This newsletter brings three new ReThink security articles and quite a bit of new security news. There have been a couple of big security announcements, a huge security vulnerability in iPhone bootroms, a new version of the CWE Top 25, and some interesting articles on the global threat landscape.
Recent ReThink Articles
None of Us Knows What We Are Doing - Every security vendor, from products, to services, to network appliances, and the new wave of CyberAI is pitching something that they say will make you or your software more secure. Does anybody know what they’re doing?
Follow the Money - Do you want to know where attackers are going to target next? Just follow the money. Almost every aspect of vulnerability discovery and exploit development has evolved to be monetized. Your vulnerable systems are next.
We are in the Midst of a Cyber Cold War - Tensions are ramping up between global superpowers, but the weapons aren’t bullets and bombs. Our critical infrastructure is tragically fragile and brittle and there are no security controls in place protecting us from a full on Cyberwar.
More Security Headlines
Recently the BBC wrote an article on how ransomware attacks are getting so bad that affected organizations have had to turn away people seeking emergency services. This is a massive issue that I wrote about earlier. Read about that threat and what you can do about it in my Protecting Yourself and Enterprise from Ransomware Attacks article.
iPhones running the A11 and earlier chipsets are vulnerable to a new bootrom exploit called checkm8. With physical access to the hardware, an attacker or jailbreaker can change the OS running on the device. Because the issue is in the bootrom, it is unpatchable. The iPhone XS, XS Max and iPhone 11 models are not vulnerable to this attack. Checkm8 Exploit Opens Door to Unpatchable Jailbreak on iPhone 4S Through iPhone X - MacRumors
This article from ZDNet really got me thinking about how a hacking organization self-funds. I linked this concept with the attacks against infrastructure in the Cyber Cold War article, but if you work for a company that protects financial information or funds, your security sins could be funding terrorist groups. US Treasury sanctions three North Korean hacking groups | ZDNet
I believe that eVoting is an inevitable future, and the sooner we get this right the better. However, right now the options for eVoting are abysmal. Nobody has this figured out, and it could be putting all Americans at risk, starting with some of the most vulnerable. This could lead to many groups not having their votes counted in the upcoming elections. Is this a vulnerability, a back door, or intentionally obfuscated functionality to make voter suppression easier?
Even the newest voting machines are vulnerable to reprogramming, cyber experts warn at Greensboro meeting called by the NAACP | Elections | journalnow.com
MITRE has released the first major update to the CWE Top 25 in more than 8 years. This update is interesting because they've moved to a purely data- and algorithm-based methodology using the CWE and CVSS scores from reported vulnerabilities. Basing it on publicly disclosed issues could skew the data, but it will allow them to update far more frequently. Just like it's 1995, the buffer overflow claims the top spot. CWE - 2019 CWE Top 25 Most Dangerous Software Errors
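To make the "data and algorithm" point concrete, here is an added example (not code from MITRE or from this newsletter) that re-implements the kind of ranking the 2019 list uses: for each CWE, count how often it appears in the reported CVEs and average the CVSS scores of those CVEs, min-max normalize both values across the data set, and multiply them. That formula is my reading of MITRE's published 2019 methodology, so treat it as an assumption to check against their page. The CVE records are constructed sample data, not real NVD entries. The example also shows the skew the paragraph worries about: a handful of extra public disclosures for one weakness can reorder the whole list.

```python
from collections import defaultdict

# Constructed sample records: (placeholder CVE id, CWE id, CVSS base score).
# None of these are real NVD entries; they exist only to exercise the ranking.
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-119", 9.8),
    ("CVE-EXAMPLE-0002", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0003", "CWE-119", 8.8),
    ("CVE-EXAMPLE-0004", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0005", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0006", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0007", "CWE-79", 4.3),
    ("CVE-EXAMPLE-0008", "CWE-78", 9.8),
]

# Four more constructed disclosures for CWE-78, used to show how sensitive
# the ranking is to what happens to get published.
EXTRA_DISCLOSURES = [
    ("CVE-EXAMPLE-0009", "CWE-78", 9.8),
    ("CVE-EXAMPLE-0010", "CWE-78", 9.8),
    ("CVE-EXAMPLE-0011", "CWE-78", 9.8),
    ("CVE-EXAMPLE-0012", "CWE-78", 9.8),
]


def _normalize(value, low, high):
    """Min-max normalize into [0, 1]; a flat data set maps everything to 0."""
    return 0.0 if high == low else (value - low) / (high - low)


def score_cwes(records):
    """Return {cwe: score} using frequency x average-severity, each min-max
    normalized across all CWEs present, scaled to 0..100 (assumed formula)."""
    counts = defaultdict(int)
    cvss_total = defaultdict(float)
    for _cve, cwe, cvss in records:
        counts[cwe] += 1
        cvss_total[cwe] += cvss
    avg_cvss = {cwe: cvss_total[cwe] / counts[cwe] for cwe in counts}

    freq_low, freq_high = min(counts.values()), max(counts.values())
    sev_low, sev_high = min(avg_cvss.values()), max(avg_cvss.values())

    scores = {}
    for cwe in counts:
        fr = _normalize(counts[cwe], freq_low, freq_high)
        sv = _normalize(avg_cvss[cwe], sev_low, sev_high)
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def rank_cwes(records):
    """Return [(cwe, score), ...] sorted from most to least dangerous."""
    return sorted(score_cwes(records).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("Baseline ranking:")
    for cwe, score in rank_cwes(SAMPLE_CVES):
        print(f"  {cwe:8s} {score:6.2f}")
    print("After four more CWE-78 disclosures:")
    for cwe, score in rank_cwes(SAMPLE_CVES + EXTRA_DISCLOSURES):
        print(f"  {cwe:8s} {score:6.2f}")
```

Two things worth noticing when you run it. First, min-max normalization means the least frequent CWE and the least severe CWE each score exactly 0 no matter what, so a rare but critical weakness never makes the list. Second, in the baseline CWE-119 leads, but after four more CWE-78 reports it drops to 0 because it is now the least frequent; nothing about the weaknesses changed, only what was disclosed.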
I use Bear Notes for quick and easy note taking and love it. They just introduced encryption for sensitive notes, and I was pretty concerned that the feature would be hobbled by bad UI/UX and/or bad cryptography. Not only did they get the crypto right, they partnered with Cossack Labs to architect a great crypto system that is usable and secure. There's a great writeup on what they did. Cossack Labs / Implementing End-to-End encryption in Bear App
Microsoft released a new line of Surface computers. The most surprising were the Surface Neo and Surface Duo. They're gorgeous, dual-display devices. As a guarantee that we're living in the least likely timeline, the one that is a phone runs Android. Surface reveals new holiday lineup and introduces a new category of dual-screen devices built for mobile productivity | Microsoft Devices Blog
If you have any questions or comments, please don't hesitate to email us at newsletter@rethinksecurity.io
- Thanks for reading, J&J