Your LG TV could be the biggest security vulnerability in your home or your office, new research from Bitdefender has found.
The LG WebOS TV operating system’s versions 4 through 7 are seemingly riddled with security vulnerabilities that allow hackers to add themselves as a user, take over the device and exploit command injection vulnerabilities to their hearts delight.
Over 91,000 devices are exposed via their internet connection, despite the vulnerable service’s intended use being LAN access only.
Triple escalation of vulnerabilities
The first vulnerability, tracked as CVE-2023-6317, allows the hacker to skirt around the TV’s authorization mechanisms and by changing a single variable, add themselves as a user on the TV. Next, by abusing the vulnerability tracked as CVE-2023-6318, the hacker can give themselves total access to the device paving the way for command injection.
By abusing two more vulnerabilities, tracked as CVE-2023-6319 and CVE-2023-6320, the hacker can either manipulate a music lyrics library to allow OS command injection, or the attacker can manipulate a specific API endpoint to inject authenticated commands.
A patch was released to address these vulnerabilities on March 22, being made available for the above models from April 10, so it is worth checking the OS system version of vulnerable LG TV devices to ensure the patch has been installed.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
If someone were to infect your Meta Quest VR headset with malware, they could trick you into seeing things in the virtual world which weren’t real, experts have warned.
Academics from Cornell University recently published a paper describing the possibility of hijacking people’s VR sessions and controlling their interactions with internal applications, external servers, and more.
As per the paper, hackers could, in theory, insert what they call an “Inception Layer” between the VR Home Screen and the VR User/Server. For example, the victim could open their banking app in virtual reality, and see their usual balance, while being completely bankrupt in reality. The hackers could also, potentially, trick the victim into initiating a wire transfer, while being completely oblivious to what’s actually going on.
VR phishing
Things can get even more crazy when you throw in generative AI, deepfakes, and other upcoming technology. People could end up thinking they were talking with their friends, coworkers, and bosses, in VR, while being taken for all they have, in the background.
While the threats sound ominous, it’s important to note that the researchers didn’t really explore the possibility of compromising these VR headsets. Whether or not they have a vulnerability that could be exploited this way is unknown at the time. What’s more, there is no proof-of-concept, no malware that could be able to pull such an attack off.
Instead, the researchers were just interested in whether or not people would notice anything was amiss if such an infection did occur.
In total, 27 people were tested to see if they would notice anything strange during their session of Beat Saber. The only visual clue was a little flickering on the home screen before playing the game. In total, 10 people noticed the change, nine of which attributed it to an innocuous system glitch.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
In other words, prepare to read about elaborate phishing scams in the metaverse.
It’s every researcher’s worst nightmare. A careless click on an e-mail and years of laboratory data are instantaneously encrypted by hackers. Or a piece of legacy lab equipment is compromised through its ancient, zero-security connection to the Internet. The machine might have been a godsend for running experiments from home during the COVID-19 pandemic, but now it’s an open door to those who wish to exploit your institutional intranet. In this viral infection, you, embarrassingly, are patient zero.
The list of hacked academic institutions, research centres and infrastructure makes alarming reading. It includes the School of Medicine at the University of California, San Francisco (UCSF); the Fred Hutchinson Cancer Center in Seattle, Washington; the Berlin Museum of Natural History; the Atacama Large Millimeter/submillimeter Array (ALMA) telescope in Chile; the Japan Aerospace Exploration Agency in Tokyo; the University of Wollongong in Australia; and the British Library in London.
Cyberattacks on knowledge institutions are increasing: what can be done?
But that list hardly scratches the surface — and certainly doesn’t reflect the many incursions that have been attempted. Research institutions are essentially under siege. “At the University of São Paulo, there are daily attempts to breach security protocols,” says Ildeberto Aparecido Rodello, director of the Information Technology Center at the university’s Ribeirão Preto campus in Brazil. The same goes for CERN, Europe’s particle-physics lab near Geneva, Switzerland. “We’ve been lucky in the past couple of years that we haven’t had any breaches which are worth calling a breach,” says Stefan Lueders, CERN’s head of computer security. “There are attackers outside who are constantly probing the organization for weaknesses.”
It can be hard to appreciate the scale of these operations, says James Fleming, chief information officer at the Francis Crick Institute in London. “The kind of actors who perform cyberattacks at scale are hugely efficient: they automate the vast majority of their processes,” he says. “The data our firewall collects shows that bots are trying different passwords to log onto accounts and different systems, or trying to find the vulnerabilities, tens of thousands of times a week.”
The problem is, universities and other research institutions can be soft targets. They thrive on data-sharing and openness and have a vast and highly mobile workforce, most of whom are less focused on cybersecurity than on the ability to access their systems from wherever they happen to be. “We’re here to share research and we’re open by design, which makes us weak to cybercrime,” says Sarah Lawson, chief information security officer at University College London. “Education has been heavily targeted over the last few years, and the statistics tell us that that’s on the rise.”
What’s more, she adds, universities haven’t conventionally invested in cyber defence, putting them on the back foot in what she likens to “a game of whack-a-mole”: eventually, you are going to lose. “It’s not if,” she says, “it’s when.”
Devastating consequences
When that happens, the consequences can be catastrophic. In a ransomware attack, for instance, precious files could be stolen or encrypted so that they cannot be accessed, unless the file owner pays the attacker. “You really have very few options,” Fleming says. “You can either just wipe everything and take the hit, or you can end up with a financial penalty.” UCSF took the second option after a 2020 breach of their systems, choosing to pay a ransom of US$1.14 million.
But if everything is backed up and no sensitive data have been compromised, the first option might not be too bad, Fleming says. “You hard-wipe all the machines and reformat all the hard drives, and then you do a rebuild. You maybe lose a week of productive time.”
That does depend on the scale of the attack and the preparedness of your institution, however. The British Library is now performing a “full technical rebuild and recovery” on its digital infrastructure after an October 2023 cyberattack, which occurred as the library was updating its core technology infrastructure. “The work will now be accelerated,” a spokesperson told Nature. It’s too early to say how long that will take or what it will cost, they add, but The Financial Times has estimated a price tag of around £7 million (US$9 million).
The British Library in London has had to rebuild its digital infrastructure after a cyberattack in October 2023.Credit: Old Town Tourist/Alamy
Recovering from the attack on the ALMA observatory, which happened in October 2022, took “a bit less than seven weeks”, according to Jorge Ibsen, head of ALMA’s computing department. But the financial hit can only be guessed at, he says. “The best estimate would be 13% of the annual operational cost, which is the fraction of days within a year we could not deliver to our mission.” As for details of what the recovery entailed, and the measures taken since, Ibsen is keen to keep them under wraps. “Given the nature of this threat, we cannot further discuss details about our specific cybersecurity strategy,” he says.
Institutional cyberattacks don’t always end with a ransom payment or rebuild of digital infrastructure. For one thing, paying a ransom doesn’t necessarily preclude bad actors from weaponizing or releasing data. And there could be legal repercussions. For instance, some people who were affected by the attack at the Fred Hutchinson Cancer Center, in November 2023, have filed class-action lawsuits against the centre.
Unplug and shut down
What about the individuals who are compromised? When it happens to you, what should you do? Unanimously, these heads of cybersecurity plead that you communicate with them — after turning off and disconnecting whatever device has been hacked. “Pull out the plugs and shut it down. Close it and then seek advice,” Lawson says.
11 ways to avert a data-storage disaster
That said, prevention is always better than cure, and a properly prepared human can be a powerful firewall. “Update your software regularly; implement firewall and antivirus solutions; control access and permissions to your systems; encrypt sensitive data,” Rodello says. He even suggests engaging cybersecurity specialists to conduct regular audits and provide guidance on improving your lab’s digital safety.
After all, most academics are not trained IT professionals, and DIY solutions can be dangerous. Lawson says she can’t help but admire cybercriminals’ ability to manipulate their targets. “They’re the best psychologists in the world,” she says. “They will use every technique in the book to find the way into your money. And they’re really good at it.”
It might seem obvious, but another tip is to back up data somewhere secure — and, if possible, somewhere off-site. And don’t overlook the software you wrote yourself. “Ideally, people use proper software libraries and they run tests to make sure of its security,” Lawson says. “But we do have problems with people who don’t think about that.” Great researchers, she appreciates, are rarely focused on the fact that many criminals are out to ruin their lives.
Evolving threats
Those working in the health-care sector are at especially high risk. “The health-care system currently is one of the number-one targets for hacking because of the financial benefit that people can gain from getting a health record,” says Anthony Cartwright, an anaesthesiologist at the Cleveland Clinic in Abu Dhabi, United Arab Emirates, who has written about the cybersecurity risks in health care (A. J. Cartwright J. Clin. Monit. Comput. 37, 1123–1132; 2023).
Some vulnerabilities arose during the COVID-19 pandemic, Cartwright says, when many hospital staff began working from home. In many cases, those systems have not been updated. “They’re now accessing hospital network systems on an unsecured personal network. Often, that computer in the house will be shared between the mum, dad, brother or sister.” In other words, anything could get on there.
Such systems need to be updated, of course. But don’t overlook common-sense precautions, such as keeping passwords private. Cartwright was struck by a television segment filmed in a hospital during the pandemic. “As the camera panned around to one of the nurses at the control desk, there was a piece of paper giving the password — and you could read it on screen,” he says. “The Wi-Fi password was right there, on TV.”
NatureTech hub
That said, thanks to government initiatives such as the 1996 US Health Insurance Portability and Accountability Act (HIPAA), health-care workers are often more security-savvy than are academic researchers, reckons Anton Dahbura, executive director of Johns Hopkins University’s Information Security Institute in Baltimore, Maryland. “It’s much more top of mind and it’s been instilled in the culture.”
At the same time, however, bad actors are getting more sophisticated. Although some hacks are for sport or to advance a political agenda — hacktivists targeting scientists working on controversial research, for instance — cybersecurity professionals are increasingly concerned about state-level actors whose aim is to destabilize critical infrastructure or steal intellectual property. “Universities hold a lot of important, proprietary and sensitive information,” Dahbura says. Scientific research institutes such as genomics labs “hold information that adversaries, in particular nation states, would love to have”, he points out. “It’s no different than hacking into a research and development lab of a pharmaceutical company, except that it’s probably easier at a university.”
Whatever the motivation, no one wants to be the one who let an attacker in. Lueder offers a simple mantra: “Stop, think, don’t click!” This is how you prevent the majority of hacking attempts, he says. “The Internet has made us all so curious that we click on things without knowing what they are. The brain can be really stupid.”
Someone broke into almost a dozen IMF email accounts, but it’s yet unknown what they did with the information found there.
The International Monetary Fund (IMF), a UN financial agency funded by 190 member countries, confirmed the breach in a press release published late last week, as well as in a short statement given to BleepingComputer.
According to the press release, the IMF detected the breach in mid-February this year, after which it brought in independent cybersecurity experts to launch an in-depth investigation and determine the nature of the breach. The investigation determined that 11 IMF email accounts were compromised.
Connections to Microsoft
“We have no indication of further compromise beyond these email accounts at this point in time,” the IMF said in the announcement. “The investigation into this incident is continuing.”
Following the discovery, the IMF took certain “remediation actions”, but did not elaborate what that exactly means. It said that the impacted accounts were re-secured.
“The IMF takes prevention of, and defense against, cyber incidents very seriously and, like all organizations, operates under the assumption that cyber incidents will unfortunately occur. The IMF has a robust cybersecurity program in place to respond quickly and effectively to such incidents,” it concluded in the press release.
In a short statement given to BleepingComputer, the IMF confirmed using Microsoft 365, but stressed that the incident “does not appear to be part of Microsoft targeting.”
Earlier this year, Microsoft announced it was being targeted by a Russian state-sponsored threat actor known as Midnight Blizzard. This group dwelled on Microsoft’s systems for a month, and stole roughly two dozen corporate emails.
A few days after the news broke, Hewlett Packard Enterprise (HPE) reported of Russian hackers also breaching some of its Microsoft Office 365 email accounts and stealing sensitive data found there.
Researchers have found a way to pull out over a million pieces of information from the memory of GPTs such as ChatGPT. Using fairly simple prompts they have demonstrated that it’s not too hard to get this data from AI systems such as ChatGPT and other similar large language models.
This news is concerning for users as it means that people with bad intentions could do the same thing to get to private information. Watch the demonstration video below to learn how the researchers carried out the attacks on the AI models forcing it to reveal training data which included personal details. If an AI system leaks data, it could accidentally share personal things that were used to teach it. This makes us wonder if the companies that make these AI systems are doing enough to keep our information safe and respect our privacy.
Copyright Issues with AI
The risks extend beyond individual privacy concerns. The extracted data may encompass copyrighted materials, potentially triggering significant legal challenges for AI developers. In instances where AI systems are found to be utilizing and disseminating such copyrighted content, the entities responsible for these systems might face legal repercussions, including litigation.
ChatGPT hacked
Here are some other articles you may find of interest on the subject of ChatGPT :
AI Alignment Isn’t Perfect
AI alignment is all about making AI systems that are safe and good for us. But the research shows that these methods aren’t stopping AI systems from remembering and possibly leaking sensitive information. This is a big problem. It means that the safety measures we have now aren’t strong enough to keep our information private.
The AI Data Retention Dilemma
AI systems can remember and maybe share the data they were trained on. This is a tricky situation. On one side, remembering lots of data can make an AI system better at its job. But on the other side, it could lead to private information getting out. We need to find a careful balance between making AI systems that work well and keeping data safe.
The researchers who found out about this problem told OpenAI, the company behind ChatGPT, before they told everyone else. This kind of honesty is really important. It helps make sure that everyone can work together to fix the security problems with AI. However it is still possible to use similar prompts to obtain training data from ChatGPT.
The Need for AI Security and Transparency
The bigger picture here is about keeping AI systems secure and making sure companies are open about how they use and protect our data. As someone who uses these systems, you should know how your information is being handled. AI companies need to be clear about their security steps and the risks that come with their AI systems.
The possibility of AI systems giving away the data they were trained on is a real concern. It could affect your privacy and the rights of people who create content. AI companies need to take this seriously and make their AI systems safer to prevent any leaks of information. As a user, it’s important to stay informed about how your data is protected and how open the companies you depend on are. AI has a lot of potential, but its success depends on trust and strong security.
Filed Under: Technology News, Top News
Latest timeswonderful Deals
Disclosure: Some of our articles include affiliate links. If you buy something through one of these links, timeswonderful may earn an affiliate commission. Learn about our Disclosure Policy.