Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

Source: Delphotos via Alamy Stock Photo

A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.

The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the Transparency, Consent, and Control (TCC) security layer that MacBooks use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a "medium" severity 5.5 rating in the Common Vulnerability Scoring System (CVSS).

Researchers from Microsoft have named their exploit of CVE-2024-44133 "HM Surf." In a new blog post, they described how HM Surf could open the door to a user's browsing data, camera, and microphone, as well as their device's location, among other things. And the threat doesn't only appear to be theoretical: There's already inconclusive but not insignificant evidence to suggest that one adware program has already exploited CVE-2024-44133, or something quite like it, in the wild.

Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia back on Sept. 16.

"It's a serious concern, because of the unauthorized access it gives," says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, "By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it."

**Exploiting HM Surf**

In any and all Apple devices, TCC is there to manage what sensitive data and features apps can access. If some app wants to access your camera, for example, thanks to TCC, you can rest assured that your Mac will ask for your permission first.

Unless your app has a special "entitlement." Some of Apple's proprietary apps possess entitlements — special permissions, approved by Apple, which allow them unique privileges compared to other apps. The core of why HM Surf works is Safari's entitlement, "com.apple.private.tcc.allow," which allows it to bypass TCC at an app level, and apply it only on a per website ("per origin") basis. In other words, Safari can freely access your camera and microphone as it wishes, but any given website you visit through Safari likely cannot.

Safari's configuration — including the rules that define per-origin TCC protections — are stored in various files under ~/Library/Safari, within the user's home directory. Manipulating these files could provide a path to TCC bypass, though the home directory is itself TCC protected.

Getting around that roadblock is simple, though, using the autological directory service command line utility (DSCL), a tool in macOS for managing directory services from the command line. In HM Surf, DSCL is used to temporarily change the home directory, removing the TCC umbrella shielding ~/Library/Safari. Now they could modify Safari's per-origin TCC configurations — allowing all kinds of permissions for a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if a user visited the malicious site, the site would have full rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.

**Was CVE-2024-44133 Already Exploited?**

After concocting their exploit, Microsoft started scanning customer environments for activity that aligned with what they'd found. On one device, lo and behold, they spotted something quite closely resembling what they were looking for.

It was a program digging into the victim's Chrome configuration settings, adding approval for microphone and camera access to a specific URL. It also did more: gathering user and device information, laying the groundwork for a second-stage payload.

This program, it turned out, was a well-known macOS adware program called "AdLoad." AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.

In its blog post, Microsoft noted that though AdLoad's activity closely resembled the HM Surf technique, "Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself." Still, it added, "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Dark Reading has contacted both Apple and Microsoft for further comment on this story.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data

Adoption of the email authentication and policy specification remains low, and only about a tenth of DMARC-enabled domains enforce policies. Everyone is waiting for major email providers to get strict.

Source: TierneyMJ via Shutterstock

The state of DMARC email authentication and security standard looked so promising at the beginning of 2024.

Google and Yahoo had set a deadline of February 2024 for bulk email senders to adopt a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, and as companies scrambled to meet the deadline, the number of email domains with a valid DMARC record jumped 60% in two months. As of September, nearly 6.8 million domains have email sender authentication configured.

Even with that surge earlier in the year, the reality is that businesses continue to be slow in setting up email authentication on their domains. The adoption lag is especially pronounced in making the switch from DMARC's minimum-baseline policy of 'p=none' to more stringent policies. Enforcement means non-authenticated emails get quarantined or rejected. The share of DMARC-enabled domains with an enforced policy has actually gone down from a high of 18% a year ago, to less than 14% today.

While Google's and Yahoo's actions forced many companies to adopt DMARC, most of them — spurred by concerns about blocking legitimate messages — haven't adopted the quarantine or reject policies, says Seth Blank, chief technology officer at Valimail, a provider of email security services.

"Google and Yahoo put the requirements out, the ecosystem got a shot in the arm, and the message was heavily about security — so the people who cared about security did something," Blank says. "There's still a large part of this market that has not moved, hasn't taken any steps, even this bare minimum that we're seeing here."

The DMARC protocol aims to add authentication to the Internet's email infrastructure, requiring that email senders adopt two verification technologies — Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — and specify a policy for how other servers should handle mail from a sender not part of an authorized domain. In October 2023, Google and Yahoo required that email marketers — anyone sending more than 5,000 emails daily through the services — set up DMARC. The move resulted in a significant reduction in non-authenticated emails, with Google seeing two-thirds less (65%) unauthenticated messages sent to Gmail users and 265 billion fewer unauthenticated message sent so far this year, according to company data released last week.

**Fear, Uncertainty, and DMARC**

The adoption rate of DMARC has roughly doubled over the past year — from about 55,000 domains adding new DMARC records each month in 2023, to 110,000 domains per month in Q3 2024, according to Valimail data. Yet, even at that rate, it would still take nearly 15 more years for the top 25 million domains to get on board.

Source: Author, with data from Valimail

Moreover, DMARC adoption has been spotty. While more than 60% of the organizations in some industries, such as manufacturing and healthcare, have adopted DMARC, only one in five have actually moved from the lowest security policy ('p=none') to the highest ('p=reject,') according to data from EasyDMARC, an email-authentication services firm. Some sectors, such as non-profits and charity organizations, have increased adoption over the year, but fewer than 8% of domains are using DMARC.

Because email is critical to business operations, organizations worry that stricter enforcement will result in lost messages, especially because DMARC is not necessary an easy technology to implement and maintain, says Kelly Molloy, director of network development for DomainTools, an internet intelligence firm.

"The fear is, especially if you are a company who depends on leads via email, is that you're going to miss messages from interested parties — from customers and potential customers — if you start doing \[strict enforcement\]," she says, adding: "A lot of companies are being conservative and are not going farther than they really need to ... because it does take resources."

**Waiting for the Other Shoe to Drop**

The stalled adoption cycle will likely attract another major move by Google, Yahoo and other large consumer email services, says Hagop Khatchoian, technical services team lead at EasyDMARC.

"They \[Google and Yahoo\] are just forcing everyone to have at least 'p=none' ... to just have a basic policy without any enforcement — we foresee that will be changed in the next few years," he says. "But you can't just go on and tell everyone, 'Hey, you need 'p=reject,' ... because if you have a small misconfiguration in your email ecosystem, and you have an enforced policy, then your own legitimate emails will be blocked as well."

Valimail's Blank agrees, noting that the major email services — Google, Microsoft and Yahoo, as well as major email providers in other countries — are unlikely to wait long before again turning the screws on unauthenticated email.

"The sending community or the receiving community will mandate the next steps, because they know \[authentication\] is the single most important input into their system — being able to know who sent an email with far more certainty," he says. "We're going to see more action there ... and it will take years, but it's not going to be five to ten years. It's probably two, three, maybe four."

**None's Not Nothing, But Close to It**

With another DMARC-push in the cards from major email services, organizations should plan to shift their DMARC policy from 'none' to a higher level of enforcement.

The three levels of enforcement are:

*   p=none — Mail that fails authentication checks are still delivered.
    
*   p=quarantine — Any authentication failure results in email being quarantined, possibly delivered to a user's spam folder or to an organization's quarantine storage.
    
*   p=reject — Authentication failure leads to the email being discarded, although some service providers may instead quarantine the email in a separate folder.
    

Every enforcement level can produce reports, and companies should monitor the reports to check for issues and anomalies, says Valimail's Blank.

"DMARC at 'p=none' with no reporting is syntactically equivalent to not having DMARC at all," he says. "The value of DMARC comes from reporting and working towards a policy that is not 'none.' If you have 'p=none', and you're not getting reports, there is nothing you can do, there is nothing you can see, there is nothing you can fix."

Getting reports from the DMARC infrastructure is important level of visibility for companies as they pursue better email security. Large companies are not the only organizations to see significant abuse of email, so any firms that sends email should monitor their DMARC reports, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Time to Get Strict With DMARC

The security firm is denying an assessment that its systems were compromised in Israel by pro-Palestinian cyberattackers, but acknowledged an attack on one of its partners.

Source: David R. Frazier Photolibrary via Alamy Stock Photo

Security firm ESET is refuting reports that cyberattackers compromised its platforms and used them to target customers in Israel with dangerous wiper malware. However, it did note that a partner there, Comsecure, was impacted.

"We are aware of a security incident which affected our partner company in Israel last week," the firm acknowledged on social media platform X. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation."

Security researcher Kevin Beaumont (aka Gossi the Dog) prompted the response after blogging about a malicious email that an ESET user posted on the ESET user forum. The email was flagged as malicious, with the subject line, "Government-Backed Attackers May Be Trying to Compromise Your Device!" It purported to be from the ESET team, offering extra security defense in the face of an ongoing attack:

Source: ESET user forum.

The email had a .ZIP attachment that, if opened, unpacked a destructive wiper malware that bears resemblance to that used by the Handala threat group, according to the person who flagged the email for Beaumont. Handala, so named for the political cartoon character that has come to personify the Palestinian people’s national identity, is known for targeting Israeli organizations with file-destroying wipers in the wake of the Oct. 7 Hamas attacks and resulting war.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

Beaumont noted, "I managed to obtain the email, which passes both DKIM and SPF checks for coming from ESET’s store," he said in the blog post. "Additionally, the link is indeed to backend.store.eset.co.il — owned by ESET Israel."

This led Beaumont to conclude via Mastodon, "ESET Israel definitely got compromised, this thing is fake ransomware that talks to an Israeli news org server for whatever reason."

ESET has now categorically refuted that takeaway, so the assumption is that the cyberattackers were using some sort of MO to get around anti-spoofing measures for the email and the .ZIP link. ESET did not immediately return a request for comment from Dark Reading for more information on Comsecure's role in the incident and the attack routine.

The campaign is now blocked for ESET customers.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

ESET-Branded Wiper Attack Targets Israel; Firm Denies Compromise

A survey shows three-quarters of CISOs are drowning in threat detections put out by a sprawling stack of tools, yet still lack the basic visibility necessary to identify breaches.

Source: Kjetil Kolbjørnsrud via Alamy Stock Photo

Global information security spend is projected to reach $215 billion by the end of 2024. But a new survey of chief information security officers (CISOs) shows that all that cash might not have bought the peace of mind they hoped for. In fact, 44% of CISOs across the globe reported missing a data breach in the past 12 months with existing tools.

The top blind spot identified in the survey of 234 global CISOs was hybrid cloud infrastructure and data-in-transit, which eight out of 10 of those surveyed by Gigamon said is a "top concern." Gigamon's report added that data-in-motion is where 93% of malware has historically hidden. Overwhelmingly, 84% of surveyed CISOs said getting visibility into this encrypted traffic was a top priority for the upcoming year.

"Modern cybersecurity is about differentiating between acceptable and unacceptable risk," Chaim Mazal, CSO at Gigamon, said in the survey report. "Our research shows where CISOs are drawing that line, highlighting the critical importance of visibility into all data-in-motion to secure complex hybrid cloud infrastructure against today’s emerging threats. It’s clear current approaches aren’t keeping pace, which is why CISOs must reevaluate tool stacks and reprioritize investments and resources to more confidently secure their infrastructure."

Related:Fighting Crime With Technology: Safety First

**The Cloud and Cyber Threat Observability**

Deep observability into hybrid cloud environments is top of mind for 82% of surveyed CISOs. And 85% of those surveyed would like to gain visibility into packet-level and application metadata. Boards too agree that this deep observability is critical, with 81% of CISOs reporting hybrid cloud infrastructure will be a budgeting priority in 2025.

"Today’s CISOs recognize that security and observability are intrinsically connected," Stephen Elliott, group vice president, IT operations, observability, and CloudOps at IDC, said in the report. "The network provides a crucial layer of context that can inform security operations and vice versa, which is why modern security teams are leveraging network-derived intelligence and insights to understand the true impact of a threat and prioritize their responses accordingly."

But before CISOs start spending on new tools, they plan to get the most out of what they already have, according to the survey. Three-quarters of those CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts. So to get a better handle on hybrid cloud data and infrastructure, for instance, 60% of CISOs said their top priority for 2025 will be to consolidate and optimize existing tools for that arena.

Related:Cloud, AI Talent Gaps Plague Cybersecurity Teams

CISOs: Throwing Cash at Tools Isn't Helping Detect Breaches

This year, the majority of developers have adopted AI assistants to help with coding and improve code output, but most are also creating more vulnerabilities that take longer to remediate.

Source: Gorodenkoff via Shutterstock

Less than two years after the general release of ChatGPT, most software developers have adopted AI assistants for programming. That's boosting efficiency, but at the same time, it's led to a higher cadence of software development that has made maintaining security more difficult.

Developers are on track to download more than 6.6 trillion software components in 2024, which includes a 70% increase in downloads of JavaScript components and a 87% increase in Python modules, according to the annual "State of the Software Supply Chain" report from Sonatype. At the same time, the mean time to remediate vulnerabilities in those open source projects has grown significantly over the past seven years, from about 25 days in 2017 to more than 300 days in 2024.

One likely reason: The advent of AI is driving speedier development cycles, making security more difficult, says Brian Fox, chief technology officer of Sonatype. The majority of developers now use AI tools in their development process according to a recent Stackoverflow survey, with 62% of coders saying they used an AI assistant, up from 44% last year.

"AI has quickly become a powerful tool for speeding up the coding process, but the pace of security has not progressed as quickly, and it’s creating a gap that is leading to lower-quality, less-secure code," he says. "We’re headed in the right direction, but the true benefit of AI will come when developers don’t have to sacrifice quality or security for speed."

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

Security researchers have warned that AI code generation could result in more vulnerabilities and novel attacks. For instance, a group of researchers demonstrated the ability to poison the large language models (LLMs) used for code generation with maliciously exploitable code at the USENIX Security Symposium in August. In March, researchers with an LLM security vendor showed that attackers could use AI hallucinations as a way to direct developers and their applications to malicious packages.

Developers also have growing concerns over the potential for AI assistants to suggest or propagate vulnerable code. While the majority of developers (56%) expect AI assistants to provide usable code, only 23% expect the code to be secure, while a larger group (40%) don't believe AI assistants provide secure code at all, according to research by software development firm JetBrains and the University of California at Irvine, published in June.

Open source projects take longer to remediate vulnerabilities. Source: Sonatype

Many developers remain nonplussed by the speed of change wrought by AI coding tools, and there is likely more to come, says Jimmy Rabon, senior product manager with Black Duck Software, a software-integrity tools provider.

Related:Chinese Researchers Tap Quantum to Break Encryption

"We haven't seen the long-term effects of adding something that can code at the level of a junior- or intermediate-level developer and at massive scale," he says. "My expectation is that we will see more intermediate mistakes — the basic mistakes that you would make as a junior or intermediate level developer — and \[issues with\] understanding the context of where some of the data flows."

**2024: The Year of the Developer's AI Assistant**

While AI assistants are now being used by the majority of developers, in business environments, adoption of AI tools is much higher — more than 90% of developers used AI assistants, according to Black Duck's 2024 Global State of DevSecOps survey. AI as a tool for developers is well-entrenched and "will never go away," Rabon says.

Yet many developers don't have the experience to judge whether code provided by an AI assistant is safe. Entry-level developers, for example, are more trusting of AI-produced code than their professional counterparts, with 49% trusting the accuracy of AI-generated code versus 42% for more experienced developers, according to Stackoverflow's annual developer survey.

Related:WP Engine Accuses WordPress of 'Forcibly' Taking Over Its Plug-in

In addition, AI tools will affect the education of developers and could make it harder for those entry-level developers to gain the skill needed to advance in their careers, experts say. The reliance on AI to complete simple programming projects could reduce the need for new or entry-level developers who typically tackle simpler coding tasks, removing a training path, Sonatype's Fox says.

"The development community is aging, and the introduction of AI poses potential risks to younger generations," he says. "If AI can handle the tasks previously assigned to budding developers, how will they gain the experience needed to replace older developers exiting the industry?"

**Automatic Generation of Secure Code**

Until the companies behind AI assistants create training datasets that contain secure code suggestions, or put in place guardrails to protect against vulnerable and malicious code generation, companies will have to deploy automated software security tools to check the work of any coding assistant.

The good news is, between the additional security checks and the fast evolution of code-generation assistants, the security of software and applications could eventually become much stronger, says Black Duck's Rabon.

"There are certain basic security flaws that I think will disappear," he says. "If you asked an AI system to generate code, why should it ever \[suggest an insecure function?\] ... I don't think that we've had enough time to really see the dramatic effects of \[such capabilities\] or prove them out."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Vulnerabilities, AI Compete for Software Developers' Attention

Traditional practices are no longer sufficient in today's threat landscape. It's time for cybersecurity professionals to rethink their approach.

Malleswar Reddy Yerabolu, Senior Security Engineer, North Carolina Department of Health and Human Services

October 18, 2024

5 Min Read

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY  
In today's interconnected digital landscape, supply chain attacks are no longer an anomaly — they're a persistent, growing threat. From SolarWinds to Kaseya, high-profile breaches have demonstrated that attackers are increasingly exploiting vulnerabilities in the supply chain to infiltrate targets at scale. For cybersecurity professionals, the days of relying on traditional vendor risk management are over. A broader, more proactive approach to securing the supply chain is required — one that goes beyond checklists and questionnaires. 

**The Shortcomings of Traditional Vendor Risk Management**

Historically, organizations have relied on static risk assessments and due diligence processes to evaluate their suppliers. This involves vetting vendors using questionnaires, compliance audits, and sometimes even on-site assessments. While these methods help ensure compliance with industry regulations and basic cybersecurity hygiene, they are no longer enough to combat today's sophisticated supply chain attacks. 

The major flaw of traditional vendor risk management is that it assumes security is a one-time evaluation rather than an ongoing process. A vendor might pass an initial audit, but what happens when it updates its software or onboards a third-party subcontractor? Additionally, static assessments rarely account for zero-day vulnerabilities or the rapid evolution of threat landscapes. In short, by the time an assessment is complete, the information is often outdated. 

**Proactive Supply Chain Monitoring: A New Paradigm**

A more effective approach to supply chain security involves continuous, real-time monitoring of vendors. Rather than waiting for the next audit or questionnaire cycle, organizations should be leveraging tools that provide up-to-date visibility into their vendors' cybersecurity postures. 

There are several ways this can be accomplished: 

*   Third-party risk management platforms: Platforms like BitSight and Security Scorecard allow organizations to monitor the external security posture of their vendors continuously. These platforms aggregate data from public sources, including open vulnerabilities, SSL configurations, and even mentions of potential breaches, to give security teams real-time insights into potential risks. 
    
*   Threat intelligence integration: By integrating threat intelligence feeds into the vendor risk management process, organizations can identify whether any vendors are being actively targeted by attackers, or if their infrastructure is compromised. This dynamic approach goes beyond static questionnaires, allowing organizations to act quickly in response to emerging threats. 
    
*   Continuous penetration testing: Routine penetration testing is no longer a luxury; it's a necessity. Regular testing of vendors' systems ensures that vulnerabilities are identified and mitigated before attackers can exploit them. With the increasing automation of penetration testing tools, this process can be made continuous rather than sporadic.
    

**Blockchain for Enhanced Supply Chain Transparency**

Another innovative solution to supply chain security challenges is the use of blockchain for transparency and traceability. Blockchain technology allows for the creation of immutable audit trails, making it possible to trace the origin of every component in the supply chain. This can be especially valuable in industries like pharmaceuticals or critical infrastructure, where counterfeit products or compromised components can have catastrophic consequences. 

By using blockchain, organizations can verify that every link in the supply chain adheres to security standards and hasn't been tampered with. In addition, smart contracts on blockchain can enforce compliance, triggering alerts or even actions (such as revoking access) when deviations from agreed-upon standards occur. 

**Managing Access: A Dynamic Approach to Vendor Permissions**

One critical element of supply chain cybersecurity that is often overlooked is how vendors access internal systems. Traditional models grant vendors broad access to systems and data, often far beyond what is necessary. This presents a significant risk, as compromising a single vendor's account could grant an attacker the keys to an organization's entire network. 

A more dynamic approach involves implementing zero-trust principles, where vendors are granted the minimum necessary permissions, and access is constantly reevaluated. This can be done through: 

*   Granular access control: Leveraging role-based access controls (RBAC) or even attribute-based access controls (ABAC) ensures that vendors have access only to the resources they need at any given time. 
    
*   Behavioral monitoring: Continuous monitoring of vendor behavior within your systems can help detect abnormal activity that might indicate a compromise. AI-driven anomaly detection tools can provide early warning signs that a vendor's account has been hijacked. 
    
*   Just-in-time access: Some organizations are adopting just-in-time (JIT) access, where vendors are granted temporary access to systems only when required, and access automatically expires after a predefined period. This minimizes the risk of persistent backdoors being left open. 
    

**Collaboration Across the Supply Chain**

Lastly, improving supply chain security requires collaboration between all stakeholders. Organizations must foster a culture of shared responsibility, where security is not viewed as the sole responsibility of individual vendors but as a collective effort. This can be achieved through: 

*   Security scorecards for vendors: Regularly sharing security posture reports with vendors encourages transparency and accountability. These reports can highlight areas where vendors need to improve and set clear expectations for remediation. 
    
*   Vendor security workshops: Hosting workshops or training sessions for vendors can help elevate their understanding of modern security practices and ensure that their teams are equipped to mitigate risks. 
    

**A Call to Action**

The time has come for cybersecurity professionals to rethink their approach to supply chain security. Traditional vendor risk management practices are no longer sufficient in today's threat landscape. By adopting continuous monitoring, leveraging blockchain for transparency, and implementing dynamic access control, organizations can build more resilient supply chains that are harder for attackers to compromise. 

Ultimately, securing the supply chain is not just about protecting your vendors — it's about safeguarding your entire business ecosystem. 

**About the Author**

Senior Security Engineer, North Carolina Department of Health and Human Services

Malleswar Reddy Yerabolu is a senior security engineer with more than seven years of experience in vulnerability management, threat analysis, and security architecture across financial, hospitality, government, and communication sectors. He specializes in leveraging AI, machine learning (ML), and natural language processing (NLP) to enhance threat detection and automate security processes. His research focuses on integrating AI and NLP to optimize cybersecurity solutions. Malleswar’s innovative approach helps organizations reduce risks and strengthen their defenses against evolving cyber threats. He holds a master’s degree in computer engineering from California State University.

Supply Chain Cybersecurity Beyond Traditional Vendor Risk Management

PRESS RELEASE

October 17, 2024: OpenAI is projected to generate over $10 billion in revenue next year, a clear sign that the adoption of generative AI is accelerating. Yet, most companies struggle to deploy large AI models in production. With the steep costs and complexities involved, nearly 90% of machine learning projects are estimated never to make it to production. Addressing this pressing issue, Simplismart is today announcing a $7m funding round for its infrastructure that enables organizations to deploy AI models seamlessly. Like the shift to cloud computing, which relied on tools like Terraform and mobile app development fueled by Android, Simplismart is positioning itself as the critical enabler for AI’s transition into mainstream enterprise operations.   
The series A funding round was led by Accel with participation from Shastra VC, Titan Capital, and high-profile angels, including Akshay Kothari, Co-Founder of Notion. This tranche, more than ten times the size of their previous round, will fuel R&D and growth for their enterprise-focused MLOps orchestration platform.  
The company was co-founded in 2022 by Amritanshu Jain, who tackled cloud infrastructure challenges at Oracle Cloud, and Devansh Ghatak, who honed his expertise on search algorithms at Google Search. In just two years, with under $1m in initial funding, Simplismart has outperformed public benchmarks by building the world’s fastest inference engine. This engine allows organizations to run machine learning models at lightning speed, significantly boosting performance while driving down costs.  
Simplismart’s fast inference engine allows users to leverage optimized performance for all their model deployments. For example, Its software-level optimization helps run Llama3.1 (8B) at an impressive throughput of >440 tokens per second. While most competitors focus on hardware optimisations or cloud computing, Simplismart has engineered this breakthrough in speed within a comprehensive MLOps platform tailored for on-prem enterprise deployments - agnostic towards choice of model and cloud platform.  
“Building generative AI applications is a core need for enterprises today. However, the adoption of generative AI is far behind the rate of new developments. It’s because enterprises struggle with four bottlenecks: lack of standardized workflows, high costs leading to poor ROI, data privacy, and the need to control and customise the system to avoid downtime and limits from other services,” said Amritanshu Jain, Co-Founder and CEO at Simplismart  
Simplismart’s platform offers organizations a declarative language (similar to Terraform) that simplifies fine-tuning, deploying, and monitoring genAI models at scale. Third-party APIs often bring concerns around data security, rate limits, and utter lack of flexibility, while deploying AI in-house comes with its own set of hurdles: access to computing power, model optimisation, scaling infrastructure, CI/CD pipelines, and cost efficiency, all requiring highly skilled machine learning engineers. Simplismart’s end-to-end MLOps platform standardizes these orchestration workflows, allowing the teams to focus on their core product needs rather than spending numerous manhours building this infrastructure.  
Amritanshu Jain added: “Until now, enterprises could leverage off-the-shelf capabilities to orchestrate their MLOps workloads since the quantum of workloads, be it the size of data, model or compute required, was small. As the models get larger and the workload increases, it will be imperative to have command over the orchestration workflows. Every new technology goes through the same cycle: exactly what Terraform did for cloud, android studio for mobile, and Databricks/Snowflake did for data.”  
“As GenAI undergoes its Cambrian explosion moment, developers are starting to realise that customizing & deploying open-source models on their infrastructure carries significant merit; it unlocks control over performance, costs, customizability over proprietary data, flexibility in the backend stack, and high levels of privacy/security”, said Anand Daniel, Partner at Accel. “We were happy to see that Simplismart’s team saw this opportunity quite early, but what blew us away was how their tiny team had already begun serving some of the fastest-growing GenAI companies in production. It furthered our belief that Simplismart has a shot at winning in the massive but fiercely competitive global AI infrastructure market.”  
Solving MLOps workflows will allow more enterprises to deploy genAI applications with more control. They want to manage the tradeoff between performance and cost to suit their needs. Simplismart believes that providing enterprises with granular Lego blocks to assemble their inference engine and deployment environments is key to driving adoption. 

You May Also Like

Ex-Oracle, Google Engineers Raise $7m From Accel for Public Launch of Simplismart to Empower AI Adoption

PRESS RELEASE

WASHINGTON, DC (October 15, 2024) – The Consortium for School Networking (CoSN) today announced that the Illinois Learning Technology Center (LTC), a program of the Illinois State Board of Education, has partnered with CoSN on a program to improve student data privacy practices in their school districts. By joining the CoSN Trusted Learning Environment (TLE) State Partnership Program, Illinois is helping to ensure that K-12 education institutions across the states are equipped with the necessary tools, training, and guidance to build and improve their school districts’ student data privacy programs.

LTC joins the North Carolina Department of Instruction and the South Carolina Department of Education in partnering with CoSN on this important work.

By subscribing to the TLE Partnership Program, LTC will be providing free TLE Seal applications to all districts in their state.  In addition, the TLE State Partnership Program makes available exclusive data privacy benchmarking reports that provide aggregate measures of the state’s district privacy programs compared with aggregate measures from TLE Seal recipients across 25 specific privacy practices, as well as CoSN’s student data privacy resources designed to support areas of growth for the districts in protecting the privacy of more than 1.85 million students. The CoSN TLE Seal is a national distinction awarded to school districts demonstrating a tangible commitment to protecting student data privacy through modern, rigorous policies and practices.

“Protecting student privacy is a top priority in Illinois. By joining CoSN’s Trusted Learning Environment State Partnership Program—a program backed by one of the leaders in the K-12 technology space—we can enhance our understanding of district privacy needs and offer stronger support," said Tim McIlvain, Executive Director of the Learning Technology Center. "We’re excited to provide 851 districts with access to CoSN’s expert guidance and resources, which will strengthen privacy protections for all Illinois students.”

CoSN’s TLE State Partnership Program provides state education agencies with: 

*   Exclusive state data privacy benchmarking reports that provide aggregated measures of district student data privacy practices as compared with those of current TLE Seal recipients.
    
*   Resources to support improvements across common areas of challenge for the states’ districts and updated benchmarking reports to measure improvements.
    
*   Unlimited free applications for the TLE Seal for districts in the state.
    

Additional supports can include student data privacy training and seats in CoSN’s Certified Education Technology Leader (CETL®) preparation and exam.

“With the increasing complexity of today’s technological environment, protecting student data privacy is imperative. We are delighted to welcome the Learning Technology Center of Illinois to the CoSN TLE State Partnership Program, and to providing Illinois districts with vital tools, training, and resources to help better protect their student information and foster a culture committed to enhancing privacy practices,” said Keith Krueger, CEO of the Consortium for School Networking.

As the only privacy framework designed specifically for K-12 school districts, earning the CoSN TLE Seal requires that districts have taken measurable steps to implement, maintain, and improve organization-wide student data privacy practices. All TLE Seal recipients are required to demonstrate that improvement through a reapplication process every two years.

About CoSN 

CoSN is the premier professional association designed to meet the needs of K-12 edtech leaders, their teams, and other district leaders. CoSN provides thought leadership resources, community, best practices, and advocacy tools to help edtech leaders succeed in the digital transformation. CoSN represents over 13 million students and continues to grow as a powerful and influential voice in K-12 education. For more information, visit CoSN.org.

About the CoSN Trusted Learning Environment State Partnership Program

The CoSN Trusted Learning Environment (TLE) State Partnership Program is designed to measure and improve district student data privacy practices across all districts in the state. Through survey-based benchmarking, CoSN is able to aggregate district privacy performance across the 25 requirements of the CoSN Trusted Learning Environment Seal Program. CoSN provides comparisons of these results to the aggregated results of TLE Seal recipients. CoSN then provides each  state with resources that are ready-made for its districts, providing guidance to improve the top three areas of weakness. The process is repeated on a cycle to continuously build up privacy practices across all districts. States are also provided with free TLE applications for all districts, providing the opportunity for districts to gain additional, customized feedback on their privacy programs and earn recognition for their efforts. For more information, visit CoSN.org/TLEpartner.

About the Learning Technology Center

The Learning Technology Center (LTC) is a state-wide organization dedicated to supporting schools and districts in Illinois with technology integration, professional development, and digital learning initiatives. Through innovative programs, expert guidance, and collaborative partnerships, the LTC empowers educators and administrators to leverage technology for improved teaching and learning outcomes. With a focus on areas such as artificial intelligence, digital citizenship, cybersecurity, and infrastructure, the LTC is committed to helping schools navigate the evolving landscape of educational technology. Learn more at ltcillinois.org.

Illinois Joins CoSN's Trusted Learning Environment (TLE) State Partnership Program for Student Data Privacy

PRESS RELEASE

Brussels, 16 October 2024 – Swift today announced that it is rolling out new AI-enhanced fraud detection to help the global payments industry step up its defence as bad actors grow increasingly sophisticated. Available from January 2025, the service is the result of extensive collaboration with banks from around the world and a successful pilot earlier this year.   

The new capability builds on Swift’s existing Payment Controls Service — used by many small and medium-sized financial institutions — by drawing on pseudonymised data from the billions of transactions that flow over the Swift network each year to identify and flag suspicious transactions so that action can be taken in real-time. 

The rollout is part of Swift’s broader collaboration with its global community of more than 11,500 banks and financial institutions to test how AI can solve cross-industry challenges. With global industry estimates putting the total cost of fraud in financial services at USD 485 billion in 2023 alone , Swift is focused on using AI to give financial institutions stronger and more accurate insights into instances of potentially fraudulent activity.

Jerome Piens, Chief Product Officer at Swift, said: “Bad actors are using increasingly sophisticated tactics to commit financial crime, and the global financial industry needs to raise its defences higher to ensure their customers can continue to transact globally with confidence. Swift has a long track record of supporting our community by staying one step ahead to maintain the security and resilience that our network is known for - and now we’re doing so again by harnessing the latest technology.”

Since February, Swift has been working with leading global financial institutions to explore how federated learning, combined with privacy-enhancing technologies, could enable market participants to share information without revealing their proprietary data. The group has so far developed a number of fraud detection use cases which are set to be tested in a sandbox environment. 

The rollout of this enhanced service is a key milestone in Swift’s strategic vision to make end to end international transactions instant and frictionless, while maintaining trust, security and compliance.

"Collaboration across the banking sector is crucial to enhancing fraud detection, and by sharing data and leveraging AI, we empower ourselves to stay ahead. At BNP Paribas, we are fully committed to supporting Swift’s innovative initiative in that regard, as it marks a key step forward in protecting the integrity of our financial ecosystem." 

Olivier Nautet, Head of Cybersecurity, BNP Paribas; Nicolas Trimbour, Head of Fraud Prevention, Cash Management, BNP Paribas, and Su Yang, Head of Artificial Intelligence, Transaction Banking, BNP Paribas

“Standard Bank Group, Africa’s biggest bank by assets, has participated in Swift’s initiative for AI fraud detection capability to enhance the security of its customers’ transactions. The technology will identify suspicious patterns in real-time, reducing fraud-risk and ensuring a safer banking experience for clients. By leveraging the power of AI, Standard Bank Group reaffirms its commitment to innovation and safeguarding the financial assets of its clients - who are our main asset.”  

John McHugh, Head Operations Control – CIB at Standard Bank

Swift to Launch AI-Powered Fraud Defence to Enhance Cross-Border Payments

The scammers used real-time deepfakes in online dating video calls to convince the victims of their legitimacy.

Source: Mike via Adobe Stock

Hong Kong police arrested 27 people Monday for their involvement in a deepfake scam operation, stealing $46 million from the scam's victims.

The scammers used AI face-swapping technology to create female personas for online dating, using tools to alter their appearance and voices. 

They then contacted their victims via social media platforms using these AI-generated photos of people with made-up personalities, occupations, and backgrounds.

However, the victims began requesting video calls to become more familiar with the person they were communicating with, prompting the scammers to turn to real-time deepfakes, which transformed the scammers into attractive women, adding legitimacy to the fraud and gaining the trust of those that were being duped.

"The syndicate presented fabricated profit transaction records to victims, claiming substantial returns on their investments," said Fang Chi-kin, head of the New Territories South regional crime unit.

The victims realized that they had been scammed after attempting to withdraw money from their accounts without success.

The police seized computers, phones, and just over $25,000 in funds and luxury watches from the crime ring's headquarters, a 4,000-square-foot building in Hong Kong.

They also arrested six individuals who were recruited to set up cryptocurrency trading platforms, five of whom were reportedly potentially associated with Sun Yee On, a crime gang that operates in Hong Kong and China.

These developments come in the wake of a recent United Nations Office on Drugs and Crime report warning of the technological advancements crime syndicates are making to carry out cyber fraud in Asia, such as the use of deepfake technology. Some 10 different deepfake software providers were identified, selling their services via Telegram to criminal groups in Southeast Asia.

Source

DARKReading