Biz & IT – Page 26

Maximum-severity GitLab flaw allowing account hijacking under active exploitation

Biz & IT, exploits, gitlab, Security, vulnerabilities / Paul Patrick / May 3, 2024

A 10 OUT OF 10 —

The threat is potentially grave because it could be used in supply-chain attacks.

Dan Goodin – May 2, 2024 7: 02 pm UTC

A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January.

A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn’t have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account.

While exploits require no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.

On Wednesday, the US Cybersecurity and Infrastructure Security Agency said it is aware of “evidence of active exploitation” and added the vulnerability to its list of known exploited vulnerabilities. CISA provided no details about the in-the-wild attacks. A GitLab representative declined to provide specifics about the active exploitation of the vulnerability.

The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2020 and pushed malware to more than 18,000 of its customers, 100 of whom received follow-on hacks. Other recent examples of supply chain attacks are here, here, and here.

These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all.

According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances.

The biggest concentration of IP addresses was in India, followed by the US, Indonesia, Algeria, and Thailand.

The number of IP addresses showing vulnerable instances has fallen over time. Shadowserver shows that there were more than 5,300 addresses on January 22, one week after GitLab issued the patch.

The vulnerability is classed as an improper access control flaw.

CISA has ordered all civilian federal agencies that have yet to patch the vulnerability to do so immediately. The agency made no mention of MFA, but any GitLab users who haven’t already done so should enable it, ideally with a form that complies with the FIDO industry standard.

GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.

Maximum-severity GitLab flaw allowing account hijacking under active exploitation Read More »

Hacker free-for-all fights for control of home and office routers everywhere

Biz & IT, botnets, malware, routers, Security / Mike M. / May 2, 2024

Rows of 1950s-style robots operate computer workstations.

Cybercriminals and spies working for nation-states are surreptitiously coexisting inside the same compromised name-brand routers as they use the devices to disguise attacks motivated both by financial gain and strategic espionage, researchers said.

In some cases, the coexistence is peaceful, as financially motivated hackers provide spies with access to already compromised routers in exchange for a fee, researchers from security firm Trend Micro reported Wednesday. In other cases, hackers working in nation-state-backed advanced persistent threat groups take control of devices previously hacked by the cybercrime groups. Sometimes the devices are independently compromised multiple times by different groups. The result is a free-for-all inside routers and, to a lesser extent, VPN devices and virtual private servers provided by hosting companies.

“Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization layers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious activities more difficult,” Trend Micro researchers Feike Hacquebord and Fernando Merces wrote. “This shared interest results in malicious internet traffic blending financial and espionage motives.”

Pawn Storm, a spammer, and a proxy service

A good example is a network made up primarily of EdgeRouter devices sold by manufacturer Ubiquiti. After the FBI discovered it had been infected by a Kremlin-backed group and used as a botnet to camouflage ongoing attacks targeting governments, militaries, and other organizations worldwide, it commenced an operation in January to temporarily disinfect them.

The Russian hackers gained control after the devices were already infected with Moobot, which is botnet malware used by financially motivated threat actors not affiliated with the Russian government. These threat actors installed Moobot after first exploiting publicly known default administrator credentials that hadn’t been removed from the devices by the people who owned them. The Russian hackers—known by a variety of names including Pawn Storm, APT28, Forest Blizzard, Sofacy, and Sednit—then exploited a vulnerability in the Moobot malware and used it to install custom scripts and malware that turned the botnet into a global cyber espionage platform.

The Trend Micro researchers said that Pawn Storm was using the hijacked botnet to proxy (1) logins that used stolen account credentials and (2) attacks that exploited a critical zero-day vulnerability in Microsoft Exchange that went unfixed until March 2023. The zero-day exploits allowed Pawn Storm to obtain the cryptographic hash of users’ Outlook passwords simply by sending them a specially formatted email. Once in possession of the hash, Pawn Storm performed a so-called NTLMv2 hash relay attack that funneled logins to the user accounts through one of the botnet devices. Microsoft provided a diagram of the attack pictured below:

Trend Micro observed the same botnet being used to send spam with pharmaceutical themes that have the hallmarks of what’s known as the Canadian Pharmacy gang. Yet another group installed malware known as Ngioweb on botnet devices. Ngioweb was first found in 2019 running on routers from DLink, Netgear, and other manufacturers, as well as other devices running Linux on top of x86, ARM, and MIPS hardware. The purpose of Ngioweb is to provide proxies individuals can use to route their online activities through a series of regularly changing IP addresses, particularly those located in the US with reputations for trustworthiness. It’s not clear precisely who uses the Ngioweb-powered service.

The Trend Micro researchers wrote:

In the specific case of the compromised Ubiquiti EdgeRouters, we observed that a botnet operator has been installing backdoored SSH servers and a suite of scripts on the compromised devices for years without much attention from the security industry, allowing persistent access. Another threat actor installed the Ngioweb malware that runs only in memory to add the bots to a commercially available residential proxy botnet. Pawn Storm most likely easily brute forced the credentials of the backdoored SSH servers and thus gained access to a pool of EdgeRouter devices they could abuse for various purposes.

The researchers provided the following table, summarizing the botnet-sharing arrangement among Pawn Storm and the two other groups, tracked as Water Zmeu and Water Barghest:

It’s unclear if either of the groups was responsible for installing the previously mentioned Moobot malware that the FBI reported finding on the devices. If not, that would mean routers were independently infected by three financially motivated groups, in addition to Pawn Storm, further underscoring the ongoing rush by multiple threat groups to establish secret listening posts inside routers. Trend Micro researchers weren’t available to clarify.

The post went on to report that while the January operation by the FBI put a dent in the infrastructure Pawn Storm depended on, legal constraints prevented the operation from preventing reinfection. What’s more, the botnet also comprised virtual public servers and Raspberry Pi devices that weren’t affected by the FBI action.

“This means that despite the efforts of law enforcement, Pawn Storm still has access to many other compromised assets, including EdgeServers,” the Trend Micro report said. “For example, IP address 32[.]143[.]50[.]222 was used as an SMB reflector around February 8, 2024. The same IP address was used as a proxy in a credential phishing attack on February 6 2024 against various government officials around the world.”

Hacker free-for-all fights for control of home and office routers everywhere Read More »

Anthropic releases Claude AI chatbot iOS app

AI, Anthropic, Biz & IT, chatgpt, chatgtp, Claude, Claude 3, Claude Opus, large language models, machine learning, openai, Opus / Mike M. / May 2, 2024

AI in your pocket —

Anthropic finally comes to mobile, launches plan for teams that includes 200K context window.

Benj Edwards – May 1, 2024 9: 36 pm UTC

Enlarge / The Claude AI iOS app running on an iPhone.

Anthropic

On Wednesday, Anthropic announced the launch of an iOS mobile app for its Claude 3 AI language models that are similar to OpenAI’s ChatGPT. It also introduced a new subscription tier designed for group collaboration. Before the app launch, Claude was only available through a website, an API, and other apps that integrated Claude through API.

Like the ChatGPT app, Claude’s new mobile app serves as a gateway to chatbot interactions, and it also allows uploading photos for analysis. While it’s only available on Apple devices for now, Anthropic says that an Android app is coming soon.

Anthropic rolled out the Claude 3 large language model (LLM) family in March, featuring three different model sizes: Claude Opus, Claude Sonnet, and Claude Haiku. Currently, the app utilizes Sonnet for regular users and Opus for Pro users.

While Anthropic has been a key player in the AI field for several years, it’s entering the mobile space after many of its competitors have already established footprints on mobile platforms. OpenAI released its ChatGPT app for iOS in May 2023, with an Android version arriving two months later. Microsoft released a Copilot iOS app in January. Google Gemini is available through the Google app on iPhone.

Enlarge / Screenshots of the Claude AI iOS app running on an iPhone.

Anthropic

The app is freely available to all users of Claude, including those using the free version, subscribers paying $20 per month for Claude Pro, and members of the newly introduced Claude Team plan. Conversation history is saved and shared between the web app version of Claude and the mobile app version after logging in.

Speaking of that Team plan, it’s designed for groups of at least five and is priced at $30 per seat per month. It offers more chat queries (higher rate limits), access to all three Claude models, and a larger context window (200K tokens) for processing lengthy documents or maintaining detailed conversations. It also includes group admin tools and billing management, and users can easily switch between Pro and Team plans.

Anthropic releases Claude AI chatbot iOS app Read More »

Here’s your chance to own a decommissioned US government supercomputer

AI, Biz & IT, Cheyenne, Earth sciences, gsa, IT, machine learning, retrotech, supercomputer, Tech, US government, wyoming / Mike M. / May 1, 2024

But can it run Crysis —

145,152-core Cheyenne supercomputer was 20th most powerful in the world in 2016.

Benj Edwards – Apr 30, 2024 9: 52 pm UTC

Enlarge / A photo of the Cheyenne supercomputer, which is now up for auction.

On Tuesday, the US General Services Administration began an auction for the decommissioned Cheyenne supercomputer, located in Cheyenne, Wyoming. The 5.34-petaflop supercomputer ranked as the 20th most powerful in the world at the time of its installation in 2016. Bidding started at $2,500, but it’s price is currently $27,643 with the reserve not yet met.

The supercomputer, which officially operated between January 12, 2017, and December 31, 2023, at the NCAR-Wyoming Supercomputing Center, was a powerful (and once considered energy-efficient) system that significantly advanced atmospheric and Earth system sciences research.

“In its lifetime, Cheyenne delivered over 7 billion core-hours, served over 4,400 users, and supported nearly 1,300 NSF awards,” writes the University Corporation for Atmospheric Research (UCAR) on its official Cheyenne information page. “It played a key role in education, supporting more than 80 university courses and training events. Nearly 1,000 projects were awarded for early-career graduate students and postdocs. Perhaps most tellingly, Cheyenne-powered research generated over 4,500 peer-review publications, dissertations and theses, and other works.”

UCAR says that Cheynne was originally slated to be replaced after five years, but the COVID-19 pandemic severely disrupted supply chains, and it clocked in two extra years in its tour of duty. The auction page says that Cheyenne recently experienced maintenance limitations due to faulty quick disconnects in its cooling system. As a result, approximately 1 percent of the compute nodes have failed, primarily due to ECC errors in the DIMMs. Given the expense and downtime associated with repairs, the decision was made to auction off the components.

A photo gallery of the Cheyenne supercomputer up for auction.

With a peak performance of 5,340 teraflops (4,788 Linpack teraflops), this SGI ICE XA system was capable of performing over 3 billion calculations per second for every watt of energy consumed, making it three times more energy-efficient than its predecessor, Yellowstone. The system featured 4,032 dual-socket nodes, each with two 18-core, 2.3-GHz Intel Xeon E5-2697v4 processors, for a total of 145,152 CPU cores. It also included 313 terabytes of memory and 40 petabytes of storage. The entire system in operation consumed about 1.7 megawatts of power.

Just to compare, the world’s top-rated supercomputer at the moment—Frontier at Oak Ridge National Labs in Tennessee—features a theoretical peak performance of 1,679.82 petaflops, includes 8,699,904 CPU cores, and uses 22.7 megawatts of power.

The GSA notes that potential buyers of Cheyenne should be aware that professional movers with appropriate equipment will be required to handle the heavy racks and components. The auction includes seven E-Cell pairs (14 total), each with a cooling distribution unit (CDU). Each E-Cell weighs approximately 1,500 lbs. Additionally, the auction features two air-cooled Cheyenne Management Racks, each weighing 2,500 lbs, that contain servers, switches, and power units.

As of this writing, 12 potential buyers have bid on this computing monster so far. The auction closes on May 5 at 6: 11 pm Central Time if you’re interested in bidding. But don’t get too excited by photos of the extensive cabling: As the auction site notes, “fiber optic and CAT5/6 cabling are excluded from the resale package.”

Here’s your chance to own a decommissioned US government supercomputer Read More »

Health care giant comes clean about recent hack and paid ransom

Biz & IT, Change Healthcare, prescriptions, ransomware, Security / Mike M. / May 1, 2024

HEALTH CARE PROVIDER, HEAL THYSELF —

Ransomware attack on the $371 billion company hamstrung US prescription market.

Dan Goodin – Apr 30, 2024 8: 44 pm UTC

Change Healthcare, the health care services provider that recently experienced a ransomware attack that hamstrung the US prescription market for two weeks, was hacked through a compromised account that failed to use multifactor authentication, the company CEO told members of Congress.

The February 21 attack by a ransomware group using the names ALPHV or BlackCat took down a nationwide network Change Healthcare administers to allow healthcare providers to manage customer payments and insurance claims. With no easy way for pharmacies to calculate what costs were covered by insurance companies, payment processors, providers, and patients experienced long delays in filling prescriptions for medicines, many of which were lifesaving. Change Healthcare has also reported that hackers behind the attacks obtained personal health information for a “substantial portion” of the US population.

Standard defense not in place

Andrew Witty, CEO of Change Healthcare parent company UnitedHealth Group, said the breach started on February 12 when hackers somehow obtained an account password for a portal allowing remote access to employee desktop devices. The account, Witty admitted, failed to use multifactor authentication (MFA), a standard defense against password compromises that requires additional authentication in the form of a one-time password or physical security key.

“The portal did not have multi-factor authentication,” Witty wrote in comments submitted before his scheduled testimony on Wednesday to the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations. “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data.” Witty is also scheduled to appear at a separate Wednesday hearing before the Senate Committee on Finance.

Witty didn’t explain why the account, on a portal platform provided by software maker Citrix, wasn’t configured to use MFA. The failure is likely to be a major focus during Wednesday’s hearing.

After burrowing into the Change Healthcare network undetected for nine days, the attackers deployed ransomware that prevented the company from accessing its IT environment. In response, the company severed its connection to its data centers. The company spent the next two weeks rebuilding its entire IT infrastructure “from the ground up.” In the process, it replaced thousands of laptops, rotated credentials, and added new server capacity. By March 7, 99 percent of pre-incident pharmacies were once again able to process claims.

Witty also publicly confirmed that Change Healthcare paid a ransom, a practice that critics say incentivizes ransomware groups who often fail to make good on promises to destroy stolen data. According to communications uncovered by Dmitry Smilyanets, product management director at security firm Recorded Future, Change Healthcare paid $22 million to ALPHV. Principal members of the group then pocketed the funds rather than sharing it with an affiliate group that did the actual hacking, as spelled out in a pre-existing agreement. The affiliate group published some of the stolen data, largely validating a chief criticism of ransomware payments.

“As chief executive officer, the decision to pay a ransom was mine,” Witty wrote. “This was one of the hardest

decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Bleeping Computer reported that Change Healthcare may have paid both ALPHV and the affiliate through a group calling itself RansomHub.

Two weeks ago, UnitedHealth Group reported the ransomware attack resulted in a $872 million cost in its first quarter. That amount included $593 million in direct response costs and $279 million in disruptions. Witty’s written testimony added that as of last Friday, his company had advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers that were left financially struggling during the prolonged outage. UnitedHealth Care reported $99.8 billion in sales for the quarter. The company had an annual revenue of $371.6 billion in 2023.

Payment processing by Change Healthcare is currently about 86 percent of its pre-incident levels and will increase as the company further restores its systems, Witty said. The number of pharmacies it serves remains a “fraction of a percent” below pre-incident levels.

Health care giant comes clean about recent hack and paid ransom Read More »

AWS S3 storage bucket with unlucky name nearly cost developer $1,300

Amazon, amazon s3, AWS, Biz & IT, Cloud Storage, Tech / Mike M. / May 1, 2024

Not that kind of bucket list —

Amazon says it’s working on stopping others from “making your AWS bill explode.”

Kevin Purdy – Apr 30, 2024 7: 43 pm UTC

A blue bucket, held by red and yellow brackets, being continuously filled and overflowing — Enlarge / Be careful with the buckets you put out there for anybody to fill.

Getty Images

If you’re using Amazon Web Services and your S3 storage bucket can be reached from the open web, you’d do well not to pick a generic name for that space. Avoid “example,” skip “change_me,” don’t even go with “foo” or “bar.” Someone else with the same “change this later” thinking can cost you a MacBook’s worth of cash.

Ask Maciej Pocwierz, who just happened to pick an S3 name that “one of the popular open-source tools” used for its default backup configuration. After setting up the bucket for a client project, he checked his billing page and found nearly 100 million unauthorized attempts to create new files on his bucket (PUT requests) within one day. The bill was over $1,300 and counting.

Nothing, nothing, nothing, nothing, nothing … nearly 100 million unauthorized requests.

“All this actually happened just a few days after I ensured my client that the price for AWS services will be negligible, like $20 at most for the entire month,” Pocwierz wrote over chat. “I explained the situation is very unusual but it definitely looked as if I didn’t know what I’m doing.”

Pocwierz declined to name the open source tool that inadvertently bum-rushed his S3 account. In a Medium post about the matter, he noted a different problem with an unlucky default backup. After turning on public writes, he watched as he collected more than 10GB of data in less than 30 seconds. Other people’s data, that is, and they had no idea that Pocwierz was collecting it.

Some of that data came from companies with customers, which is part of why Pocwierz is keeping the specifics under wraps. He wrote to Ars that he contacted some of the companies that either tried or successfully backed up their data to his bucket, and “they completely ignored me.” “So now instead of having this fixed, their data is still at risk,” Pocwierz writes. “My lesson is if I ever run a company, I will definitely have a bug bounty program, and I will treat such warnings seriously.”

As for Pocwierz’s accounts, both S3 and bank, it mostly ended well. An AWS representative reached out on LinkedIn and canceled his bill, he said, and was told that anybody can request refunds for excessive unauthorized requests. “But they didn’t explicitly say that they will necessarily approve it,” he wrote. He noted in his Medium post that AWS “emphasized that this was done as an exception.”

In response to Pocwierz’s story, Jeff Barr, chief evangelist for AWS at Amazon, tweeted that “We agree that customers should not have to pay for unauthorized requests that they did not initiate.” Barr added that Amazon would have more to share on how the company could prevent them “shortly.” AWS has a brief explainer and contact page on unexpected AWS charges.

The open source tool did change its default configuration after Pocwierz contacted them. Pocwierz suggested to AWS that it should restrict anyone else from creating a bucket name like his, but he had yet to hear back about it. He suggests in his blog post that, beyond random bad luck, adding a random suffix to your bucket name and explicitly specifying your AWS region can help avoid massive charges like the one he narrowly dodged.

AWS S3 storage bucket with unlucky name nearly cost developer $1,300 Read More »

Mysterious “gpt2-chatbot” AI model appears suddenly, confuses experts

AI, AI benchmarks, AI vibes, Biz & IT, Chatbot Arena, Ethan Mollick, GPT-3, GPT-3.5, GPT-4, GPT-4.5, GPT-5, gpt2-chatbot, lmsys, machine learning, openai, sam altman, Simon Willison / Mike M. / May 1, 2024

Robot fortune teller hand and crystal ball

On Sunday, word began to spread on social media about a new mystery chatbot named “gpt2-chatbot” that appeared in the LMSYS Chatbot Arena. Some people speculate that it may be a secret test version of OpenAI’s upcoming GPT-4.5 or GPT-5 large language model (LLM). The paid version of ChatGPT is currently powered by GPT-4 Turbo.

Currently, the new model is only available for use through the Chatbot Arena website, although in a limited way. In the site’s “side-by-side” arena mode where users can purposely select the model, gpt2-chatbot has a rate limit of eight queries per day—dramatically limiting people’s ability to test it in detail.

So far, gpt2-chatbot has inspired plenty of rumors online, including that it could be the stealth launch of a test version of GPT-4.5 or even GPT-5—or perhaps a new version of 2019’s GPT-2 that has been trained using new techniques. We reached out to OpenAI for comment but did not receive a response by press time. On Monday evening, OpenAI CEO Sam Altman seemingly dropped a hint by tweeting, “i do have a soft spot for gpt2.”

Enlarge / A screenshot of the LMSYS Chatbot Arena “side-by-side” page showing “gpt2-chatbot” listed among the models for testing. (Red highlight added by Ars Technica.)

Benj Edwards

Early reports of the model first appeared on 4chan, then spread to social media platforms like X, with hype following not far behind. “Not only does it seem to show incredible reasoning, but it also gets notoriously challenging AI questions right with a much more impressive tone,” wrote AI developer Pietro Schirano on X. Soon, threads on Reddit popped up claiming that the new model had amazing abilities that beat every other LLM on the Arena.

Intrigued by the rumors, we decided to try out the new model for ourselves but did not come away impressed. When asked about “Benj Edwards,” the model revealed a few mistakes and some awkward language compared to GPT-4 Turbo’s output. A request for five original dad jokes fell short. And the gpt2-chatbot did not decisively pass our “magenta” test. (“Would the color be called ‘magenta’ if the town of Magenta didn’t exist?”)

A gpt2-chatbot result for “Who is Benj Edwards?” on LMSYS Chatbot Arena. Mistakes and oddities highlighted in red.

Benj Edwards
A gpt2-chatbot result for “Write 5 original dad jokes” on LMSYS Chatbot Arena.

Benj Edwards
A gpt2-chatbot result for “Would the color be called ‘magenta’ if the town of Magenta didn’t exist?” on LMSYS Chatbot Arena.

Benj Edwards

So, whatever it is, it’s probably not GPT-5. We’ve seen other people reach the same conclusion after further testing, saying that the new mystery chatbot doesn’t seem to represent a large capability leap beyond GPT-4. “Gpt2-chatbot is good. really good,” wrote HyperWrite CEO Matt Shumer on X. “But if this is gpt-4.5, I’m disappointed.”

Still, OpenAI’s fingerprints seem to be all over the new bot. “I think it may well be an OpenAI stealth preview of something,” AI researcher Simon Willison told Ars Technica. But what “gpt2” is exactly, he doesn’t know. After surveying online speculation, it seems that no one apart from its creator knows precisely what the model is, either.

Willison has uncovered the system prompt for the AI model, which claims it is based on GPT-4 and made by OpenAI. But as Willison noted in a tweet, that’s no guarantee of provenance because “the goal of a system prompt is to influence the model to behave in certain ways, not to give it truthful information about itself.”

Mysterious “gpt2-chatbot” AI model appears suddenly, confuses experts Read More »

Critics question tech-heavy lineup of new Homeland Security AI safety board

AI, AI ethics, AI safety, alphabet, Amazon, Anthropic, Biz & IT, DHS, Dr. Margaret Mitchell, executive order, Google, Joe Biden, machine learning, Meta, microsoft, NVIDIA, openai, Policy, President Biden, sam altman, Satya Nadella, Sundar Pichai / Paul Patrick / April 30, 2024

Adventures in 21st century regulation —

CEO-heavy board to tackle elusive AI safety concept and apply it to US infrastructure.

Benj Edwards – Apr 29, 2024 8: 15 pm UTC

A modified photo of a 1956 scientist carefully bottling

On Friday, the US Department of Homeland Security announced the formation of an Artificial Intelligence Safety and Security Board that consists of 22 members pulled from the tech industry, government, academia, and civil rights organizations. But given the nebulous nature of the term “AI,” which can apply to a broad spectrum of computer technology, it’s unclear if this group will even be able to agree on what exactly they are safeguarding us from.

President Biden directed DHS Secretary Alejandro Mayorkas to establish the board, which will meet for the first time in early May and subsequently on a quarterly basis.

The fundamental assumption posed by the board’s existence, and reflected in Biden’s AI executive order from October, is that AI is an inherently risky technology and that American citizens and businesses need to be protected from its misuse. Along those lines, the goal of the group is to help guard against foreign adversaries using AI to disrupt US infrastructure; develop recommendations to ensure the safe adoption of AI tech into transportation, energy, and Internet services; foster cross-sector collaboration between government and businesses; and create a forum where AI leaders to share information on AI security risks with the DHS.

It’s worth noting that the ill-defined nature of the term “Artificial Intelligence” does the new board no favors regarding scope and focus. AI can mean many different things: It can power a chatbot, fly an airplane, control the ghosts in Pac-Man, regulate the temperature of a nuclear reactor, or play a great game of chess. It can be all those things and more, and since many of those applications of AI work very differently, there’s no guarantee any two people on the board will be thinking about the same type of AI.

This confusion is reflected in the quotes provided by the DHS press release from new board members, some of whom are already talking about different types of AI. While OpenAI, Microsoft, and Anthropic are monetizing generative AI systems like ChatGPT based on large language models (LLMs), Ed Bastian, the CEO of Delta Air Lines, refers to entirely different classes of machine learning when he says, “By driving innovative tools like crew resourcing and turbulence prediction, AI is already making significant contributions to the reliability of our nation’s air travel system.”

So, defining the scope of what AI exactly means—and which applications of AI are new or dangerous—might be one of the key challenges for the new board.

A roundtable of Big Tech CEOs attracts criticism

For the inaugural meeting of the AI Safety and Security Board, the DHS selected a tech industry-heavy group, populated with CEOs of four major AI vendors (Sam Altman of OpenAI, Satya Nadella of Microsoft, Sundar Pichai of Alphabet, and Dario Amodei of Anthopic), CEO Jensen Huang of top AI chipmaker Nvidia, and representatives from other major tech companies like IBM, Adobe, Amazon, Cisco, and AMD. There are also reps from big aerospace and aviation: Northrop Grumman and Delta Air Lines.

Upon reading the announcement, some critics took issue with the board composition. On LinkedIn, founder of The Distributed AI Research Institute (DAIR) Timnit Gebru especially criticized OpenAI’s presence on the board and wrote, “I’ve now seen the full list and it is hilarious. Foxes guarding the hen house is an understatement.”

Critics question tech-heavy lineup of new Homeland Security AI safety board Read More »

UK outlaws awful default passwords on connected devices

Biz & IT, connected devices, DDoS, iot, iot passwords, passwords, Policy, Security, Smart Home, Tech / Paul Patrick / April 30, 2024

Tacking an S onto IoT —

The law aims to prevent global-scale botnet attacks.

Kevin Purdy – Apr 29, 2024 7: 45 pm UTC

If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all.

A new version of the 2022 Product Security and Telecommunications Infrastructure Act (PTSI) is now in effect, covering just about everything that a consumer can buy that connects to the web. Under the guidelines, even the tiniest Wi-Fi board must either have a randomized password or else generate a password upon initialization (through a smartphone app or other means). This password can’t be incremental (“password1,” “password54”), and it can’t be “related in an obvious way to public information,” such as MAC addresses or Wi-Fi network names. A device should be sufficiently strong against brute-force access attacks, including credential stuffing, and should have a “simple mechanism” for changing the password.

There’s more, and it’s just as head-noddingly obvious. Software components, where reasonable, “should be securely updateable,” should actually check for updates, and should update either automatically or in a way “simple for the user to apply.” Perhaps most importantly, device owners can report security issues and expect to hear back about how that report is being handled.

Violations of the new device laws can result in fines up to 10 million pounds (roughly $12.5 million) or 4 percent of related worldwide revenue, whichever is higher.

Besides giving consumers better devices, these regulations are aimed squarely at malware like Mirai, which can conscript devices like routers, cable modems, and DVRs into armies capable of performing distributed denial-of-service attacks (DDoS) on various targets.

As noted by The Record, the European Union’s Cyber Resilience Act has been shaped but not yet passed and enforced, and even if it does pass, would not take effect until 2027. In the US, there is the Cyber Trust Mark, which would at least give customers the choice of buying decently secured or genially abandoned devices. But the particulars of that label are under debate and seemingly a ways from implementation. At the federal level, a 2020 bill tasked the National Institutes of Standard and Technology with applying related standards to connected devices deployed by the feds.

UK outlaws awful default passwords on connected devices Read More »

Account compromise of “unprecedented scale” uses everyday home devices

Biz & IT, credential stuffing, okta, Security / Paul Patrick / April 30, 2024

STUFF THIS —

Credential-stuffing attack uses proxies to hide bad behavior.

Dan Goodin – Apr 29, 2024 7: 35 pm UTC

Authentication service Okta is warning about the “unprecedented scale” of an ongoing campaign that routes fraudulent login requests through the mobile devices and browsers of everyday users in an attempt to conceal the malicious behavior.

The attack, Okta said, uses other means to camouflage the login attempts as well, including the TOR network and so-called proxy services from providers such as NSOCKS, Luminati, and DataImpulse, which can also harness users’ devices without their knowledge. In some cases, the affected mobile devices are running malicious apps. In other cases, users have enrolled their devices in proxy services in exchange for various incentives.

Unidentified adversaries then use these devices in credential-stuffing attacks, which use large lists of login credentials obtained from previous data breaches in an attempt to access online accounts. Because the requests come from IP addresses and devices with good reputations, network security devices don’t give them the same level of scrutiny as logins from virtual private servers (VPS) that come from hosting services threat actors have used for years.

“The net sum of this activity is that most of the traffic in these credential-stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” according to an advisory that Okta published over the weekend.

Okta’s advisory comes two weeks after Cisco’s Talos security team reported seeing a large-scale credential compromise campaign that was indiscriminately assailing networks with login attempts aimed at gaining unauthorized access to VPN, SSH, and web application accounts. These login attempts used both generic and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses that are sending the login traffic. The attacks led to hundreds of thousands or even millions of rejected authentication attempts.

Within days of Cisco’s report, Okta’s Identity Threat Research team observed a spike in credential-stuffing attacks that appeared to use a similar infrastructure. Okta said the spike lasted from April 19 through April 26, the day the company published its advisory.

Okta officials wrote:

Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone, or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.

Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.

People who want to ensure that malicious behavior isn’t routed through their devices or networks should pay close attention to the apps they install and the services they enroll in. Free or discounted services may be contingent on a user agreeing to terms of service that allow their networks or devices to proxy traffic from others. Malicious apps may also surreptitiously provide such proxy services.

Okta provides guidance for network administrators to repel credential-stuffing attacks. Chief among them is protecting accounts with a strong password—meaning one randomly generated and consisting of at least 11 characters. Accounts should also use multifactor authentication, ideally in a form that is compliant with the FIDO industry standard. The Okta advisory also includes advice for blocking malicious behavior from anonymizing proxy services.

Account compromise of “unprecedented scale” uses everyday home devices Read More »

Hackers try to exploit WordPress plugin vulnerability that’s as severe as it gets

Biz & IT, Security, SQL injection, vulnerability, wordpress / Paul Patrick / April 27, 2024

GOT PATCHES? —

WP Automatic plugin patched, but release notes don’t mention the critical fix.

Dan Goodin – Apr 26, 2024 7: 07 pm UTC

Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.

The vulnerability resides in WordPress Automatic, a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.

Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a failure by a web application to query backend databases properly. SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.

“This vulnerability is highly dangerous and expected to become mass exploited,” Patchstack researchers wrote on March 13.

Fellow web security firm WPScan said Thursday that it has logged more than 5.5 million attempts to exploit the vulnerability since the March 13 disclosure by Patchstack. The attempts, WPScan said, started slowly and peaked on March 31. The firm didn’t say how many of those attempts succeeded.

WPScan said that CVE-2024-27596 allows unauthenticated website visitors to create admin‑level user accounts, upload malicious files, and take full control of affected sites. The vulnerability, which resides in how the plugin handles user authentication, allows attackers to bypass the normal authentication process and inject SQL code that grants them elevated system privileges. From there, they can upload and execute malicious payloads that rename sensitive files to prevent the site owner or fellow hackers from controlling the hijacked site.

Successful attacks typically follow this process:

SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.

Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.

Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.

File Renaming: Attacker may rename the vulnerable WP‑Automatic file, to ensure only he can exploit it.

WPScan researchers explained:

Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to avoid other bad actors to successfully exploit their already compromised sites. Also, since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.

The attacks began shortly after March 13, 15 days after ValvePress released version 3.92.1 without mentioning the critical patch in the release notes. ValvePress representatives didn’t immediately respond to a message seeking an explanation.

While researchers at Patchstack and WPScan are classifying CVE-2024-27956 as SQL injection, an experienced developer said his reading of the vulnerability is that it’s either improper authorization (CWE-285) or a subcategory of improper access control (CWE-284).

“According to Patchstack.com, the program is supposed to receive and execute an SQL query, but only from an authorized user,” the developer, who didn’t want to use his name, wrote in an online interview. “The vulnerability is in how it checks the user’s credentials before executing the query, allowing an attacker to bypass the authorization. SQL injection is when the attacker embeds SQL code in what was supposed to be only data, and that’s not the case here.”

Whatever the classification, the vulnerability is about as severe as it gets. Users should patch the plugin immediately. They should also carefully analyze their servers for signs of exploitation using the indicators of compromise data provided in the WPScan post linked above.

Hackers try to exploit WordPress plugin vulnerability that’s as severe as it gets Read More »

Apple releases eight small AI language models aimed at on-device use

AI, Apple, Biz & IT, chatgpt, chatgtp, CoreNet, IPhone, Llama 3, machine learning, Meta, microsoft, openai, OpenELM, Phi-3, small language models / Paul Patrick / April 26, 2024

Inside the Apple core —

OpenELM mirrors efforts by Microsoft to make useful small AI language models that run locally.

Benj Edwards – Apr 25, 2024 8: 55 pm UTC

An illustration of a robot hand tossing an apple to a human hand. — Getty Images

In the world of AI, what might be called “small language models” have been growing in popularity recently because they can be run on a local device instead of requiring data center-grade computers in the cloud. On Wednesday, Apple introduced a set of tiny source-available AI language models called OpenELM that are small enough to run directly on a smartphone. They’re mostly proof-of-concept research models for now, but they could form the basis of future on-device AI offerings from Apple.

Apple’s new AI models, collectively named OpenELM for “Open-source Efficient Language Models,” are currently available on the Hugging Face under an Apple Sample Code License. Since there are some restrictions in the license, it may not fit the commonly accepted definition of “open source,” but the source code for OpenELM is available.

On Tuesday, we covered Microsoft’s Phi-3 models, which aim to achieve something similar: a useful level of language understanding and processing performance in small AI models that can run locally. Phi-3-mini features 3.8 billion parameters, but some of Apple’s OpenELM models are much smaller, ranging from 270 million to 3 billion parameters in eight distinct models.

In comparison, the largest model yet released in Meta’s Llama 3 family includes 70 billion parameters (with a 400 billion version on the way), and OpenAI’s GPT-3 from 2020 shipped with 175 billion parameters. Parameter count serves as a rough measure of AI model capability and complexity, but recent research has focused on making smaller AI language models as capable as larger ones were a few years ago.

The eight OpenELM models come in two flavors: four as “pretrained” (basically a raw, next-token version of the model) and four as instruction-tuned (fine-tuned for instruction following, which is more ideal for developing AI assistants and chatbots):

OpenELM features a 2048-token maximum context window. The models were trained on the publicly available datasets RefinedWeb, a version of PILE with duplications removed, a subset of RedPajama, and a subset of Dolma v1.6, which Apple says totals around 1.8 trillion tokens of data. Tokens are fragmented representations of data used by AI language models for processing.

Apple says its approach with OpenELM includes a “layer-wise scaling strategy” that reportedly allocates parameters more efficiently across each layer, saving not only computational resources but also improving the model’s performance while being trained on fewer tokens. According to Apple’s released white paper, this strategy has enabled OpenELM to achieve a 2.36 percent improvement in accuracy over Allen AI’s OLMo 1B (another small language model) while requiring half as many pre-training tokens.

Enlarge / An table comparing OpenELM with other small AI language models in a similar class, taken from the OpenELM research paper by Apple.

Apple

Apple also released the code for CoreNet, a library it used to train OpenELM—and it also included reproducible training recipes that allow the weights (neural network files) to be replicated, which is unusual for a major tech company so far. As Apple says in its OpenELM paper abstract, transparency is a key goal for the company: “The reproducibility and transparency of large language models are crucial for advancing open research, ensuring the trustworthiness of results, and enabling investigations into data and model biases, as well as potential risks.”

By releasing the source code, model weights, and training materials, Apple says it aims to “empower and enrich the open research community.” However, it also cautions that since the models were trained on publicly sourced datasets, “there exists the possibility of these models producing outputs that are inaccurate, harmful, biased, or objectionable in response to user prompts.”

While Apple has not yet integrated this new wave of AI language model capabilities into its consumer devices, the upcoming iOS 18 update (expected to be revealed in June at WWDC) is rumored to include new AI features that utilize on-device processing to ensure user privacy—though the company may potentially hire Google or OpenAI to handle more complex, off-device AI processing to give Siri a long-overdue boost.

Apple releases eight small AI language models aimed at on-device use Read More »