Search This Blog

Showing posts with label User Safety. Show all posts

'Hot Pixel' Attack Exploits Novel GPUs and SoCs to Siphon Browsing History

 

An innovative cyberattack technique known as "Hot Pixel," which targets the complex interactions between graphic processing units (GPUs), contemporary system-on-a-chip (SoC), and browser data, has been discovered through a historic partnership between the University of Michigan, Ruhr University Bochum, and Georgia Tech. 

The "Hot Pixel" attack varies from conventional security flaws, as it bypasses modern side-channel defences by taking advantage of data-dependent computation cycles in GPUs and SoCs to steal information from Chrome and Safari browsers. 

The inherent difficulties that contemporary processors have in managing power consumption and heat dissipation, especially at high execution rates, served as the foundation for the researchers' finding. This disproportion generates a distinct digital fingerprint that can be recognised and examined. 

By removing pixels from the content being displayed in the target's browser, the "Hot Pixel" attack takes advantage of these peculiarities to deduce a device's navigation history. The attackers were able to quickly determine the data being processed by observing how the processor behaved differently under various browsing circumstances.

“The rendered image of a webpage may contain private information that should be isolated from scripts running on the page,” the research paper reads. “Examples include embeddings of cross-domain content through the use of iframe elements, and the rendering of hyperlinks, which indicates whether they have been visited.”

In the Chrome and Safari web browsers, researchers ran several CPU and GPU tests. They were able to steal data based on pixels from Chrome with an accuracy range of 60% to 94%, and it took them between 8.1 and 22.4 seconds to decode each pixel. 

Sending cookies to iframe elements is prohibited by Safari's anti-pixel-stealing policy if their origin is different from the parent page of the attacker. However, the researchers found that by burying URLs to sensitive sites on their site, attackers can still exfiltrate the victim's browsing history. 

Attackers might simply ascertain whether their victim had previously visited a particular address because links are presented differently if they have been previously viewed.

The researchers suggest the following measures to stop attacks similar to Hot Pixel: 

  • Minimise devices that are thermally restricted 
  • Enforce hardware constraints by keeping systems' temperatures within acceptable ranges 
  • Remove secrets from iframes' visible content by separating cookies from cross-origin iframes
  • Get rid of unauthorised access to sensor readings (OS-level mitigation)

Free VPN Experiences Massive Data Breach, Putting Users at Risk

 

SuperVPN, a popular free VPN service, is said to have experienced a huge data breach, compromising over 360 million customer accounts. The leak is reported to have exposed 133GB of sensitive information, including user email addresses, originating IP addresses, and geolocation data. According to sources, the material exposed included secret programme keys, unique user identity numbers, and visited website logs. 

The size and scope of the breach highlight the importance of selecting a reliable free VPN service from the hundreds now available, as many fail to provide their users with adequate security cover - despite the fact that many people use a Virtual Private Network for privacy and security in the first place.

The SuperVPN data leak was first revealed on the vpnMentor website by security researcher Jerimiah Fowler, emphasizing the need of conducting thorough research when choosing a secure VPN provider. 

While the contents of this data breach appear to suggest otherwise, SuperVPN promises to offer extensive privacy protection on its help pages, claiming that it:  ‘…keeps no logs which enable interference with your IP address, the moment [sic] or content of your data traffic. We make express reference to the fact that we do not record in logs communication contents or data regarding the accessed websites or the IP addresses”.

In fact, this is the second major data incident involving the widely used free VPN programme. User information related to a few of dodgy providers was released to the tune of over 20 million customers in May 2022, while SuperVPN was also identified as a hazardous malware-ridden VPN programme as early as 2016.

According to Fowler, the situation is especially concerning because SuperVPN appears to be situated in China, a country that has strict regulations on internet usage and regulates the flow of information within its borders.

Rather than being alarmist or jumping on the anti-China bandwagon, Fowler is emphasizing the obvious conflict of interest when an online privacy tool is managed from a country with little to no online privacy. Indeed, he adds that the terms and conditions of SuperVPN included an Orwellian prohibition on "subverting state power, undermining national unity, undermining social stability, and or damaging the honor and interests of the State."

He advocates individuals looking for a VPN to "pay attention to where the company is based" since "certain countries are known for internet censorship (like China or Iran) or surveillance (like the US, the UK, and other members of the Fourteen Eyes alliance)."

Despite the SuperVPN data breach, using a VPN is essentially safe if you choose the proper one.  

Three Ways AI-Powered Patch Management is Influencing Cybersecurity's Future

 

Approaches to patch management that aren't data-driven are breaches just waiting to happen. Security teams delay prioritising patch management until a breach occurs, which allows attackers to weaponize CVEs that are several years old.

More contextual knowledge about which CVEs are most vulnerable is now a part of the evolving cyber attacker tradecraft. As a result, unsecured attack surfaces with exploitable memory conflicts are left behind when patch management is done manually or endpoints are overloaded with agents. 

Attackers continue to hone their skills while weaponizing vulnerabilities with cutting-edge methods and tools that can elude detection and undermine manual patch management systems.

Up to 71% of all detections indexed by the CrowdStrike Threat Graph, according to CrowdStrike's 2023 Global Threat Report, are caused by intrusive activities without the use of malware. Security flaws that had not yet been patched were at blame for 47% of breaches. Remediating security vulnerabilities manually is done by 56% of organisations. 

Consider this if you need any additional evidence that relying on manual patching techniques is ineffective: 20% of endpoints are still not up to date on all patches after remediation, making them vulnerable to breaches once more.

A prime example of how AI can be used in cybersecurity is to automate patch management while utilising various datasets and integrating it into an RBVM platform. The most advanced AI-based patch management systems can translate vulnerability assessment telemetry and rank risks according to patch type, system, and endpoint. Nearly every vendor in this sector is advancing AI and machine learning quickly due to risk-based scoring.

When prioritising and automating patching operations, vulnerability risk rating and scoring based on AI and machine learning provide the knowledge security teams need. The following three examples highlight how AI-driven patch management is revolutionising cybersecurity: 

Real time detection 

To overpower endpoint perimeter-based protection, attackers rely on machine-based exploitation of patch vulnerabilities and flaws. Attack patterns are identified and added to the algorithms' knowledge base via supervised machine learning techniques that have been trained on data. As a result of the fact that machine identities now outweigh human identities by a factor of 45, attackers look for vulnerable endpoints, systems, and other assets that are not patched up to date.

In a recent interview, Ivanti's Mukkamala described how he sees patch management evolving into a more automated process with AI copilots supplying more contextual intelligence and forecast accuracy. 

“With more than 160,000 vulnerabilities currently identified, it is no wonder that IT and security professionals overwhelmingly find patching overly complex and time-consuming,” Mukkamala explained. “This is why organizations need to utilize AI solutions … to assist teams in prioritizing, validating and applying patches. The future of security is offloading mundane and repetitive tasks suited for a machine to AI copilots so that IT and security teams can focus on strategic initiatives for the business.” 

Automating remediation decisions 

Machine learning algorithms continuously analyse and learn from telemetry data to increase prediction accuracy and automate remediation decisions. The quick evolution of the Exploit Prediction Scoring System (EPSS) machine learning model, developed with the combined knowledge of 170 professionals, is one of the most exciting aspects of this breakthrough field.

The EPSS is designed to aid security teams in managing the rising tide of software vulnerabilities and spotting the most perilous ones. The model now in its third iteration outperforms earlier iterations by 82%. 

“Remediating vulnerabilities by faster patching is costly and can lead astray the most active threats,” writes Gartner in its report Tracking the Right Vulnerability Management Metrics (client access required). “Remediating vulnerabilities via risk-based patching is more cost-effective and targets the most exploitable, business-critical threats.” 

Contextual understanding of endpoint assets 

Another noteworthy aspect of AI-based patch management innovation is the speed with which providers are enhancing their usage of AI and machine learning to discover, inventory, and patch endpoints that require updates. Each vendor's approach is unique, but they all strive to replace the outmoded, error-prone, manual inventory-based method. Patch management and RBVM platform suppliers are rushing out new updates that improve prediction accuracy and the capacity to determine which endpoints, machines, and systems need to be patched.

Bottom line

The first step is to automate patch management updates. Following that, patch management systems and RBVM platforms are integrated to improve application-level version control and change management. Organisations will acquire more contextual information as supervised and unsupervised machine learning algorithms assist models discover potential abnormalities early and fine-tune their risk-scoring accuracy. Many organisations are still playing catch-up when it comes to patch management. To realise their full potential, organisations must leverage these technologies to manage whole lifecycles.

WhatsApp Users Alerted About Possible Scam Calls From International Numbers

 

As per experts, if you're receiving missed calls, messages, or WhatsApp calls from international numbers starting with +254, +84, +63, or others, it's advised to "report and block" them. The Indian Cybercrime Coordination Centre (I4C) of the Home Ministry is spreading this alert to protect people from falling prey to cybercrime. Forensics and data analysis experts, who are actively working to combat this issue for the government, have cautioned that these numbers may be originating from countries such as Singapore, Vietnam, and Malaysia. These international numbers may be used by malicious individuals to obtain financial information unlawfully.

"This is a new cybercrime trend. People across India irrespective of their profession have been receiving calls and missed calls on WhatsApp from +254, +84, +63, +1(218) or other international numbers, and some of them have become victims of cybercrime. It has become more frequent," an expert in cyber intelligence and digital forensics told ANI on condition of anonymity.

"Cyber awareness and hygiene are one of the important aspects in policing and it is a much-appreciated initiative," the official added.

"From early morning between 6 am to 7 am or late in the night, such calls are being received by people from all groups whether he or she is a private employee, businessman, retired government officer or even school and college boy or girl. We need to be just aware of such calls."

A message received from a number starting with +243 said: "Hello, my name is Allena, may I take a few minutes of your time?"

"Now that the 5G era of the Internet has arrived, there are already many people who make money through the Internet. I believe you know it too. I must be added to make money. If you don't speak, you may miss an opportunity at a turning point in your life. There are not many opportunities. I hope you see and then respond to my message," the message said.

If a person or organization is the victim of a cyber-attack, the situation can be reported on the cybercrime.gov.in website, according to the experts, who added that "focused work is being done by the central agencies with the help of I4C to curb the cyber menace."

In March, Union Home Minister Amit Shah visited the Indian Cyber Crime Coordination Centre (I4C) and stated that the wing is trying to realize Prime Minister Narendra Modi's goal of a cyber-success society. He went on to say that the I4C allows for effective and seamless cooperation among all agencies and states in the fight against cybercrime.

Since its inauguration in 2018, the Indian Cyber Crime Coordination Centre, a "special purpose unit" of the Centre, has saved over Rs 12 crore from cybercrime victims.

Google is Phasing Out Passwords and Adopting Passkeys: Here's What You Should Know

 

Users will soon be able to log in to their Google accounts without ever having to remember a single password again, according to the firm.

Instead, Google is betting big on passkeys, which are cryptographic keys kept on your device with zero information - you don't even know what they are. They enable you to access specific accounts without using a password; all you have to do is authenticate using your device's PIN or saved biometric data, such as your fingerprint or face. 

Only a few large services, including BestBuy, PayPal, and eBay, already enable their clients to login to their accounts using passkeys, and Google is about to join them. Passkeys are part of the FIDO alliance, which establishes technological and social standards for them. All of the main tech companies are members of the alliance, including Apple, Amazon, Google, and Meta.

They are said to be safer because they are resistant to phishing and more convenient because the user does not have to remember anything. Traditional 2FA methods are likewise obsolete. The biometric information you use to authenticate is also not shared with Google or any other third party. 

Once you've added a passkey, you'll be prompted to use it to access your Google account, as well as to confirm your identity if any unusual activity is discovered. They are compatible with iOS 16 and Android 9 devices and can be shared with other devices such as by using Apple's iCloud, or a compatible password manager such as 1password or Dashlane.

There is also the option to utilize a passkey from a device other than your own, allowing you to log in using a one-time passkey that will not transfer to your own device. Google advises against creating passkeys on shared devices since any other user can access your Google account. 

Passkeys can also be canceled if users think that someone else is using them to access their accounts or if they misplace the device on which they are kept. Passkeys can also be used instead of physical security keys for members of Google's Advanced Protection Program. 

Google account holders can continue to use their passwords if they like, and it will likely be some time before Google switches entirely to passkeys, as mainstream adoption is still a long way off. 

“We’re thrilled with Google’s announcement today as it dramatically moves the needle on passkey adoption due both to Google’s size, and to the breadth of the actual implementation — which essentially enables any Google account holder to use passkeys,” said Andrew Shikiar, executive director of FIDO Alliance. 

He added, “I also think that this implementation will serve as a great example for other service providers and stands to be a tipping point for the accelerated adoption of passkeys.”

Utilising Multiple Solutions Makes Your Zero Trust Strategy More Complex

 

According to BeyondTrust, business operational models are much more complicated now than they were a few years ago. 

Integration with zero trust

More applications, information stored and moving through the cloud, remote personnel accessing critical systems and data, and other factors are all contributing to this complexity. 

Threat to supply chain security 

As a result of a company's growing reliance on its supply chain, partners, suppliers, and shippers are now frequently directly linked to its systems. This has increased the demand for identity solutions and a zero trust strategy. 

The results of this study suggest that integration needs could prevent timely implementation. The research for the survey centred on comprehending the adoption rates, occurrences, solutions, obstacles, and new areas of attention for identification and zero trust.

“Today’s business operating models are highly complex, with remote employees accessing critical systems using dozens, and even hundreds of applications,” stated Morey Haber, Chief Security Officer at BeyondTrust. 

“Data is transmitted between clouds and corporate data centers, with third-party contractors and supply chain partners, suppliers, and shippers directly connecting to these corporate systems. Legacy security architectures and network defenses are less effective at managing this extended perimeter. Zero trust principles and architectures are being adopted by public and private sectors because they have become one of the most effective approaches to mitigating the heightened risks to highly sensitive identities, assets, and resources,” concluded Haber. 

Data breaches and identity theft skyrocket 

The study discovered that 81% of respondents had two or more identity-related occurrences in the previous 18 months, making up virtually all of the sample. A sizable portion of these instances included privileged accounts. 

A zero-trust strategy is still being implemented by more than 70% of businesses in order to secure an expanding security perimeter brought on by increased cloud usage and remote workers. 

For their zero trust strategy, almost all businesses said they were utilising multiple vendors and solutions, with the majority citing four or more. 70% of the businesses that were interviewed rely on expensive third-party services, frequently specialised coding, for integration. The deployment procedure was complicated by the fact that 84% of those had zero trust defenses that required several integration strategies. 

Native integration is needed for zero trust solutions 

Over 70% of respondents to a survey stated that they had to remove a security solution because it didn't integrate well, demonstrating how critical integration has become for many businesses. According to those questioned, flaws in their zero trust strategy led to a variety of problems, including a slower rate of issue resolution, poorer user experiences, erroneous access privileges, human intervention, and compliance problems. 

A faster reaction to security risks and enhanced compliance are two benefits of better integration that save time in addition to resources, according to more than 90% of businesses. Important issues affecting businesses 

Identity-related

  • 93% report having identity troubles as a result of integration concerns in the past 18 months
  • 81% of people have reported two or more identity concerns 
  • 63% of respondents claim that identification issues directly included privileged users and credentials, while 5% are unsure.

Zero trust related

  • 76% of businesses are still working to establish a zero-trust strategy to protect their environment
  • 96% of businesses employ several zero-trust strategies, with 56% utilising four or more. 

Integration-related 

  • 70% of businesses are forced to rely on vendor bespoke code for the integration of zero trust solutions
  • 84% of businesses use a variety of integration techniques to implement their zero-trust strategy
  • 99% of businesses say zero trust solutions must be integrated with a wide range of other programmes. 
  • Easy integration is rated as "very important" or "important" by 94% of participants, with none saying it isn't.
To lessen the burden of integration processes, practically every organisation said that a zero trust approach requires integration with multiple other business and collaboration apps. Most have made native integration a crucial consideration for choosing zero-trust solutions due to integration problems. 

This AI Tool Can Crack Your Password in Sixty Seconds; Here's How to Protect Yourself

 

Even though ChatGPT may be the AI that everyone is thinking about right now, chatbots aren't the only AI tool that has emerged in recent times. DALL•E 2 and Runway Gen 2 are just two examples of AI picture and video creators. Sadly, some AI password crackers exist as well, such as PassGAN. 

PassGAN is actually not that new, at least not in the grand scheme of things. The most recent GitHub update was six years ago, and it made its debut back in 2017. In other words, this isn't a brand-new hacking tool developed in response to the ChatGPT revolution. But when it was recently put to the test by cybersecurity research company Home Security Heroes, the results were startling. PassGAN can break any — yes, any — seven-character password in six minutes or less, according to the Home Security Heroes study. It can quickly crack passwords of seven characters or fewer, regardless of whether they contain symbols, capital letters, or numbers. 

Modus operandi 

PassGAN combines Password with the Generative Adversarial Network (GAN), much like ChatGPT combines Chat with the Generative Pre-trained Transformer (GPT). In essence, the deep learning model that the AI is trained on is GAN, similar to GPT.

In this case, the model's objective is to provide password guesses based on real-world passwords that it has been given as input. In order to train PassGAN, a popular tool for studies like these, Home Security Heroes used the RockYou dataset that resulted from the 2009 RockYou data breach. PassGAN was given the data set by the organisation, and it then generated passwords in an effort to properly guess sample passwords. 

In the end, it was possible to quickly break a wide range of passwords. Home Security Heroes then had an AI tool trained on actual passwords that could instantly crack passwords after using PassGAN to train on the RockYou dataset. 

Should I be alarmed about PassGAN?

The good news is that, for the time being at least, you don't really need to panic about PassGAN. Security Editor for Ars Technica Dan Goodin claimed in an opinion piece that PassGAN was "mostly hype." This is because while the AI tool can fairly easily crack passwords, it doesn't do it any more quickly than other non-AI password crackers. 

In example, Goodin quotes Yahoo Senior Principal Engineer Jeremi Gosney, who claimed that using standard password-cracking methods, they could quickly accomplish similar results and decrypt 80% of passwords used in the RockYou breach. For his part, Gosney characterised the study's findings as "neither impressive nor exciting." And after taking a closer look at the results, you might not be as impressed as you were when you first heard that "50% of common passwords can be cracked in less than a minute." These passwords rarely include capital letters, lowercase letters, digits, and symbols and are primarily made up of numbers with a character count of seven or less. 

This means that all it takes to fool PassGAN is a password of at least 11 characters, made up of a mixture of uppercase and lowercase letters, numbers, and symbols. If you can do that, you can make a password that PassGAN will need 365 years to figure out. If you make that number 11 characters long, it becomes 30,000 years. And the finest password managers make it simple to create these kinds of passwords. 

But let's say you don't want to use a password manager because you don't trust that they won't be vulnerable to data breaches, like the LastPass compromise in August 2022. It's a legitimate concern. Fortunately, using a passphrase—a password created by combining several words—will likely still be enough to fool PassGAN. Home Security Heroes estimates that it would still take PassGAN on average 890 years to crack a 15-character password made up entirely of lowercase letters. That timeline could jump to a staggering 47 million years if only one capital letter were added, long after our AI overloads have already dominated the world. 

However, always keep it in mind that no password is ever completely secure. Despite your best efforts, data breaches might still leave you exposed, and by pure dumb luck, a password cracker might guess your password earlier than planned. But as long as you follow the best practises for password security, you have nothing to worry about with PassGAN or any other rogue actor.

Canada Attempts to Control Big Tech as Data Gets More Potent

 

Whether you're booking a flight, opening a new bank account, or buying groceries, a select few well-known brands control the majority of the market. What this means for the nation's goods—and prices—is examined in the Canadian Press series Competition Ltd. 

Marc Poirier co-founded the search management platform Acquisio 20 years ago, but he will never forget how Google sparked the company's decline. 

It was 2015. The tech behemoth had recently reorganised its companies under the Alphabet brand and was assessing whether recent pushes into riskier projects like self-driving vehicles, internet-beaming balloons, and smart city infrastructure could match the success of its search engine business. The Brossard, Quebec-based business of Marc Poirier was in a lose-lose situation as advertising income and growth stagnated and the company felt pressure to increase earnings.

“I experienced first-hand Google going from partner to fierce competitor,” Poirier stated. “They started selling the same stuff that we built.” 

Sales growth at Acquisio, which sold software to assist advertisers manage bids and budgets for Google, Yahoo, and Microsoft search campaigns, abruptly came to a halt before starting to decline. Poirier began to consider selling, and in 2017 he finally did so through a contract with Web.com. 

Regulators all across the world have made controlling Big Tech a primary priority because of incidents like Poirier's and growing worries about the sheer scale and influence that tech companies have over users, their privacy, communications, and data. 

Google declined to comment on Poirier's particular situation, but spokesman Shay Purdy pointed out that Alphabet underwent significant changes between 2015 and 2017, including its complex restructuring, and claimed that external factors at the time included an economic downturn following a spike in oil prices. 

Many people are expecting that an ongoing review of the country's Competition Act would level the playing field for digital businesses, even as Canada moves closer to new legislation that will shift some revenue from social media giants to news publishers and better safeguard consumer privacy. 

It's not simple, though, to look into and dismantle monopolies in a sector that is constantly changing and formerly functioned under the motto "move fast and break things" popular in Silicon Valley. Tech companies, aware that regulators are following on their heels, are making the work even more difficult. 

The Competition Bureau, Canada's monopoly watchdog, has been given a lot of the job. It has looked into issues including Ticketmaster's deceptive price advertising, Thoma Bravo's acquisition of the oil and gas software business Aucerna, Amazon's market dominance, and other issues. But if real reform is to take place, according to the bureau and tech observers, the federal government must give the regulator additional authority. 

Collecting evidence of anti competitive behaviour is frequently the bureau's first obstacle. Technology companies are known for keeping their operations under wraps, depending on strong non-disclosure agreements and limiting personnel access to prevent product leaks before buzzy releases or competitors gaining an advantage over them. 

In order to make it more difficult to trace a paper trail, Krista McWhinnie notices companies becoming progressively more deliberate about how they record their decision-making or take any action that even seems to hint at anticompetitive purpose. 

“That alone can stop us from being able to remedy conduct that is having potentially quite a big impact in the market,” stated the deputy commissioner of the bureau’s Monopolistic Practices Directorate. 

It is insufficient to justify action under Canadian competition laws, even if the bureau has evidence that a company's practices are seriously hurting competition. Additionally, the bureau must show that a corporation planned to engage in anticompetitive action as well, which is "a very high bar" and "relatively unusual" in other nations. 

According to McWhinnie, "that's frequently a really difficult task that requires a lot of resources." It takes a lot of time, which is one of the factors contributing to the difficulty in bringing these cases quickly. The bureau has come under fire in recent months for moving too slowly on an examination of Google's possible involvement in anti-competitive practices in the online display advertising market, which is set to begin in October 2021. 

The investigation is predicated on the hypothesis that Google's hegemony in online advertising may be limiting the development of rivals, leading to higher costs, less variety, and less innovation, as well as harming advertisers, news publishers, and consumers. 

“Every day that Google is allowed to monopolise ad revenue, more harm is inflicted on the Canadian news industry, which has a negative impact on democracy as a whole,” stated Lana Payne, Unifor’s national president, in a press release. 

Google pointed The Canadian Press to a research on the economic impact of its services, which showed that the use of its search, cloud, advertising, and YouTube products generated $37 billion in revenue for Canadian companies, non-profits, publishers, creators, and developers. More than the total economic impact of the forestry and aviation industries, this is equal to 1.5% of Canada's gross domestic product, according to the statement.

Jim Balsillie, a former BlackBerry CEO and current head of the Council of Canadian Innovators, feels that Canada's problems with competition are caused by a lack of tools and a subpar approach to defending consumer rights in the digital age. The sheer quantity and specificity of consumer data that many large internet companies collect, together with their ability to use AI to mix it with that data to glean personal insights and sway public opinion, is what gives them their power and control.

Data gathering isn't only a Big Tech strategy. Balsillie cites pharmacies as having reams of health information on customers, cellular providers as knowing your whereabouts to within 10 metres, and banks as knowing what you're buying. 

According to Jennifer Quaid, estimating the potential worth of all that data—a crucial component of figuring out whether businesses are engaging in anticompetitive behavior—is not an easy task.

It's challenging to quantify the effects of mergers or tech company policies on innovation, creativity, and consumer behaviour, especially when the company deals in data "that isn't necessarily valuable at the time but ends up becoming valuable when it's aggregated with other information," said the competition law professor at the University of Ottawa's Civil Law Section.

Quaid and Balsillie concur that the problem would be made simpler if the Competition Bureau had a wider array of tools at its disposal, enabling it to impose more significant fines and overhauling some of the regulatory regimes that have allowed some monopolies to flourish unchecked.

Employing Zero Trust to Defend Against Backdoor Attacks

 

Attackers are increasing the number of backdoor attacks they use to spread malware and ransomware, showing that organisations cannot put any trust in anyone to protect their endpoints and identities. 

According to IBM's Security X-force Threat Intelligence Index 2023, hackers are prioritising these backdoor assaults in their efforts to blackmail downstream victims whose data has been hacked. The effort to breach a backdoor was the beginning of 21% of all intrusion attacks. A ransomware component was present in two-thirds of backdoor attempts.

The X-Force Intelligence team at IBM also found that backdoor attacks increased significantly in February and March of last year, as shown by a notable uptick in Emotet malware instances. In 2022, the increase was so large that it was responsible for 47% of all backdoor penetration attempts worldwide. 

“While extortion has mostly been associated with ransomware, extortion campaigns have also included a variety of other methods to apply pressure on their targets,” stated Chris Caridi, cyber threat analyst for IBM security threat intelligence. “And these include things like DDoS attacks, encrypting data, and more recently, some double and triple extortion threats combining several of the previously seen elements.” 

Businesses that rely on perimeter-based protection are being out-innovated by ransomware attackers. The average time to launch a ransomware assault has been cut in half over the past two years by 94%. In just under four days in 2021, ransomware attackers were able to complete what took them two months in 2019. 

Backdoor attack industry, a lucrative field

On the dark web, one of the most valuable and expensive assets for sale is backdoor access to an organization's infrastructure. Access brokers continue to build a robust industry selling mass stolen names and credentials to ransomware attackers, according to CrowdStrike's 2023 Global Threat Report. Government, financial services, industrial, and engineering organisations had the highest average access request prices, according to the highly recognised intelligence team at CrowdStrike.

While access to the government sector cost an average of $6,151, it cost an average of $3,827 to access the academic sector. In the 2023 index, the IBM team writes, "first access brokers often attempt to auction their accesses, with X-Force having seen prices at $5,000 to $10,000, while final pricing may be less. Accesses have been known to sell for $2,000 to $4,000 in some cases, even reaching $50,000. 

Mitigation Tips

Employ antivirus: Use sophisticated antivirus software that is able to recognise and stop a variety of viruses, including as trojans, cryptojackers, spyware, and rootkits. Before they can infect your computer, an antivirus will find and remove backdoor malware. To make sure you're as safe as possible online, good antivirus software like Norton 360 also contains technologies like Wi-Fi monitoring, a powerful firewall, web protection, and microphone and camera privacy monitoring. 

Use firewall: Firewalls, which keep an eye on all of your device's incoming and outgoing traffic, are crucial for anti-backdoor protection. The firewall will prevent unauthorised users from accessing your smartphone, and it will also stop any apps on your device that attempt to send data to an unidentified network location.

Even after your device's malware detection has been tricked, advanced firewalls can find unauthorised backdoor communication. Although the built-in firewalls on Windows and macOS are both fairly good, they are insufficient. There are a few antivirus software packages that have effective firewalls (McAfee has great network safeguards), and you might also think about getting a smart firewall, which is a real-world hardware item that you attach to your router. 

Use a good password manager: Password managers create, store, and even let you automatically log into all of your accounts' login credentials. Using 256-bit AES encryption, all of this data is safely secured and protected by a master password. The security of your password vault can even be increased by employing biometric login or 2FA technologies like TOTP generators and USB tokens, according to advanced password managers like Dashlane. Password managers make it far more difficult for hackers to break into your network or spread throughout your network in the case that a backdoor is placed on your system since they create random, complex passwords.

Role of the Modern CISO in the Rapidly Evolving Cybersecurity Landscape

 

The Chief Information Security Officer (CISO) position is currently undergoing transition, especially as risks alter and as more rules and compliance mandates are implemented. The assumptions around this formerly specialist position need to be reevaluated because it is now essential for contemporary businesses. 

CISO's evolving position 

In a recently published report, the executive search and leadership consultancy firm Marlin Hawk noted changes in the fundamental requirements for CISOs, increased internal hiring for cyber security positions, and declining CISO turnover rates. 

"Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace," stated managing partner at Marlin Hawk, James Larkin.

As a result, CISOs need to be proficient communicators with people at all levels of the organisation. They must be able to communicate with the board as well as the marketplace of investors and clients. The growing focus on CISO soft skills will raise standards for this position.

Role of "CISO+" 

Security experts claim that the CISO role has genuinely evolved into a "CISO+" role during the past 8–10 years as a result of the large number of CISOs who have taken on engineering-related tasks, physical security-related projects, operational resiliency initiatives, brand trust building projects, and/or supply chain resilience building initiatives.

The chances for CISOs to become business enablers and higher-level transformational technology leaders have increased as a result of this. From this new vantage point, CISOs are better able to gain the respect of their executive-level peers as well as the support of the legal departments, other business departments, and other organisational divisions.

CISOs must understand that as recently appointed members of the C-suite, they are accountable for and have a stake in innovation, revenue, and growth.

Manager to leader transition 

For everyone involved in an organisation's cyber security, the promotion of the CISO position to the C-suite is generally good news. CISOs must, nevertheless, show that they are eager to tackle new difficulties.

In order to generate corporate value, CISOs must now act as creative thought leaders, accomplished storytellers, and transformation architects. Across the whole corporate value chain, the CISO must now work as a strategist, tactical master, influencer, and inspiration. Being a change agent is one of the most crucial and challenging practises in lean management transformations. It calls for a person with a distinct vision, patience, persistence, the capability to set a good example, the ability to ask probing questions, and reliability. 

CISOs may be required to spearhead highly focused, precisely targeted initiatives to comprehend risk, identify threats, and emphasise overall cyber security preparation in order to enable more business agility.

Online Privacy is a Myth; Here's Why

Although it seems simple in theory, the reality is more nuanced when it comes to privacy. Our experience online has been significantly changed by ongoing technological advancements. Today, we use the internet for more than simply work and study; we also use it for shopping, travel, socialising, and self-expression. We share a tonne of data in the process, data that provides insights into our personalities and daily routines. 

The idea that maintaining privacy is difficult is a frequent misconception. In fact, even under ideal conditions, it is nearly impossible to build entirely "private" systems. But, we should not let excellence be the adversary of virtue. In fact, a little thought and effort can stop a lot of privacy harm. In truth, technology may be used to preserve our privacy by implementing privacy by design, just as it can be used to breach it. To develop privacy-friendly alternatives to the systems we frequently use now, existing privacy-friendly technology and privacy-by-design methodologies can be leveraged. 

It's time to confront these beliefs, learn to identify badly constructed systems and switch to more privacy-friendly alternatives. Most importantly, constantly keep in mind the following 

The concept of privacy is a fantasy  


The open-air is the medium for your communications. Both encrypted and unencrypted versions exist. Since a very long time ago, this has been occurring. Every single thing you say can be recorded, followed, stalked, stolen from, and utilised to keep an eye on your movements. 

Your Email Is Not a Secure Place 


Employees at Google can access users' email accounts and do so to remove viruses and emails that might be dangerous or violent. You may feel comfortable having some of the most private conversations of your lives here. Only having your signature on the agreement clause from when you started your account will do.  

The history of your browsing cannot be deleted 


Even when you go incognito, your browsing history is connected to your identity and is rarely private. The information that may be retrieved from your browser creates a very terrifying picture. 

You may retrieve information on operating systems and installed programmes, and if your name is associated with either your computer or those programmes, it will frequently store the registrant's identity. That implies that a porn site may access information like your first and last name, username, cookies, etc. Targeting for ongoing offensive intelligence operations frequently results in this. 

Although gathering your personal information for marketing and demography purposes is definitely not an intentional attack on you, it nonetheless seems intrusive and disrespectful. 

Prevention tips  


Use antivirus and firewall suites: Installing a reliable anti-virus tool on your device is one method of preventing fraudulent assaults. Antivirus software scans your files, emails, and internet searches for potential risks. 

They can locate and remove malware, and the majority of these applications have cutting-edge capabilities like link protection, anti-phishing, anti-theft tools, and browser protection, which frequently involves looking for and detecting phoney websites. 

Secure cloud: Many individuals and businesses save their data in the cloud. They incorporate safety procedures that guard against attacks, making them far safer than maintaining data on your own computers. 

You can even set up the security protocols on your own if you choose a private or personal arrangement. 

Password manager: Your online accounts will be more difficult for hackers and other cybercriminals to access if you use a password manager to create and remember strong passwords. 

In addition to offering advanced capabilities like monitoring accounts for security breaches, giving advice on how to change weak passwords, highlighting duplicate passwords, and syncing your passwords across various devices, these programmes can assist you in creating secure passwords. 

Internet privacy does exist, but only to a certain degree. Online security risks abound, and there is no way to totally prevent websites and apps from gathering data about you. Yet, there are several actions and resources at your disposal that you may use to safeguard your data from illegal access. 

Leading Tech Talent Issues Open Letter Warning About AI's Danger to Human Existence

 

Elon Musk, Steve Wozniak, and Tristan Harris of the Center for Humane Technology are among the more than 1,100 signatories to an open letter that was published online Tuesday evening and requests that "all AI labs immediately pause for at least 6 months the training of AI systems more powerful than GPT-4." 

"Contemporary AI systems are now becoming human-competitive at general tasks,[3] and we must ask ourselves: Should we let machines flood our information channels with propaganda and untruth? Should we automate away all the jobs, including the fulfilling ones? Should we develop nonhuman minds that might eventually outnumber, outsmart, obsolete and replace us? Should we risk loss of control of our civilization? Such decisions must not be delegated to unelected tech leaders. Powerful AI systems should be developed only once we are confident that their effects will be positive and their risks will be manageable," the letter reads.

A "level of planning and management" is allegedly "not happening," according to the letter, and in its place, unnamed "AI labs" have been "locked in an out-of-control race to develop and deploy ever more powerful digital minds that no one - not even their creators - can understand, predict, or reliably control."

Some of the AI specialists who signed the letter state that the pause they are requesting should be "public and verifiable, and include all essential participants. Governments should intervene and impose a moratorium, the letter advises, if the proposed stop cannot be swiftly implemented.

Indeed, the letter is intriguing both because of those who have signed it, including some engineers from Meta and Google, Emad Mostaque, founder and CEO of Stability AI, and non-technical individuals like a self-described electrician and an esthetician, as well as those who haven't. For instance, no one from OpenAI, the company that created the GPT-4 big language model, has signed this letter. Neither has the team from Anthropic, which split off from OpenAI to create a "safer" AI chatbot. 

Sam Altman, the CEO of OpenAI, told the WSJ earlier this week that GPT-5 training has not yet begun at OpenAI. Altman also mentioned that the business has historically prioritised safety during development and spent more than six months testing GPT-4 for safety issues prior to release. He told the Journal, "In a way, this is preaching to the choir. "I believe that we have been discussing these topics loudly, intensely, and for the longest."

Altman had a conversation with this editor in January, during which he made the case that "starting these [product releases] now [makes sense], where the stakes are still relatively low, rather than just putting out what the entire industry will have in a few years with no time for society to update," was the better course of action. 

In a more recent interview, Altman discussed his friendship with Musk, who cofounded OpenAI but left the group in 2018 due to conflicts of interest, with computer scientist and well-known podcaster Lex Fridman. Musk was a cofounder of OpenAI. According to a more recent claim from the outlet Semafor, Musk departed when Altman, who was named CEO of OpenAI in early 2019, and the other company founders rejected his offer to lead it. 

Given that he has spoken out about AI safety for many years and has recently targeted OpenAI in particular, claiming the organisation is all talk and no action, Musk is arguably the least surprise signatory to this open letter. Fridman questioned Altman about Musk's frequent and recent tweets criticising the company. 

"Elon is definitely criticising us on Twitter right now on a few different fronts, and I feel empathy because I think he is — appropriately so — incredibly anxious about His safety," Altman added. Although I'm sure there are other factors at play as well, that is undoubtedly one of them."

Watch Out for These Common Signs to Identify an Email Phishing Scam

 

Cybercriminals most frequently use phishing as a method of attack. This communication is a hoax designed to trick the recipient into disclosing private information, sending money, or clicking on a dangerous link. Usually, it is transmitted by email, social media direct messages, or some other text-based method. 

There are many different kinds of phishing, but for big firms, whaling or imitation phishing is the most dangerous. In this kind of attack, the cybercriminal poses as a senior executive to target the employees of the target company. In order to mislead the recipient, deceptively similar email addresses, display names, and messages are used. Since an email from top management or a professional acquaintance is typically taken to be authentic and doesn't arouse suspicion, it is a particularly effective strategy.

To mitigate risks, watch out for these tell-tale signs to identify a phishing email.

Unexpected or unsolicited correspondence 

When an email arrives unexpectedly, that's your first clue that it might be a fraud. Do you recall any offline or in-person discussions about the aforementioned subject? A warning sign that an email may be a phoney message is when you unexpectedly receive one from a top leader, client, or vendor without any prior context.

Scan the display name and email address 

Always check the display name and email address of the sender. On closer inspection, you might discover that a "O" has been changed to a "0" or a I has been changed to a "!". It might initially appear to be genuine. Also, you need to regularly check the domains of the emails you get. 

Internal communications will almost never come through a free email provider and will almost always come from the company's official domain. The same is true of external communication from other enterprises and companies. When you hover over a domain, the fraudulent one will often appear to be real or similar to the company's email address. 

Prompting urgency 

In most cases, phishing emails sound urgent. They want the victim to act without considering or confirming the legitimacy of the email's sender or contents. So, you should be wary of senior executives who unexpectedly request money transfers or information disclosures over email. Always confirm such requests using alternative methods. Call the sender directly, for instance, to confirm the communication. 

Unusual query

Take into account the requests made in the email. There are some common calls to action in phishing emails. They request that you send them private or delicate business information that shouldn't ideally be communicated through email in an unforeseen or initial discussion. It can also request that you click a link to submit this data. You can be led to assume that a senior executive has sent you a paper pertinent to your job by including it in an email. It might even request that you transfer money, either your own or, if you have the power, the company's. 

Prevention tips 

The first thing to do if you think you've received a phishing email is to say nothing. That is, never reply to emails, click on any links, or download any attachments. Next, if you have any doubts about the communication's legitimacy, you should always get in touch with the sender directly through a different method, such as by phone, text, or in person.

Additionally, keep an eye on the emails that arrive in your mailbox. Even if they are from within the company, use extra caution when dealing with emails or senders you weren't anticipating.

Users' Private Info Accidentally Made Public by ChatGPT Bug

 

After taking ChatGPT offline on Monday, OpenAI has revealed additional information, including the possibility that some users' financial information may have been compromised. 

A redis-py bug, which led to a caching problem, caused certain active users to potentially see the last four numbers and expiration date of another user's credit card, along with their first and last name, email address, and payment address, the business claims in a post. Users might have also viewed tidbits of other people's communication histories. 

It's not the first time that cache problems have allowed users to view each other's data; in a famous instance, on Christmas Day in 2015, Steam users were sent pages containing data from other users' accounts. It is quite ironic that OpenAI devotes a lot of attention and research to determining the potential security and safety repercussions of its AI, yet it was taken by surprise by a fairly well-known security flaw. 

The firm claimed that 1.2 percent of ChatGPT Plus subscribers who used the service on March 20 between 4AM and 1PM ET may have been impacted by the payment information leak. 

According to OpenAI, there are two situations in which payment information might have been exposed to an unauthorised user. During that time, if a user visited the My account > Manage subscription page, they might have seen information about another ChatGPT Plus customer who was actively utilising the service. Additionally, the business claims that certain membership confirmation emails sent during the event were sent to the incorrect recipient and contained the final four digits of a user's credit card information. 

The corporation claims it has no proof that either of these events actually occurred before January 20th, though it is plausible that both of them did. Users who may have had their payment information compromised have been contacted by OpenAI. 

It appears that caching had a role in how this whole thing came about. The short version is that the company uses a programme called Redis to cache user information. In some cases, a Redis request cancellation would result in damaged data being delivered for a subsequent request, which wasn't supposed to happen. The programme would typically get the data, declare that it was not what it had requested, and then raise an error.

Yet, the software determined everything was good and presented it to them if the other user was requesting for the same type of data — for example, if they were trying to view their account page and the data was someone else's account information. 

Users were being fed cache material that was originally intended to go to someone else but didn't because of a cancelled request, which is why they could see other users' payment information and conversation history. It also only affected individuals who were actively using the system for that reason. The software wouldn't cache any data for users who weren't actively using it. 

What made matters worse was that, on the morning of March 20, OpenAI made a change to their server that unintentionally increased the amount of Redis queries that were aborted, increasing the likelihood that the issue would return an irrelevant cache to someone.

As per OpenAI, the fault that only affected a very specific version of Redis has been addressed, and the team members have been "great collaborators." It also claims that it is changing its own software and procedures to ensure that something similar doesn't occur again. Changes include adding "redundant checks" to ensure that the data being served actually belongs to the user making the request and decreasing the likelihood that its Redis cluster will experience errors when under heavy load.

How to Shield Yourself From Malicious Websites

 

The sense of wondering if you've just infected your phone or computer with a virus is familiar if you've ever clicked on a link someone sent you, say in an email or a direct message, only to be sent to a website that seemed really suspect. Hackers are getting more and more creative in their attempts to trick you into visiting dangerous websites by disguising them as benign ones.

Furthermore, the practice has spread so widely that it isn't restricted to a small number of sites or site types. It is no longer sufficient to simply be informed that a particular site is off-limits. Therefore, while viewing a website, it's critical to approach it with the mindset of a tech expert and to conduct some research before you decide to keep browsing. 

In this post, we'll look at some easy measures you can take to check the website you land on to see if it's safe and secure and see if there's any chance of data loss or malware installation.

Beware of unclear characters and misspelled URLs

In order to lure visitors into visiting their malicious websites, fraudsters frequently utilise homoglyphs, also known as homographs, assaults, and misspelled or other misleading URLs. Although it might sound like you're going to get whacked over the head with a dictionary, a homoglyph attack actually happens when threat actors register domains with names that are highly similar to others yet contain visually confusing letters or have an imperceptible addition. 

Scan malicious website

There are several online tools you may use to determine whether a website is harmful if you have a bad feeling about it or, even better, if you are considering going but haven't yet. 

One such service is Google's Safe Browsing site status tool, which allows you to paste the URL of a website and receive information on its security. VirusTotal's URL checker is another comparable tool you can use. It analyses a website's address, verifies it with a number of top-tier antivirus engines, and then provides you with a prediction of whether a specific URL might be malicious. The SANS teacher Lenny Zeltser has put together a list of tools that may be useful even if the scan comes back "clean."

To learn who owns the domain you're visiting, you can also run a "whois" search as an alternative. 'Whois' is a record that lists details about the domain you're looking for, including who owns it, when and where it was registered, and how to contact the owner. The address of the website you're looking for must be entered on a special website before you can conduct a whois inquiry. 

Whether the domain is newly registered, which could be a sign that it could be malicious, is one of the details you should be keeping an eye out for. For instance, Facebook won't be a domain that was initially registered in February 2021. If you click "display more data," and it is incomplete or full of errors, that is another indication that the domain may be malicious; although, in some cases, that could be the result of someone being negligent while entering the registration information.

Check for a privacy statement 

If you're browsing a website and unsure if it's trustworthy or not, one thing to check is whether there is a privacy policy. As they are required by data protection legislation to describe how the website handles and protects user data, every reputable website needs to have one. 

Companies that violate data protection laws, particularly the General Data Protection Regulation (GDPR) of the European Union, may suffer substantial repercussions for privacy and security failings. Thus, if a website doesn't have a privacy policy or has one that seems deficient, that should be a pretty good indication that something is amiss and that the website doesn't care about the severe data protection rules that are enforced globally. 

Get contact details

Any trustworthy business that values establishing long-lasting relationships with its clients will have contact information readily available on its website. Typically, it includes a phone number, email address, physical mailing address, or contact form. While attempting to determine whether you're dealing with a genuine or reputable organisation, there are a number of warning indicators that you should be on the watch for. 

For instance, you will most likely be dealing with a scam if you attempt to call the provided phone number and it is disconnected or the person who answers the phone doesn't sound professional. If it passes that evaluation, then confirm by conducting a fast Google search for the business's official contact information and giving that number a call just to be safe. 

Now that you know what you should do to stay secure, you might feel like it's a tall order. In fact, there are other factors you should pay attention to as well, such as whether a website has strange advertising that keeps appearing everywhere or whether it is rife with typos and poor grammar, which may suggest that you have found a shady website. 

To summarise, you should check the website's security certificate, watch for misspellings in the URL, and preferably manually type the address if possible or only click on reliable links.