Briefly Briefed: Newsletter #23 (15/02/24)
Hello Cyber People,
This is week #23 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.
My ‘if you only read two’ recommendations for the week are:
Security for AI: The New Wave of Startups Racing to Secure the AI Stack by Venky Ganesan, Rama Sekhar, Feyza Haskaraman, Sam Borja
ChatGPT Account Takeover - Wildcard Web Cache Deception by Harel (nokline)
Have a great week!
Lawrence
Meme of the Week:
Government of Canada hosts National Summit on Combatting Auto Theft by Public Safety Canada
The Canadian government convened a summit to address the rising issue of auto theft, which is increasingly linked to organised crime. The summit, attended by officials from various levels of government, law enforcement, and industry leaders, aimed at finding solutions and coordinating efforts to tackle this challenge. Measures discussed include increasing the capacity of the Canada Border Services Agency, pursuing bans on theft devices, and enhancing collaboration across jurisdictions and sectors. The summit concluded with a commitment to finalise an action plan.
So What?
One of the most controversial decisions derived from the summit, was to ban the import and use of ‘Flipper Zero’ devices. The manufacturer has contested the Canadian government’s decision, arguing the device is incapable of compromising the security of modern automobiles, particularly those manufactured after the 1990s. According to Alex Kulagin, COO of Flipper Devices, Flipper Zero is not designed to defeat the contemporary security systems of modern cars.
Canada does like a prohibition on ‘hacking’ tools it seems. When I led a team in North America, I remember multiple instances of US team members being turned away at the Canadian border, and being banned from future entry after being caught with lock picks. It was almost like it was intentional, and they didn’t like going on site and travelling to Canada…
Security for AI: The New Wave of Startups Racing to Secure the AI Stack by Venky Ganesan, Rama Sekhar, Feyza Haskaraman, Sam Borja
This article discusses the emerging challenges and opportunities in securing AI technologies. It highlights the risks associated with generative AI, including attacks on AI models like DoS attacks and model theft. The article also outlines a range of innovative security solutions being developed to protect AI systems, from governance and observability tools to AI firewalls and data privacy solutions. It emphasises the need for continuous investment and innovation in AI security to combat evolving cyber threats.
So What?
There are a lot of interesting vendors I’d never heard of in this article. With the acceleration of ‘AI’ adoption and development, the Cybersecurity industry was always going to follow the trend. While we still struggle to create high-efficacy or -utility SAST and DAST (and IAST and RASP), I’d be surprised if we nail this first time.
Defending against the Attack of the Clone[d website]s! by Jacob Torrey
The article discusses innovative security tokens developed to alert website owners of Adversary-in-the-Middle (AitM) phishing attacks. It introduces CSS-based tokens that can be deployed even on sites with limited administrative access, like Azure login portals, providing high-quality alerts when users are targeted. The development aims to enhance protection against phishing by utilising CSS tricks for alerting, addressing limitations of previous JavaScript-based solutions, and ensuring broader applicability across different web platforms.
So What?
This is a really smart concept and implementation, kudos to Thinkst. The deception space is starting to hot up again, despite a big false start over the last couple of years whilst vendors found their feet (save a few pioneers, including Thinkst). Many of the vendors are repositioning and finding ways to operationalise their stacks, and complement lower fidelity alert sources, such as EDR. If you’re a CISO, MSSP or SOC leader, I’d strongly encourage you to evaluate or re-evaluate this space (AMTD in Gartner speak) in the coming months.
N.B. LOL at the reference to the historic misspelling of ‘referrer’ in the post!
IT suppliers hacked off with Uncle Sam's demands in aftermath of cyberattacks by Brandon Vigliarolo
The article discusses proposed changes to US government procurement rules, requiring IT contractors to grant agencies access to their systems post-security incident and report incidents within eight hours. These measures, aimed at strengthening cybersecurity, have faced industry backlash for being burdensome, particularly around the software bill of materials and incident reporting timelines. Critics argue these changes could hinder operations and affect contractor relationships with non-federal customers.
So What?
At a nation state level, it’s challenging to balance heavy-handed regulation with a tendency towards inaction for anything that increases financial overheads. I’ve found it interesting to watch the introduction of more prescriptive legislation in the US. I believe there’s a strong evidence base [in the cost of cyberattacks] to suggest that security fundamentals are rarely done without incentive (or disincentive) and that the efficacy is low in the absence of transparency and validation. Despite there having been considerable challenge relating to the introduction of SBOMs, I believe that it’s driven consumer pressure on vendors in a positive way. A double whammy of carrot and stick.
No, 3 million electric toothbrushes were not used in a DDoS attack by Lawrence Abrams
The article debunks a sensational claim that 3 million electric toothbrushes were used in a DDoS attack. It clarifies that the story, initially reported by a Swiss news site, is likely a misunderstood hypothetical scenario rather than an actual event. Security experts and Fortinet, the cybersecurity firm linked to the story, have disputed the claim. The piece serves as a reminder of the potential for any internet-connected device to be targeted in cyberattacks, underscoring the importance of securing such devices.
So What?
I’m not sure there was a lot of value in the drama that ensued around this curious ‘miscommunication.’ However, it was quite perplexing as to why Fortinet said what they said. It’s hardly the first pointless telenovella in Cybersecurity, and it won’t be the last.
'Enshittification’ is coming for absolutely everything' by Cory Doctorow
The post introduces ‘enshittification’ to describe the degradation of online platforms due to their prioritisation of profit over user experience. It outlines the process where platforms initially benefit users, then exploit them and eventually their business customers for maximum profit, leading to a decline in quality and trust. The article discusses Facebook as a case study, illustrating how platforms evolve to extract value at the expense of users and stakeholders, suggesting a critical examination of internet governance and corporate power.
So What?
They’re not wrong! This was one of the primary drivers for me to shift from LinkedIn and ‘X’ posts to a newsletter format. The likes of Mastodon and BlueSky (which recently opened up membership to anyone) are growing, but they’ve still work to do on tempting the hoards away from the major players.
Discerning Saints: Moralization of Intrinsic Motivation and Selective Prosociality at Work by Mijeong Kwon, Julia Lee Cunningham, and Jon M. Jachimowicz
This article explores the complex effects of intrinsic motivation at the workplace, suggesting that highly intrinsically motivated employees may engage in selective prosocial behaviors, favoring colleagues they perceive as similarly motivated. This inclination stems from the moralisation of intrinsic motivation, leading to differentiated treatment based on perceived moral standing. The findings, supported by a field study and online experiments, challenge the universally positive view of intrinsic motivation, highlighting its potential to foster workplace divisions.
So What?
Not cyber. Essentially, the study found that people who’re self-motivated can judge themselves and others who’re self-motivated to be morally superior to those who’re not. While ‘humans gonna human’, the key take away for me is to apply the wisdom that everyone is different and to seek humility.
AI, Deepfakes, and Phishing by Clint Gibler
A summary page tracking AI and LLMs being applied to deepfakes and phishing.
So What?
This is really useful if you’re following the progression of malicious deepfakes, or you need to report, point-in-time, on the proliferation of this TTP.
Preventing The Quantum Crypto Apocalypse by Nigel Smart
The paper discusses the threat quantum computing poses to current cryptographic systems and the solutions proposed by the American National Institute for Standards and Technology (NIST). Utilising linear algebra problems, NIST's recommendations aim to secure digital infrastructure against quantum attacks. The article delves into the specifics of Learning-with-Errors (LWE), a promising approach in post-quantum cryptography, explaining its basis in linear algebra and its potential to safeguard against the quantum crypto-apocalypse through complex mathematical frameworks.
So What?
This is a VERY technical (read ‘Maths-y’) paper, but it provides a lot of insight into the currently accepted approach to PQC.
Living Off The Land Leaked Certificates (LoLCerts) by WithSecureLabs
The GitHub repository gathers details of code signing certificates known to have been misused by threat actors. The repository includes a Python script to generate Yara rules for these certificates, aiming to assist in identifying malware signed with these compromised credentials.
So What?
This is quite a cool project, it highlights the increasing relevance of this threat as more defenses rely on digital signatures to permit execution on endpoints.
APT29’s Attack on Microsoft: Tracking Cozy Bear’s Footprints by Andy Thompson
This article discusses APT29's sophisticated cyber-attacks on Microsoft, identifying the group as a Russian espionage entity aiming to gather sensitive information. It delves into the tactics, techniques, and procedures employed, including a notable breach through password spraying. The piece underscores the importance of multi-factor authentication, identity threat detection, and response strategies to mitigate similar threats. It calls for heightened vigilance and security measures across industries to protect against such advanced persistent threats.
So What?
This is a pretty interesting write-up on Cozy Bear (despite the key recommendation being ‘buy CyberArk’).
Trends in Phishing & Fraud by Domain Guard
This article explores the increasing sophistication of phishing and fraud, emphasising the dual-use nature of technological advancements like AI in perpetuating these crimes. It highlights the misuse of legitimate services like Cloudflare by attackers to shield phishing sites, alongside tactics like creating fake banks and universities. The piece offers actionable advice for both individuals and cybersecurity professionals on safeguarding against these threats, underscoring the importance of vigilance and adaptive security measures in the face of evolving cyber risks.
So What?
There are some good data in this report for presentations and building business cases.
ChatGPT Account Takeover - Wildcard Web Cache Deception by Harel (nokline)
The post outlines a critical vulnerability in ChatGPT, exploiting a web cache deception with a path traversal URL parser confusion, leading to user auth token leaks and account takeovers. By manipulating cache rules and path normalisations between CDN and web server, Harel demonstrated how attackers could access sensitive API endpoints. This discovery, netting a $6500 bounty, highlights the ongoing need for vigilance and advanced security measures against evolving cyber threats.
So What?
I really enjoyed this post (thanks to Tom Neaves for sharing), despite needing some additional Googling to ensure I understood it fully. It demonstrates how ‘traditional’ web application bugs are still valid for Conversational AI Chatbots. I think this particular attack chain is interesting, as it’s likely applicable to a number of disparate implementations. Bug Bounty mavens (and TAs) will be having fun with this already, no doubt.
Practical WPA2 Security Assessment of Wireless Routers by WirelessBits
The article presents an exploration into the security of WPA2 on various router models by simulating an attack to test default SSID passphrase strength. The assessment reveals significant security vulnerabilities with factory-default settings, emphasising the necessity for users to adopt stronger, customised passphrases and to consider upgrading to WPA3 for enhanced security. The author also discusses technological advancements in hashing and the importance of using VPNs for additional protection, underscoring the critical need for vigilant cybersecurity practices in wireless networking.
So What?
It’s been a while since wireless security has been hotly discussed. This post contains some really great practical advice for assessing WPA2 in particular. A sub-set of the offsec community have been saying on social media that modern wireless is super secure and we should just dive into public access points without trepidation. However, history teaches us that it’s unlikely the case and many remain sceptical.
QR Codes - what's the real risk? by UK NCSC
The UK's National Cyber Security Centre addresses concerns surrounding QR code safety, noting their widespread adoption during the COVID-19 pandemic. While QR-enabled fraud exists, it's less common than other cyber threats. The article advises caution, particularly with QR codes in emails or public spaces, as these may link to malicious sites. For safety, use built-in phone scanners and remain alert to oversharing personal information.
So What?
The UK NCSC has been releasing some great information and guides recently, including this one on Vulnerability Management. It’s great to see their focus on providing well-researched information on the basics.