March 12, 2024
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | BU Soft Tech | itTrident | Former Sr. VP & CTO of MF Utilities
There is more than BitLocker in an operating system that will allow control over encryption settings. Often you are mandated in a firm to ensure that all sensitive data at rest is kept secure. Older operating systems may not natively provide the necessary internal encryption of application-layer encryption. Specific group policies are included in Windows that target how passwords are stored. A case in point is the setting “Store passwords using reversible encryption”. This policy, if enabled, would lower the security posture of your firm. Older protocols being used in such locations as web servers and IIS may mandate that you enable these settings. Thus, you may want to audit your web servers to see if any developer mandate has indicated that you must have lesser protections in place. For example, if you use challenge handshake authentication protocol (CHAP) through remote access or internet authentication services (IAS), you must enable this policy setting. CHAP is an authentication protocol used by remote access and network connections. Digest authentication in internet information services (IIS) also requires that you enable this policy setting.?
More broadly, the EDPS’ corrective measures require the Commission to fix its contracts with Microsoft — to ensure they contain the necessary contractual provisions, organizational measures and/or technical measures to ensure personal data is only collected for explicit and specified purposes; and “sufficiently determined” in relation to the purposes for which they are processed. Data must also only be processed by Microsoft or its affiliates or sub-processors “on the Commission’s documented instructions”, per the order — unless it takes place within the region and processing is for a purpose that complies with EU or Member State law; or, if outside the region to be processed for another purpose under third-country law there must be essentially equivalent protection applied. The contracts must also ensure there is no further processing of data — i.e. uses beyond the original purpose for which data is collected. The EDPS found the Commission infringed the “purpose limitation” principle of applicable data protection rules by failing to sufficiently determine the types of personal data collected under the licensing agreement it concluded with Microsoft Ireland, meaning it was unable to ensure these were specific and explicit.
The report focuses on two key risks: weaponization and loss of control. Weaponization includes risks such as AI systems that autonomously discover zero-day vulnerabilities, AI-powered disinformation campaigns and bioweapon design. Zero-day vulnerabilities are unknown or unmitigated vulnerabilities in a computer system that an attacker can use in a cyberattack. While there is still no AI system that can fully accomplish such attacks, there are early signs of progress on these fronts. Future generations of AI might be able to carry out such attacks. “As a result, the proliferation of such models – and indeed, even access to them – could be extremely dangerous without effective measures to monitor and control their outputs,” the report warns. Loss of control suggests that “as advanced AI approaches AGI-like levels of human- and superhuman general capability, it may become effectively uncontrollable.” An uncontrolled AI system might develop power-seeking behaviors such as preventing itself from being shut off, establishing control over its environment, or engaging in deceptive behavior to manipulate humans.?
领英推荐
Most recently, researchers with cybersecurity vendor GuidePoint Security that the operators behind the BianLian ransomware were exploiting the TeamCity vulnerabilities, initially trying to execute their backdoor malware written in the Go programming language. After failed attempts, the group turned to living-of-the-land methods, using a PowerShell implementation of the backdoor, which provided them with almost identical functionality, the researchers wrote in a report. They detected the attack during an investigation of malicious activity within a customer’s network. It was unclear which of the two vulnerabilities the BianLian attackers exploited, they wrote. After leveraging a vulnerable TeamCity instance to gain initial access, the bad actors were able to create new users in the build server and executed malicious commands that enabled them to move laterally through the network and run post-exploitation activities. ... “The threat actor was detected in the environment after attempting to conduct a Security Accounts Manager (SAM) credential dumping technique, which alerted the victim’s VSOC, GuidePoint’s DFIR team, and GuidePoint’s Threat Intelligence Team (GRIT) and initiated the in-depth review of this PowerShell backdoor,” the researchers wrote.
While advertisers must focus on forging their paths forward in a cookieless landscape, it’s worth considering what comes next for Google. As privacy concerns dwindle with the deprecation of third-party cookies, there’s good reason to believe that antitrust concerns will grow regarding the industry titan. The timing of Google’s deprecation of third-party cookies on Chrome, coming years after Safari and Firefox made the same move, is telling. The simple reality is that Google did not want to make this move until it could develop an alternate approach that enabled the tracking, targeting and monetization of logged-in Chrome users. Now that Google has had the time to secure its ad revenue against any major disruptions, it will end the cookie’s reign. This move will garner added scrutiny from regulators who have already set their antitrust sights on Google in the past. With the deprecation of third-party cookies, Google retains end-to-end control of a massive swath of the advertising technology that powers the internet, and the company is going to be sharing less and less of that power (in the form of data and insights) with its clients and other parties.
Typosquatting criminals are constantly refining their craft in what seems to be a never-ending cat and mouse conflict. Several years ago, researchers discovered the homograph ploy, which substitutes non-Roman characters that are hard to distinguish when they appear on screen. ... In an Infoblox report from last April entitled "A Deep3r Look at Lookal1ke Attacks," the report's authors stated that "everyone is a potential target." "Cheap domain registration prices and the ability to distribute large-scale attacks give actors the upper hand," they wrote in the report. "Attackers have the advantage of scale, and while techniques to identify malicious activity have improved over the years, defenders struggle to keep pace." For instance, the report shows an increasing sophistication in the use of typosquatting lures: not just for phishing or simple fraud but also for more advanced schemes, such as combining websites with fake social media accounts, using nameservers for major spear-phishing email campaigns, setting up phony cryptocurrency trading sites, stealing multifactor credentials and substituting legitimate open-source code with malicious to infect unsuspecting developers.