SSD AI/ML, Salsa for your Software, Hacking Smart TVs with IR, & Getting Papercuts – PSW #782

I believe this could be a good measure to stop ransomware. Thoughts?

I don't know why this is news, but its fun to follow.

Feed them some brains? This should be a pretty easy thing to detect, look for low-bandwidth across the servers and a few packets sent/received, low CPU consumption, and turn those bad boys off. Though, its hard to turn things off, when you do there is change someone will complain (sorry Lee, love you man). Do as I say, not as I do, and communicate when turning off servers and services! The benefit is a reduction in attack surface and cost, so its time well spent.

I think this means the version of grub2 on Debian is either not in the DB or in the DBX. It was tough to follow, but it's been fixed in any case.

Wow, harsh: "This gets to be the spectral chicken forever more as punishment. Next time AMD can try again, and if they manage to get their act together and publish something before I get to write the code and invent a name for a magical bit, they get to name it how they like." - The former AMD engineer, who is now again an AMD engineer, proposed a change made by an Intel engineer, but gets denied by said Intel engineer and Linux kernel maintainer. And that's how Spectral Chicken will live on forever, or at least for now.

Still unpacking this: "Instead of relying on the cache system like many other side-channel attacks, this new attack leverages a flaw in transient execution that makes it possible to extract secret data from user memory space through timing analysis."

"When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect."

Changing the SecretKey in Flask is important: *"When a user logs in, the web application sends a session cookie that includes a user identifier back to the end user’s browser. The web application signs the cookie with a SECRETKEY, a value that is supposed to be randomly generated and typically stored in a local configuration file. With every web request, the browser sends the signed session cookie back to the application. The application then validates the signature on the cookie to re-authenticate the user prior to processing the request."*

"Our research re-examines the general belief that clicking an IR remote control is a homely and safe thing to do. We have developed a HOMESPY attack and evaluate its performance using test data of received signal and our offline IR code database. Our studies show that IR signals at home can be easily sniffed by an IoT device sitting in the same room, and attackers can uniquely reproduce the key pressed by the victim and derive sensitive information via semantic extraction techniques. In the era of IoT, many smart devices are connected to the Internet and support IR for compatibility with universal IR controllers. This means the invisible IR vulnerability presented in this paper will continue to cause significant threats to smart home security."

Whoops: "This function is normally called throughout the software only after a user has had their password validated through a login flow. However, here in the SetupCompleted flow, the logic accidentally validates the session of the anonymous user. This type of web application vulnerability is called Session Puzzling." - Logic flaws are hard. This isn't they forgot to authenticate the user, its they authenticated the anonymous user. Another reference here: https://arstechnica.com/information-technology/2023/04/exploit-released-for-9-8-severity-papercut-flaw-already-under-attack/

Google did an audit of Intel TDX; there were vulnerabilities. However, this audit was done before the code was shipped, so it was fixed before it ever landed on any computer. Bravo! Google has a vested interest in this, as do all cloud providers.

"A GitHub Action that uses pip-audit to scan Python dependencies for known vulnerabilities."

Sounds like it could be a sneaky attack: "The same configurable mechanism by which errdaemon handles events written to /dev/error, could also be used by adversaries to construct a persistence mechanism, with errdaemon being configured to perform malicious activities when an appropriately constructed message is logged by a user." - Also, I wonder just how much AIX is out there? Apparently, not much: https://www.osnews.com/story/135756/in-case-you-thought-aix-had-a-future/

Really glad they fixed this, it could have gotten out of control: "By exploiting the GhostToken vulnerability, attackers can hide their malicious application from the victim’s Google account application management page. Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account." - Also, a good reminder to cleanup your Google account app permissions.

I put a backdoor in your death star, check the thermal exhaust port: "Briefly, the researchers noticed that the threat actors are using the Eval PHP plugin to infect websites with backdoors. For this, they first sneakily install the vulnerable plugin on a target website. This step remains easy given the plugin’s availability on the official WordPress plugin repository."

ESET security researchers have revealed that various enterprise-level, corporate-grade routers being sold on the secondary market could be used by hackers to breach corporate environments or to steal customer information. According to ESET, it bought 18 used core routers and discovered that the full configuration data was still accessible on more than half the routers that still worked properly.

Imagine an OS which changes from everything is a file to everything is a table. A database which has transaction logs for changes, making roll-back quick and easy, and also logs for forensicating.

Hackers are exploiting a vulnerability in an unsupported WordPress plugin to inject malicious PHP code into web pages. Eval PHP has not been updated for a decade, yet researchers noted a sudden surge in Eval PHP downloads over the past months. The attackers are installing the plugin on compromised sites to establish backdoors.

Google has fixed a flaw in its Cloud Platform (GCP) that could be exploited to backdoor accounts using malicious OAuth applications. The issue was reported to Google in June 2022; the fix was released in a patch earlier this month.

Three vulnerabilities — two of them critical — were reported last week in the Easy UPS Online Monitoring Software from Schneider Electric’s American Power Conversion (APC).

Researchers from Mandiant investigating the recently disclosed 3CX supply chain attack say that attack was made possible by an earlier attack against a different supply chain. The earlier attack targeted Trading Technologies’ X-TRADER installer, adding a backdoor. In their blog, Mandiant writes, ”The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise.”

Symantec’s Threat Hunter Team says that the XTrader supply chain attack that affected 3CX attack also affected at least four other organizations – two in the energy sector and two in the financial sector. A trojanized version of the XTrader installer was used to compromise 3CX systems, which allowed that company’s software to become compromised as well.

After compromising a Windows host and having obtained local administrator privileges, the following type of secrets can be retrieved: Secrets in LSASS process, Secrets in registry such as LSA secrets, and DPAPI (Data Protection API) secrets. This article describes them and lists tools to extract them. The secrets include hashes, cleartext credentials, Kerberos tickets, and more. The tools use memory dumps and known vulnerable kernel drivers.

After years of scrambling to remediate the security fallout from design flaws in the processor feature known as “speculative execution,” chipmakers have invested more in advanced security testing. GOOGLE CLOUD AND Intel released results today from a nine-month audit of Intel's new hardware security product: Trust Domain Extensions (TDX). The analysis revealed 10 confirmed vulnerabilities, including two that researchers at both companies flagged as significant. One related to loose ends from a cryptographic integrity feature that had been dropped from the product. The other was in Intel's Authenticated Code Modules, which are cryptographically signed chunks of code that are built to run in the processor at a particular time. The vulnerability involved a small window in which an attacker could have hijacked the mechanism to execute malicious code.

Intel® Trust Domain Extensions (Intel® TDX) is introducing new, architectural elements to help deploy hardware-isolated, virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software. These hardware-isolated TDs include: Secure-Arbitration Mode (SEAM), Intel® Total Memory Encryption-Multi Key (Intel TME-MK) engine, and Remote attestation designed to provide evidence of TD executing on a genuine, Intel TDX system and its TCB version.

Qualcomm chipsets are backdoored. "During our security research we found that smart phones with Qualcomm chip secretly send personal data to Qualcomm. This data is sent without user consent, unencrypted, and even when using a Google-free Android distribution. This is possible because the Qualcomm chipset itself sends the data, circumventing any potential Android operating system setting and protection mechanisms."

Microsoft is reportedly working on its own AI chips that can be used to train large language models and avoid a costly reliance on Nvidia. The Information reports that Microsoft has been developing the chips in secret since 2019, and some Microsoft and OpenAI employees already have access to them to test how well they perform for the latest large language models like GPT-4.

The Digital Services Act imposes risk management requirements for companies designated by the European Commission as Very Large Online Platforms and Very Large Online Search Engines. They will have to identify, analyse and mitigate a wide array of risks on their platforms. The risk mitigation plans of designated platforms' and search engines will be subject to an independent audit and oversight by the European Commission.

China is building sophisticated cyber weapons to “seize control” of enemy satellites, rendering them useless for data signals or surveillance during wartime, according to a leaked US intelligence report.

Yokosuka City will begin using ChatGPT to help with administrative tasks. Employees could use the chatbot to “summarize sentences, check spelling errors, and create ideas.” With ChatGPT handling rote administrative tasks, “staff can focus on work that can only be done by people, pushing forward an approach that brings happiness for our citizens,” said the news release.

Stability AI released a new family of open source AI language models called StableLM.
With refinement, StableLM could be used to build an open source alternative to ChatGPT. StableLM is currently available in alpha form on GitHub in 3 billion and 7 billion parameter model sizes, with 15 billion and 65 billion parameter models to follow. Like other recent "small" LLMs like Meta's LLaMA, Stanford Alpaca, Cerebras-GPT, and Dolly 2.0, StableLM purports to achieve similar performance to OpenAI's benchmark GPT-3 model while using far fewer parameters—7 billion for StableLM verses 175 billion for GPT-3.

At the BSides SF 2023 CTF, GPT-4 straight up solved some challenges for me. For challenges that GPT-4 didn't solve on its own, it provided incredibly helpful tips, or quickly wrote scripts that would have been tedious or time consuming for me to write myself.

The Cigent Secure SSD+ has an on-board processor that uses machine learning algorithms to constantly monitor disk accesses and will step in to block access if it detects ransomware activity,.

Inmates are suing Sirchie Acquisition Co., manufacturer of the NARK II kits, and Premier Biotech, a retailer that sells them, in federal court for negligence. The NIK Public Safety brand field tests used in California’s prisons are unreliable. A judge ruled in 2018 that the test kit “does not meet a scientific admissibility standard.” The tests are small plastic pouches holding vials of chemicals. They’re cheap, roughly $2 apiece, and easy to use. Officers open the pouch and add the substance to be tested. The tests are designed to produce specific colors when mixed with drugs like heroin, cocaine or methamphetamine. But dozens of items, including foods and household cleaners, trigger similar reactions.

For the third edition of CYSAT, the European event entirely dedicated to cybersecurity for the space industry, taking place on 26-27 April 2023 at Station F in Paris, the European Space Agency (ESA) set up a satellite test bench to simulate attempts to seize control of OPS-SAT, a nanosatellite operated by the agency for demonstration purposes.

In this work, we discover a vulnerability that the change of the EFLAGS register in transient execution may have a side effect on the Jcc (jump on condition code) instruction after it in Intel CPUs. Based on our discovery, we propose a new side-channel attack that leverages the timing of both transient execution and Jcc instructions to deliver data. This attack doesn't rely on the cache system and doesn't need to reset the EFLAGS register manually to its initial state before the attack, which may make it more difficult to detect or mitigate. We implemented this side-channel on machines with Intel Core i7-6700, i7-7700, and i9-10980XE CPUs. In the first two processors, we combined it as the side-channel of the Meltdown attack, which could achieve 100% success leaking rate.