Ryan McGeehan

@crtheisen @bettersafetynet Hi @bettersafetynet - Here's a good starting point to get acclimated if you're looking for one: #1" target="_blank" rel="nofollow noopener">magoo.github.io/Risk-Forecasti… Happy to DM if you run into trouble

Prompt injections will probably always work with this current generation of AI systems because we're now comingling the instructions and the code. It's a _wickedly_ difficult problem to fix. It pretty much breaks all security models we've built thus far.

I wish all security pros practiced a scenario-first mindset. Explanations based on risk scenarios before jumping to best practices, gaps, controls, compliance etc. I wrote an essay to coach on this: "Writing a risk scenario" medium.com/starting-up-se…

I wrote about that moment every security team faces when someone asks if they can work from China for a while, and then everyone freaks out. magoo.medium.com/the-working-fr…

Securing Customer Support: medium.com/starting-up-se…

@jeremiahg Yeah, either interpretation would have a pretty useful answer IMO, so I'm curious which it ends up being. Subscribed.

@Magoo "certain CVEs caused claims that were not present in KVE, which is not what you meant" Yes, it's hard to articulate this correctly. I'm going to try and dig more to find out for sure and better quantify.

Total CVEs: 240,830 Total KEVs 1,218 0.5% of CVEs have been seen exploited in the wild historically. I've also asked several cyber-insurance carriers if they could share with me the CVEs that resulted in claims. Answer, less than 200 per year.

@jeremiahg Oh, I see. Said differently: An even smaller subset of of vulns that appear in KVEs actually result in claims. This is what the correct suggestion is, right? Where my mind went, was that certain CVEs caused claims that were not present in KVE, which is not what you meant

@Magoo What I'm seeing, via data and conversations with the carriers, is that KEVs do not necessarily equate to insurance claims. They're just 'seen' in the wild, and do not result in notable losses.

@jeremiahg Clarifying question: This suggests some amount of CVE's with observed ITW exploitation that are not also formally accounted for in KEV data?

Oh, and overlap between KEVs and CVEs resulting in claims was not huge at the time I looked. This is important.

Ramping up on bluesky 🦋: bsky.app/profile/mag00.…

In the wild exploit in Firefox, disclosed and fixed within 25 hours. blog.mozilla.org/security/2024/…

My "Starting Up Security" writing correlates to my caffeine intake which has dropped off over the last few years. Today I got tricked into an actual coffee, so drafts are open. Taking any requests, just DM ☕️

“Detection is a problem I describe as deceptively tractable.” @Magoo on 🔍 Prioritizing Detection Engineering Proposed implementation order: 1. Get logging in order, focusing on query-ability and minimum viable logs. 2. Spend time on hardening before formalizing detection. 3. Introduce high-quality detections and alerts, starting with a reference alert and focusing on invariants. 4. Address management challenges before scaling detection efforts. 5. Fully embrace an engineering approach to detection, with the ability to throttle or accelerate work as needed. medium.com/starting-up-se…

@robertgraham @lcamtuf Seems less likely that an interdiction added explosives and relied on a known vuln to trigger it. More likely, while introducing explosives, introduced a trigger at the same time so it could be triggered at a more predictable time. Was it additional hardware, or malware?

@robertgraham @lcamtuf I think it's most likely that some kind of intervention occurred to add explosives, but it would still need to be triggered. If a physical intervention is already given, shouldn't some kind of malicious software trigger also be necessary? Or were they all on a simple timer?

Cyber security expert here: I don't think this is a hack. Making batteries do anything more than burn is very hard and implausible. Far more plausible is that somebody bribed the factory to insert explosives. reuters.com/world/middle-e…

I will be really surprised if these were not sabotaged before delivery somehow.

Malware (!!??!!) may have been the factor in an attack that blew up hundreds of Hezbollah Operatives pagers in an attack.

I wrote about how detection engineering should be prioritized in a security program. Feedback and discussion welcome! magoo.medium.com/prioritizing-d…

The boring security management stuff. 🤣 Managing a quarterly security review: Feedback welcome as usual. medium.com/starting-up-se…

Should CVE-2024-38063 be more widely discussed? It's a zero click IPv6 RCE (????). Am I just not reading this right? Normally there's a of panic about ITW exploitation, exposed hosts, and wormability for a vuln like this. I gotta be missing something. msrc.microsoft.com/update-guide/v…