Home

Podfeet Podcasts

Security Bits logo - a green padlock with the words Security Bits to the right and in tiny letters below ithat it says 10101010 indicating a digital lock

Security Bits – 2024 June 9

  • by Bart Busschots

    • Deep Dive — You Probably Want to Avoid Microsoft Recall, at Least for Now!

    At their recent Build developers conference Microsoft announced a new line of ARM-based laptops with built-in AI chips branded as Copilot+ PCs, with one of the headline features being Recall.

    The idea is that Recall will constantly monitor everything you do on your PC, save snapshots of that information to a multi-gigabyte local database, and then use it to train and feed the Windows Copilot AI assistant built into Windows 11.

    In theory, this could be extremely useful, but the data it collects is unimaginably powerful, so it needs massive protection, and Microsoft chose to launch the feature into Preview (Microsoft jargon for Beta) without fleshing out such protections, though they did promise they’d add more controls before rolling the feature out to corporate customers as Generally Available (Microsoft Jargon for coming out of Beta).

    Security researchers were quick to start playing with the feature to see what they could find, and it wasn’t good:

    1. The feature was on by default, with the ability to opt-out via the control panel
    2. Two data types are exempt automatically:
      1. DRM-protected content
      2. Private browser tabs (definitely in Edge, not sure if it’s in all browsers)
    3. The data is stored in a simple SQLite database and was initially only protected by standard disk encryption features
    4. The data is easy to access while the user is logged in — a GitHub project with an extractor tool for extracting the most valuable data from the data store appeared just a few days after launch!

    The initial response to the feature was extremely critical, and Microsoft have responded with some changes:

    1. The feature will be moved from opt-out to opt-in
    2. The SQLite database will be encrypted
    3. The encryption is being upgraded from standard disk encryption to just-in-time encryption protected by Windows Hello

    Opinion by Bart: this is the kind of feature that has the power to be spectacularly useful, and if I was confident in the protections provided, I would love to have something like it on the Mac. But, I’m shocked at how far short of the mark Microsoft have fallen in terms of the levels of protections they thought were acceptable at launch. The tweaks they have announced are all good, but they’re nowhere near enough IMO. Personally, I would need to see the following before I even considered enabling this:

    1. Hardware-level protection — like the secure enclave, this should be a write-only data store, with data and prompts flowing in, and only answers flowing out. It should not be possible to read the raw data store, just like private keys cannot be read from a secure enclave.
    2. OS-level APIs for marking items on screen as sensitive, and enough time for those to be widely adopted by all the apps I use.

    Links

    Deep Dive — Snowflake, an Example of a Supply-Chain Attack

    TL;DR the following significant data breaches have been linked to Snowflake:

    1. Coolmaster, makers of popular cooling kits for PC gaming — www.bleepingcomputer.com/… & www.bleepingcomputer.com/…
      > “This data breach included cooler master corporate, vendor, sales, warranty, inventory and hr data as well as over 500,000 of their fanzone members personal information, including name, address, date of birth, phone, email + plain unencrypted credit card information containing name, credit card number, expiry and 3 digits cc code,” the threat actor told BleepingComputer
    2. Ticket Masterwww.bleepingcomputer.com/… & www.bleepingcomputer.com/…

      [The breach contains] customers’ full details (i.e., names, home and email addresses, and phone numbers), as well as ticket sales, order, and event information …

      They also contain customer credit card information, including hashed credit card numbers, the last four digits of the card numbers, credit card and authentication types, and expiration dates, with financial transactions spanning from 2012 to 2024.

    3. Advance Auto Partswww.bleepingcomputer.com/…

      380 million customer profiles (name, email, mobile, phone, address, and more), 140 million customer orders, and 44 million Loyalty / Gas card numbers (with customer details)

    4. Santander (major European bank), breached earlier in May, with affected users already notified — www.bleepingcomputer.com/…

    Heads Up — the remainder of this story is not a typical Security Bits story because there is nothing we regular folks need to, or even can, do to protect ourselves. The rest of this story is purely here to help interested listeners/readers better understand an important current trend in cybercrime.

    If you’re a cybercriminal, you have one goal — make money! You’re incentivised to find the most efficient way to perpetrate attacks that produce the most for your investment. This is why cybercriminals like to attack companies that provide services to companies, i.e. to compromise the supply chain.

    We’ve just seen a dramatic example of this approach with a series of high-profile breaches linked back to a single service provider — Snowflake. According to their website they provide:

    “A single, fully managed platform that powers the AI Data Cloud. Snowflake securely connects businesses globally across any type or scale of data to productize AI, applications and more in the enterprise.”

    Snowflake has some very high profile clients, including Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union & Yamaha, so you can see why they would be appealing to an attacker.

    It’s not clear exactly what happened, and there are conflicting reports, but we do know that attackers gained access to the Snowflake customer accounts for Santander, Coolmaster, Ticketmaster & Advance Auto Parts. This let the attackers steal a lot of very sensitive data.

    According to reporting from Bleeping Computer the attack started back in October, with an info-stealer malware infection on a staff PC within Snowflake. Bleeping Computer claim that attackers initially tried to extort Snowflake for $20M, but when they wouldn’t play ball, they moved on to target Snowflake’s customers directly by stealing data and selling it on the black market.

    Snowflake insist the problem is with customers not protecting their accounts properly, and that none of their systems were hacked. They also warned their customers that they were seeing an increase in attacks against Snowflake accounts.

    “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.”

    “We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.”

    “Threat actors are actively compromising organizations’ Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authentication”

    Some key points that strike me about this story:

    1. As more and more IT Services are out-sourced to Software-as-a-Service (SaaS) providers, end users are being forced to implicitly trust ever more unknown third parties — we can choose who we do business with, but we can’t know or vet who those companies outsource to 🙁
    2. Cybercriminals are investing a lot of time and effort into going after big SaaS providers, behaving almost like nation-state Advanced Persistent Threats — in this case they appear to have spent months quietly expanding their foothold within Snowflake and exfiltrating data before finally showing their hand by selling the stolen data.
    3. For goodness sake — use 2FA/MFA everywhere!!!

    Links

    ❗ Action Alerts

    Worthy Warnings

    Notable News

    Top Tips

    Palate Cleansers

    Legend

    When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

    Emoji Meaning
    🎧 A link to audio content, probably a podcast.
    A call to action.
    flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
    📊 A link to graphical content, probably a chart, graph, or diagram.
    🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
    💵 A link to an article behind a paywall.
    📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
    🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Scroll to top