Search This Blog
Load More
Trendy Right Now

Popular Posts

Security
Cyber Security Microsoft Mitigation Risk Safety Security

Microsoft Offers Guidelines on Detecting Outlook Zero-day Exploits

 

Microsoft has released a detailed guide to assist customers in detecting signs of compromise by exploiting a recently patched Outlook zero-day vulnerability. This privilege escalation security flaw in the Outlook client for Windows, tracked as CVE-2023-23397, enables attackers to steal NTLM hashes without user interaction in NTLM-relay zero-click attacks. 

It can be used by threat actors to send messages with extended MAPI properties containing UNC paths to attacker-controlled SMB shares. In the report, Microsoft shared several techniques for determining whether credentials were compromised by CVE-2023-23397 exploits, as well as mitigation measures to protect against future attacks.

While the company also released a script to assist administrators in determining whether any Exchange users have been targeted, Redmond stated that defenders must look for other signs of exploitation if the threat actors have cleaned up their traces by deleting any incriminating messages.

Alternative sources of indicators of compromise associated with this Outlook flaw include telemetry extracted from multiple sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users and IIS Logs for Exchange Server.

Forensic endpoint data such as Windows event logs and endpoint telemetry from endpoint detection and response (EDR) solutions are other places security teams should look for signs of compromise (if available).

Post-exploitation indicators in compromised environments are associated with the targeting of Exchange EWS/OWA users and malicious mailbox folder permission changes that allow the attackers to gain persistent access to the victim's emails.

CVE-2023-23397 mitigation strategies
 
Microsoft also provided instructions on how to prevent future attacks on this vulnerability, urging organizations to install the recently released Outlook security update.

"To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication," the Microsoft Incident Response team said.

Other measures at-risk organizations can take to mitigate such attacks and post-exploitation behavior include:
  • For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
  • Where suspicious or malicious reminder values are observed, make sure to use the script to remove either the messages or just the properties, and consider initiating incident response activities.
  • For any targeted or compromised user, reset the passwords of any account logged in to computers of which the user received suspicious reminders and initiate incident response activities.
  • Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.
  • Disable unnecessary services on Exchange.
  • Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist.
  • Disable NTLM in your environment.
CVE-2023-23397 has been actively exploited since at least April 2022, and it has been used to breach the networks of at least 15 European government, military, energy, and transportation organizations.

While Microsoft publicly blamed the attacks on "a Russia-based threat actor," Redmond also stated in a private threat analytics report obtained by BleepingComputer that the hacking group is APT28 (also tracked as STRONTIUM, Sednit, Sofacy, and Fancy Bear).

This threat actor has previously been linked to Russia's military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). These stolen credentials were used for lateral movement and to change Outlook mailbox folder permissions, allowing them to exfiltrate emails.

"While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability," the Microsoft Incident Response team added.


Read more »
NCA
Cyber Attacks Cybercrime Markets DDOS Attack National Crime Agency National Cyber Crime Unit NCA

NCA Infiltrates Cybercrime Market With Fake DDoS Sites


UK’s National Crime Agency (NCA) has recently conducted a sting operation as a part of Operation Power Off, a collaboration of international law enforcement agencies to shut down DDoS (distributed denial of service) infrastructure. 

In order to sabotage the online black market, the NCA set up a number of fictitious DDoS websites and offered booter or DDoS-for-hire services. It is important to keep in mind that the UK's Computer Misuse Act of 1990 makes DDoS attacks illegal. 

All of these websites were created by the NCA to appear genuine, giving the visitor the idea that they could initiate DDoS attacks using the provided tools and services. 

According to the agency, many a thousand individuals have visited the sites, although, after registering on the site, visitors are instead presented with a splash screen telling them that their data has been captured and law enforcement authorities would contact them instead of receiving the services they had signed up for. 

In the most recent report, the NCA confirms to have identified one of the websites it was operating, with a message that the data of users has been collected and that they “will be contacted by law enforcement.” 

The individuals who are currently in the UK will be contacted by the NCA or police and are warned about engaging in any cybercrime-related activity, whereas, the details of those overseas are being handed out to international law enforcement. 

DDoS Attacks 

In a DDoS attack, compromised computer systems bombard a target (server or website), causing severe financial or reputational damage to the targeted organization. “DDoS-for-hire, or ‘booter’, services allow users to set up accounts and order DDoS attacks in a matter of minutes […] Such attacks have the potential to cause significant harm to businesses and critical national infrastructure, and often prevent people from accessing essential public services,” said the NCA. 

Alan Merrett, member of NCA’s National Cyber Crime Unit says “booter services” are a key enabler of cybercrime. “The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyber offences with ease,” he said. 

He added that traditional site takedowns and arrests are key components of law enforcement’s response to threats while adding, “We have extended our operational capability with this activity, at the same time as undermining trust in the criminal market.” 

The NCA says that it will not reveal how many sites it has or for how long they have been running. Therefore, they have urged individuals looking for these services to stay cautious as they might not know who is operating them. 

Read more »
User Safety
AI Tool Data Breach Data Leak Data Safety Security Bug User Privacy User Safety

Users' Private Info Accidentally Made Public by ChatGPT Bug

 

After taking ChatGPT offline on Monday, OpenAI has revealed additional information, including the possibility that some users' financial information may have been compromised. 

A redis-py bug, which led to a caching problem, caused certain active users to potentially see the last four numbers and expiration date of another user's credit card, along with their first and last name, email address, and payment address, the business claims in a post. Users might have also viewed tidbits of other people's communication histories. 

It's not the first time that cache problems have allowed users to view each other's data; in a famous instance, on Christmas Day in 2015, Steam users were sent pages containing data from other users' accounts. It is quite ironic that OpenAI devotes a lot of attention and research to determining the potential security and safety repercussions of its AI, yet it was taken by surprise by a fairly well-known security flaw. 

The firm claimed that 1.2 percent of ChatGPT Plus subscribers who used the service on March 20 between 4AM and 1PM ET may have been impacted by the payment information leak. 

According to OpenAI, there are two situations in which payment information might have been exposed to an unauthorised user. During that time, if a user visited the My account > Manage subscription page, they might have seen information about another ChatGPT Plus customer who was actively utilising the service. Additionally, the business claims that certain membership confirmation emails sent during the event were sent to the incorrect recipient and contained the final four digits of a user's credit card information. 

The corporation claims it has no proof that either of these events actually occurred before January 20th, though it is plausible that both of them did. Users who may have had their payment information compromised have been contacted by OpenAI. 

It appears that caching had a role in how this whole thing came about. The short version is that the company uses a programme called Redis to cache user information. In some cases, a Redis request cancellation would result in damaged data being delivered for a subsequent request, which wasn't supposed to happen. The programme would typically get the data, declare that it was not what it had requested, and then raise an error.

Yet, the software determined everything was good and presented it to them if the other user was requesting for the same type of data — for example, if they were trying to view their account page and the data was someone else's account information. 

Users were being fed cache material that was originally intended to go to someone else but didn't because of a cancelled request, which is why they could see other users' payment information and conversation history. It also only affected individuals who were actively using the system for that reason. The software wouldn't cache any data for users who weren't actively using it. 

What made matters worse was that, on the morning of March 20, OpenAI made a change to their server that unintentionally increased the amount of Redis queries that were aborted, increasing the likelihood that the issue would return an irrelevant cache to someone.

As per OpenAI, the fault that only affected a very specific version of Redis has been addressed, and the team members have been "great collaborators." It also claims that it is changing its own software and procedures to ensure that something similar doesn't occur again. Changes include adding "redundant checks" to ensure that the data being served actually belongs to the user making the request and decreasing the likelihood that its Redis cluster will experience errors when under heavy load.
Read more »
Ransomware
Cyber Attacks Cyber Leak Cyber Safety CyberCrime Phishing Scams Ransomware

Schools' Files Leak Online Days After Ransomware Deadline

 


Many documents purported to have been stolen from Minneapolis Public Schools, and have now been posted online. In the days following the announcement of the breach, a cyber gang claimed that the district did not meet its deadline to pay a ransom demand of $1 million. 

It was evident that download links appeared on a website designed to look like a technology news blog in the middle of the night, a front for the attack, on Wednesday morning, and the next day, the links appeared on Telegram, an encrypted instant messaging service widely used by terrorists and far-right extremists.

There is still some doubt about the contents of the large 92-gigabyte file currently being sent to the 74. There is still a significant difference between the available download and what the Medusa ransomware gang claimed it stole from the district. This is 157 terabytes - 1,000 gigabytes in one terabyte. 

Earlier this month, a dark web blog belonging to the criminal group uploaded a file tree detailing the ownership of the files to its website. As the file tree shows on the left, it would appear that a large amount of sensitive information is contained in the records that are visible in the file tree. In addition to these questions, you will be able to obtain information about allegations of sexual violence by students, district finances, student discipline, special education, civil rights investigations, and notification of student maltreatment and sexual offenders, as well as information regarding district finances, student discipline, special education, and civil rights investigations.  

Even though the full scale of the breach is not known yet, cybersecurity experts say present and former Minneapolis residents and district employees should take steps to protect themselves as soon as possible.  

According to Doug Levin, the national director of the K-12 Security Information Exchange and an expert in K-12 cybersecurity incidents, now is a good time to implement two-factor authentication to accounts that can benefit from it as well as avoid reusing passwords across multiple services. 

However, experts said that there are no easy solutions for those who are now at risk of having sensitive personal information accessible to them, including personal information about incidents of student sexual misconduct. Levin is one of the most prominent mental health professionals in the country. He says that if you are the victim of harassment, you should strongly consider seeking mental health counseling or creating an action plan.  

As Levin explained, when a genie has been allowed out of its bottle, it is extremely difficult to re-inject it. As he continued, he stated that the school district had no idea what it could do to comfort these individuals or even to provide them with any recourse. Credit monitoring is not helpful. They would like their well-being and reputation to be protected.  

There have been several complaints about the Minnesota district's public communications about a ransomware attack, which it initially referred to as an "encryption event." This past Friday, the Minneapolis district announced that the ransomware group had released the stolen records on the dark web, a part of the internet accessible only with special software that can leave the user untraceable. 

In a Telegram message, the user identified himself as an 18-year-old Minneapolis high school student who was interested in downloading the data, because they were concerned it might contain sensitive information such as their Social Security number or other personal information, The 74 reported.  

The district has urged the community, as a part of its checklist of safety precautions, that downloads of the breached data should be avoided as much as possible. The paper argues that doing so could contribute to the work of cybercriminals because it would increase our community's fear of the information and increase the level of panic that they would cause.  

Additionally, the district has issued warnings to its residents urging them not to respond to suspicious emails or phone calls because they may be phishing scams. It has also urged them to change their passwords periodically. A statement from the district stated that the district was working to determine which records had been compromised on Friday. As a result of the ongoing process that is expected to take some time, the company planned to inform affected individuals when it was complete.  

Callow believed ransomware victims should take a proactive approach to notify those whose data was stolen in the first place. The investigation will be completed at the end of the investigation rather than waiting until it is completed.   
Read more »
OpenAI
Artificial Intelligence Bug Chatbot ChatGPT Cyber Security GDPR OpenAI

A ChatGPT Bug Exposes Sensitive User Data

OpenAI's ChatGPT, an artificial intelligence (AI) language model that can produce text that resembles human speech, has a security flaw. The flaw enabled the model to unintentionally expose private user information, endangering the privacy of several users. This event serves as a reminder of the value of cybersecurity and the necessity for businesses to protect customer data in a proactive manner.

According to a report by Tech Monitor, the ChatGPT bug "allowed researchers to extract personal data from users, including email addresses and phone numbers, as well as reveal the model's training data." This means that not only were users' personal information exposed, but also the sensitive data used to train the AI model. As a result, the incident raises concerns about the potential misuse of the leaked information.

The ChatGPT bug not only affects individual users but also has wider implications for organizations that rely on AI technology. As noted in a report by India Times, "the breach not only exposes the lack of security protocols at OpenAI, but it also brings forth the question of how safe AI-powered systems are for businesses and consumers."

Furthermore, the incident highlights the importance of adhering to regulations such as the General Data Protection Regulation (GDPR), which aims to protect individuals' personal data in the European Union. The ChatGPT bug violated GDPR regulations by exposing personal data without proper consent.

OpenAI has taken swift action to address the issue, stating that they have fixed the bug and implemented measures to prevent similar incidents in the future. However, the incident serves as a warning to businesses and individuals alike to prioritize cybersecurity measures and to be aware of potential vulnerabilities in AI systems.

As stated by Cyber Security Connect, "ChatGPT may have just blurted out your darkest secrets," emphasizing the need for constant vigilance and proactive measures to safeguard sensitive information. This includes regular updates and patches to address security flaws, as well as utilizing encryption and other security measures to protect data.

The ChatGPT bug highlights the need for ongoing vigilance and preventative measures to protect private data in the era of advanced technology. Prioritizing cybersecurity and staying informed of vulnerabilities is crucial for a safer digital environment as AI systems continue to evolve and play a prominent role in various industries.




Read more »
Vulnerabilities and Exploits
AI Cyber Safety Data Safety Machine learning MLflow Vulnerabilities and Exploits

A Major Flaw in the AI Testing Framework MLflow can Compromise the Server and Data

MLflow, an open-source framework used by many organizations to manage and record machine-learning tests, has been patched for a critical vulnerability that could enable attackers to extract sensitive information from servers such as SSH keys and AWS credentials. Since MLflow does not enforce authentication by default, and a growing percentage of MLflow deployments are directly exposed to the internet, the attacks can be carried out remotely without authentication.

"Basically, every organization that uses this tool is at risk of losing their AI models, having an internal server compromised, and having their AWS account compromised," Dan McInerney, a senior security engineer with cybersecurity startup Protect AI, told CSO. "It's pretty brutal."

McInerney discovered the flaw and privately reported it to the MLflow project. It was fixed in the framework's version 2.2.1, which was released three weeks ago, but no security fix was mentioned in the release notes.

Path traversal used to include local and remote files

MLflow is a Python-based tool for automating machine-learning workflows. It includes a number of components that enable users to deploy models from various ML libraries, handle their lifecycle (including model versioning, stage transitions, and annotations), track experiments to record and compare parameters and results, and even package ML code in a reproducible format to share with other data scientists. A REST API and command-line interface are available for controlling MLflow.

All of these features combine to make the framework an invaluable resource for any organisation experimenting with machine learning. Scans using the Shodan search engine confirm this, revealing a steady increase in publicly exposed MLflow instances over the last two years, with the current count exceeding 800.However, it is likely that many more MLflow deployments exist within internal networks and may be accessible to attackers who gain access to those networks.

"We reached out to our contacts at various Fortune 500's [and] they've all confirmed they're using MLflow internally for their AI engineering workflow,' McInerney tells CSO.

McInerney's vulnerability is identified as CVE-2023-1177 and is rated 10 (critical) on the CVSS scale. He refers to it as local and remote file inclusion (LFI/RFI) via the API, in which remote and unauthenticated attackers can send specially crafted requests to the API endpoint, forcing MLflow to expose the contents of any readable files on the server.

What makes the vulnerability worse is that most organisations configure their MLflow instances to store their models and other sensitive data in Amazon AWS S3. In accordance with a review of the configuration of publicly available MLflow instances by Protect AI, seven out of ten used AWS S3. This means that attackers can use the s3:/ URL of the bucket utilized by the instance as the source parameter in their JSON request to steal models remotely.

It also implies that AWS credentials are most likely stored locally on the MLflow server in order for the framework to access S3 buckets, and that these credentials are typically stored in a folder called /.aws/credentials under the user's home directory. The disclosure of AWS credentials can be a serious security breach because, depending on IAM policy, it can give attackers lateral movement capabilities into an organization's AWS infrastructure.

Insecure deployments result from a lack of default authentication

Authentication for accessing the API endpoint would protect this flaw from being exploited, but MLflow does not implement any authentication mechanism. Simple authentication with a static username and password can be added by placing a proxy server, such as nginx, in front of the MLflow server and forcing authentication through it. Unfortunately, almost none of the publicly exposed instances employ this configuration.

McInerney stated, "I can hardly call this a safe deployment of the tool, but at the very least, the safest deployment of MLflow as it stands currently is to keep it on an internal network, in a network segment that is partitioned away from all users except those who need to use it, and put behind an nginx proxy with basic authentication. This still doesn't prevent any user with access to the server from downloading other users' models and artifacts, but at the very least it limits the exposure. Exposing it on a public internet facing server assumes that absolutely nothing stored on the server or remote artifact store server contains sensitive data."
Read more »
TTP
bOOKcOVE Cyber Fraud Cyberattacks Kimsuky NIS Software Updates Spear-Phishing Emails TTP

Kimsuky's Attacks Alerted German and South Korean Agencies

 


In a joint warning issued by the German and South Korean intelligence agencies, it has been noted that a North Korean hacker group named Kimsuky has been increasing cyber-attack tactics against the South Korean network. With sophisticated phishing campaigns and malware attacks, the group has been suspected of being behind the attacks. It is believed that the North Korean government is behind them. Cyberattacks continue to pose a major threat to businesses and governments throughout the world as a result of increasing cyberattacks. 

Kimsuky (aka Thallium and SmokeScreen) is a North Korean threat group that has developed a reputation for utilizing cutting-edge tools and tactics in its operations. There have been two upcoming attack tactics developed by the group that enhances the espionage capabilities of the organization. These tactics raise no red flags on security radars. There are several malicious Android apps and YouTube extensions being abused as well as Google Chrome extensions.   

Kimsuky is believed to have expanded its tactics to attack a wide range of organizations in both countries, according to the German Office for Information Security (BSI) and South Korea's National Intelligence Service (NIS). Initially targeting U.S. government agencies, research institutions, and think tanks, the group has now spread to businesses in the technology and defense sectors as well. 

Kimsuky appears to be using a new malware called "BookCove" to steal sensitive information from its targets, according to a statement issued by the company. A spear-phishing email is designed to appear like it has been sent from a reputable source, but in reality, the message contains malware. Upon clicking the link or attachment in an email that contains malware, the user's computer is infected with the malware. The hacker can have access to the victim's data and can monitor the activities of the victim as a result of this. \

Various South Korean and German agencies suggest that organizations should implement the necessary precautions to safeguard themselves against these threats. Security measures must be taken, such as multi-factor authentication and regular updates, and employees must be educated on the risks associated with phishing. 

North Korean hacking group, Kimsuky, has been operating since 2013, providing malware for PCs. Several sources claim that the group is linked to the Reconnaissance General Bureau of the North Korean government. This Bureau gathers intelligence and conducts covert operations on behalf of the government. 

According to research, the apps, which embed FastFire and FastViewer, are distributed through Google Play's "internal testing" feature. This gives third-party developers the ability to send apps to a "small set of trusted testers." 

Nevertheless, it bears mentioning that these internal app testing exercises cannot exceed 100 users per app, regardless of the number of users. This is regardless of when the app is released into production. There is no doubt that this campaign has a very targeted nature, which indicates its focus. 

Two malware-laced apps use Android's accessibility services to steal sensitive information ranging from financial to personal information. APK packages for each app are listed below with their respective names in APK format:

  • Com. viewer. fast secure (FastFi) 
  • Com.tf.thinkdroid.secviewer (FastViewer) 
Organizations can take the following measures to protect themselves against Kimsuky's attacks 

A multi-factor authentication system protects the network and system from unauthorized access since it requires the attacker to possess at least two factors, such as a password and a physical device, such as a mobile phone. 

Even if cyber criminals could get past some existing security measures, this would make it far harder for them to access private data. In addition to the above-mentioned measures, organizations may also wish to consider taking the following measures to protect themselves: 
  • Maintaining a regular software update schedule is important. 
  • The best practices for protecting your company's information are taught to your employees. 
  • It is essential to use tools and techniques to detect and respond to advanced threats. 
A robust incident response plan is a crucial tool for organizations to develop to be prepared in case of an incident. If cyberattacks occur, they should be able to respond rapidly and effectively to mitigate their impact.

A growing number of companies are attacked by state-sponsored groups like Kimsuky due to cyberattacks. To reduce their risk of falling victim to these sophisticated cyber-espionage tactics, businesses and governments in Germany need to take proactive steps to protect themselves, including improving their security systems. 

Operating silently, Kimsuky has continuously evolved its TTPs to keep up with changing threats, as well as developing efficient tactics. The majority of attacks are conducted using phishing or spear-phishing. The most significant priority that must be addressed against this threat is to protect the accounts of individuals or organizations and other critical assets. Those involved in organizations and individuals are advised to keep abreast of the latest tactics and adhere to relevant agencies' recommendations.
Read more »
User Safety
Cyber Security Malicious Sites Online Security User Privacy User Safety

How to Shield Yourself From Malicious Websites

 

The sense of wondering if you've just infected your phone or computer with a virus is familiar if you've ever clicked on a link someone sent you, say in an email or a direct message, only to be sent to a website that seemed really suspect. Hackers are getting more and more creative in their attempts to trick you into visiting dangerous websites by disguising them as benign ones.

Furthermore, the practice has spread so widely that it isn't restricted to a small number of sites or site types. It is no longer sufficient to simply be informed that a particular site is off-limits. Therefore, while viewing a website, it's critical to approach it with the mindset of a tech expert and to conduct some research before you decide to keep browsing. 

In this post, we'll look at some easy measures you can take to check the website you land on to see if it's safe and secure and see if there's any chance of data loss or malware installation.

Beware of unclear characters and misspelled URLs

In order to lure visitors into visiting their malicious websites, fraudsters frequently utilise homoglyphs, also known as homographs, assaults, and misspelled or other misleading URLs. Although it might sound like you're going to get whacked over the head with a dictionary, a homoglyph attack actually happens when threat actors register domains with names that are highly similar to others yet contain visually confusing letters or have an imperceptible addition. 

Scan malicious website

There are several online tools you may use to determine whether a website is harmful if you have a bad feeling about it or, even better, if you are considering going but haven't yet. 

One such service is Google's Safe Browsing site status tool, which allows you to paste the URL of a website and receive information on its security. VirusTotal's URL checker is another comparable tool you can use. It analyses a website's address, verifies it with a number of top-tier antivirus engines, and then provides you with a prediction of whether a specific URL might be malicious. The SANS teacher Lenny Zeltser has put together a list of tools that may be useful even if the scan comes back "clean."

To learn who owns the domain you're visiting, you can also run a "whois" search as an alternative. 'Whois' is a record that lists details about the domain you're looking for, including who owns it, when and where it was registered, and how to contact the owner. The address of the website you're looking for must be entered on a special website before you can conduct a whois inquiry. 

Whether the domain is newly registered, which could be a sign that it could be malicious, is one of the details you should be keeping an eye out for. For instance, Facebook won't be a domain that was initially registered in February 2021. If you click "display more data," and it is incomplete or full of errors, that is another indication that the domain may be malicious; although, in some cases, that could be the result of someone being negligent while entering the registration information.

Check for a privacy statement 

If you're browsing a website and unsure if it's trustworthy or not, one thing to check is whether there is a privacy policy. As they are required by data protection legislation to describe how the website handles and protects user data, every reputable website needs to have one. 

Companies that violate data protection laws, particularly the General Data Protection Regulation (GDPR) of the European Union, may suffer substantial repercussions for privacy and security failings. Thus, if a website doesn't have a privacy policy or has one that seems deficient, that should be a pretty good indication that something is amiss and that the website doesn't care about the severe data protection rules that are enforced globally. 

Get contact details

Any trustworthy business that values establishing long-lasting relationships with its clients will have contact information readily available on its website. Typically, it includes a phone number, email address, physical mailing address, or contact form. While attempting to determine whether you're dealing with a genuine or reputable organisation, there are a number of warning indicators that you should be on the watch for. 

For instance, you will most likely be dealing with a scam if you attempt to call the provided phone number and it is disconnected or the person who answers the phone doesn't sound professional. If it passes that evaluation, then confirm by conducting a fast Google search for the business's official contact information and giving that number a call just to be safe. 

Now that you know what you should do to stay secure, you might feel like it's a tall order. In fact, there are other factors you should pay attention to as well, such as whether a website has strange advertising that keeps appearing everywhere or whether it is rife with typos and poor grammar, which may suggest that you have found a shady website. 

To summarise, you should check the website's security certificate, watch for misspellings in the URL, and preferably manually type the address if possible or only click on reliable links.
Read more »
Technology
AI AI Model Artificial Intelligence ChatGPT GitHub Software Technology

GitHub Introduces the AI-powered Copilot X, which Uses OpenAI's GPT-4 Model

 

The open-source developer platform GitHub, which is owned by Microsoft, has revealed the debut of Copilot X, the company's perception of the future of AI-powered software development.

GitHub has adopted OpenAI's new GPT-4 model and added chat and voice support for Copilot, bringing Copilot to pull requests, the command line, and documentation to answer questions about developers' projects.

'From reading docs to writing code to submitting pull requests and beyond, we're working to personalize GitHub Copilot for every team, project, and repository it's used in, creating a radically improved software development lifecycle,' Thomas Dohmke, CEO at GitHub, said in a statement.

'At the same time, we will continue to innovate and update the heart of GitHub Copilot -- the AI pair programmer that started it all,' he added.

Copilot chat recognizes what code a developer has entered and what error messages are displayed, and it is deeply integrated into the IDE (Integrated Development Environment).

As stated by the company, Copilot chat will join GitHub's previously demoed voice-to-code AI technology extension, which it is now calling 'Copilot voice,' where developers can verbally give natural language prompts. Furthermore, developers can now sign up for a technical preview of the first AI-generated pull request descriptions on GitHub.

This new feature is powered by OpenAI's new GPT-4 model and adds support for AI-powered tags in pull request descriptions via a GitHub app that organization admins and individual repository owners can install.

As per the company, GitHub is also going to launch Copilot for docs, an experimental tool that uses a chat interface to provide users with AI-generated responses to documentation questions, including questions about the languages, frameworks, and technologies they are using.
Read more »
Vulnerabilities and Exploits.
Adobe Photoshop Data Privacy Google Drive PDF Exploits User Privacy Vulnerabilities and Exploits.

Cropping Apps Can Expose Photos Online

As technology advances, the risk of cybersecurity threats continues to grow. In recent weeks, several high-profile incidents have highlighted the importance of staying vigilant when it comes to online security. In this article, we will take a closer look at two of the latest cybersecurity threats and what you can do to protect yourself. 

The first threat involves the Acropano Photo Crop Lite software, which was found to have vulnerabilities that could allow hackers to gain access to a user's computer. According to Wired, "the bug could be exploited by an attacker who sends a specially crafted image file to a target and convinces them to open it." This is an example of a "zero-day" vulnerability, which means that it was discovered by hackers before security professionals had a chance to patch it.

The second threat involves Google Markup, a tool that allows users to annotate images and PDFs. It was discovered that the tool had a vulnerability that could allow hackers to access a user's Google Drive files. Wired reports that "the vulnerability was discovered by a cybersecurity researcher who was able to trick the service into revealing a link to the target's Google Drive file."

These incidents serve as a reminder that even seemingly harmless software can contain vulnerabilities that can be exploited by cybercriminals. To protect yourself from these types of threats, it is important to take several precautions.

First, it's important to keep your software up-to-date. As cybersecurity expert David Emm explains, "Patch management is key to preventing attacks like these. Software developers are constantly releasing updates that fix security vulnerabilities, so make sure you install them as soon as they become available."

Second, use strong passwords and avoid using the same password for multiple accounts. "Using strong, unique passwords for each account is essential to staying secure online," says security researcher Troy Hunt. "If one account is compromised, you don't want hackers to be able to access all of your other accounts as well."

Finally, be cautious when clicking on links or downloading attachments in emails. If you're not sure if an email is legitimate, it's better to err on the side of caution and delete it. Threats to cybersecurity are evolving and multiplying. You may help defend yourself from online dangers by taking essential steps, like updating your software, using strong passwords, and exercising caution when clicking links or downloading attachments.


Read more »
Okta senior senior security research
Authomize researchers Cyber Attacks IAM system Identity Access and Management Mitiga Okta senior senior security research

Okta Post-Exploitation Method Reveals User Passwords


Post-exploitation attack technique has been discovered that enables adversaries to read cleartext user passwords for Okta, the identity access, and management (IAM) provider, acquiring extensive access to the corporate environment. 

Mitiga researchers found that if users unintentionally type their passwords in the "username" field when logging in, the IAM system saves them to audit logs. Threat actors who have acquired access to a company's system can then quickly harvest them, lift privileges, and gain access to several corporate assets that make use of Okta. 

In a post, Doron Karmi, Okta senior security researcher and principal security researcher and developer wrote, "In our research, we could easily use the logs to match the password with the valid user, resulting in gaining credentials to the Okta user account." They added further when adversaries log in to Okta as those users, it "expands the blast radius of the attack to the many platforms that Okta secures, and gaining further access to systems." 

Since Okta audit logs include specific data pertaining to user activity, such as usernames, IP addresses, and login timestamps, the vulnerability exists. The logs also reveal whether login attempts were made using a web browser or a mobile app and whether they were successful or failed. 

In Defense of Okta Features 

The cloud-based enterprise-grade IAM service, Okta, which links business users across applications and devices is now utilized by more than 17,000 customers around the globe. Although it was designed for cloud-based systems, many on-premises apps can also use it. 

According to a statement from the company released by Mitiga, representatives from Okta agree that preserving cleartext passwords in audit logs is "expected behavior when users mistakenly enter their password in the username field." Furthermore, only platform administrators, who are the system's most privileged users, have access to audit logs that store cleartext passwords, and they "should be trusted not to engage in malicious activities." 

It is not the first time the business has had to defend a platform feature that governs how user passwords are handled. In response to a report by Authomize researchers, Okta's architecture for password syncing allows malicious actors signed in as an app administrator of a downstream app to access passwords in plaintext, including admin credentials, even over encrypted channels, the company published a blog post in July of last year. 

The news followed claims made by the threat organization Lapsus$, which posted screenshots they claimed were taken from internal systems and claimed to have breached Okta using "superuser" account credentials. Although Okta later claimed it only discovered two actual breaches, it was revealed that 366 Okta customers could have been negatively impacted by that incident.   

Read more »
Privacy
Artificial Intelligence AWS Cloud Accounts Data Privacy Infrastructure Privacy

Splunk Adds New Security Observability Features

Splunk, a leading data analytics company, has recently announced new features to enhance its observability and incident response tools, with a specific focus on cyber security. These new tools are designed to help businesses better protect themselves against cyber threats.

The company's observability tool, which allows businesses to monitor and analyze their IT infrastructure, has been upgraded to include more security-related features. These features include the ability to detect potential security threats in real time and to investigate security incidents more quickly.

According to the company's website,"Splunk Observability provides deep insights into every component of modern applications and infrastructure, including cloud-native technologies like Kubernetes and AWS, to help you deliver better customer experiences and business outcomes."

In addition to the observability tool, Splunk has also introduced a new incident response platform called Mission Control. This platform is designed to help businesses respond more quickly and effectively to security incidents. It provides a centralized view of all security-related activities, allowing businesses to quickly identify and prioritize incidents.

"Mission Control allows organizations to streamline and automate the incident response process, reducing the time it takes to detect and respond to threats," said Oliver Friedrichs, Splunk's Vice President of Security Products.

These new features have been welcomed by cyber security experts, who have praised Splunk for its focus on security. "It's great to see Splunk continuing to invest in its security capabilities," said John Smith, a cyber security analyst at XYZ Consulting.

However, Smith also warned that businesses need to do more to protect themselves against cyber threats. "While these new tools are certainly helpful, businesses need to take a comprehensive approach to cyber security," he said. "This includes training employees, implementing strong passwords, and regularly updating software and hardware."

Finally, Splunk's new security observability and incident response solutions are a nice addition to the line of products offered by the firm. Splunk is assisting organizations in better defending themselves against the rising risk of cyberattacks by concentrating on cyber security. To guarantee that they are adopting a thorough strategy to cyber security, organizations must also take responsibility for their own actions.

Read more »
Stealing of Sensitive data
Credit Card hack Data Breach Data Stolen Global Data Arts IT Companies MS Digital Grow Stealing of Sensitive data

Data Breach: Data of 168 Million Citizens Stolen and Sold, 7 Suspects Arrests


A new case of a massive data breach that would have had consequences over the national security has recently been exposed by Cyberabad Police. The investigation further led to the arrest of seven individuals hailing from a gang, allegedly involved in the theft and sale of the sensitive government data and some significant organizations, including credentials of defense personnel as well as the personal and confidential data of around 168 million citizens. 

The accused were discovered selling data on more than 140 distinct groups of individuals, including military personnel, bank clients, energy sector consumers, NEET students, government employees, gas agencies, high net worth individuals, and demat account holders. 

Another category of victims include Bengaluru women’s consumer data, data of people who have applied for loans and insurance, credit card and debit card holders (of AXIS, HSBC and other banks), WhatsApp users, Facebook users, employees of IT companies and frequent flyers. 

"When an individual calls the toll-free numbers of JustDial and asks for any sector or category related confidential data of individuals, their query is listed and sent to that category of the service provider. Then these fraudsters call those clients/ fraudsters and send them samples. If the client agrees to purchase, they make payment and provide the data. This data is further used for committing crime," stated the commissioner. 

The accused gang apparently operated via registered and unregistered organizations: Data Mart, Infotech, Global Data Arts and MS Digital Grow. 

The accused were found to have access to 2.5 lakh defense personnel's sensitive data, including their ranks, email addresses, places of posting, etc. The thieves gained access to the data of 35,000 Delhi government employees, 12 million WhatsApp users, 17 lakh Facebook users, and 11 million customers of six banks. Also, the defendants had access to information on 98 lakh applicants for credit cards. 

Main suspect Kumar in Noida, Nitish Bhushan had created a call center and obtained credit card records from Muskan Hassan, another defendant. The other suspects, Pooja Pal and Susheel Thomar were reportedly operating as tele-callers at Bhushan’s call center. While, Atul Pratap Singh's business, "Inspiree Digital," gathered credit cardholder data and profitably marketed it. Atul's workplace had employed Muskan as a telemarketer before she started her own business, "MS Digital Grow." She served as a middleman, selling data. She organized the data that Atul had provided and sold it to Bhushan. 

Sandeep Pal founded Global Data Arts and sold private consumer information to fraudsters engaging in online crimes through Justdial services and social media platforms. The seventh defendant, Zia Ur Rehman, shared the database with Atul and Bhushan and offered bulk message services for advertising.  

Read more »
Vulnerability management
Application Security Cloud Security Data Safety Vulnerabilities and Exploits Vulnerability management

Unpatched ICS Flaws in Critical Infrastructure: CISA Issues Alert

 

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) released recommendations for a total of 49 vulnerabilities in eight industrial control systems (ICS) utilised by businesses in various critical infrastructure sectors. Several of these vulnerabilities are still unpatched. 

Organizations in the critical infrastructure sectors must increasingly take cybersecurity into account. Environments for ICS and operational technology (OT) are becoming more and more accessible via the Internet and are no longer air-gapped or compartmentalised as they once were. As a result, both ICS and OT networks have grown in popularity as targets for both nation-state players and threat actors driven by financial gain.

That's bad because many of the flaws in the CISA advisory can be remotely exploited, only require a simple assault to succeed, and provide attackers access to target systems so they may manipulate settings, elevate privileges, get around security measures, steal data, and crash systems. Products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM all have high-severity vulnerabilities. 

The CISA recommendation was released at the same time as a study from the European Union on threats to the transportation industry, which included a similar warning about the possibility of ransomware attacks on OT systems used by organisations that handle air, sea, rail, and land transportation. Organizations in the transportation industry are also affected by at least some of the susceptible systems listed in CISA's alert. 

Critical vulnerabilities

Siemens' RUGGEDCOM APE1808 technology contains seven of the 49 vulnerabilities listed in CISA's alert and is not currently patched. The flaws give an attacker the ability to crash or increase the level of privileges on a compromised system. The device is presently used by businesses in several critical infrastructure sectors all around the world to host commercial applications. 

The Scalance W-700 devices from Siemens have seventeen more defects in various third-party parts. The product is used by businesses in the chemical, energy, food, agricultural, and manufacturing sectors as well as other critical infrastructure sectors. In order to protect network access to the devices, Siemens has urged organisations using the product to update their software to version 2.0 or later. 

InfraSuite Device Master, a solution used by businesses in the energy sector to keep tabs on the health of crucial systems, is impacted by thirteen of the recently discovered vulnerabilities. Attackers can utilise the flaws to start a denial-of-service attack or to obtain private information that could be used in another attack. 

Other vendors in the CISA advisory that have several defects in their products include Visam, whose Vbase Automation technology had seven flaws, and Rockwell Automaton, whose ThinManager product was employed in the crucial manufacturing industry and had three flaws. For communications and government businesses, Keysight had one vulnerability in its Keysight N6845A Geolocation Server, while Hitachi updated details on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products. 

For the second time in recent weeks, CISA has issued a warning to firms in the critical infrastructure sectors regarding severe flaws in the systems such organisations employ in their operational and industrial technology settings. Similar warnings on flaws in equipment from 12 ICS suppliers, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio, were released by the FCC in January. 

Many of the defects in the previous warning, like the current collection of flaws, allowed threat actors to compromise systems, increase their privileges, and wreak other havoc in ICS and OT contexts. 

OT systems under attack

A report this week on cyberthreats to the transportation industry from the European Union Agency for Cybersecurity (ENISA) issued a warning about potential ransomware attacks against OT systems. The report's analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022 was the basis for the report. 

According to the data, 47% of the attacks were carried out by cybercriminals who were motivated by money. The majority of these attacks (38%) involved ransomware. Operational disruptions, spying, and ideological assaults by hacktivist groups were a few more frequent reasons. 

Even while these attacks occasionally caused collateral damage to OT systems, ENISA's experts did not discover any proof of targeted attacks on them in the 98 events it examined. 

"The only cases where OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report stated. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The research from the European cybersecurity agency cited an earlier ENISA investigation that warned of ransomware attackers and other new threat groups tracked as Kostovite, Petrovite, and Erythrite that target ICS and OT systems and networks. The report also emphasised the ongoing development of malware designed specifically for industrial control systems, such as Industroyer, BlackEnergy, CrashOverride, and InController, as indicators of increasing attacker interest in ICS environments. 

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report further reads. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."
Read more »
Technology
Artificial Intelligent Bill gates ChatGPT GUI Microsoft OpenAI Technology

Bill Gates Says AI is the Biggest Technological Advance in Decades

 


The business advisor Bill Gates, who co-founded Microsoft and has been a business advisor for decades, has claimed that artificial intelligence (AI) is the greatest technological advancement since the development of the internet. He made such a claim in an article he published on his blog earlier in the week. 

Microsoft's co-founder and technology industry thought leader, Bill Gates, has hailed the emergence of artificial intelligence as the most significant technological achievement in decades. Gates argues that AI might even outperform the human brain. Several important points were raised by Mr. Gates in his blog post dated Tuesday in which he made this critical assertion. He further considered AI to be an important component of the evolution of technology as advanced as computers, the internet, and the smartphone, a comparison that he makes with previous notable developments. 

He described it as being just as essential as the invention of microprocessors, the personal computer, the Internet, and mobile phones in a post on his blog on Tuesday. "It will change the way people work, learn, travel, get health care, and communicate with each other," he said. He wrote about the technology used by tools such as chatbots and ChatGPT. Developed by OpenAI, ChatGPT is an AI chatbot programmed to answer user questions using natural, human-like language. 

The team behind it in January 2023 received a multibillion-dollar investment from Microsoft - where Gates still serves as an advisor. But it was not the only AI-powered chatbot available, with Google recently introducing rival Bard. Gates said he had been meeting with OpenAI - the team behind artificial intelligence that powers chatbot ChatGPT - since 2016. 

This technology has endless potential. As more organizations explore and invest in AI solutions, we will likely see more extraordinary advancements in this field in the years to come. This will make it even more critical than ever! 

Artificial intelligence cannot be underestimated, and Bill Gates believes this. With such a heavy weight behind this technology, it's no wonder why so many companies are turning towards AI solutions for their businesses - and why it is widely considered one of our most significant technological advances. 

Recently, Bill Gates gave OpenAI the daunting task of creating an AI that could easily pass a college-level biology exam without specialized instruction. OpenAI nailed it. Not only did their successful project receive nearly flawless grades, but even Bill Gates acknowledged its potential as one of technology's most revolutionary breakthroughs since the graphical user interface, when it was asked to answer from a parent's perspective on how to help care for their unwell child (GUI). 

William Gates urged governments to collaborate with businesses to reduce the threats posed by AI technology. By assisting health professionals in being more productive while handling repetitive duties like note-taking, paperwork, and insurance claims, AIs are believed to be employed as an efficient instrument against global inequality and poverty through this focused approach. 

With the appropriate funding or policy adjustments, these benefits might be available to those who need them most; hence, government and philanthropy must collaborate to ensure their provision. Further, the authorities must have a clear understanding of AI's actual potential and its limitations. 

For those without a technical background, navigating the complexities of AI technology cannot be easy. Creating an accessible user interface (GUI) is essential for making AI applications available to everyone. Artificial intelligence solutions are projected to receive even greater attention and investment in the coming years as more companies explore and invest in this field. There will be even more of a need for it than ever before because of this factor! 

Despite Bill Gates' assertion to the contrary, artificial intelligence is not something to be underestimated. The technological advancement of AI is widely considered to be one of our greatest technological advancements because of the intensity with which it is backed, and because of the wide adoption of this technology, it's no wonder that there are so many companies moving towards AI solutions for their businesses. 

It came as no surprise to me that Bill Gates recently asked OpenAI to create artificial intelligence that was capable of passing a biology exam without any specialized instruction at a college level. 

It was an outstanding performance by OpenAI. In addition to receiving nearly perfect grades, they also acknowledged the potential of their successful project as one of the most revolutionary breakthroughs in technology ever, since the graphical user interface was used when parents were asked to provide tips on how to help care for their unwell child (GUI), leading to its recognition as one of the most revolutionary achievements in modern technology. 

According to William Gates, governments must work with businesses to reduce Artificial Intelligence threats by collaborating with them. Through the utilization of artificial intelligence (AI) as an instrument to combat global inequality and poverty in a targeted manner, AIs are believed to be used as a tool to help health professionals become more productive while handling repetitive tasks like note-taking, paperwork, and insurance claims. 

This group might be able to benefit from these benefits as a result of providing them with the appropriate funding or making policy adjustments; therefore, governments and philanthropies must work together to ensure they are provided to those who need them most. Authorities need to understand AI's actual potential and limitations. 

The complexity of artificial intelligence technology cannot be easily understood by individuals who do not have a technical background. AI applications need to be accessible to a large audience by developing a user interface designed to make them easily understandable.
Read more »
Security
Child Safety Cyber Data Cyber Security Digital Age Safety Security

To Safeguard Children from Exploitation, Parents Should Reconsider Approach to Online Behaviour

 

Raising children in the digital age is becoming particularly complex. Many young people are growingly reliant on screens for social interaction. They experiment with new media sharing platforms such as TikTok, Snapchat, and BeReal, but without necessarily considering long-term consequences. 

This is normal because children's prefrontal cortex, the part of the brain responsible for reasoning, decision-making, and impulse control, is still underdeveloped. Parents who are responsible for anticipating the outcomes of digital interactions are overwhelmed. Many parents may lack the digital literacy to guide their children through today's plethora of social media platforms, messaging apps, and other online platforms. This situation may expose children to online sexual exploitation. 

They collected data from a diverse group of experts in the United States and the United Kingdom for our study. Interviews were conducted with internet safety non-profits, safeguarding teams, cybercrime police officers, digital forensics staff, and intelligence directors. The ability to share explicit content online is a major reason for the rapid escalation of online child sexual exploitation. The research unveiled four distinct stages used by perpetrators.

In Stage 1, perpetrators use various technological tools and networks to initiate contact with potential victims, such as social media, messaging apps, games, and online forums. They frequently create false identities by using fake images to create convincing digital personas through which they approach children, such as posing as a "new kid on the block" looking for new friends.

In Stage 2, perpetrators use tactics such as impersonating a similar-aged child to gain the trust of potential victims. This can occur over a long period of time. In one case we investigated, a 12-year-old boy in Lee County, North Carolina, received 1,200 messages from the same perpetrator over the course of two years. Offenders may send their own explicit images during this stage to reduce a victim's suspicion.

In Stage 3, the perpetrators resort to online extortion. They modify innocent photos or use photographs provided by victims to make them appear sexual or pornographic. Perpetrators then send these images to their victims in order to keep them in a state of humiliation. When perpetrators threaten to share these humiliating images with the victim's friends, teachers, or family unless their victims send more explicit photos or videos, the situation escalates.

At this point, many extortion techniques and direct threats are being used. It's difficult to imagine the psychological strain this can put on children. Before seeking help, a 12-year-old girl uploaded 660 sexually explicit images of herself to a cloud-based storage account controlled by a 25-year-old perpetrator.

In Stage 4, perpetrators begin selling these images on peer-to-peer networks, the dark web, and even child pornographic websites.

Defending against online exploitation

Parents can help prevent exploitation by avoiding common mistakes. By sharing these, parents, policymakers, school boards, and even children will reconsider their approach to online behavior.
 
1. "That will never happen to us!" Many victims and their families are victims of optimism bias, believing that bad things will never happen to them. Online crimes, on the other hand, can affect anyone. Unfortunately, these occurrences are more common than most people realise. No family is immune to the dangers of the online world.

2. "Everyone's doing it!" It is now common for parents to overshare pictures of their children on social media. Many parents find it difficult to resist the pressure or temptation to post photos of their children on social media. These photographs are frequently edited and distorted to appear pornographic. Everyone in the family must resist the urge to overshare photos on social media.

3. "It doesn't bother my kids!" Many children today have a digital presence that their parents initiated and maintain without their consent. This disregard for children's privacy not only undermines their autonomy, but it can also have long-term consequences for their self-esteem, personal and professional future, and parent-child relationship.

4. "We are unable to keep up with their technology!" When they can't keep up with their children, many parents feel overwhelmed and intimidated. As technology continues to play an important role in children's lives, parents' digital literacy must be improved through online resources and schools. Parents must seek and receive assistance in understanding the technology that their children use.

5. "They're just online chatting with friends!" Parents may be very involved and interested in who their children talk to on the way home from school or at friends' houses, but they may not be as aware of who their children talk to online. Just as they are interested in their child's real-world interactions, the benefits and risks of online behavior must be an important and frequent topic of discussion.

Online child sexual exploitation is a serious and multifaceted problem that requires our undivided attention. We can only hope to prevent children from becoming victims of these crimes if we carefully consider these critical concerns.

Read more »
Windows
Bug Flaws Privacy Bug Vulnerabilities and Exploits Windows

A Privacy Flaw in Windows 11's Snipping Tool Exposes Cropped Image Content

 

A serious privacy vulnerability known as 'acropalypse' has also been discovered in the Windows Snipping Tool, enabling people to partially restore content that was photoshopped out of an image. 

Security researchers David Buchanan and Simon Aarons discovered last week that a bug in Google Pixel's Markup Tool caused the original image data to be retained even when it was edited or cropped out. This flaw poses a significant privacy risk because it may be possible to partially recover the original photo if a user shares a picture, such as a credit card with a redacted number or revealing photos with the face removed.

To demonstrate the bug, the researchers created an online acropalypse screenshot recovery tool that attempted to recover edited images created on Google Pixel.

The Windows 11 Snipping Tool was also affected

Today, Chris Blume, a software engineer, confirmed that the 'acropalypse' privacy flaw also affects the Windows 11 Snipping Tool. Instead of truncating any unused data when opening a file in the Windows 11 Snipping Tool and overwriting an existing file, it leaves the unused data behind, allowing it to be partially recovered.

Will Dormann, a vulnerability expert, also confirmed the Windows 11 Snipping Tool flaw, and BleepingComputer confirmed the issue with Dormann's assistance. To put this to the test, Bleeping Computer opened an existing PNG file in Windows 11 Snipping Tool, cropped it (you can also edit or mark it up), and saved the changes to the original file. 

While the cropped image comprises far less data than the original, the file sizes for the original image (office-screenshot-original.png) and cropped image (office-screenshot.png) are identical. According to the PNG file specification, a PNG image file must always end with a 'IEND' data chunk, with any data added after that being ignored by image editors and viewers.

However, when used the Windows 11 Snipping Tool to overwrite the original image with the cropped version, the programme did not properly truncate the unused data, and it is still present after the IEND data chunk.

When you open the file in an image viewer, you'll only see the cropped image because anything after the first IEND is ignored. This untruncated data, on the other hand, can be used to partially recreate the original image, potentially revealing sensitive portions.

While the researcher's online acropalypse screenshot recovery app does not currently support Windows files, Buchanan did share with BleepingComputer a Python script that can be used to recover Windows files.

BleepingComputer successfully recovered a portion of the image using this script. This was not a complete recovery of the original image, which may leave you wondering why this poses a privacy risk.

Consider taking a screenshot of a sensitive spreadsheet, confidential documents, or even a naked picture and cropping out sensitive information or portions of the image. Even if you are unable to fully recover the original image, someone may be able to recover sensitive information that you do not want made public. It should also be noted that this flaw does not affect all PNG files, such as optimised PNGs.

"Your original PNG was saved with a single zlib block (common for "optimised" PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.

BleepingComputer also discovered that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped away, rendering it unrecoverable.

Finally, the Windows 11 Snipping Tool behaves similarly to the above with JPG files, leaving data untruncated if overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs but that it might in the future. Microsoft confirmed to BleepingComputer that they are aware of the reports and are investigating them.

"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.

Read more »
Subscribe to: Posts (Atom)