Alignment between these domains is quickly becoming a strategic imperative.

Source: Panther Media GmbH via Alamy Stock

COMMENTARY

With an increasingly complex threat landscape and the progression of threat-actor tactics, effective cybersecurity is non-negotiable. At the same time, staffing challenges and an uncertain economy have made it increasingly challenging to manage your attack surface and keep would-be threat actors at bay.

That's not for lack of effort — or expenditure. Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That's a 14% increase over 2023. Gartner expects that expenditures for IT will reach a whopping $5.1 trillion in 2024.

Amid all this, companies are striving for disruptive innovation and progress while keeping a close eye on budgets. Many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. As a chief information officer (CIO), I can attest that I've seen this crunch particularly within the global IT space. This is not a good moment for IT to be stressed out and overworked. The stakes are simply too high.

So, how can organizations mitigate threats while maintaining momentum?

It's time to finally break down the silos between IT and security. That starts by fostering alignment between the CIO and chief information security officer (CISO).

**Streamlined, Secure — or Both?**

Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.

**Access, Please: The CIO Imperative**

For many CIOs, it's common to be focused on streamlining and efficiency, especially given staffing challenges. Additionally, CIOs and IT teams work to ensure continuous access to optimized tools that help employees get their jobs done. Sixty-one percent of IT professionals admit that negative technology experiences directly impact their morale, underscoring the palpable connection between tech efficiency and employee engagement.

Lack of access to the right tools can contribute to "shadow IT." Conversely, streamlined, efficient operations enhance speed and elevate the digital employee experience.

**Standing Guard: The CISO Imperative**

Meanwhile, my peers in the CISO role dial in to ensure organizations are as secure as possible. This is a critical and constantly moving target, as threat actors continue to find new avenues of attack. Effective cybersecurity prevents all manner of problems, ranging from the inconvenient (unexpected downtime) to the catastrophic (a major breach).

I have an enormous amount of respect for the CISO role, as should everyone impacted by security. (And that's all of us.) In 2022, the average cost of a single data breach was $4.5 million — not counting ransomware costs. Meanwhile, nearly 87% of businesses grapple with a shortfall in IT security staff. This talent crunch severely threatens organizations’ defenses against evolving cyber threats.

**Exploring the Overlap**

Both CIO and CISO roles seek to optimize business outcomes, though we often take differing approaches. "Streamlined" and "secure" are frequently mutually exclusive, particularly if your organization lacks the right tools.

There are several areas impacting both IT and security. Just two include:

*   Influx of devices and data: It's anticipated that more than 180 zettabytes of data will be floating around by 2025. If you thought we were already facing a data firehose, you haven't seen anything yet. The more data produced, the more streamlined operations must be to manage relevant data effectively — and the more importance must be placed on data protection.
    

*   Shifting work environments posing challenges: The mix of remote, hybrid, and in-person work environments — plus the increasing reliance on personal devices used to access company data — makes things more challenging for both IT and security.
    

Problems like these aren't theoretical — they’re real. According to Duke University research, "more than 80 percent of U.S. companies indicate their systems have been successfully hacked in an attempt to steal, change or make public important data." Meanwhile, the digital employee experience is more critical than ever in the battle to attract, engage, and retain top talent — so any tools and policies must be user friendly and secure.

I like to think of these challenges as shared opportunities. 

**Unlock the Collaborative Potential of CIOs and CISOs**

This is where alignment comes in. IT and security may have been siloed, but that could change. The past few years have shown change is not only possible but essential for survival. 

Breaking down the silos between your IT and security leaders doesn't diminish their roles, it elevates them.

Collaborative IT and security leaders, and their teams, enjoy the benefits of:

*   Financial optimization through consolidation: Streamlining vendor and technology portfolios for optimized spending and resource utilization.
    

*   Elevated employee engagement: Eradicating shadow IT and fortifying digital business for heightened engagement and security. 
    

*   Heightened enterprise resilience: Bolstering cybersecurity measures to curtail risks and fortify the organizational backbone.
    

Fostering alignment between these teams will vary, but there are a few universal principles to keep in mind:

*   Loop in your applicable executive(s), e.g., your CEO, from the start. They should be on board with and involved in facilitating this alignment.
    

*   Clarify objectives and define roles. Seek commonalities with your counterpart to identify overlap and gaps. 
    

*   Make yourself open for regular communication and collaboration — and find out if there are cross-training initiatives available.
    

*   In collaboration with applicable executives, adopt a unified approach to performance metrics, reporting mechanisms, risk management, data governance, and compliance.
    

*   Work together when making decisions on technology adoption, resource allocation, and budgeting.
    

*   Tooling should be a shared responsibility to ensure coverage and observability are always meeting key performance indicators (KPIs).
    

The endgame with these tactics is a more efficient operation to make life easier for both parties. Worth noting: Intelligent hyperautomation can be a massive benefit in streamlining processes and amplifying operational efficiency.

IT and security alignment is a strategic necessity. This collaborative effort fosters mutual accountability and improves overall security by eliminating data silos that hinder response times and hide crucial insights.

**About the Author(s)**

Chief Information Officer, Ivanti

Robert Grazioli is chief information officer (CIO) of Ivanti, responsible for all of its global IT systems and SaaS Operations, including the integration of Ivanti acquisitions over the past two years. Bob originally joined Ivanti in June 2020 as vice president of SaaS operations. Bob brings more than 25 years of global experience spanning the financial services and the software industry. He has been involved in some of the biggest software acquisitions in the industry over the past 10 years and has been responsible for some of the largest SaaS offerings in the industry. In addition, Bob has oversight of Customer Zero, taking Ivanti’s SaaS operations to the next level through leveraging our own learnings to benefit the needs of our customers.

Why CIO &amp; CISO Collaboration Is Key to Organizational Resilience

Apple Security Advisory 06-10-2024-1 - visionOS 1.2 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-06-10-2024-1 visionOS 1.2

visionOS 1.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214108.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27817: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

CoreMedia  
Available for: Apple Vision Pro  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27831: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

Disk Images  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27832: an anonymous researcher

Foundation  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27801: CertiK SkyFall Team

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27836: Junsung Lee working with Trend Micro Zero Day Initiative

IOSurface  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27828: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory protections  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27840: an anonymous researcher

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27815: an anonymous researcher, and Joseph Ravichandran  
(@0xjprx) of MIT CSAIL

libiconv  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27811: Nick Wellnhofer

Messages  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27800: Daniel Zajork and Joshua Zajork

Metal  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-27802: Meysam Firouzi (@R00tkitsmm) working with Trend Micro  
Zero Day Initiative

Metal  
Available for: Apple Vision Pro  
Impact: A remote attacker may be able to cause unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-27857: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Safari  
Available for: Apple Vision Pro  
Impact: A website's permission dialog may persist after navigation away  
from the site  
Description: The issue was addressed with improved checks.  
CVE-2024-27844: Narendra Bhati of Suma Soft Pvt. Ltd in Pune (India),  
Shaheen Fazim

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: The issue was addressed by adding additional logic.  
WebKit Bugzilla: 262337  
CVE-2024-27838: Emilio Cobos of Mozilla

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 268221  
CVE-2024-27808: Lukas Bernhard of CISPA Helmholtz Center for Information  
Security

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improvements to the file  
handling protocol.  
CVE-2024-27812: Ryan Pickren (ryanpickren.com)

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed with improvements to the noise  
injection algorithm.  
WebKit Bugzilla: 270767  
CVE-2024-27850: an anonymous researcher

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: An integer overflow was addressed with improved input  
validation.  
WebKit Bugzilla: 271491  
CVE-2024-27833: Manfred Paul (@_manfp) working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: The issue was addressed with improved bounds checks.  
WebKit Bugzilla: 272106  
CVE-2024-27851: Nan Wang (@eternalsakura13) of 360 Vulnerability  
Research Institute

WebKit Canvas  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed through improved state management.  
WebKit Bugzilla: 271159  
CVE-2024-27830: Joe Rutkowski (@Joe12387) of Crawless and @abrahamjuliot

WebKit Web Inspector  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 270139  
CVE-2024-27820: Jeff Johnson of underpassapp.com

Additional recognition

ImageIO  
We would like to acknowledge an anonymous researcher for their  
assistance.

Transparency  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZnfN8ACgkQX+5d1TXa  
IvoomBAA23557a2KB9vrRnWu5nGWe5qidODwqadX9qUbErqlx6Hm0IMcKEGlaNjc  
i1BKib0QXYgh9IVzwn0/Q6GZX9mncM1EKJfjPVHJjdMPAXue9Dec7PeuSr4mQHUD  
bVUh9TS+ejQo9w06AQRdVDOGRl3uXX1E90h4uMVUPOXLkiobYJMlEdU4OAAaJ2MV  
qJvfQsTyzRNy4ciaFpc+5opWmaFse1AueE+Sjz30ed9tEjbyHML+yoy39HqAMheT  
lECfaKGLp28XyxsKCKW8+F5j83R4Rwi7U0nLROiRSukrwzq+Gbi52n/BTBvlxTc3  
Ng/4drldksgm9Uu6M9rRQFSRFBFKulK9Zxrj3qUK4Q6HvCTB+N4/gE7Yf11TyxPl  
+HkwG/ScIw9S4bB88FhA8rYMKIGIlZfDfh8NHCx3Wc11LE+p6LzX2RxQNKaSjgnf  
c1+VHJ3SwX/2mbtBdfPJdu5Qr6ofhanpsCiczJP2FkuSVGCPVIoq8Vam75rrueLn  
SLCHqgVker14Z12Q3XYRjyQrsI8nftu0pGZdYruAfw93Od0tTuX6i7G9VopHPRor  
1Y6JevWkhAC54KGWDmB2SRc6e3AZRaiAE25QE6I3nwAwRUCo2JZEjoQWfxYry1l2  
G5lga3qFvcbyriNoJPUfcKU7EzPYurVbY5rqpnUFi+xTtz1iyEw=  
=9AfP  
-----END PGP SIGNATURE-----

Apple Security Advisory 06-10-2024-1

Democratic leader Hakeem Jeffries has joined US intelligence officials in ignoring repeated inquiries about Israel’s “malign” efforts to covertly influence US voters.

Federal lawmakers in the US have dodged repeated inquiries over the past week about a covert operation ordered by the Israeli government to artificially boost support among Americans for its war in Gaza. At the same time, senior White House officials charged with advising President Joe Biden on matters of national security are claiming to have no knowledge of the operation—first disclosed publicly more than four months ago.

The operation, formally tied to the Israeli government by a New York Times reporter last week, kicked off in October 2023 following the surprise attack by Hamas in southern Israel. Researchers internationally began work to expose the campaign in February, identifying a flood of “suspicious accounts” on US-based social networking apps, most masquerading as Americans avowing support for the Israeli military response.

In addition to eroding support for the United Nations Relief and Works Agency, which provides assistance to 5.6 million Palestinian refugees, a chief aim of the Israeli operation, researchers say, was to sway the opinions of Black Americans. Per the Times—which cited four current and former Israeli officials in confirming their government had commissioned the campaign—its primary targets included the account of US congressman Hakeem Jeffries, the leader of the Democrats in the House, among others who are “Black and Democratic.”

Accounts tied to the operation—many of which, at the time of writing, remain active on X, despite being suspended on other platforms—promoted a Black Lives Matter hashtag and shared images of Martin Luther King Jr. alongside fabricated quotes. A website created for the operation included articles with titles such as “The leaders of the Civil Rights Movement and Their Support of Jewish People and Israel.”

Several examples of accounts used in the operation, many of which were created weeks prior to the Hamas attack on October 7 that killed an estimated 1,200 people, advertised themselves as “Christian.” One of the stolen identities used in the operation, first identified by a researcher in Qatar, was that of Kyle Jean-Baptiste, an up-and-coming Broadway star who died in 2015 after falling from a fire escape.

**Got a Tip?**

_If you have information about the work of the intelligence community or its congressional overseers, contact Dell Cameron at dell\_cameron@wired.com or via Signal at dell.3030._

Multiple inquiries placed with senior members of Jeffries’ staff, including his communications director, Andy Eichar, have gone unacknowledged for nearly a week. WIRED has attempted to resolve whether Jeffries ever received notification of the operation from US intelligence while Congress was in the midst of debating $14 billion in funding to supplement Israel’s war effort.

Israeli forces have killed more than 36,000 Palestinians since Hamas’ October 7 attack, according to Gaza health officials’ estimates, including dozens last Thursday at a United Nations school compound, where the Israeli military is accused of making “improper use” of a US-made bomb.

With the exception of the White House’s National Security Council, which on Thursday claimed to have no knowledge of the operation, and Senate Intelligence Committee chair Mark Warner, whose office told WIRED it planned to request a briefing on the matter, press inquiries concerning Israel’s attempts to secretly influence US opinion on the war have been met with a stonewall.

It is unclear whether Biden may have received a briefing on the operation that included information not shared with his own national security advisers. Said a spokesperson for the National Security Council: “We take all allegations of foreign malign influence seriously.”

The Office of the Director of National Intelligence, led by Avril Haines—formerly No. 2 at the CIA—declined to say whether US intelligence had any knowledge of the operation prior to the June 5 New York Times’ story. It would not reveal whether it issued any notifications to Jeffries or any other US officials targeted by Israel.

The ODNI maintains what it calls a “disclosure framework” for notifying victims of influence operations connected with US elections. It is unclear, however, whether the ODNI considers the operation election-related, despite national elections approaching and the deep political divide among US voters over Congress’ support for the Israeli war effort.

Haines has previously spoken publicly on how US intelligence responds to this scenario: “When relevant intelligence is collected concerning a foreign influence operation aimed at our election,” she said, a “notification framework” exists to ensure “appropriate notice is given to those who are being targeted so that they can take action.”

Multiple attempts to solicit comment over the past week from the House Intelligence Committee have likewise gone unacknowledged by representatives Mike Turner and Jim Himes, the committee’s chair and ranking member, respectively. It is unclear whether they are taking steps similar to their Senate counterparts to investigate the matter.

Many of the Israeli operation’s fake posts were found to have been generated using ChatGPT, the digital assistant software developed by OpenAI, which is being integrated into everything from Apple’s new iPhones to the next Microsoft Windows operating system. Notably, OpenAI’s CEO, Sam Altman, was recently appointed an adviser to the Homeland Security Department. According to the agency, his role is to advise the US government on how to “prevent and prepare for AI-related disruptions.”

Both OpenAI and social media giant Meta have publicly confirmed that the operation was launched by a Tel Aviv–based company called Stoic. Neither US company, however, has disclosed having any knowledge of Stoic being commissioned by the Israeli government.

Oft described as an Israeli “campaign marketing firm,” Stoic is reminiscent of Russia’s Internet Research Agency, which similarly used fake accounts registered on social media to promote the Kremlin’s interests, namely by working to influence the outcome of the 2016 US presidential election. OpenAI disclosed earlier this month that Stoic had similarly been tracked using fraudulent accounts in an effort to influence the outcome of India’s recent elections.

Meta and OpenAI have not responded to requests for comment.

A US intelligence assessment published in February that identified threats from foreign countries accused of launching malign influence operations against the US references Israel dozens of times; however, it strictly portrays the Middle East ally as the victim of such campaigns.

The annual assessment, published by the ODNI three days after Israel’s “multi-platform deception operation” was first revealed publicly by Marc Owen Jones—an assistant professor of Qatar University specializing in disinformation—speaks only broadly of the influence efforts of US rivals and contains few if any details about any specific operations. The report mentions, for instance, that the Chinese government “reportedly targeted” US politicians on TikTok using accounts run by a propaganda office ahead of the 2022 midterm elections.

The revelation of Israel’s involvement follows months of hearings in Washington concerning the impact of what US intelligence calls “malign foreign influence campaigns.” Much of the focus by lawmakers centered on allegations that China might potentially manipulate TikTok to sway public opinion in the US.

Jeffries, who is rumored to be the Democratic party’s next choice to become Speaker of the House, was among the 360 US representatives to support taking drastic steps in April that may soon lead to a ban on TikTok in US app stores.

Jeffries has joined other US leaders in extending an invitation to Israeli prime minister Benjamin Netanyahu to address Congress next month. A letter from Jeffries and Senate minority leader Mitch McConnell to the prime minister last week read: “To build on our enduring relationship and to highlight America's solidarity with Israel, we invite you to share the Israeli government's vision for defending democracy, combatting terror, and establishing a just and lasting peace in the region.”

_Update 1 pm ET, June 11, 2024: Added additional details about the Israeli influence campaign._

US Leaders Dodge Questions About Israel’s Influence Campaign

It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oracle - Linux kernel for Oracle Cloud systems

Details

It was discovered that the ATA over Ethernet (AoE) driver in the Linux  
kernel contained a race condition, leading to a use-after-free  
vulnerability. An attacker could use this to cause a denial of service  
or possibly execute arbitrary code. (CVE-2023-6270)

It was discovered that a race condition existed in the AppleTalk  
networking subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-51781)

In the Linux kernel, the following vulnerability has been  
resolved: netfilter: nft_set_rbtree: skip end interval element from gc  
rbtree lazy gc on insert might collect an end interval element that has  
been just added in this transactions, skip end interval elements that  
are not yet active. (CVE-2024-26581)

In the Linux kernel, the following vulnerability has been  
resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The  
variable rmnet_link_ops assign a bigger maxtype which leads to a global  
out-of- bounds read when parsing the netlink attributes. (CVE-2024-26597)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 104.1  
    azure - 104.1  
    gcp - 104.1  
    generic - 104.1  
    gke - 104.1  
    gkeop - 104.1  
    ibm - 104.1  
    lowlatency - 104.1  
    oracle - 104.1

Ubuntu 18.04 LTS  
    generic - 104.1  
    lowlatency - 104.1

Ubuntu 22.04 LTS  
    aws - 104.1  
    azure - 104.1  
    gcp - 104.1  
    generic - 104.1  
    gke - 104.1  
    ibm - 104.1  
    lowlatency - 104.1  
    oracle - 104.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-6270  
-   CVE-2023-51781  
-   CVE-2024-26581  
-   CVE-2024-26597

Kernel Live Patch Security Notice LSN-0104-1

Digital sharing is the norm in romantic relationships. But some access could leave partners vulnerable to inconvenience, spying, and abuse.

“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice.

In new research that Malwarebytes will release this month, romantic partners revealed that the degree to which they share passwords, locations, and devices with one another can invite mild annoyances—like having an ex mooch off a shared Netflix account—serious invasions of privacy—like being spied on through a smart doorbell—and even stalking and abuse.

Importantly, this isn’t just about jilted exes. This is also about people in active, committed relationships who have been pressured or forced into digital sharing beyond their limit.

The proof is in the data.

When Malwarebytes surveyed 500 people in committed relationships, 30% said they regretted sharing location tracking with their partner, 27% worried about their partners tracking them through location-based apps and services, and 23% worried that their current partner had accessed their accounts without their permission.

Plenty of healthy, happy relationships share digital access through trust and consent. For those couples, mapping out how to digitally separate and insulate their accounts from one another “when things go wrong” could seem misguided.

But for the many spouses, girlfriends, boyfriends, and partners who do not fully trust their significant other—or who are still figuring out how much to trust someone new—this exercise should serve as an act of security.

Here’s what people can think about when working through just how much of their digital lives to share.

****Inconvenient, annoying, and just plain bothersome****

A great deal of digital sharing within couples occurs on streaming platforms. One partner has Netflix, the other has Hulu, the two share Disney+, and years down the line, the couple can’t quite tell who is in charge of Apple Music and who is supposed to cancel the one-week free trial to Peacock.

This logistical nightmare, already difficult for people who are not in a committed relationship, is further complicated after a breakup (or during the relationship if one partner is particularly sensitive about their weekly algorithmic recommendations from Spotify).

If an ex maintains access to your streaming accounts even after a breakup, there’s little chance for abuse, but the situation can be aggravating. Maybe you don’t want your ex to know that you’re watching corny rom-coms, or that you’re absolutely going through it on your seventh replay of Spotify’s “Angry Breakup Mix.” These are valid annoyances that will require a password reset to boot your ex out of the shared account.

But there’s one type of shared account that should raise more caution than those listed above: A shared online shopping account, like Amazon.

With access to a shared online shopping account, a spiteful ex could purchase goods using your saved credit card. They could also keep updates on your location should you ever move and change addresses in the app. This isn’t the same threat as an ex having your real-time location, but for some individuals—particularly survivors of domestic abuse who have escaped their partner—any leak of a new address presents a major risk.

****Non-consensual tracking, monitoring, and spying****

When couples move into the same home, it can make sense to start sharing a variety of location-based apps.

Looking for a vacation rental online for your next getaway? You’re (hopefully) lodging together. Ordering delivery because nobody wants to make dinner? That order is being sent to the same shared address. Even some credit cards offer specific bonuses on services like Lyft, incentivizing some couples to rely more heavily on one account to score extra credits.

While sharing access between these types of accounts can increase efficiency, it’s important to know—and this may sound obvious—that many of these same shared location-based apps can reveal locations to a romantic partner, even after a breakup.

Your vacation could be revealed to an ex who is abusing their previously shared login privileges into services like Airbnb or Vrbo, or by someone peering into the trip history of a shared Uber account that discloses that a car was recently taken to the airport. Food delivery apps, similarly, can reveal new addresses after a move—a particular risk for survivors of domestic abuse who are trying to escape their physical situation.

In fact, any account that tracks and provides access to location—including Google’s own “Timeline” feature and fitness tracking devices made by Strava—could, in the wrong hands, become a security risk for stalking and abuse.

The vulnerabilities extend farther.

With the popularity of Internet of Things devices like smart doorbells and baby monitors, some partners may want to consider how safe they are from spying in their own homes. Plenty of user posts on a variety of community forums claim that exes and former spouses weaponized video-equipped doorbells and baby monitors to spy on a partner.

These scenarios are frightening, but they are part of a larger question about whether you should share your location with your partner. With the proper care and discussion, your location-sharing will be consensual, respected, and convenient for all.

****Stalking and abuse****

When discussing the risks around digital sharing between couples, it’s important to clarify that trustworthy partners do not become abusive simply because of their access to technology. A shared food delivery app doesn’t guarantee that a partner will be spied on. A baby monitor with a live video stream is sometimes just that—a baby monitor.

But many of the stories shared here expose the dangers that lie within arm’s reach for abusive partners. The technology alone cannot be blamed for the abuse. Instead, the technology must be scrutinized simply because of its ubiquitous use in today’s world.

The most serious concerns regarding digital access are the potential for stalking and abuse.

For partners that share devices and device passcodes, the notorious threat of stalkerware makes it easy for an abusive partner to pry into a person’s photos, videos, phone calls, text messages, locations, and more. Stalkerware can be installed on a person’s device in a matter of minutes—a low barrier of entry for couples that live with one another and who share each other’s device passcodes.

For partners who share a vehicle, a recent problem has emerged. In December, The New York Times reported on the story of a woman who—despite obtaining a restraining order against her ex-husband—could not turn off her shared vehicle’s location tracking. Because the car was in her husband’s name, he was able to reportedly continue tracking and harassing her.

Even shared smart devices have become a threat. According to reporting from The New York Times in 2018, survivors of domestic abuse began calling support lines with a bevvy of new concerns within their homes:

> “One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there.”

The survivors’ stories all pointed to the abuse of shared smart devices.

Whereas the solutions to many of the inconveniences and annoyances that can come with shared digital access are simple—a reset password, a removal of a shared account—the “solutions” for technology-enabled abuse are far more complex. These are problems that cannot be solely addressed with advice and good cybersecurity hygiene.

If you are personally experiencing this type of harassment, you can contact the National Network to End Domestic Violence on their hotline at 1-800-799-SAFE.

****Making sure things go right****

Sharing your life with your partner should be a function of trust, and for many couples, it is. But, in the same way that it is impossible for a cybersecurity company to ignore even one ransomware attack, it’s also improper for this cybersecurity and privacy company to ignore the reality facing many couples today.

There are new rules and standards for digital access within relationships. With the right information and the right guidance, hopefully more people will feel empowered to make the best decisions for themselves.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 When things go wrong: A digital sharing warning for couples 

Apple has announced the launch of a "groundbreaking cloud intelligence system" called Private Cloud Compute (PCC) that's designed for processing artificial intelligence (AI) tasks in a privacy-preserving manner in the cloud.
The tech giant described PCC as the "most advanced security architecture ever deployed for cloud AI compute at scale."
PCC coincides with the arrival of new generative AI (

Apple Launches Private Cloud Compute for Privacy-Centric AI Processing

In response to recent public outcry, Recall is getting new security accouterments. Will that be enough to quell concerns?

Source: Photo 12 via Alamy Stock Photo

Microsoft is adding new security measures to assuage widely publicized concerns over its new "Recall" AI feature. Some, though, still aren't convinced the company went far enough.

It's now just eight days until Microsoft releases Recall, a new artificial intelligence (AI)-driven program that will periodically take, store, and analyze screenshots of Copilot+ PCs as they're being used day-to-day. Recall is supposed to act like a kind of memory bank, allowing users to instantly find and reference things they've come across recently: apps, websites, images, and documents.

From the outset, Recall has been criticized as a potential goldmine for personal data theft. The noise got loud enough that, on Friday, Microsoft announced three new security-oriented updates for it:

*   In a reversal of its initial stance, Microsoft will now ship Recall turned off by default.
    
*   Users will need to enroll in Windows Hello in order to enable it, and so-called "proof of presence" will be required to use its primary features.
    
*   Recall data will be encrypted, and only decrypted and accessible once a user authenticates via Windows Hello.
    

Though they may represent a step in the right direction, experts remain skeptical that these changes will be enough to protect users' most sensitive passwords, photos, personally identifying information (PII), and financial information from hackers.

**Risks in Recall: A Case Study**

Many security experts cringed when Recall was announced, but few more than Marc-André Moreau, CTO of Devolutions. He worried that Windows' newest toy would inevitably capture and store visible passwords from his company's software for managing remote connections. With such passwords in hand, hackers would be able to easily connect to and manipulate any victim PC.

"Looking at documentation for how Recall works," he recalls, "it literally said that it wouldn't make an effort of removing sensitive information, credentials, or PII — anything which you would want scraped out, it would just keep in local files."

Microsoft's logic, it seemed, was that because Recall screenshots were stored only on the user's machine, they would remain safe from remote access. "Microsoft has this new chip which makes it possible to do the processing locally, and they thought that everybody would be fine since the data isn't uploaded to the cloud," Moreau explains. "But you wouldn't install a keylogger on your machine just because the files are stored locally. Files can be grabbed by malware. So why would you enable Recall?"

To demonstrate the point, he performed a simple red team exercise. In his telling, "I didn't have to do much. I just set up an environment, used some tool that somebody made online to force-install it, and then I installed \[Devolutions'\] Remote Desktop Manager. I clicked 'view password,' then 'record,' and then I found the database. I opened it, and I could see the extracted password alongside the screenshot that includes the password."

> Here's Recall capturing temporarily visible passwords from Remote Desktop Manager in a test Azure VM. It's less effective that I would have thought, the search results are screenshots, and it's unclear how one can obtain the full OCR text it used for the match pic.twitter.com/RUiLs57bKz  
> — Marc-André Moreau (@awakecoding) June 3, 2024

Other researchers have also found simple ways of accessing sensitive data in Recall screenshots. One has already developed and released an open source tool to help speed up the job.

To try to protect his customers, Moreau next looked for a way to exclude his company's software from Recall by default. He came up short.

**Are Microsoft's New Updates Enough?**

Users will have more control over their data privacy now, thanks to Microsoft's turning off Recall by default.

Moreau is skeptical, though, that Windows Hello can be fully and properly integrated into Recall without delaying its preview release, which is mere days away. "I'm in software, things don't happen that fast," he says.

Dark Reading reached out to Microsoft for comment on how it will be able to marry Windows Hello and Recall in time for June 18. In response, Microsoft said in a statement: "As we shared in our May 3 blog, security is our top priority at Microsoft, in line with our ⁠Secure Future Initiative (SFI), and we are evaluating Recall through that lens. As we implement SFI across Microsoft, we may shift some feature release dates and will update our public roadmaps as this happens."

In the barely a month since that blog post, and Satya Nadella's letter "prioritizing security above all else," for some critics, Recall recalls other AI products that are getting rushed to market.

Ironically, AI could well solve these programs' most pressing security flaws. "I could upload a Recall screenshot to ChatGPT today and tell it to identify the data which looks sensitive, and it will be able to," Moreau notes. "They could have used their AI chip to help solve this \[data leakage\] but they didn't even try. They were too eager to ship."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Modifies 'Recall' AI Feature Amid Privacy, Security Failings

Pseudonymous masking has made credit card transactions more secure, but Visa has even greater plans for tokenization: giving users control of their data.

Source: basiczto via Shutterstock

In 2014, Visa introduced its tokenization service, allowing customers to pay for goods and services without giving away their credit card details.

A decade later, the shift to tokenization has become a great success. The company has issued more than 10 billion tokens, which typically replace a card number in a digital wallet, such as Apple Pay or Google Pay. These tokens — fueled more than $40 billion in e-commerce transactions in the past year, according to Visa, accounting for 29% of all transactions processed by the financial giant. Perhaps even more significantly, tokens see 60% less fraud, leading to the prevention of more than $650 million in fraud in the past year, the company said.

The success is driven by the security technology's ease of use, with digital wallets playing host for most consumers' tokens, says Mark Nelsen, senior vice president and head of consumer platform products for Visa.

"Merchants like it because you get less abandonment, you get higher conversion rate, and, oh, you get lower fraud at the same time," he says. "It seems simple in theory, but there's a lot of technology — as you can imagine — behind the scenes that makes it work at scale."

The tokenization of digital payments has arguably been the greatest success to date for the pseudonymous technology. But the future holds new applications, including the increase of user privacy and the decrease of data loss in case of breach.

**What's Accelerating Tokenization**

In 2020, Visa marked the issuance of its 1 billionth token, a milestone that took six years to reach. Social distancing during the pandemic and consumers' greater comfort with the technology accelerated adoption, leading to 9 billion more tokens created for payment cards in the past four years, according to the financial giant.

The next great push for tokenization will be to improve privacy and data quality, Nelsen says. Passkeys are essentially a tokenization technology that replaces a password with an authentication process using a user's device and, typically, a biometric.

In the future, Visa aims to make tokenization even more widespread, replacing more user data with tokens. The upcoming Visa Token Service can be used to protect nearly any data, including sensitive data, and gives consumers full control over with whom they share their data. At any point in time, the consumer could log into their issuer's banking app, see all of the places where they have shared their data, and revoke some of those permission, Nelsen says.

"Because it's tokenized, they now have life cycle management, and so they could say to the bank, 'Hey, I want to disable or revoke access to my data for these merchants because they don't need to have access to my data anymore,'" he says. "We think it creates a really nice framework for how we could manage data going forward."

The company plans to launch its first Visa Token Service pilots later this year.

**How Tokenization Hides Data**

While tokenization of nonpayment data has gradually grown in popularity, especially as the discipline of data science has taken off over the past decade, managing the process is often complex.

Unlike encryption, tokens can directly replace sensitive data, adhering to the data format so that legacy systems can store the data. Financial institutions, for example, can use tokens to replace credit cards because a 16-digit token can be generated and stored in the place of the 16-digit account number.

A combination of tokenization and encryption can help companies comply with regulations and protect sensitive data, says Brent Johnson, CISO at Bluefin, a data security firm.

"Without an authenticated API to 'detokenize' the data and decode the token, the token is useless to hackers," he says.

**Vaulted or Vaultless Tokenization?**

Most businesses are data pack rats — throwing away perfectly good data is antithesis to their strategy. Yet keeping data around poses risks in the case of a data breach. So companies typically use one of two methods of tokenization: Vaulted systems store the mapping of tokens to data in a vault but allow employees to use the tokenized version, while vaultless systems use an encryption-like mapping that can restore data for authorized users.

There is no reason for companies to leave nontokenized data around, says Todd Moore, global head of data security products at Thales, a data protection firm.

"Tokenization should be a part of an organization's overall security strategy, \[but\] encryption and associated key management remains the best way to protect long-term sensitive data," he says. "Many global privacy regulations recognize the combination of using encryption and tokenization, like pseudonymization, as an adequate form of data protection."

Tokenization should not just be used for databases but also to mask privacy-regulated data with tokenization, which can help companies retain some use of the information while meeting their regulatory obligations, says Bluefin's Johnson.

In fact, by pushing tokenization out to the user's machine, companies can make their data life cycles more secure, he says.

"Companies should ... use tokenization to immediately tokenize data upon entry into a Web form or e-commerce page, further extending its use beyond protecting data in storage," Johnson says. "Vaultless tokenization provides the easiest way to secure an organization's data as most of the organization's systems will never see the original data strings, and only a very few, limited, heavily controlled systems are allowed to transform tokens back to sensitive data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tokenization Moves Beyond Payments to Personal Privacy

Cryptocurrency users beware: A malicious ComfyUI node steals sensitive data like passwords, crypto wallet addresses, etc. Stay safe…

Cryptocurrency users beware: A malicious ComfyUI node steals sensitive data like passwords, crypto wallet addresses, etc. Stay safe by using reputable sources and enabling two-factor authentication.

Cryptocurrency enthusiasts, beware! Security researchers at VPNMentor have reported a malicious custom node on the popular Stable Diffusion user interface_,_ ComfyUI to steal sensitive data like passwords, credit card details, and crypto wallet addresses.

According to VPNMentor’s report shared with Hackread.com, this malicious custom node, dubbed “ComfyUI\_LLMVISION,” has been uploaded by a user named “u/AppleBotzz” on Reddit, and is potentially putting users at risk by stealing sensitive data.

Another Reddit user, u/\_roblaughter\_, discovered and reported it after noticing login attempts on their accounts after installing the compromised node.

For your information, the ComfyUI interface is designed for workflow customization and productivity enhancement, enhancing user experience and productivity when working with the powerful AI text-to-image generation model. It, by default, uses Python-built mini-programs called custom nodes to extend its functionality, automate tasks, perform computations, or connect to external services not natively supported by ComfyUI.

“ComfyUI\_LLMVISION” presents itself as a user-friendly ComfyUI extension but in reality, it is programmed to steal sensitive data like passwords, credit card details, and browsing history, and transfer it to the attacker’s Discord server.

According to VPNMentor’s investigation, ComfyUI\_LLMVISION’s installation on ComfyUI forces the Python package manager to install several packages, including malicious versions of OpenAI and anthropic Python. 

Within these limitations, a function runs an encoded PowerShell command, which downloads the third stage of the malware and runs it. The second stage can steal crypto wallets, screenshot the user’s screen, steal device information, get IP info, and steal files with specific keywords or extensions.

It becomes hard to detect since it is concealed within custom install files for OpenAI and Anthropic libraries. However, it must be noted that ComfyUI remains secure. 

The incident highlights the need for caution when integrating third-party components into AI workflows. Recent developments, like the sale of FraudGPT or WormGPT and hijacked Bing chat responses, show the versatile nature of risks associated with AI advancements.

To protect against risks associated with open-source, third-party AI tools, exercise caution when downloading and installing custom nodes or extensions, prefer reputable repositories and developers, regularly scan systems for malware, and use strong, unique passwords for all online accounts. Enabling two-factor authentication can further enhance security. 

1.  VMCONNECT: Malicious PyPI Package Mimick Python Tools
2.  AMOS Stealer Variant Targets Safari Cookies, Crypto Wallets
3.  New Malware “BunnyLoader 3.0” Steals Credentials and Crypto
4.  Python in Threat Intelligence: Analyzing, Mitigating Cyber Threats
5.  JaskaGO Malware Targets Mac, Windows for Crypto, Browser Data

Malicious Node on ComfyUI Steals Data from Crypto, Browser Users

A list of topics we covered in the week of June 3 to June 9 of 2024

June 7, 2024 - Google has announced it will delete Location History (Timeline) data and store new data locally, starting December 2024.

June 6, 2024 - Car parts provider Advance Auto Parts seems to be the next victim of a major data breach related to cloud provider Snowflake.

June 6, 2024 - A husband, now indicted, allegedly used seven Apple AirTags to stalk his ex-wife over a period of several weeks. His trial begins this month.

June 6, 2024 - A worried researcher has created a tool to demonstrate exactly how much of a security backdoor Microsoft is creating with Recall.

June 5, 2024 - Financially motivated sextortion of teenage boys is the fastest-growing global cybercrime, according to the FBI and Homeland Security.

Tag

#apple