Robert Grupe's AppSecNewsBits 2024-08-17

This Week: NationalPublicData.com SSN exposures, T-Mobile $60m fine, Enzo Biochem fined, Disney Ts&Cs, exposed credentials, NIST encryption update planning

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
NationalPublicData[.]com Hack Exposes a Nation’s Data
On July 21, 2024, denizens of the cybercrime community Breachforums released more than 4 terabytes of data they claimed was stolen from nationalpublicdata[.]com, a Florida-based company that collects data on consumers and processes background checks. The leak is the same information first put up for sale in April 2024 by a prolific cybercriminal who goes by the name “USDoD.” The snippets of stolen data that USDoD offered as teasers showed rows of names, addresses, phone numbers, and Social Security Numbers (SSNs). Their asking price? $3.5 million. It is a somewhat disparate collection of consumer and business records, including the real names, addresses, phone numbers and SSNs of millions of Americans (both living and deceased), and 70 million rows from a database of U.S. criminal records. There are 272 million unique SSNs in the entire records set.
If there is a tiny silver lining to the breach it is this: Atlas discovered that many of the records related to people who are now almost certainly deceased. They found the average age of the consumer in these records is 70.
Should you worry that your SSN and other personal data might be exposed in this breach? That isn’t necessary for people who’ve been following the advice here for years, which is to freeze one’s credit file at each of the major consumer reporting bureaus.
If you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet. All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus, through the website annualcreditreport[.]com. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free. If you haven’t done this in a while, now would be an excellent time to order your files.

 

US fines T-Mobile $60 million over unauthorized data access
A powerful U.S. committee that scrutinizes foreign investment for national security risks fined T-Mobile $60 million, its largest penalty ever, for failing to prevent and report unauthorized access to sensitive data. The penalty imposed by the Committee on Foreign Investment in the U.S. (CFIUS) is tied to violations of a mitigation agreement that German-controlled T-Mobile inked with the panel as part of its $23 billion acquisition of U.S.-based Sprint Corp in 2020.
T-Mobile said in a statement that it experienced technical issues during its post-merger integration with Sprint that affected "information shared from a small number of law enforcement information requests." It stressed that the data never left the law enforcement community, was reported "in a timely manner" and was "quickly addressed."

 

Enzo Biochem ordered to cough up $4.5 million over lousy security that led to ransomware disaster
Biotech biz Enzo Biochem is being forced to pay three state attorneys general a $4.5 million penalty following a 2023 ransomware attack that compromised the data of more than 2.4 million people.
Among the more flagrant security failings at the biotech biz was the poor credential hygiene adopted on key user accounts. The investigation discovered that two sets of genuine user credentials were used to gain initial access to Enzo's systems, and these credentials were shared among five different employees.
To make matters worse, one of these credentials hadn't been updated in ten years. How secure that password would have been is anyone's guess. Multi-factor authentication (MFA)? Nope, staff could access email from anywhere without needing to jump through any extra hoops.
The vendor discovered various other failings too, like missing documentation, an "informal" approach to evaluating risk to IT systems, and a failure to use automatic tooling for detecting network anomalies, among others.
Enzo also didn't encrypt all sensitive patient data at rest, and that was known since 2021 – the date of its most recent vendor-administered HIPAA Security Risk Analysis before the attack. Sensitive data was encrypted in transit and at rest on laptops and phones, but some servers and desktop workstations stored it unencrypted.
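The three failings the attorneys general called out (a password unchanged for ten years, one credential shared by five employees, no MFA on remote email) are all cheap to detect. As an added example, not code from the article or from Enzo Biochem, here are two checks over constructed sample data: a directory audit for stale passwords and missing MFA, and a sliding-window heuristic over authentication logs that flags an account logging in from many distinct client addresses in a short period, which is how a shared (or stolen) password tends to look. The field names (user, src, ts, pwdLastSet, mfa) and the thresholds are assumptions for this demo.

```javascript
// Added example (not from the article or Enzo Biochem). All data below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed directory export; field names are assumptions for this demo.
const DIRECTORY = [
  { user: 'labadmin',   pwdLastSet: '2013-03-01', mfa: false }, // decade-old password, no MFA
  { user: 'jdoe',       pwdLastSet: '2023-02-10', mfa: true  },
  { user: 'svc-backup', pwdLastSet: '2022-11-30', mfa: false },
];

// Constructed webmail/VPN auth log: account, client address, epoch milliseconds.
const T0 = Date.parse('2023-04-06T08:00:00Z');
const AUTH_LOG = [
  { user: 'labadmin',   src: '203.0.113.5',   ts: T0 + 1 * 60000 },
  { user: 'labadmin',   src: '198.51.100.22', ts: T0 + 7 * 60000 },
  { user: 'labadmin',   src: '192.0.2.40',    ts: T0 + 9 * 60000 },
  { user: 'labadmin',   src: '203.0.113.77',  ts: T0 + 30 * 60000 },
  { user: 'labadmin',   src: '198.51.100.9',  ts: T0 + 41 * 60000 },
  { user: 'jdoe',       src: '203.0.113.5',   ts: T0 + 2 * 60000 },
  { user: 'jdoe',       src: '203.0.113.5',   ts: T0 + 50 * 60000 },
  { user: 'svc-backup', src: '192.0.2.40',    ts: T0 + 3 * 60000 },
  { user: 'svc-backup', src: '192.0.2.41',    ts: T0 + 4 * 60000 },
];

// Check 1: password older than the policy limit, and accounts without MFA.
// `asOf` pins "today" so results are reproducible.
function auditDirectory(accounts, { maxAgeDays = 90, asOf = Date.now() } = {}) {
  const findings = [];
  for (const a of accounts) {
    const ageDays = Math.floor((asOf - Date.parse(a.pwdLastSet)) / DAY_MS);
    if (ageDays > maxAgeDays) findings.push({ user: a.user, issue: 'stale-password', ageDays });
    if (!a.mfa) findings.push({ user: a.user, issue: 'no-mfa' });
  }
  return findings;
}

// Check 2: for each account, slide a time window over its logons and record the most
// distinct source addresses seen inside any one window. Reaching `minSources` is the
// signature of a credential being passed around (or used by an intruder alongside the owner).
function findSharedCredentials(log, { windowMs = 60 * 60000, minSources = 3 } = {}) {
  const byUser = new Map();
  for (const e of log) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const suspects = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    let best = 0;
    let lo = 0;
    for (let hi = 0; hi < events.length; hi++) {
      while (events[hi].ts - events[lo].ts > windowMs) lo++;       // shrink window from the left
      const distinct = new Set(events.slice(lo, hi + 1).map(x => x.src)).size;
      if (distinct > best) best = distinct;
    }
    if (best >= minSources) suspects.push({ user, distinctSources: best });
  }
  return suspects;
}

console.log(auditDirectory(DIRECTORY, { asOf: Date.parse('2023-04-06') }));
console.log(findSharedCredentials(AUTH_LOG));
```

Against this data the directory audit reports labadmin and svc-backup (stale password plus no MFA each) and the log heuristic reports only labadmin, seen from five addresses inside forty minutes. Tune the window and threshold to your own population: a roaming sales team will legitimately exceed a threshold that is damning for a lab server account.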

 

Thousands of Corporate Secrets Were Left Exposed
Independent security researcher Bill Demirkapi has been building ways to tap into huge data sources, which are often overlooked by researchers, to find masses of security problems. This includes automatically finding developer secrets—such as passwords, API keys, and authentication tokens—that could give cybercriminals access to company systems and the ability to steal data.
At the Defcon security conference in Las Vegas, Demirkapi is unveiling the results of this work, detailing a massive trove of leaked secrets and wider website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers. A major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company are counted among the thousands of organizations that inadvertently exposed secrets. As part of his efforts to stem the tide, Demirkapi hacked together a way to automatically get the details revoked, making them useless to any hackers.
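The detectors behind a scan like this are not exotic. As an added example, and not Demirkapi's tooling, here is a small hard-coded-secret scanner of the kind that is applied at scale in this research: one pass for publicly documented token prefixes (AWS access key IDs, GitHub, Slack and OpenAI tokens, PEM private-key headers) and one pass for high-entropy values assigned to secret-looking variable names. The source text it scans is constructed and every value in it is fake; the rule names and the 3.5-bit entropy threshold are assumptions for this demo. Reports are redacted, since a scanner that echoes the secrets it finds just creates a second leak.

```javascript
// Added example (not Demirkapi's code). SAMPLE_SOURCE and all token values are constructed.
const PREFIX_RULES = [
  { name: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: 'github-token',      re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { name: 'slack-token',       re: /\bxox[abprs]-[0-9A-Za-z-]{10,}\b/g },
  { name: 'openai-key',        re: /\bsk-[A-Za-z0-9]{32,}\b/g },
  { name: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Secret-looking name, then ':' or '=', then a quoted value of at least 16 non-space chars.
const ASSIGNMENT_RE = /(?:password|passwd|secret|token|api[_-]?key)["']?\s*[:=]\s*["']([^"'\s]{16,})["']/gi;

// Shannon entropy in bits per character; random tokens sit well above English or placeholders.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Never put the full value in a report: show just enough to locate it.
function redact(v) { return v.length <= 8 ? '****' : `${v.slice(0, 4)}...${v.slice(-2)}`; }
function lineOf(text, index) { return text.slice(0, index).split('\n').length; }

function scanForSecrets(text, { entropyThreshold = 3.5 } = {}) {
  const findings = [];
  const seen = new Set();                        // the same value may hit both passes
  const add = (rule, value, index) => {
    if (seen.has(value)) return;
    seen.add(value);
    findings.push({ rule, line: lineOf(text, index), preview: redact(value) });
  };
  for (const { name, re } of PREFIX_RULES) {
    for (const m of text.matchAll(re)) add(name, m[0], m.index);
  }
  for (const m of text.matchAll(ASSIGNMENT_RE)) {
    const value = m[1];
    if (shannonEntropy(value) >= entropyThreshold) {
      add('high-entropy-assignment', value, m.index + m[0].indexOf(value));
    }
  }
  return findings;
}

// Constructed source file; the AWS key is the public placeholder from AWS documentation.
const SAMPLE_SOURCE = [
  '// config.js (constructed sample; every value below is fake)',
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  'const slack = "xoxb-0000000000-0000000000-FAKEFAKEFAKEfakeFAKE";',
  'const db_password = "hunter2";',
  'const api_token = "q7Zp3mN9xK2vL8wR4tY6uB1cF5gH0jD3";',
  'const greeting = "hello world hello world hello";',
].join('\n');

console.log(scanForSecrets(SAMPLE_SOURCE));
```

On the sample this reports three findings (the AWS key on line 2, the Slack token on line 3 and the high-entropy api_token on line 5) and ignores "hunter2", which is too short and too predictable for the entropy rule. Prefix rules are precise but only cover formats you know; the entropy rule catches the rest at the cost of false positives, which is why real scanners verify candidates against the issuing service before revoking anything, as Demirkapi's pipeline does.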
Demirkapi also scanned data sources to find 66,000 websites with dangling subdomain issues, making them vulnerable to various attacks including hijacking. Some of the world’s biggest websites, including a development domain owned by The New York Times, had the weaknesses. While the two security issues he looked into are well-known among researchers, Demirkapi says that turning to unconventional datasets, which are usually reserved for other purposes, allowed thousands of issues to be identified en masse and, if expanded, offers the potential to help protect the web at large.
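A dangling subdomain is a name that still aliases (via CNAME) to a target that no longer resolves; when the target belongs to a hosting service where anyone can claim that name, the subdomain can be taken over. As an added example, not Demirkapi's code, here is the core check run against a constructed, offline zone snapshot: follow each CNAME chain, stop on NXDOMAIN, and guard against loops. A real run replaces the `lookup` function with live DNS queries (in Node, `dns.promises.resolveCname` and `resolve4`, treating a not-found error the same way as the null here). The example.com / example.net names are the reserved documentation domains, not real targets.

```javascript
// Added example (not Demirkapi's tooling). ZONE is a constructed snapshot; null means NXDOMAIN.
const ZONE = {
  'www.example.com':       { type: 'A',     data: '192.0.2.10' },
  'dev.example.com':       { type: 'CNAME', data: 'old-app.pages.example.net' }, // target decommissioned
  'blog.example.com':      { type: 'CNAME', data: 'blog-host.example.org' },
  'blog-host.example.org': { type: 'A',     data: '198.51.100.7' },
  'loop-a.example.com':    { type: 'CNAME', data: 'loop-b.example.com' },
  'loop-b.example.com':    { type: 'CNAME', data: 'loop-a.example.com' },
};

function lookup(name) {
  return Object.prototype.hasOwnProperty.call(ZONE, name) ? ZONE[name] : null;
}

// Walk the CNAME chain for one name. Outcomes: ok (ends at an address record),
// dangling (a hop does not resolve), loop, or too-many-hops.
function resolveChain(name, resolve = lookup, maxHops = 8) {
  const chain = [name];
  let cur = name;
  for (let hop = 0; hop < maxHops; hop++) {
    const rr = resolve(cur);
    if (rr === null) return { status: 'dangling', chain, target: cur };
    if (rr.type !== 'CNAME') return { status: 'ok', chain, address: rr.data };
    if (chain.includes(rr.data)) return { status: 'loop', chain: [...chain, rr.data] };
    chain.push(rr.data);
    cur = rr.data;
  }
  return { status: 'too-many-hops', chain };
}

// Report dangling names. A target outside our own suffix is the takeover-relevant case:
// someone else controls the namespace the dead alias points into.
function findDangling(names, ourSuffix, resolve = lookup) {
  const out = [];
  for (const n of names) {
    const r = resolveChain(n, resolve);
    if (r.status === 'dangling') {
      out.push({ name: n, target: r.target, thirdParty: !r.target.endsWith(ourSuffix), hops: r.chain.length - 1 });
    }
  }
  return out;
}

const OUR_NAMES = Object.keys(ZONE).filter(n => n.endsWith('.example.com'));
console.log(findDangling(OUR_NAMES, '.example.com'));
```

Here only dev.example.com is reported, pointing at a third-party host that no longer exists; blog.example.com resolves through its alias and the loop-a/loop-b pair is flagged as a loop rather than hanging the scanner. Treat a third-party dangling target as an incident to triage (remove the record or reclaim the target), not just a hygiene item.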

 

ChatGPT unexpectedly began speaking in a user’s cloned voice during testing
OpenAI released the "system card" for ChatGPT's new GPT-4o AI model, which details model limitations and safety testing procedures. Among other examples, the document reveals that in rare occurrences during testing, the model's Advanced Voice Mode unintentionally imitated users' voices without permission. OpenAI currently has safeguards in place that prevent this from happening, but the incident illustrates the growing difficulty of safely architecting an AI chatbot that can imitate any voice from a short clip.

 

HACKING

Google’s threat team confirms Iran targeting Trump, Biden, and Harris campaigns
APT42, associated with Iran's Islamic Revolutionary Guard Corps, "consistently targets high-profile users in Israel and the US." Among APT42's tools were Google Sites pages that appeared to be a petition from legitimate Jewish activists, calling on Israel to mediate its ongoing conflict with Hamas. The page was built from image files rather than HTML, leaving no page text for content scanners to inspect, and an ngrok redirect sent users to phishing pages when they moved to sign the petition. APT42 is actively targeting the personal emails of "roughly a dozen individuals affiliated with President Biden and former President Trump."

 

Researchers hack [bicycle] electronic shifters with a few hundred dollars of hardware
Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks. Performance-enhancing drugs. Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs. Now, for those who fail to download a software patch for their gear shifters—yes, bike components now get software updates—there may be hacker saboteurs to contend with, too.

 

How fraudsters bypass customer identity verification using deepfakes
AI can be used to create virtual money mules — dummy accounts used to transfer stolen funds. Deepfakes allow criminals to successfully bypass customer identity verification (KYC, Know Your Customer) procedures used by financial institutions, thereby eliminating the need for living accomplices. Typically KYC procedures requires the customer to upload photos of their documents and take a selfie, often holding the documents. An additional security measure has also recently become popular: the customer is asked to turn on their smartphone camera and turn their head in different directions, following instructions.
Underground websites photos and videos of people for bypassing KYC. Traders of digital duplicates have entire collections of such content. They find volunteers in disadvantaged countries and pay them relatively small amounts ($5-$20) for the footage.
Websites alo specializing in selling realistic photos of fake documents created using AI.

 

DEF CON 32: the unfixable bug that allows malware to be deployed via a browser
A fundamental vulnerability in secure web gateway (SWG) logic opens virtually any business, organization, or user to “last mile reassembly” attacks, which enable attackers to deploy malware on a device. The SWG industry includes players like Cloudflare, Cisco, Palo Alto, Fortinet, and many others.
An SWG's inspection is triggered by detecting that a file download is happening. The attack breaks that chain entirely, so the SWG never sees a file being downloaded at all.
Imagine you want to smuggle a dangerous item, like a pistol, into a location that doesn't allow it. If you tried to carry the whole item, security would very likely discover your payload. However, if multiple individuals each smuggled in only one part of the pistol, they'd be far less likely to raise any alarms. Welcome to last mile reassembly.
The vulnerability is not an oversight or something that can be patched with an update. While SWGs can analyze network traffic, they are completely blind to what happens inside the browser, where the pieces are put back together.
To carry out a last mile reassembly attack, the threat actor doesn't need to be extremely sophisticated. This is not because the attack path is simple but because large language models lower the bar attackers need to clear.
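To make the "pistol in parts" analogy concrete, here is an added, benign model of last mile reassembly written for this digest; it is not code from the DEF CON talk or from any SWG vendor. The "server" side publishes a payload as small fragments that look like ordinary API responses; the "browser" side fetches the fragments, joins them in memory, verifies the result and only then turns the bytes into a file via a Blob URL. No single HTTP response ever carries the file, which is exactly what download-triggered gateway inspection keys on. The payload is harmless text, and the /api/part/N URLs and in-memory SERVER map are constructed stand-ins for a real host.

```javascript
// Added example (not from the DEF CON research or any vendor). Payload and URLs are constructed.
function bytesOf(text) { return new TextEncoder().encode(text); }
function textOf(bytes) { return new TextDecoder().decode(bytes); }

// Base64 helpers usable in Node (>= 16) and browsers; looped to avoid spread-argument limits.
function toB64(bytes) {
  let s = '';
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s);
}
function fromB64(s) { return Uint8Array.from(atob(s), c => c.charCodeAt(0)); }

// FNV-1a (32-bit) as a cheap integrity tag so a dropped or altered fragment is rejected.
function fnv1a32(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h;
}

// Server side: split the payload into fixed-size fragments published under separate URLs.
// The page receives only the manifest (fragment URLs plus checksum), never the file itself.
const SERVER = {};
function publish(text, size = 16) {
  const bytes = bytesOf(text);
  const urls = [];
  for (let i = 0; i < bytes.length; i += size) {
    const url = `/api/part/${urls.length}`;
    SERVER[url] = toB64(bytes.subarray(i, i + size));
    urls.push(url);
  }
  return { urls, checksum: fnv1a32(bytes) };
}

// Browser side: fetch every fragment, concatenate, verify, return the bytes.
// In a real page `fetchChunk` would wrap `await fetch(url)`; a synchronous lookup is used here.
function reassemble(manifest, fetchChunk) {
  const parts = manifest.urls.map(u => {
    const data = fetchChunk(u);
    if (data == null) throw new Error(`fragment missing: ${u}`);
    return fromB64(data);
  });
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  if (fnv1a32(out) !== manifest.checksum) throw new Error('fragment missing or tampered');
  return out;
}

// The last mile: bytes become a file on the endpoint through a Blob URL. This step happens
// entirely inside the browser, so the gateway never observes a download. Returns null when
// there is no DOM (e.g. under Node).
function materialise(bytes, filename) {
  if (typeof document === 'undefined') return null;
  const url = URL.createObjectURL(new Blob([bytes]));
  const a = document.createElement('a');
  a.href = url;
  a.download = filename;
  a.click();
  URL.revokeObjectURL(url);
  return filename;
}

const PAYLOAD = 'Harmless demo payload standing in for the file an SWG would have scanned.';
const MANIFEST = publish(PAYLOAD);
const RECOVERED = reassemble(MANIFEST, url => SERVER[url]);
console.log(`${MANIFEST.urls.length} fragments ->`, textOf(RECOVERED));
materialise(RECOVERED, 'demo.txt');
```

The defensive takeaway follows directly from where the reassembly happens: the control has to sit where the bytes come back together, on the endpoint or inside the browser (endpoint detection on file creation, enterprise browser policy, or browser isolation), not on the network path, because the network path only ever sees a handful of innocuous responses.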

 

APPSEC, DEVSECOPS, DEV
IBM Cost of a Data Breach Report 2024
The global average cost of a data breach in 2024 is US$4.88m, a 10% increase over last year and the highest total ever. The USA had the highest average data breach cost at US$9.36m. The other regions in the top five were the Middle East, Germany, Italy, and Benelux (Belgium, the Netherlands, and Luxembourg).
Compromised credentials topped the list of initial attack vectors, appearing in 16% of breaches. Compromised-credential breaches are also costly for organizations, averaging US$4.81m per breach. Phishing came in a close second at 15% of breaches, but in the end cost more, at US$4.88m.
The report found that breaches involving stolen or compromised credentials took the longest to identify and contain of any attack vector. That was 292 days. Similar attacks that involved taking advantage of employees and employee access also took a long time to resolve. For example, phishing attacks lasted an average of 261 days, while social engineering attacks took an average of 257 days.
US$2.22m is the average cost saving for organizations that used security AI and automation extensively in prevention versus those that didn’t.
Healthcare is still the costliest sector for a data breach at US$9.77m, down from US$10.93m in 2023. Financial is the second costliest sector at US$6.08m this year, with Industrial third at an average cost of US$5.56m.
Of the breaches studied, 23% were due to IT failure and 22% were due to human error.
Security teams and their tools detected breaches 42% of the time. Benign third parties detected the breach 34% of the time, and attackers themselves identified the breach 24% of the time.

 

NIST Releases 3 Post-Quantum Standards, Urges Orgs to Start PQC Journey
The National Institute of Standards and Technology (NIST) on Tuesday released the final versions of the first three post-quantum cryptographic standards: FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA, digital signatures) and FIPS 205 (SLH-DSA, digital signatures). They are based on algorithms designed to resist attacks from quantum computers powerful enough to break today's public-key algorithms such as RSA and elliptic-curve cryptography. Symmetric algorithms such as AES are not broken by quantum computers, although Grover's algorithm halves their effective key length, which is why AES-256 is the conservative choice for long-lived data.
Culminating a process launched in 2015, NIST's publication of the new Federal Information Processing Standards (FIPS) algorithms sets the stage for CISOs and providers of software, hardware, and services to kick off or advance their post-quantum cryptography (PQC) remediation strategies. Security experts say the release of the first PQC standards is the first major milestone for cryptography since the adoption of the Advanced Encryption Standard (AES) in 2001 to replace the Data Encryption Standard (DES). In modern communications, public-key infrastructure (PKI), standard AES, and RSA encryption are commonly used in tandem.
President Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act in December 2022, a law directing federal agencies to migrate their information systems to quantum-resistant cryptography. Last month the White House submitted its "Report on Post-Quantum Cryptography" to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Accountability. According to the report, the US Office of the National Cyber Director (ONCD) estimates that migrating government systems between 2025 and 2035 will cost an estimated $7.1 billion.
“We know it's going to span several years. It's going to require all hands on deck, and it's going to have to be actively managed as well." Organizations should first assign a lead person to oversee the transition, set priorities, and create a plan for taking inventories of data and all cryptographic systems, including how keys and certificates are managed.
Google, which revealed its PQC research in 2016, announced in May that it has implemented the draft spec of ML-KEM in Chrome 124, enabled by default for TLS 1.3 and QUIC on the desktop.
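The first concrete step the article recommends is an inventory of data and cryptographic systems. As an added example, not from NIST or the article, here is a first pass at that inventory over constructed records: each algorithm in use is classified as broken outright by a large quantum computer (public-key RSA/ECC/DH), weakened (AES-128, where Grover's algorithm halves the effective key length), acceptable, or already post-quantum (the new FIPS 203/204/205 algorithms). Priority follows Mosca's rule of thumb, which is not on the page but is the standard way to reason about "harvest now, decrypt later": if the data's shelf life plus the migration time exceeds the assumed years until a cryptographically relevant quantum computer (CRQC), that data can be captured today and read later. The inventory, the year figures and the ten-year CRQC horizon are illustrative assumptions. The example also goes beyond the article in one respect: it treats hybrid key exchange (such as the X25519 plus ML-KEM combination Chrome ships) as post-quantum, and it does not count signature-only uses of RSA/ECDSA toward harvest-now risk, because a forged signature in the future does not expose today's traffic.

```javascript
// Added example (not NIST's or the article's). Inventory records and year estimates are constructed.
const ALGO_CLASS = {
  // Broken outright by Shor's algorithm on a CRQC.
  RSA: 'quantum-broken', DSA: 'quantum-broken', DH: 'quantum-broken', ECDH: 'quantum-broken',
  ECDSA: 'quantum-broken', X25519: 'quantum-broken', Ed25519: 'quantum-broken',
  // Grover halves the effective key length; NIST still treats AES-128 as acceptable,
  // but AES-256 is the conservative choice for long-lived data.
  'AES-128': 'quantum-weakened',
  'AES-256': 'acceptable', ChaCha20: 'acceptable', 'SHA-256': 'acceptable', 'SHA-384': 'acceptable',
  // FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA).
  'ML-KEM-512': 'post-quantum', 'ML-KEM-768': 'post-quantum', 'ML-KEM-1024': 'post-quantum',
  'ML-DSA-44': 'post-quantum', 'ML-DSA-65': 'post-quantum', 'ML-DSA-87': 'post-quantum',
  'SLH-DSA-SHA2-128s': 'post-quantum', 'SLH-DSA-SHAKE-256f': 'post-quantum',
};

// A hybrid such as "X25519+ML-KEM-768" stays secure while either component holds,
// so it counts as post-quantum if any component is. Otherwise report the weakest part.
function classify(algo) {
  const parts = algo.split('+').map(p => ALGO_CLASS[p.trim()] || 'unknown');
  if (parts.includes('post-quantum')) return 'post-quantum';
  const worstFirst = ['quantum-broken', 'unknown', 'quantum-weakened', 'acceptable'];
  return worstFirst.find(c => parts.includes(c));
}

// Harvest-now-decrypt-later only matters where the algorithm protects confidentiality.
const CONFIDENTIALITY_ROLES = new Set(['key-exchange', 'encryption']);

function assess(record, crqcYears) {
  const actions = [];
  let hndlRisk = false;
  for (const u of record.uses) {
    const cls = classify(u.algo);
    if (cls === 'quantum-broken' && CONFIDENTIALITY_ROLES.has(u.role)) {
      // Mosca: shelf life + migration time > years to CRQC => already exposed to harvesting.
      if (record.shelfLifeYears + record.migrationYears > crqcYears) hndlRisk = true;
      actions.push(`replace ${u.algo} (${u.role}) with ML-KEM or a hybrid`);
    } else if (cls === 'quantum-broken') {
      actions.push(`plan ${u.algo} (${u.role}) -> ML-DSA/SLH-DSA before a CRQC exists`);
    } else if (cls === 'quantum-weakened') {
      actions.push(`prefer AES-256 over ${u.algo}`);
    } else if (cls === 'unknown') {
      actions.push(`identify ${u.algo}`);
    }
  }
  return { system: record.system, hndlRisk, actions };
}

// Rank: harvest-now risk first, then by amount of remediation work.
function prioritize(inventory, crqcYears = 10) {
  return inventory
    .map(r => assess(r, crqcYears))
    .sort((a, b) => (b.hndlRisk - a.hndlRisk) || (b.actions.length - a.actions.length));
}

// Constructed inventory. shelfLifeYears: how long the protected data must stay secret;
// migrationYears: estimated time to move this system to PQC.
const INVENTORY = [
  { system: 'vpn-gateway', shelfLifeYears: 1, migrationYears: 2,
    uses: [{ algo: 'ECDH', role: 'key-exchange' }, { algo: 'RSA', role: 'signature' }, { algo: 'AES-256', role: 'bulk' }] },
  { system: 'patient-records-archive', shelfLifeYears: 25, migrationYears: 4,
    uses: [{ algo: 'RSA', role: 'encryption' }, { algo: 'AES-128', role: 'bulk' }] },
  { system: 'web-frontend-tls', shelfLifeYears: 2, migrationYears: 1,
    uses: [{ algo: 'X25519+ML-KEM-768', role: 'key-exchange' }, { algo: 'ECDSA', role: 'signature' }, { algo: 'AES-256', role: 'bulk' }] },
];

console.log(JSON.stringify(prioritize(INVENTORY), null, 2));
```

With a ten-year horizon the records archive ranks first: 25 years of shelf life plus a four-year migration far exceeds it, so RSA-wrapped archive keys are already a harvest-now target. The VPN needs the same key-exchange change but its data is short-lived, and the web frontend's hybrid key exchange leaves only the ECDSA certificate chain to plan for, which can wait until CAs and clients support ML-DSA.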

 

LEGAL & REGULATORY

Disney claims agreeing to Disney+ terms waives man's right to sue over wife's death
Walt Disney Parks and Resorts wants a wrongful death lawsuit filed against it and one of its tenants, an Irish pub, to be booted from court into arbitration. Kanokporn Tangsuan, a New York University physician died from an allergic reaction after eating at the pub on October 5, 2023, according to the complaint. This despite alleged reassurances from restaurant staff that the food would be allergen free.
The Mickey Mouse titan contends the widower who brought the case waived his right to a court trial when he clicked "Agree" to the Terms of Service of a month-long Disney+ free trial on his PlayStation in 2019 and when he last year purchased online tickets to the Epcot theme park at the Walt Disney World resort in Florida.

 

Texas sues GM for selling driver data to analytics, insurance companies
The lawsuit filed yesterday in Texas state court, accuses both GM and its OnStar subsidiary of using telematics technology installed in most of its model year 2015 and later vehicles to transmit detailed driving data each time a vehicle is used.
According to the lawsuit, GM represented to firms buying driver data that owners had consented to the collection, sale and use of their info. This would technically be correct, however, Texas argues that the way permission was granted still runs afoul of Texas' Deceptive Trade Practices Act. At no point did General Motors inform customers that its practice was to sell any of their data, much less their Driving Data.
Upon purchase of a GM vehicle, buyers were allegedly pressured into signing up for a suite of connected vehicle services and apps under the OnStar brand, with some of those services eventually becoming mandatory.
Collected data was then sold to several data analytics companies to build driver scores, and the Lone Star state alleges GM required those firms to license access to insurance companies for the purpose of calculating rates based on their compiled data.

 

Germany’s BSI guns for better tech security
Following the financial disaster of the Microsoft/CrowdStrike debacle, the BSI, Germany's Federal Office for Information Security, is demanding that tech firms take swift steps to secure their products and prevent a repeat meltdown. The BSI is summoning Big Tech companies to a conference later this year and will be pushing for third-party kernel access to be restricted or abandoned. That almost certainly means Microsoft will need to stop allowing third-party kernel access in Windows, as Apple already has in macOS. Microsoft has claimed it can't follow suit because of a 2009 agreement with the European Commission.

 

Russian man who sold logins to nearly 3,000 accounts gets 40 months in jail
The Russian sold more than 297,300 credentials on Slilpp and listed more than 626,000 over the course of his five-year tenure on the site, which also included running themed discount events such as Cyber Monday sales. Feds said "related PII" was sold alongside the logins for "online payment accounts, bank accounts, and other accounts." The people who purchased those login credentials used those credentials to steal money from victim accounts.

 

 

 And Now For Something Completely Different …

August to kick off four straight months of supermoons. When to enjoy the spectacles
Aug. 19 kicks off four straight months of supermoons, the brightest and largest full moons of the year. Two or three supermoons in a year is pretty normal, but four in a row is unusual. Supermoons are full moons that coincide with the moon's closest approach to Earth in its orbit, a point known as the perigee, making the moon appear about 14% larger and 30% brighter than the faintest (most distant) full moon of the year.