Podcast Summary: "Cast of Special Characters"
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Release Date: October 2, 2024
1. Introduction
In the latest episode of Talkin' About [Infosec] News, the Black Hills Information Security team dives deep into several pressing topics within the information security landscape. Hosted by the BHIS team members—John Strand, Hal, Corey, Ryan, and Kelly—the discussion is filled with insightful analyses, spirited debates, and a touch of humor, ensuring an engaging listen for both seasoned professionals and newcomers alike.
2. Password Guidance Update
Discussion Highlights:
The episode kicks off with an intensive debate over the recent password guidance updates, primarily focusing on the National Institute of Standards and Technology (NIST) recommendations.
- NIST Standards Critique: The hosts express strong opinions about the new NIST guidelines, especially concerning password length and complexity requirements.
- Hal's Frustration [37:31]: "This shit's perpetuating and it's not getting better. Like, seriously, if they want to do password complexity requirements, tell people to use a passphrase and make it like 21 characters and then be done with it."
- Corey's Sarcasm [37:49]: "Think like the people you Facebook, the people you sign in with generate OAuth."
- Minimum and Maximum Password Lengths: The hosts scrutinize the mandate of a minimum of eight characters, arguing that it is insufficient in the current threat landscape. They also discuss the recommendation to allow a maximum of 64 characters, questioning its necessity.
- John Strand's Observation [39:36]: "But there’s nothing in this that says you can’t just pick password, is that right?"
- Hal's Rant [39:44]: "They have this math up here where they talk about, L is set for 6 months and 12 minutes... It’s amazing how outdated these standards are."
Notable Quotes:
- Hal on Password Policies [44:05]: "NIST invites people to submit their comments and guidelines to dig comments at nist government by 11. October 7th. I'm going to write an email."
- Corey on Password Spray [43:28]: "What the hell are you doing allowing UDP through your frickin' firewall anyway?"
3. CUPS Vulnerability in Linux/BSD
Discussion Highlights:
A significant portion of the episode is dedicated to dissecting a newly disclosed vulnerability in the Common UNIX Printing System (CUPS), which affects Linux, macOS, and BSD systems.
- Vulnerability Breakdown: Corey provides an in-depth explanation of the CUPS vulnerability, emphasizing its limited real-world impact due to the specific requirements for exploitation.
- Corey's Analysis [08:07]: "So the vulnerability's finally announced on Thursday... it’s a vulnerability in CUPS which of course affects every, not only Linux machine in the world, but Macs and BSD and okay..."
- Impact and Hype: The hosts debate the actual risk posed by the vulnerability, arguing that while it was overhyped, it serves as a valuable lesson for penetration testers and system administrators.
- Hal on Hype vs. Reality [11:15]: "So what you’re saying is Linux is insecure and we shouldn’t use it?"
- John Strand on Customer Impact [17:04]: "This is IoT for sure. It’s a lot of IoT."
Notable Quotes:
- John Strand on Exploit Potential [10:48]: "I could set up a situation to exploit this RCE... I will buy you a burrito if you can point to an in-the-wild compromise."
- Hal on Service Utilization [13:36]: "I have never heard anybody that’s like, you know, what we need on this Linux server? CUPS."
4. US Capitol Data Breach Allegations
Discussion Highlights:
The conversation shifts to recent claims of a massive cyber attack targeting the US Capitol, raising concerns about the security of congressional data.
- Nature of the Breach: The hosts clarify that while sensitive information related to Congress members was discovered via info stealers, there is no concrete evidence pointing to a coordinated cyber attack.
- John Strand's Clarification [23:55]: "This is just someone going back through info stealers and finding a bunch of Congress members, which is terrifying and valid research. But isn’t really anything saying it was hit by a cyber attack."
- Political Implications: The team discusses the potential political fallout and the recurring nature of such breaches, drawing parallels to previous incidents.
- Corey's Insight [25:03]: "Maybe there's a path forward with European privacy frameworks, but in the US, it’s lagging."
Notable Quotes:
- Hal on Data Exposure [24:27]: "If a real threat actor were to make a post on breach forums... it would make the news because it makes that data more accessible."
5. AI Security Issues: ChatGPT Memory Exploit
Discussion Highlights:
A noteworthy segment addresses a vulnerability in ChatGPT that allows attackers to inject false information into the AI's memory, posing new security challenges.
- Exploit Explanation: John Strand explains that attackers can manipulate ChatGPT’s memory settings to store malicious instructions, which are then reused in future interactions.
- John Strand on AI Attack [54:10]: "Someone discovered a vulnerability in ChatGPT that allowed attackers to store false information and malicious instructions in a user’s long-term memory settings."
- Security Implications: The hosts debate whether this is a fundamental flaw in AI or merely an issue with the implementation of AI systems.
- Hal on AI Risks [56:44]: "We've seen it a number of times with Microsoft. Tay is my favorite example."
Notable Quotes:
- Ryan on Memory Control [58:01]: "Turning it off isn't that big of a deal... But at the end of the day, I didn’t even know it was there."
6. Udemy's AI Ingestion Controversy
Discussion Highlights:
The team discusses concerns surrounding Udemy's opt-in AI ingestion for all lessons, raising ethical and compensation issues for course instructors.
- AI-Generated Content: Hal highlights that Udemy is processing instructors' lessons through large language models (LLMs) without compensating the original creators.
- Hal on Udemy's Practices [63:26]: "They are literally taking instructors... and then they're distilling it down through an LLM... customers can come and ask questions and get answers around that."
- Impact on Content Creators: The conversation delves into the lack of reimbursement or recognition for the experts whose content feeds these AI systems.
- Corey's Concern [68:12]: "It is an effort to replace that type of expert... without reimbursing them."
Notable Quotes:
- Hal on Content Exploitation [63:05]: "There's no money going to the instructors or the experts that created the content that is fueling those LLMs."
- John Strand on AI Inflation [67:55]: "AI is getting smarter because it’s siphoning in more data. What happens when it starts siphoning in the data that it made?"
7. Kia Car Hacking Incident
Discussion Highlights:
A segment is dedicated to a vulnerability allowing attackers to control Kia vehicles via their online systems using only the license plate number.
- Vulnerability Details: Ryan brings up a case where hackers exploited Kia’s online system to gain complete control of the car.
- Ryan on Kia Hack [60:27]: "There was a way to hack a Kia through its online system and have complete control of the car. And all you needed was its license plate number."
- Penetration Testing Shortcomings: Hal critiques the inadequacies in Kia’s web application penetration testing, emphasizing the lack of comprehensive business logic testing.
- Hal's Critique [61:08]: "It's a way better. We should pivot."
Notable Quotes:
- Hal on Web App Testing [61:52]: "They didn’t do any business logic error testing or trying to jump over to."
- John Strand on Cyber Weapon [62:15]: "That should be illegal."
8. General Discussions and Rants
Discussion Highlights:
Throughout the episode, the hosts engage in lively debates and rants about various topics, including:
- Frustration with NIST Standards: A recurring theme is the hosts' dissatisfaction with the current NIST password guidelines, deeming them outdated and inadequate for modern security needs.
- AI Regulation and Future Outlook: The speakers express skepticism about impending AI regulations, fearing that existing legislative measures are too slow to address the rapid advancements and associated risks.
- Ethical Concerns in Information Security: The hosts discuss the moral implications of data breaches and the ethical responsibilities of both organizations and individuals in safeguarding information.
Notable Quotes:
- Hal's Doomsday Vision [71:33]: "We were doing a doomsday panel. That's gonna be amazing."
- Kelly on AI Regulations [69:36]: "The California AI bill was vetoed by the governor... So the Wild West continues for artificial intelligence."
Conclusion
In "Cast of Special Characters," the Black Hills Information Security team provides a comprehensive analysis of current cybersecurity threats and trends, from outdated password policies and critical vulnerabilities to the ethical dilemmas posed by AI advancements. Their candid discussions and expert insights offer listeners a nuanced understanding of the evolving infosec landscape, highlighting both the challenges and the need for proactive security measures.
Key Takeaways:
- Password Security: The necessity for more robust and updated password policies that reflect current technological capabilities and threat landscapes.
- Vulnerability Management: Understanding the real impact of vulnerabilities like the CUPS issue and avoiding the pitfalls of overhyping security threats.
- AI and Security: Recognizing the new classes of attacks emerging from AI implementations and the importance of securing AI systems against memory and data manipulation.
- Ethical Considerations: Addressing the exploitation of expert content by AI platforms without proper compensation or acknowledgment.
Listeners are encouraged to stay informed, adopt best security practices, and engage in ongoing education to navigate the complexities of information security effectively.