The RESTRICT Act, Intel’s Attack Surface, & Stop Developing AI (For 6 Months) – PSW #778

Not what you think. Do not try this at home.

Sounds like AV/EDR needs to update its protection mechanisms: "This appears to be an oversight and is the reason I would like to draw more attention to it. I’m not aware of a reason to grant suspend/resume privileges to an arbitrary process in relation to a PPL process. Those implementing AV/EDR drivers could additionally filter suspend/resume permissions and reject them, as they already do with terminate permissions."

"TestSigning mode is a boot configuration option in Windows that allows users to load and execute drivers and system files that have not been digitally signed by Microsoft."

Some neat tools and such, still a WIP from what I can tell, full set of scripts is here: https://github.com/R-Eric-Kiser/python-pentesting

"Apparently, if you’re running macOS Ventura and you’ve hooked your Mac up to a Studio Display, just updating the Ventura operating system itself isn’t enough to secure you against potential system-level attacks. According to Apple’s bulletin, a bug in the display screen’s own firmware could be abused by an app running on your Mac “to execute arbitrary code with kernel privileges." (From https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-including-a-zero-day-fix-for-ios-15-users/) - So there is a kernel on your Apple Studio Display, curious what you do with this vulnerability...

A bold claim: "Intel claims that the latest version of its vPro platform provides dozens of security capabilities that can help reduce the attack surface of a 13th Gen Core-powered computer by as much as 70% compared to a 4-year-old PC. This is based on an attack surface study conducted by cybersecurity firm IOActive." - The problem is, while this is likely true from a certain perspective, the downstream suppliers will mess it up. Firmware, bootloaders, kernels, and operating systems (and virtualization) won't use these features or use them in the wrong way, providing opportunities to attackers. Much like crypto, the weakness is in the implementation. On the plus side, these security features are moving the needle forward, we just need to convince the supply chain to use them, correctly.

"Even if the vendor uses strong cryptography, such as AES in a sufficiently secure mode (and not something obscure and senseless like XOR’ing with a 16-bit constant), the confidentiality of the resulting encrypted image will be compromised if the corresponding key is compromised. Key management will therefore be crucial for these systems, however, provisioning device unique keys is non-trivial for many designs, and to properly protect encryption keys, one must also implement a proper boot trust chain and rely on the hardware root of trust capabilities of the SoC, when present. Keys hardcoded into bootloader binaries or image header structures will definitely not do the trick." - So much this. It would seem that this security through obscurity provides little value, it really just tries to prevents people from reversing the firmware and finding vulnerabilities, not provide any operational security to the end user.

Yep: "Finally, I've seen a couple of people imply that the blame here should be attached to whoever or whatever caused the private key to be committed to a repository in the first place. This is a terrible take. Humans will make mistakes, and your systems should be resilient against that. There's no individual at fault here - there's a series of design decisions that made it possible for a bad outcome to occur, and in a better universe they wouldn't have been necessary. Let's work on building that better universe."

Ouch.

"The problem was that for these two affected binaries – shdloader.efi (CVE-2022-34302) and esdiags.efi (CVE-2022-34301) – flat SHA256 file hashes were added to the DBX update instead of their PE authenticode hashes." - I was told testing was important...

[PAUL] - "Should we automate away all the jobs, including the fulfilling ones? Should we develop nonhuman minds that might eventually outnumber, outsmart, obsolete and replace us? Should we risk loss of control of our civilization?" - I think we are not even close to this. Ex Machina was just a movie, man. Also, they propose a 6-month stoppage on all AI. What are six months going to do exactly? We change the face of AI in 6 months and stop Skynet?

Elon Musk and a group of artificial intelligence experts and industry executives are calling for a six-month pause in developing systems more powerful than OpenAI's newly launched GPT-4, in an open letter citing potential risks to society and humanity. It called for a pause on advanced AI development until shared safety protocols for such designs were developed, implemented and audited by independent experts.

North Dakota is the first state in the nation to approve legislation requiring cybersecurity education. It requires the teaching of computer science and cybersecurity and the integration of these content standards into school coursework from kindergarten through 12th grade. [PAUL] - I was walking through the book sale at my children's elementary school. I did not see one book on the subject of computer science or computer security. I love what North Dakota has done here, and usually, the laws being passed are ridiculous, like banning straws or something.

Github announces a new Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click. The resulting JSON file saves project dependencies and metadata, like versions and licenses in the industry standard SPDX format.

The long-range, low-bandwidth network can give any IoT device free low-speed data. Over 90 percent of the US population can access the now public network. It works over three existing wireless radio technologies — Bluetooth Low Energy (BLE) for short distances, LoRa for long range, and frequency shift keying using 900MHz.

Following a radically successful trial on cancer patients, a new blood test that promises to predict tumors more than a year before they begin to form is now being applied in hospitals across the United Kingdom. It can detect cancer earlier than other known technologies, before the tumor has physically formed.

A comedy video

It’s not uncommon for Chinese authorities to forcibly “disappear” business executives, a practice that has increased in recent years under President Xi Jinping. Some executives have never been heard from again. Some have returned to work as if nothing had happened. Some ended up going to prison. Some even mysteriously died when incarcerated. [PAUL] - Yea, so not independent. And what most people miss about the TikTok ban is this: it's all politics and has nothing to do with technology or privacy.

First, our Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity. Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance. Since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.

Arm is performing a "radical shake-up" of its business model. The new plan is to raise prices across the board and charge "several times more" than it currently does for chip licenses. According to the report, Arm wants to stop charging chip vendors to make Arm chips, and instead wants to charge device makers—especially smartphone manufacturers—a fee based on the overall price of the final product.

On Feb 2, Brian Krebs reported details of a zero-day remote code injection exploit in Fortra's GoAnywhere software, which Fortra had hidden behind a login screen on its website. Fortra released security fixes for GoAnywhere five days later on February 7. By then, the hackers had already stolen reams of data from 130 alleged companies. Fortra also owns Cobalt Strike.

The 'Untitled Goose Tool' is Python-based and can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments. It's a robust and flexible hunt and incident response tool.

The so-called Risk Model Manager (RMM) platform is now available for organizations to assess supply chain risk and security. RMM is a cloud-based prototype platform for its new System of Trust (SoT) framework that defines and quantifies risks and cybersecurity concerns for the supply chain. The SoT framework, which is a cloud-native app hosted on AWS, is centered around 14 top-level risk areas related to suppliers, service providers, and supplies, including the financial stability and cybersecurity practices of the supplier, as well as risk of counterfeit and compromise to products.

The bill could have implications not just for social networks, but potentially security tools such as VPNs. Under the RESTRICT Act, the Department of Commerce would identify information and communications technology products that a foreign adversary has any interest in, or poses an unacceptable risk to national security, the announcement reads. The bill only applies to technology linked to a “foreign adversary.” Those countries include China (as well as Hong Kong); Cuba; Iran; North Korea; Russia, and Venezuela. “If Congress is serious about addressing risks to Americans’ privacy, it could accomplish far more by focusing its efforts on passing comprehensive privacy legislation like the American Data Privacy and Protection Act”