AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 04/12/2023

Did someone really hack into the Oldsmar, Florida, water treatment plant? New details suggest maybe not. 

It was the kind of doomsday scenario cybersecurity experts had been warning about for years: hackers infiltrate a small water utility and try to poison the local population. And that’s exactly what appeared to happen in February 2021 in Oldsmar, Florida. News of hackers remotely tampering with levels of lye at the local water treatment facility alarmed officials, shocked the public and has been served as a siren call for the need to safeguard the most sensitive U.S. networks from malicious hackers attempting cause serious physical harm and even death. In the years since Oldsmar authorities first announced the incident, officials in Washington also have regularly pointed to the case as exhibit No. 1 for more cyber investments — and regulations — for U.S. critical infrastructure. 


Prohibition of AI that ‘subverts state power’ in China may chill its nascent industry 

Chinese regulators have proposed restrictive rules around AI models like ChatGPT being built in the country, requiring user identification, security reviews, and prohibiting “any content that subverts state power, advocates the overthrow of the socialist system, incites splitting the country or undermines national unity.” The rules come hot on the heels of Chinese tech companies rolling out their versions of general purpose large language models, versatile AI systems that can converse in natural language and carry out a surprising number of tasks. While the reception of Sensetime, Baidu, and Alibaba’s models over the last month suggests they’re somewhat behind the likes of GPT-4, it’s clear the industry there is equally dedicated to developing these capabilities. 


Researchers Uncover 7000 Malicious Open Source Packages 

Security vendor Sonatype detected 6933 malicious open source packages in the month of March alone, bringing the total discovered since 2019 to 115,165. Info-stealers comprised a significant number of these malicious components, including copycats of the popular W4SP stealer, such as one called “microsoft-helper” from an author self-described as “idklmao.” “The name of the package, microsoft-helper, might be the bad actors’ attempt to disguise its malicious nature, maybe with the goal of potentially adding it as a dependency of a popular package they’ve already owned,” Sonatype explained. “However, the author’s name, composed by abbreviations, didn’t even try to pretend it was from a legit author.” 


How the cops buy a “God view” of your location data, with Bennett Cyphers: Lock and Code S04E09 

The list of people and organizations that are hungry for your location data—collected so routinely and packaged so conveniently that it can easily reveal where you live, where you work, where you shop, pray, eat, and relax—includes many of the usual suspects. Advertisers, obviously, want to send targeted ads to you and they believe those ads have a better success rate if they’re sent to, say, someone who spends their time at a fast-food drive-through on the way home from the office, as opposed to someone who doesn’t, or someone whose visited a high-end department store, or someone who, say, vacations regularly at expensive resorts. Hedge funds, interestingly, are also big buyers of location data, constantly seeking a competitive edge in their investments, which might mean understanding whether a fast food chain’s newest locations are getting more foot traffic, or whether a new commercial real estate development is walkable from nearby homes.  


OpenAI offers bug bounty for ChatGPT — but no rewards for jailbreaking its chatbot 

OpenAI has launched a bug bounty, encouraging members of the public to find and disclose vulnerabilities in its AI services including ChatGPT. Rewards range from $200 for “low-severity findings” to $20,000 for “exceptional discoveries,” and reports are submittable via crowdsourcing cybersecurity platform BugcrowdNotably, the bounty excludes rewards for jailbreaking ChatGPT or causing it to generate malicious code or text. “Issues related to the content of model prompts and responses are strictly out of scope, and will not be rewarded,” says OpenAI’s Bugcrowd page. 


Related Posts