December 20, 2023
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
The announcement from OpenAI comes in the wake of several major releases focused on AI safety from its chief rival, Anthropic, another leading AI lab that was founded by former OpenAI researchers. Anthropic, which is known for its secretive and selective approach, recently published its Responsible Scaling Policy, a framework that defines specific AI Safety Levels and corresponding protocols for developing and deploying AI models. The two frameworks differ significantly in their structure and methodology. Anthropic’s policy is more formal and prescriptive, directly tying safety measures to model capabilities and pausing development if safety cannot be demonstrated. OpenAI’s framework is more flexible and adaptive, setting general risk thresholds that trigger reviews rather than predefined levels. ... Experts say both frameworks have their merits and drawbacks, but Anthropic’s approach may have an edge in terms of incentivizing and enforcing safety standards. From our analysis, it appears Anthropic’s policy bakes safety into the development process, whereas OpenAI’s framework remains looser and more discretionary, leaving more room for human judgment and error.
The government is looking to develop legislation to "encourage" businesses to voluntarily provide information to ASD and the Cyber Coordinator about a cyber incident under a limited basis that would prevent the agencies from using this information for compliance action against the reporting organizations. The idea is to give more information than current regulation requires so the agencies can provide better support when businesses are under attack and to mitigate harms to individuals arising from cyber security incidents. ... Home Affairs is seeking input from industry on the design and implementation of a cyber incident review board (CIRB). It is proposed that the CIRB would conduct no-fault incident reviews to reflect on lessons learned from cyber incidents, and share these lessons learned with the Australian public. The paper stated that the CIRB would not be a law enforcement, intelligence or regulatory body. It would be allowed to request information related to a cyber incident but would not have powers to compel an organization to do so.
CIOs, CISOs, and other IT leaders should keep a watchful eye on the EU's regulatory developments, Martha Heller, CEO at executive search firm Heller Search, tells InformationWeek. “The EU’s legislative move to curtail the power of US tech companies is a double-edge sword,” she says in an email interview. “Its mandate that the largest US-based tech companies give users more choice among services could give smaller technology companies a fighting chance. But its bias against US tech companies could limit the US’s ability to compete on the global market.” Heller adds, “As both producers and enterprise consumers of technology, CIOs and CTOs should pay close attention to the EU, as it leverages its watchdog position.” ... For CIOs, keeping track of regulatory considerations is not getting easier moving forward. “You have five big US tech companies that are primarily affected,” Chin-Rothmann says. “You must look at that in context with all of the other digital laws globally. It’s going to be a pretty complex regulatory patchwork. And when the EU regulates, other countries tend to follow suit.”
Our analysis indicates that in this new campaign, threat actors’ intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users’ credentials in order to then access and likely monetize their banking information. Our data shows that threat actors purchased malicious domains in December 2022 and began executing their campaigns shortly after. Since early 2023, we’ve seen multiple sessions communicating with those domains, which remain active as of this blog’s publication. Upon examining the injection, we discovered that the JS script is targeting a specific page structure common across multiple banks. When the requested resource contains a certain keyword and a login button with a specific ID is present, new malicious content is injected. Credential theft is executed by adding event listeners to this button, with an option to steal a one-time password (OTP) token with it. This web injection doesn’t target banks with different login pages, but it does send data about the infected machine to the server and can easily be modified to target other banks.
The latest initial infection vector is a malicious Google ad for AnyDesk that, when clicked by a victim from the search results page, redirects to a fake website named anadesky.ovmv[.]net that points to a malicious MSI installer hosted on Dropbox. It's worth pointing out that the redirection to the bogus website only occurs after fingerprinting the request, and only if it's not originating from a virtual machine. "The threat actors are bypassing Google's security checks with a tracking URL via a legitimate marketing platform to redirect to their custom domain behind Cloudflare," Segura explained. "At this point, only clean IP addresses are forwarded to the next step." Interestingly, a second round of fingerprinting takes place when the victim clicks on the download button on the website, likely in an added attempt to ensure that it's not accessible in a virtualized environment. Malwarebytes said the attacks are reminiscent of previously identified malvertising chains employed to disseminate another loader malware known as FakeBat (aka EugenLoader).
As the university trio put it this week, a successful Terrapin attack can "lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks in OpenSSH 9.5." In some very specific circumstances, it could be used to decrypt some secrets, such as a user's password or portions of it as they log in, but this is non-trivial and will pretty much fail in practicality. Let's get to the nitty gritty. We'll keep it simple; for the full details, see the paper. When an SSH client connects to an SSH server, before they've established a secure, encrypted channel, they will perform a handshake in which they exchange information about each other in plaintext. Each side has two sequence counters: one for received messages, and one for sent messages. Whenever a message is sent or received, the relevant sequence counter is incremented; the counters thus keep a running tally of the number of sent and received messages for each side. As a MITM attack, Terrapin involves injecting a plaintext 'ignore' message into the pre-secure connection, during the handshake, so that the client thinks it came from the server and increments its sequence counter for received messages. The message is otherwise ignored.
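The counter bookkeeping described above can be modelled in a few lines. This is an added example, not code from the paper or from OpenSSH: it is a toy model of the server-to-client direction only, with constructed function names, and it goes one step beyond the excerpt by also showing the "strict key exchange" style of check that OpenSSH added in response to Terrapin, under which any message not required by the handshake aborts the connection.

```python
# Toy model of SSH packet sequence counters in the server -> client direction.
# Constructed for illustration; it is not an SSH implementation.

# Message numbers from RFC 4253.
MSG_IGNORE, MSG_KEXINIT, MSG_NEWKEYS, MSG_KEXDH_REPLY = 2, 20, 21, 31

# What the server really sends, in plaintext, before encryption starts.
SERVER_HANDSHAKE = [MSG_KEXINIT, MSG_KEXDH_REPLY, MSG_NEWKEYS]

# Under the strict check, only these are acceptable during the first handshake.
KEX_ALLOWED = {MSG_KEXINIT, MSG_KEXDH_REPLY, MSG_NEWKEYS}


class StrictKexViolation(Exception):
    """Raised when a non-handshake message arrives before encryption starts."""


def handshake(inject_ignore: bool, strict_kex: bool) -> tuple[int, int]:
    """Return (server_sent, client_received) once the handshake completes."""
    server_sent = 0
    wire = []
    for msg in SERVER_HANDSHAKE:
        server_sent += 1          # server counts every message it sends
        wire.append(msg)

    if inject_ignore:
        # The on-path party adds a plaintext IGNORE the server never sent.
        wire.insert(1, MSG_IGNORE)

    client_received = 0
    for msg in wire:
        if strict_kex and msg not in KEX_ALLOWED:
            raise StrictKexViolation(f"unexpected message {msg} during handshake")
        client_received += 1      # counted even though IGNORE has no other effect
    return server_sent, client_received


def skew(inject_ignore: bool, strict_kex: bool = False) -> int:
    """How far the client's receive counter is ahead of the server's send counter."""
    sent, received = handshake(inject_ignore, strict_kex)
    return received - sent


if __name__ == "__main__":
    print("clean handshake skew:", skew(False))
    print("injected IGNORE skew:", skew(True))
    try:
        skew(True, strict_kex=True)
    except StrictKexViolation as exc:
        print("strict check aborted the connection:", exc)
```

A non-zero skew is the condition a defender cares about: the two ends no longer agree on how many messages have been exchanged, and without the strict check neither end notices.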