Cybersecurity News: Federal networks fail CISA rules, US AI chip bans, MOVEit victims grow

Federal network devices fail CISA requirements

On June 13th, the Cybersecurity and Infrastructure Security Agency issued a directive requiring all federal civilian executive branch agencies to harden internet-exposed edge and remotely managed devices. As part of this, CISA gave agencies two weeks to remove management interfaces reachable from the internet over network protocols. However, researchers at the security firm Censys found that, as of June 26th, roughly 250 hosts were still exposing network appliances with these protocols. These ranged from Cisco routers to firewalls from Fortinet and SonicWall. Censys also found “multiple” out-of-band remote server management devices and managed file transfer tools exposed online.
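As an added illustration of the kind of self-check the directive calls for (example code, not from Censys, CISA or the original article), the script below walks an asset inventory and flags records where a management service listens on an address outside the organisation's internal ranges. The inventory format, the hostnames, the addresses and the port-to-service mapping are all constructed assumptions.

```python
"""Flag management interfaces that sit outside internal address ranges.

Added example: the inventory format, hosts, addresses and the management
port list below are constructed, not taken from the directive or the
Censys findings.
"""
import ipaddress

# Assumption: management access is only expected from these RFC 1918
# ranges. Any management listener outside them is treated as exposed.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed mapping of well-known management ports to protocol names.
MANAGEMENT_PORTS = {
    22: "ssh",
    23: "telnet",
    80: "http",
    443: "https",
    161: "snmp",
    623: "ipmi",
}

# Constructed sample inventory: (hostname, ip, port, role).
# "mgmt" marks a listener that is a device management interface;
# "service" marks an intentionally public service such as a web site.
INVENTORY = [
    ("edge-rtr-01", "203.0.113.10", 443, "mgmt"),
    ("edge-rtr-01", "203.0.113.10", 22, "mgmt"),
    ("fw-02", "10.0.0.5", 443, "mgmt"),
    ("www-01", "203.0.113.20", 443, "service"),
    ("bmc-03", "198.51.100.7", 623, "mgmt"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the expected internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def exposed_management_interfaces(inventory):
    """Return inventory records whose management listener is outside
    the internal ranges, with the protocol name resolved for the report."""
    findings = []
    for host, ip, port, role in inventory:
        if role != "mgmt":
            continue  # public web services are not management interfaces
        if port in MANAGEMENT_PORTS and not is_internal(ip):
            findings.append(
                {"host": host, "ip": ip, "port": port,
                 "protocol": MANAGEMENT_PORTS[port]}
            )
    return findings


if __name__ == "__main__":
    for f in exposed_management_interfaces(INVENTORY):
        print(f"{f['host']} {f['ip']}:{f['port']} ({f['protocol']}) exposed")
```

The check deliberately uses an explicit allow-list of internal networks rather than a generic "is this IP public" test, so that a management interface on any unexpected network, including a partner or cloud range, is reported.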

(SC Media)

US considering more AI chip export bans 

We’ve seen the US government consistently clamping down on Chinese access to the semiconductor supply chain for years now. Much of this focuses on limiting access to advanced chipmaking tools, but access to accelerator chips for AI workloads also remains a focus. Now the Wall Street Journal’s sources say the Biden administration has begun considering new restrictions on the latter. This could codify export control measures announced by the Commerce Department in October, stopping shipments from Nvidia and other chipmakers as early as next month. Nvidia already sells lower-spec AI accelerators specifically for the Chinese market; the new restrictions could ban the sale of those chips without a license. They could also place limits on Chinese firms leasing cloud resources.

(WSJ)

The scope of MOVEit vulnerability

According to an analysis by Brett Callow, a researcher at the security firm Emsisoft, the ransomware group Clop exploited a zero-day vulnerability in the MOVEit file transfer utility to breach at least 122 organizations. Based on breach disclosures and data published on Clop’s leak site, Callow estimates this impacted 15 million people. Victims include the BBC, British Airways, Siemens Electric, the Canadian province of Nova Scotia, New York City’s Department of Education and the US Department of Energy. Organizations saw the first signs of MOVEit exploitation on May 27th. MOVEit provider Progress patched the vulnerability within four days, but a lag in applying the update continues to expose organizations.

(Ars Technica)

Apple criticizes UK’s Online Safety Bill 

Apple publicly came out in opposition to measures in the proposed legislation that would require encrypted messaging apps to scan for child sexual abuse material, or CSAM. It urged the UK government to protect strong encryption, citing its use by journalists, human rights activists, diplomats, and ordinary citizens. Makers of other encrypted messaging apps, including Meta and Signal, also oppose the bill on these grounds; earlier this year, Signal indicated it would leave the UK market rather than comply. The BBC’s sources say legislators may change some of the language in the bill mandating the scanning of messages, but it’s unclear what these changes could look like.

(BBC)

And now a word from our sponsor, AppOmni

Are you continuously monitoring the common misconfigurations occurring in your SaaS ecosystem? From inactive connected SaaS apps retaining access to sensitive data, to threat actors manipulating conditional access rules, these misconfigurations can pose a significant threat to your SaaS security. 

Take action with AppOmni. Secure your organization’s most sensitive data and continuously monitor your SaaS estate for data exposure and misconfigurations. Visit AppOmni.com to get a free risk assessment.

Proton releases password manager

Proton released Proton Pass, the end-to-end encrypted password manager it first announced back in April. The company hopes the offering stands out by encrypting not just passwords but also emails, URLs, and any notes. It lacks features seen in more mature commercial offerings, such as support for storing documents or breach alert notifications. It’s available as a browser extension and as an app on Android and iOS. The company plans to open source Proton Pass to allow for security audits of its code.

(TechCrunch)

Brave adds local resource restrictions

The latest update to the privacy-focused browser adds the ability for users to limit how long a site can access local network resources. These resources could include devices on the local network or locally hosted images and files. Many sites use these resources to create unique fingerprints of users. Most browsers allow sites to request access to these resources without restriction; Safari does block these requests by default. Brave will now block them by default as well. Users can choose to enable local access, and further limit how long a site can use it, for instance until they close the site.

(Bleeping Computer)

Patent Office leaked data for years

The U.S. Patent and Trademark Office notified roughly 61,000 filers that it had exposed applicants’ listed addresses in public records. This occurred from February 2020 until March 2023, impacting about 3% of filers in that span. The office exposed this data through its API, as well as through datasets the agency published for researchers. A spokesperson for USPTO said this appeared to be a failure of the office’s routine masking procedure for such data. It blocked access to non-critical APIs and took down datasets containing the information until it resolved the issue.

(TechCrunch)

The pain of the Password Game

Developer Neal Agarwal released a web-based text game called The Password Game. New players are met with a blank text box and the prompt “Please choose a password.” Entering text reveals an increasingly byzantine set of conditions the password must satisfy, starting with classics like a special character or a capital letter but quickly getting much more esoteric. In an interview with Ars Technica, Agarwal said he was spurred to make the game after being told by a site that his password was too long.

(Ars Technica)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.