SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Apple Removes Advanced Data Protection for UK Customers
Apple is removing Advanced Data Protection (ADP) end-to-end encryption (E2EE) for iCloud storage from the roster of services it offers customers living in the UK. The move is a response to the UK government's demand for access to customer data to comply with the UK Investigatory Powers Bill. Some iCloud data, including health information, iMessages, and FaceTime calls, will retain E2EE protection. ADP is an opt-in feature. Apple will not turn it off, but UK customers who attempt to enable ADP will see an error message. UK customers who already use ADP will need to disable it themselves. Apple notes that 'we have never built a backdoor or master key to any of our products or services and we never will.'
Editor's Notes
- Slide 1 of 7
In many sci-fi worlds, tech companies become more powerful than governments. This story would be one small prologue to such a future. See also: Signal leaving Sweden (https://swedenherald.com/article/signals-ceo-then-were-leaving-sweden). It will be interesting to see what pressure consumers/citizens will place on their elected officials in cases such as these. Do they let it go, or do they push their governments to relent to the tech provider?
- Slide 2 of 7
If Apple had acceded to this request it would have meant any backdoor they introduced would impact all of their global users, not just those in the UK. By removing the service from its UK customers Apple has been forced to reduce the security of its UK customer base, but retain the security for the rest of its users. That is, until other governments introduce similar laws and make similar demands from Apple. We are moving back into the era of encrypting data under your own control rather than relying on services provided by third parties.
- Slide 3 of 7
This doesn't eliminate encryption of Apple's iCloud data; it reduces the items Apple cannot access for UK users. Given that UK users already using ADP will be contacted at a future date about turning that off, this feels like a stopgap; hold off on disabling until required or an alternate solution is available. In today's risk climate, you should be working to encrypt your data wherever stored, using available mechanisms, particularly when storing personal data in someone else's system. You should not only encrypt it, but also, if possible, control access to that encryption. ADP does that for iCloud services.
- Slide 4 of 7
The increased local fragmentation of data protection laws makes it more and more important to identify the location of customers and where the data the customers are accessing are stored. To simplify compliance, many organizations will have to carefully map customer-data location relationships and, in some cases, move data closer to customers. For iCloud, customers may opt to exit iCloud and instead use premise services. In particular, iCloud backups are relatively easy and affordable to host on premise.
- Slide 5 of 7
As expected, and AAPL standing on principle given the difficulty in complying without putting all customer data at risk. AAPL had already given a small win to Government by making E2EE an 'opt-in' feature. The real losers in this brouhaha are the UK citizens.
- Slide 6 of 7
This is going to get messy. This sends the message that Apple will remove more advanced controls from countries that demand them. This will probably be a patchwork of items. The question is, if you are traveling or residing for a portion of time in the UK but have this control enabled, are you violating the law? I am not sure yet how to decipher this.
- Slide 7 of 7
Where to begin? First, we have yet to hear from His Majesty's subjects on this issue. It is much broader than Apple; Apple is merely the Canary in The Coal Mine. Second, it is about the money, about the cost of surveillance to His Majesty and the cost of Freedom and Security to his subjects. However, it is clear that His subjects will pay more for less effective and convenient security. Workarounds will be available but, almost by definition, workarounds are less convenient and efficient.
Slide 1 of 0- Slide 1 of 7
Gmail to Drop SMS MFA in Favor of QR Codes
Google plans to stop using SMS for multi-factor authentication (MFA) codes for Gmail and move to QR codes instead. SMS poses numerous security concerns; it's been nearly nine years since the US National Institute of Standards and Technology (NIST) recommended that SMS no longer be used for MFA. Gmail spokesperson Ross Richendrfer explained how the new system will work: 'Instead of entering your number and receiving a 6-digit code, you'll see a QR code being displayed, which you need to scan with the camera app on your phone.'
Editor's Notes
- Slide 1 of 3
GOOG's intent is a little about security but more, much more about fraud. The real test is if the banking industry moves in this direction, as opposed to forcing you to use their app. Time will tell.
- Slide 2 of 3
Back in 2016, NIST 800-63 advised against using SMS for MFA, largely due to sim-swapping and SS7 redirection risks. Today add the telecom provider (Salt Typhoon) attacks, and it's not any better. If the only choice of MFA is SMS, select it, but it's time to retire SMS / phone call verification and move to alternate options. Google is keeping the specifics of the change close, only indicating this change will be rolled out in the next few months. If you're already using a non-SMS verification mechanism, you will continue to use that mechanism.
- Slide 3 of 3
"Nothing useful can be said about the security of a mechanism except in the context of a particular application and environment." --Robert H. Courtney, Jr. His First Law Google's approach, when they first offered strong authentication to their users, was to offer choices and leave them to the users. They should continue to offer OTPs via messaging, while adding QR tags as one more alternative. A better choice for Google users is Passkeys, secure and convenient.
Slide 1 of 0- Slide 1 of 3
Google Previews Quantum-Safe Digital Signatures
On February 20, 2025, Google announced the preview availability of software-based quantum-safe digital signatures in Google Cloud Key Management Service (Cloud KMS), aligning with Post-Quantum Cryptography (PQC) standards published by the National Institute for Standards and Technology (NIST) in August 2024. The available signatures involve "ML-DSA-65 (FIPS 204), a lattice-based digital signature algorithm, and SLH-DSA-SHA2-128S (FIPS 205), a stateless hash-based digital signature algorithm," with the roadmap also including future support for FIPS 203 and implementation of quantum-safe keys in Hardware Security Modules (HSM). Google intends this as a proactive measure against possible future attacks on public-key encryption using quantum computers, including the risk of "harvest now, decrypt later" attacks.
Editor's Notes
- Slide 1 of 2
I've been reading a ton into Quantum Computing over the last few weeks to try and get my head around how a Quantum Computer will defeat encryption. This is all about algorithm and how quantum superposition works. I recommend that if you have not been planning on Quantum safe algorithms, you start looking closely into them. It's best to take care of it now and not later. Who amongst us still doesn't support TLS 1.0?
- Slide 2 of 2
As your signature/certificate issuing systems - such as Google's Cloud KMS and Cloud HSM Ñ start supporting PQC algorithms, you should be testing them to see where you have compatibility issues. It's far easier to change your issuing process to use a new algorithm, issuing updated certificates as they expire, than to do a mass re-issuance process. This is also a good time to make sure you're using the strongest non-PQC options available where compatibility is an issue.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Manufacturer Not Changing Default Credentials in IoT Door Access Panels
A February 15 blog post by independent researcher Eric Daigle details his discovery of a critical (CVSS score 10.0) vulnerability in Enterphone MESH door entry panels, namely a set of default credentials to a system administration interface exposed to the internet. Daigle easily found both the product manual containing these default credentials and many buildings' TCP/IP control pages using simple Google searches. The first hit opened to the default login, and displayed the building address, residents' names listed with their unit numbers, and an "Events" section, which is "a multi-year log of every time a fob associated with a certain suite number accessed an entrance or an elevator." The same login gave access to an interface allowing a user to override any "Controlled Area" lock, as well as register new fobs, disable existing fobs, and change authorizations. Daigle estimates that 43% of these systems exposed to the internet in the past year have not changed the default credentials. Hirsch, the parent company of Enterphone MESH, has responded by insisting users are at fault for not following the manual's instructions; the company has neither taken action to remedy the vulnerability, nor confirmed that affected customers have been contacted.
Editor's Notes
- Slide 1 of 4
The sad part is that I doubt Hirsch blaming their customers for purchasing their product will negatively impact their business. This is probably cheaper than fixing the issue, given the increased support cost. After all, Hirsch is not liable for any impact of its negligence.
- Slide 2 of 4
And the blame game begins. Company: "It's the stupid users' fault." Users: "Did you really expect me to read the manual, why not just ship the product secure?" The question for judge and jury is, was the standard of reasonableness upheld in the design of the product? Methinks not, given that security best practices have talked about default hardwired credentials being a poor practice over the last few decades and it being flagged in Secure by Default/Secure by Design guidance.
- Slide 3 of 4
For years it's been expected to change default passwords on installation, and for years, that has failed to happen. The new SOP is becoming a forced change on install; regrettably that isn't the case universally, so you still need to include verifying they are changed in your procedures for installing new software and hardware. Moreover, your network scanners should be able to check for default credentials; you should be leveraging this capability, think trust-but-verify.
- Slide 4 of 4
Users of this system should implement the simple and obvious workaround. One may not like it but there is always a workarounds.
Slide 1 of 0- Slide 1 of 4
Australia's Government Bans Kaspersky Products from Their Systems
Australia's Department of Home Affairs has published a Protective Security Policy Framework (PSPF) Direction prohibiting the use of products and services from Kaspersky Lab on government systems and devices. Department of Home Affairs Secretary Stephanie Foster has 'determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage.' Australian government agencies have until April 1 to comply with the order, which includes removing existing instances of Kaspersky products from systems and devices. Australia joins the US, the UK, and Canada in banning Kaspersky from government systems.
Editor's Notes
- Slide 1 of 3
In short, governments are evaluating the ties between Kaspersky and the Russian government and how the extrajudicial directions from a foreign government can affect them (meaning threats of foreign government influence, espionage and sabotage), in this case deciding those actions would violate Australian law. This sort of assessment should be made when selecting products, and reviewed regularly, particularly after any mergers or acquisitions.
- Slide 2 of 3
Psst. Quick, snarf up the data before April 1st. All joking aside, it does look like we are entering an age of bifurcated technologies that are available to some, banned to others, and highly suspect. Feels reminiscent of the cold war era in some regards.
- Slide 3 of 3
Surely there are governments that bar products from companies that are associated with Five Eyes. If not, there ought to be. Long before AT&T was compromised by Salt Typhoon, Ma Bell was cooperating with NSA.
Slide 1 of 0- Slide 1 of 3
Cisco Confirms Salt Typhoon Exploited One Known Vulnerability and User Stolen Credentials
Cisco has confirmed that Salt Typhoon threat actors did exploit one known vulnerability in a Cisco product in their campaign to compromise US telecommunications companies' networks. Cisco released a patch for the remote code execution vulnerability (CVE-2018-0171) affecting Smart Install for Cisco IOS and IOS XE software in March 2018. Cisco Talos also notes that 'in all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials.' While there have been claims that the Salt Typhoon threat actors are abusing three additional Cisco vulnerabilities, Talos researchers found no evidence to support those claims. Nonetheless, Talos is recommending that users ensure that they have addressed all four vulnerabilities.
Editor's Notes
- Slide 1 of 3
Turn off Smart Install. Every penetration test we are on, we test for smart install, and eight out of ten times, we find it on Cisco infrastructure. Not only do we see it, but we also find that most people are not testing for Smart Install, and we are the first to report it. This does not even include the fact that this bug is an RCE. We typically find the open Smart Install that gives us all the goods. Now, as far as credentials are used, how difficult was it to guess those credentials? Is it a single factor?
- Slide 2 of 3
The takeaway is to not only make sure your boundary control devices are updated in a timely fashion (note the exploited flaw here is from 2018) but also make sure you're using best practices with the credentials, such as MFA and strong passwords which are rotated when compromised. Don't forget to limit where the management interfaces can be accessed from.
- Slide 3 of 3
Unfortunately, we will never have confidence that the Chinese have been eliminated from our telecoms. The US Government is right in recommending alternative security. His Majesty's government has other priorities.
Slide 1 of 0- Slide 1 of 3
MongoDB Library Vulnerabilities
Researchers from OPSWAT have detailed a pair of vulnerabilities in the Mongoose Object Data Modeling (ODM) library for MongoDB and Node.js. The first of the critical vulnerabilities, CVE-2024-5390, could be exploited to achieve remote code execution; an updated version of Mongoose was released in November 2024 to address that issue. Subsequent analysis of that fix revealed that it did not adequately address the issue; CVE-2025-23061 was identified as a bypass in mid-December 2024. Another update to Mongoose released in January 2025 addressed that issue.
Editor's Notes
CVE-2024-53900, search injection flaw for Mongoose 8.8.3, CVSS score 9.1, and CVE-2025-23061 search injection flaw for Mongoose 8.9.3, CVSS score 9.0 are both addressed with the Mongoose 8.9.5 update. The flaw comes down to improper input validation, fortunately the fix is to apply the update.
US Dept. of Health and Human Services Fines Warby Parker Over HIPAA Violations
The US Department of Health and Human Services Office for Civil Rights (HHS OCR) has fined Warby Parker $1.5 million for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) rules. The civil penalty was imposed following an HHS OCR investigation, which determined 'a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker's systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.'
Editor's Notes
If you're processing any type of PII, including PHI, make sure that you know where it is. Have validated security controls in place, including supporting policies, and audits. The basics, beyond a risk and vulnerability assessment, include encryption in transit and at rest, limiting access to those with a valid need to know, strong authentication (ideally MFA), regular training for users and system administrators, and monitoring of system activities. With the ongoing healthcare targeted attacks and breaches, HHS OCR is on the lookout for those not doing the required protections, so make sure you're doing your due diligence and documenting your decisions.
Internet Storm Center Tech Corner
SANS Internet StormCast Tuesday, February 25, 2025
Unfurl Updates; Google Ditches SMS; Paypal Phish; Exim; libXML; Parallels Vuln
https://isc.sans.edu/podcastdetail/9338
Unfurl Update Released
Unfurl released an Update fixing a few bugs and adding support to decode BlueSky URLs.
https://isc.sans.edu/diary/Unfurl+v202502+released/31716
Google Confirms GMail To Ditch SMS Code Authentication
Google no longer considers SMS authentication save enough for GMail. Instead, it pushes users to use Passkeys, or QR code based app authentication
Beware of Paypal New Address Feature Abuse
Attackers are using "address change" e-mails to send links to phishing sites or trick users into calling fake tech support phone numbers. Attackers are just adding the malicious content as part of the address. The e-mail themselves are legitimate PayPal emails and will pass various spam and phishing filters.
Exim SQL Injection Vulnerability
Exim, with sqlite support and ETRN enabled, is vulnerable to a simple SQL injection exploit. A PoC has been released
https://www.exim.org/static/doc/security/CVE-2025-26794.txt
https://github.com/OscarBataille/CVE-2025-26794?
XMLlib patches
https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
https://gitlab.gnome.org/GNOME/libxml2/-/issues/828
0-Day in Parallels
https://jhftss.github.io/Parallels-0-day/
SANS Internet StormCast Monday, February 24, 2025
sigs.py update; Google Introducing Quantum Safe Sigs; MSFT Update Win 11 issues; LTE/5G Vulns
https://isc.sans.edu/podcastdetail/9336
Tool Update: Sigs.py
Jim updates sigs.py. The tool verifies hashes for files and automatically recognizes what hash is used.
https://isc.sans.edu/diary/Tool+update+sigspy+added+check+mode/31706
Google Announcing Quantum Safe Digital Signatures in Cloud KMS
Google announced the option to use quantum safe digital signatures for its cloud key management system.
Windows 11 Patch issues
The February Patch Tuesday appears to have caused issues with a number of Windows 11 systems. In particular the usability of the file manager appears to be affected.
LTE/5G Vulnerabilities
Researchers at the university of Florida have identified a large number of vulnerabilities in 5G and LTE networks.