×
Security

Schneider Electric Ransomware Crew Demands $125k Paid in Baguettes (theregister.com) 22

Schneider Electric confirmed that it is investigating a breach as a ransomware group Hellcat claims to have stolen more than 40 GB of compressed data -- and demanded the French multinational energy management company pay $125,000 in baguettes or else see its sensitive customer and operational information leaked. The Register: And yes, you read that right: payment in baguettes. As in bread. Schneider Electric declined to answer The Register's specific questions about the intrusion, including if the attackers really want $125,000 in baguettes or if they would settle for cryptocurrency.

A spokesperson, however, emailed us the following statement: "Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment. Our Global Incident Response team has been immediately mobilized to respond to the incident.âSchneider Electric's products and services remain unaffected."

Google

Google's Big Sleep LLM Agent Discovers Exploitable Bug In SQLite (scworld.com) 35

spatwei writes: Google has used a large language model (LLM) agent called "Big Sleep" to discover a previously unknown, exploitable memory flaw in a widely used software for the first time, the company announced Friday.

The stack buffer underflow vulnerability in a development version of the popular open-source database engine SQLite was found through variant analysis by Big Sleep, which is a collaboration between Google Project Zero and Google DeepMind.

Big Sleep is an evolution of Project Zero's Naptime project, which is a framework announced in June that enables LLMs to autonomously perform basic vulnerability research. The framework provides LLMs with tools to test software for potential flaws in a human-like workflow, including a code browser, debugger, reporter tool and sandbox environment for running Python scripts and recording outputs.

The researchers provided the Gemini 1.5 Pro-driven AI agent with the starting point of a previous SQLIte vulnerability, providing context for Big Sleep to search for potential similar vulnerabilities in newer versions of the software. The agent was presented with recent commit messages and diff changes and asked to review the SQLite repository for unresolved issues.

Google's Big Sleep ultimately identified a flaw involving the function "seriesBestIndex" mishandling the use of the special sentinel value -1 in the iColumn field. Since this field would typically be non-negative, all code that interacts with this field must be designed to handle this unique case properly, which seriesBestIndex fails to do, leading to a stack buffer underflow.

Security

Inside the Massive Crime Industry That's Hacking Billion-Dollar Companies (wired.com) 47

Cybercriminals have breached dozens of major companies including AT&T, Ticketmaster and Hot Topic by exploiting "infostealer" malware that harvests login credentials from infected computers, an investigation has found. The malware, spread through pirated software and social media, has infected 250,000 new devices daily, according to cybersecurity firm Recorded Future. Russian developers create the malware while contractors distribute it globally, deliberately avoiding former Soviet states. Hot Topic suffered potentially the largest retail hack ever in October when attackers accessed 350 million customer records using stolen developer credentials. Google and Microsoft are racing to patch vulnerabilities, but malware makers quickly adapt to new security measures.
IT

What Happened After Remote Workers Were Offered $10,000 to Move to Tulsa? (seattletimes.com) 115

Five years ago remote workers were offered $10,0000 to move to Tulsa, Oklahoma for at least a year. Since then roughly 3,300 have accepted the offer, according to the New York TImes. [Alternate URL here.] But more importantly, now researchers are looking at the results: Their research, released this month, surveyed 1,248 people — including 411 who had participated in Tulsa Remote and others who were accepted but didn't move or weren't accepted but had applied to the program — and found that remote workers who moved to Tulsa saved an average of $25,000 more on annual housing costs than the group that was chosen but didn't move... Nearly three-quarters of participants who have completed the program are still living in Tulsa. The program brings them together for farm-to-table dinners, movie nights and local celebrity lectures to help build community, given that none have offices to commute to.
The article says every year the remote workers contribute $14.9 million in state income taxes and $5.8 million in sales taxes (more than offsetting the $33 million spent over the last five years). And additional benefits could be even greater. "We know that for every dollar we've spent on the incentive, there's been about a $13 return on that investment to the city," the program's managing director told Fortune — pointing out that the remote workers have an average salary of $100,000. (500 of the 3,300 even bought homes...)

The Tulsa-based George Kaiser Family Foundation — which provides the $10,000 awards — told the New York Times it will continue funding the program "so long as it demonstrates to be a community-enhancing opportunity." And with so much of the population now able to work remotely, the lead author on the latest study adds that "Every heartland mayor should pay attention to this..."
United States

Millions of U.S. Cellphones Could Be Vulnerable to Chinese Government Surveillance (washingtonpost.com) 73

Millions of U.S. cellphone users could be vulnerable to Chinese government surveillance, warns a Washington Post columnist, "on the networks of at least three major U.S. carriers."

They cite six current or former senior U.S. officials, all of whom were briefed about the attack by the U.S. intelligence community. The Chinese hackers, who the United States believes are linked to Beijing's Ministry of State Security, have burrowed inside the private wiretapping and surveillance system that American telecom companies built for the exclusive use of U.S. federal law enforcement agencies — and the U.S. government believes they likely continue to have access to the system.... The U.S. government and the telecom companies that are dealing with the breach have said very little publicly about it since it was first detected in August, leaving the public to rely on details trickling out through leaks...

The so-called lawful-access system breached by the Salt Typhoon hackers was established by telecom carriers after the terrorist attacks of Sept. 11, 2001, to allow federal law enforcement officials to execute legal warrants for records of Americans' phone activity or to wiretap them in real time, depending on the warrant. Many of these cases are authorized under the Foreign Intelligence Surveillance Act (FISA), which is used to investigate foreign spying that involves contact with U.S. citizens. The system is also used for legal wiretaps related to domestic crimes.

It is unknown whether hackers were able to access records about classified wiretapping operations, which could compromise federal criminal investigations and U.S. intelligence operations around the world, multiple officials told me. But they confirmed the previous reporting that hackers were able to both listen in on phone calls and monitor text messages. "Right now, China has the ability to listen to any phone call in the United States, whether you are the president or a regular Joe, it makes no difference," one of the hack victims briefed by the FBI told me. "This has compromised the entire telecommunications infrastructure of this country."

The Wall Street Journal first reported on Oct. 5 that China-based hackers had penetrated the networks of U.S. telecom providers and might have penetrated the system that telecom companies operate to allow lawful access to wiretapping capabilities by federal agencies... [After releasing a short statement], the FBI notified 40 victims of Salt Typhoon, according to multiple officials. The FBI informed one person who had been compromised that the initial group of identified targets included six affiliated with the Trump campaign, this person said, and that the hackers had been monitoring them as recently as last week... "They had live audio from the president, from JD, from Jared," the person told me. "There were no device compromises, these were all real-time interceptions...." [T]he duration of the surveillance is believed to date back to last year.

Several officials told the columnist that the cyberattack also targetted senior U.S. government officials and top business leaders — and that even more compromised targets are being discovered. At this point, "Multiple officials briefed by the investigators told me the U.S. government does not know how many people were targeted, how many were actively surveilled, how long the Chinese hackers have been in the system, or how to get them out."

But the article does include this quote from U.S. Senate Intelligence Committee chairman Mark Warner. "It is much more serious and much worse than even what you all presume at this point."

One U.S. representative suggested Americans rely more on encrypted apps. The U.S. is already investigating — but while researching the article, the columnist writes, "The National Security Council declined to comment, and the FBI did not respond to a request for comment..." They end with this recommendation.

"If millions of Americans are vulnerable to Chinese surveillance, they have a right to know now."
AI

AI Bug Bounty Program Finds 34 Flaws in Open-Source Tools (scworld.com) 23

Slashdot reader spatwei shared this report from SC World: Nearly three dozen flaws in open-source AI and machine learning (ML) tools were disclosed Tuesday as part of [AI-security platform] Protect AI's huntr bug bounty program.

The discoveries include three critical vulnerabilities: two in the Lunary AI developer toolkit [both with a CVSS score of 9.1] and one in a graphical user interface for ChatGPT called Chuanhu Chat. The October vulnerability report also includes 18 high-severity flaws ranging from denial-of-service to remote code execution... Protect AI's report also highlights vulnerabilities in LocalAI, a platform for running AI models locally on consumer-grade hardware, LoLLMs, a web UI for various AI systems, LangChain.js, a framework for developing language model applications, and more.

In the article, Protect AI's security researchers point out that these open-source tools are "downloaded thousands of times a month to build enterprise AI Systems."

The three critical vulnerabilties have already been addressed by their respective companies, according to the article.
Security

Is AI-Driven 0-Day Detection Here? (zeropath.com) 25

"AI-driven 0-day detection is here," argues a new blog post from ZeroPath, makers of a GitHub app that "detects, verifies, and issues pull requests for security vulnerabilities in your code."

They write that AI-assisted security research "has been quietly advancing" since early 2023, when researchers at the DARPA and ARPA-H's Artificial Intelligence Cyber Challenge demonstrated the first practical applications of LLM-powered vulnerability detection — with new advances continuing. "Since July 2024, ZeroPath's tool has uncovered critical zero-day vulnerabilities — including remote code execution, authentication bypasses, and insecure direct object references — in popular AI platforms and open-source projects." And they ultimately identified security flaws in projects owned by Netflix, Salesforce, and Hulu by "taking a novel approach combining deep program analysis with adversarial AI agents for validation. Our methodology has uncovered numerous critical vulnerabilities in production systems, including several that traditional Static Application Security Testing tools were ill-equipped to find..." TL;DR — most of these bugs are simple and could have been found with a code review from a security researcher or, in some cases, scanners. The historical issue, however, with automating the discovery of these bugs is that traditional SAST tools rely on pattern matching and predefined rules, and miss complex vulnerabilities that do not fit known patterns (i.e. business logic problems, broken authentication flaws, or non-traditional sinks such as from dependencies). They also generate a high rate of false positives.

The beauty of LLMs is that they can reduce ambiguity in most of the situations that caused scanners to be either unusable or produce few findings when mass-scanning open source repositories... To do this well, you need to combine deep program analysis with an adversarial agents that test the plausibility of vulnerabilties at each step. The solution ends up mirroring the traditional phases of a pentest — recon, analysis, exploitation (and remediation which is not mentioned in this post)...

AI-driven vulnerability detection is moving fast... What's intriguing is that many of these vulnerabilities are pretty straightforward — they could've been spotted with a solid code review or standard scanning tools. But conventional methods often miss them because they don't fit neatly into known patterns. That's where AI comes in, helping us catch issues that might slip through the cracks.

"Many vulnerabilities remain undisclosed due to ongoing remediation efforts or pending responsible disclosure processes," according to the blog post, which includes a pie chart showing the biggest categories of vulnerabilities found:
  • 53%: Authorization flaws, including roken access control in API endpoints and unauthorized Redis access and configuration exposure. ("Impact: Unauthorized access, data leakage, and resource manipulation across tenant boundaries.")
  • 26%: File operation issues, including directory traversal in configuration loading and unsafe file handling in upload features. ("Impact: Unauthorized file access, sensitive data exposure, and potential system compromise.")
  • 16%: Code execution vulnerabilities, including command injection in file processing and unsanitized input in system commands. ("Impact: Remote code execution, system command execution, and potential full system compromise.")

The company's CIO/cofounder was "former Red Team at Tesla," according to the startup's profile at YCombinator, and earned over $100,000 as a bug-bounty hunter. (And another co-founded is a former Google security engineer.)

Thanks to Slashdot reader Mirnotoriety for sharing the article.


Security

Okta Fixes Login Bypass Flaw Tied To Lengthy Usernames 32

Identity management firm Okta said Friday it has patched a critical authentication bypass vulnerability that affected customers using usernames longer than 52 characters in its AD/LDAP delegated authentication service.

The flaw, introduced on July 23 and fixed October 30, allowed attackers to authenticate using only a username if they had access to a previously cached key. The bug stemmed from Okta's use of the Bcrypt algorithm to generate cache keys from combined user credentials. The company switched to PBKDF2 to resolve the issue and urged affected customers to audit system logs.
Security

Inside a Firewall Vendor's 5-Year War With the Chinese Hackers Hijacking Its Devices (wired.com) 33

British cybersecurity firm Sophos revealed this week that it waged a five-year battle against Chinese hackers who repeatedly targeted its firewall products to breach organizations worldwide, including nuclear facilities, military sites and critical infrastructure. The company told Wired that it traced the attacks to researchers in Chengdu, China, linked to Sichuan Silence Information Technology and the University of Electronic Science and Technology.

Sophos planted surveillance code on its own devices used by the hackers, allowing it to monitor their development of sophisticated intrusion tools, including previously unseen "bootkit" malware designed to hide in the firewalls' boot code. The hackers' campaigns evolved from mass exploitation in 2020 to precise attacks on government agencies and infrastructure across Asia, Europe and the United States. Wired story adds: Sophos' report also warns, however, that in the most recent phase of its long-running conflict with the Chinese hackers, they appear more than ever before to have shifted from finding new vulnerabilities in firewalls to exploiting outdated, years-old installations of its products that are no longer receiving updates. That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices, and security vendors need to be clear with customers about the end-of-life dates of those machines to avoid letting them become unpatched points of entry onto their network. Sophos says it's seen more than a thousand end-of-life devices targeted in just the past 18 months.

"The only problem now isn't the zero-day vulnerability," says Levy, using the term "zero-day" to mean a newly discovered hackable flaw in software that has no patch. "The problem is the 365-day vulnerability, or the 1,500-day vulnerability, where you've got devices that are on the internet that have lapsed into a state of neglect."

Windows

Want To Keep Getting Windows 10 Updates? It'll Cost You $30 (pcworld.com) 95

With Windows 10 support set to expire on October 14, 2025, Microsoft is offering a one-time, one-year Extended Security Updates plan for consumers. "For $30, you'll receive 'critical' and 'important' security updates -- basically security patches that will continue to protect your Windows 10 PC from any vulnerabilities," reports PCWorld. "That $30 is for one year's worth of updates, and that's the only option at this time." From the report: Microsoft has been warning users for years that Windows 10 support will expire in 2025, specifically October 14, 2025. At that point, Windows 10 will officially fall out of support: there will be no more feature updates or security patches. On paper, that would mean that any Windows 10 PC will be at risk of any new vulnerabilities that researchers uncover.

Previously, Microsoft had quietly hinted that consumers would be offered the same ESU protections offered to businesses and enterprises, as it did in December 2023 and again in an "editor's note" shared in an April 2024 support post, in which the company said that "details will be shared at a later date for consumers." That time is now, apparently.

Back in December 2023, Microsoft offered the ESU on an annual basis to businesses for three years, one year at a time. The fees would double each year, charging businesses hundreds of dollars for the privilege. Consumers won't be offered the same deal, as a Microsoft representative said via email that it'll be a "one-time, one-year option for $30."

Canada

Chinese Attackers Accessed Canadian Government Networks For Five Years (theregister.com) 11

Canada's Communications Security Establishment (CSE) revealed a sustained cyber campaign by the People's Republic of China, targeting Canadian government and private sector networks over the past five years. The report also flagged India, alongside Russia and Iran, as emerging cyber threats. The Register reports: The biennial National Cyber Threat Assessment described the People's Republic of China's (PRC) cyber operations against Canada as "second to none." Their purpose is to "serve high-level political and commercial objectives, including espionage, intellectual property (IP) theft, malign influence, and transnational repression." Over the past four years, at least 20 networks within Canadian government agencies and departments were compromised by PRC cyber threat actors. The CSE assured citizens that all known federal government compromises have been resolved, but warned that "the actors responsible for these intrusions dedicated significant time and resources to learn about the target networks."

The report also alleges that government officials -- particularly those perceived as being critical of the Chinese Communist Party (CCP) -- were attacked. One of those attacks includes an email operation against members of Interparliamentary Alliance on China. The purpose of the cyber attacks is mainly to gain information that would lead to strategic, economic, and diplomatic advantages. The activity appears to have intensified following incidents of bilateral tension between Canada and the PRC, after which Beijing apparently wanted to gather timely intelligence on official reactions and unfolding developments, according to the report. Canada's private sector is also in the firing line, with the CSE suggesting "PRC cyber threat actors have very likely stolen commercially sensitive data from Canadian firms and institutions." Operations that collect information that could support the PRC's economic and military interests are priority targets.

Microsoft

Microsoft Delays Recall Again (theverge.com) 47

Microsoft is once again delaying the roll out of its controversial Recall feature for Copilot Plus PCs. From a report: The software giant had planned to start testing Recall, which creates screenshots of mostly everything you see or do on a Copilot Plus PC, with Windows Insiders in October. Now, Microsoft says it needs more time to get the feature ready.

"We are committed to delivering a secure and trusted experience with Recall. To ensure we deliver on these important updates, we're taking additional time to refine the experience before previewing it with Windows Insiders," says Brandon LeBlanc, senior product manager of Windows, in a statement to The Verge. "Originally planned for October, Recall will now be available for preview with Windows Insiders on Copilot Plus PCs by December."

IT

300% Price Hikes Push Disgruntled VMware Customers Toward Broadcom Rivals (arstechnica.com) 123

After closing a $69 billion deal to buy virtualization technology company VMware a year ago, Broadcom wasted no time ushering in big changes to the ways customers and partners buy and sell VMware offerings -- and many of those clients aren't happy. ArsTechnica: To get a deeper look at the impact that rising costs and overhauls like the end of VMware perpetual license sales have had on VMware users, Ars spoke with several companies in the process of quitting the software due to Broadcom's changes. Here's what's pushing them over the edge.

For some, VMware prices more than tripled under Broadcom Broadcom closed its VMware acquisition in November 2023, and by December 2023, the company announced that it would stop selling perpetual VMware licenses. VMware products were previously sold under 8,000 SKUs, but they have now been combined into a few bundle packages. Additionally, higher CPU core requirements per CPU subscription have made VMware more expensive for some reseller partners.

"As on-premises virtualization projects move from [enterprise license agreements] and perpetual licenses to new bundling, socket-to-core ratios, and consumption models, the costs and pricing can increase two or three times," Gartner's 2024 Hype Cycle for Data Center Infrastructure Technologies report that released in June reads. Numerous VMware customers I spoke with said their VMware costs rose 300 percent after Broadcom's takeover. Some companies have cited even higher price hikes -- including AT&T, which claimed that Broadcom proposed a 1,050 percent price hike. AT&T is suing Broadcom over perpetual license support and says it has looked into VMware alternatives.

Canada

Canada Predicts Hacking From India as Diplomatic Feud Escalates (bloomberg.com) 96

Canada is bracing for Indian government-backed hacking as the two nations' diplomatic relationship nosedives to its lowest ebb in a generation. From a report: "We judge that official bilateral relations between Canada and India will very likely drive Indian state-sponsored cyber threat activity against Canada," the Canadian Centre for Cyber Security said in its annual threat report published Wednesday, adding that such hackers are probably already conducting cyber-espionage.

This month, Prime Minister Justin Trudeau's cabinet and Canadian police have ramped up a remarkable campaign of public condemnations against India, accusing Narendra Modi's officials of backing a wave of violence and extortion against Canadians on Canadian soil -- particularly those who agitate for carving out a separate Sikh state in India called Khalistan. India has rejected the accusations and believes some Khalistan activists to be terrorists harbored by Canada.

Security

Fired Employee Allegedly Hacked Disney World's Menu System to Alter Peanut Allergy Information (404media.co) 135

An anonymous reader shares a report: A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World's restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.

The suspect in the case, Michael Scheuer, broke into a proprietary menu creation and inventory system that was developed by a third-party company exclusively for Disney and is used to print menus for its restaurants, the complaint alleges. The complaint alleges he did this soon after being fired by Disney using passwords that he still had access to on several different systems. Once inside the systems, he allegedly altered menus and, in once case, broke the software for several weeks.

"The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies," the criminal complaint states. According to the complaint, the menus were caught by Disney after they were printed but before they were distributed to Disney restaurants. Disney's menus have extensive "allergy friendly" sections.

Slashdot Top Deals