
New York Times Source Code Leaked Online


 

In January 2024, an exposed GitHub token led to a significant breach of The New York Times' repositories. The incident was initially identified and addressed swiftly by the company, but details have only recently emerged. The breach came to light after the stolen data was posted on the 4chan message board. An anonymous user shared a torrent link to a 273GB archive containing the pilfered data, marking one of the most substantial leaks in recent memory.

The leaked data includes around 5,000 repositories, comprising 3.6 million files. A notable portion of this data contains IT documentation, infrastructure tools, and a variety of source code. Among the stolen information is the source code for the popular game Wordle, which The New York Times acquired in 2022. The leak was first noticed by VX-Underground, a group known for monitoring and documenting malware samples and cybersecurity incidents.

The threat actor responsible for the leak reportedly accessed the repositories using an exposed GitHub token. This token granted them unauthorised access to the company’s code, enabling them to download and leak a vast amount of data. The breach's details were confirmed by The New York Times, which clarified that the exposed credentials were for a cloud-based third-party code platform, specifically GitHub.

The New York Times assured that the breach did not affect its internal corporate systems or its operations. In an official statement, the company highlighted that continuous monitoring for anomalous activity is part of their security measures. They emphasised that there was no indication of unauthorised access to Times-owned systems, underscoring their proactive approach in identifying and mitigating the breach promptly.

This leak is the second major incident disclosed on 4chan within the same week. Earlier, a leak of 415MB of internal documents for Disney's Club Penguin game was reported. Sources indicate that this leak was part of a larger breach of Disney's Confluence server, resulting in the theft of 2.5 GB of internal corporate data. It remains unclear whether the same individual or group is responsible for both the New York Times and Disney breaches.

The breach of The New York Times' GitHub repositories underscores the importance of stringent digital security measures. As companies increasingly rely on cloud-based platforms for their operations, securing access credentials and continuously monitoring for unauthorised activity are crucial steps in safeguarding sensitive information.


GhostSec: Hacktivists Breach Iranian Surveillance Software


Hacking group GhostSec confirmed that it has taken down Fanap Behnama, Iran's privacy-invading software, and also published details of its surveillance capabilities.

GhostSec reportedly exposed 20GB of data, including source code for the face recognition and motion detection systems of the Iranian software company Fanap, whose software the Iranian government uses as a comprehensive surveillance system to monitor its citizens.

Following the confirmation, GhostSec announced its intention to make the data public and created a Telegram channel, 'Iran Exposed', to share further information about the breach. The group says it plans to release pieces of the Behnama code along with various components, including configuration files and API data, and that detailed explanations will follow once all the data has been uploaded.

"This is not about technology and software, it's about the privacy of the people, civil liberties and a balance of power[…]Also publishing the source code for the public presenting this Fanap's lovely AI face recognition and various other privacy invading features and tools. We're simply making the fight a bit more equal," says GhostSec.

The group claims to have found equipment for facial recognition-based video surveillance, utilized in the Pasargad Bank Car GPS and tracking system, as well as a car numberplate identification system—which may have an impact on hijab alerts—and a facial recognition system used for producing ID cards.

Additionally, it claims that the Single Sign-On (SSO) platform, which the regime uses for online user authentication, is connected to the Fanap system. According to cybersecurity firm Cyberint, "This integration compiles intricate aspects of citizens’ lives, not only to determine access privileges for services but also to construct a virtual profile for facial recognition.”

"The group maintains that this evaluation is rooted in the software code, substantiating indisputable evidence of the software’s capabilities and deployment," adds Cyberint. 

GhostSec initially claimed responsibility for taking down the fanap-infra.com website but later disclosed that a different website connected to the Fanap software company was only accessible within Iran. In addition, the company's primary GitHub repository was made private, probably in response to the GhostSec attack. "That mean[s], they are scared. That mean[s] it's time to hit harder," GhostSec said.

ChatGPT Sparking Security Concerns

 

Cyberhaven, a data security company, recently released a report in which it found and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million employees at its client companies due to the potential leakage of sensitive information to the LLM, including client data, source code, and regulated information.

The appeal of ChatGPT has skyrocketed. It became the fastest-growing consumer application ever released when it reached 100 million active users only two months after launch. Users are drawn to the tool's sophisticated capabilities, but they are also concerned about its potential to upend numerous industries. OpenAI, the firm that created ChatGPT, trained it on 300 billion words drawn from books, articles, blogs and posts on the Internet, as well as personally identifiable information that was illegally stolen.

Following Microsoft's $1 billion investment in OpenAI, the parent company of ChatGPT, in January, ChatGPT is expected to be rolled out across all Microsoft products, including Word, PowerPoint, and Outlook.

Employees are providing sensitive corporate data and privacy-protected information to large language models (LLMs), like ChatGPT, which raises concerns that the data may be incorporated into the models of artificial intelligence (AI) services, and that information may be retrieved at a later time if adequate data security isn't implemented for the service.

With the growing adoption of OpenAI's ChatGPT, its core AI model (the Generative Pre-trained Transformer, GPT-3) and other LLMs, businesses and security experts have started to worry that sensitive data ingested as training data could resurface when the model is prompted with the right queries. Some are acting: JPMorgan, for instance, restricted employees' access to ChatGPT, and Amazon, Microsoft, and Walmart cautioned staff to use generative AI services carefully.

Some AI-based services that are not GPT-based have also raised concerns about their risks. For example, Otter.ai, an automated transcription service, converts audio files into text while automatically identifying speakers, tagging important words and phrases, and highlighting key passages. Journalists have raised concerns about the company's storage of that information in its cloud.

Cyberhaven's Ting predicts that the adoption of generative AI apps will continue to grow and be used for a variety of tasks, including creating memos and presentations, identifying security incidents, and interacting with patients. His predictions are based on conversations with the clients of his company.

Because only a few individuals handle the majority of the dangerous requests, education could have a significant impact on whether data leaks from a particular organization. According to Ting of Cyberhaven, less than 1% of employees are accountable for 80% of the instances of providing critical data to ChatGPT.

OpenAI and other companies are also restricting LLMs' access to sensitive data and personal information: when ChatGPT is now asked for personal information or sensitive corporate data, it responds with canned refusals rather than cooperating.


Dropbox Security Breach: Unauthorized Access to 130 Source Code Repositories

 

File hosting service Dropbox revealed on Tuesday that it was the victim of a phishing campaign. The security breach allowed an unidentified threat actor to gain unauthorized access to one of its GitHub accounts, compromising 130 of its source code repositories.
 
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," Dropbox published in an advisory. 
 
Dropbox discovered the breach on October 14, after GitHub notified the company of suspicious activity that had begun a day before the alert was sent.
 
Further investigation disclosed that the source code accessed by the threat actors contained the development team's credentials, primarily API keys used by the team.
 
"The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)." the company added in the published advisory. 
 
The attack came more than a month after both GitHub and CircleCI reported phishing campaigns. The campaign was designed to harvest GitHub credentials via fraudulent notifications purporting to come from the CI/CD platform.
 
These fraudulent emails told users that their CircleCI session had expired, luring the victims into logging in with their GitHub credentials.
 
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," explains Dropbox. 
 
GitHub, in its own advisory, stated, "While GitHub itself was not affected, the campaign has impacted many victim organizations." Regarding the phishing attack, Dropbox confirmed that the attackers did not gain access to customers' accounts, passwords, or payment information, and that its core apps and infrastructure were not affected. "Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled," the company noted.
 
Dropbox added that, following the breach, it has been working to secure its environment with WebAuthn, using hardware tokens or biometric factors.
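The Dropbox advisory quoted above describes the crux of the attack: a one-time password is just six digits, so a code typed into a look-alike CircleCI page can be forwarded to the real site and accepted. WebAuthn closes that gap because the browser, not the page, writes the origin into clientDataJSON and the authenticator hashes the relying-party ID into authenticatorData, so the relying party can reject an assertion that was produced on any other domain. The following is an added example, not Dropbox's or GitHub's code, illustrating those two relying-party checks next to a minimal RFC 6238 TOTP verifier for contrast; the relying-party name `example.com`, the look-alike origin `login-example.invalid` and the TOTP seed are constructed, and signature verification over the assertion is deliberately left out to keep the origin-binding logic in focus.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Hypothetical relying party (RP) used throughout; both names are assumptions.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"

@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def new_challenge() -> str:
    """Fresh per-login challenge the RP stores in the user's session."""
    return b64url(secrets.token_bytes(32))

def build_client_data(origin: str, challenge: str) -> bytes:
    """What the *browser* assembles as clientDataJSON. The origin is filled in from
    the page that called navigator.credentials.get(); the page cannot override it,
    so a look-alike site can only ever report its own origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def build_authenticator_data(rp_id: str) -> bytes:
    """authenticatorData starts with SHA-256(rpId); a flags byte and counter follow."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")

def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: str) -> Verdict:
    """RP-side checks that run before the signature is examined. (Signature
    verification over authenticatorData || SHA-256(clientDataJSON) is omitted.)"""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return Verdict(False, "clientDataJSON is not JSON")
    if cd.get("type") != "webauthn.get":
        return Verdict(False, "wrong ceremony type")
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return Verdict(False, "challenge mismatch (replayed or foreign session)")
    if cd.get("origin") != RP_ORIGIN:
        return Verdict(False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return Verdict(False, "rpIdHash does not match this relying party")
    return Verdict(True, "bound to the expected origin, rpId and challenge")

# Contrast: a TOTP code (RFC 6238) carries no origin, so a code typed into a
# look-alike page and forwarded by the attacker verifies exactly like a real one.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_accepts(secret: bytes, code: str, unix_time: int) -> bool:
    """The server sees six digits and nothing about where the user typed them."""
    return hmac.compare_digest(code, totp(secret, unix_time))

if __name__ == "__main__":
    ch = new_challenge()
    genuine = verify_assertion(build_client_data(RP_ORIGIN, ch), build_authenticator_data(RP_ID), ch)
    lookalike = "https://login-example.invalid"   # constructed phishing origin
    phished = verify_assertion(build_client_data(lookalike, ch),
                               build_authenticator_data("login-example.invalid"), ch)
    print("genuine:", genuine)
    print("relayed from look-alike page:", phished)
    seed, now = b"constructed-totp-seed", 1_700_000_000
    print("TOTP relayed from look-alike page accepted:", totp_accepts(seed, totp(seed, now), now))
```

The two checks are cheap but decisive: the look-alike page cannot forge the origin field, and the authenticator will not sign for a relying-party ID that does not match the domain it was invoked from, so the relayed assertion is rejected before any cryptography runs, while the relayed TOTP code is indistinguishable from a legitimate one.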

Thousands of Secret Keys Discovered in Leaked Samsung Source Code

 

Thousands of secret keys were exposed in the recently stolen Samsung source code, according to an analysis, including several that might be extremely beneficial to nefarious actors. GitGuardian, a business that specialises in Git security scanning and secret detection, conducted the research. 

The firm's analysts examined source code that was recently stolen by a cybercrime outfit known as Lapsus$. In recent weeks, the hackers claim to have hacked into several large corporations, including NVIDIA, Samsung, Ubisoft, and Vodafone. They appear to have acquired source code from the victims in numerous cases, some of which have been made public. Cybercriminals claim to have stolen 190 GB of data from Samsung, and the tech giant has verified that the hacked data contained the source code of Galaxy devices. 

More than 6,600 secret keys were discovered during GitGuardian's analysis of the exposed Samsung source code, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys. The number of valid keys revealed is yet to be determined by the firm's researchers. However, 90 percent are likely related to internal systems, which may be more difficult for an attacker to use, according to their research. The remaining keys, which number around 600, can give attackers access to a wide range of systems and services. 

“Of the more than 6,600 keys found in Samsung source code roughly 90% are for Samsung's internal services and infrastructure, whilst the other 10%, critically, could grant access to Samsung's external services or tools such as AWS, GitHub, artifactory and Google,” explained Mackenzie Jackson, developer advocate at GitGuardian. 

The exposure of specific keys, according to Casey Bisson, head of product and developer relations at code security firm BluBracket, might lead to the TrustZone environment on Samsung devices being compromised. Researchers have yet to determine whether the revealed keys undermine TrustZone, which holds sensitive data such as fingerprints and passwords and acts as a security barrier against Android malware.

Bisson told SecurityWeek, “If the leaked data allows the malware to access the TrustZone environment, it could make all data stored there vulnerable. If Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment. Compromised keys would make this a more significant attack than Nvidia, given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.”

GitGuardian reviewed the source code leaked from Amazon's live streaming service Twitch, from which hackers obtained and made public around 6,000 internal Git repositories, a few months ago. AWS keys, Twilio keys, Google API keys, database connection strings, and GitHub OAuth keys were among the secrets found by GitGuardian in those repositories.
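Both the Samsung and New York Times incidents above come down to credentials sitting in source code: GitGuardian's analysis counted keys by provider and split them into internal versus external ones, and the Times breach began with a single exposed GitHub token. The following is an added example, not GitGuardian's scanner or any vendor's code, of the kind of pattern-based secret scan a team can run over its own checkouts before code ever leaves the organisation. The detector prefixes (`AKIA`, `ghp_`, `AIza`) are the publicly documented formats of the respective services; every sample value is constructed and matches only by shape.

```python
from __future__ import annotations
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    scope: str      # "external": a third-party service key; "generic": target unknown
    redacted: str

# Detector patterns: three provider-specific prefixes plus two generic shapes.
PATTERNS = [
    ("AWS access key ID", "external", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", "external", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Google API key", "external", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("private key block", "generic", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("hard-coded credential", "generic",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Obvious placeholder values that are noise rather than secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}

def redact(token: str) -> str:
    """Keep only a prefix/suffix so a report can be shared without re-leaking the secret."""
    if len(token) <= 12:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]

def scan_text(text: str, path: str = "<string>") -> list[Finding]:
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, scope, rx in PATTERNS:
            for m in rx.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                if token.lower() in PLACEHOLDERS:
                    continue
                out.append(Finding(path, lineno, kind, scope, redact(token)))
    return out

# Vendored dependency trees are skipped; .git is NOT skipped, because .git/config
# can carry tokens embedded in remote URLs. (Packed history objects are compressed
# and need a git-aware scanner, which is out of scope here.)
SKIP_DIRS = {"node_modules", "vendor"}

def scan_tree(root: str) -> list[Finding]:
    """Walk a checkout and scan every readable file as text."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    out.extend(scan_text(fh.read(), os.path.relpath(full, root)))
            except OSError:
                continue
    return out

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per scope, the internal/external split GitGuardian reported for Samsung."""
    return dict(Counter(f.scope for f in findings))

# Constructed sample file; every value below is fake.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
maps_key = "AIza0123456789abcdefghijABCDEFGHIJ01234"
-----BEGIN RSA PRIVATE KEY-----
db_password = "correct-horse-battery"
db_password = "changeme"
"""

def demo_repo() -> str:
    """Constructed checkout: the sample settings file plus a .git/config whose
    remote URL embeds a (fake) token, the way a leaked token often hides."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, ".git"))
    with open(os.path.join(base, ".git", "config"), "w") as fh:
        fh.write('[remote "origin"]\n\turl = https://x-access-token:'
                 'ghp_0123456789abcdefghijABCDEFGHIJ012345@github.example/org/app.git\n')
    with open(os.path.join(base, "settings.py"), "w") as fh:
        fh.write(SAMPLE)
    return base

if __name__ == "__main__":
    for f in scan_tree(demo_repo()):
        print(f"{f.path}:{f.line}: {f.kind} [{f.scope}] {f.redacted}")
    print(summarize(scan_text(SAMPLE)))
```

Run against the constructed checkout it reports six findings, three of them external-service keys; the redacted column is what belongs in a ticket, never the raw token. Pattern scanning of this sort is a floor, not a ceiling: it catches well-formed provider keys and obvious assignments, and the real remedy for anything it finds is revocation and rotation, since a key that has been committed must be treated as already exposed.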

Vodafone Investigates Source Code Theft Claims

Vodafone launched an inquiry after a group of hackers claimed to have stolen a hundred GBs of source code from the telecom company. The cybercrime group, which calls itself 'Lapsus$', claims to have obtained around 200 GB of source code files, representing around 5,000 GitHub repositories. In an emailed statement, Vodafone confirmed that it is aware of the claim and that an investigation has been started.

The company said it is investigating the claim together with law enforcement to verify its credibility, but that, in general, the types of repositories referenced in the claim contain proprietary source code and do not contain customer data.

So far, the hackers have not published any of the Vodafone source code they claim to have stolen. Instead, they are asking the tens of thousands of subscribers to their Telegram channel to vote on what to leak next: Vodafone, e-commerce company MercadoLibre, or Portuguese media company Impresa. The poll ends on March 13. The attack on Impresa caused disruption, and MercadoLibre confirmed in an SEC filing that source code and data on 300,000 users were leaked.

Last month, Vodafone Portugal blamed service problems on a 'malicious cyberattack', although it is not clear whether the cases are linked. The Lapsus$ group has also leaked source code and other information from NVIDIA and Samsung.

NVIDIA confirmed that hackers stole employee credentials and signing certificates. Samsung confirmed that threat actors stole 190 GB of data, including source code related to Galaxy devices, but said that employee and customer data was not compromised.

The hackers are seeking large ransom payments from the affected companies in exchange for not publishing the stolen data. From NVIDIA, they demanded that the company open-source its drivers and remove a feature that restricts Ethereum mining on some of its graphics cards.

"The hackers gained access to the company’s Amazon Web Services account and sent emails and text messages to subscribers, the statement said. The hackers accessed some subscriber information, but Impresa said it had no evidence they got hold of subscribers’ passwords or credit card details," says Security Week.

Azure App Service Vulnerability Exposes Source Code Repositories

 

Microsoft has discreetly begun informing certain Azure users that a significant security flaw in the Azure App Service has exposed hundreds of source code repositories. 

Microsoft's disclosure follows more than two months after it had been disclosed by Israeli cloud security startup Wiz, and only weeks after Redmond secretly patched the weakness and notified "a limited subset of customers" who were thought to be in danger. 

The Microsoft Security Response Center described the weakness in an alert as a problem whereby customers can accidentally have the .git folder generated in the content root, putting them at risk of unauthorized information disclosure.

“This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public. We have notified the limited subset of customers that we believe are at risk due to this and we will continue to work with our customers on securing their applications,” Microsoft said. 

App Service Linux users who deployed applications using Local Git after files were created or modified in the content root directory may be affected, according to the company.

The combination of a .git folder inside the content folder and an application that serves static content is what makes the program vulnerable to source code leakage, according to Redmond.

The weakness is described in a separate technical note by the Wiz research team as an unsafe default behavior in the Azure App Service that disclosed the source code of customer applications written in PHP, Python, Ruby, or Node and deployed using "Local Git." The vulnerability, dubbed "NotLegit," has existed since September 2017 and has most likely been exploited in the wild, according to the company.

The Wiz researchers highlighted exploitation as "extremely easy," adding that there are indications that unidentified malicious actors have already been launching exploits. 

“To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the company said.

“As this exploitation method is extremely easy, common, and is actively being exploited, we encourage all affected users to overview their application’s source code and evaluate the potential risk,” Wiz added.
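The condition Microsoft and Wiz describe is simple to state: a `.git` directory inside the content root, plus a static-file handler that will serve anything under that root. The following is an added example, not Microsoft's or Wiz's code, of the two defensive pieces an application owner can apply on their own side regardless of the platform fix: an audit that finds repository metadata directories under the served root, and a static-file policy that refuses to serve any dot-prefixed path component or anything resolving outside the root. The `wwwroot` layout it builds is constructed to resemble an affected Local Git deployment.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path, PurePosixPath

VCS_DIRS = {".git", ".svn", ".hg"}

def is_servable(content_root: str, request_path: str) -> bool:
    """Static-file policy: serve only regular files below content_root, and never
    a path containing '..' or a dot-prefixed component (.git, .env, .htaccess, ...)."""
    parts = PurePosixPath(request_path.lstrip("/")).parts
    if not parts or any(p == ".." or p.startswith(".") for p in parts):
        return False
    root = Path(content_root).resolve()
    target = root.joinpath(*parts).resolve()      # resolve() also follows symlinks
    if root not in target.parents:                # escaped the root via a symlink
        return False
    return target.is_file()

def find_exposed_vcs_dirs(content_root: str) -> list[str]:
    """Audit helper: every repository metadata directory under the served root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(content_root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                hits.append(os.path.relpath(os.path.join(dirpath, d), content_root))
                dirnames.remove(d)                # no need to descend into the repo
    return sorted(hits)

def demo_tree() -> str:
    """Constructed content root shaped like an affected Local Git deployment:
    application files alongside the .git directory that the deploy left behind."""
    root = Path(tempfile.mkdtemp()) / "wwwroot"
    (root / ".git").mkdir(parents=True)
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".git" / "config").write_text('[remote "origin"]\n\turl = https://git.example.invalid/app.git\n')
    (root / "index.html").write_text("<h1>hello</h1>\n")
    return str(root)

if __name__ == "__main__":
    root = demo_tree()
    print("exposed repository dirs:", find_exposed_vcs_dirs(root))
    for req in ("/index.html", "/.git/HEAD", "/.git/config", "/../wwwroot/index.html"):
        print(f"{req:>26} -> {'serve' if is_servable(root, req) else 'deny'}")
```

The audit is the part to run first: if it lists `.git`, the directory should be moved out of the content root (or the deployment changed so it is never generated there), because a deny rule in the application only protects requests that reach that handler. The policy function then gives a defensible default for whatever does serve static files: dotfiles and directories are refused by construction, and the symlink-aware root check closes the usual traversal route.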

Wiz researchers in Israel have already been proactively uncovering and publicizing huge security vulnerabilities in Microsoft's flagship Azure cloud computing platform, with ChaosDB and OMIGOD being two instances.

Hacker Can Conceal Flaws in Source Code by Applying Trojan Source Technique

 

Threat actors could use a new class of vulnerabilities to plant visually deceptive code that is semantically valid yet changes the logic expressed by the source code, opening the door to further first-party and supply chain risks.

CVE-2021-42574 and CVE-2021-42694 impact compilers for all common programming languages, including C, C++, C#, JavaScript, Java, Rust, Go, and Python. 

Compilers are programs that convert high-level, human-readable source code into lower-level forms such as assembly language, object code, or machine code, which can then be executed by the operating system.

The technique "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper. 

The issue revolves around Unicode's bidirectional (Bidi) algorithm, which supports both left-to-right (e.g., English) and right-to-left (e.g., Arabic or Hebrew) scripts and includes bidirectional overrides that permit writing left-to-right words inside a right-to-left sentence, or vice versa, so that text with a different reading direction can be embedded inside larger blocks of text.

While a compiler's output is expected to faithfully implement the source code given to it, inserting Unicode Bidi override characters into comments and strings creates a situation in which the displayed order of characters suggests logic that differs from the logical order the compiler actually processes.

Put another way, the attack targets the encoding of source code files to construct targeted security flaws rather than deliberately introducing logical bugs: it visually rearranges tokens in the source code in a way that is entirely valid to the compiler, which processes the logical order while a human reviewer sees the rendered order, drastically changing program flow, for example by making a comment appear as though it were code.

"In effect, we anagram program A into program B," the researchers surmised. "If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected." 

"The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses," the researchers noted. "As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses."
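The defence the researchers call for is the easy part of this story: the bidi override characters have to be present in the file bytes, so a reviewer tool or CI check can flag them unconditionally, and the homoglyph variant (CVE-2021-42694) is caught by flagging identifiers that mix non-ASCII letters into otherwise ASCII names. The following is an added example, not the Cambridge researchers' tooling, of such a check in Python; the sample input is constructed in the shape of the paper's "commenting-out" pattern, with the control characters written as escapes so they are visible here, and the `reveal` helper renders them as `<NAME>` markers to show the logical order a compiler would see.

```python
from __future__ import annotations
import re
import unicodedata
from dataclasses import dataclass

# Unicode bidirectional formatting characters; Trojan Source (CVE-2021-42574)
# hides them in comments and string literals to reorder how code is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

@dataclass(frozen=True)
class BidiFinding:
    line: int
    column: int
    codepoint: str   # e.g. "U+202E"
    name: str        # short name from BIDI_CONTROLS

@dataclass(frozen=True)
class HomoglyphFinding:
    line: int
    identifier: str
    suspicious: str  # e.g. "U+0430 CYRILLIC SMALL LETTER A"

def scan_bidi(source: str) -> list[BidiFinding]:
    """Report every bidi control character with its 1-based line and column.
    Any occurrence in source code is suspicious; legitimate RTL text in strings
    is rare enough that a reviewer should have to justify it explicitly."""
    out = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                out.append(BidiFinding(lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return out

IDENT = re.compile(r"[^\W\d]\w*")   # Unicode-aware identifier shape

def scan_homoglyph_identifiers(source: str) -> list[HomoglyphFinding]:
    """Flag identifiers that mix non-ASCII letters into otherwise ASCII names."""
    out = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in IDENT.finditer(line):
            ident = m.group(0)
            odd = [c for c in ident if ord(c) > 0x7F]
            if odd and any(ord(c) <= 0x7F for c in ident):
                desc = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in odd)
                out.append(HomoglyphFinding(lineno, ident, desc))
    return out

def reveal(line: str) -> str:
    """Render bidi controls as visible <NAME> markers: the logical order a compiler sees."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c for c in line)

# Constructed sample. Line 1 is a single comment to the compiler, but the RLO and
# LRI/PDI characters make an editor render it so that "if (isAdmin) {" appears to
# be live code. Line 2 uses a Cyrillic 'a' (U+0430) inside a Latin identifier.
SAMPLE = (
    "/*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "    int p\u0430ssword = 1;  /* the 'a' above is CYRILLIC SMALL LETTER A */\n"
)

if __name__ == "__main__":
    for f in scan_bidi(SAMPLE):
        print(f"line {f.line} col {f.column}: {f.codepoint} ({f.name})")
    for h in scan_homoglyph_identifiers(SAMPLE):
        print(f"line {h.line}: identifier {h.identifier!r} contains {h.suspicious}")
    print(reveal(SAMPLE.splitlines()[0]))
```

Wired into a pre-receive hook or CI job, `scan_bidi` should simply fail the build on any finding, since there is no ordinary reason for these characters to appear in program text; `scan_homoglyph_identifiers` is noisier in codebases that legitimately use non-Latin identifiers, so it is better treated as a review warning than a hard block.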