Source Code Revealed, Resume Prompt Injection, iPhones Be Updating, & Florida Man – PSW #805
In the Security News: If an exploit falls in the forest do I still need to patch?, Reflections on trusting trust: the source code revealed, prompt injection in your resume, iPhones be updating, a deep dive into vulnerable kernel drivers and wiping SPI flash, cheap to exploit software, to ransom or steal?, oh OAuth, Florida man, door bell shenanigans, don’t pay the ransom, the White House and AI, and quantum teleportation via measurement-induced entanglement. All that and more on this episode of Paul’s Security Weekly!
Announcements
Security Weekly Listeners: We are celebrating the milestone of reaching over 1,000 members of our CISO community. The Cybersecurity Collaboration Forum is a one-stop shop for executive collaboration comprised of CISOs across various industries. If you want to be part of this growing community of CISOs, join us as a member or technology partner. To learn more, visit: securityweekly.com/cybersecuritycollaboration
Hosts
- 1. Why ACPI?
Without a better alternative, quit bitching.
- 2. Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App
- 3. Shielder – CVE-2023-33466 – Exploiting Healthcare Servers with Polyglot Files
"Sometimes, ignoring CVEs without a public exploit might be tempting (this counts for both attackers and defenders). However, a working exploit is often behind the corner, and it only requires understanding a bit the system we’re testing and a few experiments!" - Amazing write-up. However, it underscores this point: Just because you believe an exploit doesn't exist doesn't mean someone has not, or cannot, create one. This makes vulnerability priority even more difficult.
- 4. research!rsc: Running the “Reflections on Trusting Trust” Compiler
This is a very interesting read to say the least. There is a lot to unpack. It will take me some more time to be able to explain some of what's happening here. I also find it interesting how this post came to be as Ken gave a recent presentation, was asked a question about the famous paper, and then stated that "no one ever asked for it" in reference to the source code. The author of this post was the only one who asked and provided an amazing analysis, complete with modern examples and defenses.
- 5. Inject My PDF: Prompt Injection for your Resume
These neat tricks are used to make you the best candidate for a job if they are using AI to evaluate your resume.
- 6. Rumor: Apple developing means of updating firmware for iPhones sealed inside their boxes
Interesting: "The iOS 17.2 beta SDK that comes with the latest Xcode 15.1 beta also helps corroborate this report. There are three new internal frameworks named FactoryOTALogger, FactoryOTANetworkUtils, and FactoryOTAWifiUtils that enable wireless OTA firmware updates by using a special external device." - Provided the update mechanism is secure (or secure enough), there is little downside to doing this?
- 7. A Deep Dive into TPM-based BitLocker Drive Encryption
- 8. Java Deserialization Vulnerability Still Alive
- 9. Release v2.7.1.1 · six2dez/reconftw
- 10. Hunting Vulnerable Kernel Drivers – VMware Security Blog
Whoa: "The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now." Protections are just silly: "All discovered drivers give full control of the devices to non-admin users. TAU could load them all on HVCI-enabled Windows 11 except five drivers." - This is outstanding research and looks like they were able to overwrite SPI flash using a vulnerable driver. This makes me excited.
- 11. Find Raspberry Pi computers in stock – rpilocator
- 12. Building an Exploit for FortiGate Vulnerability CVE-2023-27997
- 13. It’s Cheap to Exploit Software — and That’s a Major Security Problem
There is a lot to unpack here: "I believe the future requires three things. First, more security engineers and engineering: Hiring security engineers that have development backgrounds and getting engineering leadership buy in on the concept of increasing the cost to exploit software. Second, shifting our focus from tools that clean up detection and response to building tools that raise the cost to exploit. Third, not building new tools in an isolated, security-centric world, but in conjunction with developer stakeholders and considering the needs of the business to ship fast."
- 14. New Android App Expands Flipper Zero Bluetooth Spam Attack Capabilities
Remediation steps are included here. Good to know. Now I have to do this on my primary phone and have other devices to test the "attacks". Let's be clear, this is just annoying, for the moment...
- 15. CCleaner says hackers stole users’ personal data during MOVEit mass-hack
Interesting how they just decided to steal rather than ransom: "The never-before-seen vulnerability allowed the notorious Clop ransomware to steal sensitive data from thousands of organizations that stored data on these internet-connected systems. Researchers tracking the mass-hacks say more than 2,500 organizations have confirmed MOVEit-related data breaches since May, amounting to at least 66 million individuals — though, the true number of affected people is likely far higher."
- 16. How Kaspersky obtained all stages of Operation Triangulation
- 17. Oh-Auth – Abusing OAuth to take over millions of accounts
Best explanation of OAuth in graphical form ever. The "attack" is so simple: "In other words, the first thing you need to do as a developer, before making an API request to Facebook to receive the identity, is to verify the access token. Otherwise, your implementation is not secure. Yes – it is the responsibility of the developer to verify the access token. What can possibly go wrong?"
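The check the quoted sentence is about, as an added example that is not from the Oh-Auth article: before trusting the identity behind a token presented to your backend, confirm the token is valid, unexpired, and was issued to your own app. The field names follow the documented shape of Facebook's debug_token response; the app id and the sample responses are constructed.

```python
import time
from typing import Optional

# The app id this site registered with the identity provider (constructed value).
OUR_APP_ID = "111222333444555"


def verify_access_token(debug_response: dict, expected_app_id: str,
                        now: Optional[float] = None) -> Optional[str]:
    """Return the user id a token authenticates, or None if it must not be trusted.

    ``debug_response`` is the JSON body of GET /debug_token?input_token=...
    requested with an app access token. The caller still has to fetch it;
    this function only decides whether the result may be used for login.
    """
    now = time.time() if now is None else now
    data = debug_response.get("data") or {}
    if data.get("error") or data.get("is_valid") is not True:
        return None
    # The Oh-Auth failure: a valid token issued to *another* app (an attacker's)
    # must not log anyone into this app, even though the provider says it is valid.
    if str(data.get("app_id")) != expected_app_id:
        return None
    expires_at = data.get("expires_at")
    # expires_at == 0 means a non-expiring token; anything else must lie in the future.
    if expires_at not in (None, 0) and expires_at <= now:
        return None
    user_id = data.get("user_id")
    return str(user_id) if user_id else None


# Constructed sample responses shaped like the provider's debug_token output.
GOOD = {"data": {"app_id": OUR_APP_ID, "is_valid": True,
                 "expires_at": 4102444800, "user_id": "9001"}}
OTHER_APP = {"data": {"app_id": "999000999000999", "is_valid": True,
                      "expires_at": 4102444800, "user_id": "9001"}}
EXPIRED = {"data": {"app_id": OUR_APP_ID, "is_valid": False, "expires_at": 1,
                    "user_id": "9001", "error": {"code": 190, "message": "expired"}}}

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("other_app", OTHER_APP), ("expired", EXPIRED)):
        print(name, verify_access_token(resp, OUR_APP_ID))
```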
- 18. F5 fixes BIG-IP auth bypass allowing remote code execution attacks
"Threat actors can only exploit devices that have the Traffic Management User Interface (TMUI) exposed to the internet and do not affect the data plane. " - Why are we exposing management interfaces to the Internet? If we could just not do that, the Internet would be a safer place...
- 19. A man from Orlando was sentenced to prison for SIM
"Crooks conduct SIM swapping attacks to take control of victims’ phone numbers, tricking the mobile operator employees into porting them to SIMs under the control of the fraudsters. Once a SIM is hijacked, the attackers can steal money, cryptocurrencies and personal information, including contacts synced with online accounts. The criminals could hijack social media accounts and bypass 2FA services based on SMS used by online services, including financial ones."
- 20. Holiday fun with my UniFi G4 Doorbell Pro!
Shenanigans: "As Halloween has arrived, I thought it might be nice to style the outside of my house using all of the RGB exterior lighting I've installed, and to play a custom sound from the doorbell when visitors press the button. It's pretty quick to do this and you might spend most of the time finding a suitable audio file to play when the button is pressed!" - What if other people could change the ringer on your doorbell?
- 1. Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
- 2. F5 Warns of Critical Vulnerability in BIG-IP
F5 has published an advisory regarding a critical unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. The flaw affects BIG-IP versions 13.x through 17.x
Two flaws here: CVE-2023-46747, CVSS score 9.8, unauthenticated remote code execution, which can give an attacker full admin rights, and CVE-2023-46748, CVSS score 8.8, an SQLi vulnerability. When reading the affected versions, note that F5 only checks products that have not reached technical end of life, so don't assume you're not vulnerable if you're on an older release.
- 3. Google Chrome Now Upgrading to HTTPS for All Users
Users of Google’s Chrome browser now have all insecure HTTP requests automatically upgraded to HTTPS. The feature was rolled out to a limited pool of users in July; as of October 16, the feature is enabled for all users on the Stable channel.
- 4. Security Agency Rolls Out Protective DNS for Schools
This is a feel good story. The UK National Cyber Security Centre (NCSC) is rolling out eligibility for its Protective Domain Name Service (PDNS) to schools. NCSC developed PDNS to prevent DNS from being used to spread malware. The service is available to eligible educational organizations at no cost.
- 1. Alliance of 40 countries to vow not to pay ransom to cybercriminals, US says
Forty countries in a U.S.-led alliance plan to sign a pledge never to pay ransom to cybercriminals and to work toward eliminating the hackers' funding mechanism, a senior White House official said on Tuesday.
- 2. Biden signs executive order to oversee and invest in AI
The order is broad, and its focuses range from civil rights and industry regulations to a government hiring spree. “AI policy is like running into a decathlon, and there’s 10 different events here,” the official said.
- 3. FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
The Executive Order directs the following actions:
  - New Standards for AI Safety and Security
  - Protecting Americans’ Privacy
  - Advancing Equity and Civil Rights
  - Standing Up for Consumers, Patients, and Students
  - Supporting Workers
  - Promoting Innovation and Competition
  - Advancing American Leadership Abroad
  - Ensuring Responsible and Effective Government Use of AI
- 4. White House unveils AI.gov in a historic move towards comprehensive AI oversight
A new era in AI governance: the website will serve as the go-to resource for information on AI safety and security standards, civil rights guidance and labor market impacts. It also aims to streamline the recruitment process for AI positions within the federal government, signaling an earnest effort to cultivate a robust public sector AI workforce.
- 5. Police urged to double use of facial recognition software
Policing minister Chris Philp has written to force leaders in England and Wales suggesting the target of exceeding 200,000 searches of still images against the police national database by May using facial recognition technology.
He also is encouraging police to operate live facial recognition (LFR) cameras more widely.
In response to the plans, a cross-party group of MPs and peers this month also called for an “immediate stop” to the use of live facial recognition surveillance by police and private companies.
- 6. Hackers can force iOS and macOS browsers to divulge passwords and much more
Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices.
Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.
- 7. Elon Musk just lost $28 billion as Tesla took a beating. Now Toyota says ‘people are waking up to reality’ that EV adoption will be an uphill battle
Toyota’s chairman and former CEO, Akio Toyoda, has long been a skeptic of the electric vehicle hype train—it was a big reason he stepped down from the top job at the Japanese carmaker earlier this year. Now, he can finally say, “I told you so.” With Elon Musk’s Tesla reporting disastrous third-quarter earnings last week, investors are realizing that EVs are no silver bullet for profit. “People are finally seeing reality,” Toyoda said on Wednesday.
- 8. Hot fuzz: Cascade finds dozens of RISC-V chip bugs using random data storm
Boffins from ETH Zurich have devised a novel fuzzer for finding bugs in RISC-V chips and have used it to find more than three dozen. Current CPU fuzzers have limitations that make them less effective. For example, they may not cover the entire instruction set architecture (ISA) or they may not manage control flow well, which means that bugs get missed.
- 9. Google Researchers Unveil Unique Form of Quantum Teleportation
Measurement causes quantum uncertainty to vanish in a process called "the collapse of the wave function", introduced in 1927 by Heisenberg. But exactly what is a measurement? Researchers at Google Quantum AI and Stanford University have observed a “measurement-induced phase transition” — in a system of up to 70 qubits. This is by far the largest system in which measurement-induced effects have been explored.
They demonstrated a novel form of quantum teleportation that emerged naturally from the measurements: by measuring all but two distant qubits in a weakly entangled state, stronger entanglement was generated between those two distant qubits. The ability to generate measurement-induced entanglement across long distances enables the teleportation observed in the experiment.
- 10. The Wiki-Slack Attack
When you share a Wikipedia link on Slack, Slack reformats the page. This can create a URL that was not present on the Wikipedia page, because Slack removes the carriage return at the end of a paragraph with a footnote. So this text:
Hackers are evil.[1] Net hackers with our product!
will be rendered in Slack as containing this url: evil.net
- 11. Risky Biz News: SEC charges SolarWinds and its CISO
Very good reactions here from the infosec pro community, pointing out:
Because the SEC case revolves around many of SolarWinds' internal documents and chats, security experts expect to see companies record cybersecurity issues far less and only when they have to.
They were targeted by an attacker that few others could repel--and after poring over all internal communications for months, the best the SEC could come up with is closer to innuendo than any evidence of a conspiracy to deceive the investors.
- 12. Democrats Introduce Bill to Regulate Law Enforcement’s Use of Facial Recognition Technology
The bill requires that a warrant be obtained that shows probable cause an individual committed a serious violent felony before FRT is deployed.
- 13. Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime
For four years, maybe longer, Prolific Puma has operated in the shadows, unrecognized by defenders. Prolific Puma provides an underground link shortening service to criminals, helping them evade detection while they distribute phishing, scams, and malware.