• chevron_right

    Unexpected 3DS update breaks many common homebrew hacking methods / ArsTechnica · 6 days ago - 17:37

A few of the 3DS variations that were once supported by Nintendo.

Enlarge / A few of the 3DS variations that were once supported by Nintendo. (credit: Mark Walton)

It has been years since Nintendo stopped producing its Nintendo 3DS line of portable hardware and months since the company officially shut down the 3DS eShop for new downloadable game purchases. But those facts haven't stopped the company from issuing a new firmware update that seems at least partly focused on impeding some of the most common methods for installing homebrew software on the defunct console.

Monday night's surprise release of 3DS firmware Ver. 11.17.0-50 is the first official system update for the console since last September and the fifth update since the hardware was officially discontinued in 2020. The official patch notes for the sudden update cover the now-standard (if vague) promise of "further improvements to overall system stability and other minor adjustments [that] have been made to enhance the user experience."

But console hacking groups quickly noticed that downloading the update ruined many of the documented hacking methods that could previously be used to install custom 3DS firmware.

Read 6 remaining paragraphs | Comments

Interesting essay on the poisoning of LLMs—ChatGPT in particular:

Given that we’ve known about model poisoning for years, and given the strong incentives the black-hat SEO crowd has to manipulate results, it’s entirely possible that bad actors have been poisoning ChatGPT for months. We don’t know because OpenAI doesn’t talk about their processes, how they validate the prompts they use for training, how they vet their training data set, or how they fine-tune ChatGPT. Their secrecy means we don’t know if ChatGPT has been safely managed.

They’ll also have to update their training data set at some point. They can’t leave their models stuck in 2021 forever.

Once they do update it, we only have their word— pinky-swear promises —that they’ve done a good enough job of filtering out keyword manipulations and other training data attacks, something that the AI researcher El Mahdi El Mhamdi posited is mathematically impossible in a paper he worked on while he was at Google .

  • Sc chevron_right

    FBI Disables Russian Malware / Schneier · Wednesday, 10 May - 15:26

Reuters is reporting that the FBI “had identified and disabled malware wielded by Russia’s FSB security service against an undisclosed number of American computers, a move they hoped would deal a death blow to one of Russia’s leading cyber spying programs.”

The headline says that the FBI “sabotaged” the malware, which seems to be wrong.

Presumably we will learn more soon.

  • Sc chevron_right

    AI Hacking Village at DEF CON This Year / Schneier · Monday, 8 May - 15:33

At DEF CON this year, Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI will all open up their models for attack.

The DEF CON event will rely on an evaluation platform developed by Scale AI, a California company that produces training for AI applications. Participants will be given laptops to use to attack the models. Any bugs discovered will be disclosed using industry-standard responsible disclosure practices.

  • chevron_right

    Those scary warnings of juice jacking in airports and hotels? They’re nonsense / ArsTechnica · Monday, 1 May - 11:00 · 1 minute

Those scary warnings of juice jacking in airports and hotels? They’re nonsense

Enlarge (credit: Aurich Lawson | Getty Images)

Federal authorities, tech pundits, and news outlets want you to be on the lookout for a scary cyberattack that can hack your phone when you do nothing more than plug it into a public charging station. These warnings of “juice jacking,” as the threat has come to be known, have been circulating for more than a decade.

Earlier this month, though, juice jacking fears hit a new high when the FBI and Federal Communications Commission issued new, baseless warnings that generated ominous-sounding news reports from hundreds of outlets. NPR reported that the crime is "becoming more prevalent, possibly due to the increase in travel." The Washington Post said it's a “significant privacy hazard” that can identify loaded webpages in less than 10 seconds. CNN warned that just by plugging into a malicious charger, "your device is now infected." And a Fortune headline admonished readers: "Don’t let a free USB charge drain your bank account."

The Halley’s Comet of cybersecurity scares

The scenario for juice jacking looks something like this: A hacker sets up equipment at an airport, shopping mall, or hotel. The equipment mimics the look and functions of normal charging stations, which allow people to recharge their mobile phones when they're low on power. Unbeknownst to the users, the charging station surreptitiously sends commands over the charging cord’s USB or Lightning connector and steals contacts and emails, installs malware, and does all kinds of other nefarious things.

Read 38 remaining paragraphs | Comments

  • chevron_right

    Pro-Russian hackers target elected US officials supporting Ukraine / ArsTechnica · Thursday, 30 March - 12:19

Locked out.

Enlarge / Locked out. (credit: Sean Gladwell / Getty Images )

Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine, using attacks that attempt to compromise their email accounts, researchers from security firm Proofpoint said.

The campaign, which also targets officials of European nations, uses malicious JavaScript that’s customized for individual webmail portals belonging to various NATO-aligned organizations, a report Proofpoint published Thursday said. The threat actor—which Proofpoint has tracked since 2021 under the name TA473—employs sustained reconnaissance and painstaking research to ensure the scripts steal targets’ usernames, passwords, and other sensitive login credentials as intended on each publicly exposed webmail portal being targeted.

Tenacious targeting

“This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe,” Proofpoint threat researcher Michael Raggi wrote in an email. “Since late 2022, TA473 has invested an ample amount of time studying the webmail portals of European government entities and scanning publicly facing infrastructure for vulnerabilities all in an effort to ultimately gain access to emails of those closely involved in government affairs and the Russia-Ukraine war.”

Read 10 remaining paragraphs | Comments

  • Sc chevron_right

    Hacks at Pwn2Own Vancouver 2023 / Schneier · Monday, 27 March - 03:33 · 1 minute

An impressive array of hacks were demonstrated at the first day of the Pwn2Own conference in Vancouver:

On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.

The first to fall was Adobe Reader in the enterprise applications category after Haboob SA’s Abdul Aziz Hariri ( @abdhariri ) used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.

The STAR Labs team ( @starlabs_sg ) demoed a zero-day exploit chain targeting Microsoft’s SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.

Synacktiv ( @Synacktiv ) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla-Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.

Oracle VirtualBox was hacked using an OOB Read and a stacked-based buffer overflow exploit chain (worth $40,000) by Qrious Security’s Bien Pham ( @bienpnn ).

Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.

The con’s second and third days were equally impressive.

  • Sc chevron_right

    Mass Ransomware Attack / Schneier · Thursday, 23 March - 02:56

A vulnerability in a popular data transfer tool has resulted in a mass ransomware attack :

TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward.

However, while the number of victims of the mass-hack is widening, the known impact is murky at best.

Since the attack in late January or early February—the exact date is not known—Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files.