Archive for August 23, 2024

Horizon3.ai Publishes New Findings Related To NTLM Credential Theft in Python Windows Apps

Posted in Commentary with tags on August 23, 2024 by itnerd

Naveen Sunkavally, chief architect at Horizon3.ai, has just published new research called: “NTLM Credential Theft in Python Windows Applications.” 

“NTLMv2 hash theft is a well-known credential harvesting technique made possible by the insistence of Windows to automatically authenticate to anything it possibly can. It’s a staple technique used in internal pentests with tools such as responder or ntlmrelayx, exploiting issues such as legacy LLMNR/NBT-NS protocols being enabled or forced authentication vulnerabilities like PetitPotam. It has also been exploited over the Internet, typically by abusing Microsoft Outlook, as described in recent cases by Proofpoint and Microsoft,” Naveen said.

When auditing web applications, NTLMv2 hash theft is also possible against Windows hosts through Server-Side Request Forgery (SSRF) or XML External Entities (XXE) vulnerabilities: if an attacker can make the application open a path or URL on a host they control, Windows will try to authenticate to that host and hand over an NTLMv2 challenge response (the "hash" that tools like responder capture). Much has been written on the topic, and new vulnerabilities continue to be found.

Naveen details new SSRF vulnerabilities leading to NTLMv2 hash disclosure in three of the most popular Python frameworks: 

  • Gradio by Hugging Face, which powers several popular AI tools; 
  • Jupyter Server, which underpins Jupyter Notebook and JupyterLab; and 
  • Streamlit from Snowflake

The vulnerabilities Naveen exposes relate to how these Python frameworks retrieve files. Specifically, on Windows, any Python file system operation (open, os.path.exists, os.stat and the like) performed on insufficiently validated input can be pointed at a UNC path such as \\attacker\share\file, and the host will attempt to authenticate to that share over SMB, leaking the NTLMv2 hash. The vulnerabilities disclosed in the post can be exploited by unauthenticated attackers, and they have come up in real-world pentests conducted by NodeZero, Horizon3.ai's autonomous pentesting platform. He also covers an interesting Python bug affecting older versions of Python on Windows that could assist in NTLMv2 hash theft.
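To make the "insufficiently validated input" point concrete, here is an added example (written for this page, not code from the Horizon3.ai post or from Gradio, Jupyter Server or Streamlit) that puts the unsafe "join the user's path onto a base directory and open it" pattern next to a hardened resolver. The function names, the base directory and the attacker inputs are constructed for illustration; ntpath and PureWindowsPath give Windows path semantics on any OS, so the checks run unchanged on Linux or macOS without touching a real share.

```python
"""Added example (not from the Horizon3.ai post or the frameworks it names):
the unsafe join-and-open pattern beside a hardened path resolver. Names, the
base directory and the attacker inputs are constructed for illustration."""
import ntpath
from pathlib import PureWindowsPath

# Constructed base directory the app is meant to serve files from.
BASE_DIR = r"C:\app\uploads"

# Constructed attacker inputs. On Windows each one, if it reaches open() or
# os.stat(), either touches a remote SMB share (NTLMv2 leak) or leaves BASE_DIR.
ATTACKER_INPUTS = [
    r"\\attacker.example\share\x",          # classic UNC path
    "//attacker.example/share/x",           # forward-slash UNC, often missed
    r"/\attacker.example/share/x",          # mixed separators, still UNC
    r"\\?\UNC\attacker.example\share\x",    # extended-length UNC form
    r"C:\Windows\win.ini",                  # absolute local path
    r"C:win.ini",                           # drive-relative path
    r"\Windows\win.ini",                    # rooted on the current drive
    r"..\..\secrets.txt",                   # plain traversal
    r"reports\..\..\..\secrets.txt",        # traversal after a valid prefix
    "",                                     # empty: would serve the directory
]


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The pattern behind this class of bug: join untrusted input onto a base
    directory and hand the result to the file system. os.path.join on Windows
    (ntpath.join here) replaces base_dir whenever the second argument carries
    its own drive or root, so a UNC argument wins outright."""
    return ntpath.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> PureWindowsPath:
    """Return base_dir/user_path or raise ValueError. Rejects anything that
    could leave base_dir: UNC, absolute, drive-relative or rooted paths,
    '..' components, reserved characters and control characters. All checks
    are purely syntactic, so nothing here touches the file system."""
    # Cheap textual check first: UNC prefixes in either separator style.
    if user_path.lstrip().startswith(("\\\\", "//", "\\/", "/\\")):
        raise ValueError("UNC path rejected")
    candidate = PureWindowsPath(user_path)
    # anchor covers "C:\", "C:" (drive-relative), "\" (rooted) and
    # "\\host\share" / "\\?\UNC\host\share" (UNC) in a single check.
    if candidate.anchor:
        raise ValueError("absolute, rooted, drive-relative or UNC path rejected")
    if not candidate.parts:
        raise ValueError("empty path rejected")
    for part in candidate.parts:
        # pathlib drops "." components but keeps "..", so check it explicitly.
        if part == "..":
            raise ValueError("path traversal rejected")
        if any(ch in '<>:"|?*' or ord(ch) < 32 for ch in part):
            raise ValueError("reserved or control character rejected")
    base = PureWindowsPath(base_dir)
    full = base.joinpath(*candidate.parts)
    # Defence in depth: the result must still begin with the base's components.
    if full.parts[: len(base.parts)] != base.parts:
        raise ValueError("resolved path escaped base directory")
    return full


def audit(base_dir: str, inputs) -> dict:
    """Map each input to True (accepted) or False (rejected) by safe_resolve."""
    results = {}
    for user_path in inputs:
        try:
            safe_resolve(base_dir, user_path)
            results[user_path] = True
        except ValueError:
            results[user_path] = False
    return results


if __name__ == "__main__":
    print("vulnerable join ->", vulnerable_resolve(BASE_DIR, ATTACKER_INPUTS[0]))
    for path, accepted in audit(BASE_DIR, ATTACKER_INPUTS).items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {path!r}")
    print("safe join ->", safe_resolve(BASE_DIR, r"reports\q3.csv"))
```

The order of operations is the part practitioners most often get wrong: os.path.exists, os.path.realpath and os.stat all touch the file system, so a "does this file exist?" pre-check on raw input is itself enough to trigger the SMB authentication. Do the syntactic rejection above before any such call, and treat a forward-slash UNC (//host/share) as just as dangerous as the backslash form, since Windows accepts both.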

The post also recommends fix actions. Naveen concludes: “Windows is the predominant operating system in enterprises, and Python is the language of choice for AI. With AI making a big splash into the mainstream over the last few years, we’re seeing increased usage of Python applications on Windows. This comes with new risk because traditionally Python apps have been developed and run on Linux-based systems, where the security risks are different than on Windows. We believe the specific issue of NTLMv2 hash theft in Python apps is likely heavily under-reported, and something that all parties – defenders, developers, appsec practitioners, bug bounty hunters, etc. — should be on the lookout for.”

NTLM Credential Theft in Python Windows Applications: https://www.horizon3.ai/attack-research/disclosures/ntlm-credential-theft-in-python-windows-applications/

ServiceNow Research Shows That The Key to AI Adoption is Humans

Posted in Commentary with tags on August 23, 2024 by itnerd

New research from ServiceNow measuring the AI maturity of organizations across industries shows that 56% of Canadian AI pacesetters (those who are seeing success, and ROI, deploying GenAI) are using AI in collaboration with human workers to boost efficiency.

Prioritizing human needs in AI development is crucial to ensuring deployment is trusted and useful. AI needs to become a collaborative partner rather than just a transactional tool—a necessary step to drive the transformational change the technology promises.   

But the new research has also found that less than half of Canadian respondents (46%) say that their organization has the right mix of talent/skills to execute their AI strategy, and only 39% feel that they have good visibility into the deployment and use of AI in their organization – pointing to a need for reskilling / upskilling and AI education and governance initiatives for the organizations falling behind pacesetters.  

You can read the research here.

Samsung’s Galaxy Watch Ultra Apparently Isn’t All That Rugged…. And Samsung Apparently Won’t Have Your Back If You Run Into Issues With Your Galaxy Watch Ultra

Posted in Commentary with tags on August 23, 2024 by itnerd

Well, this has to be embarrassing for Samsung. A Reddit post has an unlucky owner of a Samsung Galaxy Watch Ultra who had the action button fall off on him about a month into owning it. Bad as that is, the fact that Samsung isn’t willing to help by replacing a watch that is only a month old is worse:

I received my brand new Galaxy Watch Ultra on July 20th and I posted on here a few days back about how the action button fell off. I went back and forth with Samsung trying to get them to replace it, but they refused and told me to send it in for repair because it was under warranty. I sent it in and now they are telling me that it is out of warranty and I have to pay to get it fixed. I am still going back and forth with Samsung repair and customer service, and I’m getting nowhere.

This is really bad. The watch is supposed to be designed to be rugged. So the fact that this not only happened to this Reddit user, but Samsung won’t honour the warranty, really makes Samsung look shady. And it reminds me of the behaviour of ASUS when it came to warranty claims, which is a story that surfaced earlier this year. The bad press forced the company to say that they would do better. But I didn’t buy that at the time and I still don’t. How do the warranty issues of ASUS relate to Samsung? Companies aren’t bad because their products fall apart. They are bad if they don’t stand behind their product. Samsung in this case isn’t standing behind a product that was designed to be rugged, but clearly isn’t. That reflects poorly on Samsung and should make anyone who is considering buying a Samsung product think twice, as clearly Samsung doesn’t have your back.