SANS NewsBites

Approaches to Changing Cybersecurity Culture: Microsoft's Secure Future Initiative Progress Report and Jen Easterly on Responsibility for Quality and Clarity in Cybersecurity

September 24, 2024  |  Volume XXVI - Issue #73

Top of the News


2024-09-23

Microsoft Secure Future Initiative September 2024 Progress Report

Microsoft has published a report detailing the progress of their Secure Future Initiative (SFI). The initiative debuted in November 2023, several months before a scathing report from the US Cyber Safety Review Board regarding Microsoft's security failings that led to the compromise of US government officials' Microsoft email accounts, and deeming 'Microsoft's security culture … inadequate.' The SFI Progress Report describes steps the company has taken to improve their security culture, including tying senior leadership compensation to security performance.

Editor's Note

Microsoft is setting the standard (and in many ways the blueprint) for truly building a strong security culture. Remember, culture is the shared attitudes, perceptions and beliefs of your organization. In this case, how invested are people in cybersecurity; do they believe in and prioritize it? Unlike behavior, it takes years to change an organization's culture but it appears Microsoft is committed to making that journey. I highly recommend you take the time to read this report, or if nothing else the summary, as their SFI initiative will be the case studies other organizations will be using for years to come.

Lance Spitzner

Microsoft claims to have dedicated 34,000 full-time engineers to SFI. The report confirms security is a core priority in all employee performance reviews as well as senior executive compensation plans. With luck this prevents recurrence of issues which led to successful attacks by Chinese and Russian spies.

Lee Neely

Many good initiatives, especially nice to see 'integrating cybersecurity performance into the senior leadership team's compensation plans.' Back in 2003 or so, having product managers' compensation impacted by security performance really seemed to put the walk behind the talk after Bill Gates's 2002 'Security is Job 1' all-company email. Don't be fooled, though, by all the big numbers in the report. For example, having the equivalent of 34,000 full time employees focused on security is still only 15% of Microsoft's headcount. Higher than average, but probably not that high for the world's second-largest software vendor who is obviously one of the top attacker targets.

John Pescatore

Culture is inculcated over decades. Like quality, it is difficult to patch on. Shipping early in hopes of patching in necessary quality later is fundamental to Microsoft's identity. Getting to doing it "right the first time" from there will be a stretch.

William Hugh Murray

2024-09-20

Easterly: Reframing the Current Approach to Cybersecurity

In a keynote speech at the Mandiant mWISE™ conference, US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said that we need to place the burden of ensuring software products are secure squarely on the shoulders of vendors. 'We don't have a cyber security problem - we have a software quality problem. We don't need more security products - we need more secure products.' Easterly urged organizations to demand secure-by-design products through their procurement power. Easterly also recommended changing the language we use to speak about cybersecurity, proposing that software vulnerabilities instead be called product defects, and suggesting that threat actors be given unappealing names.

Editor's Note

Lack of liability by software vendors is part but not all of the cybersecurity problem we definitely do have. Safer trucks and cars still require driver and mechanic training to stay safe. Well-built bridges require maintenance investments, or they fall down or are knocked down by new, larger, heavier freighter ships that were not well maintained. I have to admit, I would like to see 'Patch Tuesday' called 'Windows Defect Day.'

John Pescatore

Finally we are hearing leaders in cybersecurity calling things out as they should be. For too long we have romanticised cybersecurity actors, be they threat actors or defence actors. If we want to be taken seriously by businesspeople, we need to lose the militaristic jargon that is so pervasive in our industry and the trivialising of criminals by giving them cute nicknames - or indeed in the case of one vendor producing action dolls based on threat actor names.

Brian Honan

Patching is an inefficient way to achieve necessary quality. Given the numbers, it is not even effective.

William Hugh Murray

A fair point, shifting responsibility, but we must establish some guardrails else the cost to vendors becomes so large that innovation suffers. As far as the comment about changing the language: meh. Instead, we should be focused on reducing software vulnerabilities and automating software updates.

Curtis Dukes

Expect to see continued initiatives requiring secure software out the gate. Expect CISA to require attestations from software providers that they are following secure-by-design processes as part of qualifying their products for government customers.

Lee Neely

The Rest of the Week's News


2024-09-23

macOS Sequoia Updates are Disrupting Security Products' Functionality and Network Connectivity

Users have begun noting that macOS Sequoia, which Apple released on Monday, September 17, is causing problems with security products and network connectivity. The update appears to be affecting security tools made by Microsoft, CrowdStrike, SentinelOne, and other vendors. The update is reportedly interfering with DNS resolution for some VPNs.

Editor's Note

Apple has always been zealous about controlling its product ecosystem, and this simply reflects the tension with security vendors. The question becomes: Are Apple's included security applications sufficient such that you don't need third-party security tools? Microsoft is attempting to move in a similar direction.

Curtis Dukes

While tempting to deploy a new OS as soon as the production release is ready, you should have a testing process to verify your security settings, endpoint tools, EDR, scanning, etc. are fully functional. While not definitive, changes to the network stack seem to be a common denominator here. Expect an OS update from Apple in the near future which addresses the issue or provides workarounds.

Lee Neely

2024-09-21

LinkedIn Stops Training Their AI Models on UK User Data

LinkedIn has stopped using UK user data to train their artificial intelligence (AI) models following concerns raised by the UK Information Commissioner's Office (ICO). In a September 18 blog post, LinkedIn wrote, 'When it comes to using members' data for generative AI training, we offer an opt-out setting.' On September 20, the ICO issued a statement saying they 'are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its UK users. We welcome LinkedIn's confirmation that it has suspended such model training pending further engagement with the ICO.'

Editor's Note

Interesting to note that LinkedIn did not roll out this feature to their users based in the European Union due to the EU General Data Protection Regulation and the EU AI Act. As an EU citizen it is comforting to know that big tech are legally prevented from abusing and using my personal data without my explicit permission and I do not have to opt out of such data grabs.

Brian Honan

The AI data collection was disclosed in LinkedIn's updated terms of service. Most of us missed it. This change means that for the European Economic Area, UK & Switzerland the setting is now off by default, but for the rest of us the AI setting is on. Go to Settings, Data Privacy, Data for Generative AI Improvement, to toggle it on or off. Also consider the setting for Social, economic and workplace research. If you're going to feed your GenAI user data, consider an opt-in model to avoid some privacy concerns.

Lee Neely

LinkedIn took a half-step in the right direction. Opt-in vs. opt-out should be the default configuration when it comes to user selection. But, alas, vendors know that most users don't read the fine print and rarely opt out.

Curtis Dukes

2024-09-23

Telegram Will Share Rule Violators' Info With Authorities

The Telegram messaging service has revised its terms of service to indicate that it will share identifying information about 'bad actors' with authorities. In the past, Telegram provided information only upon receiving a court order confirming that a user was suspected of terrorism. The updated policy reads 'If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities.'

Editor's Note

A reasonable next step for Telegram. The key is that a valid court order must be presented. Perhaps the change in terms was brought on by recent legal challenges with the CEO, but we'll never really know. In any event, bad actors have been put on notice.

Curtis Dukes

It took a long time, and arguably the arrest of Telegram's CEO to make this happen. It still would not make me trust Telegram as a secure messaging platform.

Brian Honan

Telegram has been in the hotseat lately for complicity in the distribution of illegal activities. This, coupled with the activity from Germany on crypto exchanges, highlights law enforcement's increased awareness of illegal use of services, hopefully putting folks on notice that such activities will be discovered.

Lee Neely

2024-09-23

CERT/CC: Critical Flaw Affecting Microchip Advanced Software Framework's tinydhcp Server Implementation

Carnegie Mellon University's CERT Coordination Center (CERT/CC) has published a vulnerability note warning of a critical stack-based overflow vulnerability in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server. The software, which is largely used in IoT products, is no longer supported. The code is publicly available in multiple repositories. CERT/CC recommends 'replacing the tinydhcp service with another one that does not have the same issue.'

Editor's Note

In short, the flaw exists in the current and all previous versions of the tinydhcp server. As the code isn't supported, there isn't a "wait for the new version" option; the "workaround" is to use a different DHCP server.

Lee Neely

Sadly when it comes to IoT devices, replacing vulnerable services will not be a straightforward task, especially for consumer devices. I predict we are going to see lots of vulnerable devices connected to the Internet over the coming years as many devices won't have their vulnerable services updated until the physical device is itself replaced. Make sure to factor these IoT devices into your corporate vulnerability management program to determine how you reduce your attack surface.

Brian Honan

2024-09-19

Patch Critical Flaw in Apache HugeGraph-Server

An improper access control vulnerability (CVE-2024-27348) in Apache HugeGraph-Server can be exploited to achieve remote code execution. The issue affects Apache HugeGraph-Server version 1.0.0 up to but not including 1.3.0. Apache addressed the issue in April, recommending that users 'upgrade to version 1.3.0 with Java11 and enable the Auth system, which fixes the issue.' The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to their Known Exploited Vulnerabilities (KEV) catalog.

Editor's Note

Apache HugeGraph-Server is a core component of the Apache HugeGraph project, designed to handle large scale graph data with high performance and scalability. It is used for risk analysis, transaction pattern analysis, and fraud detection. CVE-2024-27348, improper access control, CVSS score 9.8, is fixed in version 1.3.0, and while compatible with Java 8, you need Java 11 to get all the security features. Next you need to enable user authentication (off by default) as well as the Whitelist-IP/port function to improve security of the RESTful-API.

Lee Neely

2024-09-23

Kaspersky Software Automatically Replaced by UltraAV

On September 19, three months after the US Commerce Department banned the sale of Kaspersky products, users found the antivirus software had been uninstalled automatically from their devices and replaced with Pango Group's UltraAV and UltraVPN. Customers and resellers expressed distress that the deletion and installation occurred without user permission. While the company had sent an email about the change in service and account activation, the message did not warn users of any unauthorized software changes on their systems.

Editor's Note

While the change from Kaspersky to UltraAV was completely transparent, and, as promised, required no user intervention, the promised migration date was after September 29th. Some users report UltraAV is configured to reinstall after a reboot after being uninstalled. The action of making the change prior to the announced date, coupled with the action of uninstalling/installing security software without active user consent, triggered by Kaspersky, is not a good start to customers' relationship with the Pango Group. This may be a good time to assess your future endpoint protection selection if you are a newly installed UltraAV user.

Lee Neely

2024-09-23

Research Reveals Trojan Malware in Android Apps

Two apps with over 11 million combined downloads from the Google Play store contain trojan malware known as 'Necro,' according to Kaspersky. Researchers traced the infection to an unverified software development kit (SDK) claiming to support ad display. The SDK instead downloaded code hidden by steganography in the pixel values of a PNG image, allowing safety bypass exploits and malicious plugins to run invisibly. Modified versions of many well-known apps hosted on third-party stores are also likely infected.

Editor's Note

This is the same Necro trojan from five years ago that affected about 100 million devices. The malware uses a reflection attack to create a separate instance of the WebView factory, with privileges which are normally disallowed. The malware was in two Google Play apps: Wutu Camera app versions 6.3.2.148 - 6.3.6.148, the latest is now clean, and Max Browser, which has been removed from Google Play. IOCs as well as a detailed writeup are available in the blog published on Kaspersky's Securelist site.

Lee Neely

2024-09-23

Proposed US Ban on Car Parts Supplied by PRC and Russia

The US Department of Commerce, Bureau of Industry and Security (BIS), has issued a Notice of Proposed Rulemaking that would "prohibit the sale or import of connected vehicles integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to the People's Republic of China (PRC) or Russia." The proposal is grounded on concerns about surveillance, remote control access, and sabotage via vehicle connectivity systems and automated driving systems, as the BIS claims the supply chain is 'easily exploitable by PRC and Russian authorities.' If approved, the ban would go into effect with model year 2027 for software, and 2030 for hardware.

Editor's Note

I was opposed to economic protectionism when Europeans used it against our computer industry in the sixties, and I continue to oppose it now. "World Peace through World Trade" works.

William Hugh Murray

This is supply chain security. If approved, software bans don't go into effect for a year to give manufacturers time to verify they are not tied to the PRC or Russia. The hardware ban, which affects things like sensors, Wi-Fi, cellular, Bluetooth, and satellite connectivity, has a longer lead time allowing manufacturers to implement other solutions. US-based autonomous vehicles are exempted, but Chinese robotaxi services, such as Nullmax, Pony.ai and WeRide would be affected.

Lee Neely

2024-09-20

German Authorities Shut Down Crypto Exchanges That Were Facilitating Money Laundering

Authorities in Germany have shut down nearly 50 cryptocurrency exchanges that were being used to conduct criminal activity. The exchanges allowed transactions without requiring users to register or checking proof of identity. The exchanges' operators have been charged with 'knowingly concealing the origin of criminally obtained funds on a large scale through inadequate implementation of legal requirements for combating money laundering (so-called know-your-customer principle), and thus of having committed money laundering and operating criminal trading platforms on the Internet in accordance with Sections 127, 261 Paragraph 1 Sentence 1 No. 2 and Paragraph 4 of the German Criminal Code.' The operation was carried out by the Frankfurt am Main Public Prosecutor's Office - Central Office for Combating Internet Crime (ZIT) - and the Federal Criminal Police Office (BKA).

Editor's Note

More enforcement of Know Your Customer laws and regulations is needed.

John Pescatore

"Know your customer" has always been fundamental to sound banking. While necessary for effective anti-laundering enforcement, it did not originate with it. It is also necessary for sound lending and resisting fraud.

William Hugh Murray

Historically, crypto exchanges have been tricky to regulate. Hopefully Germany can raise the bar.

Lee Neely

Internet Storm Center Tech Corner

Phishing Links With @ Sign

https://isc.sans.edu/diary/Phishing+links+with+sign+and+the+need+for+effective+security+awareness+building/31288
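The diary linked above concerns links whose authority part contains an '@' sign: RFC 3986 allows an optional userinfo ("user:password@") in front of the host, so a browser sends a link such as https://www.example-bank.test@198.51.100.7/ to 198.51.100.7 while the reader's eye stops at the bank's name. The following Python script is an added example, not code from the diary or from SANS; it uses the standard library's urlsplit to show where such a link really goes and to flag links that carry a userinfo part. The sample links are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample links (not from the diary or any real campaign).
SAMPLE_LINKS = [
    "https://www.example-bank.test@198.51.100.7/login",    # decoy domain before '@'
    "https://login:secret@203.0.113.5/",                     # ordinary credentials in the URL
    "https://example.test/reset?user=alice@example.test",   # '@' only in the query string
    "https://example.test/login",                            # nothing unusual
]


def analyze_link(url: str) -> dict:
    """Report the host a browser would actually connect to and whether the
    authority component carries a userinfo part.

    urlsplit follows RFC 3986: everything before the last '@' in the
    authority is userinfo, and only the part after it is the host.  An '@'
    in the path or query string is not userinfo and is not flagged.
    """
    parts = urlsplit(url)
    userinfo = parts.username
    if parts.password is not None:
        userinfo = f"{parts.username}:{parts.password}"
    # The classic decoy is a userinfo that itself looks like a hostname.
    decoy = "." in (parts.username or "")
    return {
        "url": url,
        "real_host": parts.hostname or "",
        "userinfo": userinfo,
        "has_userinfo": userinfo is not None,
        "decoy_domain": decoy,
    }


def scan_links(urls):
    """Analyze every link in the given iterable."""
    return [analyze_link(u) for u in urls]


def flagged(urls):
    """Links worth a second look: any link with a userinfo part in its authority."""
    return [r for r in scan_links(urls) if r["has_userinfo"]]


if __name__ == "__main__":
    for r in scan_links(SAMPLE_LINKS):
        if r["decoy_domain"]:
            verdict = "DECOY"
        elif r["has_userinfo"]:
            verdict = "userinfo"
        else:
            verdict = "ok"
        print(f"{verdict:8} host={r['real_host']:<16} {r['url']}")
```

Run over the constructed list, the first link is reported as a decoy pointing at 198.51.100.7, the second is flagged for carrying credentials, and the two links whose '@' sits outside the authority are left alone. The same check can be applied to URLs extracted from mail gateways or proxy logs, or used as a teaching aid when showing users how to read a link.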

Kaspersky Deletes Itself Installs UltraAV Antivirus Without Warning

https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/

Microchip ASF tinydhcp Vulnerability

https://kb.cert.org/vuls/id/138043

Windows Server Update Services Deprecation

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-server-update-services-wsus-deprecation/ba-p/4250436

Windows Server 2025 Hotpatches

https://techcommunity.microsoft.com/t5/windows-server-news-and-best/now-in-preview-hotpatch-for-windows-server-2025/ba-p/4248296

Google Suggests Not Using WHOIS for Certificate Validation

https://lists.cabforum.org/pipermail/servercert-wg/2024-September/004821.html

Versa Director Vulnerability

https://security-portal.versa-networks.com/emailbulletins/66e4a8ebda545d61ec2b1ab9

Apache HugeGraph Vulnerability Exploited

https://nvd.nist.gov/vuln/detail/CVE-2024-27348