Launched in partnership with Immunefi, bounty to promote Web3 security.

**VANCOUVER, BC****,** **May 17, 2023** **/PRNewswire/ --** LayerZero Labs, the team that launched the leading cross-chain messaging protocol LayerZero, today announced that it has launched a $15 million bug bounty in partnership with Immunefi, the leading bug bounty and security services platform for Web3, protecting over $60 billion in user funds.

The bug bounty will be the largest in the history of the software industry and shows LayerZero's undying commitment to security as well as the developers and users in the LayerZero ecosystem. LayerZero Labs is offering a maximum reward of $15M for each new vulnerability found by participants who uncover vulnerabilities at the highest severity level. With this incentive, LayerZero Labs is setting a new bar for bug bounties across all areas of the software industry.

"With the launch of the largest bug bounty in the world we hope that LayerZero's commitment to Web3 security and the individuals who make the community stronger is clear," commented Bryan Pellegrino, CEO of LayerZero Labs. "We care deeply about building the safest, most used messaging protocol in the world."

"We're thrilled to partner with LayerZero to launch the world's biggest bounty and help ensure the safety of its ecosystem," said Mitchell Amador, Founder and CEO at Immunefi. "We've paved the way to reach the highest security standards in the industry and worked to provide projects with the necessary structure and access to the strongest security talent. LayerZero's bounty is a testament to what we should continue moving towards, and that's an undeniable commitment to security."

Immunefi has facilitated the most significant bug bounties in the software industry, with over $75 million in rewards paid out. It is the largest and most widely adopted bug bounty platform in Web3, where a massive community of leading security talent review projects' blockchain and smart contract code, find and responsibly disclose vulnerabilities, and get paid for making the ecosystem safer.

The terms and conditions of the bug bounty, including eligibility criteria, can be found here: https://immunefi.com/bounty/layerzero/. Vulnerabilities must meet the criteria determined by LayerZero Labs at its sole discretion.

**About Immunefi**

Immunefi is the leading bug bounty and security services platform for Web3, which features the world's largest bounties. Immunefi guards over $60 billion in user funds across projects like Synthetix, Chainlink, SushiSwap, Polygon, Bancor, MakerDAO, TheGraph, Optimism, and others. The company has paid out the most significant bug bounties in the software industry, amounting to over $75 million, and has pioneered the scaling Web3 bug bounties standard.

For more information, please visit https://immunefi.com

**About LayerZero Labs**

LayerZero Labs is the team that launched the leading blockchain messaging protocol LayerZero. LayerZero's advanced messaging infrastructure seamlessly connects over 30 blockchains and facilitates transparent and secure cross-chain messaging from one easy-to-use interface. Since going live in March 2022, the LayerZero protocol has processed more than 10 million messages with thousands of mainnet contracts being deployed by thousands of developer teams. Backed by leading venture capital firms including a16z, Sequoia, Binance Labs, Christie's, Lightspeed, Opensea, Bond, Samsung Next, and GBV, LayerZero was recently valued at $3 billion. Developers building on LayerZero can create interoperable, omnichain dApps, which will lead to the establishment of a unified digital asset ecosystem.

For additional information on LayerZero, visit: https://layerzero.network/

LayerZero Labs Launches $15M Bug Bounty; Largest in the World

In unflattenString8 of Sensor.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-269014004

_Published May 1, 2023 | Updated May 3, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-05-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-05-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-05-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39617

A-175190844

EoP

High

11, 12, 12L

CVE-2022-20338

A-171966843

EoP

High

11, 12, 12L

CVE-2023-20993

A-261588851

EoP

High

11, 12, 12L, 13

CVE-2023-21109

A-261589597

EoP

High

11, 12, 12L, 13

CVE-2023-21117

A-263358101

EoP

High

13

CVE-2023-20914

A-189942529

ID

High

11

CVE-2023-21104

A-259938771

ID

High

12L, 13

CVE-2023-20930

A-250576066

DoS

High

11, 12, 12L, 13

CVE-2023-21116

A-256202273 \[2\]

EoP

Moderate

11, 12, 12L, 13

**Frameworks**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21110

A-258422365

EoP

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20444

A-197296414 \[2\] \[3\] \[4\] \[5\]

EoP

High

11, 12

CVE-2023-21107

A-259385017

EoP

High

11, 12, 12L, 13

CVE-2023-21112

A-252763983

ID

High

11, 12, 12L, 13

CVE-2023-21118

A-269014004 \[2\] \[3\]

ID

High

11, 12, 12L, 13

CVE-2023-21103

A-259064622 \[2\]

DoS

High

11, 12, 12L, 13

CVE-2023-21111

A-256819769 \[2\]

DoS

High

11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

Permission Controller

CVE-2021-39617, CVE-2023-20914

**2023-05-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-05-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2023-21102

A-260821414  
Upstream kernel \[2\]

EoP

High

EFI

CVE-2023-21106

A-265016072  
Upstream kernel

EoP

High

GPU

**Kernel components**

The vulnerability in this section could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2023-0266

A-265303544  
Upstream kernel

EoP

Moderate

Kernel

**Kernel LTS**

The following kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch.

   

References

Android Launch Version

Kernel Launch Version

Minimum Launch Version

A-239830686

12

5.10

5.10.136

A-239977583

12

5.4

5.4.210

A-239978386

11

5.4

5.4.210

A-251538603

13

5.10

5.10.136

A-251540658

13

5.15

5.15.72

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

   

CVE

References

Severity

Subcomponent

CVE-2022-46394

A-267360595 \*

High

Mali

CVE-2022-46395

A-267357916 \*

High

Mali

CVE-2022-46396

A-259984805 \*

High

Mali

CVE-2022-46891

A-260149319 \*

High

Mali

CVE-2023-26085

A-261701167 \*

High

Arm NNAPI Driver

**Imagination Technologies**

This vulnerability affects Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of this issue is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2021-0877

A-273754094 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2023-20694

A-271785766  
M-ALPS07733998 \*

High

preloader

CVE-2023-20695

A-271788841  
M-ALPS07734012 \*

High

preloader

CVE-2023-20696

A-271788842  
M-ALPS07856356 \*

High

preloader

CVE-2023-20699  

A-271788844  
M-ALPS07696073 \*

High

adsp

CVE-2023-20697

A-271785768  
M-ALPS07589148 \*

High

keyinstall

CVE-2023-20698

A-271785769  
M-ALPS07589144 \*

High

keyinstall

CVE-2023-20726

A-271785764  
M-ALPS07735968 \*

High

mnld

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Subcomponent

CVE-2022-47469

A-273383823  
U-2143205 \*

High

Kernel

CVE-2022-47470

A-273397872  
U-2143207 \*

High

Kernel

CVE-2022-47486

A-273401256  
U-2143210 \*

High

Kernel

CVE-2022-47487

A-273397882  
U-2079517 \*

High

Android

CVE-2022-47488

A-273409059  
U-2064944 \*

High

Kernel

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-21665

A-271879598  
QC-CR#3400722

High

Display

CVE-2023-21666

A-271879644  
QC-CR#3400780

High

Display

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-25713

A-258057293 \*

High

Closed-source component

CVE-2022-33273

A-258057450 \*

High

Closed-source component

CVE-2022-33305

A-258057367 \*

High

Closed-source component

CVE-2022-34144

A-258057329 \*

High

Closed-source component

CVE-2022-40504  

A-258057235 \*

High

Closed-source component

CVE-2022-40508

A-258057197 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-05-01 or later address all issues associated with the 2023-05-01 security patch level.
*   Security patch levels of 2023-05-05 or later address all issues associated with the 2023-05-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-05-01\]
*   \[ro.build.version.security\_patch\]:\[2023-05-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-05-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-05-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-05-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

May 1, 2023

Bulletin Published

1.1

May 3, 2023

Bulletin revised to include AOSP links

CVE-2023-21118: Android Security Bulletin—May 2023

Retired hardware and forgotten cloud virtual machines are a trove of insecure confidential data. Here's how to ameliorate that weakness.

The stories are both infamous and legendary. Surplus computing equipment purchased at auction contains thousands of files with private information, including employee health records, banking information, and other data covered by a multitude of state and local privacy and data laws. Long-forgotten virtual machines (VMs) with confidential data are compromised — and no one knows. Enterprise-class routers with topology data about corporate networks are sold on eBay. With so much confidential data made available to the public on a daily basis, what else are companies exposing to potential attackers?

The fact is a lot of data gets exposed regularly. Last month, for example, cybersecurity vendor ESET reported that 56% of decommissioned routers sold on the secondary market contained sensitive corporate material. This included such configuration data as router-to-router authentication keys, IPsec and VPN credentials and/or hashed passwords, credentials for connections to third-party networks, and connection details for some specific applications.

Cloud-based vulnerabilities that result in data leaks are usually the result of misconfigurations, says Greg Hatcher, a former instructor at the National Security Agency and now CEO and co-founder of White Knight Labs, a cybersecurity consultancy that specializes in offensive cyber operations. Sometimes the data is put at risk deliberately but naively, he notes, such as proprietary code finding its way into ChatGPT in the recent Samsung breach.

Confidential data, such as credentials and corporate secrets, are often stored in GitHub and other software repositories, Hatcher says. To search for multifactor authentication or bypasses for valid credentials, attackers can use MFASweep, a PowerShell script that attempts to log into various Microsoft services using a provided set of credentials that attempts to identify if MFA is enabled; Evilginx, a man-in-the-middle attack framework used for phishing login credentials along with session cookies; and other tools. These tools can find access vulnerabilities into a variety of systems and applications, bypassing existing security configurations.

Having both a hardware and software asset inventory is essential, Hatcher says. The hardware inventory should include all devices because the security team needs to know exactly what hardware is on the network for maintenance and compliance reasons. Security teams can use a software asset inventory to protect their cloud environments, since they cannot access most cloud-based hardware. (The exception is a private cloud with company-owned hardware in the service provider's data center, which would fall under the hardware asset inventory as well.)

Even when applications are deleted from retired hard disks, the unattend.xml file in the Windows operating system on the disk still holds confidential data that can lead to breaches, Hatcher says.

"If I get my hands on that and that local admin password is reused throughout the enterprise environment, I now can get an initial foothold," he explains. "I already can move laterally throughout the environment."

**Sensitive Data Might Not Stay Hidden**

Short of physically destroying disks, the next best option is overwriting the entire disk — but that option can sometimes be overcome as well.

Oren Koren, co-founder and chief product officer of Tel Aviv-based Veriti.ai, says service accounts are an often-ignored source of data that attackers can exploit, both on production servers and when databases on retired servers are left exposed. Compromised mail transfer agents, for example, can act as a man-in-the-middle attack, decrypting simple mail transfer protocol (SMTP) data as it is being sent from production servers.

Similarly, other service accounts could be compromised if the attacker is able to determine the account's primary function and find which security components are turned off to meet that goal. An example would be turning off data analysis when super-low latency is required.

Just as service accounts can be compromised when left unattended, so can orphaned VMs. Hatcher says that in popular cloud environments, VMs are often not decommissioned.

"As a red teamer and a penetration tester, we love these things because if we get access to that, we can actually create persistence within the cloud environment by popping in \[and\] popping a beacon on one of those boxes that can talk back to our \[command-and-control\] server," he says. "Then we can kind of hold onto that access indefinitely."

One file type that often gets short shrift is unstructured data. While rules are generally in place for structured data — online forms, network logs, Web server logs, or other quantitative data from relational databases — the unstructured data can be problematic, says Mark Shainman, senior director of governance products at Securiti.ai. This is data from nonrelational databases, data lakes, email, call logs, Web logs, audio and video communications, streaming environments, and multiple generic data formats often used for spreadsheets, documents, and graphics.

"Once you understand where your sensitive data exists, you can put in place specific policies that protect that data," says Shainman.

**Access Policies Can Remediate Vulnerabilities**

The thought process behind sharing data often identifies potential vulnerabilities.

Says Shainman: "If I'm sharing data with a third party, do I put specific encryption or masking policies in place, so when that data is pushed downstream, they have the ability to leverage that data, but that sensitive data that exists within that environment is not exposed?"

Access intelligence is a group of policies that allows specific individuals to access data that exists within a platform. These policies control the ability to view and process data at the permission level of the document, rather than on a cell basis on a spreadsheet, for example. The approach bolsters third-party risk management (TPRM) by allowing partners to access data approved for their consumption; data outside that permission, even if it is accessed, cannot be viewed or processed.

Documents such as NIST's Special Publication 800-80 Guidelines for Media Sanitation and the Enterprise Data Management (EDM) Council's security frameworks can help security pros define controls for identifying and remediating vulnerabilities related to decommissioning hardware and protecting data.

Making Sure Lost Data Stays Lost

Categories: News
Categories: Personal
Categories: Privacy
Google used its annual I/O conference keynote to announce anti-stalking updates.



(Read more...)




The post Google adds unwanted tracker detection to Find My Device network appeared first on Malwarebytes Labs.

Last week we reported that Google and Apple were looking for input on a draft specification to alert users in the event of suspected unwanted tracking. Apple and Google said other tracker makers like Samsung, Tile, Chipolo, eufy Security, and Pebblebee have expressed interest in their draft.

Now, Google has used its annual I/O conference keynote to announce updates to its Find My Device network aimed at stopping unwanted tracking by devices with built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google’s expected Grogu.

The basic principle of these tags is that anyone with the matching app and permissions on their device (usually a phone) contributes to find the last location where the tag was detected. The idea is that you attach a tag to the objects you are afraid of misplacing or losing, such as your keys or your laptop, or even you car, and when you need to find the object you can look in the app and see where it last made contact with a device. This type of contact is usually made over Bluetooth.

After several complaints and reports that these tracking devices were used to track people rather than finding lost objects, some states introduced bills to ban the use of trackers to aid stalking. But while a bill can deter, it doesn’t stop people with criminal intentions directly. Nor do these bills stop the car thieves that planted AirTags on expensive cars, so they could find the cars at home where they were less well protected.

The new features of the Find My Device network allow Android users to find more devices. The update, which is expected this summer, will also alert users about trackers that are registered to another user, but still look like they are following you around.

This could happen if a criminal planted a tag on your laptop so they could track its location. If you keep your laptop close, the tag will stand out, because it does not belong to you but stays in your neighborhood anyway. With the expected Android update, any tracker compatible with the Find My Device network will show up on your app.

If an alert is received from a tracker other than your own, you can then locate the device. These warnings can eventually be expected to work on both Android and Apple devices.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google adds unwanted tracker detection to Find My Device network

Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.
Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."
Of the 38 vulnerabilities, six are rated Critical and

Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.

Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."

Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft.

This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates.

Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for reporting the flaw.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply vendor fixes by May 30, 2023.

Also of note are two publicly known flaws, one of which is a critical remote code execution flaw impacting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that could be weaponized by an actor by sending a specially crafted email to the victim.

Microsoft, as mitigations, is recommending that users read email messages in plain text format to protect against this vulnerability.

The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that's weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), which was resolved in January 2022.

"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled," Microsoft said in a separate guidance.

"This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device."

It's worth noting that the fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device," Microsoft cautioned. "Even reformatting of the disk will not remove the revocations if they have already been applied."

The tech giant said it's taking a phased approach to completely plug the attack vector to avoid unintended disruption risks, an exercise that's expected to stretch until the first quarter of 2024.

"Modern UEFI-based Secure Boot schemes are extremely complicated to configure correctly and/or to reduce their attack surfaces meaningfully," firmware security firm Binarly noted earlier this March. "That being said, bootloader attacks are not likely to disappear anytime soon."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Cisco
*   Citrix
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   Synology
*   Veritas
*   VMware
*   Zoho, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug

OpenAI has new tools that give you more control over your information—although they may not go far enough.

There’s a chance that ChatGPT knows personal details about you—and if it doesn’t, it might just make something up. As OpenAI’s generative text chatbot has boomed in popularity over the past six months, the risks of the system being trained on data vacuumed up from the web have become clearer.

Data regulators around the world are investigating issues with how OpenAI gathered the data it uses to train its large language models, the accuracy of answers it provides about people, and other legal concerns about the use of its generative text systems. Europe’s data regulators have joined forces to look at OpenAI after Italy temporarily banned ChatGPT from the country. And Canada is also investigating the technology’s potential privacy risks.

In Europe, GDPR laws require companies and organizations to demonstrate lawful reasons for handling people’s personal information and to let people access information about them, be informed of how their information is used, and demand that errors be rectified. In some cases, they can ask that certain types of data be erased. The way people’s personal information has been used in training data has been an early area of concern for EU regulators.

As people have experimented with the chatbot, asking it questions about their lives and friends, a range of potential problems have emerged. OpenAI warns that ChatGPT may provide inaccurate information, and people have found that it makes up jobs and hobbies. It has cooked up false newspaper articles that had even the alleged human authors wondering if they were real. It generated incorrect statements saying a law professor was involved in a sexual harassment scandal, and it said a mayor in Australia had been implicated in a bribery scandal—he is preparing to sue for defamation.

It’s not just individuals who are concerned about how data is used. Samsung has banned employees from using generative AI tools, in part over fears about how data is stored on external servers and the risk that company secrets could ultimately be disclosed to other users. (There are separate issues around copyright and intellectual property.)

In response to the scrutiny—particularly from the Italian data regulator, which has now allowed ChatGPT back into the country after OpenAI made changes to its service—the company has introduced tools and processes that allow people more control over at least some of their data. Here’s how to use them.

Get Your Data Removed From ChatGPT

ChatGPT and GPT-4 generate their human-like answers statistically—predicting which words are likely to follow others after seeing millions of examples of sentences written by human authors. OpenAI has been secretive about the data it has trained its large language models on, so nobody outside the company knows exactly how much of the web (including people’s personal information) it has scraped in the process.

OpenAI says its large language models are trained on three sources of information: data taken from the web, data that the company licenses from others, and the information people feed it through chats. This can include information about individuals. “A large amount of data on the internet relates to people, so our training information does incidentally include personal information,” OpenAI explains in a post, stating that it takes steps to reduce the amount it gathers.

OpenAI has now introduced a Personal Data Removal Request form that allows people—primarily in Europe, although also in Japan—to ask that information about them be removed from OpenAI’s systems. It is described in an OpenAI blog post about how the company develops its language models.

The form primarily appears to be for requesting that information be removed from answers ChatGPT provides to users, rather than from its training data. It asks you to provide your name; email; the country you are in; whether you are making the application for yourself or on behalf of someone else (for instance a lawyer making a request for a client); and whether you are a public person, such as a celebrity.

OpenAI then asks for evidence that its systems have mentioned you. It asks you to provide “relevant prompts” that have resulted in you being mentioned and also for any screenshots where you are mentioned. “To be able to properly address your requests, we need clear evidence that the model has knowledge of the data subject conditioned on the prompts,” the form says. It asks you to swear that the details are correct and that you understand OpenAI may not, in all cases, delete the data. The company says it will balance “privacy and free expression” when making decisions about people’s deletion requests.

Daniel Leufer, a senior policy analyst at digital rights nonprofit Access Now, says the changes that OpenAI has made in recent weeks are OK but that it is only dealing with “the low-hanging fruit” when it comes to data protection. “They still have done nothing to address the more complex, systemic issue of how people’s data was used to train these models, and I expect that this is not an issue that’s just going to go away, especially with the creation of the EDPB taskforce on ChatGPT,” Leufer says, referring to the European regulators coming together to look at OpenAI.

“Individuals also may have the right to access, correct, restrict, delete, or transfer their personal information that may be included in our training information,” OpenAI’s help center page also says. To do this, it recommends emailing its data protection staff at dsar@openai.com. People who have already requested their data from OpenAI have not been impressed with its responses. And Italy’s data regulator says OpenAI claims it’s “technically impossible” to correct inaccuracies at the moment.

How to Delete Your ChatGPT Chat History

You should be cautious of what you tell ChatGPT, especially given OpenAI’s limited data-deletion options. The conversations you have with ChatGPT can, by default, be used by OpenAI in its future large language models as training data. This means the information could, at least theoretically, be reproduced in answer to people’s future questions. On April 25, the company introduced a new setting to allow anyone to stop this process, no matter where in the world they are.

When logged in to ChatGPT, click on your user profile in the bottom left-hand corner of the screen, click **Settings**, and then **Data Controls**. Here you can **toggle off Chat History & Training**. OpenAI says turning your chat history off means data you input into conversations “won’t be used to train and improve our models.”

As a result, anything you enter into ChatGPT—such as information about yourself, your life, and your work—shouldn’t be resurfaced in future iterations of OpenAI’s large language models. OpenAI says when chat history is turned off, it will retain all conversations for 30 days “to monitor for abuse” and then they will be permanently deleted.

When your data history is turned off, ChatGPT nudges you to turn it back on by placing a button in the sidebar that gives you the option to enable chat history again—a stark contrast to the “off” setting buried in the settings menu.

How To Delete Your Data From ChatGPT

Plus: Apple and Google plan to stop AirTag stalking, Meta violated the FTC’s privacy order, and how to tell if your car is tracking you.

In December 2020, security giant Mandiant revealed it had been hacked. Its disclosure was the first public sign of the SolarWinds hack, a Russian-orchestrated supply chain attack that's widely regarded as one of the biggest espionage hacks ever. Among its victims were the US Departments of Homeland Security, Energy, and Justice. This blow-by-blow retelling of the historic SolarWinds attack, from Kim Zetter, charts the ways the hackers pulled off the attack—and how they were eventually caught.

Anti-abortion group the American College of Pediatricians (ACPeds) suffered a significant data breach this week. The doctors' organization, which sued the US government to ban the abortion drug mifepristone, left an unsecured Google Drive on its website, exposing a decade's worth of email exchanges, financial and tax records, and more sensitive data. The details give an unprecedented view of the organization, which has been described as a “hate group” for its views on LGBTQ people.  While ACPeds—which is not a school at all—characterizes itself as a “scientific organization,” leaked records show its deeply evangelical Christian mission.

Security experts have promised a future where passwords will cease to exist for the best part of a decade. However, that reality took a big step forward this week—really!—as Google launched passkey logins for billions of people. The technique uses cryptographic keys that are stored on your devices to replace your old, insecure passwords.

Elsewhere, cops in the US, Europe, and nine other countries have arrested 288 people for their involvement in the dark web drug markets, including the site Monopoly Market, which was quietly taken offline in 2021. Facebook owner Meta has added new tools to its business accounts in an attempt to thwart bad actors abusing them, including who can become account administrators and access lines of credit.

But that’s not all. Each week, we round up the news we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Russian ships with underwater operations equipment have been identified as being near the sites of the Nord Stream gas pipeline explosions in the days before the blasts, according to a joint investigation from national broadcasters in Denmark, Norway, Sweden, and Finland. Journalists at the publications combined intercepted radio broadcasts from the ships with satellite images to pinpoint their locations and track their paths. It is the latest example of investigators piecing together different sources of data, from varying unconnected sources, to reveal new details about real-world events.

Three ships, according to the investigation, sailed from naval bases in Russia to near the blast sites in June and September 2022. All of the ships had turned off their location tracking AIS services, an act often described as “going dark” and commonly used for disguising activity. Among the vessels were the navy research ship Sibiryakov and a tugboat called SB-123, which is said to be capable of launching mini-submarines. (In November 2022, WIRED reported on the presence of “ghost ships” around the time of the explosions, but had no information on their identity.)

Separately, another Russian vessel, the SS-750, was near the pipelines four days before they were blown up. In response to a public records request, the Danish Defense Command confirmed to the Information, a Danish news site, that it had 26 photos of the SS-750 near the sites.

Since the explosions at the Nord Stream 1 and 2 pipelines in September, there has been no official confirmation, with supporting evidence, of who may have been behind the blasts. The investigation from the Nordic journalists says the ships’ behavior was unusual but does not conclude what they were doing near the Nord Stream sites. Russia has denied being involved in the attacks, pointing fingers at both the UK and US. Other reports have claimed a pro-Ukranian group may have conducted the attack, which Ukraine has denied. Official investigations into the blasts are still ongoing in multiple European countries and the exact cause of the explosions is still unclear.

The US Federal Trade Commission is planning to impose a “blanket ban” on Meta and its companies—Instagram, Messenger, Facebook, WhatsApp, and VR firm Horizon Worlds—from making money from the data of people under 18. This could potentially mean the company would not be able to use data from these users to show them targeted advertisements and could only use the information it collects for providing its services or security purposes. The FTC also says that Meta would not be able to start using data collected before people turned 18 for commercial purposes.

The proposal comes as the FTC alleged Meta hasn’t complied with a previous 2020 privacy order it agreed to as part of a $5 billion settlement. In a statement, the FTC says Meta has “misled parents about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.” The proposed changes would be a modification to the FTC’s previous order, and it says it may also limit how Meta uses face recognition technology and require it to provide extra protection for users. Mark Zuckerberg’s firm has 30 days to respond to the FTC, which then may alter its plans.

How do you know if you are being stalked with an AirTag? If you have an iPhone running a newish version of iOS, then you should receive push notifications if an AirTag that doesn’t belong to you is following you around. However, if you own an Android device, you have to go through the extra step of downloading an app to discover if you are being tracked—a high burden for people in potentially abusive situations. Apple and Google said this week they are now working together to create a common standard for all phones to detect Bluetooth trackers that are being used to stalk or harass people. The proposal is also backed by Samsung and Bluetooth tracker manufacturers. The plan comes years after Apple’s cheap devices were first released without the additional privacy protections Apple added after the AirTags launch.

In 2017, the NotPetya cyberattack—the most devastating in history—caused more than $10 billion in damage to the companies and organizations it impacted. Among them was pharmaceutical giant Merck, which lost hundreds of millions of dollars as a result of the malware. This week, a New Jersey court ruled that Merck's insurers have to cover losses from the cyberattack. The insurers had argued the use of the malware, which has been linked to Russia, should be considered a warlike act and, as a result, would not fall under insurance policies.

The judges didn't agree. “The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action,” they wrote in a decision. “Coverage could only be excluded here if we stretched the meaning of 'hostile' to its outer limit.” The decision comes as US president Joe Biden's administration looks to shift the liability for security issues to companies that are impacted.

Whether you know it or not, your car is a data goldmine. Within a few minutes, it is possible to "fingerprint" you based on the data your vehicle collects. Some consider the amount of data that vehicles grab a national security threat. A new free tool, from vehicle privacy company Privacy4Cars, aims to reveal how much data your car and its manufacturer can collect about you. Entering your vehicle identification number (VIN) into the tool will tell you whether your car collects "identifiers, location data, biometrics, and data synced from mobile phones," as well as what data manufacturers sell to third parties, such as data brokers.

Russian ‘Ghost Ships’ Identified Near the Nord Stream Blasts

Categories: News
Categories: Privacy
Tags: Google

Tags:  Apple

Tags:  AirTag

Tags:  Tile

Tags:  Samsung

Tags:  Bluetooth

Tags:  trackers

Tags:  stalking

Tags:  car thieves

Google and Apple want to create a specification for tech that alerts users when they're being tracked by AirTags and similar devices.



(Read more...)




The post Google and Apple cooperate to address unwanted tracking  appeared first on Malwarebytes Labs.

Google and Apple have announced that they are looking for input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have stated that they will support the specification in future products.

The specification will consist of a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google’s expected Grogu.

The basic principle of these tags is that anyone with the matching app and permissions on their device (usually a phone) contributes to find the last location where the tag was detected. The idea is that you attach a tag to the objects you are afraid of misplacing or losing, such as your keys or your laptop, or even you car, and when you need to find the object you can look in the app and see where it last made contact with a device. This type of contact is usually made over Bluetooth.

After several complaints and reports that these tracking devices were used to track people rather then finding lost objects, some states introduced bills to ban the use of trackers to aid stalking. But a bill doesn’t stop those that had criminal intentions anyway. Nor do these bills stop the car thieves that planted AirTags on expensive cars, so they could find the cars at home where they were less well protected.

Apple and Google's specification aims to set a standard for apps that can detect and warn users about Bluetooth-trackers, and if needed tell the user how to disable them. The alliance between the two tech giants ensures that this can be done from Android phones and iPhones. Earlier, Apple introduced an app called “Tracker Detect” which made it possible to look for item trackers that are separated from their owner and that are compatible with Apple’s Find My network. The proposed specification would allow users to find Bluetooth trackers of various vendors in pretty much the same way.

The draft for the “Datatracker” specification says that the goal is to help protect the privacy of individuals from unwanted tracking by location-tracking accessories.

> “Location-tracking accessories provide numerous benefits to consumers, but, as with all technology, it is possible for them to be misused. Misuse of location-tracking accessories can result in unwanted tracking of individuals or items for nefarious purposes such as stalking, harassment, and theft.  Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals.”

The best practices outlined in the specification are aimed at location-enabled accessories that are small, not easily discoverable, and use Bluetooth Low Energy (LE) as the transport protocol. Interested parties are invited and encouraged to review and comment over the next three months. Following the comment period, Google and Apple will partner to address feedback and will release a production implementation of the specification for unwanted tracking alerts by the end of 2023 that will then be supported in future versions of Android and iOS.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google and Apple cooperate to address unwanted tracking 

wfc-pkt-router suffers from a vulnerability where it can wrongly bind to an external network interface instead of the VPN tunnel.

wfc-pkt-router can wrongly bind to external network interface instead of VPN tunnel

There is a daemon called \"wfc-pkt-router\" (the \"IMS packet router daemon\" according to https://github.com/ItsLynix/samsung_a53x_dump/blob/36de1bc4f9a9b3646809805b9feaf2f4396177e5/vendor/etc/init/init.s5e8825.rc) on some Samsung-based phones, including Pixel 7 and (according to that github link) Samsung a53xnaxx (?). When WiFi Calling is active, this daemon is responsible for forwarding IP packets between the baseband (/dev/umts_wfc1 on Pixel 7) and an IPSec tunnel provided by Android. wfc-pkt-router creates a raw socket bound to a specific interface (using SO_BINDTODEVICE) and forwards raw IP packets between the interface-bound socket and the baseband (/dev/umts_wfc1).

Some other mechanism outside wfc-pkt-router (I have no idea how that works) apparently causes Android to set up an IPSec tunnel with a local IP address that is also known to the baseband. When the baseband starts using an IPSec tunnel via wfc-pkt-router, it has to tell wfc-pkt-router which interface to bind to. The baseband does this by telling wfc-pkt-router the local IP address of the IPSec tunnel; wfc-pkt-router then scans through the list of network interfaces (using getifaddrs()) and searches for a matching interface. If multiple interfaces match, it picks the *newest* interface with the right IP address.

The main problem with this is that multiple interfaces can have the same local IP address. IPSec interfaces are created dynamically, so they are typically created later than WiFi interfaces or such, which means an address collision with a WiFi interface is not a problem *as long as the IPSec interface exists*; but the interfaces associated with USB ethernet adapters or VPN apps can be dynamically created after the IPSec interface creation.

I have experimentally tested on a Pixel 7 that, if a USB ethernet adapter is inserted after the IPSec interface was created, and the DHCP server assigns the same IP address that is also used for the IPSec tunnel, traffic intended for the IPSec tunnel flows bidirectionally between the baseband and the ethernet adapter - I saw an outgoing SIP connection attempt that I could intercept and reply to. (This requires that the IP address used inside IPSec is IPv4 - I have seen one provider that uses IPv4 inside the IPSec tunnel and another one that uses IPv6.)

I recommend that you give wfc-pkt-router the right interface name somehow instead of letting it search for the right interface based on IP address.

--- Additional Comments ---

Because of the bug, the baseband's SIP connection does *NOT* go through the IPSec tunnel. So the protections provided by IPSec become irrelevant.

The normal flow of data for wifi calling is like this:

1. baseband generates a TCP SYN packet  
2. baseband puts the TCP SYN packet in an unencrypted IP packet  
3. baseband sends the unencrypted IP packet to wfc-pkt-router (on the AP)  
4. wfc-pkt-router sends the unencrypted IP packet to "ipsec*" network interface  
5. Linux kernel IPSec/xfrm layer encrypts the IP packet  
6. Linux kernel sends encrypted IP packet over wifi or whatever

But when the bug is hit, the data flow is instead like this:

1. baseband generates a TCP SYN packet  
2. baseband puts the TCP SYN packet in an unencrypted IP packet  
3. baseband sends the unencrypted IP packet to wfc-pkt-router (on the AP)  
4. wfc-pkt-router sends the unencrypted IP packet to eth0 network interface

So the unencrypted IP packet from the baseband is directly sent out of the phone. The other direction works the same way.

Samsung Device Solution BU's PSIRT (dsprodsec) let me know that they plan to list this in their bulletin as:

CVE-2023-29092  
Improper handling of  parameters while binding network interface  
Exynos Mobile Processor and  Modem  
Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080  
Denial of Service  
Attacker insert malicious configured USB ethernet adapter  
Binding wrong resource can occur due to improper handling of parameters while binding network interface  
3.1 Low CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

https://source.android.com/docs/security/bulletin/pixel/2023-04-01 says CVE-2023-29092 was fixed at the 2023-04-05 patch level.

This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is 2023-05-08.

Related CVE Numbers: CVE-2023-29092wasfixedatthe2023-04-05patchlevel,CVE-2023-29092.

Found by: jannh@google.com

wfc-pkt-router Incorrect Bind

Out-of-bounds Read vulnerability while processing CMD_COLDWALLET_BTC_SET_PRV_UTXO in bc_core trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows local attacker to read arbitrary memory.

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer  
Samsung Electronics (UK) Limited  
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

**Cookies**

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

**Essential Cookies**: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie

Domain

Purpose

JSESSIONID

security.samsungmobile.com

to keep login session

lastActivityTime

security.samsungmobile.com

to save the user's last activity time to automatically logout after 30 minutes of inactivity

**Managing Cookies and Other Technologies**

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Tag

#samsung