Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Risks. Show all posts
Technology
Android app ecosystem app sideloading Google Google Play Store Safety Security Risks Technology

Google CEO Warns of Potential Security Risks Associated with Sideloading Apps

 

In recent years, sideloading apps, the practice of installing apps from sources outside of official app stores, has gained significant traction. While Android has always embraced this openness, Apple is now facing pressure to follow suit. 

This shift in dynamics is evident in the ongoing legal battle between Google and Epic Games, where Epic Games accuses Google of stifling competition by imposing high fees on app developers.

Google CEO Sundar Pichai has defended Google's stance, citing security concerns associated with sideloading apps. He emphasizes that Google's policies, exemplified by Android's diverse device designs, foster innovation and provide users with choices.

However, Pichai's emphasis on security raises eyebrows, as Android has always been known for its open-source nature and embrace of sideloading. His focus on potential malware infections seems to be a tactic to instill fear among users. In reality, Google's Play Protect feature is only a recent addition for screening sideloaded apps.

Critics argue that sideloading empowers Google with greater control over the apps users can access. While Google maintains that the Play Store provides the highest level of security, a study by Kaspersky Labs contradicts this claim, revealing that over 600 million malicious app downloads occurred from the Google Play Store in 2023 alone.

Apple's staunch opposition to sideloading stems from its desire to retain control over the app distribution process on iPhones. However, both Apple and Google are undoubtedly aware of the 30% commission they charge developers for hosting apps on their respective app stores. This hefty fee has driven companies like Epic Games to explore alternative distribution channels.

The debate over sideloading highlights the growing tension between app developers, app store operators, and users. As the battle for app distribution intensifies, it remains to be seen whether sideloading will become a mainstream practice or remain a niche alternative.
Read more »
Vulnerabilities and Exploits
AI/ML vulnerabilities exploitable flaws Safety Security Risks Vulnerabilities and Exploits

AI/ML Tools Uncovered with 12+ Vulnerabilities Open to Exploitation

 

Since August 2023, individuals on the Huntr bug bounty platform dedicated to artificial intelligence (AI) and machine learning (ML) have exposed more than a dozen vulnerabilities that jeopardize AI/ML models, leading to potential system takeovers and theft of sensitive information.

Discovered in widely used tools, including H2O-3, MLflow, and Ray, each boasting hundreds of thousands or even millions of monthly downloads, these vulnerabilities have broader implications for the entire AI/ML supply chain, according to Protect AI, the entity overseeing Huntr.

H2O-3, a low-code machine learning platform facilitating the creation and deployment of ML models through a user-friendly web interface, has been revealed to have default network exposure without authentication. This flaw allows attackers to provide malicious Java objects, executed by H2O-3, providing unauthorized access to the operating system.

One significant vulnerability identified in H2O-3, labeled as CVE-2023-6016 with a CVSS score of 10, enables remote code execution (RCE), allowing attackers to seize control of the server and pilfer models, credentials, and other data. Bug hunters also pinpointed a local file include flaw (CVE-2023-6038), a cross-site scripting (XSS) bug (CVE-2023-6013), and a high-severity S3 bucket takeover vulnerability (CVE-2023-6017).

Moving on to MLflow, an open-source platform managing the entire ML lifecycle, it was disclosed that it lacks default authentication. Researchers identified four critical vulnerabilities, with the most severe being arbitrary file write and patch traversal bugs (CVE-2023-6018 and CVE-2023-6015, CVSS score of 10). These bugs empower unauthenticated attackers to overwrite files on the operating system and achieve RCE. Additionally, critical-severity arbitrary file inclusion (CVE-2023-1177) and authentication bypass (CVE-2023-6014) vulnerabilities were discovered.

The Ray project, an open-source framework for distributed ML model training, shares a similar default authentication vulnerability. A crucial code injection flaw in Ray's cpu_profile format parameter (CVE-2023-6019, CVSS score of 10) could result in a complete system compromise. The parameter lacked validation before being inserted into a system command executed in a shell. Bug hunters also identified two critical local file include issues (CVE-2023-6020 and CVE-2023-6021), enabling remote attackers to read any files on the Ray system.

All these vulnerabilities were responsibly reported to the respective vendors at least 45 days before public disclosure. Users are strongly advised to update their installations to the latest non-vulnerable versions and restrict access to applications lacking available patches.
Read more »
User Security
AI Cyber Security data security Security Risks User Security

Businesses Need to Ramp Up Their Security to Counter Future Attacks

 

The report, which was published by Perception Point and Osterman Research this week, found that firms typically spend $1,197 per employee each year to deal with cybersecurity incidents, which can add up quickly over time. Because of this, Deloitte believes that employees and board members will be better equipped to thwart cyberattacks in 2023. 

Moreover, Deloitte anticipates that securing emerging technologies, bolstering connected device visibility, and data security practices will be priorities for organizations in 2023. Security supply chains, in addition to security talent shortages and issues, are also likely to continue. The talent shortage, however, is likely to persist as security supply chains continue to struggle, the company leaders mentioned. 

The experts predicted that future-forward preparedness and organizational resilience will play an important role in helping enterprises better manage their vulnerability to adversary actors in the future, in addition to cybersecurity. 

Mulesoft, a Salesforce-owned company, also made predictions about the businesses in 2023. It noted that, up until now, companies have remained committed to digital transformation, speeded up by automation, composable agility, low-code, and no-code tools, data automation, and layered cyber defenses to continue to grow. 

Quantum Growth 

While tech giants like Google, IBM, Microsoft, and Intel made headlines this week, they are also pushing ahead with cloud services and other tools to test quantum algorithms. 

Sandeep Pattathil, a senior analyst at IT advisory firm Everest Group, told VentureBeat that quantum computing’s algorithmic improvements will remain the biggest challenge. He said that IBM, Microsoft, and Google are all working on cloud services to test quantum algorithms. It will also be difficult for them to develop speedy quantum computing programs. 

 AI Needs Change 

According to Kevin McNamara, CEO, and founder of synthetic data vendor, Parallel Domain, which just raised $30 million in a series B round led by March Capital, Artificial intelligence (AI) may be eating the world as we know it, but Ai itself is also starving — and needs to change its diet. 

“Data is food for AI, but AI today is underfed and malnourished,” stated Kevin McNamara. “That’s why things are growing slowly. But if we can feed that AI better, models will grow faster and in a healthier way. Synthetic data is like nourishment for training AI.”
Read more »
Technology
Blockchain Security cryptocurrency Security Risks Technology

5 Harsh Truths Regarding Blockchain Security

 

Cryptocurrencies are based on blockchain technology, which comprises multiple security features, such as cryptography, software-mediated contracts, and identity controls. However, the rise in popularity of cryptocurrencies has encouraged threat actors to employ new strategies to target the underlying blockchain. 

According to Atlas VPN, decentralized finance-related attacks constituted 76% of all major hacks in 2021, with over $1 billion lost in the third quarter alone. The third quarter of 2021 also had 20% more blockchain-based hacking incidents than in all of 2020, SlowMist reported. 

Here are five factors that have created issues for the blockchain security landscape.

1. 51% attacks 

51% of attacks involve the hacker being able to secure control of more than 50 percent of the hashing power. In 2018, three renowned cryptocurrency platforms experienced issues from 51% attacks. The three platforms were Ethereum Classic, Verge Currency, and ZenCash (now Horizen). 

2. Susceptibilities at Blockchain Endpoints 

Threat actors exploit every minor flaw, therefore it’s important to remember that most blockchain transactions have endpoints that are vulnerable. For example, the result of bitcoin trading or investment may be a large sum of bitcoin being deposited into a “hot wallet,” or virtual savings account. These wallet accounts may not be as hacker-proof as the actual blocks within the blockchain. 

To facilitate blockchain transactions, several third-party vendors may be enlisted. Some examples include payment processors, smart contracts, and blockchain payment platforms. These third-party blockchain vendors often have comparatively weak security on their own apps and websites, which can leave the door open to hacking. 

3. Regulation issues 

Many advocates of blockchain believe that regulation will result in innovation delays. However, it is quite opposite because regulations and standards can indeed benefit security and innovation. The current market is suffering from high fragmentation, where different firms have their own rules and protocols. This means developers can't learn from the mistakes and vulnerabilities of others -- never mind the risk of low integration. 

4. Lack of talented cybersecurity professionals 

The current blockchain security space is suffering from a major skills shortage of cybersecurity professionals who have blockchain expertise or a tight hold on novel security risks of the emerging Web3 decentralized economy.

5. Phishing Attacks 

Phishing is one of the most common methods employed by attackers. It is basically a scamming attempt to obtain the credentials of a user. Hackers send emails to wallet key owners by posing as an authentic, authoritative source. 

How to mitigate such attacks? 

The attacks can only be prevented by strengthening the security processes. And it comes at various levels. Here are a few tips recommended by experts to mitigate the risks in blockchain technology: -

  • Two-factor authentication
  • Ensuring proper wallet management 
  • Using different wallet addresses 
  • Keep off phishing links 
  • Regularly checking wallet approvals
Read more »
Weapons Programs
Cyber Security Defense DOD Security Risks Weapons Programs

U.S. DOD Weapons Programs Struggles to Add 'Key' Cybersecurity Measures

 

The U.S. Defense Department failed to communicate cybersecurity guidelines to contractors tasked with building systems for its weapon programs, according to a new watchdog report, released on Thursday. While the agency has developed a range of policies aimed at strengthening the security for its weapon programs, the guidance misses out a key point – the contracts for securing various weapons. 

The U.S. government sanctions hundreds of billions of dollars each year for contracting various manufacturers, from military contractors to small businesses. In a new report released on Thursday, the U.S. Government Accountability Office (GAO) said, 60 percent of the contracts meet zero requirements when it comes to cybersecurity measures. 

According to the GAO report, three out of five contracts reviewed by them had no cybersecurity requirements written into the contract language when they were awarded, with only vague requirements added later. The Air Force was the only service with broad guidance to define cybersecurity requirements and incorporate them in contracts.

“Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met,” according to the GAO’s report.

The Defense Department (DOD) has a huge network of sophisticated weapons systems that need to resist cyberattacks in order to operate when required. But the DOD also has a documented history of discovering mission-critical security flaws within those programs due to what the GAO says is a lack of focus on weapon systems cybersecurity. 

“As we reported in 2018, DOD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process. The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, and key acquisition and requirements policies did not focus on cybersecurity. AS a result, DOD likely designed and build many systems without adequate security,” the report read.
Read more »
Subscribe to: Posts (Atom)