Researchers from Wiz say that attackers in possession of the stolen Microsoft signing key that was used to create phony access tokens for Exchange Online and Outlook accounts could also have used it to create forged access tokens for other Microsoft cloud applications, including SharePoint, Teams, and OneDrive. Microsoft has revoked the key and published indicators of compromise.
Still very little from Microsoft about what exactly happened to the key. A Microsoft spokesperson in a response to the article published by The Register stated that Wiz came to its conclusion without knowing the internals of Microsoft's Cloud environment. But the same statement did avoid calling any of Wiz's conclusions wrong.
Microsoft hasn’t replied officially to these new analyses showing broader impact of the incident, which increases the probability Microsoft will amend its earlier statements. If so, this is worth a “Key Management is Job 1” kind of company-wide edict coming from Microsoft’s CEO.
The authentication tokens worked with OpenID 2.0 apps and those supporting "login with Microsoft." Regrettably, you probably won't have the log data you need to properly detect this sort of activity until September. Realistically, any sessions signed by that key will need to be re-established. The default for MS 365 is 14 days, so if you've not increased the interval, you're good. Spend the energy on ingesting and processing the new logs to discover what you may be missing.
While most of the recent discussion has been on Microsoft up-charging for additional logging data and storage, the real question is how the evil-doer got access to the signing key in the first place. Wiz’s analysis doesn’t answer that question, but it does help in understanding the potential impact the use of that key has with other Microsoft applications.
The important story of the compromise of this key has been obscured by the far less important story of the logs that led to the discovery of the compromise.
WIZ
The Register
SC Magazine
Bleeping Computer
Washington Post
On Monday, July 24, Apple released updates for tvOS, watchOS, and multiple versions of macOS, iPadOS, and iOS. The update includes a fix for the WebKit vulnerability addressed in a recent Rapid Security Response (RSR) update. The updates address a total of 46 CVEs; of those, six are rated critical.
These patches include fixes published as "Rapid Security Response" about two weeks ago. In addition, the update fixes new already exploited vulnerabilities. Apply not just for the new features but for the numerous security improvements included.
You remember the RSR updates about two weeks ago? Here are the regular updates that include them. The RSR fixes were specific to actively exploited/zero-day vulnerabilities: here comes the rest of the set Apple's been working on. iOS and iPadOS 16.6 address 25 CVEs each. Note that Apple also released iOS/iPadOS 15.7.8 to address 11 CVEs. Note that the Safari 16.6 update only applies to macOS Big Sur and Monterey (macOS 11 & 12); the update is included in the macOS 13.5 update.
Security researchers from Midnight Blue in the Netherlands have found five vulnerabilities in the Terrestrial Trunked Radio (TETRA) standard used by law enforcement, emergency responders, and government agencies to communicate by voice and transmit data. The flaws in TETRA’s cryptographic algorithms have existed for years. The flaws could potentially be exploited to achieve “realtime decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning.”
This discovery required an amazing amount of work. In some ways it is sad that uncovering a significant encryption flaw like this was held back by proprietary algorithms and (in the end) weak intellectual property protections. While the flaw was apparently known to some, it was not known to a number of users of the technology who as a result may have unknowingly exposed themselves to significant risk.
There are patches for some of these vulnerabilities: check with your radio system provider. While the vulnerable encryption is predominantly used in Europe, US distributed radios and SCADA systems include the capability to use the TETRA encryption algorithms. Verify that you're using the strongest available encryption for encrypted communication channels. The planned presentation at BlackHat should be illuminating.
I may be overly optimistic, but I think in modern standards most of the world has learned dumbing down encryption so intelligence agencies can maintain access invariably allows evil actors the same access and results in an overall lowering of security, safety and resiliency. TETRA is just one example of many bad decisions that were made long, long ago.
This is a timely reminder why backdoors, whether intentional or otherwise, in encryption tools are not a good idea.
Incidentally, "harvest-now-decrypt-later" is the normal mode of operation for intelligence agencies. Decryption is expensive; one wants to reserve its use to important traffic.
Seven technology companies – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – have voluntarily committed to the Biden administration’s trustworthy AI principles. The companies have committed to ensuring products are safe before bringing them to market, prioritizing security in the development process, and being clear about which content is in its original form and which has been altered by AI.
A positive first step in the public-private partnership around AI. The biggest win is identifying original content or that which has been artificially created. The reality though is that these principles can be easily discarded as competition heats up globally.
Like the efforts for security labelling, this should help our end-users, but we also need to be fully aware that other AI projects, such as WormGPT, are making no such commitment, and are focused on empowering cyber criminals.
Phew, we can all now relax now that big tech companies are going to self-regulate how they develop AI technologies. Sarcasm aside it is good the risks and issues are being identified but sadly with various industries in the past we have seen self-regulation only helps those doing the regulating.
One can only wonder about IBM's absence from this discussion. The pioneer developers of Deep Blue and Watson, committed to "transparency and governance from the ground up" in AI, obviously have something to contribute.
Nextgov
Gov Infosecurity
Washington Post
SC Magazine
White House
White House
Norwegian authorities are investigating a cyberattack that has affected multiple government ministries. The attack affected 12 Norwegian government ministries that use a particular IT platform. According to a press briefing, the attackers exploited a previously unknown vulnerability which has since been mitigated. The country’s Office of the Prime Minister as well as the Foreign Affairs, Defense, and Justice Ministries use a different platform and were not affected in this attack.
Ivanti’s Endpoint Manager (EPMM), formerly known as MobileIron, is the product in question here. Details of the vulnerability and how to remedy it can be found on Ivanti’s site at https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
The cool part about using a central system across multiple organizations is you have commonality and can optimize processes. The other cool part is vulnerabilities can impact all those using it, to include accessing common data repositories. With hosted (cloud or otherwise) services, there are limits to the control you can exercise. Even so, you can make sure that you leverage visibility into the system to monitor its health, and have a good understanding of security, update, and incident response responsibilities. Maintaining those relationships, even if there is little you can change, allows you to have the conversations needed to keep your management happy whether or not the chips are down.
It is incredibly, incredibly difficult to defend against a zero-day vulnerability. What’s unknown is whether the application that was compromised is specific to Norwegian government operations or more generally available for sale globally. If the latter, let’s hope that details will be released soon to defend those other users.
The "particular IT platform" is called ICT, "Information Communication and Technology," a common implementation across the agencies.
According to IBM’s Cost of a Data Breach Report 2023, the average cost associated with a data breach in the healthcare sector was $11 million, up 10 percent over last year. The average cost of a data breach globally was $4.45 million. The report is based on data breaches reported by 553 organizations between March 2022 and March 2023.
These are some eye-popping numbers. Over the last three years we’ve seen double-digit increases reported in cybersecurity budgets and the cost of incident response, yet the number of cyber-attacks continues to increase. So, what’s the answer: more spend on threat detection or a return to the basics (knowing your environment, secure configuration, focus on patching, and active monitoring)? The potential result: removing yourself from being an easy target for cyber criminals.
You need to read reports like this to keep an eye on what breaches cost as well as to reduce their cost, such as involving law enforcement immediately, investing in a security team that is properly trained and resourced, and leveraging tools such as automation and AI to aid your detection and response capabilities. There is no silver bullet, but you can sure stack the deck in your favor.
While an interesting read, be careful how you use the statistics and reported costs of breaches from this report with your own management team. The source of the report is IBM’s customer base, and their costing of breaches, and indeed the size of those organisations, may be much different from your own.
IBM
Health IT Security
Dark Reading
Tampa (Florida) General Hospital (TGH) is notifying 1.2 million patients that their personal data were compromised in a cyber incident that occurred in May of this year. After detecting “unusual activity” on its systems, TGH launched an investigation that revealed the theft of files between May 12 and May 30. TGH says the incident did not affect its electronic health record system.
TGH says “TGH’s monitoring systems and experienced technology professionals effectively prevented encryption…” which sounds good, but somehow exfiltration did happen. This could mean one of those hard to make “disconnect/don’t disconnect” decisions resulted in sensitive data flying out the door. Or it could be monitoring/logging could not disprove access and they erred on the side of warning customers. Both are good scenarios to work through in advance.
Excellent news: the breach was stopped prior to accessing the EHR system! Unfortunately, other systems were accessed which may have names, addresses, and phone numbers, DOB, SSN, insurance information, medical account numbers and treatment dates and descriptions - which sounds a lot like EHR data. Again, they are actively notifying affected patients, recovering and forensicating. The next thing on their list should be determining if that data was properly stored and protected. Recall incidents relating to employees extracting data from source systems to analyze locally, which then gets lost or otherwise mishandled. Make sure you have documented and mitigated, as much as possible, risks in this scenario.
It’s important for TGH to conduct an AAR (After Action Review) to determine the root cause of the data breach. Hopefully they will post the results of that AAR so that defenders, especially in the healthcare sector, can learn from their misfortune.
A vulnerability in AMD Ryzen and Epyc Zen 2 CPUs could be exploited to steal sensitive data at a rate of 30KB/sec per core. Dubbed Zenbleed, the flaw was discovered and reported to AMD in May by Google Project Zero’s Tavis Ormandy. AMD has provided firmware updates to address the vulnerability.
Read the schedule carefully to see which environments will have updates when. While AMD has released their update, the OEM updates are on a staggered schedule where data center servers can get updates today, while your desktop may not be able to update until October, and workstations/mobile are targeted for November/December.
If one is a CISO, wouldn't it be nice to know if one had any of these? This is both a supply-chain and IT asset inventory issue.
In late April, Zyxel released a security advisory for a critical OS command injection vulnerability in its network devices and urged users to apply patches. Five weeks after the fixes were released, Shadowserver said that if devices had not been patched, users/owners should assume compromise. According to a recent report from Fortinet, unpatched Zyxel devices are being drawn into botnets used to launch distributed denial-of-service (DDoS) attacks. The vulnerability (CVE-2023-28771) was added to CISA’s Known Exploited Vulnerabilities catalog at the end of May.
At this point, you have to assume that adversaries know about your Zyxel devices and have likely compromised them. Exploit code is published, and is being used; CISA put out notice, via the KEV, to get these squared away by June 21st. If you've not applied the updates, you need a one-two punch here: first patching, and second active threat hunting.
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added three security issues to its Known Exploited Vulnerabilities Catalog (KEV): a code injection vulnerability in Citrix NetScaler ADC and Gateway and two improper access control vulnerabilities in Adobe ColdFusion. Federal Civilian Executive Branch (FCEB) agencies have until August 9 to mitigate the Citrix vulnerability and until August 10 to mitigate the ColdFusion vulnerabilities.
The guidance is simple on all three: apply mitigations from vendor or discontinue use of the product. Even if products aren't in the "vulnerable configuration" they still have the flawed code, so you still need to update them, before another creative way is discovered to take advantage of the flaws. Make sure that you have lifecycle plans for all of these. Use until fail, aka indefinitely, is never a good plan.
Shodan's API for the (Recon) Win!
https://isc.sans.edu/diary/Shodans+API+For+The+Recon+Win/30050
Apple Updates
https://isc.sans.edu/diary/Apple+Updates+Everything+again/30062
https://support.apple.com/en-us/HT201222
Parsing Data with jq
https://isc.sans.edu/diary/JQ+Another+Tool+We+Thought+We+Knew/30060
TETRA Radio Backdoor
https://www.wired.com/story/tetra-radio-encryption-backdoor/
Stolen Microsoft Key May Have Opened Up a lot more than US Government E-Mail Inboxes
https://www.theregister.com/2023/07/21/microsoft_key_skeleton/
Okta Logs Decoded
https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/
Threat Actors Exploiting Citrix CVE-2023-3519
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a