uTalk

Cybersecurity experts issue a warning about CAPTCHA-breaking services that are being sold as a way to get around filters that separate human users from bot traffic.

"Several services that are primarily geared toward this market demand have been created," Trend Micro said in a report released last week. "Cybercriminals are keen on breaking CAPTCHAs accurately.".

Instead of breaking CAPTCHAs using [optical character recognition] techniques or sophisticated machine learning methods, these CAPTCHA-solving services farm out CAPTCHA-breaking tasks to actual human solvers. ".

Completely Automated Public Turing Test to Tell Computers and Humans Apart, or CAPTCHA, is a tool that distinguishes between authentic human users and automated users in order to fight spam and prevent the creation of fake accounts.

In spite of the fact that CAPTCHA mechanisms can be annoying to users, they are thought to be a useful defense against attacks from bot-generated web traffic.

The illegal CAPTCHA-solving services operate by channeling customer requests through their human solvers, who then figure out the answer and send the results back to the users.

Additionally, the ability to send the CAPTCHA in real-time via API calls to the service provider, who then sends the responses programmatically, makes the entire workflow accessible to bot operators.

CAPTCHA.

According to security researcher Joey Costoya, "this makes it easy for the users of CAPTCHA-breaking services to develop automated tools against online web services.". "And because real people are completing CAPTCHAs, the goal of preventing automated bot traffic through these tests is defeated. ".

But that's not all. Threat actors have been seen buying CAPTCHA-breaking services and combining them with proxyware options to mask the source IP address and get around antibot defenses.

Proxyware effectively transforms the devices it runs on into residential proxies, despite being marketed as a utility to share a user's unused internet bandwidth with third parties in exchange for "passive income.".

The task requests coming from a bot are routed through a proxyware network in one instance of a CAPTCHA-breaking service that targets the well-known social commerce marketplace Poshmark.

Although CAPTCHAs are frequently used to stop spam and bot abuse, Costoya claimed that their effectiveness has decreased due to the rise of CAPTCHA-breaking services. "Online web services are able to block the IP addresses of abusers, but the widespread use of proxyware has rendered this technique useless, just like CAPTCHAs. ".

Online web services are advised to use additional anti-abuse tools in addition to IP blocklisting and CAPTCHAs to reduce such risks.

Researchers have found a low-cost attack method that can be used to brute-force fingerprints on smartphones in order to get around user authentication and take over the devices.

The BrutePrint method uses two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework to circumvent restrictions put in place to stop unsuccessful biometric authentication attempts.

The vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), take advantage of logical flaws in the authentication framework that result from inadequate protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

Researchers Yu Chen and Yiling He claimed in a research paper that the outcome is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking.". "BrutePrint serves as a go-between for the TEE [Trusted Execution Environment] and the fingerprint sensor. ".

To submit as many fingerprint images as necessary until a match is found is the main objective. However, it assumes that a threat actor already has the concerned target device in their possession.

In order to carry out the attack for as little as $15, the adversary also needs a fingerprint database and a set-up that includes a microcontroller board and an auto-clicker that can intercept data sent by a fingerprint sensor.

The first of the two flaws that makes this attack possible is CAMF, which enables increasing the fault tolerance capabilities of the system by invalidating the fingerprint data's checksum and granting an attacker an unlimited number of tries.

In contrast, MAL uses a side-channel to infer matches of the fingerprint images on the target devices, even when it locks itself out after a certain number of failed login attempts.

Even though Keyguard has an additional checkbox to prevent unlocking while in lockout mode, the researchers noted that TEE had produced the authentication result.

It is possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images because the success authentication result is returned instantly when a matched sample is met. ".

BrutePrint was tested against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo in an experimental setting. The results showed infinite attempts on Android and HarmonyOS devices and 10 additional attempts on iOS devices.

The discoveries follow the publication of a hybrid side-channel by a group of academics that takes advantage of the "three-way tradeoff between execution speed (i. e. to perform "browser-based pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2 on contemporary system-on-chips (SoCs) and GPUs.

The attack, known as Hot Pixels, makes use of this behavior to launch website fingerprinting attacks and use JavaScript code to collect browsing histories from users.

This is achieved by developing a computationally intensive SVG filter to stealthily harvest the data with an accuracy of up to 94 percent while measuring the rendering times and leaking pixel colors.

Google, AMD, Intel, Nvidia, Qualcomm, Apple, and Google have all acknowledged the problems. In addition, the researchers advise "preventing SVG filters from being applied to iframes or hyperlinks" and limiting unauthorized access to sensor data.

As a result of 10 security flaws that Google found in Intel's Trust Domain Extensions (TDX), which could result in arbitrary code execution, denial-of-service situations, and loss of integrity, BrutePrint and Hot Pixels were also developed.

On a related note, it has been discovered that Intel CPUs are vulnerable to a side-channel attack that uses variations in execution time brought on by changing the EFLAGS register during transient execution to decode data without using the cache.

The Europol Innovation Lab organized a number of workshops with subject matter experts from across Europol to examine how criminals can abuse large language models (LLMs) like ChatGPT as well as how it may help investigators in their daily work. This was done in response to the growing public interest in ChatGPT.

The purpose of this report is to promote the development of secure and reliable AI systems by increasing awareness of the potential misuse of LLMs, starting a conversation with AI companies to help them implement better safeguards, and raising awareness of the potential misuse of LLMs. Only law enforcement was given access to a longer, more in-depth version of this report.

How do large language models work?
An AI system that can process, manipulate, and generate text is known as a large language model.

Large amounts of information, including books, articles, and websites, are fed to an LLM during training so that it can discover word patterns and connections and produce new content.

As part of a research preview in November 2022, OpenAI released ChatGPT, an LLM, to the general public.

The current publicly available model underpinning ChatGPT is capable of processing and producing human-like text in response to user requests. In particular, the model is capable of responding to queries on a range of subjects, translating text, having conversations (or "chatting"), creating new content, and writing useful code.

Large Language Models' negative side.
Even though the capabilities of LLMs like ChatGPT are constantly being enhanced, the prospect of criminals abusing these kinds of AI systems is bleak.

The three crime hotspots listed below are just a few of the many concerns noted by Europol's experts.

Fraud and social engineering: ChatGPT can create text that is incredibly realistic, which makes it a useful tool for phishing. It is possible to imitate a particular person's or group's speech patterns using LLMs' capacity to reproduce language patterns. This capability can be used extensively to deceive prospective victims into putting their trust in the hands of criminal actors.
Misinformation: ChatGPT is incredibly fast and efficient at producing text that sounds real. Because users can easily create and disseminate messages reflecting a particular narrative, the model is perfect for propaganda and disinformation.
Cybercrime: ChatGPT can produce code in a number of different programming languages in addition to human-like language. This is a priceless resource for someone looking to commit crime but lacking in technical expertise to create malicious code.
It will be more crucial than ever for law enforcement to stay abreast of technological advancements as new models become accessible in order to foresee and stop abuse.

Attackers can now unlock smartphones using their fingerprints thanks to the new BrutePrint attack.

Researchers have found a low-cost attack method that can be used to brute-force fingerprints on smartphones to get around user authentication and take over the devices.

The BrutePrint method uses two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework to circumvent restrictions set up to prevent unsuccessful biometric authentication attempts.

The Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) vulnerabilities take advantage of logical flaws in the authentication framework that result from inadequate protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

The end result, according to researchers Yu Chen and Yiling He in a research paper, is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking.". Between the fingerprint sensor and the TEE (Trusted Execution Environment), bruteprint serves as a middleman. ".

The main objective is to be able to submit an infinite number of fingerprint images until a match is found. However, it assumes that the target device in question is already in the possession of a threat actor.

To carry out the attack for as little as $15, the adversary also needs a fingerprint database and a set-up that includes a microcontroller board and an auto-clicker that can intercept data sent by a fingerprint sensor.

The first of the two vulnerabilities that make this attack possible is CAMF, which enables increasing the fault tolerance capabilities of the system by invalidating the checksum of the fingerprint data and granting an attacker unlimited tries.

In contrast, MAL uses a side-channel to infer matches of the fingerprint images on the target devices, even when it locks itself out after a certain number of failed login attempts.

The researchers stated, "Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE.

"Side-channel attacks may be able to guess the outcome because the success authentication result is always returned right away when a sample match is made. Examples of such behaviors include response time and the quantity of images acquired. ".

In a test environment, 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo were used to evaluate BrutePrint. The evaluation resulted in an infinite number of attempts on Android and HarmonyOS devices and an additional 10 attempts on iOS devices.

The discoveries follow the publication of a hybrid side-channel by a group of academics that takes advantage of the "three-way tradeoff between execution speed (i. e. pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2 using "browser-based system-on-chips (SoCs) and GPUs in modern system-on-chips (SoCs) and GPUs.

The Hot Pixels attack, which makes use of this behavior, mounts website fingerprinting attacks and uses JavaScript code to collect browsing histories from users.

This is achieved by developing a computationally intensive SVG filter to stealthily harvest the information with an accuracy of up to 94 percent while measuring the rendering times and leaking pixel colors.

Apple, Google, AMD, Intel, Nvidia, and Qualcomm have all expressed awareness of the problems. As well as preventing unauthorized access to sensor data, the researchers advise "preventing SVG filters from being applied to iframes or hyperlinks.".

Following Google's discovery of ten security flaws in Intel's Trust Domain Extensions (TDX) that could result in arbitrary code execution, denial-of-service situations, and loss of integrity, BrutePrint and Hot Pixels were also released.

On a related note, it has been discovered that Intel CPUs are vulnerable to a side-channel attack that uses variations in execution time brought on by changing the EFLAGS register during transient execution to decode data without using the cache.