SANS NewsBites

AI Governance and Cloud Security Needed to Prevent AI Data Disclosures; Check Configuration of Authenticator Apps to Maximize Security Gain; More ASAP Patching of Fortinet Products Required to Mitigate Critical Vulnerabilities

September 19, 2023  |  Volume XXV - Issue #74

Top of the News


2023-09-18

Microsoft AI Researchers Accidentally Expose Data

The Wiz Research Team discovered that Microsoft AI researchers inadvertently exposed 38 terabytes of private data while publishing open source training data on GitHub. The issue was due to an “overly-permissive Shared Access Signature token for an internal storage account.” The compromised data included passwords, private keys, secrets, and more than 30,000 internal Microsoft Teams messages. Wiz notified Microsoft through a Coordinated Vulnerability Disclosure (CVD) report.

Editor's Note

AI governance processes that include data management are critical to avoiding this and many other risks with AI. Think of it this way: Imagine if “Home Cooking AI” ingested everything in your kitchen, which would include food, cleaning supplies, and all your mail sitting in a pile on the counter or on the hard drive of your computer and then you typed in “Give me a recipe for Airline Chicken.” High probability of a poisonous meal and recipes containing the credit card numbers you used on airline reservations…

John Pescatore

This is actually not an AI incident but a Cloud incident. Someone from Microsoft uploaded a huge amount of data into Azure / Github (a Microsoft cloud solution). They misconfigured their account, accidentally exposing 37TB of data to the public. In addition, the data was editable, meaning malicious actors could have modified the data. It just so happens the data was AI-related as part of a research project. One of the biggest risks with Cloud is often not cyber threat actors, but privileged users making mistakes. Cloud environments are complex and constantly changing. If you get confused sometimes by the Cloud like I do, think what IT admins and developers are experiencing.

Lance Spitzner

The core problem here was improper scope of the SAS (data sharing) token. It's a lot easier to share an entire collection than specific folders/storage containers. Good opportunity to review how you're training users to only share what's needed, as well as what processes you have to review what's been shared. Also take a look at expiring sharing. While some data will need to be shared indefinitely, other elements simply need to survive for a short interval. When reviewing scope and duration of data shares, also factor in the purpose, keeping an eye on how that can be misused, particularly data used to train AI.

Lee Neely
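As an added illustration of the scope and expiry points raised above (example code, not from the NewsBites editors, Wiz or Microsoft), the following Python checker parses the query parameters of an Azure Storage SAS URL and reports the settings a reviewer of existing shares would flag. The storage account name, both sample URLs and the 30-day lifetime policy are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Assumed policy value: shares living longer than this get flagged for review.
MAX_SAS_LIFETIME = timedelta(days=30)
# Constructed reference time for the audit.
AUDIT_TIME = datetime(2023, 9, 18, tzinfo=timezone.utc)

# Constructed sample: account-level SAS, read/write/delete/list, expiry decades out.
OVERLY_PERMISSIVE_URL = (
    "https://exampleaccount.blob.core.windows.net/"
    "?sv=2021-06-08&ss=b&srt=sco&sp=rwdlac&se=2050-10-06T00:00:00Z&sig=REDACTED"
)
# Constructed sample: single-blob SAS, read-only, one-week expiry, IP-restricted.
TIGHT_URL = (
    "https://exampleaccount.blob.core.windows.net/training/dataset.tar"
    "?sv=2021-06-08&sr=b&sp=r&se=2023-09-25T00:00:00Z"
    "&sip=203.0.113.0-203.0.113.255&sig=REDACTED"
)


def audit_sas_url(url, now=None):
    """Return a list of findings (strings) for an Azure Storage SAS URL.

    Looks at permissions (sp), resource scope (srt/ss for account SAS,
    sr for service SAS), expiry (se) and source IP range (sip).
    """
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []

    perms = set(q.get("sp", ""))
    if perms & set("wdcaup"):  # write, delete, create, add, update, permanent delete
        findings.append("grants write/delete permissions: sp=%s" % q.get("sp", ""))
    if "l" in perms:
        findings.append("grants list permission (enumerates every blob in scope)")

    if "srt" in q:  # account SAS: s=service, c=container, o=object
        findings.append("account-level SAS: services ss=%s, resource types srt=%s"
                        % (q.get("ss", ""), q["srt"]))
    elif q.get("sr") == "c":
        findings.append("service SAS scoped to a whole container, not one blob")

    se = q.get("se")
    if not se:
        findings.append("no expiry (se) on token")
    else:
        expiry = datetime.fromisoformat(se.rstrip("Z")).replace(tzinfo=timezone.utc)
        if expiry - now > MAX_SAS_LIFETIME:
            findings.append("expiry %s is more than %d days out" % (se, MAX_SAS_LIFETIME.days))

    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return findings
```

Run it over the URLs your teams have actually handed out (the `sig` value is never needed for the check) and review any share that returns a non-empty list.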

It continues to be a bad couple of months for Microsoft. Interestingly, GitHub recently implemented the capability to scan for secrets. Use the tools that GitHub and Microsoft make available to routinely scan your data repositories.

Curtis Dukes

2023-09-18

Retool: Google Authenticator Feature Exacerbated Breach

Late last month, software development tool firm Retool notified 27 cloud customers of unauthorized access to their accounts. On August 27, Retool was the target of a successful spear-phishing attack that resulted in the disclosure of a multi-factor authentication (MFA) code. Retool says the breach was made worse by a new synchronization feature in Google Authenticator that syncs MFA codes to the cloud. The incident did not affect on-prem or managed accounts.

Editor's Note

Google Authenticator is not phishing resistant. I am not sure how much it actually exacerbated the breach in this case. It did its job as advertised. Without Google Authenticator, the breach would have been much simpler. But what Retool is really looking for is a phishing resistant second factor like a FIDO2 token or Passkeys. Additional monitoring of new devices paired with Okta may help as well.

Johannes Ullrich

This one gets messy fast. Retool makes some valid points about Google Authenticator’s syncing features (and it’s one of the reasons I also don’t sync MFA to my Password Manager). However, MFA authenticator apps are known to be phishable, which leads one to ask why a security provider was not using a more robust solution such as FIDO phishing resistant solutions. MFA was supposed to be a simple way to make passwords a much stronger authentication method. The problem is what was supposed to be simple has now become very complex. Not only can we not agree on WHAT to call this (MFA, 2FA, OTP, two-step verification, etc.) but we can’t agree on the HOW (SMS, mobile app generators, push method, etc.). Passkeys attempt to both simplify strong MFA and be phishing resistant, but it’s going to take a looooong time to see that adopted by both people and websites. More on Passkeys at https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner

This comes down to the difference between hard and soft MFA tokens. TOTP apps, such as Authy and the Google and Microsoft Authenticators, have provisions to store data to the cloud, which simplifies provisioning them on a new device; it also means the integrity of the OTP code is only as good as the security of the account it's stored in. If your users are enabling this feature, make sure the account is sufficiently robust, with as good or better security. Hard tokens, to include smart cards, YubiKey, etc., don't have this capability and should be considered a stronger form of MFA for higher risk access requests, such as VPN, admin accounts, and applications processing sensitive data.

Lee Neely

A multi-stage attack targeting a specific industry segment – cryptocurrency. What’s really interesting is that the attacker(s) used several novel attack techniques to gain the confidence of the Retool employee. This attack serves as a reminder that the IT department should never ask for your authentication code. Separately, Google will have to rethink its strategy for handling MFA codes, even if it means some inconvenience to the user.

Curtis Dukes

Lesson for the rest of us: All security mechanisms have dependencies and limitations which must be managed and compensated for.

William Hugh Murray

2023-09-18

Fortinet Releases Patches for Stored XSS Vulnerability

Fortinet has released patches for an improper neutralization of input during web page generation vulnerability that affects multiple versions of FortiProxy and FortiOS. The high-severity flaw (CVE-2023-29183) could be exploited in cross-site scripting (XSS) attacks. Users are urged to upgrade to the following or newer versions: FortiProxy 7.2.5, FortiProxy 7.0.10, FortiOS 7.4.0, FortiOS 7.2.5, FortiOS 7.0.12, FortiOS 6.4.13, or FortiOS 6.2.15.

Editor's Note

Back in 2021 when Fortinet had a rapid increase in vulnerabilities, they put out a blog entry detailing improvements in their development and vulnerability management processes. In 2023, nothing. It is time for Fortinet management to provide assurance that they understand why XSS and other vulnerabilities are still appearing in their security products and that they are making major changes to fix those problems.

John Pescatore

Read that as improper input sanitization so an exploit can be used to execute code or commands. Code reuse means multiple platforms are affected. There is no workaround; the mitigation is to update to the latest version. One hopes Fortinet revisits their commitment to improving code quality from a couple of years ago.

Lee Neely

The Rest of the Week's News


2023-09-15

New California Law Would Allow Consumers More Control Over Their Data

Lawmakers in California have passed the “Delete Law,” which would give consumers the ability to demand that data brokers delete all their personal information. If the governor signs the bill into law, the California Privacy Protection Agency (CPPA) will be tasked with creating a website that allows consumers to opt out of letting data brokers collect their information with a single request.

Editor's Note

This doesn’t kick in until 2026 and there is already industry lobbying to derail the legislation. But increased individual control of personal data is a trend that consumers are increasingly demanding. One big reason: companies have a horrible track record of protecting their data! If information was better protected, such as always encrypted when stored, deletion would be both easier to do and less often requested.

John Pescatore

This recently enacted law settles who owns the information that data brokers routinely collect and sell. It has similarities to a part of the European GDPR regulation that stipulates a right to be forgotten when it comes to personal information. I suspect that other states will follow suit as they enact privacy laws.

Curtis Dukes

This is about who you allow to track/keep your data. With so many data breaches, it's not clear who you can trust to properly steward this data, so being able to opt out is attractive. The legislation doesn't go into effect until 2026, provided legal challenges are resolved. If you're a data broker, you are going to need to coordinate with the CPPA to find out how the opt-out process works. If you're a consumer, there isn't much you can do until 2026.

Lee Neely

We should all be grateful that the California Legislature takes on some of our most difficult problems. This is well-intended legislation, to address widespread abuse, fraught with limitations and unintended consequences. One does not envy those charged with implementing it.

William Hugh Murray

2023-09-15

US/Canada Water Rights Management Organization Confirms Cyber Incident

An organization that manages water rights on the US/Canada border has confirmed that it was the victim of a cyberattack. The International Joint Commission oversees water rights and related matters for bodies of water that exist along the border of the two countries.

Editor's Note

The gang behind the attack, NoEscape, goes after smaller targets such as the Hawai'i Community College; Italian technical consultancy Kreacta; Lithuania's Republican Vilnius Psychiatric Hospital; and Taiwanese electronic connector manufacturing company Avertronics; while avoiding targets in Russia. The gang claims to have reams of data (80 Gb) and, true to form, is threatening to publish it. The question, for your next exercise, is would you, if faced with publication of sensitive internal documents, pay the ransom or hold the line? Where is your risk tolerance?

Lee Neely

Yet another ransomware attack. Notwithstanding the positive actions taken to date by international law enforcement, 2023 continues to see an increase in ransomware attacks globally.

Curtis Dukes

2023-09-15

ORBCOMM Suffers Ransomware Attack

ORBCOMM, a company that provides electronic logging device (ELD) systems for the trucking industry, experienced a ransomware attack earlier this month that resulted in system outages. The US Department of Transportation (DOT) requires the use of ELDs to ensure drivers do not exceed the number of hours behind the wheel established by federal safety regulations. Carriers using ORBCOMM devices have been using paper logging while the system is unavailable.

Editor's Note

ORBCOMM is targeting September 28th for full resumption of services, at which point permission for the use of paper logs will be revoked. Ironically, the truckers fought the transition to ELD in 2019, and are now struggling to return to them. When creating DR/BC plans, which include steps like reverting to paper, be sure to include what will be done with that paper, to include the impacts of transitioning those to electronic records.

Lee Neely

This ransomware attack serves as an important reminder that, for the immediate future, organizations should review manual processes should on-line systems be compromised. This is particularly important in the healthcare sector, and now, the trucking industry.

Curtis Dukes

2023-09-18

CISA Guidance on Identity, Credential, and Access Management (ICAM) Reference Architecture

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a guide to Identity, Credential, and Access Management (ICAM) Reference Architecture as part of its Continuous Diagnostics and Mitigation (CDM) Program. The “document refines and clarifies the CDM Program’s Identity and Access Management (IDAM) scope by providing a reference for how CDM IDAM capabilities may integrate into an agency’s ICAM architecture.”

Editor's Note

The derivation of results/state is dependent on participating agencies providing all the needed feeds into their CDM dashboard. When present, a lot of analysis can identify gaps in the identity management, privilege management, mobile identity management and even behavior and trust. The architecture covers aspects you need to factor in for Zero Trust as well as conventional ICAM activities. Food for thought as you move to more modern cyber security models centered on identity rather than the network.

Lee Neely

This guidance addresses a difficult problem that history suggests government has often gotten wrong.

William Hugh Murray

2023-09-15

Memory Corruption Vulnerabilities in ncurses Library

Microsoft researchers detected “a set of memory corruption vulnerabilities in a library called ncurses, which provides APIs that support text-based user interfaces (TUI).” The vulnerabilities could be exploited to execute malicious code on Linux and macOS systems. Microsoft disclosed the vulnerabilities to the library’s maintainers, who fixed the flaws in April 2023.

Editor's Note

CVE-2023-29491, with a base CVSS score of 7.8, is being reanalyzed by NIST; it still warrants addressing. In case you're thinking ncurses is familiar but not recent, the library was first released in 1993 and provides mechanisms for creating windows, manipulating text, user input, colors etc. for terminal-based applications. The maintainer created an updated version 6.4.20230408; Apple and Red Hat released updates which address the flaws in September. Make sure that your ncurses libraries are up to date.

Lee Neely

2023-09-15

Greater Manchester Police Data Compromised in Third-Party Cybersecurity Incident

A cyberattack that targeted an ID-card manufacturing company has exposed personal information of Greater Manchester Police (GMP) officers. The compromised data includes names, photographs, and serial numbers. The UK National Crime Agency is investigating the incident. GMP has more than 8,000 police officers. The attack bears many similarities to an attack that targeted London’s Metropolitan Police last month.

Editor's Note

Threat actors appear to be targeting police units in the UK. In both these attacks, the third-party service provider was breached. This raises questions about how you are verifying the security of your third-party providers, particularly ones handling sensitive data like W-2, personnel hiring, insurance, legal claims, etc. Make sure you're re-assessing/validating those controls regularly, optimally annually.

Lee Neely

Internet Storm Center Tech Corner