September 6, 2023
In this Episode:
Marcel Brown: September 6th, 2001. Microsoft announces that consumers can pre-order Windows XP. Windows XP would remain Microsoft’s flagship operating system for over five years until the release of Windows Vista in January of 2007.
Edwin Kwan: A UK supermarket chain is recalling four types of children’s snacks as the website published on the packaging has been compromised. Usually when a supermarket recalls a food item, it’s due to an issue with the food content. In this instance, the recall is due to the website listed on the packaging.
Hillary Coover: Concerned about the security of your conversations with AI chatbots? Discover how a hidden threat called ‘prompt injection’ could be compromising your privacy and data safety.
Trac Bannon: Microsoft recently rolled out its August Patch Tuesday updates, and it’s crucial for everyone, from individual users to large organizations, to pay attention. Microsoft addressed a staggering total of 73 Common Vulnerabilities and Exposures (CVEs).
Katy Craig: Today we’re talking about a high-alert vulnerability in Ivanti MobileIron Sentry, versions 9.18.0 and below. If you’re using one of these vulnerable versions of Ivanti MobileIron Sentry, you’re essentially handing over the keys to the kingdom.
Olimpiu Pop: Do you have a router in your house that is connected to the internet? Yes, those have firmware too. Firmware that more often than not, we forget to update. Who would hack you? The number of regular folks attacked is growing and proof to this is the vulnerability affecting Zyxel routers.
The Stories Behind the Cybersecurity Headlines
Edwin Kwan
Website on Children’s Snack Compromised and Serving Porn
A UK supermarket chain is recalling four types of children’s snacks as the website published on the packaging has been compromised.
This is Edwin Kwan from Sydney, Australia.
Usually when a supermarket recalls a food item, it’s due to an issue with the food content. In this instance, the recall is due to the website listed on the packaging.
The snacks being recalled are for four types of Paw Patrol-themed snacks. The website printed on the snack’s packaging was compromised and was serving explicit content. The website was found to be serving adult content in Chinese, but only on mobile devices. When accessed from a computer, the website shows a temporarily unavailable notice citing violations of regulations of the Chinese Ministry of Industry and Information technology.
Customers who have purchased the snacks are advised to refrain from viewing the website and return the product to the nearest store for a full refund.
Resources
– https://twitter.com/WhichUK/status/1696825137394340262
– https://www.bleepingcomputer.com/news/security/childrens-snack-recalled-after-its-website-caught-serving-porn/
Hillary Coover
Prompt Injection Could Compromise Security in Chatbots
Concerned about the security of your conversations with AI chatbots? Discover how a hidden threat called ‘prompt injection’ could be compromising your privacy and data safety.
Hi, this is Hillary Coover in Washington, DC.
Generative AI chatbots like OpenAI’s ChatGPT and Google’s Bard are vulnerable to indirect prompt injection attacks, where hidden instructions can make them behave in unintended ways.
These attacks have become a significant concern for the cybersecurity industry as generative AI systems are increasingly adopted by corporations and startups. While there isn’t a single solution, common security practices are being implemented to reduce the risks. Google’s DeepMind is actively working on understanding AI vulnerabilities, especially in the context of prompt injection, which has become more problematic with the internet connectivity of Large Language Models, or LLMs.
Prompt injection attacks can be categorized into two types: direct and indirect. Direct prompt injections occur when users try to make a large language model provide unintended responses, like hate speech. However, the more concerning form is indirect prompt injection, where malicious instructions come from third parties, like hidden instructions within a website or a PDF. The common risk in both types is that whoever inputs data into the LLM can have significant influence over its output, allowing for potential manipulation of its responses. This concern is shared by security experts and underscores the need for safeguards against such attacks.
Security researchers have demonstrated the potential dangers of indirect prompt injections, showcasing how they could be used to steal data and remotely run code on machines. Prompt injections are considered the top vulnerability for those using large language models, with numerous examples of such attacks having been observed. The National Cybersecurity Center, a branch of the UK’s GCHQ, has also highlighted the risk of prompt injection attacks. While ongoing research aims to address the issue, there are currently no foolproof mitigations.
Various organizations, including OpenAI, Microsoft, and Nvidia, are actively working on security measures to combat indirect prompt injections. These efforts include the use of specially trained models, guardrails to restrict LLMs, and user authentication for plugins. Security best practices, such as establishing trust boundaries and implementing the principle of least privileges, are recommended when integrating LLMs into systems. Ultimately, while the attack surface may be new, the underlying security principles remain the same, emphasizing the importance of careful integration and risk reduction measures.
Resources
– https://www.wired.com/story/generative-ai-prompt-injection-hacking/
It is Known Exploited Vulnerability, or KEV Wednesday, featuring stories from Trac Bannon, Katy Craig, and Olimpiu Pop. We’ll start with Trac Bannon.
Trac Bannon
Microsoft’s August Patch Tuesday addresses 73 CVEs
Microsoft recently rolled out its August Patch Tuesday updates, and it’s crucial for everyone, from individual users to large organizations, to pay attention.
Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.
Microsoft addressed a staggering total of 73 Common Vulnerabilities and Exposures (CVEs). These were categorized into six critical vulnerabilities and 67 that are deemed important. The update is comprehensive, affecting a wide range of products and components- everything from the .NET Core, to ASP.NET, to Microsoft Exchange Server and the Windows Kernel.
The vulnerabilities primarily concerned Remote Code Execution (RCE) issues, accounting for 31.5% of the total patched vulnerabilities and Elevation of Privilege (EoP) vulnerabilities, which made up 24.7%. RCE and EoP are security flaws that could let hackers either execute malicious code remotely or gain higher level permissions on an affected system.
One significant disclosure is CVE-2023-38180, a Denial of Service, (DoS) issue in .NET and Visual Studio, that has been exploited as a zero-day vulnerability. That means it was actively exploited before the patch was released.
The Microsoft Message Queuing (MSMQ) component had a set of critical RCE vulnerabilities, identified as CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911. Microsoft also addressed a notable Elevation of Privilege issue with Microsoft Exchange Server under CVE-2023-21709.
Additionally, multiple elevation of privilege vulnerabilities were found in the Windows Kernel. And yes, Microsoft also released a “defense in-depth” advisory known as ADV230003 from Microsoft Office to provide an extra layer of security against feature bypass vulnerabilities.
For the data nerds, myself included, here are the total CVE counts by impact:
-Remote Code Execution- 23 CVEs
-Elevation of Privilege- 18 CVEs
-Spoofing 12 CVEs
-Information Disclosure had nine associated CVEs
-Bypass Security Features clocked in with three associated CVEs.
As we should come to expect, Microsoft has provided guidance on how to identify and patch vulnerable systems. Make sure to act promptly to protect your systems from these security flaws.
Head over to 505updates.com for today’s resources.
Something to noodle on.
Resources
– https://www.tenable.com/blog/microsofts-august-2023-patch-tuesday-addresses-73-cves-cve-2023-38180
– https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38180
– https://github.com/advisories/GHSA-vmch-3w2x-vhgq
Katy Craig
High-alert Vulnerability in Ivanti MobileIron Sentry
Today we’re talking about a high-alert vulnerability in Ivanti MobileIron Sentry, versions 9.18.0 and below. This one’s got a name and a number: CVE-2023-38035, and it scored a whopping 9.8 on the severity scale. That’s right, folks. This one’s CRITICAL.
This is Katy Craig in San Diego, California.
What’s the deal? The issue lies in the MICS Admin Portal. It’s got what’s called an “insufficiently restrictive Apache HTTPD configuration.” In layman’s terms, that’s like having a front door lock that a toddler could pick. Attackers could waltz right past the login screen and into the admin interface like they own the place.
Why is this a big deal? Well, if you’re using one of these vulnerable versions of Ivanti MobileIron Sentry, you’re essentially handing over the keys to the kingdom.
Action item: update, update, and do it yesterday! With a severity score of 9.8, this isn’t something to put on the back burner.
Keep your systems updated because when it comes to vulnerabilities, this one’s not playing around.
This is Katy Craig. Stay safe out there.
Resources
– NIST: https://505updates.com/katycraig/
Olimpiu Pop
Critical Vulnerability in Zyxel Routers
Industrial controls are Achilles’ heel of modern society. We like to have things as automated as possible, but we fail to ask ourself how secure they are, or what are the implications of their hacking?
I know, you probably don’t have a multi-megawatt wind turbine in your backyard, but most probably you have some kind of appliance connected to the web. To make things easy, do you have a router in your house that is connected to the internet? Yes, those have firmware too. Firmware that more often than not, we forget to update. Who would hack you? The number of regular folks attacked is growing and proof to this is the vulnerability affecting Zyxel routers.
The critical vulnerability has a score of 9.8 out of 10 and it was recorded in 2017- that’s right, six years ago. Believe it or not, it was not long ago added to the Known Vulnerability Database by CISA. More particularly, we are talking about a command injection vulnerability in the Remote System Log Forwarder, which could allow a remote unauthenticated attacker to execute some OS commands by sending a crafted HTTP request.
Even if the producing company declared it ” legacy” and is not supporting them anymore, there are still plenty of them out there. Probably used by folks who don’t know what firmware even means.
The patch is available and newer versions are not affected. Links to detailed resources can be found on 505updates.com.
Olimpiu Pop reported from Transylvania, Romania.
Resources
– https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerability-in-p660hn-t1a-dsl-cpe
– https://www.cve.org/CVERecord?id=CVE-2017-18368
– https://nvd.nist.gov/vuln/detail/CVE-2017-18368
– https://www.cisa.gov/news-events/alerts/2023/08/07/cisa-adds-one-known-exploited-vulnerability-catalog
Marcel Brown
This Day, September 6th, in Tech History
This is Marcel Brown serving you up some technology history for September 6th.
September 6th, 2001. The US Justice Department announced that it would no longer seek to break up Microsoft during the next phase of its landmark antitrust case. The US Court of Appeals had earlier in June already overturned Thomas Penfield Jackson’s ruling that Microsoft be broken up into two companies. However, it upheld the lower court’s conclusion that Microsoft was a monopoly.
By announcing that it was no longer seeking the breakup of Microsoft, the Justice Department clarified its intentions that it would pursue other remedies. Additionally, it clarified the confusion over whether Microsoft’s Windows XP would be shipped as expected. Also, on September 6th, 2001, Microsoft announces that consumers can pre-order Windows XP. Windows XP would remain Microsoft’s flagship operating system for over five years until the release of Windows Vista in January of 2007.
September 6th, 2008. After five months of delays, the high resolution earth observation satellite, GeoEye-1, is launched from Vandenberg Air Force Base. Owned by the corporation, GeoEye, Inc., GeoEye-1 is capable of taking high resolution images with detail of down to 16 inches. However, the US government has restricted that resolution for its own use.
Commercial usage is limited to resolutions with detail down to 20 inches. As the exclusive licensee of the images for online mapping purposes, Google had its logo on the Delta II Rocket that was used to launch GeoEye-1.
That’s your technology history for today. For more, tune in tomorrow and visit my website thisdayintechhistory.com.
Resources
– http://thisdayintechhistory.com/09/06