The RESTRICT Act, Intel’s Attack Surface, & Stop Developing AI (For 6 Months) – PSW #778
In the Security News: Turning traffic lights green with the flipperzero (and a bunch of other hardware), suspending AV and EDR, Test signing mode, Linux control freaks, hacking the Apple Studio Disaply, Intel;s attack surface reduction claim, the truth about TikTok that everyone is missing, just stop developing AI, but only for 6 months, anyone can connect to Amazon's wireless network, revoking the wrong things, losing your keys, the funny, not-so-funny things about firmware encryption, and exploding thumb drives. All that, and more, on this episode of Paul’s Security Weekly!
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
- 1. Hacker Uncovers How to Turn Traffic Lights Green With Flipper Zero
Not what you think. Do not try this at home.
- 2. Disabling AV With Process Suspension – TrustedSec
Sounds like AV/EDR needs to update its protection mechanisms: "This appears to be an oversight and is the reason I would like to draw more attention to it. I’m not aware of a reason to grant suspend/resume privileges to an arbitrary process in relation to a PPL process. Those implementing AV/EDR drivers could additionally filter suspend/resume permissions and reject them, as they already do with terminate permissions."
- 3. Flerov/TS-Fucker: TS-Fucker – Forces the machine in/out of TestSigning Mode at runtime.
"TestSigning mode is a boot configuration option in Windows that allows users to load and execute drivers and system files that have not been digitally signed by Microsoft."
- 4. Python Penetration Testing: Being a Linux Control Freak!
Some neat tools and such, still a WIP from what I can tell, full set of scripts is here: https://github.com/R-Eric-Kiser/python-pentesting
- 5. About the security content of Studio Display Firmware Update 16.4
"Apparently, if you’re running macOS Ventura and you’ve hooked your Mac up to a Studio Display, just updating the Ventura operating system itself isn’t enough to secure you against potential system-level attacks. According to Apple’s bulletin, a bug in the display screen’s own firmware could be abused by an app running on your Mac “to execute arbitrary code with kernel privileges." (From https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-including-a-zero-day-fix-for-ios-15-users/) - So there is a kernel on your Apple Studio Display, curious what you do with this vulnerability...
- 6. The curl quirk that exposed Burp Suite & Google Chrome
- 7. Using an Undocumented Amplify API to Leak AWS Account IDs
- 8. Control A Raspberry Pi With Your Mind and PiEEG
- 9. Exploiting aCropalypse: Recovering Truncated PNGs
- 10. blacklanternsecurity/badsecrets: A library for detecting known secrets across many web frameworks
- 11. PHP filter chains: file read from error-based oracle
- 12. Mimicry – Security Tool For Active Deception In Exploitation And Post-Exploitation – Haxf4rall
- 13. We updated our RSA SSH host key
- 14. Continued march of time
- 15. Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
A bold claim: "Intel claims that the latest version of its vPro platform provides dozens of security capabilities that can help reduce the attack surface of a 13th Gen Core-powered computer by as much as 70% compared to a 4-year-old PC. This is based on an attack surface study conducted by cybersecurity firm IOActive." - The problem is, while this is likely true from a certain perspective, the downstream suppliers will mess it up. Firmware, bootloaders, kernels, and operating systems (and virtualization) won't use these features or use them in the wrong way, providing opportunities to attackers. Much like crypto, the weakness is in the implementation. On the plus side, these security features are moving the needle forward, we just need to convince the supply chain to use them, correctly.
- 16. Journalist plugs in unknown USB drive mailed to him—it exploded in his face
- 17. Beyond Firmware Encryption: Enhancing Embedded Device Security
"Even if the vendor uses strong cryptography, such as AES in a sufficiently secure mode (and not something obscure and senseless like XOR’ing with a 16-bit constant), the confidentiality of the resulting encrypted image will be compromised if the corresponding key is compromised. Key management will therefore be crucial for these systems, however, provisioning device unique keys is non-trivial for many designs, and to properly protect encryption keys, one must also implement a proper boot trust chain and rely on the hardware root of trust capabilities of the SoC, when present. Keys hardcoded into bootloader binaries or image header structures will definitely not do the trick." - So much this. It would seem that this security through obscurity provides little value, it really just tries to prevents people from reversing the firmware and finding vulnerabilities, not provide any operational security to the end user.
- 18. OpenAI, MinIO, And Why You Should Always Use docker-cli-scan To Keep Your Supply chAIn Clean
- 19. Hacking AI: System and Cloud Takeover via MLflow Exploit
- 20. We need better support for SSH host certificates
Yep: "Finally, I've seen a couple of people imply that the blame here should be attached to whoever or whatever caused the private key to be committed to a repository in the first place. This is a terrible take. Humans will make mistakes, and your systems should be resilient against that. There's no individual at fault here - there's a series of design decisions that made it possible for a bad outcome to occur, and in a better universe they wouldn't have been necessary. Let's work on building that better universe."
- 21. Journalist plugs in unknown USB drive mailed to him—it exploded in his face
- 22. Vulnerable UEFI binaries Revoked in August 2022 DBX update were revoked incorrectly
"The problem was that for these two affected binaries – shdloader.efi (CVE-2022-34302) and esdiags.efi (CVE-2022-34301) – flat SHA256 file hashes were added to the DBX update instead of their PE authenticode hashes." - I was told testing was important...
- 1. ChatGPT Suffers First Major Personal Data Breach
- 2. Experts call for pause on AI training citing risks to humanity
[PAUL] - "Should we automate away all the jobs, including the fulfilling ones? Should we develop nonhuman minds that might eventually outnumber, outsmart, obsolete and replace us? Should we risk loss of control of our civilization?" - I think we are not even close to this. Ex Machina was just a movie, man. Also, they propose a 6-month stoppage on all AI. What are six months going to do exactly? We change the face of AI in 6 months and stop Skynet?
- 3. Micron sees recovery ahead after revenue dive of 53%
- 1. Elon Musk and others urge AI pause, citing ‘risks to society’
Elon Musk and a group of artificial intelligence experts and industry executives are calling for a six-month pause in developing systems more powerful than OpenAI's newly launched GPT-4, in an open letter citing potential risks to society and humanity. It called for a pause on advanced AI development until shared safety protocols for such designs were developed, implemented and audited by independent experts.
- 2. Burgum, Baesler applaud landmark North Dakota computer science, cybersecurity measure
North Dakota is the first state in the nation to approve legislation requiring cybersecurity education. It requires the teaching of computer science and cybersecurity and the integration of these content standards into school coursework from kindergarten through 12th grade. [PAUL] - I was walking through the book sale at my children's elementary school. I did not see one book on the subject of computer science or computer security. I love what North Dakota has done here, and usually, the laws being passed are ridiculous, like banning straws or something.
- 3. Introducing self-service SBOMs
Github announces a new Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click. The resulting JSON file saves project dependencies and metadata, like versions and licenses in the industry standard SPDX format.
- 4. Amazon just opened up its Sidewalk network for anyone to build connected gadgets on
The long-range, low-bandwidth network can give any IoT device free low-speed data. Over 90 percent of the US population can access the now public network. It works over three existing wireless radio technologies — Bluetooth Low Energy (BLE) for short distances, LoRa for long range, and frequency shift keying using 900MHz.
- 5. ‘Holy grail’ of cancer detection predicts tumors a year before they form: breakthrough
Following a radically successful trial on cancer patients, a new blood test that promises to predict tumors more than a year before they begin to form is now being applied in hospitals across the United Kingdom. It can detect cancer earlier than other known technologies, before the tumor has physically formed.
- 6. The oral part of the CCNA exam
A comedy video
- 7. The Problem with TikTok’s Claim of Independence from Beijing
It’s not uncommon for Chinese authorities to forcibly “disappear” business executives, a practice that has increased in recent years under President Xi Jinping. Some executives have never been heard from again. Some have returned to work as if nothing had happened. Some ended up going to prison. Some even mysteriously died when incarcerated. [PAUL] - Yea, so not independent. And what most people miss about the TikTok ban is this: it's all politics and has nothing to do with technology or privacy.
- 8. Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs
First, our Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity. Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance. Since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.
- 9. RISC-Y Business: Arm wants to charge dramatically more for chip licenses
Arm is performing a "radical shake-up" of its business model. The new plan is to raise prices across the board and charge "several times more" than it currently does for chip licenses. According to the report, Arm wants to stop charging chip vendors to make Arm chips, and instead wants to charge device makers—especially smartphone manufacturers—a fee based on the overall price of the final product.
- 10. New victims come forward after mass-ransomware attack
On Feb 2, Brian Krebs reported details of a zero-day remote code injection exploit in Fortra's GoAnywhere software, which Fortra had hidden behind a login screen on its website. Fortra released security fixes for GoAnywhere five days later on February 7. By then, the hackers had already stolen reams of data from 130 alleged companies. Fortra also owns Cobalt Strike.
- 11. New CISA tool detects hacking activity in Microsoft cloud services
The 'Untitled Goose Tool' is Python-based and can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments. It's a robust and flexible hunt and incident response tool.
- 12. MITRE Rolls Out Supply Chain Security Prototype
The so-called Risk Model Manager (RMM) platform is now available for organizations to assess supply chain risk and security. RMM is a cloud-based prototype platform for its new System of Trust (SoT) framework that defines and quantifies risks and cybersecurity concerns for the supply chain. The SoT framework, which is a cloud-native app hosted on AWS, is centered around 14 top-level risk areas related to suppliers, service providers, and supplies, including the financial stability and cybersecurity practices of the supplier, as well as risk of counterfeit and compromise to products.
- 13. The ‘Insanely Broad’ RESTRICT Act Could Ban Much More Than Just TikTok
The bill could have implications not just for social networks, but potentially security tools such as VPNs. Under the RESTRICT Act, the Department of Commerce would identify information and communications technology products that a foreign adversary has any interest in, or poses an unacceptable risk to national security, the announcement reads. The bill only applies to technology linked to a “foreign adversary.” Those countries include China (as well as Hong Kong); Cuba; Iran; North Korea; Russia, and Venezuela. “If Congress is serious about addressing risks to Americans’ privacy, it could accomplish far more by focusing its efforts on passing comprehensive privacy legislation like the American Data Privacy and Protection Act”