OpenAI announces ‘Preparedness Framework’ to track and mitigate AI risks
The announcement from OpenAI comes in the wake of several major releases focused on AI safety from its chief rival, Anthropic, another leading AI lab that was founded by former OpenAI researchers. Anthropic, which is known for its secretive and selective approach, recently published its Responsible Scaling Policy, a framework that defines specific AI Safety Levels and corresponding protocols for developing and deploying AI models. The two frameworks differ significantly in their structure and methodology. Anthropic’s policy is more formal and prescriptive, directly tying safety measures to model capabilities and pausing development if safety cannot be demonstrated. OpenAI’s framework is more flexible and adaptive, setting general risk thresholds that trigger reviews rather than predefined levels. ... Experts say both frameworks have their merits and drawbacks, but Anthropic’s approach may have an edge in terms of incentivizing and enforcing safety standards. From our analysis, it appears Anthropic’s policy bakes safety into the development process, whereas OpenAI’s framework remains looser and more discretionary, leaving more room for human judgment and error.
Australian federal government opens consultation on mandatory ransomware reporting obligation for businesses
The government is looking to develop legislation to "encourage" businesses to
voluntarily provide information to ASD and the Cyber Coordinator about a cyber
incident under a limited basis that would prevent the agencies from using this
information for compliance action against the reporting organizations. The
idea is to give more information than current regulation requires so the
agencies can provide better support when businesses are under attack and to
mitigate harms to individuals arising from cyber security incidents. ... Home
Affairs is seeking input from industry on the design and implementation of a
cyber incident review board (CIRB). It is proposed that the CIRB would conduct
no-fault incident reviews to reflect on lessons learned from cyber incidents,
and share these lessons learned with the Australian public. The paper stated
that the CIRB would not be a law enforcement, intelligence or regulatory body.
It would be allowed to request information related to a cyber incident but
would not have powers to compel an organization to do so.
US Lawmakers Urge Pushback on EU’s Big Tech Crackdown
CIOs, CISOs, and other IT leaders should keep a watchful eye on the EU's
regulatory developments, Martha Heller, CEO at executive search firm Heller
Search, tells InformationWeek. “The EU’s legislative move to curtail the power
of US tech companies is a double-edge sword,” she says in an email interview.
“Its mandate that the largest US-based tech companies give users more choice
among services could give smaller technology companies a fighting chance. But
its bias against US tech companies could limit the US’s ability to compete on
the global market.” Heller adds, “As both producers and enterprise consumers
of technology, CIOs and CTOs should pay close attention to the EU, as it
leverages its watchdog position.” ... For CIOs, keeping track of regulatory
considerations is not getting easier moving forward. “You have five big US
tech companies that are primarily affected,” Chin-Rothmann says. “You must
look at that in context with all of the other digital laws globally. It’s
going to be a pretty complex regulatory patchwork. And when the EU regulates,
other countries tend to follow suit.”
Web injections are back on the rise: 40+ banks affected by new malware campaign
Our analysis indicates that in this new campaign, threat actors’ intention
with the web injection module is likely to compromise popular banking
applications and, once the malware is installed, intercept the users’
credentials in order to then access and likely monetize their banking
information. Our data shows that threat actors purchased malicious domains in
December 2022 and began executing their campaigns shortly after. Since early
2023, we’ve seen multiple sessions communicating with those domains, which
remain active as of this blog’s publication. Upon examining the injection, we
discovered that the JS script is targeting a specific page structure common
across multiple banks. When the requested resource contains a certain keyword
and a login button with a specific ID is present, new malicious content is
injected. Credential theft is executed by adding event listeners to this
button, with an option to steal a one-time password (OTP) token with it. This
web injection doesn’t target banks with different login pages, but it does
send data about the infected machine to the server and can easily be modified
to target other banks.
New Malvertising Campaign Distributing PikaBot Disguised as Popular Software
The latest initial infection vector is a malicious Google ad for AnyDesk that,
when clicked by a victim from the search results page, redirects to a fake
website named anadesky.ovmv[.]net that points to a malicious MSI installer
hosted on Dropbox. It's worth pointing out that the redirection to the bogus
website only occurs after fingerprinting the request, and only if it's not
originating from a virtual machine. "The threat actors are bypassing Google's
security checks with a tracking URL via a legitimate marketing platform to
redirect to their custom domain behind Cloudflare," Segura explained. "At this
point, only clean IP addresses are forwarded to the next step." Interestingly,
a second round of fingerprinting takes place when the victim clicks on the
download button on the website, likely in an added attempt to ensure that it's
not accessible in a virtualized environment. Malwarebytes said the attacks are
reminiscent of previously identified malvertising chains employed to
disseminate another loader malware known as FakeBat (aka EugenLoader).
SSH shaken, not stirred by Terrapin vulnerability
As the university trio put it this week, a successful Terrapin attack can
"lead to using less secure client authentication algorithms and deactivating
specific countermeasures against keystroke timing attacks in OpenSSH 9.5." In
some very specific circumstances, it could be used to decrypt some secrets,
such as a user's password or portions of it as they log in, but this is
non-trivial and will pretty much fail in practicality. Let's get to the nitty
gritty. We'll keep it simple; for the full details, see the paper. When an SSH
client connects to an SSH server, before they've established a secure,
encrypted channel, they will perform a handshake in which they exchange
information about each other in plaintext. Each side has two sequence
counters: one for received messages, and one for sent messages. Whenever a
message is sent or received, the relevant sequence counter is incremented; the
counters thus keep a running tally of the number of sent and received messages
for each side. As a MITM attack, Terrapin involves injecting a plaintext
'ignore' message into the pre-secure connection, during the handshake, so that
the client thinks it came from the server and increments its sequence counter
for received messages. The message is otherwise ignored.
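The counter bookkeeping described above, as an added example that is not from the quoted article or the Terrapin paper: a reduced Python model (two plaintext handshake messages, HMAC-SHA256 over sequence number plus payload, a constructed key) showing that one extra handshake-phase 'ignore' message leaves the client's receive counter one ahead, so the first protected packet fails its integrity check unless both sides reset their counters when the new keys are activated. That reset is the "strict key exchange" countermeasure, which the excerpt does not cover; the class and function names are hypothetical.

```python
import hashlib
import hmac
import struct

SSH_MSG_IGNORE, SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS = 2, 20, 21  # RFC 4253 numbers

class Endpoint:
    """One side of a toy SSH transport: sequence counters and a MAC, no encryption."""
    def __init__(self, mac_key, reset_on_newkeys=False):
        self.mac_key = mac_key
        self.reset_on_newkeys = reset_on_newkeys  # models the strict-KEX counter reset
        self.send_seq = 0
        self.recv_seq = 0

    def send_plain(self, msg_type):
        self.send_seq += 1                        # handshake messages count too
        if msg_type == SSH_MSG_NEWKEYS and self.reset_on_newkeys:
            self.send_seq = 0
        return msg_type

    def recv_plain(self, msg_type):
        self.recv_seq += 1                        # incremented even for 'ignore'
        if msg_type == SSH_MSG_NEWKEYS and self.reset_on_newkeys:
            self.recv_seq = 0

    def _mac(self, seq, payload):
        # The sequence number is never transmitted; it is an implicit MAC input.
        data = struct.pack(">I", seq) + payload
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()

    def send_protected(self, payload):
        tag = self._mac(self.send_seq, payload)
        self.send_seq += 1
        return payload, tag

    def recv_protected(self, payload, tag):
        ok = hmac.compare_digest(tag, self._mac(self.recv_seq, payload))
        self.recv_seq += 1
        return ok

def first_packet_verifies(inject_ignore, reset_on_newkeys):
    """Run the reduced handshake; return whether the first protected packet verifies."""
    key = b"constructed-demo-key"                 # constructed sample key
    server = Endpoint(key, reset_on_newkeys)
    client = Endpoint(key, reset_on_newkeys)
    client.recv_plain(server.send_plain(SSH_MSG_KEXINIT))
    if inject_ignore:
        client.recv_plain(SSH_MSG_IGNORE)         # extra message the server never sent
    client.recv_plain(server.send_plain(SSH_MSG_NEWKEYS))
    return client.recv_protected(*server.send_protected(b"first protected packet"))
```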
SMTP Smuggling Allows Spoofed Emails to Bypass Authentication Protocols
Using SMTP Smuggling, an attacker can send out a spoofed email purporting to
come from a trusted domain and bypass the SPF, DKIM and DMARC email
authentication mechanisms, which are specifically designed to prevent spoofing
and its use in spam and phishing attacks. An analysis found that the attack
technique could allow an attacker to send emails spoofing millions of domains,
including ones belonging to high-profile brands such as Microsoft, Amazon,
PayPal, eBay, GitHub, Outlook, Office365, Tesla, and Mastercard. The attack
was demonstrated by sending spoofed emails apparently coming from the address
‘admin(at)outlook.com’. However, attacks against these domains are possible —
or were possible, because some vendors have applied patches — due to the way a
handful of major email service providers set up SMTP servers. The vendors
identified by the researchers are GMX (Ionos), Microsoft and Cisco. The
findings were reported to these vendors in late July. GMX fixed the issue
after roughly 10 days. Microsoft assigned it a ‘moderate severity’ rating and
rolled out a patch sometime in the middle of October.
Digital Transformation: Composable Applications And Micro-Engagements
Composable applications are characterized by one simple concept. Organizations
are evolving beyond the method of integrating low-level services, and they’re
gravitating to consuming higher-level micro-engagements. Micro-engagements are
defined as small, repeatable experiences that can be preconfigured and
consumed within a larger environment. Organizations are questioning why they
need to re-create the wheel (or in this instance, the experience) using
low-level services. Why can’t they simply leverage commonly repeatable
experiences and lower their overall technical debt while increasing overall
agility? ... Once embraced, organizations adopting the composable application
mindset will be biased toward vendors who provide use cases or
process-specific micro-engagements. Out-of-the-box micro-engagements can be
quickly and easily discovered, evaluated, integrated, branded and deployed
with minimal effort and risk, and vendors that provide no-code platforms can
enable organizations to quickly and easily create their own reusable
micro-engagements.
CISO: Your Tech Security Guide
Every business, regardless of size, necessitates a security leader overseeing
technology, information, and data security, even if not designated as a CISO.
While midsize and larger enterprises commonly appoint a CISO within their
C-suite, smaller businesses may delegate such responsibilities to a tech
executive like a director of cybersecurity. Some smaller or startup
enterprises opt to outsource the CISO role, enhancing protection for their
intellectual property, data, and IT infrastructure. ... A CISO’s contribution
lies in their comprehensive understanding of security, connecting various
security facets with the organization’s IT systems and networks. They leverage
this perspective to pinpoint security risks and devise effective management
strategies. Successful CISOs adeptly articulate complex security issues in
layman’s terms, enabling leadership to grasp the implications. ... Becoming a
CISO involves understanding cybersecurity’s technical foundations alongside
practical management principles, encompassing people, processes, and
technology. Critical attributes include a fervor for information technology,
commitment to ongoing learning, adept leadership, familiarity with security
standards, and relevant certifications (CISSP, CISM).
Is Your Product Manager Hurting Platform Engineering?
Having a product manager from day one can lower oxygen levels for your
platform team. Feedback may be filtered, delayed or misunderstood, massively
reducing its value and making good outcomes less likely. Platform engineers
should bathe in the full, grainy details of the feedback and use it to enrich
their understanding of the tasks their customers are trying to complete — and
where they are underserviced when completing those jobs. This helps the
platform team create innovative solutions that may solve multiple unmet needs.
You don’t have to use the Jobs To Be Done (JTBD) framework here. The crucial
detail is that by immersing yourself in the customer’s needs, you can come up
with ideas that solve many pain points instead of falling into the
feature-factory trap of solving problem after problem. ... While it’s tempting
to think ahead to what happens when your platform has achieved total adoption,
been spun into a subsidiary organization, and had a conference named after it,
it’s worth understanding that scale is not why you’ll add a product
manager.
Quote for the day:
"Effective team leaders adjust their style to provide what the group can't provide for itself." -- Kenneth Blanchard