The first three stories in our monthly CISOs roundup (first published in our CrowdSecWisdom newsletter) are all related to risks posed by society’s hyper-reliance on relatively few digital systems.
First, there’s the Securities and Exchange Commission (SEC) lawsuit brought against SolarWinds and its CISO in relation to the Sunburst cyber-attack. The far-reaching impact of that 2020 incident shows why security failures are increasingly treated with similar seriousness to, say, health and safety scandals.
The Sunburst attack, to remind readers, was a highly sophisticated software supply chain attack that resulted in the compromise of 18,000 customers, including Cisco, Microsoft and the US government, via a vulnerability in a SolarWinds component.
“CISOs have little reason to celebrate” the dismissal recently of all but one of the charges brought against the Texas-based firm over the incident, according to CSO Online. That’s because the remaining charge – securities fraud – is the most serious.
Reassuringly for CISOs, Brian Levine, a former federal prosecutor, told CSO Online that the SEC was unaccustomed to having its charges thrown out, and speculated that they might be more circumspect about launching similar lawsuits in future. Given the remaining charge relates to security claims made prior to the attack, he also suggested CISOs should think twice about making public statements about their security, especially when “you don’t get much credit for making them” anyway.
“Your device ran into a problem”
Meanwhile, in the InfoSec world beyond YesWeHack, the CrowdStrike incident was not technically a security failure, but the worst-ever global IT outage involves a security vendor and offers salutary lessons about a security fundamental: risk mitigation.
First, to return to our central thread, there's the risk of everyone, everywhere relying on the same few applications for critical functions. CrowdStrike itself accounts for 24% of the endpoint protection market. Ironically, a CrowdStrike executive recently warned (before the outage) of the risk of using a “single provider for operating system, cloud, productivity, email, chat, collaboration, video conferencing, browser, identity, generative AI, and increasingly security as well”.
Responding to the crisis that erupted last month, Kevin Beaumont, a well-regarded security researcher, wrote that “CrowdStrike overall reacted really well”, but said “the incident highlights a bunch of wider concerns”.
In a blog post about the incident, Beaumont advised organisations to demand that their vendors: “Provide more transparency about how endpoint security updates are tested and rolled back”; disclose “potentially risky interactions with the Windows kernel, and develop a roadmap to safer drivers”; be more transparent about their own security; “disclose, in advance, if they are subject to national security laws” that could compel them to “allow access to customer data”; and publish a post-mortem for bad updates “with full transparency explaining what happened, why it happened, and steps taken to remediate”. 🧐
Failing that, the improvisation of handwritten boarding passes at least showed there is a viable, analogue Plan B to ensure (partial) business continuity during digital meltdowns (always have a pen to hand!).
LLM Kryptonite
Many experts are also concerned at the pace at which Large Language Models (LLMs) are being built into applications performing all manner of tasks. In light of their growing ubiquity, it’s alarming that a tech expert managed to induce “every chatbot I could access” – with the sole exception of Anthropic's Claude 3 Sonnet – into descending into a “babble-like madness” with a prompt that he dubbed “LLM kryptonite”. 🤪
Like Monty Python’s lethal joke (see video below), his prompt was too dangerous to expose to prying eyes. And yet, Mark Pesce, a VR innovator and ex-Apple engineer, encountered “an almost complete lack of bug reporting infrastructure from the LLM providers”, according to a piece he published in The Register in May.
In a recent follow-up, Pesce said Microsoft had deemed that the bug “does not meet the definition of a security vulnerability”, and noted how some LLM vendors apparently failed to acknowledge issues while surreptitiously deploying “behind-the-scenes patches”.
Cyber attacks
Sonar, purveyor of high quality web security research, has recently recommended giving charset information when serving HTML documents to reduce the risk of XXS bugs, and detailed four unpatched vulnerabilities in Gogs, a popular open-source solution for hosting and managing source code, together with advice on protecting instances.
Other notable writeups includes a Phylum analysis of North Korean threat actors attacking the npm ecosystem, and an Evasec investigation of vulnerabilities in the CocoaPods dependency manager that allows malicious actors to claim ownership of thousands of unclaimed pods and insert malicious code into numerous popular iOS/MacOS applications.
Novel attack techniques that combine vulnerabilities found in dozens of email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organisations, according to Dark Reading. 🦹 The publication has previewed the research ahead of its presentation at Black Hat USA next week.
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.