The FIDO Alliance has announced two supplementary projects meant to address current challenges putting its passkey authentication method into widespread practice. The first is a set of technical standards drafted collaboratively with researchers from major tech firms and password manager companies: The Credential Exchange Protocol (CXP). CXP "aims to standardize the technical process for securely transferring [passkeys] between platforms," avoiding the risk of "user lock-in" and the unsecure migration process of exporting credentials from a conventional password manager. The second project is Passkey Central, a website offering an implementation guide and set of informational resources and tools for supporting and facilitating passkey adoption. Among other materials, the site contains basic introductory guides and use cases, business metrics, and technical documentation for developers.
Passkeys are meant to be a more useful form of the FIDO2 protocols. Defining a standard export/import format will hopefully make it easier to adopt this important authentication technology.
A secure and standard Credential Exchange Protocol is badly needed, but a vulnerable protocol needs to be avoided; there should be a lot of pounding and external penetration testing before any release. The focus should for now be on narrow but secure support for supplanting reusable passwords vs. some broad approach to exchanging generic 'secrets.'
If you're feeling the pressure to adopt passkeys, read the information on the FIDO Alliance Passkey Central site, from the introduction to rollout, resources, and developer documentation; you need this information for a successful implementation. With sync capabilities and reduced lock-in, user acceptance will be easier, and you can continue to move forward towards password-less authentication, and a smoother user experience across strongly authenticated applications.
Passkeys have indeed come a long way in a relatively short time. These announcements may be the final components needed to realize the tipping point away from passwords. On portability, it is important, but I think the OS vendors realized that most people tend to stay with one ecosystem, whether it be Microsoft, Linux, Apple, or Android. Hence their support in creating the exchange protocol.
I am glad to see this. Adopt passkeys and get out of the password game. It's about time.
Wired
Fido Alliance
According to data gathered by Shadowserver, more than 86,000 Fortinet instances remain vulnerable to a known format string flaw in FortiOS fgfmd daemon. The critical vulnerability (CVE-2024-23113) was disclosed in February 2024, more than eight months ago. The majority of unpatched instances (38,778) are in Asia, followed by North America (21,262) and Europe (16,381). The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to their Known Exploited Vulnerabilities (KEV) catalog last week; Federal Civilian Executive Branch (FCEB) agencies have until October 30 to mitigate the issue.
86,000. This isn't a firewall manufacturer's problem right now. This is a problem on the general internet, where 'critical' security devices that are meant to keep customers safe have been unpatched for a lengthy amount of time. This reminds me of how we 'solved' error-based SQL injection. It was basically Lulzsec going around and 'owning' everyone because it was for the 'LULZ.' It only takes one very motivated group to take this from 'we didn't patch our firewalls all that often' to 'a group has owned us because they thought it was funny.' Regardless of who makes the product, this is the equivalent of having unpatched Windows on the internet and hoping no one takes over your device.
CVE-2024-23113, externally controlled format string vulnerability, CVSS score 9.8, can be used to allow a remote attacker to execute arbitrary commands. The flaw was discovered in February, but apparently attackers were busy going after other Fortinet flaws and are now actively exploiting the flaw. The fix is to update your installation of FortiWeb, FortiProxy, FortiPAM or FortiOS to the latest version. You can mitigate the flaw by disabling fgfm access to portX, which prevents FortiGate discovery from FortiManager, but even so this workaround isn't a complete fix.
This format string vulnerability isn't all that straightforward to exploit. Exploitation may be blocked if the Fortinet SSLVPN verified the certificate authority of the certificate used by the client, something the patch enforces. Refer to the Watchtowr writeup to understand the impact. Fortinet's bulletin is a bit short on the details. labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/: Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024
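The bug class named in the item above (an externally controlled format string) is easier to reason about with the two forms side by side. The following is an added illustration, not Fortinet's code and not taken from the advisory or the watchTowr writeup: a logging helper that passes caller-supplied text as the format argument, the same helper with a constant format, and a simple validator for code paths that cannot be refactored immediately. Function names and the sample input are constructed for this example; the demo deliberately uses only the `%%` directive so the vulnerable call stays well-defined while still showing that directives in untrusted text are interpreted rather than copied.

```c
/* Added example: the "externally controlled format string" bug class shown as
 * a vulnerable logging helper beside its hardened form, plus a validator.
 * Not Fortinet's code; names and sample input are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed untrusted input: text a remote peer might hand to a daemon. */
#define SAMPLE_INPUT "device-id=100%%"

/* VULNERABLE: the untrusted text is used as the format string itself, so the
 * C library interprets any '%' directive it contains instead of copying it.
 * Compilers flag this pattern with -Wformat-security; treat that warning as
 * an error in CI. */
size_t log_message_vulnerable(char *out, size_t out_len, const char *msg)
{
    int n = snprintf(out, out_len, msg);
    return n < 0 ? 0 : (size_t)n;
}

/* HARDENED: the format string is a constant and the untrusted text is an
 * argument to it, so '%' is just another character. */
size_t log_message_hardened(char *out, size_t out_len, const char *msg)
{
    int n = snprintf(out, out_len, "%s", msg);
    return n < 0 ? 0 : (size_t)n;
}

/* Defence in depth for legacy call sites: reject externally supplied strings
 * containing '%' before they can reach a format position at all. */
bool contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Self-checks: true when the behaviour described above is observed. */
bool demo_vulnerable_consumes_directive(void)
{
    char buf[64];
    size_t n = log_message_vulnerable(buf, sizeof buf, SAMPLE_INPUT);
    /* "%%" was interpreted: output is 14 chars ending in a single '%'. */
    return n == 14 && strcmp(buf, "device-id=100%") == 0;
}

bool demo_hardened_preserves_input(void)
{
    char buf[64];
    size_t n = log_message_hardened(buf, sizeof buf, SAMPLE_INPUT);
    /* Text copied verbatim: both '%' characters survive. */
    return n == 15 && strcmp(buf, SAMPLE_INPUT) == 0;
}

int main(void)
{
    printf("vulnerable helper interpreted the directive: %s\n",
           demo_vulnerable_consumes_directive() ? "yes" : "no");
    printf("hardened helper copied input verbatim:       %s\n",
           demo_hardened_preserves_input() ? "yes" : "no");
    printf("validator flags the sample input:            %s\n",
           contains_format_directive(SAMPLE_INPUT) ? "yes" : "no");
    return 0;
}
```

The takeaway for a code review or a vendor questionnaire is the shape of the first helper: any function whose format argument is not a string literal is a finding, regardless of what the input is expected to contain. Compiling with `-Wformat-security` (GCC and Clang) surfaces these call sites mechanically.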
According to Sonatype's 10th Annual State of the Software Supply Chain report, 13 percent of Log4J open-source logging utility installations are unpatched nearly three years after the Log4Shell vulnerability was disclosed. In 2022, Sonatype found that 40 percent of Log4J downloads were vulnerable. Ken Dunham, Director of Threat Research at Qualys' Threat Research Unit, noted that 'Some vulnerabilities are easy to patch and to mitigate and remove, and others are more integrated and multilayered and various dependencies.'
Pour one out for Log4J. It is still affecting systems.
Sonatype is introducing the concept of "Persistent Risk": a combination of unfixed and corrosive vulnerabilities which erode the security integrity of software over time. The first example given is "Log4J." While there are updated versions of Log4J packages, the fix isn't as simple as just replacing your jar file. You need to redo the code which uses it, which may necessitate a culture change in how you react to changes in third-party components used in your applications. With the increased demand for SBOMs, the choice to accept the risk and move on will become problematic.
It's not surprising. As a point of reference, the EternalBlue exploit was leaked 7+ years ago and remains active today. Like Log4j, a patch for EternalBlue is available, but for various reasons, some operational, some lackadaisical, vulnerable installations exist. The question becomes, should those organizations be held liable if the vulnerable device is used to further a cyber incident?
As of the evening of Sunday, October 13, the Internet Archive's Wayback Machine is back online, albeit 'in a provisional, read-only manner,' according to a social media post from Internet Archive founder Brewster Kahle. The site was offline last week after suffering a spate of distributed denial-of-service (DDoS) attacks. They also experienced a data breach in September, which affected 31 million user records.
Attacking the Internet Archive is pointless and the equivalent of throwing stones to break the window of a food bank. The Internet Archive's Wayback Machine provides a unique and useful service. Consider donating to help them recover from the incident.
A researcher in the Netherlands discovered that thousands of traffic lights in that country are vulnerable to remote hijacking. The researcher was able to access the network emergency services use to connect to traffic lights to change lights on their route to green to expedite their arrival at emergencies or hospitals. By manipulating a mechanism used in older traffic signals, they were able to remotely change the lights to green. The Dutch government plans to replace the affected traffic signals, a task which will likely not be completed until 2030.
The affected traffic lights can be controlled by a radio signal, known as KAR, which was developed and deployed when the threat landscape and the practicality of this type of exploit were negligible. The risk with long-lived purpose-built equipment such as this is that the current threat landscape will eclipse the security they were designed with; the fix is a forklift upgrade. Make sure that you're tracking the current security settings/best practices for these systems. Make sure you understand the complexity and impact of a full replacement before championing that path.
If anyone actually pulls this attack off, they better be rollerblading and yelling hack the planet. It's only fair.
RTL
NL Times
Dutch News
Cybernews
The Massachusetts state "HR/CMS Employee Self-Service Time and Attendance (SSTA) system" was offline from October 8 to October 9, 2024 following a breach which the Office of the Comptroller described as "credential harvesting." While it is unclear how the phishing attack was delivered, an announcement on October 9 reported that a number of employees entered credentials into a counterfeit login page, exposing their account and direct deposit information. The system was temporarily taken down for further investigation, but apart from certain affected employees receiving paper checks, payroll will proceed unaffected. The announcement recommends employees vet and bookmark any portal links, change their passwords, and take basic anti-phishing precautions.
The human element is the most difficult to defend against. No matter the amount of anti-phishing training one receives, stuff happens. The best thing a defender can do is limit the exposure with rigorous patching, configuration, and active monitoring. It appears that the MA state IT department did just that.
India's Star Health insurance provider has acknowledged that cyber threat actors gained 'unauthorized and illegal access to certain data' earlier this year but maintains that the incident has not affected business operations. The breach made news in September when threat actors claimed to have posted data belonging to more than 30 million individuals. The data were being leaked through two Telegram chatbots. After being notified of the situation, Telegram removed the bots and moderators are monitoring activity to ensure they are not recreated.
The attacker, who goes by the name of xenZen, claims to have obtained the data from the Star Health CISO Amarjeet Khanuja. Meanwhile, Star Health claims their CISO was not involved and threats against him are to create panic. Since the breach of 31 million policy holders plus over 5.8 million insurance claims, totaling about 7.24 terabytes, Star Health's shares have dropped 11% and they are suffering reputation damage. On top of all that, Star Health has a ransom demand of $68,000. Star Health is suing Telegram (bots that leaked the data), Cloudflare (hosting the data), and xenZen. Put this scenario into your tabletop playbook and see what happens when you have to restore company and C-Level reputations as well as share values. This becomes much more than a cyber/IT scenario.
The Register
Techopedia
Techradar
Cybersecurity News
Axis Health System, which operates 13 healthcare facilities in western and southwestern Colorado has acknowledged that they 'experienced a cyber incident.' The incident has disrupted the portal that patients use to communicate with healthcare providers. A ransomware group known for targeting healthcare organizations claimed responsibility for the attack on Thursday, October 10.
Researchers have discovered a significant number of healthcare devices, with medical information, which are exposed to the internet: 36% of these process medical images while 28% are EHR systems. While many of these are tied to small practices and positioned to share information with other medical professionals and hospital networks in their areas, steps need to be taken to limit access to only authorized partners. While it's simplest to open services to "all" to avoid steps to incorporate new users/partners, the threat is significant enough to warrant stronger controls such as MFA and device signaling to raise the bar. censys.com/state-of-internet-of-healthcare-things/: The Global State of Internet of Healthcare Things (IoHT) Exposures on Public-Facing Networks
The Record
Healthcare Dive
Axis Health System
Two separate US healthcare entities recently began notifying affected patients that their personal information was compromised. In information provided to the Maine Attorney General's office, Texas-based Gryphon Healthcare indicated that the breach of their systems affected more than 390,000 patients; California-based Tri-City Healthcare District indicated that a breach of their systems compromised information of more than 108,000 patients. In a patient notification letter, Gryphon wrote that they 'became aware of a data security incident involving a partner that Gryphon provides medical billing services for, which resulted in unauthorized access to certain personal and/or protected health information maintained by Gryphon.'
Security Week
Maine
Gryphon HC
Gov Infosecurity
Maine
The Tor Project has updated Tor Browser to version 14.0a9 to include a fix for a critical use-after-free vulnerability in Firefox. (Tor Browser is based on Firefox ESR). The vulnerability could be exploited 'to achieve code execution in the content process by exploiting a use-after-free in Animation timelines.' Mozilla released updates to address the flaw last week.
Tor Browser still uses Mozilla Firefox, arguably one of the most significant installations.
Tor Project
The Record
Security Week
Mozilla
NVD
Phishing Page Delivered Through a Blob URL
https://isc.sans.edu/diary/Phishing+Page+Delivered+Through+a+Blob+URL/31350
Fortinet Fortigate CVE 2024-23113 deep dive
This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands
Windows PPTP and L2TP Deprecation
BIG-IP LTM Systems Unencrypted Cookie Exploitation
Telekopye Toolkit Used in Hotel Booking Scams