SANS NewsBites

SEC Breach Reports Could Be More Useful; Class Action Over Photobucket Images in AI Training; Microsoft Addresses MFA Bypass Issue; and Lots of Security Updates

December 13, 2024  |  Volume XXVI - Issue #95

Top of the News


2024-12-11

Report Says SEC Breach Reporting Rules Aren't Providing Much Useful Information

According to a report from BreachRX, the US Securities and Exchange Commission's (SEC's) breach reporting rules are not doing much to improve incident transparency. The rules, which took effect late last year, require public companies to disclose 'material' cyber incidents within four days of detection, and to include information about their cybersecurity strategies in their annual reports. BreachRX examined 71 8-K filings and 400 10-K filings; they 'found confusion and caution on whether and when to file and a general failure to provide enough information that could effectively protect companies from future SEC enforcement actions.'

Editor's Note

There was a lot of industry comment on the first draft of the SEC disclosure regulations that led to these results. After all those comments, being 'baffled' by the rules is a real stretch, especially since companies have for years been dealing with the long-standing definition of what is or is not a 'material event' which a Supreme Court decision loads with loopholes on usefulness, as this FASB guidance points out: 'The shorthand in the accounting and auditing literature for this analysis is that financial management and the auditor must consider both "quantitative" and "qualitative" factors in assessing an item's materiality.'

John Pescatore

Beyond reporting the minimum information required by the SEC, companies need to consider what best suits their customers, despite an SEC filing being slanted towards their investors/owners, which could be opposing requirements. This could be a case where industry develops best practices rather than waiting on regulators so they can balance these needs. I am a fan of transparent honest disclosure versus rumor and speculation which can be at best distracting and at worst cost business.

Lee Neely

This shouldn't come as a surprise to anyone. Company legal teams have had time to fully digest the rule changes and come up with common language to describe cyber incidents and what, if any, effect it may have on the company. They tend to err on the side of 'less is more' when it comes to communicating cyber incidents.

Curtis Dukes

To this observer it appears that businesses are reporting defensively without a finding of materiality. This may tend to bury any useful signal in noise.

William Hugh Murray

2024-12-11

Photobucket Sued Over Sale of Images to Companies Training Generative AI Models

Photobucket is facing a class-action lawsuit that seeks to prevent the company from selling users' photographs to AI companies without first obtaining written consent. The complaint states 'The photos at issue, amounting to over 13 billion images, were entrusted to Photobucket over the course of almost two decades beginning in the early aughts - years before technologies like generative AI and biometrics existed outside of science fiction.' The litigation seeks to protect both people who uploaded photos to Photobucket as well as people in those photographs. The lawsuit seeks damages not only from Photobucket, but also from the unknown AI companies that purchased the data.

Editor's Note

This is another area where default opt-out is really needed but the US has consistently allowed industry to avoid that.

John Pescatore

It is past time for regulation to shift the balance of power to the subjects of PII. Courts should be more lenient in recognizing classes and imputing damages. The abuses are now both obvious and significantly damaging to the public good.

William Hugh Murray

The hard part about biometric data is that, unlike a password, you really can't change it if it gets released. Trends in the US and EU indicate there is increased focus, and corresponding lawsuits/fines, on protection of privacy data. As a user, make sure you understand the controls on your data when storing it online. If you're holding biometric data to include images, or obtaining the data from a third party, have a clear understanding of what the user has consented to. Don't become another example of case law.

Lee Neely

This lawsuit will be followed closely by many companies that have collected similar data over the years. Technology has changed dramatically in that time and it's doubtful the original user agreement included this use case. We'll see if the company's automatic change in terms will hold up in court. Yet another reason why this country needs a national data privacy law.

Curtis Dukes

2024-12-11

Microsoft Fixes MFA Bypass Vulnerability

Researchers at Oasis Security developed a way to bypass Microsoft multi-factor authentication (MFA) that could have been exploited to 'gain unauthorized access to the user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.' Oasis reported the issue to Microsoft in late June, and a temporary fix was released in early July. Microsoft released a permanent fix in early October.

Editor's Note

Many attackers still actively exploit rate-limiting API issues. The researchers found they could brute force the 6-digit TOTP by sending many requests. Even though Microsoft has fixed this, if you were in the Red Team space, I would highly recommend reading their article and writeup because generating the requests is somewhat of a neat trick.

Moses Frost

The time delay between successive prompts should be greater than the life of the OTP and, perhaps as suggested by Peter Capek, go up exponentially.

William Hugh Murray

This was a race condition. The TOTP guideline, RFC-6238, suggests codes be changed every 30 seconds, and it also suggests implementers allow a longer window to allow for time variances, delays/etc. In this case Microsoft had implemented a 3-minute window, and didn't have any rate limit throttling, which allowed a large number of possible codes to be sent. In 24 sessions (about 70 minutes) an attacker has better than a 50% chance of guessing the right code. While Microsoft has deployed a fix, you still need to make sure that the password you're using with your account is strong and not compromised, as the exploit requires having that password. Better still, implement stronger phishing-resistant options for MFA.

Lee Neely

The Rest of the Week's News


2024-12-11

Microsoft and Adobe Patch Tuesday

On Tuesday, December 10, Microsoft released updates to address more than 70 vulnerabilities, 16 of which are considered critical. One of the vulnerabilities, a high-severity elevation of privilege issue in Windows Common Log File System Driver, was previously disclosed and is being actively exploited. Also on Tuesday, December 10, Adobe released updates to address more than 160 vulnerabilities across their product lines, including Adobe Experience Manager, Connect, Adobe Animate, and Acrobat and Reader.

Editor's Note

Don't overlook the Adobe and Apple updates while digesting the Microsoft list. Yes, CVE-2024-41938 is being actively exploited, so you need to deploy the updates. Adobe updates hit not only your licensed products, Photoshop, Illustrator, Animate, etc., but also the free Adobe Reader. You're going to need to push those as well as monitor your Creative Cloud users to make sure they update.

Lee Neely

2024-12-12

Cleo Patches Zero-Day RCE Flaw

A zero-day flaw in secure file transfer products managed by B2B software provider Cleo was observed under exploit in the wild by researchers since early December, and received a patch on December 11. Cleo serves "more than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution ... Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global." This new vulnerability, which "allows unrestricted file upload and downloads [and] leads to remote code execution," has a CVE designation pending, and its exploitation constitutes a bypass of Cleo's October patch for CVE-2024-50623, "an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21." Researchers at Huntress observed over 1,700 affected servers, but estimate the actual number is likely much higher, affecting at least ten of Cleo's customers in the US and North America. The flaw and malware payloads involved are currently being analyzed by researchers. Cleo urges customers to upgrade to the patched release: Harmony, VLTrader, and LexiCom version 5.8.0.24, and "advises those who cannot immediately upgrade to disable the Autorun feature by going into the System Options and clearing out the Autorun directory (this will not block incoming attacks but will reduce the attack surface)."

Editor's Note

This is another file transfer application with critical vulnerabilities. Is this another MoveIT-style breach? If you are aware of any file transfer applications at the edge of your network, I recommend keeping these up to date and being observant.

Moses Frost

This flaw, which bypasses the fix for CVE-2024-50623, allows an unauthenticated user to execute arbitrary bash or PowerShell commands on the host system, to include taking advantage of autorun configurations, and is being actively exploited, likely by the Termite ransomware group and possibly others. It goes without saying that file transfer system weaknesses are blood in the water and have been successfully leveraged to exfiltrate data (MoveIT?). Apply the (new) updates post-haste, disable autorun on those systems and hand the IOCs to your threat hunters. Cleo has published scripts to help find the IOCs.

Lee Neely

Often in the rush to patch, developers miss the root cause with additional vulnerabilities being discovered. This is a good reminder for Dev teams to refocus on quality engineering as the key part of DevSecOps. For end-users, follow the guidance from the company.

Curtis Dukes

2024-12-11

Ivanti Intensifies Scanning, Finds and Patches CVSS 10.0 Flaw in CSA

In Ivanti's December Security Update on Tuesday, December 10, the company disclosed vulnerabilities affecting a handful of their products including three notably high and critical-severity flaws in the Cloud Service Application (CSA) in versions older than 5.0.3. CVE-2024-11639 is rated CVSS 10.0, and is "an authentication bypass in the admin web console ... allow[ing] a remote unauthenticated attacker to gain administrative access." CVE-2024-11772 is rated CVSS 9.1, and involves "command injection in the admin web console ... allow[ing] a remote authenticated attacker with admin privileges to achieve remote code execution." CVE-2024-11773 is also rated CVSS 9.1, and employs "SQL injection in the admin web console ... allow[ing] a remote authenticated attacker with admin privileges to run arbitrary SQL statements." These flaws are fixed in CSA 5.0.3. Ivanti has not observed any of the newly disclosed vulnerabilities being exploited. The update mentions that the company is ramping up "internal scanning, manual exploitation and testing capabilities," predicting "a natural and intended increase in disclosure."

Editor's Note

Ivanti has been struggling to get their arms around maintaining the security of products with all the companies they've acquired of late; it's good to see them increasing the focus on scanning these tools. Beyond applying updates as they are released (e.g., update to CSA 5.0.3 now), make sure that your management consoles are not exposed to the Internet, and better still, only allow approved connections to these services. Don't limit that approach to Ivanti services; management interfaces are a target, so don't make things any easier to attack than they need to be.

Lee Neely

2024-12-12

Apple Updates

Apple has released updates to address at least 46 vulnerabilities in iOS and iPadOS, macOS, watchOS, tvOS, visionOS, and Safari. Users are urged to update to iOS and iPadOS 18.2; iPadOS 17.7.3; macOS Sequoia 15.2; macOS Sonoma 14.7.2; macOS Ventura 13.7.2; watchOS 11.2; tvOS 18.2; and visionOS 2.2.

Editor's Note

While these numbers are starting to look like "patch Tuesday," Apple does not release updates on a schedule. Apple updates are rarely worse than the problems they address. Apple customers should enable automatic updates. (Settings>General>software update>Automatic updates>on)

William Hugh Murray

Apple has updates for both mobile and desktop OS's. While this update includes Ventura (macOS 13) you should be migrating those users to Sonoma or Sequoia; Apple really only supports the current two versions. Apple is not indicating any of the flaws are being actively exploited, but the flaws addressed can be highly disruptive, including app crashing and memory leaks. Code reuse means that some of the vulnerabilities apply to multiple versions and platforms, so make sure you're pushing updates across your entire Apple inventory. After you update your mobile fleet, you may get calls about Apple Mail categories hiding messages; try the legacy list view.

Lee Neely

2024-12-12

Critical Flaw in Hunk Companion WordPress Plugin is Being Actively Exploited

Cyber attackers are exploiting a critical flaw in the Hunk Companion plugin for WordPress to install other plugins with known vulnerabilities. The issue, which 'allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository' was detected by WPScan, who reported their findings to Hunk Companion developers in late November. A fix was released on December 10. The flaw affects the Hunk Companion plugin prior to version 1.9.0.

Editor's Note

The flaw comes from the return from the unauthorized user detection, which doesn't properly deny these requests, returning a response rather than the required boolean or WP_Error, which then evaluates to true, allowing the requests to succeed. CVE-2024-11972, CVSS score 9.8, is fixed in version 1.9.0. Make sure both the ThemeHunk theme and Hunk Companion plugin are updated: typically you'll have both and want to update them concurrently. Make sure your WP firewall is checking/blocking exploits of CVE-2024-11972.

Lee Neely

WordPress Plugins come with little provenance, support, or representations of quality. They should be used only by design and intent, never by default, and carefully managed when used.

William Hugh Murray

2024-12-12

Mozilla Retires 'Do Not Track' Toggle

In a move Ars Technica characterizes as "more symbolic than practical," Mozilla has announced that in Firefox version 135, set to release February 4, 2025, the browser's feature for sending websites a "Do Not Track" request will be removed. "Do Not Track" is not a direct block, but a standard developed in 2011 by the World Wide Web Consortium by which users may register their preference not to be tracked. After more than a decade of opposition from advertisers, lack of policy or enforcement, and unrelenting evolution of tracking technology, Mozilla's support page notes that "many sites do not respect this indication of a person's privacy preferences, and, in some cases, it can reduce privacy." Another checkbox will remain, labeled, "Tell websites not to sell or share my data." This option invokes 2020's Global Privacy Control (GPC), a similar mechanism that aligns with privacy laws in the EU and California, and with certain provisions in other US states. Neither Google Chrome nor Chromium support GPC communication without extensions.

Editor's Note

The DNT setting, while well intended, didn't really work as it was never a fully ratified standard and websites/advertisers refused to implement it. While it's not clear if the GPC setting will be more effective, it has a better chance as its ties to privacy laws should help adoption. For now, the best option is to use browser privacy extensions like uBlock Origin, Privacy Badger, or privacy-enhanced browsers all of which are designed to not send extra information to web sites in the first place.

Lee Neely

2024-12-11

Romanian Cyber Agency Guidance After Power Company Hit by Ransomware

A cyberattack disclosed by Romanian power supplier Electrica on December 9 has now been acknowledged as the work of LYNX ransomware. The Romanian National Directorate of Cybersecurity (DNSC) published an IoC advisory on December 11 confirming the statement from Electrica's CEO that critical systems remain unaffected and functional, also providing guidance for any energy sector systems affected by ransomware attacks. The text of the advisory includes a YARA script that the DNSC suggests energy providers use to scan for malware. Guidance includes a strong recommendation to never pay ransoms, as well as a list of mitigation measures: identify and isolate affected systems; keep on file any messages from attackers and any logs for analysis and examination; communicate promptly with employees, customers, and business partners; investigate decryption tools; sanitize and restore systems from a backup if possible; and ensure systems and applications are up to date.

Editor's Note

While the Electrica attack is likely politically based, relating to the annulled election, this ransomware has been spotted elsewhere targeting electrical, education, healthcare and government systems. Beyond making sure that your control systems are segmented, updated, not internet accessible and use MFA, hunt for indicators of the Lynx and INC ransomware (Lynx is based on INC.) Make sure you're monitoring your OT/ICS networks for unexpected/unusual behavior; leveraging tools which understand these protocols and can passively discover can be illuminating.

Lee Neely

2024-12-11

Krispy Kreme Online Ordering Disrupted by Cyberattack

Krispy Kreme has been suffering an ongoing cyberattack discovered on November 29. The company's 8-K filing with the Securities and Exchange Commission (SEC) states that "unauthorized activity" and subsequent operational disruptions to online ordering are "reasonably likely to have a material impact on the Company's business operations." Stores remain open, and retail and restaurant deliveries are not affected. Krispy Kreme holds cybersecurity insurance, but only "a portion of the costs" may be covered during ongoing remediation, mitigation, and investigation by cybersecurity experts.

Editor's Note

One of the few companies in their 8-K filing that acknowledges a material impact on Company operations. Let's hope that they're forthcoming on details of the attack, so we all may learn.

Curtis Dukes

In today's climate, it's dangerous to assume your cyber insurance will cover an incident like this. It's a good time to sit down with your insurer and have a hard talk about what they will and will not cover, to include any changes you should have been implementing.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday December 2024

https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+December+2024/31508

Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS)

https://isc.sans.edu/diary/Apple+Updates+Everything+iOS+iPadOS+macOS+watchOS+tvOS+visionOS/31514/

Vulnerability Symbiosis: vSphere's CVE-2024-38812 and CVE-2024-38813

https://isc.sans.edu/diary/Vulnerability+Symbiosis+vSpheres+CVE202438812+and+CVE202438813+Guest+Diary/31510

Windows 11 and TPM

https://techcommunity.microsoft.com/blog/windows-itpro-blog/tpm-2-0-%E2%80%93-a-necessity-for-a-secure-and-future-proof-windows-11/4339066

https://www.forbes.com/sites/zakdoffman/2024/12/12/microsoft-warns-400-million-windows-users-do-not-update-your-pc/

Microsoft Azure MFA Bypass

https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass

Struts 2 Arbitrary File Upload CVE-2024-53677

https://cwiki.apache.org/confluence/display/WW/S2-067

Russian actor Secret Blizzard using tools of other groups to attack Ukraine

https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/

Widespread exploitation of Cleo file transfer software (CVE-2024-50623)

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://labs.watchtowr.com/cleo-cve-2024-50623/

Ivanti Security Advisory

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US

Visual Studio Code Tunnels

https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/

Mitigating NTLM Relay Attacks

https://msrc.microsoft.com/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/