Daily Archives: October 24, 2024

Over 115,000 United Nations Documents Associated to Gender Equality Exposed Online

Posted on by

[…] The non-password protected, non encrypted/clear text database contained financial reports and audits (including bank account information), staff documents, email addresses, contracts, certifications, registration documents, and much more. In total, the database held 115,141 files in.PDF,.xml,.jpg,,png, or other formats, amounting to 228 GB. Many of the documents I saw were marked as confidential and should have not been made publicly available. One single.xls file contained a list of 1,611 civil society organizations, including their internal UN application numbers, whether they are eligible for support, the status of their applications, whether they are local or national, and a range of detailed answers regarding the groups’ missions.

I also saw numerous scanned passports, ID cards, and staff directories of individual organizations. The staff documents included staff names, tax data, salary information, and job roles. There were also documents labeled as “victim success stories” or testimonies. Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014. Exposure of this information could potentially have serious privacy or safety implications to charity workers and those individuals they provide assistance or services to.

The records indicated an association with UN Women and the UN Trust Fund to End Violence against Women. For instance, there were reference letters addressed directly to the UN, documents stamped with UN logos, and file names indicating the UN Women organization. I immediately sent a responsible disclosure notice of my findings to the general UN InfoSec address and UN Women, and public access to the database was restricted the following day. I received an immediate reply to my disclosure notice from the UN Information Security team stating “The reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN”.

Although the records indicated the files belonged to the UN Women agency, it is not known if they owned and managed the non-password protected database or if it was under the control of a third-party contractor. It is also unknown how long the records were exposed or if anyone else accessed them, as only an internal forensic audit can identify that information. I did not receive a reply from UN Women at the time of publication.

[…]

A scam alert was issued in an undated post on their website that reads “UN Women has been made aware of various correspondences—circulated via email, websites, social media, regular mail, or facsimile—falsely stating that they are issued by, or in association with UN Women, the United Nations, and/or its officials. These scams, which may seek to obtain money and/or, in many cases, personal details from the recipients of such correspondence, are fraudulent”. These scams typically operate by impersonating reputable organizations or individuals and requesting application fees, dues, or other payments.

[…]

Many of the charities operate in countries and regions where the potential threat of violence against women and members of the LGBTQ community is a serious safety concern. Protecting the privacy and identities of these individuals is extremely important. Criminals could potentially use social engineering methods to target charity workers — not only for financial gain, but in an effort to obtain the identities of vulnerable individuals who receive assistance from an organization.

[…]

Source: Over 115,000 United Nations Documents Associated to Gender Equality Exposed Online

Juicy Licensing Deals With AI Companies Show That Publishers Don’t Actually Care About Creators

Posted on by

One of the many interesting aspects of the current enthusiasm for generative AI is the way that it has electrified the formerly rather sleepy world of copyright. Where before publishers thought they had successfully locked down more or less everything digital with copyright, they now find themselves confronted with deep-pocketed companies – both established ones like Google and Microsoft, and newer ones like OpenAI – that want to overturn the previous norms of using copyright material. In particular, the latter group want to train their AI systems on huge quantities of text, images, videos and sounds.

As Walled Culture has reported, this has led to a spate of lawsuits from the copyright world, desperate to retain their control over digital material. They have framed this as an act of solidarity with the poor exploited creators. It’s a shrewd move, and one that seems to be gaining traction. Lots of writers and artists think they are being robbed of something by Big AI, even though that view is based on a misunderstanding of how generative AI works. However, in the light of stories like one in The Bookseller, they might want to reconsider their views about who exactly is being evil here:

Academic publisher Wiley has revealed it is set to make $44 million (£33 million) from Artificial Intelligence (AI) partnerships that it is not giving authors the opportunity to opt-out from.

As to whether authors would share in that bounty:

A spokesperson confirmed that Wiley authors are set to receive remuneration for the licensing of their work based on their “contractual terms”.

That might mean they get nothing, if there is no explicit clause in their contract about sharing AI licensing income. For example, here’s what is happening with the publisher Taylor & Francis:

In July, authors hit out another academic publisher, Taylor & Francis, the parent company of Routledge, over an AI deal with Microsoft worth $10 million, claiming they were not given the opportunity to opt out and are receiving no extra payment for the use of their research by the tech company. T&F later confirmed it was set to make $75 million from two AI partnership deals.

It’s not just in the world of academic publishing that deals are being struck. Back in July, Forbes reported on a “flurry of AI licensing activity”:

The most active area for individual deals right now by far—judging from publicly known deals—is news and journalism. Over the past year, organizations including Vox Media (parent of New York magazine, The Verge, and Eater), News Corp (Wall Street Journal, New York Post, The Times (London)), Dotdash Meredith (People, Entertainment Weekly, InStyle), Time, The Atlantic, Financial Times, and European giants such as Le Monde of France, Axel Springer of Germany, and Prisa Media of Spain have each made licensing deals with OpenAI.

In the absence of any public promises to pass on some of the money these licensing deals will bring, it is not unreasonable to assume that journalists won’t be seeing much if any of it, just as they aren’t seeing much from the link tax.

The increasing number of such licensing deals between publishers and AI companies shows that the former aren’t really too worried about the latter ingesting huge quantities of material for training their AI systems, provided they get paid. And the fact that there is no sign of this money being passed on in its entirety to the people who actually created that material, also confirms that publishers don’t really care about creators. In other words, it’s pretty much what was the status quo before generative AI came along. For doing nothing, the intermediaries are extracting money from the digital giants by invoking the creators and their copyrights. Those creators do all the work, but once again see little to no benefit from the deals that are being signed behind closed doors.

Source: Juicy Licensing Deals With AI Companies Show That Publishers Don’t Actually Care About Creators | Techdirt

Minecraft is ending all virtual reality support next spring

Posted on by

[…]Developer Mojang announced last month that March 2025 would be the last update for the game on PlayStation VR. Yesterday’s patch notes for the Bedrock edition of the game use similar language, stating that “Our ability to support VR/MR devices has come to an end, and will no longer be supported in updates after March of 2025.”

All is not lost for the block builders who have been enjoying Minecraft in virtual reality. After the final March 2025 update, the patch notes clarify that “you can keep building in your worlds, and your Marketplace purchases (including Minecoins) will continue to be available on a non-VR/MR graphics device such as a computer monitor.” It’s a sad development for a game that was such a good match for the VR experience. And with the huge sales figures Minecraft continues to put up year after year, it’s also a bit discouraging for the broader virtual reality and mixed reality ecosystem to lose such an iconic title.

[…]

Source: Minecraft is ending all virtual reality support next spring

With Microsoft having ended support for Windows Mixed Reality and junking a whole load of 2 year old consumer VR devices, this is another blow to an industry that is finally growing again, with new devices such as Pico 4 and Pimax Crystal Lite hitting the shops.

Samsung phones being attacked by flaw. Use the Oct 7 update!

Posted on by

A nasty bug in Samsung’s mobile chips is being exploited by miscreants as part of an exploit chain to escalate privileges and then remotely execute arbitrary code, according to Google security researchers.

The use-after-free vulnerability is tracked as CVE-2024-44068, and it affects Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920. It received an 8.1 out of 10 CVSS severity rating, and Samsung, in its very brief security advisory, describes it as a high-severity flaw. The vendor patched the hole on October 7.

While the advisory doesn’t make any mention of attackers abusing the vulnerability, according to Googlers Xingyu Jin and Clement Lecigene, someone(s) has already chained the flaw with other CVEs (those aren’t listed) as part of an attack to execute code on people’s phones.

The bug exists in the memory management and how the device driver sets up the page mapping, according to Lecigene, a member of Google’s Threat Analysis Group, and Jin, a Google Devices and Services Security researcher who is credited with spotting the flaw and reporting it to Samsung.

“This 0-day exploit is part of an EoP chain,” the duo said. “The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to ‘vendor.samsung.hardware.camera.provider@3.0-service,’ probably for anti-forensic purposes.”

The Register reached out to Samsung for more information about the flaw and in-the-wild exploits, but did not immediately receive a response. We will update this story when we hear back.

It’s worth noting that Google TAG keeps a close eye on spyware and nation-state gangs abusing zero-days for espionage purposes.

Considering that both of these threats frequently attack mobile devices to keep tabs on specific targets — Google tracked [PDF] 61 zero-days in the wild that specifically targeted end-user platforms and products in 2023 – we wouldn’t be too surprised to hear that the exploit chain including CVE-2024-44068 ultimately deploys some snooping malware on people’s phones. ®

Source: Samsung phone users exposed to EoP attacks, Google warns • The Register