
open source and cybersecurity news

May 8, 2023

New Privacy Commissioner in Australia, RSAC Misses the Mark, The 124 hour gift, Software Supply Chain Attack


Episode Transcription:

Pokie Huang: 

Hey, it’s 5:05 on Monday, May 8th, 2023. From the Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia; Trac Bannon in Camp Hill, Pennsylvania; Derek Weeks in Bethesda, Maryland; Shannon Lietz in San Diego, California; and Marcel Brown in St. Louis, Missouri. Let’s get to it.

Tracy Bannon: 

It’s only a little more than a week after the RSA Conference completed, and there are still tons of reports and information to share with you. One of the areas that I found to be most lacking is a focus on proactive security, including security by design. I think of this all the time because my background is as a software architect and an engineer.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania with a recorded report from RSAC. In this interview, I speak with my good friend Hasan Yasar from the Software Engineering Institute at Carnegie Mellon. Like me, Hasan is a software architect, engineer and DevOps expert.

Hey there, this is Trac Bannon coming to you live from RSAC here in San Francisco.

I’m here with a very good friend of mine, Hasan Yasar from SEI. Hey Hasan, I’ve got to know what’s going on out here. What are the things to watch for? What are you observing out here?

Hasan Yasar: 

So I have been here at RSA for many, many years, but this year is really interesting. People are not really connecting to the real truth of information about security, which is secure by design.

Nobody. I looked at many talks. I have not seen any good talks yet about Secure by Design. It’s more reactive. It is more about response to the outage. It is still the same mindset we have been doing for years.

I think we have to approach our security differently. We have to think about a couple of things.

One is systems thinking. The other one is secure by design. Even though secure by design is one of the Top 10 vulnerabilities listed in OWASP 2021, people are not aware of it. So the community needs to secure by design. But as security practitioners, we’re not able to say that clearly.

I see there is a disconnect here. We are not able to say clearly that we need to secure by design for a system. Otherwise, it becomes a patch solution.

Tracy Bannon: 

If something wasn’t built to be waterproof, don’t just apply waterproofing to the outside. If you’re not secured by design, all of these amazing tools, all these amazing ideas are just patches at the end of the game.

Hasan Yasar: 

Absolutely, absolutely. And also, tools are deriving people’s security postures. If it is designed securely, we can let the tools serve our needs, which is another thing I have not seen yet.

What I would like to really think about for next year is, as a community, what we can do at the beginning. Think about secure by design by learning from the operational people, by learning from our mistakes, by learning from the adversary, by learning from our community members. Let’s try to build security in. We are saying it, but let’s put it in a practitioner perspective by learning from others.

So the learning piece is great: to be here, learning from others how they’re failing. Let’s ask ourselves what that really means to me as an organization. Think about zero trust, think about SBOM, think about any type of vulnerabilities as we are designing our application, as we are designing our system, as we are designing our infrastructure. That’s what I would like to see, Tracy.

Tracy Bannon: 

If all the listeners could see us right now, they’d see us doing a little high five.

Hasan Yasar: 

Thank you. There we go. All right. I’ll check in with you again, Hasan. Thanks everybody.

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. 

The Australian federal government has announced that a standalone privacy commissioner will be appointed to deal with the growing threats to data security and to protect the personal information of millions of Australians. The Federal Attorney General had declared last year that the Privacy Act was no longer fit for purpose and ordered a complete review of it.

The review had put forward 116 proposals to the government. Some of those proposals included allowing victims of future data breaches to sue for compensation and increasing fines for failing to protect data from being stolen from 2 million to 50 million.

Derek Weeks: 

Jamil Farshchi, the Chief Information Security Officer at Equifax, was walking out of NBC News Studios in New York recently. That afternoon, he had one last meeting before he could finally get home to Atlanta. Just as he hopped in the car, his phone started blowing up. It was CISA. 

Equifax was about to get hit with a cyber attack by a prolific ransomware threat actor. An actor that had already left many other corporate victims in their wake. As Jamil says, it wasn’t a general heads up. The intelligence was exacting. The insights were concretely actionable. 

I’m Derek Weeks reporting from Bethesda, Maryland. 

Today’s episode recaps a post Jamil Farshchi recently shared on LinkedIn, recounting a gift his team received: 124 hours’ advance notice of an attack.

His next call was with the FBI. Their team briefed his on every behavior they needed to know to cover their bases against the threat actor. Through this collaboration with its federal partners, Equifax was armed with what they needed. They queued up cross-functional response teams. They tailored countermeasures. They went as Jamil says, shields up. 

Then 124 hours later, Equifax saw them. Jamil said the threat arrived exactly as we were warned. The vector, the method, the specific targets, exactly. Their impact on Equifax’s business? Nothing. 

Partnerships between public and private sector entities can make a huge difference. Over the years, I’ve heard other CISOs like Jamil share their experiences collaborating with CISA and the FBI, and as a result, their teams were better prepared, better informed, and better protected.

As Jamil posted, this isn’t some special access program for a select group of companies. Anyone can take advantage of it. You just need to For Jamil and his team, that engagement gave them a 124-hour head start.

Links on how you can engage with CISA and the FBI are in the transcripts for this episode. Head to 505updates.com to check them out.

Shannon Lietz: 

An untold story of a distributed software supply chain attack. 

This is Shannon Lietz reporting from San Diego, California. 

So unless you’ve been hiding under a rock for the last couple years, you’re well aware of the SolarWinds hack from 2020, dubbed Sunburst. Last week Wired magazine’s Kim Zetter published an amazing article with additional details and information about the attack felt by many organizations throughout the world.

The article provides quite a bit of insight about what happened inside Mandiant and how the issue was traced. More importantly, she also mentions that there’s a survey by Sonatype, which says that supply chain attacks are up more than 700%.

Folks, just imagining the forensics work it took to figure out exactly what happened leaves a bit of a queasy feeling in my stomach.

The article is quite interesting and what I read is that there may be indicators within the Sunburst hack leading back to 2019. This tells me the time to recover from the incident was far longer than anyone has imagined thus far. And despite many established threat sharing facilities, adversary dwell was well over 300 days for some within the community. 

But what I think failed all of us is possibly far more interesting. The domain used to capture data was actually registered in 2018 and not by SolarWinds. So many organizations allowed uncontrolled outbound access to the internet, and there’s a whole bunch of new subdomains that are still popping up for this attack. 

Outbound unexplained dwell, in my mind, is something that really needs investigating, and it may actually be something that we need to start investing in quite a bit more.

For those looking to glean more information about this attack and learn from it, it’s a long read, but well worth your time.

Marcel Brown: 

This is Marcel Brown, the most trusted name in technology, bringing you your technology history for May 7th and May 8th. 

May 7th, 1954. IBM announces the IBM-704 data processing system, the world’s first mass produced computer to feature floating point arithmetic hardware. Besides this ultra geeky distinction, the IBM-704 will leave its mark in computer history before it is discontinued on April 7th, 1960.

Both the Fortran and Lisp programming languages were first developed for the IBM-704, as well as the first music application called Music. Physicist John Larry Kelly Jr. of Bell Labs will synthesize speech for the first time in history on an IBM-704. Not bad for a mainframe. 

May 8th, 1886. German scientist Dr. Carl Gassner is issued a German patent for the first dry cell battery, which uses zinc as its primary component. A US patent will be issued to Gassner in 1887. Unlike previous wet cells, this dry cell is more solid, does not require maintenance, does not spill, and can be used in any orientation. Gassner’s development led to the production of the first convenient battery for widespread use and the invention of the flashlight.

Gassner’s design is virtually unchanged in today’s zinc carbon general purpose batteries. Although most people use alkalines, in fact, zinc carbon batteries will last longer in low drain devices such as remote controls and clocks. 

That’s today’s technology history. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.

Pokie Huang: 

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there. 

Thank you to Edwin Kwan, Trac Bannon, Derek Weeks, Shannon Lietz and Marcel Brown for today’s contributions.

The Executive Producer is Mark Miller. The editor and the sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you tomorrow… at 5:05.
