April 18, 2023
Selling Surveillance, New Era Security, Chatty Hacker, $50M Safe Security
In this Episode:
2023 State of Cyber Assets Report
?? Mark Miller, New York City ↗
JupiterOne, 2023 State of Cybers Assets Report
The 2023 State of Cyber Assets Report
QuaDream secretly selling surveillance platform to governments
?? Katy Craig, San Diego, California ↗
DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia – Microsoft Security Blog
Citizen Lab
A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers – The Citizen Lab
A new era of software security is upon us
?? Shannon Lietz, San Diego, California ↗
U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches | CISA
Chatting with a Hacker
?? Edwin Kwan, Sydney, Australia ↗
Safe Security raises $50M Series B round
?? Ian Garrett, Arlington, Virginia ↗
Yahoo Finance
Safe Security Raises $50 Million Series B Round for AI-Driven Platform to Manage and Mitigate Cyber Risk
PRNews Wire
Safe Security Raises $50 Million Series B Round for AI-Driven Platform to Manage and Mitigate Cyber Risk
Wall Street Journal
Safe Security Raises $50 Million in Series B Round
This Day in Tech History
?? Marcel Brown, St. Louis, Missouri ↗
https://thisdayintechhistory.com/04/18
Episode Transcription:
Bob Bannon:
Hey, it’s 5 0 5. Glad you can be here on Tuesday, April 18th, 2023 from the Sourced Podcast Network in Camp Hill, Pennsylvania. This is your host, Bob Bannon. Stories in today’s episode come from Mark Miller in New York City, Katy Craig in San Diego, California, Shannon Leitz, in San Diego, California, Edwin Kwan in Sydney, Australia. Ian Garrett in Arlington, Virginia. and Marcel Brown in St. Louis, Missouri. Pokes on vacation. I have the controls. Let’s get to it.
[00:00:00] Mark Miller:
JupiterOne recently released their annual State of Cyber Assets Report. J1’s definition of cyber assets in this report is different from most. Included in that definition of cyber assets are users, networks, applications, devices, data, policies, and pretty much anything that’s part of the system. This allows the visualization and evaluation of dependencies within and between those assets. It’s a pretty cool concept.
This is Mark Miller calling in this week from Albuquerque, New Mexico.
Here’s how Austin Kellerher, Principle Software Engineer, summarizes a few main points of the research included in the report.
“The State of Cyber Asset Report reveals 133% year over year increase in cyber assets.
“Mid-sized organizations lead in building security visibility, while security vulnerabilities saw 589% growth. Key takeaways include the importance of unified cyber insights, recognizing cyber assets as business assets, and the challenges of distributed attack surfaces.
“The report aims to help CEOs, CISOs, and security leaders understand the impact of the expanding attack surface on security complexity and business.”
The most interesting section for me is the source of critical findings. The JupiterOne research shows that a small handful of superclasses are linked to the vast majority of findings. Data, devices, and users are linked to 98.3% of all security findings.
The two most vulnerable superclasses, data and devices, collectively represent 96.3% of all security findings, while the remaining 3.65% is distributed among users, applications, networks, and policies.
One of the most valuable insights in the report is that devices, especially cloud hosts, are linked to just over one third of security findings (that’s 36.8%), but represent 96.1% of critical finding. So there you have it. A good place to start. Devices represent 96.1% of all critical findings.
There’s much more to review in this 69 page report. The download is free. You can find a direct link in the bottom of the transcript of this episode on on 505updates.com.
[00:02:57] Katy Craig:
Last week, Microsoft and the University of Toronto’s Citizen Lab unveiled the discovery of a mysterious Israeli firm QuaDream, which has been secretly selling its surveillance platform to governments around the world.
This is Katy Craig in San Diego, California.
This company dubbed as a Private Sector Offensive Actor, PSOA by Microsoft, has managed to fly under the radar with its activities being tracked as Dev-0196. The product it sells goes by the name REIGN and its malware targeting iOS devices has been christened KingsPawn.
In Microsoft’s view, QuaDream resembles a cyber mercenary operation providing both services and tools to its government clientele.
Now you might be asking yourself, what’s the big deal? Well, Citizen Lab’s investigation in collaboration with Microsoft revealed that QuaDream’s targets have included journalists, political opposition, figures, and even an NGO worker. This elusive business has mastered the art of keeping a low profile with no website, minimal media coverage or social media presence. In fact, QuaDream employees have reportedly been instructed not to mention their employer on social media. Talk about an undercover operation.
But let’s not get too caught up in the intrigue. Instead, let’s take this opportunity to acknowledge the larger issue at hand, the commercial surveillance market. The researchers at Citizen Lab remind us that this market is far more extensive and complex than any single company.
QuaDream may be just the tip of the iceberg in a vast ocean of surveillance.
This is Katy Craig. Stay safe out there.
[00:04:58] Shannon Lietz:
A new era of software security is upon us. This is Shannon Lietz from San Diego, California.
Last week, the Cybersecurity and Infrastructure Security Agency, CISA, published a paper to lead the discussion on shifting the balance of cybersecurity risk with pragmatic guidance for hardware and software manufacturers. CISA aims to increase the security of hardware and software products by guiding the principles of design and pushing for security by default in order to better protect customers.
A few key takeaways for everyone.
Manufacturers should take ownership for the security of their products. This is for both hardware and software. One of the cool things to read in there was radical transparency and accountability are a must from a CISA perspective, and the right organizational structure is required to ensure security is being talked about as part of business outcomes.
In my mind, this guidance paves the way forward for software to be safer, sooner, and matches nicely with some of the emerging trends towards maturing software trust… something that we should all care greatly about.
CISA also includes in its white paper a reference to cybersecurity performance goals outlined in a 2021 memorandum. Certainly worth a read.
If you’re interested in cybersecurity measurement. This is the beginning of a new era.
[00:06:34] Edwin Kwan:
This is Edwin Kwan from Sydney, Australia.
Four Corners from ABC News, just published an article about their conversation with one of the hackers whose work for the cyber criminal gangs behind some of Australia’s largest data breaches. When asked whether he sees Australia as an attractive target, he replied saying that Australians are the most stupidest humans alive and they have a lot of money and no sense at all.
He has no care for the stress their hacks have caused to millions of Australians. He said that he has made millions out of hacking and moves freely between the UK and Eastern Europe without fear of being arrested.
Read more about the article at the ABC website.
[00:07:48] Ian Garrett:
Safe Security started out as a hacking company that helped businesses find vulnerabilities. They realized that the bigger issue was that executives didn’t understand the implications of their cyber risk, nor had a way to quantify it. So they made the pivot to help businesses manage and mitigate their cyber risk.
Safe Security’s latest $50M Series B round of funding aims at giving CISOs an easy way to evaluate their cyber controls’ efficacy.
Hey folks. This is Ian Garrett in Arlington, Virginia,
Cybersecurity company Safe Security has secured $50 million in series B financing. The Palo Alto based firm creates software that analyzes gaps in defenses and quantifies the probability of breaches and their likely impact. Safe Security will use the new funds to expand its operations and invest in artificial intelligence tools for data analysis.
The investment comes at a time when cyber risk quantification is becoming an increasingly significant issue for corporate security executives. As companies struggle to secure capital, cyber security budgets are being questioned more frequently.
Meanwhile, the insurance industry has tightened its underwriting standards for policy holders, with insurers demanding more precise information about a customer’s cybersecurity defenses.
Quantifying cyber risk can also help customers decide on their insurance purchases. By providing clients with data and information, they can determine if they need more insurance or buying the wrong type of insurance, or do not need insurance at all. Safe Security’s latest funding round is an indicator of the growing interest in assessing cyber risk and the importance of having a firm handle on cybersecurity risks.
[00:09:37] Marcel Brown:
This is Marcel Brown, the most trusted name in technology, serving you up some technology history for April 18th.
April 18th, 1983. The Osborne Computer Corporation officially announced the Osborne Executive Portable Computer, the follow up to its extremely successful Osborne One.
This is the computer that, according to lore, took down the company. Known as the Osborne Effect, the legend is that by leaking the announcement of this computer earlier in the year, dealers canceled all orders for the Osborne One, effectively destroying the company’s cash flow and hindering operations going forward. This resulted in the cancellation of the company’s I IPO and eventually to bankruptcy .
Now the reality may not be so simple, but my research shows that the Osborne Effect may have been a contributing cause to the company’s demise, along with the rise of competitors, the introduction of the IBM PC and mismanagement by the company’s president, brought in by investors to provide so-called adult supervision.
April 18th, 1986. Newspapers report that the IBM Model 3090 Mainframe has become the first commercial computer to use a megabit memory chip, four times the storage capacity of the then current generation of 256 kilobit chips. To give context to that amount of storage. It was reported that a megabit chip could store over 1 million bits of data, which translated to about 100 double spaced typewritten pages. At the time, most personal computers were still using 64 kilobit memory chips.
IBM wanted to make the announcement for two big reasons. First, the use of higher density memory could allow them to make their mainframe computers smaller, which could save their customers cost and floor space. But perhaps more importantly, they wanted to show that American technology companies in general, and IBM in specific could keep up with Japanese companies in the highly competitive semiconductor market of the time.
Lower cost Japanese firms had captured 85% of the DRAM market, and Fujitsu, Hitachi, Mitsubishi, NEC, and Toshiba were set to begin shipping megabit memory of their own soon. IBM was attempting to shed the reputation as being slow and stodgy as compared to the upstart Japanese. They even made promotional buttons with actual one megabit chip.
That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.
Bob Bannon:
That’s it for today’s Open Source cybersecurity update. The links to all stories and resources mentioned in today’s episode are available at 5:05 updates.com, where you can download the transcripts for easy reading or listen to our ever-growing library of more than 100 episodes. 5:05 is a source network production with updates available Monday through Friday on your favorite audio streaming platform. Just search for it’s 5:05. Also while you’re there, please subscribe. Thanks to Mark Miller, Katy Craig, Shannon Leitz, Edwin Kwan, Ian Garrett . and Marcel Brown for today’s contributions. The executive, producer and editor is Mark Miller. The sound engineer is Bob Bannon. Music for today’s episode is by Blue Dot Sessions. We use script for spoken text editing and audacity to layer in the soundscapes. The show distribution platform is provided by Captivate fm. This is Bob Bannon. See you again at 5:05.