Newsletter

open source and cybersecurity news

September 27, 2023

It's 5:05, September 27, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Edwin Kwan: Researchers have published a paper demonstrating how a malicious website can exploit a vulnerability in the GPU to perform a cross origin attack, and get access to sensitive visual data displayed by other websites.

Katy Craig: In a pivotal move to fortify the security of U. S. election systems, the Information Technology Information Sharing Analysis Center recently hosted the inaugural Election Security Research Forum. The focus was on systems encountered by voters at polling sites, from digital scanners to ballot marking devices.

Kadi McKean: Your phone and computer can be unwitting hosts to malicious software, all because you clicked on that enticing ad. How can we protect ourselves from this silent menace, when even the ads we encounter daily are potential vectors of intrusion?

Today is Wednesday, September 27th, 2023. From Sourced Network Productions in New York City, It’s 5:05. I’m Mark Miller sitting in today for Hillary Coover. We’ll be covering these stories plus updates from the floor of DevOps World in Jersey City. Today’s episode begins with Edwin Kwan from Sydney, Australia.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Using Graphics Cards to Steal Website Data

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Your computer graphics card could be exposing sensitive data to malicious websites.

This is Edwin Kwan from Sydney, Australia.

Researchers have published a paper demonstrating how a malicious website can exploit a vulnerability in the GPU, the graphics processing unit, to perform a cross origin attack, and get access to sensitive visual data displayed by other websites.

The vulnerability arises from the way modern GPUs perform data compression for performance improvements. This optimization creates a side channel attack which can be exploited by an attacker to reveal information about the visual data.

The published proof of concept only works in Chrome and Edge browsers and has an additional requirement where the page being linked to by the malicious website must not be configured to deny being embedded by cross origin websites. The attack works on all six major GPU suppliers, which are Apple, Intel, AMD, Qualcomm, Arm, and NVIDIA. It also works across a range of devices including both computers and mobile devices.

The threat from this vulnerability is currently considered to be low due to the multiple requirements needed in order for the attack to be successful. The researchers will be presenting their research paper at the 45th IEEE Symposium on Security and Privacy.

Resources
– GPU.zip (hosted at hertzbleed.com): https://www.hertzbleed.com/gpu.zip/
– Ars Technica: https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
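The one defence the story names is that the victim page must refuse to be embedded by a cross-origin site. The following is an added example, not code from the GPU.zip paper or from the show: a small Python checker that reads a response's X-Frame-Options header and its Content-Security-Policy frame-ancestors directive and decides whether a given origin could put the page in an iframe, which is the precondition the proof of concept needs. The header sets, the origins (bank.example, attacker.example, partner.example) and the function names are constructed for illustration.

```python
"""Added example: can another origin frame this page, given its response headers?

Two headers control framing: X-Frame-Options (DENY / SAMEORIGIN) and the CSP
frame-ancestors directive. The sample header sets at the bottom are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Split 'https://example.com:8443' into (scheme, host, port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(src, page, emb):
    """Match one CSP scheme-source or host-source against the embedder origin tuple."""
    scheme, host, port = emb
    if src.endswith(":") and "://" not in src:          # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    if "://" in src:
        src_scheme, rest = src.split("://", 1)
        allowed_schemes = {src_scheme}
    else:
        rest = src                                       # no scheme: page's scheme, https allowed as upgrade
        allowed_schemes = {"http", "https"} if page[0] == "http" else {page[0]}
    if scheme not in allowed_schemes:
        return False
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")   # drop any path part
    if src_host == "*":
        pass
    elif src_host.startswith("*."):
        if not host.endswith(src_host[1:]):              # "*.a.example" matches "b.a.example", not "a.example"
            return False
    elif src_host != host:
        return False
    if src_port == "*":
        return True
    if src_port == "":
        return port == DEFAULT_PORTS.get(scheme)         # no port in the source: only the scheme's default
    return str(port) == src_port


def frame_ancestors_allows(value, page_origin, embedder_origin):
    """Evaluate a frame-ancestors source list for one embedding origin."""
    sources = value.lower().split()
    if not sources or sources == ["'none'"]:
        return False                                     # empty list or 'none': nobody may frame the page
    page, emb = parse_origin(page_origin), parse_origin(embedder_origin)
    for src in sources:
        if src == "'self'":
            if emb == page:
                return True
        elif src == "'none'":
            continue                                     # 'none' mixed with other sources is ignored
        elif _source_matches(src, page, emb):
            return True
    return False


def cross_origin_framing_allowed(headers, page_origin, embedder_origin):
    """Return (allowed, reason). frame-ancestors wins over X-Frame-Options when both are present;
    Content-Security-Policy-Report-Only is not consulted because it enforces nothing."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            value = value.strip()
            return frame_ancestors_allows(value, page_origin, embedder_origin), f"frame-ancestors {value}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return parse_origin(page_origin) == parse_origin(embedder_origin), "X-Frame-Options: SAMEORIGIN"
    # Nothing recognised. Chromium ignores the obsolete ALLOW-FROM value too, so such a page is framable.
    return True, "no framing restriction"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}
PAGE = "https://bank.example"        # hypothetical victim page
ATTACKER = "https://attacker.example"  # hypothetical embedding site


def audit(page_origin=PAGE, embedder=ATTACKER):
    """Map each sample name to whether `embedder` could iframe the page."""
    return {name: cross_origin_framing_allowed(h, page_origin, embedder)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name:18} framable by {ATTACKER}: {allowed}")
```

A result of True for a page that shows per-user visual data means that page meets the embedding precondition; DENY, SAMEORIGIN or a frame-ancestors list that excludes the attacker's origin closes it. Note that the check is per embedding origin; a CSP that lists a partner domain is only as safe as every page on that partner's origin.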

 

Kadi McKean
Spyware Disguised as Online Ads

Kadi McKean, Contributing Journalist, It's 5:05 Podcast

Picture this. You’re innocently scrolling through your favorite websites, catching up on the latest news and trends. Little do you know, danger lurks in the shadows of those seemingly harmless online ads. In a world where technology is both a blessing and a curse, Spyware has found a cunning disguise; online advertisements.

It’s no secret that companies and the government can now track your online activity when combined with your location. But more invasive yet is spyware, malicious software that a government agent, private investigator, or criminal installs on someone’s phone or computer without their knowledge or consent.

What info can they see? Pretty much everything. Calls, texts, emails, voicemails. They can even record keystrokes, take screenshots, and other various activities. What’s worse, some forms of spyware take it a step further and can take control of a phone and go as far as turning on the microphone and camera.

While malicious software for ads has been a practice for years, spyware is new in that it targets a narrow group of people and is designed to clandestinely obtain sensitive information and monitor the target’s activities.

So who is using spyware? According to data collected by Carnegie’s Global Inventory of Commercial Spyware and Digital Forensics, at least 74 government agencies contracted with commercial firms to obtain spyware between 2011 and 2023. When looking at the client makeup, 44 countries who purchased spyware were classified as autocracies, and 30 were classified as democracies.

This article unveils a hidden threat shedding light on a stealthy infiltration of spyware through the very ads that fund our beloved websites. It unravels the unsettling truth. Your phone and computer can be unwitting hosts to malicious software, all because you clicked on that enticing ad.

Long story short, this article poses the question. How can we protect ourselves from this silent menace, when even the ads we encounter daily are potential vectors of intrusion? As we navigate this digital landscape, this report serves as a wake up call, urging us to stay vigilant in an era where our online experiences may come at a hidden cost.

So the next time you see an ad pop up on your screen, remember, it’s not just trying to sell you a product, it might be trying to sell you out.

This is Kadi McKean in Alexandria, Virginia.

Resources
– The Conversation: https://theconversation.com/spyware-can-infect-your-phone-or-computer-via-the-ads-you-see-online-report-213685
– Carnegie Endowment: https://carnegieendowment.org/2023/03/14/why-does-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229

 

Katy Craig
Milestone Initiative: Voting Machine Testing

Katy Craig, Contributing Journalist, It's 5:05 Podcast

In a pivotal move to fortify the security of U. S. election systems, the Information Technology Information Sharing Analysis Center, IT-ISAC, recently hosted the inaugural Election Security Research Forum.

Over three days, trusted security researchers gained access to cutting edge election technology under the principles of coordinated vulnerability disclosure. The focus was on systems encountered by voters at polling sites, from digital scanners to ballot marking devices.

This is Katy Craig in San Diego, California.

This event marked a crucial turning point as it fostered relationships between security experts and election technology providers, promising to elevate the security and resilience of voting systems.

The IT-ISAC’s Executive Director, Scott Algeier, noted the event’s significance and lessons learned. Researchers had hands on experience with election tech from major players like Election Systems & Software, Hart InterCivic, and Unisyn Voting Solutions. The MITRE Corporation and its National Election Security Lab played key roles in facilitating this interaction, ensuring equipment safety. The Center for Internet Security supported researcher travel expenses.

The forum also facilitated direct engagement between security experts and technology creators. Discussions covered various aspects of America’s election infrastructure and strategies to harness this momentum for enhanced security.

Stay tuned to 5:05 Updates on how this groundbreaking initiative will shape the future of U. S. election security.

This is Katy Craig, stay safe out there.

Resources
– ES&S press release: https://www.essvote.com/storage/2023/09/Election-Security-Research-Forum_Press-Release_September-2023.pdf

 

Trac Bannon
Live at DevOps World with Mike Vizard

Tracy Bannon, Contributing Journalist, It's 5:05 Podcast

Trac Bannon: Hello there. This is Trac Bannon reporting from Jersey City, New Jersey. Hey, today I’m here with Mike Vizard from Techstrong Group, and we are at the DevOps World Tour in Jersey City. Mike, I really just want to ask you a couple of questions about what you’re seeing today. First of all, what brought you here today?

Mike Vizard: A plane.

Trac Bannon: No, seriously. What was the impetus? Why did you want to be here?

Mike Vizard: I’m curious to see how AI is going to play out in the land of DevOps because it feels like, to me, the developers are getting all the benefits of AI in terms of being able to write all this code, but how all that’s going to work its way through the pipeline is a mystery at this point because it seems like we’re going to have massive code bases and no way to really manage it just yet.

Trac Bannon: I completely agree with that. I’m looking, you know, from some of our research and discussions we’ve had at the entire SDLC, from vision the whole way through fielded operations. Tremendous amount of opportunity and it’s not quite there yet. Hey, what else are you seeing from a trends perspective? What are you seeing, uh, trends so far on the floor?

Mike Vizard: It’s interesting to me to look at what their strategy is here, because on the one hand, you have Jenkins, which is the biggest CI/CD platform out there, and it hasn’t had an update in years, and this is good news in terms of scale. But there’s this other thing now called the DevSecOps platform, and I guess it connects to the controller from Jenkins, but it seems to me it’s a complete rewrite of the underlying CI/CD, and so what are organizations supposed to do? Do I kind of gently degrade Jenkins over the years, and move to this thing? Am I going to have two CI/CD platforms running at the same time? Um, I think there’s a lot of questions about how you’re going to manage this transition, and it might take a few years, and, you know, it’s kind of a gut check moment.

Trac Bannon: Absolutely. I think we’re going to end up with a lot more questions than answers today, but that’s okay, because we’re here with a lot of smart folks, and we’ll be able to answer and ask a lot more of them. So, Mike, I want to say thank you a whole lot, and we’ll talk to you soon.

Mike Vizard: Alright. Always happy to see you guys.

 

Bob Bannon
Live at DevOps World with Trac Bannon and Topo Pal

Bob Bannon, Contributing Journalist, It's 5:05 Podcast

Bob Bannon: This is Bob Bannon. We’re here at DevOps World Tour in Jersey City, New Jersey, and I’m talking with Trac and Topo. I just wanted to know, what did you intend to get out of today?

Trac Bannon: Really for me the draw here was two fold. I’m always foot stomping about the architecture. I need to make sure people understand it starts with the vision and we’ve got to decompose things in order to be able to take them forward.

I love to get face to face with my friends like Topo and see folks here. I also wanted to find out a little bit more about what other people are thinking about with generative AI.

Bob Bannon: Okay, alright. So I saw you nodding, Topo, so I’m going to assume that you’re kind of in agreement with the reason to come here. Did you get out of it what you intended to?

Topo Pal: I came here to, first of all, talk about the book that we wrote, I wrote, with co-authored actually, with eight other people, including me, nine. Uh, so that was purpose one, and then I wanted to see where things are going from CloudBees platform standpoint.

So I got a good picture about what is coming and what’s going to happen. And then the third, which is the biggest reason, that I got to see known people like Tracy. Thank you.

Trac Bannon: We really are getting together because it’s been a long lockdown period and we’re still just coming out of that.

Bob Bannon: Okay, well, there you go. We’re wrapping it up here at the DevOps World Tour in Jersey City. And it’s been a great time and definitely be back again.
