iLeakage attack steals emails, passwords from Apple devices and browsers
A team of academics from Georgia Tech, University of Michigan, and Ruhr University Bochum has created a new speculative side-channel attack they call iLeakage that, according to Bleeping Computer, not only works on all recent Apple devices but can also extract information from the Safari browser, as well as Firefox, Tor, and Edge on iOS. “At core, it is a timerless Spectre attack that bypasses standard side-channel protections implemented by all browser vendors.” More details on the methods used for bypassing Apple’s mitigations are available in the technical paper the researchers published. A link is available in the show notes to this episode.
(Bleeping Computer and iLeakage.com)
CISA protests potential 25% budget cut as “catastrophic”
This comes from Eric Goldstein, executive assistant director for cybersecurity at CISA, speaking at a House Homeland Security cybersecurity and infrastructure protection subcommittee hearing on federal cybersecurity, held Wednesday. The 25% cut to CISA’s budget has been proposed by House Republicans. Goldstein said that CISA will effectively be “in a period of stasis where even as our adversaries evolve,” adding that such cuts would make “federal networks more vulnerable to attacks from U.S. adversaries like Russia, China, Iran and North Korea.”
Surge in hyper-volumetric HTTP DDoS attacks
The threat landscape has entered a new chapter, says Cloudflare, noting that “the number of hyper-volumetric HTTP DDoS attacks recorded in the third quarter of 2023 surpasses every previous year.” This is according to a report that the company shared with Bleeping Computer. It says, “over 89 of these attacks exceeded 100 million requests per second (rps), and the largest one peaked at 201 million rps, three times larger than the previous record, which occurred in February 2023.” The report also explains that the increase in severity of these attacks is due to a new technique named ‘HTTP/2 Rapid Reset,’ which threat actors have leveraged as a zero-day since August 2023.
Google expands bug bounty program to include generative AI attacks
Google has announced an expansion of its Vulnerability Rewards Program to place greater focus on AI-based attacks. Its newly published guidelines seek to address the difficulties involved in determining the sources of data in extraction issues, as well as topics such as model manipulation and bias. Google also stated that it is “expanding our open source security work to make information about AI supply chain security universally discoverable and verifiable.”
(Engadget)
Seiko’s August ransomware attack lost 60,000 items
Following up on a story we brought you in August, the watchmaking company Seiko is now stating that the ransomware incident that occurred in that month has resulted in the breach of “60,000 items of personal data from customers, employees, business partners and job applicants.” The company says the items include basic customer PII (but not credit card information), standard contact information for parties involved in B2B operations, and job applicant information. The company is in the process of restoration and is making contact with all affected parties. BlackCat/ALPHV took credit for the August attack.
Grammarly fixes sign-in vulnerabilities
The writing and editing tool Grammarly has stated that it has fixed some user login vulnerabilities that were affecting its social sign-in service, which uses Open Authentication (OAuth), a common protocol. The company was alerted to the vulnerabilities by researchers at Salt Security. No Grammarly accounts were compromised. According to The Record, “Salt Labs, the security company’s research team, noted that thousands of other websites using widely seen social sign-in mechanisms are likely vulnerable to the same type of attack, putting billions of individuals around the globe at risk.”
Leica adds content credentials to camera technology
In an effort to compete with AI-generated issues and protect photographers’ intellectual property, camera manufacturer Leica has announced the inclusion of what it calls a “nutritional label” on images taken by the camera. This label contains metadata on images taken, with a digital signature that can be listed on its Content Credentials site. Participation with the Content Credentials feature is on an opt-in basis.
(ZDNet)
Microsoft’s Scattered Spider warning
Microsoft has described the group as “one of the most dangerous financial criminal groups,” pointing to its “operational fluidity and its ability to incorporate SMS phishing, SIM swapping, and help desk fraud into its attack model.” The group has been seen using impersonation techniques, with members posing as newly hired employees in its target firms in order to blend in. The group is also known by other names, including Octo Tempest, 0ktapus, Scatter Swine, and UNC3944.






