This edition of the ReThink Newsletter includes two new ReThink articles, both of which cover important topics for our industry, and five links to what we think is the most interesting or important recent security news.
Recent ReThink Articles
Jason published an interview with Loren Kohnfelder, the father of Public Key Infrastructure. Jason met Loren while at Microsoft in the 90s, and both of them have been working on security issues ever since. In this long-form article Jason and Loren discuss PKI history, the current state of security and some predictions for the future. It’s amazing to hear from such an iconic pioneer of cryptography, one who rubbed elbows with Rivest and Adleman (the R and A in RSA), and to get his perspective after more than forty years of experience in the field.
I had the opportunity to sit in on a conference call with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to hear their perspective on the escalating tensions between the US and Iran. CISA produces a lot of useful guidance and coordinates responses to both domestic and international threats for the private and public sectors. Read more about what I learned on that call here.
More Security Headlines
In the first 9 months of 2019 there were more than 5,000 data breaches, exposing nearly 8 billion records. These numbers are staggering, but not surprising. As leaders in the industry we must manage these threats and reduce data loss. The real losers, when we fail to secure data, are the end users. They pay the price and it is our responsibility to protect them.
I wrote about checkm8 before: a major vulnerability in the bootrom of iOS devices with A5 through A11 chips (iPhone 4S through iPhone X). At the time the exploit did not allow data extraction from locked devices. That has now changed: Cellebrite has announced that it can perform full filesystem extraction on iOS devices that are vulnerable to checkm8. Because the bootrom is read-only code burned into the chip, Apple cannot fix it with a software update, so the only fix for this issue is to upgrade to newer hardware (the A12-based iPhone XS/XR and later are not vulnerable).
I was introduced to CISA during my conference call with the DHS. They have some great resources, well worth perusing.
Microsoft and the NSA announced a major vulnerability (CVE-2020-0601) in the way Windows validates certificates: the Windows CryptoAPI (Crypt32.dll) did not check that the elliptic-curve parameters declared in an ECC certificate match those of the trusted root it was matched against, so an attacker could craft a certificate whose signatures validate as if they came from a trusted CA and use it to spoof TLS servers or sign malicious code. Windows 10 and Windows Server 2016 and later are affected. The only way to mitigate this risk is to patch, so please be sure to patch your systems immediately. Once the January 2020 update is installed, Windows also writes Event ID 1 from source Microsoft-Windows-Audit-CVE to the Application log whenever it encounters a certificate that attempts this attack, which is worth alerting on.
Jeff Bezos claims that his phone has been hacked by Saudi Arabia. I think if I were in the public eye like Bezos I’d have a stronger OpSec posture. Maybe carry more than one phone? Maybe make sure your risky photos are not on your primary phone? Maybe don’t carry your phone into a hostile country? It’s fascinating to think about individuals like Bezos using the same insecure software and devices as everyone else. Most of us are ‘saved’ by anonymity and a lack of intense interest in our lives. Bezos doesn’t have that luxury.