By Owais Sultan
This guide will introduce you to a machine learning career. You will get a complete understanding of the…
This is a post from HackRead.com Read the original post: Machine Learning: How To Become A Machine Learning Engineer?

****This guide will introduce you to a machine learning career. You will get a complete understanding of the profession and the necessary steps.******Machine Learning: Guide To The Profession**

**Machine learning** (ML) is an industry that plays a significant role in developing information technologies. Creating autonomous solutions is becoming more and more widespread In all areas of life.

Indeed.com **called** the profession the best in his report. How to become a part of this world? What is needed for this? We answer each question in the article.

**Machine learning engineer: the sense of work**

A machine learning engineer creates self-contained software that works without third-party intervention. Do you remember recommendations from YouTube or Amazon? It is just one example of machine learning implementation.

Another example is the Microsoft Face Tracking app from **Brights**. The application helps determine the most appropriate Microsoft product for the user based on his previous choice.

In practice, a machine learning engineer’s set of activities typically includes:

*   Implementing solutions
*   Collecting data by running experiments 
*   Finalizing and improving solutions to get maximum performance
*   Developing various solutions to problems, and providing a flow between databases and server systems.

**Machine learning engineer skills, knowledge, and more  **

Job responsibilities, knowledge, and requirements for a machine learning engineer vary by company. At the same time, successfully designing and **self-learning systems** require two sets of skills in any organization. Let’s consider each separately.

**Data Science **

To develop machine learning algorithms, you must process large amounts of data, understand it, systematize it, and draw the correct conclusions. Keep an eye on the **best data science tools** out there.

**Software engineering **

The specialist must be able to design systems, understand various data structures, understand computability, and computer architecture.

**Your steps to getting a profession**

1.  **Define your goal.** Understanding the purpose will help you to choose your study program. In addition, realizing the goal will motivate you to overcome the inevitable difficulties in any career path.
2.  **Learn primary programming languages.** No matter how you would like it otherwise, **without knowledge of coding**, you will not be able to gain access to the profession. It would help if you also learned the basics of computer science. Without this stage, you will be unable to quickly and efficiently implement machine learning solutions in production.
3.  **Learn to work with big masses of information.** It will help you experiment, analyze the information received, and find the best solutions.
4.  **Don’t stop learning.** Learn to understand the ideas and meaning of machine learning. Describe special tools, and remember that their names depend on what area you want to work in.
5.  **Put your knowledge into practice.** In any business, and machine learning more than ever, it is essential to put knowledge into practice. It will also be a huge plus in your job search.

**Can you learn machine learning without coding?**

In any case, a machine learning engineer must know primary **programming languages**—just accept it. Knowing 2-3 widespread languages will help you open doors to many companies.

You can have strong knowledge of mathematics and statistics to work with data and do tests and experiments. Still, you cannot make your machine learning decisions in production without an excellent base in coding. 

Basic knowledge of software engineering is also essential because it helps to implement many decisions fast and effectively.  

**Are machine learning engineers in demand?**

In the US, machine learning job growth is up 35% in 2020, according to a **LinkedIn report**. Specialists are needed in different industries: from the public sector to entertainment. According to forecasts, the number of open positions will only grow until 2029.

1.  **Why is learning Python important in Data Science?**
2.  **How the Internet can get smarter by combining AI and ML**
3.  **Cybersecurity Automation: How Can Businesses Benefit From It**
4.  **Incorporating machine learning in data mapping for improved results**
5.  **How chat platforms are using Machine Learning for content moderation?**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Machine Learning: How To Become A Machine Learning Engineer?

WordPress Ecwid Ecommerce Shopping Cart plugin versions 6.10.23 and below suffer from a cross site request forgery vulnerability.

Description: Cross-Site Request Forgery to Settings/Options Update

Affected Plugin: Ecwid Ecommerce Shopping Cart

Plugin Slug: ecwid-shopping-cart

Affected Versions: <= 6.10.23

CVE ID: CVE-2022-2432

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Researcher/s: Marco Wotschka

Fully Patched Version: 6.10.24

Ecwid Ecommerce Shopping Cart is a plugin offered by Lightspeed that allows site owners to set up an eCommerce store on a WordPress website and then sync it across various services such as Amazon and social media. It also offers ad integration and access to marketing tools. As part of the plugin’s functionality, there were some more advanced settings that could be managed. Unfortunately, this was implemented insecurely making it possible for attackers to update these settings via a forged request.

More specifically, the plugin provides the following admin_post action hooked to the ‘ecwid_update_plugin_params‘ function for that purpose:

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgGRrW4wJp7s4LR8_8W5GZxc55cBM_qW8hSV9n7QFM8MW16sCxG5h4mMrW8RWrLm7fnSqrW70Vz_q4PPYx1W6cGQ985xBh94W4KV7Yy3dzXV8W8bTSFR1sB2J5N60tSb8sMfWmW3Qhxq480ZZDvW6qNFsM4YqZm2W47Fl6f537-gRW8G9Mq25QpGZZW2B_hWM7ZNSZrW8jJ9gf8MSG0pW3c2FG27vDxqyW24KmsZ1HxD3TW6BS5rM4h9TL_W4My4sZ2R5dngW7nrf8C81zMWXW1bBRCq4lYLdfW5Wd9gF2rjpt7W2b9RlV7CGYQ8W4sgGCX98nMgqW1FPwLN10ndByW6yw5YW7rm4RLW1l8_qC5kZvHYW5kyvmH8qjwnbW6cS_Sd2f9WPjM-RF9H50XrYW6d-cP13xx9gWW8Jr_cw26btsNW30S0Xr6gZ41G36ft1 )

An initial check in the ‘ecwid_update_plugin_params‘ function ensures that the current user is allowed to manage site options, which is a capability that belongs to administrators. However, the nonce check performed shortly after is only executed if a nonce is set due to how the function uses && to combine the checks to validate that a nonce is present in the request and to verify that the nonce is valid. This means that if the wp-nonce parameter is not supplied in the request, the verification step is skipped. This makes the functionality susceptible to Cross-Site Request Forgery attacks in vulnerable versions.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgK04W67C43l5f9PlsW1vTzZ291zXDyW7lwxqt5S_SqhW8qMCLs5Vs8hTMlVtTSW5m53W8jPcbS3cs9wpW6xWDF_2xbLMZN7RfvGrn4vjHVXqXzJ3XzQ-1W3SsZJk5qWZY5W7tNvtn7z-pFSW2T45NG8qgmVjW4mZN5T8CCQR4W4X-xkp3MRyMBW8bQV2l1QmfF2W1N6yKt2SKNJxV9hRB01Dr8M4N4LKmRgHfRR-N5f00LN8JsxlVQCRGg9b5QQgVm1Wrc2NkSRpN22l9qWLg4rRW20bJdN7F1XgdN36zDyK1TZzNW6Fk9mV1Y1vkJW7zJyHY4w7XrNW6YPJyL4yxX2PW6qVHnh960fF3W8yZq6C8Nfqr_VkfJpP34G9dBW7J4NVS8plYskN1tn7-6tGsPRW3vNTQ14zxQXMW2gFKwm8yhK853nT51 )

This makes it possible for an attacker to change the ecwid_store_id, which uniquely identifies the store and is needed for support requests as well as for embedding the store on other sites. Another site option that could be modified is the site’s ecwid_store_page_id, which is the storefront page in the WordPress installation. Both of these settings may result in a loss of availability of the storefront if changed to an invalid store ID. There are several other settings that could be affected in addition to those two. The plugin does not provide a direct link to the settings page in any of its menus and a warning on the page suggests that modifying these settings may significantly affect the plugin functionality.

The Importance of Properly Implementing Nonces

Nonces are a critical component used to prevent Cross-Site Request Forgery vulnerabilities. As such, it’s important to ensure they are properly implemented throughout plugin and theme code to prevent unauthorized execution of that code. Fortunately, WordPress provides several mechanisms to create and validate proper nonces.

Nonce Creation

The first step to proper nonce implementation is nonce creation.

One option to properly implement nonce creation involves the wp_nonce_url() function. This function expects a target URL as well as an action and an optional nonce name. The nonce will be added to a URL and can be verified by a nonce validation function that is executed in the same or subsequent function. This makes it possible for developers to provide links to perform actions such as deletion of posts with a proper nonce that allows the code to verify that the action was initiated from within the site as opposed to a click on a link elsewhere, such as in an email.

An additional option is adding a nonce to a form to secure any submissions originating from that form. The function wp_nonce_field() is frequently used in these cases and expects an action string. This will add a hidden input field to the form. Upon form submission, the created nonce can be checked and verified.

Finally, a nonce can also be generated using wp_create_nonce(), which accepts an action string argument and returns just a nonce. This can be implemented in a variety of different ways and allows more flexibility as a developer to implement nonce validation. We frequently see this function contained in HTML on setting pages that is later used to validate the origin of the request when saving those settings.

Remember that nonces are specific to individual users and sessions and are invalidated after 24 hours, or on logout.

Nonce Validation

The second step to proper nonce implementation involves nonce verification. A plugin can implement an appropriate nonce on a form or settings update, but without proper validation of that nonce, there won’t be adequate protection.

The first option to properly validate a nonce involves the use of the check_admin_referer() function. This function accepts the protected action as well as the name of the nonce as an argument and checks the nonce as well as the referer, thus helping to ensure that the nonce provided is correct and that the request was initiated from an admin page.

When implementing an AJAX action, the check_ajax_referer() function can be used. This will verify the nonce but will not check the referer like the check_admin_referer() function does although it will validate that the request is an AJAX request.

A final option for validating a nonce is the more general wp_verify_nonce() function. With this function, an action and nonce name will need to be supplied, and it will verify that the proper nonce was set. This provides the most flexible implementation of nonce validation for developers.

In the case of today’s disclosure, the nonce was created on the settings form itself with wp_create_nonce():

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgF42W98C5CQ5NDR3nN58bq_96Ch4zW3GRvs_6bwRX5W3tsvrb2ShCghW3x06W68pRQH9W3Dg71b6v1HrYN1qR5fbY2lRlW1k5j_14xFFJHW7X-WLl1rqWk4W2Xtb8w2ZQV1fW60H5QG1l9dtQW4FrrX83gDD31W6PL9cT6F_6LvW370m6b2hcXrhW87SST67k_CFgW5-p6J61CRPtqW41Q3yy1ZncNXW3tf7LN7M0RtnVB_kYq1ywQZZW5nCmTg91v6g7W7d0m-m6FkNhhW7ZJZnp8SNnfqW8slWGB5dKbwfW6hRPqV27VwPwN6VYg76H73KcW5RSHN32P4qKzW87nrK28tmgf3W9kClqb5c9kpxW4sNhxd6ZtC1NW4W6S6N4tX1hSW8VG37Z822PTvW3vQSg86XJbffMW8y1Kj7SkzW8qWmSB1p6tWz33Jt1 )

As you can see, this statement will call wp_verify_nonce() but only if the nonce is set due to the if (isset($_POST['wp-nonce']) check and the use of && in combination with the wp_verify_nonce() function. Therefore, if the nonce is omitted, this check will not take place.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgYDJW4r9V7C4zvxxJW8nbMdr8F-cRDW2rwyLJ1CP2WHW4J-5Pl31WzP1W6DVyjb8Z3jqdN4stQLdG_ZkNW4mglnq1G8sRNW5mXcDc3VtGGNW4FY3bS3VJv8bW81wTgx9bFbTPV1C4Hj2mqjn2W34wsp890BqJ4W3mYsyR7j1ZmkW3N5y145YdY3JW1y9Jw7794yXvN8-B_JcFVNZ3W7qmWfy4_SYqlW8phV2n20Y2n1VY28TM2d1DnBVmThSG3kLmm9W3w1Qb8274pyfW3DMgQT1d69drW1Z_vwR8tNJ00W5VhJ9W1WWjw5V21_7j12XCNfW4nmmL65HjtPhW6bzWt73Vyc5XW49_SzN8D05kRW1p_M0l1RcrzgN5kXSx6thPmgW6kq5wb8y9lv7W2wb9d72F0qKFW6RJdQV89RNSpN1_lhTsk65Q51P1 )

This serves as an important reminder to not only properly implement nonces and validation checks but also to ensure that the check fails when the nonce value is empty or otherwise not present.

As a final important note: never rely on nonce checks alone. Developers should always remember to include a capability check using a function like current_user_can() in order to ensure the user initiating the action is indeed allowed to perform it. Nonces should never be used for authentication, authorization or any form of access control as they are simply intended to verify the origin of the request, and do not perform any authorization.

Timeline

June 24, 2022 – Initial outreach to the plugin developer.

July 11, 2022 – We escalate the issue to the WordPress.org plugins team and send them the full disclosure details.

July 13, 2022 – The vulnerability is patched in version 6.10.24.

Conclusion

In today’s post, we covered a vulnerability in the Ecwid Ecommerce Shopping Cart plugin that could be used to trick site administrators into updating plugin settings due to improper nonce verification. The vulnerability was patched by ensuring that a proper nonce was set and by verifying it.

Please remember that due to the nature of Cross-Site Request Forgery vulnerabilities, it is not possible to provide adequate protection via the Wordfence firewall without blocking legitimate requests. As such, we highly recommend updating to version 6.10.24 or higher of Ecwid Ecommerce Shopping Cart to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Ecwid Ecommerce Shopping Cart as soon as possible.

WordPress Ecwid Ecommerce Shopping Cart 6.10.23 Cross Site Request Forgery

The popular security devices are tracking (and sharing) more than you might think.

Jolynn Dellinger, a senior lecturing fellow focusing on privacy and ethics at Duke University’s school of law, says recording audio when someone is on the street is a “serious problem” for privacy and may change how people behave. “We operate with a sense of obscurity, even in public,” Dellinger says. “We are in danger of increasing surveillance of everyday life in a way that is not consistent with either our expected views or really what’s best for society.” In October 2021, a British woman won a court case that said her neighbor’s Ring cameras, which overlooked her house and garden, broke data laws.

Ring’s privacy policy says it can save videos of subscribers to its Ring Protect Plan, a paid service that provides an archive of 180 days of video and audio captured. The company says people can log in to the service to delete the videos, but the company may ultimately keep them anyway. “Deleted Content and Ring Protect Recordings may be stored by Ring in order to comply with certain legal obligations and are not retrievable without a valid court order,” the privacy policy says.

Ring can also keep videos shared to its Neighbors’ app—an app where people and law enforcement agencies can share alerts about “crimes” and post their videos of what is happening around the homes. (There are rules about what people are allowed to post.)

Ring’s privacy policy and terms of service allow it to use all this information it collects in multiple ways. It lists 14 ways the company can use your data—from improving the service Ring provides and protecting against fraud to conducting consumer research and complying with legal requirements. Its privacy policy includes the ambiguous statement: “We also may use the personal information we collect about you in other ways for which we provide specific notice at the time of collection and obtain your consent if required by applicable law.” Ring spokesperson Sarah Rall says this could apply if the company added features or use cases that are not already covered by its privacy policy. “We would provide additional notice or get permission as needed,” Rall says.

While Ring’s privacy policies apply to those who purchase its devices, people who are captured in footage or audio don’t have a chance to agree to them. “Privacy, security, and customer control are foundational to Ring, and we take the protection of our customers’ personal and account information seriously,” Rall says.

Ultimately, you agree to give Ring permission to control the “content” you share—including audio and video—while you own the intellectual property to it. The company’s terms of service say you give it an “unlimited, irrevocable, fee free and royalty-free, perpetual, worldwide right” to store, use, copy, or modify content you share through Neighbors or elsewhere online. (Audio recording can be turned off in Ring’s settings.)

“When I went out to buy a security camera last year, I looked for ones only that did local storage,” says Jen Caltrider, the lead researcher on Mozilla’s Privacy Not Included, which evaluates the privacy and security of products. Caltrider says people should try to keep as much control of their data as possible and not store files in the cloud unless they need to. “I don’t want any company having this data that I can’t control. I want to be able to control it.”

How Ring Works With Police

Ring’s deals with police forces—both in the US and the UK—have proved controversial. For years, the company has partnered with law enforcement agencies, providing them with cameras and doorbells that can be given to residents. By the start of 2021, Ring had partnered with more than 2,000 US law enforcement and fire departments. Documents have shown how Ring also controls the public messaging of police departments it has partnered with. “There is nothing mandating Ring build a tool that is easily accessible and helpful to police,” Guariglia says.

Rings’ terms of service say that the company may “access, use, preserve and/or disclose” videos and audio to “law enforcement authorities, government officials, and/or third parties” if it is legally required to do so or needs to in order to enforce its terms of service or address security issues. Government officials could include any “regulatory agency or legislative committee that issues a legally binding request for information,” Rall says. For the six months between January and June 2022, Ring says it had more than 3,500 law enforcement requests in the US.

All the Data Amazon's Ring Cameras Collect About You

At Black Hat USA, Igal Gofman plans to address how machine identities in the cloud and the explosion of SaaS apps are creating risks for IAM, amid escalating attention from attackers.

Cybercriminals always look for blind spots in access management, be they misconfigurations, poor credentialing practices, unpatched security bugs, or other hidden doors to the corporate castle. Now, as organizations continue their modernizing drift to the cloud, bad actors are taking advantage of an emerging opportunity: access flaws and misconfigurations in how organizations use cloud providers' identity and access management (IAM) layers.

In a talk on Wednesday, Aug. 10 at Black Hat USA entitled "IAM The One Who Knocks," Igal Gofman, head of research for Ermetic, will offer a view into this emerging risk frontier. "Defenders need to understand that the new perimeter is not the network layer as it was before. Now it's really IAM — it's management layer that governs all," he tells Dark Reading.

**Complexity, Machine Identities = Insecurity**

The most common pitfall that security teams step into when implementing cloud IAM is not recognizing the sheer complexity of the environment, he notes. That includes understanding the ballooning amount of permissions and access that software-as-a-service (SaaS) apps have created.

"Adversaries continue to put their hands on tokens or credentials, either via phishing or some other approach," explains Gofman. "At one time, those didn't give much to the attacker beyond what was on a local machine. But now, those security tokens have much more access, because everyone in the last few years moved to the cloud, and have more access to cloud resources."

The complexity issue is particularly piquant when it comes to machine entities — which, unlike humans, are always working. In the cloud context, they're used to access cloud APIs using API keys; enable serverless applications; automate security roles (i.e., cloud access service brokers or CASBs); integrate SaaS apps and profiles with each other using service accounts; and more.

Given that the average company now uses hundreds of cloud-based apps and databases, this mass of machine identities presents a highly complex web of interwoven permissions and access that underpin organizations' infrastructures, which is difficult to gain visibility into and thus difficult to manage, Gofman says. That's why adversaries are seeking to exploit these identities more and more.

"We are seeing a rise in the use of non-human identities, which have access to different resources and different services internally," he notes. "These are services that speak with other services. They have permissions, and usually broader access than humans. The cloud providers are pushing their users to use those, because at the basic level they consider them to be more secure. But, there are some exploitation techniques that can be used to compromise environments using those non-human identities."

Machine entities with management permissions are particularly attractive for adversaries to use, he adds.

"This is one of the main vectors we see cybercriminals targeting, especially in Azure," he explains. "If you don't have an intimate understanding of how to manage them within the IAM, you're offering up a security hole."

**How to Boost IAM Security in the Cloud**

From a defensive standpoint, Gofman plans to discuss the many options that organizations have for getting their arms around the problem of implementing effective IAM in the cloud. For one, organizations should make use of cloud providers' logging capabilities to build a comprehensive view of who — and what — exists in the environment.

"These tools are not actually used extensively, but they're good options to better understand what's going on in your environment," he explains. "You can use logging to reduce the attack surface too, because you can see exactly what users are using, and what permissions they have. Admins can also compare stated policies to what is actually being used within a given infrastructure, too."

He also plans to break down and compare the different IAM services from the top three public cloud providers — Amazon Web Services, Google Cloud Platform, and Microsoft Azure — and their security approaches, all of which are slightly different. Multi-cloud IAM is an added wrinkle for corporations using different clouds from different providers, and Gofman notes that understanding the subtle differences between the tools they offer can go a long way to shoring up defenses.

Organizations can also use a variety of third-party, open source tools to gain better visibility across the infrastructure, he notes, adding that he and his co-presenter Noam Dahan, research lead at Ermetic, plan to demo one option.

"Cloud IAM is super-important," Gofman says. "We're going to speak about the dangers, the tools that can be used, and the importance of understanding better what permissions are used and what permission are not used, and how and where admins can identify blind spots."

Cyberattackers Increasingly Target Cloud IAM as a Weak Link

A month after the algorithms were revealed, some companies have already begun incorporating the future standards into their products and services.

A month after the National Institute of Standards and Technology (NIST) revealed the first quantum-safe algorithms, Amazon Web Services (AWS) and IBM have swiftly moved forward. Google was also quick to outline an aggressive implementation plan for its cloud service that it started a decade ago.

It helps that IBM researchers contributed to three of the four algorithms, while AWS had a hand in two. Google contributed to one of the submitted algorithms, SPHINCS+.

A long process that started in 2016 with 69 original candidates ends with the selection of four algorithms that will become NIST standards, which will play a critical role in protecting encrypted data from the vast power of quantum computers.

NIST's four choices include CRYSTALS-Kyber, a public-private key-encapsulation mechanism (KEM) for general asymmetric encryption, such as when connecting websites. For digital signatures, NIST selected CRYSTALS-Dilithium, FALCON, and SPHINCS+. NIST will add a few more algorithms to the mix in two years.

Vadim Lyubashevsky, a cryptographer who works in IBM's Zurich Research Laboratories, contributed to the development of CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon. Lyubashevsky was predictably pleased by the algorithms selected, but he had only anticipated NIST would pick two digital signature candidates rather than three.

Ideally, NIST would have chosen a second key establishment algorithm, according to Lyubashevsky. "They could have chosen one more right away just to be safe," he told Dark Reading. "I think some people expected McEliece to be chosen, but maybe NIST decided to hold off for two years to see what the backup should be to Kyber."

**IBM's New Mainframe Supports NIST-Selected Algorithms**

After NIST identified the algorithms, IBM moved forward by specifying them into its recently launched z16 mainframe. IBM introduced the z16 in April, calling it the "first quantum-safe system," enabled by its new Crypto Express 8S card and APIs that provide access to the NIST APIs.

IBM was championing three of the algorithms that NIST selected, so IBM had already included them in the z16. Since IBM had unveiled the z16 before the NIST decision, the company implemented the algorithms into the new system. IBM last week made it official that the z16 supports the algorithms.

Anne Dames, an IBM distinguished engineer who works on the company's z Systems team, explained that the Crypto Express 8S card could implement various cryptographic algorithms. Nevertheless, IBM was betting on CRYSTAL-Kyber and Dilithium, according to Dames.

"We are very fortunate in that it went in the direction we hoped it would go," she told Dark Reading. "And because we chose to implement CRYSTALS-Kyber and CRYSTALS-Dilithium in the hardware security module, which allows clients to get access to it, the firmware in that hardware security module can be updated. So, if other algorithms were selected, then we would add them to our roadmap for inclusion of those algorithms for the future."

A software library on the system allows application and infrastructure developers to incorporate APIs so that clients can generate quantum-safe digital signatures for both classic computing systems and quantum computers.

"We also have a CRYSTALS-Kyber interface in place so that we can generate a key and provide it wrapped by a Kyber key so that could be used in a potential key exchange scheme," Dames said. "And we've also incorporated some APIs that allow clients to have a key exchange scheme between two parties."

Dames noted that clients might use Kyber to generate digital signatures on documents. "Think about code signing servers, things like that, or documents signing services, where people would like to actually use the digital signature capability to ensure the authenticity of the document or of the code that's being used," she said.

**AWS Engineers Algorithms Into Services**

During Amazon's AWS re:Inforce security conference last week in Boston, the cloud provider emphasized its post-quantum cryptography (PQC) efforts. According to Margaret Salter, director of applied cryptography at AWS, Amazon is already engineering the NIST standards into its services.

During a breakout session on AWS' cryptography efforts at the conference, Salter said AWS had implemented an open source, hybrid post-quantum key exchange based on a specification called s2n-tls, which implements the Transport Layer Security (TLS) protocol across different AWS services. AWS has contributed it as a draft standard to the Internet Engineering Task Force (IETF).

Salter explained that the hybrid key exchange brings together its traditional key exchanges while enabling post-quantum security. "We have regular key exchanges that we've been using for years and years to protect data," she said. "We don't want to get rid of those; we're just going to enhance them by adding a public key exchange on top of it. And using both of those, you have traditional security, plus post quantum security."

Last week, Amazon announced that it deployed s2n-tls, the hybrid post-quantum TLS with CRYSTALS-Kyber, which connects to the AWS Key Management Service (AWS KMS) and AWS Certificate Manager (ACM). In an update this week, Amazon documented its stated support for AWS Secrets Manager, a service for managing, rotating, and retrieving database credentials and API keys.

**Google's Decade-Long PQC Migration**

While Google didn't make implementation announcements like AWS in the immediate aftermath of NIST's selection, VP and CISO Phil Venables said Google has been focused on PQC algorithms "beyond theoretical implementations" for over a decade. Venables was among several prominent researchers who co-authored a technical paper outlining the urgency of adopting PQC strategies. The peer-reviewed paper was published in May by Nature, a respected journal for the science and technology communities.

"At Google, we're well into a multi-year effort to migrate to post-quantum cryptography that is designed to address both immediate and long-term risks to protect sensitive information," Venables wrote in a blog post published following the NIST announcement. "We have one goal: ensure that Google is PQC ready."

Venables recalled an experiment in 2016 with Chrome where a minimal number of connections from the Web browser to Google servers used a post-quantum key-exchange algorithm alongside the existing elliptic-curve key-exchange algorithm. "By adding a post-quantum algorithm in a hybrid mode with the existing key exchange, we were able to test its implementation without affecting user security," Venables noted.

Google and Cloudflare announced a "wide-scale post-quantum experiment" in 2019 implementing two post-quantum key exchanges, "integrated into Cloudflare's TLS stack, and deployed the implementation on edge servers and in Chrome Canary clients." The experiment helped Google understand the implications of deploying two post-quantum key agreements with TLS.

Venables noted that last year Google tested post-quantum confidentiality in TLS and found that various network products were not compatible with post-quantum TLS. "We were able to work with the vendor so that the issue was fixed in future firmware updates," he said. "By experimenting early, we resolved this issue for future deployments."

**Other Standards Efforts**

The four algorithms NIST announced are an important milestone in advancing PQC, but there's other work to be done besides quantum-safe encryption. The AWS TLS submission to the IETF is one example; others include such efforts as Hybrid PQ VPN.

"What you will see happening is those organizations that work on TLS protocols, or SSH, or VPN type protocols, will now come together and put together proposals which they will evaluate in their communities to determine what's best and which protocols should be updated, how the certificates should be defined, and things like things like that," IBM's Dames said.

Dustin Moody, a mathematician at NIST who leads its PQC project, shared a similar view during a panel discussion at the RSA Conference in June. "There's been a lot of global cooperation with our NIST process, rather than fracturing of the effort and coming up with a lot of different algorithms," Moody said. "We've seen most countries and standards organizations waiting to see what comes out of our nice progress on this process, as well as participating in that. And we see that as a very good sign."

Amazon, IBM Move Swiftly on Post-Quantum Cryptographic Algorithms Selected by NIST

By Deeba Ahmed
This hasn’t been a great week for the crypto community. On Monday, the Nomad bridge got exploited and…
This is a post from HackRead.com Read the original post: Thousands of GitHub Repositories Cloned in Supply Chain Attack

This hasn’t been a great week for the crypto community. On Monday, the Nomad bridge got exploited and lost nearly $200 million. Then on Wednesday, Hackread.com **reported** that roughly 8,000 Solana blockchain wallets were hacked, and approx. $8 million worth of crypto drained from its wallets.

Now, the GitHub developer platform has become the victim of a malware attack in which the attackers cloned thousands of repositories. This supply chain attack allows attackers to exfiltrate data and perform RCE.

**GitHub Facing Widespread Malware Attack**

According to developer **Stephen Lucy**, around 35,000 GitHub repositories have been cloned with malware. The incident was reported on Wednesday when the developer was confronted with the issue while reviewing a GitHub project found through Google search (search phrase= ovz1.j19544519.pr46m.vps.myjinoru).

Lucy noticed a malicious URL included in the code, and when GitHub repositories were scanned for this URL, it gave over 35,000 results.

It is however worth noting that crypto repositories weren’t targeted in the malware attack. However, these are among the impacted repositories. GitHub was notified about the issue on August 3.

**More Github Security News**

*   **New backdoor malware hits Slack and Github platforms**
*   **GitHub Will Now Support Security Keys for SSH Git Operations**
*   **Hackers use Github bot to steal $1,200 in ETH within 100 seconds**
*   **GitHub: Hackers Stole OAuth Access Tokens to Target Dozens of Firms**
*   **Hackers can spoof commit metadata to create false GitHub repositories**

**Were the Repositories Hacked?**

Bleeping Computer **wrote** that the repositories weren’t hacked, but actually, these were copied with their clones. These clones were modified to insert malware.

For your information, cloning open source code is common among developers. But, in this case, the attackers injected malicious code/links into genuine GitHub projects to target innocent users.

Furthermore, over 13,000 search results were obtained from a single repository identified as ‘redhat-operator-ecosystem.’ The malicious link exfiltrated the environment variables, which contain sensitive data like **Amazon AWS credentials**, API keys, and crypto keys, and also contained a one-line backdoor. The malware also lets remote attackers execute arbitrary code on those systems that install/run the clones.

The attack has impacted many crypto projects. These include Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned.

This attack is difficult to spot because genuine GitHub user accounts are spoofed on commits. It is possible because GitHub requires an email address to attribute commits to users, and they can sign commits with GPG.

Since fakes of legit projects can retain past commits and pull requests from genuine users, it becomes difficult to detect fakes. This supply chain attack will not affect those using original GitHub projects.

1.  Iran’s Largest Steel Producer Hit By Crippling Cyberattack
2.  Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices
3.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
4.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
5.  Cloud video platform abused in web skimmer attack against real estate sites

Thousands of GitHub Repositories Cloned in Supply Chain Attack

In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, and all versions of BIG-IQ 8.x, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP or BIG-IQ on Amazon Web Services (AWS) systems, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Successful exploitation relies on conditions outside of the attacker's control. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-34844

By Deeba Ahmed
According to the latest research findings from VirusTotal, cybercriminals and threat actors are increasingly relying on mimicked versions…
This is a post from HackRead.com Read the original post: VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

According to the latest research findings from **VirusTotal**, cybercriminals and threat actors are increasingly relying on mimicked versions of genuine, common-use apps such as Adobe Reader, Skype, and VLC Player to successfully conduct social engineering attacks.

**Findings Details**

In their study of malware, researchers at Google’s VirusTotal revealed that cybercriminals deploy numerous approaches to abuse the trust users have in many reputable apps.

The most widespread tactic is **mimicking legit apps to deliver malware**. In this technique, the app’s icon is replicated to gain the victim’s trust and convince them to use the mimicked app. The purpose behind this malicious new strategy is to bypass security solutions such as IP or domain-based firewalls on devices and spread malware via trusted domains.

Another commonly used attack tactic is stealing authentic signing certificates from legit software vendors and using them for signing the malware. Reportedly, since 2021, over one million signed samples had been declared suspicious.

Around thirteen percent of the samples checked by Google’s team didn’t have a valid signature when uploaded on VirusTotal for the first time, and over ninety-nine percent of them were DLL or Windows Portable Executable files.

This happens because the process of examining the validity of a signed file can be abused by malware stated VirusTotal security engineer Vicente Diaz. This becomes concerning when attackers start stealing legit certificates and creating an **ideal supply chain attack scenario**.

The third technique is incorporating legit installers as a portable executable resource into malicious samples to execute the installer when malware is run.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **US and China Exposed Most Databases Among 380k Found in 2021**
3.  **Fake reviews & third-party apps cause 50% of threats against Android**
4.  **134 million downloads in 85 countries: A look at VPN usage in H1 2020**
5.  **Google, Microsoft and Oracle generated the most vulnerabilities in 2021**
6.  **Google Drive accounted for 50% of malicious Office document downloads**

**Over 2 Million Suspicious Files Downloaded from Top Domains**

According to VirusTotal’s **blog post**, ten percent of the **top 1,000 Alexa domains** had distributed suspicious samples, including the domains commonly used for distributing files, and over 2 million shady files were downloaded from these domains.

Despite the technique’s simplicity, Diaz explains, it can effectively avoid raising red flags for the victim. That’s why many channels are becoming popular as potent malware distribution vectors. This includes the distribution of **cracked software**.

**Most Abused Websites and Apps**

The top three mimicked apps include the following:

*   Adobe Acrobat
*   VLC media player
*   Skype VoIP platform

When they researchers examined the URLs using web icon similarity, WhatsApp, Instagram, Facebook, and iCloud were the four most abused sites.

> “Adobe Acrobat, Skype, and 7zip are very popular and have the highest infection ratio, which probably makes them the top three applications and icons to be aware of from a social engineering perspective.”
> 
> VirusTotal

Furthermore, VirusTotal discovered 1,816 samples since January 2020 masquerading legit software by hiding the malware in installers for popular software like Zoom, Google Chrome, Proton VPN, Brave, and Mozilla Firefox.

Other impersonated apps by icon were TeamViewer, 7-Zip, CCleaner, Steam, Microsoft Edge, Zoom, and WhatsApp. The abused domains included are discordappcom, squarespacecom, amazonawscom, mediafirecom, and qqcom. 

The reason why attackers are using these software and apps is unknown as yet but one reason could be their popularity, Diaz stated.

**More Malware News**

1.  **Malware families using Pay-Per-Install service to expand targets**
2.  **This malware hides behind free VPN, pirated security software keys**
3.  **Fake KPSPico Windows activator tool KPSPico steals crypto wallet data**
4.  **Malware droppers for hire targeting users on fake pirated software sites**
5.  **Researchers Warn of New Variants of ChromeLoader Browser in the Wild**

VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.
Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.
"One of the

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.

Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.

"One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal said in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate."

It's no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables.

This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses. Some of the top abused domains are discordapp\[.\]com, squarespace\[.\]com, amazonaws\[.\]com, mediafire\[.\]com, and qq\[.\]com.

In total, no fewer than 2.5 million suspicious files downloaded from 101 domains belonging to Alexa's top 1,000 websites have been detected.

The misuse of Discord has been well-documented, what with the platform's content delivery network (CDN) becoming a fertile ground for hosting malware alongside Telegram, while also offering a "perfect communications hub for attackers."

Another oft-used technique is the practice of signing malware with valid certificates stolen from other software makers. The malware scanning service said it found more than one million malicious samples since January 2021, out of which 87% had a legitimate signature when they were first uploaded to its database.

VirusTotal said it also uncovered 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.

Such a distribution method can also result in a supply chain when attackers manage to break into a legitimate software's update server or gain unauthorized access to the source code, making it possible to sneak the malware in the form of trojanized binaries.

Alternatively, legitimate installers are being packed in compressed files along with malware-laced files, in one case including the legitimate Proton VPN installer and malware that installs the Jigsaw ransomware.

That's not all. A third method, albeit more sophisticated, entails incorporating the legitimate installer as a portable executable resource into the malicious sample so that the installer is also executed when the malware is run so as to give an illusion that the software is working as intended.

"When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

VirusTotal Reveals Most Impersonated Software in Malware Attacks

To protect against similar attacks, organizations should focus on bringing cloud entitlements and configurations under control.

The recent conviction of a Seattle tech worker accused of carrying out a cyberattack against Capital One is not the end of the story. The trial showed how one person could perpetrate a massive data breach by exploiting misconfigurations and excessive privileges common in many cloud environments.

In the wake of the attack — and the resulting data breach — Capital One was fined $80 million by the federal government and settled customer lawsuits for $190 million. This should give organizations an incentive to put measures into place to avoid the same mistakes.

The attacker, who was an employee of Amazon Web Services, built a tool that allowed her to scan the AWS platform for misconfigured accounts. She used anonymizing services such as the Tor Network and IPredator VPN to hide her IP address.

The attacker carried out a server-side request forgery (SSRF) attack that enabled her to trick a server into making calls crafted on a misconfigured Web application firewall (WAF). This allowed the Capital One attacker to easily extract and exploit the machine's credentials and gain access to sensitive customer data such as names, addresses, and Social Security numbers.

**Lateral Moves and Least Privilege**

This case illustrates just how vulnerable cloud systems are to entitlements and misconfigurations. The hacker was able not only to exploit a misconfiguration in the WAF to access the system, but also to then obtain privileged credentials, move around to uncover data buckets, and then exfiltrate that data.

An MIT Sloan case study on the breach concluded that "it is very likely that Capital One had insufficient Identity and Access Management (IAM) controls for the environment that was hacked.” The study also noted that the incident could have been prevented by periodic reviews of user configurations to ensure that access controls were using the principle of least privilege correctly.

Least privilege, as the name implies, dictates that users and service identities can access only the resources and applications they need to do their jobs and no more. This lets organizations operate with agility while capping risk to the company and its customers. In the case of Capital One, the IAM role of the compromised WAF machine had access privileges beyond what was necessary for its functions.

This case is a good example of how easy it can be to find vulnerabilities and exploit them to open a backdoor into a company — even one that seems well-protected. Workloads can be compromised in so many ways that it's impossible to make them hacker-proof. Even the best efforts to patch and update software, secure network access, and implement other security best practices can leave gaps that a hacker can exploit.

Once inside, an attacker's ability to move laterally, undetected, defines the "blast radius" or extent of the damage. The best way to mitigate lateral attacks is to control access by rightsizing the permissions granted to human and machine (service) accounts. In the Capital One case, the hacker was able to use an identity with access permissions to sensitive user records the role clearly didn’t need.

The complexity of cloud environments makes applying least privilege policy challenging. Native tools do not provide the required visibility into permissions for proactive risk mitigation. In addition, the much-discussed cybersecurity talent gap means most organizations are understaffed and lack cloud expertise.

As a result, permissions management doesn’t get the attention it deserves. In fact, nearly 60% of CISOs and other security decision makers say lack of visibility, as well as inadequate identity and access management, are major threats to their cloud infrastructure. In a recent survey by IDC, respondents cited access risk and infrastructure security among their top cloud security priorities for the next 18 months.

Rightsizing permissions is doable if an organization's security and development teams can identify excessive entitlements and know how to create a least-privilege policy that will allow workloads to effectively function. This can be accomplished using the right blend of technology, processes, and procedures. Consider the following best practices to bring cloud entitlements and configurations under control:

*   **People:** Give someone in the organization responsibility for implementing a least-privilege architecture.

*   **Process:** Establish a regular cadence for reviewing and remediating entitlement risk in your organization, including access reviews for human users and remediation of unused privileges for services.

*   **Technology:** Deploy technology that can continuously monitor entitlement risk, automatically remediate problems, and identify anomalies at cloud scale.

Organizations can learn valuable lessons from this case and the financial consequences of not minding their cloud Ps and Cs — namely, permissions and configurations.

Tag

#amazon