SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
UK Demands Government Backdoor in Apple's E2EE
The UK's Home Office has reportedly served a Technical Capability Notice (TCN) under the Investigatory Powers Act (IPA) compelling Apple to give the government backdoor access to worldwide users' encrypted data in the company's cloud service. Although "under the law, the demand cannot be made public," and while the Home Office will neither confirm nor deny "any such notices," both the Washington Post, who first reported the news, and the BBC have spoken with anonymous "sources familiar with the matter." The alleged demand specifically targets Apple's end-to-end encrypted Advanced Data Protection (ADP) measures, and may apply in cases of national security risk, requiring a legal permission process to access the backdoor. Apple's history with similar cases and the company's prior statements show a pattern of opposing or refusing such demands. In the UK specifically, out of over 6,000 requests for iCloud data between 2020 and 2023, Apple complied only four times. Cybersecurity experts and privacy groups have expressed deep concern over the serious risks to users' security and privacy posed by breaking encryption with backdoors; the Electronic Frontier Foundation notes that "any 'backdoor' built for the government puts everyone at greater risk of hacking, identity theft, and fraud," and the UK's Big Brother Watch states that such a backdoor "will not make the UK safer, but it will erode the fundamental rights and civil liberties of the entire population."
Editor's Notes
- Slide 1 of 6
It seems that the UK government and its advisors have not being paying attention to the recent Salt Typhoon attacks against US telcos where lawful intercept capabilities built into those networks were abused by hostile nation state actors to intercept traffic travelling over those networks. As I have said many times, "we can have strong encryption and accept that the cost will be its abuse by criminals while the internet is made more secure, or we can weaken encryption and accept that the cost will be its abuse by criminals while the internet is made insecure."
- Slide 2 of 6
Governments will never learn from past failures in implementing 'back doors' in communication infrastructure. Proposing this before 'Volt Typhoon' is even fully evicted (or even identified as far as the UK is concerned) is actually kind of funny.
- Slide 3 of 6
Encryption with a "government/law enforcement" backdoor is an oxymoron. Remember the clipper chip? We've seen this movie before, there is no effective way to restrict access to that back door, let alone prevent others from reverse engineering it. The concerns over decrypting iCloud data were exacerbated with the introduction of Advanced Data Protection for iCloud in iOS 16 which enables end-to-end for the majority of your iCloud data, and not even Apple can access this data.
- Slide 4 of 6
If you thought the Cryptography War ended with Salt Typhoon, think again. Apparently governments will never gracefully consent to private communications for their citizens. As one might infer from Salt Typhoon, any such backdoor will become the target of choice for all the resources of China, Israel, Iran, Russia, and North Korea, not to mention NSA. It is unlikely that Scotland Yard, Special Branch, MI5, and GCHQ can protect any such backdoor better than the FBI, NSA, and the Telcos were able to protect CALEA. Such a facility, justified by terrorism and crime, will inevitably be used for surveillance, not limited to His Majesty's subjects.
- Slide 5 of 6
Everyone is watching how Apple will handle this. A backdoor for the UK government is a universal backdoor for everyone. At least that's what it would appear on the surface. I don't know how that will work or if Apple will be okay with it. If you want to know what these backdoors can be used for just follow Salt Typhoon, CALEA, and all that mess.
- Slide 6 of 6
Apple has been at the forefront in protecting the communication of users of its products. It was only a matter of time before some Government would demand access for national security purposes. One can understand the arguments, and each are valid. What's particularly interesting is the reach of the Investigatory Powers Act. If successful, other nations will surely follow in the UKÕs footsteps.
Slide 1 of 0- Slide 1 of 6
Ongoing Brute Force Attack Employs 2.8 Million Compromised Devices
The Shadowserver Foundation has detected an ongoing brute force attack on the login credentials of network devices, carried out at an increasing scale since January, 2025, daily employing up to 2.8 million compromised network devices worldwide. The attacks appear to target a wide range of edge devices including those from major manufacturers such as Palo Alto, Ivanti, and SonicWall, and appear to originate from routers and IoT devices mainly made by MikroTik, Huawei, Cisco, Boa, and ZTE. Shadowserver observes that the IP addresses involved may suggest a botnet employing residential proxy networks. BleepingComputer suggests changing and strengthening passwords, enforcing MFA, "using an allowlist of trusted IPs," and disabling unused web admin interfaces. In a separate story, last week, cybersecurity agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) jointly published guidance for securing edge devices.
Editor's Notes
- Slide 1 of 4
This is what we enable when we fail to properly manage the devices that we expose to the public networks.
- Slide 2 of 4
What's particularly troubling about this attack is the number of compromised devices employed. It speaks to the poor job that IoT vendors have done embodying secure by design principles in their products. Hard-coding credentials in a product is no longer acceptable and vendors should be help accountable. In the meantime, prioritize MFA enforcement for all Internet facing devices.
- Slide 3 of 4
The attack leverages compromised SOHO devices, but the initial attack vector to those devices is unknown. Those devices are attempting password/login attacks. Make sure that your devices are not only running the most current firmware but are also still supported. Change default passwords and disable WAN access to the management console. Make sure VPN or remote access services use MFA rather than password-based authentication. Lastly, make sure you're not only monitoring service use but also actively reviewing/managing users.
- Slide 4 of 4
If you have an edge device with an N+1 day vulnerability and you get owned. Well, I mean, that's on you at this point. Honestly.
Slide 1 of 0- Slide 1 of 4
UK Ministry of Defence Fast-Tracking Training for Cyber Specialist Positions
The UK military is fast-tracking cyber-recruits to ensure that 50 cyber specialist operational positions within the Royal Navy and Royal Air Force are filled by the end of the calendar year. Recruits entering through the 'cyber pipeline' will complete their basic training within a month rather than the regular ten weeks. They will then receive three months of specialized training at the Cyber Defence Academy.
Editor's Notes
- Slide 1 of 2
It's a new day in the military with cyber skills very much in demand. For the recruit it's an opportunity to obtain skills that translate into high demand private sector jobs upon completion of military service. Well, done UK MoD, well done.
- Slide 2 of 2
The UK is dropping the traditional basic (fitness and weapons) training, focusing instead on needed cyber skills to fill the gaps in their Navy and Air Force now. The British Army is slated to join the campaign in 2026. Since last July, the UK has also increased the starting compensation by 35% for recruits and removed 100+ outdated policies which block or slow recruitment to attract and retain candidates. My concern is the lack of comradery and defense skills developed in basic training may put these candidates at risk as they are still soldiers, particularly when deployed in the field.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Apple Patches Zero-Day in iOS and iPadOS
Apple has released iOS 18.3.1 and iPadOS 18.3.1 and 17.7.5 to address a vulnerability that was being actively exploited in targeted attacks. The flaw could be exploited to 'disable USB Restricted Mode on a locked device,' and was fixed through improved state management. The vulnerability was detected by Bill Marczak, a researcher at the University of Toronto's Citizen Lab, which 'focus[es] on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.'
Editor's Notes
- Slide 1 of 3
USB Restricted mode, introduced in iOS 11.4.1, prevents unauthorized USB data access to your locked device, and is one countermeasure to bad-USB attacks, mitigating some risks for travelers who don't always think twice before connecting for a charge. This protection was augmented in iOS 18, which introduced an inactivity reboot (after 72 hours), which makes forensic access to devices much harder as when the device is in "Before First Unlock" mode all encryption keys are in the secure enclave and not otherwise accessible without the device passcode. CVE-2025-24200, USB Restricted Mode bypass, doesn't have a CVSS score and while the bypass is a sophisticated physical attack, the update is worth applying to your iOS/iPad 17 & 18 devices now; it's under 500mb and only takes a few minutes to install.
- Slide 2 of 3
Apple has done a fantastic job getting everyone to update their phones. I suspect that most people will update. What's interesting is the impact of this patch on physical access, as the exploit attacks the USB lockdown. Makes you wonder how they arrived at this exploit.
- Slide 3 of 3
Apple also published updates for MacOS, but these updates did not fix any security issues.
Slide 1 of 0- Slide 1 of 3
Trimble Cityworks Flaw Exploited
The Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control Systems (ICS) advisory, warning that some versions of Trimble Cityworks, an infrastructure software tool for managing assets and work, are vulnerable to a flaw that is under active exploit. The flaw, CVE-2025-0994, CVSS score 8.6, allows an authenticated user "to execute arbitrary code on the IIS server due to deserialization of untrusted data." All versions of Trimble Cityworks prior to 15.8.9 and Cityworks with office companion prior to 23.10 are affected; Cityworks Online has been automatically patched, and Trimble urges users to update on-premises instances immediately. The indicators of compromise (IoCs) show that "attackers attempted to leverage the flaw to deploy payloads including obfuscated JavaScript code, a custom Rust loader used to load Cobalt Strike, and various other malicious executable and binaries." Local and federal government agencies use Trimble Cityworks to manage "airports, utilities, municipalities and counties," and all Federal Civilian Executive Branch agencies must patch by February 28.
Editor's Notes
- Slide 1 of 3
The importance of sanitizing ALL input cannot be overstated. If your developers have never seen how easy it is to manipulate input data, perhaps a demonstration is in order. If your QA process isn't checking every input to make sure it's sanitized, you need to address that oversight. While a WAF can mitigate the risk on your applications, particularly COTS, the best fix remains within the application code itself as you need to continue to verify the WAF mitigations work throughout application lifecycles.
- Slide 2 of 3
Given the current quality of much of our software, it is prudent to hide as much of it from the Internet as possible. Given recent history of vulnerabilities in firewalls, consider layering them, at least for mission critical systems and applications. Ensure that sensitive data is encrypted at rest, keeping in mind that "cryptography is harder than it looks."
- Slide 3 of 3
According to the CISA advisory this flaw can be exploited by an "authorised user." To reiterate previous commentaries, any critical management systems should not be internet facing and instead should be only accessible via a VPN with all accounts protected by MFA.
Slide 1 of 0- Slide 1 of 3
Researchers Find Security and Privacy Issues in DeepSeek iOS App
Researchers at NowSecure have detected multiple security and privacy vulnerabilities in the DeepSeek app for iOS. NowSecure's assessment of the app turned up a number of risks, including unencrypted data transmission; weak and hardcoded encryption keys; unsecure data storage; data collection & fingerprinting; and data sent to China and subject to laws in PRC. NowSecure urges organizations to prohibit the use of the app, 'explore alternative AI platforms that prioritize mobile app security and data protection, [and] continuously monitor all mobile applications to detect emerging risks.'
Editor's Notes
The vulnerability research is troubling on several fronts. Like the UK Investigatory Powers Act (see NewsBites snippet), Government can demand access to the data stored by ByteDance. In this case however, the Chinese government has access to the unencrypted communications. The question becomes, is this simply poor coding practices exposed in one's rush to market, or something more devious? You can decide.
UK's Cyber Monitoring Centre Launches Incident Classification Systems
The UK's independent, non-profit Cyber Monitoring Centre (CMC) is now classifying cyber incidents by severity. CMC was initially conceived to provide quantifiable information for insurance companies to help them determine whether a cyber incident constitutes a systemic event; the organization will provide information to 'all security risk owners.' The CMC will evaluate incidents affecting organizations within the UK that are estimated to have 'a potential financial impact' of at least £100 million ($123.6 million). Categorization criteria include number of organizations impacted by the incident and the total estimated financial damages. For each evaluated incident, CMC staff members will provide a severity categorization from 1 to 5 and a report detailing how they arrived at the categorization. The CMC's classification system bears a resemblance to the scale used to classify hurricanes.
Editor's Notes
Well, I'm all for simplifying things. In this case, not sure it makes a whole lot of sense. The insured's state of defenses come into play, and they are not all equal. And, besides, it doesn't really solve any problem. That is, unless it's really just a feint to immunize the insurance industry. All I can say for now is meh.
Updates Available for Critical Vulnerability in Orthanc Server
A critical flaw in Orthanc Server could be exploited to disclose information, modify records, or cause denial-of-service conditions. The issue lies in missing authentication for a critical function and affects Orthanc Digital Imaging and Communications in Medicine (DICOM) Server versions older than 1.5.8. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control System (ICS) Medical Advisory describing the issue. Users are urged to upgrade to the most recent version to Òenable the HTTP authentication by setting the configuration "AuthenticationEnabled": true in the configuration file.'
Editor's Notes
- Slide 1 of 2
DICOM is a mess. It's a total mess. I am *very* surprised that we have not seen widespread exploitation. I'm telling you that after working in healthcare, people put DICOM servers on weird ports all over the place, and barely any scanners exist for it. It's a nightmare waiting to happen.
- Slide 2 of 2
CVE-2025-0896, missing authentication, CVSS score 9.8, can be exploited remotely with a low level of complexity. In addition to applying the update and security configuration change, also minimize network exposure to your ICS devices, don't expose them to the Internet, and restrict internal access to verified systems. Take a look at CISA's latest ICS Defense-in-Depth Strategies guide to see if you're missing any updated approaches to keep your systems protected.
Slide 1 of 0- Slide 1 of 2
Another British Engineering Firm Discloses Cyberattack
In a report to the London Stock Exchange, British engineering firm IMI plc has disclosed 'a cyber security incident involving unauthorised access to the Company's systems.' IMI has not provided many details beyond stating that they brought in third-party experts to investigate. IMIÕs disclosure comes roughly a week after another UK engineering firm, Smiths, disclosed a cyberattack.
Editor's Notes
Per Dragos, there were 119 ransomware attacks in 2024 targeting European companies, (UK, Germany and Italy most affected) and from July to September there were 394 attacks on the manufacturing sector globally, 56 of which targeted ICS systems. If you're in either of these categories, make sure you're up to speed on your cyber hygiene. Revisit the risks of exposed services, and consider newer compensating controls where access is only granted to continuously vetted devices.
US Newspaper Publisher Disrupted by Cyberattack
In a 10-Q form filed with the Securities and Exchange Commission (SEC), newspaper publisher Lee Enterprises disclosed a "cyber incident" on February 3, 2025, that has resulted in an IT outage and disruption of the company's operations. Lee Enterprises "publishes 77 daily newspapers and 350 weekly and specialty publications in 26 states," and many of its news outlets experienced the effects of the attack, including days of problems with editorial and production applications, sometimes causing delayed or missed publications, as well as problems with reader subscription account access. The company notified its employees on the day of the attack that "data centers hosting applications and services used by Lee employees and media outlets were offline, including its systems for subscriber services," and "call center applications, some phone lines and other core systems, including [the] VPN for remote employees and single sign-on for accessing applications, were inaccessible." At time of this writing, the outages have not been resolved. The exact nature, scope, full impact of the attack, and anticipated recovery timeline have not been disclosed.
Editor's Notes
The digital news sites still have headers indicating services are undergoing maintenance affecting access to subscription accounts and the electronic edition. The most visible impact to analog subscribers was a loss of printed editions, and publishers are working to print and deliver these back issues. Lee Enterprises is not yet claiming the event is materially impactful but is keeping recovery details close.