AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 11/02/2022

Laser attack blinds autonomous vehicles, deleting pedestrians and confusing cars

Self-driving cars, like the human drivers that preceded them, need to see what’s around them to avoid obstacles and drive safely. The most sophisticated autonomous vehicles typically use lidar, a spinning radar-type device that acts as the eyes of the car. Lidar provides constant information about the distance to objects so the car can decide what actions are safe to take. But these eyes, it turns out, can be tricked. New research reveals that expertly timed lasers shined at an approaching lidar system can create a blind spot in front of the vehicle large enough to completely hide moving pedestrians and other obstacles.

OpenSSL fixes two high severity vulnerabilities, what you need to know

The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections. The vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7. CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE), while CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial of service state via a buffer overflow.

Dropbox Breach: Hackers Unauthorizedly Accessed 130 GitHub Source Code Repositories

File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub. “These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company revealed in an advisory. The breach resulted in the access of some API keys used by Dropbox developers as well as “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion

A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on charges that he acted as a core developer for Raccoon, a popular “malware-as-a-service” offering that helped paying customers steal passwords and financial data from millions of cybercrime victims. KrebsOnSecurity has learned that the defendant was busted in March 2022, after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion.

Twitter Verified Status Users Flooded with Scams

Twitter users with “verified” status have been bombarded by phishing attempts via email and on the platform itself, after Elon Musk’s arrival as owner, according to reports. The self-proclaimed “chief twit,” who sacked the board of the social networking firm to become sole director, wants to charge “blue tick” verified users $8 each per month to retain their status and be enrolled in the site’s premium service, Blue. It’s widely seen as a potential way to make money from the perpetually under-performing platform, while reducing the number of bots and inauthentic accounts. However, the publicity surrounding the move has already attracted cyber-criminals. Some verified users posted screenshots of a phishing email they received from a twittercontactcenter@gmail domain, asking them to click through to confirm their identity, or risk losing their status. Doing so would take them to a phishing page where they’re asked to submit various account details, which could be subsequently used to hijack those accounts.