Another Computer Security PSA

[sgt_zim]

By "computer" I also mean smart phones, because that's what they are - computers that can also easily be used as telephones.

We have noticed quite the uptick in reported 0-day vulnerabilities (unknown vulnerabilities) over the last 10 months or so. Our thinking when AI first started being a thing was that it would probably take maybe 3 years for the bad guys to start weaponizing AI. Bad news. It didn't take them 3 years.

No operating system is safe. Even software developers who are very good at what they do, are very conscientious about security, make a lot of security mistakes. Most software developers aren't that good. There are actually software tools called SAST and DAST that scan and test code for vulnerabilities. I look through the reports generated by these tools for our developers with some regularity. I won't say the reports are all horrible, but there's a reason we renew licensing for them both every year.

The bad guys are going to use AI to discover vulnerabilities that have likely existed for years that nobody ever knew about. In a recent test, some researchers spun up some bots with AI to do just this, and about 50% of their testing found 0-day vulns. Keep in mind, they're still fairly primitive with the AI-based attacks, but they will get more sophisticated with it.

Finding a 0-day prior to AI was painstaking work, and only the guys who were *really* good at super-nerdery were capable of it. We're talking people who are capable of PhD level math or computer science, even if they were not degreed. AI has changed that. I can copy what these guys have done, but coming up with an original, 0-day attack...I just don't pack the gear to be able to do that.

I said all that to say this: patching has become more important than ever. Folks on Win XP/Vista/7/8/8.1 need new computers with Win 11 (and I hate W 11, I won't be upgrading to it from 10, but I'm a nerd and have other options).

 

[Papa72]

Great info, but scarey….thanks! I supposed were all on borrowed time with AI.

 

[DillonG]

Are there any obvious signs to indicate a 0-day, AI attack on a computer or device? Thank you for this post.

By "computer" I also mean smart phones, because that's what they are - computers that can also easily be used as telephones.

We have noticed quite the uptick in reported 0-day vulnerabilities (unknown vulnerabilities) over the last 10 months or so. Our thinking when AI first started being a thing was that it would probably take maybe 3 years for the bad guys to start weaponizing AI. Bad news. It didn't take them 3 years.

No operating system is safe. Even software developers who are very good at what they do, are very conscientious about security, make a lot of security mistakes. Most software developers aren't that good. There are actually software tools called SAST and DAST that scan and test code for vulnerabilities. I look through the reports generated by these tools for our developers with some regularity. I won't say the reports are all horrible, but there's a reason we renew licensing for them both every year.

The bad guys are going to use AI to discover vulnerabilities that have likely existed for years that nobody ever knew about. In a recent test, some researchers spun up some bots with AI to do just this, and about 50% of their testing found 0-day vulns. Keep in mind, they're still fairly primitive with the AI-based attacks, but they will get more sophisticated with it.

Finding a 0-day prior to AI was painstaking work, and only the guys who were *really* good at super-nerdery were capable of it. We're talking people who are capable of PhD level math or computer science, even if they were not degreed. AI has changed that. I can copy what these guys have done, but coming up with an original, 0-day attack...I just don't pack the gear to be able to do that.

I said all that to say this: patching has become more important than ever. Folks on Win XP/Vista/7/8/8.1 need new computers with Win 11 (and I hate W 11, I won't be upgrading to it from 10, but I'm a nerd and have other options).

 

[sgt_zim]

Are there any obvious signs to indicate a 0-day, AI attack on a computer or device? Thank you for this post.

No different than any other attack.

A 0-day is just a novel, never-before-seen attack on some vulnerability nobody but the attacker(s) knew about.

Patching fixes known problems. Of course, the OS vendors (MS, Apple, all the Linux distros) can't offer patches for vulnerabilities they didn't know about.

 

[DillonG]

No different than any other attack.

A 0-day is just a novel, never-before-seen attack on some vulnerability nobody but the attacker(s) knew about.

Patching fixes known problems. Of course, the OS vendors (MS, Apple, all the Linux distros) can't offer patches for vulnerabilities they didn't know about.

This might be a dumb question, but would an encryption service help me keep more of my information protected?

 

[sgt_zim]

This might be a dumb question, but would an encryption service help me keep more of my information protected?

From ransomware? No. Ransomware will encrypt what you've already encrypted, but it'll use a different key to do the encrypting, a key that you'd have to pay for to decrypt what the ransomware encrypted. Encrypting your important documents isn't a bad idea. It won't keep them from being re-encrypted by ransomware, but as long as your private key is safe and secure, at least the bad guys won't be able to obtain valuable info from it if they steal it.

Suppose you had a 1 cubic foot strong box with your important docs in it, with a nice padlock on it. Then imagine somebody grabs your strongbox and puts it in a 2 cubic foot strongbox with their own padlock on it. If you want to get to your strongbox, you're going to need the key to get into the other strongbox first.

BitDefender has pretty good ransomware protection. Most AV does these days.

 

[DillonG]

Thank you for the information. Very appreciative to have you as a subject-matter expert on the forum.

 

[BourbonTrail]

Zim, has anybody started red teaming their own software with AI bots to find vulnerabilities prior to version release? Or is everyone just using manual red teaming, patching stuff and waiting for attacks to identify vulnerabilities?

 

[sgt_zim]

One thing to help you guys understand this a little better.

Operating systems are comprised of 10s of thousands of executable programs (in windows, they will end with either .exe or .dll for the most part); or they might be powershell scripts (end with .ps1).

Most attacks look for a way for the attacker to escalate their privileges, either to administrator or (even worse) SYSTEM or (worst of all) at the UEFI/hardware layer. A 0-day attack just found a new vulnerability in one of those EXEs or DLLs, a vuln that allows them to escalate privilege.

Every known attack (there are millions of them by now) was at one time in the past a 0-day attack.

 

[sgt_zim]

Zim, has anybody started red teaming their own software with AI bots to find vulnerabilities prior to version release? Or is everyone just using manual red teaming, patching stuff and waiting for attacks to identify vulnerabilities?

We're behind the curve on that kind of red teaming. We don't have the bandwidth to catch up without bringing in new bodies, and we have about 25 people on the security team. Likely we'll farm that out to a 3rd party vendor like Trace3 or similar.

I can't reveal what's in our security stack, but we probably manage about 30 different kinds of security tools. I'm the SME for 5 of them: WAF (because I'm the only guy who can write regex and have web dev experience), endpoint zero trust, DAST, identity threat detection, and API security. Three of those are on my plate because I used to be a web application developer and my learning curve for configuring them was a lot shorter. We only have 1 other guy on the team with any dev experience at all, and he is a robotics/ICS/SCADA developer, not web apps.

Security guys with actual dev experience are expensive. I'm paid above what my actual paygrade says I should be paid.

 

[cmk]

This might be a dumb question, but would an encryption service help me keep more of my information protected?

The data stored on your computer is most likely already encrypted (e.g. BitLocker), and most communication in and out of it also is, e.g. https. So your data is fairly safe if your computer is stolen, or if someone were to eavesdrop on your network comms.

But many attacks will happen because you are being tricked into clicking a link, running some script, opening an attachment etc. And at that point those protection mechanisms do not really work anymore - since you yourself unlocked the computer by logging in. Any malicious script that you inadvertently run, will do so "in your name", and you (of course) have access to your own data.

We have all been told to not click those links in random emails/text messages etc from unknown senders, and this is another area where AI tools can help an attacker, by making more deceptive approaches to fool people into doing what they should not.

Today it is quite possible to generate audio/video clips that sound and look like your boss, given that the attacker has a small sample of real data (photos/recordings). So if you have a voicemail from your boss instructing you to do some interesting stuff, like transfer money, adding new admin accounts, disabling some security mechanism, resetting a password etc, it might be a good idea to verify the authenticity of that request through another channel.

 

[sgt_zim]

The data stored on your computer is most likely already encrypted (e.g. BitLocker), and most communication in and out of it also is, e.g. https. So your data is fairly safe if your computer is stolen, or if someone were to eavesdrop on your network comms.

But many attacks will happen because you are being tricked into clicking a link, running some script, opening an attachment etc. And at that point those protection mechanisms do not really work anymore - since you yourself unlocked the computer by logging in. Any malicious script that you inadvertently run, will do so "in your name", and you (of course) have access to your own data.

We have all been told to not click those links in random emails/text messages etc from unknown senders, and this is another area where AI tools can help an attacker, by making more deceptive approaches to fool people into doing what they should not.

Today it is quite possible to generate audio/video clips that sound and look like your boss, given that the attacker has a small sample of real data (photos/recordings). So if you have a voicemail from your boss instructing you to do some interesting stuff, like transfer money, adding new admin accounts, disabling some security mechanism, resetting a password etc, it might be a good idea to verify the authenticity of that request through another channel.

It's getting worse.

A couple weeks ago, a zero-click vulnerability was disclosed for older versions of MS Outlook (2013, 2016, and 2019, I think). For a zero-click vulnerability, all you have to do is open an email. This past weekend, I saw an article about a new zero-click for (an undisclosed version of) MS Outlook. Reading between the lines, it looks like it affects the M365 version of Outlook.

As far as Bitlocker and the TPM...a number of vulns have been discovered on older TPMs. Better to have it enabled than not, but even it isn't an absolute protection.

 

[wesheltonj]

Any Mac or iOS problems?

 

[sgt_zim]

Any Mac or iOS problems?

AI-generated zero days will ultimately target all operating systems.

OSX was always relatively immune before because it's as much effort to come up with a novel exploit for it but far fewer targets from which to choose. AI ends the effort part. If you're going to put 1000 man hours into coming up with a unique exploit, do you want to target 95% of the desktop/laptop market, or 5% of it?

My own experience with OSX tells me they have any even shittier dev culture than MS. The absolutely retarded things they've released into production are mind-blowing.

 

[CoElkHunter]

Thanks so much for sharing this information with us and especially for technically challenged people like me.

 

[CoElkHunter]

I just read an article where Southwest Airlines and FedEx weren't affected by the recent CrowdStrike software update fiasco because they both are using 32 year old Windows 3.2 operating systems. Hmmm.

 

[spike.t]

We're behind the curve on that kind of red teaming. We don't have the bandwidth to catch up without bringing in new bodies, and we have about 25 people on the security team. Likely we'll farm that out to a 3rd party vendor like Trace3 or similar.

I can't reveal what's in our security stack, but we probably manage about 30 different kinds of security tools. I'm the SME for 5 of them: WAF (because I'm the only guy who can write regex and have web dev experience), endpoint zero trust, DAST, identity threat detection, and API security. Three of those are on my plate because I used to be a web application developer and my learning curve for configuring them was a lot shorter. We only have 1 other guy on the team with any dev experience at all, and he is a robotics/ICS/SCADA developer, not web apps.

Security guys with actual dev experience are expensive. I'm paid above what my actual paygrade says I should be paid.

I haven't a clue what you are talking about .....

 

[sgt_zim]

I haven't a clue what you are talking about .....

"Red Teams" are (usually in-house) good guys who are sanctioned to try and break/break into networks to try and find weaknesses, then report their findings to senior leadership.

Networks and the computers in them are a dynamic environment, so red-teaming needs to be continuous. Just because a red team may find 10 weaknesses today, which are fixed tomorrow, doesn't mean new weaknesses aren't going to be introduced the day after tomorrow.

While there are certainly physical components within any network - routers, switches, computers, cabling, firewalls, etc - a network is just a very large logical abstraction. It's easy for any given administrator operating in that abstraction to do something within their domain of expertise that causes problems in other parts of that abstraction. Even with a well-oiled and experienced team of experts within each of those separate domains (communications - routing and switching; infrastructure - computers; security with their fingers in everything; developers writing code and creating new applications), things just get overlooked no matter how diligent the teams are.

I'm loathe to use buzzwords, but security folks have to look at things holistically. Most people in security got there after having spent a lot of time in comms, infrastructure, or software development. We have to understand at a pretty fine level of detail how all the parts should fit together securely, and is why we're generally paid so much more than other domain specialists.

 

[sgt_zim]

I just read an article where Southwest Airlines and FedEx weren't affected by the recent CrowdStrike software update fiasco because they both are using 32 year old Windows 3.2 operating systems. Hmmm.

There are a lot of hospitals on old operating systems as well - their networks are usually "air gapped," meaning that there is no physical connection to the interwebs. If you can't connect to a network, you can't break into a network.