Join the NIST Privacy Framework Team | Further Develop the Data Governance & Management Profile

Dear Colleagues,    

Building on the valuable stakeholder feedback received during the Ready, Set, Update! Privacy Framework 1.1 + DGM Profile Workshop this past June, we are pleased to announce that we will host a series of public working sessions this fall to further shape the joint NIST Frameworks Data Governance and Management (DGM) Profile. This next phase in the DGM Profile development will offer stakeholders the opportunity to engage in collaborative discussions to shape the content of the DGM Profile Initial Public Draft.

The first set of working sessions will take place the week of September 9, 2024 and will be dedicated to the topic of data governance and management activities. These working sessions will be virtual and will consist of both guided and open discussions. Each session will cover the same material, so there is no need to attend more than one.

To accommodate participants across various time zones, we will hold the virtual sessions during the following days and times:

All information relative to the working sessions, including registration, is available on the Privacy Framework’s New Projects page. Pre-read materials will be released in advance of the working sessions.

We invite you to bring your expertise and join us as we advance the development of this important resource! If you have any questions, feel free to reach out to us at privacyframework@nist.gov.


Best,  

NIST Privacy Framework Team 

Register Here

Multiple Vulnerabilities in SolarWinds Web Help Desk

Multiple vulnerabilities have been discovered in SolarWinds Web Help Desk (WHD), the most severe of which could allow for remote code execution. WHD is a SolarWinds IT help desk solution. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.
Threat Intelligence CISA reports CVE-2024-28986 is being actively exploited in the wild.​​​
Systems Affected
Web Help Desk prior to 12.8.3 Hotfix 2
Risk
Government:
– Large and medium government entities: High – Small government entities: High
Businesses: – Large and medium business entities: High
– Small business entities: High
Home Users: Low
Recommendations
Apply appropriate updates provided by SolarWinds to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Reference
SolarWinds: 
https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2

Multiple Vulnerabilities in Google Chrome

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence Google is aware that an exploit for CVE-2024-7971 exists in the wild.
Systems Affected
Chrome prior to 128.0.6613.84/.85 for Windows and Mac Chrome prior to 128.0.6613.84 for Linux
Risk
Government:
– Large and medium government entities: High – Small government entities: Medium
Businesses: – Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict execution of code to a virtual environment on or in transit to an endpoint system. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
Reference
Google: 
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Employment Scams Delivered Via Text Messages Increase

Employment scams are increasing, and scammers are devising new methods to target unsuspecting job seekers. Recently observed scams more frequently begin with a text message, initiating conversations about a potential job opportunity. The scammer claims to be a recruiter who expresses interest in the target’s compatibility for a vacant position and attempts to ascertain the target’s willingness to explore the opportunity further. The message outlines the position’s benefits, which include remote work, flexible hours, and potential average daily pay ranging from $100 to $1,000 or more.
They may inquire about work experience, salary expectations, and other typical employment concerns. To avoid detection, they often request to continue the conversation on an encrypted chat platform like WhatsApp. Legitimate companies typically do not request that applicants send materials through instant messaging services.
Once the conversation moves to a different platform, they may ask for personal information, such as a Social Security number (SSN), a photo of the target’s driver’s license, and banking details, claiming they need to set up direct deposit. Scammers may also ask job seekers to pay processing or application fees or to pay for training. The victim may receive a fraudulent invoice for equipment, with instructions to pay using cash, Zelle, or PayPal and a promise of reimbursement.
Consumer advocates warn that a weakening US labor market may make job seekers more susceptible to these scams. According to the Federal Trade Commission (FTC) data, consumers have lost nearly $24 million to job and employment agency text scams this year. Users are more likely to read text messages than answer phone calls, making text messages a preferred contact method for scammers. Recent data from the Identity Theft Resource Center shows that the number of reported job scams increased by 118 percent from 2022 to 2023, and researchers predict a further increase this year.
Recommendations
Educate yourself and others about these and similar scams. Legitimate businesses typically will not ask you to contact them via social media platforms. Refrain from clicking on or contacting unknown telephone numbers found in unsolicited pop-up notifications, or links and attachments delivered via emails or text messages. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Confirm the legitimacy of requests by contacting the careers section of a company’s official website or consider calling the company’s human resources department to verify if the job offer is legitimate.  Report malicious cyber activity to the FTC, FBI’s IC3, and the  NJCCIC.

Brand Impersonation Scams Continue

Businesses in the Information Technology sector act as critical service providers and part of a supply chain, store sensitive information, provide access to other accounts, and frequently engage with customers. These businesses deliver essential and frequently used services, such as email and other communications, cloud storage, online shopping, and more, increasing the likelihood that users will quickly respond to messages or inquiries from familiar and trustworthy brands. As of the second quarter of 2024, this sector ranks at the top of the list in brand impersonation and is an attractive and valuable target. Threat actors continue impersonating major technology companies, such as Google, Zoom, Facebook, Microsoft, and Apple, and their legitimate products and services. They use social engineering to lure their targets through communications or malicious ads, introduce scare tactics, and attempt to steal personal data, financial information, account credentials, and funds.

In the past month, PINEAPPLE and FLUXROOT hacker groups leveraged Google Cloud serverless projects to deliver and communicate with their malware, host and direct targets to phishing websites, and run malware and execute malicious scripts. In a separate campaign, threat actors abused Google Ads to post malicious ads that appeared official and verified by Google. If the user clicked on the malicious ad, they were redirected to a fake Google Authenticator site that inadvertently led to a signed payload hosted on GitHub. If installed, personal data would be at risk of being stolen via the attacker-controlled phishing website. 

Additionally, threat actors targeted cryptocurrency investors and NFT holders, invited them to a Zoom meeting, and provided a malicious link that, if clicked, downloaded malware, added itself to the Windows Defender exclusion list, and stole funds. In a separate campaign, threat actors used Facebook to create fake pages, groups, ads, and content of popular generative artificial intelligence (AI) brands with malicious links that, if clicked, downloaded malware to steal passwords, cryptocurrency wallets, and information stored in the browser. Furthermore, threat actors spoofed the caller ID to display Microsoft’s name or number. They impersonated Microsoft employees or representatives to make fraudulent calls to trick potential victims into divulging personal or financial information.

Image Source: Malwarebytes

Threat actors are impersonating Google’s entire product line via malicious Google Search ads to direct potential victims to spoofed websites and Microsoft and Apple tech support scams. These malicious ads point to Google Search, Translate, Flights, Analytics, Calendar, Earth, Maps, Meet, and more. Upon closer inspection, the URLs of these ads are hosted on Looker Studio and contain an image of the Google Search home page that displays in full-screen mode. When the image is clicked, an embedded link launches a new tab to redirect the victim to a fake Microsoft or Apple alert page attempting to hijack the browser, play a recording, claim that the computer has been blocked, and advise the victim to contact support via the provided phone number. The threat actors behind the fake support number purport to be Microsoft or Apple representatives and persuade victims to purchase gift cards or log into their bank accounts to pay for the phony repair.

The NJCCIC’s email security solution detected multiple credential phishing campaigns targeting New Jersey State employees using legitimate products and services of major technology companies. In one campaign, threat actors utilize several products of the Google suite, including Gmail, Calendar, Forms, and Meet, to send phishing emails as calendar invitations to verify Bitcoin funds will be transferred. A Gmail user sends the calendar invitation to the target and other purported guests utilizing Gmail accounts, and it claims funds are currently being withdrawn to create a sense of urgency. One link in the calendar invitation directs the target to a Google Meet session, which initially displays that no camera was found and prompts the user for permission to access their microphone. Then, instead of waiting to be let into the session, the target can sign in with their Google account credentials. To supposedly validate the particulars, another link in the calendar invitation directs the target to a Google Forms page and, if submitted, displays a Bitcoin-themed landing page, utilizing the hxxps://globalminingbit[.]top domain, to receive Bitcoin bonus funds. After several redirects, clicking multiple buttons, and communicating with a chat representative, the target is prompted for their name, email address, financial information, and account information to receive the funds.

Threat actors are also sending fraudulent Zoom invitations in credential phishing campaigns. If the Zoom link is clicked, targets are directed to a fraudulent Microsoft SharePoint page with the organization’s branding, pointing to a newly registered hxxps://thepivoproject[.]com domain appended with the target’s email address and followed by a client identifier with random characters. If credentials are submitted on this phishing page, they are sent to the threat actors in the background.

Recommendations

  • Refrain from answering unexpected calls from unknown contacts. When receiving unsolicited phone calls, do not respond to any requests for sensitive information or access.
  • Avoid responding to messages, clicking links, or opening attachments from unknown or unverified senders, and exercise caution with emails from known senders.
  • Confirm the legitimacy of requests by contacting the sender via a separate means of communication, such as by phone, using contact information obtained from official sources before responding, divulging sensitive information, or providing funds.
  • Navigate directly to legitimate websites and verify before submitting account credentials or providing personal or financial information.
  • Use strong, unique passwords and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Reduce your digital footprint so that threat actors cannot easily target you.
  • Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.

Microsoft 365 Virtual Training Day: Fundamentals

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Microsoft 365 Fundamentals to learn how to simplify the adoption of cloud services while supporting strong security, compliance, privacy, and trust. Also, discover how applications such as Microsoft Teams and Microsoft Viva help improve productivity, facilitate collaboration, and optimize communications. After completing this training, you’ll be eligible to take the Microsoft 365 Fundamentals certification exam at 50% off the exam price. You will have the opportunity to: Find out how the productivity, collaboration, and endpoint management capabilities of Microsoft 365 empower people to stay connected and get more done across hybrid environments. Discover how Microsoft 365 security, compliance, and identity solutions help secure an entire digital estate, simplify compliance, and reduce risk. Explore the pricing models, licensing, and billing options available to meet the needs of your organization. Join us at an upcoming two-part Microsoft 365 Fundamentals event:
Delivery Language: English
Closed Captioning Language(s): English
  September 05, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
September 06, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada) 
  September 16, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
September 17, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada) 
 
  September 26, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
September 27, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada) 
 
  
Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.
 

NIST to Revise Special Publication 800-135 Rev. 1 | Recommendation for Existing Application-Specific Key Derivation Functions

In July 2023, NIST’s Crypto Publication Review Board initiated a review process for NIST Special Publication (SP) 800-135 Revision 1, Recommendation for Existing Application-Specific Key Derivation Functions  (2011) and received public comments.

In May 2024 NIST proposed revising SP 800-135 Rev. 1. No public comments were received in response to that proposal.

NIST has decided to revise SP 800-135 Rev. 1. See the full announcement for more details, links to comments received, and ways to monitor future developments.

Read More

Microsoft.Source Newsletter | AI for Developers

Featured
Code Samples Explore Microsoft Copilot for Microsoft 365 extensibility samples > Use this collection of samples to build Copilot extensions. Build Teams message extensions and Microsoft Graph connectors to extend Copilot for Microsoft 365.  
What’s New
Blog Explore tools and resources that will help you do more with AI > Use Copilot to be a more productive developer, add AI into your apps, and build customized copilot experiences for your organization.  
Product Announcement OpenAI’s fastest model, GPT-4o mini is now available on Azure AI > GPT-4o mini allows you to deliver stunning applications faster and at a lower cost. Try it at no cost in the Azure OpenAI Studio Playground.  
Product Announcement Dev Proxy v0.19 with simulating LLM APIs and new Azure API Center integrations > Learn about new capabilities in the latest Dev Proxy release and discover how Dev Proxy can help you achieve more with APIs. #Azure #LLMs #AI  
Events See Local Events >
In Person and Virtual What to expect at Microsoft Ignite this year / November 18 -22 > Experience keynotes, attend sessions, meet with partners and customers, and so much more. Join us in Chicago or online!  
Virtual Event GitHub Universe / October 29-30 / San Francisco > Join thousands of developers, cloud architects, cybersecurity professionals, and more to fine tune your skills and learn the latest in AI, DevEx, and security.  
In person and Online Microsoft Fabric Conference / Sept. 24–27 / Sweden > Join us for the latest Microsoft Fabric news, workshops, and networking opportunities.  
Securing AI Apps on Azure / On demand > Learn how to secure your AI apps on Azure using Microsoft Entra in this multi-part series.  
On demand .NET Conf: Focus on AI > Did you miss the special .NET Conf event? Watch the on demand videos now and see how you can integrate AI into your .NET applications.  
Events See Local Events >
In Person and Virtual What to expect at Microsoft Ignite this year / November 18 -22 >Experience keynotes, attend sessions, meet with partners and customers, and so much more. Join us in Chicago or online!  
Virtual Event GitHub Universe / October 29-30 / San Francisco > Join thousands of developers, cloud architects, cybersecurity professionals, and more to fine tune your skills and learn the latest in AI, DevEx, and security.  
In person and Online Microsoft Fabric Conference / Sept. 24–27 / Sweden > Join us for the latest Microsoft Fabric news, workshops, and networking opportunities.  
Securing AI Apps on Azure / On demand > Learn how to secure your AI apps on Azure using Microsoft Entra in this multi-part series.  
On demand .NET Conf: Focus on AI > Did you miss the special .NET Conf event? Watch the on demand videos now and see how you can integrate AI into your .NET applications.  
Learning
Learning Hub Get skilled up and ready with the AI learning hub on Microsoft Learn > The AI learning hub provides trusted resources for developers to gain the skills needed to power AI transformation with the Microsoft Cloud.  
Learn Plan Microsoft Fabric Analytics Engineer Learn Plan > This plan will prepare you for Exam DP-600 and your future as a Microsoft Certified Fabric Analytics Engineer.  
Learn Hub Start your Copilot journey on the Copilot learning hub > The Copilot learning hub on Microsoft Learn is the place where technology professionals find resources to help them develop skills to put Microsoft Copilot to work.  

Announcing NIST Symposium on Unleashing AI Innovation, Enabling Trust

NIST will convene a hybrid symposium on September 24-25, 2024, in Washington, D.C., to discuss recent efforts by the NIST AI Innovation Lab (NAIIL) to help unleash artificial intelligence (AI) innovations in ways which enable trust. 

Participants will learn about recent and ongoing efforts, and contribute to NIST’s vision for the work ahead, including opportunities to expand its collaborations with the AI community. Responsible for a variety of NIST’s AI efforts and headquartered within the agency’s Information Technology Laboratory, NAIIL advances AI measurement methods and guidelines, including their incorporation into international standards. 

The 1.5 day event will take place at The George Washington University in Washington, D.C. Limited in-person and unlimited remote participation is available. The symposium will feature discussions about the most recent developments and next steps in key issues relating to AI innovation and trust. Sessions will build on NIST’s past, ongoing, and planned efforts.

For more information and to register: https://www.nist.gov/news-events/events/2024/09/unleashing-ai-innovation-enabling-trustRegister Now

Implementation Challenges in Privacy-Preserving Federated Learning

In this post, we talk with Dr. Xiaowei Huang, Dr. Yi Dong, Dr. Mat Weldon, and Dr. Michael Fenton, who were winners in the UK-US Privacy-Enhancing Technologies (PETs) Prize Challenges. We discuss implementation challenges of privacy-preserving federated learning (PPFL) – specifically, the areas of threat modeling and real world deployments.

In research on PPFL, the protections of a PPFL system are usually encoded in a threat model that defines what kinds of attackers the system can defend against. Some systems assume that attackers will eavesdrop on the system’s operation but won’t be able to affect its operation (a so-called honest but curious attacker), while others assume that attackers may modify or break the system’s operation (an active or fully malicious attacker). Weaker attackers are generally…

Read the Blog