eMail subject: Sensitive Data Filter Easily Bypassed in Microsoft Recall; German Authorities Sinkhole Android Malware; CISA Invites Comment on New Cyber Incident Plan

A good reminder that 'Secure By Design' of complex software is often an oxymoron, especially in overhyped, competitive areas like digital 'currencies' and artificial 'intelligence.' Given Microsoft's heavily publicized re-commitment to security and their revenue in selling security add-on services, I'm surprised that they release a product that claimed to have a 'Filter Sensitive Information' feature which is to security as a perpetual motion machine is to gas mileage.

John Pescatore

This is a feature that no customers seem to have requested yet they are being forced to take on an insecure and privacy-invasive feature. Microsoft really needs to recall this product until it is fit for purpose from a security point of view and provides value to users.

Brian Honan

No surprise here; Recall, like any tool, can be misused or abused and data leaks. As originally announced Microsoft seemed to think that Recall was simply a part of the operating system and that everyone would use it. It is better thought of as a tool or app that should be used only by design and intent, never by default. As I understand it, the default for individuals is that Recall is off, for enterprises it is set globally by administration.

William Hugh Murray

Recall remains opt-in and requires a Copilot+ PC to operate. Recall's sensitive data filtering is still evolving, so use caution testing it. Given that it is positioned to be your one-stop digital memory, expect users to want to enable and use it, particularly if it's enabled on their new home computers, so you're going to need to understand the risks and have sufficient sign-off before wide deployment.

Lee Neely

There are valid use cases for the Recall AI feature; however, one must also weigh the security risks in using new technology. At least the database where the screenshots are kept is encrypted now.

Curtis Dukes

The 'Badbox' software was found preinstalled on consumer electronics devices. We have written a few times over the last couple of decades about cases like this, and there appears to be an uptick during holidays when more of these devices are being sold. In the past, the issue has sometimes been traced back to infected devices used during the manufacturing process. After the holidays, malware is often found on 'open box' devices sold without first resetting them.

Johannes Ullrich

Well done BSI! What's disappointing though, from a World Cyber Health perspective is the large number of outdated operating systems running. The question becomes should the manufacturers who shipped the devices equipped with malware be held accountable.

Curtis Dukes

The BadBox malware is installed via supply chain compromise; it is embedded in the firmware and not user removable. The best protection is to make sure that any Android based device is Play Protect certified, which includes extensive testing to ensure quality and user security. Google provides a list of certified devices on their Android TV website. You can also check the check the certification status via the Google Play Store app. See Check and fix Play Protect Certification status: https://support.google.com/googleplay/answer/7165974

Lee Neely

We regularly see consumer devices being shipped with malicious software, and it is high time vendors provided a higher duty of care to their customers. Interestingly the EU Cyber Resilience Act (the CRA), which requires vendors of devices with digital services to comply with minimum security standards, came into force on the 10th of this month. Vendors will have until December 11 2027 to ensure they comply with the act - https://digital-strategy.ec.europa.eu/en/news/cyber-resilience-act-enters-force-make-europes-cyberspace-safer-and-more-secure

Brian Honan

I doubt the 2016 document had much influence, and the overly broad definition of a 'Significant Cyber Incident' will guarantee the same for this version.

John Pescatore

It's been eight years, time for an update. That said, every Federal entity should already have an Incident Response Plan that they regularly exercise. Ditto for the Private sector. If not, then they are not practicing a standard duty of care for the information they're entrusted with.

Curtis Dukes

China has several "Typhoon" groups. Volt (or Vault) Typhoon, stealth & espionage, focuses on critical infrastructure, Salt Typhoon, data persistence, targeting ISPs and Telecommunications; Flax Typhoon, hijacking IOT devices. This NCIRP update is intended to help address cyber incidents which came from the 2016 Presidential Policy Directive 41 (PPD-41) and is working to incorporate input from the private sector and provide guidance for incident response and reporting; you should compare with your plans for any ideas. The comment period goes through January 15, 2025, and comments need to be submitted through the Federal Register's request for comment on the NCIRP update page: https://www.federalregister.gov/documents/2024/12/16/2024-29395/request-for-comment-on-the-national-cyber-incident-response-plan-update

Lee Neely

Anything worthy of being called a plan specifies who will do what and when they will do it. While called a plan, this document is better thought of as hopeful guidance.

William Hugh Murray

By default the Prometheus endpoint allows for unauthenticated access, which allows lots of system information to be accessed. Make sure you're not only limiting external access to those agents, but also requiring authenticated access. In addition, watch your debug/pprof endpoints for resource exhaustion - these should only be internally reachable.

Lee Neely

This report focused on four Android devices, two of which were compromised by Cellebrite, the others by unspecified means, while the owners were being interviewed by Serbian authorities, the implication being the civilians were unaware of the tampering at that time. The best mitigation is keeping your devices updated and backed up. Consider that if you're asked to surrender your device to authorities, locked or otherwise, that you should treat it as compromised afterwards and look to replacement or factory wipe options.

Lee Neely

While it's convenient to make HMIs available over the Internet, this also exposes them to exploit. If you must, then make sure they are protected by a strong passord, or even better, MFA, and you're going to have to monitor for inappropriate behavior. Keep systems updated. The mitigations for risks of exposure seem worse than setting up a VPN/Remote access solution to view these HMIs.

Lee Neely

Any internet-facing device should be protected. Knowing your environment, which encompasses CIS Controls 1-3, is foundational to an effective cybersecurity program. The fact sheet only amplifies this point.

Curtis Dukes

At this point it appears the exfiltrated data includes names, SSNs, DOBs, addresses, and some banking information affecting as many as 300,000 Rhode Islanders. The Brain Cipher ransomware gang is taking credit for the attack. The state is posting updates on the RIBridges incident via their Depart of Administration web site: https://admin.ri.gov/ribridges-alert

Lee Neely

The goal was increased visibility to the Kubernetes control plane for all their Kubernetes instances. Unfortunately, the monitoring had a large footprint which essentially exhausted resources on large clusters. Kudos for wanting full visibility to better manage the environment, but a few points off for not adequately modeling the impact of the change. In the excitement of getting the data you want with increased monitoring, it is easy to misread the resource impact, particularly without a production workload. Service restoration was complicated as the clusters were essentially locked out making it slow to back out the changes. Add this scenario to your testing and roll-back planning.

Lee Neely

The Nitrogen ransomware gang is taking credit for the attack, claiming to have exfiltrated 650GB of customer data, likely including full name, social security number, driver's license, credit/debit card and account numbers as well as DOB. SRP doesn't seem to have a member-facing site detailing the breach, something they should correct, and as an added distraction, the firm of Markovits, Stock & DeMarco LLC has already initiated a class action lawsuit investigation. SRP is offering members credit restoration/identity theft coverage; don't wait for a breach, if you don't have coverage get that settled, your future self will appreciate it.

Lee Neely