This week’s Cyber Security Headlines – Week in Review, August 7-11, is hosted by Rich Stroffolino with guest, Michael Woods, CISO, GE
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Be sure to check out the 2023 Director’s Handbook on Cyber-Risk Oversight, to which Mike Woods is a contributor. It includes a toolkit on ransomware readiness.
Microsoft resolves vulnerability following criticism from Tenable CEO
Microsoft has resolved a vulnerability that allowed threat actors to gain access to information managed by Azure AD. Concerns about the issue burst into public view this week when Amit Yoran, the CEO of cybersecurity firm Tenable, published a scathing LinkedIn post bashing the tech giant for its handling of the vulnerability. A researcher at Tenable discovered the issue on March 30, and Microsoft apparently waited months to get back to Tenable before claiming the issue was fixed on July 6. Tenable checked the fix and discovered that it was incomplete and that the issue was still exploitable. The full account of this exchange plus a link to Amit Yoran’s LinkedIn post is available in the shownotes to this episode.
(The Record and LinkedIn)
Tampa General Hospital sued over data breach
Law firm Morgan & Morgan has lodged a class-action lawsuit against Tampa General Hospital on behalf of three victims affected by a significant data breach. Between May 12 and May 30, 2023, cyber-criminals infiltrated Tampa General Hospital’s computer system, pilfering PII and HIPAA data belonging to approximately 1.2 million patients. The plaintiffs contend that Tampa General Hospital not only failed to secure their personal and medical data adequately but also exacerbated the situation by delaying the notification of victims until July 19—over two months after the initial breach.
Banks hit with over $500 million in fines for using out-of-band chat apps
On Tuesday, US regulators announced a combined $549 million in penalties against Wells Fargo and a raft of smaller or non-US firms that failed to maintain electronic records of employee communications. The Securities and Exchange Commission (SEC) issued fines totaling $289 million against 11 firms that it says admitted using side channels like WhatsApp to discuss company business dating back to 2019, thereby violating federal securities laws by failing to preserve records. The Commodity Futures Trading Commission doled out an additional $260 million worth of fines to four banks for similar records violations. These actions follow similar settlements totaling more than $2 billion with bigger players including JPMorgan Chase, Goldman Sachs, Morgan Stanley and Citigroup.
(NBC News)
75% of organizations set to ban generative AI
According to the results of a global survey released by BlackBerry Limited on Tuesday, 75% of organizations worldwide are currently implementing or considering bans on ChatGPT and other Generative AI applications. 61% of those respondents said the measures are intended as long-term or permanent, pointing to risks to data security, privacy, and corporate reputation as driving their decisions. Despite their inclination towards outright bans, the majority also recognize the opportunity for Generative AI apps to increase efficiency (55%) and innovation (52%), and enhance creativity (51%). When it comes to using Generative AI tools for cybersecurity defense, the majority of respondents (81%) remained in favor, suggesting that IT decision makers don’t want to be caught flat-footed and give cyber criminals the upper hand.
Zoom will train AI on customer data
Zoom updated its terms of service on July 27th. In the fine print, Zoom clarified that it holds the right to use some customer “service-generated data” for training and optimizing its various machine learning models. This will include product usage, telemetry and diagnostic data. Zoom said that training on voice, video, or chat data would be done only for users that chose to turn on trials of AI tools, with a transparent consent process. The company will use the data for internal service improvements, saying it will not sell it to third parties.
(CNBC)
Thanks to today’s episode sponsor, Conveyor

It auto-generates precise, accurate answers to entire questionnaires with accuracy far superior to existing tools on the market. It’s so accurate, your customers can now use it in our new ‘upload questions to trust portal’ feature. It’s exactly as it sounds. Customers can upload questions and the AI will generate instant answers based on your trust portal content.
Try a free proof of concept with your own data and see why top SaaS companies are making the switch from outdated RFP software and other portal solutions.
Learn more at www.conveyor.com.
New Downfall CPU attacks steal sensitive data
Google researcher Daniel Moghimi has devised new CPU attacks to exploit a side-channel vulnerability, dubbed “Downfall,” that affects multiple Intel microprocessor families (Skylake through Ice Lake). Moghimi was able to exploit the flaw (CVE-2022-40982) to steal AES 128-bit and 256-bit cryptographic keys and other sensitive info protected by Intel’s hardware-based memory encryption mechanism called Software Guard eXtensions (SGX). Downfall attacks require an attacker to be on the same physical processor core as the victim; however, locally installed malware could also potentially exploit the flaw. Details about the vulnerability were kept private for almost a year to allow original equipment manufacturers (OEMs) and communication service providers (CSPs) time to develop a microcode update, which is now available to mitigate the issue. However, fully eliminating the risk of Downfall attacks requires a complete hardware redesign. Intel downplayed the issue, saying that “trying to exploit this outside of a controlled lab environment would be a complex undertaking.” Moghimi has released exploit details and is scheduled to discuss the attack this week at the Black Hat security conference.
Attackers use EvilProxy phishing kit to take over executives’ Microsoft 365 accounts
Proofpoint, which released a report on the incidents on Wednesday, said the attacks exhibited both the prevalence of pre-packaged phishing-as-a-service toolkits and the increased bypassing of multi-factor authentication to gain access to accounts. In all, Proofpoint observed the targeting of more than 100 organizations with EvilProxy, with 35% of the compromised accounts being MFA-enabled. More than one-third of the accounts belonged to C-level executives, including CEOs and chief financial officers.





