Fake Dead Grandma’s, No Flipper Zero, Looney Tunables, & $20 Mil For Zero Days – PSW #801

Dude, just tell them it's a digital pet dolphin..

""From our analysis of WS_FTP, we found that there are about 2.9k hosts on the internet that are running WS_FTP (and also have their webserver exposed, which is necessary for exploitation). Most of these online assets belong to large enterprises, governments and educational institutions." - Also interesting that WS_FTP is owned by Progress Software, same one that has MoveIT.

What is old is new again: The Marvin Attack is a return of a 25 year old vulnerability that allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed with the private key. In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption. In 2018, Hanno Böck, Juraj Somorovsky, and Craig Young have shown 19 years later that many internet servers were still vulnerable to slight variations of the original attack.We show that many implementations previously thought immune, are vulnerable to the timing variant of the same attack."

"MQTT is a publisher-subscriber protocol (pub-sub) aimed at allowing distributed remote communication. Two entities reside within the MQTT protocol: a client that sends and receives messages, and a broker that distributes received messages and routes them to appropriate clients." - When you see MQTT think: "This thing is vulnerable as fudge".

""The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, "you do what you do," the ZDI representative said."

The most recent update for Windows 11 includes support for passkeys across the platform. The feature was introduced in June for the Windows Insider program. The passkeys will be created through the Windows Hello biometric authentication tool.

The US State Department said that hackers took around 60,000 emails in an attack which Microsoft has blamed on China.

Protect sensitive conversations in email with encryption. Encryption of stored email provides need to know protection beyond the encryption in transit already in place.

The European Telecommunications Standards Institute (ETSI) has disclosed that it experienced a cybersecurity incident which affected the system dedicated to members’ work. ETSI believes that the attackers exfiltrated a database containing information about its online users.

This body is responsible for the development and testing of technical standards for information and communication including GSM. 3G, 4G, 5G and others, so don't be too hard on them for flaws in their IT system security.

The malware was disguised as a coding challenge in an executable, which was protected to only decrypted on the intended victim's system, making detection/sandboxing much more difficult. Even so, remind users to beware of recruiters bearing executables, noting that many threat actors, such as the Lazarus group, are really good at social engineering and will work to convince users the payload is benign.

The FBI has published a Private Industry Notification (PIN) warning of new trends in ransomware attacks: an increase in organizations being impacted by two or more ransomware variants in quick succession, and new data destruction tactics.

Arm has released advisories for three vulnerabilities affect its Mali GPU Kernel Driver. One of the vulnerabilities is reportedly being actively exploited. Arm describes the issue as allowing “a local non-privileged user [to] make improper GPU memory processing operations to gain access to already freed memory.” Fixes are available for affected products. Google released fixes for CVE-2023-4211 in September for affected Pixel and Chromebook devices. The issue also impacts Samsung S20/21, Motorola Edge 40, and other Android devices.

For Linux or other systems with the chipset, make sure that you have the appropriate ARM Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0.

It appears that criminals are now actively exploiting vulnerabilities in Progress Software’s WSFTP Server. Progress released updates to address eight vulnerabilities in the software last week. On September 30, researchers from Rapid7 noticed “exploitation of one or more recently disclosed WSFTP vulnerabilities in multiple customer environments.” https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/

In June 2022, researchers from Google’s Zero Day Initiative reported six vulnerabilities in Exim email transfer agent to the vendor. The most serious of the issues is an AUTH out-of-bounds write remote code execution vulnerability. Exim has recently begun developing fixes for the flaws. As of 10/3/23, Exim has released fixes for three of the vulnerabilities.

South Africa's State Security Agency (SSA) alleges that the U.S. CIA and Britain's MI6 hacked its systems to access sensitive and compromising information.

Consider that to them the CIA and MI6 are the state sponsored hackers. Later they say they weren't really sure who hacked.

Robert Wayne Lee, 40, went by “Boopac Shakur” to his nearly 50,000 followers on social media, where he conducted extrajudicial investigations by posing online as a 15-year-old girl to lure alleged predators into meetings. Lee approached two young men at a restaurant about 10:30 p.m. Friday, according to the news release. He accused one of the men of being a pedophile and punched him, prompting the man to pull out a knife, officials said. The other man pulled out a pistol and shot Lee several times, officials said. A recent uptick in the practice has been fueled by right-wing rhetoric about people grooming children and the need to “save the children.”

It can do kids' homework, and it can also code an app based on a simple handwritten block diagram. This is amazing stuff.

This summer, OpenAI, Alphabet, Meta, Amazon, and several other major AI players pledged to develop watermarking technology to combat misinformation. But the professor is blunt when he sums up the current state of watermarking AI images. “We don’t have any reliable watermarking at this point,” he says. “We broke all of them.”

Team82 disclosed critical vulnerabilities in ConnectedIO’s ER2000 edge routers. which act as gateways, connecting IoT devices to the internet. The vulnerabilities affected not only the edge routers, but also the cloud-based device management platform, and the communication protocol used between devices and the cloud An attacker could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device information.

This led to a full chain Remote Code Execution (RCE). There are thousands of vulnerable instances publicly exposed, including of some of the world’s largest organizations — Google, Amazon, Meta, and others. The default configuration of TorchServe accidentally exposes the management interface to the entire world, without any form of authentication, allowing unauthorized access. A new critical (NVD, CVSS 9.8) SSRF vulnerability (CVE-2023-43654) in the management interface allows remote code execution (RCE), supporting configuration uploads from any domain. They can also be hacked remotely with Remote Code Execution while unsafely deserializing a malicious model (GHSA, CVSS 9.9).

OpenRefine is a Java-based open-source data cleaning and transformation tool. With almost 10k stars and ~1.8k forks, it is one of the more popular GitHub projects. We found a Zip Slip vulnerability, caused by inadequate path validation when extracting archives, which may allow attackers to overwrite existing files or extract files to unintended locations. The attacker can execute arbitrary code on the user’s machine:

The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in GNU C Library’s dynamic loader’s processing of the GLIBC_TUNABLES environment variable. We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.

It's bad. Really bad. The number of malicious packages is 245,000--2X all previous years combined. 18.6% of open source projects across Java and JavaScript that were maintained in 2022, are no longer maintained today

Elon Musk's embrace of the alt-right has scared away his advertisers, who don't want their ads appearing next to Nazi content. Now Google is partnering with X to bring in more ads, tying Google's reputation to X's. "This is an opportunity to reach X’s vast audience of over 200 million actively engaged daily users using Google Ads’ familiar campaign set-up and targeting tools. It’s worth noting that X doesn’t have the same strict advertising guidelines and practices in place around ad placement, and there is a risk your campaign could appear alongside unrestricted and even offensive content."

Bing Chat allows users to upload images for the AI model to examine or discuss. Normally, Bing Chat refuses to solve CAPTCHAs. X-user Denis Shiryaev devised a visual jailbreak that circumvents Bing Chat's CAPTCHA filter by tricking it into reading the inscription on his imaginary deceased grandmother's locket.

According to the scientists, there’s no universal method by which data can be deleted from a pretrained large language model. If an LLM was trained on sensitive banking information, there’s typically no way for the AI’s creator to find those files and delete them. Instead, AI devs use guardrails such as hard-coded prompts that inhibit specific behaviors or reinforcement learning from human feedback (RLHF). But the sensitive data can still be extracted 38% of the time by whitebox attacks and 29% of the time by blackbox attacks.

Rather than create an entire dating profile, all the app requires is one selfie from users. It then uses an AI algorithm to examine personality traits it identifies in your face and recommends potential partners based on their compatible traits. It had an accuracy rate of around 87%, adding that the 77% response rate of SciMatch's users was also higher than that of Tinder.

"Defenders think in lists, attackers think in graphs; as long as this is true, attackers win." KubeHound is a toolkit for visualizing attack paths in Kubernetes deployments. The aim is to shift the mental model of Kubernetes security from list-based thinking to graph-based thinking and help defenders to regain the advantage.

Biochemist Katalin Karikó and immunologist Drew Weissman won the Nobel Prize in Physiology or Medicine for mRNA work crucial to the rapid development of the life-saving mRNA COVID-19 vaccines. However, their early work was unappreciated and she had difficulty getting grants, leading U Penn to demote her, and finally force her to retire.

Predators befriend victims online under false pretenses, entice them to send incriminating photos and then demand payment under threat that they’ll expose the photos to family and friends. The number of sextortion cases targeting young people “has exploded in the past couple of years,” with teen boys being specific targets, said Lauren Coffren, executive director of the Exploited Children Division at the National Center for Missing and Exploited Children (NCMEC). “They’re using shame, embarrassment and fear, and they’re tapping into that,” Coffren said. “They’re exploiting children’s worst nightmares.”

Mistral, an AI company founded by former Google and Meta alums pushed an “unmoderated” model into the world that will readily tell users how to kill their wives or restore Jim Crow-style discrimination. It's distributed as a magnet link to a torrent file, so it cannot be taken down. Safety was not evaluated or even mentioned in their public comms. If the intention was to share an ‘unmoderated’ LLM, then it would have been important to be explicit about that from the get go. “As a well-funded org releasing a big model that is likely to be widely-used, I think they have a responsibility to be open about safety, or lack thereof. Especially because they are framing their model as an alternative to Llama2, where safety was a key design principle.”