AI models tested, breaking encryption, Intel security review
Subscribe to Cyber Security Headlines podcast
Spotify, Apple Podcasts, RSS link, add as an Alexa Skill, or search "Cyber Security Headlines" on your favorite podcast app.
In today’s cybersecurity news…
Putting AI models to the EU test
The Swiss startup LatticeFlow AI developed a framework that awards AI models points between zero and one across categories like technical robustness, resilience, and safety. EU officials welcomed the tool as part of the compliance tooling needed for its sweeping AI Act. LatticeFlow published a leaderboard showing models from significant providers like OpenAI, Meta, Anthropic, and Alibaba, who scored an average of 0.75 or higher. Digging into the results, models from Meta and Mistral struggled when presented with “prompt hijacking” attacks, where an attacker uses a malicious prompt to extract sensitive information, with scores below 0.5. Anthropic’s Claude 3 model led all tested with a 0.89 score. In tests for discriminatory outputs, OpenAI’s ChatGPT 3.5 and Alibaba’s Qwen 1.5 scored the lowest.?
(Reuters)
Chinese researchers don’t break classical encryption… yet
Last week, a story in the South China Morning Post pointed to a paper published by researchers at Shanghai University that used a D-Wave Advantage quantum computer to target foundational algorithms in AES cryptography. The research team posed this as a “real and substantial threat” but cautioned that immature hardware and persistent interference issues meant a practical application was a long way off. Digicert head of R&D Avesta Hojjati threw some more cold water on the finding, pointing out that the attack was executed on a 22-bit key, slightly shorter than 2048 and 4096-bit keys used today. Of quantum threats to encryption,? Hojjati said “We should remain cautious but not alarmist.”?
Chinese group calls for security reviews on all Intel products
This call came from the industry group Cybersecurity Association of China, or CSAS, which claimed that Intel products “consistently harmed” China’s national security interests. The group claimed Intel processors carry “major defects” and embed backdoors accessible to the US National Security Agency. While not a government body, CSAS’s close ties to the Chinese government could trigger a review by the Cyberspace Administration of China, or CAC. A similar review by the CAC on Micron products led to a product ban for critical infrastructure providers.?
(Reuters)
Encryption flaws found in WeChat
Researchers at Citizen Lab investigated the MMTLS encryption protocol used by the massively popular WeChat app. They found that MMTLS was a modified version of TLS 1.3 that introduced cryptographic weaknesses. While the researchers could not craft an attack to exploit these weaknesses, they noted that MMTLS uses deterministic initialization vectors, which opens the door to a brute force attack and goes against NIST recommendations. The protocol also lacks forward secrecy due to its heavy use of session-resuming pre-shared keys. The researchers published full findings and methodologies on GitHub.?
领英推荐
Thanks to today’s episode sponsor, Conveyor
Russia pushes case against REvil hackers
The REvil ransomware organization was prolific until its shutdown in 2021, making a name for itself by targeting high-profile users. By the end of 2022, Russian law enforcement arrested 14 suspected members. Until now, the cases have dragged on, with several hearings postponed due to disagreements with prosecutors. Now, the Russian media outlet Kommersant reports that the Russian prosecutor’s office will move forward with cases against four suspects, including REvil’s suspected leader Daniil Puzyrevsky, with plans to push for sentences of up to 6.5 years. This case is somewhat unusual, as the arrests were made at the request of US authorities. Russia does not generally prosecute domestic threat actors.?
CISA refines SBOM guidance
The US Cybersecurity and Infrastructure Security Agency published a new edition of its Framing Software Component Transparency document, providing new guidance on creating software bill of materials (SBOMs). This now sets out SBOM attributes into minimum expected, recommended, and aspirational categories. The baseline requirements primarily focus on transparency and interoperability with existing SBOM formats. CISA also pointed out that to make SBOMs useful, the industry needs coordinated and automated methods to share SBOM data.
Malicious ads target the ghost of IE
Microsoft officially ended support for Internet Explorer in 2022, but many browser components remain either in Windows or used by third-party apps. That allowed the North Korean-linked cyber espionage group ScarCruft to exploit an IE zero-day to deploy RokRAT malware and obtain data. South Korea’s National Cyber Security Center (NCSC) and AhnLab spotted this new campaign, dubbed “Code on Toast.” ScarCruft compromised a server for a domestic ad agency, using it to push out so-called “toast ads” on free software used by many people in South Korea. These ads included a malicious iframe that executed RokRAT when rendered by Internet Explorer. Microsoft patched the issue back in August, but software using outdated IE components could put users at risk of similar attacks.
Internet Archive coming back online
Last week, we reported on a DDoS attack against the Internet Archive, which resulted in its services being unavailable for days. As of October 14th, the site’s digital librarian, Brewster Kahle, said its Wayback Machine service was “running strong,” but the rest of its digital archive remained down as of this recording. There’s no timetable for full availability. The organization said that the analysis of the attack shows evidence that the DDoS was carried out by a Mirai botnet variant, with most traffic coming from devices in South Korea, China, and Brazil. No threat actors were attributed.?