Categories
AI

How Onyxia uses security AI to help CISOs improve their security posture

Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.


Managing cybersecurity risks is challenging, not necessarily because vulnerabilities are hard to find, but because most organizations rely on manual processes to do so. However, security AI has the potential to automatically measure risks in the environment, and provide recommendations on what to address first. 

Security provider Onyxia, which launched today with $5 million in seed funding, demonstrates this approach by enabling organizations to use artificial intelligence (AI) to monitor their security posture in real time. 

As complexity increases in modern networks, AI-driven solutions will become more important for identifying gaps in an enterprise’s defenses, and reduce the chance of threat actors being able to exploit any vulnerabilities. 

Using security AI to mitigate risk 

The key challenge of mitigating cyber-risks is to understand that the level of risk isn’t static, but changes as technology and users in the environment move in and out. 

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

In environments that aren’t driven by AI, security teams and CISOs can struggle to keep up with the rate the environment changes. At the same time, the pace of work makes it difficult to make accurate judgment calls on which security risks to address first to improve the overall security posture of the organization. 

By using AI, an organization can eliminate this guesswork and start accurately assessing what actions they can take to better secure their environments.

Helpnet Security reported that out of 3,800 CISOs surveyed, 61% of security teams are understaffed and 69% say that hiring managers don’t accurately understand their company’s cybersecurity hiring needs, adding training and educational responsibilities that most IT teams cannot spare,” said Sivan Tehila, CEO of Onyxia. 

“Currently, security priorities are shifting as 90% of organizations fail to address cybersecurity risks. Onyxia enables CISOs and security teams to gain a holistic view of their entire cybersecurity environment while highlighting the best solutions and strategies to close security gaps, filling in the gaps that they didn’t know existed,” Tehila said. 

Onxyia is well-placed to meet these challenges, given founder Sivan Tehila’s technology pedigree, previously serving as CISO of the research and analysis division and head of information security for the Israeli Defense Force (IDF). 

The vendor’s solution uses machine learning (ML) and AI to provide CISOs with custom suggestions on how to improve their organization’s security posture. Choice are based on industry-specific needs, special risks and budget, and enable decision-makers to find the most effective way to improve cyber-resilience. 

AI risk management solutions 

According to Tehila, Onxyia is defining a new solution category for security teams and has no direct competitors. 

“Onxyia is a proactive solution that takes internal and macro-environment factors into account. A proactive solution is necessary for security managers to have real-time insight into their cybersecurity postures and implement proactive measures to ensure business continuity. Currently most of these processes are being done manually,” Tehila said. 

Although it’s important to note that Onxyia isn’t the only provider leveraging AI to identify risks in enterprise environments. For instance, Securiti uses AI to automatically map unstructured and structured data records in real time, while providing an overview of risk scores for data risks. Securiti most recently raised $50 million as part of a series B funding round

Similarly, OneTrust also uses AI to discover and classify data, identifying at-risk data and enabling the user to monitor it with analytics displays. To date, OneTrust has raised $920 million in funding

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

Repost: Original Source and Author Link

Categories
AI

Nvidia and Booz Allen develop Morpheus platform to supercharge security AI 

Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.


One of the biggest challenges facing modern organizations is the fact that security teams aren’t scalable. Even well-resourced security teams struggle to keep up with the pace of enterprise threats when monitoring their environments without the use of security artificial intelligence (AI).

However, today at the 2022 Nvidia GTC conference, Nvidia and enterprise consulting firm Booz Allen announced they are partnering together to release a GPU-accelerated AI cybersecurity processing framework called the Morpheus platform. 

[Follow along with VB’s ongoing Nvidia GTC 2022 coverage »]

So far, Booz Allen has used Morpheus to create Cyber Precog, a GPU-accelerated software platform for building AI models at the network’s edge, which offer data ingestion capabilities at 300x the rate of CPUs, and boost AI training by 32x and AI inference by 24x. 

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

The new solution will enable public and private sector companies to address some of the cybersecurity challenges around closing the cyberskills gap with AI optimized for using GPUs, enabling much more processing to take place than if it was relying on CPUs. 

Finding threats with digital fingerprinting 

Identifying malicious activity in a network full of devices is extremely difficult to do without the help of automation. 

Research shows that 51% of IT security and SOC decision-makers feel their team is overwhelmed by the volume of alerts, with 55% admitting that they aren’t entirely confident in their ability to prioritize and respond to them. 

Security AI has the potential to lighten the loads of SOC analysts by automatically identifying anomalous — or high-risk — activity, and blocking it. 

For instance, the Morpheus software framework enables developers to inspect network traffic in real time, and identify anomalies based on digital fingerprinting. 

“We call it digital fingerprinting of users and machines, where you basically can get to a very granular model for every user or every machine in the company, and you can basically build the model on how that person should be interacting with the system,” said Justin Boitano, VP, EGX of Nvidia. 

“So if you take a user like myself, and I use Office 365 and Outlook every day, and suddenly me as a user starts trying to log in into build systems or other sources of IP in the company, that should be an event that alerts our security teams,” Boitano said. 

It’s an approach that gives the solution the ability to examine network traffic for sensitive information, detect phishing emails, and alert security teams with AI processing powered by large BERT models that couldn’t run on CPUs alone. 

Entering the security AI cluster category: UEBA, XDR, EDR 

As a solution, Morpheus is competing against a wide range of security AI solutions, from user and entity behavior analytics (UEBA) solutions to extended detection and response (XDR) and endpoint detection and response (EDR) solutions designed to discover potential threats.

One of the organizations competing against Nvidia in the realm of threat detection is CrowdStrike Falcon Enterprise, which combines next-gen antivirus (NGAV), endpoint detection and response, threat hunting, and threat intelligence as part of a single solution to continuously and automatically identify threats in enterprise environments.

CrowdStrike recently announced raising $431 million in revenue during the 2022 fiscal year. 

Another potential competitor is IBM QRadar, an XDR solution that uses AI to identify security risks with automatic root cause analysis and MITRE ATT&CK mapping, while providing analysts with support in the form of automated triaging and contextual intelligence. IBM announced raising $16.7 billion in revenue in 2021. 

With Nvidia recently announcing second quarter revenue of $6.7 billion, and now combining the strength of Nvidia’s GPUs alongside Booz Allen’s expertise, the Morpheus framework stands in a unique position to empower enterprises to conduct greater analytic data processing activities at the edge of the network to help supercharge threat detection. 

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

Repost: Original Source and Author Link

Categories
Security

You can uninstall iOS 16 Rapid Security Response updates, but you probably shouldn’t

Apple will let you remove the security patches installed by iOS 16’s Rapid Security Response system, which can install patches without the need to fully update your iPhone (or even without having to restart it, in some cases). According to a support document spotted by MacRumors, you can remove a Rapid Security Response update by going to Settings > General > About, then tapping on the iOS Version. From there, you’ll be presented with a “Remove Security Update” button.

The document doesn’t give any examples of why you’d need to uninstall one of the patches, leaving your phone open to the vulnerability it protects against. It’s easy to imagine a few special circumstances where the feature could be useful, perhaps if one messes up some special work-related software or management tools, for instance. Otherwise, it’s one of those features that most people should probably never use unless they have a very specific reason and fully understand what they’re doing — kind of like the new extreme Lockdown Mode, which is included to protect users from “highly sophisticated” targeted cyberattacks.

Rapid Security Response is turned on by default, although you can turn off the updates by going to Settings > General > Software Update > Automatic Updates and toggling “Security Responses and System Files.” If you do so, you’ll have to wait for full iOS updates to get the security patches. Again, I’d personally recommend against turning the feature off unless you have an explicit reason to, given how many of Apple’s recent updates have patched out pretty serious vulnerabilities.

The system is also coming to macOS in Ventura, which hasn’t been officially released yet — so far, Apple’s support documents for its desktop OS don’t mention whether you’ll be able to roll back those updates as well.

Repost: Original Source and Author Link

Categories
Security

Google Chrome’s latest update has a security fix you should install ASAP

Google Chrome users on Windows, Mac, and Linux need to install the latest update to the browser to protect themselves from a serious security vulnerability that hackers are actively exploiting.

“Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” the company said in a September 2nd blog post. An anonymous tipster reported the problem on August 30th, and Google says it expects the update to roll out to all users in the coming days or weeks.

The company hasn’t released much information yet on the nature of the bug. What we know so far is that it has to do with “Insufficient data validation” in Mojo, a collection of runtime libraries used by Chromium, the codebase that Google Chrome’s built on.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said. By keeping those details under wraps for now, Google makes it harder for hackers to figure out how to exploit the vulnerability before the new update closes the opportunity for attacks.

Chrome users need to relaunch the browser to activate the update. This will update Chrome to version 105.0.5195.102 for Windows, Mac, and Linux. To make sure you’re using the latest version, click the icon with the three dots in the top right corner of your browser. Navigating to “Help,” and then “About Google Chrome” will lead you to a page that tells you whether Chrome is up to date on your device.

This latest update comes just days after Google released Chrome version 105 on August 30th. That update already came with 24 security fixes. Apparently, that still wasn’t enough.

This is the sixth zero-day vulnerability Chrome has faced so far this year. The last vulnerability that was actively exploited was just flagged in mid-August, BleepingComputer reported.

Repost: Original Source and Author Link

Categories
Security

Security pros are rallying to defend the Twitter whistleblower

Peiter “Mudge” Zatko, the former Twitter security chief who has alleged that the company covered up negligent security practices and lied to regulators about data management, was a credible, capable, and brutally honest security expert, according to peers and colleagues.

The assessment of Zatko’s work and character — culled from public messages of support and recollections shared directly with The Verge — is at odds with statements made by current Twitter CEO Parag Agrawal, who has claimed that Zatko is presenting a false narrative of the inner workings of the company after being terminated for poor performance in January.

In a whistleblower disclosure filed with the SEC and first reported by CNN and The Washington Post, Zatko accused Twitter of numerous severe security lapses and claimed that the executive team frequently misled government regulators and its own board of directors about the extent of vulnerabilities on the platform. The filing also claims that the company violated a privacy agreement made with the FTC that required it to delete the data of any users who decided to cancel their Twitter accounts and that the company intentionally manipulated data on the number of bot accounts on the platform.

In a response provided to CNN — language from which was echoed in an email sent by Agrawal to Twitter staff — a Twitter spokesperson said that Zatko’s allegations were “riddled with inconsistencies and inaccuracies” and seemed “designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”

But Twitter’s fierce pushback against Zatko’s criticism prompted a backlash from many leading voices in the field, who spoke out to endorse the security expert’s credentials and track record. Alec Muffett, an internet security expert and software engineer who worked on Twitter’s efforts to launch a Tor service, told The Verge that he had known Zatko for decades and trusted the claims made in the SEC disclosure.

“I’ve known Mudge since the mid 1990s when he — and the other members of the L0pht — were capable and scrappy hackers,” Muffett said. “He demonstrated enormous creativity and drive towards improvement of internet security overall … I have no hesitation about supporting his observations as being both highly credible and concerning.”

Zatko first gained prominence as part of the L0pht, a Boston-based hacker collective known as an influential computer security research group in the 1990s. Notably, while the L0pht released software, the group also advised on policy, even giving testimony before the Senate on internet security in 1998. In his earlier hacking days, Zatko was also a member of the notorious hacker group Cult of the Dead Cow, which also counted former presidential candidate (and current Texas gubernatorial candidate) Beto O’Rourke as a member.

As his profile grew, Zatko took on roles with Defense Advanced Research Projects Agency (DARPA) and Google’s Advanced Technologies and Projects research group. He was hired by Twitter in 2020 in the months after a major security incident that saw hackers take over some of the platform’s most-followed celebrity accounts. But he stayed only just over a year, being fired by incoming CEO Agrawal in January 2022.

One of Zatko’s specific claims — that too many employees are given access to critical software within the company — seemed to be supported by details shared by Al Sutton, a former software engineer at Twitter. In a tweet, Sutton said that he was still able to commit code in the employee group fo Twitter’s open-source software repositories on the code hosting website GitHub, despite having left the company 18 months ago.

The tweet linked to Twitter’s organization page on GitHub, showing that Sutton’s account was still listed as one of only 34 contributing members. Shortly after The Verge reached out to Twitter for comment, Sutton’s account was removed as a contributor.

Contacted by The Verge, Sutton declined to comment further on Twitter’s security posture but said of Zatko, “I had very little overlap with Mudge, but from what overlap I did have, and other folk I know who know him pretty well, he’s brutally honest and I have zero reason to doubt his claims.”

Already, leaders in the security space have rushed to Zatko’s public defense. Industrial security specialist Robert M. Lee accused Twitter of a smear campaign, saying Mudge’s skills and leadership were “some of the most beloved and well documented in the community.” Prominent cybersecurity journalist Kim Zetter echoed the sentiment, saying there was “probably no security exec with more ethics, more credibility than Mudge.”

The Verge reached out to Mudge for comment but did not receive a response. A statement sent from Whistleblower Aid, a nonprofit organization that supports whistleblowers and is representing Zatko, said that “legal obligations prevent Mudge and Whistleblower Aid from discussing events during Mudge’s time at Twitter, except through lawful, properly authorized disclosures including subpoenas to testify which he would of course honor.”

Twitter did not provide a comment by time of publication.



Repost: Original Source and Author Link

Categories
AI

Black Hat 2022 reveals enterprise security trends

Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.


The blast radius of cyberattacks on an enterprise is projected to keep growing, extending several layers deep into software supply chains, devops and tech stacks. Black Hat 2022’s presentations and announcements for enterprise security provide a sobering look at how enterprises’ tech stacks are at risk of more complex, devastating cyberattacks. Held last week in Las Vegas and in its 25th consecutive year, Black Hat‘s reputation for investigative analysis and reporting large-scale security flaws, gaps and breaches are unparalleled in cybersecurity.

The more complex the tech stack and reliant on implicit trust, the more likely it is to get hacked. That’s one of several messages Chris Krebs, the former and founding director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), delivered in a keynote to the audience at the Black Hat 2022 conference last week. Krebs mentioned that weaknesses often start from building overly complex tech stacks that create more attack surfaces for cybercriminals to then attempt to exploit.

Krebs also emphasized how critical software supply chain security is, explaining that enterprises and global governments aren’t doing enough to stop another attack at the scale of SolarWinds.

“Companies that are shipping software products are shipping targets,” he told the keynote audience.

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

Cybercriminals “understand the dependencies and the trust connections we have on our software services and technology providers, and they’re working up the ladder through the supply chain,” Krebs added.

Additionally, eliminating implicit trust is table stakes for reducing supply chain attacks, a point Krebs alluded to throughout his keynote. 

Enterprise security: Reducing the growing blast radius 

Infrastructure, devops, and enterprise software vulnerabilities discovered by researchers made the enterprise-specific sessions worth attending. In addition, improving identity access management (IAM) and privileged access management (PAM), stopping ransomware attacks, reducing Azure Active Directory (AD) and SAP HTTP server attacks, and making software supply chains more secure dominated the enterprise sessions. 

Continuous integration and continuous delivery (CI/CD) pipelines are software supply chains’ most dangerous attack surfaces. Despite many organizations’ best efforts to integrate cybersecurity as a core part of their devops processes, CI/CD software pipelines are still hackable.

Several presentations at the conference explored how cybercriminals can hack into software supply chains using remote code execution (RCE) and infected code repositories. One session in particular focused on how advanced hackers could use code-signing to be indistinguishable from a devops team member. 

Another illustrated how hackers quickly use source code management (SCM) systems to achieve lateral movement and privilege escalation across an enterprise, infecting repositories and gaining access to software supply chains at scale.

Tech stacks are also becoming a more accessible target as cybercriminals’ skills increase. One presentation on how Azure AD user accounts can be backdoored and hijacked by exploiting external identity links to bypass multifactor authentication (MFA) and conditional access policies showed just how an enterprise can lose control of a core part of their tech stack in only minutes. 

A separate session on SAP’s proprietary HTTP server explained how cybercriminals could leverage two memory corruption vulnerabilities found in SAP’s HTTP server using high-level protocol exploitation techniques. CVE-2022-22536 and CVE-2022-22532 are remotely exploitable and could be used by unauthenticated attackers to compromise any SAP installation globally.

Malware attacks continue to escalate across enterprises, capable of bypassing tech stacks that rely on implicit trust and disabling infrastructure and networks. Using machine learning (ML) to identify potential malware attacks and thwart them before they happen using advanced classification techniques is a fascinating area of research. Malware Classification with Machine Learning Enhanced by Windows Kernel Emulation presented by Dmitrijs Trizna, security software engineer at Microsoft, provided a hybrid ML architecture that simultaneously utilizes static and dynamic malware analysis methodologies. 

During an interview prior to his session, Trizna explained that  “AI [artificial intelligence] is not magic, it’s not the silver bullet that will solve all your (malware) problems or replace you. It’s a tool that you need to understand how it works and the power underneath. So don’t discard it completely; see it as a tool.”

Trizna makes ML code for the models he’s working on available on GitHub.  

Cybersecurity vendors double down on AI, API and supply chain security 

Over 300 cybersecurity vendors exhibited at Black Hat 2022, with most new product announcements concentrating on API security and how to secure software supply chains. In addition, CrowdStrike’s announcement of the first-ever AI-based indicators of attack (IOA) reflects how fast cybersecurity providers are maturing their platform strategies based on AI and ML advances. 

CrowdStrike’s announcement of AI-powered IOAs is an industry first

Their AI-based IOAs announced at Black Hat combine cloud-native ML and human expertise, a process invented by CrowdStrike more than a decade ago. As a result, IOAs have proven effective in identifying and stopping breaches based on actual adversary behavior, irrespective of the malware or exploit used in an attack.

AI-powered IOAs rely on cloud-native ML models trained using telemetry data from CrowdStrike Security Cloud, as well as expertise from the company’s threat-hunting teams. IOAs are analyzed at machine speed using AI and ML, providing the accuracy, speed and scale enterprises need to thwart breaches. 

“CrowdStrike leads the way in stopping the most sophisticated attacks with our industry-leading indicators of attack capability, which revolutionized how security teams prevent threats based on adversary behavior, not easily changed indicators,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike. “Now, we are changing the game again with the addition of AI-powered indicators of attack, which enable organizations to harness the power of the CrowdStrike Security Cloud to examine adversary behavior at machine speed and scale to stop breaches in the most effective way possible.” 

AI-powered IOAs have identified over 20 never-before-seen adversary patterns, which experts have validated and enforced on the Falcon platform for automated detection and prevention. 

“Using CrowdStrike sets Cundall apart as one of the more advanced organizations in an industry that typically lags behind other sectors in I.T. and cybersecurity adoption,” said Lou Lwin, CIO at Cundall, a leading engineering consultancy. “Today, attacks are becoming more sophisticated, and if they are machine-based attacks, there is no way an operator can keep up. The threat landscape is ever-changing. So, you need machine-based defenses and a partner that understands security is not ‘one and done.’ It is evolving all the time.” 

CrowdStrike demonstrated AI-powered IOA use cases, including post-exploitation payload detections and PowerShell IOAs using AI to identify malicious behaviors and code.  

AI-generated IOA fortifies existing defenses using cloud-based ML and real-time threat intelligence to analyze events at runtime and dynamically issue IOAs to the sensor. The sensor then correlates the AI-generated IOAs (behavioral event data) with local events and file data to assess maliciousness. CrowdStrike says AI-powered IOAs operate asynchronously alongside existing layers of sensor defense, including sensor-based ML and IOAs. Image credit: CrowdStrike.

For many enterprises, API security is a strategic weakness 

Cybersecurity vendors see the opportunity to help enterprises solve this challenge, and several announced new solutions at Black Hat. Vendors introducing new API security solutions include Canonic Security, Checkmarx, Contrast Security, Cybersixgill, Traceable, and Veracode. Noteworthy among these new product announcements is Checkmarx’s API Security, which is a component of their well-known Checkmarx One platform. Checkmarx is known for its expertise in securing CI/CD process workflows

 API Security can identify zombie and unknown APIs, perform automatic API discovery and inventory and perform API-centric remediation. In addition, Traceable AI announced several improvements to their platform, including identifying and stopping malicious API bots, identifying and tracking API abuse, fraud and misuse, and anticipating potential API attacks throughout software supply chains.

Stopping supply chain attacks before they get started 

Of the more than 300 vendors at Black Hat, the majority with CI/CD, devops, or zero-trust solutions promoted potential solutions for stopping supply chain attacks. It was the most hyped vendor theme at Black Hat. Software supply chain risks have become so severe that the National Institute of Standards and Technology (NIST) is updating its standards, including NIST SP 1800-34, concentrating on systems and components integral to supply chain security. 

Cycode, a supply-chain security specialist, announced it has added application security testing (SAST) and container-scanning capabilities to its platform, as well as introducing software composition analysis (SCA). 

Veracode, known for its expertise in security testing solutions, introduced new enhancements to its Continuous Software Security Platform, including software bill of materials (SBOM) API, support for software composition analysis (SCA), and support for new frameworks including PHP Symfony, Rails 7.0, and Ruby 3.x. 

The Open Cybersecurity Schema Framework (OCSF) meets an enterprise security need  

CISOs’ most common complaint regarding endpoint detection and response (EDR), endpoint management, and security monitoring platforms is that there is no common standard for enabling alerts across platforms. Eighteen leading security vendors have collaborated to take on the challenge, creating the Open Cybersecurity Schema Framework (OCSF) project. The project includes an open specification that enables the normalization of security telemetry across a wide range of security products and services. Open-source tools are also available to support and accelerate OCSF schema adoption.

Leading security vendors AWS and Splunk are cofounders of the OCSF project, with support from CrowdStrike, Palo Alto Networks, IBM Security and others. The goal is to continually create new products and services that support the OCSF specifications, enabling standardization of alerts from cyber monitoring tools, network loggers, and other software, to simplify and speed up the interpretation of that data. 

“At CrowdStrike, our mission is to stop breaches and power productivity for organizations,” said Michael Sentonas, chief technology officer, CrowdStrike. “We believe strongly in the concept of a shared data schema, which enables organizations to understand and digest all data, streamline their security operations, and lower risk. As a member of the OCSF, CrowdStrike is committed to doing the hard work to deliver solutions that organizations need to stay ahead of adversaries.”

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.

Repost: Original Source and Author Link

Categories
Security

Signal alerts 1,900 messaging users to a security threat from Twilio hackers

A data breach earlier this month affecting Twilio, a gateway that helps web platforms communicate over SMS or voice, may have had repercussions for users of Signal, the encrypted messaging platform. Today, Signal announced it has alerted 1,900 users that their accounts were potentially revealed to whoever hacked Twilio and said that the attackers searched for three specific numbers during the time they had access.

So far, Signal says it has heard from one of those three users that the attackers used their Twilio access to re-register a new device associated with their number, which would allow them to send and receive messages from that account.

According to Signal, “message history, contact lists, profile information, whom they’d blocked, and other personal data” for all users remained secure. However, if someone was among the users potentially revealed, and they don’t use Signal’s Registration Lock setting that requires their PIN to add a new device, then an attacker could’ve re-registered their account.

Signal is sending messages with a link to its support page for potentially affected accounts, as well as unregistering all devices connected to those accounts, and said it will be done with this process by tomorrow.

Summary

Recently Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. Here’s what our users need to know:

All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.

For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.

We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices. If you received an SMS message from Signal with a link to this support article, please follow these steps:

Open Signal on your phone and register your Signal account again if the app prompts you to do so.

To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.



Repost: Original Source and Author Link

Categories
Security

Zoom’s latest update on Mac includes a fix for a dangerous security flaw

Zoom has issued a patch for a bug on macOS that could allow a hacker to take control of a user’s operating system (via MacRumors). In an update on its security bulletin, Zoom acknowledges the issue (CVE-2022-28756) and says a fix is included in version 5.11.5 of the app on Mac, which you can (and should) download now.

Patrick Wardle, a security researcher and founder of the Objective-See Foundation, a nonprofit that creates open-source macOS security tools, first uncovered the flaw and presented it at the Def Con hacking conference last week. My colleague, Corin Faife, attended the event and reported on Wardle’s findings.

As Corin explains, the exploit targets the Zoom installer, which requires special user permissions to run. By leveraging this tool, Wardle found that hackers could essentially “trick” Zoom into installing a malicious program by putting Zoom’s cryptographic signature on the package. From here, attackers can then gain further access to a user’s system, letting them modify, delete, or add files on the device.

“Mahalos to Zoom for the (incredibly) quick fix!” Wardle said in response to Zoom’s update. “Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversion.”

You can install the 5.11.5 update on Zoom by first opening the app on your Mac and hitting zoom.us (this might be different depending on what country you’re in) from the menu bar at the top of your screen. Then, select Check for updates, and if one’s available, Zoom will display a window with the latest app version, along with details about what’s changing. From here, select Update to begin the download.



Repost: Original Source and Author Link

Categories
Security

Microsoft upgrades Office security by blocking VBA macros by default

There’s been a bit of back and forth since the change was originally announced, but this week Microsoft started rolling out an update to Microsoft Office that blocks the use of Visual Basic for Applications (VBA) macros on downloaded documents.

Last month, Microsft was testing the new default setting when it suddenly rolled back the update, “temporarily while we make some additional changes to enhance usability.” Despite saying it was temporary, many experts worried that Microsoft might not go through with changing the default setting, leaving systems vulnerable to attacks. Google Threat Analysis Group leader Shane Huntley tweeted, “Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts.”

Now the new default setting is rolling out, but with updated language to alert users and administrators what options they have when they try to open a file and it’s blocked. This only applies if Windows, using the NTFS file system, notes it as downloaded from the internet and not a network drive or site that admins have marked as safe, and it isn’t changing anything on other platforms like Mac, Office on Android / iOS, or Office on the web.

Microsoft:

We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share. Please refer to the following documentation:

• For end users, A potentially dangerous macro has been blocked

• For IT admins, Macros from the internet will be blocked by default in Office

If you ever enabled or disabled the Block macros from running in Office files from the Internet policy, your organization will not be affected by this change.

While some people use the scripts to automate tasks, hackers have abused the feature with malicious macros for years, tricking people into downloading a file and running it to compromise their systems. Microsoft noted how administrators could use Group Policy settings in Office 2016 to block macros across their organization’s systems. Still, not everyone turned it on, and the attacks continued, allowing hackers to steal data or distribute ransomware.

Users who try to open files and are blocked will get a pop-up sending them to this page, explaining why they probably don’t need to open that document. It starts by running through several scenarios where someone might try to trick them into executing malware. If they really do need to see what’s inside the downloaded file, it goes on to explain ways to get access, which are all more complicated than what happened before, where users could usually enable macros by pressing one button in the warning banner.

This change may not always stop someone from opening up a malicious file, but it does provide several more layers of warnings before they can get there while still providing access for the people that say they absolutely need it.



Repost: Original Source and Author Link

Categories
Security

Homeland Security bug bounty reveals huge number of flaws

The outcome of a bug bounty program for the Department of Homeland Security (DHS) has been revealed, and it’s not particularly encouraging news for a government agency synonymous with cyber security.

Participants of DHS’ first-ever bug bounty program, named “Hack DHS,” confirmed that they found a worrying number of security bugs.

Stock Depot/Getty Images

They discovered a total of 122 security vulnerabilities in external DHS systems, according to The Register and Bleeping Computer. Twenty-seven bugs were recognized as “critical severity” flaws.

The Hack DHS initiative saw more than 450 security researchers participate in the program. For their efforts, the government agency paid out a total reward of $125,600 that was distributed amongst the ethical hackers.

As aptly highlighted by The Register, the aforementioned payout figure pales in comparison to what other organizations pay to bug bounty hunters.

For example, Intel has previously offered up to $100,000 for successfully uncovering specific vulnerabilities.

Other technology giants like Microsoft offer 10s of thousands of dollars for finding flaws, while Apple paid a single individual nearly the entirety of the Hack DHS bounty by giving him $100,000 for hacking a Mac.

Google, meanwhile, has awarded nearly $30 million to individuals enrolled in its own bug bounty programs. In one particular case, the company gave a self-taught teenage hacker $36,000 for reporting a certain bug.

Considering the fact that one of the Department of Homeland Security’s key responsibilities involves cyber security, many may understandably be concerned that such a high amount of security bugs were found in the first place. Moreover, the somewhat lackluster payment tiers associated with Hack DHS could be a potential deterrent to future interested parties.

All things considered, it seems the DHS is not as secure as many Americans would have hoped it would be.

A physical lock placed on a keyboard to represent a locked keyboard.
piranka/Getty Images

Homeland Security’s quest to become more secure

Hack DHS was originally introduced in December 2021. Any hacker who joined the program would have to provide a comprehensive breakdown of any vulnerability they find. They also have to detail how that flaw can be targeted and exploited by potential threat actors, as well as explain how it can be specifically utilized to access and extract data from DHS systems.

Once these security defects are put through a verification process by “DHS security experts,” which takes 48 hours to analyze after a bug is detected and submitted, they are generally patched within 15 days or so. In some cases, it takes the government agency longer than half a month to fix the more intricate flaws.

The government agency’s bug bounty program will be conducted via a tiered rollout consisting of three stages. The first phase, payouts, has been completed, while the upcoming second stage will see security researchers hand-picked by the DHS taking part in a live hacking event.

As for the final phase, The Register reports that DHS will share information that it hopes will influence additional bug bounty programs.

The popularity of bug bounty programs is increasingly becoming more prominent in an era where cybercriminals have been intensifying their attempts to infiltrate major companies, especially in the technology space.

For example, Intel unveiled Project Circuit Breaker, an expansion to its bug bounty program that was introduced to recruit “elite hackers.” Google also updated its Vulnerability Reward Program last year by launching a new bug platform.

Elsewhere, Google recently confirmed that a record number of dangerous zero-day exploits were identified in 2021, while cybercrimes are more widespread than ever before.

Editors’ Choice




Repost: Original Source and Author Link