Companies Report Progress in Implementing CISA Secure by Design Pledge Goals; FBI: Warns of Compromised Government eMails Used to Request Information; Phishing Campaign Accuses Recipients of Copyright Infringement

Over the past six months, nearly 250 organizations have signed the US Cybersecurity and Infrastructure Security Agency's (CISAÕs) Secure by Design Pledge. The Pledge comprises seven goals: increasing the use of multi-factor authentication (MFA); reducing default passwords; reducing entire classes of vulnerabilities, such as memory safety, cross-site scripting, and SQL injection vulnerabilities; increasing the level of patch installation; publishing a vulnerability disclosure policy; increasing transparency in vulnerability reporting by publishing CWE and CPE fields in every CVE record; and 'providing artifacts and capabilities to gather evidence of intrusions.' Multiple companies, including Amazon Web Services, Fortinet, Microsoft, Okta, and Sophos, have taken steps to fulfill the pledge.

The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification that warns of an 'uptick' in compromised US and foreign government email addresses being used to make 'fraudulent emergency data requests to US-based companies, exposing personally identifying information (PII).' Suggested mitigations to help prevent exposure of sensitive data include vetting third-party vendors' security posture, and stepping back to examine elements - including images and referenced legal codes - of requests for sensitive information, particularly when the requests have been fabricated to instill a sense of urgency.

Researchers at Check Point have identified a phishing campaign that attempts to scare people into downloading malware by impersonating media and technology companies, and by accusing the email recipient of copyright infringement. The phishing emails come from different Gmail accounts each time; they urge recipients to download an archive file, which employs DLL side-loading to deploy an information stealer known as Rhadamantys.

On November 7, Anthropic announced a partnership with Amazon Web Services (AWS) and US intelligence and defense contractor Palantir. The deal leverages AWS to integrate Claude AI 3 and 3.5 into the Palantir AI Platform, accredited at DOD Impact Level 6 (IL6), which "handles data critical to national security up to the 'secret' classification level." Claude is expected to automate the processing and analysis of large volumes of documents and data, and in the words of Anthropic CTO Shyam Sankar, to bring "decision advantage to [U.S. defense and intelligence communities'] most critical missions." Authority to make those decisions will still rest with human beings. Ars Technica notes that Anthropic is drawing criticism online for this perceived compromise of their proactively "ethics- and safety-focused approach to AI development." Anthropic's announcement arrives in good company: In the words of Scott Rosenberg with Axios, "The public sector AI gold rush is on." While Meta explicitly prohibits use of its Llama AI for use in military and espionage applications, a November 4 announcement disclosed that the platform is now open to "U.S. government agencies, including those that are working on defense and national security applications, and private sector partners supporting their work," including Palantir, Anduril, Booz Allen, and Lockheed Martin. The same day as Meta's press release, Scale AI separately debuted "Defense Llama," a variation on Meta's Llama 3, purpose-built for warfare. Scale AI's Dan Tadross states that protections built into commercial LLMs are too restrictive for military applications: "We needed to figure out a way to get around those refusals in order to act. Because if you're a military officer and you're trying to do something, even in an exercise, and it responds with 'You should seek a diplomatic solution,' you will get very upset. You slam the laptop closed."

Several US government entities have partnered or continued developing a relationship with OpenAI technology, including the National Gallery of Art, NASA, the Internal Revenue Service, Los Alamos National Laboratory, the Air Force Research Laboratory, and the Defense Advanced Research Projects Agency (DARPA). Many have purchased ChatGPT licenses for a variety of purposes, often to "reduce administrative burdens and increase efficiency." First among ChatGPT's Enterprise customers was the US Agency for International Development (USAID). The Federal Aviation Administration (FAA) has also published documents indicating interest in "machine learning and artificial intelligence to identify safety risks."

In a data security incident notice, Missouri-based law firm Thompson Coburn LLC says that information belonging to patients of one of their clients, New Mexico-based Presbyterian Healthcare Services (PHS), was compromised. Thompson Coburn 'became aware of suspicious activity within [their] network' in late May. A subsequent investigation revealed that files viewed and/or taken by intruders included some PHS patients' protected health information. The law firm has notified the US Department of Health and Human Services Office for Civil Rights; the number of individuals affected by the breach is estimated to be more than 305,000.

Researchers from Trend Micro's Zero Day initiative detected six vulnerabilities in the Mazda Connect Connectivity Master Unit (CMU) system, which is used in multiple models of Mazda vehicles. All flaws are due to insufficiently sanitized user-supplied input, and could be exploited by an attacker with physical access to the system. Some of the flaws could be exploited to execute arbitrary code with root privileges. The vulnerabilities are currently unpatched.

The US Transportation Security Administration (TSA) has published a notice of proposed rulemaking that would 'impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators, and a more limited requirement on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents.' TSA is accepting public comment on the proposed rulemaking through February 5, 2025.

Amazon has confirmed that a security breach of a third-party vendor resulted in the compromise of some Amazon employee data. The breach was among the May 2023 MOVEit incidents; the compromised information includes work contact information, such as work-related email addresses, phone numbers, and building locations.

Halliburton's most recent financial report says a cybersecurity incident disclosed earlier this year has cost the company $35 million so far. In August filings with the US Securities and Exchange Commission (SEC), Halliburton noted that the incident forced the energy services company to temporarily shut down IT systems and disconnect customers, and that the threat actors stole information.