Debian Linux Security Advisory 5793-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5793-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 20, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957                  CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961                  CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965                  CVE-2024-9966Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 130.0.6723.58-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcUsNcACgkQZF0CR8Nudjd6rg//bZLkI/saFvjiULKRewv88ToCLOpx5l4ht0nHNYjW0Sy1I0FP3YtN8oZN4jJ+pJjDbxEkNDFmoPWVZP+wsUEtBottwQ1mkhSVroH9dJeNs9jWs4Rnxp7S6d3wsIYEQ99gQrPpjBr8jTSjffrLZzc0QlltdiVoc3A2RW9+RSKb/Yql+ylIRJGNI4frHDTkuFVRpC6m+T25Fbak3zF7v8tSOiQNH/2LE/Ez9wV3/PwQxTj6eGRLrJ0SkvwlDh8Z9Y8rm6auLTOxriA3dJfZR1rcmJN4kROyTMBwJTmdfCx03kyHQhxLowEABflzpyUdhqvrFAnnrfLqxTDO9odXJl7uu7sQiM4ed0LSKaX+ycrtHUhmZjWSlhbdE7eywZNAKX9rWf3ZkzqMz8gj256YPbAf1stq/I5vMlophU91X70KNMkogNIdo86ntxkB+vl6ded4LLcUFZYKrdurWD86QNNx0lQRXTlBGfTN+f0ujySbpvBGalpgK2UwLUVhP44q5ZhB1vvgw7ZwVQhpF7Cr1mb0bgR3WYg4XUZKG0jv+UQMR6yW2RxMaOkaKGbUXod+/L0OgN28yw10mg0PKBJKCR5iIxMj+jIAhlOPxiMBZbGYwYzPM5bgqwFRvXdgW1CiVrnRKVp2gN/RPmqF54ExcqyQN1TN4uguzHST/A1xUbtWtt8==vfgN-----END PGP SIGNATURE-----

Debian Security Advisory 5793-1

Helper is an enumerator written in PHP that helps identify directories on webservers that could be targets for things like cross site scripting, local file inclusion, remote shell upload, and remote SQL injection vulnerabilities.

Helper 0.1

Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \app\backend\controller\auth\Auth.php.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-7pp4-388x-2xqj: SQL injection in funadmin

Pentest Checklists Are More Important Than Ever
Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization’s attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically

Penetration Testing / API Security

****Pentest Checklists Are More Important Than Ever****

Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization's attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically uncover vulnerabilities in various assets like networks, applications, APIs, and systems. They ensure no critical area is overlooked and guide the testing process, making it more efficient and effective at identifying security weaknesses that could be exploited by attackers. A pentest checklist essentially leaves no stone unturned and is a detailed and comprehensive list of every type of vulnerability in which to simulate an attack against.

Each asset being tested, however, requires a different pentest checklist tailored to its specific characteristics and risks. For example, a checklist for pentesting web applications – which remains one of the top targets by malicious actors - will be quite lengthy but encompasses vulnerabilities that are unique to external-facing apps. These specialized checklists are a litmus test to ensure that security measures are evaluated, assesses for effectiveness, depending on the asset, and make overall testing more targeted and relevant to each environment.

BreachLock recently introduced a comprehensive guide that includes detailed pentest checklists of the primary stages involved in pentesting using various frameworks such as OWASP Top 10 and OWAS ASVS across every asset and all respective associated vulnerabilities for the following:

*   **Network –** A pentest checklist for a Black Box external network testing including information gather, vulnerability scanning and enumeration, generic security findings, and service-based testing.
*   **Web Applications**. A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **APIs –** A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **Mobile -** A pentest checklist for Gray Box testing including static analysis, dynamic analysis, and network analysis.
*   **Wireless** – An abbreviated pentest checklist including identification of wireless network (SSID), unauthorized access to wireless networks, access security controls, and rogue access point detection
*   **Social Engineering**\- Aa abbreviated pentest checklist including phishing attacks, pretexting and impersonation, USB drops, and physical penetration.

This is a summary of why pentest checklists are important including an overview of a general pentest checklist. A complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets, can be accessed here.

****Overview of Pentesting Delivery Models****

Penetration testing has become one of the most effective offensive security measures to identify and assess vulnerabilities across both internal and external attack surfaces. Traditional pentesting methods have certainly evolved and penetration testing services are now widely used to help fortify an organization's security posture.

Pentesting is carried out by certified security experts who simulate real-world attacks to identify vulnerabilities for assessment and mitigation within a specific scope. These tests are based on detailed pentest checklists that are tailored by asset (e.g., web applications, network, APIs, etc.) and act as a guide for the pentest checklist process, ensuring standardized frameworks are used and testing adheres to applicable compliance requirements.

To better understanding pentesting, below are the varied methods used for penetration testing that lie in the delivery model, scalability, and frequency of testing, followed by pentest checklists by asset type.

****Delivery Models****

1.  **Traditional Penetration Testing:** Typically performed manually by a team of certified pentesting experts over a fixed period (often a few days or weeks). The engagement is project-based with a final report delivered upon completion of testing.
    *   **Frequency:** Usually performed on a periodic basis, such as annually or semi-annually, as part of compliance requirements or security audits.
    *   **Scalability:** Limited in scalability due to the manual effort required by human testers and the one-off nature of the engagement.
    *   **Advantage:** Deep analysis, thorough testing tailored to specific security requirements, and direct engagement with pentest experts.
    *   **Challenges:** Fixed time frame and limited scope of assessment, which can leave gaps between tests.
2.  **Penetration Testing as a Service (PTaaS):** PTaaS is a cloud-based model that offers ongoing penetration testing services, often integrated with platforms that provide real-time reporting and collaboration. It combines automated tools with human-led expertise.
    *   **Frequency:** A more proactive approach that allows for continuous or more frequent approach to detecting and updating vulnerabilities as they emerge, .
    *   **Scalability:** Highly scalable, as it leverages automation, cloud infrastructure, and hybrid models (automated testing with human validation), enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Scalable, on-demand accessibility, hybrid efficiency, convenience, provides real-time insights, and allows for ongoing security testing.
3.  **Automated or Continuous Penetration Testing:** Uses automation to continuously monitor and test systems for vulnerabilities and is often integrated with tools that run periodic scans.
    *   **Frequency:** Provides ongoing or continuous assessments rather than periodic tests. Can be used for ongoing pentesting to validate security measure and/or to uncover new vulnerabilities as they emerge.
    *   **Scalability:** Highly scalable, as it leverages automation enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Efficient for frequent testing of repetitive tasks or enterprises in high computing environments, cost-effective, and ideal for covering large attack surfaces and complex IT infrastructures.
    *   **Challenges:** Limited in identifying complex vulnerabilities and unique attack paths that require human intuition.
4.  **Human-led Penetration Testing:** A manual and well-scoped process where certified pentest experts simulate realistic attack scenarios and TTPs, focusing on complex vulnerabilities that automated tools may miss.
    *   **Frequency:** Relies on a human-driven approach whereby certified pentest experts explore potential attack vectors. Frequency is usually project-led and periodic.
    *   **Scalability:** Highly customized to the enterprise's unique environment and assets. However, limited scalability due to the manual effort required by human testers
    *   **Advantage:** In-depth analysis, greater flexibility, and a high success rate in discovering sophisticated vulnerabilities.
    *   **Challenges:** Can be more time-consuming and costly than automated methods.

****Pentest Checklists Across Your Attack Surfaces********High-Level Pentest Checklist****

Creating a detailed pentest checklist is essential for performing thorough and effective security assessments. This first checklist is a general but expanded checklist that offers a structure approach to ensure both enterprises and CREST-certified pentest experts cover all critical areas in evaluating cybersecurity defenses.

1.  **Set Clear Objectives and Define Scope**
    *   **Clarify Goals:** Set concise objectives of the pentest engagement, such as identifying weaknesses for specific assets, compliance or security audit, or post-incident reconnaissance.
    *   **Define Scope:** Specify the systems, networks, and applications that will be tested, including the type of testing (e.g., black box, white box, gray box) for each asset.
    *   **Establish Boundaries:** Set parameters to avoid disrupting operations, such as not testing certain assets or limiting tests to outside business hours.
2.  **Assemble Penetration Testing Team**
    *   **Build a Skilled Team:** Include certified professionals with diverse expertise, such as network, application security, or social engineering specialists.
    *   **Check Credentials:** Ensure pentest experts have relevant certifications like CREST, OSCP, OSWE, CEH, or CISSP, along with hands-on experience.
3.  **Obtain Necessary Approvals**
    *   **Get Formal Authorization:** Secure written consent from stakeholders detailing and agreeing upon scope, objectives, and limitations of the test to ensure legal compliance.
    *   **Document Process:** Record all stages of the approval process, including discussions and any agreed-upon conditions. If using a third-party pentesting provider, the scope and process should be documented and signed off on.
4.  **Information Gathering**
    *   **Analyze Targets:** Gather comprehensive information about the infrastructure, including hardware, software, network design, and configurations.
    *   **Use OSINT:** Apply open-source intelligence techniques to gather additional insights into the enterprise's online presence and potential weak points.
5.  **Generating a Pentest Roadmap**
    *   **Attack Surface Management:** Run automated scans using tools such as Nessus or OpenVAS to identify vulnerabilities, focusing on identifying issues without manual input to create a preliminary roadmap for penetration testing.
    *   **Validate Findings:** Results from these scans can be validated to rule out false positives, understand the real context and impact of each potential vulnerability, and categorize by severity to provide a clear roadmap for penetration testing.
6.  **Create a Threat Model**
    *   **Identify Potential Threats:** Review recent attacks and TTPs, consider likely attackers - from random hackers to more targeted - likely attack paths, sophisticated entities, and their motivations.
    *   **Map Attack Vectors:** Prioritize the possible ways an attacker could breach an enterprise based on its environment and the current threat landscape.
7.  **Simulate Attacks**
    *   **Follow a Structure Approach:** Conduct attacks systematically, attempting to exploit weaknesses, bypass controls, and gain higher privileges where possible.
    *   **Adhere to Ethical Standards:** Ensure testing is conducted by certified experts, following standardized frameworks and compliance standards, to minimize risks to systems and data.
8.  **Gather Data and Analyze Results**
    *   **Capture Evidence:** Collect thorough evidence for each attack, such as proof of concepts (POCs) via screenshots, potential attack paths for each domain and associated subdomains and IPs.
    *   **Assess Impact:** Evaluate the consequences or impact of each vulnerability, including potential data breaches, system compromise, and operational disruption and prioritize findings by risk severity and potential impact.
9.  **Prepare and Deliver Reports**
    *   **Document Findings:** Provide a detailed report on each vulnerability and technical descriptions, POCs, risk severity, potential impact, and remediation recommendations.
    *   **Prioritization:** Penetration testing or PTaaS providers will work with enterprises to rank vulnerabilities based on risk and develop a plan for remediation in line with available resources.
10.  **Support Remediation Efforts**
    *   **Actionable Mitigation:** Present clear recommendations on how to mitigate each issue based on severity and impact.
    *   **Retesting:** Verify effectiveness of remediation by conducting follow-up pentest to ensure issues have been resolved.
11.  **Communicate with Stakeholders**
    *   **Present Results:** Share findings by providing story of impact if no action is taken. This is a much more effective strategy then providing a laundry list of vulnerabilities. Summarize key risks and actions for non-technical stakeholders.
    *   **Foster Dialogue:** Engage in discussions to address any concerns or questions about reporting and remediation efforts.

****Conclusion****

Pentest checklists serve pentest experts and their organizations by ensuring a consistent, comprehensive, and systematic approach to identifying security vulnerabilities. A pentest checklist leaves no stone unturned and facilitates better communication between pentesters and stakeholders. They provide a clear outline of what will be tested, evaluated, and how the findings will be assessed. This transparency helps enterprises understand their security posture and to make more informed decisions about improvements.

Pentest checklists are not only effective in identifying vulnerabilities but ensure a systematic approach, using the best practices, tools, and frameworks, for penetration testing. They benefit pentesters by providing assurances to their organization and stakeholders that they are taking meaningful steps to protect their assets. Pentest checklists are a security blanket for any organization conducting penetration testing as a Service.

For more detailed pentest checklists, click here for the complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Guide:  The Ultimate Pentest Checklist for Full-Stack Security

Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Cybersecurity / Weekly Recap

Hi there! Here's your quick update on the latest in cybersecurity.

Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.

Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date.

In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe.

Let's get started!

****⚡ Threat of the Week****

**China Calls Volt Typhoon an Invention of the U.S.:** China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a "large-scale global internet surveillance network."

****‎️‍Trending CVEs****

CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164

****🔔 Top News****

*   **Apple macOS Flaw Bypasses Privacy Controls in Safari Browser:** Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
*   **Legitimate Red Team Tool Abuse in Real-World Attacks:** Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
*   **TrickMo Can Now Steal Android PINs:** Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device's unlock pattern or PIN by presenting to victims' a bogus web page that mimics the device's actual unlock screen.
*   **FIDO Alliance Debuts New Specs for Passkey Transfer:** One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it's impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
*   **Hijack Loader Uses Legitimate Code-Signing Certificates:** Malware campaigns are now leveraging a loader family called Hijack Loader that's signed legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

****📰 Around the Cyber World****

*   **Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days:** Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
*   **87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113:** About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
*   **Researchers Outline Early Cascade Injection:** Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction."
*   **ESET Israeli Partner Breached to Deliver Wiper Malware:** In a new campaign, threat actors infiltrated cybersecurity company ESET's partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding it was not compromised as a result of the incident.
*   **Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges:** Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it's focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it's using Chrome's accessibility APIs to find security bugs. "We're now 'fuzzing' that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash," Chrome's Adrian Taylor said.

**Cybersecurity Resources & Insights****LIVE Webinars**

**1.** **DSPM Decoded: Learn How Global-e Transformed Their Data Defense**: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this can't-miss webinar, Global-e's CISO breaks down:

*   The exact steps that transformed their data security overnight
*   Insider tricks to implement DSPM with minimal disruption
*   The roadmap that slashed security incidents by 70%

**2.** **Identity Theft 2.0: Defending Against LUCR-3's Advanced Attacks**: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?

Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he:

*   Decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets
*   Unveils the Achilles' heel in your cloud defenses you never knew existed
*   Arms you with the counterpunch that leaves LUCR-3 reeling

This isn't a webinar. It's your war room strategy session against the internet's most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3's next trophy.

**Cybersecurity Tools**

*   **Vulnhuntr****: AI-Powered Open-Source Bug Hunting Tool —** What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.

**Tip of the Week**

**Secure Your Accounts with Hardware Security Key:** For advanced protection, hardware security keys like YubiKey are a game-changer. But here's how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you're never locked out, even if one key is lost. Also, enable "FIDO2/WebAuthn" protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It's security that's physical, smart, and almost foolproof.

****Conclusion****

That's the roundup for this week's cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don't forget, cybersecurity isn't just for the IT team; it's everyone's responsibility. We'll be back next week with more insights and tips to help you stay ahead of the curve.

Stay vigilant, and we'll see you next Monday!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

Donald Trump's opposition to “woke” safety standards for artificial intelligence would likely mean the dismantling of regulations that protect Americans from misinformation, discrimination, and worse.

If Donald Trump wins the US presidential election in November, the guardrails could come off of artificial intelligence development, even as the dangers of defective AI models grow increasingly serious.

Trump’s election to a second term would dramatically reshape—and possibly cripple—efforts to protect Americans from the many dangers of poorly designed artificial intelligence, including misinformation, discrimination, and the poisoning of algorithms used in technology like autonomous vehicles.

The federal government has begun overseeing and advising AI companies under an executive order that President Joe Biden issued in October 2023. But Trump has vowed to repeal that order, with the Republican Party platform saying it “hinders AI innovation” and “imposes Radical Leftwing ideas” on AI development.

Trump’s promise has thrilled critics of the executive order who see it as illegal, dangerous, and an impediment to America’s digital arms race with China. Those critics include many of Trump’s closest allies, from X CEO Elon Musk and venture capitalist Marc Andreessen to Republican members of Congress and nearly two dozen GOP state attorneys general. Trump’s running mate, Ohio senator JD Vance, is staunchly opposed to AI regulation.

“Republicans don't want to rush to overregulate this industry,” says Jacob Helberg, a tech executive and AI enthusiast who has been dubbed “Silicon Valley’s Trump whisperer.”

But tech and cyber experts warn that eliminating the EO’s safety and security provisions would undermine the trustworthiness of AI models that are increasingly creeping into all aspects of American life, from transportation and medicine to employment and surveillance.

The upcoming presidential election, in other words, could help determine whether AI becomes an unparalleled tool of productivity or an uncontrollable agent of chaos.

**Oversight and Advice, Hand in Hand**

Biden’s order addresses everything from using AI to improve veterans’ health care to setting safeguards for AI’s use in drug discovery. But most of the political controversy over the EO stems from two provisions in the section dealing with digital security risks and real-world safety impacts.

One provision requires owners of powerful AI models to report to the government about how they’re training the models and protecting them from tampering and theft, including by providing the results of “red-team tests” designed to find vulnerabilities in AI systems by simulating attacks. The other provision directs the Commerce Department’s National Institute of Standards and Technology (NIST) to produce guidance that helps companies develop AI models that are safe from cyberattacks and free of biases.

Work on these projects is well underway. The government has proposed quarterly reporting requirements for AI developers, and NIST has released AI guidance documents on risk management, secure software development, synthetic content watermarking, and preventing model abuse, in addition to launching multiple initiatives to promote model testing.

Supporters of these efforts say they’re essential to maintaining basic government oversight of the rapidly expanding AI industry and nudging developers toward better security. But to conservative critics, the reporting requirement is illegal government overreach that will crush AI innovation and expose developers’ trade secrets, while the NIST guidance is a liberal ploy to infect AI with far-left notions about disinformation and bias that amount to censorship of conservative speech.

At a rally in Cedar Rapids, Iowa, last December, Trump took aim at Biden’s EO after alleging without evidence that the Biden administration had already used AI for nefarious purposes.

“When I’m reelected,” he said, “I will cancel Biden’s artificial intelligence executive order and ban the use of AI to censor the speech of American citizens on Day One.”

**Due Diligence or Undue Burden?**

Biden’s effort to collect information about how companies are developing, testing, and protecting their AI models sparked an uproar on Capitol Hill almost as soon as it debuted.

Congressional Republicans seized on the fact that Biden justified the new requirement by invoking the 1950 Defense Production Act, a wartime measure that lets the government direct private-sector activities to ensure a reliable supply of goods and services. GOP lawmakers called Biden’s move inappropriate, illegal, and unnecessary.

Conservatives have also blasted the reporting requirement as a burden on the private sector. The provision “could scare away would-be innovators and impede more ChatGPT-type breakthroughs,” Representative Nancy Mace said during a March hearing she chaired on “White House overreach on AI.”

Helberg says a burdensome requirement would benefit established companies and hurt startups. He also says Silicon Valley critics fear the requirements “are a stepping stone” to a licensing regime in which developers must receive government permission to test models.

Steve DelBianco, the CEO of the conservative tech group NetChoice, says the requirement to report red-team test results amounts to de facto censorship, given that the government will be looking for problems like bias and disinformation. “I am completely worried about a left-of-center administration … whose red-teaming tests will cause AI to constrain what it generates for fear of triggering these concerns,” he says.

Conservatives argue that any regulation that stifles AI innovation will cost the US dearly in the technology competition with China.

“They are so aggressive, and they have made dominating AI a core North Star of their strategy for how to fight and win wars,” Helberg says. “The gap between our capabilities and the Chinese keeps shrinking with every passing year.”

**“Woke” Safety Standards**

By including social harms in its AI security guidelines, NIST has outraged conservatives and set off another front in the culture war over content moderation and free speech.

Republicans decry the NIST guidance as a form of backdoor government censorship. Senator Ted Cruz recently slammed what he called NIST’s “woke AI ‘safety’ standards” for being part of a Biden administration “plan to control speech” based on “amorphous” social harms. NetChoice has warned NIST that it is exceeding its authority with quasi-regulatory guidelines that upset “the appropriate balance between transparency and free speech.”

Many conservatives flatly dismiss the idea that AI can perpetuate social harms and should be designed not to do so.

“This is a solution in search of a problem that really doesn't exist,” Helberg says. “There really hasn’t been massive evidence of issues in AI discrimination.”

Studies and investigations have repeatedly shown that AI models contain biases that perpetuate discrimination, including in hiring, policing, and health care. Research suggests that people who encounter these biases may unconsciously adopt them.

Conservatives worry more about AI companies’ overcorrections to this problem than about the problem itself. “There is a direct inverse correlation between the degree of wokeness in an AI and the AI's usefulness,” Helberg says, citing an early issue with Google’s generative AI platform.

Republicans want NIST to focus on AI’s physical safety risks, including its ability to help terrorists build bioweapons (something Biden’s EO does address). If Trump wins, his appointees will likely deemphasize government research on AI’s social harms. Helberg complains that the “enormous amount” of research on AI bias has dwarfed studies of “greater threats related to terrorism and biowarfare.”

**Defending a “Light-Touch Approach”**

AI experts and lawmakers offer robust defenses of Biden’s AI safety agenda.

These projects “enable the United States to remain on the cutting edge” of AI development “while protecting Americans from potential harms,” says Representative Ted Lieu, the Democratic cochair of the House’s AI task force.

The reporting requirements are essential for alerting the government to potentially dangerous new capabilities in increasingly powerful AI models, says a US government official who works on AI issues. The official, who requested anonymity to speak freely, points to OpenAI’s admission about its latest model’s “inconsistent refusal of requests to synthesize nerve agents.”

The official says the reporting requirement isn’t overly burdensome. They argue that, unlike AI regulations in the European Union and China, Biden’s EO reflects “a very broad, light-touch approach that continues to foster innovation.”

Nick Reese, who served as the Department of Homeland Security’s first director of emerging technology from 2019 to 2023, rejects conservative claims that the reporting requirement will jeopardize companies’ intellectual property. And he says it could actually benefit startups by encouraging them to develop “more computationally efficient,” less data-heavy AI models that fall under the reporting threshold.

AI’s power makes government oversight imperative, says Ami Fields-Meyer, who helped draft Biden’s EO as a White House tech official.

“We’re talking about companies that say they’re building the most powerful systems in the history of the world,” Fields-Meyer says. “The government’s first obligation is to protect people. ‘Trust me, we’ve got this’ is not an especially compelling argument.”

Experts praise NIST’s security guidance as a vital resource for building protections into new technology. They note that flawed AI models can produce serious social harms, including rental and lending discrimination and improper loss of government benefits.

Trump’s own first-term AI order required federal AI systems to respect civil rights, something that will require research into social harms.

The AI industry has largely welcomed Biden’s safety agenda. “What we're hearing is that it’s broadly useful to have this stuff spelled out,” the US official says. For new companies with small teams, “it expands the capacity of their folks to address these concerns.”

Rolling back Biden’s EO would send an alarming signal that “the US government is going to take a hands off approach to AI safety,” says Michael Daniel, a former presidential cyber adviser who now leads the Cyber Threat Alliance, an information sharing nonprofit.

As for competition with China, the EO’s defenders say safety rules will actually help America prevail by ensuring that US AI models work better than their Chinese rivals and are protected from Beijing’s economic espionage.

**Two Very Different Paths**

If Trump wins the White House next month, expect a sea change in how the government approaches AI safety.

Republicans want to prevent AI harms by applying “existing tort and statutory laws” as opposed to enacting broad new restrictions on the technology, Helberg says, and they favor “much greater focus on maximizing the opportunity afforded by AI, rather than overly focusing on risk mitigation.” That would likely spell doom for the reporting requirement and possibly some of the NIST guidance.

The reporting requirement could also face legal challenges now that the Supreme Court has weakened the deference that courts used to give agencies in evaluating their regulations.

And GOP pushback could even jeopardize NIST’s voluntary AI testing partnerships with leading companies. “What happens to those commitments in a new administration?” the US official asks.

This polarization around AI has frustrated technologists who worry that Trump will undermine the quest for safer models.

“Alongside the promises of AI are perils,” says Nicol Turner Lee, the director of the Brookings Institution’s Center for Technology Innovation, “and it is vital that the next president continue to ensure the safety and security of these systems.”

A Trump Win Could Unleash Dangerous AI

A new document shows the Department of Homeland Security is concerned that Chinese investment in lithium batteries to power energy grids will make them a threat to US supply chain security.

Analysts at the US Department of Homeland Security shared an internal report to local agencies in August, warning them about the economic risks of using Chinese utility storage batteries. It warns that the dependence on Chinese batteries could hurt developing a secure supply chain in the US.

The document, first obtained by national security transparency nonprofit Property of the People and seen by WIRED, accuses Chinese companies of “using People’s Republic of China state support to quickly and cheaply enter the emerging US utility battery energy storage industry and create supply chain dependencies on China,” and asks that any suspicious activity be reported.

Specifically, the report alleges three companies—Contemporary Amperex Technology Co. Limited (CATL), Build Your Dreams (BYD), and Ruipu Energy Co. Ltd. (REPT)—have “benefited from the various forms of state support and leveraged this to further business strategies for gaining US market share.”

Currently, CATL and BYD lead the global energy storage battery market by far, with 40 percent and 12 percent market shares, respectively, according to South Korean energy research firm SNE Research. Eight out of the 10 top companies in the industry are from China, so there are few alternatives to turn to when building grid storage.

The report says it builds on previous documents that analyzed Chinese “state-supported firms’ use of noncompetitive tactics in the electric vehicle and battery supply chains.” DHS did not respond to a request for further comment.

In 2022, CATL entered a deal with Primergy Solar to build the largest US solar and storage project in Nevada, which came online this year. Its battery products have also been used by Duke Energy, a North Carolina–based utility company, although the latter dropped CATL as a supplier for marine base electricity storage after concerns around national security were raised by, in part, lawmakers in Washington.

In an emailed statement, Fred Zhang, a CATL spokesperson, rejects the categorization that the firm has relied on state support to gain an edge. “CATL has achieved tremendous growth through continuous innovation, farsighted strategic planning, and a commitment to high-quality products at a reasonable cost,” the statement says.

BYD and REPT did not reply to WIRED’s request for comment.

Following efforts to curb Chinese EV companies’ competitiveness, the US government is now also concerned about how domestic utility companies could become too dependent on Chinese batteries for energy storage.

The US government has in recent years started to catch up in the battery industry. The Inflation Reduction Act and the Bipartisan Infrastructure Bill set out investment tax credits and other economic incentives to build up energy storage capacity in the country. In September it awarded another $3 billion in incentives to projects that boost domestic production of batteries.

These incentives are also the focus of the DHS report, which alleges that Chinese-based firms are targeting US incentives to further grow their market share. “BYD’s public website as of spring 2023 highlighted how US state incentives can make BYD utility storage systems an attractive investment,” the report claims. (WIRED was unable to find the BYD website referenced in the report.)

The CATL spokesperson says the company “does not receive any US federal or state incentives.”

As the US utility grids incorporate more renewable energy sources like solar and wind, it’s essential to build up a battery storage capacity that can store intermittent energy supply for times of heightened demand. And Chinese companies have dominated the global industry of producing lithium batteries for this job. These companies make over 80 percent of the EV battery cells in the world, and they had plans to invest another $2 trillion in 2023 into new production capacities inside and outside the country.

“Chinese original equipment manufacturers currently supply about 90 percent of the energy storage system batteries, actually a larger share than for EVs,” says Vanessa Witte, a senior research analyst at Wood Mackenzie who focuses on US energy storage. “There is a huge oversupply right now, partly due to softening EV demand, along with a number of Tier 2 and Tier 3 OEMs that have started new manufacturing facilities. The excess supply is a big reason the prices are so low.”

These batteries are essential for global energy transition, and Chinese battery companies see them as an opportunity to widen their product markets. They’ve become such an important industry that the Chinese central government emphasized their importance for the first time in its annual government report in March.

The battery supply chain has also emerged as one of the top economic and security concerns around China in the eyes of the US government. The Biden administration has so far raised a 25 percent tariff on Chinese-made lithium-ion EV batteries (and even higher for the EVs they power.) The government has also repeatedly sounded alarms about the national security threats of having Chinese-made equipment and parts in domestic infrastructure.

So far, the particular conversations around energy storage batteries have mostly surrounded cybersecurity, worried that the components could contain backdoor access for hacking like those that have been suspected in Chinese-made port cranes. Those concerns are “a bit overstated,” Witte says. “There haven’t been any incidents that would lend one to believe the battery management system is sending data to China or could disrupt our infrastructure.”

There have been several political efforts to restrict the use of Chinese-made batteries in the US. The pentagon will be the first to be banned from buying batteries from six Chinese companies, in an order which will become effective in 2027, but some congressmembers are still asking for CATL and other Chinese companies to be added to trade blacklists, and there’s a bill in Congress that would ban DHS from procuring Chinese batteries.

But the DHS report shows that the government is also looking at whether the dominance of Chinese batteries can be an economic issue.

“It is simplistic to see this as just unfair competition due to Chinese government support, as a lot of what China did, such as creating demand for batteries through EV subsidies, is not unlike what we see in the West today,” says Yayoi Sekine, head of energy storage research at BloombergNEF.

The pricing advantage that Chinese battery companies have are also the results of harsh market competition and a more established battery supply chain in China, she says, and these battery companies are willing to squeeze their own margins in exchange for keeping their market shares. “We think the US government's attempts to support a healthy battery industry domestically has been incredibly generous through the incentives in the Inflation Reduction Act and the Bipartisan Infrastructure Law,” says Sekine, “but it may still be challenging to compete on cost.”

US Government Says Relying on Chinese Lithium Batteries Is Too Risky

A list of topics we covered in the week of October 14 to October 20 of 2024

October 18, 2024 - Microsoft disclosed details about the HM Surf vulnerability that could allow an attacker to gain access to the user’s data in Safari

October 17, 2024 - Sure, you can request a deletion of your data from 23andMe, but that doesn’t mean the company will delete it entirely.

October 16, 2024 - Mozilla warns that a vulnerability in Firefox and Tor Browser is actively being exploited against both browsers

October 15, 2024 - Typical AI supported scams are after your Google account by pretending to follow up on account recovery requests

October 15, 2024 - The US presidential election is stirring fears amongst a third of people who worry that their vote could be exposed to outsiders.

 A week in security (October 14 &#8211; October 20) 

Cybersecurity researchers have discovered severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data.
"The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext," ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong

Encryption / Data Protection

Cybersecurity researchers have discovered severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data.

"The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext," ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said. "Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs."

The identified weaknesses are the result of an analysis of five major providers such as Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that's under an adversary's control, which could then be used to target the service providers' users.

A brief description of the flaws uncovered in the cloud storage systems is as follows -

*   Sync, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content

*   pCloud, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content

*   Seafile, in which a malicious server could be used to speed-up brute-forcing of user passwords, as well as injecting files and tampering with their content

*   Icedrive, in which a malicious server could be used to break the integrity of uploaded files, as well as injecting files and tampering with their content

*   Tresorit, in which a malicious server could be used to present non-authentic keys when sharing files and to tamper with some metadata in the storage

These attacks fall into one of the 10 broad classes that violate confidentiality, target file data and metadata, and allow for injection of arbitrary files -

*   Lack of authentication of user key material (Sync and pCloud)
*   Use of unauthenticated public keys (Sync and Tresorit)
*   Encryption protocol downgrade (Seafile),
*   Link-sharing pitfalls (Sync)
*   Use of unauthenticated encryption modes such as CBC (Icedrive and Seafile)
*   Unauthenticated chunking of files (Seafile and pCloud)
*   Tampering with file names and location (Sync, pCloud, Seafile, and Icedrive)
*   Tampering with file metadata (impacts all five providers)
*   Injection of folders into a user's storage by combining the metadata-editing attack and exploiting a quirk in the sharing mechanism (Sync)
*   Injection of rogue files into a user's storage (pCloud)

"Not all of our attacks are sophisticated in nature, which means that they are within reach of attackers who are not necessarily skilled in cryptography. Indeed, our attacks are highly practical and can be carried out without significant resources," the researchers said in an accompanying paper.

"Additionally, while some of these attacks are not novel from a cryptographic perspective, they emphasize that E2EE cloud storage as deployed in practice fails at a trivial level and often does not require more profound cryptanalysis to break."

While Icedrive has opted not to address the identified issues following responsible disclosure in late April 2024, Sync, Seafile, and Tresorit have acknowledged the report. The Hacker News has reached out to each of them for further comment, and we will update the story if we hear back.

The findings come a little over six months after a group of academics from King's College London and ETH Zurich detailed three distinct attacks against Nextcloud's E2EE feature that could be abused to break confidentiality and integrity guarantees.

"The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users' data," the researchers said at the time, highlighting the need to treat all server actions and server-generated inputs as adversarial to address the problems.

Back in June 2022, ETH Zurich researchers also demonstrated a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Discover Severe Security Flaws in Major E2EE Cloud Storage Providers

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Latest News