SANS NewsBites

AI Becoming a Top Concern for Governments Globally; Patch Critical Vulnerability in F5 BIG-IP; Chrome HTTPS Upgrade

October 31, 2023  |  Volume XXV - Issue #86

Top of the News


2023-10-30

White House Issues AI Executive Order

The White House has issued an Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The EO includes provisions that include new standards for AI safety and security; mandated testing for AI models to ensure they cannot be used to create weapons; and addressing privacy and job displacement.

Editor's Note

This is a very broad initiative and you could replace every mention of “Artificial Intelligence” with “New Technology” and it would pretty much read the same. What needs to be focused on is governance and essential security hygiene of AI and one really important area: stronger authentication to enable more use of encryption and digital signatures, to enable differentiating between real information and AI-produced dis/misinformation.

John Pescatore

This is a very broad directive. Capability and content filtering has been problematic in the past, eroding trust of the user. The administration, likely CISA, is going to be issuing guidance for agency use of AI, speed acquisition of AI products and hiring of AI professionals as part of a government-wide AI talent surge. Look to where you can leverage AI, possibly with a very focused training set, to help drive innovation and opportunities.

Lee Neely

This is a very broad statement covering numerous different areas and tasking a large number of US federal departments and agencies. This EO is less about “AI is evil we need to control it” and much more about “AI is the next big thing and the US wants to lead it.” What is interesting about this EO is not only its breadth but timing. The UK government is leading an international AI summit this week; the US made sure to release this EO the day before the summit. In addition to the EO, the US government is promoting their new https://ai.gov/ website which is all about getting people training and jobs in AI.

Lance Spitzner

The long-awaited EO has dropped. It is rather extensive, especially in the areas of research and applications. There is considerable focus on US strategic national advantage. What is a bit surprising is that there is little on international cooperation or standards making other than multiple references to actions among ‘international allies and partners.’ Hopefully that will be corrected in multi-lateral discussions.

Curtis Dukes

Large language models (LLMs) are the newest user interface to the computer. They enable us to express the result that we want in natural language. Like every new UI in the past, they make the computer a more powerful tool and open up new applications. That said, the computer remains a tool. Tools vary in quality, utility, usability, and use. The user is responsible for the selection of the tool, its application, and all the properties of the result. We forget any part of that at our peril. We should not impute authority or autonomy to the tool. While regulating the quality of the tool may be useful, it will not ensure good results. Only the user can do that.

William Hugh Murray

2023-10-27

F5 Warns of Critical Vulnerability in BIG-IP

F5 has published an advisory regarding a critical unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. The flaw affects BIG-IP versions 13.x through 17.x. F5 has released updates to fix the vulnerability. Users running unsupported versions of BIG-IP are urged to upgrade to newer, supported versions.

Editor's Note

BIG-IP from F5 is heavily used in many orgs and may even front-end many commercial services. This could have a lot of impacts à la NetScaler. Unauthenticated RCE in the configuration utility would normally not be exposed to the internet, but it's 2023 and all bets are off! Seeing that there is a mitigation script with a lot of detail, expect an exploit soon.

Moses Frost

Two flaws here: CVE-2023-46747, CVSS score 9.8, unauthenticated remote code execution, which can give an attacker full admin rights, and CVE-2023-46748, CVSS score 8.8, SQLi vulnerability. When reading the affected versions, note that F5 only checks products that have not reached technical end of life, so don't assume you're not vulnerable if you're on an older release. Regardless, make sure you're moving to the most recent release with applied hotfixes. Then make sure that your traffic management user interface is not exposed to the internet or untrusted networks. The hotfixes have minimal QA testing, so you need to keep an eye out for the next scheduled software release which includes those fixes with more extensive QA, and then apply that update as well. Don't wait for the QA release; apply the hotfix now, as this is going to be actively exploited.

Lee Neely

The vulnerability affects versions back to 13.x, which means the vulnerability has been lurking around since 2017. Further, as it is a remote code execution bug with a CVSS score of 9.8, download and update your devices immediately.

Curtis Dukes

2023-10-30

Google Chrome Now Upgrading to HTTPS for All Users

Users of Google’s Chrome browser now have all insecure HTTP requests automatically upgraded to HTTPS. The feature was rolled out to a limited pool of users in July; as of October 16, the feature is enabled for all users on the Stable channel.

Editor's Note

This essentially makes "Strict Transport Security" the default behavior for Google Chrome, with the exception that users may still force HTTP instead of HTTPS (but they have to deliberately do so). It may also lead to difficulties with old HTTP-only devices.

Johannes Ullrich

In short, the browser will attempt an HTTPS connection even if HTTP is used, falling back where needed, a slight raising of the bar, as mixed content (HTTP/HTTPS) pages, like those with forms, are still possible and sites with an HTTPS opt-out header are still respected. The behavior is for main frame navigation, not subresource requests, which are controlled by the user agent's policy on blockable and upgradable mixed content.

Lee Neely

Another excellent security move by the Googlers. HTTPS introduces encryption to protect user information and is therefore far more secure. Don’t make the user have to decide on security configuration; make it the default.

Curtis Dukes

The Rest of the Week's News


2023-10-30

New FTC Rule for Non-Banking Financial Institutions

The US Federal Trade Commission has issued a final rule that requires non-banking financial institutions to report data breaches and other security events within 30 days. The rule goes into effect in April 2024 and applies to incidents affecting 500 or more individuals. The new rule amends the Standards for Safeguarding Customer Information, or Safeguards Rule.

Editor's Note

The US has failed for the past 20 years to pass any federal data privacy laws, so this type of agency-by-agency/state-by-state mishmash of needed rules is what happens. Reporting the data required within 30 days is not onerous, and the clock does not even start until detection.

John Pescatore

The new FTC rule appears to be redundant with state breach notification laws. That said, I do believe that the government should be made aware of cyber breaches that affect its citizens. Perhaps over time, the federal government can create one set of incident reporting rules applicable to every industry sector instead of this hodge-podge of reporting requirements at both the state and federal level.

Curtis Dukes

Non-banking financial institutions include payday lenders, mortgage brokers, motor vehicle dealers, investment firms, insurance companies, asset management firms, and peer-to-peer lenders. The rule applies to incidents that affect 500 or more customers, seems focused on unauthorized access to unencrypted information, and includes provisions for a 60-day delay of public disclosure if requested by law enforcement. With other regulators, including state-level requirements, also imposing reporting requirements, you'll want to update your playbook, double-checking what the most restrictive reporting requirements are, to ensure you've got all the data necessary to report within the expected interval.

Lee Neely

With the exception of card-not-present fraud, which this initiative does not address, and compared to healthcare or software, this industry has been pretty clean. One does not expect this requirement to have much impact.

William Hugh Murray

2023-10-27

Protective DNS for UK Schools

The UK National Cyber Security Centre (NCSC) is rolling out eligibility for its Protective Domain Name Service (PDNS) to schools. NCSC developed PDNS to prevent DNS from being used to spread malware. The service is available to eligible educational organizations at no cost.

Editor's Note

The use of DNS filtering services should be a no-brainer for all state and local K-12 school systems.

John Pescatore

Kudos to the UK National Cyber Security Centre (NCSC) for expanding its Protective Domain Name Service (PDNS) to schools. PDNS is already available for free to UK public sector bodies and filters out known malicious domains and IP addresses. This should help UK schools to better protect themselves. If you are in the UK and qualify for PDNS I strongly encourage you to apply for this service.

Brian Honan

The service, planned for rollout over the next year, blocks access to known malicious sites by not resolving them. The year-long rollout is to make sure the service scales. The service includes both metrics for organizations about their use as well as support to resolve any issues. When implementing a secure DNS solution, make sure that all DNS lookups are routed to it, and that alternatives like DNS over HTTPS or TLS aren't allowed to end-run the solution.

Lee Neely
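To illustrate the end-run point in Lee Neely's note, here is an added Python example (not NCSC or PDNS code) that triages constructed flow-log lines and flags lookups that bypass the sanctioned protective resolver: plain DNS sent to some other server, DNS over TLS on port 853, or DNS over HTTPS identified by the TLS SNI. The resolver addresses, the DoH hostnames and the log format are all assumptions made for the example.

```python
"""Flag DNS lookups that end-run a protective DNS resolver.

Added example, not NCSC/PDNS code. Assumes a constructed flow-log format
of "src,dst,proto,dport,sni" per line; addresses and names are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: addresses of the sanctioned protective resolvers (placeholders).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumption: SNI names of DoH endpoints to flag (placeholders; feed from intel).
KNOWN_DOH_SNI = {"dns.example-resolver.test", "doh.example-other.test"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when the flow bypasses the protective resolver, else None."""
    src, dst, _proto, dport, sni = line.strip().split(",")
    port = int(dport)
    if port == 53 and dst not in SANCTIONED_RESOLVERS:
        return Finding(src, dst, "plain DNS to non-sanctioned resolver")
    if port == 853:  # DNS over TLS uses a dedicated port, so it is easy to spot
        return Finding(src, dst, "DNS over TLS (port 853)")
    if port == 443 and sni in KNOWN_DOH_SNI:  # DoH hides inside HTTPS; SNI gives it away
        return Finding(src, dst, f"DNS over HTTPS to {sni}")
    return None


def find_bypasses(log_lines: List[str]) -> List[Finding]:
    """Run classify() over every non-empty line and keep the hits."""
    return [f for f in (classify(l) for l in log_lines if l.strip()) if f]


# Constructed sample flows (TEST-NET addresses), not real traffic.
SAMPLE_LOG = """\
10.1.2.3,10.0.0.53,udp,53,
10.1.2.3,192.0.2.8,udp,53,
10.1.2.4,198.51.100.1,tcp,853,
10.1.2.5,203.0.113.10,tcp,443,dns.example-resolver.test
10.1.2.6,203.0.113.20,tcp,443,www.example.com
""".splitlines()

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

A real deployment would pair this with firewall rules that only permit port 53/853 egress from the sanctioned resolvers, since detection alone does not stop the bypass.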

Kudos to the NCSC for making DNS filtering available to the UK school system. DNS filtering is a relatively straightforward way to block malicious websites, and is one of the simplest and most effective security solutions to implement. For non-UK citizens there are a number of free DNS filtering services available to you (e.g., Cloudflare, Quad9, Google Public DNS, etc.).

Curtis Dukes

2023-10-30

NetScaler Vulnerability is Being Widely Exploited

Ransomware groups are exploiting a known vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway for which a fix was released on October 10. The information disclosure vulnerability can expose session tokens. Researcher Kevin Beaumont has found roughly 20,000 exploited devices in which session tokens had been stolen. Beaumont also warned that organizations need to wipe their devices' memory in addition to installing the patch.

Editor's Note

The patches have been out for three weeks, the PoC exploit is out there, and the vulnerability has a new name, "Citrix Bleed" (a nod to the 2014 Heartbleed vulnerability). Time to stop planning and get this fixed. At this point, assume compromise; get your threat hunters checking those IOCs now.

Lee Neely

Exploits are out for this and the vector is juicy.

Moses Frost

2023-10-30

Stanford University Investigating Cybersecurity Incident

Stanford University is investigating a cybersecurity incident that affected the school’s Department of Public Safety. This is not the first cyberattack Stanford has suffered; in early 2021, a compromised Accellion file transfer system led to the theft of personal data.

Editor's Note

Exfiltrated data includes Social Security numbers, addresses, financial, email and family information. Attackers targeted their 20-year-old Accellion FTA, which had been slated for retirement in April 2021, yet continued to operate, highlighting the criticality of replacing old technology, particularly one with known security flaws. Make sure that you've not stalled legacy service replacements indefinitely without adequate mitigations and monitoring.

Lee Neely

2023-10-30

Toronto Public Library Cybersecurity Incident

The Toronto (Canada) Public Library learned of a cybersecurity incident affecting their IT system rendering numerous services unavailable. While the library’s main site is offline, local branches remain open; the branch telephone lines are operating, and materials can still be checked out and returned there. Over the last year, cybersecurity incidents have targeted other Canadian institutions, including Toronto’s city government and Symphony Orchestra, the National Gallery of Canada, and Air Canada.

Editor's Note

TPL is being very transparent about what they are doing and which services are impacted, and which are still available. For example, Wi-Fi in branches is still available, but the public computers are not. Another notification example to add to your reference should you ever need it.

Lee Neely

2023-10-28

Nevada School District Breach Exposes Student Data

On October 16, Nevada’s Clark County School District (CCSD) confirmed that it became aware of a cybersecurity incident affecting the district’s email environment earlier in the month. CCSD disabled access to Google Workspace from external accounts and did a forced reset of student passwords. Over the past week, some parents have reported receiving email that contained personal information about their children.

Editor's Note

The attackers are emailing pilfered data to the students' parents, which includes email, birth dates, ethnicity, PSAT scores, health information, suspensions, incident reports, and more, with a claim that they were in the system for six months before letting school staff know they were there, and will continue to wreak havoc until they are either paid or blocked from access. While the claims of access and legitimacy of the proffered data are not yet validated, the interaction with parents and DataBreaches.net is sufficient to keep the water muddy. CCSD's lack of response isn't helping here. Consider the value of keeping customers informed of a breach, to include timely updates. When engaging help, don't forget to leverage law enforcement and government resources in addition to any security team you hire.

Lee Neely

2023-10-25

Update for AI ChatBot WordPress Plugin Addresses Six Vulnerabilities

Developers of the AI ChatBot Plugin for WordPress have released an updated version of the plugin to fix six vulnerabilities, including three critical flaws: an unauthenticated SQL injection vulnerability, an authenticated directory traversal to arbitrary file write vulnerability, and an authenticated arbitrary file deletion vulnerability. Users are urged to update to version 4.9.3 or later of the plugin.

Editor's Note

The plugin maintainer, who was notified on September 28th of the flaw, acknowledged the report the next day and released an updated plugin on October 19th. Make sure that you've auto-updated to version 4.9.3 of the plugin. Note the bugs were fixed in 4.9.1, but some were re-introduced in 4.9.2, which is why you want 4.9.3 where they are all resolved. Wordfence released firewall rules to their paid and free versions September 29th and October 29th respectively.

Lee Neely

Internet Storm Center Tech Corner

Flying under the Radar: The Privacy Impact of Multicast DNS

https://isc.sans.edu/diary/Flying+under+the+Radar+The+Privacy+Impact+of+multicast+DNS/30358

Size Matters for Many Security Controls

https://isc.sans.edu/diary/Size+Matters+for+Many+Security+Controls/30352

Spam or Phishing? Looking for Credentials and Passwords

https://isc.sans.edu/diary/Spam+or+Phishing+Looking+for+Credentials+Passwords/30354

Kubernetes ingress-nginx vulnerability

https://github.com/kubernetes/ingress-nginx/issues/10571

Google Chrome HTTPS Upgrade

https://github.com/dadrian/https-upgrade/blob/main/explainer.md

WordPad POC CVE-2023-36563

https://www.dillonfrankesecurity.com/posts/cve-2023-36563-wordpad-analysis/

iOS Leaks MAC Address

https://www.youtube.com/watch?v=T3XABxNogTA

Zero Day Initiative Pwn2Own Summary

https://www.zerodayinitiative.com/blog/2023/10/24/pwn2own-toronto-2023-day-one-results

https://www.zerodayinitiative.com/blog/2023/10/25/pwn2own-toronto-2023-day-two-results

https://www.zerodayinitiative.com/blog/2023/10/26/pwn2own-toronto-2023-day-three-results

Microsoft Octo Tempest Writeup

https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/