Stolen Cred Bizarre, US CyberSec, Stealing Cars With Headlights, & AI Censorship – PSW #780
In the security news: the FBI seizes one of the biggest stolen credential markets; is catching ransomware the baseline for detection and response?; potential outcomes of the US National Cybersecurity Strategy; thieves are using headlights to steal cars; China wants to censor generative AI; Tesla sued for snooping on owners through built-in cameras. All that and more on this episode of Paul’s Security Weekly.
- 1. 40% of IT security pros told not to report data loss
According to Bitdefender's 2023 Cybersecurity Assessment report, three quarters of US respondents experienced an intrusion of some kind in the past year. 40 percent of IT infosec folk polled said they were told to not report security incidents, and that climbs to 70.7 percent in the US, far higher than any other country.
- 2. Overview of Google Play threats sold on the dark web
The price of a loader able to deliver a malicious or unwanted app to Google Play ranges between $2,000 and $20,000. The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners and even dating apps.
- 3. Leaked intelligence document shows that Egypt, a longtime US ally, secretly planned to provide Russia with 40,000 rockets and gunpowder: report
The Washington Post obtained a series of classified files posted in February and March to the gaming platform Discord. A top secret document, dated February 17, features discussion from Egyptian officials about how to supply their Russian counterparts with gunpowder and artillery from Egyptian factories. The US has said there is no proof that Egypt sold the 40,000 rockets to Russia.
- 4. Leaked Pentagon documents reveal South Korea’s turmoil over sending arms to Ukraine
The latest revelation made by the documents tells how the United States has been spying on South Korea and divulges information about Seoul's stand on the Ukraine war. The reveal has the potential to wreck relations between the two countries. The discussion about whether or not to send ammunition to Ukraine happened on March 1, 2023, between two of South Korean President Yoon Suk Yeol's senior national security advisors.
- 5. The mounting human and environmental costs of generative AI
The article's main point, that too much computing power is used for AI, did not impress me. But the second figure is interesting, showing AI's incredibly rapid growth, increasing by a factor of 10 every year.
- 6. Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories
Repo jacking is an attack on GitHub repositories, where attackers are able to hijack GitHub repositories by reregistering previously used usernames. We found 439 GitHub users that do not exist anymore. These users have 529 GitHub repositories that are used by packages.
- 7. NPR quits Twitter after being falsely labeled as ‘state-affiliated media’
NPR will no longer post fresh content to its 52 official Twitter feeds, becoming the first major news organization to go silent on the social media platform. In explaining its decision, NPR cited Twitter's decision to first label the network "state-affiliated media," the same term it uses for propaganda outlets in Russia, China and other autocratic countries.
- 8. CISA publishes update to Zero Trust Maturity Model
The updated maturity model adds an additional maturity stage – optimal – alongside traditional, initial and advanced, which were included in the agency’s initial guidance document. The Zero Trust Maturity Model’s five pillars — identity, devices, networks, applications and workloads, and data — are meant to be a guide for federal agencies’ zero trust strategy implementations, and most agencies have started off focusing on identity and data questions.
- 9. Amazon’s Palm Reading Payment Option Will Soon Come to Whole Foods Market
Amazon is continuing to expand its contactless payments service, Amazon One, via partnerships with several retailers—including Whole Foods Market, which will be letting consumers pay with just the palm of their hands in 11 of its locations in Colorado. Whole Foods Market shoppers will need to link both their palm and payment card at a participating point-of-sale station or kiosk. Once that’s completed, they’ll be able to check out by holding their hand above the scanner before leaving the store.
- 10. Ukrainian hackers say they have compromised Russian spy who hacked Democrats in 2016
Ukrainian hackers claim to have broken into the emails of a senior Russian military spy wanted by the Federal Bureau of Investigation for hacking the Hillary Clinton campaign and other senior U.S. Democrats ahead of Donald Trump's election to the presidency in 2016. It wasn't immediately clear what information the hackers had managed to steal or how significant it was. Morgachev's inbox could potentially hold insight into Russia's hacking operations, including the operation against Clinton and the Democrats.
- 11. Biden Administration Weighs Possible Rules for AI Tools Like ChatGPT
In a first step toward potential regulation, the Commerce Department on Tuesday put out a formal public request for comment on what it called accountability measures, including whether potentially risky new AI models should go through a certification process before they are released. “We believe that powerful AI systems should be subject to rigorous safety evaluations,” OpenAI said in a recent blog post. “Regulation is needed to ensure that such practices are adopted, and we actively engage with governments on the best form such regulation could take.”
- 12. Don’t use public phone charging stations: FBI
The FBI is warning people to not use public phone charging stations, which have become increasingly popular in places like airports and shopping malls.
The problem is that hackers have found a way to introduce malware and other software onto devices through the public stations, the FBI said.
- 13. Let Me Unwind That For You: Exceptions to Backward-Edge Protection
"Backward-edge control-flow hijacking" is the technical term for the typical aleph0-type buffer overflow exploit, taking over code execution when a function returns. These attacks are mitigated by stack canaries and shadow stacks, which place return addresses on a separate stack inaccessible to the attacker. However, the attacker can cause an exception to gain control of execution. This is a well-known attack on Windows: Structured Exception Handler exploits. This paper extends this attack to Linux, calling it Catch Handler Oriented Programming or CHOP. They found 442 bugs potentially exploitable by this technique in open-source projects written in C++.
- 14. Iran installs cameras to find women not wearing hijab
Women seen not covering their hair would receive "warning text messages as to the consequences", police said. This would help prevent "resistance against the hijab law", police said.
- 15. Tesla workers shared images from car cameras, including “scenes of intimacy”
From 2019 to at least mid-2022, Tesla employees used an internal messaging system to share "sometimes highly invasive videos and images recorded by customers' car cameras," according to a lengthy Reuters report based on interviews with nine former Tesla employees. Some of the recordings caught Tesla customers in embarrassing situations. One ex-employee described a video of a man approaching a vehicle completely naked. Whether sharing has stopped is unclear.
- 16. WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches
Code-reuse attacks take control of a process without injecting code. Modern mitigations, ASLR, DEP, and CFI, make code-reuse exploits more challenging. Unfortunately, compiler optimizations may undermine these security guarantees. For instance, compilers may introduce double-fetch vulnerabilities that lead to concurrency issues such as Time-Of-Check to Time-Of-Use (TOCTTOU) attacks. In this work, we propose a new attack vector, called WarpAttack, that exploits compiler-introduced double-fetch optimizations to mount TOCTTOU attacks and bypass code-reuse mitigations. We study the mechanism underlying this attack and present a practical proof-of-concept exploit against the latest version of Firefox. There are over 2000 vulnerable "gadgets" in just six popular programs: Chrome, Firefox, Apache, JVM, 7-Zip, and Texstudio, on five popular operating systems: Fedora, Debian, Ubuntu, Windows, and macOS.
- 17. NYPD robocops: Hulking, 400-lb robots will start patrolling New York City
The department experimented with Boston Dynamics' Spot in 2021 and shut the project down after a public outcry from civil liberties groups. The idea is being brought back by NYC's new mayor, Eric Adams. For active patrol work, the NYPD plans to deploy one Knightscope K5 robot. This is a 400-lb, 5-foot-tall wheeled robot that looks like a real-life giant R2-D2. The egg-shaped robot has no appendages and is mostly just a ball of sensors.
- 18. Elon Musk reportedly purchases thousands of GPUs for generative AI project at Twitter
Despite recently calling for a six-month pause in the development of powerful AI models, Twitter CEO Elon Musk recently purchased roughly 10,000 GPUs for a generative AI project within Twitter. Business Insider reports that it's a large language model (LLM), the type of generative AI tech that powers ChatGPT. The firm could potentially utilize its massive library of user tweets to help train the model for natural language output. In late March, Musk was a signatory on a widely publicized open letter that called for a six-month moratorium on the development of AI models. Critics claimed that Musk wanted a "pause" so his companies could catch up with OpenAI.