Holiday News Edition Featuring Special Guests – PSW #809
In the Security News: If we still can’t change default passwords, we all lose, The Flipper Zero, NO CVE FOR YOU, New tools that are not new at all, The BIOS logo attack vector, a $15 router that has secrets, turns out AI is stupid, and SLAM, dun dun ot, Spectre based on linear address masking,
Hosts
- 1. US govt warns that sanctions swerving GPUs will fall under their ‘control the very next day’
- 2. Diamond Sleet supply chain compromise distributes a modified CyberLink installer
- 3. Extracting Training Data from ChatGPT
- 4. GreyNoise Labs – Details and Caveats for ownCloud information disclosure (CVE-2023-49103)
- 5. Exploitation of Unitronics PLCs used in Water and Wastewater Systems
As long as we still need to advise this: "Ensure the Unitronics PLC default password “1111” is not in use." - We will be vulnerable, and attackers will be wildly successful.
- 6. 2 municipal water facilities report falling to hackers in separate breaches
- 7. The Flipper Zero has gotten a bad rap but I love this little hacking tool
Its gets a bad rap, for a whole host of reasons. This article leaves out A LOT. For example, there is not one mention of GPIO in the entire article. For me, this is the most powerful feature as it allows for add-ons and a ton of possibilities.
- 8. Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
But no CVE was issued...
- 9. New Tool Set Found Used Against Organizations in the Middle East, Africa and the US
I think we need to re-define what "new" means: "This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities. Threat actors have used this along with the other two tools in multiple attacks targeting organizations across the U.S., Middle East and Africa. Its C2 infrastructure dates back to 2020."
- 10. UEFI exploit ‘worse than BlackLotus’ pwns PCs using images
I covered an article a while back that talked about instant boot PCs and issues with BIOS logos. This is a problem and one that I believe has existed for some time.
- 1. Forescout Vedere Labs discloses 21 new vulnerabilities affecting OT/IoT routers – Forescout
- 2. [CRITICAL] Bountysource is Insolvent, do not use! · Issue #1586 · bountysource/core
- 3. Update On The BLUFFS Bluetooth Vulnerability
- 4. Hacker Tools Origin Stories
- 5. iPhones have been exposing your unique MAC despite Apple’s promises otherwise
- 6. Man buys $15 router from thrift store and discovers millionaire’s dirty secrets
- 1. The Inside Story of Microsoft’s Partnership with OpenAI
A long, detailed explanation of how the near-collapse and revival of OpenAI happened. My main takeaway is that Microsoft’s chief executive, Satya Nadella, is very good at his job. Microsoft faced a severe crisis, with their new Copilot suite of products based on OpenAI technology, and that company suddenly and inexplicably firing its CEO. Microsoft skillfully and calmly guided the parties to a solution that restored Sam Altman to lead OpenAI, removed the troublemakers from the board, and gave Microsoft a board seat at OpenAI.
- 2. GenAI is highly inaccurate for business use — and getting more opaque
Large Language. Models make a lot of mistakes responding to normal prompts -- from 3 to 27%. But when asked to look up data in SQL databases, they are much worse. They return accurate responses to most basic business queries just 22% of the time. And for intermediate and expert-level queries, accuracy plummeted to 0%.
- 3. ‘It’s not a public service, it’s toxic’: welcome to the world of gossip surveillance
TikTokers are sharing strangers’ conversations, hoping to expose gossipers to the very people they’re talking about. Is the humiliation worth it? This is a new form of privacy invasion.
- 4. Secure by Design Alert: How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity
An excellent recommendation from CISA, explaining how products should be designed so ordinary users will be reasonably secure, when using the default setup.
- 5. Researchers Made an IQ Test for AI, Found They’re All Pretty Stupid
Artificial intelligence programs still struggle with basic problem-solving skills that people excel at. In fact, their complete lack of understanding of the physical world and lack of planning abilities puts them way below cat-level intelligence, never mind human-level.
- 6. Amazon will offer human benchmarking teams to test AI models / Companies can evaluate AI models before use.
Model Evaluation on Bedrock has two components: automated evaluation and human evaluation.. The automated tests assess the model’s performance on metrics like robustness, accuracy, or toxicity for tasks like summarization, text classification, question and answering, and text generation. The human tests can be customized, including tests for toxicity, empathy and friendliness.
- 7. SLAM: SPECTRE BASED ON LINEAR ADDRESS MASKING
A new covert channel exploits Spectre on modern CPUs with Spectre mitigations enabled. It works on many modern processors, and attacks a common code pattern that appears tens of thousands of times in the Linux kernel. In a demo , they leak the root password hash within half a minute on a last-generation Ubuntu system. The mitigation is to disable Linear Address Masking or LAM.
- 8. I’m watching ‘AI upscaled’ Star Trek and it isn’t terrible
Star Trek fans have been using AI in an attempt to make a version of the acclaimed series Deep Space 9 that looks decent on modern TVs.. It’s actually quite good.
