Brief #18: Microsoft's 38TB Leak, Cisco's Splunk Acquisition

TL;DR

Misconfigured SAS Token: Microsoft's AI research team exposed 38TB of private data, including internal Microsoft Teams messages and disk backups of employees. The culprit was a misconfigured Shared Access Signature (SAS) token in Azure, which granted access to the entire storage account instead of specific files.
Risks in AI Development: The incident highlights the new security challenges as organizations increasingly rely on AI. Engineers and data scientists working with massive training data sets need to implement additional security checks and safeguards.
Arbitrary Code Execution: The exposed data was linked to a GitHub repository that provides AI models. These models use Python's pickle formatter, which is prone to arbitrary code execution. An attacker could have injected malicious code into the AI models.
Lack of Monitoring and Control: The SAS token mechanism lacks effective monitoring and control features. Once a highly permissive, non-expiring token is created, it's difficult for administrators to know it exists or to revoke it.

Strategic Move for AI-Enabled Security: Cisco's acquisition of Splunk aims to capitalize on AI-driven security and observability, marking a major shift towards software and services.
Financial and Operational Synergies: The deal is set to boost Cisco's revenue and gross margins. Splunk's CEO Gary Steele will join Cisco's executive team, adding valuable expertise in data analysis and security.
Regulatory and Market Response: While Cisco's shares dropped by 4%, Splunk's surged by 21%. The deal has raised some eyebrows regarding potential antitrust issues, but both companies are optimistic about clearing regulatory hurdles.
Recent Acquisitions and Future Outlook: This acquisition follows Cisco's recent purchases in the cybersecurity space, including Valtix and ArmorBlox. The deal is expected to close by Q3 2024, adding $4 billion in annual recurring revenue to Cisco.

CVE Details: Three zero-days were patched—CVE-2023-41991 affecting certificate validation, CVE-2023-41992 in the kernel for privilege escalation, and CVE-2023-41993 in WebKit for arbitrary code execution. These flaws were exploited in iOS, macOS, and Safari.
Attack Vector: The Predator spyware was delivered through network injection. When the target visited specific non-HTTPS websites, a device at the border of Vodafone Egypt's network redirected him to a malicious site, exploiting the zero-days.
Spyware Capabilities: Predator, made by Cytrox, is similar to NSO's Pegasus. It can surveil targets and harvest sensitive data. It was delivered via a sophisticated "adversary-in-the-middle" (AITM) attack, exploiting both SMS and WhatsApp.
Security Gaps: Despite Apple's patches, the telecom sector remains a weak link. The attack used Sandvine's PacketLogic middlebox for network injection, highlighting the need for stronger security measures in telecom infrastructure.

Master Password Length: LastPass is enforcing a 12-character minimum for master passwords. This is a change from their previous lax requirements, especially for legacy users. The company claims this aligns with industry standards, but the timing post-breach raises questions.
Crypto Heists Connection: Security experts have linked LastPass to a series of cryptocurrency heists totaling over $35 million. The commonality among victims is the use of LastPass for storing crypto seed phrases. This suggests that hackers may have successfully decrypted some of the stolen vaults.
Encryption Iterations: LastPass initially had a low number of encryption iterations for older accounts, making them easier to crack. Newer accounts had up to 600,000 iterations, making brute-force attacks more time-consuming. Legacy users were not upgraded, leaving them vulnerable.
Lack of Forced Upgrades: Despite the new password requirements, LastPass hasn't forcibly upgraded the security settings of accounts affected by the 2022 breach. Critics argue that this makes the new policy more of a PR move than a substantial security upgrade.

Expert Recruitment: OpenAI is actively recruiting cybersecurity and penetration experts for its Red Teaming Network. The goal is to rigorously evaluate and improve the safety of AI models like ChatGPT and GPT-4.
Diverse Skill Set: The company is seeking experts from various domains, including healthcare, economics, and computer science. This multi-disciplinary approach aims to cover all potential vulnerabilities.
Regulatory Pressure: The initiative comes as the U.S. Federal Trade Commission is investigating OpenAI's data collection and security practices. The company is under increased scrutiny regarding the safety and ethics of its AI models.
Compensation and NDAs: Participants in the Red Teaming Network will be compensated. However, they may be subject to nondisclosure agreements, limiting the public sharing of their findings.