Saturday, March 25, 2023

Ars Technica

ChatGPT gets “eyes and ears” with plugins that can interface AI with the world

(credit: Aurich Lawson | Getty Images) On Thursday, OpenAI announced a plugin system for its ChatGPT AI assistant. The plugins give ChatGPT the ability to interact with the wider world through the Internet, including booking flights, ordering groceries, browsing...

Huge collection of vintage Apple computers goes to auction next week

I mostly recognize this early laptop from its resemblance to a similar-looking computer in the film 2010. It's up for auction along with hundreds of other old Apple computers. (credit: Julien's Auctions) If you've been thinking your home...

If your Netgear Orbi router isn’t patched, you’ll want to change that pronto

An Orbi 750 series router. (credit: Netgear) If you rely on Netgear’s Orbi mesh wireless system to connect to the Internet, you’ll want to ensure it’s running the latest firmware now that exploit code has been released for...

Computerworld

Russia’s iPhone ban and the digital supply chain

Russia’s Kremlin ordered officials to stop using iPhones, apparently over concerns the devices could be vulnerable to Western intelligence agencies, Reuters reports. When surveillance-as-a-service firms sit exposed for brazenly undermining device security, it's hard to think there isn't an argument there. But the bigger story isn’t the harm to...

Patch Office and Windows now to resolve two zero-days

Microsoft has resolved 80 new CVEs this month in addition to four earlier CVEs, bringing the number of security issues addressed in this month's Patch Tuesday release to 84. Unfortunately, we have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that carry a "Patch Now" requirement for both...

Feds to Microsoft: Clean up your security act — or else

The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily...

CSO

Critical flaw in WooCommerce can be used to compromise WordPress websites

WooCommerce, a popular plug-in for running WordPress-based online stores, contains a critical vulnerability that could allow attackers to take over websites. Technical details about the vulnerability have not been published yet, but the WooCommerce team released updates and attackers could reverse-engineer the patch. "Although what we know at this time...

Cyberpion rebrands as Ionix, offering new EASM visibility improvements

SaaS-based external attack surface management (EASM) company Cyberpion has rebranded as Ionix, at the same time adding a clutch of new cybersecurity capabilities to its namesake offering. Designed to provide a “wider coverage and deeper focus” into its customers’ internet-facing assets and connected dependencies, the revamp of Ionix's system will...

Android-based banking Trojan Nexus now available as malware-as-a-service

Italian cybersecurity firm Cleafy has found “Nexus”, a new Android Trojan capable of hijacking online accounts and siphoning funds from them, to be targeting customers from 450 banks and cryptocurrency services worldwide. First observed in June 2022 as a variant of SOVA, another Android banking Trojan, Nexus has since improved...

Dark Reading

CyberSecure Announces Strategic Alliance

The joint partnership represents expanded market opportunities.

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

In two days, ethical researchers from 10 countries have unearthed more than 22 zero-day bugs in a wide range of technologies at the annual hacking contest.

GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub hastens to replace its RSA SSH host key after an exposure mishap threatens users with man-in-the-middle attacks and organization impersonation.

Zoom Zoom: 'Dark Power' Ransomware Extorts 10 Targets in Less Than a Month

A new threat actor is racking up victims and showing unusual agility. Part of its success could spring from the use of the Nim programming language.

Errata Security

C can be memory-safe

The idea of memory-safe languages is in the news lately. C/C++ is famous for being the world's system language (that runs most things) but also infamous for being unsafe. Many want to solve this by hard-forking the world's system code, either by changing C/C++ into something that's memory-safe, or rewriting everything...

I’m still bitter about Slammer

Today is the 20th anniversary of the Slammer worm. I'm still angry over it, so I thought I'd write up my anger. This post will be of interest to nobody, it's just me venting my bitterness and get off my lawn!! Back in the day, I wrote "BlackICE", an intrusion...

The RISC Deprogrammer

I should write up a larger technical document on this, but in the meantime here is this short(-ish) blogpost. Everything you know about RISC is wrong. It's some weird nerd cult. Techies frequently mention RISC in conversation, with other techies nodding their heads in agreement, but it's all wrong....

F-Secure

FireEye

Forbes

The DEA Quietly Turned Apple’s AirTag Into A Surveillance Tool

Apple’s quarter-sized location tracker was hidden in a pill press by the DEA to conduct surveillance. The AirTag’s small size and reliability could make it an attractive tool for cops.

Jack Dorsey’s Block Slammed For Failure To Stop Criminals Abusing Cash App

Cash App’s Barcelona-based business fined for anti-money laundering and terrorist financing failures, while Hindenburg Research shorts owner Block, citing ‘Wild West’ approach to compliance.

New EU Greenwashing Rules Fail To Prevent Misinformation, Say Campaign Groups

Consumer and environmental groups have hit out at new EU anti-greenwashing rules that they say fail to prevent companies spreading misinformation about their products.

Google Security

OSV and the Vulnerability Life Cycle

Posted by Oliver Chang and Andrew Pollock, Google Open Source Security Team. It is an interesting time for everyone concerned with open source vulnerabilities. The U.S. Executive Order on Improving the Nation's Cybersecurity requirements for vulnerability disclosure programs and assurances for software used by the US government will go...

Thank you and goodbye to the Chrome Cleanup Tool

Posted by Jasika Bawa, Chrome Security Team. Starting in Chrome 111 we will begin to turn down the Chrome Cleanup Tool, an application distributed to Chrome users on Windows to help find and remove unwanted software (UwS). Origin story: The Chrome Cleanup Tool was introduced in 2015...

Google Trust Services now offers TLS certificates for Google Domains customers

Andy Warner, Google Trust Services, and Carl Krauss, Product Manager, Google Domains. We’re excited to announce changes that make getting Google Trust Services TLS certificates easier for Google Domains customers. With this integration, all Google Domains customers will be able to acquire public certificates for their websites at no additional...

Graham Cluley

Danger USB! Journalists sent exploding flash drives

If you were sent a USB stick anonymously through the post, would you plug it into your computer? Perhaps you'll think twice when you hear what happened to these Ecuadorian journalists. Read more in my article on the Hot for Security blog.

Europe’s transport sector terrorised by ransomware, data theft, and denial-of-service attacks

A new report from ENISA, the European Union Agency for Cybersecurity, looking at cyberattacks targeting the European transport network over a period of almost two years, has identified that ransomware has become the prominent threat. Read more in my article on the Tripwire State of Security blog.

Fake GPT Chrome extension steals Facebook session cookies, breaks into accounts

The world has gone ChatGPT bonkers. Which makes it an effective lure for cybercriminals who may want to break into accounts...

IBM Security

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart...

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity...

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their...

Info Security Buzz

What Is Shoulder Surfing? How Does It Affect Cybersecurity

In today's highly digital world, we rely primarily on technology to protect our sensitive data, including financial information, personal information, and corporate secrets. As technology is widely adopted, our personal and sensitive information becomes vulnerable to being obtained by malicious actors. One of the methods...

Future-Proofing Your Business Against Insider Threats

In today’s digital world, businesses face various cybersecurity threats, including malware, hacking, and phishing scams. Insider threats, unfortunately, are widely ignored. These threats could emerge from former or present staff members, professionals, or affiliates with access to sensitive company data. Insiders can cause considerable harm to a business, either...

The Revolutionizing Power of AI In Cybersecurity

AI has a positive effect on cybersecurity: as technology evolves rapidly, the threat landscape for cyber-attacks has grown. Cybercriminals are developing increasingly complex attacks, making it increasingly difficult for businesses to keep up with their security measures. This is where Artificial Intelligence (AI) plays a huge role, as it...

Infosec Island

Infosecurity Magazine

CISA Unveils Ransomware Notification Initiative

Provides businesses with early warnings to evict threat actors before they can encrypt data

WooCommerce Patches Critical Plugin Flaw Affecting Half a Million Sites

The vulnerability could allow an unauthenticated attacker to gain admin privileges and take over a website

GitHub Updates Security Protocol For Operations Over SSH

The move reportedly did not stem from a compromise of GitHub systems or customer information

Krebs on Security

Google Suspends Chinese E-Commerce App Pinduoduo Over Malware

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting...

Why You Should Opt Out of Sharing Data With Your Mobile Provider

A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this...

Feds Charge NY Man as BreachForums Boss “Pompompurin”

The U.S. Federal Bureau of Investigation (FBI) this week arrested a New York man on suspicion of running BreachForums, a popular English-language cybercrime forum where some of the world's biggest hacked databases routinely first show up for sale. The forum’s administrator “Pompompurin” has been a thorn in the side...

Naked Security

WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!

Admin-level holes in websites are always a bad thing... and for "bad", read "worse" if it's an e-commerce site.

S3 Ep127: When you chop someone out of a photo, but there they are anyway…

Listen now - latest episode. Full transcript inside.

Windows 11 also vulnerable to “aCropalypse” image data leakage

Turns out that the Windows 11 Snipping Tool has the same "aCropalypse" data leakage bug as Pixel phones. Here's how to work around the problem...

Google Pixel phones had a serious data leakage bug – here’s what to do!

What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?

PC Mag

Malware Steals Data By Adjusting Screen Brightness

Malware on an air-gapped computer can transmit data like Morse code by changing screen brightness in a way that's invisible to the naked eye but easily recorded with a camera.

Hackers Pose as Wall Street Journal Reporter to Phish Victims

Watch out for suspicious interview requests. 'The main focus of this phishing campaign was stealing email account information of the victims, and finding information about their contacts/networks,' the cybersecurity experts at Certfa Lab warned on Wednesday.

Google Photos Videos Were Shared With Strangers

Google's Takeout service was designed to let people download their data, but accidentally sent videos from Google Photos accounts to strangers.

SC Magazine

Dish customers struggle with service disruptions weeks after ransomware attack

Customers complain that they are still having payment issues and are not able to contact customer service weeks after Dish Network suffered a ransomware attack.

LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling

Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements

Patch released for critical vulnerability in WooCommerce Payments plug-in

WooCommerce Payments runs on more than 6 million websites, so security teams that use the platform need to patch immediately or risk unauthenticated administrative takeover of their websites.

Schneier on Security

Friday Squid Blogging: Creating Batteries Out of Squid Cells

This is fascinating: “When a squid ends up chipping what’s called its ring tooth, which is the nail underneath its tentacle, it needs to regrow that tooth very rapidly, otherwise it can’t claw its prey,” he explains. This was intriguing news, and it sparked an idea in Hopkins lab where...

A Hacker’s Mind News

My latest book continues to sell well. Its ranking hovers between 1,500 and 2,000 on Amazon. It’s been spied in airports. Reviews are consistently good. I have been enjoying giving podcast interviews. It all feels pretty good right now. You can order a signed book from me here. For those of you...

Exploding USB Sticks

In case you don’t have enough to worry about, people are hiding explosives—actual ones—in USB sticks: In the port city of Guayaquil, journalist Lenin Artieda of the Ecuavisa private TV station received an envelope containing a pen drive which exploded when he inserted it into a computer, his employer said. Artieda...

SecureMac

Apple backup tips for World Backup Day

Backup tips for Apple users on World Backup Day. The post Apple backup tips for World Backup Day appeared first on SecureMac.

Checklist 321: Not Phoning It In

ICE breaks its own rules; Customer Proprietary Network Information and your privacy; the Kremlin ditches smartphones.

Checklist 320: Speedy Scams and Securing iCloud

SVB scams and how to spot them. Plus: Simple steps to make iCloud safer.

Security Affairs

CISA announced the Pre-Ransomware Notifications initiative

The US Cybersecurity and Infrastructure Security Agency (CISA) announced the Pre-Ransomware Notifications service to help organizations stop ransomware attacks before damage occurs. The US Cybersecurity and Infrastructure Security Agency announced a new Pre-Ransomware Notification initiative that aims at alerting organizations of early-stage ransomware attacks. The principle behind the initiative is simple: ransomware...

Critical flaw in WooCommerce Payments plugin allows site takeover

A patch for a critical vulnerability in the WooCommerce Payments plugin for WordPress has been released for over 500,000 websites. On March 23, 2023, researchers from Wordfence observed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2. The WooCommerce Payments...

Cisco fixed multiple severe vulnerabilities in its IOS and IOS XE software

Cisco addressed dozens of vulnerabilities in its IOS and IOS XE software; six of these issues have been rated ‘high severity’. Cisco published the March 2023 Semiannual IOS and IOS XE Software Security Advisory that addresses several vulnerabilities in IOS and IOS XE software. Below is the list of flaws...

SecurityWeek

US Charges 20-Year-Old Head of Hacker Site BreachForums

The US Justice Department charged Conor Brian Fitzpatrick, founder of BreachForums, a major underground website for computer hackers.

Tesla Hacked Twice at Pwn2Own Exploit Contest

Researchers at French offensive hacking shop Synacktiv demonstrated successful exploit chains against Tesla’s newest electric car to take top billing at the annual Pwn2Own contest.

CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections

The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.

TechRepublic

DevSecOps puts security in the software cycle

Addressing cybersecurity can be a challenge when the focus is on speed in software development and production life cycles.

Even when armed with defense tools, CISOs say successful cyberattacks are ‘inevitable’: New study

Cisco’s just-released 2023 Cybersecurity Index shows companies will invest more in security, but the solution may be a larger tent, not more umbrellas.

Massive adversary-in-the-middle phishing campaign bypasses MFA and mimics Microsoft Office

Microsoft has already seen millions of phishing emails sent every day by attackers using this phishing kit. Learn how to protect your business from this AitM campaign.

The Guardian

Why is TikTok banned from government phones – and should rest of us be worried?

UK has removed app over concerns data can be monitored by Chinese state, but public remain vulnerable. TikTok is wildly popular, with more than 1 billion people consuming its short video posts around the world. But the app is less favoured by politicians in key markets such as the US...

Voice system used to verify identity by Centrelink can be fooled by AI

Exclusive: Voiceprint program used by millions of Australians to access data held by government agencies shown to have a serious security flaw. A voice identification system used by the Australian government for millions of people has a...

Labor plan to beef up government’s cyber powers faces Senate block

A paper expanding on greater ability to intervene during hacks – especially on private companies – causes alarm among Coalition and Greens. Labor could face Senate difficulties if it...

The Hacker News

OpenAI Reveals Redis Bug Behind ChatGPT User Data Exposure Incident

OpenAI on Friday disclosed that a bug in the Redis open source library was responsible for the exposure of other users' personal information and chat titles in the upstart's ChatGPT service earlier this week. The glitch, which came to light on March 20, 2023, enabled certain users to view brief descriptions...

Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware. The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials...

THN Webinar: Inside the High Risk of 3rd-Party SaaS Apps

Any app that can improve business operations is quickly added to the SaaS stack. However, employees don't realize that this SaaS-to-SaaS connectivity, which typically takes place outside the view of the security team, significantly increases risk. Whether employees connect through Microsoft 365, Google Workspace, Slack, Salesforce, or any other app,...

The Register

CISA unleashes Untitled Goose Tool to honk at danger in Microsoft’s cloud

Not a headline we expected to write today. American cybersecurity officials have released an early-warning system to protect Microsoft cloud users.…

Github publishes RSA SSH host keys by mistake, issues update

Getting connection failures? Don't panic. Get new keys. Github has updated its SSH keys after accidentally publishing the private part to the world. Whoops.…

French parliament says oui to AI surveillance for 2024 Paris Olympics

Liberté, égalité, reconnaissance faciale for all. Despite the opposition of 38 civil society groups, the French National Assembly has approved the use of algorithmic video surveillance during the 2024 Paris Olympics.…

The Security Ledger

Episode 249: Intel Federal CTO Steve Orrin on the CHIPS Act and Supply Chain Security

Paul speaks with Steve Orrin, the Federal CTO at Intel Corp, about representing Intel and its technologies to Uncle Sam and the impact of the CHIPS Act, a massive new federal investment in semiconductors.

Malicious Automation is driving API Security Breaches

Removing the ability to automate against a vulnerable API is a huge step forward, as automation is a key enabler for both the exploitation and the extraction of large amounts of sensitive data.

Spotlight: Making the Most of Cyber Threat Intelligence with Itsik Kesler of KELA

In this Spotlight episode of the Security Ledger podcast, I interview Itsik Kesler, the CTO of the threat intelligence firm Kela, about the evolution of threat intelligence and findings from the company’s latest State of Cybercrime Threat Intelligence report.

Threatpost

Tripwire

Interpol arrests thousands of scammers in operation “First Light 2022”

Law enforcement agencies around the world appear to have scored a major victory in the fight against fraudsters, in an operation that seized tens of millions of dollars and saw more than 2,000 people arrested. Operation “First Light 2022”, running for two months from March 8 2002 until May...

Troy Hunt

Weekly Update 339

Presently sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today. Why can't I audio right? It's my 339th video and I still make mistakes 🙂 But it came good and we got a decent show out of...

Weekly Update 338

I'm going to lead this post with where I finished the video because it brought the biggest smile to Charlotte's and my faces this week: This. Is. Amazing 😍...

To Infinity and Beyond, with Cloudflare Cache Reserve

What if I told you... that you could run a website from behind Cloudflare and only have 385 daily requests miss their cache and go through to...

We Live Security

Highlights from TikTok CEO’s Congress grilling – Week in security with Tony Anscombe

Here are some of the key moments from the five hours of Shou Zi Chew's testimony and other interesting news on the data privacy front.

What TikTok knows about you – and what you should know about TikTok

As TikTok's CEO attempts to placate U.S. lawmakers, it’s time for us all to think about the wealth of personal information that TikTok and other social media giants collect about us.

Understanding Managed Detection and Response – and what to look for in an MDR solution

Why your organization should consider an MDR solution and five key things to look for in a service offering.

Wired

The TikTok Hearing Revealed That Congress Is the Problem

The interrogation of CEO Shou Zi Chew highlighted US lawmakers’ own failure to pass privacy legislation.

TikTok Paid for Influencers to Attend the Pro-TikTok Rally in DC

The embattled social media company brought out the checkbook to ensure at least 30 of its biggest assets—creators—were in DC to help fend off critics.

Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data

Image-editing tools from Google and Microsoft contain the “aCropalypse” bug, which can reveal information users intentionally removed.

The TikTok CEO’s Face-Off With Congress Is Doomed

On Thursday, Shou Zi Chew will meet a rare united front in the US Congress against the Chinese-owned social media app that has lawmakers in a tizzy.

ZDNet