AI Governance and Cloud Security Needed to Prevent AI Data Disclosures; Check Configuration of Authenticator Apps to Maximize Security Gain; More ASAP Patching of Fortinet Products Required to Mitigate Critical Vulnerabilities

AI governance processes that include data management are critical to avoiding this and many other risks with AI. Think of it this way: Imagine if “Home Cooking AI” ingested everything in your kitchen, which would include food, cleaning supplies, and all your mail sitting in a pile on the counter or on the hard drive of your computer and then you typed in “Give me a recipe for Airline Chicken.” High probability of a poisonous meal and recipes containing the credit card numbers you used on airline reservations…

John Pescatore

This is actually not an AI incident but a Cloud incident. Someone from Microsoft uploaded a huge amount of data into Azure / Github (a Microsoft’s Cloud solution). They misconfigured their configured account, accidentally exposing 37TB of data to the public. In addition, the data was editable, meaning malicious actors could have modified the data. It just so happens the data was AI-related as part of a research project. One of the biggest risks with Cloud is often not cyber threat actors, but privileged users making mistakes. Cloud environments are complex and constantly changing. If you get confused sometimes by the Cloud like I do, think what IT admins and developers are experiencing.

Lance Spitzner

The core problem here was improper scope of the SAS (data sharing) token. It's a lot easier to share an entire collection than specific folders/storage containers. Good opportunity to review how you're training users to only share what's needed, as well as what processes you have to review what's been shared. Also take a look at expiring sharing. While some data will need to be shared indefinitely, other elements simply need to survive for a short interval. When reviewing scope and duration of data shares, also factor in the purpose, keeping an eye on how that can be misused, particularly data used to train AI.

Lee Neely

It continues to be a bad couple months for Microsoft. Interestingly, GitHub recently implemented the capability to scan for secrets. Use the tools that GitHub and Microsoft make available to routinely scan your data repositories.

Curtis Dukes

Google Authenticator is not phishing resistant. I am not sure how much it actually exacerbated the breach in this case. It did its job as advertised. Without Google Authenticator, the breach would have been much simpler. But what Retool is really looking for is a phishing resistant second factor like a FIDO2 token or Passkeys. Additional monitoring of new devices paired with Okta may help as well.

Johannes Ullrich

This one gets messy fast. Retool makes some valid points about Google Authenticator’s syncing features (and it’s one of the reasons I also don’t synch MFA to my Password Manager). However, MFA authenticator apps are known to be phishable, which leads one to ask why a security provider was not using a more robust solution such as FIDO phishing resistant solutions. MFA was supposed to be a simple way to make passwords a much stronger authentication method. The problem is what was supposed to be simple has now become very complex. Not only can we not agree on WHAT to call this (MFA, 2FA, OTP, two-step verification, etc.) but we can’t agree on the HOW (SMS, mobile app generators, push method, etc.). Passkeys attempt to both simplify strong MFA and be phishing resistant, but it’s going to take a looooong time to see that adopted by both people and websites. More on Passkeys at https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner

This comes down to the difference between hard and soft MFA tokens. TOTP apps, such as Authy and the Google and Microsoft Authenticators have provisions to store data to the cloud, which simplifies provisioning them on a new device; it also means the integrity of the OTP code is only as good as the security of the account it's stored in. If your users are enabling this feature, make sure the account is sufficiently robust, as good or better security. Hard tokens, to include smart cards, YubiKey, etc. don't have this capability and should be considered a stronger form of MFA for higher risk access requests, such as VPN, admin accounts, and applications processing sensitive data.

Lee Neely

A multi-stage attack targeting a specific industry segment – cryptocurrency. What’s really interesting is that the attacker(s) used several novel attack techniques to gain the confidence of the Retool employee. This attack serves as a reminder that the IT department should never ask for your authentication code. Separately, Google will have to rethink its strategy for handling MFA codes, even if it means some inconvenience to the user.

Curtis Dukes

Lesson for the rest of us: All security mechanisms have dependencies and limitations which must be managed and compensated for.

William Hugh Murray

Back in 2021 when Fortinet had a rapid increase in vulnerabilities, they put out a blog entry detailing improvements in their development and vulnerability management processes. In 2023, nothing. It is time for Fortinet management to provide assurance that they understand why XSS and other vulnerabilities are still appearing in their security products and that they are making major changes to fix those problems.

John Pescatore

Read that as improper input sanitization so an exploit can be used to execute code or commands. Code reuse means multiple platforms are affected. There is no workaround; the mitigation is to update to the latest version. One hopes Fortinet revisits their commitment to improving code quality from a couple of years ago.

Lee Neely

This doesn’t kick in until 2026 and there is already industry lobbying to derail the legislation. But increased individual control of personal data is a trend that consumers are increasingly demanding. One big reason: companies have a horrible track record of protecting their data! If information was better protected, such as always encrypted when stored, deletion would be both easier to do and less often requested.

John Pescatore

This recently enacted law settles who owns the information that data brokers routinely collect and sell. It has similarities to a part of the European GDPR regulation that stipulates right to be forgotten when it comes to personal information. I suspect that other states will follow suit as they enact privacy laws.

Curtis Dukes

This is about who you allow to track/keep your data. With so many data breaches, it's not clear who you can trust to properly steward this data, so being able to opt out is attractive. The legislation doesn't go into effect until 2026, provided legal challenges are resolved. If you're a data broker, you are going to need to coordinate with the CPPA to find out how the opt-out process works. If you're a consumer, there isn't much you can do until 2026.

Lee Neely

We should all be grateful that the California Legislature takes on some of our most difficult problems. This is well-intended legislation, to address widespread abuse, fraught with limitations and unintended consequences. One does not envy those charged with implementing it.

William Hugh Murray

The gang behind the attack, NoEscape, goes after smaller targets such the Hawai'i Community College; Italian technical consultancy Kreacta; Lithuania's Republican Vilnius Psychiatric Hospital; and Taiwanese electronic connector manufacturing company Avertronics; while avoiding targets in Russia. The gang claims to have reams of data (80 Gb) and, true to form, is threatening to publish it. The question, for your next exercise, is would you, if faced with publication of sensitive internal documents, pay the ransom or hold the line? Where is your risk tolerance?

Lee Neely

Yet another ransomware attack. Notwithstanding the positive actions taken to date by international law enforcement, 2023 continues to see an increase in ransomware attacks globally.

Curtis Dukes

ORBCOMM is targeting September 28th for full resumption of services, at which point permission for the use of paper logs will be revoked. Ironically, the truckers fought the transition to ELD in 2019, and are now struggling to return to them. When creating DR/BC plans, which include steps like reverting to paper, be sure to include what will be done with that paper, to include the impacts of transitioning those to electronic records.

Lee Neely

This ransomware attack serves as an important reminder that, for the immediate future, organizations should review manual processes should on-line systems be compromised. This is particularly important in the healthcare sector, and now, the trucking industry.

Curtis Dukes

The derivation of results/state is dependent on participating agencies providing all the needed feeds into their CDM dashboard. When present, a lot of analysis can identify gaps in the identity management, privilege management, mobile identity management and even behavior and trust. The architecture covers aspects you need to factor in for Zero Trust as well as convention ICAM activities. Food for thought as you move to more modern cyber security models centered on identity rather than the network.

Lee Neely

This guidance addresses a difficult problem that history suggests government has often gotten wrong.

William Hugh Murray

CVE-2023-29491, with a base CVSS score of 7.8, is being reanalyzed by NIST; it still warrants addressing. In case you're thinking ncurses is familiar but not recent, the library was first released in 1993 and provides mechanisms for handing creating windows, manipulating text, user input, colors etc. for terminal based applications. The maintainer created an updated version 6.4.20230408; Apple and RedHat released updates which address the flaws in September. Make sure that your ncurses libraries are up to date.

Lee Neely

Threat actors appear to be targeting police units in the UK. In both these attacks, the third-party service provider was breached. This raises questions about how you are verifying the security of your third-party providers. Particularly ones handling sensitive data like W-2, personnel hiring, insurance, legal claims, etc. Make sure you're re-assessing/validating those controls regularly, optimally annually.

Lee Neely