SANS NewsBites

Fortinet Acknowledges Data Breach; Mandatory 2FA and SVN Passwords for WordPress Developers; Ireland's Data Protection Commission is Investigating Google AI's GDPR Compliance

September 13, 2024  |  Volume XXVI - Issue #70

Top of the News


2024-09-13

Fortinet Customer Data Accessed and Possibly Leaked

440GB of data in an Amazon S3 bucket, shared in a hacking forum, allegedly contains data exfiltrated from Fortinet. The company reported in a blog post that a threat actor gained unauthorized access to customer data stored in a 'third-party cloud-based shared file drive,' but that the breach impacted less than 0.3 percent of their customers. Fortinet has not confirmed the leakers' claims that their CEO received and declined a ransom demand, and has expressed confidence that the attack does not merit an 8-K filing.

Editor's Note

I have yet to see the datasets personally. From what the threat actor says, this appears to be related to all their SharePoint data. 440GB of something is not small in any way. This may be one of the most significant vendor breaches in quite some time. This will take time to download and review, so expect fall out from this for some time.

Moses Frost

The attacker claims they exploited a weakness in their Azure SharePoint site, accessing about 440GB, and the Fortinet CEO walked away from ransom negotiations. While I'm not so sure 440GB qualifies as a limited amount of data, they still have the latitude of material impact to temper the requirement of filing the 8-K. This has been a bit of a rough year for Fortinet, with critical fixes in January and February, as well as FortiGate firewall compromises in June, which means they need to downshift into full transparency, particularly with recent DLP and cloud security acquisitions, which they could highlight for their role in reducing the scope of the compromise or mitigating future incidents, so they can focus on remediation and mitigations rather than responding to external claims.

Lee Neely

2024-09-12

2FA and SVN Passwords Will Be Mandatory for WordPress Developers

WordPress[.]org, the branch of the site that provides resources for developers, will require authors of plugins and themes to protect their accounts with two-factor authentication. The site will also implement SVN passwords, which restrict commits in their version control system. These measures to prevent supply chain attacks will be enforced starting October 1.

Editor's Note

Increasing security against supply chain attacks, particularly for such a common target (WordPress), is vastly needed, and if you're developing WordPress plugins or enhancements, you need to jump on this or you're SOL come October 1. For those of us with WP sites, we still want to remain diligent, ensuring we're keeping everything automatically updated, removing unused plugins and deploying security modules or plugins to give you every advantage.

Lee Neely

WordPress is joining a growing list of organizations that now mandate the use of MFA on hosted accounts. Perhaps the recent Snowflake security incident helped drive the decision by WordPress to mandate an additional form of identification for account access. Bottom line: overdue but a good thing nonetheless.

Curtis Dukes

Nothing can be more essential to SECDEVOPS than developer accountability and change control.

William Hugh Murray

2024-09-12

Google AI's GDPR Compliance Under Investigation

A press release from Ireland's Data Protection Commission announced an ongoing 'Cross-Border statutory inquiry' investigating data protection obligations during the development of Pathways Language Model 2 (PaLM 2). The inquiry will determine whether Google conducted a Data Protection Impact Assessment (DPIA) before processing European citizens' data. GDPR requires this assessment from any project 'likely to result in a high risk to the rights and freedoms of individuals.'

Editor's Note

This is similar to the reason X (formerly Twitter) were asked by the DPC to suspend their use of the data of people based in the EU to train its AI solution Grok https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-welcomes-conclusion-proceedings-relating-xs-ai-tool-grok. Under GDPR and the recent EU Artificial Intelligence (AI) Act there are a lot of obligations placed on organisations to ensure the rights of individuals are not infringed by AI solutions. If your organisation is based in the EU and you are looking to implement AI solutions you should read this guide from the Irish Data Protection Commission on "AI, Large Language Models and Data Protection" https://dataprotection.ie/en/dpc-guidance/blogs/AI-LLMs-and-Data-Protection.

Brian Honan

Of note here: know where your privacy data is being processed, particularly with services incorporating AI/LLMs into their service offering, and if you're processing privacy data be aware of the relevant privacy laws (GDPR, CCPA, etc.). Some, like the GDPR, have restrictions on location of processing and the completion of a DPIA, and even user consent prior to processing, backed up with substantial penalties for getting this wrong. This isn't the first case of the EU pumping the brakes on LLMs being trained on personal data. Previously, OpenAI/ChatGPT was temporarily banned in Italy for similar concerns, Meta paused plans for Meta AI in Europe over privacy concerns, and X consented to suspend training its Grok chatbot on public posts from European users without prior consent. As these are resolved, there should be a model for the rest of us to learn from and emulate, resulting in a less litigious experience operating in the EU.

Lee Neely

Don't forget there is an AI race going on and the winner likely will drive this technology advancement into the future. One nation doesn't give its citizens a choice as their data, including facial recognition, is collected over and over again and is used to train LLMs. At least other nations do attempt to protect the privacy and data rights of their citizens. We have to find a middle ground else we're basically ceding this technology to one country.

Curtis Dukes

The Rest of the Week's News


2024-09-12

UK Government Designates Data Centres as Critical National Infrastructure

The UK government's Department for Science, Innovation and Technology has announced that data centres are now designated Critical National Infrastructure (CNI). The change in classification means that the government will support data centres during critical incidents. The last time the government assigned CNI designation to a sector was in 2015, when the Space and Defence sectors were granted CNI status.

Editor's Note

This designation will put the data centers on par with water, energy and emergency services systems when it comes to government support for recovery from and preparation for critical incidents. This will also likely result in increased scrutiny from government agencies to ensure these data centers are secure and contingencies are in place to minimize risk of damage to essential services and data. This comes on the heels of a proposed £3.75 billion investment in Europe's largest datacenter in Hertfordshire.

Lee Neely

I suspect that the UK government would have supported data centers during critical incidents regardless of the designation given the growing importance of the cloud for e-commerce and business operations. At least now it has been formalized.

Curtis Dukes

I suspect that many data centers with critical government services should be protected. If you consider the NHS Critical Infrastructure, the systems behind it must also be critical.

Moses Frost

2024-09-12

More Information Emerges About Transport for London Breach

Authorities in the UK have arrested a 17-year-old individual in connection with the Transport for London (TfL) breach. The suspect was detained on September 5 for suspicion of Computer Misuse Act violations and has since been released on bail. TfL now acknowledges that some customer banking data were compromised, and that the organization is resetting all employee passwords.

Editor's Note

Despite all the hype around nation state attackers, the various regulations and proposed regulations being implemented around cybersecurity, the various cybersecurity tools that promise to protect us, it is frustrating and frankly disheartening to see organisations suffering breaches of this magnitude from an individual who is still legally a child. Perhaps the individual arrested in this case has a lot of technical skills, but if your organisation can be breached by a teenager you have much more to worry about other than nation state attackers and APTs.

Brian Honan

The incident started September 1st and they are getting closer to service restoration. TfL is, in addition to changing all passwords, also re-ID proofing all staff to make sure only verified users have access. TfL is also committing to make any unexpected costs right for travelers, for example asking them to keep track of where they had to pay a fare outside Oyster or Zip cards so TfL can issue a refund when things are back online.

Lee Neely

Public transit is essential to London. It appears as though it continues to operate in part because administrative systems were isolated from mission critical applications. However, it also appears as though the reliance on passwords for user authentication is implicated in this breach.

William Hugh Murray

2024-09-12

Google Rolling Out Improvements to Chrome Safety and Security

New features in Chrome aim to better protect users from online threats and provide them greater control over their personal data. Google has enhanced the Chrome Safety Check feature, allowing it to run automatically in the background. It will revoke permissions from sites users no longer visit, flag unwanted notifications, remind users of security issues that need to be fixed, and on desktop versions, it will notify users of dangerous extensions. On Pixel devices, Chrome will simplify the process of opting out of website notifications. Chrome for both Android and desktop will also allow users to grant one-time-only website permissions.

Editor's Note

Chrome Safety Check was first rolled out in 2020; it checked stored passwords for compromise, encouraged browser updates and warned when sites were deemed unsafe by the Safe Browsing service. It continues to evolve: it now runs in the background on mobile devices, it started running in the background on desktops last year, and it will now also automatically cancel notifications deemed deceptive rather than just flagging them if the site is deemed dangerous. Chrome Safety Check can be disabled on desktop browsers under the Security and Privacy Settings; you likely want it on for most users to help raise the bar on secure browsing. These services are also available in Chromium browsers' Privacy/Security settings (Edge, Opera, Brave, etc.).

Lee Neely

Anything we can do to automate security checks is a good thing -- thank you Google for pushing the security envelope. Yes, it might be an annoyance at first, but users will adjust and come to like the additional layer of security. Hopefully, other major browser developers will follow Google's example.

Curtis Dukes

Chrome will continue to get stronger and stronger in this regard. Expect to see some newer developments in this area.

Moses Frost

2024-09-12

Microsoft Patch Tuesday for September 2024

On Tuesday, September 10, Microsoft released updates to address nearly 80 security issues in their products. Seven of the vulnerabilities are rated critical, and at least four are being actively exploited: CVE-2024-38226, a Microsoft Publisher protection mechanism failure vulnerability; CVE-2024-43491, a Microsoft Windows Update use-after-free vulnerability; CVE-2024-38014, a Microsoft Windows Installer improper privilege management vulnerability; and CVE-2024-38217, a Microsoft Windows Mark of the Web (MOTW) protection mechanism failure vulnerability. The US Cybersecurity and Infrastructure Security Agency (CISA) has added those four vulnerabilities to their Known Exploited Vulnerabilities (KEV) Catalog; all four have mitigation deadlines of October 1, 2024.

Editor's Note

You should be pushing this update starting this weekend, if not sooner. Updates to the Windows Installer and Windows Update which can be leveraged for RCE and privilege escalation should be enough to warrant not waiting. If that isn't enough, successful exploits are already showing up in active attacks. The good news is the weekend is upon us, so users will be less disrupted by the pushed updates.

Lee Neely

Neither the number nor the severity are going down.

William Hugh Murray

2024-09-12

Palo Alto Networks Releases Advisories for Vulnerabilities in Multiple Products

Earlier this week, Palo Alto Networks released security advisories to address multiple vulnerabilities in their products. Two of the advisories address high severity issues: the first concerns a command injection vulnerability in PAN-OS; the second concerns the monthly update for Palo Alto Networks Prisma Access Browser and addresses nearly 30 CVEs. The rest of the advisories are rated medium severity.

Editor's Note

PAN-OS has had its share of bugs like this. I am used to upgrading firewalls, protecting the management interfaces, and staying vigilant. The other bug around PAN-OS's Browser Service is just a standard update to the system, just like you would upgrade Chrome.

Moses Frost

CVE-2024-8686, command injection flaw, CVSS score 8.6, is specific to PAN-OS 11.2.2 and the fix is to update to 11.2.3 or higher. The Prisma Access (chromium-based) Browser flaws have CVSS scores ranging from 4.3 to 8.8 where scored; affect versions under 128.91.2869.7 and are fixed in version 128.138.2888.2. Skip the list of which flaws are in which browser version, and deploy version 128.138.2888.2.

Lee Neely

2024-09-12

GitLab Patches CVSS 9.9 Pipeline Execution Vulnerability

GitLab urges users of its Community Edition and Enterprise Edition to update to the latest releases to fix eighteen vulnerabilities. Patched issues include potential for command injection, DoS attack, and Server-Side Request Forgery. The most severe flaw is CVE-2024-6678, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.

Editor's Note

Another case of a challenging matrix of affected versions and fixes. If you're running under 17.3.2, it may be simplest to get to the most current version rather than applying one of three fixed versions (17.3.2, 17.2.5 or 17.1.7), which you'll ultimately need to get to 17.3.2 or higher.

Lee Neely

2024-09-11

Washington State School District Resumes Classes Without Internet Access Following Cyber Incident

The Highline Public School system in the US state of Washington reopened on Thursday, September 12 after being closed for three days due to a cyberattack. For the time being, none of the district's 35 schools will have Internet access. The incident is still under investigation.

Editor's Note

If you're an old fart like me, the idea of not being online in K-12 schools seems reasonable, until you realize this not only means printed bus schedules and manual attendance taking, but also that online tools like Google Classroom will have to be replaced with printed curricula and traditional standalone teaching aids. The district is working to balance education and technology, publishing their reopening plan on the district web site as Back to School 2.0 along with details, a timeline and a FAQ relating to the incident: https://www.highlineschools.org/about/news/news-details/~board/district-news/post/back-to-school-20

Lee Neely

Internet access is as essential to modern education as libraries and cafeterias.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft Patches

https://isc.sans.edu/diary/Microsoft+September+2024+Patch+Tuesday/31254

Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html

Ivanti Patches

https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US

Compromise of old hostname .mobi whois server

https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

Microsoft Reconsidering Security Tool API

https://blogs.windows.com/windowsexperience/2024/09/12/taking-steps-that-drive-resiliency-and-security-for-windows-customers/

Microsoft implements PQC in SymCrypt

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-s-quantum-resistant-cryptography-is-here/ba-p/4238780

GitLab Patch

https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job