Founder of secmatics.com. Currently building automated vulnerability analysis technology and blogging about actively exploited vulnerabilities.

Spent 25 fun-filled years in application security and product development.

Built and ran the product security, certification and incident response teams at Citrix.

Once accidentally found a CVSS 10.0 kernel-mode RCE in Windows (CVE-2015-1635) while trying to figure out why a test deployment wasn't working.

Web: https://www.secmatics.com
Blog: https://www.secmatics.com/blog

Some UK hospitals appear to be publicly documenting their own cybersecurity weaknesses. The Guy's and St Thomas' NHS Foundation Trust meeting notes from 20th December 2023 state: "There was discussion about how the Trust routinely monitors and manages cyber security arrangements where the Trust had interfaces with third parties, for example the Pathology Business Unit (PBU)". https://www.guysandstthomas.nhs.uk/media/13533/Board%2Bof%2BDirectors%2Bmeeting%2Bpapers%2B-%2BWednesday%2B31%2BJanuary%2B2024

Meeting notes from 28th February 2024 also note that "Cyber security remained a high risk, and the Trust had not met the standards for the NHS data security protection toolkit self-assessment in recent years." https://www.guysandstthomas.nhs.uk/media/13680/Board%2Bof%2BDirectors%2Bmeeting%2Bpapers%2B-%2BWednesday%2B24%2BApril%2B2024

On 3rd June the hospital declared a critical incident when Synnovis (their pathology services provider) was the victim of a ransomware attack. I can't help but wonder if they essentially painted a big target on themselves here.

These meeting notes also refer to other ongoing cybersecurity activities and known areas of risk. It would be trivial to automatically scrape and analyse all of these meeting notes and then use that data to focus future attacks on other NHS trusts. Accountability and transparency are good things, but publicly documenting security risks before they have been addressed is never a good idea. #ransomware #nhs

Apple integrate an LLM into everything and the response is "that looks cool", but when Microsoft announced Recall the world went into meltdown. This isn't entirely surprising; Apple genuinely seem to be trying to address the privacy aspects of LLMs, while Microsoft's recent security and privacy track record is... shall we just say... less than perfect.

Perception does matter. If Microsoft's past mistakes mean it is now harder for them to roll out innovative new features then they could be in real trouble.

The latest Zyxel NAS vulnerabilities paint a clear picture of a complete product security failure. Zyxel advise installing the patches for "optimal protection". I disagree; applying these patches is a waste of time.

The only way to achieve "optimal protection" is by disconnecting these devices from the network. I think it is highly disingenuous of Zyxel to suggest any other course of action. https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

Zyxel security advisory for multiple vulnerabilities in NAS products | Zyxel Networks

CVEs: CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975, CVE-2024-29976

Summary
Zyxel has released patches addressing command injection and remote code execution vulnerabilities in two NAS products that have reached end-of-vulnerability-support. Users are advised to install them for optimal protection.

What are the vulnerabilities?

CVE-2024-29972 **UNSUPPORTED WHEN ASSIGNED** This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVE-2024-29973 **UNSUPPORTED WHEN ASSIGNED** This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.

CVE-2024-29974 **UNSUPPORTED WHEN ASSIGNED** This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

CVE-2024-29975 **UNSUPPORTED WHEN ASSIGNED** This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.

CVE-2024-29976 **UNSUPPORTED WHEN ASSIGNED** This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

What versions are vulnerable—and what should you do?
Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.

Affected model   Affected version               Patch availability
NAS326           V5.21(AAZF.16)C0 and earlier   V5.21(AAZF.17)C0
NAS542           V5.21(ABAG.13)C0 and earlier   V5.21(ABAG.14)C0

*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.

Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment
Thanks to Timothy Hjort from Outpost24 for reporting the issues to us.

Revision history
2024-6-4: Initial release.

Another week, another critical ivanfortitrix vuln. I realize ripping out appliances and software is no small task, but at what point does the cost of total time spent patching and maintaining these surpass any value they add?

Cyber Safety Review Board (March 2024): "Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made"

Microsoft (May 2024): "We have completely reimagined the entirety of the PC – from silicon to the operating system, the application layer to the cloud – with AI at the center, marking the most significant change to the Windows platform in decades."

That seems to be going about as well as expected.

A brief look at the risk of exposing Microsoft’s Remote Desktop (RDP) directly to the Internet. TL;DR: Don't do it. https://www.secmatics.com/blog/peering-down-the-rdp-rabbit-hole #rdp #remotedesktop #cybersecurity
Secmatics - Peering Down the Remote Desktop Rabbit Hole

Secmatics - MITRE Breach: VPNs Considered Dangerous?

MITRE, the company that maintains the Common Vulnerabilities and Exposures (CVE) database, was recently breached due to a vulnerability in their own VPN infrastructure.

Oooo, a webinar invite: "Automate financial reporting with generative AI". Why yes, that sounds like a perfectly sensible thing to do. I mean, what could possibly go wrong? 😱
Secmatics - Dear Open Source, Can we ever trust you again?

CVE-2024-3094: Taking a look at the real implications of the XZ backdoor.


The Cyber Safety Review Board's report on the Summer 2023 Microsoft Exchange Online intrusion:

"However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key." https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

This is not surprising. As I noted last year:

"One of the main design goals of a secure key management system is to ensure that you have full traceability of the keys and know exactly what hardware and software components could have accessed them. Without such a system it is next to impossible to retrace all of the direct and indirect touch points at which a key could potentially have been compromised" https://www.secmatics.com/blog/losing-the-keys-to-the-kingdom

#microsoft #cybersecurity