Security Leftovers
-
LWN ☛ Security updates for Friday
Security updates have been issued by Debian (chromium, imagemagick, and iwd), Fedora (chromium, firefox, and pdns-recursor), Mageia (nodejs and yarnpkg), Red Hat (firefox, postgresql, and postgresql:15), and SUSE (bind, mozilla-nss, openssh, php-composer2, python-pycryptodome, python-uamqp, python310, and tiff).
-
LWN ☛ Stenberg: DISPUTED, not REJECTED
The Curl project has previously had problems with CVEs issued for things that are not security issues. On February 21, Daniel Stenberg wrote about the Curl project's most recent issue with the CVE system, saying: I keep insisting that the CVE system is broken and that the database of existing CVEs hosted by MITRE (and imported into lots of other databases) is full of questionable content and plenty of downright lies. A primary explanation for us being in this ugly situation is that it is simply next to impossible to get rid of invalid CVEs.
-
Diffoscope ☛ Reproducible Builds (diffoscope): diffoscope 258 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 258. This version includes the following changes: [...]
-
OpenVAS vs. Nessus: Top Vulnerability Scanners Compared
Nessus and OpenVAS are both popular vulnerability assessment tools. See if either of them are right for your needs.
-
Pen Test Partners ☛ Advice for manufacturers on the coming PSTI regulation
TL;DR PSTI: The UK Product Security and Telecommunications Infrastructure (Product Security) Act Regulations effective from 29 April 2024 Assess how, where, why, and when you may be affected [...]
-
India Times ☛ Hackers for sale: What we've learned from China's massive cyber leak
A massive data leak from Chinese cybersecurity firm I-Soon has offered a rare glimpse into the inner workings of Beijing-linked hackers. I-Soon is yet to confirm the leak is genuine and has not responded to a request for comment from AFP.
-
Hong Kong Free Press ☛ Massive data leak shows Chinese firm hacked foreign gov’ts and activists, analysts say
A Chinese tech security firm was able to breach foreign governments, infiltrate social control media accounts and hack personal computers, a massive data leak analysed by experts this week revealed.
-
Security Week ☛ AT&T Says the Outage to Its US Cellphone Network Was Not Caused by a Cyberattack [Ed: Windows breach? Windows botnets?]
AT&T said the hourslong outage to its U.S. cellphone network Thursday appeared to be the result of a technical error, not a malicious attack.
-
CS Monitor ☛ When cellphone outages strike, landlines can help – if you have one
Landlines are handy to have when mobile networks go down – but they’ve disappeared from nearly 3 in 4 American households. The shift is part of a broader evolution in our expectations around communication.
-
Security Week ☛ 230k Individuals Impacted by Data Breach at Australian Telco Tangerine
Tangerine Telecom says attackers stole the personal information of 230,000 individuals from a legacy customer database.
-
Security Week ☛ Apple Shortcuts Vulnerability Exposes Sensitive Information
High-severity vulnerability in Fashion Company Apple Shortcuts could lead to sensitive information leak without user’s knowledge.
-
SANS ☛ Simple Anti-Sandbox Technique: Where's The Mouse, (Fri, Feb 23rd)
Malware samples have plenty of techniques to detect if they are running in a "safe" environment. By safe, I mean a normal computer with a user between the keyboard and the chair, programs running, etc. These techniques are based on checking the presence of specific processes, registry keys, or files. The hardware can also be a good indicator (are some devices present or not)...
-
Security Week ☛ ‘SlashAndGrab’ ScreenConnect Vulnerability Widely Exploited for Malware Delivery
ConnectWise ScreenConnect vulnerability tracked as CVE-2024-1709 and SlashAndGrab exploited to deliver ransomware and other malware.
-
Security Week ☛ In Other News: Spyware Vendor Shutdown, Freenom-Meta Settlement, 232 Threat Groups
Noteworthy stories that might have slipped under the radar: Spyware vendor Variston is reportedly shutting down, Crowdstrike tracks 232 threat actors, Meta and Freenom reach settlement.
-
Bruce Schneier ☛ AIs [cr]acking Websites
New research:
LLM Agents can Autonomously Hack Websites
Abstract: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents.
In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs...
-
Integrity/Availability/Authenticity
-
Troy Hunt ☛ Troy Hunt: Thanks FedEx, This is Why we Keep Getting Phished
What makes this situation so ridiculous is that while we're all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like "here, hold my beer" as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.
-