TikTok using tracking pixels and other canvas fingerprinting techniques. Before you sound any alarms, these are common for Facebook, Google, and numerous commercial websites, and TikTok’s tracking efforts are a small fraction of what these other companies do. Still, Chew’s answers were less than satisfying in this area.

Much was made about the differences between the TikTok app we use in the USA versus the ByteDance app called Douyin that is only available in China. The excellent Citizen Lab issued a report last year that examined what data leaks from both apps. Not surprisingly, the Chinese app had more potential security and privacy issues, although the researchers said neither app had any noticeable malware characteristics.

So let’s answer some questions.

Is the TikTok app spying on its users? Not according to Citizen Lab and other security analysts. Could it become weaponized? Sure. But so could any other phone app.

What else should the government ban on its own phones? Well, if you are going to ban TikTok, how about deleting dozens of other apps that collect private data too? That is what France just did, or is trying to do. Good luck with that.

Will selling the company accomplish anything? Not really, other than improved optics. Look no further than Facebook to show misuse of data by a wholly-owned American company. Ownership doesn’t mean total control.

What about the Oracle Cloud migration? TikTok is making a big effort towards migrating its servers to the Oracle Cloud, and promises to keep all US data on these servers eventually. That clearly comes under the heading of “security theater,” since these servers can still transmit anything back to their Chinese parent company. Chew made a big deal about the Oracle project, but what he neglected to say is that any third-party code audit would be nearly impossible, since the servers started out in a pristine “bare metal” state and TikTok could put anything on them. I am not sure what is accomplished here other than having better app latency for US users. Again, a lot of effort to improve optics, but not much else.

What a security manager needs to know about chatbots

When I last wrote about chatbots in December, they were a sideshow. Since then, they have taken center stage. In this New Yorker piece, ChatGPT is described as a blurry JPEG of the internet. Since I wrote that post, Google, Microsoft and OpenAI/ChatGPT have released new versions of their machine learning conversation bots. This means it is time to get more serious about this market, understand the security implications for enterprises, and learn more about what these bots can and can’t do.

TechCrunch writes that early adopters include Stripe, which is using GPT-4 to scan business websites and deliver a summary to customer support staff; Duolingo built GPT-4 into a new language learning subscription tier and Morgan Stanley is creating a GPT-4-powered system that’ll retrieve info from company documents and serve it up to financial analysts. These are all great examples of how it is being helpful.

But there is a dark side as well. “ChatGPT can answer very specific questions and use its knowledge to impersonate both security and non-security experts,” says Ron Reiter, Co-Founder and CTO of Israeli data security firm Sentra. “ChatGPT can also translate text into any style of text or proofread text at a very high level, which means that it is much easier for people to pretend to be someone else.” That is a problem because chatbots can be used to refine phishing lures.

While perhaps the prediction of the coming of Skynet taking over the world is a bit of an over-reach, the chatbots continue to get better. If you are new to the world of large language models, you should read what the UK’s National Cyber Center wrote about them and see how these models relate to the bots’ data collection and operation.

One of ChatGPT’s limitations is that its training data is stale and doesn’t include anything after 2021. But it is quickly learning, thanks to the millions of folks that are willingly uploading more recent bits. That is a big risk for IT managers, who are already fearful that corporate proprietary information is leaking from their networks. We had one such leak this week, where a bug in ChatGPT made public the titles of other users’ chat histories. This piece in CSOonline goes into further detail about how this sharing works.

My first recommendation is that a cybersecurity manager should “know thy enemy” and get a paid account and learn more about the OpenAI’s API. This is where the bot will interact with other software, such as interpreting and creating pictures, or generating code, or diagnosing human behavior as a therapist. One of my therapist friends likes this innovation, and that it could help people who need to “speak” to someone urgently. These API connections are potentially the biggest threat vectors for data sharing.

Gartner has suggested a few specific things, such as favoring Azure’s version for your own experimentation and putting the right policies in place to prevent confidential data from being uploaded to the bots. Check Point posted this analysis last December that talks about how the bots can easily be used to create malware, and a further, more recent analysis here.

Ironscales has this very illuminating video on how this can be done. Also, to my earlier point about phishing, IT managers need to think about having better and more targeted awareness and training programs.

Infosys has this five-point plan that includes using the bots to help bolster your defensive posture. They also recommend you learn more about polymorphic malware threats (CyberArk has described such a threat back in January and Morphisec has specialized tools for fighting these that you might want to consider), and review your zero trust policies.

Finally, if you haven’t yet thought about cloud access security brokers, you should read my review in CSOonline about these products and think about using one across your enterprise to protect your data envelope.

Book review: Stalked by Revenge by Lynn Lipinski

This is the third book in a series of mystery novels featuring Zane Clearwater, a character who has had a shady past. It can be read independently of the others, and a fourth is in the works. The story centers on Clearwater’s family, including a gun-packing grandmother and a private detective who comes to the aid of the family to stop a revengeful assailant who starts out in prison at the story’s beginning. Lipinski’s descriptive prose is first-rate, and the various characters are well drawn, with some very realistic challenges in their lives. By the end of the book you will feel that you know them and have a lot of empathy for their circumstances. Fans of mystery novels will enjoy this book, and I highly recommend it.

Buy it from Amazon here.

How to know when you are ready to expand your career

“There may be nothing I’ve seen wreck the careers of high-performing, hardworking people more commonly than stepping into a manager role the person isn’t ready for,” tweeted Kieran Snyder earlier this month. The CEO of linguistic analysis firm Textio then follows up this with some very cogent remarks about knowing when to take that leap into management that really resonated with me.

This is because I faced a similar circumstance in my own career back in 1990, when I took the job to run Network Computing, a brand new computer publication. I have often mentioned that decision as a pivot point in my professional life in these essays. At that time, I was managing a group of about a dozen editors for PC Week — and this would be a big promotion to running an entire publication, hiring its entire staff, and learning how to get the magazine from words to a coherent whole. It shaped the rest of my career, to be sure.

I also addressed this topic a couple of years ago in this post about whether super coders should take the next step into management. It is worth reviewing that piece and listening to a discussion with Jaya Baloo and Troy Hunt on the subject.

Snyder lays out four important questions you need to ask yourself whether or not you are ready:

  1. Can you communicate complex expectations clearly? And behind this question is also holding people accountable — and avoiding eventual disappointments — for these expectations too. Even when you know this, it is still hard to achieve. “This is an issue I have faced, and often management fails to set clear expectations,” said Alan Elmont, who has been a recruiter and staffing professional for decades. “This has been particularly an issue with small companies or mid-sized companies that are growing too quickly.”
  2. Can you engage and manage conflicts well? Being fair in these fights is more important than being well-liked.
  3. Where do you fit in the scale between being a hero and being predictable? “Managers mostly do hero work to compensate when their team isn’t delivering,” she says. That could be caused by a variety of failures, such as unclear feedback or expectations or poor solutions delivery — or a combination.
  4. Finally, do you have the right combination of technical skills and a solid functional foundation to properly lead your team? That is a tough one to dispassionately assess, either by yourself or with your prospective hiring manager.

Now let me take another moment from my career when I got a job to run another publication. It was a major failure, because I couldn’t do any of the first three things that Snyder mentioned above. I barely lasted a year there before being fired. I should have spent more time understanding the lay of the landscape and the management style of my eventual boss. Now, this happened years after my Network Computing anecdote, so you would think that being older and more experienced I would have spotted the danger signs. But no, I was too caught up in the thrill of being chased for a new job. Live and learn.

While on the topic of career development, I had an opportunity to talk to a group of mid-career folks who are considering jobs in cybersecurity this week. You can see my slides below, and some of the issues that we discussed.

Book review: A Likely Story by Leigh McMullan Abramson

I really enjoyed this new novel, which has characters and a plot line I found appealing as a full time freelance writer for many decades.

The story is about a famous novelist and his ne’er-do-well daughter who is in her mid 30s, trying to figure out her life and to finish her first book, which seems to have been started ages ago. It is set against the death of her mom, and interwoven with it we are privy to the draft of a novel (which plays an important role in the characters’ lives, without giving away any spoilers). The description of literary life in NYC and all its trappings and ridiculousness resonated with me, as do the challenges of 30-somethings.

The novel concerns the relationship of the famous writer to his wife and daughter, how the three of them collaborated on various projects, and the perception of the dad towards his family members. That is about all I can say in this review, but it is deliciously wicked, real, and poignant. Being related to the writer and enduring his oversize ego drives many of the plot points along. At one point the daughter feels that “writing was like being on a submarine, where she spent years being submerged, silent and secret, working toward the day where she would have something to show for all her time underwater.” The novel is interesting, amusing, and thoughtful and I highly recommend it.

Book review: All That Is Mine I Carry With Me

This novel by William Landay has plot points that approach numerous other thrillers — such as the missing title character in Gone Girl — but takes things just a bit further in telling the tale of a missing mom who is presumed killed by her husband. You hear from various family members in the first person, but again it is done to introduce some interesting plot twists that I don’t want to spoil for you here. Initially I was a bit annoyed by the mixed narrator style but came to appreciate it about halfway through the novel. The narrative arc covers decades as we move way beyond the actual missing/murder conundrum and into the finer aspects of the children and other family members’ personalities, relationships, and whether they think the dad did the deed or not. Having the dad as a criminal defense lawyer is a nice touch, too! Highly recommended.