Categories: News
Categories: Privacy
Tags: Social media

Tags:  privacy

Tags:  policies

Tags:  fines

Tags:  legislation

Tags:  scraping

Tags:  advertising

Social media platforms are making a lot of money with targeted advertising. To improve the targeting, they want us much of your data as you are willing to give up...



(Read more...)




The post Consumer privacy and social media appeared first on Malwarebytes Labs.

Looking at the privacy related stories of 2022, it’s not hard to see that much of the focus was on the social media giants. Banning TikTok is slowly becoming a trend among US states. Google and Facebook’s owner Meta was fined on several occasions for amounts that would have put other companies out of business, and Twitter fell victim to a power struggle that made victims left and right.

**Social media**

The problem for social media users is that there will always be voices telling them it’s their own fault. But is it really? Can you blame users for being unable to stop using apps that have algorithms which are fine-tuned to a tee to keep them hooked. Social media platforms like TikTok are designed to serve you the content you have shown an interest in. The result? According to research, the average American teenager spends 7 hours and 22 minutes on their phone every day.

For many users, social media is a way to stay in touch with people to a level that would be impossible if they have to resort to physical contact or even phonecalls. For others, social media a way of showing the fruits of their creativity. For some, it’s a way of keeping up with current events, some of which is fake news.

It’s easy to tell social media users that they are responsible for providing their personal data themselves. In a breach you can point at the company that was supposed to keep your data safe, but when it comes to social media you are expected to read hundreds of pages of legalese and understand that the platforms will share your data with third parties.

For companies, social media platforms have become invaluable tools in education, marketing and communication. Stop using them and you are giving the advantage to your competition, allowing them to take your place.

**Cookies and advertising**

Internet giants like Meta (Facebook, Instagram) and Alphabet (Google) depend on advertising. Advertising represented 98% of Facebook’s $86 billion revenue in 2020, and more than 80% of Alphabet’s revenue comes from Google ads, which generated $147 billion in 2020.

Now that awareness, regulation, and tools to control cookies have become mainstream, these advertising moguls have started looking at other ways to capitalize on their user numbers. Google has started experimenting with its FLoC alternative and others have looked at alternatives like TrustPID.

**Harvesting data**

Social networking companies harvest huge amounts of sensitive data about their users’ activities, interests, personal characteristics, political views, purchasing habits, and online behavior. Although in most cases the data is gathered solely to increase the effectivity of advertising and making it more targeted, the data could be used for far more nefarious reasons if they fall into the wrong hands.

And, let’s face it, the personal data that social media platforms collect and retain are vulnerable to hacking, scraping, and data breaches.

**Spying**

Scraping data by and for advertisers is not the only concern about social media. The Chinese owned TikTok app has been under a lot of scrutiny, and a few US states have officially banned TikTok from state-owned or state-leased smartphones, laptops, and other internet-enabled devices.

Federal Communications Commissioner (FCC) Brendan Carr called for TikTok to be banned in America, months after deeming it an unacceptable security risk, and calling for Apple and Google to completely remove the app from their app stores. FBI Director Christopher Wray expressed deep concerns about China's influence on US citizens via TikTok.

**Alternatives**

Yes, there are alternatives for popular social media. With a change of management at Twitter, part of the infosec community migrated to Mastodon, a decentralized platform. But as the Twitter case has demonstrated, migrating to a different platform only appeals to users within certain communities and most companies are waiting to add these new platforms to their outreach potential, let alone migrate from the old and proven to the new and unknown.

**Privacy policies**

I fear that having easy to find and understand privacy policies might not chase away existing users, but an often-heard complaint is that the privacy policy that is presented to a new user is hard to understand, full of loopholes and exceptions, and often not much more than a long-winded waiver which can be subject to one-sided change at any given moment.

**Private information**

When it comes to social media, there are three main methods of leaking information.

*   The information you post voluntarily. Everything from which restaurants you visited, to sharing how happy you are about soft drugs getting legalized, can come back to bite you later. More importantly, it provides people and advertisers with information about what kind of person you are.
*   The information your connections share about you. For example, remember how much fun we had together when we went to this event or that location? You can’t stop their sharing, so limit the number of connections to those that will understand if you ask them not to share that kind of information without checking first.
*   The information you provide to the company running the social media service. And not just your birthday, recovery email address, and phone number, but also about your online behavior, your shopping preferences, and which topics you are into.

What all this information has in common is that once it’s out there, it’s impossible to make it disappear. If you share, post, and click with that in the back of your mind, you’re a long way towards responsible use of social media.

**Countermeasures**

It is doubtful whether the countermeasures we have tried so far have made more than a little dent in the money-making machines that are social media companies. Legislation and fines are tackled by some of the best lawyers that money can buy. And as long as the optimized algorithms keep us hooked, users will keep going back and give up their privacy voluntarily.

All we can do is remind users of the dangers, and inform them about methods that are less harmful than giving all their data up for free. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Consumer privacy and social media

Skyhawk Synthesis extends cloud security misconfiguration detection across multiple clouds, the company says — throwing cloud security posture management in for free.

At this point, multicloud networks are the default. Estimates of multicloud adoption in the enterprise range from 80% to 92%, which means from "most people" to "almost everyone." And yet organizations continue to struggle with correctly configuring multicloud environments. In a recent study, Aqua Security found that 82% of companies left their cloud storage open to the public. Again, that's "most people" levels of misconfiguration. Clearly something needs to be done to improve cloud security configuration, and Skyhawk Security has a suggestion.

The Radware spinoff recently launched its Skyhawk Synthesis platform, which combines cloud threat detection and response (CDR), cloud infrastructure entitlement management (CIEM), identity threat detection and response (ITDR), and cloud security posture management (CSPM) into a unified environment. Because Skyhawk considers it a baseline capability, the company is offering its CSPM solution as a "freemium," including complete posture management and hardening, compliance reports, and governance enforcement for up to 1,000 assets.

The point of using all those approaches is to automate cloud security maintenance as much as possible to conserve the efforts and attention of security staff. Skyhawk Synthesis uses machine learning to identify critical runtime sequences and then monitors the environment to flag when the sequences are activated in a potentially dangerous way. Focusing on the most dangerous events, the company claimed, can reduce the occurrence of false alerts, which have long been lamented as time-wasting burdens on security staff's attention.

According to Skyhawk, Synthesis Platform uses behavioral analytics and context-based event correlation to pick up on breaches, then presents the alerts in the CDR Runtime Hub interface. The curation allows human analysts to react quickly to real threats instead of jumping at false alarms, the company said.

Chen Burshan, CEO of Skyhawk Security, said in a statement, "This bridges the gap between having an exhaustive list of misconfigurations and vulnerabilities to having awareness that those issues are being used to compromise your infrastructure."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Skyhawk Security Launches Multicloud Runtime Threat Detection and Response Platform

Ticketmaster testified in the Senate that a cyberattack was to blame for the high-profile Taylor Swift concert sales collapse, but some senators aren't so sure.

When armies of Taylor Swift fans in November were locked out of being able to purchase tickets for her upcoming The Eras tour, the so-called "Swifties" demanded answers.

And the Senate agreed.

This week, Ticketmaster testified in Senate Judiciary Committee hearings that it's not the company's monopoly on the live music market that caused the Swifty sales collapse — it was instead a cyberattack, executives said.

"There was unprecedented demand for Taylor Swift tickets," according to the opening testimony, shared ahead of the hearing with Dark Reading. "We knew bots would attack that on-sale, and planned accordingly."

However, Ticketmaster added that it received triple the amount of bot traffic that it had ever experienced, with bots both attempting to purchase tickets as well as breach the ticket sales servers for access codes.

"While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales," according to the company, which added that the difference in this instance is that instead of bots attempting to beat humans to the tickets, these bots were also attacking the system itself.

Some senators, including Marsha Blackburn, a Republican from Tennessee, didn't agree with Ticketmaster's assessment that the company was prepared in advance for the Taylor Swift swarm.

"This is unbelievable," Blackburn said during the hearing. She added, "Why is it that you have not developed an algorithm to sort out what is a bot and what is a consumer?"

Ticketmaster asked the Senate to consider stronger anti-bot legislation, enforcement, and penalties, but that does little to help shore up systems for future blockbuster tour event sales against an increasingly aggressive legion of shopper bots.

"It is absolutely an ever-growing arms in race in terms of fighting the bots," Berchtold said in response to Senator Blackburn's questioning. "These are bots that are trying to impersonate people on an automated basis. They are faster and putting American consumers at a disadvantage."

**When Bot Traffic Looks Like a DDoS Attack**

Rather than a targeted, intentional distributed denial-of-service (DDoS) attack, Ticketmaster's outage was simply the result of the system getting crushed under a tidal wave of traffic. But the result was the same: disruption.

"Botnets are often used to launch DDoS attacks; they're also used to do other things such as attempting to quickly (and unfairly!) snap up tickets to popular events the moment they go on sale," Roland Dobbins, a DDoS expert and principal engineer with Netscout, explains to Dark Reading. 

He adds, "Even though the intent in the latter scenario isn’t to cause an outage — which defeats the purpose of the bot-driven purchases — high levels of aggressive, bot-driven, 'flash crowd' transactions can effectively constitute an unintentional application-layer DDoS attack against the online ticket vending system, if all the key elements in the system’s service delivery chain haven’t been designed with resilience, scale, and defense against application-layer DDoS attacks in mind."

**SeatGeek Had Similar, but Not as Serious, Swift Sales Problems**

Although it was also bogged down under a similar traffic spike, Ticketmaster competitor Seat Geek was able to sell tickets to 52 Taylor Swift concerts without the same technical failures, the company explained to Politico, blaming Ticketmaster's troubles on its market monopoly.

"Ticketmaster’s outage, recovery time, and continued lack of a solution are the results of a monopoly’s complacency," SeatGeek said in a statement. "No competition means no incentive to innovate and iron out problems that they’ve experienced in the past."

**Bot & DDoS Attack Defense Differ**

Online retailers trying to protect against both bots and DDoS attacks need to adopt different approaches for each, Boaz Gelbord, senior vice president and chief security officer at Akamai, explains to Dark Reading in reaction to the Ticketmaster Senate testimony.

"Organizations face an increasing array of cyber-threats during 'hype events' such as flash sales or online commercial events," Gelbord says. "These can include both DDoS attacks aimed at bringing down the event and bots that aim to subvert the legitimate sales process. The goals of these attacks differ and they also require different protection."

DDoS protection is about putting up infrastructure and application defenses prior to an attack, while thwarting bots requires "a deeper understanding of the behavior to determine which traffic is legitimate and which is automated," Gelbord explains.

**Battling the Bot Problem**

Online brands experienced a 71% increase in bot attacks in 2022 over 2021, with bad bots making up nearly a third of online traffic, Michael Pezely points out in response to the Ticketmaster hearing.

"All these trends were reflected in Ticketmaster’s own experience with the Taylor Swift tour," Pezely adds. "While 3.5 million fans preregistered as verified fans, according to Ticketmaster, 3.5 billion purchase attempts were made."

Pezely urges online retailers to consider a holistic artificial intelligence (AI) approach to battling the bot problem.

"Fighting AI with AI will continue to be part of the solution. Merchants, whether they’re selling PlayStations, sneakers, or tickets, can counter the bots with learning machines that provide the intelligence to understand the identity and intent behind each order," Pezely explains. "That understanding allows merchants to turn to automation to block illegitimate orders."

Ticketmaster Blames Bots in Taylor Swift 'Eras' Tour Debacle

**CHICAGO****,** **Jan. 24, 2023** **/PRNewswire/ --** This week, we mark Data Privacy Day, dedicated to creating awareness around how to best protect your data and information online. There are growing risks associated with the collection, processing and storage of personal data, both on the individual and corporate levels. Even today, most people do not know how to respond when their rights are violated in a data breach or leak. Keeper Security is sharing password best practices to keep accounts and data protected against threat actors. The aim is to educate consumers and businesses around privacy, and help them to protect themselves against the growing risk of data breaches. 

The safety of an individual's identity, data and online accounts relies heavily on the strength of their passwords, even when so-called passwordless options such as biometrics are used. Individuals must understand the difference between weak and strong passwords, particularly as a breach could impact the organization they work for, resulting in millions of dollars in damages. This is a pervasive threat, as data shows that 81% of hacking-related data breaches are due to stolen or weak passwords. 

"Data Privacy Day provides an opportunity to elevate the critical importance of cybersecurity in all of our lives. The digital transformation shows no signs of slowing down, and with ever more connected devices from smartphones to smart fridges, we must all take concrete steps to protect ourselves," said Darren Guccione, CEO and Co-founder at Keeper Security. "It is imperative everyone utilize strong and unique passwords for all of their accounts, and store those passwords in a secure, encrypted vault to reduce their risk of an attack. The existential reality is that anyone can become a victim of cybercrime."

**Think before you share, open or click:**

One critical measure to protect yourself online is to avoid sharing personal information with anyone unless absolutely necessary. Watch out for links in emails from suspicious or unknown senders and learn what the tell-tale signs of a phishing attempt are. Only download attachments when you are sure they are safe.

It's human nature to believe what we see, which is why aesthetics and user interface often trick users into clicking on a malicious, incorrect URL. The key is to ensure the URL matches the authentic website. When a password manager is used, it automatically identifies when a site's URL doesn't match what's in the user's vault. This is a critical tool for preventing the most common attacks, including phishing scams.

**Improve your password habits:** 

*   Do not use any combination of characters that is easy to guess.   
*   Avoid using the same password across multiple accounts as well as including any personal information.   
*   Recognizable keystroke patterns or short passwords should also be avoided. 
*   Don't use repeated letters or numbers as a password.  
*   Instead, use lengthy combinations of letters, symbols and numbers.   
*   Creating a memorable phrase called a passphrase, replacing certain letters with numbers or symbols in a random order.   
*   Creating mnemonic passwords, inspired by notable events for example.   

**Use a password manager:**  

The best way for online users to secure their passwords is to implement a secure password manager. An effective password manager will allow individuals to create random combinations of characters for their passwords and save these in a password vault. This way users won't need to write them down or remember them, which is what tends to make them more vulnerable to breach.   

A zero-trust and zero-knowledge password manager creates an even more secure environment for users to store their passwords. Even in the worst case scenario of a breach, the stored data is encrypted in cipher text, meaning it cannot be accessed and is impossible to read by a human or machine.

**About Keeper Security Inc.** 

Keeper Security is transforming the way people and organizations around the world secure their passwords, secrets and confidential information. Keeper's easy-to-use cybersecurity platform is built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance. Trusted by millions of individuals and thousands of organizations globally, Keeper is the leader for best-in-class password management, secrets management, privileged access, secure remote access and encrypted messaging. Protect what matters at KeeperSecurity.com.

Keeper Security Shares Password Best Practices Ahead of Data Privacy Day

Machine learning offers great opportunities, but it still can't replace human experts.

Machine intelligence has captured the human imagination since the invention of the first modern computer in the mid-20th century. And the latest milestone in artificial intelligence, ChatGPT, has reinvigorated our pervasive interest in AI's ability to simplify the way we work.

ChatGPT's advancements in machine learning are impressive: Its high-quality outputs feel close to human. The strides it represents for AI systems signal that even more remarkable achievements are close to reality. But while ChatGPT suggests that the full potential of AI is drawing nearer, the reality is it still isn't quite here. Right now, there are great opportunities for machine learning to augment human intelligence, but it still cannot replace human experts.

**The Obstacles Between ChatGPT and the Future It Promises**

A complete reliance on AI can only happen if any given AI technology is proven more effective than all the other tools used to serve the same purpose. And AI hasn't yet developed to run entirely autonomously. Narrow AI (ANI) often describes the AI we see today: AI designed for a single task, such as a chatbot or image generator. ANI still requires human supervision and some manual configuration to function and is not always run and trained upon the latest data and intelligence. In this case, Reinforcement Learning from Human Feedback (RLHF), which allows the model to learn from correct and incorrect responses to requests, helped train ChatGPT.

Our human inputs into AI systems pose a significant challenge as well. Machine learning models can be colored by our personal views, culture, upbringing, and world perspectives, limiting our ability to create models that entirely remove bias. If improperly used and trained, ANI can further ingrain our biases into our work, systems, and culture. We've even seen bug bounties dedicated to removing AI bias, underscoring these challenges. Complete dependence would be problematic unless we can identify how to build more robust AI systems that mitigate human bias.

**It's Foolish to Rely Fully on AI for Cybersecurity**

The growing threat landscape, diversification of attack vectors, and highly resourced cybercriminal groups necessitate a multipronged approach that leverages the strengths of both human and machine intelligence. A survey conducted in 2020 found 90% of cybersecurity professionals believed cybersecurity technology is not as effective as it should be and is partially responsible for the continued success of attackers. Fully trusting AI will only exacerbate many organizations' already significant overreliance on these ineffective automation and scanning tools, and vulnerability reports generated by AI with "confidently wrong" false positives can even add friction to remediation efforts.

Technology has its place, but nothing will compare to what a skilled human with a hacker mindset can produce. The type of high-severity vulnerabilities found by many hackers requires creativity and a contextual understanding of the affected system. A vulnerability report written by ChatGPT compared with one developed end to end by a hacker demonstrates this gap in proficiency. When tested, the former's report was repetitive, lacked specificity, and failed to provide accurate information, while the latter offered full context and detailed mitigation guidance.

**AI Can Supercharge Your Security Team**

There is a middle ground. Artificial intelligence _can_ accomplish tasks faster and more efficiently than any one person. That means AI can make work much easier for cybersecurity professionals.

Ethical hackers already use existing AI tools to help write vulnerability reports, generate code samples, and identify trends in large data sets. The diverse skill set of the hacker community fills the capability gaps of AI. Where AI really helps is providing hackers and security teams with the most critical component for vulnerability management: speed.

With nearly half of organizations lacking the confidence to close their security gaps, AI can play an instrumental role in vulnerability intelligence. AI's ability to reduce time to remediation by helping teams process large data sets faster could supercharge how quickly internal teams analyze and categorize vast swaths of their unknown attack surface.

**Narrow AI Could Help Address Major Industry Challenges**

We're already seeing governments recognize the potential of narrow AI: The Cybersecurity and Infrastructure Security Agency (CISA) lists AI as one possible vulnerability intelligence solution for software supply chain security. When the daily minutiae of important cybersecurity work is eliminated, the humans behind the technology are freed to pay closer attention to their attack surface, remediate vulnerabilities better, and build stronger strategies to defend against cyberattacks.

Soon, ANI could unlock even more potential from the hackers and cybersecurity professionals that use it. Instead of worrying about AI taking their jobs, security professionals should cultivate a diverse skill set that complements AI tooling while also maintaining a keen awareness of its current limitations. AI is far from replacing human thought, but that doesn't mean it cannot help create a better future. For an industry with a significant skills gap, AI could make all the difference in building a safer Internet.

Chat Cybersecurity: AI Promises a Lot, But Can It Deliver?

Hackers cleverly cobbled together a suite of open source software — including a novel RAT — and hijacked servers owned by ordinary businesses.

We imagine that the world’s most successful hackers write their own dangerous code and invest heavily in the technologies they use to breach their targets. In recent months, however, a new cluster of attacks succeeded with just the opposite approach.

According to a report out Jan. 24 from SentinelOne, a threat actor compromised a number of organizations across China and Taiwan by creating a Frankenstein's monster-style composite of preexisting open source components. Among them: multiple tools for escalating user privileges in Windows machines, and for establishing persistence and allowing remote code execution.

In addition to adopting other hackers' code, the attackers freely adopted other organizations' infrastructure, too. In staging their malware, the hackers puppeteered servers located in China, Hong Kong, Singapore, and Taiwan, many of which were hosted by perfectly ordinary businesses, including an art gallery, a retailer for baby products, and companies in the gaming and gambling industries.

Researchers from SentinelOne named the campaign "DragonSpark" — a portmanteau referencing the attackers' Chinese-language links, and "SparkRAT," an open source remote access Trojan (RAT) never seen in the wild until now.

**An Open Source Party**

To gain initial access to their targets, the DragonSpark attackers sought out Internet-exposed Web servers and MySQL database servers. Then, with a foot in the door, they began deploying open source malware.

"Open source tools and existing infrastructure are very practical to threat actors," Aleksandar Milenkoski, senior threat researcher at SentinelOne, tells Dark Reading. This is especially true of "actors involved in cybercrime activities without many resources and in-depth technical readiness to develop their own tool set and setup an intricate infrastructure, but aiming for large-scale, opportunistic attacks at the same time."

The DragonSpark attackers carried out their opportunistic attacks with programs like SharpToken and BadPotato, which enable the execution of commands at the level of the Windows operating system. SharpToken also provides visibility to user and process information; it allows a user to freely add, delete, or modify passwords of system users. BadPotato, the researchers noted, had been previously used by other Chinese threat actors in an espionage campaign.

Next in the arsenal was GotoHTTP, which facilitates persistence, file transfer, and remote screen viewing. But the most notable malware of all was SparkRAT — "a very recent development on the threat landscape," Milenkoski noted. DragonSpark represents "the first concrete observation of threat actors using SparkRAT as part of larger campaigns."

Released in its current version on Nov. 1, 2022, SparkRAT is a jack of all trades. It's compatible with not only Windows but also Linux and macOS systems. Its most notable features are as follows, as the researchers outlined:

*   _**"Command execution:** including execution of arbitrary Windows system and PowerShell commands;_
*   _**System manipulation:** including system shutdown, restart, hibernation, and suspension;_
*   _**File and process manipulation:** including process termination as well as file upload, download, and deletion; and_
*   _**Information theft:** including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration."_

SparkRAT, SharpToken, Bad Potato, and GotoHTTP are all freely available to download online. As open-source tools, their use also makes attribution more difficult.

**Links to China**

All of the targets of DragonSpark were organizations based in East Asia. Many of them "have a large customer base," Milenkoski observes, "leading to the belief that the threat actors may be targeting customer data." Whether the motive was cybercrime or espionage was not determined.

Though unable to attribute anyone specific, the researchers considered it "highly likely" that the DragonSpark attackers were Chinese speakers. That is, in part, explained by the fact that most of their infrastructure and targets were located in East Asia. Additionally, the Web shell they used to deploy their malware — a well-known tool called China Chopper — and all of the open source tools described above were originally developed by Chinese-speaking developers and vendors.

This is consistent with recent activity in the world of Chinese threat actors. An alert published last summer by the Cybersecurity and Infrastructure Security Agency (CISA) highlighted how state-sponsored APTs from the People's Republic "often mix their customized toolset with publicly available tools."

All signs point to more of these kinds of attacks going forward. SparkRAT in particular, though nascent to the scene, "is regularly updated with new features," the SentinelOne researchers noted, adding that "the RAT will remain attractive to cybercriminals and other threat actors in the future."

'DragonSpark' Malware: East Asian Cyberattackers Create an OSS Frankenstein

The t2'23 Call For Papers has been announced. It will take place May 4th through the 5th, 2023 in Helsinki, Finland.

    Call For Papers 2023Tired of your bosses suspecting conference trips to exotic locations being just a ploy to partake in Security Vacation Club? Prove them wrong by coming to Helsinki, Finland on May 4-5 2023! Guaranteed lack of sunburn, good potential for rain or slush. In case of great spring weather, though, no money back.CFP and registration both open. Read further if still unsure.Maui, Miami, Las Vegas, Tel Aviv or Wellington feel so much sunnier once you’ve experienced the lack of infinity pools in Northern Europe. Instead of pools and palms trees, we can offer you actual saunas and a high tech environment, which is a weird combination of demoscene, widespread Linux adoption, mobile Internet with uncapped flat rate data and a long history of IRC and imageboards.What defines a conference? For t2 it has always been that intimate welcoming atmosphere of a small event, which makes both audience and speakers approachable. There are enough regulars to create the feeling of a community, but not too many that a first-comer would feel being left out. On the content side, we have always been and always will be a technical security conference, emphasizing the cutting edge, world class research. This is an event for the community. Our focus[1] is on technical excellence, not politics or player hating.t2’23 offers you an audience with a taste for technical security presentations containing original content. This is your chance to showcase the latest research and lessons in EDR simulation and healthcheck spoofing, hardware insecurity, inferring information from interference, cloud-scale forensics or persistance automation, new vulnerability classes, AI exploitation, virtual machines inside parsers, elegant exploitation of old vulnerability classes, modern defense, dropping zero days during presentations, state of the art memory corruption mitigation bypasses, evasions, safe cracking, satellite and space security, remote vehicle access, or whatever research lights up the eyes of seasoned conference visitors. For the hackers by the hackers.The advisory board will be reviewing submissions until 2023-03-17. Slide deck submission final deadline 2023-04-20 for accepted talks.First come, first served. Submissions will not be returned.Quick facts for speakers+ presentation length 60-120 minutes, in English+ complimentary travel and accommodation for one person[6]+ decent speaker hospitality benefits+ no marketing or product propagandaStill not sure if this is for you? Check out the blast from the past[2].The total amount of attendees, including speakers and organizers is limited to 99. Advisory Board recognize[3] the OG Finnish sauna culture is an acquired taste and can promise the lack of sweaty, partially or fully nude sauna-goers at all conference functions.[0] hunter2[1] https://t2.fi/about/eula/[2] https://t2.fi/schedules/[3] https://youtu.be/Oj8JBBAM5jY?t=40[6] except literally @nudehaberdasher and @0xcharlieHow to submitFill out the form at https://if.t2.fi/action/cfpHow to registerBuy your ticket at https://t2.fi/registration/

t2'23 Call For Papers

Ubuntu Security Notice 5822-1 - It was discovered that Samba incorrectly handled the bad password count logic. A remote attacker could possibly use this issue to bypass bad passwords lockouts. This issue was only addressed in Ubuntu 22.10. Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5822-1  
January 24, 2023

samba vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Samba.

Software Description:  
- samba: SMB/CIFS file, print, and login server for Unix

Details:

It was discovered that Samba incorrectly handled the bad password count  
logic. A remote attacker could possibly use this issue to bypass bad  
passwords lockouts. This issue was only addressed in Ubuntu 22.10.  
(CVE-2021-20251)

Evgeny Legerov discovered that Samba incorrectly handled buffers in  
certain GSSAPI routines of Heimdal. A remote attacker could possibly use  
this issue to cause Samba to crash, resulting in a denial of service.  
(CVE-2022-3437)

Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos  
keys. A remote attacker could possibly use this issue to elevate  
privileges. (CVE-2022-37966, CVE-2022-37967)

It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure  
Channel. A remote attacker could possibly use this issue to elevate  
privileges. (CVE-2022-38023)

Greg Hudson discovered that Samba incorrectly handled PAC parsing. On  
32-bit systems, a remote attacker could use this issue to escalate  
privileges, or possibly execute arbitrary code. (CVE-2022-42898)

Joseph Sutton discovered that Samba could be forced to issue rc4-hmac  
encrypted Kerberos tickets. A remote attacker could possibly use this issue  
to escalate privileges. This issue only affected Ubuntu 20.04 LTS and  
Ubuntu 22.04 LTS. (CVE-2022-45141)

WARNING: The fixes included in these updates introduce several important  
behavior changes which may cause compatibility problems interacting with  
systems still expecting the former behavior. Please see the following  
upstream advisories for more information:

https://www.samba.org/samba/security/CVE-2022-37966.html  
https://www.samba.org/samba/security/CVE-2022-37967.html  
https://www.samba.org/samba/security/CVE-2022-38023.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   samba                           2:4.16.8+dfsg-0ubuntu1

Ubuntu 22.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu1

Ubuntu 20.04 LTS:  
   samba                           2:4.13.17~dfsg-0ubuntu1.20.04.4

This update uses a new upstream release, which includes additional bug  
fixes. In general, a standard system update will make all the necessary  
changes.

References:  
   https://ubuntu.com/security/notices/USN-5822-1  
   CVE-2021-20251, CVE-2022-3437, CVE-2022-37966, CVE-2022-37967,  
   CVE-2022-38023, CVE-2022-42898, CVE-2022-45141

Package Information:  
   https://launchpad.net/ubuntu/+source/samba/2:4.16.8+dfsg-0ubuntu1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1  
   https://launchpad.net/ubuntu/+source/samba/2:4.13.17~dfsg-0ubuntu1.20.04.4

Ubuntu Security Notice USN-5822-1

Apple Security Advisory 2023-01-23-8 - Safari 16.3 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-01-23-8 Safari 16.3Safari 16.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213600.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved checks.WebKit Bugzilla: 245464CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, JimingWang, JiKai Ren and Hang Shu of Institute of Computing Technology,Chinese Academy of SciencesWebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 248268CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEWebKit Bugzilla: 248268CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEAdditional recognitionWebKitWe would like to acknowledge Eliya Stein of Confiant for theirassistance.Safari 16.3 may be obtained from the Mac App Store.All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPImAACgkQ4RjMIDkeNxmOtA/8C2w5NPXlcGH2m1GpCgxiEDQ/SreXYbyKbflivbXDwE1L+XAzTMhRIHF5KjcqvjaoBh4oHN7IfQNq12/YE3+RMDF03J0sTefTT7SeLjN0wKM92jcqFWSGsLNIUrsO3+jP89/2Di4IY3E07mu7iiZzgi8zGUPoMOxqJK8zpfYFXVe5LVyOfI3ETe2RnjH7et/tvW4KgVGyS4+tVHvC6Dts7efEKC10vgc4xdlWH69OHqUYT2eP7bX909MKt8qnl5YW/W155rKWeZrngRP5gbwAWv6+Q5Jh6X/TZYi1S/5HEgBSUdn/8Cto9A2v5FLZJLtYdoO137FqFMxH8ePWGGaL2JOVkeVYRZgkBnqZWMw4CUFgA6zW8i20e/aYk1IaJsQzgrXzYEDjoXIq1MXgO5egY6pQNIyKtutRSpskWhoOFRXjKHLna0W1R+l6YvfIpprHPlOae7koSwJJqQbq/XvD3XECtrf0xGqFiD5ntCNysFcy5hAEoswVpzkz8368C6OU/bwOuryTlrImLDEsgJBozJk6CGhNgFMg81xzCMt7SzOqTR7u50P3VOki9wt38tejRZyWTJiy3Tke/WlxrN0xl6vnBPsfDX7EW8+xC17mFAJlpnxy3f5Z1mdQq6mG51oZtFSgQR1cKUek/fnKpBNiauEk7A+Amm0nfzlpBT+4rKw=YCs8-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-8

Apple Security Advisory 2023-01-23-6 - macOS Big Sur 11.7.3 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3

macOS Big Sur 11.7.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213603.

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Big Sur  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.85.0.  
CVE-2022-35252

dcerpc  
Available for: macOS Big Sur  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Screen Time  
Available for: macOS Big Sur  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

WebKit  
Available for: macOS Big Sur  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Windows Installer  
Available for: macOS Big Sur  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

macOS Big Sur 11.7.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
NxmcTxAA5RgSSuSbRaEzLzDYMXICkEWJLRFDxirCePXlty57qxD+Edl/f7rZhvxx  
nt5f0TTSVV2D4j+bb1MC/qFgINJ2SV31UY3nQXg+k85QeCyjEMXQDgIk5QBJd40E  
gcPXFOQULvHJAhyKAvNexGqyRTUk4GqifPZNwXFxKC/tsPahr/Bh6OP+l7CkhG7Y  
XiDuKLpL7ssAMl6sf7Lg5H114P/6pPwKM949mYzUz+0CH6uXQ7oWSx/KirbR3HD8  
W3FQY/iS3hzG6EALUbFWKjxXPHRv/59TQElizLVqfxLQCjSokxyDiW5OehMeefQs  
8dFDCMbpbQFC0RBVFVCS3fzhCNu24LfihyUmz9//Azguv3HJhbuZ/kz70JhsLW9F  
6mGlbXA/w2rAWXpJ2fRsHSqpZw9jiX1FlfUH+h3T8cmtnfZDduV0AEvCIK8Zp/nq  
S6+sZ3i5VtQyUGZc3FKTQVTeMPrXhyLCXlfiCXMfo04P11AJNxOqSHgBH43N8pNp  
drRKydDb+u8QpxUzuaxbyn2dgoEaxwRke6jspkPFPZ/ipj8eNLIn2FqQx8CGXCDL  
2k/+/a4M/zsGcr39kuGjcXNba6YbXnA8HwWqmKeMwQ+3VTMwf6C2x0h6OBQGIGcv  
MyrKHkVVE9KyPk9AULiw4BJYX7MMBmSbpf2OEDP3d06d6e1ljv8=  
=hYz5  
-----END PGP SIGNATURE-----

Tag

#mac