SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Microsoft AI Researchers Accidentally Expose Data
The Wiz Researcher Team discovered that Microsoft AI researchers inadvertently exposed 38 terabytes of private data while publishing open source training data in GitHub. The issue was due to an “overly-permissive Shared Access Signature token for an internal storage account. The compromised data include passwords, private keys, secrets, and more than 30,000 internal Microsoft Teams messages. Wiz notified Microsoft through a Coordinated Vulnerability Disclosure (CVD) report.
Editor's Notes
- Slide 1 of 4
AI governance processes that include data management are critical to avoiding this and many other risks with AI. Think of it this way: Imagine if “Home Cooking AI” ingested everything in your kitchen, which would include food, cleaning supplies, and all your mail sitting in a pile on the counter or on the hard drive of your computer and then you typed in “Give me a recipe for Airline Chicken.” High probability of a poisonous meal and recipes containing the credit card numbers you used on airline reservations…
- Slide 2 of 4
This is actually not an AI incident but a Cloud incident. Someone from Microsoft uploaded a huge amount of data into Azure / Github (a Microsoft’s Cloud solution). They misconfigured their configured account, accidentally exposing 37TB of data to the public. In addition, the data was editable, meaning malicious actors could have modified the data. It just so happens the data was AI-related as part of a research project. One of the biggest risks with Cloud is often not cyber threat actors, but privileged users making mistakes. Cloud environments are complex and constantly changing. If you get confused sometimes by the Cloud like I do, think what IT admins and developers are experiencing.
- Slide 3 of 4
The core problem here was improper scope of the SAS (data sharing) token. It's a lot easier to share an entire collection than specific folders/storage containers. Good opportunity to review how you're training users to only share what's needed, as well as what processes you have to review what's been shared. Also take a look at expiring sharing. While some data will need to be shared indefinitely, other elements simply need to survive for a short interval. When reviewing scope and duration of data shares, also factor in the purpose, keeping an eye on how that can be misused, particularly data used to train AI.
- Slide 4 of 4
It continues to be a bad couple months for Microsoft. Interestingly, GitHub recently implemented the capability to scan for secrets. Use the tools that GitHub and Microsoft make available to routinely scan your data repositories.
Slide 1 of 0- Slide 1 of 4
Retool: Google Authenticator Feature Exacerbated Breach
Late last month, software development tool firm Retool notified 27 cloud customers of unauthorized access to their accounts. On August 27, Retool was the target of a successful spear-phishing attack that resulted in the disclosure of a multi-factor authentication (MFA) code. Retool says the breach was made worse by a new synchronization feature in Google Authenticator that syncs MFA codes to the cloud. The incident did not affect on-prem or managed accounts.
Editor's Notes
- Slide 1 of 5
Google Authenticator is not phishing resistant. I am not sure how much it actually exacerbated the breach in this case. It did its job as advertised. Without Google Authenticator, the breach would have been much simpler. But what Retool is really looking for is a phishing resistant second factor like a FIDO2 token or Passkeys. Additional monitoring of new devices paired with Okta may help as well.
- Slide 2 of 5
This one gets messy fast. Retool makes some valid points about Google Authenticator’s syncing features (and it’s one of the reasons I also don’t synch MFA to my Password Manager). However, MFA authenticator apps are known to be phishable, which leads one to ask why a security provider was not using a more robust solution such as FIDO phishing resistant solutions. MFA was supposed to be a simple way to make passwords a much stronger authentication method. The problem is what was supposed to be simple has now become very complex. Not only can we not agree on WHAT to call this (MFA, 2FA, OTP, two-step verification, etc.) but we can’t agree on the HOW (SMS, mobile app generators, push method, etc.). Passkeys attempt to both simplify strong MFA and be phishing resistant, but it’s going to take a looooong time to see that adopted by both people and websites. More on Passkeys at https://www.sans.org/blog/what-is-phishing-resistant-mfa/
- Slide 3 of 5
This comes down to the difference between hard and soft MFA tokens. TOTP apps, such as Authy and the Google and Microsoft Authenticators have provisions to store data to the cloud, which simplifies provisioning them on a new device; it also means the integrity of the OTP code is only as good as the security of the account it's stored in. If your users are enabling this feature, make sure the account is sufficiently robust, as good or better security. Hard tokens, to include smart cards, YubiKey, etc. don't have this capability and should be considered a stronger form of MFA for higher risk access requests, such as VPN, admin accounts, and applications processing sensitive data.
- Slide 4 of 5
A multi-stage attack targeting a specific industry segment – cryptocurrency. What’s really interesting is that the attacker(s) used several novel attack techniques to gain the confidence of the Retool employee. This attack serves as a reminder that the IT department should never ask for your authentication code. Separately, Google will have to rethink its strategy for handling MFA codes, even if it means some inconvenience to the user.
- Slide 5 of 5
Lesson for the rest of us: All security mechanisms have dependencies and limitations which must be managed and compensated for.
Slide 1 of 0- Slide 1 of 5
Fortinet Releases Patches for Stored XSS Vulnerability
Fortinet has released patches for an improper neutralization of input during web page generation vulnerability that affects multiple versions of FortiProxy and FortiOS. The high-severity flaw (CVE-2023-29183) could be exploited in cross-site scripting (XSS) attacks. Users are urged to upgrade to the following or newer versions: FortiProxy 7.2.5, FortiProxy 7.0.10, FortiOS 7.4.0, FortiOS 7.2.5, FortiOS 7.0.12, 6.4.13, or FortiOS version 6.2.15.
Editor's Notes
- Slide 1 of 2
Back in 2021 when Fortinet had a rapid increase in vulnerabilities, they put out a blog entry detailing improvements in their development and vulnerability management processes. In 2023, nothing. It is time for Fortinet management to provide assurance that they understand why XSS and other vulnerabilities are still appearing in their security products and that they are making major changes to fix those problems.
- Slide 2 of 2
Read that as improper input sanitization so an exploit can be used to execute code or commands. Code reuse means multiple platforms are affected. There is no workaround; the mitigation is to update to the latest version. One hopes Fortinet revisits their commitment to improving code quality from a couple of years ago.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
New California Law Would Allow Consumers More Control Over Their Data
Lawmakers in California have passed the “Delete Law,” which would give consumers the ability to demand that data brokers delete all their personal information. If the governor signs the bill into law, the California Privacy Protection Agency (CPPA) will be tasked with creating a website that allows consumers to opt out of letting data brokers collect their information with a single request.
Editor's Notes
- Slide 1 of 4
This doesn’t kick in until 2026 and there is already industry lobbying to derail the legislation. But increased individual control of personal data is a trend that consumers are increasingly demanding. One big reason: companies have a horrible track record of protecting their data! If information was better protected, such as always encrypted when stored, deletion would be both easier to do and less often requested.
- Slide 2 of 4
This recently enacted law settles who owns the information that data brokers routinely collect and sell. It has similarities to a part of the European GDPR regulation that stipulates right to be forgotten when it comes to personal information. I suspect that other states will follow suit as they enact privacy laws.
- Slide 3 of 4
This is about who you allow to track/keep your data. With so many data breaches, it's not clear who you can trust to properly steward this data, so being able to opt out is attractive. The legislation doesn't go into effect until 2026, provided legal challenges are resolved. If you're a data broker, you are going to need to coordinate with the CPPA to find out how the opt-out process works. If you're a consumer, there isn't much you can do until 2026.
- Slide 4 of 4
We should all be grateful that the California Legislature takes on some of our most difficult problems. This is well-intended legislation, to address widespread abuse, fraught with limitations and unintended consequences. One does not envy those charged with implementing it.
Slide 1 of 0- Slide 1 of 4
US/Canada Water Rights Management Organization Confirms Cyber Incident
An organization that manages water rights on the US/Canada border has confirmed that it was the victim of a cyberattack. The International Joint Commission oversees water rights and related matters for bodies of water that exist along the border of the two countries.
Editor's Notes
- Slide 1 of 2
The gang behind the attack, NoEscape, goes after smaller targets such the Hawai'i Community College; Italian technical consultancy Kreacta; Lithuania's Republican Vilnius Psychiatric Hospital; and Taiwanese electronic connector manufacturing company Avertronics; while avoiding targets in Russia. The gang claims to have reams of data (80 Gb) and, true to form, is threatening to publish it. The question, for your next exercise, is would you, if faced with publication of sensitive internal documents, pay the ransom or hold the line? Where is your risk tolerance?
- Slide 2 of 2
Yet another ransomware attack. Notwithstanding the positive actions taken to date by international law enforcement, 2023 continues to see an increase in ransomware attacks globally.
Slide 1 of 0- Slide 1 of 2
ORBCOMM Suffers Ransomware Attack
ORBCOMM, a company that provides electronic logging device (ELD) systems for the trucking industry, experienced a ransomware attack earlier this month. That resulted in system outages. The US Department of Transportation (DOT) requires the use of ELDs to ensure drivers do not exceed the number of hours behind the wheel as established by federal safety regulations. Carriers using ORBCOMM devices have been using paper logging while the system is unavailable.
Editor's Notes
- Slide 1 of 2
ORBCOMM is targeting September 28th for full resumption of services, at which point permission for the use of paper logs will be revoked. Ironically, the truckers fought the transition to ELD in 2019, and are now struggling to return to them. When creating DR/BC plans, which include steps like reverting to paper, be sure to include what will be done with that paper, to include the impacts of transitioning those to electronic records.
- Slide 2 of 2
This ransomware attack serves as an important reminder that, for the immediate future, organizations should review manual processes should on-line systems be compromised. This is particularly important in the healthcare sector, and now, the trucking industry.
Slide 1 of 0- Slide 1 of 2
CISA Guidance on Identity, Credential, and Access Management (ICAM) Reference Architecture
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a guide to Identity, Credential, and Access Management (ICAM) Reference Architecture as part of its Continuous Diagnostics and Mitigation (CDM) Program. The “document refines and clarifies the CDM Program’s Identity and Access Management (IDAM) scope by providing a reference for how CDM IDAM capabilities may integrate into an agency’s ICAM architecture.”
Editor's Notes
- Slide 1 of 2
The derivation of results/state is dependent on participating agencies providing all the needed feeds into their CDM dashboard. When present, a lot of analysis can identify gaps in the identity management, privilege management, mobile identity management and even behavior and trust. The architecture covers aspects you need to factor in for Zero Trust as well as convention ICAM activities. Food for thought as you move to more modern cyber security models centered on identity rather than the network.
- Slide 2 of 2
This guidance addresses a difficult problem that history suggests government has often gotten wrong.
Slide 1 of 0- Slide 1 of 2
Memory Corruption Vulnerabilities in ncurses Library
Microsoft researchers detected “a set of memory corruption vulnerabilities in a library called ncurses, which provides APIs that support text-based user interfaces (TUI).” The vulnerabilities could be exploited to execute malicious code on Linux and macOS systems. Microsoft disclosed the vulnerabilities to the library’s maintainers, who fixed the flaws in April 2023.
Editor's Notes
CVE-2023-29491, with a base CVSS score of 7.8, is being reanalyzed by NIST; it still warrants addressing. In case you're thinking ncurses is familiar but not recent, the library was first released in 1993 and provides mechanisms for handing creating windows, manipulating text, user input, colors etc. for terminal based applications. The maintainer created an updated version 6.4.20230408; Apple and RedHat released updates which address the flaws in September. Make sure that your ncurses libraries are up to date.
Greater Manchester Police Data Compromised in Third-Party Cybersecurity Incident
A cyberattack that targeted an ID-card manufacturing company has exposed personal information of Greater Manchester Police (GMP) officers. The compromised data includes names, photographs, and serial numbers. The UK National Crime Agency is investigating the incident. GMP has more than 8,000 police officers. The attack bears many similarities to an attack that targeted London’s Metropolitan Police last month.
Editor's Notes
Threat actors appear to be targeting police units in the UK. In both these attacks, the third-party service provider was breached. This raises questions about how you are verifying the security of your third-party providers. Particularly ones handling sensitive data like W-2, personnel hiring, insurance, legal claims, etc. Make sure you're re-assessing/validating those controls regularly, optimally annually.
Internet Storm Center Tech Corner
Internet Wide Multi VPN Search from Single /24 Network
https://isc.sans.edu/diary/Internet+Wide+Multi+VPN+Search+From+Single+24+Network/30226
iOS/iPadOS/tvOS/WatchOS Updates
https://support.apple.com/en-us/HT201222
Juniper Vuln Details/Exploit CVE-2023-36845
https://vulncheck.com/blog/juniper-cve-2023-36845
When MFA isn't actually MFA
https://retool.com/blog/mfa-isnt-mfa/
QNAP Patches
https://www.qnap.com/en/security-advisories?ref=security_advisory_details
Chrome able to use Apple Keychain Passkeys
https://9to5google.com/2023/09/14/chrome-118-icloud-passkey/
Fortinet XSS
https://fortiguard.fortinet.com/psirt/FG-IR-23-106
vBulletin XSS
https://gist.github.com/GiongfNef/8fe658dce4c7fcf3a7b4e6387e50141c