Security – INDIA NEWS (http://www.indiavpn.org)

The Role of Just-in-Time Privileged Access in Security Evolution
http://www.indiavpn.org/2024/04/15/the-role-of-just-in-time-privileged-access-in-security-evolution/
Mon, 15 Apr 2024 11:43:21 +0000

Apr 15, 2024 | The Hacker News | Active Directory / Attack Surface


To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to privileged identity management aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.

What is JIT and why is it important?

JIT privileged access provisioning involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so.

One of the key advantages of JIT provisioning is that it reduces the risk of privilege escalation and shrinks the attack surface for credential-based attacks. By eliminating standing privileges (privileges an account holds even when it is not in active use), JIT provisioning narrows the window in which a compromised account is worth anything to an attacker. It also disrupts reconnaissance: because accounts are added to privileged groups only while an access request is active, an attacker enumerating Domain Admins or similar groups sees few or no members most of the time, which makes it harder to pick targets in advance. It does not remove the risk during the approved window itself, so request durations should be kept short and the resulting sessions monitored.

How to implement JIT provisioning with Safeguard

Safeguard, One Identity's privileged access management solution, supports JIT provisioning across multiple platforms, including Active Directory and Linux/Unix environments. With Safeguard, organizations create ordinary user accounts in Active Directory with no special privileges. These accounts are then placed under Safeguard's management and remain disabled until an access request workflow activates them.

When an access request is approved, Safeguard activates the account, adds it to the designated privileged groups, such as Domain Admins, and grants the access rights the request calls for. When the request ends, either because its configured timeout expires or because the user checks the credentials back in, the account is removed from the privileged groups and disabled again, so the exposure lasts only as long as the request. One caveat to plan for: Kerberos tickets issued during the window carry the group membership until they expire, so the teardown step should also disable the account (which stops new tickets from being issued) and, where possible, end the user's sessions, rather than relying on the group removal alone.
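The workflow above, reduced to its invariant (a privileged membership exists only between approval and expiry or check-in, and anything else found in the group is stripped), as an added example in Python. This is not Safeguard or Active Roles code: it runs against an in-memory stand-in for the directory so it works offline, and the account names, the "Domain Admins" group and the one-hour cap are constructed for the example.

```python
"""Just-in-time privilege ledger (added example, not One Identity code).

Models the workflow described above: enable a disabled account and add it to
a privileged group only for the life of an approved request, then strip the
membership and disable the account on timeout or check-in. The Directory
class is an in-memory stand-in for AD; names and durations are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Directory:
    """Stand-in for AD. Tracks only the JIT-managed accounts and groups."""
    enabled: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)

    def members(self, group):
        return set(self.groups.get(group, set()))


@dataclass
class Grant:
    account: str
    group: str
    expires: datetime
    active: bool = True


class JitBroker:
    def __init__(self, directory, managed_groups, max_duration=timedelta(hours=1)):
        self.dir = directory
        self.managed_groups = set(managed_groups)
        self.max_duration = max_duration
        self.grants = []

    def request(self, account, group, now, duration):
        """Approve a request. The duration is capped so that a long request
        cannot quietly recreate standing privilege."""
        if group not in self.managed_groups:
            raise ValueError(f"{group} is not under JIT management")
        grant = Grant(account, group, now + min(duration, self.max_duration))
        self.grants.append(grant)
        self._apply()
        return grant

    def check_in(self, grant):
        """The user hands the privilege back early."""
        grant.active = False
        self._apply()

    def reconcile(self, now):
        """Run on a timer: expire overdue grants, then re-assert desired state."""
        for g in self.grants:
            if g.active and now >= g.expires:
                g.active = False
        self._apply()

    def _apply(self):
        # Desired state is derived only from live grants. A membership added
        # by hand, or left behind by a crashed workflow, is removed on the
        # next pass, and an account with no live grant is disabled.
        live = [g for g in self.grants if g.active]
        for group in self.managed_groups:
            self.dir.groups[group] = {g.account for g in live if g.group == group}
        self.dir.enabled = {g.account for g in live}


def run_scenario():
    """Walk the workflow and record what the directory looked like at each step."""
    t0 = datetime(2024, 4, 15, 9, 0, tzinfo=timezone.utc)
    ad = Directory()
    broker = JitBroker(ad, managed_groups={"Domain Admins"})
    states = {}
    # A three-hour request is capped to the one-hour maximum.
    grant = broker.request("jit-alice", "Domain Admins", t0, timedelta(hours=3))
    states["capped_minutes"] = int((grant.expires - t0).total_seconds() // 60)
    states["during"] = (ad.members("Domain Admins"), set(ad.enabled))
    # Someone adds an account to the group by hand; the next reconcile strips it.
    ad.groups["Domain Admins"].add("rogue-admin")
    broker.reconcile(t0 + timedelta(minutes=30))
    states["after_reconcile"] = (ad.members("Domain Admins"), set(ad.enabled))
    # Past expiry: membership removed, account disabled.
    broker.reconcile(t0 + timedelta(minutes=61))
    states["after_expiry"] = (ad.members("Domain Admins"), set(ad.enabled))
    # Early check-in on a fresh grant has the same effect.
    g2 = broker.request("jit-bob", "Domain Admins", t0 + timedelta(hours=2), timedelta(minutes=15))
    broker.check_in(g2)
    states["after_checkin"] = (ad.members("Domain Admins"), set(ad.enabled))
    return states


if __name__ == "__main__":
    for step, state in run_scenario().items():
        print(f"{step:16} {state}")
```

The point of `_apply` rebuilding the group from the live grants, rather than just removing the one account, is that it also undoes out-of-band additions: an attacker or a careless admin who adds an account directly loses it on the next reconcile, which is the "no standing privilege" property the article describes.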

How to enhance JIT provisioning with Active Roles

When coupled with Active Roles ARS, One Identity's Active Directory management tool, organizations can add further security and customization to their JIT provisioning. Active Roles enables more sophisticated JIT provisioning use cases, allowing organizations to automate account activation, group membership management and Active Directory attribute synchronization.

For instance, a Safeguard access request workflow can trigger Active Roles to not only activate user accounts and assign privileges but also update virtual attributes within Active Directory and synchronize changes across the environment.

Conclusion

Just-in-Time provisioning of privileged access is a critical component of a comprehensive privileged access management strategy. By implementing JIT provisioning, organizations can reduce the risk of privilege misuse, enhance security, and ensure that users access privileged resources only when and for as long as necessary. Combining Safeguard with Active Roles allows organizations to implement robust JIT provisioning policies to strengthen security and mitigate risks.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability
http://www.indiavpn.org/2024/04/11/fortinet-rolls-out-critical-security-patches-for-forticlientlinux-vulnerability/
Thu, 11 Apr 2024 06:11:24 +0000

Apr 11, 2024 | Newsroom | Vulnerability / Threat Mitigation


Fortinet has released patches to address a critical security flaw impacting FortiClientLinux that could be exploited to achieve arbitrary code execution.

Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website,” Fortinet said in an advisory.


The shortcoming, which has been described as a case of remote code execution due to a “dangerous nodejs configuration,” impacts the following versions –

  • FortiClientLinux versions 7.0.3 through 7.0.4 and 7.0.6 through 7.0.10 (Upgrade to 7.0.11 or above)
  • FortiClientLinux version 7.2.0 (Upgrade to 7.2.1 or above)
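A small inventory check that encodes exactly the ranges listed above, as an added example (not Fortinet tooling). It compares versions as integer tuples rather than strings, so 7.0.10 sorts after 7.0.9, and it reports 7.0.5, which the advisory does not list in either 7.0.x range, as "not listed" rather than guessing. The host names and versions in the sample inventory are constructed.

```python
"""Version check for CVE-2023-45590 (added example, not Fortinet tooling).

AFFECTED_RANGES is transcribed from the advisory as quoted above. Note the
gap: 7.0.5 is in neither 7.0.x range, so it is reported as "not listed"
rather than assumed safe or affected. The inventory is constructed.
"""

# (first affected, last affected, fixed in)
AFFECTED_RANGES = [
    ((7, 0, 3), (7, 0, 4), (7, 0, 11)),
    ((7, 0, 6), (7, 0, 10), (7, 0, 11)),
    ((7, 2, 0), (7, 2, 0), (7, 2, 1)),
]


def parse_version(text):
    """'7.0.10' -> (7, 0, 10). Tuples compare element-wise, so 7.0.10 > 7.0.9,
    which a plain string comparison gets wrong."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return ('affected', '<fixed version>') or ('not listed', None)."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected", ".".join(str(n) for n in fixed)
    return "not listed", None


def triage(inventory):
    """inventory: iterable of (hostname, version string).
    Returns (host, current version, version to upgrade to) for affected hosts."""
    todo = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status == "affected":
            todo.append((host, version, fixed))
    return todo


SAMPLE_INVENTORY = [  # constructed for the example
    ("lx-dev-01", "7.0.4"),
    ("lx-dev-02", "7.0.5"),
    ("lx-build-07", "7.0.10"),
    ("lx-ops-03", "7.0.11"),
    ("lx-lab-01", "7.2.0"),
]

if __name__ == "__main__":
    for host, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {fixed} or later")
```

A host on a "not listed" version still deserves a look against the vendor's current advisory rather than being closed out, since the table only knows what was published at the time.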

Security researcher CataLpa from Dbappsecurity has been credited with discovering and reporting the vulnerability.

Fortinet's April 2024 patches also address two issues in the FortiClientMac installer that could likewise lead to code execution (CVE-2023-45588 and CVE-2024-31492, CVSS scores: 7.8).

Also resolved is a FortiOS and FortiProxy bug that could leak administrator cookies in certain scenarios (CVE-2023-41677, CVSS score: 7.5).

While there is no evidence of any of the flaws being exploited in the wild, it’s recommended that users keep their systems up-to-date to mitigate potential threats.




CL0P's Ransomware Rampage – Security Measures for 2024
http://www.indiavpn.org/2024/04/09/cl0ps-ransomware-rampage-security-measures-for-2024/
Tue, 09 Apr 2024 13:23:49 +0000


2023 CL0P Growth

CL0P emerged in early 2019 as a more advanced variant of the CryptoMix ransomware, operated by the cybercrime group of the same name. The group remained active over the following years, with significant campaigns from 2020 to 2022, but in 2023 it reached new heights and became one of the most active and successful ransomware operations in the world.

It did so by exploiting a string of vulnerabilities in software used by some of the world's largest organizations. The presumed Russian-speaking gang takes its name from the Russian word "klop," meaning "bed bug," and is often written "CLOP" or "cl0p". Once a victim's files are encrypted, a ".clop" extension is appended to them.

CL0P’s Methods & Tactics

The CL0P ransomware gang (closely associated with the TA505, FIN11 and UNC2546 cybercrime clusters) was renowned for extremely destructive and aggressive campaigns against large organizations around the world throughout 2023. The "big game hunting" gang applied its "steal, encrypt and leak" method to numerous large companies, with a particular interest in the finance, manufacturing and healthcare industries.

CL0P operates a Ransomware-as-a-Service (RaaS) model and uses the "steal, encrypt and leak" tactics common among ransomware affiliates worldwide. If victims fail to meet its demands, their data is published on the gang's Tor-hosted leak site, "CL0P^_-LEAKS". Like many other Russian-speaking cybercrime gangs, CL0P builds its ransomware not to run on devices located in the CIS (Commonwealth of Independent States).

LockBit, by comparison, also operates a Ransomware-as-a-Service (RaaS) model.

‘In short, this means that affiliates make a deposit to use the tool, then split the ransom payment with the LockBit group. It has been reported that some affiliates are receiving a share as high as 75%. LockBit’s operators have posted advertisements for their affiliate program on Russian-language criminal forums stating they will not operate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking “guarantor” vouches for them.’ – ‘The Prolificacy of LockBit Ransomware’

SecurityHQ's Global Threat Landscape 2024 Forecast discussed CL0P's resurgence in the ransomware landscape and named it a group to watch in 2024.

3rd Most Prolific Group 2023

By examining the data on "CL0P^_-LEAKS", the threat intelligence team at SecurityHQ collected data on various cybercrime gangs around the world and visualized the extent of CL0P's rise in activity throughout 2023. The gang's move from outside the most active ransomware groups in 2022 to third most prolific in 2023 should not be taken lightly.

[Figure: SecurityHQ data on threat groups during 2023. ©2024 SecurityHQ]

Latest Activities

In early 2023, the CL0P ransomware gang exploited a zero-day vulnerability in Fortra GoAnywhere MFT. Tracked as CVE-2023-0669, the flaw let attackers obtain remote code execution on unpatched, internet-exposed instances of the software. Fortra disclosed the issue on 1 February 2023 and shipped a patch about a week later, but by then the group had already targeted over 100 organisations.

Then, in April, Microsoft identified two ransomware gangs, CL0P and LockBit, exploiting CVE-2023-27350 and CVE-2023-27351 in PaperCut, a widely used print management product. The groups used the flaws to deploy the TrueBot malware they had been using for months. PaperCut is an attractive target for a group like CL0P, whose tactics have shifted away from merely encrypting files and towards stealing data to extort the organisation, because its "Print Archiving" feature stores a copy of every job and document sent through the server.

The group's major event came in May, when MOVEit Transfer and MOVEit Cloud were exploited via a previously unknown SQL injection vulnerability, CVE-2023-34362 (a second SQL injection flaw, CVE-2023-35036, was patched shortly afterwards). CL0P moved extremely quickly across vulnerable systems, extracting sensitive data from some of the world's largest organizations (the BBC, Ernst & Young, PwC, Gen Digital, British Airways, Transport for London, Siemens, and many more). The group stated it had deleted all data relating to governments, military and hospitals, but with several US government agencies among those affected by the MOVEit breach, the US State Department offered a reward of up to $10 million for information linking CL0P to a foreign government.

Lasting Impact of Quadruple Extortion

The group not only played a major part in the surge in ransomware activity throughout 2023 but was also a major driver of the sharp rise in average ransomware payments.

CL0P's operators are renowned for going to extreme lengths to get their message across. After publicly posting proof of an organisation's breach and publishing data on their leak site, if their messages are still ignored they go straight to stakeholders and executives to ensure their demands are met. This is known as quadruple extortion.

From single to double, double to triple and now the progression to quadruple extortion, it’s fair to say ransomware groups aren’t stopping until they get what they came for. Just like the double or triple extortion, quadruple extortion adds a new layer which comes in the form of two main avenues.

  1. The first is DDoS attacks, which aim to shut down an organization’s online presence until the ransom is paid.
  2. The harassment of various stakeholders (customers, media, employees, etc.) increases pressure on the decision-makers.

Defending Against CL0P

To defend against CL0P in 2024, SecurityHQ recommends that organisations:

  • Pay attention to your landscape and your environment. Know what is normal for your environment and what is not so you can act quickly.
  • Develop and review your Incident Response Plan, with clear steps shown so that actions are set in the event of a worst-case scenario.
  • Ensure that Threat Monitoring is in place to identify threats rapidly.
  • Review current cyber security practices to make sure that the best practices are being used.
  • Those at greater risk, for instance, those in industries specifically targeted by CLOP (Finance, Manufacturing, Healthcare), or those that hold sensitive data, should work with an MSSP to ensure that the best security practices are in place.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Their team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to navigate the intricacies of the cyber security threat landscape confidently.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

Note: This contributed article is written by Patrick McAteer, Cyber Threat Intelligence Analyst at SecurityHQ Dubai, who specialises in analysing evolving cyber threats, identifying risks and producing actionable intelligence reports to support proactive defence.




Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
http://www.indiavpn.org/2024/04/05/researchers-identify-multiple-china-hacker-groups-exploiting-ivanti-security-flaws/
Fri, 05 Apr 2024 10:00:27 +0000

Apr 05, 2024 | Newsroom | Advanced Persistent Threat


Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).

The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.

The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations.

“UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,” Mandiant researchers said.


The threat actor has been linked to post-exploitation activity leading to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capturing functions.

UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances at least since February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating post-compromise actions –

  • PHANTOMNET – A modular backdoor that communicates using a custom communication protocol over TCP and employs a plugin-based system to download and execute additional payloads
  • TONERJAM – A launcher that’s designed to decrypt and execute PHANTOMNET

Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to obtain domain admin access.


Another notable China-linked espionage actor is UNC5337, which is said to have infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four distinct components that work in tandem to function as a stealthy and persistent backdoor –

  • SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell as well as launch SPAWNSLOTH
  • SPAWNMOLE – A tunneler utility that’s capable of directing malicious traffic to a specific host while passing benign traffic unmodified to the Connect Secure web server
  • SPAWNANT – An installer that’s responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
  • SPAWNSLOTH – A log tampering program that disables logging and log forwarding to an external syslog server when the SPAWNSNAIL implant is running

Mandiant has assessed with medium confidence that UNC5337 and UNC5221 are one and the same threat group, noting the SPAWN tool is “designed to enable long-term access and avoid detection.”
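SPAWNSLOTH's job, as described above, is to stop the appliance forwarding logs to the external syslog server. The implant controls the device, so the place to notice that is the collector: a feed that normally arrives every few minutes and then goes quiet is a signal in itself. The following dead-man check is an added example, not Mandiant or Ivanti tooling. The log lines and host names are constructed; the timestamp in each record is the collector's receipt time, not the appliance's own clock, which a compromised device can lie about.

```python
"""Dead-man detection for appliance syslog feeds (added example, not
Mandiant or Ivanti tooling). Flags a source whose records stop arriving for
much longer than its own usual cadence. Log lines are constructed; the first
field is the collector's receipt time."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed collector records: "<received-at> <source-host> <message>".
# ics-vpn-01 reports every 5 minutes and stops at 10:15;
# ics-vpn-02 reports every 20 minutes and is still talking at 11:00.
SAMPLE_LOG = """\
2024-01-20T10:00:00Z ics-vpn-01 web: Login succeeded for user alice
2024-01-20T10:05:00Z ics-vpn-01 web: Session refresh for user alice
2024-01-20T10:10:00Z ics-vpn-01 web: Session refresh for user alice
2024-01-20T10:15:00Z ics-vpn-01 web: Session refresh for user alice
2024-01-20T10:00:00Z ics-vpn-02 web: Login succeeded for user bob
2024-01-20T10:20:00Z ics-vpn-02 web: Session refresh for user bob
2024-01-20T10:40:00Z ics-vpn-02 web: Session refresh for user bob
2024-01-20T11:00:00Z ics-vpn-02 web: Session refresh for user bob
"""

# "Now" for the worked run: five minutes after ics-vpn-02's last record.
AS_OF = datetime(2024, 1, 20, 11, 5, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_log(text):
    """Group receipt timestamps by source host, sorted ascending."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        per_host[m.group(2)].append(ts)
    return {host: sorted(ts) for host, ts in per_host.items()}


def silent_hosts(per_host, now, factor=3, min_events=3, floor=timedelta(minutes=10)):
    """Flag hosts quiet for longer than `factor` times their median
    inter-event gap (never less than `floor`, to tolerate jitter).
    Returns {host: silence duration}."""
    flagged = {}
    for host, ts in per_host.items():
        if len(ts) < min_events:
            continue  # not enough history to know what "normal" is
        gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
        median_gap = gaps[len(gaps) // 2]
        threshold = max(factor * median_gap, floor)
        silence = now - ts[-1]
        if silence > threshold:
            flagged[host] = silence
    return flagged


if __name__ == "__main__":
    for host, silence in silent_hosts(parse_log(SAMPLE_LOG), AS_OF).items():
        print(f"{host}: no syslog for {silence}; check the device, not just the feed")
```

Per-host thresholds matter here: a fixed "no logs for an hour" rule would miss ics-vpn-01 for most of that hour while paging on ics-vpn-02 every time it went quiet for its usual twenty minutes. The alert should trigger a check of the appliance itself (the vendor's integrity checker, a look at the web server files), because a healthy-looking network reachability test is exactly what a tunneling implant such as SPAWNMOLE is designed to preserve.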


UNC5221, which was previously attributed to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell referred to as ROOTROT that’s embedded into a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” by exploiting CVE-2023-46805 and CVE-2024-21887.

A successful deployment of the web shell is followed by network reconnaissance and lateral movement, in some cases, resulting in the compromise of a vCenter server in the victim network by means of a Golang backdoor called BRICKSTORM.

“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.”

The last of the China-nexus clusters discussed here is UNC5291, which Mandiant said likely has associations with UNC3236 (aka Volt Typhoon), primarily owing to its targeting of the academic, energy, defense and health sectors.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” the company said.

The findings once again underscore the threat faced by edge appliances, with the espionage actors utilizing a combination of zero-day flaws, open-source tooling, and custom backdoors to tailor their tradecraft depending on their targets to evade detection for extended periods of time.




Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
http://www.indiavpn.org/2024/04/03/critical-security-flaw-found-in-popular-layerslider-wordpress-plugin/
Wed, 03 Apr 2024 06:29:19 +0000

Apr 03, 2024 | Newsroom | Web Security / Vulnerability


A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes.

The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0.

The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. “This update includes important security fixes,” the maintainers of LayerSlider said in their release notes.

LayerSlider is a visual web content editor, graphic design tool and digital visual effects plugin that lets users create animations and rich content for their websites. According to its own site, the plugin is used by "millions of users worldwide."


The flaw discovered in the tool stems from a case of insufficient escaping of user supplied parameters and the absence of wpdb::prepare(), enabling unauthenticated attackers to append additional SQL queries and glean sensitive information, Wordfence said.
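The bug class Wordfence describes (user input concatenated into a query, with no `wpdb::prepare()`) next to its fix, as an added example. This is not LayerSlider's code or Wordfence's proof of concept: the table layout, rows and the placeholder password hash are constructed, and SQLite stands in for MySQL so it runs offline. The parameterised query in `slider_names_safe` plays the role `wpdb::prepare()` plays in a WordPress plugin; the payload mirrors the article's point that the flaw could be used to pull password hashes out of the database.

```python
"""Vulnerable vs. parameterised lookup (added example, not LayerSlider code).
Schema, rows and the hash placeholder are constructed; SQLite stands in for
MySQL. The safe variant does what wpdb::prepare() does in WordPress."""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sliders (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO sliders VALUES (1, 'homepage'), (2, 'promo');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$B-placeholder-hash-not-real');
    """)
    return conn


def slider_names_vulnerable(conn, slider_id):
    """Untrusted input concatenated straight into the statement."""
    sql = f"SELECT name FROM sliders WHERE id = {slider_id}"
    return [row[0] for row in conn.execute(sql)]


def slider_names_safe(conn, slider_id):
    """Type-check, then bind the value as a parameter so the driver never
    lets it alter the statement's structure."""
    try:
        sid = int(slider_id)
    except (TypeError, ValueError):
        return []  # reject rather than coerce; an id is an integer or nothing
    rows = conn.execute("SELECT name FROM sliders WHERE id = ?", (sid,))
    return [row[0] for row in rows]


# What an unauthenticated request might carry in the id parameter: a UNION
# that appends login:hash pairs from the users table to the result set.
PAYLOAD = "1 UNION ALL SELECT user_login || ':' || user_pass FROM wp_users"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", slider_names_vulnerable(db, PAYLOAD))
    print("safe:      ", slider_names_safe(db, PAYLOAD))
```

Escaping alone (the "insufficient escaping" Wordfence mentions) is the weaker fix: it has to be right for every context the value lands in, whereas a bound parameter is never parsed as SQL at all.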

The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been resolved in version 3.4.9.3.


The vulnerability, due to insufficient input sanitization and output escaping, “makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page,” the WordPress security company said.

Should the code be executed in the context of an administrator’s browser session, it can be used to create rogue user accounts, redirect site visitors to other malicious sites, and carry out other attacks, it added.

Over the past few weeks, security vulnerabilities have also been disclosed in other WordPress plugins, such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4), which could be exploited for information disclosure and to inject arbitrary web scripts, respectively.




Harnessing the Power of CTEM for Cloud Security
http://www.indiavpn.org/2024/04/02/harnessing-the-power-of-ctem-for-cloud-security/
Tue, 02 Apr 2024 11:58:46 +0000

Cloud solutions are more mainstream – and therefore more exposed – than ever before.

In 2023 alone, 82% of data breaches involved data stored in public, private or hybrid cloud environments, and nearly 40% of breaches spanned multiple environments. The average cost of a cloud breach, at $4.75 million, was above the overall average. Cloud has become the de facto standard, with 65% of IT decision-makers confirming that cloud-based services are their first choice when upgrading or purchasing new solutions, yet despite that prominence, cloud security still faces multiple challenges.

Security Challenges in the Cloud

One major hurdle is the lack of visibility. Unlike physical servers you can see and touch, cloud resources are often spread across vast networks, making it difficult to monitor for suspicious activity and leaving vulnerabilities undetected. Another challenge is the inconsistency across cloud vendor permission management systems. Different providers have different controls for who can access and modify data. This inconsistency creates complexity and increases the risk of accidental misconfigurations, which are a leading cause of breaches.

Moreover, with multiple teams involved in cloud deployments – development, operations, security – clear ownership and accountability for cloud security can be blurred. This lack of coordination can lead to situations where security best practices are overlooked or bypassed. Additionally, many attacks move across the cloud to on-prem environments and vice versa, which can put both environments at risk.

All these challenges highlight the urgent need for robust cloud security solutions that provide comprehensive visibility, standardized permission management, and clear lines of responsibility. Yet security resources are stretched thin even in the best-provisioned teams – and cloud security teams are expected to investigate and remediate thousands of exposures that may not all have the same impact on critical resources. This leads to uncertainty around what to fix first and how to actually address all the identified exposures, leaving cloud environments exposed to cyberattacks.

Continuous Exposure Management is Essential

Instead of chasing countless vulnerabilities, security teams need to prioritize the most critical ones. This means being able to quickly identify the most dangerous attack paths and take preemptive action against advanced attack methods in the cloud.

By focusing on high-risk areas, cloud security teams can build targeted remediation plans that prevent major attacks, streamline workflows, and accurately report on real threats across multiple cloud environments. The key to achieving this is Continuous Threat Exposure Management (CTEM), a proactive and continuous five-stage program or framework that reduces exposure to cyberattacks. First introduced by Gartner in 2022, CTEM has proven essential for preventing high-impact attacks, improving remediation efficiency, and reporting true risk.

Stop letting hackers play connect-the-dots with your cloud security. Discover the secret map they don’t want you to have in our eBook: ‘The Power of Attack Paths in Cloud‘ Learn to visualize, intercept, and secure your digital fortress like never before.

CTEM was introduced to solve the problem of endless lists of exposures, and more specifically vulnerabilities, across on-prem environments. Not being able to highlight and fix the exposures that are most critical leaves security teams fixing CVEs that may or may not be exploitable or impactful in their specific environment. In multi-cloud environments, the lists of vulnerabilities may be shorter, but together with misconfigurations and highly privileged access, they add up to a long list of exposures that attackers can use to breach the multi-cloud environment and that security teams must address. The only way to block attacks is by identifying and fixing the exposures with the highest impact on your business. That requires adopting the CTEM framework in the cloud environment.

Fix What Matters Across Multi-Cloud

To help cloud security teams fix what matters and block high-impact attacks in multi-cloud environments, a comprehensive CTEM program will highlight the most impactful entities that can compromise cloud resources. These solutions identify the cloud resources that can be compromised and discover all the exposures that attackers can use to compromise them. Mapping the attack paths that attackers could exploit helps prioritize and validate the most impactful exposures that are exploitable in the multi-cloud environment in order to address them first.

For example, taking the attacker’s perspective allows identifying top choke points. Choke points are critical weaknesses in your cloud defenses, where multiple attack paths converge on a single exposure. They can be easily breached by attackers who can then access a vast network of resources – databases, computers, identity controls, and more. By prioritizing these high-impact areas, security teams focus on the most attractive targets for attackers, maximizing the return on their security efforts. Common choke points include internet-facing systems and unused access accounts. Addressing them significantly reduces the attack surface, effectively fortifying your entire cloud environment.

[Figure: Example of a cloud choke point showing inbound and outbound attack paths]
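The choke-point idea above, made concrete as an added example (not XM Cyber's algorithm or product output): enumerate the attack paths from an entry point to a critical asset, count how many of them pass through each intermediate exposure, and measure how many paths survive if that one exposure is fixed. The graph is a constructed hybrid scenario; each edge means "an attacker holding the left node can reach the right one", and the node names are made up for the example.

```python
"""Choke-point ranking over attack paths (added example, not XM Cyber code).
The graph is constructed: edges mean "an attacker holding the left node can
reach the right one". Entry points and critical assets are fixed below."""
from collections import defaultdict

EDGES = [
    ("internet", "public-web-ec2"),       # internet-facing app with a known CVE
    ("internet", "vpn-appliance"),        # internet-facing VPN
    ("internet", "phished-user"),         # mailbox user who clicks
    ("public-web-ec2", "instance-role"),  # instance-role credentials via IMDS
    ("vpn-appliance", "instance-role"),   # stale key for the same role on the box
    ("phished-user", "instance-role"),    # user may assume the role, no MFA
    ("phished-user", "okta-admin"),       # group membership nobody reviewed
    ("instance-role", "s3-customer-data"),
    ("instance-role", "rds-prod"),
    ("okta-admin", "rds-prod"),
]
ENTRY = {"internet"}
CRITICAL = {"s3-customer-data", "rds-prod"}


def attack_paths(edges, entry=ENTRY, critical=CRITICAL):
    """All simple paths from an entry point to a critical asset, stopping at
    the first critical asset reached."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    paths = []

    def walk(node, path):
        if node in critical:
            paths.append(list(path))
            return
        for nxt in adj[node]:
            if nxt not in path:  # simple paths only: no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for start in sorted(entry):
        walk(start, [start])
    return paths


def choke_points(paths, entry=ENTRY, critical=CRITICAL):
    """Rank intermediate nodes by how many paths run through them and how
    many distinct critical assets those paths end in."""
    count = defaultdict(int)
    assets = defaultdict(set)
    for path in paths:
        for node in path:
            if node in entry or node in critical:
                continue
            count[node] += 1
            assets[node].add(path[-1])
    ranked = sorted(count, key=lambda n: (-count[n], -len(assets[n]), n))
    return [(n, count[n], sorted(assets[n])) for n in ranked]


def paths_after_fix(edges, node, entry=ENTRY, critical=CRITICAL):
    """Paths that survive if `node` is removed (patched, MFA enforced,
    key rotated, membership revoked)."""
    pruned = [(s, d) for s, d in edges if node not in (s, d)]
    return attack_paths(pruned, entry, critical)


if __name__ == "__main__":
    paths = attack_paths(EDGES)
    print(f"{len(paths)} attack paths")
    for node, n, ends in choke_points(paths):
        left = len(paths_after_fix(EDGES, node))
        print(f"  {node:16} on {n} paths -> {', '.join(ends)}; {left} remain if fixed")
```

In this graph the instance role is the choke point: three different footholds converge on it, and fixing it (scoping the role, removing the stale key, requiring MFA to assume it) closes six of the seven paths, whereas patching the public web app on its own closes two. That gap between "most exposures" and "most paths blocked per fix" is the prioritisation the article is arguing for.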

Another example of a high-impact exposure stems from pre-defined highly privileged access. Highly privileged accounts, like built-in admins, are considered "game-over" assets: if compromised, attackers can wreak havoc. A comprehensive approach to CTEM helps by identifying these accounts and uncovering weaknesses that could leave them vulnerable, such as admin access without multi-factor authentication (MFA) or unused service accounts, essentially the weaknesses attackers would love to exploit.

To ensure critical exposures are addressed, advanced exposure management solutions provide remediation guidance and alternatives. More often than not highly privileged accounts or internet-facing resources cannot be restricted, but analyzing the attack path that leads to them makes it possible to find a fix that lowers their exploitability and hence their level of risk.

Stopping Hybrid Environment Attacks

Attackers are not limited by hybrid environments, and defenders must ensure they too are not limited. Solutions that analyze hybrid attack paths, across on-prem and multi-cloud environments allow security teams to stay one step ahead of attacks – understanding exactly where they are exposed to cyber threats. These tools provide complete details around potential breach points, attack techniques, permissions usage, and remediation alternatives to help customers address these exposures and block the most critical attack paths.

[Figure: Example hybrid attack path across Microsoft Active Directory and AWS]

Summary

While traditional cloud security struggles against the volume of ever-present exposures, CTEM offers an actionable remediation plan by focusing on the most critical ones in a specific environment. The right approach to CTEM reaches across on-prem and multi cloud, encompassing your entire IT landscape. This holistic approach eliminates blind spots and empowers organizations to transition from reactive to proactive defense. By embracing CTEM, organizations can ensure their success in the cloud-based future.

Note: This expertly contributed article is written by Zur Ulianitzky, VP Security Research at XM Cyber.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



Avoiding Application Security Blind Spots with OPSWAT and F5
http://www.indiavpn.org/2024/03/28/avoiding-application-security-blind-spots-with-opswat-and-f5/ (Thu, 28 Mar 2024 14:10:45 +0000)

Mar 28, 2024 | The Hacker News | Application Security / Webinar

Considering the ever-changing state of cybersecurity, it’s never too late to ask yourself, “am I doing what’s necessary to keep my organization’s web applications secure?”

The continuous evolution of technology introduces new and increasingly sophisticated threats daily, posing challenges to organizations all over the world and across the broader spectrum of industries striving to maintain reliable defenses. 2024 promises to be no exception. Threat actors continue to adapt their tactics, techniques, and procedures to exploit vulnerabilities in innovative ways, injecting malicious content into files that bypass traditional antivirus solutions and advanced, AI and ML-powered solutions alike.

Therefore, organizations must assess and continually reinforce their security measures. One critical aspect that organizations often grapple with is identifying and addressing security blind spots: areas within the infrastructure where vulnerabilities exist but may go unnoticed. For example, only 63% of companies scan all files for malware with multiple antimalware engines, and only 32% disarm files to remove embedded threats.

In our webinar, we’ll shine a light on blind spots like these and discuss best practices for eliminating them, emphasizing the importance of continuous monitoring, defense-in-depth cybersecurity strategy, threat intelligence integration, and regular security audits.

Our experts will cover:

  • Insights into the current security landscape, its challenges, and effective cyber defense approaches.
  • How developing a comprehensive application security strategy can help your organization stay compliant with key global regulations.
  • An overview of threat detection and prevention technologies, their benefits, and integration into your technology stack.
  • Understanding the shared responsibilities model and how a defense-in-depth approach enhances your current defense strategies.
  • Strategies to enforce comprehensive cybersecurity across all environments: on-premises, in the cloud, and in K8S, even within SSL-protected environments.
  • How F5 and OPSWAT’s practices align with OWASP guidelines for comprehensive application security.

Join our panel of industry experts, Buu Lam, Community Evangelist, F5 DevCentral; George Prichici, VP of Products, OPSWAT; Adam Rocker, Director, Product Management, OPSWAT; and James Azar, CISO & Moderator for THN for an engaging webinar that will arm you with information to strengthen your organization’s web application security.

Register for the “From Blind Spots to Bulletproof: Secure Your Applications with OPSWAT and F5” webinar now.

This article is a contributed piece from one of our valued partners.



U.S. Justice Department Sues Apple Over Monopoly and Messaging Security
http://www.indiavpn.org/2024/03/22/u-s-justice-department-sues-apple-over-monopoly-and-messaging-security/ (Fri, 22 Mar 2024 07:26:34 +0000)

Mar 22, 2024 | Newsroom | Privacy / Encryption

Messaging Security

The U.S. Department of Justice (DoJ), along with 16 other state and district attorneys general, on Thursday accused Apple of illegally maintaining a monopoly over smartphones, thereby undermining, among other things, the security and privacy of users when they message non-iPhone users.

“Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct,” the landmark antitrust lawsuit said. “Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests.”


“Apple selectively compromises privacy and security interests when doing so is in Apple’s own financial interest – such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available.”

The sprawling complaint also alleged that iPhone users who message a non-iPhone user via the Messages app are defaulted to the less secure SMS format (as opposed to iMessage) that lacks support for encryption and offers limited functionality. On the other hand, iMessage is end-to-end encrypted (E2EE) and is even quantum-resistant.

It’s worth noting at this stage that iMessage is only available on the iPhone and other Apple devices. Apple has repeatedly said it has no plans to make iMessage interoperable with Android, even stating that doing so “will hurt us more than help us.”

Furthermore, the 88-page lawsuit called out the iPhone maker for blocking attempts by third parties to bring a secure cross-platform messaging experience between the iOS and Android platforms.

In December 2023, Beeper managed to reverse engineer the iMessage protocol and port the service to Android through a dedicated client called Beeper Mini. Apple, however, has shut down those efforts, arguing that Beeper “posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.”

These limitations have a powerful network effect, driving consumers to continue buying iPhones and making them less likely to switch to a competing device, the DoJ said, adding, “by rejecting solutions that would allow for cross-platform encryption, Apple continues to make iPhone users less secure than they could otherwise be.”


The development comes as Apple is facing more scrutiny than ever to open up its tightly-controlled software ecosystem — the so-called “walled garden” — which regulators say locks in customers and developers. Other major tech giants like Microsoft, Google, Amazon, and Meta have all dealt with similar lawsuits in recent years.

Apple, in a surprise move late last year, announced that it intends to add support for Rich Communication Services (RCS), an upgraded version of the SMS standard with modern instant messaging features, to its Messages app. It also said it will work with GSMA members to integrate encryption.

In response to the lawsuit, Cupertino said it will “vigorously defend” itself and that the lawsuit “threatens who we are and the principles that set Apple products apart in fiercely competitive markets.” It also said that DoJ winning the lawsuit would “set a dangerous precedent, empowering the government to take a heavy hand in designing people’s technology.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws
http://www.indiavpn.org/2024/03/21/github-launches-ai-powered-autofix-tool-to-assist-devs-in-patching-security-flaws/ (Thu, 21 Mar 2024 12:40:07 +0000)

Mar 21, 2024 | Newsroom | Machine Learning / Software Security

AI-Powered Autofix Tool

GitHub on Wednesday announced that it’s making available a feature called code scanning autofix in public beta for all Advanced Security customers to provide targeted recommendations in an effort to avoid introducing new security issues.

“Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, Typescript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing,” GitHub’s Pierre Tempel and Eric Tooley said.

The capability, first previewed in November 2023, leverages a combination of CodeQL, Copilot APIs, and OpenAI GPT-4 to generate code suggestions. The Microsoft-owned subsidiary also said it plans to add support for more programming languages, including C# and Go, in the future.

Code scanning autofix is designed to help developers fix vulnerabilities as they code by generating potential fixes as well as providing a natural language explanation when an issue is discovered in a supported language.


These suggestions could go beyond the current file to include changes to several other files and the dependencies that should be added to rectify the problem.

“Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer,” the company said.

“Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase.”

That said, it’s left to the developer to evaluate the recommendations, determine whether a suggestion is the right solution, and ensure that the change does not deviate from the program’s intended behavior.

GitHub also emphasized the current limitations of the autofix code suggestions, making it imperative that developers carefully review the changes and the dependencies before accepting them. Autofix may:

  • Suggest fixes that are not syntactically correct code changes
  • Suggest fixes that are syntactically correct code but are suggested at the incorrect location
  • Suggest fixes that are syntactically valid but that change the semantics of the program
  • Suggest fixes that fail to address the root cause, or introduce new vulnerabilities
  • Suggest fixes that only partially resolve the underlying flaw
  • Suggest unsupported or insecure dependencies
  • Suggest arbitrary dependencies, leading to possible supply chain attacks

“The system has incomplete knowledge of the dependencies published in the wider ecosystem,” the company noted. “This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.”
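The last two limitations, together with the quoted warning about dependencies published under “statistically probable” names, lend themselves to a pre-merge check. The following added example is not GitHub’s code and not part of the autofix feature: it parses the `+` lines of a constructed requirements.txt diff, compares each newly added package name against a constructed allowlist, and flags names that are either unknown or only a small edit distance away from an approved name, so that a human confirms them before the suggestion is accepted. APPROVED, LOOKALIKE_DISTANCE and SAMPLE_DIFF are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, Set

# Matches the package name at the start of a requirements line, e.g. "requests==2.31.0".
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed allowlist: names the project already trusts (e.g. taken from its lockfile).
APPROVED: Set[str] = {"requests", "flask", "PyYAML"}

# Edit distance at or below which an unknown name is treated as a lookalike.
LOOKALIKE_DISTANCE = 2  # assumed threshold for the example


def normalize(name: str) -> str:
    """Canonicalise a package name the way PyPI compares them (case-insensitive, -/_/. folded)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def added_dependencies(diff_lines: Iterable[str]) -> Set[str]:
    """Normalized names on '+' lines of a unified diff (the '+++' file header is skipped)."""
    names = set()
    for line in diff_lines:
        if not line.startswith("+") or line.startswith("+++"):
            continue
        m = _NAME_RE.match(line[1:].strip())
        if m:
            names.add(normalize(m.group(1)))
    return names


def review_dependencies(diff_lines: Iterable[str], approved: Set[str]) -> Dict[str, str]:
    """Verdict per newly added dependency.

    'approved'          already in the allowlist
    'lookalike:<name>'  not approved, but within LOOKALIKE_DISTANCE of an approved name
    'unknown'           not approved; a human must confirm it exists and is wanted
    """
    canon = {normalize(n) for n in approved}
    verdicts = {}
    for name in added_dependencies(diff_lines):
        if name in canon:
            verdicts[name] = "approved"
            continue
        close = [n for n in canon if levenshtein(name, n) <= LOOKALIKE_DISTANCE]
        verdicts[name] = f"lookalike:{min(close)}" if close else "unknown"
    return verdicts


# Constructed diff of a requirements.txt, as a suggested fix might produce it (not real data).
SAMPLE_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,4 @@
 flask==3.0.0
-old-lib==1.0
+requests==2.31.0
+reqeusts==1.0.0
+totally-new-lib==0.1.0
""".splitlines()

if __name__ == "__main__":
    for name, verdict in sorted(review_dependencies(SAMPLE_DIFF, APPROVED).items()):
        print(f"{name:20s} {verdict}")
```

Only "approved" verdicts should pass automatically; "lookalike" and "unknown" both stop the merge until someone checks the registry entry and its publisher. The lookalike test is a cheap heuristic, not proof of squatting, which is why it routes to a reviewer rather than rejecting outright.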




Generative AI Security – Secure Your Business in a World Powered by LLMs
http://www.indiavpn.org/2024/03/20/generative-ai-security-secure-your-business-in-a-world-powered-by-llms/ (Wed, 20 Mar 2024 11:41:30 +0000)

Mar 20, 2024 | The Hacker News | Artificial intelligence / Webinar

Generative AI Security

Did you know that 79% of organizations are already leveraging Generative AI technologies? Much like the internet defined the 90s and the cloud revolutionized the 2010s, we are now in the era of Large Language Models (LLMs) and Generative AI.

The potential of Generative AI is immense, yet it brings significant challenges, especially in security integration. Despite their powerful capabilities, LLMs must be approached with caution. A breach in an LLM’s security could expose the data it was trained on, along with sensitive organizational and user information, presenting a considerable risk.

Join us for an enlightening session with Elad Schulman, CEO & Co-Founder of Lasso Security, and Nir Chervoni, Booking.com’s Head of Data Security. They will share their real-world experiences and insights into securing Generative AI technologies.

Why Attend?

This webinar is a must for IT professionals, security experts, business leaders, and anyone fascinated by the future of Generative AI and security. It’s your comprehensive guide to the complexities of securing innovation in the age of generative artificial intelligence.

What You’ll Learn:

  • How GenAI is Reshaping Business Operations: Explore the current state of GenAI and LLM adoption through statistics and insightful business case studies.
  • Understanding Security Risks: Dive into the emerging security threats posed by Generative AI.
  • Effective Security Strategies for Businesses: Gain insights into proven strategies to navigate GenAI security challenges.
  • Best Practices and Tools: Discover best practices and tools for effectively securing GenAI applications and models.

Register Now for Expert-Led Insights

Don’t miss this opportunity to dive deep into the transformative potential of Generative AI and understand how to navigate its security implications with industry experts. Unlock the strategies to harness GenAI for your business securely and effectively.


This article is a contributed piece from one of our valued partners.


