SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Apple and Google Want Shorter Certificate Lifecycles
Apple has proposed significantly reducing the length of time that SSL/TLS certificates remain valid. Currently, the certificates are valid for 398 days; Apple's proposal describes a gradual reduction in the length of certificate lifecycles, ending with a 45 day validity period by 2027. Similarly, Google plans 'to study the impact of reducing domain validation reuse periods to 90 days or less.' Sysadmins have made known their unhappiness with the plans.
Editor's Notes
- Slide 1 of 4
This change has been discussed for about a year now. It is important to automate certificate renewals, if possible with standard protocols like ACME. Some certificate authorities may also offer their own solutions, but be careful before you lock yourself into a proprietary solution.
- Slide 2 of 4
The CA Browser Forum has now been around for almost 20 years and has always been slow to make needed progress in making an SSL trust chain actually trustable. In 2011, compromise of a Comodo affiliate Registration Authority resulted in bogus certificates being issued for domains at Yahoo, Google, Skype, Mozilla and others. This pointed out how weak the strength of registration validation was, and in 2014 the Heartbleed OpenSSL vulnerability was discovered and we saw how badly certificate revocation was handled. The changes recommended are long overdue. Imagine if we said 'Let's only patch Windows once every 398 days because sys admins are complaining.' CIOs like to talk about rapid development and CI/CD pipelines - if IT operations can really do that they should be able to patch operating systems every 2 weeks and renew certificates every 45 days by 2027.
- Slide 3 of 4
With the advent of Let's Encrypt, I would say this is an excellent idea for a large set of websites on the internet. Where this is problematic are protocols that live outside of the web. Some certificates are used internally between services in various places. One example is 802.1X/NAC with EAP and EAP-TLS. Another example is Smart Cards. There are just some places where renewing certificates is more problematic and impactful. Let's do this where we can and consider something longer-term where we cannot.
- Slide 4 of 4
There will have to be agreement on duration: 90, 45, etc. Shorter lifetime reduces the amount of time a compromised certificate can be used, reducing risk and improving security. This will also require automation as we're busy putting certificates on endpoints, mobile devices, and about any service which supports it, and there is no good way continue manual updates. Let's Encrypt already only issues 90-day certificates. Even with 398-day expirations, start automating certificate updates; your future self, who isn't getting the expired certificate ticket, will thank you.
Slide 1 of 0- Slide 1 of 4
CISA: SolarWinds Hardcoded Credential Bug is Being Actively Exploited
The US Cybersecurity and Infrastructure Security Agency (CISA) says that there is a hardcoded credential vulnerability in SolarWinds Web Help Desk; CISA has added this to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerability 'could allow a remote, unauthenticated user to access internal functionality and modify data.' SolarWinds has released a hotfix to address the flaw.
Editor's Notes
- Slide 1 of 4
I hope Solarwinds does not blame the intern this time. The password isn't Solarwinds123 É is it?
- Slide 2 of 4
CVE-2024-28986, Java Deserialization RCE flaw, CVSS score 9.8, and CVE-2024-28987, hardcoded credential flaw, CVSS score 9.1, are fixed in SolarWinds Web Help Desk (WHD) 12.8.3 Hotfix 2 or 3. As WHD 12.8.3 Hotfix 3 is now available, if you've not already applied HF 2, go straight to HF3. Per the NIST KEV, you have until November 5th to remediate this vulnerability.
- Slide 3 of 4
This was expected as soon as the credentials became public.
- Slide 4 of 4
Ugh, hardware credential baked into the product. That's bad enough, but to have to announce another hot fix in the span of six months after the last bugaboo that gained so much notoriety Not a good look for the company after it tried to calm jittery customers with an independent third-party audit and security focused marketing blitz.
Slide 1 of 0- Slide 1 of 4
Security Agencies from US, Canada, and Australia Warn Iranian State-Sponsored Cyberthreat Actors are Targeting Critical Infrastructure
In a joint cybersecurity advisory, the US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA); the Communications Security Establishment Canada (CSE); the Australian Federal Police (AFP), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) warn that Iranian state-sponsored cyberthreat actors are targeting critical infrastructure organizations in multiple sectors. The attackers' techniques include password spraying and MFA push bombing to gain access to targeted accounts. The advisory includes a list of tactics, techniques, and procedures used by the threat actors, as well as indicators of compromise.
Editor's Notes
- Slide 1 of 3
MFA push bombing attacks are why you should be looking at phishing resistant MFA. If you've rolled out MFA, make sure that you're covering all Internet facing services. Train users to detect unsuccessful login attempts, deny MFA requests they didn't generate, and ensure that MFA, where enabled, is properly configured. Make sure that passwords, where used, are strong and follow the latest NIST 800-63 guidance, and that you're disabling accounts in an expeditious fashion. Make sure that you're tracking password reset requests for attempts to bypass your processes.
- Slide 2 of 3
Can't we just get to the point where we say, if you're internet facing, you're being targeted? I mean, nation state, cyber-criminal, hacktivist, they're all using the same tactics listed. If I'm a defender, I already know I'm a target of some organization. The best thing I can do is be religious in the patching, configuring, and monitoring of my enterprise. Have we 'over-rotated' on the value of threat intelligence?
- Slide 3 of 3
Even the most obvious bears repeating.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
Readiness for Post-Quantum Cryptography Means Renovation and Innovation
Nearly fifty percent of US federal cybersecurity "experts and decision-makers" surveyed by General Dynamics Information Technology (GDIT) identified legacy systems as a major obstacle to implementing post-quantum cryptography (PQC) in "defense, civilian, and intelligence agencies." About the same proportion of respondents are "actively developing strategies for PQC readiness," but resource limitations may account for the 17 percent with "no defined plans" nor priorities for the transition. The study asserts that "the ability to consistently monitor and update cryptographic systems will be crucial as new algorithms and standards are adopted." In August, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published guidance for strategizing and tracking US agencies' adoption of PQC, and the National Institute of Standards and Technology (NIST) released the finalized ML-KEM, ML-DSA, and SLH-DSA algorithms "designed to withstand the attack of a quantum computer." Days prior to GDIT's survey results, a consortium was announced comprising three companies, all developers of powerful encryption-focused hardware: the Fully Homomorphic Encryption Technical Consortium (FHETCH). "Fully homomorphic encryption is a quantum-resilient cryptography method that allows encrypted data to be processed without first decrypting it," and the consortium's goal is "to collaborate on technical standards necessary to develop commercial fully homomorphic encryption solutions and lower adoption barriers."
Editor's Notes
- Slide 1 of 2
While we tend to think of NSA in its SIGINT mission, they also have responsibility for COMSEC. They will get it right in time.
- Slide 2 of 2
We can barely get companies on TLS 1.3 or just on TLS 1.2, released in 2008. Some work is already being done out of various universities claiming to have 'broken' RSA and possibly AES. Broken is probably the wrong way of thinking about it. They have proven prime number factorization to decrypt RSA in a reasonably fast amount of time using Quantum computing. This means that there may not be a reasonably good enough cryptographic set of algorithms that would be truly secure for some time. This is the current thinking, which probably means that we need to be much more agile in quickly changing ciphers.
Slide 1 of 0- Slide 1 of 2
CISA/FBI 'Bad Practices' Guidance Open to Feedback
"Product Security Bad Practices," a joint guidance document from the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI, is open to public comment until December 2, 2024. The guidance is not set of requirements, but rather recommendations "urg[ing] software manufacturers to reduce customer risk," outlining "exceptionally risky" software design practices and how to best avoid them. Three categories define the list: 1. "Product properties," including development in memory unsafe languages, user input in SQL queries and OS command strings, use of default passwords, and inclusion of known KEVs; 2. "Security features," including lack of MFA and lack of available logs in the baseline product for providing evidence of intrusion; and 3. "Organizational processes and policies," including failure to publish "timely CVEs with CWEs," and failure to publish a vulnerability disclosure policy.
Editor's Notes
- Slide 1 of 2
CISA continues to shine the light on bad coding practices in support of their Secure by Design, Secure by Default, and Secure Operations initiatives. Those old shortcuts and bad practices need to become a thing of the past. Regrettably, some systems may need a forklift replacement rather than the end-to-end revamping of the security. The best plan is to work with your suppliers on what their plans are, and make sure that your internal SQA practices are set up to catch these bad practices.
- Slide 2 of 2
Trying to teach good practice is not working. Calling out bad practice is worth a try.
Slide 1 of 0- Slide 1 of 2
US Defense Department Publishes Cybersecurity Maturity Model Certification Rule
The US Department of Defense (DoD) has published the final version of the Cybersecurity Maturity Model Certification Program Rule in the Federal Register. The rule, which aims to help 'verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI),' takes effect in mid-December.
Editor's Notes
Requirements for protecting CUI and FCI have been solidifying for about 10 years now. CMMC is designed to enforce these requirements, and this ruling now creates a standardized measurement to ensure this information is properly protected. This will be a part of awarding contracts. The DCMA DIBCAC website (https://www.dcma.mil/DIBCAC/) includes pre-assessment documents, a publicly releasable version of the assessment database, FAQs, and other reference material you'll need.
Pilots Flying With Spotty GPS in Parts of Norway Due to Jamming Attacks
GPS jamming is so prevalent in parts of Norway that the country's communication authority (NKOM) has stopped logging the events, accepting the situation as a 'new normal.' A captain and senior safety advisor with the Norwegian airline Widere said the jamming incidents last around seven minutes, and that they are experienced 'every day.' The jamming causes the GPS to stop working; pilots are able to navigate by communicating with ground stations. In recent years, some smaller airports have begun using GPS exclusively in place of ground-based equipment.
Editor's Notes
- Slide 1 of 2
Good practice in navigation, land, sea, and air, is to use more than one method. It is equally good practice in security.
- Slide 2 of 2
Pilots compare flying during the jamming, which lasts 6-8 minutes at a time, to being transported back 30 years in time. The ground-based systems are becoming less common due to their increased cost versus GPS. Currently, these attacks are largely in the vicinity of the Russia/Ukraine conflict and now also include jamming of the GNSS satellite and ground communications bands. Even devices like iPads, which use multiple GPS satellites for accuracy and resiliency, are impacted by the jamming.
Slide 1 of 0- Slide 1 of 2
Microsoft's Digital Defense Report 2024
Microsoft's Digital Defense Report 2024 addresses a range of topics, including nation-state threat actors, ransomware, identity and social engineering, strategic approaches to cybersecurity, the emerging threat landscape, AI for defense, and advancing global AI security. The main report summary page includes links to a general executive summary, as well as executive summaries tailored to CISOs and to Government and Policy Makers.
Editor's Notes
- Slide 1 of 3
Except for the Actionable Insights sections, this should really be called the Microsoft Digital Threat Report 2024. I tried to get the Chat GPT AI bot to just pull those sections - most of them started with 'Move to Multi-Factor Authentication' - but could not get it to do it. To save you a lot of reading, 70 pages in I found this summary for OT security that really is the same for IT: 'Based on this work we've identified three core actions that, if taken by the operations technology industry, would significantly improve the security of systems across the industry: 1 Adopt modern authentication for users and devices. 2 Enable centralized device configuration management and secure apps and devices by default. 3 Implement a Secure Development Lifecycle (SDLC) program for product development that is certified by independent security experts.'
- Slide 2 of 3
The top targeted sectors worldwide are, IT (24%), Education and Research (21%), Government (12%), Think tanks and NGOs (5%), Transportation (5%), Consumer Retail (5%), Finance (5%), Manufacturing (4%), Communications (4%), and other (16%). From 2023 to 2024 there is an increase of over 13 trillion security signals per day with over 1500 unique threat groups tracked. While many of the recommended mitigations are familiar, note that OT is even more firmly on the radar as trends show an increasing focus on attacking these components. The report is 114 pages, while the summaries are about 14, so you want to start there first.
- Slide 3 of 3
The report weighs in at a beefy 114 pages. As always, chock full of interesting tidbits on the evolving threat and security, including AI. Here's the bottom line by Tom Burt: "We all can, and must, do better, hardening our digital domains to protect people at all levels." That quote was applicable in 2023, in 2022, in 2021, É you get the picture.
Slide 1 of 0- Slide 1 of 3
US DoJ Indicts Sudanese Brothers for Alleged Roles in Multiple Damaging DDoS Attacks
The US Justice Department (DoJ) unsealed a June 2024 indictment against two Sudanese brothers for allegedly operating Anonymous Sudan, a hacktivist group that has claimed responsibility for numerous significant distributed denial-of-service (DDoS) attacks. The group's targets include ChatGPT, Microsoft, Telegram, X, and the Associated Press, as well as government websites in several countries, an alert system warning of incoming missiles, and hospitals in multiple countries. The indictment charges Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer with conspiracy and impairing computers. The brothers were arrested in March and are being held in an undisclosed location.
Editor's Notes
Score one for the good guys. That said, too many servers are left misconfigured and unpatched that enable DDoS attacks. What accountability, if any, should those organizations bear for not exhibiting a standard 'duty of care' in properly maintaining the devices?
Critical Vulnerability in VM Images Built with Kubernetes and Proxmox
Virtual machines (VMs) running an image built with Kubernetes Image Builder 0.1.37, or any previous versions, are vulnerable to unauthorized SSH connection leading to access with root privileges, with especially high risk to images made with the Proxmox provider. The SSH connection would allow a threat actor to use default credentials which were "enabled during the image-building process and not disabled afterward." The Kubernetes/Proxmox flaw (CVE-2024-9486) carries a critical 9.8 CVSS rating; images built with other providers are still vulnerable, but not as severely (CVE-2024-9594, CVSS 6.3). A security advisory on the Kubernetes forum recommends mitigation by rebuilding and redeploying affected images, disabling the builder account on affected VMs, and upgrading to Image Builder 0.1.38 or later.
Editor's Notes
A pox on default passwords. We need to get beyond them, like yesterday. The updated rebuild process sets a randomly generated password for the builder account during the build and then disables account when finished.
Jetpack Updates 100+ Versions of Plugin to Fix Critical Flaw
Jetpack has released updated versions of its WordPress plugin to address a critical flaw in the Jetpack Content Form feature. The vulnerability was reportedly discovered during a security audit. Jetpack has updated versions of the plugin as far back as version 3.9.10; in all, they released updates for 101 versions. So far, there is no assigned CVE for the vulnerability.
Editor's Notes
Make sure that you've got automated updates of your plugins enabled and your copy of Jetpack is up to date. It's a bit crazy that Jetpack released updates for 101 versions of their plugins; most vendors would have a smaller subset, outside of which you need to install a supported version. Even with this model, it'd be a good idea to make a deliberate plan to move to the version 13.9.1 or later. While you're in your WordPress plugin list, uninstall unused or disabled plugins. Not only do they leave potentially unsecure code on your server, but also, they can contribute to instability of your WordPress site.
Internet Storm Center Tech Corner
Scanning Activity from Subnet 15.184.0.0/16.
https://isc.sans.edu/diary/Scanning+Activity+from+Subnet+151840016/31362
The Top 10 Not So Common SSH Usernames and Passwords
https://isc.sans.edu/diary/The+Top+10+Not+So+Common+SSH+Usernames+and+Passwords/31360
Angular-base64-upload Demo Script Exploited
https://isc.sans.edu/diary/Angularbase64update+Demo+Script+Exploited+CVE202442640/31354
Gatekeeper Bypass
https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/
Oracle Critical Patch Update
https://www.oracle.com/security-alerts/cpuoct2024.html
Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities
SAP Vulnerability
https://redrays.io/blog/poc-sap-note-3433192-code-injection-vulnerability-in-sap-netweaver-as-java/
Dept. of Commerce Sites Advertising Medication
https://x.com/tliston/status/1833542884047654984
CISA Product Security Bad Practices
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
Kubernetes Image Builder Vulnerability CVE-2024-9486 CVE-2024-9594
SolarWinds Hardcoded Password Exploited CVE-2024-28987
Bypassing noexec and executing arbitrary binaries
https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries
Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage
https://www.theregister.com/2024/10/14/china_quantum_attack/
EDRSilencer
https://github.com/netero1010/EDRSilencer
Synchronizing Passkeys
https://fidoalliance.org/specifications-credential-exchange-specifications/