Biz & IT – Page 18

Ivanti warns of critical vulnerability in its popular line of endpoint protection software

Biz & IT, endpoint protection, exploit, ivanti, Security, vulnerability / Ryan Harris / January 6, 2024

RCE STANDS FOR REMOTE CODE EXECUTION —

Customers of the Ivanti Endpoint Protection Manager should patch or mitigate ASAP.

Dan Goodin – Jan 5, 2024 10: 33 pm UTC

Software maker Ivanti is urging users of its end-point security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks.

The vulnerability, in a class known as a SQL injection, resides in all supported versions of the Ivanti Endpoint Manager. Also known as the Ivanti EPM, the software runs on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from faulty code that interprets user input as database commands or, in more technical terms, from concatenating data with SQL code without quoting the data in accordance with the SQL syntax. CVE-2023-39336, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10.

“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti officials wrote Friday in a post announcing the patch availability. “This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.”

RCE is short for remote code execution, or the ability for off-premises attackers to run code of their choice. Currently, there’s no known evidence the vulnerability is under active exploitation.

Ivanti has also published a disclosure that is restricted only to registered users. A copy obtained by Ars said Ivanti learned of the vulnerability in October. The private disclosure in full is:

It’s unclear what “attacker with access to the internal network” means. Under the official explanation of the Common Vulnerability Scoring System, the code Ivanti used in the disclosure, AV:A, is short for “Attack Vector: Adjacent.” The scoring system defined it as:

The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical or logical (e.g. local IP subnet) network…

In a thread on Mastodon, several security experts offered interpretations. One person who asked not to be identified by name, wrote:

Everything else about the vulnerability [besides the requirement of access to the network] is severe:

Attack complexity is low

Privileges not required

No user interaction necessary

Scope of the subsequent impact to other systems is changed

Impact to Confidentiality, Integrity and Availability is High

Reid Wightman, a researcher specializing in the security of industrial control systems at Dragos, provided this analysis:

Speculation but it appears that Ivanti is mis-applying CVSS and the score should possibly be 10.0.

They say AV:A (meaning, “adjacent network access required”). Usually this means that one of the following is true: 1) the vulnerable network protocol is not routable (this usually means it is not an IP-based protocol that is vulnerable), or 2) the vulnerability is really a person-in-the-middle attack (although this usually also has AC:H, since a person-in-the-middle requires some existing access to the network in order to actually launch the attack) or 3) (what I think), the vendor is mis-applying CVSS because they think their vulnerable service should not be exposed aka “end users should have a firewall in place”.

The assumption that the attacker must be an insider would have a CVSS modifier of PR:L or PR:H (privileges required on the system), or UI:R (tricking a legitimate user into doing something that they shouldn’t). The assumption that the attacker has some other existing access to the network should add AC:H (attack complexity high) to the score. Both would reduce the numeric score.

I’ve had many an argument with vendors who argue (3), specifically, “nobody should have the service exposed so it’s not really AV:N”. But CVSS does not account for “good network architecture”. It only cares about default configuration, and whether the attack can be launched from a remote network…it does not consider firewall rules that most organizations should have in place, in part because you always find counterexamples where the service is exposed to the Internet. You can almost always find counterexamples on Shodan and similar. Plenty of “Ivanti Service Managers” exposed on Shodan for example, though, I’m not sure if this is the actual vulnerable service.

A third participant, Ron Bowes of Skull Security, wrote: “Vendors—especially Ivanti—have a habit of underplaying security issues. They think that making it sound like the vuln is less bad makes them look better, when in reality it just makes their customers less safe. That’s a huge pet peeve. I’m not gonna judge vendors for having a vuln, but I am going to judge them for handling it badly.”

Ivanti representatives didn’t respond to emailed questions.

Putting devices running Ivanti EDM behind a firewall is a best practice and will go a long way to mitigating the severity of CVE-2023-39336, but it would likely do nothing to prevent an attacker who has gained limited access to an employee workstation from exploiting the critical vulnerability. It’s unclear if the vulnerability will come under active exploitation, but the best course of action is for all Ivanti EDM users to install the patch as soon as possible.

Ivanti warns of critical vulnerability in its popular line of endpoint protection software Read More »

A “ridiculously weak“ password causes disaster for Spain’s No. 2 mobile carrier

BGP, Biz & IT, boder gateway protocol, Security / Mike M. / January 5, 2024

Orange España, Spain’s second-biggest mobile operator, suffered a major outage on Wednesday after an unknown party obtained a “ridiculously weak” password and used it to access an account for managing the global routing table that controls which networks deliver the company’s Internet traffic, researchers said.

The hijacking began around 9: 28 Coordinated Universal Time (about 2: 28 Pacific time) when the party logged into Orange’s RIPE NCC account using the password “ripeadmin” (minus the quotation marks). The RIPE Network Coordination Center is one of five Regional Internet Registries, which are responsible for managing and allocating IP addresses to Internet service providers, telecommunication organizations, and companies that manage their own network infrastructure. RIPE serves 75 countries in Europe, the Middle East, and Central Asia.

“Things got ugly”

The password came to light after the party, using the moniker Snow, posted an image to social media that showed the orange.es email address associated with the RIPE account. RIPE said it’s working on ways to beef up account security.

Enlarge / Screenshot showing RIPE account, including the orange.es email address associated with it.

Security firm Hudson Rock plugged the email address into a database it maintains to track credentials for sale in online bazaars. In a post, the security firm said the username and “ridiculously weak” password were harvested by information-stealing malware that had been installed on an Orange computer since September. The password was then made available for sale on an infostealer marketplace.

Enlarge / Partially redacted screenshot from Hudson Rock database showing the credentials for the Orange RIPE account.

HJudson Rock

Researcher Kevin Beaumont said thousands of credentials protecting other RIPE accounts are also available in such marketplaces.

Once logged into Orange’s RIPE account, Snow made changes to the global routing table the mobile operator relies on to specify what backbone providers are authorized to carry its traffic to various parts of the world. These tables are managed using the Border Gateway Protocol (BGP), which connects one regional network to the rest of the Internet. Specifically, Snow added several new ROAs, short for Route Origin Authorizations. These entries allow “autonomous systems” such as Orange’s AS12479 to designate other autonomous systems or large chunks of IP addresses to deliver its traffic to various regions of the world.

In the initial stage, the changes had no meaningful effect because the ROAs Snow added announcing the IP addresses—93.117.88.0/22 and 93.117.88.0/21, and 149.74.0.0/16—already originated with Orange’s AS12479. A few minutes later, Snow added ROAs to five additional routes. All but one of them also originated with the Orange AS, and once again had no effect on traffic, according to a detailed writeup of the event by Doug Madory, a BGP expert at security and networking firm Kentik.

The creation of the ROA for 149.74.0.0/16 was the first act by Snow to create problems, because the maximum prefix length was set to 16, rendering any smaller routes using the address range invalid

“It invalidated any routes that are more specific (longer prefix length) than a 16,” Madory told Ars in an online interview. “So routes like 149.74.100.0/23 became invalid and started getting filtered. Then [Snow] created more ROAs to cover those routes. Why? Not sure. I think, at first, they were just messing around. Before that ROA was created, there was no ROA to assert anything about this address range.”

A “ridiculously weak“ password causes disaster for Spain’s No. 2 mobile carrier Read More »

Mandiant, the security firm Google bought for $5.4 billion, gets its X account hacked

account hijack, Biz & IT, Google, Mandiant, Security, Twitter / Ryan Harris / January 4, 2024

SORRY, CHANGE PASSWORD —

Scammer impersonates legitimate cryptocurrency wallet, then pivots to trolling Mandiant.

Dan Goodin – Jan 4, 2024 1: 32 am UTC

Google-owned security firm Mandiant spent several hours trying to regain control of its account on X (formerly known as Twitter) on Wednesday after an unknown scammer hijacked it and used it to spread a link that attempted to steal cryptocurrency from people who clicked on it.

“We are aware of the incident impacting the Mandiant X account and are working to resolve the issue,” company officials wrote in a statement. “We’ve since regained control over the account and are currently working on restoring it.” The statement didn’t answer questions asking if the company had determined how the account was compromised.

The hacked Mandiant account was initially used to masquerade as one belonging to Phantom, a company that offers a wallet for storing cryptocurrency. Posts on X encouraged people to visit a malicious website to see if their wallet was one of 250,000 that were eligible for an award of tokens. Over several hours, X employees played tug-of-war with the unknown scammer, with scam posts being removed only to reappear, according to people who followed the events.

Mandiant profile page claiming to be affiliated with “friendly crypto wallet” Phantom.
One of the scam posts spread by the hijacked Mandiant account.

Eventually, the scammer changed the @mandiant username and reappeared under a new username. After using the account to promote a fake website impersonating Phantom and promising free tokens, it posted the cryptic message: “check bookmarks when you get account back.” It also chided Mandiant to “change password please.”

Post saying “change password please”
Post saying to check bookmarks

At the time this post went live on Ars, the Mandiant profile displayed the message “This account doesn’t exist.”

Enlarge / Mandiant profile declaring “this account doesn’t exist.”

Mandiant is one of the leading security companies and best known for helping clients investigate and recover from major network compromises. That vantage point gives it major insights into threat actors, many of them backed by nation-states, and the often previously unknown tactics, techniques, and procedures they use to compromise the security of some of the world’s most powerful and well-resourced organizations. Google purchased Mandiant in 2022 for $5.4 billion, which, at the time, was its second-biggest acquisition ever.

Many questions remain about Mandiant’s measures to secure its X account. Among them: Was it protected by a strong password and any form of two-factor authentication? Last month, someone claimed to have discovered the social media site was vulnerable to a “reflected XSS,” a type of vulnerability that can sometimes be used to compromise the security of accounts when a legitimate user currently logged in clicks on a malicious link in a different browser tab. The user said they reported the vulnerability through legitimate channels but that the submission didn’t qualify under the X bug bounty program.

“Clicking a crafted link or going to some crafted web pages would allow attackers to take over your account (posting, liking, updating your profile, deleting your account, etc.),” Chaofan Shou, a University of California at Berkeley Ph.D. candidate, wrote last month.

Enlarge / December 12 post by UC Berkeley Ph.D. candidate Chaofan Shou.

Attempts to reach Phantom for comment were unsuccessful.

Mandiant, the security firm Google bought for $5.4 billion, gets its X account hacked Read More »

4-year campaign backdoored iPhones using possibly the most advanced exploit ever

0day, Apple, Biz & IT, iPhones, malware, operation triangulation, Security, spyware / Blake Jones / December 28, 2023

NO ORDINARY VULNERABILITY —

“Triangulation” infected dozens of iPhones belonging to employees of Moscow-based Kaspersky.

Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

“The exploit’s sophistication and the feature’s obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis hasn’t revealed how they became aware of this feature, but we’re exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering.”

Four zero-days exploited for years

Other questions remain unanswered, wrote Larin, even after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don’t know what, precisely, its purpose is. Also unknown is if the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM’s CoreSight

The mass backdooring campaign, which according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, according to Russian government officials, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.

With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn’t survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.

A fresh infusion of details disclosed Wednesday said that “Triangulation”—the name Kaspersky gave to both the malware and the campaign that installed it—exploited four critical zero-day vulnerabilities, meaning serious programming flaws that were known to the attackers before they were known to Apple. The company has since patched all four of the vulnerabilities, which are tracked as:

Besides affecting iPhones, these critical zero-days and the secret hardware function resided in Macs, iPods, iPads, Apple TVs, and Apple Watches. What’s more, the exploits Kaspersky recovered were intentionally developed to work on those devices as well. Apple has patched those platforms as well. Apple declined to comment for this article.

Detecting infections is extremely challenging, even for people with advanced forensic expertise. For those who want to try, a list of Internet addresses, files, and other indicators of compromise is here.

Mystery iPhone function proves pivotal to Triangulation’s success

The most intriguing new detail is the targeting of the heretofore-unknown hardware feature, which proved to be pivotal to the Operation Triangulation campaign. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel. On most other platforms, once attackers successfully exploit a kernel vulnerability they have full control of the compromised system.

On Apple devices equipped with these protections, such attackers are still unable to perform key post-exploitation techniques such as injecting malicious code into other processes, or modifying kernel code or sensitive kernel data. This powerful protection was bypassed by exploiting a vulnerability in the secret function. The protection, which has rarely been defeated in exploits found to date, is also present in Apple’s M1 and M2 CPUs.

Kaspersky researchers learned of the secret hardware function only after months of extensive reverse engineering of devices that had been infected with Triangulation. In the course, the researchers’ attention was drawn to what are known as hardware registers, which provide memory addresses for CPUs to interact with peripheral components such as USBs, memory controllers, and GPUs. MMIOs, short for Memory-mapped Input/Outputs, allow the CPU to write to the specific hardware register of a specific peripheral device.

The researchers found that several of MMIO addresses the attackers used to bypass the memory protections weren’t identified in any so-called device tree, a machine-readable description of a particular set of hardware that can be helpful to reverse engineers. Even after the researchers further scoured source codes, kernel images, and firmware, they were still unable to find any mention of the MMIO addresses.

4-year campaign backdoored iPhones using possibly the most advanced exploit ever Read More »

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on.

alphv, Biz & IT, fbi, ransomware, Security, tor / Mike M. / December 20, 2023

DUELING SEIZURES —

In a bizarre twist, both groups issue dueling notices to ransomware website.

Dan Goodin – Dec 20, 2023 9: 08 pm UTC

Enlarge / Shortly after the FBI posted a notice saying it had seized the dark-web site of AlphV, the ransomware group posted this notice claiming otherwise.

The FBI spent much of Tuesday locked in an online tug-of-war with one of the Internet’s most aggressive ransomware groups after taking control of infrastructure the group has used to generate more than $300 million in illicit payments to date.

Early Tuesday morning, the dark-web site belonging to AlphV, a ransomware group that also goes by the name BlackCat, suddenly started displaying a banner that said it had been seized by the FBI as part of a coordinated law enforcement action. Gone was all the content AlphV had posted to the site previously.

Around the same time, the Justice Department said it had disrupted AlphV’s operations by releasing a software tool that would allow roughly 500 AlphV victims to restore their systems and data. In all, Justice Department officials said, AlphV had extorted roughly $300 million from 1,000 victims.

An affidavit unsealed in a Florida federal court, meanwhile, revealed that the disruption involved FBI agents obtaining 946 private keys used to host victim communication sites. The legal document said the keys were obtained with the help of a confidential human source who had “responded to an advertisement posted to a publicly accessible online forum soliciting applicants for Blackcat affiliate positions.”

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa O. Monaco said in Tuesday’s announcement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

Within hours, the FBI seizure notice displayed on the AlphV dark-web site was gone. In its place was a new notice proclaiming: “This website has been unseized.” The new notice, written by AlphV officials, downplayed the significance of the FBI’s action. While not disputing the decryptor tool worked for 400 victims, AlphV officials said that the disruption would prevent data belonging to another 3,000 victims from being decrypted.

“Now because of them, more than 3,000 companies will never receive their keys.”

As the hours went on, the FBI and AlphV sparred over control of the dark-web site, with each replacing the notices of the other.

One researcher described the ongoing struggle as a “tug of Tor,” a reference to Tor, the network of servers that allows people to browse and publish websites anonymously. Like most ransomware groups, AlphV hosts its sites over Tor. Not only does this arrangement prevent law enforcement investigators from identifying group members, it also hampers investigators from obtaining court orders compelling the web host to turn over control of the site.

The only way to control a Tor address is with possession of a dedicated private encryption key. Once the FBI obtained it, investigators were able to publish Tuesday’s seizure notice to it. Since AlphV also maintained possession of the key, group members were similarly free to post their own content. Since Tor makes it impossible to change the private key corresponding to an address, neither side has been able to lock the other out.

With each side essentially deadlocked, AlphV has resorted to removing some of the restrictions it previously placed on affiliates. Under the common ransomware-as-a-service model, affiliates are the ones who actually hack victims. When successful, the affiliates use the AlphV ransomware and infrastructure to encrypt data and then negotiate and facilitate a payment by bitcoin or another cryptocurrency.

Up to now, AlphV placed rules on affiliates forbidding them from targeting hospitals and critical infrastructure. Now, those rules no longer apply unless the victim is located in the Commonwealth of Independent States—a list of countries that were once part of the former Soviet Union.

“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere,” the AlphV notice said. The notice said that AlphV was also allowing affiliates to retain 90 percent of any ransom payments they get, and that ‘VIP’ affiliates would receive a private program on separate isolated data centers. The move is likely an attempt to stanch the possible defection by affiliates spooked by the FBI’s access to the AlphV infrastructure.

The back and forth has prompted some to say that the disruption failed, since AlphV retains control of its site and continues to possess the data it stole from victims. In a discussion on social media with one such critic, ransomware expert Allan Liska pushed back.

“The server and all of its data is still in possession of FBI—and ALPHV ain’t getting none of that back,” Liska, a threat researcher at security firm Recorded Future, wrote.

Enlarge / Social media post by Liska arguing the FBI maintains access to AlphV infrastructure.

“But, hey you are correct and I am 100% wrong. I encourage you, and all ransomware groups to sign up to be an ALPHV affiliate now, it is definitely safe. Do it, Chicken!”

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on. Read More »

Xfinity waited 13 days to patch critical Citrix Bleed 0-day. Now it’s paying the price

Biz & IT, citrixbleed, Comcast, network breach, Security, Xfinity / Ryan Harris / December 19, 2023

MORE CITRIX BLEED CASUALTIES —

Data for almost 36 million customers now in the hands of unknown hackers.

Dan Goodin – Dec 19, 2023 11: 14 pm UTC

A parked Comcast service van with the — Enlarge / A Comcast Xfinity service van in San Ramon, California on February 25, 2020.

Getty Images | Smith Collection/Gado

Comcast waited 13 days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general’s office. Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn’t patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it.

“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division.

Citrix Bleed has emerged as one of the year’s most severe and widely exploited vulnerabilities, with a severity rating of 9.4 out of 10. The vulnerability, residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, can be exploited without any authentication or privileges on affected networks. Exploits disclose session tokens, which the hardware assigns to devices that have already successfully provided login credentials. Possession of the tokens allows hackers to override any multi-factor authentication in use and log into the device.

Other companies that have been hacked through Citrix Bleed include Boeing; Toyota; DP World Australia, a branch of the Dubai-based logistics company DP World; Industrial and Commercial Bank of China; and law firm Allen & Overy.

The name Citrix Bleed is an allusion to Heartbleed, a different critical information disclosure zero-day that turned the Internet on its head in 2014. That vulnerability, which resided in the OpenSSL code library, came under mass exploitation and allowed the pilfering of passwords, encryption keys, banking credentials, and all kinds of other sensitive information. Citrix Bleed hasn’t been as dire because fewer vulnerable devices are in use.

A sweep of the most active ransomware sites didn’t turn up any claims of responsibility for the hack of the Comcast network. An Xfinity representative said in an email that the company has yet to receive any ransom demands, and investigators aren’t aware of any customer data being leaked or of any attacks on affected customers.

Comcast is requiring Xfinity customers to reset their passwords to protect against the possibility that attackers can crack the stolen hashes. The company is also encouraging customers to enable two-factor authentication. The representative declined to say why company admins didn’t patch sooner.

Xfinity waited 13 days to patch critical Citrix Bleed 0-day. Now it’s paying the price Read More »

A song of hype and fire: The 10 biggest AI stories of 2023

AI, AI ethics, AI hype, AI safety, Anthropic, audio synthesis, Bing Chat, Biz & IT, chatgpt, chatgtp, encylopedia, Features, greg brockman, image synthesis, large language models, machine learning, Meta, Meta AI, microsoft, MidJourney, openai, sam altman, Stable Diffusion, text synthesis, video synthesis, will smith, x-risk, Yann LeCun / Ryan Harris / December 18, 2023

An illustration of a robot accidentally setting off a mushroom cloud on a laptop computer. — Getty Images | Benj Edwards

“Here, There, and Everywhere” isn’t just a Beatles song. It’s also a phrase that recalls the spread of generative AI into the tech industry during 2023. Whether you think AI is just a fad or the dawn of a new tech revolution, it’s been impossible to deny that AI news has dominated the tech space for the past year.

We’ve seen a large cast of AI-related characters emerge that includes tech CEOs, machine learning researchers, and AI ethicists—as well as charlatans and doomsayers. From public feedback on the subject of AI, we’ve heard that it’s been difficult for non-technical people to know who to believe, what AI products (if any) to use, and whether we should fear for our lives or our jobs.

Meanwhile, in keeping with a much-lamented trend of 2022, machine learning research has not slowed down over the past year. On X, former Biden administration tech advisor Suresh Venkatasubramanian wrote, “How do people manage to keep track of ML papers? This is not a request for support in my current state of bewilderment—I’m genuinely asking what strategies seem to work to read (or “read”) what appear to be 100s of papers per day.”

To wrap up the year with a tidy bow, here’s a look back at the 10 biggest AI news stories of 2023. It was very hard to choose only 10 (in fact, we originally only intended to do seven), but since we’re not ChatGPT generating reams of text without limit, we have to stop somewhere.

Bing Chat “loses its mind”

In February, Microsoft unveiled Bing Chat, a chatbot built into its languishing Bing search engine website. Microsoft created the chatbot using a more raw form of OpenAI’s GPT-4 language model but didn’t tell everyone it was GPT-4 at first. Since Microsoft used a less conditioned version of GPT-4 than the one that would be released in March, the launch was rough. The chatbot assumed a temperamental personality that could easily turn on users and attack them, tell people it was in love with them, seemingly worry about its fate, and lose its cool when confronted with an article we wrote about revealing its system prompt.

Aside from the relatively raw nature of the AI model Microsoft was using, at fault was a system where very long conversations would push the conditioning system prompt outside of its context window (like a form of short-term memory), allowing all hell to break loose through jailbreaks that people documented on Reddit. At one point, Bing Chat called me “the culprit and the enemy” for revealing some of its weaknesses. Some people thought Bing Chat was sentient, despite AI experts’ assurances to the contrary. It was a disaster in the press, but Microsoft didn’t flinch, and it ultimately reigned in some of Bing Chat’s wild proclivities and opened the bot widely to the public. Today, Bing Chat is now known as Microsoft Copilot, and it’s baked into Windows.

US Copyright Office says no to AI copyright authors

Enlarge / An AI-generated image that won a prize at the Colorado State Fair in 2022, later denied US copyright registration.

Jason M. Allen

In February, the US Copyright Office issued a key ruling on AI-generated art, revoking the copyright previously granted to the AI-assisted comic book “Zarya of the Dawn” in September 2022. The decision, influenced by the revelation that the images were created using the AI-powered Midjourney image generator, stated that only the text and arrangement of images and text by Kashtanova were eligible for copyright protection. It was the first hint that AI-generated imagery without human-authored elements could not be copyrighted in the United States.

This stance was further cemented in August when a US federal judge ruled that art created solely by AI cannot be copyrighted. In September, the US Copyright Office rejected the registration for an AI-generated image that won a Colorado State Fair art contest in 2022. As it stands now, it appears that purely AI-generated art (without substantial human authorship) is in the public domain in the United States. This stance could be further clarified or changed in the future by judicial rulings or legislation.

A song of hype and fire: The 10 biggest AI stories of 2023 Read More »

How Microsoft’s cybercrime unit has evolved to combat increased threats

Biz & IT, cybercrime, microsoft, Security, syndication / Ryan Harris / December 17, 2023

a more sophisticated DCU —

Microsoft has honed its strategy to disrupt global cybercrime and state-backed actors.

Lily Hay Newman, wired.com – Dec 17, 2023 12: 05 pm UTC

Microsoft's Cybercrime Center. — Microsoft’s Cybercrime Center.

Microsoft

Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft’s Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.

The DCU is fueled, of course, by Microsoft’s massive scale and the visibility across the Internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.

In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.

The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.

The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.

“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”

The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.

Still, the DCU’s particular progression was the result of Microsoft’s unique dominance during the rise of the consumer Internet. As the group’s mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU’s unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.

“There’s simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”

Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.

“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.

“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”

How Microsoft’s cybercrime unit has evolved to combat increased threats Read More »

UniFi devices broadcasted private video to other users’ accounts

Biz & IT, privacy, Security, ubiquiti, unifi, video / Ryan Harris / December 14, 2023

CASE OF MISTAKEN IDENTITY —

“I was presented with 88 consoles from another account,” one user reports.

Dan Goodin – Dec 14, 2023 9: 34 pm UTC

an assortment of ubiquiti cameras — Enlarge / An assortment of Ubiquiti cameras.

Users of UniFi, the popular line of wireless devices from manufacturer Ubiquiti, are reporting receiving private camera feeds from, and control over, devices belonging to other users, posts published to social media site Reddit over the past 24 hours show.

“Recently, my wife received a notification from UniFi Protect, which included an image from a security camera,” one Reddit user reported. “However, here’s the twist—this camera doesn’t belong to us.”

Stoking concern and anxiety

The post included two images. The first showed a notification pushed to the person’s phone reporting that their UDM Pro, a network controller and network gateway used by tech-enthusiast consumers, had detected someone moving in the backyard. A still shot of video recorded by a connected surveillance camera showed a three-story house surrounded by trees. The second image showed the dashboard belonging to the Reddit user. The user’s connected device was a UDM SE, and the video it captured showed a completely different house.

Less than an hour later, a different Reddit user posting to the same thread replied: “So it’s VERY interesting you posted this, I was just about to post that when I navigated to unifi.ui.com this morning, I was logged into someone else’s account completely! It had my email on the top right, but someone else’s UDM Pro! I could navigate the device, view, and change settings! Terrifying!!”

Two other people took to the same thread to report similar behavior happening to them.

Other Reddit threads posted in the past day reporting UniFi users connecting to private devices or feeds belonging to others are here and here. The first one reported that the Reddit poster gained full access to someone else’s system. The post included two screenshots showing what the poster said was the captured video of an unrecognized business. The other poster reported logging into their Ubiquiti dashboard to find system controls for someone else. “I ended up logging out, clearing cookies, etc seems fine now for me…” the poster wrote.

Yet another person reported the same problem in a post published to Ubiquiti’s community support forum on Thursday, as this Ars story was being reported. The person reported logging into the UniFi console as is their routine each day.

“However this time I was presented with 88 consoles from another account,” the person wrote. “I had full access to these consoles, just as I would my own. This was only stopped when I forced a browser refresh, and I was presented again with my consoles.”

Ubiquity on Thursday said it had identified the glitch and fixed the errors that caused it.

“Specifically, this issue was caused by an upgrade to our UniFi Cloud infrastructure, which we have since solved,” officials wrote. They went on:

1. What happened?

1,216 Ubiquiti accounts (“Group 1”) were improperly associated with a separate group of 1,177 Ubiquiti accounts (“Group 2”).

2. When did this happen?

December 13, from 6: 47 AM to 3: 45 PM UTC.

3. What does this mean?

During this time, a small number of users from Group 2 received push notifications on their mobile devices from the consoles assigned to a small number of users from Group 1.

Additionally, during this time, a user from Group 2 that attempted to log into his or her account may have been granted temporary remote access to a Group 1 account.

The reports are understandably stoking concern and even anxiety for users of UniFi products, which include wireless access points, switches, routers, controller devices, VoIP phones, and access control products. As the Internet-accessible portals into the local networks of users, UniFi devices provide a means for accessing cameras, mics, and other sensitive resources inside the home.

“I guess I should stop walking around naked in my house now,” a participant in one of the forums joked.

To Ubiquiti’s credit, company employees proactively responded to reports, signaling they took the reports seriously and began actively investigating early on. The employees said the problem has been corrected, and the account mix-ups are no longer occurring.

It’s useful to remember that this sort of behavior—legitimately logging into an account only to find the data or controls belonging to a completely different account—is as old as the Internet. Recent examples: A T-Mobile mistake in September, and similar glitches involving Chase Bank, First Virginia Banks, Credit Karma, and Sprint.

The precise root causes of this type of system error vary from incident to incident, but they often involve “middlebox” devices, which sit between the front- and back-end devices. To improve performance, middleboxes cache certain data, including the credentials of users who have recently logged in. When mismatches occur, credentials for one account can be mapped to a different account.

In an email, a Ubiquiti official said company employees are still gathering “information to provide an accurate assessment.”

UniFi devices broadcasted private video to other users’ accounts Read More »

Ukrainian cells and Internet still out, 1 day after suspected Russian cyberattack

Biz & IT, cellular, cyberattack, Internet, russia, Security, Ukraine / Ryan Harris / December 13, 2023

PLEASE STAND BY —

Hackers tied to Russian military take responsibility for hack on Ukraine’s biggest provider.

Dan Goodin – Dec 14, 2023 1: 33 am UTC

Enlarge / A service center for “Kyivstar”, a Ukrainian telecommunications company, that provides communication services and data transmission based on a broad range of fixed and mobile technologies.

Getty Images

Ukrainian civilians on Wednesday grappled for a second day of widespread cellular phone and Internet outages after a cyberattack, purportedly carried out by Kremlin-supported hackers, hit the country’s biggest mobile phone and Internet provider a day earlier.

Two separate hacking groups with ties to the Russian government took responsibility for Tuesday’s attack striking Kyivstar, which has said it serves 24.3 million mobile subscribers and more than 1.1 million home Internet users. One group, calling itself Killnet, said on Telegram that “an attack was carried out on Ukrainian mobile operators, as well as on some banks,” but didn’t elaborate or provide any evidence. A separate group known as Solntsepek said on the same site that it took “full responsibility for the cyberattack on Kyivstar” and had “destroyed 10,000 computers, more than 4,000 servers, and all cloud storage and backup systems.” The post was accompanied by screenshots purporting to show someone with control over the Kyivstar systems.

In the city of Lviv, street lights remained on after sunrise and had to be disconnected manually, because Internet-dependent automated power switches didn’t work, according to NBC News. Additionally, the outage prevented shops throughout the country from processing credit payments and many ATMs from functioning, the Kyiv Post said.

The outage also disrupted air alert systems that warn residents in multiple cities of incoming missile attacks, a Ukrainian official said on Telegram. The outage forced authorities to rely on backup alarms.

“Cyber specialists of the Security Service of Ukraine and ‘Kyivstar’ specialists, in cooperation with other state bodies, continue to restore the network after yesterday’s hacker attack,” officials with the Security Service of Ukraine said. “According to preliminary calculations, it is planned to restore fixed Internet for households on December 13, as well as start the launch of mobile communication and Internet. The digital infrastructure of ‘Kyivstar’ was critically damaged, so the restoration of all services in compliance with the necessary security protocols takes time.”

Kyivstar suspended mobile and Internet service on Tuesday after experiencing what company CEO Oleksandr Komarov said was an “unprecedented cyberattack” by Russian hackers. The attack represents one of the biggest compromises on a civilian telecommunications provider ever and one of the most disruptive so far in the 21-month Russia-Ukraine war. Kyivstar’s website remained unavailable at the time this post went live on Ars.

According to a report by the New Voice of Ukraine, hackers infiltrated Kyivstar’s infrastructure after first hacking into an internal employee account.

Solntsepek, one of two groups taking responsibility for the attack, has links to “Sandworm,” the name researchers use to track a hacking group that works on behalf of a unit within the Russian military known as the GRU. Sandworm has been tied to some of the most destructive cyberattacks in history, most notably the NotPetya worm, which caused an estimated $10 billion in damage worldwide. Researchers have also attributed Ukrainian power outages in 2015 and 2016 to the group.

Ukrainian cells and Internet still out, 1 day after suspected Russian cyberattack Read More »

Dropbox spooks users with new AI features that send data to OpenAI when used

AI, AI privacy, Biz & IT, chatgpt, chatgtp, data privacy, dropbox, large language models, machine learning, openai, privacy / Ryan Harris / December 13, 2023

adventures in data consent —

AI feature turned on by default worries users; Dropbox responds to concerns.

Benj Edwards – Updated Dec 13, 2023 7: 41 pm UTC

On Wednesday, news quickly spread on social media about a new enabled-by-default Dropbox setting that shares Dropbox data with OpenAI for an experimental AI-powered search feature, but Dropbox says data is only shared if the feature is actively being used. Dropbox says that user data shared with third-party AI partners isn’t used to train AI models and is deleted within 30 days.

Even with assurances of data privacy laid out by Dropbox on an AI privacy FAQ page, the discovery that the setting had been enabled by default upset some Dropbox users. The setting was first noticed by writer Winifred Burton, who shared information about the Third-party AI setting through Bluesky on Tuesday, and frequent AI critic Karla Ortiz shared more information about it on X.

Wednesday afternoon, Drew Houston, the CEO of Dropbox, apologized for customer confusion in a post on X and wrote, “The third-party AI toggle in the settings menu enables or disables access to DBX AI features and functionality. Neither this nor any other setting automatically or passively sends any Dropbox customer data to a third-party AI service.“

Critics say that communication about the change could have been clearer. AI researcher Simon Willison wrote, “Great example here of how careful companies need to be in clearly communicating what’s going on with AI access to personal data.”

A screenshot of Dropbox's third-party AI feature switch. — Enlarge / A screenshot of Dropbox’s third-party AI feature switch.

Benj Edwards

So why would Dropbox ever send user data to OpenAI anyway? In July, the company announced an AI-powered feature called Dash that allows AI models to perform universal searches across platforms like Google Workspace and Microsoft Outlook.

According to the Dropbox privacy FAQ, the third-party AI opt-out setting is part of the “Dropbox AI alpha,” which is a conversational interface for exploring file contents that involves chatting with a ChatGPT-style bot using an “Ask something about this file” feature. To make it work, an AI language model similar to the one that powers ChatGPT (like GPT-4) needs access to your files.

According to the FAQ, the third-party AI toggle in your account settings is turned on by default if “you or your team” are participating in the Dropbox AI alpha. Still, multiple Ars Technica staff who had no knowledge of the Dropbox AI alpha found the setting enabled by default when they checked.

In a statement to Ars Technica, a Dropbox representative said, “The third-party AI toggle is only turned on to give all eligible customers the opportunity to view our new AI features and functionality, like Dropbox AI. It does not enable customers to use these features without notice. Any features that use third-party AI offer disclosure of third-party use, and link to settings that they can manage. Only after a customer sees the third-party AI transparency banner and chooses to proceed with asking a question about a file, will that file be sent to a third-party to generate answers. Our customers are still in control of when and how they use these features.”

Right now, the only third-party AI provider for Dropbox is OpenAI, writes Dropbox in the FAQ. “Open AI is an artificial intelligence research organization that develops cutting-edge language models and advanced AI technologies. Your data is never used to train their internal models, and is deleted from OpenAI’s servers within 30 days.” It also says, “Only the content relevant to an explicit request or command is sent to our third-party AI partners to generate an answer, summary, or transcript.”

Disabling the feature is easy if you prefer not to use Dropbox AI features. Log into your Dropbox account on a desktop web browser, then click your profile photo > Settings > Third-party AI. This link may take you to that page more quickly. On that page, click the switch beside “Use artificial intelligence (AI) from third-party partners so you can work faster in Dropbox” to toggle it into the “Off” position.

This story was updated on December 13, 2023, at 5: 35 pm ET with clarifications about when and how Dropbox shares data with OpenAI, as well as statements from Dropbox reps and its CEO.

Dropbox spooks users with new AI features that send data to OpenAI when used Read More »

Broadcom ends VMware perpetual license sales, testing customers and partners

Biz & IT, Broadcom, Software, Tech, virtualization, vmware / Blake Jones / December 12, 2023

saas —

Already-purchased licenses can still be used but will eventually lose support.

Scharon Harding – Dec 12, 2023 10: 04 pm UTC

Broadcom has moved forward with plans to transition VMware, a virtualization and cloud computing company, into a subscription-based business. As of December 11, it no longer sells perpetual licenses with VMware products. VMware, whose $61 billion acquisition by Broadcom closed in November, also announced on Monday that it will no longer sell support and subscription (SnS) for VMware products with perpetual licenses. Moving forward, VMware will only offer term licenses or subscriptions, according to its VMware blog post.

VMware customers with perpetual licenses and active support contracts can continue using them. VMware “will continue to provide support as defined in contractual commitments,” Krish Prasad, senior vice president and general manager for VMware’s Cloud Foundation Division, wrote. But when customers’ SnS terms end, they won’t have any support.

Broadcom hopes this will force customers into subscriptions, and it’s offering “upgrade pricing incentives” that weren’t detailed in the blog for customers who switch from perpetual licensing to a subscription.

These are the products affected, per Prasad’s blog:

VMware Aria Automation
VMware Aria Suite
VMware Aria Operations
VMware Aria Operations for Logs
VMware Aria Operations for Networks
VMware Aria Universal
VMware Cloud Foundation
VMware HCX
VMware NSX
VMware Site Recovery Manager
VMware vCloud Suite
VMware vSAN
VMware vSphere

Subscription-based future

Broadcom is looking to grow VMware’s EBITDA (earnings before interest, taxes, depreciation, and amortization) from about $4.7 billion to about $8.5 billion in three years, largely through shifting the company’s business model to subscriptions, Tom Krause, president of the Broadcom Software Group, said during a December 7 earnings call, per Forbes.

“This shift is the natural next step in our multi-year strategy to make it easier for customers to consume both our existing offerings and new innovations. VMware believes that a subscription model supports our customers with the innovation and flexibility they need as they undertake their digital transformations,” VMware’s blog said.

With changes effective immediately upon announcement, the news might sound abrupt. However, in May, soon after announcing its plans to acquire VMware, Broadcom CEO Hock Tan signaled a “rapid transition” to subscriptions.

At the time, Tan pointed to the importance of maintaining current VMware customers’ happiness, as well as leveraging the VMware sales team already in place. However, after less than a month of the deal’s close, reports point to concern among VMWare customers and partners.

Customer and partner concerns

VMware’s blog said “the industry has already embraced subscription as the standard for cloud consumption.” For years, software and even hardware vendors and investors have been pushing IT solution provider partners and customers toward recurring revenue models. However, VMware built much of its business on the perpetual license model. As noted by The Stack, VMware in February noted that perpetual licensing was the company’s “most renowned model.”

VMware’s blog this week listed “continuous innovation” and “faster time to value” as customer benefits for subscription models but didn’t detail how it came to those conclusions.

“Predictable investments” is also listed, but it’s hard to imagine a more predictable expense than paying for something once and having supported access to it indefinitely (assuming you continue paying any support costs). Now, VMware and its partners will be left convincing customers that their finances can afford a new monthly expense for something they thought was paid for. For Broadcom, though, it’s easier to see the benefits of turning VMware into more of a reliable and recurring revenue stream.

Additionally, Broadcom’s layoffs of at least 2,837 VMware employees have brought uncertainty to the VMware brand. A CRN report in late November pointed to VMware partners hearing customer concern about potential price raises and a lack of support. C.R. Howdyshell, CEO of Advizex, which reportedly made $30 million in VMware-tied revenue in 2022, told the publication that partners and customers were experiencing “significant concern and chaos” around VMware sales. Another channel partner noted to CRN the layoff of a close VMware sales contact.

But Broadcom has made it clear that it wants to “complete the transition of all VMware by Broadcom solutions to subscription licenses,” per Prasad’s blog.

The company hopes to convince skeptical channel partners that they’ll see the way, too. VMware, like many tech companies urging subscription models, pointed to “many partners” having success with subscription models already and “opportunity for partners to engage more strategically with customers and deliver higher-value services that drive customer success.”

However, because there’s no immediate customer benefit to the end of perpetual licenses, those impacted by VMware’s change in business strategy have to assess how much they’re willing to pay to access VMware products moving forward.

Broadcom ends VMware perpetual license sales, testing customers and partners Read More »