Cyber Security Headlines Week in Review: UK Health data shared, SSH keys vulnerable, Microsoft Copilot

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Jay Wilson, CISO, Insurity

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

UK health data donated for medical research shared with insurance companies

Despite a pledge that this would not happen, an investigation conducted by The Observer showed that “UK Biobank opened up its vast biomedical database to insurance sector firms several times between 2020 and 2023.” This data was provided to help “create digital tools that help insurers predict a person’s risk of getting a chronic disease.” The Observer points out that in 2002 Biobank promised that data would not be shared with insurance companies, but last weekend Biobank stated that the pledge, made repeatedly over four years, no longer applied. It said, “the commitment had been made before recruitment formally began in 2007 and that when Biobank volunteers enrolled, they were given revised information,” and that the commitment referred to identifiable information like a person’s name.

(The Guardian)

Experian takes a pass on identity protection

Last year, security researcher Brian Krebs reported on a flaw at the credit bureau Experian that could allow anyone to re-register an existing account under a different email address. This could be done without any prior notice or authentication using existing credentials, and it let an attacker change account information or unfreeze credit. Flash forward to today, and Krebs found the issue has not been fixed: someone registered his account under a different email address, and Krebs was able to reestablish access using the same flaw. Experian allows a password reset using any phone number and a person’s social security number, along with publicly available information like past addresses. While Experian does send a notice to the old email address that information has changed, it does not seek any verification. Equifax and TransUnion require email verification before accepting any changes.

(Krebs on Security)

SSH connection keys vulnerable to attacks

Researchers at the University of California San Diego published a report demonstrating that many cryptographic keys used in SSH traffic can be completely compromised because of computational errors made while signing during the connection handshake. This impacts keys using the RSA algorithm, which appears in about a third of SSH signatures. A faulty signature exposes the host’s private key in roughly one in a million observed instances. This opens the door to obtaining a private key through purely passive observation of traffic.

(Ars Technica)
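As an added illustration (not code from the episode or from the UCSD paper), the following toy Python model shows why a single computational error in RSA-CRT signing produces a signature that is correct modulo one prime only, and the countermeasure this finding motivates: a host verifies every signature before releasing it. The key and message are constructed here and are far too small for real use.

```python
import hashlib
from math import gcd

# Constructed toy RSA key: two well-known primes, far too small for real use.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def digest(msg: bytes) -> int:
    """Reduce a message to an integer below N (toy stand-in for PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA-CRT signing; fault=True simulates one computational error in the mod-p half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp = (sp + 1) % P  # glitch: the mod-p half is wrong, the mod-q half stays correct
    h = (QINV * (sp - sq)) % P
    return sq + h * Q      # Garner recombination


def verify(m: int, s: int) -> bool:
    """Public-key check: a correct signature satisfies s^e == m (mod N)."""
    return pow(s, E, N) == m


def sign_checked(m: int, fault: bool = False):
    """Countermeasure: verify before release, returning None instead of a faulty signature."""
    s = sign_crt(m, fault)
    return s if verify(m, s) else None


def factor_from_faulty_signature(m: int, s: int) -> int:
    """Why the check matters: s^e - m is divisible by the prime whose half was computed
    correctly, so gcd(s^e - m, N) reveals that prime (and hence the private key).
    For a valid signature the gcd is simply N, i.e. nothing leaks."""
    return gcd((pow(s, E, N) - m) % N, N)
```

A passive observer of SSH traffic sees only `s`, `E`, `N` and the signed transcript, which is exactly the input `factor_from_faulty_signature` needs; a host that only emits checked signatures never gives it one.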

Thanks to today’s episode sponsor, Sysdig

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

House chairman wants to overturn new SEC rules

New legislation proposed by Representative Andrew Garbarino, chairman of the House subcommittee on cybersecurity, would block implementation of the new rules from the Securities and Exchange Commission requiring companies to disclose “material” incidents. Garbarino argued that CISA, rather than the SEC, should lead reporting efforts, and that a Congressionally approved reporting rule will come into effect in 2024. The SEC has argued the rules inform investors of critical cybersecurity issues.

(The Record)

Intel fixes high-severity CPU bug that causes “very strange behavior”

On Tuesday, Intel pushed fixes for a high-severity CPU bug (CVE-2023-23583) that affects virtually all modern Intel CPUs, causing them to “enter a glitch state.” Google identified the issue, which can result in system crashes and privilege escalation even when the untrusted code runs under a guest account inside a virtual machine. Most cloud security models were assumed to be safe from such faults. Intel’s official bulletin lists two classes of affected products: those already fixed and those fixed by Tuesday’s microcode updates.

(Ars Technica)

Generative AI threatens to dismantle terrorist content detection

With that last story in mind, Wired spoke with Tech Against Terrorism executive director Adam Hadley about how generative AI systems could be used to thwart existing controls around terrorist content. These controls have relied on hash-matching systems shared across tech platforms. However, Hadley’s organization now sees roughly 5,000 pieces of AI-generated or AI-altered terrorist content a week that evade these hashes. The organization also warned that high-quality AI translation could let content be quickly shared across regions with more personalized messaging. Hadley said the organization is working with Microsoft to use its trove of terrorist content to build a system that preemptively looks for newly generated content using that dataset.

(Wired)

New research reveals software vulnerabilities are on the decline

On Tuesday, Synopsys, Inc. published the 2023 Software Vulnerability Snapshot report, which reveals that the share of tests uncovering known software vulnerabilities has dropped from 97% in 2020 to 83% in 2022. Only 27% of tests contained high-severity vulnerabilities, and 6.2% contained critical-severity vulnerabilities. This is an encouraging sign that code reviews, automated testing and continuous integration are helping to reduce common programming errors. Report data was derived from applying real-world hacking techniques (penetration testing, dynamic application security testing (DAST), mobile application security testing (MAST) and network security testing) to web applications, mobile applications, network systems and source code. Although this is a positive development for the industry, the report highlights that a single security testing solution is no longer sufficient for identifying software vulnerabilities.

(Dark Reading)

Programmers leaving authentication creds in publicly accessible software code

Security researcher Tom Forbes and the GitGuardian team found almost 4,000 secrets hidden inside 450,000 projects submitted to the Python package repository PyPI. Many of these secrets have already been leaked. Although 4,000 is just one percent of the projects, the report points out that once committed, these secrets tend to be carried forward into multiple releases. The secrets included Azure Active Directory API keys, GitHub OAuth app keys, database credentials for providers such as MongoDB, MySQL, and PostgreSQL, Dropbox keys and more. A link to the GitGuardian report is available in the show notes for this episode.

(GitGuardian)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.