SBOMbshells, Honeytokens, Fixin It in the Future, & Immortal Modems – PSW #784
In the security news: feel free to cry a bit, honeytokens are the shiny new hotness, it's fixed in the future, backdooring electron, should we move to passkeys, the turbo button, why Cisco hates SMBs, old vulnerabilities are new again, MSI, Boot Guard and some FUD, fake tickets, AI hacking, prompt injection, and the SBOM Bombshell!
Announcements
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
Hosts
- 1. Microsoft warns of two bugs under active exploit
*"Feel free to cry a bit and/or consider a career change." - Pretty much sums it up. The patch that applied the revocation list (to prevent things like Blacklotus) has to be manually applied, cannot be backed out, will break things (like restoring from backups) and does not really fix all the problems. These problems are complex.
- 2. Why Honeytokens Are the Future of Intrusion Detection
Pretty sure we've been talking about honeypots, oh well, since the beginning of the Internet (remember "The Cockoos Egg"?) Aaaand, we're right back where we started. LOL. Also this: "The future of honeytokens looks bright, and that's why it was little surprise to see Kevin Mandia praise the benefits of honeypots to the largest cybersecurity companies at RSA this year." - If this is the shiny new thing to be excited about from RSA this year, well, you can draw your own conclusions.
- 3. Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
- 4. Intel Linux Graphics Driver Affected By Privilege Escalation Vulnerability – Phoronix
"This is a CVSS 8.8 "High" score for a potential security vulnerability within the Linux i915 kernel driver that with local access could lead to escalation of privileges. The problem stems from an improper restriction of operations within the bounds of a memory buffer. INTEL-SA-00886. Fortunately, the issue has been fixed upstream since Linux 6.2.10 when it was quietly resolved. So upgrade past that point if you are making use of Intel Linux graphics and concerned about local users potentially gaining elevated privileges." - Uhm, great, except most distros are still on the 5.x kernels, 6.1 maybe if you are brave.
- 5. Backdooring Electron Applications
I like this method: "By unpacking, injecting JavaScript into the Source-Files, and repacking the asar-Files, it is possible for an attacker to add custom JavaScript to the actually View of the Application." - This is not new BTW, but there is no real fix as asar packages are not signed (despite a request being filed in 2019).
- 6. Below the Surface Spring 2023 – Eclypsium
Scott did a great job with this report, it rivals other threat reports for sure. Also, no registration to download it.
- 7. AMD Plans to Replace AGESA Firmware with Open Source openSIL
- 8. Redash SAML Authentication Bypass
Whoops, sort of a "forgot to authenticate the user" issue: "In the SAML flow, Redash acts as the Service Provider (SP), and popular providers like Okta or Google act as the Identity Provider (IdP). SAML relies on digital signatures to authenticate users. The user logs into the IdP and gets redirected back to Redash with a signed SAML message containing the user’s information. Redash uses the library pysaml2 6.1.0 to implement SAML authentication at the two endpoints /saml/login and /saml/callback. However, pysaml2 before version 6.5.0 is vulnerable to CVE-2021-21239, which allows one to bypass signature verification on arbitrary SAML messages."
- 9. PRFs, PRPs and other fantastic things
- 10. Making authentication faster than ever: passkeys vs. passwords
"This technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is only registered once on a user’s personal device, and then the device proves possession of the registered credential to the remote server by asking the user to use their device’s screen lock. The user’s biometric, or other screen lock data, is never sent to Google’s servers - it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps. If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account." - Reasons we should not be adopting this technology?
- 11. Unraveling the Mystery: What Did the Turbo Button Do on Old Computers?
I miss the turbo button: "The turbo button was typically connected to the motherboard via a two-pin connector. Pressing the button would send a signal to the motherboard, which in turn would adjust the clock multiplier, bus speed, or both, depending on the system’s design. This change in speed would be reflected on a small LED display on the front of the computer case, indicating the current clock speed."
- 12. Raspberry Pi OS Debuts New Version Featuring Linux Kernel 6.1, Improved Performance, and App Updates
- 13. Ex-Uber CSO Joe Sullivan gets probation for breach cover-up
"Joe Sullivan won't serve any serious time behind bars for his role in covering up Uber's 2016 computer security breach and trying to pass off a ransom payment as a bug bounty. A San Francisco judge on Thursday sentenced the app maker's now-former chief security officer to three years of probation plus 200 hours of community service, despite prosecutors' pleas to throw Sullivan in the cooler."
- 14. Cisco warns critical RCE bug in end-of-life IP phone adapters won’t get patched
There are no workarounds for this. There is no guidance from Cisco on what to do. This affects their small business line of VoIP gear. Cisco continues to treat this line like second class citizens and not produce software updates once end of life. I would not recommend using the SMB gear from Cisco, it likely does not generate enough revenue to make it worth while to support and fix security issues longer term. Cisco likely just wants you to buy new gear or upgrade to enterprise-class systems. Shaking my finger at you Cisco...
- 15. The Problem of Old Vulnerabilities — and What to Do About It
"In other words: At a time when ransomware attacks are perhaps the biggest threat facing organizations, the vulnerabilities most often exploited by ransomware attackers are already known to us. And yet countless companies have left themselves open to them. IT departments can't entirely be blamed for this persistent problem — most are overworked, overstretched, and engaged in triage with a never-ending cascade of threats from every direction." - This is a great article and should serve as a wake-up call for IT folks across the globe. While 0day vulnerabilities get a log of attention, once the hype cycle slows down they remain in environments and get less attention than the next shiny new 0day. The fix is pretty simple: Patch your stuff! Easier said than done as we have so much software to patch these days, and figuring out which ones to fix first is still hard.
- 16. Guidance related to Secure Boot Manager changes associated with CVE-2023-24932
Follow the link in the article for configuration guidance and read the section titled: "Examples of bootable media and recovery media impacted by this issue", then head -> desk.
- 17. MSI and Insecure KMs – Technical Blog of Richard Hughes
I just want to take a moment to remind everyone that there's FUD out there surrounding this. Don't believe all of the hype just yet. Its a good time to understand how Intel Boot Guard works. Also, please understand that if you have a system that is still in manufacturing mode, Boot Guard means nothing (and there are still plenty of boards out there that shipped in manufacturing mode). This is all a result of the MSI leak. Researchers are still going through the leak and determining the impact. For now, I will say that it affects MSI hardware, which may include hardware from other OEMs that may have used the keys that were leaked (or, more accurately, has hardware with public keys fused into the board were generated from leaked private keys). Please also note that Intel doesn't dish out private keys to OEMs. OEMs, for boot guard, generate their own private keys. For more information these are the best two references I could find:
- https://web.archive.org/web/20171006051839/https://embedi.com/blog/bypassing-intel-boot-guard - Bypassing Intel Boot Guard
- https://trmm.net/Bootguard/ - Bootguard by Trammell Hudson
- 1. QR codes used in fake parking tickets, surveys to steal your money
- 2. Send My: Arbitrary data transmission via Apple’s Find My network
- 3. AI Hacking Village at DEF CON This Year – Schneier on Security
- 4. U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwid
- 5. Hacking a VW Golf Power Steering ECU – Part 1
- 6. Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme
- 7. Leak of Intel Boot Guard Keys Could Have Security Repercussions for Years
- 1. OpenAI’s new tool attempts to explain language models’ behaviors
OpenAI is developing a tool to automatically identify which parts of an LLM are responsible for which of its behaviors. The engineers behind it stress that it’s in the early stages, but the code to run it is available in open source on GitHub as of this morning. MY TAKE: Like studies of real brains, there are occasionally functions dependent on a single neuron, but most processing uses many neurons in a complex way that is difficult to characterize.
- 2. Personal Safety User Guide for Apple devices
Apple's guide covers using Safety Check to control how you share user data such as location, how to record suspicious activity, Lockdown Mode, and more. 100 pages, many security features.
- 3. Companies Are Offering Insanely High Salaries For ChatGPT Experts
Select individuals with expertise in AI chatbots, especially those using next-gen tech like ChatGPT, can earn a lucrative six-figure salary as “prompt engineers.” These professionals train others on using AI chatbots more effectively and earn up to $335,000 per year.
- 4. How prompt injection attacks hijack today’s top-end AI – and it’s tough to fix
Prompt injection involves finding the right combination of words in a query that will make the large language model override its prior instructions and go do something else. It's really, really difficult to fix. The whole point of these models is you give them a sequence of words, but there is no mechanism to say 'some of these words are more important than others'.
- 5. LEAKED INTERNAL GOOGLE DOCUMENT CLAIMS OPEN SOURCE AI WILL OUTCOMPETE GOOGLE AND OPENAI
Google is very worried that Open Source LLMs will wipe the floor with both Google’s and OpenAI’s efforts. Low-Rank adaptation (LoRa) massively cuts down the effort and resources required to train a model. Google and in extension OpenAI do not have a ‘secret sauce’ that makes their approaches better than anything the wider community can come up with. The dire prediction is thus that in the end the proprietary LLMs by Google, OpenAI and others will cease to be relevant, as the open source community will have steamrolled them into fine, digital dust.
- 6. DEF CON to set thousands of hackers loose on LLMs
The AI Village will host "the largest red teaming exercise ever for any group of AI models," tasked with finding flaws in LLMs that power today's chat bots and generative AI.
- 7. The SBOM Bombshell
Many security players and code scanners in the market are finally starting to automatically generate SBOMs as part of their offerings. The result, as shown in a figure, is very complex.
- 8. Run. Hide. Fight.
In this FBI training video, customers at a bar are caught in an active shooter event. By employing the run, hide, and fight tactics, as well as knowing the basics of rendering first aid to others, they are prepared, empowered, and able to survive the attack.
- 9. AskJOE
AskJOE is a tool that utilizes OpenAI to assist researchers wanting to use Ghidra as their malware analysis tool. This is a Ghidra script that calls OPENAI to give meaning to decompiled functions.
- 10. TikTok Tracked Users Who Watched Gay Content, Prompting Employee Complaints
Employees at TikTok were able to find a list of users who watch gay content. The data was accessible to more workers than is common at other tech platforms. Employees in China also had access to the data. TikTok workers raised concerns about this practice: they feared employees might share the data with outside parties, or that it could be used to blackmail users. Tiktok says the data on watchers of gay content was deleted in the U.S. nearly a year ago. Now TikTok claims to stores the data in its new U.S. subsidiary. Meta Platforms also track similar data, but in recent years have locked down access to sensitive information.
- 11. The Team of Sleuths Quietly Hunting Cyberattack-for-Hire Services
Three major cybercriminal takedowns in the past five years began inside an informal working group that calls itself Big Pipes. The team has 30 members: staffers from cloud service providers and online gaming companies, security researchers, academics, FBI agents and federal prosecutors.
- 12. Detecting Large Language Models
AI/ML systems make different kinds of mistakes than people. This is a fundamental limitation of artificial neural networks. They are useful tools, but do not reproduce human cognition particularly well. Understanding these differences gives us many ways to detect LLMs and other models via challenges. A figure in this short paper shows ML systems making ridiculous errors simply finding the last three digits of a large number.