#1 Matt Holland: Zero Day

Danish Choo
5 min read · Jan 3, 2021

Podcast Link: https://open.spotify.com/episode/2eW1DDccgvllRQ8qUW2Jeh?si=kZ2eAj3QRNWa-WJMMKaCqQ

Matt Holland has been one of the world’s leading authorities in the cyber security industry since 1999. In 2007, he co-founded Linchpin Labs because he saw an opportunity to provide better solutions to democratic governments and corporate clients globally.

Over the next 12 years, Matt Holland helped grow Linchpin to be a leader in the privatized intelligence industry. Linchpin was ultimately acquired by L3 Technologies in 2018 for $200M.

Matt Holland has since taken charge of Field Effect as the CEO with a view to creating world-leading technology and tradecraft to protect companies of all sizes from modern cyber security threats.

The state of cybersecurity is scarier than you think

To explain the current ethics of cybersecurity, we have to break it down into three pillars. The first pillar is the offensive side, where an attacker proactively engages in malicious hacking of devices or software. Hollywood has glamorized this activity to the point of misrepresenting it; the actual scope is much larger than what is shown on screen.

In cybersecurity practice this is more commonly known as offensive cybersecurity, or “red hat hacking”. There is a whole economy behind offensive cybersecurity, and people get paid a lot of money for it, largely because people are horrible at writing software. That in turn drives the dollars and cents behind the defensive cybersecurity economy, which is the second pillar.

The third pillar is faux cybersecurity rather than traditional cybersecurity; it is where intelligence agencies come into play. An example is election interference, where people are influenced to vote in a particular direction or manner. One prevalent change is the increasing pace at which companies are spied on as a way to fast-track R&D and claim the results as their own “work”, quite apart from the sheer amount and value of consumer data at stake.

From these three pillars it is easy to see where the problem of ethics comes into play. The fact of the matter is that people do not know what cybersecurity is or what they are buying into, and that opens the door to numerous exploitative practices by vendors and individuals. One good example is SolarWinds, which sells software that lets an organization see what is happening on its network. A Russian intelligence agency inserted malicious code into an update of that software, known as Orion, causing a widespread supply-chain attack across a customer base of some 18,000 organizations.

Personally, I myself had a look at the Solidity framework, which is the framework surrounding code compilation for Ethereum smart contracts. Despite my not being a professional coder, it was easy to see that there were a jarring 16 or so vulnerabilities in the framework (there might be updates on them now). One of these hacks involves a simple hook onto a public smart contract, easily traceable on Etherscan; an attacker just has to adjust the receiver address to receive the crypto instead of the originally intended address.

So the next logical question is: wouldn’t the advancement of technology allow us to solve these issues? WRONG. In the podcast, Matt Holland describes the problems we are seeing today as the same problems encountered 20 years ago. A problem that should have been solved 20 years ago is still here today, even as the scope of cybersecurity expands, which says a lot about how poor the cybersecurity industry is at solving problems. I think it is interesting how he alluded to the fact that companies are selling interfaces that no one will know how to use.

Another interesting point he made in the podcast was about the state of mobile devices. Apple has been adding an ever-increasing number of security mechanisms that limit the operator to doing only specific things, which is crippling from a security standpoint. All an attacker needs to do is get around these mitigations, and they can then own an Apple device anywhere in the world. A company called Vupen bought zero-day exploits and achieved full iOS privilege escalation; if that doesn’t scare anyone, then I don’t know what will. Android has its own set of challenges: vendors take the open-source Android code base and modify it, and vulnerabilities inevitably follow. In fact, the odds of a successful attack on Android are higher than on iOS because of the many different versions of Android in circulation. The basic problem with attacks on mobile operating systems is that once the attacker is inside the OS, there is little that can be done.

Naivety is prevalent when it comes to cybersecurity

Most people don’t know what cybersecurity is, and most won’t even know what they are buying into. Most cybersecurity solutions are bolted on: they are lumped together in an organization’s systems as if each were a piece of software isolated from the others. There is no single fix-all solution to cybersecurity, understandably so given the complexity of the environment. What is alarming, however, is that most solutions are sold to customers without anyone establishing whether there is a need for them.

Take, for example, a car salesman pitching to a prospective customer. Though the customer only needs new wheels, the salesman insists that they buy the whole car. This is the state of cybersecurity today: most buyers are buying into the perception that they need a product rather than actually needing it.

Another concern related to naivety is the jargon used in the industry. One of the most common terms is NGAV (“next gen anti-virus”), or just “next gen” in general. Matt Holland described next gen solutions as the same ones sold 20 years ago; back then the term machine learning was not popular, and the technique was simply called “training to look for anomalies”. The same holds for current NGAV solutions: most of them are the same as they were 20 years ago. The terms were created by sales teams to drive revenue pipelines; ultimately, what should have been next gen does not seem to be next gen at all.
