Zero-Day Patches, Changes Coming to Social Media, & Text-to-Images

August 26, 2022 by Lighthouse IT Solutions, Matthew Almendinger

The Lighthouse IT Podcast - August 26th, 2022

This week, Matt & Griff discuss the expected overtake of streaming vs traditional TV, bad news out of Twitter, more bad news out of Apple, even more bad news from Bitcoin ATMs, some interesting TikTok developments, the wild future that is text-to-images, and more!

Listen here!

News

Streaming > Cable

  • Only surprising because it has just happened, but this summer marked that streaming viewership was greater than traditional TV. Viewers spent 34.8% of their total TV time streaming. Begging the question... what else is there?
  • Advertising is taking a hit as a result - regularly reached viewers of ads on traditional TV was 5%, and, shocking no one, 40 of the 50 most watched TV programs were sports-related.
  • Should come up a bit once sportsball comes back, but will it overtake streaming????

READ MORE

Could Musk's accusations have been on to something?

  • Former security chief Peiter Zatko has just blown the whistle on his former employer and says that execs covered up major security flaws for more than a decade AND that there may be Twitter employees who are actually working for a variety of foreign intelligence agencies.
  • This isn't just bad, it's really bad. The accusations were that incidents were happening about one per week that should have required disclosure.
  • Complicating matters further, the FTC settled with Twitter in 2011, requiring it to have robust security procedures and independent audits, none of which ever happened.
  • It's also bad timing given our attention to Elon Musk's attempted buyout and famous withdrawal, as the eccentric millionaire's legal team has also subpoenaed Jack Dorsey, the former Twitter CEO, about the false information furnished to Musk and his investors.

READ MORE

If you have an Apple device, patch it. Patch it real good

  • Apple has not one but two 0-day vulnerabilities that it has just released a patch for - both of which our friends over at Sophos believe are actively being exploited.
  • The first is an RCE (remote code execution) hole within WebKit (the integrated web browser engine for Safari) that can trick your iPhone, iPad, or Mac into running code that it shouldn't.
  • And while this only applies to Apple's rendering engine, iDevices require every browser to use Apple's implementation of WebKit (you can run other browser engines on Mac computers), and many help screens, about pages, and applications that embed the WebView component are also vulnerable.
  • Which leads us to Vulnerability #2: And it's kernel level. This vulnerability allows complete takeover of the device, including access to your camera, GPS, all data, microphone, you name it.
  • In typical Apple fashion, we don't know how they discovered these bugs, but let's just go with make haste and patch now!

READ MORE

Likewise, Chrome has a zero-day of its own

  • While we're on the subject, if you use Google Chrome, let's just go ahead and patch that now as well. The latest update (104.0.5112.101 for Mac/Linux; 104.0.5112.102 for Windows) addresses 11 security fixes, one of which is being actively exploited.

READ MORE

VPN in iOS - maybe not as secure as once thought; and it was disclosed 2 years ago

  • Oof, Apple. C'mon!
  • Normally when you connect to a VPN, the OS kills all active connections and then resumes with the VPN enabled. This forces traffic to route over the VPN (assuming it is full tunnel), but apparently that's not how iOS rolls.
  • What does this mean? Despite telling you that you are connected to a VPN, giving you the IP address, DNS, and all the other information you'd expect to see, any connection initiated prior to the VPN routes directly through the device's internet connection.
  • This data could be used to track your IP or intercept data. We often share that you should use a VPN if you are on a public network - and this kind of slaps it in the face.

READ MORE

U.S. offers up to $10m for information about the Conti RaaS gang

  • The heat is on to find and break up the Conti gang as the US is sick of their Conti actions.

READ MORE

Bitcoin ATMs leeching moolah through fake admin accounts

  • Bitcoin ATMs. They're a thing. And one brand, General Bytes has just notified its customers of a major issue.
  • In a nutshell, you buy an ATM from GB. You also need a CAS server to actually execute and manage the transactions. The ATM talks to the CAS server.
  • GB recommends using Digital Ocean.
  • Attackers found out that by making a URL call to the CAS server, they could create a brand new admin account. Using that, they started scanning Digital Ocean's network looking for servers that identify themselves as CAS servers, added the new user, then reconfigured the ATMs to route all invalid payments to their wallet.

READ MORE

Amazon launches AWS private 5G so companies can build their own 4G mobile networks

  • Amazon Web Services (Amazon's cloud division) has launched a new service designed to help companies deploy their own private 5G networks.
  • It only supports 4G LTE today but will support 5G in the future.
  • As of now, Ohio is one of three locations where this is almost completely rolled out.
  • AWS charges $10 per hour for each radio unit it installs, with each radio supporting speeds of 150 Mbps across up to 100 SIMs. AWS will also bill for all data that transfers outward to the internet.

READ MORE

Teens, social media, and technology 2022

  • For those interested in learning more about a common topic we discuss, there is a great study conducted on teens using social media today vs a few years ago.
  • It outlines some great points, like which social media platforms are the biggest, how much they are used, and the scary number of teens who admitted that they use a social platform "almost constantly".

READ MORE

The age of text-to-image is upon us

  • Google's DALL-E 2 competitor, Imagen
  • Imagen is Google's text-to-image diffusion model with an unprecedented degree of photorealism and a deep level of language understanding:

READ MORE

  • There are even ways to build your own text-to-image model using MinImagen:

READ MORE

  • But can you believe that TikTok now offers a very basic text-to-image AI generator directly in the app?
  • TikTok added a new effect it calls "AI greenscreen" that allows users to type in a text prompt that the software will then generate as an image. This image can then be used as the background to a video — potentially a very useful tool for creators.
  • It is very basic compared to the other ones we just mentioned, but it allows a text-to-image tool to be easily accessible to everyone.
  • Plus, wouldn't it make sense to ensure the models are limited on purpose? This is the wild-west of tech right now, and it'd be best for them not to start a controversy while they are experiencing such growth.

READ MORE

Oracle begins auditing TikTok's algorithms

  • But not everyone thinks TikTok's growth is all fun and games.
  • In June, after longstanding pressure from the U.S. government, TikTok said it had begun routing all its U.S. user data to Oracle's cloud infrastructure.
  • Oracle is one of the largest cloud-infrastructure companies in the world and they have been working with the U.S. government to ensure that U.S. TikTok is keeping user data safe and that the content recommendations aren't being manipulated.
  • So this new arrangement gives Oracle "regular vetting and validation" of TikTok's content recommendation and moderation models.

READ MORE

  • This comes right as they are about to update their algorithm again...
  • TikTok is testing a new 'Nearby' feed that is designed to display local content to users.

READ MORE

TikTok's in-app browser includes code that can monitor your keystrokes, researcher says

  • You know when you click a link in a social app, and it opens the webpage, but not in Chrome or Safari? That's the social media app's custom in-app browser. They use this to track you for advertising and whatnot, but the problem is that this browser also tracks your keystrokes...
  • When TikTok users enter a website through a link on the app, TikTok inserts JavaScript code that can monitor their activity on those outside websites, including their keystrokes and whatever they tap on the page.
  • That includes logins, credit cards, and more.
  • TikTok strongly pushed back at the idea that it's tracking users in its in-app browser. The company confirmed those features exist in the code, but said TikTok is not using them.

READ MORE

  • But, to be fair, here is an article finding the exact same issue in the custom Facebook/Instagram in-app browser published just two weeks ago:

READ MORE

  • Here is the explanation/tool that researcher Felix Krause uses to find these issues:

READ MORE
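As an added illustration (not part of the article, and not Felix Krause's tool), here is one way a test page could audit which keystroke and tap listeners a script registers, which is the kind of check an in-app-browser test performs. The audit hook, the event list and the `constructedInjectedScript` stand-in are assumptions for this example.

```javascript
'use strict';

// Events that expose what a user types or taps on a page.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput',
  'click', 'touchstart', 'touchend', 'pointerdown',
]);

// Wrap addEventListener on the target's prototype so every listener
// registration for a sensitive event is recorded, together with the
// stack of the code that registered it. Returns the log and a restore().
function installListenerAudit(target) {
  const log = [];
  const proto = Object.getPrototypeOf(target);
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      const registeredBy = (new Error().stack || '').split('\n').slice(2).join('\n').trim();
      log.push({ type, registeredBy });
    }
    return original.call(this, type, listener, options);
  };
  return { log, restore() { proto.addEventListener = original; } };
}

// Reduce the log to a per-event-type count, which is what a test page
// would report ("1 keystroke listener, 1 tap listener").
function summarize(log) {
  const counts = {};
  for (const entry of log) counts[entry.type] = (counts[entry.type] || 0) + 1;
  return counts;
}

// Run `script` (the code under suspicion) against `target` with the audit
// active and return the summary. In a browser `target` would be `document`.
function auditScript(target, script) {
  const audit = installListenerAudit(target);
  try { script(target); } finally { audit.restore(); }
  return summarize(audit.log);
}

// Constructed stand-in for an injected script: it hooks keys and taps
// (the listener bodies are irrelevant to the audit, so they do nothing).
function constructedInjectedScript(doc) {
  doc.addEventListener('keypress', () => {});
  doc.addEventListener('click', () => {});
  doc.addEventListener('resize', () => {}); // benign, not recorded
}

// Stand-alone run: Node has a global EventTarget, so no DOM is needed.
if (typeof EventTarget !== 'undefined') {
  console.log(auditScript(new EventTarget(), constructedInjectedScript));
  // → { keypress: 1, click: 1 }
}
```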

Amazon is internally testing a TikTok-like feed in its app

  • Are you sick of the TikTok-like social feed yet?
  • Well, too bad because now Amazon's app is also doing the one-by-one vertical scroll made popular by TikTok and embraced by nearly all other big-name social platforms.
  • The feed — known currently as "Inspire" — will appear on the bottom navigation bar in the Amazon app, and posts will include links to purchase any items featured in the post.
  • For example, a post of a person using a grill will allow you to click and purchase the grill, the apron, the utensils, the hotdogs, or anything else that they can see in the post.

READ MORE

Instagram looks to copy BeReal with new 'IG Candid' feature

  • Familiar with BeReal? Well, it's an app that sends you a notification once a day at a random time and gives you two minutes to share a selfie of what you are up to.
  • It's a fun way for friends to interact and has gotten very popular with younger users.
  • But now Instagram has stolen this idea with IG Candid.

READ MORE