For the first time this year, it's back-to-back. Let's go!
Introduction
This week's review covers multiple domains that you can classify under the subject of computer security. These are the supposed "dangers" of Artificial intelligence, malware, users privacy, and software vulnerabilities. Get ready, because it looks tasty 😋.
Warning of AI’s danger, pioneer Geoffrey Hinton quits Google to speak freely
It's the year 2023, and it's the AI buzz, and now, notable people in tech fear that we're going too fast. One such person is Geoffrey Hinton who, recently, quit his job at Google to talk "freely" about Artificial Intelligence due to the rise of ChatGPT, and other Large Language Models (LLMs). The following excerpt is why you should read the article:
Hinton is also worried about a proliferation of false information in photos, videos, and text, making it difficult for people to discern what is true. He also fears that AI could upend the job market, initially complementing human workers but eventually replacing them in roles like paralegals, personal assistants, and translators who handle routine tasks.
Hinton's long-term worry is that future AI systems could threaten humanity as they learn unexpected behavior from vast amounts of data.
LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads
Do not trust every Google ads that you see out there, and sure, that's not an exaggeration. In this article, the researchers discovered that "LOBSHOT" spreads via rogue advertisements for legitimate applications. That means you should think twice before clicking the advert link for that software that you longed for. Want more convincing? Read the following excerpt:
Once installed, it makes Windows Registry changes to set up persistence and siphons data from over 50 cryptocurrency wallet extensions present in web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox.
Hackers Promise AI, Install Malware Instead
It's the season of ChatGPT and other Generative AI but be careful on any software that promises to be ChatGPT or other AI tools. Although this story is about Facebook, it can occur on any platform or social media. And here is why:
Over the course of the past month, security analysts with the social-media giant have found malicious software posing as ChatGPT or similar AI tools, chief information security officer Guy Rosen said in a briefing.
Meta has seen “threat actors” hawk internet browser extensions that promise generative AI capabilities but contain malicious software designed to infect devices, according to Rosen.
Apple and Google Join Forces to Stop Unauthorized Location-Tracking Devices
If you don't authorize it, then it should not know your location. That's what two tech giants have teamed up to do and the implementation might land before the end of 2023. The following excerpt has more:
The goal is to standardize the alerting mechanisms and minimize opportunities for misuse across Bluetooth location-tracking devices from different vendors. To that end, Samsung, Tile, Chipolo, eufy Security, and Pebblebee have all come on board.
Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads
Malware can be stealthy but, somehow, the "good" guys always fish them out. That's the case of the "Fleckpe" malware that appears as an innocent-looking application and managed over 600,000 downloads from the Play Store. It's scary because of the following:
The payload, for its part, is designed to contact a remote server and transmit information about the compromised device (e.g., Mobile Country Code and Mobile Network Code), following which the server responds back with a paid subscription page.
The malware subsequently opens the page in an invisible web browser window and attempts to subscribe on the user's behalf by abusing its permissions to access notifications and obtain the confirmation code required to complete the step.
Android Security Update Patches Kernel Vulnerability Exploited by Spyware Vendor
Patch! Patch!! Patch!!! That's it. But why? 🤨 Here is why 👇:
A vast majority of the security holes have been assigned a ‘high severity’ rating and they can be exploited for privilege escalation, DoS attacks, and information disclosure.
WordPress custom field plugin bug exposes over 1M sites to XSS attacks
If you're using "Advanced Custom Fields" or "Advanced Custom Fields Pro", you should update to the latest version, immediately. The following excerpt will convince you why this is important:
The CVE-2023-30777 flaw stems from the 'admin_body_class' function handler, which failed to properly sanitize the output value of a hook that controls and filters the CSS classes (design and layout) for the main body tag in the admin area of WordPress sites.
An attacker can leverage an unsafe direct code concatenation on the plugin's code, specifically the '$this→view' variable, to add harmful code (DOM XSS payloads) in its components that will pass to the final product, a class string.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.