Pre-Jailbroken iPhones for Zero-Days, Unveiling Backstory, and Cyber Apprenticeships
CyberWeekly Edition
Pre-Jailbroken iPhones Used to Find Zero-Days
If iPhones are as secure as they’re reputed to be, how do security researchers find vulnerabilities in them? Motherboard informed the world this week that security researchers (or anyone willing to fork over the money) can acquire “dev-fused”—aka pre-jailbroken—iPhones to conduct vulnerability research.
Of course, these dev-fused iPhones were never intended to leave the Apple production pipeline. The dev-fused iPhone supply chain seems to consist of tweeting a guy, who knows a guy, who knows a guy in an iPhone factory in China. It’s called a grey market, but I’m sure Apple isn’t happy.
Now that this open secret is seeing the light of day, it may force Apple’s hand to crack down, but probably not. After all, what are they going to do? Post American security guards in Chinese cell phone factories? Going after middlemen is unlikely to be effective.
I suspect the more likely answer is that Apple will need to revisit their bug bounty program to make it more competitive with the black market. After all, now that we know the integral tool to develop cyber super-weapons, like Karma—recently used by United Arab Emirates’ intelligence services—Apple needs to do something to address the concern. Otherwise, it will be hard for Apple to argue the importance of ensuring their customers’ devices are adequately secured.
CYBER’s podcast on this report is definitely worthwhile. They even interview a seller of dev-fused iPhones. You can check it out here (ironically, on Apple’s iTunes).
Unveiling Chronicle’s Backstory
Just over a year ago, Alphabet (Google’s parent company) announced that its moonshot factory X was spinning out its first cyber security company, called Chronicle. I was excited to hear more, but nothing further was announced until this month. Chronicle’s promise of creating an “immune system” for the digital world sounds cool, but it is also a bit vague.
Chronicle’s initial product announcement, Backstory, does seem to live up to the hype. It’s a security information and event management (SIEM) tool that leverages Google’s indexing power, VirusTotal’s intelligence (remember Google bought them in 2012), and Google Cloud’s storage and compute capacity. It seems like Backstory will empower security analysts or incident responders to do more with limited resources. It’s definitely worth checking out the Backstory demo video.
Chronicle seems to have anticipated the obvious question: are we all expected to just feed our corporate data to Google? CEO Stephen Gillett distanced Chronicle from its sister company, stating “We are distinctly not Google.” Backstory has separate legal and privacy agreements. The creation of Alphabet as a holding company makes sense, as Gillett couldn’t quite say the same if Google were Chronicle’s parent company.
Chronicle has already signed up Avast and Proofpoint as partners and is seeking to partner and integrate with more cyber security firms. While Chronicle has declined to state who it considers its competition to be, analysts expect that the list of competitors includes IBM, Rapid7 and Splunk.
Cyber is on Fire
The cyber security industry has been on fire for several years now. It looks like the industry will continue on that path for a while. Recent reports project continued outsized growth in cyber. A recent report forecasts a 13.5% compound annual growth rate over the next 8 years!
An analyst from Wedbush Securities recently noted that based on a survey of enterprise spending, cyber security budgets are expected to grow about 20% in 2019. Considering that the US overall service sector grew at an annualized rate of 2.6% in the fourth quarter of 2019, that’s a lot.
I still think we’ll see consolidation in the near future, but that really reflects a desire from companies to increase their product offerings without needing to develop (and fight) their way into new categories. It’ll likely be a good thing for the industry. After all, we’ve seen in technology for years that a good product doesn’t necessarily make for a good stand-alone company. There is a lot of potential value in offering a suite of integrated cyber security tools and services.
It’s worth pointing out that some people are starting to ask if the rapidly growing cyber security industry is actually keeping us safer. As long as companies continue to alleviate pain points for cyber security teams, the answer will be yes.
Cybersecurity Apprenticeships Tracker
The ironic thing about the ongoing cyber security talent shortage is that we witness two seemingly contradictory events occurring simultaneously. On one hand, employers complain about how hard it is to find cyber security professionals. On the other hand, prospective cyber security professionals complain about how difficult it is to find a job in the field.
So how does one get cyber security experience without a degree? One option I’ve recently discovered is apprenticeships. I’m really excited to hear that we have cyber security apprenticeships in the United States. I know it’s an odd topic to sound excited about, so I’ll give you the backstory.
I spent a few years living in Germany, where apprenticeships are an everyday part of the educational ecosystem. Not everyone goes to college, so many Germans head to formal apprenticeship programs after high school. This provides a pool of highly-skilled workers in Germany that is the envy of most any industrialized nation. I’ve wondered for years why the United States doesn’t take greater advantage of the apprenticeship system. Historically, it was part of education and business in the US.
Recently, I learned about a cyber security apprenticeships tracker, which is maintained by FIU-New America Cybersecurity Partnership and the Center on Education & Skills at New America (CESNA). Not only does the tracker show cyber security apprenticeships around the country, but it even annotates whether the apprenticeships are paid. (As of this writing, all but one listed apprenticeship is indeed paid.) Tackling the industry’s talent shortage will require a diverse set of candidates from a variety of paths. Cyber security apprenticeships can be an effective (and hopefully growing) pipeline for new cyber security professionals from increasingly diverse backgrounds.
Interop19
I’m excited to announce for the first time publicly that I’ll be speaking at Interop19 at The Mirage in Las Vegas. My presentation, Zero Hour: The First 60 Minutes of a Cyber Crisis, will be on Thursday, May 23, 2019. Interop is an educational IT conference from the same team that brings you both Black Hat and Dark Reading. Vegas, baby!
Cool Job of the Week
Humana — Director, Cyber Security Business Alignment - Digital Health Analytics (Location: Jersey City, NJ)
Veteran-Preferred Job of the Week
GM Financial — Cybersecurity Engineer- Threat Hunting (Location: Arlington, TX)
Hope you’ve enjoyed this week’s edition of The CyberFuture Newsletter. Please share with a friend or colleague.
Stay vigilant,
Oritse J. Uku, Editor-in-Chief
Disclaimer: The opinions expressed in this newsletter are my own.