SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Microsoft Secure Future Initiative September 2024 Progress Report
Microsoft has published a report detailing the progress of their Secure Future Initiative (SFI). The initiative debuted in November 2023, several months before a scathing report from the US Cyber Safety Review Board regarding Microsoft's security failings that led to the compromise of US government officials' Microsoft email accounts, and deeming 'Microsoft's security culture É inadequate.' The SFI Progress Report describes steps the company has taken to improve their security culture, including tying senior leadership compensation to security performance.
Editor's Notes
- Slide 1 of 4
Microsoft is setting the standard (and in many ways the blueprint) for truly building a strong security culture. Remember, culture is the shared attitudes, perceptions and beliefs of your organization. In this case, how invested are people in cybersecurity; do they believe in and prioritize it? Unlike behavior, it takes years to change an organization's culture but it appears Microsoft is committed to making that journey. I highly recommend you take the time to read this report, or if nothing else the summary, as their SFI initiative will be the case studies other organizations will be using for years to come.
- Slide 2 of 4
Microsoft claims to have dedicated 34,000 full-time engineers to SFI. The report confirms security is a core priority in all employee performance reviews as well as senior executive compensation plans. With luck this prevents recurrence of issues which lead to successful attacks by Chinese and Russian spies.
- Slide 3 of 4
Many good initiatives, especially nice to see 'integrating cybersecurity performance into the senior leadership team's compensation plans.' Back in 2003 or so, having product managers' compensation impacted by security performance really seemed to put the walk behind the talk after Bill Gates's 2002 'Security is Job 1' all-company email. Don't be fooled, though, by all the big numbers in the report. For example, having the equivalent of 34,000 full time employees focused on security is still only 15% of Microsoft's headcount. Higher than average, but probably not that high for the world's second-largest software vendor who is obviously one of the top attacker targets.
- Slide 4 of 4
Culture is inculcated over decades. Like quality, it is difficult to patch on. Shipping early in hopes of patching in necessary quality later is fundamental to Microsoft's identity. Getting to doing it "right the first time" from there will be a stretch.
Slide 1 of 0- Slide 1 of 4
Easterly: Reframing the Current Approach to Cybersecurity
In a keynote speech at the Mandiant mWISEª conference, US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said that we need to place the burden of ensuring software products are secure squarely on the shoulders of vendors. 'We don't have a cyber security problem - we have a software quality problem. We don't need more security products - we need more secure products.' Easterly urges organizations to demand secure-by-design products through their procurement power. Easterly also recommended changing the language we use to speak about cybersecurity, proposing that software vulnerabilities instead be called product defects, and suggesting that threat actors be given unappealing names.
Editor's Notes
- Slide 1 of 5
Lack of liability by software vendors is part but not all of the cybersecurity problem we definitely do have. Safer trucks and cars still require driver and mechanic training to stay safe. Well-built bridges require maintenance investments, or they fall down or are knocked down by new, larger, heavier freighter ships that were not well maintained. I have to admit, I would like to see 'Patch Tuesday' called 'Windows Defect Day.'
- Slide 2 of 5
Finally we are hearing leaders in cybersecurity calling things out as they should be. For too long we have romanticised cybersecurity actors, be they threat actors or defence actors. If we want to be taken seriously by businesspeople, we need to lose the militaristic jargon that is so pervasive in our industry and the trivialising of criminals by giving them cute nicknames - or indeed in the case of one vendor producing action dolls based on threat actor names.
- Slide 3 of 5
Patching is an inefficient way to achieve necessary quality. Given the numbers, it is not even effective.
- Slide 4 of 5
A fair point, shifting responsibility, but we must establish some guardrails else the cost to vendors becomes so large that innovation suffers. As far as the comment about changing the language: meh. Instead, we should be focused on reducing software vulnerabilities and automating software updates.
- Slide 5 of 5
Expect to see continued initiatives requiring secure software out the gate. Expect CISA to require attestations from software providers that they are following secure-by-design processes as part of qualifying their products for government customer
Slide 1 of 0- Slide 1 of 5
The Rest of the Week's News
macOS Sequoia Updates are Disrupting Security ProductsÕ Functionality and Network Connectivity
Users have begun noting that macOS Sequoia, which Apple released on Monday, September 17, is causing problems with security products and network connectivity. The update appears to be affecting security tools made by Microsoft. CrowdStrike, SentinelOne, and other vendors. The update is reportedly interfering with DNDS resolution for some VPNs.
Editor's Notes
- Slide 1 of 2
Apple has always been zealous about controlling its product ecosystem, and this simply reflects the tension with security vendors. The question becomes: Are Apple's included security applications sufficient where you don't need third-party security tools? Microsoft is attempting to move in a similar direction.
- Slide 2 of 2
While tempting to deploy a new OS as soon as the production release is ready, you should have a testing process to verify your security settings, endpoint tools, EDR, scanning, etc. are fully functional. While not definitive, changes to the network stack seem to be a common denominator here. Expect an OS update from Apple in the near future which addresses the issue or provides workarounds.
Slide 1 of 0- Slide 1 of 2
LinkedIn Stops Training Their AI Models on UK User Data
LinkedIn has stopped using UK user data to train their artificial intelligence (AI) models following concerns raised by the UK Information Commissioner's Office (ICO). In a September 18 blog post, LinkedIn wrote, 'When it comes to using members' data for generative AI training, we offer an opt-out setting.' On September 20, the ICO issued a statement saying they 'are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its UK users. We welcome LinkedIn's confirmation that it has suspended such model training pending further engagement with the ICO.'
Editor's Notes
- Slide 1 of 3
Interesting to note that LinkedIn did not roll out this feature to their users based in the European Union due to the EU General Data Protection Regulation and the EU AI Act. As an EU citizen it is comforting to know that big tech are legally prevented from abusing and using my personal data without my explicit permission and I do not have to opt out of such data grabs.
- Slide 2 of 3
The AI data collection was disclosed in LinkedIn's updated terms of service. Most of us missed it. This change means that for the European Economic Area, UK & Switzerland the setting is now off by default, but for the rest of us the AI setting is on. Go to Settings, Data Privacy, Data for Generative AI Improvement, to toggle it on or off. Also consider the setting for Social, economic and workplace research. If you're going to feed your GenAI user data, consider an opt-in model to avoid some privacy concerns.
- Slide 3 of 3
LinkedIn took a half-step in the right direction. Opt-in vs. opt-out should be the default configuration when it comes to user selection. But, alas, vendors know that most users don't read the fine print and rarely opt out.
Slide 1 of 0- Slide 1 of 3
Telegram Will Share Rule Violators' Info With Authorities
The Telegram messaging service has revised its terms of service to indicate that it will share identifying information about 'bad actors' with authorities. In the past, Telegram provided information only upon receiving a court order confirming that a user was suspected of terrorism. The updated policy reads 'If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities.'
Editor's Notes
- Slide 1 of 3
A reasonable next step for Telegram. The key is that a valid court order must be presented. Perhaps the change in terms was brought on by recent legal challenges with the CEO, but we'll never really know. In any event, bad actors have been put on notice.
- Slide 2 of 3
It took a long time, and arguably the arrest of Telegram's CEO to make this happen. It still would not make me trust Telegram as a secure messaging platform.
- Slide 3 of 3
Telegram has been in the hotseat lately for complicity in the distribution of illegal activities. This, coupled with the activity from the Germany on crypto exchanges, highlight law enforcement's increased awareness of illegal use of services, hopefully putting folks on notice that such activities will be discovered.
Slide 1 of 0- Slide 1 of 3
CERT/CC: Critical Flaw Affecting Microchip Advanced Software Framework's tinydhcp Server Implementation
Carnegie Mellon University's CERT Coordination Center (CERT/CC) has published a vulnerability note warning of a critical stack-based overflow vulnerability in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server. The software, which is largely used in IoT products, is no longer supported. The code is publicly available in multiple repositories. CERT/CC recommends 'replacing the tinydhcp service with another one that does not have the same issue.'
Editor's Notes
- Slide 1 of 2
In short, the flaw exists in the current and all previous versions of the tinydhcp server. As the code isn't supported, there isn't a wait for new version option, the "workaround" is to use a different dhcp server.
- Slide 2 of 2
Sadly when it comes to IoT devices, replacing vulnerable services will not be a straightforward task, especially for consumer devices. I predict we are going to see lots of vulnerable devices connected to the Internet over the coming years as many devices won't have their vulnerable services updated until the physical device is itself replaced. Make sure to factor these IoT devices into your corporate vulnerability management program to determine how you reduce your attack surface.
Slide 1 of 0- Slide 1 of 2
Patch Critical Flaw in Apache HugeGraph-Server
An improper access control vulnerability (CVE-2024-27348) in Apache HugeGraph-Server can be exploited to achieve remote code execution. The issue affects Apache HugeGraph0-Server version 1.0.0 up to but not including 1.3.0. Apache addressed the issue in April, recommending that users 'upgrade to version 1.3.0 with Java11 and enable the Auth system, which fixes the issue.' The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to their Known Exploited Vulnerabilities (KEV) catalog.
Editor's Notes
Apache HugeGraph-Server is a core component of the Apache HugeGraph project, designed to handle large scale graph data with high performance and scalability. It is used for risk analysis, transaction pattern analysis, and fraud detection. CVE-2024-27348, improper access control, CVSS score 9.8, is fixed in version 1.3.0, and while compatible with Java 8, you need Java 11 to get all the security features. Next you need to enable user authentication (off by default) as well as the Whitelist-IP/port function to improve security of the RESTful-API.
Kaspersky Software Automatically Replaced by UltraAV
On September 19, three months after the US Commerce Department banned the sale of Kaspersky products, users found the antivirus software had been uninstalled automatically from their devices and replaced with Pango Group's UltraAV and UltraVPN. Customers and resellers expressed distress that the deletion and installation occurred without user permission. While the company had sent an email about the change in service and account activation, the message did not warn users of any unauthorized software changes on their systems.
Editor's Notes
While the change from Kaspersky to UltraAV was completely transparent, and, as promised, required no user intervention, the promised migration date was after September 29th. Some users report UltraAV is configured to reinstall after a reboot after being uninstalled. The action of making the change prior to the announced date coupled with the action of uninstalling/installing security software without active user consent, triggered by Kaspersky, is not a good start to customer's relationship with the Pango Group. This may be a good time to assess your future endpoint protection selection if you are a newly installed UltraAV user.
Research Reveals Trojan Malware in Android Apps
Two apps with over 11 million combined downloads from the Google Play store contain trojan malware known as 'Necro,' according to Kaspersky. Researchers traced the infection to an unverified software developer kit (SDK) claiming to support ad display. The SDK instead downloaded code obfuscated by stenography in the pixel values of a PNG image, allowing safety bypass exploits and malicious plugins to run invisibly. Modified versions of many well-known apps hosted on third-party stores are also likely infected.
Editor's Notes
This is the same Necro trojan from five years ago that affected about 100 million devices. The malware uses a reflection attack to create a separate instance of the WebView factory, with privileges which are normally disallowed. The malware was in two Google Play apps: Wutu Camera app versions 6.3.2.148 - 6.3.6.148, the latest is now clean, and Max Browser, which has been removed form Google Play. IOC's as well as a detailed writeup are available in the blog published on Kaspersky's Securelist site.
Proposed US Ban on Car Parts Supplied by PRC and Russia
The US Department of Commerce, Bureau of Industry and Security (BIS), has issued a Notice of Proposed Rulemaking that would "prohibit the sale or import of connected vehicles integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to the People's Republic of China (PRC) or Russia." The proposal is grounded on concerns about surveillance, remote control access, and sabotage via vehicle connectivity systems and automated driving systems, as the BIS claims the supply chain is 'easily exploitable by PRC and Russian authorities.' If approved, the ban would go into effect with model year 2027 for software, and 2030 for hardware.
Editor's Notes
- Slide 1 of 2
I was opposed to economic protectionism when Europeans used it against our computer industry in the sixties, and I continue to oppose it now. "World Peace through World Trade" works.
- Slide 2 of 2
This is supply chain security. If approved, software bans don't go into effect for a year to give manufacturers time to verify they are not tied to the PRC or Russia. The hardware ban, which affects things like sensors, Wi-Fi, cellular, Bluetooth, and satellite connectivity, has a longer lead time allowing manufacturers implement other solutions. US-based autonomous vehicles are exempted, but Chineese robotaxi services, such as Nullmax, Pony.ai and WeRide would be affected.
Slide 1 of 0- Slide 1 of 2
German Authorities Shut Down Crypto Exchanges That Were Facilitating Money Laundering
Authorities in Germany have shut down nearly 50 cryptocurrency exchanges that were being used to conduct criminal activity. The exchanges allowed transactions without requiring users to register or checking proof of identity. The exchanges' operators have been charged with 'knowingly concealing the origin of criminally obtained funds on a large scale through inadequate implementation of legal requirements for combating money laundering (so-called know - your - customer principle), and thus of having committed money laundering and operating criminal trading platforms on the Internet in accordance with Sections 127, 261 Paragraph 1 Sentence 1 No. 2 and Paragraph 4 of the German Criminal Code.' The operation was carried out by the Frankfurt am Main Public Prosecutor's Office - Central Office for Combating Internet Crime (ZIT) - and the Federal Criminal Police Office (BKA).
Editor's Notes
- Slide 1 of 3
More enforcement of Know Your Customer laws and regulations are needed.
- Slide 2 of 3
"Know your customer" has always been fundamental to sound banking. While necessary for effective anti-laundering enforcement, it did not originate with it. It is also necessary for sound lending and resisting fraud.
- Slide 3 of 3
Historically Crypto Exchanges have been tricky to regulate. Hopefully Germany can raise the bar.
Slide 1 of 0- Slide 1 of 3
Internet Storm Center Tech Corner
Phishing Links With @ Sign
Kaspersky Deletes Itself Installs UltraAV Antivirus Without Warning
Microchip ASF tinydhcp Vulnerability
https://kb.cert.org/vuls/id/138043
Windows Server Update Services Deprecation
Windows Server 2025 Hotpatches
Google Suggests Not Using WHOIS for Certificate Validation
https://lists.cabforum.org/pipermail/servercert-wg/2024-September/004821.html
Versa Director Vulnerability
https://security-portal.versa-networks.com/emailbulletins/66e4a8ebda545d61ec2b1ab9
Apache HugeGraph Vulnerability Exploited