TLDR Information Security 2024-06-10

Club Penguin data breach 🐧, Hidden Risk of AI 🤖, DuckDuckGo anonymous AI Chat 💬

🔓
Attacks & Vulnerabilities

Nasty bug with very simple exploit hits PHP just in time for the weekend (5 minute read)

Security researchers warn of a critical PHP vulnerability that allows trivial remote code execution on Windows devices. Within 24 hours of its disclosure and patch release, scans for vulnerable servers were detected. Experts strongly recommend checking and patching PHP servers immediately to mitigate risks.

750k Impacted by Frontier Communications Data Breach (3 minute read)

Frontier Communications suffered a data breach in which the personal information of over 750,000 individuals, including names, addresses, emails, dates of birth, phone numbers, and Social Security numbers, was leaked.

Club Penguin Fans Breached Disney Confluence Server, Stole 2.5G of Data (2 minute read)

A leak of data from Disney's internal Confluence server was published to 4chan last week. The data was thought to only contain archives about Club Penguin but was revealed to also contain new information about Disney's corporate strategies, advertising plans, internal tools, business projects, and internal infrastructure. One of the tools was a high-performance asynchronous messaging library and the other was a show authoring and playback tool that allows Disney producers and authors to create non-linear experiences using real world input from sensors in Disney parks.
🧠
Strategies & Tactics

How to Secure the SaaS Apps of the Future (6 minute read)

This post introduces the identity problems that modern SaaS apps face and the more complex ways that attackers hunt for access. It lays out SSO, user provisioning (via SCIM), and programmatic access to logs as requirements for modern SaaS apps. It also proposes proof-of-possession, continuous access evaluation profiles, and universal logout for SaaS apps of the future.

The Hidden Risks of AI: An Offensive Perspective on Emerging Threat Vectors (3 minute read)

This post explores potential AI threat vectors through an offensive mindset. It discusses mitigation strategies and acknowledges the need for further development of AI security solutions as adoption rapidly increases.

Encryption At Rest: Whose Threat Model Is It Anyway? (12 minute read)

This post discusses the importance of encryption at rest for web and cloud applications to protect sensitive data. It highlights the need for a clear threat model and proper key management when implementing encryption at rest. It also emphasizes the risks of confused deputy attacks and the importance of understanding the nuances of encryption strategies.
๐Ÿง‘โ€๐Ÿ’ป
Launches & Tools

AirMDR (Product Launch)

AirMDR utilizes AI for triaging security events, investigating alerts, and deploying response and containment measures.

Kubelet CSR Approver (GitHub Repo)

Kubelet CSR Approver is a Kubernetes controller designed to automatically approve kubelet-serving CSRs after validating a configurable series of security checks.

Betterscan CE (GitHub Repo)

Betterscan is an orchestration toolchain that uses state-of-the-art tools to scan your source code and infrastructure-as-code (IaC) and analyze your security and compliance risks.
🎁
Miscellaneous

Google's $2.3 million check helped the company get a trial by judge instead of jury (3 minute read)

The U.S. Justice Department's antitrust lawsuit against Google's alleged adtech monopoly will proceed as a bench trial before a judge this fall, after Google filed a $2.3 million cashier's check to cover potential damages, avoiding a potentially unpredictable jury trial.

DuckDuckGo Offers “Anonymous” Access to AI Chatbots Through New Service (2 minute read)

DuckDuckGo unveiled a new AI Chat service that allows users to freely converse with mid-range LLMs while attempting to preserve privacy. The available models include OpenAI's GPT-3.5 Turbo, Anthropic's Claude 3 Haiku, Meta's Llama 3, and Mistral's Mixtral 8x7B. DuckDuckGo notes that in the case of GPT-3.5 Turbo and Claude 3 Haiku, the data needs to be sent to remote servers outside of DuckDuckGo, so the privacy experience is not as strong.

Microsoft 'recalls' screenshot feature after outcry (3 minute read)

Microsoft is revising its controversial "Recall" feature for Copilot+ PCs after privacy concerns. Originally designed to capture desktop screenshots, Microsoft is now making Recall an opt-in feature with improved privacy and security safeguards.
⚡️
Quick Links

Apple to Launch Standalone Passwords App in iOS 18 and macOS 15 (1 minute read)

Apple plans to increase the accessibility of its password manager by breaking it out into a standalone app.

Adobe Responds to Vocal Uproar Over New Terms of Service Language (3 minute read)

Amid controversy over changes to its Terms of Service, Adobe claims that it does not train Firefly generative AI models on customer content and will never assume ownership over a customer's work.

Trail of Bits: Announcing AI/ML safety and security trainings (2 minute read)

Trail of Bits has announced that it will be providing AI/ML safety and security training for organizations that covers fundamentals, vulnerabilities, risk assessment, and mitigation strategies for securing AI/ML systems.