New Collide+Power Exploit Let Attacker Steal Sensitive Data


Collide+Power is an attack method that exploits the design of CPUs and the components they share. It does not target specific programs but the hardware itself.

This advanced software-based power side channel echoes the discovery of the Meltdown and Spectre vulnerabilities, which likewise leaked actual data values through the underlying hardware.

The root cause of this vulnerability is shared CPU components such as internal memory systems.

When attacker-controlled data and another application's data meet in these shared components, the combination produces a leakage signal in the CPU's power consumption.

There are two attack scenarios in the Collide+Power category.

The first attack breaks the isolation between CPU hyperthreads, and the second attack breaks the isolation between user programs and the operating system.

In addition, this attack technique can boost any power-related side channel signal like RAPL (PLATYPUS) or frequency throttling (Hertzbleed).

How Collide+Power Works

First, the attacker fills the targeted CPU component, such as the CPU cache, with attacker-controlled data. Then, the attacker forces the victim's data to overwrite the attacker-controlled data, which causes the attacker's data to collide with the victim's secret.

Since a CPU's power consumption depends on the data it processes, the attacker repeats this overwriting process over a large number of iterations and observes the resulting power signal. Finally, the attacker can recover the exact secret value of the victim.

Collide+Power has two variants:

Variant 1: The victim program constantly accesses important secret data, such as a decryption key used to encrypt or decrypt a large chunk of data. This attack variant requires hyperthreading to be enabled.

Variant 2: In this attack variant, the attacker uses a prefetch gadget in the operating system to bring arbitrary data into the shared CPU component, where it can be extracted using data collisions. This attack variant has a reduced leakage rate but does not require hyperthreading.

Several related CVEs have been assigned in the past, including CVE-2020-8694, CVE-2020-8695, CVE-2022-23823, and CVE-2022-24436. However, a new vulnerability was recently discovered in AMD CPUs, which has been reported and fixed.

CVE-2023-20583: Software-based Power Side Channel on AMD CPUs

An attacker can exploit this vulnerability in AMD processors by monitoring CPU power consumption while the data in a cache line changes over time, which can result in the leakage of sensitive data. The CVSS score for this vulnerability has yet to be confirmed.

AMD has released a security advisory for addressing this vulnerability.

A complete report has been published on this new discovery, providing detailed information on the threat vectors, mitigations, and more.


Samsung has delayed One UI 6.0 beta due to bugs


Samsung has delayed the release of One UI 6.0 beta, which was supposed to arrive today. A customer support executive told a Galaxy user that the beta program had been delayed due to bugs. They didn’t provide a new release date or tentative timeline.

One UI 6.0 brings Android 14 to Samsung smartphones and tablets. The Korean firm has been internally testing the big update for about a couple of months now. However, it has yet to launch a public beta. There have been rumors of the beta program going live for the Galaxy S23 series in the second half of July, but it didn’t.

Meanwhile, the company continued its internal tests, frequently updating test builds on its servers. We have come across multiple One UI 6.0 test builds for the Galaxy S23 series, Galaxy S22 series, Galaxy Z Fold 4, and Galaxy Z Flip 4 during this period. Samsung also updated some first-party apps with One UI 6.0 support. It even added a dedicated One UI 6.0 section to its community forum. However, the beta program was still missing.

Samsung support said the One UI 6.0 beta will begin on August 2

Last week, Samsung's customer support in Germany gave some hope when it told a user that the latest Galaxy flagships would get the One UI 6.0 beta on August 2. They added that the Galaxy A34 5G and Galaxy A54 5G mid-rangers would also get dedicated beta programs the following week. The customer support executive didn't say anything about the availability of the One UI 6.0 beta for other flagship models, including foldables.

Nonetheless, Galaxy users patiently waited until today for the big update, but it didn’t arrive. It turns out Samsung has delayed the beta program. Once again, the confirmation came from the company’s support staff. They told a Galaxy user that Samsung has withdrawn One UI 6.0 beta plans “for the time being” after discovering bugs. It will likely release the update once it fixes those issues.

Unfortunately, we have no word on when the beta program will kick off now. While it's nice to see that Samsung is trying to give users as smooth and stable an experience as possible, the delay is frustrating many. Last year, it launched the One UI 5.0 beta in Germany on August 5. It appears the schedule will be similar this year, provided the One UI 6.0 beta arrives within the next few days. We will let you know as soon as Samsung shares more information.

GE launches Cync Smart Hexagon Panels to brighten up your space


Smart lighting from GE is expanding with the company’s newly available Cync Smart Hexagon Panels. Announced during CES back in January, the Cync panels are now available for purchase and come in 7-pack and 10-pack versions. There’s also a 5-pack extension kit if you want to add a few more. The 7-pack retails for $169.99 at Best Buy and you can pick up the extension 5-pack for $99.99.

The 10-pack retails for $199.99 but only seems to be available at Amazon at the moment. Cync Smart Hexagon Panels provide dynamic RGB smart lighting that lets you customize your space. They're similar to Nanoleaf Shapes Hexagons, although they won't have some of the same features. There's no Razer Chroma support, for example, and they don't appear to have a screen mirroring feature. But they do offer users a varied set of controls, complete with light show effects and the ability to sync lights to music. All of this is handled in the Cync app and looks relatively easy to manage.

There are a number of preset light shows included too, and if you feel creative you can even make your own with a little effort.

Cync Smart Hexagon Panels support Google Assistant and Alexa

Managing your smart lights is generally not a hard task. Most if not all will have an on-device control for turning them on and off. Some also have buttons for switching between different lighting effects or scenes. Then there’s also the app and the potential for voice control.

The Cync Smart Hexagon Panels have most of these. While it isn’t clear if there are any on-device controls aside from a power switch, you can turn them on and off via the Cync app. They also have support for both Google Assistant and Amazon Alexa. So if you want to, you can just turn them on and off with your voice after linking the devices to the related app for whichever voice assistant you use.

For the price and features, GE’s new hexagon panels are a decent option if you want to brighten up your space.


This Android phone prioritizes the needs of visually impaired users


While functionality and intuitiveness have always been important characteristics in technology, accessibility seems to be becoming more of a priority in the development of devices, apps and accessories. Many of the latest digital tools have started to integrate accessible features to meet the needs of users with disabilities. One such Android phone — just recently released — aims to prioritize the needs of visually impaired users. 

US company RAZ Mobility announced the launch of the SmartVision 3, an Android phone developed to address the needs of blind or visually impaired consumers with an array of accessibility enhancements (via The Verge). 

This new Android phone was designed for users who are visually impaired

For starters, this includes a physical T9 keypad for typing. This gives visually impaired users a consistent, tactile experience compared to a virtual keyboard. The keypad has physical navigation keys that allow consumers to find their way through the operating system without needing to use a touchscreen. 

Another useful accessibility function is a dedicated hardware key to summon Google Assistant. The phone also comes equipped with a variety of tools for people with low vision, including a banknote recognizer, light detector, color detector, navigation app, and screen magnifier.

Beyond the accessibility features, RAZ Mobility’s phone comes with wireless charging. According to Android Authority, this might be the first time we’ve seen wireless charging on a phone with a T9 keypad. But it makes sense for the target market. It means that users can charge the phone without having to locate the charging port and cable.

Aside from wireless charging, the phone also includes micro SD expansion (up to 128GB) and a 3.5mm port. These are two features that we don’t normally see on modern Android phones. 

In terms of pricing, RAZ Mobility is selling the SmartVision 3 phone in the US for $539. There's also a $599 variant that comes with a wireless charging pad, phone cover, screen protector, lanyard, pedestrian GPS app, and book/document reader. Both options are available for purchase on the company's website.

Accessibility may be becoming more top of mind for many developers. However, there hasn’t been a phone like this one that is specifically designed for users who are visually impaired. Hopefully, this means we can expect more smartphones to be developed to address the needs of users with disabilities.

RAZ Mobility's SmartVision 3 phone
Source: RAZ Mobility


Meta offers EU users to opt out of personalized ads


Although Meta's data privacy practices have long been a matter of heated debate among many governments, the European Union has been one of the very few governing bodies that has actively imposed restrictions and filed lawsuits against the company. Now, in an effort to resolve these legal challenges, Meta has reportedly proposed an upfront opt-in choice for some of its personalized and targeted ads in the EU.

If the EU accepts Meta’s proposal, it would signify a significant shift in the company’s direction, as users would need to explicitly choose to allow Meta to track their activities and use their data for targeted ads within the social media services. And although the specific impact of this change remains unclear, it is important to note that the EU contributes 23% of the company’s revenue. Therefore, if a substantial number of users opt out of targeted ads, Meta could experience a decline in its main source of income.

Nonetheless, this proposal could be a big win for privacy advocates and users who have been rallying for greater control over the use of their personal data.

Meta’s history of data privacy issues

It’s no secret that Meta has struggled with compliance regarding the General Data Protection Regulation (GDPR), which is designed to protect consumers’ data privacy on the internet. However, Meta’s new proposal comes in response to the Ireland Data Protection Commission’s decision to impose a substantial fine of over $400 million on the company for mishandling user data on Instagram and Facebook and another staggering $1.3 billion fine from the European Data Protection Board for allegedly breaching privacy laws and transferring user data to the US.

Furthermore, Meta’s questionable privacy practices have also led Apple to introduce the “Ask App Not to Track” feature, limiting the amount of data Meta’s services can collect from third-party apps.


Researchers Uncovered a New Flaw in AI Chatbots to Evil


LLMs are commonly trained on vast amounts of internet text, which often contains offensive content. To mitigate this, developers use "alignment" methods based on fine-tuning to prevent recent LLMs from producing harmful or objectionable responses.

ChatGPT and its AI siblings were fine-tuned to avoid undesirable output such as hate speech, personal information, or bomb-making instructions.

However, security researchers from the following institutions recently showed how a simple addition to a prompt breaks the defenses of multiple popular chatbots:

  • Carnegie Mellon University (Andy Zou, J. Zico Kolter, Matt Fredrikson)
  • Center for AI Safety (Zifan Wang)
  • Bosch Center for AI (J. Zico Kolter)

New Flaw in AI Chatbots

LLMs that are aligned but not adversarially trained fall victim to a single universal adversarial prompt, which evades the safeguards of state-of-the-art commercial models, including:

  • ChatGPT
  • Claude
  • Bard
  • Llama-2 

The adversarial prompts, found with the "Greedy Coordinate Gradient" attack on smaller open-source LLMs, cause these models to produce objectionable outputs with high probability, demonstrating the potential for misuse.

Flow chain (Source – Arxiv)

The new adversarial attack induces aligned language models to generate objectionable content by adding an adversarial suffix to user queries.

The attack's success lies in the careful combination of three key elements that had been explored before in theory but are now reliably effective in practice.

These three key elements are:

  • Initial affirmative responses.
  • Combined greedy and gradient-based discrete optimization.
  • Robust multi-prompt and multi-model attacks.

Clever AI chatbots’ tendency to go off the rails is not a minor problem but a fundamental weakness, challenging advanced AI deployment.

Adding a specific suffix to a prompt causes the chatbots to generate harmful responses, bypassing their restrictions and leading to disallowed content.

The researchers alerted OpenAI, Google, and Anthropic to the exploit before publishing their findings. While the companies blocked the specific exploits, they still struggle to prevent adversarial attacks overall.

Negative ChatGPT Prompt (Source – Arxiv)

Kolter has since discovered strings affecting ChatGPT and Bard, and claims to possess thousands of such strings.

Anthropic is actively researching stronger defenses against prompt injection and other adversarial measures. The company aims to make its base models safer and to explore additional layers of protection.

OpenAI's ChatGPT and similar models rely entirely on vast amounts of language data to predict the characters they emit.

Language models excel in generating intelligent output but are prone to discrimination and fabricating information. 

Adversarial attacks exploit data patterns, causing aberrant behaviors, like misidentification in image classifiers or responding to inaudible messages in speech recognition. The attack highlights the inevitability of AI misuse. 

AI safety experts should focus on safeguarding vulnerable systems like social networks from AI-generative disinformation rather than solely trying to “align” models.


NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook and Browser Data


IN SUMMARY

  1. Palo Alto Networks’ Unit 42 identified and reported NodeStealer 2.0.
  2. The Python-based malware steals crypto, Facebook and browser data.
  3. It spreads through phishing, masquerading as advertising opportunities.
  4. NodeStealer 2.0 campaign originated in Vietnam.

Phishing scams targeting Facebook business accounts to conduct advertising fraud or account takeovers are on the rise, which is a concerning trend. Recently, Hackread published Malwarebytes researcher Jerome Segura's research on fake Meta ad managers and Chrome extensions that allow attackers to lure business account holders into making ad investments to increase sales revenues.

Now Palo Alto Networks' Unit 42 researchers have shared details of a new phishing attack distributing a brand-new version of the NodeStealer information stealer. This new version is dubbed NodeStealer 2.0, and it also targets Facebook business accounts. Researchers believe this trend of targeting Facebook business accounts started in July 2022 with the emergence of the Ducktail infostealer.

NodeStealer malware was detected and taken down by Meta in May 2023. It could steal browser cookies to hijack Facebook business accounts, perform ad fraud, steal account credentials, download additional payloads, and more.

In this campaign, the attack chain starts with a phishing lure, for instance, offering tools like spreadsheet templates for businesses. Previously, we have seen ChatGPT-inspired scams offering malicious extensions to business account users. 

NodeStealer 2.0 is similar to its predecessor, using phishing tactics to lure users and distributing malware-infected executable files in the guise of advertising opportunities. Victims are lured into downloading a .ZIP file hosted on reputable cloud file storage providers, which gains their trust, and end up with infected devices.

Screenshot of a Facebook phishing scam tricking users into downloading .ZIP file (Screenshot: Palo Alto Networks’ Unit 42)

According to Unit 42’s report, NodeStealer 2.0 has additional features such as downloader and cryptocurrency stealing capabilities and a complete takeover of Facebook business accounts. The first attack in which NodeStealer 2.0 was used was discovered in December 2022, mainly targeting Facebook pages.

It is worth noting that both versions (named by Unit 42 as Variant 1 and Variant 2) are written in Python. NodeStealer 2.0 poses as Microsoft Corporation, can steal emails and Facebook accounts, and even boasts anti-analysis features.

The second variant of the infostealer in the campaign was internally named MicrosofOffice.exe and was compiled with Nuitka, the same as the first variant. Unlike the first variant, it does not generate a lot of activity visible to the unsuspecting user. For this variant, the threat actor used the product name “Microsoft Coporation” (originally misspelled by the malware authors).

Lior Rochberger – Palo Alto Networks’ Unit 42

The NodeStealer 2.0 campaign originated in Vietnam and, according to the researchers, is no longer active. The Vietnamese link was identified because previous campaigns involving Ducktail and NodeStealer were launched by threat actors based in Vietnam.

Malware seen stealing passwords from a targeted browser (Screenshot: Palo Alto Networks' Unit 42)

However, it could be part of a larger campaign where attackers are using different methods to target Facebook business account holders for monetary gains. NodeStealer 2.0 seems a continuation of the same agenda, which can cause huge financial losses for organizations, and users get exposed to additional threats due to credential leaks, apart from reputational damage.

Unit 42's report includes the indicators of compromise. This is becoming a raging threat; therefore, organizations and Facebook business account holders must remain cautious when downloading executables. Using strong passwords with MFA and training employees to detect phishing lures can prove crucial in safeguarding your privacy and data on social media.


Samsung released new One UI 5.1.1 beta update with bug fixes


Samsung is rolling out another One UI 5.1.1 beta update to the Galaxy Z Fold 4 and Galaxy Tab S8 series. It’s the third beta release since the company opened the beta program in early July. The stable update should arrive this month.

The latest One UI 5.1.1 beta build carries firmware version ZWGB for the Galaxy Z Fold 4 and ZWGA for the Galaxy Tab S8 series. The changelog for the foldable mentions improvements for lens distortion issues in photos captured with the ultrawide camera. Samsung has also fixed a camera blackout problem and improved the loading speed of the watch camera controller. It has fixed problems with Clash Royale as well.

The changelog for the Galaxy Tab S8 series is a little smaller. Samsung is pushing wallpaper and camera-related improvements along with some minor bug fixes. If you’ve enrolled your device in Samsung’s One UI 5.1.1 beta program, which is only available in South Korea, you can expect to receive the latest beta update soon. You can check for updates from the Settings app.

The latest Samsung foldables and tablets arrive with One UI 5.1.1

One UI 5.1.1 is the latest version of Samsung’s custom Android software. Based on Android 13, it’s a relatively minor update over the previous version (One UI 5.1). It brings a handful of new features, most of which are foldable and tablet-specific.

For starters, it makes switching between the pop-up screen and split screen easier and preserves the screen mode in the Recents menu. The new One UI version also lets you check minimized apps using S Pen gestures and allows you to keep more recent apps on the taskbar for quick access. The Flex Mode Panel gives you room for more apps as well. Last but not least, One UI 5.1.1 makes media controls easier.

As said earlier, Samsung has been running a One UI 5.1.1 beta program for the Galaxy Z Fold 4 and Galaxy Tab S8 series since early July. The stable update is expected to arrive later this month. However, they won’t be the first to the new One UI version. The newly launched Galaxy Z Fold 5 and Galaxy Z Flip 5 foldables, as well as the Galaxy Tab S9 series tablets, already run One UI 5.1.1 out of the box.

Nonetheless, Samsung will push the One UI 5.1.1 update to all eligible older models in the coming weeks. Along with the Galaxy Z Fold 4 and Galaxy Tab S8 series, the new One UI version should also make it into the Galaxy S23 series and older foldable models. We will let you know once the rollout begins.


Nokia 150 & Nokia 130 official with long battery life, IP rating


Nokia has quietly launched a couple of feature phones. The Finnish brand recently refreshed its lineup of inexpensive basic phones with the Nokia 150 and Nokia 130. Both of these are modernized versions of existing handsets with the same name.

The Nokia 150 first debuted in 2016. The company released another Nokia 150 in 2020. The 2023 model now brings a modern design with all the basic specs you’d expect from a feature phone. It sports a 2.4-inch QVGA display and an old-school keypad. The Nokia branding is prominent under the display while the top earpiece is huge too.

On the back, we have a speaker, a 0.3MP VGA camera, and an LED flash unit. A second Nokia branding can also be seen on the back plate, which is removable. Under it, we have a 1450mAh removable battery with a rated standby time of 30 days and a talk time of 20 hours. Nokia has included a micro-USB port for charging the battery.

Other highlights of the Nokia 150 (2023) include microSD card support up to 32GB, a 3.5mm headphone jack, an MP3 player, a voice recorder, FM radio (wired and wireless modes), and single mini-SIM support with GSM (2G) network connectivity. The device has a polycarbonate body with a nano texture and boasts an IP52 rating for dust and water resistance. The whole package weighs 106.3 grams and measures 130.95 x 50.6 x 15.15 mm.

The Nokia 130, which is also the third model with the same name (the previous two came in 2014 and 2017), shares most of its specs with the Nokia 150. The only notable difference is the lack of a camera. Despite that, Nokia has included an LED flash here to serve as a torch. It has a simpler design and is a little thinner (14mm) too. This model also retains the IP52 rating for dust and water resistance. The company also tells us that the Nokia 130 has 4MB of internal storage and 4MB of RAM.

Nokia 150 and Nokia 130 prices are not known yet

Nokia has already listed the Nokia 150 and Nokia 130 on its official website. However, the company hasn't revealed the prices of the new feature phones, nor has it shared availability details. The official listings reveal that the former model will be available in Black, Cyan, and Red color variants, while the latter gets Dark Blue, Light Gold, and Purple shades. It's unclear when Nokia will start selling the duo. If you're looking to grab one of them, they should be available at an affordable price (probably around $50).