Discord.io Stops, Azure AD Pops, Zoom AI Drops, Model Confusion Attacks, Early XSS – ASW #252
Discord.io ceases to be, Azure AD breach to get scrutiny from the CSRB, Zoom's AI stumbles show security concerns, model confusion attacks, a look at how far we have -- and haven't -- come with XSS flaws, an approachable article on AI, and more!
- 1. Discord.io has suffered a data breach
Discord offers up quite a new take on the phrase, "We take your security seriously."
Now it's a quite decisive, "We are stopping all operations for the foreseeable future."
- 2. Microsoft Cloud Security Woes Inspire DHS Security Review
Microsoft's Azure has had a lot of attention from security vendors lately and the recent Microsoft 365 breach exposed a lot of risk associated with Azure's Active Directory.
Also check out the Cyber Safety Review Board's announcement.
Flaws in cloud providers don't often get CVEs. That's one of the reasons a group, sponsored by Wiz, created the CloudVulnDB project. AWS talked about the shared responsibility model with cloud service providers. And the CSRB will be looking at that shared responsibility and shared fate of flaws within cloud providers, their potential impact on tenants, and how to harden that ecosystem.
- 3. Jamf Threat Labs explains their discovery of a post-exploit UI hack of Airplane Mode.
I like this article for the level of scrutiny the researchers put into understanding the state changes of putting an iPhone into airplane mode. They were able to figure out how to make the UI reflect the state change, but prevent Safari from being aware of the change. I'm not convinced this would be a high risk or become an attack vector, but that's partly because similar UI-oriented attacks like browser clickjacking always felt like cool bugs in search of an exploit, too. In any case, it's a bug to be fixed and great work in understanding the behavior of iOS.
- 4. Zoom revises terms again to say it doesn’t use customer data to train AI models
AIs are the new hot tech and everybody wants one. But nobody wants to be the training data for them when there's a lack of transparency, lack of opt-outs, and lack of affirmative consent.
We'll be diving more into the technical and social aspects of AI next week!
- 5. Model Confusion – Weaponizing ML models for red teams and bounty hunters
This is a followup blog from the author's talk at this year's DEF CON AI Village.
It's a mix of common package management issues like creating name confusion and collisions, and typosquatting. And it has a few examples of misusing and abusing ML models. Overall a good example of demonstrated attacks to include in your threat models and threat hunting playbooks.
- 6. FYI: What Is ChatGPT Doing … and Why Does It Work?—Stephen Wolfram Writings
Here's an article that explains the underlying concepts of LLMs like ChatGPT. It's a good mix of technical and accessible. There's a bit of math in there, which is unavoidable considering the topic and the author, but it's not an overwhelming amount and there are helpful visualizations to reinforce the concepts.
- 7. HISTORY: Earliest(-ish) hack against web-based email
This week marks 25 years since one of the earliest XSS attacks I could track down. It's from a Usenet message about a vuln in Hotmail.
The writeup is almost indistinguishable from what you might see today (with one typo fixed):
- The malicious code runs as soon as e-mail message is viewed
- The resources required to launch the attack are minimal and freely available.
- The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes, or classroom terminals
- The exploit will work with any javascript-enabled browser, ...
Ok, the "internet cafes" dates it, but otherwise that's the past and most of the present of appsec today. I try not to be too pessimistic about appsec -- and there are improvements to point to -- but this is one of the reasons why I find XSS flaws to be largely boring these days.
Check out the original disclosure here.
p.s. I have another example from 1996 here
- 8. Unleashing in-toto: The API of DevSecOps | Cloud Native Computing Foundation
This project from CNCF is intended to help appsec and dev teams create a trusted attestation for building and deploying software. Users define the expected steps of the process -- what the project calls a layout. As the tool executes each step, it records and cryptographically stamps the state.
The in-toto specification just hit 1.0 in June of this year, but it's been an idea since 2016 and worked on since 2017. But as a CNCF project, and with the attention on all things supply chain, maybe it'll reach wide adoption.
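A simplified model of the layout-and-record idea described above, added here as an illustration; it is not in-toto's code or metadata format. The step names, keys and file names are constructed, and HMAC stands in for the digital signatures a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for the functionaries' signatures.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
# Hypothetical layout: ordered steps and who may perform each one.
LAYOUT = [{"name": "clone", "allowed": {"alice"}},
          {"name": "build", "allowed": {"bob"}}]

def digest(data):
    return hashlib.sha256(data).hexdigest()

def sign(signer, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest()

def record_step(name, signer, materials, products):
    """Record hashes of a step's inputs (materials) and outputs (products)."""
    body = {"step": name,
            "materials": {p: digest(d) for p, d in materials.items()},
            "products": {p: digest(d) for p, d in products.items()}}
    return {"body": body, "signer": signer, "sig": sign(signer, body)}

def verify(layout, links):
    """Return a list of failures; an empty list means the chain holds."""
    errors, handed_over = [], {}
    for step in layout:
        link = links.get(step["name"])
        if link is None:
            errors.append(f"{step['name']}: no record")
            continue
        if link["signer"] not in step["allowed"]:
            errors.append(f"{step['name']}: signer not authorized")
        elif not hmac.compare_digest(link["sig"], sign(link["signer"], link["body"])):
            errors.append(f"{step['name']}: bad signature")
        # Every file the previous step produced must arrive unchanged.
        for path, h in handed_over.items():
            if link["body"]["materials"].get(path) != h:
                errors.append(f"{step['name']}: {path} changed between steps")
        handed_over = link["body"]["products"]
    return errors

def demo():
    src = {"app.py": b"print('hi')\n"}  # constructed sample artifact
    links = {"clone": record_step("clone", "alice", {}, src),
             "build": record_step("build", "bob", src, {"app.tar": b"tar"})}
    clean = verify(LAYOUT, links)
    links["build"] = record_step("build", "bob", {"app.py": b"edited\n"}, {})
    return clean, verify(LAYOUT, links)
```

`demo()` verifies an untouched chain first, then one where the file was edited between the clone and build steps.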
- 1. SaaS outage causes late nite 3D prints
Bambu, a manufacturer of 3D printers and software, recently had an outage in their cloud. Their customers' printers, which connect to said cloud to poll for new jobs to print, started timing out. The result of said timeout was the printers deciding to reprint the last job they had worked on, waking up nerds everywhere.
- 2. A user’s perspective of the Department of No
We talk a lot about not wanting security teams to be seen as the "department of no," but does that really happen? Here's a completely non-appsec instance where a user/writer decides the threat model for somebody hacking his iPhone via Bluetooth is not too risky for him to leave Bluetooth on and use his AirPods.
- 3. Hard-coded credentials still on the rise?
"At least" 10 million secrets were committed in 1 billion GitHub commits over the last year, according to a pair of talks at BSides Vegas. Apparently this was a 50% increase over the previous year.
Stop, please. Thanks.
- 4. Google releases first quantum-safe FIDO2 authenticator open-source
Besides the quantum and FIDO parts, there's a bit of a foxhole here to go down. They're releasing this as an app for TockOS, a lightweight OS for IoT devices, so in theory one could build their own authenticator token with this?
Just in case you need another project...
NOTE: This is not meant for daily usage - "The cryptography implementations are not resistant against side-channel attacks."
- 5. AI Inventing new bowling techniques
While a fun video, this provides a visual example of how ML algorithms get trained.