440GB of data in an Amazon S3 bucket, shared in a hacking forum, allegedly contains data exfiltrated from Fortinet. The company reported in a blog post that a threat actor gained unauthorized access to customer data stored in a 'third-party cloud-based shared file drive,' but that the breach impacted less than 0.3 percent of their customers. Fortinet has not confirmed the leakers' claims that their CEO received and declined a ransom demand, and has expressed confidence that the attack does not merit an 8-K filing.
I have yet to see the datasets personally. From what the threat actor says, this appears to be related to all their SharePoint data. 440GB of something is not small in any way. This may be one of the most significant vendor breaches in quite some time. This will take time to download and review, so expect fallout from this for some time.
The attacker claims they exploited a weakness in their Azure SharePoint site, accessing about 440GB and the Fortinet CEO walked away from ransom negotiations. While I'm not so sure 440GB qualifies as a limited amount of data, they still have the latitude of material impact to temper the requirement of filing the K-8. This has been a bit of a rough year for Fortinet, with critical fixes in January and February, as well as FortiGate firewall compromises in June, which means they need to downshift into full transparency, particularly with recent DLP and cloud security acquisitions, which they could highlight for their role in reducing the scope of the compromise or mitigating future incidents, so they can focus on remediation and mitigations rather than responding to external claims.
WordPress[.]org, the branch of the site that provides resources for developers, will require authors of plugins and themes to protect their accounts with two-factor authentication. The site will also implement SVN passwords, which restrict commits in their version control system. These measures to prevent supply chain attacks will be enforced starting October 1.
Increasing security on supply chain attacks, particularly for such a common target (WordPress) is vastly needed, and if you're developing WordPress plugins or enhancements, you need to jump on this or you're SOL come October 1. For those of us with WP sites, we still want to remain diligent, ensuring we're keeping everything automatically updated, removing unused plugins and deploying security modules or plugins to give you every advantage.
WordPress is joining a growing list of organizations that now mandate the use of MFA on hosted accounts. Perhaps the recent Snowflake security incident helped drive the decision by WordPress to mandate an additional form of identification for account access. Bottom line: overdue but a good thing nonetheless.
Nothing can be more essential to SECDEVOPS than developer accountability and change control.
WordPress
The Hacker News
Cyberscoop
Bleeping Computer
A press release from Ireland's Data Protection Commission announced an ongoing 'Cross-Border statutory inquiry' investigating data protection obligations during the development of Pathways Language Model 2 (PaLM 2). The inquiry will determine whether Google conducted a Data Protection Impact Assessment (DPIA) before processing European citizens' data. GDPR requires this assessment from any project 'likely to result in a high risk to the rights and freedoms of individuals.'
This is similar to the reason X (formerly Twitter) were asked by the DPC to suspend their use of the data of people based in the EU to train its AI solution Grok https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-welcomes-conclusion-proceedings-relating-xs-ai-tool-grok. Under GDPR and the recent EU Artificial Intelligence (AI) Act there are a lot of obligations placed on organisations to ensure the rights of individuals are not infringed by AI solutions. If your organisation is based in the EU and you are looking to implement AI solutions you should read this guide from the Irish Data Protection Commission on "AI, Large Language Models and Data Protection" https://dataprotection.ie/en/dpc-guidance/blogs/AI-LLMs-and-Data-Protection.
Of note here: know where your privacy data is being processed, particularly with services incorporating AI/LLMs into their service offering, and if you're processing privacy data be aware of the relevant privacy laws, GDPR, CCPA, etc. Some like the GDPR have restrictions on location of processing and the completion of a DPIA, and even user consent prior to processing backed up with substantial penalties for getting this wrong. This isn't the first case of the EU pumping the brakes on LLMs being trained on personal data. Previously, OpenAI/ChatGPT was temporarily banned in Italy for similar concerns, Meta paused plans for Meta AI in Europe over privacy concerns, and X consented to suspend training its Grok chatbot on public posts from European users without prior consent. As these are resolved, there should be a model for the rest of us to learn from and emulate, resulting in a less litigious experience operating in the EU.
Don't forget there is an AI race going on and the winner likely will drive this technology advancement into the future. One nation doesn't give its citizens a choice as their data, including facial recognition, is collected over and over again and is used to train LLMs. At least other nations do attempt to protect the privacy and data rights of their citizens. We have to find a middle ground else we're basically ceding this technology to one country.
The UK government's Department for Science, Innovation and Technology has announced that data centres are now designated Critical National Infrastructure (CNI). The change in classification means that the government will support data centres during critical incidents. The last time the government assigned CNI designation to a sector was in 2015, when the Space and Defence sectors were granted CNI status.
This designation will put the data centers on par with water, energy and emergency services systems when it comes to government support for recovery from and preparation for critical incidents. This will also likely result in increased scrutiny from government agencies to ensure these data centers are secure and contingencies are in place to minimize risk of damage to essential services and data. This comes on the heels of a proposed £3.75 billion investment in Europe's largest datacenter in Hertfordshire.
I suspect that the UK government would have supported data centers during critical incidents regardless of the designation given the growing importance of the cloud for e-commerce and business operations. At least now it has been formalized.
I suspect that many data centers with critical government services should be protected. If you consider the NHS Critical Infrastructure, the systems behind it must also be critical.
Authorities in the UK have arrested a 17-year-old individual in connection with the Transport for London (TfL) breach. The suspect was detained on September 5 for suspicion of Computer Misuse Act violations and has since been released on bail. TfL now acknowledges that some customer banking data were compromised, and that the organization is resetting all employee passwords.
Despite all the hype around nation state attackers, the various regulations and proposed regulations being implemented around cybersecurity, the various cybersecurity tools that promise to protect us, it is frustrating and frankly disheartening to see organisations suffering breaches of this magnitude from an individual who is still legally a child. Perhaps the individual arrested in this case has a lot of technical skills, but if your organisation can be breached by a teenager you have much more to worry about other than nation state attackers and APTs.
The incident started September 1st and they are getting closer to service restoration. TfL is, in addition to changing all passwords, also re-ID proofing all staff to make sure only verified users have access. TfL is also committing to make any unexpected costs right for travelers, for example asking them to keep track of where they had to pay a fare outside Oyster or Zip cards so TfL can issue a refund when things are back online.
Public transit is essential to London. It appears as though it continues to operate in part because administrative systems were isolated from mission critical applications. However, it also appears as though the reliance on passwords for user authentication is implicated in this breach.
New features in Chrome aim to better protect users from online threats and provide them greater control over their personal data. Google has enhanced the Chrome Safety Check feature, allowing it to run automatically in the background. It will revoke permissions from sites users no longer visit, flag unwanted notifications, remind users of security issues that need to be fixed, and on desktop versions, it will notify users of dangerous extensions. On Pixel devices, Chrome will simplify the process of opting out of website notifications. Chrome for both Android and desktop will also allow users to grant one-time-only website permissions.
Chrome Safety Check was first rolled out in 2020, it checked stored passwords for compromise, encouraged browser updates and warned when sites were deemed unsafe by their Safe Browsing service. It continues to evolve, now running in the background on mobile devices, it started running in the background on desktops last year and will now also automatically cancel notifications deemed deceptive rather than just flagging them if the site is deemed dangerous. Chrome Safety Check can be disabled on desktop browsers under the Security and Privacy Settings, you likely want it on for most users to help raise the bar on secure browsing. These services are also available in Chromium browsers' Privacy/Security settings (Edge, Opera, Brave, etc.).
Anything we can do to automate security checks is a good thing -- thank you Google for pushing the security envelope. Yes, it might be an annoyance at first, but users will adjust and come to like the additional layer of security. Hopefully, other major browser developers will follow Google's example.
Chrome will continue to get stronger and stronger in this regard. Expect to see some newer developments in this area.
Security Week
ZDNet
The Register
On Tuesday, September 10, Microsoft released updates to address nearly 80 security issues in their products. Seven of the vulnerabilities are rated critical, and at least four are being actively exploited: CVE-2024-38226, a Microsoft Publisher protection mechanism failure vulnerability; CVE-2024-43491, a Microsoft Windows Update use-after-free vulnerability; CVE-2024-38014, a Microsoft Windows Installer improper privilege management vulnerability; and CVE-2024-38217, a Microsoft Windows Mark of the Web (MOTW) protection mechanism failure vulnerability. The US Cybersecurity and Infrastructure Security Agency (CISA) has added those four vulnerabilities to their Known Exploited Vulnerabilities (KEV) Catalog; all four have mitigation deadlines of October 1, 2024.
You should be pushing this update starting this weekend, if not sooner. Updates to the Windows Installer and Windows Update which can be leveraged for RCE and privilege escalation should be enough to warrant not waiting. If that isn't enough, successful exploits are already showing up in active attacks. The good news is the weekend is upon us, so users will be less disrupted by the pushed updates.
Neither the number nor the severity are going down.
MSRC
CISA
The Record
The Register
SC Magazine
NVD
Earlier this week, Palo Alto Networks released security advisories to address multiple vulnerabilities in their products. Two of the advisories address high severity issues: the first concerns a command injection vulnerability in PAN-OS; the second concerns the monthly update for Palo Alto Networks Prisma Access Browser and addresses nearly 30 CVEs. The rest of the advisories are rated medium severity.
PAN-OS has had its share of bugs like this. I am used to upgrading firewalls, protecting the management interfaces, and staying vigilant. The other bug around PAN-OS's Browser Service is just a standard update to the system, just like you would upgrade Chrome.
CVE-2024-8686, command injection flaw, CVSS score 8.6, is specific to PAN-OS 11.2.2 and the fix is to update to 11.2.3 or higher. The Prisma Access (chromium-based) Browser flaws have CVSS scores ranging from 4.3 to 8.8 where scored; affect versions under 128.91.2869.7 and are fixed in version 128.138.2888.2. Skip the list of which flaws are in which browser version, and deploy version 128.138.2888.2.
Palo Alto Networks
Security Week
GitLab urges users of its Community Edition and Enterprise Edition to update to the latest releases to fix eighteen vulnerabilities. Patched issues include potential for command injection, DoS attack, and Server-Side Request Forgery. The most severe flaw is CVE-2024-6678, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Another case of a challenging matrix of affected versions and fixes. If you're running under 17.3.2, it may be simplest to get to the most current version rather than applying one of three fixed versions (17.3.2, 17.2.5 or 17.1.7), which you'll ultimately need to get to 17.3.2 or higher.
The Highline Public School system in the US state of Washington reopened on Thursday, September 12 after being closed for three days due to a cyberattack. For the time being, none of the district's 35 schools will have Internet access. The incident is still under investigation.
If you're an old-fart like me, the idea of not being online in K-12 schools seems reasonable, until you realize this not only means printed bus schedules, manual attendance taking, but also online tools like Google Classroom will also have to use printed curricula, and traditional standalone teaching aids. The district is working to balance education and technology, publishing their reopening plan on the district web site as back-to-school 2.0 along with details, timeline and a FAQ relating to the incident. https://www.highlineschools.org/about/news/news-details/~board/district-news/post/back-to-school-20: Back to School 2.0
Internet access is as essential to modern education as libraries, and cafeterias.
Microsoft Patches
https://isc.sans.edu/diary/Microsoft+September+2024+Patch+Tuesday/31254
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
Ivanti Patches
Compromise of old hostname .mobi whois server
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
Microsoft Reconsidering Security Tool API
Microsoft implements PQC in SymCrypt
GitLab Patch