Kicking Off With Crypto – PSW #827
1. Kicking Off With Crypto – PSW #827
The Security Weekly crew discusses some of the latest articles and research in cryptography and some background relevant subtopics including the race against quantum computing, key management, creating your own crypto, selecting the right crypto and more!
- https://www.globalsecuritymag.com/keysight-introduces-testing-capabilities-to-strengthen-post-quantum.html
- https://malware.news/t/reversinglabs-hashing-algorithm/81418
- https://www.bleepingcomputer.com/news/security/google-chromes-new-post-quantum-cryptography-may-break-tls-connections/
- https://www.finextra.com/newsarticle/44060/hsbc-and-paypal-tackle-quantum-safe-cryptography-in-payments
- https://blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/
- https://blog.cryptographyengineering.com/2024/04/16/a-quick-post-on-chens-algorithm/
Announcements
Security Weekly listeners: Join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 28 – 31. The 15th annual Identiverse will bring together over 3,000 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
2. ChatGPT Writes Exploits – PSW #827
ChatGPT writes exploits, banning default and weak passwords, forget vulnerabilities just get rid of malware, IR blasting for fun and not profit, creating fake people, shattered dreams and passkey, and removing chips.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
- 1. OpenAI’s GPT-4 Can Autonomously Exploit 87% of One-Day Vulnerabilities
Keep in mind: They only tested 15 published vulnerabilities, so 87% is a representation of how many out of the 15 the LLM was able to exploit. Many of the vulnerabilities already had an exploit that was published. Also, a vulnerability scanner is not going to exploit a vulnerability (though lines are blurred here) and they compared the results to ZAP and Metasploit, even though Metasploit is not a vulnerability scanner. I think this is interesting, though this research, for a number of reasons already listed, is not all that impressive. It does, however, represent strategies for the future, where LLMs could continuously find and write exploits for vulnerabilities being published on a continuous basis. I think this should just be a public service and integrated into the vulnerability reporting databases (snicker).
- 2. Systemd wants to expand to include a sudo replacement
- 3. How to Run Android on Your Raspberry Pi 5
File this and my article #7 as "neat, you can do this? Cool!".
- 4. NCSC: New UK law bans default passwords on smart devices
Here's the part on passwords: "Passwords must be (a) unique per product; or (b) defined by the user of the product. (3) Passwords which are unique per product must not be— (a) based on incremental counters; (b) based on or derived from publicly available information; (c) based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice; (d) otherwise guessable in a manner unacceptable as part of good industry practice." Here are the other parts: "The manufacturer must provide a point of contact for the reporting of security issues which – if ignored – could make devices exploitable by cyber criminals. The manufacturer must state the minimum length of time for which the device will receive important security updates. When updates are no longer provided, devices are easier to hack, or may stop working as designed." - This is something we've been asking for for a long time; will it make a difference?
- 5. CVE-2024-32766 (CVSS 10) – QNAP Vulnerability: Hackers Can Hijack Your NAS
- 6. Researchers Uncover ‘Pathfinder’ Exploit, Putting CPUs at Risk of High-Precision Attacks
- 7. Turn Your Qualcomm Phone Or Modem Into Cellular Sniffer
File this and my article #3 as "neat, you can do this? Cool!".
- 8. Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller
- 9. IoT Hacking – Polycom Conference Phone – Firmware Extraction
This was a great video, I found myself unable to stop watching as he removed the flash chip from the board, cleaned the pins, and read the data from a flash chip reader. I am weird.
- 10. D-Link NAS Device Backdoor Abused – SANS Internet Storm Center
- 11. Hackers try to exploit WordPress plugin vulnerability that’s as severe as it gets
- 12. NVD delays highlight vulnerability management woes: Put malware first
The article states this: "While the NVD is still useful, it's not equal to the challenge of managing the risk from the rise of software supply chain attacks. Rather than focusing on remediation of vulnerabilities, to manage modern risk teams need to shift their focus to active malware — and modern attack techniques such as software tampering." - I disagree, we can't just throw out vulnerability and patch management. Not to mention that the remediation for "Tampering" is to apply a software update. Also, XZ got a CVE, further highlighting the importance of vulnerability management.
- 13. Flipper Zero Dazzler IR Blaster Expansion Board by iotmug on Tindie
Yea, so, I bought one. I think it's a challenge to see just how far away I can mess with IR devices, and how many I can impact at once. Buy one before they are sold out, as the IR add-ons for the Flipper are a lot of fun! Every Flipper Zero owner should have at least one, or six.
- 14. Millions of IPs remain infected by USB worm years after its creators left it for dead
- 15. OSHIT: Seven Deadly Sins of Bad Open Source Research – bellingcat
- 16. oss-security – Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc)
- 17. School athletic director arrested for framing principal using AI voice synthesis
"On Thursday, Baltimore County Police arrested Pikesville High School's former athletic director, Dazhon Darien, and charged him with using AI to impersonate Principal Eric Eiswert, according to a report by The Baltimore Banner. Police say Darien used AI voice synthesis software to simulate Eiswert's voice, leading the public to believe the principal made racist and antisemitic comments."
- 18. Researchers: Windows Defender attack can delete databases
- 19. CVE-2024-2961 – glibc Vulnerability Opens Door to PHP Attacks: Patch Immediately
- 20. Abusing search permissions on Docker directories for privilege escalation
- 21. Baldur
- 22. oss-sec: Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc)
- 1. Chrome users report broken connections after Chrome 124 release
When Google released Chrome 124 earlier this month, it included post-quantum secure TLS key encapsulation enabled by default. Some users have been reporting that the feature is causing problems, including the inability to connect to servers, firewalls, and websites. Google has been testing the feature since August 2023.
The quantum-resistant encryption option is intended to be backwards compatible; however, some devices are rejecting the connection when the unexpected option is provided rather than simply falling back to current TLS options. Google strongly suggests working with the vendors to fix their implementation. In the meantime, you can disable X25519Kyber768 in Chrome using the PostQuantumKeyAgreementEnabled enterprise policy (true: Kyber enabled; false: disabled; not set: default behavior). This policy is expected to be deprecated in the future. Test your browser: https://isitquantumsafe.info/
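An added example (not from the show notes, Google or Chrome): a small Python probe that builds a TLS 1.3 ClientHello with and without a hybrid key_share entry for the X25519Kyber768 draft group (the 0x6399 codepoint and the 1216-byte share size are assumed from Chrome's draft) and reports whether a server or middlebox answers, refuses or hangs, so you can test your own infrastructure from the network side the way isitquantumsafe.info tests the browser side.

```python
import os
import socket
import struct

PQ_GROUP = 0x6399          # X25519Kyber768Draft00 codepoint offered by Chrome 124 (assumed)
X25519_GROUP = 0x001D
PQ_SHARE_LEN = 32 + 1184   # X25519 public key followed by a Kyber768 encapsulation key

def _vec(body: bytes, width: int) -> bytes:
    """Length-prefixed TLS vector with a 1-, 2- or 3-byte length field."""
    return len(body).to_bytes(width, "big") + body

def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!H", ext_type) + _vec(body, 2)

def build_client_hello(sni: str, offer_pq: bool = True) -> bytes:
    """TLS 1.3 ClientHello, optionally carrying a hybrid PQ key_share entry. Random bytes stand
    in for a real hybrid share: the question is only whether the peer tolerates the oversized,
    unknown entry and falls back to the X25519 share that is always included."""
    groups = ([PQ_GROUP] if offer_pq else []) + [X25519_GROUP]
    shares = b""
    if offer_pq:
        shares += struct.pack("!H", PQ_GROUP) + _vec(os.urandom(PQ_SHARE_LEN), 2)
    shares += struct.pack("!H", X25519_GROUP) + _vec(os.urandom(32), 2)
    exts = (
        _ext(0x0000, _vec(b"\x00" + _vec(sni.encode(), 2), 2))                    # server_name
        + _ext(0x000A, _vec(b"".join(struct.pack("!H", g) for g in groups), 2))   # supported_groups
        + _ext(0x000D, _vec(bytes.fromhex("0403080408050806"), 2))               # signature_algorithms
        + _ext(0x002B, _vec(b"\x03\x04", 1))                                      # supported_versions: 1.3
        + _ext(0x0033, _vec(shares, 2))                                           # key_share
    )
    body = (
        b"\x03\x03" + os.urandom(32) + _vec(os.urandom(32), 1)                   # version, random, session id
        + _vec(b"\x13\x01\x13\x02\x13\x03", 2) + _vec(b"\x00", 1)                # AEAD suites, null compression
        + _vec(exts, 2)
    )
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)        # record header + handshake header

def classify_reply(data: bytes) -> str:
    """Map the first record the peer returns to an outcome."""
    if not data:
        return "closed"          # FIN/RST with no TLS reply at all
    if data[0] == 0x16 and len(data) > 5 and data[5] == 0x02:
        return "server_hello"    # handshake accepted (ServerHello or HelloRetryRequest)
    if data[0] == 0x15:
        return "alert"           # peer parsed the hello and refused it
    return "garbage"

def probe(host: str, port: int = 443, offer_pq: bool = True, timeout: float = 5.0) -> str:
    """Send one ClientHello and report the reaction; a timeout is the hang users reported."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, offer_pq))
        try:
            return classify_reply(s.recv(4096))
        except socket.timeout:
            return "timeout"

if __name__ == "__main__":
    import sys  # usage: python pq_probe.py your.host.example
    for pq in (True, False):
        print("PQ share offered" if pq else "PQ share omitted", "->", probe(sys.argv[1], offer_pq=pq))
```

A host that returns a ServerHello without the share but hangs, closes or alerts with it is showing the behaviour the article describes, and that is the evidence to hand to the vendor.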
- 2. UK becomes first country to ban default bad passwords on IoT devices
The UK has banned the use of easily-discoverable default passwords on IoT devices. Companies that ship products without the protections will be subject to significant fines. The change is part of the updated version of the 2022 Product Security and Telecommunications Infrastructure Act (PSTI), which took effect on Monday, April 29, 2024. The updated regulation prohibits the use of easy-to-guess default passwords; instead, default passwords must be randomized, or the device must generate a password when it is initialized. The passwords must be resistant to credential stuffing and brute force attacks, and changing the password should be easy. The regulation also requires companies to provide a point of contact for reporting security issues and to be clear about the minimum period during which the device will receive security updates.
This has origins in the Mirai botnet attack from 2017, which leveraged default passwords on these devices. Unfortunately, that wasn't enough for the needed systemic move away from these credentials, so now regulations are starting to come into play to force the issue, not just requiring better credential management but also security updates with documented lifecycles. The UK put some teeth into this regulation: devices not meeting the security requirements could face recall, and the responsible companies could be fined up to $12.53 million or 4% of their global revenue, whichever is higher. The EU is working on similar legislation in its Cyber Resilience Act, which is neither fully ratified nor expected to apply until 2027.
- 3. Cyber Hygiene Helps Organizations Mitigate Ransomware-Related Vulnerabilities
CISA's Ransomware Vulnerability Warning Pilot sent 1754 notifications to government agencies and critical infrastructure operators in 2023. The notices resulted in 852 vulnerable devices being addressed or taken offline. Government facilities received 641 of the notices, followed by the healthcare and public health sector with 440, and the energy sector with 173.
Better to have a warning from a friendly such as CISA than a breach notification. CISA is scanning internet facing systems subscribed to their Cyber Hygiene Vulnerability Scanning program, which has over 7600 participating organizations. There is an expectation that if warned, you're going to take action to remediate the identified weakness in a timely fashion. Leverage the CISA #StopRansomware Guide for things you can do, many of which are no-cost actions.
- 4. Health Breach Notification Final Rule
The US FTC has finalized changes to its Health Breach Notification Rule (HBNR). The HBNR applies to vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA). Changes include clarifying what constitutes a breach of security, revising the definition of PHR-related entities, expanding the amount of information to be included in notifications, and changing the timing requirement for notifications. The final rule will take effect 60 days after publication in the Federal Register.
The rule changes clarify the applicability to health/health tracking apps and similar technology such as wearable fitness devices and mobile health apps. The change includes breaches related to sharing of health data with third-party data brokers and advertisers without user authorization. The expanded definition of a covered healthcare provider includes any website, app, etc. which provides a mechanism to track anything from bodily functions to fitness and sleep as well as medical diagnosis and treatment. It's expected that this will cover 193,000 entities, many of which are likely unaware of the rule change. If you're handling PHR, in any form, and were previously excluded from the HIPAA breach and notification requirements, read the updated HBNR; it's likely you are now in scope when the rule goes into effect.
- 5. CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure
CISA has published guidance for owners and operators of critical infrastructure to mitigate AI risks. The document categorizes the AI risks into three types: Attacks Using AI; Attacks Targeting AI Systems; and Failures in AI Design and Implementation. The guidelines are broken into four areas: Governance, Mapping, Measurement, and Management.
This guidance is a result of Executive Order 14110: Safe, Secure and Trustworthy Development and Use of Artificial Intelligence. From a practical perspective, use this to guide your path into AI. Most vendors have incorporated, or are about to incorporate or upgrade, AI in their products, and you need to understand the risks and the questions to ask. Those of you heading to RSA next week will be inundated with AI at every turn; the technology is really exciting. Being prepared with a plan for governance and AI risk acceptance will help you choose wisely.
- 6. Okta spots ‘unprecedented’ spike in credential stuffing attacks
Attackers are using residential proxies or other services which route traffic on behalf of a legitimate subscriber to emulate the behavior and connections of normal users' mobile devices and browsers, leveraging pilfered credentials to access systems without raising alarms. You may be able to detect some activity by watching for impossible connections, but the better play would be replay- and phishing-resistant MFA. Take a hard look at implementing breached password notification, including expectations for changing breached passwords and account lockout settings. Consider requiring both device and user authentication for remote connections to raise the bar on VPN connections.
- 7. FCC fines carriers $200 million for illegally sharing user location
The FCC has fined AT&T, Sprint, T-Mobile, and Verizon a total of nearly $200 million for selling customers’ real-time location data to data brokers. The FCC proposed the fines more than four years ago, characterizing the activity as “carriers apparently disclosed their customers' location information without their consent and continued to sell access to that information without reasonable safeguards.”
The carriers are pushing back on the FCC, saying it was the third party who violated the requirement to properly obtain consent to release the data; the FCC says that was the carriers' responsibility, highlighting the need to better understand what the legal requirements are on data brokers who collect and resell this data. While there isn't a lot you can do in this scenario, you can cross-check how your third-party providers are protecting your data and understand what conditions, if any, exist where they could share it.
- 8. Health insurance giant Kaiser notifies millions of a data breach
Kaiser Permanente is notifying 13.4 million current and former patients that their personal data may have been exposed via tracking tools. The incident affects Kaiser patients who accessed the healthcare services organization’s website and mobile app. The tracking code has been removed from Kaiser’s website. Kaiser notified the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) of the incident on April 12. The data may have been exposed to Microsoft, Google, and X (formerly known as Twitter).
Those web tracking and analytics tracking codes are really appealing with the insights they provide on your site usage. A study last year by the University of Pennsylvania and Carnegie Mellon found 98.6% of non-federal acute care hospitals in the U.S. use third-party tracking tools on their websites. The problem is these third-party trackers may reveal more information than you intend. HHS published guidance on trackers in 2022, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html), which provides insight on their use and what can be revealed, even if you're not protecting HIPAA data.
- 1. China-Linked ‘Muddling Meerkat’ Hijacks DNS to Map Internet on Global Scale
These threat actors have been performing sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019. "Muddling Meerkat elicits a special kind of fake DNS MX record from the Great Firewall which has never been seen before. For this to happen, Muddling Meerkat must have a relationship with the GFW operators." The exact motivation behind the multi-year activity is unclear, although it raised the possibility that it may be undertaken as part of an internet mapping effort or research of some kind.
- 2. M-Trends 2024: Our View from the Frontlines
Mandiant's report says: Increased targeting of edge devices; A more than 50% growth in zero-day usage over the same reporting period in 2022; More "living off the land"; The median dwell time is now 13 days for non-ransomware investigations, the lowest it's ever been; 54% of organizations first learned of a compromise from an external source; 46% first identified evidence of a compromise internally; The most common initial infection vectors were exploits (38%), phishing (17%), prior compromise (15%), and stolen credentials (10%)
- 3. Kaiser Permanente: Data breach may impact 13.4 million patients
This "breach" merely comes from normal use of tracking cookies on their Web pages. For a good discussion, see my next article.
- 4. Tracking Cookies on Medical Websites
Normal Web design can forward data you enter to third parties, such as search queries. It's not clear that this is illegal.
- 5. Elon Musk’s latest brainfart is to turn Tesla cars into AWS on wheels
Elon wants to sell the processing power of idle Teslas for AI tasks. He's thinking he could make money like AWS, but overlooks the obvious privacy and security risks. Microsoft planned a similar use of other machines' idle RAM in Vista, but abandoned it before shipping the OS.
- 6. Passkeys: A Shattered Dream
Passkeys were supposed to produce a new future for the Web without passwords, making users more secure and logins easier. But Google and Apple decided to use this opportunity to lock users into their systems by breaking the protocol and making incompatible systems. The system became so hard to use that even the author of this article, who spent years developing it, is declaring it dead and abandoning it. We're all stuck with password managers for the foreseeable future.
- 7. UK becomes first country to ban default bad passwords on IoT devices
Under the PSTI, weak or easily guessable default passwords such as “admin” or “12345” are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.
Products that fail to comply with the rules could face being recalled, and the companies responsible could face a maximum fine of £10 million ($12.53 million) or 4% of their global revenue, whichever is higher.
- 8. UK becomes first country to ban default bad passwords on IoT devices
Cuttlefish infects enterprise-grade and small office/home office (SOHO) routers to monitor data that passes through them and steal authentication information. It creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins. The malware can also perform DNS and HTTP hijacking.