US Intelligence Leaks, SwaaS, and OpenAI bug bounty - April 8th - 14th - This Week in Security

 
Tikka is back as your editor for this week in security. A lot has happened in the past week and I will start with the biggest story of Discord Leaks.

US Intelligence Leaks

 

A recent leak of sensitive U.S. defense documents that originated from the messaging platform Discord and eventually found their way to the website 4chan has raised national security concerns and triggered investigations by law enforcement agencies. The leaked documents were traced back to a Discord server called "Thug Shaker Central," which was known for sharing racist and antisemitic content, as well as discussions related to guns and military gear. The source of the leak was identified as Jack Teixeira, a 21-year-old member of the Massachusetts Air National Guard. Teixeira was sharing classified information on the server, which was then disseminated to other platforms, including 4chan. The information leaked included classified military and intelligence documents, which, in the wrong hands, could pose a significant threat to national security. The ease with which sensitive information can spread across the internet and the challenges this presents for authorities in tracking and containing such leaks is astonishing.

This leak raises serious questions:
  1. What type of security and access control protocols were in place that allowed a 21-year old to access this information?
  2. What role do popular messaging platforms play in facilitating the spread of sensitive information and what are their repronsibilities?


SwaaS: Swatting as a service

 

Swatting as a service refers to the use of AI-generated voice calls and anonymizing services to make fake emergency reports to the police, leading to law enforcement responding to a non-existent threat. This tactic is intended to harass, intimidate, or cause harm to the targeted individual. Due to the convincing nature of these AI-generated calls, authorities may have difficulty distinguishing between genuine and hoax calls, increasing the likelihood of unwarranted police response. The ability to spoof Caller ID and effectively hide behind the curtain of shady VOIP services is probably the root of the problem.

Motherboard is reporting rise in swatting incidents in recent months being attributed to this new method, which puts innocent lives at risk and causes significant disruption for law enforcement agencies.

Until there is a solution that regulates the use of VoIP tech and AI assisted voice synthesis it is best to protect against swatting attacks by taking following precautions:
  • Maintain privacy: Limit the amount of personal information shared online, such as your address, phone number, and daily routines. This can help reduce the chances of being targeted for a swatting attack.
  • Use strong, unique passwords: Ensuring that your online accounts have strong, unique passwords can prevent unauthorized access to your personal information. In addition, enable multi-factor authentication (MFA) wherever possible to further secure your accounts.
  • Be cautious with caller ID: Remember that caller ID can be easily spoofed, and do not assume that a call from a seemingly legitimate number is genuine. Verify the identity of the caller before providing any sensitive information.
  • Educate friends and family: Share information about swatting and its dangers with your friends and family. Encourage them to be vigilant and cautious when sharing personal information online.
  • Notify local law enforcement: If you believe you are at risk of being targeted for a swatting attack, inform your local police department. They may be able to take preventive measures or be more prepared to respond appropriately if an incident occurs.

OpenAI bug bounty program

 

OpenAI has launched a Bug Bounty Program to encourage security researchers and the broader community to identify and report potential security vulnerabilities in their systems. The program aims to improve the security and robustness of OpenAI's products, services, and infrastructure, ensuring that the company maintains the highest standards of protection for user data and system integrity.

To participate in the Bug Bounty Program, individuals can submit vulnerability reports that detail the security issues they have discovered in OpenAI systems. Submissions should include a clear explanation of the vulnerability, steps to reproduce the issue, potential security impact, and any other relevant information that would help OpenAI understand and address the problem. OpenAI encourages participants to submit their findings through the HackerOne platform, which provides a secure and organized way to report and track vulnerabilities.

OpenAI will review and evaluate the submitted reports, prioritizing them based on the severity and potential impact of the identified vulnerabilities. The company aims to respond to submissions within 48 hours and will work with the researchers to validate and address the reported issues. OpenAI acknowledges the importance of responsible disclosure and commits to keeping the researchers informed about the progress of resolving the vulnerabilities.

Researchers who submit valid vulnerability reports are eligible for monetary rewards, also known as bounties. The amount of the reward is determined based on the severity of the vulnerability and its potential impact on OpenAI systems. The company has set up a minimum and maximum payout range for different categories of vulnerabilities, including critical, high, medium, and low severity issues. OpenAI emphasizes that the reward amounts are not fixed and can be adjusted at their discretion.

The Bug Bounty Program is open to security researchers from around the world, except for individuals residing in countries under U.S. sanctions or other export control restrictions. Participants are expected to adhere to the program's rules and guidelines, which include not causing any harm to OpenAI systems, not disclosing the vulnerability to the public until it is resolved, and avoiding any actions that would violate applicable laws or regulations.

In summary, OpenAI's Bug Bounty Program invites security researchers to identify and report potential vulnerabilities in the company's systems, helping to strengthen the security and resilience of its products and infrastructure. Participants can earn monetary rewards based on the severity and impact of the reported vulnerabilities, while contributing to the overall safety and reliability of OpenAI's offerings.
 


Published Apr 17, 2023
Version 1.0
F5 SIRT
security
series-F5SIRT-this-week-in-security
TWIS

Was this article helpful?

1 Comment

Sort By
  • ddavisf5's avatar
    ddavisf5
    Ret. Employee
    Apr 28, 2023

    There's a whole bunch of stuff to unwrap in the first two parts of this article. At the end of 2019 the US Commerce Department blacklisted NSO Group, and in December 2019 levied sanctions against the Chinese Academy of Military Medical Sciences for their assistance to the Chinese government in the development of brain-control weaponry. For the US Commerce Department blacklist to be important, you need to know that a commerce department blacklist is a prohibition (among other things) of doing business in the country.  NSO Group spyware had been sold to United States police agencies and they were using it in conjunction with a foreign military (Iran and China) that had owned that **bleep** really hard.  One thing NSO Group spyware cannot do is place accurate or realistic voice calls containing your voice or my voice.  The voice modelling alone to do that and target a person is a major privacy event that would need public legislation, and it isn't feasible with the current complete lack of a public face of this for local police to have access to specific individual's voice model data, so it wasn't done by them.  It is cyberwarfare and is completely a military event. This was followed March 27th, 2023 by an executive order from President Joe Biden prohibiting the use of commercial spyware by United States government agencies that poses a threat to national security.

    We're not safe, and it's not cool to ignore the little fiddly technical **bleep** that we see all the time (some of us more than others), because there's quantum entanglement gear that is combined with the brain-measurement gear put forward by the CIA in their sanctions against the Chinese Academy of Military Medical Sciences.

    This cyberwarfare from the visible tip of the NSO Group and "AI" voice calls iceberg down to the obvious quantum physics nature (deniable in every way) of the cyberwarfare gear needs to be taken into account by all of us, and proper communication channels opened with the FBI or military intelligence (the Director of National Intelligence is a good place to go or your state's military department). We exist because they are safe, and that's it.