Suramya's Blog : Welcome to my crazy life…

February 8, 2025

Reserve Bank of India launches exclusive domains ‘bank.in’ and ‘fin.in’ for Indian Banks to reduce cyber fraud

Filed under: Computer Security,Tech Related — Suramya @ 10:49 PM

A big problem in online security is verifying that the site you are accessing is the authentic version. As techies we have a bunch of ways to check if the site is valid but for regular users it can be a hard problem to solve. I personally know a few folks who have been scammed out of a lot of money so it is a pretty prevalent problem in the industry.

One of the ways people get scammed is that they are sent a link to a site that looks like the official bank site but is instead a cloned version that captures the entered password and OTP, which are then used to steal money. To combat this, and the related problem of banking sites not having a verifiable URL / domain name, the Government of India has announced the launch of an exclusive “.bank.in” domain for banks starting from April 2025.

Similar to how .gov is a known domain for the US Government and .gov.in for official Indian Government sites, this new domain will be for verified/validated banks only. The Institute for Development and Research in Banking Technology (IDRBT) will be the exclusive registrar for the new domain, and registrations will start rolling out in April.

In addition, the RBI is also planning to launch a “.fin.in” domain for non-bank entities in the financial sector. This will cover entities like PayPal/PhonePe and other Fintech firms in India.
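The practical value of a reserved namespace is that a link can be checked mechanically. The following added example (not from the RBI or the original post) decides whether a URL's host genuinely sits under bank.in or fin.in; the host names in it are constructed, and it assumes a bank's site always lives at least one label below the suffix.

```python
from urllib.parse import urlsplit

# Namespaces the RBI announced: verified banks under *.bank.in,
# verified non-bank financial entities under *.fin.in.
RESERVED_SUFFIXES = ("bank.in", "fin.in")


def reserved_namespace(url: str):
    """Return 'bank.in' or 'fin.in' when the URL's host is inside that reserved
    namespace, otherwise None.

    Only the host decides. Path, query and userinfo are ignored on purpose,
    because lookalike links put the bank's name in exactly those places.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None                 # a login page must at least be served over TLS
    host = parts.hostname           # already lowercased; userinfo and port stripped
    if not host:
        return None
    host = host.rstrip(".")         # 'x.bank.in.' names the same host as 'x.bank.in'
    labels = host.split(".")
    for suffix in RESERVED_SUFFIXES:
        s = suffix.split(".")
        # Compare whole labels, not substrings: 'examplebank.bank.in' matches,
        # 'examplebank-bank.in' and 'examplebank.bank.in.lookalike.example' do not.
        if len(labels) > len(s) and labels[-len(s):] == s:
            return suffix
    return None


if __name__ == "__main__":
    # Constructed sample links, the kind a user might receive in a message.
    for link in (
        "https://examplebank.bank.in/login",
        "https://examplebank.bank.in.lookalike.example/login",
        "https://examplebank.bank.in@lookalike.example/",
        "https://examplebank-bank.in/",
        "https://pay.fin.in/",
    ):
        print(f"{reserved_namespace(link)!s:8} {link}")
```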

I think that this is a great idea and it would be awesome if we had a global official .bank domain. But something like that would take a lot of time and coordination to implement, so for now we will just have the India specific domains.

Source: Times of India: RBI announces exclusive domains ‘bank.in’ and ‘fin.in’ to enhance cyber security in Indian banking

– Suramya

September 26, 2024

Python in Excel launched for all Office 365 Business and Enterprise users

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 10:35 PM

Excel is both a blessing and a bane for companies. Because of its capabilities, folks have created formulas/macros/scripts/functions etc. in Excel that allow them to generate data that is used to take major financial decisions with real world impact. But that same capability also makes it an ideal vector for infiltrating an organization, using macros or scripts in Excel files to compromise systems.

Back in Aug 2023, Microsoft first announced that they were going to support running Python inside an Excel file. After that there was no major talk about it, so I had hoped this meant that they had abandoned the project, but sadly I was mistaken. Redmond announced the official release of Python in Excel for Windows users of Microsoft 365 Business and Enterprise in a blog post. The post has a lot of details on the new capabilities this gives to power users and frankly I can see why folks are excited about it. But from a security and version control point of view this is a disaster waiting to happen.

There is a new learning series available for free for 30 days on LinkedIn that incorporates numerous examples, tutorials, and tips on how to best leverage Python in Excel.

Included in the Excel for Python release is a large language model integration that will allow Excel users to ask the Copilot to build scripts for them with plain language commands.

Microsoft partnered with data science tool maker Anaconda to develop the Python-Excel integration. As we’ve previously reported, data can move effortlessly between the two platforms using a few custom-defined functions.

This two-way function sending is a key part of security – Microsoft states Python processes Excel data without revealing the user’s identity, and all Python code runs in a secure, isolated environment, only accessing libraries approved by Anaconda.

As with all the stuff MS has released recently, this also has LLM Integration but is on a very restricted list. The service is available to all Office 365 users with a valid Enterprise or Business Microsoft 365 subscription on the Current Channel.

Source: The Register: Python in Excel is here, but only for certain Windows users

– Suramya

August 21, 2024

First three Post-Quantum Encryption Algorithms released by NIST

Filed under: Computer Security,My Thoughts,Quantum Computing — Suramya @ 8:30 PM

NIST has been reviewing algorithms as part of the PQC (Post Quantum Cryptography) Standardization process for over 8 years now, and they have released the first three standards for post-quantum cryptography. These standards will allow systems to protect their data and communications with encryption that is not vulnerable to quantum computers. Current standards and tools rely on complex math problems that are difficult or impossible to solve using conventional computers but are vulnerable to a sufficiently capable quantum computer, which would be able to process potential solutions very quickly.

The new standards are designed for two essential tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. NIST announced its selection of four algorithms — CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+ and FALCON — slated for standardization in 2022 and released draft versions of three of these standards in 2023. The fourth draft standard based on FALCON is planned for late 2024.

While there have been no substantive changes made to the standards since the draft versions, NIST has changed the algorithms’ names to specify the versions that appear in the three finalized standards, which are:

  • Federal Information Processing Standard (FIPS) 203, intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. The standard is based on the CRYSTALS-Kyber algorithm, which has been renamed ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism.
  • FIPS 204, intended as the primary standard for protecting digital signatures. The standard uses the CRYSTALS-Dilithium algorithm, which has been renamed ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm.
  • FIPS 205, also designed for digital signatures. The standard employs the Sphincs+ algorithm, which has been renamed SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm. The standard is based on a different math approach than ML-DSA, and it is intended as a backup method in case ML-DSA proves vulnerable.

Similarly, when the draft FIPS 206 standard built around FALCON is released, the algorithm will be dubbed FN-DSA, short for FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm.

This is a significant step in ensuring our data and systems are protected against threats that are on the horizon. The Register has a good article on this topic (NIST finalizes trio of post-quantum encryption standards) that I highly recommend you check out.

Sources:
* Mastodon.social
* Schneier.com: NIST Releases First Post-Quantum Encryption Algorithms

May 24, 2024

OpenSSF launches Siren to provide real-time security warning for Open Source Software

Securing Open Source software (OSS) can be a bit of a challenge at times, and a lot of the infosec feeds that give information on security issues in software are commercial paid entities. There is software that scans for OSS vulnerabilities, but we can always use more threat intelligence networks.

Open Source Security Foundation (OpenSSF) has launched a new threat intelligence sharing group called ‘OpenSSF Siren’ that aims to provide real-time security warning bulletins and deliver a community-driven knowledge base to fill the gap between the open-source and enterprise communities.

The OpenSSF Siren is a collaborative effort to aggregate and disseminate threat intelligence specific to open source projects. Hosted by the OpenSSF, this platform provides a secure and transparent environment for sharing Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with recent cyber attacks. Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination.

The key features of the OpenSSF Siren include:

  • Open Source Threat Intelligence: shared with the community about actively exploited public vulnerabilities and threats.
  • Real-Time Updates: List members receive notifications via email about emerging threats which may be relevant to their projects, enabling swift action to mitigate risks.
  • TLP:CLEAR: To facilitate effective unrestricted transparent communication, the list follows the Traffic Light Protocol (TLP), Clear guidelines for the sharing and handling of intelligence.
  • Community-driven: Contributors from diverse backgrounds collaborate to enrich the intelligence database, fostering a culture of shared responsibility and collective defense.

You can sign up for it here: Siren Sign-Up

Source: OpenSSF sings a Siren song to steer developers away from buggy FOSS

– Suramya

May 23, 2024

Windows 11 will feature built-in Spyware in the near future, or Recall AI as Microsoft calls it

Till recently, if you wanted to spy on someone and see what they have been doing on their computer, you had to infect their computer by making them visit a dodgy site, or get physical access and download a RAT (Remote Access Trojan) & install it on the target’s computer, configure the Antivirus to ignore it and put in a backdoor so that you can access the data remotely. Obviously this was a lot of work, so it looks like some cyber criminals reached out to Microsoft (MS) and asked for help. MS, being a super helpful company, has added a functionality called ‘Windows Recall’ to its Windows 11 Preview build to solve this. Recall takes a snapshot (literally) of the screen every few seconds and stores it in a searchable database ‘stored locally’. Basically it does exactly what spyware does without having to install anything new on your system. As per the company, below is how Recall works:

Recall uses Copilot+ PC advanced processing capabilities to take images of your active screen every few seconds. The snapshots are encrypted and saved on your PC’s hard drive. You can use Recall to locate the content you have viewed on your PC using search or on a timeline bar that allows you to scroll through your snapshots. Once you find the snapshot that you were looking for in Recall, it will be analysed and offer you options to interact with the content. What actions you can take depend on the content and the chat provider capabilities in Copilot in Windows. For example, you may highlight a block of text and decide to summarise it, translate it, or open it with a text editor like Word or Notepad. If you highlight an image, you will be able to edit it or use your chat provider in Copilot in Windows to find or create a similar image.

Recall will also enable you to open the snapshot in the original application in which it was created, and, as Recall is refined over time, it will open the actual source document, website or email in a screenshot. This functionality will be improved during Recall’s preview phase.

The best part is that, according to their own announcement, the snapshots will not hide passwords/account numbers etc. However, it does block you from recording DRM’d video you might be watching, because protecting that is important, unlike simple things like personal information etc.

Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.

This is a gold mine for data thieves, abusers, industrial espionage, identity thieves and other cyber criminals. Once they have access to a PC they don’t need to do anything else except copy the data from the Recall DB to their own system and happily browse through the user’s personal data at their leisure.

I don’t think MS has thought about folks who use public computers such as the ones in an Internet cafe, hotel or library. With this feature enabled, all someone has to do is wait a few days, then come back and copy incredibly private information that they can then sell/use. Privacy and domestic abuse experts are raising questions about this as well because, as sure as night follows day, abusers will use this to track what their victims are doing on a computer, and that can go bad very quickly.

Even if the data is supposedly only on the local machine, we don’t know when MS is going to force it to be uploaded to their servers using OneDrive or other similar setups. Of all the coverage I have seen for this functionality, 99% has raised similar concerns about the security, the privacy and, quite frankly, the need for this kind of surveillance.

Imagine what a regime like the Taliban, China or other conservative/restrictive governments would do with the information they get from this system. You are dreaming if you think that they will not force MS to make this information available to them, at the risk of losing access to that market if it doesn’t. Once you have the capability to do this, feature creep will happen for sure and we will end up in a surveillance state.

The only Windows 11 system at my place is my wife’s laptop and you can be sure that I am going to disable this ‘feature’ as soon as it launches.

Source: Bleepingcomputer: Windows 11 Recall AI feature will record everything you do on your PC

– Suramya

May 12, 2024

A High-Level Technical Overview of Fully Homomorphic Encryption

Homomorphic Encryption is an interesting application of data encryption in that it allows us to encrypt data in a way such that we can perform computations on it without first having to decrypt it. The more formal definition states “Homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form. Homomorphic encryption enables complex mathematical operations to be performed on encrypted data without compromising the encryption.”

I have been following the work on Homomorphic Encryption solutions since 2017, which was when I first became aware of it, and have read tons of articles and papers on it. The overview by Jeremy Kun is probably the best one I have seen so far. His post, A High-Level Technical Overview of Fully Homomorphic Encryption, goes into enough technical detail that you understand it without going so deep that you are lost in the details.

Homomorphic encryption lets you encrypt data in such a way that you can run programs on it without ever decrypting it. This means that the computer running the program has no access to the underlying data while running the program—neither via intermediate computed values, nor even the result. In particular, if a nefarious human had access to the machine’s raw memory, they still could not learn any information about the underlying data (without breaking the cryptography). A user sends the program an encrypted input, and when the program is done, the encrypted result is sent back to the user to decrypt.

Running a program on encrypted data sounds magical. It works by choosing an encryption scheme that is “compatible” with addition and multiplication in the following sense:

Adding ciphertexts gives you an encryption of the sum of the underlying plaintexts.
Multiplying two ciphertexts gives you an encryption of the product of the underlying plaintexts.

Given this power, you can encrypt your data bit by bit, express your program as a boolean circuit—an XOR gate is addition and an AND gate is multiplication—and simulate the circuit. Since XOR and AND form a universal basis for boolean logic, you can always decompose a circuit this way.
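To make the "add is XOR, multiply is AND" idea concrete, here is an added toy example that is not from Kun's post. It uses the symmetric somewhat-homomorphic scheme over the integers by van Dijk, Gentry, Halevi and Vaikuntanathan (DGHV, 2010) rather than the lattice schemes Kun covers, with parameters chosen for readability, not security. A 4-bit ripple-carry adder is expressed as XOR/AND gates and run entirely on ciphertexts; a noise bound tracked per ciphertext shows why the scheme is only "somewhat" homomorphic (each AND squares the noise until decryption would fail).

```python
import secrets
from dataclasses import dataclass

# Toy symmetric somewhat-homomorphic encryption over the integers (DGHV, 2010).
#   secret key: a large odd integer p
#   Enc(m) = m + 2*r + p*q      (m in {0,1}, r small noise, q large random)
#   Dec(c) = (c mod p) mod 2
# Adding ciphertexts XORs the hidden bits, multiplying ANDs them, as long as the
# accumulated noise term (m + 2r) stays below p. noise_bound is a provable upper
# bound on that term so the decryptor can tell when a result is still trustworthy.
# Parameters are for illustration only and are far too small to be secure.

@dataclass(frozen=True)
class Ciphertext:
    value: int
    noise_bound: int

class ToyDGHV:
    def __init__(self, p_bits: int = 200, q_bits: int = 2000, noise_bits: int = 16):
        self.p = secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1  # odd, exactly p_bits
        self.q_bits = q_bits
        self.noise_bits = noise_bits

    def encrypt(self, m: int) -> Ciphertext:
        assert m in (0, 1)
        r = secrets.randbits(self.noise_bits)          # r < 2^noise_bits
        q = secrets.randbits(self.q_bits)
        return Ciphertext(m + 2 * r + self.p * q, 1 << (self.noise_bits + 1))

    def decrypt(self, c: Ciphertext) -> int:
        if c.noise_bound >= self.p:
            raise ValueError("noise budget exhausted; decryption would be garbage")
        return (c.value % self.p) % 2

# Gate evaluation needs no key: whoever holds the ciphertexts can run the circuit.
def xor(a: Ciphertext, b: Ciphertext) -> Ciphertext:
    return Ciphertext(a.value + b.value, a.noise_bound + b.noise_bound)

def and_(a: Ciphertext, b: Ciphertext) -> Ciphertext:
    return Ciphertext(a.value * b.value, a.noise_bound * b.noise_bound)

def add_encrypted(a_bits, b_bits, zero: Ciphertext):
    """Ripple-carry adder over two LSB-first lists of encrypted bits; returns n+1 bits."""
    carry, out = zero, []
    for a, b in zip(a_bits, b_bits):
        t = xor(a, b)
        out.append(xor(t, carry))
        # carry_out = (a AND b) OR (t AND carry). The two terms are never both 1
        # (a = b = 1 forces t = 0), so XOR implements the OR with less noise.
        carry = xor(and_(a, b), and_(t, carry))
    out.append(carry)
    return out

def encrypt_int(s: ToyDGHV, x: int, nbits: int):
    return [s.encrypt((x >> i) & 1) for i in range(nbits)]

def decrypt_int(s: ToyDGHV, bits) -> int:
    return sum(s.decrypt(c) << i for i, c in enumerate(bits))

def homomorphic_add(s: ToyDGHV, x: int, y: int, nbits: int = 4) -> int:
    """Client encrypts x and y, an untrusted party runs add_encrypted, client decrypts."""
    total = add_encrypted(encrypt_int(s, x, nbits), encrypt_int(s, y, nbits), s.encrypt(0))
    return decrypt_int(s, total)

def squarings_before_overflow(s: ToyDGHV) -> int:
    """How often Enc(1) can be multiplied by itself before the noise bound reaches p.
    Each AND squares the noise; this depth limit is what bootstrapping removes in FHE."""
    c, n = s.encrypt(1), 0
    while and_(c, c).noise_bound < s.p:
        c, n = and_(c, c), n + 1
    return n

if __name__ == "__main__":
    scheme = ToyDGHV()
    print(homomorphic_add(scheme, 9, 7))        # 16, computed without decrypting the inputs
    print(squarings_before_overflow(scheme))    # 3 with the default parameters
```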

Check it out if you are curious about Homomorphic Encryption and want to learn more.

– Suramya

April 21, 2024

Crescendo Method enables Jailbreaking of LLMs Using ‘Benign’ Prompts

LLMs are becoming more and more popular across all industries, and that creates a new attack surface for attackers to target and misuse for malicious purposes. To prevent this, LLM models have multiple layers of defenses (with more being created every day); one of the layers attempts to limit the capability of the LLM to what the developer intended. For example, an LLM running a chat service for software support would be limited to answering questions about software identified by the developer. Attackers attempt to bypass these safeguards with the intent to achieve unauthorized actions or “jailbreak” the LLM. Depending on the LLM, this can be easy or complicated.

Earlier this month Microsoft published a paper showcasing the “Crescendo” LLM jailbreak method called “Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack”. Using this method a successful attack could usually be completed in a chain of fewer than 10 interaction turns.

Large Language Models (LLMs) have risen significantly in popularity and are increasingly being adopted across multiple applications. These LLMs are heavily aligned to resist engaging in illegal or unethical topics as a means to avoid contributing to responsible AI harms. However, a recent line of attacks, known as “jailbreaks”, seek to overcome this alignment. Intuitively, jailbreak attacks aim to narrow the gap between what the model can do and what it is willing to do. In this paper, we introduce a novel jailbreak attack called Crescendo. Unlike existing jailbreak methods, Crescendo is a multi-turn jailbreak that interacts with the model in a seemingly benign manner. It begins with a general prompt or question about the task at hand and then gradually escalates the dialogue by referencing the model’s replies, progressively leading to a successful jailbreak. We evaluate Crescendo on various public systems, including ChatGPT, Gemini Pro, Gemini-Ultra, LlaMA-2 70b Chat, and Anthropic Chat. Our results demonstrate the strong efficacy of Crescendo, with it achieving high attack success rates across all evaluated models and tasks. Furthermore, we introduce Crescendomation, a tool that automates the Crescendo attack, and our evaluation showcases its effectiveness against state-of-the-art models.

Microsoft has also published a blog post that goes over this attack and potential mitigation steps that can be implemented, along with details on new tools developed to counter this attack using their “AI Watchdog” and “AI Spotlight” features. The tools attempt to identify adversarial content in both inputs and outputs to prevent prompt injection attacks.

SCM Magazine has a good writeup on the attack and the defenses against it.

– Suramya

Source: Slashdot: ‘Crescendo’ Method Can Jailbreak LLMs Using Seemingly Benign Prompts

April 2, 2024

Soon it will be possible to update Apple Devices while still in the box

Filed under: Computer Security,My Thoughts — Suramya @ 11:43 PM

Apple has come up with an interesting new technology that allows stores to install the latest updates on an iPhone without removing it from the box. If the technology works (and it looks like it does) it will remove one of the major hassles of buying a new phone or device, which is installing the latest updates and patches on the phone.

This device can wirelessly turn on the iPhone, update its software and then power it back down. We still don’t have a full explanation of how it works, but at a guess, it leverages the fact that the NFC chip in the phone can potentially work even when the phone is switched off (it already works with a low battery). Placing the phone in the device would potentially trigger the NFC chip, which would then start the phone in a special mode that allows it to connect to WiFi and download the updates. Post completion, the system would shut down the phone and it would be ready to use.

In theory this sounds like a great enhancement, but I fear that unless the system has sufficient controls and checks around it, it will open up a whole new attack vector. Previously, there have been attacks where nation states or criminal organizations would intercept hardware being delivered to a target, open the package, make changes and then reseal and send it on to the target. This is a sure-shot way of ensuring that a device is compromised before it reaches the target; however, it requires a lot of resources and manual effort to implement, and there is a risk of exposure since multiple folks are involved. With this new update option an attacker just has to have physical access to the packaged device for a little while and put it in the updater.

This assumes that the security checks and authentication built around the process can be bypassed. That being said, once the tech is live there are going to be a lot of very smart people trying to bypass the checks to be able to update the phone. Keep in mind that there is nothing stopping anyone from updating the phone using this method even after someone is actively using it.

Source: Mastodon.social: arstechnica

March 7, 2024

Cloudflare announces Firewall for LLMs to protect them

Filed under: Artificial Intelligence,Computer Security,My Thoughts — Suramya @ 10:52 PM

As is always the case, when attackers invent technology / systems to attack a system, the defenders will immediately come up with a technology to protect against it (it might not always be great protection at the beginning). Yesterday I posted about Researchers demo the first worm that spreads through LLM prompt injection, and today while going through my feeds I saw the news that earlier this week Cloudflare announced a Firewall for AI. Initially when I read the headline I thought it was yet another group of people claiming to have created a ‘perfect firewall’ using AI. Thankfully that was not the case, and in this instance it looks like an interesting application that will probably become as common as the regular firewall.

What this system does is quite simple: it is set up in front of an LLM so that all interactions with the LLM go through the firewall, and every request with an LLM prompt is scanned for patterns and signatures of possible attacks. As per their blog post, attacks like Prompt Injection, Model Denial of Service, and Sensitive Information Disclosure can be mitigated by adopting a proxy security solution like Cloudflare Firewall for AI.

Firewall for AI is an advanced Web Application Firewall (WAF) specifically tailored for applications using LLMs. It will comprise a set of tools that can be deployed in front of applications to detect vulnerabilities and provide visibility to model owners. The tool kit will include products that are already part of WAF, such as Rate Limiting and Sensitive Data Detection, and a new protection layer which is currently under development. This new validation analyzes the prompt submitted by the end user to identify attempts to exploit the model to extract data and other abuse attempts. Leveraging the size of the Cloudflare network, Firewall for AI runs as close to the user as possible, allowing us to identify attacks early and protect both end users and models from abuses and attacks.

OWASP has published their Top 10 for Large Language Model Applications, which is a fantastic read and a good overview of the security risks targeting LLMs. As per Cloudflare, this firewall mitigates some of the risks highlighted in the OWASP list for LLMs. I would suggest taking the announcement with a grain of salt till we have independent validation of the claims. That being said, it is definitely a step in the correct direction.

– Suramya

Source: Hacker News: Cloudflare Announces Firewall for AI

March 6, 2024

Researchers demo the first worm that spreads through LLM prompt injection

Filed under: Artificial Intelligence,Computer Security,Computer Software — Suramya @ 10:17 PM

In the past year we have seen an uptick in the tech industry looking towards embedding LLMs (Large Language Models), or AI as they are being pitched to the world, in all possible places. Windows 11 now has a built-in Copilot that is extremely hard to disable. Email systems are using LLMs to extract additional details/information from the data in the email to add context, etc. This creates new attack surfaces that attackers can target, and we have seen instances where attackers have used prompt injection to gain access to data or systems that were restricted.

Building on top of that, researchers have now created (and demo’d) the first worm that spreads through prompt injection. This is breakthrough work, similar to what the Morris Worm was in the late 80’s. Basically, the researchers created an email which has an adversarial prompt embedded in it. This prompt is then ingested by an LLM (using Retrieval-Augmented Generation, which enhances the reliability of the LLM by fetching data from external sources when the email is processed), where it jailbreaks the GenAI service and can steal data from the emails (or do whatever else the attacker wants, such as changing email text, removing data etc.). In addition, the prompt also has the ability to make the email assistant forward the email with the malicious prompt to other email addresses, allowing it to spread. The researchers have christened their worm Morris II, paying homage to the first email worm.

Abstract: In the past year, numerous companies have incorporated Generative AI (GenAI) capabilities into new and existing applications, forming interconnected Generative AI (GenAI) ecosystems consisting of semi/fully autonomous agents powered by GenAI services. While ongoing research highlighted risks associated with the GenAI layer of agents (e.g., dialog poisoning, membership inference, prompt leaking, jailbreaking), a critical question emerges: Can attackers develop malware to exploit the GenAI component of an agent and launch cyber-attacks on the entire GenAI ecosystem?

This paper introduces Morris II, the first worm designed to target GenAI ecosystems through the use of adversarial self-replicating prompts. The study demonstrates that attackers can insert such prompts into inputs that, when processed by GenAI models, prompt the model to replicate the input as output (replication), engaging in malicious activities (payload). Additionally, these inputs compel the agent to deliver them (propagate) to new agents by exploiting the connectivity within the GenAI ecosystem. We demonstrate the application of Morris II against GenAI-powered email assistants in two use cases (spamming and exfiltrating personal data), under two settings (black-box and white-box accesses), using two types of input data (text and images). The worm is tested against three different GenAI models (Gemini Pro, ChatGPT 4.0, and LLaVA), and various factors (e.g., propagation rate, replication, malicious activity) influencing the performance of the worm are evaluated.

This is pretty fascinating work and I think that this kind of attack will start becoming more common as LLM usage goes up. The research paper is available at: ComPromptMized: Unleashing Zero-click Worms that Target GenAI-Powered Applications.

– Suramya
