Vulnerability Prioritization In The Real World – PSW #858
Andy Jaquith joins us to discuss how to prioritize vulnerabilities and remediation in the real world, including asset management and more! In the security news: ESP32s in the wild and security, Google OAuth flaw, DDoS targets, Ban on auto components, Bambu firmware updates, Silk Road founder is free, one last cybersecurity executive order, US Treasury hack update, MITRE launches a new program to deal with naming things, and educational content on Pornhub? (not what you think, it's SFW!)
Announcements
Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Guest
Andy Jaquith is the Managing Director of Markerbench. His 25-year career as a CISO, executive, and cyber practitioner spans startups (with two successful exits), Fortune 100s, global financial services firms, and AMLAW 50 firms. He has managed a broad spectrum of technology and cyber risk areas and is a trusted advisor to customers, staff, and boards.
Prior to Markerbench, Andy was the global Chief Information Security Officer (CISO) for Covington & Burling LLP, a $1.5B AMLAW 50 firm with 14 offices globally. His prior experience includes serving as the CISO of QOMPLX, Inc, a cyber-security startup focused on critical enterprise infrastructure. He was the global Cyber Security Operational Risk Officer for JP Morgan Chase, and was a Managing Director for Technology Risk Measurement and Analytics at Goldman Sachs. Andy’s earlier roles include serving as Chief Technology Officer (CTO) of the managed security services provider SilverSky. He has held senior security analyst roles at Forrester Research and Yankee Group, and was a co-founder of @stake, a pioneering cyber-security consultancy. Andrew wrote [the book on security metrics](https://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989) (“Security Metrics: Replacing Fear, Uncertainty and Doubt”), used by a generation of risk professionals to connect security to the corner office.
Andy graduated from Yale University with a BA in Economics and Political Science. He lives with his family in New York.
Hosts
- 1. CERT/CC Vulnerability Note VU#199397
- 2. SonicWall CVE-2024-53704: SSL VPN Session Hijacking
- 3. Practical Methods for Decapping Chips
- 4. Windows BitLocker — Screwed without a Screwdriver
- 5. Exploring WinRM plugins for lateral movement – FalconForce
- 6. Intune Attack Paths — Part 1
- 7. Tarbomb Denial of Service via Path Traversal
- 8. This Week In Security: Rsync, SSO, And Pentesting Mushrooms
- 9. Millions of Accounts Vulnerable due to Google’s OAuth Flaw
This was presented at Shmoocon 2025, and is very scary. The high level is: "Here’s the issue: If a service (e.g., Slack) relies solely on these two claims, ownership changes to the domain won’t look any different to Slack. When someone buys the domain of a defunct company, they inherit the same claims, granting them access to old employee accounts." - So, registering domains of expired startups, then creating a G-Suite account for them, then authenticating via OAuth to services, gets you access to services that were once used by the startup. The fix has to be implemented by Google, and they claim this is not an issue at the moment. WTH?
- 10. Zero Day Initiative — Reviewing the Attack Surface of the Autel MaxiCharger: Part One
The ESP32 is used for BT communications on this board. The article did not go into how, or if, the ESP32 is protected in any way (e.g. Secure Boot, which is available on the ESP32 platform). I'm curious if any protections were put in place on this chip, or the firmware. I'm also curious if you can pull the firmware off the ESP32 chip and reverse it to see what lies inside, that is, if it is not encrypted (which is possible as well: https://github.com/PBearson/ESP32FlashEncryption_Tutorial). The ESP32 only has 4 eFuse blocks available, which gets pretty limiting if you need to rotate a key...
- 11. Security Bulletin: NVIDIA GPU Display Driver – January 2025
Ah, everyone's favorite task, updating your NVIDIA display driver! The highest CVSS score is 7.1: "NVIDIA GPU display driver for Windows and Linux contains a vulnerability where data is written past the end or before the beginning of a buffer. A successful exploit of this vulnerability might lead to information disclosure, denial of service, or data tampering."
- 12. IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024
It's interesting to look at some of the data from this botnet analysis: The top industries targeted include telecommunications (people's routers?), and the top models of IoT devices are TP-Link and Zyxel.
- 13. US Ban on Auto Components Could Curb Supply Chain
"Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources." - I'm not certain if that also includes hardware components, but let's just say that it does as the 213-page mandate talks about hardware A LOT (https://www.federalregister.gov/documents/2025/01/16/2025-00592/securing-the-information-and-communications-technology-and-services-supply-chain-connected-vehicles). How are companies going to comply with this mandate? A better solution: let's put in place exhaustive checks on the supply chain so we can source from anywhere, but validate the results. Hardware and software (firmware too) can come from anywhere, and any of it can have supply chain security impacts. Rather than banning sources of hardware/firmware/software, we must be checking all of it!
- 14. Bambu Firmware Update Introducing New Authorization Control System
People are up in arms about this one. Statement from Bambu: "These updates will introduce authorization controls that require official authorization for critical printer operations. Furthermore, unauthorized third-party software will be prohibited from executing critical operations." - I believe people are worked up over nothing on this one... I believe it impacts people using 3rd party slicers (I find Bambu Studio to work just fine). I am curious, though I do not believe so, if it impacts xTouch (which I was planning on implementing). More info: https://www.tomshardware.com/3d-printing/bambu-lab-security-update-will-remove-orcaslicers-access
- 15. Silk Road creator Ross Ulbricht pardoned from life sentences
How does everyone feel about this?
- 1. Biden’s Final Cybersecurity EO Could Put Demands on MSSPs
The EO touches on many of the topics that we discuss regularly, particularly last week. Nation state threats (e.g. China, Russia, Ethiopia); AI, Quantum computing; SW supply chain; secure-by-design; and regulatory SW security requirements.
- 2. Strengthening and Promoting Innovation in the Nation’s Cybersecurity
A Presidential Document by the Executive Office of the President on 01/17/2025.
- 3. Chinese hackers accessed Yellen’s computer in US Treasury breach, Bloomberg News reports
U.S. Treasury Secretary Janet Yellen's computer was hacked and unclassified files were accessed as part of a broader breach of the Treasury Department by Chinese state-sponsored hackers.
- 4. HPE probes hacker claim involving trove of sensitive company data
The allegedly stolen data includes private GitHub repositories, Docker builds, source code and other information.
- 5. Students, Educators Impacted by PowerSchool Data Breach
The data breach led to personal information such as names, contact details, dates of birth, medical information, Social Security numbers, and other related information being compromised. According to the company, no credit card or banking information was affected. So, just PPI data...nothing to see here.
- 6. MITRE Launches D3FEND 1.0 – A Milestone in Cybersecurity Ontology
First, I'll save you the googling... on·tol·o·gy /änˈtäləjē/ noun: ontology; plural noun: ontologies. 1. the branch of metaphysics dealing with the nature of being. 2. a set of concepts and categories in a subject area or domain that shows their properties and the relations between them.
MITRE released D3FEND™ 1.0, a cybersecurity ontology designed to standardize vocabulary for employing techniques to counter malicious cyber threats. Funded by the National Security Agency and OUSD, D3FEND 1.0 aims to provide a stable, extensible, and integration-friendly framework for cybersecurity operations and strategic decision-making.
Standardize vocabulary... BRILLIANT!
- 1. Why This OnlyFans Model Posts Machine Learning Explainers to Pornhub
Zara Dar’s six-minute explainer video “So what are Integrals?” has a little over half a million views with 450 likes and an 87 percent positive “thumbs up” review rate.
- 2. Tiny insect-like robot can flip, loop and hover for up to 15 minutes
A flying robot the size of a postage stamp can hover for up to 15 minutes without breaking, and it can perform acrobatic manoeuvres. However, the robot is currently unable to fly untethered, as the team have yet to miniaturise a power source and the electronics that control it – though they hope to improve this with future designs.
- 3. I spent hours testing ChatGPT Tasks – and its refusal to follow directions was mildly terrifying
I tried to get ChatGPT to give me current news stories and sources. Sometimes, it just made them up. Sometimes, it gave me sources and stories from a year ago. Sometimes it cited stories that supposedly came from one site but came from completely different sites. Some links that said they were about one topic actually pointed somewhere entirely different.
- 4. Apple pulls AI news summaries after blatantly false headlines
In December, BBC News accused Apple's AI of sending a false push notification attributed to the news outlet reporting that Luigi Mangione, arrested for the murder of UnitedHealthcare chief executive Brian Thompson, had died by suicide. In January, the National Union of Journalists and journalism body Reporters Without Borders publicly urged Apple to remove the generative AI feature, the latter criticising "the inability of AI systems to systematically publish quality information, even when it is based on journalistic sources."
- 5. OpenAI’s ChatGPT crawler can be tricked into DDoSing sites, answering your queries
A single HTTP request to the ChatGPT API can be used to flood a targeted website with network requests from the ChatGPT crawler. Due to this amplification, the attacker can send a small number of requests to ChatGPT API, but the victim will receive a very large number of requests. The API is also vulnerable to prompt injection--the crawler answers queries.
- 6. Sage Copilot grounded briefly to fix AI misbehavior
Sage Copilot is an AI assistant for the UK-based business software maker's accounting tools. A customer found when they asked it to show a list of recent invoices, the AI pulled data from other customer accounts including their own.
- 7. The Powerful AI Tool That Cops (or Stalkers) Can Use to Geolocate Photos in Seconds
GeoSpy can predict with high accuracy the location of photos based on features inside the image itself—such as vegetation, architecture, and the distance between buildings—in seconds, with the company now marketing the tool to law enforcement officers and government agencies.