In this episode of "The Business of Tech," we dive into the world of cybersecurity. We discuss how a lone Microsoft engineer uncovered a potential global cyber attack through a Linux backdoor discovery, NIST's efforts to address vulnerability database backlog, and the crucial role of AI in safeguarding small to medium businesses from brand spoofing attacks.
Three things to know today
00:00 Lone Microsoft Engineer Thwarts Potential Global Cyberattack Through Linux Backdoor Discovery
03:26 NIST Tackles Vulnerability Database Backlog with Public-Private Consortium and Staff Reassignments
06:33 Safeguarding SMBs: The Dual Role of AI in Preventing and Detecting Brand Spoofing Attacks
Supported by:
https://www.bitdefender.com/business/products/msp-security-solutions.html
https://huntress.com/mspradio/
[00:00:00] It's Friday, April 12, 2024, and I'm Dave Sobel. Three things to know today.
[00:00:08] A lone Microsoft engineer thwarts a potential global cyber attack from a Linux backdoor discovery.
[00:00:14] NIST tackles the vulnerability database backlog with public private consortium
[00:00:19] and staff reassignments, and safeguarding SMBs, the dual role of AI in preventing
[00:00:26] and detecting brand spoofing attacks. This is the Business of Tech.
[00:00:33] You're looking for security solutions for your MSP, and Bitdefender has new ones for you.
[00:00:39] With advanced protection, simplified management, 24x7 analyst-led security,
[00:00:44] threat hunting, and end-end protection options, it's time to check out Bitdefender's new offerings.
[00:00:50] With the ability to customize the security solution for what you and your customers need,
[00:00:55] you'll find a cost-effective selection with adaptive and scalable security.
[00:00:59] Want to check it out? Bitdefender would love to schedule a demo for you. Just visit bitdefender.com
[00:01:06] or the link in the show. There are a ton of cybersecurity stories to cover today,
[00:01:13] so let's do the commercial ones first. I didn't want to miss this story from last week.
[00:01:19] One guy saved us all from a massive supply chain attack. Andres Freund,
[00:01:25] software engineer at Microsoft, inadvertently discovered a backdoor hidden in a piece of software
[00:01:30] that's part of Linux. This backdoor could have led to a major cyberattack with significant
[00:01:35] damage. His findings were sent to open-source software developers who quickly developed a fix,
[00:01:41] but undetected, the backdoor would have given its creators access to millions of computers
[00:01:45] worldwide. The attacker's identity remains unknown, but the sophistication of the attack
[00:01:50] suggests the involvement of a nation with advanced hacking capabilities.
[00:01:56] The price of zero-day exploits is rising as companies strengthen their products against
[00:02:00] attackers. Startup Crowdfense is offering millions of dollars for tools to hack iPhones,
[00:02:06] Android devices, WhatsApp, and iMessage. These zero-days rely on unpatched vulnerabilities
[00:02:11] in software, commonly acquired by companies like Crowdfense and Zerodium to be sold to government
[00:02:17] agencies or contractors. The price increase is attributed to the improved security measures
[00:02:22] implemented by companies like Apple, Microsoft, and Google. As exploiting vulnerabilities
[00:02:28] becomes more challenging, the cost of zero-day exploits is expected to continue increasing.
[00:02:34] A misconfigured SaaS application caused a recent data breach at Home Depot.
[00:02:38] The breach exposed employee information and highlights the growing problem of SaaS-based attacks.
[00:02:44] Security experts emphasize the need for firms to improve their SaaS security practices
[00:02:50] and implement controls to prevent data breaches. Why do we care?
[00:02:55] If you ever wonder about, can one person make a difference, remember that just one guy
[00:03:00] spotted a massive issue. "See something, say something" is a cliche for a reason.
[00:03:07] SaaS misconfigurations are an area of interest for ongoing security management.
[00:03:12] My continued interest in cloud and SaaS management is because of this issue. It's
[00:03:17] an ongoing monitoring and management problem and one that's still significantly difficult to
[00:03:22] handle in a multi-tenant, multi-customer way. CISA and NIST have been busy,
[00:03:29] so let's cover that as we look at moves by the federal government and cyber.
[00:03:33] I previously discussed how the U.S. National Institute of Standards and Technology is facing
[00:03:38] a backlog of vulnerability analysis in the National Vulnerability Database due to a lack
[00:03:44] of interagency support. NIST has fallen behind in adding essential enrichment information to new
[00:03:50] CVE entries, and the institute analyzed only 199 of the 3,370 CVEs it received last month.
[00:03:59] New information is that NIST is working to establish a public-private consortium to improve the
[00:04:05] NVD, is prioritizing analysis of the most significant vulnerabilities, and is reassigning
[00:04:11] staff to deal with the backlog. The Cybersecurity and Infrastructure Security Agency has
[00:04:17] directed federal agencies to investigate if Russian hackers stole Microsoft account details.
[00:04:23] The hackers gained access to sensitive information from agencies by compromising
[00:04:27] Microsoft's corporate email accounts, and CISA has deemed the stolen emails a grave risk to
[00:04:32] the federal government. Affected agencies have been instructed to take immediate remediation
[00:04:37] action, reset credentials, and perform a cybersecurity impact analysis.
[00:04:42] And according to a report from the U.S. Cyber Safety Review Board, the 2023 Microsoft
[00:04:48] cloud email breach that impacted federal agencies was preventable and attributed
[00:04:53] to Microsoft's inadequate security culture. The report highlights a cascade of errors by
[00:04:58] Microsoft, including failure to detect compromises and inaccurate public statements.
[00:05:04] The board recommends major changes and restoration of security as a top
[00:05:08] corporate priority for Microsoft. That report is also noted as causing significant damage
[00:05:14] to Microsoft's reputation with the U.S. government.
[00:05:17] And CISA has made its Malware Next-Gen analysis system publicly available, allowing any organization
[00:05:24] or person to submit malware samples for analysis. The system, designed to handle the growing
[00:05:29] workload of cyber threat analysis, offers advanced analysis capabilities and encourages
[00:05:35] registration and submission of suspicious files for analysis. However, only CISA analysts and
[00:05:43] vetted individuals can access the analysis report.
[00:05:48] The Pentagon has officially established the Office of the Assistant Secretary of Defense
[00:05:52] for Cyber Policy, giving cybersecurity the focus and attention intended by Congress.
[00:05:58] Ashley Manning will lead the office until a Senate-confirmed leader is appointed
[00:06:02] and President Biden has nominated Michael Sulmeyer for the position.
[00:06:07] Why do we care? NIST is a linchpin in the U.S.'s approach to technology,
[00:06:12] so its funding and ability to execute my care.
[00:06:15] I continue to wonder about reputational damage. Sure, the story-saving damage is there.
[00:06:22] I suspect the change will come with increased standards and requirements, not an exit.
[00:06:27] That's good news for the rest of us. Our search to make a difference.
[00:06:31] Let's start with a piece in The Atlantic called "The Flaw That Could Ruin Generative AI."
[00:06:44] A technical problem called memorization poses a significant threat to generative AI companies.
[00:06:50] Large language models can reproduce copyrighted texts, undermining the fair use argument.
[00:06:57] Lawsuits filed by Universal Music Group and The New York Times highlight the issue
[00:07:01] and its potential impact on the generative AI industry.
[00:07:05] And speaking of generative AI, Medical Economics reports on the ability of chatbots to replace
[00:07:11] doctors. A recent American Journal of Preventative Medicine study evaluated the accuracy of AI
[00:07:17] models, ChatGPT-4 and Bard, in providing preventative medicine and primary care recommendations.
[00:07:24] The findings showed that ChatGPT-4 had 28.6% accurate responses, 42.8% accurate with missing
[00:07:31] information and 28.6% inaccurate responses. Bard, however, demonstrated higher accuracy rates
[00:07:39] with 53.6% accurate responses, 28.6% accurate with missing information, and 17.18% inaccurate
[00:07:47] responses. Both models struggled with immunization-related questions, and ChatGPT-4's outdated
[00:07:54] recommendations highlighted the need for continuous updates in AI systems.
[00:07:59] Or let's consider the dual role of SMB brand spoofing with an article from Dark Reading.
[00:08:05] While AI makes it easier for adversaries to impersonate brands and carry out spoofing attacks,
[00:08:11] it also enables organizations to detect and block such attacks.
[00:08:15] Small and mid-sized businesses are particularly vulnerable to brand spoofing, and AI-powered
[00:08:20] security tools can help them fight back. SMBs face numerous cyberattacks,
[00:08:25] brand spoofing being a pernicious threat. AI-generated fake content makes it easier
[00:08:31] for hackers to impersonate smaller brands. However, security architects are using AI
[00:08:36] to develop tools that can detect and block impersonation attacks, providing SMBs with
[00:08:41] better defense capabilities. In addition to AI, implementing solutions like DMARC and
[00:08:46] maintaining open communication with customers and vendors can also help prevent brand spoofing.
[00:08:53] And a harrowing look at the deepfake nudes in high schools in the New York Times.
[00:08:58] I'll quote an early paragraph. In October, some 10th grade girls at Westfield High
[00:09:03] School, including Ms. Mani's 14-year-old daughter Francesca, alerted administrators
[00:09:08] that boys in their class had used artificial intelligence software to fabricate sexually
[00:09:14] explicit images of them and were circulating the fake pictures. Five months later,
[00:09:20] the Manis and other families say the district has done little to publicly address the doctored
[00:09:25] images or update school policies to hinder exploitative AI use. End quote.
[00:09:32] That's not the only example in the article, and technologists should understand this issue.
[00:09:38] Why do we care? That New York Times article is sensitive enough that the AI editors I work with
[00:09:45] refuse to analyze it. That should tell you something. Understanding these challenges
[00:09:50] is the first key step in delivering high-value services to customers. Like all technologies,
[00:09:56] there are balances to strike, and your role is knowing which tool for which job,
[00:10:01] and setting those policies.
[00:10:03] Today's episode is supported by Huntress. You want to focus on your clients and are always
[00:10:11] looking for ways to get more time. Use Huntress' fully-managed cybersecurity platform to fight off
[00:10:18] cyber threats. Huntress is more than cybersecurity software for endpoints and identities. It's a
[00:10:24] 24x7 security operations center. It's security awareness training, community engagement,
[00:10:30] and dedicated partner support with an average CSAT score of 99.3%. Technology can only get you so far.
[00:10:38] Human expertise is what's needed to truly elevate and protect small businesses,
[00:10:44] and you get that with Huntress. Secure your clients and help them thrive with the
[00:10:48] number one rated EDR for SMBs on G2. Visit huntress.com slash MSP radio to find out more.
[00:10:57] Thanks for listening. Today is National Grilled Cheese Sandwich Day.
[00:11:02] Need I say more? Have a question you want answered? Take those lists or questions and
[00:11:06] I answer them on the Live Wednesday show. Send them in to question at MSPRadio.com.
[00:11:12] Next week, our live show, 3PM on YouTube and LinkedIn.
[00:11:16] You got a comment or a thought on a story? Put it in the comments if you're on YouTube
[00:11:19] or reach out on LinkedIn if you're listening to the podcast. You'll get this week's
[00:11:23] live episode on the podcast feed on Saturday and on Sunday, an interview with John Gillum
[00:11:29] talking about managing AI risks and fighting those AI-generated content pieces and how they do it.
[00:11:36] Have a great weekend and I'll talk to you on Monday.
[00:11:40] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines
[00:11:45] posted at businessof.tech. If you like the content, please make sure to hit that like
[00:11:50] button, follow or subscribe. It's free and easy and the best way to support the show
[00:11:56] and help us grow. You can also check out our Patreon where you can join the Business of Tech
[00:12:01] community at patreon.com slash MSP Radio or buy our Why Do We Care merch at businessof.tech.
[00:12:10] Finally, if you're interested in advertising on this show, visit mspradio.com slash engage.
[00:12:17] Once again, thanks for listening to me and I will talk to you again on our next episode
[00:12:22] of the Business of Tech. Part of the MSP Radio Network

