Briefly Briefed: Newsletter #15 (13/12/23)
In a galaxy far, far away...
This is week #15 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.
I’ve made a couple of minor changes to the newsletter this week: I’ve added a new ‘poll’ feature to rate the quality of the posts, and a feedback link halfway down the page. I will change the poll weekly to include industry issues (feel free to make suggestions in the comments), and I’ll share results with subscribers. Please consider adding your thoughts (positive or constructive) via the feedback button if you have a moment; it links through to a Google form and remains private and confidential.
My ‘if you only read two’ recommendations for the week are:
LLM AI Security & Governance Checklist by the OWASP Top 10 for LLM Applications Team.
A Phisher’s Guide to Slack by Push Security.
May the Force be with you.
Lawrence
Meme of the Week:
Ukraine's top mobile operator hit by biggest cyberattack of war by Max Hunder, Jonathan Landay, and Stefaniia Bern
Kyivstar, Ukraine's largest mobile network operator, was targeted in the biggest cyberattack since the Russian invasion began in February 2022. This attack, which disrupted services and damaged IT infrastructure, left millions without crucial air raid alerts. Kyivstar CEO Oleksandr Komarov attributed the attack to the ongoing war with Russia, stating it significantly damaged their infrastructure. Russian hacktivist group Killnet claimed responsibility, but without evidence. Ukraine's SBU intelligence agency is investigating the possibility of a Russian state-orchestrated cyber-attack.
The attack affected over 24.3 million mobile and 1.1 million home Internet subscribers. Services were partially restored, with full restoration expected by today (13/12). Ukrainian officials reported the cyberattack impacted air raid alert systems in over 75 settlements around Kyiv, forcing them to use loudspeakers for warnings. The outage also affected some Ukrainian financial institutions' ATMs and card terminals. This cyberattack is part of a pattern of alleged Russian cyberattacks against Ukrainian state bodies and companies.
So What?
The Grugq did a short write-up on this, which is more insightful than I can be on this topic. In short, he posits that although this attack is impactful, it’s not as disruptive as some of the other attacks seen in the conflict. It does seem fairly punitive, and aimed at reducing morale within the populace.
Russia's FSB malign activity: factsheet by the UK Foreign, Commonwealth and Development Office
The article explains that Russia conducts extensive cyber operations through its intelligence services, particularly the FSB (Federal Security Service), SVR, and GRU. The FSB's cyber programme includes two main centres: Centre 16 and Centre 18. Centre 16 focuses on collecting radio-electronic intelligence and has been active in cyber operations since at least 2010. It has targeted critical national infrastructure worldwide, including energy, healthcare, finance, and government sectors. These operations involve advanced malware like Snake, affecting over 50 countries.
Centre 18, part of the FSB's Counter-Intelligence Service, is responsible for cyber espionage and has targeted the UK's democratic and political processes. The National Cyber Security Centre (NCSC) has raised concerns about the risks posed by these centres. The article highlights the UK government's confirmation of FSB's involvement in these activities, aiming to increase awareness and transparency around these threats.
So What?
This is a great summary of state-sponsored Russian cyber operations. If you’re not constantly deep in CTI, this will provide you with a great primer on the FSB.
Conference Slide Repository by OnHexGroup
This GitHub repository contains a number of recent conference talk slides, including Black Hat Europe 2023.
So What?
The repo provides a handful of slide decks for the latest larger conferences. It’s a handy bookmark!
A Phisher’s Guide to Slack by Push Security
The document explains that instant messaging (IM) applications, like Slack, are becoming increasingly targeted for phishing and social engineering attacks. It highlights how attackers can gain initial access through external phishing and then exploit the platform for persistence and lateral movement. The article covers several Software as a Service (SaaS) attack techniques such as IM phishing, user spoofing, and exploiting OAuth system integrations. The focus on IM apps is due to their rising use in business communication and the higher degree of trust users place in them compared to email. The article posits that the expanded functionalities of IM apps, combined with a lack of centralised security controls and user unfamiliarity with these threats, make them attractive targets for attackers. Techniques like IM user spoofing, link preview spoofing, and using Slack's bot tokens for persistence are discussed. The guide aims to increase awareness of the security risks associated with IM platforms and the need for organisations to integrate these considerations into their security strategies.
So What?
This is a great resource from Push Security. I’m lucky enough to speak with the guys there regularly. They’re ahead of the curve in understanding the way that advanced actors are starting to utilise SaaS and identities maliciously (without touching networks or endpoints). This is a major threat for cloud-first organisations, and an emerging one for more traditional hybrid businesses.
LLM AI Security & Governance Checklist by the OWASP Top 10 for LLM Applications Team
The document presents a checklist addressing the surge in generative artificial intelligence (GenAI) applications, like ChatGPT. It underscores the need for organisations to prepare for both the opportunities and challenges posed by these advancements, particularly in Large Language Models (LLMs). The checklist is designed for leaders in various sectors, including technology, cybersecurity, and legal, to assist in understanding the risks and benefits associated with LLMs. It aims to help in strategising for the use and management of these technologies, covering scenarios for both internal applications and third-party services.
So What?
While the guide offers a starting point for developing LLM strategies, it is not comprehensive and should be adapted according to specific organisational needs and evolving regulations in the field of AI. However, this is still a great resource and a must-read for organisations utilising or developing LLMs.
Palo Alto Networks reaches a big milestone, and it’s Jim Cramer’s top cybersecurity stock by Morgan Chittum
The article states that CNBC's Jim Cramer has named Palo Alto Networks (PANW) as his top cybersecurity stock pick. This follows Palo Alto Networks becoming the first company in the Cybersecurity sector to achieve a $100 billion market cap. Cramer highlighted this accomplishment as a significant milestone, previously set as a goal by the company's management. He prefers Palo Alto over competitors like Fortinet due to its more diversified and less cyclical revenue channels, which enable the company to serve larger clients on a greater scale. The stock, part of ‘Jim’s Charitable Trust’, has seen substantial growth, becoming the Trust's third-best performing stock in 2023 and more than doubling in value year to date.
So What?
Wow! $100bn! This is a testament to marketing and business strategy, as much as it is to technological innovation. That’s not to say Palo don’t have some great tech in their portfolio, but from day one their positioning / acquisition strategy and messaging has been sublime.
Google expands minimum security guidelines for third-party vendors by John P. Mello Jr.
The article explains that Google has updated its Minimum Viable Secure Product (MVSP) program, initially launched in 2021, to enhance security standards for third-party applications. The update offers more comprehensive guidelines for working with external bug researchers and advocates for the integration of basic security features into applications by design, rather than charging extra for them. The MVSP program aims to establish a strong security baseline for third-party products, promoting key security controls as fundamental in enterprise-ready products and services.
The expanded guidance includes publishing a clear vulnerability disclosure policy, developing procedures for managing reported vulnerabilities, and ensuring prompt responses and patches within 90 days of discovery. Google also discourages vendors from adding costs for basic security features, aligning with security-by-design principles. Despite these advancements, nearly half of third-party vendors still fail to meet several MVSP controls, highlighting the need for greater awareness and enforcement in security compliance.
So What?
It’s always heart-warming to see the major CSPs raise the security bar for third-parties. I’m particularly happy to see the focus on full-disclosure procedures and patching. That said, the current state of adoption evidences the weakness of guidance as a control, with nearly half of third-party vendors electing to ignore the minimum standard. While I believe that regulation (or restrictive terms of use) should be used sparingly, and for the most important primitives of security, the CSPs need to find more effective mechanisms to enforce security hygiene within their ecosystems.
Blind CSS Exfiltration: exfiltrate unknown web pages by Gareth Heyes (Portswigger)
The post explains a novel ‘blind CSS exfiltration’ technique for extracting data from web pages where an attacker can inject markup or styles but not script. This method is useful when JavaScript is not an option due to site constraints like Content Security Policy (CSP) or filters like DOMPurify. The technique involves injecting styles to extract data using CSS, particularly when the structure of the target page is unknown. It utilises CSS variables as triggers for requests to an external server, leveraging attribute selectors and the ‘:has’ selector. The process includes setting up conditional requests with background images and exploiting the ‘:has’ selector to extract data from elements that don't normally allow it, such as hidden inputs. The approach is designed to be efficient in exfiltrating data from various form elements and anchor tags using CSS, even in cases where the page structure is not apparent. The article also discusses how to use @import chaining and multiple backgrounds for sending requests and collecting data effectively.
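As an added example (not code from Gareth Heyes’s post or from PortSwigger), the following JavaScript looks at the defensive side of the technique described above: a CSS-only exfiltration needs two things the Content Security Policy can deny, namely that an injected style block is actually applied (style-src / 'unsafe-inline') and that CSS can reach an external origin, via background images (img-src) or @import chaining (style-src). The helper parses a CSP header, applies the default-src fallback, and lists which of those conditions a policy leaves open. The two sample policies are constructed for illustration.

```javascript
// Added example: analyse a Content-Security-Policy header for the settings
// that leave a CSS-only exfiltration channel open. Not code from the
// PortSwigger post; the sample policies below are constructed.

// Split a CSP header into { directive: [source expressions...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives fall back to default-src. If neither is present the
// browser applies no restriction at all, which is represented here as null.
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy['default-src'] ?? null;
}

// A source expression that can name a network destination: '*', a scheme
// such as https:, or a host. Keyword sources ('self', 'none', nonces,
// hashes) and non-network schemes cannot point at an attacker's server.
function isRemoteSource(src) {
  const s = src.toLowerCase();
  if (s.startsWith("'")) return false;
  if (/^(data|blob|filesystem|mediastream):$/.test(s)) return false;
  return true;
}

function allowsRemote(sources) {
  return sources === null || sources.some(isRemoteSource);
}

// Inline styles are applied when 'unsafe-inline' is present, except that a
// nonce or hash source in the same directive makes browsers ignore it.
function allowsInline(sources) {
  if (sources === null) return true;
  const lowered = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lowered.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lowered.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Returns the policy weaknesses relevant to CSS exfiltration. An empty list
// means injected styles are not applied, and neither background images nor
// @import can reach an external origin.
function cssExfilFindings(header) {
  const policy = parseCsp(header);
  const styleSrc = effectiveSources(policy, 'style-src');
  const imgSrc = effectiveSources(policy, 'img-src');
  const findings = [];
  if (allowsInline(styleSrc)) {
    findings.push('style-src allows inline styles: an injected <style> block is applied');
  }
  if (allowsRemote(imgSrc)) {
    findings.push('img-src allows external origins: background-image requests can carry data out');
  }
  if (allowsRemote(styleSrc)) {
    findings.push('style-src allows external origins: @import can chain to attacker-hosted stylesheets');
  }
  return findings;
}

// Constructed sample policies: a permissive one and a hardened one.
const WEAK_CSP = "default-src *; style-src 'self' 'unsafe-inline'";
const HARDENED_CSP = "default-src 'self'; style-src 'self' 'nonce-r4nd0m'; img-src 'self' data:";

console.log('weak:', cssExfilFindings(WEAK_CSP));
console.log('hardened:', cssExfilFindings(HARDENED_CSP));
```

The weak policy reports two findings (inline styles applied, and background images allowed to any origin); the hardened policy reports none, because the nonce disables inline styles and both img-src and style-src are limited to the page’s own origin. An empty header, i.e. no CSP at all, reports all three. The check is deliberately conservative: a specific third-party host in img-src is still flagged, since whether it is safe depends on who controls that host.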
So What?
A much more technical share than usual, but this technique is pretty interesting. If you’re into the technical aspects of Appsec, you may find this useful at some point.
EDR Telemetry Repo by Kostas Tsale
This repo provides a list of telemetry features from EDR products and other endpoint agents, such as Sysmon, broken down by category.
The methodology of the project involves analysing EDR vendor table schemas, independent testing, and requiring evidence for contributed information. The Telemetry Comparison Table, a key part of the project, compares the telemetry from different EDR products. It focuses on out-of-the-box default telemetry events and covers categories like process execution, file system activity, scheduled tasks, network connections, registry activity, user activity, and system configuration changes. The project, currently focused on Windows operating systems, invites EDR vendors and the community to contribute to expanding and updating the information.
So What?
Another more technical resource. This is useful for detection engineers and red teamers especially. It provides lots of information regarding detection opportunities within quite a broad range of EDR technologies. However, these resources are only useful if they’re meticulously maintained, and many of these types of projects fall by the wayside when the maintainer moves on to the new hotness. Fingers crossed though, as this is good.
The Evolution of Enterprise Browsers by Francis Odum and Shubham Goel
This article explores the rapidly growing enterprise browser market in cybersecurity. In 2023, significant acquisitions occurred, such as Palo Alto Networks buying Talon Security for $625M, and Island Enterprise Security raising $100 million in funding, valuing the company at $1.5 billion. These developments indicate a strong trend towards enterprise browsers.
The article discusses the increasing importance of enterprise browsers in the context of the rise in hybrid workforces, BYOD policies, and the use of temporary or external contract employees. These factors drive the demand for enterprise browsers, which can virtualise work environments and SaaS apps, providing secure access to personal devices.
So What?
This is a very long and detailed post, but packed with great information. Gartner estimates that by 2027, enterprise browsers will be a key component in enterprise super-app consolidation strategies. The article outlines three potential long-term outcomes for enterprise browsers, including becoming a central platform for deploying security and productivity software, a main platform for managing work for third-party contractors and BYOD policies, or becoming acquisition targets for larger platforms. Let’s see. I remember secure browsers being the future in the 2010s too.
Personal Data in the Cloud Is Under Siege. End-to-End Encryption Is Our Most Powerful Defense by Ivan Krstić (Lawfare)
The article highlights the increasing threat of data breaches in the cloud, emphasising the vulnerability of personal data stored by various organisations. These breaches are becoming more sophisticated, with criminals using stolen data for ransom or public disclosure.
The author advocates for a shift to end-to-end encryption as a solution. This method ensures encryption keys are only available to the intended users, making data inaccessible to service providers and, consequently, to attackers. While implementing end-to-end encryption is challenging and not yet widespread, it is considered the most effective way to protect data in the cloud. The article warns against legislative attempts to weaken encryption, arguing that such measures would compromise overall data security for the sake of solving individual crimes. End-to-end encryption is essential for safeguarding privacy and should be preserved as a key defence against cloud data breaches.
So What?
There’s certainly an attack on privacy as a human right, by many of the world’s governments at the moment. If you’re an advocate of such things, it’s worth considering how you can support organisations championing the cause. Here are some such groups:
Ex-Twitter exec claims in lawsuit he was fired for raising security concerns by Daniel Wiessner (Reuters)
Alan Rosa, former global head of information security at Twitter, now known as X Corp, has filed a lawsuit alleging wrongful termination. Rosa claims he was fired for opposing budget cuts imposed after Elon Musk's acquisition of the company. These cuts, he argues, would have hindered Twitter's compliance with a U.S. Federal Trade Commission (FTC) settlement. The lawsuit, filed in New Jersey federal court, includes claims of breach of contract and retaliation.
Rosa asserts that the proposed 50% reduction in his department's budget and the shutdown of software vital for law enforcement cooperation would violate the terms of a $150 million FTC settlement from earlier in 2022. This settlement was based on Twitter's misuse of personal data and required the implementation of stringent privacy and security measures.
Rosa was dismissed shortly after voicing these concerns. His lawsuit seeks compensatory and punitive damages, plus legal fees. Since Musk's takeover, X Corp has faced multiple lawsuits from ex-employees, covering issues like severance pay, discrimination, and mass layoffs, which the company denies.
So What?
X has been embattled by lawsuits since Musk took control. It’s interesting to see someone in Infosec on the other side of a lawsuit for a change…
Ex-commissioner for facial recognition tech joins Facewatch firm he approved by Mark Townsend
The post explains that Professor Fraser Sampson, the former UK biometrics and surveillance camera commissioner, has joined Facewatch, a firm he previously approved, as a non-executive director. This move, occurring the day after he left his government role, has raised concerns of a potential conflict of interest. Facewatch, which uses biometric cameras in high streets, was the first to receive the watchdog's backing under Sampson's tenure. Critics, including advocacy groups like Big Brother Watch, argue that this hiring blurs the lines between public duty and private interests, undermining public trust. They point out the lack of specific laws regulating facial recognition surveillance in the UK and express concerns about privacy and bias in the technology.
However, Sampson defends his decision, stating he took measures to avoid conflicts of interest and had given prior notice of leaving his government role. He believes his move to Facewatch, which he views as a company committed to lawful and ethical operations, is justified. Facewatch chairman Nick Fisher supports this view, saying Sampson's appointment reinforces their commitment to responsible use of facial recognition technology.
So What?
I don’t really know enough about the situation either way to comment, but there’s a concerning element to these types of conflicts of interest.