• Search for:
    22Dec, 2023
    Top 7 Trends Shaping SaaS Security in 2024

    Over the past few years, SaaS has developed into the backbone of corporate IT. Service businesses, such as medical practices, law firms, and financial services firms, are almost entirely SaaS based. Non-service businesses, including manufacturers and retailers, have about 70% of their software in the cloud.

    These applications contain a wealth of data, from minimally sensitive general corporate information to highly sensitive intellectual property, customer records, and employee data. Threat actors have noted this shift, and are actively working to breach apps to access the data.

    Here are the top trends influencing the state of SaaS Security for 2024 — and what you can do about it.

    Democratization of SaaS 

    SaaS apps have transformed the way organizations purchase and use software. Business units purchase and onboard the SaaS tools that best fit their needs. While this is empowering for business units that have long been frustrated by delays in procuring and onboarding software, it does require organizations to rethink the way they secure data.

    Security teams are being forced to develop new ways to secure company data. Lacking access and visibility into an application, they are placed in the role of advising a business unit that is using SaaS applications. To further complicate matters, every SaaS application has different settings and uses different terminology to describe security features. Security teams can’t create a one-size-fits-all guidance document because of the differences between the apps.

    Security teams must find new ways to collaborate with business units. They need a tool that offers visibility and guidance for each application setting so that they – and the business unit – understand the risks and ramifications involved in the configuration choices that they make.

    ITDR Forms a Critical Safety Net

    If a threat actor gains access to a high-privilege account, they gain unfettered access within the application. Organizations are now understanding that identity is the de facto perimeter for their SaaS applications.

    When threat actors take over an authorized user account, they typically follow common tactics, techniques and procedures (TTP) as they work their way through the app toward the data they want. They leave behind indicators of compromise (IoC), which might be based on actions taken within the app or logs.

    As we move into the new year, we are going to see more organizations adopting an Identity Threat Detection & Response (ITDR) approach. ITDR mitigates that concern. As a key component in Identity Security Posture Management, ITDR capabilities can detect TTPs and IoCs, and then send an alert to the incident response team. Through ITDR, threat actors who have managed to breach the identity perimeter can still be stopped before they steal critical data or insert ransomware into the application.

    Cross-Border Compliance Means More Tenants to Secure

    Global companies are increasingly facing different regulatory requirements from one country to the next. As a result, 2024 will see an increase in the number of geo-specific tenants as part of the effort to keep data segmented in accordance with the different regulations.

    This change will have a limited impact on software costs as most SaaS app pricing is based on subscribers rather than tenants. However, it will have a significant impact on security. Each tenant will need to be configured independently, and just because one instance of the application is secure doesn’t mean that all tenants are secure.

    To secure all these tenants, security teams should look for a security solution that allows them to set app benchmarks, compare tenants, and display security settings side-by-side without charging extra for each additional tenant. By applying best practices throughout the organization, companies can keep all their tenants secure.

    Misconfigured Settings Are Leading to New Exploits

    A default misconfiguration in ServiceNow triggered widespread panic in October. The setting, which was part of the application’s Access Control Lists, allowed unauthorized users to extract data from records. The misconfiguration impacted thousands of companies. A similar misconfiguration in Salesforce Community back in May also impacted a significant number of companies and led to data breaches.

    Misconfigurations like these have the potential to cause major damage to companies. They lead to data leaks that break the trust between companies and their stakeholders, and have the potential to turn into onerous fines, depending on the nature of the data that leaked.

    Securing misconfigurations is an organization’s best chance at preventing these exploits from impacting their operations and hurting their bottom lines.

    Increased Reliance on Third-Party Applications Adds to SaaS Risk

    Third-party applications add real value for end users. They improve processes, extend functionality, and connect data between multiple applications. Users connect these SaaS apps with the click of button, and instantly begin improving their workflows.

    In March 2023, Adaptive Shield released a report showing that organizations using Google Workplace with 10,000-20,000 users averaged 13,913 third-party apps connected to Google Workplace alone. An astonishing 89% of these requested either high- or medium-risk permissions. Many of these high-risk apps are used once and forgotten about, or used by a small number of employees. However, even these dormant or lightly used applications have significant permissions and can be used to compromise or breach a SaaS application.

    The use of third-party applications is only increasing, as more apps are developed and employees use their own judgment – rather than checking with their security team – when integrating third-party applications into their stack. Security teams must develop visibility into all their integrated apps, and gain insights into the permissions requested, the value the app contributes to the organization, and the risk it poses.

    Multiple Devices to Secure as Working from Home Isn’t Going Anywhere 

    In 2023, nearly 40% of all employees worked from home at least part of the time. According to WFHResearch, approximately 12% of employees work exclusively in their homes, while another 28% have hybrid roles.

    These figures should give pause to security personnel concerned about users logging in to their work accounts from personal devices. One of the biggest concerns security teams have is when high-privileged users log into their accounts using an unmanaged or unsecured device. These devices may have critical vulnerabilities, and create a new attack vector. For many teams, there is almost no way to tell which devices are used to access the SaaS app or see whether those devices are secure.

    Organizations Are Turning to SSPM to Secure SaaS

    While all these trends point to legitimate SaaS security concerns, SaaS Security Posture Management (SSPM) tools coupled with ITDR capabilities, like Adaptive Shield, can fully secure the SaaS stack. SSPMs are designed to automatically monitor configurations, looking for configuration drifts that weaken an app’s posture. In SaaS Security Survey, 2024 Plans & Priorities by Cloud Security Association and Adaptive Shield, 71% of respondents said their company had increased their investment into SaaS security tools over the past year, and 80% were either already suing SSPM or planned to invest in one within the next 18 months.

    SSPMs can provide baselining tools for multiple tenants of the same app, and enable users to establish best practices, compare settings from different instances, and improve the overall posture of the SaaS stack.

    SSPMs also detect and monitor third-party applications, alerting users if their integrated apps are requesting too much access and updating the security team when integrated apps are dormant. It tracks users, and monitors the devices being used to access applications to prevent the use of unmanaged or unsecured devices on corporate SaaS apps. Furthermore, their built-in communication tools make it easy for business units to collaborate with security personnel in securing their applications.

    SaaS apps have grown in popularity for good reason. They allow organizations to scale as needed, subscribe to the apps they need at the moment, and limit investment in some IT. With SSPM, these applications can be secured as well.

    Resource : https://thehackernews.com/2023/12/top-7-trends-shaping-saas-security-in.html

    19Dec, 2023
    Five Eyes Agencies Publish Guidance on Eliminating Memory Safety Bugs

    Government agencies in the US, UK, Canada, Australia, and New Zealand have published guidance for software makers to eliminate memory safety vulnerabilities.

    The document, named Case for Memory Safe Roadmaps (PDF), recommends the adoption of memory safe programming languages (MSLs), which will help eliminate well-known and common coding errors that threat actors routinely exploit in malicious attacks.

    The guidance also provides software manufacturers with instructions on “creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products”.

    Memory safety bugs, the Five Eyes government agencies note, persist despite significant efforts put into reducing their prevalence. Transitioning to an MSL, however, should eliminate this type of security flaws and reduce their impact, allowing both developers and customers to invest resources in other areas.

    “Eliminating this vulnerability class should be seen as a business imperative likely requiring participation from many departments. The authoring agencies urge executives to lead from the top by publicly identifying senior staff who will drive publication of their roadmap and assist with realigning resources as needed,” the guidance reads.

    Some of the mitigation methods used to reduce memory safety bugs include developer training, code coverage (testing as much code as possible), secure code guidelines, fuzzing, the use of static application security testing (SAST) and dynamic application security testing (DAST) tools, and the use of safer language subsets.

    To reduce the impact of this type of vulnerabilities, defenders have marked memory segments as non-executable, adopted Control Flow Integrity (CFI), Address Space Layout Randomization (ASLR), sandboxing, and other mitigation methods, and are considering the use of hardware to support memory protections.

    “Despite software manufacturers investing vast resources attempting to mitigate memory safety vulnerabilities, they remain pervasive. Customers must then expend significant resources responding to these vulnerabilities through both onerous patch management programs and incident response activities,” the guidance reads.

    The adoption of MSLs should bring benefits to both software makers and their customers, by improving code reliability, reducing the need to patch the reported vulnerabilities and the number of emergency releases, and ultimately reducing the number of urgent updates that customers will need to install, as well as data breaches.

    “In addition to bringing benefits to software manufacturers and their customers, MSLs reduce a product’s attack surface. That reduction in attack surface will increase the cost to malicious actors who then need to invest more resources discovering other exploitable vulnerabilities,” the guidance reads.

    When developing a memory safety roadmap, software manufacturers should consider how to prioritize transition, the use of appropriate MSLs, and how they will train developers. For each of these aspects, the Five Eyes agencies recommend specific steps to follow.

    The guidance also provides an overview of the implementation challenges that software makers will encounter when adopting MSLs, as well as details on the elements that a memory safety roadmap should include.

    “The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases,” the guidance reads.

    The guide was authored by the US cybersecurity agency CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Cyber Security Centre, the Canadian Centre for Cyber Security, UK’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team.

    Resource : https://www.securityweek.com/five-eyes-agencies-publish-guidance-on-eliminating-memory-safety-bugs/

    18Dec, 2023
    MongoDB Suffers Security Breach, Exposing Customer Data

    MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

    The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

    It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

    In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

    That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

    When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

    Resource : https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

    16Dec, 2023
    New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now

    Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances.

    The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

    “Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks,” security researcher Oskar Zeino-Mahmalat said.

    “Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network.”

    Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection.

    A brief description of the flaws is given below –

    • CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
    • CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
    • CVE-2023-42326 (CVSS score: 8.8) – A lack of validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

    Reflected XSS attacks, also called non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed on the victim’s web browser.

    As a result, attacks of this kind are triggered by means of crafted links embedded in phishing messages or a third-party website, for example, in a comment section or in the form of links shared on social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim’s permissions.

    “Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack,” Zeino-Mahmalat said.

    Following responsible disclosure on July 3, 2023, the flaws were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 released last month.

    The development comes weeks after Sonar detailed a remote code execution flaw in Microsoft Visual Studio Code’s built-in integration of npm (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of its Patch Tuesday updates for September 2023.

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    Resource : https://thehackernews.com/2023/12/new-security-vulnerabilities-uncovered.html

    14Dec, 2023
    Cloud engineer gets 2 years for wiping ex-employer’s code repos

    Miklos Daniel Brody, a cloud engineer, was sentenced to two years in prison and a restitution of $529,000 for wiping the code repositories of his former employer in retaliation for being fired by the company. 

    First Republic Bank was a commercial bank in the U.S., employing over seven thousand people and having an annual revenue of $6.75 billion. The bank closed on May 1, 2023, and was sold to JPMorgan Chase.

    According to the U.S. Department of Justice (DoJ) announcement, Brody was fired on March 11, 2020, from First Republic Bank (FRB) in San Francisco, where he worked as a cloud engineer.

    The court documents state that Brody’s employment was terminated after he violated company policies by connecting a USB drive containing pornography to company computers.

    Following his dismissal, Brody allegedly refused to return his work laptop and instead used his still-valid account to access the bank’s computer network and cause damages estimated to be above $220,000

    “Among other things, Brody deleted the bank’s code repositories, ran a malicious script to delete logs, left taunts within the bank’s code for former colleagues, and impersonated other bank employees by opening sessions in their names,” describes the U.S. DOJ announcement.

    “He also emailed himself proprietary bank code that he had worked on as an employee, which was valued at over $5,000.”

    Until his access to FRB’s network was eventually terminated on March 12, 2020, Brody had performed the following actions:

    • Ran a malicious script named “dar.sh” to wipe FRB’s servers
    • Deleted git logs and git commit history for the particular script
    • Accessed FRB’s GitHub repository and deleted the hosted code
    • Inserted ‘taunts’ in the code, including references to “grok”
    • Impersonated another cloud engineer at FRB to access the firm’s network and make configuration changes

    After the incident, Brody falsely reported to the San Francisco Police Department that the FRB-issued laptop had been stolen from his car.

    He continued to uphold this story when interviewed by United States Secret Service agents following his arrest in March 2021.

    Eventually, in April 2023, Brody pleaded guilty to lying about the laptop and to two charges concerning violation of the Computer Fraud and Abuse Act.

    In addition to the two-year prison term and the payment of the restitution, Brody will serve three years of supervised release.

    Resource : https://www.bleepingcomputer.com/news/security/cloud-engineer-gets-2-years-for-wiping-ex-employers-code-repos/

    13Dec, 2023
    Scaling Security Operations with Automation

    In an increasingly complex and fast-paced digital landscape, organizations strive to protect themselves from various security threats. However, limited resources often hinder security teams when combatting these threats, making it difficult to keep up with the growing number of security incidents and alerts. Implementing automation throughout security operations helps security teams alleviate these challenges by streamlining repetitive tasks, reducing the risk of human error, and allowing them to focus on higher-value initiatives.

    While automation offers significant benefits, there is no foolproof method or process to guarantee success. Clear definitions, consistent implementation, and standardized processes are crucial for optimal results. Without guidelines, manual and time-consuming methods can undermine the effectiveness of automation.

    This blog explores the challenges faced by security operations teams when implementing automation and the practical steps needed to build a strong foundation for successful implementation.

    The Automation Challenge

    Organizations often struggle with automation due to a lack of well-documented processes and limited resources. With constant alerts and fires to put out, security teams are often spread thin, and only have time to focus on the task in front of them. This leaves them little to no time for proper documentation of processes and procedures. This, along with other factors such as maturity and process monitorability, contributes to the challenges security teams face when implementing automation. Successful automation requires a pragmatic approach, where teams identify and prioritize processes that are feasible and provide the greatest impact on efficiency and risk reduction.

    When considering the feasibility of automation, it becomes crucial to assess whether the processes and procedures in place can be seamlessly automated from start to finish. Not all tasks are suitable for complete end-to-end automation. The decision to automate certain processes should be based on factors like the organization’s maturity level, the available time and resources, and the ability to monitor and ensure the feasibility of the automation efforts. It requires careful evaluation to determine if automation makes sense and can effectively streamline security operations.

    Identifying Automation Maturity

    To reach effective security automation, organizations must assess their readiness and maturity level. A comprehensive assessment involves evaluating three critical investigation processes.

    Evidence Gathering

    This process involves querying information across the organization’s technology environment. Historically, the biggest problem with this process is that it has been manual. Organizations usually have a multitude of different technologies, all of which speak their own different languages, resulting in extensive amounts of time spent pivoting from tool to tool gathering data for any given investigation.

    Automation can greatly enhance this stage by unifying and simplifying queries, thereby eliminating the complexities associated with different logging systems and query nomenclatures. A security orchestration, automation, and response (SOAR) solution can prove to be extremely useful here. However, the main hurdle with implementing SOARs lies in integration, maintenance, and upkeep. If organizations are already facing resource constraints, attempting to set up a SOAR becomes even more challenging as they may not have sufficient people available to handle incidents effectively while also maintaining a SOAR.

    Analysis

    Once evidence is gathered, the analysis stage takes the output of evidence gathering and analyzes it against internal and external. Automation can help extract insights, identify patterns, and accelerate the detection of potential threats, but it is important to note that the analysis process often requires human intervention to ensure accuracy and effectiveness.

    Depending on what is being analyzed, human involvement may be necessary. For instance, when dealing with critical assets, vulnerability scanning, or identifying all the root and admin accounts within a system, it’s essential to have internal human intelligence reviewing and verifying the information.

    Remediation

    This process involves responding effectively to true-positive alerts within an environment. Remediation greatly depends on the efficacy of everything built before that. It’s going to be extremely difficult to have confidence in your remediation process if you don’t have all the data, you need or if there are gaps in your internal or external intelligence.

    Practical Automation Development

    It’s crucial to understand what processes and procedures are in place when responding to threats. Depending on where an organization is in their maturity journey, it might be hard to know where to start with implementing automation. Building a solid foundation for automation involves following a systematic and iterative approach. Below are five steps organizations can use to better implement automation:

    1. Interview Security Teams: Engage with security teams about their existing processes and identify use cases suitable for automation.
    2. Identify Use Cases: Identify automation use case opportunities based on those interviews. Prioritize high-volume, repetitive tasks or those with significant human effort. Focus on one process at a time to avoid complications caused by rushing through multiple processes without proper understanding and development.
    3. Document Findings: During the documentation phase, analyze actions in consoles and compare them with the corresponding API endpoints. Changing technologies and unexpected variables can disrupt processes. To mitigate any disruptions, it’s crucial to have a solid understanding of the APIs being used and document the findings thoroughly. By integrating this documentation into the overall workflow, any deviations from the initial assumptions can be identified and addressed promptly.
    4. Develop a Feedback Loop: Incorporate the security operations team’s insights, suggestions, and expertise throughout the development process to ensure the automation solution aligns with the organization’s needs and enhances productivity.
    5. Measure and Assess: After implementing automation, measure its effectiveness and efficiency. Continuously assess the impact and gather feedback from the security team. Use these insights to fine-tune the automation techniques and address any emerging edge cases.

    To have a successful automation foundation, it’s not enough to simply create and deploy automation solutions. It’s also important to integrate automation into existing security operations workflows. This process of operationalization ensures that automated processes and human decision-making can work together seamlessly.

    Conclusion

    Implementing automation is crucial for organizations to combat the increasing security threats in today’s digital landscape. It streamlines tasks, reduces human errors, and enables security teams to focus on higher-value initiatives. However, success in automation requires clear definitions, consistent implementation, and standardized processes. Organizations should assess feasibility, readiness, and maturity level, and follow a systematic approach for practical automation development. By integrating automation into existing workflows and identifying relevant use cases, security teams can maximize the benefits and leverage the expertise of professionals. A solid foundation for automation can reduce response times, improve accuracy, minimize errors, and enhance threat detection in various security processes for organizations.

    Resource : https://thehackernews.com/2023/12/scaling-security-operations-with.html

    13Dec, 2023
    50K WordPress sites exposed to RCE attacks by critical bug in backup plugin

    A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites.

    Known as Backup Migration, the plugin helps admins automate site backups to local storage or a Google Drive account.

    The security bug (tracked as CVE-2023-6553 and rated with a 9.8/10 severity score) was discovered by a team of bug hunters known as Nex Team, who reported it to WordPress security firm Wordfence under a recently launched bug bounty program.

    It impacts all plugin versions up to and including Backup Migration 1.3.6, and malicious actors can exploit it in low-complexity attacks without user interaction.

    CVE-2023-6553 allows unauthenticated attackers to take over targeted websites by gaining remote code execution through PHP code injection via the /includes/backup-heart.php file.

    “This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server,” Wordfence said on Monday.

    “By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”

    In the /includes/backup-heart.php file used by the Backup Migration plugin, an attempt is made to incorporate bypasser.php from the BMI_INCLUDES directory (defined by merging BMI_ROOT_DIR with the includes string) at line 118.

    However, BMI_ROOT_DIR is defined through the content-dir HTTP header found on line 62, thereby making BMI_ROOT_DIR subject to user control.

    Patch released within hours

    Wordfence reported the critical security flaw to BackupBliss, the development team behind the Backup Migration plugin, on December 6, with the developers releasing a patch hours later.

    However, despite the release of the patched Backup Migration 1.3.8 plugin version on the day of the report, almost 50,000 WordPress websites using a vulnerable version still have to be secured nearly one week later, as WordPress.org org download stats show.

    Admins are strongly advised to secure their websites against potential CVE-2023-6553 attacks, given that this is a critical vulnerability that unauthenticated malicious actors can exploit remotely.

    WordPress administrators are also being targeted by a phishing campaign attempting to trick them into installing malicious plugins using fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 as bait.

    Last week, WordPress also fixed a Property Oriented Programming (POP) chain vulnerability that could allow attackers to gain arbitrary PHP code execution under certain conditions (when combined with some plugins in multisite installations).

    Resource : https://www.bleepingcomputer.com/news/security/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin/?&web_view=true

    9Dec, 2023
    Gmail’s AI-powered spam detection is its biggest security upgrade in years

    The latest post on the Google Security blog details a new upgrade to Gmail’s spam filters that Google is calling “one of the largest defense upgrades in recent years.” The upgrade comes in the form of a new text classification system called RETVec (Resilient & Efficient Text Vectorizer). Google says this can help understand “adversarial text manipulations”—these are emails full of special characters, emojis, typos, and other junk characters that previously were legible by humans but not easily understandable by machines. Previously, spam emails full of special characters made it through Gmail’s defenses easily.

    If you want an example of what “adversarial text manipulation” looks like, the below message is something from my spam folder. My personal Gmail experience with these emails is that they used to be a major problem during the first half of the year, with emails like this regularly landing in my inbox. It does seem like this RETVec tech upgrade works, though, because emails like this haven’t been a problem at all for me in the last few months.

    Emails like this have been so difficult to classify because, while any spam filter could probably swat down an email that says, “Congratulations! A balance of $1,000 is available for your jackpot account,” that’s not what this email actually says. A big portion of the letters here are “homoglyphs“—by diving into the endless depths of the Unicode standard, you can find obscure characters that look like they’re part of the normal Latin alphabet but actually aren’t.

    For instance, the subject “𝐂𝐡𝐞𝐜𝐤_𝐘𝐨𝐮𝐫_𝐀𝐜𝐜𝐨𝐮𝐧𝐭” is weirdly bolded not because it has bolded styling but because it uses Unicode glyphs like the “Mathematical Bold Capital C.” It’s a math symbol that happens to look like the letter “C” to people, but the robot doing spam filtering accurately views it as a math symbol and doesn’t understand the intended English meaning. The closer you look at an email like this, the worse it gets: “C0NGRATULATIONS” has a zero replacing one of the “O” characters, the underlined letters in “Jᴀ̲ᴄ̲ᴋ̲pot” are so strange they don’t even come up in Unicode searches, and a lot of spaces are swapped out for periods or underscores. The result is that a spam filter looks at this hot mess of an email and basically gives up. (I don’t understand why illegible emails default to “inbox” instead of “spam,” but I’m not in charge.)

    Google says RETVec is here to save the day: “RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more. The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently. Thus, RETVec works out-of-the-box on over 100 languages without the need for a lookup table or fixed vocabulary size.”

    Google says the efficiency here is a big deal. Alternative approaches that used a “fixed vocabulary size” or “lookup table” for homoglyphs made them resource-intensive to run. Imagine a list of every possible spelling and misspelling of “congratulations” that swaps out one or more characters for numbers, math symbols, Cyrillic, Hebrew, or emojis, and you have a nearly endless list. Google says RETVec is only 200,000 “instead of millions of parameters,” so while Google’s spam-filtering cloud is probably big enough to run anything, this is small enough that it could even run on a local device. RETVec is open source, and Google hopes it will rid the world of homoglyph attacks, so even your local comment section could be running it someday.

    RETVec appears to work a lot like how humans read: It’s a machine-learning TensorFlow model that uses visual “similarity” to identify what words mean instead of their actual character content. Google’s similarity demo uses the same technology to identify pictures of cats, so turning that into the world’s fanciest optical character recognition system sounds pretty doable. Apparently, this approach has led to big improvements, with Google saying: “Replacing the Gmail spam classifier’s previous text vectorizer with RETVec allowed us to improve the spam detection rate over the baseline by 38% and reduce the false positive rate by 19.4%. Additionally, using RETVec reduced the TPU usage of the model by 83%, making the RETVec deployment one of the largest defense upgrades in recent years.”

    Resource : https://arstechnica.com/gadgets/2023/12/gmails-ai-powered-spam-detection-is-its-biggest-security-upgrade-in-years/

    9Dec, 2023
    Certificate and remote ID now required to fly drones in Europe

    Starting January 1st, 2024, new requirements in the European Union will come into effect, reshaping how small drones may be operated in the region. According to the European Union Aviation Safety Agency (EASA), with limited exceptions, even small drone pilots will require a certificate and registration, and drones must be equipped with a remote identification system.

    According to the EASA, drones starting from 900 grams in take-off mass (class identification labels from C1 to C6) are already equipped with a remote identification system, which transmits identification information such as the drone’s serial number, operator registration number, remote pilot position or, if not available, take-off point, and the drone’s location. These drones are mostly used for leisure activities and low-risk commercial activities.

    “After January 1st, 2024, only drones equipped with a remote identification system, updated with the UAS (drone) operator registration number, will be allowed to operate. States may identify geographical zones where remote identification is not mandatory,” the EASA publication reads.

    No training will be required for toy drones and those that are under 250 grams and have no camera or sensors on board. Those fall into the C0 category, for which a minimum remote pilot age of 16 is required unless the drone is a toy.

    For drones under 900 grams, the pilot must complete the online training and pass online theoretical exams. Larger drones require special remote pilot certificates, practical training, and passing an exam.

    Privately built drones and drones placed on the market before 2024 must also not overfly uninvolved people, maintain a horizontal distance of 150m from uninvolved people and urban areas, and maintain flight altitude below 120m above ground level.

    Remote pilots can obtain an EU drone license starting from around €50-€100 online, with the certificate valid for 5 years. The EASA is aware that some illegal websites are selling fake certificates of training: “Please trust only the providers of training and exams that are listed on the NAA website.”

    All remote pilots need to register themselves unless the drone weighs less than 250g and has no camera or other sensor able to detect personal data, or it’s a small drone that complies with a ‘toy’ directive.

    According to the EASA, open-category drone operators need to register themselves in the EU Member State where they have their residence for natural persons or where they have their principal place of business for legal persons. Third-country operators need to register in the first EASA Member State in which they perform an operation.

    Old drones must be retrofitted with remote ID

    All drones in the EU will be required to operate with an active and up-to-date Remote identification (RID) system. There are two ways to satisfy this condition: flying a C-class drone with RID built-in or retrofitting older drone models with an RID module attached to the drone body.

    “Remote identification (RID) technologies allow authorities and any member of the public to identify drones remotely using a smartphone app or dedicated receiver,” Dronetag, an RID manufacturer, which covers 70% of RID device supplies in the US, explained in a press release. “The main goal of RID adoption is to enhance the safety of unmanned aircraft systems operations.”

    RID transmitters can attached to the old drone body. According to Lukas Brchl, CEO of Dronetag, pilots should not ignore the upcoming change.

    “To avoid problems that framed the start of RID in the USA earlier this year, drone operators should get their RID module in advance if they want to use their drones in 2024 safely. The production capacities of all suppliers are limited, so my only advice is to act now. Dronetag team put immense effort into scaling production to the maximum, but we already accept orders with deliveries at the end of January 2024,” Brchl said.

    For small drones, he recommends using Direct RID modules, which transmit identification data via Bluetooth to the drone’s nearby surroundings.

    Resource : https://cybernews.com/security/certificate-and-remote-id-required-drone-pilots-europe/

    8Dec, 2023
    Future Intel, AMD and Arm CPUs Vulnerable to New ‘SLAM’ Attack: Researchers

    Academic researchers have disclosed the details of a new type of attack targeting modern CPUs, particularly future products from Intel, AMD and Arm. 

    The attack has been named SLAM, which stands for ‘Spectre based on Linear Address Masking’, and it was discovered by researchers at VUSec, the systems and network security group at the VU Amsterdam university in the Netherlands. 

    The researchers’ goal was to demonstrate that upcoming hardware-based security features such as Intel’s Linear Address Masking (LAM), AMD’s Upper Address Ignore (UAI) and Arm’s Top Byte Ignore (TBI), which should enable the implementation of fast security checks, can actually increase the surface for Spectre attacks. 

    Spectre is one of the original transient execution CPU vulnerabilities, which can expose potentially sensitive information from memory, such as encryption keys and passwords, to side-channel attacks. 

    According to the researchers, SLAM impacts some current AMD processors, as well as future Intel, AMD and Arm CPUs that will support LAM, UAI and TBI. 

    The experts demonstrated their findings by developing an end-to-end Spectre exploit targeting LAM on upcoming Intel processors. 

    The exploit focuses on the more recent Spectre BHI attack variant, which bypasses some of the hardware mitigations implemented in response to the original Spectre, and abuses various gadgets in the latest Linux kernel to leak the root password hash from kernel memory within minutes.

    Intel, AMD and Arm have been informed about the SLAM attack. Intel, one of the sponsors of the research, said it plans to provide software guidance prior to the release of CPUs that support LAM. In addition, Linux developers created patches to disable the security feature by default until guidance becomes available. 

    Arm has published a security advisory to inform customers about the attack, but noted that existing mitigations for Spectre v2 and Spectre BHI should prevent exploitation. 

    The researchers said AMD also claims existing Spectre v2 mitigations should prevent exploitation and the company has not released further guidance. 

    technical paper detailing the SLAM attack has been made public, along with code and a video showing the exploit in action. 

    Resource : https://www.securityweek.com/future-intel-amd-and-arm-cpus-vulnerable-to-new-slam-attack-researchers/