In this episode of 'Cybersecurity Today,' host Jim Love covers several significant cybersecurity incidents. Hackers disrupt all Aeroflot flights, causing massive delays in Russia. The women-only dating app 'Tea' faces a second serious data leak, exposing 1.1 million private messages. A game on Steam named 'Camia' is found to contain three types of malware, including Info Stealers and a Backdoor. Additionally, researchers discover that OpenAI's GPT-4 agent can bypass CAPTCHAs, raising concerns about the future of this security measure.
00:00 Introduction and Headlines
00:28 Tea App's Major Data Breaches
02:29 Aeroflot Cyber Attack Disrupts Flights
04:22 Malware Found in Steam Game
06:27 OpenAI's GPT-4 Bypasses Captchas
08:59 Conclusion and Final Thoughts
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
Hackers disrupt all Aeroflot flights.
Bringing travel in Russia to a halt camia.
A game from STEAM is riddled withmalware open AI's agents are able to
handle Captchas and Tea for two takeson a whole new meeting with a second
leak of even more sensitive information.
(00:24):
This is Cybersecurity today.
I'm your host, Jim Love.
The Tea app, a woman only dating safetyplatform that verifies users with a
selfie and government ID is now at thecenter of a second serious data leak.
Last week, a user on four chan revealedthat T'S firebase storage bucket was left
(00:47):
unsecured exposing over 72,000 images.
These included 13,000 selfies and IDs.
Used for verification plus59,000 photos shared in posts.
Comments and messages.
Tea claims selfies were retainedto comply with cyber bullying
investigations, but that hasn't stoppedthe images from spreading across.
(01:11):
Hacking forums via torrents.
And now a second exposeddatabase has been discovered.
This time leaking over 1.1 millionprivate messages between users.
Security researcher Kasra Rahjerdi foundthat any T user could access stored
(01:33):
data simply by using their own API Key.
And these messages spanning much morerecent times from 2023 to just last week.
Include highly sensitive conversationsabout such things as abortions,
infidelity, and even personal trauma.
Researchers say it's possible toidentify users by cross-referencing
(01:57):
message content with socialmedia handles or phone numbers.
One attacker has already created aface smash style website, inviting
visitors to rate leaked selfies,turning a platform designed for
safety into a tool for humiliation.
Both the first and second leaks were dueto unauthenticated firebase databases
(02:22):
using easily guest names like T Dash prod.
The
alo.
Russia's flagship airline was forcedto cancel more than 100 flights
on Sunday after a cyber attack.
Disabled parts of its internal IT systems,the Pro Ukraine Hacking Group, Silent
(02:43):
Crow, claimed responsibility, along witha Belarusian group, cyber partisans.
Silent Crow has also taken creditfor attacks this year on a Russian
real estate database estate.
Telecom provider, a major insurer,the Moscow IT Department, and even
the Russian office of Kia Motors,some resulting in large data leaks.
(03:07):
Cyber warfare has been part of Ukraine'sfight back since Russia's 2022 invasion
when Kiev helped mobilize a 300,000strong digital force through a telegram
group known as the IT Army of Ukraine.
And that army is havingan impact in a statement.
Silent Crow claimed this attack followeda year long infiltration of AeroFlot
(03:30):
systems, during which it destroyed7,000 servers and accessed personal
computers used by senior managers.
The group did not provide proof ofthese claims, but threaten to release
the personal data of all Russianswho've ever flown with AeroFlot.
According to the Guardian, silent Crowsaid it isn't seeking ransomware money.
(03:52):
Just disruption the group remainsrelatively unknown with only
a few previous public claims.
And while Russian passengers havebecome familiar with drone attacks
causing air travel delays, thismarks one of the first major cyber
attacks aimed at disrupting flights.
AeroFlot has resumed most services byMonday, but the incident highlights
(04:16):
how civilian infrastructure is becominga frontline in digital warfare.
And finally, a game offered throughSteam's early access program has been
found hiding three types of malware.
According to a report by theCybersecurity Forum, Prodapt Prodapt,
a European cyber threat intelligencecompany known for tracking advanced
(04:39):
threat actors, said the game.
Chemia, I hope I'm saying itright, was laced with Info
Steelers and Backdoor malware.
. The title was marketed as apost-apocalyptic survival crafting
game, but users who requested accessto its play test were unknowingly
downloading malicious code.
(05:00):
According to Prodapt, Camiainstalled fickle Steeler, Viter
Steeler, and hijack loader.
The first two are designed to stealsensitive information, including
browser data, saved passwordsand cryptocurrency wallets.
The third acts as a loader, enablingattackers to silently deliver more
(05:22):
malware to infected systems in the future.
The developer was listed as Ather ForgeStudios, but prod dat and reporters
found no trace of that name online.
No website, no social media, nopublic history tied to the game.
Camia remained live on Steam as ofthe morning of July 25th, two days
(05:44):
after the report was published, butit was quietly pulled later that day.
The malware campaign appearslinked to a group called Encrypt
Hub, which Prodapt says has beenrunning targeted spearfishing
attacks since at least June of 2024.
Indicators of compromise,including hashes for the embedded
malware have been published onGitHub for defenders to review.
(06:09):
This incident is a stark reminder.
Just because software is distributedon a trusted platform like Steam
doesn't guarantee it's safe,especially when the developer's
identity is murky or unverifiable.
And finally, researchers at RobustIntelligence have discovered that Open
(06:32):
AI's GPT-4 based agent is not justphenomenal in terms of its actions, but
it can actually bypass capture tests.
You know those I am not a robot.
Challenges that are meant to blockautomated access to websites.
In their demo, the team built a livesite using Google Recapture and had
GPT-4 perform basic tasks through openAI's browser and function calling tools.
(06:58):
When the agent encountered a recapturecheckbox, it simply clicked it, passed
the test, and moved on without human help.
This wasn't a simulationor a backend bypass.
The agent used a live browsersession, interacted with real page
elements, and succeeded on its own.
It didn't need to solve visualpuzzles or trick a human as
(07:21):
earlier bots sometimes did.
Capcha, which is short for completelyautomated public Turing test to
tell computers and humans apart,has evolved from simple challenges
to complex behavior-based systems.
Some implementations like CrowdStrikenow detect non-human interaction
(07:43):
patterns and then serve up image puzzles.
Even humans find frustrating.
According to ArsTechnica GPT-4treated the recapture like any other
interface and casually clicked through.
That said, results may vary.
We saw this and tried it on alive site using a recapture, and
(08:04):
we couldn't reproduce the bypass.
Our agent asked for help, thenit timed out and eventually left
us to click the box ourselves.
Still, the original demo shows thatAI is getting better and better at
these tasks, and that means thatCaptcha systems will have to get
(08:25):
harder, unfortunately, for humans too.
And if you've ever sat there clickingthrough some of these blurry pictures of
traffic lights and steps and mountains.
Expect more of that, but before you gettoo annoyed, here's a reason to smile.
The irony of having an AI having to proveit's not a robot hasn't gone unnoticed.
(08:50):
As one Reddit user joked, it'sbeen trained on human data,
why would it identify as a bot?
We should respect thatchoice, and that's our show.
Just a reminder to keep an eye onthe new agents that are appearing
while they're no doubt interestingand perhaps highly useful.
(09:11):
I'm working with themnow and I gotta tell you.
I think they're gonna presentus with some challenges.
Open.
AI has warned people to ensure wedon't use them unsupervised or use
them in highly sensitive processesbefore they're actually proven.
, But hey, if people actually paidattention to warnings, 90% of our job
(09:34):
would be done with just a warning.
Until we reach that Nirvana.
I'm your host, Jim Love.
Thanks for listening,
Hackers disrupt all Aeroflot flights.
Bringing travel in Russia to a halt camia.
A game from STEAM is riddled withmalware open AI's agents are able to
handle Captchas and Tea for two takeson a whole new meeting with a second
leak of even more sensitive information.
(00:24):
This is Cybersecurity today.
I'm your host, Jim Love.
The Tea app, a woman only dating safetyplatform that verifies users with a
selfie and government ID is now at thecenter of a second serious data leak.
Last week, a user on four chan revealedthat T'S firebase storage bucket was left
(00:47):
unsecured exposing over 72,000 images.
These included 13,000 selfies and IDs.
Used for verification plus59,000 photos shared in posts.
Comments and messages.
Tea claims selfies were retainedto comply with cyber bullying
investigations, but that hasn't stoppedthe images from spreading across.
(01:11):
Hacking forums via torrents.
And now a second exposeddatabase has been discovered.
This time leaking over 1.1 millionprivate messages between users.
Security researcher Kasra Rahjerdi foundthat any T user could access stored
(01:33):
data simply by using their own API Key.
And these messages spanning much morerecent times from 2023 to just last week.
Include highly sensitive conversationsabout such things as abortions,
infidelity, and even personal trauma.
Researchers say it's possible toidentify users by cross-referencing
(01:57):
message content with socialmedia handles or phone numbers.
One attacker has already created aface smash style website, inviting
visitors to rate leaked selfies,turning a platform designed for
safety into a tool for humiliation.
Both the first and second leaks were dueto unauthenticated firebase databases
(02:22):
using easily guest names like T Dash prod.
The
alo.
Russia's flagship airline was forcedto cancel more than 100 flights
on Sunday after a cyber attack.
Disabled parts of its internal IT systems,the Pro Ukraine Hacking Group, Silent
(02:43):
Crow, claimed responsibility, along witha Belarusian group, cyber partisans.
Silent Crow has also taken creditfor attacks this year on a Russian
real estate database estate.
Telecom provider, a major insurer,the Moscow IT Department, and even
the Russian office of Kia Motors,some resulting in large data leaks.
(03:07):
Cyber warfare has been part of Ukraine'sfight back since Russia's 2022 invasion
when Kiev helped mobilize a 300,000strong digital force through a telegram
group known as the IT Army of Ukraine.
And that army is havingan impact in a statement.
Silent Crow claimed this attack followeda year long infiltration of AeroFlot
(03:30):
systems, during which it destroyed7,000 servers and accessed personal
computers used by senior managers.
The group did not provide proof ofthese claims, but threaten to release
the personal data of all Russianswho've ever flown with AeroFlot.
According to the Guardian, silent Crowsaid it isn't seeking ransomware money.
(03:52):
Just disruption the group remainsrelatively unknown with only
a few previous public claims.
And while Russian passengers havebecome familiar with drone attacks
causing air travel delays, thismarks one of the first major cyber
attacks aimed at disrupting flights.
AeroFlot has resumed most services byMonday, but the incident highlights
(04:16):
how civilian infrastructure is becominga frontline in digital warfare.
And finally, a game offered throughSteam's early access program has been
found hiding three types of malware.
According to a report by theCybersecurity Forum, Prodapt Prodapt,
a European cyber threat intelligencecompany known for tracking advanced
(04:39):
threat actors, said the game.
Chemia, I hope I'm saying itright, was laced with Info
Steelers and Backdoor malware.
. The title was marketed as apost-apocalyptic survival crafting
game, but users who requested accessto its play test were unknowingly
downloading malicious code.
(05:00):
According to Prodapt, Camiainstalled fickle Steeler, Viter
Steeler, and hijack loader.
The first two are designed to stealsensitive information, including
browser data, saved passwordsand cryptocurrency wallets.
The third acts as a loader, enablingattackers to silently deliver more
(05:22):
malware to infected systems in the future.
The developer was listed as Ather ForgeStudios, but prod dat and reporters
found no trace of that name online.
No website, no social media, nopublic history tied to the game.
Camia remained live on Steam as ofthe morning of July 25th, two days
(05:44):
after the report was published, butit was quietly pulled later that day.
The malware campaign appearslinked to a group called Encrypt
Hub, which Prodapt says has beenrunning targeted spearfishing
attacks since at least June of 2024.
Indicators of compromise,including hashes for the embedded
malware have been published onGitHub for defenders to review.
(06:09):
This incident is a stark reminder.
Just because software is distributedon a trusted platform like Steam
doesn't guarantee it's safe,especially when the developer's
identity is murky or unverifiable.
And finally, researchers at RobustIntelligence have discovered that Open
(06:32):
AI's GPT-4 based agent is not justphenomenal in terms of its actions, but
it can actually bypass capture tests.
You know those I am not a robot.
Challenges that are meant to blockautomated access to websites.
In their demo, the team built a livesite using Google Recapture and had
GPT-4 perform basic tasks through openAI's browser and function calling tools.
(06:58):
When the agent encountered a recapturecheckbox, it simply clicked it, passed
the test, and moved on without human help.
This wasn't a simulationor a backend bypass.
The agent used a live browsersession, interacted with real page
elements, and succeeded on its own.
It didn't need to solve visualpuzzles or trick a human as
(07:21):
earlier bots sometimes did.
Capcha, which is short for completelyautomated public Turing test to
tell computers and humans apart,has evolved from simple challenges
to complex behavior-based systems.
Some implementations like CrowdStrikenow detect non-human interaction
(07:43):
patterns and then serve up image puzzles.
Even humans find frustrating.
According to ArsTechnica GPT-4treated the recapture like any other
interface and casually clicked through.
That said, results may vary.
We saw this and tried it on alive site using a recapture, and
(08:04):
we couldn't reproduce the bypass.
Our agent asked for help, thenit timed out and eventually left
us to click the box ourselves.
Still, the original demo shows thatAI is getting better and better at
these tasks, and that means thatCaptcha systems will have to get
(08:25):
harder, unfortunately, for humans too.
And if you've ever sat there clickingthrough some of these blurry pictures of
traffic lights and steps and mountains.
Expect more of that, but before you gettoo annoyed, here's a reason to smile.
The irony of having an AI having to proveit's not a robot hasn't gone unnoticed.
(08:50):
As one Reddit user joked, it'sbeen trained on human data,
why would it identify as a bot?
We should respect thatchoice, and that's our show.
Just a reminder to keep an eye onthe new agents that are appearing
while they're no doubt interestingand perhaps highly useful.
(09:11):
I'm working with themnow and I gotta tell you.
I think they're gonna presentus with some challenges.
Open.
AI has warned people to ensure wedon't use them unsupervised or use
them in highly sensitive processesbefore they're actually proven.
, But hey, if people actually paidattention to warnings, 90% of our job
(09:34):
would be done with just a warning.
Until we reach that Nirvana.
I'm your host, Jim Love.
Thanks for listening,
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Special Summer Offer: Exclusively on Apple Podcasts, try our Dateline Premium subscription completely free for one month! With Dateline Premium, you get every episode ad-free plus exclusive bonus content.