Blog entry by Les Bell

Les Bell
Security News: 2023-06-01
by Les Bell - Thursday, 1 June 2023, 9:51 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

CISA Vulnerability Summary for the Week of 22 May 2023

The US Cybersecurity & Infrastructure Security Agency has released a vulnerability summary listing vulns which were added to NIST's National Vulnerability Database (NVD) during the week commencing 22 May 2023. Just skimming the bulletin provides a sobering reminder of the struggle we face in securing our systems: the list of "High" severity vulns (those with a CVSS base score of 7.0 to 10.0) contains 115 entries in a huge array of software - everything from low-level drivers to applications for managing restaurant reservations and old age homes (including three applications I use myself!).

Uncredited, Vulnerability Summary for the Week of May 22, 2023, bulletin, 30 May 2023. Available online at https://www.cisa.gov/news-events/bulletins/sb23-150.

Latest Kali Linux Arrives

It's surprising to realise that everybody's favourite pen-testing platform, Kali Linux, has now been with us for ten years. Kali provides a broad range of pen-testing tools in a single package which can be downloaded either as an installer image for a dedicated hardware platform, or as a virtual machine image which, although it does not provide full access to the underlying hardware, makes an excellent platform for experimentation and education.

The 2023.2 release of Kali offers a number of updates:

  • New VM image for Microsoft Hyper-V - With “Enhanced Session Mode” (xRDP over HvSocket) out of the box
  • Xfce audio stack update: PulseAudio replaced by PipeWire - Better audio for Kali’s default desktop
  • i3 desktop overhaul - i3-gaps merged with i3 tiling window manager
  • Desktop updates - Easy file hash calculation in Xfce File Manager
  • GNOME 44 - Gnome Shell version bump
  • Icons & menus updates - New apps and icons in menu

These are all nice, but most users will be more interested in the new tools added to the network repositories for this release:

  • Cilium-cli - Install, manage & troubleshoot Kubernetes clusters
  • Cosign - Container Signing
  • Eksctl - Official CLI for Amazon EKS
  • Evilginx - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
  • GoPhish - Open-Source Phishing Toolkit
  • Humble - A fast security-oriented HTTP headers analyzer
  • Slim(toolkit) - Don’t change anything in your container image and minify it
  • Syft - Generating a Software Bill of Materials from container images and filesystems
  • Terraform - Safely and predictably create, change, and improve infrastructure
  • Tetragon - eBPF-based Security Observability and Runtime Enforcement
  • TheHive - A Scalable, Open Source and Free Security Incident Response Platform
  • Trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
  • Wsgidav - Generic and extendable WebDAV server based on WSGI

You can download Kali Linux release 2023.2 at https://www.kali.org/get-kali/.

Uncredited, Kali Linux 2023.2 Release (Hyper-V & PipeWire), blog post, 30 May 2023. Available at https://www.kali.org/blog/kali-linux-2023-2-release/.

Amazon Fined Over $US30 Million For Privacy Breaches

Amazon has been fined a total of over $US 30 million by the US Federal Trade Commission for two separate privacy violations.

In the first, Amazon settled for $US5.8 million over spying on female customers by a former employee, using Ring cameras placed in bedrooms and bathrooms. The company also agreed to pay $US25 million to settle alegations it violated the privacy rights of children when it failed to delete Alexa recordings at the request of parents, keeping them for longer than necessary. Amazon disagrees with the FTC's claims, but settled regardless.

The FTC is also probing Amazon's $US1.7 billion acquisition of iRobot Corp., which would give the online retail giant even more visibility into its customers' homes.

Bartz, Diane, Amazon's Ring used to spy on customers, FTC says in privacy settlement, Reuters, 31 May 2023. Available online at https://www.reuters.com/legal/us-ftc-sues-amazoncoms-ring-2023-05-31/.

Lawyers Beware: ChatGPT Hallucinates About Cases

A New York lawer and his colleagues are learning the hard way about the dangers of trusting your work to artificial intelligence, being ordered to show cause why they should not be sanctioned in the US District Court for the Southern District of New York for citing non-existent cases.

Steven Schwartz of the firm Levidow, Levidow, & Oberman had been acting for a plaintiff in a case filed against airline Avianca in a New York state court. When Avianca got the case moved to the federal court, Schwartz had a problem - he was not admitted to practice in that court - so his firm decided to have his colleague, Peter LoDuca, file the documents while Schwartz did the legwork behind the scenes.

Only, Schwarz didn't do the work himself, using ChatGPT to "supplement" his research. Unfortunately, the document he filed in opposition to a motion to dismiss was "replete with citations to non-existent cases", according to Federal Judge Kevin Castel, who apparently does do his own homework. "Six of the submitted cases appear to be bogus judicial decisions with bogus quotes and bogus internal citations."

Not only do the filings contain names of fictitious cases but also excerpts from the fictional decisions, citing precedents that do not exist. Schwartz counters, with a ChatGPT conversation transcript as evidence,  that he asked the AI chatbot whether a case was real and was assured that it is, and "can be found on legal research databases such as Westlaw and LexisNexis", as could the other cases.

Schwartz and LoDuca will appear before the judge on 8 June to show cause why they and their firm should not be sanctioned. The obvious moral of the story is . . . obvious.

Brodkin, Jon, Lawyer cited 6 fake cases made up by ChatGPT; judge calls it “unprecedented”, Ars Technica, 31 May 2023. Available online at https://arstechnica.com/tech-policy/2023/05/lawyer-cited-6-fake-cases-made-up-by-chatgpt-judge-calls-it-unprecedented/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink