The Cyber Why: What We Read This Week...
... and why you should too! (1/21/2023)
A busy week in news and an even busier week at The Cyber Why HQ. First of all, welcome to all of the new subscribers we’ve recently received. We’ve doubled the subscriber count since January 1st and are on track to do it again in just a few more weeks. For those of you who are new to The Cyber Why, we are a weekly newsletter discussing the top articles and events in technology and cyber security each week. We also put out a thought/research-style piece at least once every few weeks to make sure you are getting all of the best content available.
This week in The Cyber Why we talk again about OpenAI / ChatGPT and their impact on cybersecurity. We discuss an API hack that resulted in the leak of private law enforcement missions to the public. The general news saw the arrest of the top Cosa Nostra Mafia boss in Italy, who had been on the run for over 30 years! Finally, we talk about the price cuts at Tesla and the potential impact on the stock, and last but certainly not least, I publicly state that the Apple Ski Goggles are JUST PLAIN UGLY!
This and much more in this episode of The Cyber Why - Now go get to reading!
GitHub Introduces Automatic Vulnerability Scanning Feature (Security Week)
Didn’t GitHub do this a long time ago? Maybe I’m confusing my history (probably). Either way, GitHub has introduced automatic vulnerability scanning that can be turned on by default for GitHub repositories in certain languages. I’m guessing, as it doesn’t actually say in the article, that they are doing some kind of software composition analysis for known insecure libraries, as well as static analysis of the specific languages looking for zero-day issues in the code you write. I first predicted that GitHub / Microsoft would take over the traditional application security market about 5-6 years ago, causing a new wave of innovative startups to emerge. I guess I was just a little bit too early to the dance.
A Police App Exposed Secret Details About Raids and Suspects (Wired)
The only thing worse than having all of your criminal investigative data available for the world to see is being alerted to the fact by an author from WIRED! The online magazine Wired received an anonymous tip that there was a flaw in a tool called “SweepWizard”, which is used by many law enforcement agencies to coordinate intra-agency operations. The flaw appears to have been in the API that the application used to communicate with its backend. The API did not properly require or enforce authentication and authorization, allowing anyone with the URL to the API to pull down tons of sensitive information about criminals, suspects, law enforcement operations, and police officers themselves. Oops! Someone is going to be in deep trouble for this one!
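To make the defect concrete, here is an added example (not code from the article or from SweepWizard) modelling the two handler designs: one where knowing the URL is the only “credential”, and a hardened one that authenticates the caller and then authorizes it for the specific record. The record store, tokens and agency names are constructed sample data.

```python
# Added illustration: a framework-free model of an "operation" lookup endpoint.
# All data below is constructed for the example.
import hmac
from dataclasses import dataclass

# Constructed stand-in for the backend's records: operation id -> owning agency + details.
OPERATIONS = {
    "op-100": {"agency": "agency-a", "summary": "warrant service (constructed sample)"},
    "op-200": {"agency": "agency-b", "summary": "surveillance detail (constructed sample)"},
}
# Constructed token store: bearer token -> agency the token belongs to.
TOKENS = {"tok-a-secret": "agency-a", "tok-b-secret": "agency-b"}


@dataclass
class Request:
    headers: dict


def vulnerable_get_operation(req: Request, op_id: str):
    """Weak design: the URL alone unlocks the record. Anyone who learns
    /operations/<id> gets the data, regardless of who they are."""
    record = OPERATIONS.get(op_id)
    return (200, record) if record else (404, None)


def _caller_agency(req: Request):
    """Authentication: resolve the bearer token to an agency.
    Constant-time comparison avoids leaking token contents via timing."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, agency in TOKENS.items():
        if hmac.compare_digest(presented, token):
            return agency
    return None


def hardened_get_operation(req: Request, op_id: str):
    """Hardened design: authenticate first, then authorize for this record."""
    agency = _caller_agency(req)
    if agency is None:
        return (401, None)  # no valid credential: reject before touching any data
    record = OPERATIONS.get(op_id)
    if record is None or record["agency"] != agency:
        # Same answer for "missing" and "belongs to someone else", so the
        # endpoint cannot be used to confirm which ids exist.
        return (404, None)
    return (200, record)
```

The authorization check is the part most often forgotten: a valid token for agency A must still not be able to read agency B’s operation.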
Private-Equity Firms Tighten Focus on Cyber Defenses at Portfolio Companies (WSJ Cyber)
It’s finally getting to the point that cyber security risk is being mandated at companies before a PE firm will close an acquisition. First of all, I can’t believe it’s taken this long. Second, the real question is why now? I guess there is an opportunity to put a lot more pressure on acquisition targets as well as new investments now that the equity market has really turned in the investors’ favor. Due diligence levels fell to nearly zero during the high-flying market of the last few years. This resulted in some acquisitions that aren’t what they were sold as, including their ability to secure their systems. As a result of this increased scrutiny we should see MSP, MSSP, cyber insurance, and assessment services/products companies continue to grow.
Norton LifeLock says thousands of customer accounts breached (TechCrunch)
6,450 accounts compromised via credential stuffing attacks. Oh, the irony of a company that provides identity protection and cybersecurity services being breached by credential stuffing attacks. They did say that they recommend two-factor authentication be turned on (recommend? not require?). So what’s the best course of action to handle the fallout? Should they offer free identity protection services like every other company that gets popped? Isn’t it IRONIC! </AlanisM>
ChatGPT and Malware: Making Your Malicious Wishes Come True (Deep Instinct)
There’s been a decent amount of commentary on using ChatGPT to automate the creation of malware. It appears as if word has gotten back to OpenAI and ChatGPT about this devious behavior and they have put in some limitations on what they will write. Basic risk detection via syntactic analysis of what you’re asking for is stopping people who don’t try hard enough. For instance, if you ask the system to write a “keylogger” you will get a polite ethical reason why it won’t write one for you. However, if you ask the system to write code for what a “keylogger” actually DOES, without using the keyword “keylogger”, there’s no issue.
Orca Security deploys ChatGPT to secure the cloud with AI (Venture Beat)
Continuing with the OpenAI and ChatGPT thread, it looks like one of the first companies to productize this new technology in cybersecurity has arrived. Orca Security has created a system that automates the creation of the “remediation steps” when a vulnerability is discovered. Basically, when Orca finds an issue with the security of your cloud deployment it asks ChatGPT how to fix it. This is either a new version of cutting and pasting from Slashdot (old reference, I know) OR it’s going to be a brilliant way to help companies fix things faster. We are on the edge of having AI become extremely useful in so many ways. I’m hoping this one takes off and is super successful!
Italy's most-wanted Mafia boss Matteo Messina Denaro arrested in Sicily (BBC)
My son loves all things Mafia. From The Sopranos to The Godfather and Goodfellas, he’s seen it all and constantly quotes me lines. It was my son who pointed me to this bit of news out of Italy, as the longtime big boss of the Cosa Nostra crime family, Messina Denaro, was arrested in Palermo, Sicily this week. He was taken into custody while at a clinic getting treated for cancer. He was wearing a watch worth over 35K Euros. The crowds in the street were supposedly cheering his arrest. I guess they got tired of the violence and danger that has been coming out of the modern-day mafia. Times have certainly changed!
What to know about Tesla slashing prices (The Hustle)
My investment communities were all in a tizzy this week as Tesla announced that they would be slashing the prices of certain models by as much as 20%. Some people were very angry after having just purchased a car at the pre-cut, inflated price. Most of my investor friends didn’t care about the price cut; instead they were trying to unpack what impact this will have on the Tesla stock. So far not much, but it’s going to be interesting to watch how the market reacts when the margins and revenue fall through the floor at the next quarterly earnings announcement.
Buyers Call Bluff On Unicorn Valuations: Spread Between Asking Prices And Bids Widens On Secondary Markets (Crunchbase News)
Liquidity is what makes a market. Without liquidity it’s impossible for deals to get done and for a market to settle on a price. The secondary market for privately held stock options is no different, and right now that market is stuck at an impasse. With massive differences between what sellers are willing to sell for and what buyers are willing to pay, there is no way that deals can get done. Company founders and boards are going to have to accept the fact that their stock isn’t worth what it once was and reset the valuation of the company to something within reach. Once they do that, life will get quite a bit easier for many facets of their business.
Private Markets Don’t Like To Go Down (Bloomberg Opinion)
In a similar vein to the previous piece, the first article in this link is all about what happens when a company takes a down round. It’s also a really good lesson on deal structure and what it really means to a company and its stockholders when preference stacks, ratchets, and warrants are added to the mix. The short answer is that when you see a “We raised at X$ valuation” you had better dig into the real meat of the deal before you get too excited. Here’s a great thread on Twitter diving into some additional detail.
Apple’s mixed-reality headset could arrive this year (TechCrunch)
Is it really going to happen? Finally? Apple has been talking about releasing a mixed-reality AR/VR headset for what feels like an eternity. The latest information coming out of Bloomberg is that Apple will announce the new device during the WWDC keynote in June and that it will be called the “Reality Pro”. It’s apparently going to look like a set of ski goggles. My biggest concern with calling this launch “super important” is that regardless of the abilities of the unit itself, if it looks like shit people won’t buy it. It has to look good as well. That’s going to be the biggest sticking point. What do you think? Looks kind of dumb to me! Oh, and it’s 3K dollars — OUCH!
If you’ve made it this far you either found my musings at least semi-entertaining OR you enjoy pain and kept going regardless. No matter how you made it to this point, you should know that I appreciate you. Please do me a solid and share The Cyber Why with your friends. I would love to reach a bigger audience, and referrals are how I’ll do it. Help me out and I’ll see you next week!