Snowden Revelations, Cult of The Dead Cow Saves The Internet, & Stealing Your Pixels – PSW #800
This week, first up it's the Security News: libwebp or die: we unravel some of the details behind the webp vulnerability first fixed by Apple and Google, then, hopefully, by everyone else; attackers can steal your pixels using your GPU; someone cough China cough has been hacking Cisco routers; Kia boys are still a problem; how the Cult of the Dead Cow plans to save the internet; how iOS updates could break glucose monitors; spamming the CVE database; and when a medium is really a high!
Announcements
As a member of the Security Weekly community, we are pleased to offer you 50% off your AI DC 2023 tickets using code CRA50OFF! Join us on October 4, 2023, in Pentagon City. ICIT, the Nation’s #1 cyber security think tank, brings together America’s leading minds to discuss AI’s impact on the country.
Register today at securityweekly.com/AIDC2023.
Join PSW host Larry Pesce at an upcoming event! He’ll be speaking at the 2023 State of Cybersecurity for Medical Devices and Healthcare Webinar on September 23rd. Register at https://tinyurl.com/fs-meddev ! He’ll also be presenting in-person at the 7th annual Cyber Security Summit on Securing the Automotive Software Supply Chain. Learn more about this event at https://tinyurl.com/fs-aisac .
Hosts


- 1. Research From IANS and Artico Search Reveals Cybersecurity Budgets Increased Just 6% for 2022-2023 Cycle
- 2. iOS 17 Could Break Crucial Diabetic Glucose Monitor Alerts, Manufacturer Warns
- 3. NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors
- 4. Surprise: When Dependabot Contributes Malicious Code

- 1. Apple Patched Zero Days Used to Deploy Spyware
The patches Apple released last week for zero-day vulnerabilities were prompted by the discovery that they had been used to introduce Predator spyware onto the mobile phone of an Egyptian politician. The vulnerabilities could be chained to infect targeted devices with spyware by redirecting them to websites using HTTP rather than HTTPS.
- 2. CISA Adds Three Known Exploited Vulnerabilities to Catalog
The three CVEs behind last week's release of iOS/iPadOS, macOS, watchOS and Safari updates. KEV directs agencies to deploy updates by 10/18; you may wish to go faster.
CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability
CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability
CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability
- 3. BIND Updates Patch Two High-Severity DoS Vulnerabilities
The latest BIND security updates include patches for two high-severity DoS vulnerabilities that can be exploited remotely. The first vulnerability (CVE-2023-3341) is a stack exhaustion flaw in control channel code. The second (CVE-2023-4236) is “a flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure.” Fixed in BIND version 9.18.19 and BIND Supported Preview Edition version 9.18.19-S1.
- 4. 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
Nearly 900 US schools are impacted by the MOVEit hack at the educational nonprofit National Student Clearinghouse.
Look for MOVEit IOCs, move off MOVEit.
- 5. U.S. Cities Have a Staggering Problem of Kia and Hyundai Thefts. This Data Shows It.
Between 2011 and 2021, more than 9 million Kia and Hyundai vehicles were sold without engine immobilizers installed. The devices prevent cars from being hotwired, and their absence from the Kia and Hyundai vehicles has resulted in a significant spike in the theft of those automobiles. Kia and Hyundai are facing multiple lawsuits. Software updates have reached about half the vehicles, and reports say it's not a reliable fix. Add an immobilizer to the list of needed features when purchasing a vehicle.
- 6. Gmail’s basic HTML view will disappear in January 2024
Starting in January 2024, Google will remove Gmail basic HTML view and redirect users to Standard view. When Standard view was introduced in 2013, users had the option of switching to Basic if they had slow connections; Basic lacked some of the features available in Standard view. The “Set Basic HTML as default view” option is no longer available.
- 7. iTWire – Canada site attacked after Ottawa claim of Indian role in assassination
After Canadian Prime Minister Justin Trudeau recently claimed that India killed Canadian activist Hardeep Singh Nijjar for campaigning to set up an autonomous state for Sikhs in India, a group of threat actors dubbed "Indian Cyber Force" breached the network of the Ontario-based Bristol Dental Clinic and left behind messages in support of India.
- 8. BBTok Banking Trojan Impersonates 40+ Banks to Hijack Victim Accounts
Hundreds of Latin American banking customers have been targeted with a novel variant of a banking trojan called "BBTok," which creates convincing but fake versions of the website interfaces of more than 40 Brazilian and Mexican banks to trick targets into sharing their two-factor authentication (2FA) and/or payment card information.

- 1. How Google taught AI to doubt itself
After the chatbot answers one of your queries, hitting the Google button will “double check” your response. Bard will read the response and evaluate whether there is content across the web to substantiate it. When a statement can be evaluated, you can click the highlighted phrases and learn more about supporting or contradicting information found by Search.
- 2. Reducing Hallucinations in ChatGPT with Chain-of-Verification (CoVe)
With CoVe, the LLM's baseline response to a prompt is followed by a series of automatically generated verification questions that test the factual claims in that response; the response is then revised to incorporate any inconsistencies the verification uncovers. With CoVe, Llama 65B outperformed leading models like ChatGPT, InstructGPT, and PerplexityAI in long-form generation tasks.
- 3. Gen Z falls for online scams more than their boomer grandparents do
Compared to older generations, younger generations have reported higher rates of victimization in phishing, identity theft, romance scams, and cyberbullying. The Deloitte survey shows that Gen Z Americans were three times more likely to get caught up in an online scam than boomers were (16 percent and 5 percent, respectively).
- 4. How the Cult of the Dead Cow plans to save the internet
Veilid aims to replace the advertising giants that run social media platforms with an alternative suite of open-source, serverless, peer-to-peer and mobile-first applications. By creating an application framework that puts privacy first, Veilid tries to put tools in the hands of developers to let them build applications with a fundamentally different ethos than today’s advertising-driven internet economy. The project is aiming to release its first flagship application, VeilidChat, in the coming months.
- 5. Microsoft is hiring a nuclear energy expert to help power its AI and cloud data centers
Microsoft is looking to hire someone to lead the company’s technical assessment for integrating small modular nuclear reactors and microreactors “to power the datacenters that the Microsoft Cloud and AI reside on”. Much of the hope for the next generation of nuclear reactor technology in the U.S. is pinned on smaller nuclear reactors.
- 6. Uncle Sam mulls spying on clouds being used to train AI
The Biden administration is looking to introduce rules that require public cloud operators to disclose to the authorities when any customer purchases a level of compute resources that come in above a certain as-yet unspecified threshold.
- 7. The End of Privacy is a Taylor Swift Fan TikTok Account Armed with Facial Recognition Tech
A viral account is using off-the-shelf facial recognition tech to dox random people on the internet for the amusement of millions of viewers. One victim said they “felt a bit violated really.” TikTok has decided to not remove it from the platform. TikTok told me the account does not violate its policies; one social media policy expert I spoke to said TikTok should reevaluate that position.
- 8. The Urgent Need for Memory Safety in Software Products
From CISA: Microsoft, Google, and Mozilla reported that around 70% of the serious vulnerabilities Microsoft assigns a CVE [Common Vulnerabilities and Exposures] each year are memory safety problems. Recommendations: (1) implement memory safety mitigations in hardware; (2) use memory safe programming languages like Rust.
- 9. Microsoft Supports Rust-Based Drivers
Microsoft is now supporting a Rust-based platform for Windows driver development, following in the footsteps of Linux.
- 10. CISA, NSA, FBI and Japan Release Advisory Warning of BlackTech, PRC-Linked Cyber Activity
Chinese cyber actors known as BlackTech can modify router firmware without detection and exploit routers’ domain-trust relationships. The authoring agencies have observed PRC-linked cyber actors leveraging this exploitation of routers to pivot from global subsidiary companies to corporate headquarter networks in the U.S. and Japan.
- 11. From LLaMA 2 to CodeGen: Navigating the World of Open-Source LLMs
A great summary of open-source LLMs, including CodeGen (Streamlining Software Development) from Salesforce and BLOOM (Fostering Scientific Collaboration), trained on 46 natural languages and 13 programming languages.
- 12. CISA Releases Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management (SCRM)
This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases. There's urgency for this since South Korea found "spy chips" in Chinese weather measuring equipment last month (see next article).
- 13. South Korea is investigating “spy chip” in Chinese weather measuring equipment (from August)
South Korea's National Intelligence Service (NIS) has found malicious code embedded in the chips of weather-measuring instruments made in China. The malicious code can eavesdrop on its surroundings and "steal information through radio frequencies". NIS says that while it dealt with Chinese malware (software-based backdoors) in the past, the incident marks the first time it found a "hardware backdoor" in Chinese-made equipment.
- 14. GPUs from all major suppliers are vulnerable to new pixel-stealing attack
GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. GPU.zip starts with a malicious website that places a link to the webpage it wants to read inside of an iframe. Normally, the same origin policy prevents either site from inspecting the content of the other. But data compression GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.
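The attack above only works if the target page can be placed in a cross-origin iframe, so the cheapest defensive check is whether a page's response headers permit framing. The following is an added example (not code from the article or from the GPU.zip researchers) that evaluates X-Frame-Options and CSP frame-ancestors the way a browser would; the bank.example and evil.example origins and the header sets are constructed for illustration.

```python
"""Decide whether a response's headers let another origin frame the page.
GPU.zip needs the target inside a cross-origin iframe, so a page that refuses
cross-origin framing cannot be embedded for the pixel-reading step. Header sets
below are constructed for illustration, not taken from real sites."""
from typing import Mapping, Optional

def _frame_ancestors(csp: str) -> Optional[list[str]]:
    """frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def _source_matches(source: str, page_origin: str, embedder: str) -> bool:
    """Does one frame-ancestors source expression admit the embedding origin?"""
    scheme, host = embedder.split("://", 1)  # origins look like https://host[:port]
    if source == "self":
        return embedder == page_origin
    if source.endswith(":"):  # scheme-only source such as https:
        return scheme == source[:-1]
    src_host = source.split("://", 1)[-1]
    if src_host.startswith("*"):  # "*" or a wildcard host such as *.bank.example
        return host.endswith(src_host[1:])
    return src_host == host

def framing_allowed(headers: Mapping[str, str], page_origin: str, embedder: str) -> bool:
    """True if a browser would let `embedder` frame a page from `page_origin`.
    CSP frame-ancestors wins over X-Frame-Options when both are sent; with
    neither header, any origin may frame the page."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(lowered.get("content-security-policy", ""))
    if sources is not None:
        if "none" in sources:
            return False
        return any(_source_matches(s, page_origin, embedder) for s in sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page_origin
    return True  # absent, obsolete (ALLOW-FROM) or malformed values are ignored by browsers

SAMPLES = {  # constructed responses from a hypothetical bank.example site
    "no_header": {"Content-Type": "text/html"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_subdomains": {"X-Frame-Options": "DENY",
                       "Content-Security-Policy": "frame-ancestors 'self' https://*.bank.example"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
}
```

Pages that return True for an untrusted embedder are the ones worth hardening with `frame-ancestors 'none'` or `'self'`, independent of any GPU-side fix.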