It’s official: BlackLotus malware can bypass UEFI secure boot

Posted on March 2, 2023 by Robin Edgar

BlackLotus, a UEFI bootkit that’s sold on hacking forums for about $5,000, can now bypass Secure Boot, making it the first known malware to run on Windows systems even with the firmware security feature enabled.

Secure Boot is supposed to prevent devices from running unauthorized software on Microsoft machines. But by targeting UEFI the BlackLotus malware loads before anything else in the booting process, including the operating system and any security tools that could stop it.

Kaspersky’s lead security researcher Sergey Lozhkin first saw BlackLotus being sold on cybercrime marketplaces back in October 2022 and security specialists have been taking apart piece by piece ever since.

[…]

BlackLotus exploits a more than one-year-old vulnerability, CVE-2022-21894, to bypass the secure boot process and establish persistence. Microsoft fixed this CVE in January 2022, but miscreants can still exploit it because the affected signed binaries have not been added to the UEFI revocation list, Smolár noted.

“BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” he wrote.

Plus, a proof-of-concept exploit for this vulnerability has been publicly available since August 2022, so expect to see more cybercriminals using this issue for illicit purposes soon.

Making it even more difficult to detect: BlackLotus can disable several OS security tools including BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC), according to the security shop.

[…]

Once BlackLotus exploits CVE-2022-21894 and turns off the system’s security tools, it deploys a kernel driver and an HTTP downloader. The kernel driver, among other things, protects the bootkit files from removal, while the HTTP downloader communicates with the command-and-control server and executes payloads.

The bootkit research follows UEFI vulnerabilities in Lenovo laptops that ESET discovered last spring, which, among other things, allow attackers to disable secure boot.

[…]

Source: It’s official: BlackLotus malware can bypass secure boot • The Register

OpenAI will let developers build ChatGPT into their apps, control own data

Posted on March 2, 2023 by Robin Edgar

OpenAI, the company behind ChatGPT and DALL-E 2, announced several significant changes today. First, it’s launching developer APIs for ChatGPT and the Whisper speech-transcription model. It also changed its terms of service to let developers opt out of using their data for improvements while adding a 30-day data retention policy.

The new ChatGPT API will use the same AI model (“gpt-3.5-turbo”) as the popular chatbot, allowing developers to add either unchanged or flavored versions of ChatGPT to their apps. Snap’s My AI is an early example, along with a new virtual tutor feature for the online study tool Quizlet and an upcoming Ask Instacart tool in the popular local-shopping app. However, the API won’t be limited to brand-specific bots mimicking ChatGPT; it can also power “non-chat” software experiences that could benefit from AI brains.

The ChatGPT API is priced at $0.002 per 1,000 tokens (about 750 words). Additionally, it’s offering a dedicated-capacity option for deep-pocketed developers who expect to use more tokens than the standard API allows. The new developer options join the consumer-facing ChatGPT Plus, a $20-per-month service launched in February.

Meanwhile, OpenAI’s Whisper API is a hosted version of the open-source Whisper speech-to-text model it launched in September. “We released a model, but that actually was not enough to cause the whole developer ecosystem to build around it,” OpenAI president and co-founder Greg Brockman told TechCrunch on Tuesday. “The Whisper API is the same large model that you can get open source, but we’ve optimized to the extreme. It’s much, much faster and extremely convenient.” The transcription API will cost developers $0.006 per minute, enabling “robust” transcription in multiple languages and providing translation to English.

Finally, OpenAI revealed changes to its developer terms based on customer feedback about privacy and security concerns. Unless a developer opts in, the company will no longer use data submitted through the API for “service improvements” to train its AI models. Additionally, it’s adding a 30-day data retention policy while providing stricter retention options “depending on user needs” (likely meaning high-usage companies with budgets to match). Finally, it’s simplifying its terms surrounding data ownership, clarifying that users own the models’ input and output.

The company will also replace its pre-launch review process for developers with a mostly automated system. OpenAI justified the change by pointing out that “the overwhelming majority of apps were approved during the vetting process,” claiming its monitoring has “significantly improved.” “One of our biggest focuses has been figuring out, how do we become super friendly to developers?” Brockman said to TechCrunch. “Our mission is to really build a platform that others are able to build businesses on top of.”

Source: OpenAI will let developers build ChatGPT into their apps | Engadget

John Dodd Rolls Royce 27-Liter Merlin V12-Powered, Street-Legal Fiberglass Legend From the ’70s for sale

Posted on March 2, 2023 by Robin Edgar

Many cars claim to be a beast although just a few have a resume to back it up. This 1972 Rolls-Royce-ish plants its flag as “The Beast” so hard it’s right there on the name. This beige-on-beige-on-beige masterpiece is heading to auction to find a new home, and hopefully, one with a very long garage to contain its very long snout.

The Beast was the creation of John Dodd, who died last December at 90 years old. The automotive engineer and transmission maker constructed the car using a Rolls-Royce Merlin engine plucked from a military application [Note: from a Spitfire airplane] to power his Beast, all 27 liters and 12 cylinders of glory. The result was an “estimated” 750 horsepower, although the Beast hasn’t ever set foot on a dyno. What you see here isn’t the first Beast, either. Dodd bought the first Beast after he helped to craft a transmission for it, which burned on the way home from a trip in Sweden. The rebodied version is what you see here, and it’s longer than its predecessor if that’s at all possible.

This Beast once famously and litigiously wore a Rolls-Royce snout, which you can see has been removed and replaced with John Dodd’s initials after courts ruled against him. (It still says “Rolls-Royce” on the registration, so checkmate.) The interior is no less resplendent than Rollers of the time, although it’s far smaller than a car with a football-field-sized footprint should have. There are two doors, two seats—in beige no less—with a long cargo area. (So, technically a shooting brake?) There’s a sculpted dash that looks like 1971 vacuformed. It’d be hard to imagine airbags anywhere in the car—they may not be needed if the hood is technically one county ahead of the passengers—but it appears there’s some padding on the dash and a bank of switches with no clear indication of what any of them do.

The internals are absurd, albeit interesting. Behind the vainglorious Meteor V12 is a GM three-speed automatic that shifts through a heavy-duty Currie rear axle. A staggered wheel setup covers four-wheel disc brakes, which is good because the Beast managed 183 mph in a top-speed run in 1977. Just an observation: The five-lug wheels don’t inspire a lot of confidence for the power and speed, but I’m no expert.

But I can confidently spot a winner when I see one, and the Beast is one such winner. It was certifiably the most powerful car on the planet in 1977 and it can also be yours.