Another Computer Security PSA

sgt_zim

By "computer" I also mean smart phones, because that's what they are - computers that can also easily be used as telephones.

We have noticed quite the uptick in reported 0-day vulnerabilities (unknown vulnerabilities) over the last 10 months or so. Our thinking when AI first started being a thing was that it would probably take maybe 3 years for the bad guys to start weaponizing AI. Bad news. It didn't take them 3 years.

No operating system is safe. Even software developers who are very good at what they do and are very conscientious about security make a lot of security mistakes. Most software developers aren't that good. There are actually software tools called SAST and DAST that scan and test code for vulnerabilities. I look through the reports generated by these tools for our developers with some regularity. I won't say the reports are all horrible, but there's a reason we renew licensing for them both every year.

The bad guys are going to use AI to discover vulnerabilities that have likely existed for years that nobody ever knew about. In a recent test, some researchers spun up some bots with AI to do just this, and about 50% of their testing found 0-day vulns. Keep in mind, they're still fairly primitive with the AI-based attacks, but they will get more sophisticated with it.

Finding a 0-day prior to AI was painstaking work, and only the guys who were *really* good at super-nerdery were capable of it. We're talking people who are capable of PhD level math or computer science, even if they were not degreed. AI has changed that. I can copy what these guys have done, but coming up with an original, 0-day attack...I just don't pack the gear to be able to do that.

I said all that to say this: patching has become more important than ever. Folks on Win XP/Vista/7/8/8.1 need new computers with Win 11 (and I hate Win 11, I won't be upgrading to it from 10, but I'm a nerd and have other options).
 
Are there any obvious signs to indicate a 0-day, AI attack on a computer or device? Thank you for this post.
No different than any other attack.

A 0-day is just a novel, never-before-seen attack on some vulnerability nobody but the attacker(s) knew about.

Patching fixes known problems. Of course, the OS vendors (MS, Apple, all the Linux distros) can't offer patches for vulnerabilities they didn't know about.
 
This might be a dumb question, but would an encryption service help me keep more of my information protected?
 
From ransomware? No. Ransomware will encrypt what you've already encrypted, but it'll use a different key to do the encrypting, a key that you'd have to pay for to decrypt what the ransomware encrypted. Encrypting your important documents isn't a bad idea. It won't keep them from being re-encrypted by ransomware, but as long as your private key is safe and secure, at least the bad guys won't be able to obtain valuable info from it if they steal it.

Suppose you had a 1 cubic foot strongbox with your important docs in it, with a nice padlock on it. Then imagine somebody grabs your strongbox and puts it in a 2 cubic foot strongbox with their own padlock on it. If you want to get to your strongbox, you're going to need the key to get into the other strongbox first.

BitDefender has pretty good ransomware protection. Most AV does these days.
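The strongbox-inside-a-strongbox situation from the post, as an added example that is not part of the original thread: the owner encrypts a document, ransomware encrypts the result again with its own key, and the script shows what each side can recover. The cipher is a toy stream cipher built from an HMAC-SHA256 keystream so the script runs on the standard library alone; it is constructed for illustration only, not for protecting real data (use AES-GCM from a vetted library for that). The document, keys and function names are all assumptions made for the example.

```python
"""Added example (not from the post): the 'strongbox inside a strongbox'.

A toy stream cipher built from an HMAC-SHA256 keystream stands in for a real
cipher so the script runs with the standard library only. It is constructed
for illustration, not for protecting real data; use AES-GCM from a vetted
library for that. The document and keys below are made up.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce, XOR with the keystream; the nonce is prepended."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt. With the wrong key this yields garbage, not an error."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def ransomware_over_encrypted_file(document: bytes) -> dict:
    """Owner encrypts a document; ransomware then encrypts the result again.

    Returns what each party can recover, so the layering is visible.
    """
    owner_key = secrets.token_bytes(32)   # owner's padlock, kept safe offline
    ransom_key = secrets.token_bytes(32)  # attacker's padlock, sold back for a fee

    inner = encrypt(owner_key, document)  # the owner's 1 cubic foot strongbox
    outer = encrypt(ransom_key, inner)    # the attacker's 2 cubic foot box around it

    return {
        # Attacker steals `outer` and holds ransom_key: peels its own layer off
        # and is left with the owner's ciphertext, not the document.
        "attacker_sees": decrypt(ransom_key, outer),
        # Owner tries the only key they have against the wrapped file: garbage.
        "owner_without_ransom_key": decrypt(owner_key, outer),
        # Recovery order matters: the outer padlock first, then the owner's.
        "recovered_with_both_keys": decrypt(owner_key, decrypt(ransom_key, outer)),
        "inner_ciphertext": inner,
    }


if __name__ == "__main__":
    doc = b"Account 4417-2231, PIN 6789, beneficiary: J. Doe"  # constructed sample
    r = ransomware_over_encrypted_file(doc)
    print("attacker recovers document:", r["attacker_sees"] == doc)
    print("owner alone recovers document:", r["owner_without_ransom_key"] == doc)
    print("both keys recover document:", r["recovered_with_both_keys"] == doc)
```

The two failure cases are deterministic: the attacker's view is the owner's ciphertext (longer than the document by one nonce), and the owner's attempt with the wrong key against the outer layer is keystream noise. Only the ordered pair of keys gets the document back, which is exactly why an offline copy of the owner's key protects confidentiality but not availability.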
 
Zim, has anybody started red teaming their own software with AI bots to find vulnerabilities prior to version release? Or is everyone just using manual red teaming, patching stuff and waiting for attacks to identify vulnerabilities?
 
One thing to help you guys understand this a little better.

Operating systems are made up of tens of thousands of executable programs (in Windows, they will end with either .exe or .dll for the most part); or they might be PowerShell scripts (ending with .ps1).

Most attacks look for a way for the attacker to escalate their privileges, either to administrator or (even worse) SYSTEM or (worst of all) at the UEFI/hardware layer. A 0-day attack just found a new vulnerability in one of those EXEs or DLLs, a vuln that allows them to escalate privilege.

Every known attack (there are millions of them by now) was at one time in the past a 0-day attack.
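An added example, not from the post: the post explains that escalation usually means subverting one of the OS's own .exe, .dll or .ps1 files. Before an attacker needs a 0-day in such a file, the cheaper version of the same escalation is a file that a low-privilege user can simply overwrite, so a higher-privileged process then runs attacker-controlled code. This script goes slightly beyond the post's 0-day case to that tampering case: it audits a directory tree for those three file types and flags any whose mode bits grant write access to the group or to everyone. The sample tree, file names and modes are constructed in a temp directory for the demonstration; the check uses POSIX mode bits, which is a rough proxy on NTFS, where the ACL is what actually decides.

```python
"""Added example (not from the post): audit an executable tree for files a
low-privilege user could overwrite. The sample tree is constructed in a temp
directory; the checks use POSIX mode bits, which is a rough proxy on NTFS,
where the ACL is what actually matters.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# The executable types the post names: native binaries and PowerShell scripts.
EXEC_SUFFIXES = {".exe", ".dll", ".ps1"}


def find_tamperable_executables(root: str) -> list[str]:
    """Return sorted paths under root that have an executable suffix and whose
    mode bits grant write access to the group or to everyone."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXEC_SUFFIXES:
            continue
        mode = path.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append(str(path))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample files (not real system binaries) with varied modes."""
    root = tempfile.mkdtemp(prefix="exe-audit-")
    samples = {
        "svchost.exe": 0o644,  # owner-only write: leave alone
        "helper.dll": 0o666,   # anyone can replace it: flag
        "deploy.ps1": 0o777,   # anyone can edit it: flag
        "readme.txt": 0o666,   # writable, but not a loadable type: ignore
    }
    for name, mode in samples.items():
        p = Path(root, "bin", name)
        p.parent.mkdir(parents=True, exist_ok=True)
        body = b"MZ placeholder" if name.endswith((".exe", ".dll")) else b"Write-Host hi"
        p.write_bytes(body)
        os.chmod(p, mode)
    return root


def audit_demo() -> list[str]:
    """Build the sample tree, audit it, and return the flagged file names."""
    hits = find_tamperable_executables(build_demo_tree())
    return [os.path.basename(h) for h in hits]


if __name__ == "__main__":
    for name in audit_demo():
        print("tamperable:", name)
```

Point it at a real directory with `find_tamperable_executables("/path/to/bin")`. On Windows the same question is answered by inspecting the ACL for write or full-control entries granted to Users or Everyone, not by mode bits.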
 
We're behind the curve on that kind of red teaming. We don't have the bandwidth to catch up without bringing in new bodies, and we have about 25 people on the security team. Likely we'll farm that out to a third-party vendor like Trace3 or similar.

I can't reveal what's in our security stack, but we probably manage about 30 different kinds of security tools. I'm the SME for 5 of them: WAF (because I'm the only guy who can write regex and have web dev experience), endpoint zero trust, DAST, identity threat detection, and API security. Three of those are on my plate because I used to be a web application developer and my learning curve for configuring them was a lot shorter. We only have 1 other guy on the team with any dev experience at all, and he is a robotics/ICS/SCADA developer, not web apps.

Security guys with actual dev experience are expensive. I'm paid above what my actual paygrade says I should be paid.
 
This might be a dumb question, but would an encryption service help me keep more of my information protected?
The data stored on your computer is most likely already encrypted (e.g. BitLocker), and most communication in and out of it also is, e.g. HTTPS. So your data is fairly safe if your computer is stolen, or if someone were to eavesdrop on your network comms.

But many attacks will happen because you are being tricked into clicking a link, running some script, opening an attachment etc. And at that point those protection mechanisms do not really work anymore - since you yourself unlocked the computer by logging in. Any malicious script that you inadvertently run will do so "in your name", and you (of course) have access to your own data.

We have all been told not to click those links in random emails/text messages etc. from unknown senders, and this is another area where AI tools can help an attacker, by making more deceptive approaches to fool people into doing what they should not.

Today it is quite possible to generate audio/video clips that sound and look like your boss, given that the attacker has a small sample of real data (photos/recordings). So if you have a voicemail from your boss instructing you to do some interesting stuff, like transferring money, adding new admin accounts, disabling some security mechanism, resetting a password etc., it might be a good idea to verify the authenticity of that request through another channel.
 
It's getting worse.

A couple weeks ago, a zero-click vulnerability was disclosed for older versions of MS Outlook (2013, 2016, and 2019, I think). For a zero-click vulnerability, all you have to do is open an email. This past weekend, I saw an article about a new zero-click for (an undisclosed version of) MS Outlook. Reading between the lines, it looks like it affects the M365 version of Outlook.

As far as BitLocker and the TPM...a number of vulns have been discovered on older TPMs. Better to have it enabled than not, but even it isn't an absolute protection.
 