Red Hat Security Advisory 2024-1982-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1982.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: thunderbird security updateAdvisory ID:        RHSA-2024:1982-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1982Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2024-3302====================================================================Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 115.10.0.Security Fix(es):* Mozilla: Denial of Service using HTTP/2 CONTINUATION frames (CVE-2024-3302)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3302References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2273383

Red Hat Security Advisory 2024-1982-03

Internal emails suggest that the company continued to provide gunshot data to police in cities where its contracts had been canceled.

When Mayor Brandon Johnson announced in February that Chicago would stop using the gunshot-detection system known as ShotSpotter by year’s end, local activists were elated.

Ever since 2021, when the police fatally shot 13-year-old Adam Toledo while responding to a ShotSpotter alert, the Stop ShotSpotter Campaign has been pressuring the city to ditch the technology. Johnson’s decision not to renew the Windy City’s contract with ShotSpotter was seen as the culmination of the campaign’s efforts.

But ending the contract may not be enough to remove the company’s more than 2,500 sensors from neighborhoods on the city’s South and West Sides, where they’re disproportionately located. Internal emails reviewed by _South Side Weekly_ and WIRED suggest that ShotSpotter keeps its sensors online and, in some instances, provides gunshot-detection alerts to police departments in cities where its contracts have expired or been canceled. The emails raise new questions about whether the more than 2,500 sensors in Chicago will be turned off and removed, regardless of Johnson’s decision.

“We continue to focus on serving the City of Chicago with our critical gunshot detection technology service during our contractual term,” a ShotSpotter spokesperson wrote in a statement. “Nothing has changed regarding our singular purpose to close the public safety gap by enabling law enforcement agencies globally to more efficiently and effectively respond to incidents of criminal gunfire … where gunshot wound victims’ lives are in the balance.”

An organizer who’s been active in the push to cancel ShotSpotter’s contract in Chicago wasn’t surprised that the company has continued to work with police behind the scenes in cities where contracts have ended.

“I think it’s exactly what cops and corporations do,” says Nathan Palmer, an organizer with the Stop ShotSpotter Campaign and Black Youth Project 100. “Especially when we’re thinking about Chicago, it would benefit ShotSpotter to keep the mics up and working so that they can also throw lobbying money at whoever’s gonna oppose Mayor Brandon Johnson in the next election.”

ShotSpotter, which rebranded as SoundThinking in 2023, has a customer base of roughly 170 cities, according to its most recent filing with the US Securities and Exchanges Commission. Chicago is not the first to deem the ShotSpotter technology not worth the cost. (By the time the city’s contract extension ends in November, ShotSpotter will have cost Chicago more than $57 million since then-mayor Rahm Emanuel inked a comprehensive deal with the company in 2018.)

San Antonio, San Diego, and Dayton, Ohio, have all joined a growing list of cities that have publicly cut ties with ShotSpotter. Confidential company emails reviewed by the _Weekly_ and WIRED, however, indicate that the company never completely pulled its technology out of some cities.

An October 2023 email sent to John Fountain, a director of field and network operations at SoundThinking who left the company in December, described how the company continued to secretly offer its help to police in cities where contracts had lapsed. The email, which addressed a shortage of sensors in a city with an active contract, apparently referred to Clark Dunson, SoundThinking’s director of systems engineering.

“I would like to imagine we can pull some \[sensors\] from an old coverage area … Maybe San Diego and Indianapolis,” wrote the sender, whose name was redacted. “Last time we looked to remove sensors from an old coverage area I know Clark flipped out since we still work with police using those sensors (which I did not know).”

A spokesperson for SoundThinking declined to answer detailed questions about what services the company has provided to police departments after contracts are up and instead emailed a statement. “SoundThinking believes this confidential information was illegally disclosed by ex-employees and is currently pursuing civil and criminal remedies against the private parties responsible,” the statement read. “Due to this ongoing litigation, we cannot comment specifically on the leaked materials; however, we will continue to object to the use of our stolen data and reinforce the safety and privacy risks of disclosing individual sensor locations.”

ShotSpotter is suing two former employees who the company alleges posted confidential company information on Twitter after one was fired in November.

In February, WIRED reported ShotSpotter sensor locations based on leaked company data showing more than 25,000 microphones arrayed across the globe. Those maps revealed active sensors remained in both San Diego and Indianapolis. The Indianapolis Metropolitan Police recently told the _Indianapolis Star_ that it does not have a contract with the company after piloting technology from three different gunshot-detection companies in 2022.

“The evaluation of whether or not gunshot detection technology system is right for Indianapolis is still ongoing,” a police spokesperson told the _Star_. The statement added that the department believed it was ShotSpotter’s responsibility to remove its sensors.

ShotSpotter doesn’t sell its sensors to cities. Instead, the company uses a software-as-service model, billing cities for the software and applications that allow police to access ShotSpotter alerts. When a contract expires, the company apparently doesn’t always retrieve its sensors.

An email from Fountain dated from December 2022 estimated that there were a “few hundred sensors still installed” in San Diego and that they are “active even if the market isn’t.”

Fountain again noted that removing any sensors from San Diego would require Clark Dunson’s approval. “Clark is really pushy and he likes to tinker around with those coverage area\[s\] but I imagine we can pull a few here and there,” he wrote.

In August 2023, Dunson sent an internal email that said ShotSpotter had been providing “test alerts” to police in San Diego and San Antonio. “As a last resort we can pull sensors away from San Diego or San Antonio if needed but Lee \[Lim, a SoundThinking tech-support engineer\] has been working with the PD in those areas giving test alerts and tracking down detections for them.”

The San Diego Police Department denied that sensors in that city are active or collecting any data. SDPD also claimed to have never asked the company for help with gunshot detections in any incidents involving homicides or shootings.

“At this time, there is no contract and there is no plan to move forward with the company,” a spokesperson for the department wrote in an email. San Diego and ShotSpotter entered into an agreement that allows the company to leave its sensors on city property. “However, as of September 2021, the equipment is deactivated, cannot collect any data, and is inoperable.”

But emails the _Weekly_ and WIRED obtained via a California Public Records Act request show that ShotSpotter stayed in touch with SDPD for more than 15 months after the city’s contract expired in September 2021. In those emails, ShotSpotter support staff routinely address SDPD as a “ShotSpotter Customer.”

These weren’t just mass marketing emails that all customers past and present are frequently subjected to. The emails we obtained show that in October 2021, after the contract had lapsed, ShotSpotter also provided an SDPD officer with an “investigative lead summary” about a shooting in San Diego, including the precise location and the number of rounds detected, upon SDPD’s request.

ShotSpotter also sent SDPD emails updating the department about routine scheduled maintenance in October 2022 and how the company planned to address the “extremely high volume of fireworks activities” around New Year’s Day in 2023.

“Despite our efforts, we may occasionally miss a gunshot in error,” wrote Dinh Nguyen, a technical support engineer at ShotSpotter, in a December 2022 email to SDPD. “You may also experience some delays in the publication of incidents.”

ShotSpotter is not on a list of surveillance technologies the SDPD is required to frequently publish as a part of a sweeping surveillance ordinance passed by the San Diego City Council in August 2022 and amended in January of this year.

A San Diego councilmember whose district includes several of the neighborhoods where ShotSpotter sensors were installed in 2016 said that their “office is aware of the ShotSpotter situation” via a spokesperson. In July 2021, the then-District Four councilmember requested the city remove sensors from his district, which helped scuttle the contract renewal.

“A request to remove such \[sensors\] has been forwarded to the San Diego Police Department and the mayor’s office,” a spokesperson for current District Four councilmember Henry L. Foster III (who was sworn in in April) wrote in an email to the _Weekly_ and WIRED. “Devices that have not been approved in accordance with the Surveillance Ordinance should not be installed and or operational by the City of San Diego or third party.”

San Diego mayor Todd Gloria’s office did not respond to requests for comment.

In 2021, San Diego’s city council pulled a scheduled vote on a four-year extension to ShotSpotter from its agenda, effectively sunsetting the city’s agreement with the company. Although Gloria’s office said in statements at the time that it would bring the extension back up in the city council, there is no indication that it did.

Based on a map of the secret locations of every ShotSpotter sensor in the country published by WIRED, there are still about 30 active sensors in San Diego, most of which are clustered near UC San Diego’s La Jolla campus and the Scripps Institution of Oceanography.

When asked to comment on whether SDPD receives and responds to ShotSpotter alerts from these active sensors, a spokesperson for the department directed questions to the UCSD police. UCSD did not respond to requests for comment.

The _Weekly_ and WIRED requested emails sent between San Antonio Police Department and ShotSpotter dated after the city’s contract with ShotSpotter expired in the fall of 2017. In March, the SAPD filed an appeal with the Texas attorney general, seeking to have the responsive records withheld under a laundry list of exemptions provided for by the state’s public records act. The police provided sealed records to the Texas AG to review. The AG is expected to decide whether to release the records by May.

SAPD said that after the contract lapsed, the department never asked ShotSpotter for assistance, and no arrests were made based on detections provided by the company.

Records produced in response to a separate public records request show that ShotSpotter sent four-term San Antonio mayor Ron Nirenbergt at least two marketing emails months after the city council voted not to include ShotSpotter in its budget for the upcoming fiscal year. The company does not appear to have communicated with his office after November 2018, however. Nirenberg’s office did not respond to requests for comment.

“To me it sounds like, on their part, another strategic business decision, and that’s what they’re doing in every city,” says Palmer, the Stop ShotSpotter organizer. “It sounds like a business decision, because they don’t actually care about public safety.”

_This story was copublished in collaboration between_ Southside Weekly _and_ WIRED.

ShotSpotter Keeps Listening for Gunfire After Contracts Expire

Red Hat Security Advisory 2024-1961-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1961.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch security updateAdvisory ID:        RHSA-2024:1961-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1961Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2023-3812====================================================================Summary: An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.Security Fix(es):* kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags (CVE-2023-3812)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3812References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2224048

Red Hat Security Advisory 2024-1961-03

It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line.

Kevin Bocek, Chief Innovation Officer, Venafi

April 23, 2024

5 Min Read

Source: Bakhtiar Zein via Alamy Stock Photo

COMMENTARY

OWASP recently released its top 10 list for large language model (LLM) applications, in an effort to educate the industry on potential security threats to be aware of when deploying and managing LLMs. This release is a notable step in the right direction for the security community, as developers, designers, architects, and managers now have 10 areas to clearly focus on. 

Similar to the National Institute of Standards and Technology (NIST) framework and Cybersecurity and Infrastructure Security Agency (CISA) guidelines provided for the security industry, OWSAP's list creates an opportunity for better alignment within organizations. With this knowledge, chief information security officers (CISOs) and security leaders can ensure the best security precautions are in place around the use of LLM technologies that are quickly evolving. LLMs are just code. We need to apply what we have learned about authenticating and authorizing code to prevent misuse and compromise. This is why identity provides the kill switch for AI, which is the ability to authenticate and authorize each model and their actions, and stop it when misuse, compromise, or errors occur.

**Adversaries Are Capitalizing on Gaps in Organizations**

As security practitioners, we've long talked about what adversaries are doing, such as data poisoning, supply chain vulnerabilities, excessive agency and theft, and more. This OWASP list for LLMs is proof that the industry is recognizing where risks are. To protect our organizations, we have to course correct quickly and be proactive. 

Generative artificial intelligence (GenAI) is putting a spotlight on a new wave of software risks that are rooted in the same capabilities that made it powerful in the first place. Every time a user asks an LLM a question, it crawls countless Web locations in an attempt to provide an AI-generated response or output. While every new technology comes with new risks, LLMs are especially concerning because they're so different from the tools we're used to.

Almost all of the top 10 LLM threats center around a compromise of authentication for the identities used in the models. The different attack methods run the gamut, affecting not only the identities of model inputs but also the identities of the models themselves, as well as their outputs and actions. This has a knock-on effect and calls for authentication in the code-signing and creating processes to halt the vulnerability at the source.

**Authenticating Training and Models to Prevent Poisoning and Misuse**

With more machines talking to each other than ever before, there must be training and authentication of the way that identities will be used to send information and data from one machine to another. The model needs to authenticate the code so that the model can mirror that authentication to other machines. If there's an issue with the initial input or model — because models are vulnerable and something to keep a close eye on — there will be a domino effect. Models, and their inputs, must be authenticated. If they aren't, security team members will be questioning if this is the right model they trained or if it's using the plug-ins they approved. When models can use APIs and other models' authentication, authorization must be well defined and managed. Each model must be authenticated with a unique identity.

We saw this play out recently with AT&T's breakdown, which was dubbed a "software configuration error," leaving thousands of people without cellphone service during their morning commute. The same week, Google experienced a bug that was very different but equally concerning. Google's Gemini image generator misrepresented historical images, causing diversity and bias concerns due to AI. In both cases, the data used to train GenAI models and LLMs — as well as the lack of guardrails around it — was the root of the problem. To prevent issues like this in the future, AI firms need to spend more time and money to adequately train the models and inform the data better. 

In order to design a bulletproof and secure system, CISOs and security leaders should design a system where the model works with other models. This way, an adversary stealing one model does not collapse the entire system, and allows for a kill-switch approach. You can shut off a model and keep working and protecting the company's intellectual property. This positions security teams in a much stronger way and prevents any further damages. 

**Acting on Lessons From the List **

For security leaders, I recommend taking OWASP's guidance and asking your CISO or C-level execs how the organization is scoring on these vulnerabilities overall. This framework holds us all more accountable for delivering market-level security insights and solutions. It is encouraging that we have something to show our CEO and board to illustrate how we're doing when it comes to risk preparedness. 

As we continue to see risks arise with LLMs and AI customer service tools, like we just did with Air Canada's chatbot giving a reimbursement to a traveler, companies will be held accountable for mistakes. It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line. 

In conclusion, this list serves as a great framework for rising Web vulnerabilities and the risks we need to pay attention to when using LLMs. While more than half of the top 10 risks are ones that are essentially mitigated and calling for the kill switch for AI, companies will need to evaluate their options when deploying new LLMs. If the right tools are in place to authenticate the inputs and models, as well as the models' actions, companies will be better equipped to leverage the AI kill-switch idea and prevent further destruction. While this may seem daunting, there are ways to protect your organization amid the infiltration of AI and LLMs in your network.

**About the Author(s)**

Chief Innovation Officer, Venafi

As Chief Innovation Officer, Kevin is leading Venafi’s growth in new innovations, and is at the forefront of Venafi’s cutting-edge machine identity management for workload identity, Kubernetes and AI. He also drives Venafi’s technology ecosystem and developer community to futureproof customer success and is responsible for the company’s Machine Identity Management Development Fund, which has sponsored innovations with more than 50 developers globally. Kevin brings more than 25 years of experience in cybersecurity with industry leaders including RSA Security, PGP Corporation, IronKey, CipherCloud, Thales, nCipher, and Xcert.

Lessons for CISOs From OWASP's LLM Top 10

The threat actor is deploying multiple connections into victim environments to maintain persistence and steal data.

Source: RooM the Agency via Alamy Stock Photo

An advanced persistent threat (APT) group known as ToddyCat is collecting data on an industrial scale from government and defense targets in the Asia-Pacific region.

Researchers from Kaspersky tracking the campaign described the threat actor this week as using multiple simultaneous connections into victim environments to maintain persistence and to steal data from them. They also discovered a set of new tools that ToddyCat (which is a common name for the Asian palm civet) is using to enable data collection from victim systems and browsers.

**Multiple Traffic Tunnels in ToddyCat Cyberattacks**

"Having several tunnels to the infected infrastructure implemented with different tools allow \[the\] attackers to maintain access to systems even if one of the tunnels is discovered and eliminated," Kaspersky security researchers said in a blog post this week. "By securing constant access to the infrastructure, \[the\] attackers are able to perform reconnaissance and connect to remote hosts."

ToddyCat is a likely Chinese-language speaking threat actor that Kaspersky has been able to link to attacks going back to at least December 2020. In its initial stages, the group appeared focused on just a small number of organizations in Taiwan and Vietnam. But the threat actor quickly ramped up attacks following the public disclosure of the so-called ProxyLogon vulnerabilities in Microsoft Exchange Server in February 2021. Kaspersky believes ToddyCat might have been among a group of threat actors that targeted the ProxyLogon vulnerabilities even prior to February 2021, but says it has not found evidence yet to back up that conjecture.  

In 2022, Kaspersky reported finding ToddyCat actors using two sophisticated new malware tools dubbed Samurai and Ninja to distribute China Chopper — a well-known commodity Web shell used in the Microsoft Exchange Server attacks — on systems belonging to victims in Asia and Europe.

**Maintaining Persistent Access, Fresh Malware**

Kaspersky's latest investigation into ToddyCat's activities showed the threat actor's tactic to maintain persistent remote access to a compromised network is to establish multiple tunnels to it using different tools. These include using a reverse SSH tunnel to gain access to remote network services; using SoftEther VPN, an open source tool that enables VPN connections via OpenVPN, L2TP/IPSec, and other protocols; and using a lightweight agent (Ngrok) to redirect command-and-control from an attacker-controlled cloud infrastructure to target hosts in the victim environment.

In addition, Kaspersky researchers found ToddyCat actors to be using a fast reverse proxy client to enable access from the Internet to servers behind a firewall or network address translation (NAT) mechanism.

Kaspersky's investigation also showed the threat actor using at least three new tools in its data-collection campaign. One of them is malware that Kaspersky had dubbed "Cuthead" that allows ToddyCat to search for files with specific extensions or words on the victim network, and to store them in an archive.

Another new tool that Kaspersky found ToddyCat using is "WAExp." The malware's task is to search for and collect browser data from the Web version of WhatsApp. 

"For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data," Kaspersky researchers said. WAExp allows the attacks to gain access to this data by copying the browser's local storage files, the security vendor noted.  

The third tool meanwhile is dubbed "TomBerBil," and allows ToddyCat actors to steal passwords from Chrome and Edge browsers.

"We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest," Kaspersky said. "The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system."

The security vendor recommends that organizations block IP addresses of cloud services that provide traffic tunneling and limit the tools that administrators can use to access hosts remotely. Organizations also need to either remove or closely monitor any unused remote access tools in the environment and encourage users not to store passwords in their browsers, Kaspersky said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

ToddyCat APT Is Stealing Data on 'Industrial Scale'

Over the weekend, President Joe Biden signed legislation not only reauthorizing a major FISA spy program but expanding it in ways that could have major implications for privacy rights in the US.

The ability of the United States to intercept and store Americans’ text messages, calls, and emails in pursuit of foreign intelligence was not only extended but enhanced over the weekend in ways likely to remain enigmatic to the public for years to come.

On Saturday, US president Joe Biden signed a controversial bill extending the life of a warrantless US surveillance program for two years, bringing an end to a months-long fight in Congress over an authority that US intelligence agencies acknowledge has been widely abused in the past.

At the urging of the agencies and with the help of powerful bipartisan allies on Capitol Hill, the program has also been extended to cover a wide range of new businesses, including US data centers, according to recent analysis by legal experts and civil liberties organizations that were vocally opposed to its passage.

Section 702 of the Foreign Intelligence Surveillance Act, or FISA, allows the US National Security Agency (NSA) and Federal Bureau of Investigation (FBI), among other agencies, to eavesdrop on calls, texts, and emails traveling through US networks, so long as one side of the communication is foreign.

Americans caught up in the program face diminished privacy rights.

While the government requires a foreign target to commence a wiretap, Americans are often party to those intercepted conversations. And although US attorney general Merrick Garland insisted in a statement on Saturday that the updates to the 702 program “ensure the protection of Americans' privacy and civil liberties,” and that the government never intentionally targets Americans, the government nevertheless reserves the right to store their communications and access them later without probable cause.

“Section 702 is supposed to be used only for spying on foreigners abroad,” says Dick Durbin, chair of the Senate Judiciary Committee. “Instead, sadly, it has enabled warrantless access to vast databases of Americans’ private phone calls, text messages, and emails.”

Under the law, the government can retain communications captured by the 702 program for half a decade or more—indefinitely, so long as the government makes no effort to decrypt them.

A trade organization representing some of the world’s largest tech companies came out against plans to expand Section 702 in the final hours of the debate, claiming that a new provision authored by House Intelligence Committee members would damage the competitiveness of US technologies, “arguably imperiling the continued global free flow of data between the US and its allies.”

US intelligence obtains its vast surveillance power through yearly certifications doled out by a secret court. The certifications permit the NSA in particular to force businesses in the US—categorized as “electronic communications service providers,” or ECSPs—to cooperate with the program, collecting data and installing wiretaps on the agency’s behalf.

Years ago, the government sought to unilaterally expand the definition of ECSP under the law, seeking to compel the cooperation of whole new categories of businesses. That effort was beaten back by the FISA court in 2022, in a ruling that stated only Congress has the “competence and constitutional authority” to rewrite the law.

On the spy community’s behalf, the House Intelligence Committee introduced an amendment last year to codify the sought-after expansion of the 702 program, broadening the definition of what it means to be an ECSP.

With the backing of party leaders, the House and Senate intel committees maintained an outsize influence over the bill’s trajectory through Congress, lobbying lawmakers hand-in-hand with the intelligence community to defeat a slate of popular reforms, including a House amendment that would have required the FBI to obtain search warrants before accessing the communications of Americans collected under Section 702.

The House and Senate judiciary committees, which oversee the work of the US Justice Department, have traditionally held jurisdiction over FISA. However, much of their authority was sapped after the House speaker, Mike Johnson, adopted the pro-surveillance views of the intel committee members, which align with those of the White House.

Legal experts—including a rare few attorneys who’ve argued cases before the FISA court in the past—say the new ECSP text ensnares owners of facilities housing equipment used to store and carry data, as well as commercial landlords and virtually anyone with access to communications equipment in those spaces. The text, they argue, may be interpreted by the government as granting it authority to compel the assistance of “delivery personnel, cleaning contractors, and utility providers,” among others.

Criticism of the 702 program largely stems from revelations of abuse in a declassified court filing from 2022, which describes rampant misuse of the 702 database by the FBI. Investigators at the bureau have been caught unlawfully scouring 702 data for information on American protesters, journalists, and political donors. On at least one occasion, an FBI analyst worked to access the communications of a sitting member of Congress.

The FBI instituted scores of new procedures in an attempt to clamp down on the abuse internally, practices that are now codified under the law. House and Senate intelligence members say codifying the policies will serve as a sufficient bulwark against further abuse. Civil libertarians who have pursued new warrant requirements under FISA—an amendment that was dropped after a tie vote in the House of Representatives last week—argue, conversely, that the FBI should not be trusted to oversee itself in the wake of recent scandal.

Liza Goitein, a FISA expert and senior director at the Brennan Center of Justice at New York University School of Law, says the bill signed by Biden on Saturday represents “a gift to any president who may wish to spy on political enemies.”

“Although some senators fought valiantly to protect Americans’ civil liberties, they could not overcome the barrage of false and misleading statements from the administration and surveillance hawks on the congressional intelligence committees,” says Goitein. “This is a truly shameful episode in the history of the US Congress, and sooner or later, the American people will pay the price.”

The Next US President Will Have Troubling New Surveillance Powers

Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

PRESS RELEASE

TEL AVIV, Israel -- (BUSINESS WIRE)-- Miggo, a cybersecurity startup introducing the first Application Detection and Response (ADR) platform, announced today $7.5 million in seed funding led by global cybersecurity VC firm YL Ventures with the participation of CCL (Cyber Club London), cybersecurity leaders from Elastic and Everon and former CISOs of Google, Zscaler and Nike. Miggo's ADR platform addresses a critical gap in application security by enabling security teams to detect and respond to targeted application attacks in real-time.

2023 saw a rise in high-profile application attacks that went undetected by traditional tools. The MOVEit, Microsoft SharePoint, Ivanti Gateway and GoAnywhere breaches highlight critical AppSec blind spots of application behavior in runtime and how attackers are hedging their bets on this well-known, ongoing security gap. According to Justin Somaini, Partner at YL Ventures and former CISO of Unity, SAP and Yahoo!, “Applications in production constitute one of the few true blind spots of today’s security programs. Last year’s incidents alone underscore how critically we need to secure the application layer. This is a space that still needs a lot of innovation to address what traditional tools cannot.”

Today, applications are the primary target of nearly 80% of data attacks, according to Verizon’s 2023 Data Breach Investigations Report. More recent shifts to distributed application architecture, which requires multiple chains of trust between different services, have further broadened the domain’s threat landscape. Attackers can manipulate flows between services without detecting existing security sensors like EDR, WAF and CNAPP tools. The only way to identify such malicious activity is with direct views into applications while they're running.

Under the leadership of Daniel Shechter, CEO and co-founder, and Itai Goldman, CTO and co-founder, Miggo developed a platform that analyzes interactions and data flows within applications to detect and mitigate attacks before they can escalate into breaches. "We need to proactively tackle this massive and largely unseen attack surface. Not only do we need precise detection and response for unexpected behaviors directly in live application environments, but also insight and understanding into the inner workings of today’s distributed applications as they run," explained Shechter.

Miggo's technology precisely discovers and maps the architecture of distributed applications to establish behavioral baselines and monitor for deviations from intended design or code execution flows. Leveraging live in-application context, Miggo determines if a deviation indicates that the application is exploitable, under active exploitation or backdoored, and initiates targeted mitigations to contain breaches by pinpointing the offender and affected areas to recommend precise remediation strategies.

The combined ability to detect live threats to applications and respond within the applications themselves are key innovations, according to CISO Mike Melo. “Miggo is finally providing transparency for our most significant attack vector with the exact tools each stakeholder requires to protect and defend mission-critical assets. ADR is the unified solution we need to not only give us application-layer visibility and control but also dramatically lower our mean time to detect and respond to application attacks,” he said.

Discover how Miggo can safeguard your applications against the next generation of cyber threats. Visit miggo.io for more information and to schedule a demo.

About Miggo  
Miggo is the first Application Detection and Response platform, providing the visibility, response and understanding you need to prevent application breaches. Using in-application context to shed light on your biggest attack surface, Miggo’s ADR enables businesses to monitor how applications behave in runtime and stop attackers from manipulating chains of trust between distributed services. With Miggo, monitor application weak spots and identify and mitigate attacks in real-time. Visit miggo.io for more information.

About YL Ventures  
YL Ventures funds and supports visionary cybersecurity entrepreneurs from seed to scale to help them evolve transformative ideas into market-leading companies. The firm accelerates company growth with tailored support through its powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of multidisciplinary experts. Based in Silicon Valley, New York and Tel Aviv, YL Ventures manages five funds with $800M in total AUM. The firm has a track record of seeding cybersecurity unicorns such as Axonius and Orca Security and its portfolio companies have been successfully acquired by high-profile, global industry leaders including Palo Alto Networks, Microsoft, Okta and Proofpoint. In 2022, YL Ventures ranked 8th out of over 250 venture capital firms in PitchBook’s prestigious Global Manager Performance Score League Tables and was the only cybersecurity-focused VC to secure a top 10 spot.

Miggo Launches Application Detection and Response (ADR) Solution

By Deeba Ahmed
Shadowboxing in Search Results: Tuta Mail De-ranked and Disappearing on Google!
This is a post from HackRead.com Read the original post: Tuta Mail (Tutanota) Accuses Google of Censoring Its Search Results

Is Google hiding Tuta Mail from search results? Here’s the controversy surrounding Tuta Mail’s search ranking and dig deeper into the potential violation of Europe’s DMA. Learn about algorithmic bias, the importance of search transparency, and how users can navigate a potentially unfair digital marketplace.

For many users seeking privacy-focused email solutions, the popular open-source encrypted email service Tuta Mail (previously Tutanota) is a great alternative to mainstream providers. However, the company recently raised concerns about its visibility in Google search results. 

****Tuta Mail Being De-ranked on Google?****

Hanover, Germany-based Tuta Mail, the world’s second-largest secure email service provider, isn’t appearing on Google for search terms like “encrypted email” or “secure email”. Moreover, a dramatic drop in search ranking for “Tutanota login” is observed, suggesting a potential violation of the European Digital Markets Act (DMA).

What happens when Tutanota login is typed in Google (Screenshot: Hackread.com)

According to Tuta Mail’s blog, its users in Germany cannot view Tuta’s website as the first result but only on their Android app on Google Play. It may have severe implications for Tuta’s business, despite being a Google-specific issue, because on other search engines, like Bing or DuckDuckGo, there’s no such issue. This lack of search visibility for relevant keywords can hinder Tuta’s ability to compete in the email service market and put them at a disadvantage. 

****Why Might Google Be De-ranking Tuta Mail?****

Tuta Mail’s lower ranking in Google search results could be due to various factors, including relevance, algorithmic bias, and technical issues. Google’s search algorithms prioritize user experience, and other email service providers may have higher relevance scores. Technical glitches or indexing problems can cause temporary website disappearance from search results, but this is highly unlikely for an established service like Tuta Mail. It is a complex issue and Google must address it to ensure transparency and user awareness. 

What’s more concerning is that it violates the DMA, which promotes fair competition for privacy-conscious companies. The DMA being a new regulation, is evolving its enforcement of search engine practices. If Tuta Mail has evidence of Google manipulating search results, they could file a complaint.

****Not the First Time for Tuta:****

Tuta Mail has been facing blockages from multiple sides. In 2022, Hackread.com reported Microsoft blocking Tutanota/Tuta Mail email addresses from registering for Microsoft Teams accounts, despite the service having over 2 million registered users.

Russia also blocked Tuta in certain parts of the country in February 2020 without notifying the team about the reason whereas the service has been blocked in Egypt since October 2019.

In a comment to Hackread.com, Matthias Pfau, co-founder of Tuta Mail, criticized Google’s monopoly over search engine results, specifically its impact on determining what to show and what not to show.

> _“This issue is limited to Google only. But due to Google’s search dominance in Europe and North America, the drop we see in search results directly affects our business: When potential users are not able to find our website on Google, it means we lose business. Google must stop this unfair limitation of showing our website in search results immediately. We have tried to contact Google directly, but since this did not work, we have to make the issue public.”_
> 
> Matthias Pfau, co-founder of Tuta Mail

1.  How Internet Censorship Affects You – Pros & Cons
2.  Google to Delete Inactive Gmail Accounts From Today
3.  Top 10 worst countries for Internet freedom & censorship
4.  Simple Yet Vital Tips to Send Documents Securely via Email
5.  Google Incognito Mode: New Disclaimer Reveals Data Tracking

Tuta Mail (Tutanota) Accuses Google of Censoring Its Search Results

Red Hat Security Advisory 2024-1904-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1904.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:1904-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1904Issue date:         2024-04-18Revision:           03CVE Names:          CVE-2024-2609====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 115.10.0 ESR.Security Fix(es):  * GetBoundName in the JIT returned the wrong object (CVE-2024-3852)* Out-of-bounds-read after mis-optimized switch statement (CVE-2024-3854)* Incorrect JITting of arguments led to use-after-free during garbage collection (CVE-2024-3857)* Permission prompt input delay could expire when not in focus (CVE-2024-2609)* Integer-overflow led to out-of-bounds-read in the OpenType sanitizer (CVE-2024-3859)* Potential use-after-free due to AlignedBuffer self-move (CVE-2024-3861)* Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10 (CVE-2024-3864)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-2609References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2275547https://bugzilla.redhat.com/show_bug.cgi?id=2275549https://bugzilla.redhat.com/show_bug.cgi?id=2275550https://bugzilla.redhat.com/show_bug.cgi?id=2275551https://bugzilla.redhat.com/show_bug.cgi?id=2275552https://bugzilla.redhat.com/show_bug.cgi?id=2275553https://bugzilla.redhat.com/show_bug.cgi?id=2275555

Tag

#sap