Snowflake Customer Database Data Theft Due to Compromised Customer Credentials; Microsoft and Google to Help Rural US Hospitals with Cybersecurity; Type-O Blood Shortage Following Synnovis Cyber Incident

Apple yesterday released its plan for future AI integration into its products. As part of this announcement, Apple also released an article about how it will address the privacy challenges around off-device computing. I hope strong security and privacy assertions will become the norm going forward, but on the other hand, am well aware that these decisions are often not made by engineers and the lowest bidder/first to market will prevail. Snowflake got to its position right now not because it is the most secure provider of AI compute services. Allowing users to quickly setup accounts with weak passwords probably helped them gain market share.

Johannes Ullrich

With our ever-increasing reliance on third-party vendors and cloud service providers we need to be more aware that this introduces a different set of risks. Customers of these services need to ensure that the security features provided by third parties meet their security and compliance requirements, but they also need to ensure they utilise the security features and functions available from those third parties. As with all outsourcing arrangements, you can outsource the function and/or business process but you cannot outsource the responsibility.

Brian Honan

We deal with a lot of these conversations in the Cloud Penetration Testing course because it has become increasingly apparent that the “shared responsibility model” defines infrastructure incidents well but has no bearing on shared security responsibility. In this case, if you didn’t protect your customer’s data, it’s on you, but the service provider is mostly in the news.

Moses Frost

Don't be lulled into a false sense of security that Snowflake is the only environment where compromised, reusable credentials are being targeted. Verify that you're enabling and enforcing MFA for your outsourced and cloud services, regardless of the service providers requirement. Then the harder task: requiring MFA for your services. The good news is with the IDP you had to deploy for cloud authentication, you can leverage that on your services. Start with low hanging fruit, then move to more challenging use cases.

Lee Neely

After more than thirty years, strong authentication can hardly be described as "advanced." It is both essential and effective.

William Hugh Murray

Certainly Microsoft and Google are to be applauded for their efforts to help rural hospitals. But what happens when the grants conclude, when the free one-year subscription ends, when the free cybersecurity training ends. A basic lack of resources (human and fiscal) will still exist. Let’s use the year that Microsoft and Google are providing to figure out a sustainable long-term approach to protecting the cyber underserved.

Curtis Dukes

This is fantastic news and something that should be considered for almost any rural critical infrastructure. Cloud SaaS solutions like Microsoft and Google are lifesavers for small companies as they make business functionality simple. Now Microsoft and Google can do the same for security as security is built into their solutions. Rural infrastructure simply does not have the resources to both operate and be secure. We can regulate them to death, but that is not going to solve the problem. Solutions like this will help solve that problem.

Lance Spitzner

Arguably, this is good. I would like to see this implemented in a slightly different fashion. It feels like this move enables you to be locked into that vendor ecosystem. We need to have government backing to help these hospitals fix their systems. This will require a multi-year effort at all levels to fix the problem. The problem cannot be solved with just Windows Defender or just consulting. When your biomedical device is running Windows NT and is sitting next to the IoT Toaster, which is sitting next to the Windows desktops, and all these systems can fall over with just a port scan, Microsoft Windows Defender isn’t going to do much.

Moses Frost

This is huge! Microsoft is going to be offering non-profit pricing, including a year of their security suite, to existing customers while Google is going to be providing endpoint security advice at no cost, and a pool of funding to support software migration. Google is also launching a pilot program to develop a package of security capabilities which fit each hospital's needs. It would be nice to see similar offerings for doctors/dentists/labs/etc. which are often themselves small businesses without the resources to implement in-depth security programs, and suffer as keenly, if not more so, in a cyberattack.

Lee Neely

While on the surface this reads as a good news story, it also highlights the severe lack of funding that many governments around the globe, not just in the US, have given to securing critical services such as healthcare. The services people rely on for the quality of their lives and their security should not rely on charitable donations by private firms.

Brian Honan

A prime example of criminals not caring about the harm their actions have on the lives of people. Their primary motivation is money. The sooner our legislators and governments understand the true nature of this threat then the sooner we hopefully we see some proper and realistic response to this ever growing threat. It is not just systems that are being threatened anymore; it is people's lives.

Brian Honan

The toll of this ransomware attack continues. Unfortunately, it also highlights another single point of failure within the healthcare sector. Change Healthcare (part of UnitedHealth Group) is the example in the US, Synnovis the example in the UK. Government would be wise to launch a resilience study of critical infrastructure sectors with a particular focus on the unintended consequences of business consolidation (M&A).

Curtis Dukes

Type O negative blood is the universal blood type needed for emergency transfusions and can be donated to patients regardless of blood types, while O positive can be donated to anyone with positive blood type, about 3 out of 4 patients. With IT systems relating to typing and matching impacted, having a healthy store of both O negative and positive is a really good risk mitigation. Even if you're not in the healthcare industry, this is a call to consider where having a "generic" option for service impacts could help you weather that storm.

Lee Neely

Recall seems to (inadvertently) cross the line between continuous differential backups and Orwellian oversight. The snapshots Recall takes will be encrypted using Windows Hello Enhanced Sign-in Security (ESS) so the user has to authenticate before those snapshots are decrypted and available, which also means this is only as good as the strength of user authentication. Note to self: take time implementing new features, particularly those relating to AI, while powerful, they are complex and have implications you need time to assess.

Lee Neely

This whole debacle by Microsoft on the way Recall has been rolled out and this subsequent rushed response to the security and privacy concerns flies in the face of the recent "Prioritizing security above all else" announcement by the Microsoft CEO Satya Nadella. This episode is a prime example of "just because you can do it, doesn't mean you should do it."

Brian Honan

These vulnerabilities which include out of bounds writes, stack and heap-based buffer overflows, active debug code and insufficient input validation, have a collective CVSS 4 score of 9.3. Beyond the obvious verification that you don't have PLCs directly exposed to the Internet, make sure you update both the PLC firmware and the Productivity Suite to the newest versions. Also, verify network access is limited to only devices which are supposed to interact with them.

Lee Neely

PLCs are typically not Internet-facing. Any attack would require that the evildoer already have access on the target network to exploit any of the vulnerabilities. That said, given the large number of critical vulnerabilities, implement the vendor supplied security updates as soon as downtime is available.

Curtis Dukes

While many of these PLCs are not being used in sensitive applications, many that are have already been forgotten. We should require and expect both quality and stability.

William Hugh Murray

I am a bit surprised that the effort was worth it. How to set up a system like this is well-documented and not too difficult with modern software-defined radios. But there is still some cost and effort involved. As someone else suggested, maybe this was a proof of concept for a larger attack?

Johannes Ullrich

Imagine if you would, the fake AP attack but with a cell tower. The attack leveraged weaknesses in the protocols which require the devices to authenticate to the cell network, but not validate that network. This allowed the hackers to bypass the cell network anti-smishing defenses. The UK has a service which allows users to forward SMS message to 7726 for analysis. Other carriers are implementing junk SMS reporting. Investigate options provided by your carrier to identify junk SMS messages. Decide if you want a send-all or a send-suspect/on-demand model.

Lee Neely

Not to sound like a broken record, but a compromised reusable token was used to access the repositories and exfiltrate data. In this case 273GB of data was pilfered. (5 thousand repos, 3.6 million files.) In addition to source code (which included the Wordle game), IT documentation and infrastructure tools were taken. So yay for all the work to document and put that information online, but boo for having one credential to rule them all. As easy as it is to branch into a conversation about credential rotation, it's better to pull the MFA thread as well as talk about session timeout/expiration.

Lee Neely

Github made the following commitment: "Starting in March 2023 and through the end of 2023, GitHub will gradually begin to require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA)." The difficulty is that setting up strong authentication requires some user involvement. When the users are "customers, persuasion may be indicated.

William Hugh Murray

A bad update for a browser plugin isn't something you can easily roll back, let alone fix, QA, and distribute an updated version. While the pressure to deliver rapidly is incredible, and nothing new to security professionals, it's not a bad idea to understand how a scenario would be handled in your shop.

Lee Neely

LastPass helps users manage the increasing number of accounts they accumulate and is considered a best practice for password protection. Unfortunately, password managers can also be a single point of failure, whether intentional or not. Time to consider moving to Passkeys as an alternative.

Curtis Dukes

While 911 was offline, emergency responder radio systems were still operating, allowing emergency services to be delivered. City phone services have been restored as of Monday. Cleveland's 311 daytime calls are being handled by after-hours operators. 311 is the number to call for information about the City's programs and services, as well as submit a non-emergency service request. What I'm not finding is any sort of outage/incident announcement on the city's web site. Make sure your plans include outage notification/status updates on services where you manage the message.

Lee Neely

One may infer that safety applications were sufficiently isolated from more vulnerable applications. Would that the other applications were similarly isolated from each other.

William Hugh Murray

Today's contestants for SolarWinds Platform flaws are: CVE-2024-28996, SWQL Injection, CVSS 3 score of 8.1, is a high complexity attack, CVE-2024-28999, a race condition, CVSS 3 score of 8.1 and CVE-2024-29004, stored XSS, CVSS 3 score of 4.8. They impact the SolarWinds Platform 2024.1 SR1 and before, the fix is to update to 2024.2. Don't overlook the need to update their Serv-U product, CVE-2024-28995, a directory traversal flaw, CVSS score of 8.6, affects Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server. The fix is to deploy Serv-U 15.4.1 hotfix 2. While there is not any indication these are being exploited in the wild, given SolarWinds, and how easy it is to discover vulnerable products exposed to the Internet, expect that not to change.

Lee Neely