Daily Tech Digest - July 19, 2022

Open source isn’t working for AI

It’s hard to trust AI if we don’t understand the science inside the machine. We need to find ways to open up that infrastructure. Loukides has an idea, though it may not satisfy the most zealous of free software/AI folks: “The answer is to provide free access to outside researchers and early adopters so they can ask their own questions and see the wide range of results.” No, not by giving them keycard access to Facebook’s, Google’s, or OpenAI’s data centers, but through public APIs. It’s an interesting idea that just might work. But it’s not “open source” in the way that many desire. That’s probably OK. ... Because open source is inherently selfish, companies and individuals will always open code that benefits them or their own customers. Always been this way, and always will. To Loukides’ point about ways to meaningfully open up AI despite the delta between the three AI giants and everyone else, he’s not arguing for open source in the way we traditionally did under the Open Source Definition. Why? Because as fantastic as it is (and it truly is), it has never managed to answer the cloud open source quandary—for both creators and consumers of software—that DiBona and Zawodny laid out at OSCON in 2006.

Botnet malware disguises itself as password cracker for industrial controllers

What's weird is that the malware also deploys code to check the clipboard contents for cryptocurrency wallet addresses, and silently rewrites those details to point to another wallet so as to steal people's funds. Remember, this is running on PCs normally connected to industrial equipment, so perhaps the crooks behind this caper just grabbed some generic nasty to use. "Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes," the team wrote. The Sality malware family has been around for almost two decades, first being detected in 2003, and can be commanded by its masterminds to perform other malicious actions, such as attacking routers, F-Secure analysts wrote in a report. Sality maintains persistence on the host PC through process injection and file infection, and abusing Windows' autorun functionality to spread copies of itself over USB, network shares, and external storage drives, according to Dragos.

Rescale and Nvidia partner to automate industrial metaverse

The new partnership between Rescale and Nvidia will allow enterprises to connect workflows between Rescale’s existing catalog of engineering and scientific containers, Nvidia’s extensive NGC offerings, and enterprises’ standard containers of their own models and supporting software. This new containerized approach to engineering software means teams can specify the software libraries and configurations that reflect industry best practices. The recent Nvidia and Siemens partnership is an ambitious effort to bring together physics-based digital models and real-time AI. Rescale’s announcement with Nvidia enhances this partnership, as accelerated computing combined with high-performance computing is the foundation that powers these use cases. For example, enterprises can take advantage of Nvidia’s work on Modulus, which uses AI to speed up physics simulations hundreds or thousands of times. Siemens estimates that integrating physics and AI models could help save the power industry $1.7 billion in reduced turbine maintenance. The partnership could also make it easier for companies to integrate other apps that work on these tools.

Uber Files leak shows why India’s approach to security and privacy matters

In the Uber Files investigation led by The Guardian under the International Consortium of Investigative Journalists or ICAJ, the leaked documents provide evidence of law breaking, lobbying world leaders, using stealth technologies to evade raids and opaque algorithms deployed by the Uber Corporation in 2012-16. In the documents, there have been instances where Uber executives have sanctioned the use of stealth technologies like the ‘Kill Switch’ to evade regulations and efforts of investigative agencies for a fair probe in India, Belgium and other countries. On similar lines, reports indicate that e-commerce giant Amazon spent more than Rs 8,000 crore in India on legal fees in 2018-20. There are numerous incidents like these where regulators are in a Catch-22 situation of regulation and innovation. The Uber Files tell how technology platforms deploy a multi-pronged strategy to subvert public opinion with sponsored academic work, allying with public officials, and wilfully stifling investigations of law enforcement agencies to dodge regulatory efforts for better transparency, accountability and public scrutiny of their architecture.

Is Microsoft’s VS Code really open source?

“Microsoft modifies VS Code in a way that a non-Microsoft VS Code fork can’t use extensions from the official Microsoft VS Code store. Not only that, some of the VS Code extensions developed and released by Microsoft will only work in the VS Code released by Microsoft and won’t work on non-Microsoft VS Code forks,” mentioned Ranatunge in his blog post. Microsoft has made similar moves in the past. It modified the open-source cross-platform IDE MonoDevelop as Visual Studio for Mac. The Visual Studio for Mac has three versions- for students, professionals and enterprises. While the students’ version is free and supports classroom learning, individual developers and small companies must log in via IDE to access the other versions. In 2021, Microsoft abruptly removed the Hot Reload functionality from the open-source .NET SDK, only to revoke it later as it had enraged the .NET community. As stated, Microsoft follows an open-core model for VS code. Therefore, developers who want access to the full open source code that is MIT licensed will have to download the code from the repository and then build the VS code on their own.

Open source security needs automation as usage climbs amongst organisations

"OSS is not insecure per se…the challenge is with all the versions and components that may make up a software project," he explained. "It is impossible to keep up without automation and prioritisation." He noted that the OSS community was responsive in addressing security issues and deploying fixes, but organisations tapping OSS would have to navigate the complexity of ensuring their software had the correct, up-to-date codebase. This was further compounded by the fact that most organisations would have to manage many projects concurrently, he said, stressing the importance of establishing a holistic software security strategy. He further pointed to the US National Institute of Standards and Technology (NIST), which offered a software supply chain framework that could aid organisations in planning their OSS security response. Asked if regulations were needed to drive better security practices, Liu said most companies saw cybersecurity as a cost and would not want to address it actively in the absence of any incentive.

How To Minimize the Impacts of Shadow IT on Your Business

Organizations looking to manage and mitigate the negative impacts of shadow IT must first perform an internal audit. Cloud security applications such as Microsoft’s Cloud App Security detect unsanctioned usage of applications and data. But detecting shadow IT is only one part of the equation. Companies should work to address the root causes. This may include optimizing communications between departments – particularly the IT team and other departments. If one department discovers a software solution that may be beneficial, they should feel comfortable approaching the IT team. CIOs and IT staff should develop processes that allow them to streamline software assessment and procurement. They should be able to give in-depth reasons why a particular tool suggested by a non-IT employee may be impracticable. Additionally, it is recommended that IT staff suggest a better alternative if they reject a proposed tool. Organizations should consider training non-IT staff in cybersecurity literacy and awareness. 

Gatling vs JMeter - What to Use for Performance Testing

There's a saying that every performance tester should know: "lies, damn lies, and statistics." If they don't know it yet, they will surely learn it in a painful way. A separate article could be written about why this sentence should be the mantra in the performance test area. In a nutshell: median, arithmetic mean, standard deviation are completely useless metrics in this field (you can use them only as an additional insight). You can get more detail on that in this great presentation by Gil Tene, CTO and co-founder at Azul. Thus, if the performance testing tool only provides this static data, it can be thrown right away. The only meaningful metrics to measure and to compare performance are the percentiles. However, you should also use them with some suspicion about how they were implemented. Very often the implementation is based on the arithmetic mean and standard deviation, which, of course, makes them equally useless. ... Another approach would be to check the source code of implementation yourself. I regret that most of the performance test tools documentation does not cover how percentiles are calculated. 

BlackCat Adds Brute Ratel Pentest Tool to Attack Arsenal

Sophos investigators found that the attacker used commercially available tools such as AnyDesk and TeamViewer and also installed nGrok, an open-source remote access tool. "The attackers also used PowerShell commands to download and execute Cobalt Strike beacons on some machines, and a tool called Brute Ratel, which is a more recent pen-testing suite with Cobalt Strike-like remote access features," Brandt says. Sophos researchers found that the Brute Ratel binary was installed as a Windows service named wewe in an affected machine. One of the bigger challenges for the Sophos investigators was that some of the targeted organizations were running the same servers that were compromised using the Log4j vulnerability. Apart from ransoming systems on the network, the threat actors collected and exfiltrated sensitive data from the targets and uploaded large volumes of data to Mega, a cloud storage provider. The attackers used a third-party tool called DirLister to create a list of accessible directories and files, or in some cases used a PowerShell script from a pen tester toolkit, called PowerView.ps1, to enumerate the machines on the network. 

Removing the blind spots that allow lateral movement

One of the biggest challenges of lateral movement detection is its low anomaly factor. Lateral movement attacks exploit the gaps in an organization’s user authentication process. Such attacks tend to remain undetected because the authentication performed by the attacker is essentially identical to the authentication made by a legitimate user. Following the initial “patient zero” compromise, the attacker uses valid credentials to log in to organizational systems or applications. Therefore, the standard IAM infrastructure in place legacy cannot detect any anomaly during this process, which allows attackers to slip through and remain in the network undetected. Another key challenge is the potential mismatch or disparity between endpoint and identity protection aspects. Endpoint protection solutions are mainly focused on detecting anomalies in file and process execution. However, the attacker gains access by exploiting the legitimate authentication infrastructure, utilizing legitimate files and process. Therefore, it doesn’t appear on the radar of endpoint solutions.

Quote for the day:

"Sport fosters many things that are good; teamwork and leadership" -- Daley Thompson

No comments:

Post a Comment