AI Becoming a Top Concern for Governments Globally; Patch Critical Vulnerability in F5 BIG-IP; Chrome HTTPS Upgrade

This is a very broad initiative and you could replace every mention of “Artificial Intelligence” with “New Technology” and it would pretty much read this same. What needs to be focused on is governance and essential security hygiene of AI and one really important area: stronger authentication to enable more use of encryption and digital signatures to be enable differentiating between real information and AI-product dis/misinformation.

This is a very broad directive. Capability and content filtering has been problematic in the past, eroding trust of the user. The administration, likely CISA, is going to be issuing guidance for agency use of AI, speed acquisition of AI products and hiring of AI professionals as part of a government-wide AI talent surge. Look to where you can leverage AI, possibly with a very focused training set, to help drive innovation and opportunities.

This is a very broad statement covering numerous different areas and tasking a large number of US federal departments and agencies. This EO is less about “AI is evil we need to control it” and much more about “AI is the next big thing and the US wants to lead it.” What is interesting about this EO is not only its breadth but timing. The UK government is leading an international AI summit this week; the US made sure to release this EO the day before the summit. In addition to the EO, the US government is promoting their new https://ai.gov/ website which is all about getting people training and jobs in AI.

The long awaited EO has dropped. It is rather extensive especially in the areas of research and applications. There is considerable focus on US strategic national advantage. What is a bit surprising is that there is little on international cooperation or standards making other than multiple references to actions among ‘international allies and partners.’ Hopefully that will be corrected in multi-lateral discussions.

Large language models (LLMs) are the newest user interface to the computer. They enable us to express the result that we want in natural language. Like every new UI in the past, they make the computer a more powerful tool and open up new applications. That said, the computer remains a tool. Tools vary in quality, utility, usability, and use. The user is responsible for the selection of the tool, its application, and all the properties of the result. We forget any part of that at our peril. We should not impute authority or autonomy to the tool. While regulating the quality of the tool may be useful, it will not ensure good results. Only the user can do that.

Big-IP from F5 is heavily used in many orgs and may even front end many commercial services. This could have a lot of impacts à la NetScaler. Unauthenticated RCE in the configuration utility would normally not be exposed to the internet but it's 2023 and all bets are off! Seeing that there is a mitigation script with a lot of detail, expect an exploit soon.

Two flaws here: CVE-2023-46747, CVSS score 9.8, unauthenticated remote code execution, which can give an attacker full admin rights, and CVE-20232-46748, CVSS score 8.8, SQLi vulnerability. When reading the affected versions, note that F5 only checks products that have not reached technical end of life, so don't assume you're not vulnerable if you're on an older release. Regardless, make sure you're moving to the most recent release with applied hotfixes. Then make sure that your traffic management user interface is not exposed to the internet or untrusted networks. The hotfixes have minimal QA testing, so you need to keep an eye out for the next scheduled software release which includes those fixes with more extensive QA, and then apply that update as well. Don't wait for the QA release, apply the hotfix now, this is going to be actively exploited.

The vulnerability affects versions back to 13.x, which means the vulnerability has been lurking around since 2017. Further, as it is a remote code execution bug with a CVSS score of 9.8, download and update your devices immediately.

This essentially makes "Strict Transport Security" the default behavior for Google Chrome, with the exception that users may still force http instead of https (but they have to deliberately do so). It may also lead to difficulties with old http only devices.

In short, the browser will attempt an HTTPS connection even if HTTP is used, falling back where needed, a slight raising of the bar, as mixed content (HTTP/HTTPS) pages, like those with forms, are still possible and sites with an HTTPS opt-out header are still respected. The behavior is for main frame navigation, not subresource requests, which are controlled by the user agent's policy on blockable and upgradable mixed content.

Another excellent security move by the Googler’s. HTTPS introduces encryption to protect user information and is therefore far more secure. Don’t make the user have to decide on security configuration; make it the default.

The US has failed for the past 20 years to pass any federal data privacy laws, so this type of agency by agency/state by state mish mash of needed rules is what happens. Reporting the data required within 30 days is not onerous, and the clock does not even start until detection.

The new FTC rule appears to be redundant with state breach notification laws. That said, I do believe that the government should be made aware of cyber breaches that affect its citizens. Perhaps over time, the federal government can create one set of incident reporting rules applicable to every industry sector instead of this hodge-podge of reporting requirements at both the state and federal level.

Non-banking financial institutions include payday lenders, mortgage brokers, motor vehicle dealers, investment firms, insurance companies, asset management firms, and peer-to-peer lenders. The rule applies to incidents that affect 500 or more customers, and seems focused on unauthorized access to unencrypted information, and includes provisions for a 60-day delay of public disclosure if requested by law-enforcement. With other regulators, including local state requirements, which also have reporting requirements, you'll want to update your playbook, double checking what the most restrictive reporting requirements are, to ensure you've got all the data necessary to report within the expected interval.

With the exception of card not present fraud, which this initiative does not address, and compared to healthcare or software, this industry has been pretty clean. One does not expect this requirement to have much impact.

The use of DNS filtering services should be a no-brainer for all state and local K-12 school systems.

Kudos to the UK National Cyber Security Centre (NCSC) for expanding its Protective Domain Name Service (PDNS) to schools. PDNS is already available for free to UK public sector bodies and filters out known malicious domains and IP addresses. This should help UK schools to better protect themselves. If you are in the UK and qualify for PDNS I strongly encourage you to apply for this service.

The service, planned for rollout over the next year, blocks access to known malicious sites by not resolving them. The year rollout is to make sure the service scales. The service includes both metrics for organizations about their use as well as support to resolve any issues. When implementing a secure DNS solution, make sure that all DNS lookups are routed to it, like DNS over HTTPS or TLS, aren't allowed to end-run the solution.

Kudos to the NCSC for making DNS filtering available to the UK school system. DNS filtering is a relatively straight-forward way to block malicious websites, and is one of the simplest and effective security solutions to implement. For non-UK citizens there are a number of free DNS filtering services available to you (i.e., Cloudflare, Quad9, Google Public DNS, etc).

The patches have been out for three weeks, the POC exploit is out there, and the vulnerability has a new name "Citrix Bleed," (a nod to the 2014 Heartbleed vulnerability). Time to stop planning and get this fixed. At this point, assume compromise, get your threat hunters checking those IOCs now.

Exploits are out for this and the vector is juicy.