Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
World Backup Day - You Know What To Do (Don't You?)
Today is 31 March, which for more than a decade has been World Backup Day. While we, as information assurance professionals, are well aware of the need to protect our data (aren't we?), our employees, friends and associates are often not up to speed on this requirement. Now is the time to re-energize your awareness campaigns, not to mention ensuring that enterprise backup strategies and procedures are fully up-to-date and tested.
The World Backup Day web site provides some useful - albeit scary - statistics:
- 21% of people have never made a backup
- 29% of data loss cases are caused by accident (implying 71% are deliberate?)
- 113 phones are lost or stolen every minute, and
- 30% of all computers are already infected with malware
Now is a good time to promote the 3-2-1 backup strategy:
You should have three copies of your data (that's the production data and two separate backups) on two different media (e.g. disk and tape) with one copy stored off-site for disaster recovery.
Consider this just the bare minimum; there are so many options for personal system backup these days that it is easy to meet this basic level and exceed it. We have SSDs and magnetic media, RAID arrays, external USB hard drives and flash drives, high-capacity LTO tape drives, optical media such as Blu-ray-R, and cloud storage. Plus we have a wide range of software to manage all of this on both desktop (Windows, Mac, Linux) and NAS/server platforms.
In our office, all desktop and laptop machines are backed up to external hard drives using R-Drive Image to run a grandfather-father-son rotational backup scheme as a nightly batch job (we chose R-Drive Image, https://www.drive-image.com/, after a semi-exhaustive comparison - and yes, it has earned its price several times over following failure of a 1 TB SSD). I also store all work on a NAS, using the Windows 'offline files' feature to keep a local copy on laptops for use while traveling and as a backup, and the NAS itself is backed up both locally and off-site.
Remember: any backup media - and this includes cloud storage - should be protected to the same level as the original data requires; this may require encryption, particularly in the cloud. And don't forget to back up external resources such as web site content - and this does not mean saving a database backup in an unprotected directory on the web server, or in unprotected AWS buckets.
Uncredited, World Backup Day, web site, undated. Available online at https://www.worldbackupday.com.
ChatGPT Leaks User Data
OpenAI has revealed that its ChatGPT AI chatbot leaked information including the titles of active users' chat history and the first message of newly-created conversations. Perhaps more significantly, it also exposed the payment data for 1.2% of ChatGPT Plus customers, including their first and last name, email address, payment address, the last four digits of their credit card number (thank you, PCI-DSS!) and the card expiry date.
The word 'active', above, is significant - the vulnerability that underlies this discovery is in the Redis client library, redis-py, which OpenAI uses to cache user information in its server instances. For a period of approximately nine hours on Monday, 20 March, a change to the OpenAI server caused a spike in Redis request cancellations, creating a small probability for each connection to return bad data. Since the problem was in this cache subsystem, it only affected currently active sessions, with the possibility that a subscriber would see another user's data rather than their own.
OpenAI's admins took the service offline and their developers immediately contacted the Redis development team to develop a bug fix which was quickly deployed and service restored. All affected users were contacted, but the risk seems to be low.
While everyone ponders the broader impact of artificial intelligence, it's important to remember these systems are still just software, with many of the vulnerabilities of simpler applications.
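The cancellation failure mode described above, as an added toy simulation that is not OpenAI's or redis-py's code: the page says cancelled requests left cache connections returning bad data, and the model below assumes one plausible mechanism for that, a reply left unread on a shared request/response connection so that the next caller reads it as its own. The SafeClient's remedy (discard the connection whenever a command is cancelled) is likewise an assumed illustration of the defensive pattern, not the actual fix that was deployed.

```python
import asyncio
import collections

# Constructed toy model (not redis-py's code): one request/response connection
# shared by a cache client. Replies return in the order commands were sent, so
# a reply is matched to its command purely by position on the wire.
class FakeRedisConnection:
    def __init__(self):
        self.inflight = collections.deque()  # commands sent, replies not yet read

    async def send(self, cmd):
        self.inflight.append(cmd)

    async def recv(self):
        await asyncio.sleep(0)               # "waiting on the wire": a cancel lands here
        cmd = self.inflight.popleft()        # oldest unread reply, whoever asked for it
        return f"data-for:{cmd.split()[1]}"

    def disconnect(self):
        self.inflight.clear()                # drop the socket and its unread replies

class UnsafeClient:
    """Cancelling between send and recv leaves an orphaned reply queued."""
    def __init__(self, conn):
        self.conn = conn

    async def get(self, key):
        await self.conn.send(f"GET {key}")
        return await self.conn.recv()

class SafeClient(UnsafeClient):
    """Assumed mitigation: never reuse a connection whose command was cancelled."""
    async def get(self, key):
        try:
            return await super().get(key)
        except asyncio.CancelledError:
            self.conn.disconnect()
            raise

async def scenario(client_cls):
    client = client_cls(FakeRedisConnection())
    task_a = asyncio.create_task(client.get("session:alice"))
    await asyncio.sleep(0)   # alice's task sends its GET and suspends in recv
    task_a.cancel()          # ...then her request is aborted mid-flight
    try:
        await task_a
    except asyncio.CancelledError:
        pass
    return await client.get("session:bob")  # bob reuses the same connection

def run(client_cls):
    return asyncio.run(scenario(client_cls))
```

With the unsafe client, `run(UnsafeClient)` hands bob alice's cached data; with the safe one, bob gets his own.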
Uncredited, March 20 ChatGPT outage: Here’s what happened, OpenAI blog, 24 March 2023. Available online at https://openai.com/blog/march-20-chatgpt-outage.
Robertson, Adi, FTC should stop OpenAI from launching new GPT models, says AI policy group, The Verge, 30 March 2023. Available online at https://www.theverge.com/2023/3/30/23662101/ftc-openai-investigation-request-caidp-gpt-text-generation-bias.
CISA Adds Ten New Known Exploited Vulnerabilities
The US Cybersecurity & Infrastructure Security Agency has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities are being actively exploited in the wild, making it important to prioritize their patching or at least deployment of compensating controls:
- CVE-2013-3163 Microsoft Internet Explorer Memory Corruption Vulnerability
- CVE-2014-1776 Microsoft Internet Explorer Memory Corruption Vulnerability
- CVE-2017-7494 Samba Remote Code Execution Vulnerability
- CVE-2022-42948 Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability
- CVE-2022-39197 Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability
- CVE-2021-30900 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
- CVE-2022-38181 Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
- CVE-2023-0266 Linux Kernel Use-After-Free Vulnerability
- CVE-2022-3038 Google Chrome Use-After-Free Vulnerability
- CVE-2022-22706 Arm Mali GPU Kernel Driver Unspecified Vulnerability
Note that some of these vulnerabilities go back a very, very long way - 2013? Seriously? - and the fact that they are still being exploited indicates that somebody, somewhere is asleep at the wheel.
CISA, CISA Adds Ten Known Exploited Vulnerabilities to Catalog, alert, 30 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/30/cisa-adds-ten-known-exploited-vulnerabilities-catalog.
Whistle Blown on Russian Cyberwarfare Efforts
A whistleblower, probably connected to a Moscow cybersecurity consultancy named 'Vulkan', has released a tranche of documents which reveal links between Vulkan, the Russian foreign intelligence agency (the SVR), military intelligence (the GRU and GOU), and the domestic intelligence agency (the FSB) - the latter a collaboration which could never have happened during the Soviet era, when the agencies were traditional enemies.
The software engineers at Vulkan are alleged to have worked for the agencies to support offensive security operations, train others to attack national infrastructure (particularly in Ukraine, but documents also reveal targets in the US and Switzerland), spread disinformation online and surveil and control those sections of the Internet under Russian control.
Documents link Vulkan to several projects, including Scan-V, a tool which builds a database of vulnerabilities across the Internet, and which is possibly used by Sandworm (Unit 74455 - who are also behind NotPetya and the Cyclops Blink botnet) and a system known as Amezit, which is used to surveil and control the Internet in the Commonwealth of Independent States. Another project, Crystal-2V, is used to train operatives in cyber-attacks on transport infrastructure.
The whistleblower, who leaked the documents to Munich-based investigative startup Paper Trail Media, has taken a huge risk by making them public. Eleven different media outlets, including the Guardian, Washington Post and Le Monde have been sifting through the documents and we can expect a lot more detail to emerge in coming days.
Harding, Luke, Stiliyana Simeonova, Manisha Ganguly and Dan Sabbagh, ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics, The Guardian, 31 March 2023. Available online at https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.