Buzzwords of the Day 9-27-2023

#This Week’s Buzzwords:

declare -a Buzzword = { "Net Neutrality", "AI/LLM", "Exploits"}

$Buzzword{0} = "Net Neutrality" - This might actually be a win!

This week the FCC announced plans to reinstate the Net Neutrality laws enacted in 2015 as a proactive measure to safeguard evenly distributed access to the internet by ISPs. In a nutshell, the concept of "neutrality" online (the 'net') is the idea that all web traffic is "created equal", in the sense of providing access across the internet. It means an ISP like Comcast, Verizon, etc. could not strike a deal with Netflix to provide its customers faster service to Netflix while slowing down their access to competitors like Hulu, Disney+, etc. These rules were established in the early 1990s and were only repealed in 2017 by Ajit Pai during the Trump Administration. The FCC's move to reinstate preexisting legislation protecting Net Neutrality is a tremendous win for consumers in a space where a small handful of CEOs have a tremendous influence over regulation.


$Buzzword{1} = "AI/LLM" - Co-Pilot for the Masses & Writers Winning!

As reported across the web this week, Microsoft pushed a hefty update to Windows 11 users chock-full of "AI" integration. MS Paint (yes, that MS Paint) now supports background removal and a 'smart' selection tool (similar to Photoshop's magic lasso). More noticeably, Windows 11 users can now access Microsoft's LLM "Co-Pilot" from a button on the taskbar. It opens a side panel and connects the user to a cloud server running the LLM. It offers helpful suggestions for user prompts and can launch some Windows services (like settings menus) from user input, requiring an on-screen click to confirm the action. While this additional input can frustrate users, it is important to note the immense security risks of allowing a cloud-based system access to granular settings/user control.

Linus Sebastian (of LinusTechTips) recently showcased the tool on his podcast, The WAN Show, and asked the tool to disable his WiFi. While it answered the initial question incorrectly (it opened the Settings page for Bluetooth control), it also explained that it does not have access to control hardware interaction such as disconnecting a network interface or running a *Non-Windows* application.

When I prompted it to open a third-party application installed on my system, Co-Pilot responded explaining they are unable to launch third-party apps for security, which was quickly removed from the chat window and replaced by "Hmm…let’s try a different topic. Sorry about that. What else is on your mind?". While it is a limited use case, I was able to reproduce this behavior by asking for a number of different third-party applications.*

To this user, Co-Pilot seems to fall somewhere between "Clippy" and what could be construed as a very rudimentary artificial assistant. Microsoft indicates on their notes that Co-Pilot can integrate the user's Outlook calendar and emails, and they are sure to push additional functionality moving forward.

*Note - these examples are experiential, anecdotal, and technically isolated; individual user results may vary.

~~~

With LLM assistants coming to practically every Windows 11 machine in operation (and promised future integration into the Microsoft 365 suite), the progress of the Writers Guild of America's strike towards protecting creators against corporate abuse of LLMs is a tremendous win. This technology is here to stay, and proper regulation of IP rights is necessary to properly integrate these models into workflows. Per details provided by WGA spokespeople, new protections will go into place safeguarding materials used to "train" LLMs and writer credits for scripts written with AI assistance. This is significant as, in this early stage of development, it is often impossible to discern between content uniquely generated by an LLM and content reproduced (perhaps with very slight edits) by the LLM. Ultimately, the dataset training these models will determine their viability, and the WGA's stance on offering the fruits of decades of labor for free is crystal clear - They're Not Gonna Take It.


$Buzzword{2} = "Exploits" - Wow, That's A Lot of Vulnerabilities

This was a busy week for Incident Response teams, starting at Sony Entertainment. Hackers dumped over 3GB of confidential data earlier this week; the current reported culprit is "RansomedVC" (though there are disputing claims of responsibility amongst hacktivist circles). Reportedly, the culprits have uploaded over stolen data from Sony's "internal network", which a leaked RansomedVC splash screen indicates is available for purchase, "due to sony not wanting to pay". Rival actor MajorNelson reportedly leaked the same/similar information (and claims RansomedVC is trying to steal credit for their work). Per BleepingComputer, the data leaked by both parties includes security certificates, a license generator for emulated titles, incident response/other internal policy, Sony's proprietary IP protection program (called 'qasop'), and more. These tools in particular, especially together, would make the process of emulating ('illegally' reproducing) Sony titles easier for any actors who are sufficiently motivated.

~~~

Shifting to hardware, proactive Team Red testers have developed a remarkable "proof-of-concept" exploit to hijack compressed image data processed by the end-user's GPU to reconstruct whole or partial screen images. The exploit leverages the Same Origin Policy (which allows websites to share origin data on an ad-hoc basis, such as logging into Website A using credentials from Social Media Site B), and reaches out to the end-user's GPU for information regarding the pixels it is displaying on the screen. This works because modern web browsers often compress pages with multiple data sources into a smaller number of elements (iframes). Upon accessing a malicious site through a Chromium*-based browser (i.e. Google Chrome, Microsoft Edge, etc.) the exploit begins exporting copies of the iframes containing pixels displayed by the GPU inside fields such as "username" or "password". While website coding often restricts automated or third-party access to these fields as text data, the GPU's only job is to render the pixels themselves. Security researchers and analysts were surprised at this exploit, as it opens up a new perspective into how hardware and software interact as technology evolves.

Note - this exploit appears to be isolated as a proof-of-concept developed by active 'team red' researchers, and does not appear to have been used to compromise any data as of yet. The exploit is a two-pronged attack, requiring both a software install on the target machine *and* for the infected machine to access a malicious site. Attack completion times appear to vary based on the device hardware (iGPU vs. dedicated GPU, varying display technology & compression schema, etc.) but Ars Technica reports average processing times of between 25 and 220 minutes for a successful attack (in their example, stealing the pixels displayed for a target user's Wikipedia credentials).

*It appears this exploit depends on Chromium-based communication protocols, which only means that attack vectors for alternative browsers have not been developed yet.

~~~

Even developers are not safe this week - BleepingComputer reports that hundreds of GitHub repos have been compromised by a bot-based attack (Dependabot). Per reports, the bot scans GitHub to find projects with vulnerabilities, issues a pull request, and injects malicious code into the project. The only problem? **There is a real Dependabot, and it's not this one.** The good news, from a security standpoint, is that the attack itself requires access to the end-user's access token (which is why safeguarding passwords, 2FA elements, or any personalized tokens is crucial). From reports and inspection of the malicious code, it appears "FakeDependaBot" injects a password-stealing snippet into all .js (JavaScript) files in the repository. For the most part, it seems these attacks have been concentrated in Indonesia, though the discovery of the exploit is a terrific reminder to protect any personalized access credentials stored on a local machine.
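One way to audit a repository for the impersonation described above, as an added example that is not from the original post or from GitHub: it parses `git log --name-only` output and flags commits attributed to Dependabot that touch files other than dependency manifests, such as .js sources. The log format string, the manifest allow-list and the sample log are assumptions made for this sketch.

```python
import fnmatch

# Assumed input: output of
#   git log --name-only --format='%x01%H%x1f%an%x1f%ae'
# (\x01 starts each commit record; \x1f separates hash, author name, email).

# Assumption: the files a dependency-update bot has a reason to change.
# Anything outside this list gets a human look.
MANIFEST_PATTERNS = [
    "package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
    "requirements*.txt", "Gemfile", "Gemfile.lock", "go.mod", "go.sum",
]

def is_manifest(path):
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, p) for p in MANIFEST_PATTERNS)

def parse_log(text):
    """Yield (sha, author_name, author_email, [paths]) per commit record."""
    for record in text.split("\x01")[1:]:
        lines = record.split("\n")
        sha, name, email = lines[0].split("\x1f")
        yield sha, name, email, [l for l in lines[1:] if l.strip()]

def suspicious_bot_commits(text):
    """Commits attributed to Dependabot that modify non-manifest files."""
    findings = []
    for sha, name, _email, paths in parse_log(text):
        # The author field is only a string the committer chose, so a
        # matching name proves nothing; it is the trigger for the check.
        if "dependabot" not in name.lower():
            continue
        odd = sorted(p for p in paths if not is_manifest(p))
        if odd:
            findings.append((sha, odd))
    return findings

# Constructed sample log (hashes, addresses and paths are made up).
SAMPLE_LOG = (
    "\x01aaa111\x1fdependabot[bot]\x1fbot@example.invalid\n\n"
    "package.json\npackage-lock.json\n"
    "\x01bbb222\x1fdependabot[bot]\x1fbot@example.invalid\n\n"
    "src/login.js\nsrc/util/form.js\npackage.json\n"
    "\x01ccc333\x1fAlice Dev\x1falice@example.invalid\n\n"
    "src/login.js\n"
)

if __name__ == "__main__":
    for sha, paths in suspicious_bot_commits(SAMPLE_LOG):
        print(f"review {sha}: bot-attributed commit touches {paths}")
```

A hit is a prompt to read the diff and to rotate any access token that could have authored the commit, not proof of compromise.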


JORT

Tinkerer, Linux enthusiast, data hoarder, dungeon master, cat parent, and learner of things.
