US Legislators Say Strong E2EE Protects National Security; Microsoft Device Code Phishing; PAN-OS Flaw Exploited After Disclosure

Quoting Senator Wyden and Representative Briggs: "After years of senior U.S. government officials — from both Republican and Democratic Administrations — pushing for weaker encryption and surveillance backdoors, it seems that the U.S. government has finally come around to a position we have long argued: strong end-to-end encryption protects national security." Common sense and past experience certainly backs this, but every incoming administration gets lobbied immediately by intelligence agencies about the need for back doors, and overall data security has suffered.

John Pescatore

If Salt Typhoon has taught us anything, it's that weakening the security of communication provides opportunities for abuse. I understand the desire for warranted government access to conversations, but the US Congress is concerned by the price of intended access.

Christopher Elgee

It is nice to see our elected officials understand the issues with backdoors such as the UK requested. This move would add the US Government as an ally when pushing back against such requests, hopefully enabling providers to negotiate from a position of strength if not law. While this is getting attention, make sure you’re enabling available encryption, particularly on mobile devices, and make sure you’ve tested you are both using best practices and don’t have any gaps.

Lee Neely

The proposed bill highlights that in today's highly connected and digital world, security cannot be selectively compromised for one party without endangering all users. Either a service is secure or it is not, there is no middle ground.

Brian Honan

A bit surprising the speed and directness in the Congressional response to the UK TCN. AAPL has a card to play but it can’t stop the far-reaching effect of the TCN. What pressure, if any, the current administration applies will be interesting to watch in the coming days/weeks.

Curtis Dukes

The so-called Five Eyes have historically been allied in their opposition to private communications among their citizens. Salt Typhoon has taught the US a harsh lesson: "If allies are strong with power to protect me, might they not protect me out of all I own?"

William Hugh Murray

Oh interesting, an actual law that I can maybe get behind. I need to read the legalese a little more to really understand it.

Moses Frost

Something we covered in the Cloud Penetration Testing course I author is how OIDC systems work. Device Code Phishing is a thing; it’s likely a Just in Time Phishing attempt that would be nasty. The device code for something like the Azure CLI is only suitable for 10 minutes. Based on the screenshots, the phishing lures send you to some Microsoft services that support device code but are not the Azure CLI, as the messages do not indicate what is being used.

Moses Frost

Part of my full-time job is tracking social engineering attacks like this, and explaining these attacks in a simple-to-understand format so people can easily detect and stop them. I’ll be honest, I’m finding my job getting harder and harder. Attacks are getting far more sophisticated not only at a technology level but also at the human level; the emotional triggers and stories are extremely well thought out. This is why I try to stay away from the technical indicators of social engineering attacks and focus on the most common context indicators, such as tremendous sense of urgency, something too good to be true, pressure to ignore company processes, etc. One of the biggest challenges we face trying to secure the human is making security simple.

Lance Spitzner

This is another example of how OAuth fails users. OAUTH may be a great technical design, but it fails at usability. There appears to be, however, no overlap between security experts who understand cryptography well and those who understand users. Users do not understand what they exactly agree on. Some competence-free administrators attempt to compensate by asking for frequent logins, which sometimes worsens things as it leads to even more careless authentication and authentication fatigue.

Johannes Ullrich

Social Engineering, meet technology. The average user isn’t going to understand this weakness, but they will understand never giving their one time code to anyone. The long term solution is to implement phishing resistant MFA, which significantly reduces the influenced behavior based bypass option.

Lee Neely

As more and more organisations adopt MFA, criminals in turn will improve their techniques to bypass it. So, while MFA is now table stakes for protecting online systems, you do need to regularly review its effectiveness to stay ahead of evolving threats.

Brian Honan

This PAN-OS flaw is rooted in the chaining of different HTTP proxies, and these proxies interpret headers and paths slightly differently. Try avoiding that. I am not sure why PAN considered this solution, but complexity hardly ever helps with security.

Johannes Ullrich

The fact that individuals expose the management interfaces to the internet is a significant issue. This, however, does not mean do not patch; that is table stakes. Once you have it globally exposed to all your internal devices, you don’t have direct access from unknown sources on the internet, but it’s still an exposure. Harden your control planes. Should your phones be able to touch the management interfaces of the firewall?

Moses Frost

This is one of the quickest turnarounds from vulnerability to active exploitation in recent memory – 24 hours. It says three things: 1) Edge devices continue to be a high value target; 2) The skills needed to exploit are modest; and 3) Attackers are hungry for quick wins. Bottom line, patch the vulnerability; the attacker clock is running.

Curtis Dukes

Verify you’re no longer running PAN-OS 11, which may mean some lifecycle upgrades are in order, then cross check the update process. If you are leveraging HA, make sure you’ve tested the failover to know how it behaves.

Lee Neely

Giving some people timely information about vulnerabilities to patch without giving others information about vulnerabilities to exploit has proven to be difficult.

William Hugh Murray

XCSSET has an exciting target — Xcode — which means developers. This would be considered a supply chain attack. Here is the more significant thing: MacOS is a target in many technology shops. I wonder why we don’t see more of this. Maybe it’s just the legacy of understanding how Windows works and all the work that has gone into it.

Moses Frost

What’s most interesting is the ingenuity of the attacker to seed infected Xcode projects in open source. That shows understanding that developers will use what’s available to them, in effect hastening the spread of the malware. As far as inspecting the Xcode, that’s difficult as its not easily readable.

Curtis Dukes

The new variant of XCSSET has enhanced obfuscation techniques, and creates a fake version of launchpad and replaces the dock entry point, causing the malware and legitimate launchpad to execute every time it’s accessed from the dock. The best mitigation is to verify your Xcode projects.

Lee Neely

CVE-2024-53704, authentication bypass, has a CVSS score of 9.8, and with published PoC, you need to assume compromise, both applying the update and checking for IoCs. Even if you’ve applied the update, you may want your threat hunters to check for the IoCs anyway.

Lee Neely

Another Month, Another VPN Vulnerability Being Exploited. This time, it’s SonicWall. People forget about this device and how prevalent it is. Specifically, either in heavily Dell shops or MSPs/MSSPs.

Moses Frost

The Russian hosting service Zservers is being sanctioned for “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, LockBit ransomware.” In short, they enabled the attack by providing IP addresses, launch platforms and storage. Continued takedowns like this help the fight against ransomware, and you still need to remain diligent, continuing your cyber hygiene and user education efforts, and working the problem from both sides.

Lee Neely

A lot of Russian companies operate infrastructure in the Netherlands; that appears to be changing. While the sanctions and action by Dutch police will have a short-term impact on criminal activities, the hosting service remains active in Russia and other front companies will pop up soon.

Curtis Dukes

Well done to all involved in this operation. No doubt that the seizure of various servers by law enforcement will lead to more intelligence data which in turn will hopefully lead to the arrests of those behind ransomware attacks.

Brian Honan

One finds it difficult to conceive of any legitimate use of spyware that does not involve a judge or other magistrate.

William Hugh Murray

The intent is to put guardrails around the use of spyware. While well intended, I’m not sure those illegally using spyware are going to heed the restrictions.

Lee Neely

We have long known that complexity obscures, that it is the enemy of security. LLMs are so complex by design that they even obscure their own workings.

William Hugh Murray

While it is important to research AI offerings to see how they can be used to your advantage as well as discover possible risks, make sure you’re clear on where and how your data, prompt, payment, etc., is stored and protected. Make sure risks are accepted at an appropriate level before storing any sensitive information. If you’re going to experiment with DeepSeek, use a local copy.

Lee Neely

Don’t use DeepSeek Apps?

Moses Frost

The AG website appears to be back online and makes no obvious mention of the incident. With impacted service, transparency is your ally: giving users and customers direction, and alleviating fears with current, accurate information. Plan your communication well before you need it, then review and update that plan regularly.

Lee Neely