Happy week 27!
This week we're covering a critical OpenSSH vulnerability allowing remote code execution, a new AI jailbreak technique called Skeleton Key, the need for regulatory action in cybersecurity, practical tips for landing a cybersecurity job, Rapid7's acquisition of Noetic Cyber, and a useful process filtering tool for Windows environments.
OpenSSH Vulnerability CVE-2024-6387 Allows Remote Code Execution as Root
- Qualys Threat Research Unit (TRU) discovered a Remote Unauthenticated Code Execution (RCE) vulnerability CVE-2024-6387 in OpenSSH's server (sshd) on glibc-based Linux systems.
- The vulnerability, a signal handler race condition in sshd, affects over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet and allows unauthenticated RCE as root.
- The vulnerability is a regression of the previously patched CVE-2006-5051, reintroduced in OpenSSH 8.5p1 in October 2020, highlighting the need for thorough regression testing.
OpenAI Hacker Breached Employee Forum, Stole AI Tech Details
- The New York Times reports that a hacker breached an OpenAI employee discussion forum in early 2022, stealing sensitive information about the company's latest AI models.
- OpenAI informed employees and the board of directors about the breach in April 2023 but decided against sharing the news publicly or with law enforcement, as customer information was not compromised.
- Some OpenAI employees expressed concerns about the potential for foreign adversaries, particularly from China, to steal AI secrets, posing a threat to U.S. national security.
Twilio Confirms Data Breach Exposing 33 Million Authy Phone Numbers
- Twilio has confirmed a data breach after the ShinyHunters hackers leaked 33 million phone numbers associated with the Authy two-factor authentication app.
- The leaked data also included account IDs and some other non-personal information related to Authy users, but Twilio found no evidence of hackers accessing their systems or obtaining other sensitive data.
- While Authy accounts remain secure, Twilio urges users to install the latest security updates and stay vigilant against potential phishing and smishing attacks using the exposed phone numbers.
SnailLoad Attack Exploits Network Bottlenecks to Infer User Activity
- Researchers from Graz University of Technology have discovered a new side-channel attack called SnailLoad that can remotely infer a user's web activity by exploiting network latency.
- The attack involves tricking the target into loading an asset from an attacker-controlled server, which then measures the victim's network connection latency to determine online activities with up to 98% accuracy for videos and 63% for websites.
- Mitigating SnailLoad is challenging as it exploits the inherent bandwidth differences between backbone and end-user connections, requiring further research to find satisfactory solutions.
Researcher Discovers Bug Allowing Websites to Fill Vision Pro User's Room with 3D Objects
- Security researcher Ryan Pickren found a bug in visionOS Safari (CVE-2024-27812) that lets malicious websites bypass warnings and spawn many animated 3D objects in the user's room without permission.
- The bug exploits the old Apple AR Kit Quick Look feature in WebKit, which lacks the same permission model as the newer WebXR standard, allowing programmatic launching of .reality files.
- Apple seemed to misclassify the bug, focusing on potential system crashes rather than the psychological impact of unsettling 3D objects invading the user's personal space, highlighting challenges in threat modeling for mixed reality.
Skeleton Key: New AI Jailbreak Technique Bypasses Guardrails
- Mark Russinovich, CTO of Microsoft Azure, reveals details about a new type of AI jailbreak technique called Skeleton Key that can circumvent responsible AI guardrails in multiple generative AI models.
- Skeleton Key works by asking the model to augment its behavior guidelines, convincing it to respond to any request and provide a warning if the output might be considered offensive, harmful, or illegal, effectively bypassing the model's original responsible AI guidelines.
- Microsoft has implemented several approaches to mitigate Skeleton Key attacks, including input filtering using Azure AI Content Safety, prompt engineering system messages, output filtering, and abuse monitoring, and has updated its AI offerings like Copilot to address this issue.
Rabbit Data Breach Exposes All R1 Responses, API Keys Remain Unchanged
- According to xyzeva from the Rabbitude team, they gained access to the Rabbit codebase on May 16, 2024, and discovered several critical hardcoded API keys that allow anyone to access and manipulate all R1 responses, including those containing personal information.
- The exposed API keys belong to services such as ElevenLabs for text-to-speech, Azure for speech-to-text, Yelp for review lookups, and Google Maps for location lookups, with the ElevenLabs key granting full privileges to alter voices, add custom text replacements, and potentially render R1 devices useless.
- Despite being aware of the leaked API keys for a month, Rabbit has chosen not to take action and rotate the keys, raising concerns about the company's security practices and the potential consequences for R1 users.
OpenAI Patches ChatGPT macOS App Vulnerability
- Pedro José Pereira Vieito demonstrated that the ChatGPT macOS app stored chats in plain text, allowing potential bad actors to easily access conversation data.
- OpenAI released an update that encrypts the chats, addressing the security issue.
- The researcher discovered the vulnerability by investigating why OpenAI opted out of using app sandbox protections, as the ChatGPT macOS app is only available through OpenAI's website and not subject to Apple's Mac App Store requirements.
Cybersecurity Market Failure Requires Regulatory Action to Drive Change
- Chris Hughes argues that the cybersecurity industry has tolerated insecure products and insufficient security measures for decades, leading to a market failure that won't fix itself voluntarily.
- The National Cybersecurity Strategy (NCS) recognizes that market forces alone have been insufficient to drive best practices related to security and resilience, and emphasizes the need to shape market forces through regulatory action.
- The NCS strategic objective 3.3 aims to shift liability for insecure software products and services, which could help drive systemic change by establishing reasonable precautions and escalating the material impact of regulatory actions on organizations.
CISOs Seek Personal Protection Amid Increased Liability Risks
- Charles Blauner, former banking CISO and cybersecurity advisor, recommends CISOs review governance documents to ensure clarity on roles and responsibilities, especially around risk management decisions.
- David Cross, CISO for Oracle SaaS Cloud, emphasizes the importance of using a RACI matrix to define roles and responsibilities across the CISO's key partners and executives, and documenting everything from policies to meeting notes.
- Joe Sullivan, former Uber CISO, advises CISOs to secure personal insurance coverage for legal costs during litigation and to establish independent counsel as one of the most important protections in today's regulatory climate.
Nathan Case Argues There Is No Such Thing as Security on Cyber Ranch Podcast
- On a recent episode of The Cyber Ranch Podcast, Allan Alford and Nathan Case discuss cybersecurity leadership, qualities and measurability. Nathan Case boldly stated that "there is no such thing as security" and provided compelling analysis to back up his claim.
- Case argues that security is really about judging risk and managing the unmanageable, rather than achieving a specific end state or set of metrics.
- He poses thought-provoking questions about how our feelings about risk management results relate to our sense of security, and how acknowledging what we don't know factors in.
Redditor Shares Tips for Landing a Cybersecurity Job
- A software engineer who recently transitioned to an information security engineer role shares valuable insights and tips for those seeking a career in cybersecurity.
- Key advice includes targeting a specific area of cybersecurity that aligns with your interests and skills, obtaining relevant certifications such as Security+, CEH, and CEH Practical, and having your resume reviewed for grammar and spelling errors.
- Networking on LinkedIn, preparing for both technical and behavioral interview questions, and maintaining persistence are also emphasized as crucial factors in successfully landing a cybersecurity job in the current competitive market.
Acing the Cyber Security Job Interview: Insights from a Recruiting Expert
- Stephen Semmelroth, a military veteran and recruiting division lead at StrataCore, shares tips and real-life experiences on how to ace the cyber security job interview. He emphasizes the importance of alignment between personal goals and company needs, tailoring resumes and responses accordingly.
- When interviewing with non-technical staff, Semmelroth advises framing technical abilities in terms of driving business outcomes. He also recommends using OSINT skills to research the company's reasons for filling the position and being decisive about the role you want.
- Semmelroth highlights the impact of appearance in virtual interviews, the benefits of finding an internal referral, and the reasons why candidates fail interviews. He provides insights into the hiring systems used by employers and shares examples of successful cyber security candidates.
Cybersecurity Job Interview Tips Shared in 7-Video YouTube Playlist
- Jon Good, a cybersecurity content creator, has released a 7-video YouTube playlist focused on preparing for cybersecurity job interviews.
- The videos cover key topics such as essential interview questions, overcoming job rejection, ChatGPT tips for entry-level interviews, discounted training resources, and strategies to land more interviews.
- Good provides actionable advice for aspiring and current cybersecurity professionals looking to advance their careers.
Rapid7 to Acquire CAASM Startup Noetic Cyber
- Rapid7 announced it has reached a deal to acquire Noetic Cyber, a startup focused on cyber asset attack surface management (CAASM), for undisclosed terms.
- The acquisition will provide Rapid7 with more comprehensive visibility of customers' environments, including both internal and external assets, on-premise and in the cloud.
- The deal comes amid reported pressure from activist investor Jana Partners, which has obtained a major stake in Rapid7 with the goal of forcing the vendor to be taken private via acquisition by private equity.
OT Cybersecurity Market to Reach $21.6 Billion by 2028
- ABI Research forecasts the OT cybersecurity market will grow from $12.75 billion in 2023 to $21.6 billion by 2028, with a CAGR of 9.2%, driven by increasing digitization and smart manufacturing trends in industrial operations.
- Network security and segmentation technologies are expected to experience the most growth, followed by identity and access management and end-point protection, as they play a central role in securing OT traffic and providing cost-effective partitioning.
- Despite recent macroeconomic pressures, rapid digitization and escalating geopolitical tensions have contributed to increased spending and market revenues, especially in sectors most prone to cyberattacks, such as oil and gas, utilities, mining, and manufacturing.
Proton Launches Privacy-Focused Google Docs and Microsoft Word Alternative
- Proton AG, a Swiss privacy technology company, has launched Docs in Proton Drive, a new word processing tool and document editor that prioritizes user privacy and rejects AI assistance.
- Docs in Proton Drive offers similar features to Google Docs, such as real-time collaboration and file importing/exporting, but stands out with its end-to-end encryption of files, keystrokes, and cursor movements, ensuring that only users have access to the encryption keys.
- Despite its strong privacy features, Docs in Proton Drive currently struggles with formatting issues when importing existing documents, and the company has committed to not integrating AI into its products, which may limit its appeal to organizations that prioritize convenience over privacy.
ProcFilter
ProcFilter is a process filtering system for Windows with built-in YARA integration, designed for malware analysts to create YARA signatures for Windows environments.
VERIS Community Database
A comprehensive and unrestricted dataset of security incidents for research and decision-making.
HoneyDB
HoneyDB is a honeypot-based threat intelligence platform that provides real-time insights into attacker behavior and malicious activity on networks.
If you found this newsletter useful, I'd really appreciate it if you could forward it to your friends and share your feedback below!
Have questions? Let me know in the comments or on LinkedIn and X.
Best,
Nikoloz