CISA and the FBI today urged software companies to assess their products and fix path traversal security flaws before selling them.
Attackers can leverage path traversal vulnerabilities (also known as directory traversal) to create or overwrite important files used to execute malware or circumvent security systems such as authentication.
“Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog,” says the CISA and FBI joint report.
Such security holes can also allow threat actors to acquire sensitive data, such as credentials, which can then be used to brute-force existing accounts and compromise the targeted systems.
Another option is to disable or limit access to vulnerable systems by overwriting, destroying, or altering critical authentication files (which would lock out all users).
CISA and the FBI propose that software buyers ask vendors if they completed formal directory traversal testing.
To eliminate this class of flaw from their products, manufacturers should ensure that their software developers immediately apply the necessary mitigations. Integrating security into products from the start can eliminate directory traversal issues altogether.
Directory traversal vulnerabilities occur when user-controlled input, such as a file path, is used to reach files and directories the application never intended to expose. Malicious cyber actors can use these flaws to access restricted directories and read, change, or write arbitrary files, with potentially severe consequences.
To minimize directory traversal vulnerabilities in software products, developers should apply proven mitigations such as:
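As an added illustration that is not part of the alert, the snippet below (Python) places a naive file-serving helper beside the canonicalize-then-check mitigation; the temporary directory layout and file names are constructed for the example.

```python
import tempfile
from pathlib import Path

# Constructed sample layout: "public" holds the one file the app may serve;
# "secret.txt" sits one level above it and must never be reachable.
BASE = Path(tempfile.mkdtemp())
PUBLIC_DIR = BASE / "public"
PUBLIC_DIR.mkdir()
(PUBLIC_DIR / "report.txt").write_text("quarterly report")
(BASE / "secret.txt").write_text("db password")


def read_file_vulnerable(user_path: str) -> str:
    # Naive join: a '..' segment (or an absolute path) in user input
    # silently escapes PUBLIC_DIR, which is the directory traversal bug.
    return (PUBLIC_DIR / user_path).read_text()


def is_within_base(base: Path, user_path: str) -> bool:
    # Canonicalize both sides first (resolves '..' and symlinks), then
    # require the result to be the base itself or a descendant of it.
    # Comparing Path objects, not string prefixes, avoids the classic
    # mistake where "/srv/public2" passes a startswith("/srv/public") test.
    base = base.resolve()
    candidate = (base / user_path).resolve()
    return candidate == base or base in candidate.parents


def read_file_safe(user_path: str) -> str:
    # Refuse anything that canonicalizes outside the allowed directory.
    if not is_within_base(PUBLIC_DIR, user_path):
        raise PermissionError(f"path escapes public directory: {user_path!r}")
    return (PUBLIC_DIR.resolve() / user_path).resolve().read_text()


if __name__ == "__main__":
    print(read_file_safe("report.txt"))            # quarterly report
    print(read_file_vulnerable("../secret.txt"))   # db password (leaked)
    print(is_within_base(PUBLIC_DIR, "../secret.txt"))  # False
```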
Path traversal ranked eighth on MITRE's list of the 25 most dangerous software weaknesses, behind out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.
In March, CISA and the FBI released another "Secure by Design" alert, advising executives of software manufacturing companies to develop mitigations to prevent SQL injection (SQLi) security risks.
SQLi vulnerabilities were listed third among MITRE's top 25 most hazardous software vulnerabilities between 2021 and 2022, trailing only out-of-bounds writes and cross-site scripting.
Dropbox has disclosed a breach of its Dropbox Sign eSignature platform, formerly known as HelloSign. The breach, uncovered on April 24, exposed customer data including authentication tokens, MFA keys, hashed passwords, and personal information.
The breach was first detected on April 24, prompting Dropbox to launch a thorough investigation. That investigation revealed that threat actors had gained unauthorised access to a configuration tool within the backend services of the Dropbox Sign platform. This access granted them elevated privileges, allowing them to reach the customer database.
The compromised data spans a large amount of sensitive information, ranging from customer emails, usernames, and phone numbers to hashed passwords and account settings. Even individuals who had never registered accounts with Dropbox Sign had their email addresses and names exposed, widening the scope of the breach.
Some Measures To Consider
Dropbox acted quickly to contain the damage. All user passwords were reset, and all sessions to Dropbox Sign were logged out as a precautionary measure. Furthermore, the company restricted the use of API keys until they could be rotated by the respective customers. Additionally, users who employ Multi-Factor Authentication (MFA) are advised to delete and reconfigure their settings with new keys obtained from the official website.
No Access to Documents
Dropbox has reassured its users that the threat actors did not manage to access any customer documents or agreements. Moreover, the breach did not extend to other Dropbox services, offering some relief amid the security concerns.
Precautions for Users
Users are urged to remain cautious about phishing attempts that exploit the compromised data. Should users receive an email prompting a password reset, they should refrain from clicking any links within the email. Instead, users should reset their passwords directly through the Dropbox Sign website.
This breach isn't Dropbox's first security incident. In 2022, the company disclosed a breach in which threat actors stole 130 code repositories after gaining access to the company's GitHub accounts using stolen employee credentials.
Dropbox is actively addressing the breach and has provided comprehensive guidance to affected users. While the breach underscores the importance of robust cybersecurity measures, users can play their part by staying informed and following the precautions outlined by Dropbox. By doing so, users can help limit the impact of the breach and safeguard their sensitive information.
According to the company, the AI models outperform the GPT-4 models in benchmark testing. Among this model's standout qualities are its long-context capabilities, which enable it to process and analyze research papers and health records.
The paper is available online at arXiv, an open-access repository for academic research, and is presently a pre-print. In a post on X (formerly known as Twitter), Jeff Dean, Chief Scientist at Google DeepMind and Google Research, expressed his excitement about the potential of these models to improve patient and physician understanding of medical issues: "I believe that one of the most significant application areas for AI will be in the healthcare industry."
The AI model has been fine-tuned to improve performance when processing long-context data. Higher quality long-context processing allows the chatbot to offer more precise and targeted answers even when queries are imperfectly phrased or when it is working through a large set of medical records.
Med-Gemini isn’t limited to text-based responses. It seamlessly integrates with medical images and videos, making it a versatile tool for clinicians.
Imagine a radiologist querying Med-Gemini about an X-ray image. The model can provide not only textual information but also highlight relevant areas in the image.
Med-Gemini’s forte lies in handling lengthy health records and research papers. It doesn’t shy away from complex queries or voluminous data.
Clinicians can now extract precise answers from extensive patient histories, aiding diagnosis and treatment decisions.
Med-Gemini builds upon the foundation of Gemini 1.0 and Gemini 1.5 LLM. These models are fine-tuned for medical contexts.
Google’s self-training approach has improved web search results. Med-Gemini delivers nuanced answers, fact-checking information against reliable sources.
Imagine a physician researching a rare disease. Med-Gemini not only retrieves relevant papers but also synthesizes insights.
It’s like having an AI colleague who reads thousands of articles in seconds and distills the essential knowledge.
Med-Gemini empowers healthcare providers to offer better care. It aids in diagnosis, treatment planning, and patient education.
Patients benefit from accurate information, demystifying medical jargon and fostering informed discussions.
As with any AI, ethical use is crucial. Med-Gemini must respect patient privacy, avoid biases, and prioritize evidence-based medicine.
Google’s commitment to transparency and fairness will be critical in its adoption.
Artificial intelligence (AI) has surged into nearly every facet of our lives, from diagnosing diseases to deciphering ancient texts. Yet, for all its prowess, AI still falls short when compared to the complexity of the human mind. Scientists are intrigued by the mystery of why humans excel over machines in various tasks, despite AI's rapid advancements.
Bridging The Gap
Xaq Pitkow, an associate professor at Carnegie Mellon University, highlights the disparity between artificial intelligence (AI) and human intellect. While AI thrives in predictive tasks driven by data analysis, the human brain outshines it in reasoning, creativity, and abstract thinking. Unlike AI's reliance on prediction algorithms, the human mind boasts adaptability across diverse problem-solving scenarios, drawing upon intricate neurological structures for memory, values, and sensory perception. Additionally, recent advancements in natural language processing and machine learning algorithms have empowered AI chatbots to emulate human-like interaction. These chatbots exhibit fluency, contextual understanding, and even personality traits, blurring the lines between man and machine, and creating the illusion of conversing with a real person.
Testing the Limits
In an effort to discern the boundaries of human intelligence, a new BBC series, "AI v the Mind," will pit AI tools against human experts in various cognitive tasks. From crafting jokes to mulling over moral quandaries, the series aims to showcase both the capabilities and limitations of AI in comparison to human intellect.
Human Input: A Crucial Component
While AI holds tremendous promise, it remains reliant on human guidance and oversight, particularly in ambiguous situations. Human intuition, creativity, and diverse experiences contribute invaluable insights that AI cannot replicate. While AI aids in processing data and identifying patterns, it lacks the depth of human intuition essential for nuanced decision-making.
The Future Nexus of AI and Human Intelligence
As we move forward, AI is poised to advance further, enhancing its ability to tackle an array of tasks. However, roles requiring human relationships, emotional intelligence, and complex decision-making, such as physicians, teachers, and business leaders, will continue to rely on human intellect. AI will augment human capabilities, improving productivity and efficiency across various fields.
Balancing Potential with Responsibility
Sam Altman, CEO of OpenAI, emphasises viewing AI as a tool to propel human intelligence rather than supplant it entirely. While AI may outperform humans in certain tasks, it cannot replicate the breadth of human creativity, social understanding, and general intelligence. Striking a balance between AI's potential and human ingenuity ensures a symbiotic relationship, opening up new possibilities while preserving the essence of human intellect.
In conclusion, as AI continues its rapid evolution, it accentuates the enduring importance of human intelligence. While AI powers efficiency and problem-solving in many domains, it cannot replicate the nuanced dimensions of human cognition. By embracing AI as a complement to human intellect, we can harness its full potential while preserving the extensive qualities that define human intelligence.
In a recent legal case that has shaken Finland, cyber offender Julius Kivimäki, known online as Zeekill, has been sentenced to six years and three months behind bars for his involvement in a sophisticated cybercrime operation. The case revolves around the breach of Vastaamo, Finland's largest psychotherapy provider, where Kivimäki gained unauthorised access to sensitive patient records.
The Extent of the Breach
Kivimäki's method involved infiltrating Vastaamo's databases, compromising the privacy of thousands of therapy patients. After his attempt to extort a large sum of money from the company failed, he resorted to directly threatening patients with exposure of their therapy records unless they paid up. The repercussions of his actions were severe, with at least one suicide linked to the breach, leaving the nation in shock.
Legal Proceedings and Conviction
Throughout the trial, Kivimäki insisted on his innocence, even going as far as evading authorities and fleeing. However, the court found him guilty on all counts, emphasizing his ruthless exploitation of vulnerable individuals. The judges emphasized the significant suffering inflicted upon the victims, given Vastaamo's role as a mental health service provider.
A History of Cybercrime
Kivimäki's criminal journey began at a young age, participating in various cyber gangs notorious for causing chaos between 2009-2015. Despite being apprehended at the age of 15 and receiving a juvenile sentence, he persisted in his illicit activities, culminating in the Vastaamo breach.
How Law Enforcement Cracked the Case
Law enforcement's efforts, combined with advanced digital forensics and cryptocurrency tracking, played a pivotal role in securing Kivimäki's conviction. His misstep led authorities to a server containing a wealth of incriminating evidence, aiding in his arrest and subsequent sentencing.
The Human Toll of Cyber Intrusion
Tiina Parikka, one of the affected patients, described the profound impact of receiving Kivimäki's threatening email, leading to a deterioration in her mental health. The breach not only compromised patients' privacy but also eroded their trust in the healthcare system.
Corporate Accountability
While Kivimäki faced legal consequences, Vastaamo's CEO, Ville Tapio, also received a suspended prison sentence for failing to protect customer data adequately. The once esteemed company suffered irreparable damage, ultimately collapsing in the aftermath of the breach.
Moving Forward
As the criminal proceedings conclude, civil cases are expected as victims seek compensation for the breach. The incident has underscored the vulnerability of healthcare data and the pressing need for robust cybersecurity to safeguard information of such sensitivity. After all, maintaining confidentiality is the first step towards establishing a safe environment for patients.
The Vastaamo case serves as a stark reminder of the devastating consequences of cybercrime for individuals and businesses. In an age of advancing technology, it is essential for authorities and organisations to remain vigilant in combating such threats to ensure the protection of privacy and security for all.
Major UAE government organizations including the Executive Council of Dubai, the Federal Authority for Nuclear Regulation, the Telecommunications and Digital Government Regulatory Authority, and important government programs like Sharik.ae and WorkinUAE.ae are among the victims of the purported attack. The UAE Space Agency, Ministry of Finance, and Ministry of Health and Prevention are among the other ministries impacted.
The threat actor released a few samples, claiming to have access to personally identifiable information (PII) belonging to different government personnel. These samples included the roles, genders, and email addresses of high-ranking individuals.
The threat actor purportedly posted screenshots of internal data from multiple prominent government agencies in the United Arab Emirates. The threat actor displayed samples of personally identifiable information (PII) including names, roles, and contact data, claiming to have obtained access to PII of high-ranking government personnel.
The samples the threat actor claims to hold raise questions about the safety of government employees and the integrity of national activities. The hacker's sudden appearance casts doubt on the accuracy of the claims, but it may also point to a high-risk situation.
Such a compromise might have serious repercussions for public safety, national security, and the UAE's economic stability. The world's cybersecurity community is keeping a careful eye on the events and highlighting the necessity of a prompt and forceful government probe to determine the full scope of the hack and minimize any possible harm.
The hacker's sudden rise to prominence and lack of past experience or evidence of similar actions raises questions about the veracity of the claims.
There hasn't been any independent confirmation of the breach, nor have the UAE government or the impacted agencies addressed these allegations as of yet. For further details on the attacks, the Cyber Express team has gotten in touch with the Telecommunications and Digital Government Regulatory Authority (TDRA) in Dubai.
The vast number of impacted organizations and the type of purportedly stolen data point to a very sophisticated and well-planned operation, which is inconsistent with the image of a lone, inexperienced hacker.