Friday, April 17, 2026 — Meeting Recap

AI's impact on cybersecurity, Microsoft Red Sun zero-day, HSBC password controversy

Quick recap. The Cloud Security Office Hours meeting focused on discussing recent developments in AI's impact on cybersecurity, particularly around Microsoft's Mythos AI tool and its potential to accelerate vulnerability discovery and exploitation. Participants debated whether AI significantly changes cloud security practices or merely accelerates existing trends, with Neil and Matt suggesting that while AI increases speed, the fundamental security approaches remain similar. The group also discussed a concerning trend of companies like Dave's employer replacing human resources with AI, which raised questions about job security and potential legal implications. Additionally, the team examined a reported password policy change at HSBC that required passwords to be entered in all uppercase, which sparked debate about whether this represented a security issue or a database migration problem. The conversation ended with discussions about the importance of zero trust architectures and resilient systems as defenses against faster security threats, regardless of whether they originate from AI-powered attacks.

AI in HR and Payroll Discussion

The team discussed various updates and topics, including technical issues with audio during the meeting and the challenges of consumer laptop updates. Dave shared concerns about his company's decision to replace HR and payroll functions with AI, which sparked discussion about the potential legal implications. The group also briefly touched on a new Microsoft Defender zero-day vulnerability. Throughout the meeting, participants engaged in casual conversation and shared links to relevant content, including a custom challenge coin.

Microsoft Red Sun Zero Day

The team discussed a Microsoft Red Sun zero-day exploit that leverages the Cloud Files API and oplock (opportunistic lock) race conditions to gain SYSTEM privileges through Windows Defender. Bartek explained how the exploit uses file locks to create a race condition where Defender gets stuck in a remediation loop, allowing attackers to redirect file writes to system directories. The group noted that while Microsoft initially rejected this as a design issue, the exploit could potentially affect any privileged service writing files in unprivileged locations, making it an OS-level vulnerability.

Cloud Security Team Updates

The team discussed several topics including the nature of Defender, which was clarified to be primarily user space rather than kernel-level. Rev shared an idea about creating humorous management risk acceptance stamps for cybersecurity conferences. The group also discussed the Signal chat group for Cloud Security Office Hours, with Neil warning about the high volume of messages. D inquired about getting a pull request accepted on GitHub, which Neil agreed to review. Shawn announced recent website updates, including a new CTF page and news page improvements.

Cybersecurity Threat Naming Conventions

The group discussed the importance of consistent threat actor naming conventions across cybersecurity organizations, with Neil explaining how Microsoft and CrowdStrike have struggled with harmonizing their naming systems over the past decade. The conversation then shifted to analyzing a potential phishing message from HSBC India about password requirements, with participants debating whether the message was legitimate or fake. The discussion highlighted common password policy issues in banking systems, including problems with special character requirements and database upgrades.

HSBC Password Security Concerns

The team discussed a news story about HSBC India requiring customers to use all-uppercase passwords, which raised security concerns about potential plaintext password storage. Neil explained the difference between storing plaintext passwords and hashed passwords, noting that proper password storage should use one-way cryptographic hashing. The group debated whether HSBC might have been using an algorithm that converts passwords to uppercase before hashing, which would explain why existing passwords only work when entered in all uppercase. Ryan pointed out that the Cyber Security News post was from April 1st, suggesting it might be an April Fools' prank.
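
The uppercase-before-hashing hypothesis debated above, worked through as an added example (not code from the meeting or from any HSBC system). PBKDF2, the function names and the sample password are assumptions chosen for illustration; the point is that a one-way hash plus case folding reproduces the reported symptom without plaintext storage, at a measurable cost in search space.

```python
import hashlib
import hmac
import math
import os


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for the bank's real hash, which is unknown.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def legacy_enroll(password: str) -> tuple[bytes, bytes]:
    """Hypothesised legacy behaviour: fold to upper case, then hash with a salt."""
    salt = os.urandom(16)
    return salt, _kdf(password.upper(), salt)


def legacy_verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Legacy login: folds the input the same way, so any casing is accepted."""
    salt, digest = record
    return hmac.compare_digest(_kdf(password.upper(), salt), digest)


def migrated_verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Hypothesised new login path: same stored record, case folding dropped."""
    salt, digest = record
    return hmac.compare_digest(_kdf(password, salt), digest)


def bits_lost(length: int, with_case: int = 62, folded: int = 36) -> float:
    """Search-space reduction in bits for a random alphanumeric password."""
    return length * (math.log2(with_case) - math.log2(folded))


def demo() -> dict:
    record = legacy_enroll("Tr0ub4dor9x")  # constructed sample password
    return {
        "legacy_mixed": legacy_verify("Tr0ub4dor9x", record),
        "legacy_lower": legacy_verify("tr0ub4dor9x", record),
        "migrated_mixed": migrated_verify("Tr0ub4dor9x", record),
        "migrated_upper": migrated_verify("TR0UB4DOR9X", record),
    }


if __name__ == "__main__":
    print(demo())
    print(round(bits_lost(11), 1))
```

After the hypothetical migration only the all-uppercase form verifies, which is what customers reported; the stored record alone cannot tell an observer whether the original was ever kept in plaintext.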

AI Impact on Cloud Security

The group discussed the impact of AI on cloud security, with Neil expressing skepticism about Anthropic's Mythos project, noting that while it may have marketing value, it doesn't fundamentally change existing security approaches. Jay shared insights from an executive advisory board meeting, predicting a "Wild West" period of two years where large enterprises will make mistakes implementing AI solutions, potentially leading to legal issues, business disputes, and unexpected costs. The discussion also touched on concerns about job security in the face of AI automation, with participants noting that while AI may improve some attacker behaviors and defense capabilities, it's not a complete replacement for human expertise.

AI Impact on Security Challenges

The group discussed the impact of AI on security and business, particularly focusing on the speed at which vulnerabilities can be discovered and exploited. Matt expressed concerns about the economic viability of AI-powered businesses, predicting potential challenges for companies like Oracle within 1-2 years. The discussion highlighted that while AI may make attackers more effective, the real challenge lies in organizations' ability to respond quickly to threats through improved infrastructure, zero trust methodologies, and defense-in-depth strategies rather than just speed of patching. The conversation also touched on the broader security landscape, including the importance of supply chain security and the potential of eBPF and post-exploitation techniques in addressing vulnerabilities.
