
AI can find bugs and flaws, but don't forget the cybersecurity basics

The leading cause of big breaches is failing to do the cybersecurity fundamentals.

It happened again.

This time, a company left a million passports, driver's licenses, and selfies in a publicly exposed web storage bucket that anyone could access using only their web browser, no password needed. The data was hosted on Amazon Web Services, which means the customer had to jump through a multi-step process to set the storage bucket to public, and yet they did just that. This wasn't even the first huge public exposure of government-issued IDs, after I reported on another batch of some 223,000 documents that spilled online last year; and, of course, there was also the Discord age verification data breach.

This story is the latest example of a damaging breach — in this case, people's identity documents — caused by a basic security issue that could have been easily avoided. This exposure puts those people at risk of identity theft at a time when online age checks are increasingly the norm.

At the same time during my daily reporting beat, I'm hearing more and more about AI, which makes sense, since for better or worse it's having a broad effect on cybersecurity at large. It's an important conversation to have (including layoffs, people's mental health, and the environmental costs), while also acknowledging that companies are still making the same cybersecurity mistakes that plagued the web ten or twenty-plus years ago.

Generally speaking, I see largely two major themes of discussion about how AI models could affect the future cybersecurity landscape.

The first is about how AI models are making it easier to discover security vulnerabilities in a company's technology stack, whereas it might take a human attacker far longer. That's arguably (ostensibly) why some AI companies have limited access to their models; the logic being that the models in the wrong hands could pose a cybersecurity risk to companies that have yet to bolster their cyber posture.

The other is that malicious hackers could use AI to actively conduct cyberattacks. This is where AI models are used to find and exploit security weaknesses, perhaps using two or more vulnerabilities chained together, to break into a system or network. In some of the government tests with access to the latest AI models, the models carried out successful autonomous, multi-stage attacks on vulnerable networks that had weaker security postures. The same tests on more complex networks saw limited-to-mixed results.

We are already seeing AI models finding security flaws in source code, often at a greater volume than human researchers, which is helping companies to patch more bugs in their software. The recent mass-slew of patches in the popular Firefox browser is an encouraging example, even if most of the bugs are not meaningfully exploitable. Cloudflare, meanwhile, has explored some of the limitations of AI, including discovering false positives, innocuous bugs, and fixing issues while introducing entirely new ones. Other security companies have had similar experiences.

I appreciate that there is a lot of excitement and buzz around AI. The capabilities of AI are changing rapidly, and there may be a point where this post doesn't hold up as much. But at the same time, it's also important to not forget the cybersecurity basics. If the government assessments of AI cyber capabilities of today are anything to go by, it's all the more reason to invest in strong cyber foundations and best practices to make it more difficult for an attack to succeed.

If we look back at some of the more damaging and impactful data breaches — from the types of data taken, to the downstream fallout for customers, and the scale of the data thefts — many of these intrusions can be attributed to relatively simple cybersecurity flaws or weaknesses.

When I say basic, we're talking accounts protected with a password but no multi-factor authentication, staff being allowed to download dodgy software with malware hidden inside, and — as mentioned — mistakenly setting a company's sensitive files to "public."

To name a few:

  • Most recently, education tech giant Instructure was hacked — twice — by the ShinyHunters hackers, whose intrusion methods of choice rely on voice phishing and social engineering trickery. ShinyHunters and other overlapping groups have been on a voice-phishing rampage of late, and successfully hacked dozens of high-profile companies — universities, tech companies, and data giants — by calling employees on the phone.
  • Iranian government-backed hackers broke into U.S. medical tech giant Stryker earlier this year by using an employee's credentials that were likely stolen after they installed information-stealing malware buried in dodgy software downloaded onto their work computer (or logging in from their compromised personal device). After getting access to Stryker's centralized dashboard, the hackers remotely wiped tens of thousands of employee devices in seconds.
  • Separately, CNN ($) also reported that Iranian hackers are accessing fuel storage tank sensors at gas stations, which have been left connected to the internet but without a password.
  • Not to be forgotten: Data analytics giant Snowflake didn't enforce multi-factor authentication on the accounts of its customers, some of which are Fortune 500 giants, allowing hackers to log in with passwords stolen from — you guessed it, infostealing malware — and download their customers' data from their clouds. That included customers like AT&T, ticketing giant Ticketmaster, and Santander Bank.
  • And, multibillion dollar health tech giant Change Healthcare, a subsidiary of UnitedHealth Group, allowed ransomware hackers to break in and steal most of America's health data also because it wasn't using multi-factor authentication. The ransomware hackers also used a stolen password to allow them to log right in.

We don't know if these attacks would have ultimately succeeded by another means. But doing the basic security measures raises the digital perimeter higher and increases the challenge for attackers trying to break in. Password management, using multi-factor authentication (or better yet, device-based authentication for work-issued computers), being unable to install unapproved or dodgy apps on your computers, and keeping your software up-to-date (subject to your own priority patching policies, of course) cut out most of the top attack vectors.

There is no such thing as absolute security, just as no fortress is entirely impenetrable. But given the option of painstakingly chipping away at a security bug until a necessary breakthrough — or reusing a stolen password and just walking through the digital front door — both an AI attacker and a human hacker would surely be inclined to take the easiest route.

~ ~

Thank you so much for reading ~this week in security~. If you liked this article, please share it! Feel free to reach out with any feedback, questions, or comments about this article: this@weekinsecurity.com.