Cyber Security Headlines: More markup leaks, Clop victims go public, Big Tech lobbies on spy law

Another image editor leaks data

Earlier this week, security researchers revealed that the Markup tool on Pixel devices allowed people to partially recover content that had been cropped or redacted out of an image. Now software engineer Chris Blume has confirmed that a similar issue affects the Windows 11 Snipping Tool. When it saves an edited image over the original file, the Snipping Tool does not truncate the file, so any bytes of the original that extend past the end of the new image are left in place. The PNG specification says an image file ends with an ‘IEND’ chunk; the Snipping Tool leaves data from the original image after that chunk. Image viewers ignore the extra bytes, but a simple Python script can partially recover the cropped-out content. Microsoft said it is looking into the issue.

(Bleeping Computer)
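To make the failure concrete, here is an added example (not the page's code, not Microsoft's, and not the published recovery script) that builds a constructed sample PNG, models a save that overwrites the file without truncating it, checks for bytes after IEND, and salvages intact chunks from the leftover data. Function names such as make_png, trailing_data and salvage_chunks are this example's own, and the pixel data is seeded pseudo-random filler.

```python
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Encode one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width, height, seed=1, idat_split=None):
    """Constructed sample input: a valid 8-bit RGB PNG with seeded pseudo-random pixels.
    idat_split spreads the zlib stream over several IDAT chunks, as real encoders do."""
    rng = random.Random(seed)
    rows = [b"\x00" + bytes(rng.randrange(256) for _ in range(3 * width)) for _ in range(height)]
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    stream = zlib.compress(b"".join(rows))
    step = idat_split or len(stream)
    idats = b"".join(_chunk(b"IDAT", stream[i:i + step]) for i in range(0, len(stream), step))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + idats + _chunk(b"IEND", b"")


def png_chunks(data):
    """Yield (type, body, crc_ok, end_offset) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        yield ctype, body, stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF), end
        if ctype == b"IEND":
            return
        pos = end
    raise ValueError("no IEND chunk")


def trailing_data(data):
    """Everything after the IEND chunk. A correctly written PNG returns b""."""
    for ctype, _, _, end in png_chunks(data):
        if ctype == b"IEND":
            return data[end:]


def truncate_to_iend(data):
    """The fix at the writer: drop whatever follows IEND before the bytes hit disk."""
    return data[:len(data) - len(trailing_data(data))]


def overwrite_without_truncate(original, edited):
    """Model a writer that opens the existing file without truncating it: the new bytes
    cover the head of the old file and the old tail survives on disk."""
    return edited + original[len(edited):] if len(edited) < len(original) else edited


def salvage_chunks(trailer):
    """Find intact IDAT/IEND chunks (plausible length and valid CRC) in the leftover bytes.
    The trailer usually starts mid-chunk, so the first, partial chunk is skipped."""
    found, pos = [], 4  # a type field needs its 4 length bytes in front of it
    while True:
        hits = [h for h in (trailer.find(t, pos) for t in (b"IDAT", b"IEND")) if h != -1]
        if not hits:
            return found
        p = min(hits)
        length = struct.unpack(">I", trailer[p - 4:p])[0]
        end = p + 4 + length + 4
        if end <= len(trailer):
            ctype, body, crc = trailer[p:p + 4], trailer[p + 4:p + 4 + length], trailer[p + 4 + length:end]
            if crc == struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF):
                found.append((ctype, body))
                pos = end + 4  # next type field cannot start before the next length field ends
                continue
        pos = p + 1  # false hit inside compressed data; keep scanning


def demo():
    """Simulate cropping a 16x16 screenshot down to 2x2 and saving over the original."""
    original = make_png(16, 16, seed=1, idat_split=64)
    edited = make_png(2, 2, seed=2)
    on_disk = overwrite_without_truncate(original, edited)
    trailer = trailing_data(on_disk)
    salvaged = salvage_chunks(trailer)
    return {
        "trailer_bytes": len(trailer),
        "salvaged_types": [t for t, _ in salvaged],
        "recovered_idat_bytes": sum(len(b) for t, b in salvaged if t == b"IDAT"),
    }


if __name__ == "__main__":
    print(demo())
```

Turning the salvaged IDAT bytes back into pixels needs the deflate stream resynchronised from a surviving chunk boundary, which is what the published recovery scripts do; the point here is the check. A PNG written correctly has an empty trailer, and a trailer that parses as intact chunks from a larger image is exactly the leak described above. On the writer's side the fix is equally short: truncate to IEND (or open the destination with truncation) instead of overwriting in place.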

More Clop victims come forward

The ransomware group Clop claimed it compromised 130 organizations earlier this year by exploiting a vulnerability in the GoAnywhere managed file transfer product. Clop has not yet named all of the victims on its leak site, but this week more came forward. The Canadian financing firm Investissement Quebec and Hitachi Energy both said a ransomware group obtained some employee information, and both pointed to the security incident at Fortra, which develops GoAnywhere, as the cause. Fortra did not answer media inquiries about other victims, but it did release a patch for the vulnerability in February. Other victims that have come forward include Community Health Systems, Hatch Bank, and the enterprise data management company Rubrik.

(TechCrunch)

Big tech lobbies to limit spying law

Bloomberg’s sources say several big tech companies, including Meta, Alphabet, and Apple, have pushed Congress to limit Section 702 of the Foreign Intelligence Surveillance Act, which is set to expire at the end of 2023. As enacted in 2008, the law allows agencies to compel companies to turn over the communications and other data of non-US persons located outside the US without a warrant. As a condition of renewal, the companies want the ability to disclose more about the government requests they receive and what data they handed over, along with restrictions on how the disclosed information can be used.

(Bloomberg)

CISA expands cybersecurity committee

This week the US Cybersecurity and Infrastructure Security Agency added more than a dozen new members to its advisory committee, which works with director Jen Easterly on policies and programs. The new members include CSOs from the NFL, VMware, and General Motors, and Google’s VP of privacy, safety and security engineering. CISA also updated its cross-sector cybersecurity performance goals; based on industry feedback, it reorganized the goals to match the NIST Cybersecurity Framework.

(Security Week)

And now a word from our sponsor, Conveyor

Does the thought of answering another security questionnaire make you feel like clearing out the ice cream section at your local grocery store?

Though we fully support the ice cream thing, you might want to check out Conveyor first: the end-to-end trust platform helping infosec teams reduce incoming questionnaires and fly through the ones they do have to complete.

Give customers access to a self-serve trust portal to download security info and for any remaining questionnaires that do come in, use our GPT-Questionnaire response tool or white-glove questionnaire completion service to knock them completely off your to-do list. Learn more at www.conveyor.com.

Pinduoduo app declared malware

Google flagged several apps from the Chinese e-commerce giant Pinduoduo as malware and suspended the company’s official app from the Play Store. Google Play Protect on Android will also block users from installing third-party APKs of the flagged apps and warn users who already have them installed to remove them. Security researchers speaking to TechCrunch claim the app attempts to exploit several zero-day vulnerabilities to compromise devices. A Pinduoduo spokesperson denied the “speculation and accusation” that its app was malicious.

(TechCrunch)

GitHub gets a chatty Copilot

GitHub introduced Copilot in 2021 as an AI-assisted autocomplete for code. Microsoft has now announced an overhaul of the feature under a new “Copilot X” vision. As part of this, GitHub launched a technical preview of a chat experience inside the code editor that can explain code, recommend changes, and fix bugs. The chat currently lives in a sidebar, but GitHub plans to bring it inline with the code. It also adds voice support through a “Hey, GitHub” wake word. The feature is launching in Microsoft’s Visual Studio and Visual Studio Code, with other IDEs to follow.

(The Verge)

PoC exploits released for vulnerable Netgear routers

Back in August 2022, Cisco’s Talos team disclosed vulnerabilities in Netgear’s Orbi 750 series routers to the vendor, and this week Cisco published proof-of-concept exploits for them. The flaws open the door to arbitrary code execution through an admin console exposed to the internet, man-in-the-middle attacks, and interception of traffic between a router and its satellite extender. The exploits require valid login credentials, but it’s unclear how many publicly accessible routers still use stock credentials. Netgear released updated firmware, but Bleeping Computer found that some routers did not install it automatically. Cisco found no evidence that these vulnerabilities were being actively exploited.

(Bleeping Computer)

Quantum Cleveland Clinic

IBM and the Cleveland Clinic announced the installation of an IBM Quantum System One as part of the Cleveland Clinic-IBM Discovery Accelerator project. It is the first on-site, private-sector quantum computer in the US, although IBM still manages the machine. Researchers say it will speed biomedical discoveries across clinical and pharmaceutical research projects. IBM first announced the project in 2021 as a way for both organizations to learn from an on-site quantum computer deployment.

(Healthcare IT News)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.