Stolen Cred Bizarre, US CyberSec, Stealing Cars With Headlights, & AI Censorship – PSW #780

According to Bitdefender's 2023 Cybersecurity Assessment report, three quarters of US respondents experienced an intrusion of some kind in the past year. 40 percent of IT infosec folk polled said they were told to not report security incidents, and that climbs to 70.7 percent in the US, far higher than any other country.

The price of a loader able to deliver a malicious or unwanted app to Google Play ranges between $2,000 and $20,000. The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners and even dating apps.

The Washington Post obtained a series of classified files posted in February and March to the gaming platform Discord. A top secret document, dated February 17, features discussion from Egyptian officials about how to supply their Russian counterparts with gunpowder and artillery from Egyptian factories. The US has said there is no proof that Egypt sold the 40,000 rockets to Russia.

The latest revelation made by the documents tells how the United States has been spying on South Korea and divulges information about Seoul's stand on the Ukraine war. The reveal has the potential to wreck relations between the two countries. The discussion about whether or not to send ammunition to Ukraine happened on March 1, 2023, between two of South Korean President Yoon Suk Yeol's senior national security advisors.

The article's main point, that too much computing power is used for AI, did not impress me. But the second figure is interesting, showing AI's incredibly rapid growth, increasing by a factor of 10 every year.

Repo jacking is an attack on GitHub repositories, where attackers are able to hijack GitHub repositories by reregistering previously used usernames. We found 439 GitHub users that do not exist anymore. These users have 529 GitHub repositories that are used by packages.

NPR will no longer post fresh content to its 52 official Twitter feeds, becoming the first major news organization to go silent on the social media platform. In explaining its decision, NPR cited Twitter's decision to first label the network "state-affiliated media," the same term it uses for propaganda outlets in Russia, China and other autocratic countries.

The updated maturity model adds an additional maturity stage – optimal – alongside traditional, initial and advanced, which were included in the agency’s initial guidance document. The Zero Trust Maturity Model’s five pillars — identity, devices, networks, applications and workloads, and data — are meant to be a guide for federal agencies zero trust strategy implementations and most agencies have started off focusing on identity and data questions.

Amazon is continuing to expand its contactless payments service, Amazon One, via partnerships with several retailers—including Whole Foods Market, which will be letting consumers pay with just the palm of their hands in 11 of its locations in Colorado. Whole Foods Market shoppers will need to link both their palm and payment card at a participating point-of-sale station or kiosk. Once that’s completed, they’ll be able to check out by holding their hand above the scanner before leaving the store.

Ukrainian hackers claim to have broken into the emails of a senior Russian military spy wanted by the Federal Bureau of Investigation for hacking the Hillary Clinton campaign and other senior U.S. Democrats ahead of Donald Trump's election to the presidency in 2016. It wasn't immediately clear what information the hackers had managed to steal or how significant it was. Morgachev's inbox could potentially hold insight into Russia's hacking operations, including the operation against Clinton and the Democrats.

In a first step toward potential regulation, the Commerce Department on Tuesday put out a formal public request for comment on what it called accountability measures, including whether potentially risky new AI models should go through a certification process before they are released. “We believe that powerful AI systems should be subject to rigorous safety evaluations,” OpenAI said in a recent blog post. “Regulation is needed to ensure that such practices are adopted, and we actively engage with governments on the best form such regulation could take.”

The FBI is warning people to not use public phone charging stations, which have become increasingly popular in places like airports and shopping malls.

The problem is that hackers have found a way to introduce malware and other software onto devices through the public stations, the FBI said.

"Backward-edge control-flow hijacking" is the technical term for the typical aleph0-type buffer overflow exploit, taking over code execution when a function returns. These attacks are mitigated by stack canaries and shadow stacks, which place return addresses on a separate stack inaccessible to the attacker. However, the attacker can cause an exception to gain control of execution. This is a well-known attack on Windows: Structured Exception Handler exploits. This paper extends this attack to Linux, calling it Catch Handler Oriented Programming or CHOP. They found 442 bugs potentially exploitable by this technique in open-source projects written in C++.

Women seen not covering their hair would receive a "warning text messages as to the consequences", police said. This would help prevent "resistance against the hijab law", police said.

From 2019 to at least mid-2022, Tesla employees used an internal messaging system to share "sometimes highly invasive videos and images recorded by customers' car cameras," according to a lengthy Reuters report based on interviews with nine former Tesla employees. Some of the recordings caught Tesla customers in embarrassing situations. One ex-employee described a video of a man approaching a vehicle completely naked. Whether sharing has stopped is unclear.

Code-reuse attacks take control of a process without injecting code. Modern mitigations, ASLR, DEP, and CFI make code-reuse exploits more challenging. Unfortunately, compiler optimizations may undermine these security guarantees. For instance, compilers may introduce doublefetch vulnerabilities that lead to concurrency issues such as Time-Of-Check to Time-Of-Use (TOCTTOU) attacks. In this work, we propose a new attack vector, called WarpAttack, that exploits compiler-introduced double-fetch optimizations to mount TOCTTOU attacks and bypass codereuse mitigations. We study the mechanism underlying this attack and present a practical proof-of-concept exploit against the latest version of Firefox. There are over 2000 vulnerable "gadgets" in just six popular programs: Chrome, Firefox, Apache, JVM, 7-Zip, and Texstudio, on five popular operating systems: Fedora, Debian, Ubuntu, Windows, and MacOS.

The department experimented with Boston Dynamics' Spot in 2021 and shut the project down after a public outcry from civil liberties groups. The idea is being brought back by NYC's new mayor, Eric Adams. For active patrol work, the NYPD plans to deploy one Knightscope K5 robot. This is a 400-lb, 5-foot-tall wheeled robot that looks like a real-life giant R2-D2. The egg-shaped robot has no appendages and is mostly just a ball of sensors.

Despite recently calling for a six-month pause in the development of powerful AI models, Twitter CEO Elon Musk recently purchased roughly 10,000 GPUs for a generative AI project within Twitter. Business Insider reports that it's a large language model (LLM), the type of generative AI tech that powers ChatGPT. The firm could potentially utilize its massive library of user tweets to help train the model for natural language output. In late March, Musk was a signatory on a widely publicized open letter that called for a six-month moratorium on the development of AI models. Critics claimed that Musk wanted a "pause" so his companies could catch up with OpenAI.