Edition #9
Table of Contents
Snowflake Data Leak Puts at Least 165 Clients at Risk
Whistleblower Speaks About Negligence at Microsoft Prior to SolarWinds Attack
Apple Intelligence: What to Expect and Security Implications
NSO Group Declares Government Officials and Military Leaders “Legitimate Targets”
EU Considers Bill That Would Mandate the Mass Scanning of Digital Messages
Ilya Sutskever Founds Safe Superintelligence Following Dramatic Exit From OpenAI
Active Directory Defense Startup Achieves Unicorn Status
Snowflake Data Leak Puts at Least 165 Clients at Risk
What happened:
Incident response firm Mandiant reports that hackers may have stolen a "significant volume of data" from customers of cloud data platform Snowflake. The attackers logged in to customer instances with stolen credentials; Mandiant found no evidence that Snowflake's own environment was breached.
What to know:
At least 165 organizations have been identified as potentially affected, including Ticketmaster and LendingTree.
The threat isn't over: TechCrunch confirms that hundreds of Snowflake customer credentials, harvested by infostealer malware, are still circulating online.
Snowflake defends its own security in an official statement, attributing the compromises to customers who left their accounts exposed by not enabling multifactor authentication.
Snowflake says it is working on a plan to require customers to use MFA and other security controls, but has yet to provide a timeline or specifics.
Business impact:
Companies that use Snowflake, or that partner with or rely on vendors that do, should immediately determine whether they have been affected; in particular, confirm that MFA is enforced on every Snowflake account rather than left to individual users.
Snowflake's denial of wrongdoing and criticism of its customers' security practices is a reminder of the shared-responsibility model: a service provider will not take responsibility for a breach that uses valid customer credentials, so access to SaaS applications has to be treated as entirely the customer's own risk.
What to do:
Check with vendors and partners to find out whether they use Snowflake, or are connected to parties that do.
Enforce MFA for every account, not just "high-risk" applications; if your company is a Snowflake customer, also rotate credentials and restrict logins to known networks, since the attackers are using valid passwords rather than exploiting a vulnerability.
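The MFA audit and containment steps above, as an added example written for this edition (it is not from the newsletter, Mandiant, or Snowflake's own tooling). It assumes the ACCOUNTADMIN role, access to the SNOWFLAKE.ACCOUNT_USAGE views (which lag live data by up to a few hours), and uses corp_only, suspect_user and the documentation range 203.0.113.0/24 as placeholders to be replaced with your own names and egress CIDRs.

```sql
-- Added example, not from the newsletter or from Snowflake's own tooling:
-- an MFA-coverage audit plus the two containment steps most relevant to a
-- credential-theft campaign. Assumptions: run with the ACCOUNTADMIN role,
-- the SNOWFLAKE.ACCOUNT_USAGE views are accessible (they lag live data by
-- up to a few hours), and corp_only / suspect_user / 203.0.113.0/24 are
-- placeholder names and a documentation CIDR to be replaced with your own.

USE ROLE ACCOUNTADMIN;

-- 1. Active users that can log in with a password but have no MFA enrolled.
--    Service accounts should use key-pair auth (HAS_RSA_PUBLIC_KEY) and no
--    password at all, so any that still carry a password also show up here.
SELECT name,
       login_name,
       has_password,
       ext_authn_duo      AS mfa_enrolled,
       has_rsa_public_key,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins (no second factor) in the last 30 days,
--    with client type and source IP. These are the accounts actually being
--    used without MFA, so they get fixed first; an unfamiliar client or IP
--    against a known-leaked credential is the trace this campaign leaves.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS last_login
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4, 5
ORDER BY logins DESC;

-- 3. Contain an account whose credential is known to be exposed: disable it
--    so it can no longer log in, abort its running queries, and invalidate
--    the leaked password so the account can later be re-enabled with a
--    fresh credential plus MFA.
ALTER USER suspect_user SET DISABLED = TRUE;
ALTER USER suspect_user ABORT ALL QUERIES;
ALTER USER suspect_user RESET PASSWORD;

-- 4. Stop a stolen password from being usable from anywhere on the internet:
--    allow logins only from corporate egress ranges. Snowflake checks that
--    your current IP is in the list before activating an account-level
--    policy, but double-check the list yourself before running this.
CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

The EXT_AUTHN_DUO column name reflects that Snowflake's built-in MFA is delivered through Duo; a user enrolled in MFA has it set to TRUE. Query 2 is the one to rerun after remediation: once MFA and the network policy are in place, it should return no rows.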
For more information, check out this article.
Whistleblower Speaks About Negligence at Microsoft Prior to SolarWinds Attack
What happened:
Andrew Harris, a former Microsoft employee, has spoken about his experience at the company before the SolarWinds cyberattack, revealing that he flagged the potential for "SAML attacks" (an attacker who compromises an organization's on-premises identity server can forge the SAML tokens that sign users in to cloud services such as Microsoft 365, bypassing both passwords and MFA) years before they occurred.
What to know:
Despite Harris' warnings about the severity of the flaw, Microsoft repeatedly brushed off his concerns.
Harris says the deprioritization was underpinned by a profit-over-security mindset, as Microsoft viewed winning a share of an upcoming cloud computing contract with the US federal government as a business imperative.
Harris' fears were realized in the SolarWinds campaign, discovered in December 2020 after an intrusion that began in 2019: Russian state hackers used a trojanized SolarWinds Orion update to get into victims' networks and then abused the SAML weakness to move into their cloud environments. As many as 18,000 organizations downloaded the malicious update (a much smaller number were targeted for follow-on intrusion), including multiple US government departments, most alarmingly the National Nuclear Security Administration.
Business impact:
The SolarWinds attack was so broad that even organizations with no direct relationship to SolarWinds were affected; the full extent of the intrusion is still being investigated today.
The prioritization of profit over customers points to a troubling trend in Microsoft's internal culture, despite its stated commitment to putting security "above all else".
What to do:
Companies should map how Microsoft products, especially identity and federation infrastructure, sit in their own environments, examine how far another breach of Microsoft's security would reach into them, and review ways to mitigate that risk.
For more information, check out this article.
Apple Intelligence: What to Expect and Security Implications
What happened:
Apple has finally released details about its new AI project, "Apple Intelligence," which integrates generative AI into iPhone, iPad and Mac to create a "semi-autonomous," personalized AI assistant.
What to know:
The assistant draws on the personal data on your device (i.e., your mail, messages, photos and calendar) to personalize its responses; Apple promises to keep as much of the processing as possible on the device itself to limit the security exposure.
Requests that can't be handled by the device's own hardware are sent to Apple's "Private Cloud Compute," which Apple says runs on Apple silicon servers, does not retain user data after a request completes, and will publish its software images so that independent researchers can verify those claims.
For requests its own models can't handle, users can opt, per request, to send their input to OpenAI's ChatGPT; those requests leave Apple's system, and Apple's privacy guarantees do not extend to OpenAI's handling of the data.
Business impact:
The Apple Intelligence feature is poised to boost iPhone sales, foreshadowing a possible Apple boom.
Could benefit some businesses through faster scheduling and workflow acceleration.
Company data could be processed by ChatGPT (which Apple's Private Cloud Compute does not cover) without company approval, because the decision to route a request to ChatGPT is made by the individual user on the device.
The widespread introduction of this technology may require companies to strengthen mobile device security to contain the risk.
What to do:
Employees who handle sensitive company information should be especially mindful of what their own Apple Intelligence has access to and of what they choose to send on to ChatGPT.
Companies should explore Mobile Device Management (MDM) and related controls to secure employees' devices, including limiting which AI features may be used with corporate data.
For more information, check out these articles.
NSO Group Declares Government Officials and Military Leaders “Legitimate Targets”
What happened:
In court filings in NSO Group's ongoing legal battle with WhatsApp (which accuses the Pegasus spyware maker of infecting over 1,400 devices), NSO Group states that all government officials and military leaders are legitimate targets for its products by the nature of their jobs.
What to know:
This statement is a significant revelation of the intended use cases of its technology, which, according to the company's mission statement, is to be used only "to prevent acts of terrorism, large-scale drug trafficking, pedophile networks, and other serious criminal acts".
The latest comment makes no mention of that mission statement and suggests a far broader intended use for the technology.
NSO Group is no stranger to ethical scrutiny: its technology was reported to have been used to surveil journalist Jamal Khashoggi's inner circle in the weeks leading up to his assassination, and the company was blacklisted by the Biden administration, which cited concerns that it had acted "contrary to the foreign policy and national security interests of the US".
Business impact:
The outcome of WhatsApp's lawsuit against NSO Group will determine to what extent NSO Group, and other commercial surveillance vendors, can be held accountable for malicious uses of their technologies.
It will also show how effective legal action against spyware developers can be, and inform companies whose platforms are exploited by such developers on how to proceed.
For more information, check out this article.
EU Considers Bill That Would Mandate the Mass Scanning of Digital Messages
What happened:
On June 20, EU member states were scheduled to vote on a position on a bill that would mandate the mass scanning of digital messages in the EU; the vote was pulled at short notice, and no new date had been announced as of this writing.
What to know:
The bill's stated goal is to automatically scan digital messages to flag content that may be child sexual abuse material.
Critics say it is a fundamental violation of the right to privacy in personal correspondence.
Business impact:
Would subject all EU digital correspondence to surveillance.
Potentially massive security risk from undermining end-to-end encryption: to scan encrypted messages, the scanning would have to run on the user's device before encryption (client-side scanning), which defeats the guarantee that only the endpoints can read the content.
What to do:
Track this legislation if your company does business in Europe.
Consider how the passage of such a bill would affect your company and its data security.
For more information, check out this article.
Ilya Sutskever Founds Safe Superintelligence Following Dramatic Exit From OpenAI
What happened:
After drawn-out tensions and an eventual falling-out with OpenAI leadership in May over how to handle AI safety, Ilya Sutskever has announced the launch of his own company, Safe Superintelligence, which, as the name implies, will focus exclusively on the development of safe superintelligent AI.
What to know:
Safe Superintelligence is being built from the ground up as a for-profit company and is currently recruiting.
Business impact:
How OpenAI fares after losing one of its key scientific minds remains to be seen, but one thing is certain: the company's trajectory has been altered by Sutskever's exit, with speculation that OpenAI will take a less cautious approach to development.
For more information, check out this article.
Active Directory Defense Startup Achieves Unicorn Status
What happened:
Semperis' valuation has surpassed $1 billion after it raised $125 million from J.P. Morgan and Hercules Capital.
What to know:
Semperis offers hybrid AD threat detection and response, which monitors for and blocks attacks on on-premises Active Directory and Entra ID while providing a unified, real-time view of AD and Entra ID security.
Semperis' specialization in Active Directory sets it apart in the cybersecurity industry, and even before an IPO it has received significant accolades from big names such as Deloitte.
Semperis will devote the new funding to R&D and business development.
According to its CEO, an IPO is on the horizon.
Business impact:
Semperis' rapid success highlights the importance of, and a growing demand for, AD defense.
What to do:
Companies should investigate ways to protect their AD systems if they aren't already, and ensure that those measures are as rigorous and up to date as possible: a compromised directory, as in the SolarWinds campaign covered above, hands an attacker every cloud service federated to it.
For more information, check out this article.