Ford Cars With WiFi Are Vulnerable To Pwnage

Posted in Commentary with tags , on August 12, 2023 by itnerd

My wife and I have avoided owning any “connected” car because anything that is connected to the Internet can potentially be pwned by hackers. Fiat Chrysler, now known as Stellantis, found that out a few years ago when white hat researchers demonstrated that some of its vehicles could be fully taken over remotely, which in turn led to a huge recall.

Now it seems to be Ford’s turn. Texas Instruments has published a bulletin for a flaw in the driver for its WL18xx WiFi chipset: an attacker within WiFi range can trigger a buffer overflow in the driver by sending a specially crafted frame. Ford uses this WiFi subsystem in its SYNC 3 infotainment system, which is found in at least the following vehicles:

  • Ford EcoSport (2021 – 2022)
  • Ford Escape (2021 – 2022)
  • Ford Bronco Sport (2021 – 2022)
  • Ford Explorer (2021 – 2022)
  • Ford Maverick (2022)
  • Ford Expedition (2021)
  • Ford Ranger (2022)
  • Ford Transit Connect (2021 – 2022)
  • Ford Super Duty (2021 – 2022)
  • Ford Transit (2021 – 2022)
  • Ford Mustang (2021 – 2022)
  • Ford Transit CC-CA (2022)
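The bulletin describes a crafted-frame buffer overflow in the WiFi driver. The C example below is added here to show that bug class; it is not TI’s WL18xx code or Ford’s, and the information-element parser, the struct layout and the sample frames are illustrative constructions. It puts the unchecked copy next to a bounds-checked one and runs both against a frame whose SSID length byte is set to 0xFF.

```c
/* Added example, not TI's or Ford's code: a hypothetical 802.11 information-
 * element (IE) parser showing the bug class the bulletin describes, an
 * over-the-air length byte used to size a copy into a fixed buffer, next to
 * a bounds-checked version. IE layout (tag, length, value) is per 802.11. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID  0x00
#define SSID_MAX 32                 /* 802.11 limits an SSID to 32 octets */

struct ssid_rec {
    uint8_t  ssid[SSID_MAX];
    uint8_t  ssid_len;
    uint32_t canary;                /* sits after the buffer so an overrun is observable */
};

/* Vulnerable pattern: the copy length comes straight from the frame. dst is
 * a byte view of a ssid_rec so the demo's overrun stays inside scratch space. */
static void ssid_copy_unchecked(uint8_t *dst, const uint8_t *ie)
{
    uint8_t len = ie[1];
    memcpy(dst + offsetof(struct ssid_rec, ssid), ie + 2, len);
    dst[offsetof(struct ssid_rec, ssid_len)] = len;
}

/* Hardened: walk the tagged parameters and check each length against the
 * bytes left in the frame and against the destination. Returns 0 on success,
 * -1 for a truncated/malformed IE list, -2 for an over-long SSID, -3 if absent. */
static int ssid_copy_checked(const uint8_t *ies, size_t n, struct ssid_rec *out)
{
    size_t i = 0;
    while (i + 2 <= n) {
        uint8_t tag = ies[i], len = ies[i + 1];
        if (len > n - i - 2) return -1;      /* claims more bytes than remain */
        if (tag == IE_SSID) {
            if (len > SSID_MAX) return -2;   /* would overflow out->ssid */
            memcpy(out->ssid, ies + i + 2, len);
            out->ssid_len = len;
            return 0;
        }
        i += 2 + (size_t)len;
    }
    return i == n ? -3 : -1;
}

/* Constructed frames: a benign SSID+rates list, and an SSID IE whose length
 * byte is 0xFF (the maximum a crafted frame can claim). */
static const uint8_t benign_ies[] = { 0x00, 0x04, 'F','o','r','d', 0x01, 0x03, 0x82, 0x84, 0x8b };
static void make_evil(uint8_t *buf) { buf[0] = IE_SSID; buf[1] = 0xFF; memset(buf + 2, 'A', 255); }

/* Returns 1 if the unchecked copy overwrote the canary behind the buffer. */
int demo_overflow_observed(void)
{
    union { struct ssid_rec rec; uint8_t raw[512]; } slot;
    uint8_t evil[257];
    memset(&slot, 0, sizeof slot);
    slot.rec.canary = 0xDEADBEEFu;
    make_evil(evil);
    ssid_copy_unchecked(slot.raw, evil);
    return slot.rec.canary != 0xDEADBEEFu;
}

int demo_checked_rejects_long(void)       /* expect -2 */
{
    struct ssid_rec rec = {0}; uint8_t evil[257];
    make_evil(evil);
    return ssid_copy_checked(evil, sizeof evil, &rec);
}

int demo_checked_rejects_truncated(void)  /* expect -1 */
{
    struct ssid_rec rec = {0};
    const uint8_t truncated[] = { 0x00, 0x10, 'F','o','r','d' }; /* says 16 bytes follow, 4 do */
    return ssid_copy_checked(truncated, sizeof truncated, &rec);
}

int demo_checked_accepts_benign(void)     /* expect 4 (SSID length) */
{
    struct ssid_rec rec = {0};
    if (ssid_copy_checked(benign_ies, sizeof benign_ies, &rec) != 0) return -1;
    return rec.ssid_len;
}

int main(void)
{
    printf("unchecked copy clobbered canary: %d\n", demo_overflow_observed());
    printf("checked: oversized=%d truncated=%d benign_len=%d\n",
           demo_checked_rejects_long(), demo_checked_rejects_truncated(),
           demo_checked_accepts_benign());
    return 0;
}
```

Compile with any C compiler and run the binary: the unchecked copy overwrites the canary placed behind the 32-byte buffer, while the checked parser rejects the same frame with -2 and a frame whose length byte outruns the remaining bytes with -1. Whether such an overrun rates as a “Low” or “High” impact, the range TI’s bulletin gives, comes down to what else lives in the memory the driver can reach on the host processor, which is exactly the detail Ford’s statement does not give.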

Ford has put out a press release that says the following:

Ford learned from a supplier that a security researcher discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. Immediately, and in collaboration with them, we began developing and validating measures to address the vulnerability.   

To date, we’ve seen no evidence that this vulnerability has been exploited, which would likely require significant expertise and would also include being physically near an individual vehicle that has its ignition and Wi-Fi setting on. Our investigation also found that if this vulnerability was exploited, however unlikely, it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking.  

Soon, Ford will issue a software patch online for download and installation via USB. In the interim, customers who are concerned about the vulnerability can simply turn off the Wi-Fi functionality through the SYNC 3 infotainment system’s Settings menu. Customers can also find out online if their vehicles are equipped with SYNC 3. 

Needless to say, Ford owners with SYNC 3 should install this patch as soon as it appears. And for the record, I am not completely buying what Ford is saying here, because the bulletin from Texas Instruments says this:

The CVSS base score for this issue can range from 8.8 to 9.6. The higher base score reflects a Confidentiality and Integrity impact of High. However, some systems can have a Confidentiality or Integrity Impact of Low depending on the characteristics of the host processor executing the WL18xx MCP driver and whether the disclosure or modification of the memory that can be accessed represents a direct or serious loss.

So, depending on how Ford uses this driver, this could be anywhere from a minimal issue to an extremely bad one. I for one would like to see Ford shed more light on this, as it would either reassure Ford owners if it is the former, or push them to turn off WiFi until the patch comes out. The fact that Ford is suggesting (not recommending, to be clear) that people who are concerned turn off the WiFi in their cars suggests to me that it might be the latter. But I have zero evidence to back that up. It’s just a hunch on my part.

I for one hope Ford gets this patch out quickly. And this reinforces the fact that when my wife and I get our next car, we will lean towards one that is “disconnected.”

Fortra Introduces New Integrations for Offensive Security

Posted in Commentary with tags on August 11, 2023 by itnerd

Global cybersecurity software and services provider Fortra today announced new integrations for its offensive security solutions that streamline capabilities for vulnerability management, penetration testing, and red teaming. Working together, the solutions apply the same techniques used by threat actors to identify and exploit gaps in an organization’s security. With this proactive security approach, customers can find and fix weaknesses in their security posture before they are exploited.

Fortra’s offensive security solutions, including Frontline Vulnerability Manager (VM), Core Impact penetration testing software, Cobalt Strike adversary simulation software, and Outflank Security Tooling, are now interoperable, providing data centralization, easier information sharing, reduced console fatigue and accelerated time-to-remediation, among other benefits.

Fortra’s offensive security offerings come in five configurations for an enhanced security stance and centralized control:    

  • Essentials – Combines Fortra’s Frontline VM, the industry’s most comprehensive SaaS vulnerability management solution, with Fortra’s powerful penetration testing platform, Core Impact, to scan, evaluate and prioritize security vulnerabilities and remediation efforts throughout an organization’s network. 
  • Advanced – Combining Fortra’s penetration testing and adversary simulation software solutions, Core Impact and Cobalt Strike, this provides a robust view of vulnerabilities through advanced ransomware and phishing simulations and comprehensive reporting, while also giving teams the ability to collaborate in real time.  
  • Elite – Combines Frontline VM, Core Impact, and Cobalt Strike, allowing customers to evaluate security, identify vulnerabilities and proactively reduce risk. These combined vulnerability management, penetration testing, and adversary simulation tools run at the same time and are interoperable, streamlining the process to identify, analyze and prioritize vulnerabilities. 
  • Red Team – Built to integrate seamlessly into Cobalt Strike’s flexible command and control framework, Outflank Security Tooling extends a company’s red teaming capabilities. Together, these tools can deploy more sophisticated adversary simulation and assess overall security posture and vulnerability.  
  • Advanced Red Team – Combines Core Impact, Cobalt Strike and Outflank Security Tooling to safely evaluate security gaps, defenses and security strategies using the same tactics as today’s threat actors. Together, these solutions provide a holistic security testing methodology for advanced red teamers. 

For more information about Fortra’s offensive security capabilities, visit: https://www.fortra.com/products/bundles/offensive-security.

Flashpoint Research: Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime; Clop Claims To Post Victim Names on August 15

Posted in Commentary with tags on August 11, 2023 by itnerd

Here are a couple of topics that Flashpoint’s research team has been keeping tabs on this week.

  1. Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime

KEY TAKEAWAYS

  • “FraudGPT,” likely also referred to as “ChatGPT Fraud Bot,” is a bot targeting online actors who want to commit illicit activity. 
  • This and similar tools, such as “WormGPT,” emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. 
  • Flashpoint procured access to this bot and determined that it appears to have similar functionality to WormGPT. FraudGPT provides answers to questions that could enable cybercrime and that other bots, such as ChatGPT, refuse to answer.
  • For example, unlike ChatGPT, FraudGPT is willing to provide malware samples. However, the malware sample it provided was not highly effective.
  • It also provided a list of Dark Web markets upon request, though the list was outdated.      
  • Ultimately, the threat posed by FraudGPT and other similar tools likely depends on how their operators use them.
  • The dual-edged nature of technology is evident; while advancements like ChatGPT can be created with ethical intentions, their underlying technology can easily be repurposed for malicious activities.

BACKGROUND: Threat actors are advertising AI chatbots that have allegedly been trained on illicit content from the cyber underground and can be leveraged to commit fraud and enable illegal activity. Sellers are advertising an increasing number of fraud-related chatbots. Observed subscription prices include US$100 a month or several hundred dollars a year.

Several of these tools emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. However, researchers and malicious actors have found ways to work around some of ChatGPT’s restrictions, such as by using prompt injection attacks.

“FraudGPT,” also known as “Chat GPT Fraud Bot,” is a malicious Telegram-based chatbot that purportedly provides AI-generated content that can be used for a variety of fraud and cybercrime purposes. FraudGPT is similar to the malicious AI bot “WormGPT,” which Flashpoint profiled in July 2023. FraudGPT emerged on Dread shortly after WormGPT began making headlines. FraudGPT’s answers are often similar to those of WormGPT, but when asked identical prompts, it offers its own answers. While WormGPT uses a fingerprint login via a URL, FraudGPT is accessed via Telegram. FraudGPT’s responses incorporate rude commentary as well as disclaimers regarding the illegality of the advice.

Additional available tools, such as “WolfGPT” and “XXXGPT,” also advertise similar capabilities. However, it is unclear how effective these tools are in enabling malicious online actors. The proliferation of these types of tools will likely continue as members of illicit communities seek to use them to enhance their capabilities. However, as researchers test these bots, it appears that their answers have some limitations. In some cases, the malicious chatbots decline to answer questions, do not answer them in detail, or warn the user not to engage in illegal activity. The severity of the risks posed by these tools thus likely depends on the actors using them.

  2. Clop Claims To Post Victim Names on August 15

Clop posted the following message on their ransomware leak site, indicating that they will start publishing data from companies that are infected but have not contacted Clop: 

Now we post many company name and proof we have their secrets and data. Some company do not speed to us and decide to stay quiet. We are very reasonable operators and when right situation we offer deep discount to block you data from being sold and publish. Advice you to contact us and begin discussion on how to block publicate of data. On 15 August we start publishing of every company on list that do not contact. You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data. Also all data go on torrent and speed of download is very quick. YOU NOT HIDING MORE.

As of August 9, 2023, Flashpoint analysts have observed 659 victims that have either appeared on the ransomware blog or publicly disclosed or reported the incident. For context, they have identified approximately 260 victims on Clop’s ransomware blog, and 486 on CRA through responsible disclosure or reporting. Several of these victims result from third-party compromise and may not be directly affected. Flashpoint cannot accurately assess the total number of additional victims that may appear on the ransomware blog beginning on August 15.

Moneris Supports TTC with Solution For Credit And Debit Payments

Posted in Commentary with tags , on August 11, 2023 by itnerd

Starting August 15, it’ll be easier and more convenient for passengers who take the TTC in Toronto to pay their fare as the transit system will have an option to tap an Interac debit or credit card on PRESTO devices.

Moneris, Canada’s largest provider of innovative solutions for mobile, online and in-store payments, is excited to be supporting the TTC with an open loop payment solution, which will provide a seamless and secure process for paying, giving commuters more options and convenient ways to pay.  

Moneris is proud to work with transit authorities and their technology partners across the country to improve rider experience. They have been long-time partners to multiple transit systems like STL in Quebec, Translink in BC and others across Ontario for Metrolinx. 

ONCD/CISA Have A Request For Information On Open Source security

Posted in Commentary with tags on August 11, 2023 by itnerd

ONCD and CISA have issued a Request for Information on open source software security, seeking insights on where to focus and what to prioritize over the long term:

The security and resiliency of open-source software is a national security, economic, and a technology innovation imperative. Because open-source software plays a vital and ubiquitous role across the Federal Government and critical infrastructure, vulnerabilities in open-source software components may cause widespread downstream detrimental effects. The Federal Government recognizes the immense benefits of open-source software, which enables software development at an incredible pace and fosters significant innovation and collaboration. In light of these factors, as well as the status of open-source software as a free public good, it may be appropriate to make open-source software a national public priority to help ensure the security, sustainability, and health of the open-source software ecosystem.

Allen Drennan, Co-Founder & Principal, Cordoniq had this comment on this initiative:

It is critical that we prioritize the primary open-source security software infrastructure that runs the Internet. A significant portion of the Internet uses open-source security stacks such as OpenSSL for cryptography and PKI for both clients and servers, and history has shown that major vulnerabilities in these components have widespread implications (think Heartbleed). Ideally ONCD and CISA need to derive an overall plan that involves not just how to identify and rectify issues in open source security stacks, but also how to react to issues in the event they arise so widespread malware attacks can be mitigated.

Open source software can’t become the Wild West as that will simply end badly. Thus this is a good move to make sure that this does not happen and open source software can be used safely regardless of the use case.

HP sees attackers combine simple methods to fool detection tools and deploy multi-language malware

Posted in Commentary with tags on August 10, 2023 by itnerd

A new threat blog from HP Wolf Security’s threat research team has just gone online. The blog shows how opportunistic threat actors can use simple techniques and inexpensive cybercrime tools to bypass Windows security features and anti-virus scanners. HP Sure Click protects users from this type of attack, and it is what enabled HP to capture the malware trace. The blog also outlines HP’s analysis of the attack and describes mitigations for organizations that aren’t protected. In this case, threat actors used a mix of simple-but-effective and clever tricks to infect victim PCs with AsyncRAT, a remote access trojan that steals sensitive information:

  • The art of illusion: What’s in a name? By simply mislabelling unusual file types (such as batch files) as something more familiar (like a PDF), attackers can trick users into clicking on malicious attachments. This basic technique takes advantage of Windows hiding file extensions by default, i.e., if you save a batch (.bat) file as “hello.pdf.bat”, it will show up as “hello.pdf” in Windows File Explorer. While this technique is not new, we see it being used more frequently by commodity threat actors.
  • Ones and zeroes – Attackers are artificially inflating their malicious files by padding them with millions of meaningless ones and zeros. Some were almost 2GB in size, too large for many anti-malware scanners to analyze, allowing malware to slip past a critical detection measure. Because the inflated section follows a repeating pattern, the malware can be compressed into an archive file only a few megabytes large – ideal for spreading the malware in spam campaigns.
  • Here comes the clever part: multi-language malware – by using multiple programming languages, the threat actor evaded detection by encrypting the payload using a crypter written in Go, before disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.
    • In-memory execution of .NET files from C++ requires in-depth knowledge of undocumented Windows internals, but threat actors can access these techniques through tools sold in hacker forums. 

The blog is here for your reading pleasure.

DARPA Launches $20 Million AI Cyber Challenge To Hunt & Fix AI Vulnerabilities

Posted in Commentary with tags , on August 10, 2023 by itnerd

The US Defense Advanced Research Projects Agency (DARPA) has just launched the AI Cyber Challenge (AIxCC), a new competition that challenges the nation’s top AI and cybersecurity talent to automatically find and fix software vulnerabilities and defend critical infrastructure from cyberattacks. The Challenge offers $20 million in prize money.

AIxCC will allow two tracks for participation: the Funded Track and the Open Track. Funded Track competitors will be selected from proposals submitted to a Small Business Innovation Research solicitation. Up to seven small businesses will receive funding to participate. Open Track competitors will register with DARPA via the competition website and will proceed without DARPA funding. 

Teams on all tracks will participate in a qualifying event during the semifinal phase, where the top scoring teams (up to 20) will be invited to participate in the semifinal competition. Of these, the top scoring teams (up to five) will receive monetary prizes and continue to the final phase and competition. The top three scoring competitors in the final competition will receive additional monetary prizes.

Chloé Messdaghi, Head of Threat Research, Protect AI, said: 

“We applaud the administration for its recognition of the crucial role the hacker community can play in identifying, codifying and closing the major security gaps that AI and ML platforms embody, foster or at the least, don’t address.  

“Protect AI has just launched the Huntr platform to pay security researchers for discovering vulnerabilities in open-source software, focusing exclusively on AI/ML threat research. We launched Huntr specifically because we noticed two things. 

“First, people in security aren’t aware of all of the vulnerabilities inherent in AI & ML or that improper usage can create and amplify. A platform that helps bug bounty hunters find vulns is critically important to helping drive new generations of safe, secure and effective AI-driven technologies and systems. 

“Also, we are offering educational content for security professionals to help them learn and grow as a community through our MLSecOps community platform.  

“Again, it’s great to see the Administration, the cybersecurity community and the hacker community come together to help ensure a safe future. The hacker community has been committed to and contributing to exactly this type of future for the last two decades.”

This is a good initiative by DARPA as we need to get ahead of any AI related vulnerabilities before a threat actor takes advantage of them. Hopefully we see more of this.

Google’s Messages App Now Defaults To RCS In Latest Move To Replace SMS

Posted in Commentary with tags on August 10, 2023 by itnerd

Google has announced that it is making its Messages by Google app more secure by making RCS the default for both new and existing Messages users, and end-to-end encryption for group chats is now fully available to all RCS users. “RCS is the modern industry standard for dynamic and secure messaging. And now, all of your RCS conversations in Messages by Google are end-to-end encrypted, including group chats, which keeps them private between you and the people you’re messaging,” Google says. Note that the end-to-end encryption here is Google’s own layer inside the Messages app, so it applies between Messages users who have RCS enabled rather than to RCS traffic in general. With RCS enabled, users can take advantage of more advanced messaging features similar to those iMessage users have, like:

  • Share high-res photos and videos
  • See typing indicators
  • Get read receipts
  • Send messages over mobile data and Wi-Fi
  • Rename group chats, and edit or remove themselves from group chats
  • Use end-to-end encryption

Since rolling out RCS to U.S. Android users in 2019, Google has been pressuring Apple to adopt the technology in iMessage, including by launching a website to explain why RCS benefits consumers, but Apple has expressed in court filings that it has no interest in making a version of iMessage for Android.

Ted Miracco, CEO, Approov Mobile Security had this to say:   

“Securing the mobile ecosystem is an important focus for both Google and Apple. RCS helps the Android ecosystem by adding some important security features that can help mitigate phishing messages, such as encryption and verified sender information. However, no messaging platform, including iMessage, is completely immune to phishing attempts. It’s still important for users to be cautious and exercise good judgment when interacting with messages. A more secure mobile environment is in everyone’s best interest, so we support this move by Google.”

I’m pretty sure that Apple doesn’t support this move as they have no need to do so. We’ll see how this latest move by Google works out.

Rogers Is Being Used In A Very Aggressive #Scam

Posted in Commentary with tags , on August 9, 2023 by itnerd

I haven’t been a customer of Canadian Telco Rogers for over a year. Thus when I got this email in my inbox, I was suspicious:

This email had me saying “this is a phishing email for sure.” And that was confirmed when I looked at the email address that it was sent from:

That’s not from rci.rogers.com, which is Rogers’ corporate email domain. It isn’t even from rogers.com, which is the email domain for Rogers Internet customers; that should still ring alarm bells, but it would at least be more likely to fool someone less tech savvy than I am. So, what’s the play here? Let’s find out by clicking the link, which you should NEVER EVER DO:

After clicking the link, I was presented with this web page. If you look at the URL bar, this isn’t from Rogers as it doesn’t end in Rogers.com or something similar. It also has a clock at the bottom to get you to act on this “offer” if you want to call it that. You’ll also note that the website wants to send you notifications. If you’re presented with a prompt like this, you should decline to do so. I’ll show you why in a minute. What happens next is that it leads me through a survey. Here’s question 3 of 7 to illustrate this:

After you go through this nonsense, you get taken to this site where you need to fill out your details:

Again, this isn’t a Rogers site. And again, you’ll note that there’s a prompt to show notifications. I put in some bogus info and got this page:

So, the endgame is that they want to get you to hand over your credit card details for a device that is supposed to be “free”. This form does validate that the credit card is active which illustrates a level of sophistication by the threat actors.

What about those requests to allow notifications? Well, seconds after I clicked allow, which again you should NEVER EVER DO, I got this:

Wow. A two for one. You get a credit card scam and a pop-up scam. I don’t see that every day. Clicking on the McAfee one got me this:

I also clicked on some of the other pop-ups and got everything from gift card scams to investment scams. Clearly these threat actors are trying to get you in some way, shape or form. And to add to this, all these scams go to different domains which prompt you to accept more notifications, making your browser more and more of a dumpster fire. Fortunately for me, I reset my browser back to factory defaults to make all of this go away. But less savvy users may be unable to do so and fall for something or get frustrated.

The bottom line is that clearly there’s an aggressive threat actor using Rogers’ name to perpetrate a very aggressive scam. If you get this email, delete it and move on with your day. And I’ll be reporting this to Rogers so that they’re aware of this as well, which won’t make the threat actors behind this too happy I’m sure.

Twitter Slapped With $350K Fine For Contempt

Posted in Commentary with tags on August 9, 2023 by itnerd

Twitter is $350K lighter in the wallet because it didn’t promptly comply with the Special Counsel’s warrant for access to Donald Trump’s Twitter account:

The US special counsel who is investigating Donald Trump obtained a search warrant for the former president’s Twitter account in January, and the social media platform delayed complying, a court filing on Wednesday showed.

The delay in compliance prompted a federal judge to hold Twitter in contempt and fine it $350,000, the filing showed.

The US special counsel, Jack Smith, has brought two indictments against Trump. The first case surrounds Trump’s alleged mishandling of classified documents, the second concerns alleged efforts to overturn the results of the 2020 presidential election and over.

Twitter really is playing with fire here. Angering the Justice Department is a really bad idea, and Elon is likely going to find this out the hard way. Much as I would like to say that Elon should smarten up before he gets burned, there’s no chance that he will. Thus, fans of Elon, all three of them, should prepare for impact.