Compliance Archives - My TechDecisions
https://mytechdecisions.com/category/compliance/
The end user’s first and last stop for making technology decisions

5 Things You Need to Know About the White House Executive Order on Artificial Intelligence
Wed, 28 Feb 2024 15:54:51 +0000
With the launch of artificial intelligence (AI) programs like ChatGPT, it seems clear that AI has entered the zeitgeist. A host of questions and concerns about AI’s security and privacy features have arisen as its use becomes more ubiquitous. In October 2023, the White House issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence as a response to the growing pervasiveness of AI in society. It has been lauded by researchers and technologists as a decisive first step towards ensuring that future AI development will be guided by strong standards that account for the critical areas it touches in daily life.

The White House Center for Science and Technology Policy defined the five core principles that underpin the Blueprint for an AI Bill of Rights. In July 2023, several large technology companies including Google and Meta convened at the White House to announce voluntary commitments advancing the safe, secure, and transparent development of AI. The latest order sets out to define standards for safety and security, advance equity and civil rights, promote innovation and competition, and ensure transparency to protect consumers. This sweeping order also promises to foster strong international collaboration to ensure the same principles guide global AI development. Let’s delve into the key areas and explore five main takeaways.

1) Defines New Standards for AI Safety & Security

The executive order requires that companies developing the most powerful AI algorithms notify the government when they are training these models and share critical safety test data with the U.S. government. This will apply to models that may pose national security, economic, public health, and safety risks. The National Institute of Standards and Technology (NIST) will develop rigorous standards to ensure that AI systems are secure and trustworthy prior to their public release. The order also builds on the Biden-Harris Administration Artificial Intelligence Cyber Challenge (AIxCC) with a cybersecurity program that encourages the adoption of AI tools to flag and mitigate vulnerabilities in critical software.

2) Emphasizes Privacy & Data Protection

The Biden Administration’s order is developing programs that will evaluate and develop best practices for federal agencies to protect data privacy for Americans. This program will fund the creation of a Research Coordination Network which will collaborate closely with the National Science Foundation to encourage widespread adoption of cutting-edge privacy technologies by federal agencies. This order also requires that federal agencies be provided with stronger guidance on how they collect and use commercially available information in order to mitigate the risks posed by AI.

3) Advances Equity & Civil Rights

The Blueprint for an AI Bill of Rights identifies algorithmic discrimination as an emerging area that undermines equality and civil rights. Guidelines and best practices will be developed to help ensure that AI is used responsibly in the criminal justice system, in benefits programs, by federal contractors and landlords, and in workplaces. Federal law enforcement agencies will be equipped with the knowledge, skills, and tools to properly investigate and prosecute civil rights violations that involve the use of AI.

4) Advocates for Patients, Workers & Consumers

Society enjoys real benefits from AI applications — including improved healthcare research and delivery, greater productivity, and more personalized experiences in several settings. However, AI brings with it increased workplace surveillance, bias, and potential for discrimination in medical, employment, consumer, and educational settings. The White House Executive Order on Artificial Intelligence benefits workers by defining guiding principles and best practices to ensure employers do not misuse AI to exploit or discriminate against workers. It also establishes a budget to ensure that AI is used effectively and ethically for the development of lifesaving healthcare treatments and to correct healthcare practices.

5) Promotes American Leadership in AI Innovation & Fosters Competition

This order, along with others issued in recent years, fosters breakthrough innovation by authorizing pilot programs, grants and education opportunities. It also emphasizes the need for international, multi-disciplinary collaboration to ensure that the future of AI is safe and trustworthy everywhere. To this end, the State and Commerce Departments will lead international efforts to institute effective frameworks and accelerate the creation of crucial international AI standards that will mitigate risks while still allowing people to take advantage of AI’s many benefits.

The executive order’s standards, best practices, and principles lay a strong foundation for developing responsible, equitable AI systems. The U.S., in collaboration with international partners, aims to ensure that AI is trustworthy, upholds individual rights, and reaches its fullest potential in support of critical global initiatives. AI is still in its early stages, but this Bill marks an important milestone.


Jennifer Mullen, Emerging Technology Solutions at Keysight Technologies (KEYS)

7 Layers of DDoS Attacks and How To Prevent Them
Thu, 28 Dec 2023 14:50:21 +0000
As businesses come to rely on the Internet for traction and revenue, that growing reliance makes them an easy target for Distributed Denial of Service (DDoS) attacks. As with any new venture, risk is an unavoidable part of it.

For eCommerce businesses, the main risk is DDoS attacks. A DDoS attack is a malicious attempt to destabilize and halt services or products, and its biggest impact is disrupted operations. By making products or services utterly inaccessible to consumers, DDoS attacks effectively eliminate any incoming profits.

The key to protecting your business and keeping out these intrusions lies in understanding how they work. In this article, we will review the different layers of attack and ways to prevent them.

7 Layers of DDoS Attacks

1. Physical Layer Attacks

These DDoS attacks target the network or infrastructure of a business. Using a range of techniques, such as overloading network switches, jamming wireless signals, or physically cutting cables, attackers can cut income streams if they can access a business’s location. The difficulty in preventing these attacks lies in how unpredictable people can be. One of the best ways to combat them is to install surveillance that regularly monitors for suspicious activity and alerts owners to it. This can mitigate risks, especially if alerts go directly to the police.

2. Data Link Layer Attacks

Unlike physical layer attacks, data link attacks target how network devices communicate. With a spoofed MAC (Media Access Control) address, attackers can trick digital devices into communicating with a fake network device. In other cases, attackers use STP (Spanning Tree Protocol) attacks to manipulate how the network switches forward traffic. The only way to manage this is to ensure businesses have a foolproof authentication mechanism, including MAC filtering that drives smooth configuration.

3. Network Layer Attacks

Network layer attacks work by affecting data that is transmitted across the Internet. Through IP (Internet Protocol) fragmentation attacks, data is sent in small batches to overwhelm network devices. Or, attackers can engage in ICMP (Internet Control Message Protocol) floods where a target is drowned with ICMP messages. To prevent such occurrences, firewalls and intrusion detection systems should be utilized to block or flag uncommon network traffic.

4. Transport Layer Attacks

As the name suggests, transport layer attacks target how data is transmitted between network devices. In a TCP (Transmission Control Protocol) SYN flood, attackers send a high volume of TCP SYN requests to a target. In a UDP (User Datagram Protocol) flood, a high volume of UDP packets is sent to the target. Businesses therefore need to implement load balancers and rate limiters to keep a high volume of traffic from overwhelming their network devices, which reduces or prevents transport layer attacks.

5. Session Layer Attacks

Not limited to network devices, DDoS attacks can also occur in applications by targeting how they communicate. Using techniques such as SSL (Secure Sockets Layer) attacks, attackers exploit vulnerabilities in SSL/TLS (Transport Layer Security) protocols to intercept data, or they can drown a target with SIP (Session Initiation Protocol) messages. The easiest way to prevent session layer attacks is by ensuring applications are securely configured with updated SSL/TLS certificates.

6. Presentation Layer Attacks

As the name implies, presentation layer attacks work by attacking how information is presented to users. Through techniques such as XML (Extensible Markup Language) attacks, attackers either exploit vulnerabilities in XML parsers to execute malicious code or implement XSS (Cross-Site Scripting) attacks, where they inject malicious scripts into web pages. Firms can avoid presentation layer attacks with secure coding practices and frequent vulnerability scans.

7. Application Layer Attacks

Application layer attacks focus on the way applications function. Using techniques such as SQL (Structured Query Language) injection attacks, attackers inject malicious SQL queries into a target application to gain unauthorized access to data. In other cases, they can also use RFI (Remote File Inclusion) attacks to exploit vulnerabilities in web applications to execute malicious code. Unlike with the other layers, you can educate employees to prevent these attacks. You can eradicate this possibility by focusing on coding practices, phishing awareness, and password hygiene.

DDoS Protection

DDoS protection takes a conscious community effort to keep firms up and running. For businesses to excel, driving revenue and consumers to the store is no longer an option. Cybersecurity is vital to help safeguard existing assets and keep revenue flowing. Hence, implementing these features and staying vigilant should be paramount for businesses to flourish.

Spike in Cyberattacks Exposes Vulnerabilities in University Security Measures
Mon, 21 Aug 2023 15:35:18 +0000
Note: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to My TechDecisions.

As expected from authorities anticipating an increase in threats to the education sector, cyberattacks are continuing to wreak havoc on colleges and universities across the United States. As of the beginning of May, there had already been 27 confirmed ransomware attacks against U.S. institutions. These ransomware numbers only tell part of the story as data breaches, malware attacks, and more account for an even greater number of threats, not all of which are reported to the public as they occur.

The second quarter of 2023 has seen a flurry of cyberattacks strike higher education institutions, including West Virginia’s Bluefield University, Tennessee’s Chattanooga State Community College, and Georgia’s Mercer University, among others. Beyond the obvious consequences of ransom payments and leaked personal data, some of the most severe attacks in recent memory have culminated in the delay and cancelation of classes, as well as the closure of one college in Illinois entirely.

With attacks against higher education on the rise year-over-year, campuses have become one of the top targets for attempted data breaches, ransomware attacks, malware, and more. Feeling the effects of various financial and/or technological hurdles, most schools are not currently equipped with the security controls to adequately defend themselves from increasingly sophisticated cyber threats that continue to hamper the community.

This increase in cyberactivity should serve as a wake-up call for higher education institutions to reevaluate and enhance their cybersecurity postures. Here are some of the top considerations for higher education leaders seeking to plug the gaps in their cybersecurity strategy.

Securing Data

One of the recurring themes in attacks against higher education is the vulnerability of sensitive data. From student, staff, and faculty information to sensitive school records, there are countless data assets that, if breached, can be weaponized against institutions.

Data exfiltration, or unauthorized data transfer, is a leading threat to data security in higher education. To help prevent data loss, colleges and universities need to be able to monitor user and entity behavior analytics (UEBA) and to watch their network using a network detection and response (NDR) tool. This allows schools to detect, qualify, and remediate any anomalous activity at the individual level, as well as malicious or unauthorized attempts at exfiltration.

Managing Access

For colleges and universities, student information, research data, and assessment criteria are all critical to daily operations. However, it can be common for institutions to encounter unauthorized access to these types of crucial information due to a lack of IT resources and necessary safeguards. This can result in the loss of confidentiality, integrity, and availability of technological assets, among other things.

To better facilitate and manage user access to sensitive data, schools should implement an effective IT security strategy intentionally designed to protect critical assets. This strategy should include the compartmentalization of data and provide a least-privilege approach to accessing that data. Under a least-privilege approach, users are only granted access to the data required for their specific roles. This helps to prioritize the protection of the intellectual property that is so valuable to higher education institutions. In doing so, schools can better protect both their reputations and the privacy of their students and employees.

Detecting Threats

Even with cybersecurity mechanisms in place, no security threat can be resolved if it goes undetected. Colleges and universities must be able to detect, alert and automate security response capabilities when threats arise. Institutions should consider adopting security orchestration, automation, and response (SOAR) tools to help standardize and scale their incident response.

By relying on SOAR, schools can automate workflows to accelerate various stages of the threat investigation and response processes. Depending on the severity of a particular threat, it can be escalated to key decision-makers for a manual response or remediated automatically (or semi-automatically) from a playbook of preselected actions. Ultimately, SOAR is intended to help security teams cut through the noise and allow them to prioritize and direct their attention toward the most pressing threats.

Protecting and Prospering

Given the attack patterns of the last two years, cyberattacks in higher education are not going away overnight. Colleges and universities continue to be targeted by malicious actors for a reason. As long as institutions remain underequipped to monitor and respond to cybersecurity threats, they will find themselves with a target on their back.

Regardless of an institution’s budgetary constraints, there are tried and true precautions that can be taken to better protect their campus. Implementing threat detection, stricter access controls, and stronger data security measures are all foundational components of an effective cybersecurity strategy. By solidifying that foundation, colleges and universities can do their part to avoid being next in the line of higher education victims.

Another version of this article originally appeared on our sister-site Campus Safety on August 14, 2023. It has since been updated for My TechDecisions’ audience.


Kevin Kirkwood is Deputy CISO for LogRhythm.

Google: Bard Now 30% Better at Computation-Based Problems
Thu, 08 Jun 2023 17:09:14 +0000
As Microsoft, OpenAI and several other tech firms add new features and enhancements to their generative AI models, Google is following suit with new improvements to Bard that strengthen the chatbot’s math and coding capabilities, as well as an export feature.

The company says these improvements have improved Bard’s accuracy on computation-based word and math problems by 30%.

According to Google, the company is introducing a new technique called “implicit code execution” to help Bard detect computational prompts and run code in the background. The intended result is a more accurate response to mathematical tasks, coding questions and string manipulation prompts. These improvements also come with a new feature that allows users to export a table to Google Sheets.

In a blog, Google leaders overseeing Bard say the improvements will make the generative AI chatbot better at answering questions such as:

  • What are the prime factors of 15683615?
  • Calculate the growth rate of my savings
  • Reverse the word “Lollipop” for me

In the blog, Google says large language models (LLMs) are like prediction engines. Essentially, LLMs generate a response to prompts by predicting what words are likely to come next.

“As a result, they’ve been extremely capable on language and creative tasks, but weaker in areas like reasoning and math,” write Google Bard leaders. “In order to help solve more complex problems with advanced reasoning and logic capabilities, relying solely on LLM output isn’t enough.”

This new method, however, allows Bard to generate and execute code to boost its reasoning and math abilities.

According to Google, this approach is inspired by a well-studied dichotomy in human intelligence, notably covered in Daniel Kahneman’s book “Thinking, Fast and Slow” — the separation of “System 1” and “System 2” thinking.

“System 1 thinking is fast, intuitive and effortless,” the Bard experts write. “When a jazz musician improvises on the spot or a touch-typer thinks about a word and watches it appear on the screen, they’re using System 1 thinking. System 2 thinking, by contrast, is slow, deliberate and effortful. When you’re carrying out long division or learning how to play an instrument, you’re using System 2.”

LLMs have been essentially operating under System 1, producing responses quickly but without deep thought, which leads to issues when they try to solve complex math problems.

Meanwhile, traditional computation more closely aligns with System 2 thinking as it is formulaic and inflexible, but can produce impressive results with the “right sequence of steps,” Google says.

With the latest update, Google is combining the capabilities of both LLMs and traditional code – which it compared to combining System 1 and System 2 thinking.

“Through implicit code execution, Bard identifies prompts that might benefit from logical code, writes it “under the hood,” executes it and uses the result to generate a more accurate response,” Google says. “So far, we’ve seen this method improve the accuracy of Bard’s responses to computation-based word and math problems in our internal challenge datasets by approximately 30%.”

Cisco Live 2023: Simplified Management, Enhanced Security, AI
Tue, 06 Jun 2023 18:45:03 +0000
Cisco used its annual Cisco Live event to announce new products and innovations designed to make IT management, security and networking more simplified with the help of artificial intelligence, unified platforms and other enhanced capabilities.

At Cisco Live in Las Vegas, Cisco announced Cisco Networking Cloud for simplified IT management, security service edge solution Cisco Secure Access, a new Secure Firewall 4200, Cisco Multicloud Defense, Cloud Native Application Security, Full-Stack Observability, a generative AI-powered security assistant and a new Webex device.

Cisco Networking Cloud

Cisco announced its vision for the Cisco Networking Cloud: to simplify network management via a single platform experience for seamlessly managing all networking domains.

New innovations include single sign-on, API key exchange/repository, sustainable data center networking solutions and expanded network assurance with Cisco ThousandEyes.

Cisco says Networking Cloud will “dramatically simplify IT” with a more flexible Cisco Catalyst switch stack, improved visibility into data center power and energy consumption and new AI data center blueprints to improve performance and visibility for network operations.

Security enhancements

Cisco announced several new security tools and enhancements, including a new security service edge solution for hybrid work security, generative AI capabilities and innovations across firewall, multicloud and application security.

The company during its Cisco Live event announced its first generative AI capabilities in the Security Cloud, including an AI-powered Policy Assistant designed to help security and IT administrators describe granular security policies and evaluate how best to implement them across different aspects of their security infrastructure. It will be available later this year.

Cisco also announced a new SOC Assistant, available by the end of the year, to help support SOC analysts and detect and respond to threats faster by contextualizing events across email, web, endpoints and the network to tell the analyst what happened and the impact.

In addition, Cisco announced the Cisco Firewall 4200 Series, featuring AI and ML-based encrypted threat blocking without decryption, complete threat inspection and policy for each individual application and simplified branch routing. Cisco Secure Firewall 4200 Series appliance will be generally available in September 2023 supporting the 7.4 version of the operating system. The 7.4 OS will be generally available for the rest of the Secure Firewall appliance family in December 2023.

Cisco also announced new capabilities in Panoptica, the company’s cloud-native application security solution including Cloud Security Posture Management, a new attack path engine and an integration with Cisco’s Full Stack Observability portfolio.

Full-Stack Observability

The company also used its Cisco Live event to announce the general availability of its Full-Stack Observability (FSO) platform to give customers the ability to develop and grow an application ecosystem built on an open, extensible architecture, including new use cases in a single consumption model. Additionally, Cisco’s new bi-directional integration between AppDynamics and ThousandEyes drives powerful customer digital experience monitoring and closes observability gaps with rapid actionable recommendations and insights, the company says.

Room Bar Pro

Also at Cisco Live, Cisco announced the Room Bar Pro, a new easy-to-deploy video bar with “significant processing power, more connections, touch screen integration, and all of the advanced AI capabilities built into (Cisco’s) RoomOS platform.”

Cisco says the Room Bar Pro, based on the powerful NVIDIA processor, is optimized for medium workspaces (5-12 seats) of varying shapes. The device also features a dual camera system that reaches further, wider, and frames everyone in the room in ultra-high quality, even when participants are sitting at the ends of the table.

Ransomware Groups Confirmed to be Exploiting MOVEit Bug
Mon, 05 Jun 2023 20:55:53 +0000
Cybersecurity firms are reporting widespread exploitation of the MOVEit Transfer vulnerability across a wide range of organizations large and small, with some publicly confirming that known ransomware groups are leveraging the flaw.

That includes Microsoft, which is attributing the attacks exploiting the bug, tracked as CVE-2023-34362, to a group it calls “Lace Tempest,” which is known for ransomware operations and running the Clop extortion site.

The Redmond, Wash. tech giant says the group has used similar vulnerabilities in file transfer tools to steal data and extort victims in the past.

In a series of tweets, the Microsoft Threat Intelligence Twitter account revealed several details on the attacks, saying exploitation is typically followed by deployment of a web shell with data exfiltration capabilities.

According to Progress Software, the vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. MOVEit Transfer customers are advised to take immediate action to help protect their environment. Organizations are urged to apply the patch immediately.

According to a statement from a MOVEit spokesperson, the company promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. “We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Affecting all supported MOVEit Transfer versions, CVE-2023-34362 is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the company says.

In the meantime, MOVEit says it’s continuing to work with cybersecurity experts to investigate the issue. A company spokesperson said in a statement, “We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

Experts Weigh in On MOVEit Vulnerability

On Monday, reports of widespread exploitation came pouring in, as several security firms say their customers are under active attack.

Caitlin Condon, senior manager for security research at Rapid7, says the company has responded to alerts across a range of organizations from small businesses to enterprises with “tens of thousands of assets.”

There doesn’t appear to be any particular target vertical or organizational profile, Condon says, as victim organizations have so far included technology, insurance, manufacturing, municipal government, healthcare and financial services. The amount of data varies case by case, but Rapid7 has responded to “multiple incidents where several dozen gigabytes of data was stolen,” Condon says.

In a Rapid7 blog, the company says it has observed an uptick in related cases since the bug was disclosed last week, and the company’s researchers say the vulnerability was exploited at least four days prior to Progress Software’s first advisory on May 31.

These updates confirm what Satnam Narang, senior staff research engineer at Tenable, said last week, attributing the exploitation of file transfer tools to double extortion ransomware groups like Clop.

“While we don’t know the specifics around the group behind the zero day attacks involving MOVEit, it underscores a worrisome trend of threat actors targeting file transfer solutions,” Narang said last week. “Organizations that use MOVEit software should assume compromise and engage in incident response to determine the potential impact, if any.”

MOVEit customers are advised to check for indicators of compromise and unauthorized access over at least the past 30 days.

The Cyberattacks and Insider Threats During The Development of China’s C919 Passenger Jet https://mytechdecisions.com/network-security/the-cyberattacks-and-insider-threats-during-the-development-of-chinas-c919-passenger-jet/ Mon, 05 Jun 2023 19:59:22 +0000

Over the weekend, China claimed a major win by launching the first commercial flight of the C919, the country’s first domestically manufactured large passenger jet built by the Commercial Aviation Corporation of China (COMAC). However, some non-China-based aviation manufacturers and cybersecurity firms may opt to use the term “domestically manufactured” loosely.

According to CNN, the C919’s first flight left Shanghai at 10:32 a.m. Sunday and landed at the Beijing Capital International Airport at 12:31 p.m. This is being hailed as an important moment in China’s strategy to boost domestic manufacturing by 2025 and reduce reliance on foreign companies in the aviation sector.

While the airplane is manufactured in China, many of its components come from Western companies. Adding to the scrutiny of the aircraft’s development are allegations that a Chinese state-aligned adversary conducted cyber intrusions against several of the companies that make the C919’s components. These allegations are laid out in a lengthy and detailed 2019 report from cybersecurity firm CrowdStrike as well as a series of indictments against both cyber actors and insiders.

CrowdStrike could not be reached for comment, so this article is sourced entirely from the firm’s report and U.S. Department of Justice indictments.

In its report, CrowdStrike says its research corroborates a series of DOJ indictments, released over the course of two years during the C919’s development, that strongly suggest cyber actors from China, company insiders and state directives targeted foreign companies to fill key technology and intelligence gaps to better compete against the Western aerospace industry.

“What follows is a remarkable tale of traditional espionage, cyber intrusions, and cover-ups, all of which overlap with activity CrowdStrike Intelligence has previously attributed to the China-based adversary TURBINE PANDA,” CrowdStrike said in the 2019 report, alleging that the operations can be traced back to China’s Ministry of State Security’s (MSS) Jiangsu Bureau, the alleged perpetrators of the infamous 2015 U.S. Office of Personnel Management (OPM) breach.

Cyberattacks beginning in 2010

According to CrowdStrike, Turbine Panda conducted cyber intrusions between 2010 and 2015 against foreign manufacturers of aviation components, including many that were chosen for the C919.

The state-owned enterprise (SOE) Commercial Aircraft Corporation of China announced in December 2009 that it had chosen CFM International’s (a joint venture between U.S.-based GE Aviation and French aerospace firm Safran, formerly Snecma) LEAP-X engine to provide a custom variant engine, the LEAP-1C, for the then-newly announced C919.

Despite the deal, both COMAC and fellow SOE the Aviation Industry Corporation of China were believed to be tasked by China’s State-owned Assets Supervision and Administration Commission of the State Council (SASAC) with building an “indigenously created” turbofan engine that was comparable to the LEAP-X, CrowdStrike says in its report. In 2016, the Aero Engine Corporation of China produced the CKJ-1000AX engine, which bears multiple similarities to the LEAP-1C engine.

While CrowdStrike admitted that it is difficult to assess if the Chinese engine is a direct copy, the cybersecurity firm said it is highly likely that its makers benefitted significantly from the cyber campaign of the Jiangsu Bureau of the MSS (JSSD).

CrowdStrike, citing its own intelligence reporting and U.S. government sources, says the Chinese government uses a “multi-faceted system” of forced technology transfer, joint ventures, physical theft from insiders and cyber espionage to acquire information to fill key knowledge gaps.

One DOJ indictment, CrowdStrike says, describes initial preparatory action that included compromising Los Angeles-based Capstone Turbine servers and later using a doppelganger site as a strategic web compromise (SWC) in combination with DNS … to compromise other aerospace firms.”

From 2010 to 2015, the linked JSSD operators are believed to have targeted a variety of aerospace-related targets … using two China-based APT favorites, PlugX and Winnti, and malware assessed to be unique to the group dubbed Sakula.

Many individuals associated with the campaign are “assessed to have storied histories in legacy underground hacking circles within China dating back to at least 2004,” CrowdStrike says, citing the DOJ.

Indictments

As detailed in CrowdStrike’s report, the U.S. Department of Justice released several indictments from 2017 through October 2018, charging several individuals with activities related to theft of trade secrets and hacking related to the development of the C919.

The indictments were against Sakula developer YU Pingan, JSSD Intelligence Officer XU Yanjun, GE employee and insider ZHENG Xiaoqing, U.S. Army Reservist and assessor JI Chaoqun, and 10 JSSD-affiliated cyber operators.

“What makes these DoJ cases so fascinating is that, when looked at as a whole, they illustrate the broad, but coordinated efforts the JSSD took to collect information from its aerospace targets,” CrowdStrike says in its report. “In particular, the operations connected to activity CrowdStrike Intelligence tracked as TURBINE PANDA showed both traditional human-intelligence (HUMINT) operators and its cyber operators working in parallel to pilfer the secrets of several international aerospace firms.”

Insiders

CrowdStrike and the DOJ also detail how insiders and IT employees helped steal information and cover up the cyber activities, offering new insight into how adversaries leverage a wide variety of tools and techniques to accomplish their goals.

According to CrowdStrike and the DOJ, a GE insider was charged with using “an elaborate and sophisticated means” to steal GE trade secrets after being recruited by a Chinese aerospace official closely aligned with the country’s Ministry of Industry and Information Technology.

In addition, IT employees at the Canada-based International Civil Aviation Organization (ICAO), the United Nations body that sets global aviation standards, allegedly covered up a cyber intrusion by another alleged China state-sponsored actor that had been observed targeting the aviation industry.

CrowdStrike, citing public reporting, says the intrusion at ICAO was “likely designed to facilitate a strategic web compromise (SWC) attack … that would easily provide a springboard to target a plethora of other aerospace-related as well as foreign government victims.”

“Upon being alerted to the breach by the Aviation Information Sharing and Analysis Center (AISAC), the ICAO internal IT investigation staff was reportedly grossly negligent, and the cyber intruders may have had direct access to one of their superuser accounts,” CrowdStrike says in its report. “In addition, a file containing a list of all the potential organizations who were compromised by the incident mysteriously disappeared during further investigations.”

Both the ICAO IT supervisor in charge of the mishandled internal investigation and the ICAO’s secretary general, who shelved recommendations to investigate the IT supervisor and his four team members, were found by CrowdStrike to have ties to China’s aviation industry, according to the report.

Takeaways from four years later

This article is just a snippet of CrowdStrike’s reporting and what Turbine Panda and other associated groups are alleged to have done to help boost the Chinese aviation sector. But more than that, it tells the tale of how advanced persistent threat (APT) groups and other sophisticated threat actors will go to extraordinary lengths to accomplish their end goals.

That includes advanced hacking techniques, leveraging insiders, physical theft and collaborating with the massive underground cybercrime community to launch multi-faceted attacks against a particular organization or industry.

Kaspersky Discovers New 0-Click iOS Exploit https://mytechdecisions.com/it-infrastructure/kaspersky-discovers-new-0-click-ios-exploit/ Thu, 01 Jun 2023 21:46:50 +0000

Cybersecurity firm Kaspersky says it is investigating “previously unknown” malware targeting its own employees’ Apple iOS devices that can compromise devices via the iMessage service with an attachment without any user interaction.

According to Kaspersky, the message triggers a vulnerability that leads to code execution, and the code within the exploit downloads several subsequent stages from the command-and-control server that include additional exploits for privilege escalation.

After successful exploitation, a final payload is downloaded from the C&C server, which Kaspersky calls a “fully featured APT platform.” The initial message and the exploit in the attachment are then deleted.

How Kaspersky discovered the exploit

Researchers for Kaspersky, which is the subject of a federal government ban and potential enforcement actions due to its alleged ties to the Russian government, say the company was monitoring network traffic of its own corporate WiFi network dedicated for mobile devices when they noticed suspicious activity coming from iOS devices.

“Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise,” researchers say.

The company says its mobile device backups provided a partial copy of the filesystem, including some user data and service databases. Timestamps of files, folders and the database records helped the company reconstruct the events leading to compromise.

According to Kaspersky, the malicious toolset does not support persistence, likely due to the limitations of the operating system.

Based on timelines of infected devices, devices may be reinfected after being rebooted.

The oldest traces of infection discovered by researchers date to 2019, and the attack is ongoing; the most recent version of devices successfully targeted is iOS 15.7, which was released in September 2022.

While analysis of the final payload is not finished yet, Kaspersky researchers say the code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.

Disabling iMessage would prevent iOS devices from compromise, the company says.

The vulnerabilities used, while not disclosed in the Kaspersky blog, were apparently zero days before they were patched in February.

Who is behind these attacks?

Neither Kaspersky the company nor the CEO of the same name attributed the attacks to any specific group, but Russia’s Federal Security Service (FSB), in a separate statement that didn’t specifically mention the Kaspersky report, accused the U.S. National Security Agency and Apple of having a “close cooperation” to spy on Russian diplomats.

In a statement provided to Reuters and other media outlets, Apple denied the claims, saying the company has “never worked with any government to insert a backdoor into any Apple product and never will.”

In a series of Tweets, CEO Eugene Kaspersky says successful exploitation can result in transmitting private information, including microphone recordings, photos from instant messages, geolocation and data about a number of other activities.

The spyware infected “several dozen iPhones” of Kaspersky employees, but the CEO says the threat has been neutralized and the company is now operating normally.

In other Tweets, Kaspersky says the campaign is not related to other iOS attacks, such as Pegasus, Predator, or Reign. In addition, the Russia-based cybersecurity firm was not the main target of the attacks, the CEO says.

The company calls this campaign “Operation Triangulation” and has set up a webpage containing all related information. The company is asking anyone with additional details to contact the company at triangulation[at]kaspersky.com.

How to find out if you’ve been affected by Operation Triangulation

Kaspersky on Friday released a tool designed to automate the process of checking iOS device backups for possible indicators of compromise.

This article was updated on June 2, 2023 to reflect a statement from Apple.

FTC Accuses Ring of Watching Private Videos, Poor Security Practices https://mytechdecisions.com/physical-security/ftc-accuses-ring-of-watching-private-videos-poor-security-practices/ Thu, 01 Jun 2023 17:29:37 +0000

The Federal Trade Commission (FTC) has charged Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

While the FTC only mentions consumer customers, Ring does offer commercial security solutions under its Ring for Business arm. In addition, the allegations in the FTC’s complaint further demonstrate the risks that many IT and security professionals say are inherent in IoT devices. 

Under a proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed. It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

California-based Ring LLC was purchased by Amazon (Nasdaq: AMZN) in February 2018. According to My TechDecisions’ sister-site CE Pro’s 2023 100 Brand Analysis, Ring is the No. 1 video doorbell product installed by integrators with 66% of leading integrators installing the solution.

In a complaint, the FTC says Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

According to the complaint, these failures amounted to egregious violations of users’ privacy. For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms. The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.

The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.

Ring’s Alleged Security Failures

According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats—“credential stuffing” and “brute force” attacks—despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing—for example, by cycling through breached credentials or entering well-known passwords—hundreds or thousands of times to gain access to an account.

Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics—such as multifactor authentication—until 2019. Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness, the FTC said.

As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.

In addition to the mandated privacy and security program, the proposed order requires Ring to pay $5.8 million, which will be used for consumer refunds. The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.

The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order. The FTC filed the complaint and final order in the U.S. District Court for the District of Columbia.

A version of this article originally appeared on our sister site CE Pro. 

MCi Protects Its Customers Worldwide With Quorum Cyber’s Enterprise-Grade Cybersecurity https://mytechdecisions.com/project-of-the-week/mci-protects-its-customers-worldwide-with-quorum-cybers-enterprise-grade-cybersecurity/ Tue, 30 May 2023 14:21:45 +0000

Serving state, local governments, and global Fortune 100 companies in the energy, mining, manufacturing, and chemicals industries, Management Controls, Inc. (MCi) needed to transform its cybersecurity to the world-class level expected by its long list of prestigious customers. As a software technology and services provider, MCi provides critical Software-as-a-Service (SaaS) solutions and its TRACK platform for tracking and managing contract labor, equipment rental and material spending. MCi counts many of the world’s largest companies as loyal customers, some of whom it has served for over twenty-five years.

Privately owned, the Houston-headquartered business has ambitions to grow in the U.S. healthcare, automotive, aerospace, chemical and upstream energy sectors and extend its footprint across North America, Europe, Asia, Australasia and Africa. Safeguarding its customers’ data is essential to achieving its international expansion plans.

Customers demand world-class security

“Our customers are increasingly asking us detailed questions about our security, including disaster recovery and how we’ll respond to severe incidents. We must confidently reassure them that we have enterprise-grade protection in place,” explains Daniel Iturbe, VP of infrastructure, security & compliance at MCi.

“To achieve this, we have implemented rigorous security protocols and business continuity and recovery plans that ensure the safety and confidentiality of our customer’s data. Our team of experts is continuously monitoring and updating these measures to stay ahead of potential threats,” Iturbe says.

“We understand that our customers trust us with their sensitive information, and we take that responsibility very seriously. Rest assured, our commitment to providing top-notch security measures is unwavering, and we are always ready to respond swiftly and effectively in any security incident,” he says.

After completing a comprehensive program of preparation internally, MCi was ready to find a cyber security partner to provide a security operations center (SOC) that would match their business needs and meet the high standards of cybersecurity demanded by their customers worldwide.

MCi searched Quorum Cyber online, and a local Microsoft representative assured them they were worth talking to. Founded in 1989, MCi is predominantly in the cloud, and its cloud hosting is 100% provided by Azure. Hence, being a Microsoft-only house and a Microsoft Solutions Partner for Security, Quorum Cyber seemed like a good candidate. However, there were many other companies to assess as well.

Five essential criteria for a long-term partner

MCi took a diligent approach in selecting a long-term cybersecurity partner. They conducted an exhaustive Request for Proposal (RFP) discovery and execution phase over five months. During this time, they carefully evaluated over ten cybersecurity companies and thoroughly assessed their service offerings. Price was not the only determining factor, and the companies were assessed based on several essential criteria:

  1. Vendor qualifications: Experience, expertise and financial stability.
  2. Technology and tools: A vital matrix component consisted of selecting a SOC company focusing only on Microsoft Azure Security Stack and Azure toolsets.
  3. Service Level Agreements (SLAs): Response times, escalation procedures, and reporting capabilities needed to comply with MCi contractual and compliance requirements.
  4. Flexibility and customization: The ability to tailor and customize services to meet MCi annual reports and audits for MCi customers.
  5. Security and compliance: SOC requirements to have Microsoft and industry-accepted certifications and accreditations.
  6. Cost and value: SOC’s pricing structure, schedule, add-on services, and overall value were collectively categorized and analyzed independently.
  7. Reputation and references: The SOC’s reputation in the industry and references from current and past customers were scored using an internal MCi review process.

After evaluating all proposals, MCi trusted Quorum Cyber as their long-term cybersecurity partner. This decision was made after considering the added complexity of working with multiple vendors and that Quorum Cyber met all their requirements, including their need for an experienced and reputable Microsoft partner with a complete set of security competencies, certifications, advanced SIEM services, and strong customer support.

A true partner that lives and breathes cybersecurity

“I strongly believed that we needed a partner dedicated solely to the Microsoft ecosystem, who deeply understood cybersecurity and could fully support our Security Operation Center’s needs. We wanted a partner who would invest the time to comprehend our cloud infrastructure, unique business model, and even our customers and be part of our growth journey and continued success,” says Iturbe.

Moreover, MCi needed an expert in Microsoft Sentinel, Azure, and cloud computing that can proactively detect and defend against zero-day attacks and possess strong automation skills to improve efficiency and reduce the risk associated with cyber incidents. The ideal partner should also have experience working within a single, integrated security ecosystem.

After being onboarded onto Quorum Cyber’s SOC in early 2022, MCi is confident that Quorum Cyber, whose SOC team runs the Microsoft Sentinel Managed Detection & Response (MDR) service, has already helped to improve its cybersecurity posture and security scores significantly.

“I am thoroughly impressed by the exceptional customer service provided by Quorum Cyber. Their attention to detail, quick response time, and efficient triaging of information by their SOC is outstanding,” says Iturbe.

Iturbe continues, “The single-pane-of-glass view offered by their customer portal, Clarity, has been an invaluable asset to my team. This enables us to access all the necessary information from one dashboard easily. Quorum Cyber’s technical expertise and account management skills are second to none, and their professionalism is truly commendable. They maintain continuous communication with their customers and offer top-notch customer support, a rare quality in today’s business world.”

Iturbe says, “Overall, Quorum Cyber is a fantastic extension of our organization and a true partner. Their unwavering commitment to excellence is reflected in every aspect of their services, making them a top-class provider in the cyber security industry.”

Peace of mind around the clock

“We couldn’t get the security and visibility of the SOC by recruiting more people to cover the same things in-house,” concludes Iturbe. “In a nutshell, MCi has been able to catapult our cybersecurity posture to an enterprise-grade level, thanks to the mutual partnership in working towards the same goals.”
