Robert Grupe's AppSecNewsBits 2024-09-21

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Construction firms breached in brute force attacks on accounting software
Foundation software includes a Microsoft SQL Server (MSSQL) that can be configured to be publicly accessible via TCP port 4243 to support a companion mobile app. However, this also exposes the Microsoft SQL server to external attacks that try and brute force MSSQL accounts configured on the server. By default, MSSQL has an admin account named 'sa' while Foundation has added a second one named 'dba.' Users who have not changed the default passwords on these accounts are susceptible to hijacks by external actors. Those who did but picked weak passwords may still be compromised via brute-forcing. Huntress reports that it observed very aggressive brute-force attacks against these servers, sometimes reaching up to 35,000 attempts on a single host over an hour before they successfully guessed a password. Once the attackers gain access, they enable the MSSQL 'xp_cmdshell' feature, which allows the threat actors to execute commands in the operating system through an SQL query.

Disney to stop using Slack after hack exposed company data
Walt Disney plans to transition away from its use of Slack as a companywide workplace collaboration system, after a hacking entity leaked online more than a terabyte of company data. Hacking group NullBulge had published data from thousands of Slack channels at the entertainment giant, including computer code and details about unreleased projects.

Chinese spies spent months inside aerospace engineering firm's network via legacy IT
The Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network — putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation.
Cyber snoops first compromised one of the victim's three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer's IT environment for four months while poking around for more boxes to commandeer.
Three of the victim's AIX development environment servers were exposed unprotected to the open internet, according to Binary Defense. One of them at least was running an Apache Axis admin portal with default administrator credentials, which gave the intruders full access to the IBM system. The server wasn't compatible with the organization's security monitoring tools, which is part of the reason why it took network defenders months to spot malicious activity on company computers.
It's a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants. And that's not to say AIX is retired or abandoned technology; it is advanced in its design and it still gets updates and support from Big Blue. By legacy we mean it is a child of the 1980s, is used in specialized roles where it can't be easily replaced, and lives on in a world now dominated by Linux and Windows.

Secure Boot-neutering PKfail debacle is more prevalent than anyone knew
A supply chain failure that compromises Secure Boot protections on computing devices from across the device-making industry extends to a much larger number of models than previously known, including those used in ATMs, point-of-sale terminals, and voting machines. The debacle was the result of non-production test platform keys used in hundreds of device models for more than a decade. These cryptographic keys form the root-of-trust anchor between the hardware device and the firmware that runs on it. The test production keys—stamped with phrases such as “DO NOT TRUST” in the certificates—were never intended to be used in production systems. A who's-who list of device makers—including Acer, Dell, Gigabyte, Intel, Supermicro, Aopen, Foremelife, Fujitsu, HP, and Lenovo—used them anyway.
PKfail is a great example of a supply chain security failure impacting the entire industry. However, these risks could be mitigated and totally avoidable if we focus more on delivering a secure-by-design philosophy.

Thousands of orgs at risk of knowledge base data leaks via ServiceNow misconfigurations
Pages set to "private" could still be read by tinkering with a ServiceNow customer's KB widgets. after looking at more than 1,000 different ServiceNow instances, 45 percent of them were unintentionally exposing data.
In cases where an organization's KB is set to "public," but the pages inside it are set to "private," each KB article can be read via ServiceNow's widgets. Meged estimated around 30 percent of ServiceNow customers have this faulty configuration and could be unwittingly exposing secrets held in their KB, such as first-time-access passwords for new starters connecting to a company VPN, for example.

Google Cloud Document AI flaw (still) allows data theft despite bounty payout
Traxler detailed this attack in research published Monday alongside a proof-of-concept (POC) demonstrating how she bypassed Document AI's access controls, swiped a PDF from a source Google Cloud Storage bucket, altered the file and then returned it. The issue exists in Document AI, a Google Cloud service that uses machine learning to extract information from documents and aims to make it easier and faster for businesses to analyze and process large numbers of documents. Customers can use either pre-trained models or create their own, and they can process documents stored in Google Cloud Storage via both standard (online) job or batch (offline) processing. The pre-set service agent permissions are too broad, and in batch-processing mode the service uses the service agent's permissions, not the caller's permissions. The permissions granted to the service agent allow it to access any Google Cloud Storage bucket within the same project, thus allowing the service to move data that the user normally wouldn't have access to.
Traxler reported the flaw in early April. Latest update from Google, “We developed a fix and are actively working to roll it out.”

Apple’s new macOS Sequoia update is breaking some cybersecurity tools
The software update has broken the functionality of several security tools made by CrowdStrike, SentinelOne, Microsoft, ESET, and others. “As a developer of macOS security tools, it’s incredibly frustrating to time and time again have to deal with (understandably) upset users (understandably) blaming your tools for breaking their Macs, when in reality it was Apple’s fault all along. I get it, that writing bug-free software is challenging, but maybe if Apple spent less time and money on marketing, and more time on actually testing their software, we’d all be better off!”

1 in 10 orgs dumping their security vendors after CrowdStrike outage
The July outage impacted organizations in multiple industries across the world from healthcare to transport, bricking 8.5 million PCs.
Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to do so in the near future. One in five will also change the selection criteria when it comes to reviewing which security vendor gets their business.

Why Microsoft’s Copilot AI falsely accused court reporter of crimes he covered
Copilot’s results had asserted that Martin Bernklau was an escapee from a psychiatric institution, a convicted child abuser and a conman preying on widowers. For years, Bernklau had served as a court reporter and the artificial intelligence (AI) chatbot had falsely blamed him for the crimes he had covered.
In 2023 OpenAI was sued by radio talk show host who ChetGPT stated that he had been sued for defrauding and embezzling funds from an organization he wasn’t a member of. 

HACKING
Israel detonates Hezbollah walkie-talkies a day after pager attack
Tuesday’s pager attack: At least 9 people were killed, including a child, and more than 2,800 were wounded.
Wednesday’s walkie-talkie attack: At least 14 people were killed and 450 wounded. The walkie-talkies were booby-trapped in advance by Israeli intelligence services and then delivered to Hezbollah as part of the militia's emergency communications system.
Demo video
[rG: What’s next: home decorations, smart watches, speakers, TVs/displays, appliances, laptops, CCTV cameras, desktops/servers, routers, … ???]
The Supply Chain Conspiracy: Cyber Attacks Behind the Lebanon Explosions
As attackers may turn their sights on critical infrastructure and smart devices, it’s essential to enhance cyber defenses and remain vigilant against these new threats. As our world becomes increasingly interconnected, the potential for cyber attacks to cause physical harm grows. To protect against these emerging threats, we must prioritize security in every aspect of our operations—from supply chains to data management.
The attackers likely embedded explosives within communication devices, remaining undetected for months. Possible triggering methods could include remote detonation via radio control or manipulation of the devices’ software, causing them to overheat and malfunction. Many witnesses reported feeling the heat from the devices prior to the explosions, suggesting a failure related to their operation.
Organizations should enforce strict data minimization practices, ensure secure data transmission, implement robust access controls, and employ strong encryption methods. Comprehensive privacy protection strategies must be integrated into data management practices to safeguard sensitive information.

Companies Often Pay Ransomware Attackers Multiple Times
The survey of 900 IT and security executives from France, Germany, the UK, and the U.S. revealed nearly a third (32%) of organizations opted for multiple payments.
Nearly 85% of companies in the U.S. and UK experienced a ransomware attack in the past 12 months.
More than a third of companies that paid ransoms either received no decryption keys or were given corrupted ones.
75% paid a ransom to regain control of their data, with around 10% paying more than $600,000.
Additionally, 87% reported some level of operational disruption following the attacks.
80% of attacks compromised IT identity systems like Microsoft Active Directory or Entra ID, yet 61% of organizations admitted they lack dedicated backup systems for these critical identity platforms.
In some cases, it can be more cost-effective to pay a ransom demand versus waiting for security teams to assess the problem and act.

Scam ‘Funeral Streaming’ Groups Thrive on Facebook
Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook.

This Windows PowerShell Phish Has Scary Potential
Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it’s unlikely that many programmers fell for this scam, it’s notable because less targeted versions of it are likely to be far more successful against the average Windows user.
Visiting that link generates a web page that asks the visitor to “Verify You Are Human” by solving an unusual CAPTCHA. Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” prompt that will execute any specified program that is already installed on the system.

Ransomware gangs now abuse Microsoft Azure tool for data theft
Azure, being a trusted enterprise-grade service that is often used by companies, is unlikely to be blocked by corporate firewalls and security tools. Therefore, data transfer attempts through it are more likely to go through and pass undetected. Additionally, Azure's scalability and performance, allowing it to handle large volumes of unstructured data, is highly beneficial when attackers attempt to exfiltrate large numbers of files in the shortest possible time.
modePUSH says it observed ransomware actors using multiple instances of Azure Storage Explorer to upload files to a blob container, speeding up the process as much as possible.
Storage Explorer is a GUI management tool for Microsoft Azure, while AzCopy is a command-line tool that can facilitate large-scale data transfers to and from Azure storage.
Researchers noted that the attackers had to put in extra work to get Azure Storage Explorer working, including installing dependencies and upgrading .NET to version 8. This is indicative of the increasing focus on data theft in ransomware operations, which is the main leverage for threat actors in the ensuing extortion phase.

Massive China-state IoT botnet went undetected for four years—until now
At its peak in June 2023, Raptor Train, as the botnet is named, consisted of more than 60,000 commandeered devices. The botnet was made up primarily of small office and home office routers, surveillance cameras, network-attached storage, and other Internet-connected devices located all over the world.

Ever wonder how crooks get the credentials to unlock stolen phones
An international operation coordinated by Europol’s European Cybercrime Center said it arrested the Argentine national that was behind iServer and identified more than 2,000 “unlockers” who had enrolled in the phishing platform over the years. Investigators ultimately found that the criminal network had been used to unlock more than 1.2 million mobile phones. Officials said they also identified 483,000 phone owners who had received messages phishing for credentials for their lost or stolen devices.
Unlockers obtain the necessary information for unlocking the mobile phones, such as IMEI, language, owner details, and contact information, often accessed through lost mode or via cloud-based mobile platforms. They utilize phishing domains provided by iServer or create their own to set up a phishing attack. After selecting an attack scenario, iServer creates a phishing page and sends an SMS with a malicious link to the victim.

Ban warnings fly as users dare to probe the “thoughts” of OpenAI’s latest model
The AI industry that researchers regularly use outputs from OpenAI's GPT-4 (and GPT-3 prior to that) as training data for AI models that often later become competitors, even though the practice violates OpenAI's terms of service. Exposing o1's raw chain of thought would be a bonanza of training data for competitors to train o1-like "reasoning" models upon.
Unlike previous AI models from OpenAI, such as GPT-4o, the company trained o1 specifically to work through a step-by-step problem-solving process before generating an answer. When users ask an "o1" model a question in ChatGPT, users have the option of seeing this chain-of-thought process written out in the ChatGPT interface. However, by design, OpenAI hides the raw chain of thought from users, instead presenting a filtered interpretation created by a second AI model. OpenAI is watching through the ChatGPT interface, and the company is reportedly coming down hard on any attempts to probe o1's reasoning, even among the merely curious.
One of the first to post about the OpenAI warning email on X, complained that it hinders his ability to do positive red-teaming safety research on the model. "I was too lost focusing on #AIRedTeaming to realized that I received this email from @OpenAI yesterday after all my jailbreaks," he wrote. "I'm now on the get banned list!!!" 

VENDORS
AWS claims customers are packing bags and heading back on-prem
AWS says it is facing stiff competition from on-premises infrastructure, which is a turnaround from its once-proud boast that all workloads would eventually move to the cloud.
A growing number of cases of companies moving some or even all their workloads back from the cloud – so-called cloud repatriation – and cost often seems to be a factor. One notable example is Basecamp project management developer 37Signals, which decided to go back to on-premises infrastructure after being presented with a $3.2 million cloud hosting bill. By the end of last year, the company claimed it had already made savings of $1 million.

Chrome switching to NIST-approved ML-KEM quantum encryption
The upcoming change will swap Kyber used in hybrid key exchanges to a newer, and slightly modified version, renamed as Module Lattice Key Encapsulation Mechanism (ML-KEM). This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges.

Google Chrome Says Goodbye To Passwords On Windows, Mac, Linux, Android
Once a passkey has been saved, no matter which device you used to do so, it will then automatically sync across your other devices so as to make signing in to any account or service just a matter of scanning your fingerprint.

Why OpenAI’s new model is such a big deal
The bulk of LLM progress until now has been language-driven, resulting in chatbots or voice assistants that can interpret, analyze, and generate words. But in addition to getting lots of facts wrong, such LLMs have failed to demonstrate the types of skills required to solve important problems in fields like drug discovery, materials science, coding, or physics. OpenAI’s o1 is one of the first signs that LLMs might soon become genuinely helpful companions to human researchers in these fields.
OpenAI o1 is focused on multistep “reasoning,” the type of process required for advanced mathematics, coding, or other STEM-based questions. It uses a “chain of thought”. It learns to recognize and correct its mistakes; break down tricky steps into simpler ones; try a different approach when the current one isn’t working.
Developers using o1 through the API will pay three times as much as they pay for GPT-4o—$15 per 1 million input tokens in o1, versus $5 for GPT-4o.

Using GPT-4 to generate 100 words consumes up to 3 bottles of water — AI data centers also raise power and water bills for nearby residents
The exact water usage varies depending on state and proximity to data center, with lower water use corresponding to cheaper electricity and higher electricity use. Texas had the lowest water usage at an estimated 235 milliliters needed to generate one 100-word email, while Washington demanded a whopping 1,408 milliliters per email — which is about three 16.9oz water bottles. This may not sound like a lot, but remember that these figures add up fairly quickly, especially when users are using GPT-4 multiple times a week (or multiple times a day) — and this is just for plain text. Meta needed to use 22 million liters of water to train its LLaMA-3 model — about how much water is needed to grow 4,439 pounds of rice, or, as researchers noted, "about what 164 Americans consume in a year."
If one out of 10 working Americans use GPT-4 once a week for a year (so, 52 queries total by 17 million people), the corresponding power demands of 121,517 MWh would be equal to the electricity consumed by every single household in Washington D.C. (an estimated 671,803 people) for twenty days. That's nothing to scoff at, especially since it's an unrealistically light use case for GPT-4's target audience.
[rG: But it isn’t just IRS tax paying Americans who have devices using GenAI applications. And what about all that spam?]

Apple, Google wallets now support California driver’s licenses
Californians with an ID in the Apple Wallet or Google Wallet app can use their mobile devices to present their ID in person at select TSA security checkpoints and businesses. They can also use the app to verify their age or identity in select apps. Other states that already support digital driver’s licenses and state IDs include Arizona, Colorado, Georgia, Maryland, and Ohio.

Secret calculator hack brings ChatGPT to the TI-84, enabling easy cheating
YouTube video, "I Made The Ultimate Cheating Device," demonstrates a custom hardware modification that allows users of the graphing calculator to type in problems sent to ChatGPT using the keypad and receive live responses on the screen.

Tor insists its network is safe after German cops convict CSAM dark-web admin
The org has instead advanced a theory that by using the insecure Ricochet, “G” was caught by a guard discovery attack. In short, that means the cops were to able to figure out the entry or guard node he was using to send data over the Tor network. The police can ask Telefónica to list the subscribers who connected to that guard, and deduce the identity of the Tor user. Tor claims that "G" probably used an old version of Ricochet that did not include protections against such attacks. "This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022."

APPSEC, DEVSECOPS, DEV
CISA boss: Makers of insecure software are the real cyber villains
Despite a multi-billion-dollar cyber security industry, we still have a multi-trillion-dollar software quality issue leading to a multi-trillion-dollar global cyber crime issue. While no one would buy a car or board an airplane "entirely at your own risk," we do that every day with the software that underpins America's critical infrastructure.
The truth is: Technology vendors are the characters who are building problems into their products, which then open the doors for villains to attack their victims. Even calling security holes "software vulnerabilities" is too lenient. This phrase really diffuses responsibility. We should call them 'product defects. And instead of automatically blaming victims for failing to patch their products quickly enough. Why don't we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors.
Technology buyers should use their procurement power to pressure software vendors, by asking suppliers if they have signed the pledge – and, hopefully, done more than just put ink to paper in terms of building secure-by-design products. To this end, CISA just published guidance that organizations buying software can use, and questions they should ask manufacturers, to better understand if they are prioritizing security in the product development life cycle.

Google calls for halting use of WHOIS for TLS domain verifications
Certificate authorities and browser makers are planning to end the use of WHOIS data verifying domain ownership following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.
The formal proposal calls for reliance on WHOIS data to “sunset” in early November. It establishes specifically that “CAs MUST NOT rely on WHOIS to identify Domain Contacts” and that “Effective November 1, 2024, validations using this [email verification] method MUST NOT rely on WHOIS to identify Domain Contact information.”
Amazon previously implemented a unilateral change in which the AWS Certificate Manager will fully transition away from reliance on WHOIS records. Digicert proposes that instead of using WHOIS records, CAs instead use the WHOIS successor known as the Registration Data Access Protocol. 

LEGAL & REGULATORY
Prison just got rougher as band of heinously violent cybercrims sentenced to lengthy stints
One cybercriminal of the most violent kind will spend his best years behind bars, as will 11 of his thug pals for a string of cryptocurrency robberies in the US. Remy Ra St Felix was found guilty of leading and playing a starring role in his gang of law-breakers earlier this year and will now spend the next 47 years in prison. There are five years of supervised release tacked on the end of that, plus an order to pay more than $524 million in restitution. He was convicted of nine counts relating to conspiracy, kidnapping, Hobbs Act robbery, wire fraud, and brandishing a firearm in furtherance of crimes of violence.

AT&T pays $13 million FCC settlement over 2023 data breach
The massive data breach investigated by the FCC occurred in January 2023, when threat actors accessed customer data of roughly 9 million AT&T wireless accounts stored by a vendor contracted to generate personalized video content, including billing and marketing videos. Even though the vendor was required to destroy or return the data after the contract ended—years before the breach—it failed to do so. AT&T was found to have inadequately monitored the vendor's compliance with their contractual obligations. "Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that's the case no matter which provider a customer chooses."
The consent decree mandates AT&T to implement a comprehensive Information Security Program that includes broad customer data protection, improve its data inventory processes to track data shared with vendors, ensure that vendors follow retention and disposal rules for customer information (to limit the amount of customer data vulnerable to date breaches), and conduct annual compliance audits.

And Now For Something Completely Different …
Scientists Identify New Blood Group After a 50 Year Mystery
As of 31 December 2023, a total of 45 human blood group systems. The two most important blood group systems are ABO and Rh; they determine someone's blood type (A, B, AB, and O, with + or − denoting RhD status) for suitability in blood transfusion.
Inherited AnWj-negative phenotype, forming the basis of a new blood group system, further reduces the number of remaining unsolved blood group antigens.

4 fonts that dominate brand design
Helvetica, Didot, Futura, Myriad
How AI is changing typography
Discovery ideation, but not design.