Tag Archive for: disturbing

Wallarm highlights disturbing trends in API security threats

Wallarm has released its Q3 2023 API ThreatStats report, which sheds light on the escalating threats targeting APIs and reveals vulnerabilities that have impacted industry giants such as Netflix, VMware, and SAP.

The report’s revamped ‘Top 10 API Security Threats’ compilation outlines 239 vulnerabilities discovered during the quarter, with injections taking the lead.

Injections involve inserting malicious data or code into APIs, leading to unauthorised access and data breaches. Notably, SQL and XML-based attacks were prevalent, underscoring the importance of robust security measures to prevent such breaches.

Thirty-three percent of the vulnerabilities (79 out of 239) were linked to authentication, authorisation, and access control (AAA). Well-established safeguards such as OAuth, single sign-on (SSO), and JSON Web Token (JWT) were compromised in high-profile organisations like Sentry and WordPress.

Sentry, for its part, faced incorrect credential validation—potentially exposing developers’ projects to unauthorised access. WordPress suffered from broken authentication in a plugin, leaving millions of users’ data vulnerable to theft.

The report also spotlighted the concerning rise in API data leaks, which ranked fourth on the list of security threats. Complex tech stacks have made these leaks more prevalent, with Netflix, VMware, and SAP falling victim.

Ivan Novikov, CEO of Wallarm, urged business leaders and cybersecurity professionals to acknowledge the gravity of these threats:

“Whether caused by malicious actors or internal carelessness, this report is a wake-up call for business leaders and cybersecurity professionals to include protection against threats to APIs and other leaks in their product security programs.

Established security frameworks, like OWASP API Security Top-10, are one way to get started but have limitations in addressing today’s complex API security needs.

This real-time data-driven threat list complements and extends the OWASP framework by identifying unaddressed threats and vulnerabilities, enhancing overall security posture.”

Wallarm’s report serves as a wake-up call, urging…


Disturbing trend of malware being spread to Android devices through fake alerts

Malicious actors have once again found a new way to exploit unsuspecting victims. Recently, Italian cybersecurity researchers at D3Labs uncovered a disturbing trend of malware being spread to Android devices through fake volcano eruption alerts. These criminals are exploiting IT-Alert, a public alert service used by the Italian government to disseminate crucial information during emergencies.

Deceptive Strategy

To lure unsuspecting victims into downloading malicious software, the cybercriminals created a deceptive website that mimicked the IT Alert service. This fake website warned users about the possibility of volcanic eruptions and the potential for a national earthquake, and urged visitors to download an app that would help them monitor the situation in their region. Importantly, this ruse was directed exclusively at Android users: the website redirected to the real IT Alert website when accessed from a desktop browser or an iOS device.


Malicious Payload

Once a user fell for this trick and clicked the download button, a file labeled “IT-Alert.apk” was downloaded to their device. This innocuous-seeming file, however, contained the SpyNote malware. SpyNote is a notorious malware strain known for targeting financial institutions, and it is typically sold via Telegram by its creator, who goes by the alias CypherRat.

Infiltrating User Devices

After the malware is installed, it prompts the user to grant the app permission to run in the background. This seemingly innocent request opens the door to the attackers gaining full control over the victim’s smartphone by abusing Android’s accessibility services. With this control, they can monitor, manage, and even modify the device’s resources and features, and enable remote access capabilities.

This insidious technique also makes it incredibly difficult for victims to uninstall the application, update already installed apps, or install new ones, further complicating removal of the malware.

Spying and Data Theft

SpyNote’s capabilities are vast and invasive. It can independently manipulate…


The 5 most disturbing ways AI is currently being used

Artificial Intelligence — it’s brilliant, isn’t it? I love AI so much I want ChatGPT to adopt me and tell me it’s proud. That’s the kind of innocent wholesome experience I want with AI, anyway. Unlike most of the disturbing things your average rotter would get up to if given the chance.

And that’s the problem, they have had the chance. In fact, at this very minute, beyond the surface layer applications of AI being used in software like Midjourney or Meta MusicGen to make us all feel like Pablo Picasso or Rick Rubin, there are nefarious forces at play doing all sorts of wrong with the same tech that powers even Microsoft’s lovable AI chatbot, Bing Chat.


Southern District of Texas | Gymnastics coach gets max in disturbing child pornography case

GALVESTON, Texas – A 55-year-old McKinney resident has been sentenced to 20 years in prison for transportation of child pornography, announced U.S. Attorney Alamdar S. Hamdani.

Darren Frank McCoy pleaded guilty Dec. 1, 2022, admitting he was previously a gymnastics and cheerleading coach in Texas and Alabama. He had recorded teens in various stages of undress without their knowledge or consent and had unlawfully transported those images and videos, as well as disturbing images of child pornography.

Today U.S. District Judge Jeffery V. Brown ordered him to serve a total of 240 months in federal prison, to be immediately followed by 10 years of supervised release. At the hearing, the court heard from one woman whom McCoy recorded while she was a minor. She discussed how her life has been seriously impacted by McCoy’s conduct, describing how he stole her childhood experiences without her even knowing it, and that she feels rage, anger, sadness and a lack of empathy toward him. Another victim described how McCoy sexually abused her from the time she was 12 until the age of 18. She detailed how she suffers from post-traumatic stress disorder and anxiety. McCoy was a gymnastics coach to both of these women.

“Darren McCoy is the definition of a predator,” said Hamdani. “We encourage our children to engage in sports, believing that they will be safe when doing so. Instead, these athletes were betrayed. This so-called coach surreptitiously recorded teens and sexually abused a minor for several years. Hopefully, knowing the only bars he will see now are behind a federal prison cell will give his victims some long-awaited peace.”

On Nov. 30, 2019, McCoy had been aboard a cruise ship that docked at the Galveston Port of Entry. Authorities sent him to secondary inspection after learning of a prior child pornography investigation from 2015.

There, they found images of child pornography on his laptop, which led them to seize other electronic devices, including his phone, which also yielded numerous pornographic images.

They also found nine videos on McCoy’s flash drive which appeared to be taken with a hidden camera. These videos, which appeared to be taken approximately a decade…
