Another image editor leaks data
Earlier this week, security researchers revealed that the Markup tool on Pixel devices allowed people to partially recover content edited out of an image. Now software engineer Chris Blume confirmed a similar issue impacts the Windows 11 Snipping Tool. When saving over an original image file with an edited one, the Snipping Tool does not properly truncate data. The PNG specification states that image files end in an ‘IEND’ data chunk, but the Snipping Tool leaves data from the original image after the IEND chunk. It’s not visible in the PNG file, but a simple Python script can partially recover content. Microsoft said it’s looking into the issue.
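The defect described above is a file that is structurally valid but carries bytes after its IEND chunk. The following Python is an added example written for this digest, not code from Microsoft, the researchers, or any project named here: it walks the PNG chunk list, reports how many bytes sit past IEND, and returns a truncated copy, which is the fix a tool that overwrites an image in place should apply. The 1x1 sample image and the leftover tail are constructed inline so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def iend_offset(png: bytes) -> int:
    """Walk the chunk list and return the byte offset just past the IEND chunk.

    Raises ValueError if the data is not a PNG or no IEND chunk is found.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        chunk_type = png[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(png):
            raise ValueError("truncated chunk")
        if chunk_type == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(png: bytes) -> int:
    """Number of bytes present after the IEND chunk; 0 for a properly truncated file."""
    return len(png) - iend_offset(png)


def strip_trailing(png: bytes) -> bytes:
    """Return the PNG cut at the end of IEND, discarding any leftover bytes."""
    return png[:iend_offset(png)]


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, color type, ...
    raw = b"\x00\x00"  # one scanline: filter byte 0 followed by a single pixel
    return (
        PNG_SIGNATURE
        + _chunk(b"IHDR", ihdr)
        + _chunk(b"IDAT", zlib.compress(raw))
        + _chunk(b"IEND", b"")
    )


# Constructed sample: the leftover tail stands in for the remainder of a larger
# original file that an in-place save failed to truncate.
LEFTOVER = b"\x00" * 64 + b"constructed leftover image data"
CLEAN_PNG = build_minimal_png()
DIRTY_PNG = CLEAN_PNG + LEFTOVER


if __name__ == "__main__":
    print("clean file, bytes after IEND:", trailing_bytes(CLEAN_PNG))
    print("overwritten file, bytes after IEND:", trailing_bytes(DIRTY_PNG))
    print("after strip, bytes after IEND:", trailing_bytes(strip_trailing(DIRTY_PNG)))
```

Run against a real file with `trailing_bytes(open(path, "rb").read())`: any non-zero result means the viewer-visible image is not the whole file, and `strip_trailing` produces the version that is safe to share. The check only measures the tail; it deliberately does not try to interpret it.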
More Clop victims come forward
The ransomware group Clop claimed it compromised 130 organizations earlier this year using a flaw in the GoAnywhere file transfer service. On its leak site, Clop has not yet named all victims. However, this week new victims came forward. The Canadian financing firm Investissement Quebec and Hitachi Energy both said a ransomware group obtained some employee information. Both pointed to security incidents at Fortra, which develops GoAnywhere, as the cause. Fortra did not answer media inquiries about other victims, but did release a patch for the vulnerability in February. Other victims that came forward include Community Health Systems, Hatch Bank, and the enterprise data management company Rubrik.
Big tech lobbies to limit spying law
Bloomberg’s sources say several big tech companies, including Meta, Alphabet, and Apple, have pushed Congress to limit Section 702 of the Foreign Intelligence Surveillance Act. The law is set to expire at the end of 2023. As passed in 2008, the law allows agencies to compel companies to turn over communications and other data on non-US citizens living outside the US without a warrant. With the renewal of the law, tech companies want the ability to disclose information on government requests about users, what data they disclosed, and restrictions on how the information disclosed can be used.
CISA expands cybersecurity committee
This week the US Cybersecurity and Infrastructure Security Agency added more than a dozen new members to its advisory committee, which works with director Jen Easterly on policies and programs. These members include CSOs from the NFL, VMware, and General Motors, and Google’s VP of privacy, safety and security engineering. CISA also updated the cross-sector cybersecurity performance goals. Based on industry feedback, it reorganized the goals to match the NIST Cybersecurity Framework.
Pinduoduo app declared malware
Google flagged several apps from the Chinese e-commerce giant Pinduoduo as malware, suspending its official app in the Play Store. Google will also use its Google Play Protect feature on Android to block users from installing third-party APKs of the flagged apps and to warn users who already have them installed to remove them. Security researchers speaking to TechCrunch claim the app attempts to exploit several zero-days to compromise devices. A Pinduoduo spokesperson denied the “speculation and accusation” that its app was malicious.
GitHub gets a chatty Copilot
GitHub introduced its Copilot feature in 2021, offering AI-assisted autocomplete suggestions for code. Microsoft announced an overhaul of the feature under a new “Copilot X” vision. As part of this, GitHub launched a technical preview of a new chatbot experience within a code editor, which can explain code, recommend changes, and fix bugs. Currently the chat feature operates in a sidebar, but GitHub plans to bring it inline with code in the future. This also adds voice support for chat, through a creative “Hey, GitHub” wake word. The feature will launch in Microsoft’s Visual Studio and Visual Studio Code apps, and will eventually come to other IDEs.
PoC exploits released for vulnerable Netgear routers
Back in August 2022, Cisco’s Talos team disclosed vulnerabilities in Orbi 750 series routers to Netgear. Cisco has now released proof of concept exploits for these flaws. They opened the door to executing arbitrary code through publicly accessible admin consoles, man-in-the-middle attacks, and intercepting traffic between a router and its extender. These exploits require valid login credentials, but it’s unclear how many publicly accessible routers still use stock credentials. Netgear released updated firmware, but Bleeping Computer found some routers did not automatically install it. Cisco did not find any evidence these vulnerabilities were under active exploitation.
Quantum Cleveland Clinic
IBM and the Cleveland Clinic announced the installation of the IBM Quantum System One as part of the Cleveland Clinic-IBM Discovery Accelerator project. This marks the first on-site private sector quantum computer in the US, although IBM still manages the machine. Researchers say the computer will speed biomedical discoveries across clinical and pharmaceutical research projects. IBM first announced the project in 2021, looking at how both organizations could learn from an on-site quantum computer deployment.