Spoutible API vulnerability leaks user data
Spoutible is one of the innumerable social networks that popped up in late 2022 after Elon Musk bought the company then known as Twitter. Security researcher Troy Hunt detailed a vulnerability in its API, finding attackers could use it to obtain usernames, real names, email addresses, IP addresses, and phone numbers. In a statement, Spoutible said the API didn’t leak decrypted passwords, but Hunt found it could also expose hashed passwords, 2FA codes, and password reset tokens. Effectively this provides all the tools needed to take over accounts without alerting the user. Spoutible patched the API as of February 4th. Both the company and Hunt recommend resetting passwords and enabling 2FA.
Illicit service cranks out fake IDs
404 Media’s Joseph Cox profiled OnlyFake, which claims to use neural networks to create realistic fake IDs for $15. The service let the reporter instantly create a convincing California driver’s license with arbitrary information on it. This ID passed an identity verification process on the cryptocurrency exchange OKX. The service advertises on Telegram its ability to generate other faked identity documents as well. It also adds appropriate metadata to make photos of the faked IDs appear legitimate, adding in device, time, date, and location information.
Sudo coming to Windows
The sudo terminal command is a standard in Linux, allowing lower-privileged users to execute commands as root or other elevated roles without giving them full access. Now a leaked Insider version of Windows Server 2025 shows a new setting for a Windows sudo command. The build shows the feature available by enabling developer mode, but it doesn’t actually seem to work; the settings panel just shows it as an option. As an Insider Preview build, it remains unclear if Microsoft will ship the feature. There is no evidence Microsoft plans to bring the feature to Windows 11.
US sanctions Iranians over cyberattacks
The US Department of the Treasury’s Office of Foreign Assets Control announced sanctions against six senior officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command. The US identified that agency as responsible for December 2023 attacks against Unitronics programmable logic controllers. The IRGC used its “CyberAv3ngers” persona in these attacks, mostly targeting water plants. The sanctions block all US-based assets for these individuals and put criminal penalties on companies doing business with them.
Huge thanks to our sponsor, Vanta

Vanta is the leading Trust Management Platform that helps you centralize your efforts to establish trust and enable growth across your organization.
Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk.
To learn more, go to vanta.com/ciso and watch their 3-minute product demo.
Meta’s Oversight Board calls for changes to manipulated media policy
This came as part of a decision from the board agreeing with Meta’s decision not to remove a misleadingly edited video of US President Joe Biden. The board sided with Meta because, under its narrowly defined policy, the video wasn’t edited with AI tools and featured “obvious” edits. Even in agreement, the board called for changes to the policy ahead of the 2024 elections. It said Meta should focus on the specific harms it wants to prevent, rather than on a video’s method of creation. It also called for extending the policy to audio as well as video content.
(Engadget)
Using AI to review police body cam footage
ProPublica published a report on the challenge of reviewing video footage from police body-worn cameras, citing that Axon, the largest provider of police camera video storage, now stores over 100 petabytes of video. It highlighted the Paterson, New Jersey, police department’s contract with Truleo, which offers AI processing tools letting administrators identify patterns of behavior or review pre-flagged videos from bodycams. It also highlighted research efforts from universities to address this problem, as well as commercial competitors like Polis Solutions’ DARPA spinoff TrustStat.
Microsoft collaborates with news orgs to use GenAI
The company announced these new collaborations, billed as a way to help these organizations refine policy around AI usage, train reporters on the new tools, and find ways to build newsroom efficiency. This will include research tools for Semafor’s breaking news feed Signals, a tuition-free program for using these tools at the Craig Newmark Graduate School of Journalism, and support for the AI newsroom tool company Nota. These organizations will receive support from Microsoft and commit to sharing findings with the wider industry.
New Ivanti zero-day under mass exploitation
Last week we reported on a new server-side request forgery zero-day disclosed by Ivanti impacting its Connect Secure and Policy Secure offerings. The flaw allows attackers to bypass authentication and access restricted resources. The monitoring service Shadowserver reports seeing over 170 attacking IPs now exploiting the flaw, far exceeding attacks against the previously disclosed zero-days. The security firm Rapid7 released proof of concept code for the flaw on February 2nd, but Shadowserver reports seeing the rise in exploitation attempts hours prior to its release.
DEF CON 32 canceled and uncanceled
The organizers of DEF CON announced that the annual conference was in peril after its venue for the last 25 years, Caesars in Las Vegas, abruptly terminated its contract, leaving the event without a home seven months before it was due to start. After looking for an alternative venue able to handle its size, the organizers announced it will still take place from August 8th through 11th at the Las Vegas Convention Center, with workshops and training at the Sahara.
(DEFCON)