I hope you're having a wonderful day! This one is a full issue again, and there's a lot of interesting stuff to read. A lot of it is research related, which makes sense I suppose since it's DEFCON and Black Hat time in Vegas.
Breaches and leaks
- UK Electoral Commission data breach exposes 8 years of voter data: link.
- Colorado Department of Higher Education warns of massive data breach: link.
- Ransomware attack on Prospect Medical Holdings impacts hospitals across 4 states : link.
- Missouri warns that health info was stolen in IBM MOVEit data breach: link.
- North Korean hackers breached Russian missile maker: link.
Researchers have discovered a new Spectre-like attack called 'Inception' that impacts all AMD Zen CPUs. In the research the data leak rate achieved was 39 bytes/sec, which would take about half a second to steal a 16-character password and 6.5 seconds for an RSA key. It does seem to be a local-only exploit, meaning you'd have to already be infected by malware. Still, worth keeping an eye on.
And we can't leave Intel out in the cold, I guess. This is another Spectre-like attack, this time impacting all processors based on Intel microarchitectures Skylake through Ice Lake. Similarly, it seems to be local-only. These things are complicated though, so make sure to dive deep into this if your environment might be affected.
I'm usually sceptical of how practical these are in the real world. But this one does sound like it might be usable for nefarious purpouses. If you have enough data linking keyboard sounds to messages written, like when someone is typing in chat on Zoom, or when following a Twitch streamer, you very well might be able to extract their password when they type it next. HN thread: link.
Two types of attacks were discovered: LocalNet and ServerIP. These are clever ways to trick VPN clients into exposing their traffic to attackers, one by convincing it it's sending data to the local network (which many clients don't encrypt), and the other by convincing it that it's talking to the VPN server itself. Judging from the VPN vendor responses in this article from The Register they don't consider it a huge deal, but they're still working on mitigations where needed.
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
It should allow users and organisations to disable the usage of 2G and unencrypted connections. Sounds like a very nice feature.
I don't know how many seeders there would be for data like that, but it'll be interesting to see if they keep this tactic going.
Research shows that three-quarters of companies in the US and the UK have implemented a software bill of materials (SBOM), and that 60% of companies require an SBOM of their vendors. That's much higher than I would have expected. Good stuff.
The Google Cloud security team acknowledged some common tactics used to slip malware on Android devices after being approved by the Play store review process. Malicious code can be introduced by either downloading updates after the app is already installed, or dynamically loading external code libraries. Seems rather obvious really. I don't see a reliable way to block that without becoming a lot more strict on what apps are allowed to do in Android though.
CISA, the NSA and the FBI released a list of most exploited vulnerabilities in 2022. It's pretty sad to see that 4 out of 5 were also on the 2021 list.
I haven't played around with them myself but they do seem useful, both to legit and malicious use. Cloudflare tunnels will allow for a secure outbound-only connection, opening up the device to the outside world on a user-specified hostname. They can then be reconfigured in real-time, only enabling them when needed. There's advice on how to detect them too, like monitoring for specific DNS queries, and scanning for the hashes of the 'cloudflared' client that needs to be installed.
Interesting read about the team within Microsoft that attacks machine learning systems. Anything from letting it generate inappropriate content to tricking it into situations where they could attack other users. We'll be seeing more of these AI Red Teams in the future no doubt.
Our industry is trying to completely remove phishing as a threat by using passkeys, and it has me pretty excited. Check out this article to learn more about how they work and how it applies to 1Password going forward. (Sponsored)