AI Cyber Challenge announced at Black Hat
Officials with the Biden administration launched the DARPA-led initiative at the event. Over the next two-years, this will look for systems able to proactively find and remediate software vulnerabilities. OpenAI, Microsoft, Google, and Anthropic partnered with DARPA on the challenge. DARPA will offer $20 million in prizes, with $7 million dedicated to competitors from small businesses. The Open Source Security Foundation will also advise on the challenge, with competitors asked to open-source the winning project.
(Engadget)
Tencent typing app had real time “eavesdropper”
Researchers at the human rights group Citizen Lab found that the popular Songou Input Method app, used for typing Chinese characters, contained a “troubling” encryption vulnerability. Citizen Lab estimates over 455 million people use the app. Keystrokes from the app go to China-based servers for processing. The researchers found encryption issues with Songou’s “EncryptWall” implementation that could expose typed content to a third party.Tencent is Songou’s parent company. THe researchers contacted Songou and it resolved the vulnerabilities.
Google adds cellular security to Android
These new features will roll out with Android 14, expected for a full release later this month. These new cellular protections will enable turning off 2G support on devices, including with fleet provisioning. This will combat man-in-the-middle attacks with Stingray cell-site simulators. Since Android 12, users could disable 2G in settings, but this will offer enterprise provisioning for the first time. The OS update will also disable support for “null-ciphered cellular connectivity.” This will prevent devices from sending voice or SMS data over connections with no cellular link layer cipher.
Intel patches Downfall
Yesterday we reported on the disclosed of the so-called Downfall vulnerability impacting many Intel processors. It came as part of what is now a lineage of side-channel attacks on Big Blue silicon, opening the door to stealing secrets stored in Intel’s SGX. Intel released patches for the flaws. These include options to disable them, as they could impose significant performance impacts to some vectorization-heavy workloads. Daniel Moghimi, the Google engineer that discovered Downfall, reported the bugs to Intel a year ago.
(Wired)
Thanks to our sponsor, Conveyor
It auto-generates precise, accurate answers to entire questionnaires with accuracy far superior to existing tools on the market. It’s so accurate, your customers can now use it in our new ‘upload questions to trust portal’ feature. It’s exactly as it sounds. Customers can upload questions and the AI will generate instant answers based on your trust portal content.
Try a free proof of concept with your own data and see why top SaaS companies are making the switch from outdated RFP software and other portal solutions.
Learn more at www.conveyor.com.
Hospitals still taking ransomware on the chin
Two stories in the last 24 hours illustrate the continuing ransomware problems plaguing medical organizations. Last week, Prospect Medical Holdings disclosed a ransomware attack impacting 16 hospitals. As of this week, Prospect Medical said systemwide outages remain. This saw ambulances diverted and appointments canceled at the sites.
In distressingly similar news, the Mayanei Hayeshua Medical Center in Israel saw a ransomware attack shut down its administrative systems. This outage did not impact medical gear and already admitted patients remain treated at the facility. However the hospital temporarily shut down new admissions and moved emergency care to other hospitals. No recovery timelines for either of the victims.
16shop PhaaS platform shutdown
In a joint operation, Interpol and Group-IB worked to take down the platform, arresting three of its operators over the last year and a half. As part of it’s phishing-as-a-service operation, 16shop offered kits to target various payment and ecommerce accounts. According to telemetry, the group created over 150,000 phishing pages, used to compromise at least 70,000 users, typically stealing credit card information.
Irish police leak staff data
In response to a Freedom of Information requires, the Police Service of Northern Ireland accidentally published the names, roes, and locations of all staff, both police and civilian. It did not disclose home addresses. The FOI request that resulted in the leak wasn’t nearly so broad, asking for a listing of ranks and grades within PSNI’s staff. Due to the presence of paramilitary groups in the country, many PSNI employees keep their jobs secret from friends and family. The agency published the spreadsheet with the staff information online for roughly two hours.
(BBC)
SCOTUS denies Epic motion in App Store dispute
In Epic Games’ continuing legal dispute with Apple over its App Store policies, the US Supreme Court declined to play hardball. While lower courts ruled against most of Epic’s antitrust claims, a judge did determine Apple violated California’s Unfair Competition Law with its anti-steering rules. This prevented developers from linking users to direct payments. So that was Epic’s only significant win. However a Ninth Circuit COurt of Appeals ordered a stay on that ruling back in July, providing 90 days for Apple to appeal to the Supreme Court. Epic filed a motion to vacate that stay, trying to strip Apple’s anti-steering rules immediately before any appeal. However Justice Elena Kagan denied that motion with no further comment.
Remembering the creator of Vim
Dutch engineer Bram Moolenaar released the widely used Vim text editor back in 1991, continuing to update the app until a few weeks ago. However his family disclosed on a Google Group that Moolenaar passed away on August 3rd at the age of 62. Started as a clone of the Unix editor vi, the app gained considerable capabilities over the years. Moolenaar also served as an early adopter of charityware with Vim, donating proceeds to a Ugandan relief fund. He also worked at Google for 15 years as a software engineer. Goodnight sweet prince.