An authenticated access vulnerability in the aspectMemory.php script of ABB Cylon Aspect BMS/BAS controllers allows attackers to set arbitrary values for Java heap memory parameters (HEAPMIN and HEAPMAX). This configuration is written to /usr/local/aam/etc/javamem. The absence of input validation can lead to system performance degradation, Denial-of-Service (DoS) conditions, and crashes of critical Java applications.

ABB Cylon Aspect 3.08.02 (aspectMemory.php) Arbitrary Heap Memory Configuration

Title: ABB Cylon Aspect 3.08.02 (aspectMemory.php) Arbitrary Heap Memory Configuration  
Advisory ID: ZSL-2024-5883  
Type: Local/Remote  
Impact: Manipulation of Data, DoS  
Risk: (4/5)  
Release Date: 13.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

An authenticated access vulnerability in the aspectMemory.php script of ABB Cylon Aspect BMS/BAS controllers allows attackers to set arbitrary values for Java heap memory parameters (HEAPMIN and HEAPMAX). This configuration is written to /usr/local/aam/etc/javamem. The absence of input validation can lead to system performance degradation, Denial-of-Service (DoS) conditions, and crashes of critical Java applications.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[13.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_mem1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-51544  
\[3\] https://www.cve.org/CVERecord?id=CVE-2024-51550  
\[4\] https://packetstorm.news/files/id/183145/

**Changelog**

\[13.12.2024\] - Initial release  
\[15.12.2024\] - Added reference \[4\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Small, easily weaponizable drones have become a feature of battlefields from the Middle East to Ukraine. Now the threat looms over the US homeland—and the Pentagon's ability to respond is limited.

A spectre is haunting the United States—the spectre of drone warfare.

Since the middle of November, unidentified unmanned aerial vehicles have lit up the skies above New Jersey, startling residents and baffling military and government officials. The US Army’s Picatinny Arsenal research and manufacturing facility in the state’s Morris County reported 11 confirmed instances of mysterious drones illegally entering its airspace since the middle of the month, while a dozen drones were spotted hovering over US Naval Weapons Station Earle in Monmouth County in early December. Similar sightings were reported in at least six other counties throughout the state; according to the Coast Guard, a group of drones even followed one of the service’s vessels “in close pursuit” near a state park.

The spate of drone sightings in the skies above New Jersey have caused alarm among state lawmakers, prompting one to call for a “limited state of emergency … until the public receives an explanation” regarding the source of the unidentified drones. One Republican US congressman even claimed the drones were originating from an Iranian “mothership” lurking off of the state’s coastline, an assertion the US Defense Department quickly batted down.

“As you know, Joint Base McGuire-Dix-Lakehurst possess \[sic\] capabilities to identify and take down unauthorized unmanned aerial systems and have utilized this capability to address overflights of the installation,” New Jersey representative Chris Smith told Defense Secretary Lloyd Austin in a December 10 letter. “I urgently request all capabilities possessed by the Department of Defense, especially those in use by JBMDL to be immediately deployed to identify and address the potential threats posed by \[drones\] over the state of New Jersey.”

Despite the growing chorus of concern from New Jersey lawmakers, the US military appears relatively unimpressed with the sudden incursions. In a December 11 statement, US Northern Command (NORTHCOM) revealed that the command had “conducted a deliberate analysis of the events, in consultation with other military organizations and interagency partners, and at this time we have not been requested to assist with these events.” The following day, White House national security communications adviser John Kirby stated that many of the alleged drone sightings that had alarmed civilian observers on the ground in recent weeks were, in fact, conventional manned aircraft. The Federal Bureau of Investigation and Department of Homeland Security echoed this assessment in a statement on Thursday, saying, “it appears that many of the reported sightings are actually manned aircraft, operating lawfully. There are no reported or confirmed drone sightings in any restricted air space.”

“At this time, we have no evidence that these activities are coming from a foreign entity or the work of an adversary. We're going to continue to monitor what is happening,” deputy Pentagon press secretary Sabrina Singh told reporters on Wednesday. “At no point were our installations threatened when this activity was occurring." (In an interesting confluence of events, the US Department of Justice that same day announced the arrest of a Chinese citizen for flying a drone over and taking photos of Vandenberg Space Force Base in California.)

The alarm over the sudden drone incursions over New Jersey, neighboring New York and Pennsylvania, and near sensitive US government sites in particular, even if overblown, isn’t completely unwarranted: Officials at North American Aerospace Defense Command (NORAD)—the joint US-Canadian military organization tasked with overseeing air sovereignty on the continent—revealed in October that they had received reports of nearly 600 incursions above domestic US military installations since 2022.

The issue is, US law severely limits how the US military can respond to these mysterious drones—even if the number of incidents has been growing for years.

Indeed, for several months earlier this year, unidentified drones repeatedly circled Plant 42 in California, the Edwards Air Force Base installation where defense contractor Northrop Grumman has been working on the Air Force’s vaunted new B-21 Raider stealth bombers. In December 2023, Langley Air Force Base in Virginia was targeted by a wave of mysterious drone overflights, prompting the Pentagon to relocate a contingent of F-22 Raptor fighter jets stationed there to another base. And the New Jersey incidents come on the heels of a mid-November series of drone incursions near RAF Lakenheath in the United Kingdom, which, while not a US domestic installation, hosts a strategically-important contingent of American fighter jets, among other capabilities.

It appears that Pentagon assets in the continental United States have been subject to such drone activity as far back as 2019, when a fleet of US Navy Arleigh Burke-class destroyers was shadowed by a swarm of drones for several days during maneuvers at a training range off the coast of southern California. Later that year, a series of mysterious drone sightings in eastern Colorado and western Nebraska and Kansas confounded not just local law enforcement and federal agencies, but alarmed Air Force officers at nearby F.E. Warren Air Force Base in Wyoming, home to one of the Pentagon’s many Minuteman III ICBM fields.

These incidents aren’t limited to US military facilities. In October 2023, several drones were detected in the airspace above the US Energy Department’s Nevada National Security Site, which is used for nuclear research and development, the Wall Street Journal recently reported. And back in 2019, the Palo Verde Nuclear Generating Station in Arizona—the most powerful nuclear power plant in the United States—was subject to a series of mass drone incursions that Nuclear Regulatory Commission officials would later characterize as a “drone-a-palooza,” albeit with grave concern over the potential vulnerability exposed by the incursion, according to email correspondence obtained by The War Zone in 2020.

“I would point out that restricted airspace will do nothing to stop an adversarial attack and even the detection systems identified earlier in this email chain have limited success rates, and there is even lower likelihood that law enforcement will arrive quickly enough to actually engage with the pilots,” one senior NRC security official at Palo Verde wrote in an email regarding the incident. “We should be focusing our attention on getting Federal regulations and laws changed to allow sites to be defended and to identify engineering fixes that would mitigate an adversarial attack before there our \[sic\] licensed facilities become vulnerable.”

While unmanned aerial vehicles have been in military use for generations for surveillance and reconnaissance, the US military is largely responsible for transforming modern drones into vehicles of precision violence during the early years of the Global War on Terrorism, a policy especially expanded under US president Barack Obama. In more recent years, the rise of cheap, commercially-available unmanned platforms like those used by hobbyists has turned the small drone into the weapon of choice for both nation states and irregular forces abroad, from militant groups like ISIS In Iraq and Syria and the Iran-backed Houthi rebels in Yemen to the Russian and Ukrainian militaries. With a potential conflict with China over Taiwan looming on the horizon amid the US military’s pivot to “great power competition,” the Pentagon is itself in the midst of a major surge in both unmanned capabilities and technology to defend against weaponized drones belonging to foreign adversaries.

The US military has been slowly but surely adjusting to the sudden spike in mysterious drone incursions near sensitive sites across the United States with an expanded counter-drone strategy. In early December, Defense Secretary Lloyd Austin signed the Pentagon’s new Strategy for Countering Unmanned Systems, which seeks to unify disparate DoD efforts to address the rise of drone threats both at home and abroad into a single coherent framework, one that implicitly acknowledges the potential for the rising tide of domestic drone threats to grow from intrusive surveillance risks to something more damaging.

“From the Middle East to Ukraine and across the globe—including in the US homeland—unmanned systems are reshaping tactics, techniques, and procedures; challenging established operational principles; and condensing military innovation cycles,” the unclassified fact sheet on the new Pentagon strategy states. “The relatively low-cost, widely available nature of these systems has, in effect, democratized precision strike.”

The Pentagon has been working overtime to field fresh counter-drone capabilities to US forces deployed overseas in recent years, including traditional firearms outfitted with computerized optics and remotely operated vehicle-mounted heavy weapons turrets, laser-guided rocket and missile systems, AI-assisted kinetic interceptors, radio frequency- and Global Positioning System-jamming electronic warfare suites, and even exotic directed energy weapons like high-energy lasers and high-powered microwaves, among others. As recently as late October, NORTHCOM was working in conjunction with the Federal Aviation Administration to demo fresh counter-drone tech as part of its Falcon Peak 2025 experiment at Fort Carson in Colorado.

“By all indications, \[small unmanned aerial systems\] will present a safety and security risk to military installations and other critical infrastructure for the foreseeable future,” NORTHCOM boss Air Force general Gregory Guillot told reporters at the time. “Mitigating those risks requires a dedicated effort across all federal departments and agencies, state, local, tribal and territorial communities, and Congress to further develop the capabilities, coordination and legal authorities necessary for detecting, tracking and addressing potential sUAS threats in the homeland.”

But US military officials also indicated to reporters that the types of counter-drone capabilities the Pentagon may be able to bring to bear for domestic defense may be limited to non-kinetic “soft kill” means like RF and GPS signal jamming and other relatively low-tech interception techniques like nets and “string streamers” due to legal constraints on the US military’s ability to engage with drones over American soil.

“The threat, and the need to counter these threats, is growing faster than the policies and procedures that \[are\] in place can keep up with,” as Guillot told reporters during the counter-drone experiment. “A lot of the tasks we have in the homeland, it’s a very sophisticated environment in that it’s complicated from a regulatory perspective. It’s a very civilianized environment. It’s not a war zone.”

Defense officials echoed this sentiment during the unveiling of the Pentagon’s new counter-drone strategy in early December.

“The homeland is a very different environment in that we have a lot of hobbyist drones here that are no threat at all, that are sort of congesting the environment,” a senior US official told reporters at the time. “At the same time, we have, from a statutory perspective and from an intelligence perspective, quite rightly, \[a\] more constrained environment in terms of our ability to act.”

The statute in question, according to defense officials, is a specific subsection of Title 10 of the US Code, which governs the US armed forces. The section, known as 130(i), encompasses military authorities regarding the “protection of certain facilities and assets from unmanned aircraft.” It gives US forces the authority to take “action” to defend against drones, including with measures to “disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft” and to “use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.”

As The War Zone points out, 130i limits when and where the US military can actually deploy counter-drone assets outside of immediate self-defense in the face of an imminent threat. Notably, it requires the defense secretary to “coordinate” with both the US transportation secretary and Federal Aviation Administration (FAA) administrator regarding any counter-drone implementation that “might affect aviation safety, civilian aviation and aerospace operations, aircraft airworthiness, or the use of airspace.” Not only that, but 130i authority is only applicable to a specific list of installations, mainly those dealing with nuclear deterrence and missile defense functions of the US national security apparatus.

This, in turn, limits what kinds of counter-drone systems the US military can actually employ domestically. Service members may be up to their eyes in fresh counter-drone tech overseas, but the regulatory environment at home is rigid enough that “hard kill” solutions like missiles, guns, and other kinetic interceptors aren't even considered potential options because there’s simply too much risk that they might end up inflicting collateral damage on innocent, unsuspecting civilians in nearby neighborhoods. Even “soft kill” solutions like RF and GPS jamming require coordination with the FAA and other federal agencies to prevent potential harm to civilian air travel, approvals that could slow down the reaction time among base security forces amid a potential drone incursion.

“Given the impact of GPS denial, just across infrastructure and all that stuff, it is a very, very difficult capability to get permissions to utilize,” as one official told The War Zone at Falcon Peak.

While the Pentagon’s broad new counter-drone strategy is a step in the right direction when it comes to bolstering domestic drone defenses, Congress is taking action as well. In the compromise version of the annual National Defense Authorization Act defense budget legislation unveiled in December, lawmakers included language calling upon the Pentagon to not just conduct an assessment of the counter-drone technology landscape at large, but generate recommendations on how policy changes could reduce the amount of burdensome bureaucratic coordination between federal agencies required to address the growing number of drone incursions—and, in an ideal world, allow the US military to move quickly and decisively to counter intrusive drones at sensitive installations before they become dangerous.

“We agree that US troops have the inherent right of self defense, including from \[drone\] attacks, wherever they may be,” the explanatory statement accompanying the compromise NDAA says.

At the moment, the Pentagon seems unconvinced that the Northeast drone sightings and earlier incursions are connected to a foreign adversary. But with lawmakers increasingly concerned with the potential threat to sensitive installations and critical infrastructure in their states, the US military’s renewed approach to counter-drone defense can’t come soon enough.

Why the US Military Can't Just Shoot Down the Mystery Drones

Learn how blockchain and smart contracts improve cybersecurity factors in online transactions, remove the element of fraud, and…

Learn how blockchain and smart contracts improve cybersecurity factors in online transactions, remove the element of fraud, and promote trust with automation and transparency.

In this connected age, where data breaches and online fraud are rising concerns, blockchain technology and smart contracts have become powerful solutions for secure transactions. Their ability to provide transparency, remove middlemen, and enable fraud-resistant mechanisms has made them a key part of today’s financial systems and more.

****How Blockchain Builds a Secure Foundation****

Blockchain is best known as the technology behind cryptocurrencies like Bitcoin and Ethereum, but its uses go well beyond digital currencies. It works as a decentralized ledger, recording transactions across multiple points in a network, which makes it incredibly secure and nearly impossible for cybercriminals to tamper with or hack.

When it comes to digital payments, this decentralization is key. Traditional payment systems rely on central authorities, which are vulnerable to malware attacks, breaches and fraud.

Blockchain, on the other hand, distributes the transaction record across a network, reducing the risk of a single point of failure. The stability of blockchain also means that once a transaction is recorded, it cannot be changed, adding another layer of trust and accountability.

****The Role of Smart Contracts****

Smart contracts take blockchain’s security a step further. These self-executing agreements operate based on established criteria rules written into code. Once the conditions are met, the contract automatically executes, removing the need for intermediaries.

For example, imagine buying a digital service. A smart contract can be programmed to release payment only when the service is delivered and verified. This reduces the risk of fraud and disputes, as the terms are enforced automatically.

Another benefit is efficiency. By automating processes, smart contracts not only save time but also reduce costs associated with manual verification and third-party oversight. This makes them especially appealing for industries like supply chain management, insurance, and real estate, where trust and speed are paramount.

However, security vulnerabilities have also affected smart contracts, which need to be addressed by skilled blockchain developers or specialized auditing teams. According to Onchainpay, a European secure cryptocurrency payment gateway, smart contract vulnerabilities are one single major factor that continues to pose security risks within the blockchain infrastructure.

A recent systematic literature review identified 101 distinct vulnerabilities in Ethereum smart contracts, categorized into ten groups. In particular, in the first quarter of 2024 alone, exploits targeting these vulnerabilities resulted in nearly $45 million in losses across 16 incidents, averaging $2.8 million per exploit.

****Real-World Applications****

Nevertheless, despite ups and downs, Blockchain and smart contracts are already being used to secure payments and transactions globally. As noticed by Halborn, Microsoft, JPMorgan Chase, Walmart, IBM and Amazon are just some major examples.

In international payments, they enable faster and more transparent transfers without the hefty fees associated with traditional banking. In e-commerce, smart contracts can automate escrow services, protecting both buyers and sellers.

Even outside of payments, blockchain is enhancing security. From safeguarding healthcare records to verifying the authenticity of luxury goods, its applications are vast.

****What This Means for Businesses****

As cybersecurity threats grow, businesses opting for blockchain and smart contracts gain a competitive advantage in security and efficiency. For consumers, this means safer and more reliable transactions.

While the technology isn’t without challenges, such as regulatory hurdles and technical complexity, its benefits are clear. Businesses looking to adopt secure payment systems should consider solutions that leverage blockchain and smart contracts to protect their data and enhance trust in their transactions.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **5 Platforms for Identifying Smart Contract Vulnerabilities**
3.  **Growing Importance of Secure Crypto Payment Gateways**
4.  **Best Crypto Marketing Agencies for Web3 Security Brands**
5.  **Why Hosting firms have started accepting crypto payments**
6.  **Top 5 Platforms for Identifying Smart Contract Vulnerabilities**

The Role of Blockchain and Smart Contracts in Securing Digital Transactions

As the adoption of LCNC grows, so will the complexity of the threats organizations face.

Source: ArtemisDiana via Alamy Stock Photo

COMMENTARY

As organizations lean into low-code/no-code (LCNC) platforms to streamline development and empower citizen developers, security risks become increasingly challenging to manage. One of the more under-the-radar LCNC threats is OData injection, an attack vector that can expose sensitive corporate data and is predominant on the Microsoft Power Platform. This new vulnerability is poorly understood by security professionals in LCNC environments, where traditional safeguards are lacking.

**What Is OData? **

OData, or Open Data Protocol, is an OASIS standard that has gained traction in LCNC platforms as a way to manage and deliver data through REST APIs. It's widely adopted because it allows seamless communication between applications and data sources, regardless of the underlying data storage model. In LCNC environments, it is commonly used as a query language to retrieve data from a variety of sources, such as SQL databases, SharePoint, or Dataverse.

OData is particularly valuable in LCNC platforms because of its simplicity — developers don't need to be database experts to use it, and the same query language can be used for very different data sources. 

**The OData Injection Threat**

OData injection manipulates user input that is later used by an application or automation to form an OData query. The query is then applied to an enterprise data source. This allows an attacker to gain unauthorized access to manipulate or exfiltrate sensitive user and corporate data. 

While SQL injection (SQLi) is generally understood by security professionals, OData injection poses a different set of challenges, especially in LCNC environments, where multiple data sources are often connected and managed by citizen developers with minimal security training. Unlike SQLi, which is confined to relational databases, OData can connect to a wide array of data sources, including custom applications and third-party services, broadening the potential impact of an attack. 

OData also lacks the well-established security practices that have been developed for SQL. For example, SQLi can typically be mitigated with parameterized queries, a practice that has become standard over the years. OData injection, however, doesn't have a similar one-size-fits-all solution. Developers must create custom input validation mechanisms — a manual and error-prone process. In addition, the general lack of awareness of OData injection techniques further reduces the likelihood that custom validation methods will be implemented. 

**A New External Attack Surface**

OData vulnerabilities in LCNC environments often stem from the unrecognized risks associated with external data inputs. These are frequently integrated into workflows that manipulate critical enterprise data, including Web forms, email messages, social media, and external Web applications. These inputs typically are accepted without stringent validation, leaving the attack surface vulnerable and often undefended, as developers and security teams may overlook these sources as potential risks.  

This oversight allows attackers to exploit these inputs by injecting malicious OData queries. For instance, a simple product feedback form could be exploited to extract sensitive data or modify stored information. 

**Security Challenges **

Because most citizen developers don't have formal security training and are often unfamiliar with the dangers of accepting unchecked external inputs in their workflows, OData Injection vulnerabilities can flourish undetected.

Also, unlike SQL injection, validating user inputs in OData queries requires a more hands-on approach. Developers must manually sanitize inputs — removing harmful characters, ensuring proper formatting, and guarding against common injection techniques. This process takes time, effort, and more advanced programming knowledge that most LCNC developers lack.

Furthermore, in traditional development environments, security vulnerabilities are often tracked and remediated through ticketing systems or backlog management tools like Jira. This formal process does not exist in most LCNC development environments, where developers may not be full-time coders and have no formalized way to handle bug tracking or vulnerability management.

**Mitigation Best Practices**

Combating OData injection requires a proactive security strategy. Ideally, LCNC developers should be trained on OData query risks and how external inputs could be exploited. This is unrealistic, since citizen developers aren't full-time coders. 

Instead, automation can play a significant role in monitoring and detecting OData injection vulnerabilities. Security teams should deploy tools that continuously assess LCNC environments for potential vulnerabilities, especially as new applications and workflows are created. This will help identify weaknesses early and quickly provide developers with actionable insights into how to fix them.

Collaboration between security teams and LCNC developers is another essential piece of the puzzle. Security teams should be granted access to monitor the development process in real-time, particularly in environments where critical corporate data is being processed. When vulnerabilities are identified, security must communicate clearly with developers, offering specific guidance on how to remediate issues. This could include best practices for input validation and sanitation, as well as tools for automating the process where possible.

Lastly, security should be integrated into the LCNC development life cycle. Much like the "shift-left" movement in traditional software development, security checks should be built into the LCNC workflow from the outset. Automated testing tools can be leveraged to scan for vulnerabilities as applications are being built, reducing the likelihood of OData injection vulnerabilities slipping through the cracks.

As the adoption of LCNC continues to grow, so will the complexity of the threats organizations face. Addressing LCNC vulnerabilities like OData injection now will help keep enterprises safe in the long run.

**About the Author**

CTO & Co-Founder, Nokod Security

Amichai Shulman, chief technology officer (CTO) and co-founder of Nokod Security, is an internationally recognized expert and researcher in data and application security. He was previously co-founder, CTO, and chief scientist at Imperva for more than 15 years. Amichai is a frequent conference speaker and industry authority on cybersecurity. As an investor and adviser, he has guided successful startups, including Intsights and SkyFence. Amichai is also an adjunct professor at the Technion – Israel Institute of Technology.

OData Injection Risk in Low-Code/No-Code Environments

AI creates what it’s told to, from plucking fanciful evidence from thin air, to arbitrarily removing people’s rights, to sowing doubt over public misdeeds.

OpenAI CEO Sam Altman expects AGI, or artificial general intelligence—AI that outperforms humans at most tasks—around 2027 or 2028. Elon Musk’s prediction is either 2025 or 2026, and he has claimed that he was "losing sleep over the threat of AI danger." Such predictions are wrong. As the limitations of current AI become increasingly clear, most AI researchers have come to the view that simply building bigger and more powerful chatbots won’t lead to AGI.

However, in 2025, AI will still pose a massive risk: not from artificial superintelligence, but from human misuse.

These might be unintentional misuses, such as lawyers over-relying on AI. After the release of ChatGPT, for instance, a number of lawyers have been sanctioned for using AI to generate erroneous court briefings, apparently unaware of chatbots’ tendency to make stuff up. In British Columbia, lawyer Chong Ke was ordered to pay costs for opposing counsel after she included fictitious AI-generated cases in a legal filing. In New York, Steven Schwartz and Peter LoDuca were fined $5,000 for providing false citations. In Colorado, Zachariah Crabill was suspended for a year for using fictitious court cases generated using ChatGPT and blaming a "legal intern" for the mistakes. The list is growing quickly.

Other misuses are intentional. In January 2024, sexually explicit deepfakes of Taylor Swift flooded social media platforms. These images were created using Microsoft’s “Designer” AI tool. While the company had guardrails to avoid generating images of real people, misspelling Swift's name was enough to bypass them. Microsoft has since fixed this error. But Taylor Swift is the tip of the iceberg, and non-consensual deepfakes are proliferating widely—in part because open-source tools to create deepfakes are available publicly. Ongoing legislation across the world seeks to combat deepfakes in hope of curbing the damage. Whether it is effective remains to be seen.

In 2025, it will get even harder to distinguish what’s real from what’s made up. The fidelity of AI-generated audio, text, and images is remarkable, and video will be next. This could lead to the "liar's dividend": those in positions of power repudiating evidence of their misbehavior by claiming that it is fake. In 2023, Tesla argued that a 2016 video of Elon Musk could have been a deepfake in response to allegations that the CEO had exaggerated the safety of Tesla autopilot leading to an accident. An Indian politician claimed that audio clips of him acknowledging corruption in his political party were doctored (the audio in at least one of his clips was verified as real by a press outlet). And two defendants in the January 6 riots claimed that videos they appeared in were deepfakes. Both were found guilty.

Meanwhile, companies are exploiting public confusion to sell fundamentally dubious products by labeling them “AI.” This can go badly wrong when such tools are used to classify people and make consequential decisions about them. Hiring company Retorio, for instance, claims that its AI predicts candidates' job suitability based on video interviews, but a study found that the system can be tricked simply by the presence of glasses or by replacing a plain background with a bookshelf, showing that it relies on superficial correlations.

There are also dozens of applications in health care, education, finance, criminal justice, and insurance where AI is currently being used to deny people important life opportunities. In the Netherlands, the Dutch tax authority used an AI algorithm to identify people who committed child welfare fraud. It wrongly accused thousands of parents, often demanding to pay back tens of thousands of euros. In the fallout, the Prime Minister and his entire cabinet resigned.

In 2025, we expect AI risks to arise not from AI acting on its own, but because of what people do with it. That includes cases where it _seems_ to work well and is over-relied upon (lawyers using ChatGPT); when it works well and is misused (non-consensual deepfakes and the liar's dividend); and when it is simply not fit for purpose (denying people their rights). Mitigating these risks is a mammoth task for companies, governments, and society. It will be hard enough without getting distracted by sci-fi worries.

Human Misuse Will Make Artificial Intelligence More Dangerous

SUMMARY Byte Federal, the US’s largest Bitcoin ATM operator offering around 1,200 Bitcoin ATMs across the country, recently…

****SUMMARY****

*   **Byte Federal, the largest US Bitcoin ATM operator, suffered a data breach affecting 58,000 customers.**

*   **Hackers exploited a vulnerability in GitLab to access sensitive customer data.**

*   **Exposed information includes names, IDs, addresses, and transaction histories.**

*   **Byte Federal secured systems, notified customers, and is investigating with experts.**

*   **Customers are urged to reset passwords and monitor accounts for fraud.**

Byte Federal, the US’s largest Bitcoin ATM operator offering around 1,200 Bitcoin ATMs across the country, recently confirmed a data breach that potentially exposed the personal information of 58,000 customers.

The company submitted a report to Maine’s attorney general, revealing that the breach occurred on September 30th, 2024, but wasn’t discovered until November 18th. A consumer notification was published (PDF) on November 27th.

It is worth noting that this is the second data breach Byte Federal has experienced. In March 2023, hackers successfully stole $1.5 million worth of Bitcoin from the company.

****What Happened?****

Hackers exploited a vulnerability in a third-party software platform called GitLab to gain unauthorized access to one of Byte Federal’s servers. Upon discovering the breach, Byte Federal immediately shut down its platform, isolated the hackers, and secured the compromised server. They also implemented additional security measures, including resetting all customer accounts.

****What Information Was Involved?****

The compromised data may include a combination of the following for affected customers:

*   Name
*   Birthdate
*   Address
*   Photographs
*   Phone number
*   Email address
*   Transaction history
*   Social Security number
*   Government-issued ID number

****What Byte Federal is Doing****

At the time of this writing, Byte Federal has no evidence that any information was misused or user funds/assets were compromised. The company is currently conducting a forensic investigation with the help of a cybersecurity team to determine the full scope of the breach. They are also cooperating with law enforcement.  

The company has notified all affected customers via mail and issued a press release. Additionally, they’ve updated their website with further details and suggest the following steps for customers:

*   Reset login credentials for Byte Federal services
*   Monitor bank and credit card statements for fraudulent activity
*   Obtain a free credit report and monitor it regularly for unauthorized activity
*   Place a fraud alert or security freeze on credit reports with major credit reporting agencies (Experian, Equifax, TransUnion)

If you are a Byte Federal customer, follow the recommendations outlined above. Additionally, Byte Federal provided contact information for their dedicated helpline and customer service email for further assistance. They also encourage them to report any suspicious activity immediately.

Cryptocurrency platforms are facing increasing cyber threats, where attackers are targeting both assets and personal information, highlighting the ongoing challenges the cryptocurrency industry faces in safeguarding user data. Recently, hackers posted fake claims and phishing links, announcing a new CEO of Giggle Academy, founded by former Binance CEO Changpeng Zhao.

In October 2024, crypto payment services firm Transak suffered a data breach that exposed the information of over 92,000 individuals. This breach compromised sensitive data such as names, birthdays, passport and driver’s license information, and user selfies. Such incidents highlight the need for enhanced security measures within the crypto industry.

Roger Grimes, data-driven defense evangelist at KnowBe4, shared the following comment with Hackread.com regarding this news stating, _“_It seems like Byte Federal is doing all the right things in response to this security breach. Other companies should take note. My biggest worry would be a user’s funds or private keys being compromised, but this doesn’t appear to have happened, and that’s a good thing._“_

Roger explained that _“_Although, the information the attacker did have access to could easily be used in sophisticated spear phishing attacks using crypto-related themes. That’s the only remaining worry. Byte Federal customers have to understand that some attackers intent on stealing their crypto value could use learned information against them in sophisticated phishing attacks and act accordingly._“_

1.  **Hackers Drain $1.48 Billion from Crypto in 2024**
2.  **Hackers selling Bitcoin ATM Malware on Dark Web**
3.  **Scammers using fake WHO Bitcoin wallet to steal donation**
4.  **Hackers Deploy Linux FASTCash Malware for ATM Cashouts**
5.  **The Growing Importance of Secure Crypto Payment Gateways**

Bitcoin ATM Giant Byte Federal Hit by Hackers, 58,000 Users Impacted

The white supremacist Robert Rundo faces years in prison. But the “Active Club” network he helped create has proliferated in countries around the world, from Eastern Europe to South America.

American neo-Nazi Robert Rundo’s six-year “battle with the feds”—a fight that spans two dismissals, three appellate reversals, and an extradition and deportation from at least two countries—concludes today with his sentencing to federal prison for attacking ideological opponents at political rallies across California in 2017.

Along with several members of the Rise Above Movement, a fight club-cum-street gang Rundo cofounded with fellow extremist Ben Daley in Southern California during the peak of the alt-right movement, Rundo was convicted on 2018 charges of conspiracy to violate the federal Anti-Riot Act for training and planning a series of attacks on political opponents at rallies across California and Unite the Right in Virginia the year prior. While Rundo may be locked behind bars for years, the movement he created is running wild around the globe.

In the interceding years since his initial arrest, indictment, imprisonment, and flight from the US after his case was initially dismissed in 2019, Rundo helped mastermind an international network of RAM clones known as “Active Clubs.” A transnational alliance of far-right fight clubs that closely overlap with skinhead gangs and neofascist political movements in North America, Europe, the Antipodes, and South America, the Active Club network is proliferating internationally. There are dozens of Active Clubs in the United States, United Kingdom, Ireland, France, Germany, Holland, Scandinavia, Australia, and Colombia, according to the groups’ presence on Telegram and extremism researchers.

Seemingly harmless from the outside, Active Clubs are small groups of young men who go on hikes, train in combat sports, weight-lift, and build camaraderie—all part of the Rise Above Movement’s original program. But the darkness is in the details: The groups’ membership often overlaps with other extremist organizations like Patriot Front, criminal skinhead groups like the Hammerskins, and other violent extremists in foreign nations. Some US-based Active Clubs are branching out into political intimidation and violence, like the Rise Above Movement before them.

“I definitely do believe that in the future there needs to be a mass movement, a mass organization, but when it comes for that, do you really want a bunch of guys coming strictly from the online world to come join a mass movement without having any experience or skills?” Rundo said in a video posted online shortly before his March 2023 arrest in Bucharest, Romania. “Active clubs are a great local way to start guys off as they come from the online world into the real world, to learn actual skills.”

Hannah Gais, a senior research analyst at the Southern Poverty Law Center who has long researched Rundo and his associates, says the Active Club model stands out for its low barrier to entry, emphasis on positive community building to draw new blood from outside of extremist circles, and a ready-made international network. “The model has really made it easier to facilitate those transnational connections,” Gais says. “If you’re not an organization, then you can network with whoever you want.”

The Active Club network is seeing expanded breadth and growing significance in street politics (American members appeared alongside foreign counterparts at extreme right-wing demonstrations in Paris this May and Warsaw this fall), a fact emphasized by US prosecutors in their filing seeking prison time for Rundo. Federal attorneys scoured Rundo’s media output—which is considerable, ranging from a series of far-right “influencer” Telegram channels to the Media2Rise propaganda outlet that he ran in conjunction with stateside followers and members of Patriot Front—for their explanation of how seemingly innocuous fitness organizations like Active Clubs serve as vehicles for radicalization.

In a November 26 sentencing memorandum, prosecutors flagged Rundo’s description of the Active Cub network as “brush fire effect” that will be difficult for authorities to stamp out “because these clubs are generally small and local, helping to shield it from infiltrators and broader law enforcement actions.”

The Active Club ideology also leans heavily on young male grievances against a world that supposedly singles them out in favor of people of color and LGBTQ+ youth. “Defendant lamented that ‘\[b\]oy scouts no longer teach boys how to be men, instead softening them up, discouring \[sic\] any forms of competition, accepting girls, and promoting LGBT values,’ and encouraged Active Clubs to ‘put out propaganda’ to ‘let\[\] our own know the fight is not over,’ the government’s filing reads.

The Active Club network was not Rundo’s creation alone: He came up with the idea along with Denis Nikitin, a German-Russian neo-Nazi who started out as a soccer hooligan before moving into combat sports as a fighter, promoter, and organizer of far-right tournaments. According to exhibits filed by US prosecutors, Nikitin counseled Rundo on how to flee the US in 2018 while dodging what he believed to be his first arrest warrant, and sought to smuggle him into Ukraine with the assistance of the Azov Movement (a neo-Nazi political movement that has its own paramilitary forces integrated with the Ukrainian military and organizes with other similar extremist groups across Europe) and its allies in that country’s security services. Nikitin is not currently charged with an offense by the United States government.

Nikitin, whose legal surname is Kapustin, is one of Europe’s most influential neo-Nazi activists, starting out small with fight club events held in backwater Russian cities among amateurs from soccer hooligan and skinhead groups. In 2012, Nikitin’s MMA tournament promotion vehicle, White Rex, ran its first tournament outside Russia, in Kyiv. Soon Nikitin was hosting tournaments in Italy, Hungary, France, Germany, Greece, and elsewhere.

Nikitin also got his hands dirty. He allegedly participated in the hooligan riot during Russia’s 2016 European Championship clash with England in Marseille and trained British Nazis in armed combat tactics in 2014 at camps in England and Wales, as well as Swiss extremists in 2017. In 2019, he was reportedly banned from the European Union’s Schengen Zone for promoting extremism in several countries.

Nikitin currently leads a volunteer combat battalion of far-right wing extremists in association with Ukrainian command that spearheaded a surprise assault on Russia’s Kursk region earlier this year.

Since Rundo and Kapustin coined the concept of an Active Club in 2021 on an eponymous podcast, the neo-Nazi fight clubs have proliferated throughout Western Europe, Australia, and the United States, and are currently the preeminent organizing model for far-right streetfighters. Their members have been involved in political violence in the US and France, have been banned and arrested in Germany, and are a growing concern for UK and Irish law enforcement as the place of their recruiting has skyrocketed following this summer's riots.

Michael Vandelune, a research fellow at the American Counterterrorism Targeting & Resilience Institute, has long studied transnational networking by neo-fascist groups, including Rundo’s relationship with Nikitin. “Rundo was building on the Eastern European emphasis on hypermasculinity and physical fitness, and in many ways, he was a perfect Western mouthpiece for Nikitin and similar peoples’ ideas,” Vandelune says. Rundo’s devotion to Nikitin is apparent: While getting RAM off the ground, he repeatedly cited Nikitin’s white-nationalist clothing brand and MMA promotion company White Rex as inspiration, and got the company’s logo tattooed on his shin in 2018.

Along with members of the Azov Movement’s 3rd Assault Battalion who have been integrated into the regular units of Ukraine military intelligence directorate (HUR), Nikitin hosted a September conference in Lviv that gathered representatives from extreme right-wing organizations across Europe for a strategy conference. Italian fascist organization Casapound, which Rundo visited in 2018 and views as an exemplar, sent a representative, as did Germany’s openly neo-Nazi party Dritte Weg (Third Way).

Patrick Macdonald, a Canadian known as ‘Dark Foreigner’ who allegedly produced the neo-Nazi group Atomwaffen Division’s eyecatching signature far-right propaganda at the end of the last decade, did the same work for the Active Club network, according to testimony given during his trial in Ottawa this month (Macdonald has plead not guilty to several charges, including participating in terrorist activity). Last year, the Canadian Anti-Hate Network identified Macdonald as a participant in Canada’s Active Club.

Outside of North America, the Active Clubs have proliferated most widely in France, the first European country to start such an organization. There are currently at least 50 such organizations in operation across the country, from Normandy to Provence and the Swiss border.

Sébastien Bourdon, a French journalist with Le Monde’s video investigations unit who authored a forthcoming book on that country’s far-right, says Active Clubs are the fastest-expanding facet of far-right militancy in France.

“When they launched the first Active Club in France in early 2022, within a few months they had 10 to15 groups. That’s already quite a lot. The fact that within two years they’ve grown from 15 groups to 50-plus groups throughout the country is mad,” Bourdon says. “Historically, most far-right groups in France have been active in big cities like Paris, Lyon, but if you look at some of the places they claim, some of them I’ve never heard of before.”

In France, where far-right street violence has a decades-long history despite authorities’ attempts to ban and dissolve organized groups, Bourdon says Active Clubs have proved effective at dodging legal crackdowns while appearing to have carried out acts of violence including an attack on an asylum center near Nantes last year. At least one founding member of the Active Club in Lyon has gone on to fight in Ukraine alongside other far-right volunteers.

As for Rundo, he will likely spend years in prison—a place he’s been before. He previously served nearly two years for stabbing a rival gang member in Flushing Queens in 2009. While he did radicalize during his stint at New York’s Greene Correctional Facility, starting a small white power gang, Rundo’s forthcoming prison term will mark his first federal term as a certified domestic extremist. But it remains unlikely that federal lockup will change his ideologies.

Rundo “has not renounced the violent extremist ideology that motivated that conduct,” US prosecutors wrote in their sentencing memo. It’s also likely that Rundo will hold out for help from a friendlier government.

Prior to the US election in November, Rundo urged his supporters to vote for Donald Trump specifically in the hope that the Republican president-elect would pardon him and other extremists who plead guilty to federal crimes. Since the election, there has been a sustained pardon campaign from corners of the far-right internet, which is a possibility since Rundo will be serving time in a federal prison when the incoming administration is sworn in this January.

As the Mastermind of Far-Right ‘Active Clubs’ Goes to Prison, His Violent Movement Goes Global

A sophisticated social engineering cybercrime campaign bent on financial gain was observed being run from Tencent servers in Singapore.

Source: Rastislav Sedlak via Alamy Stock Photo

The Dubai Police are the latest victims of impersonation by fraudsters in the United Arab Emirates (UAE), who are sending thousands of text messages out to unwitting mobile users while purporting to represent the law enforcement agency.

Researchers at BforeAI observed a recent surge in phishing attacks leveraging alleged police communications, which encourage text recipients to click on a malicious URL to respond to supposed legal trouble or to register with an "official" online portal. The included links redirect victims to fake websites designed to harvest sensitive information, including bank details or personal identification details.

The campaign uses well-crafted lures with official branding, suggesting a moderate level of sophistication, according to BforeAI. But while the lures are tailored to UAE citizens, the phishing methodology resembles a 'spray-and-pray' model in its broad reach.

"The campaign targets individuals likely to respond to law enforcement-related communications, of which legitimate comms of this nature are not uncommon in the UAE — targeting particularly those with a limited understanding of digital threats," Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, tells Dark Reading.

"The most striking aspect of this campaign is the calculated misuse of Dubai Police branding to establish credibility and deceive victims," he adds. "This demonstrates a sophisticated understanding of social engineering techniques and reliance on psychological manipulation, exploiting fear and trust in law enforcement — which for citizens of the UAE is of utmost importance."

Related:Governments, Telcos Ward Off China's Hacking Typhoons

**Cybercriminals Increasingly Target UAE, Middle East**

Cybercrime campaigns targeting organizations and individuals in Dubai and other parts of the UAE are noticeably on the rise. According to research from Kaspersky earlier this year, 87% of companies in UAE have faced some form of cyber incident in the past two years.

"The UAE is a high-value target due to its affluent population, high Internet penetration, and reliance on digital services," Qureshi says. "Cybercriminals exploit these factors alongside vulnerabilities in newly adopted technologies."

The cybercrime spree is part of a larger trend in the targeting of individuals and organizations in some areas of the Middle East in general, he notes.

"There's a focus on wealthy regions and individuals to maximize financial gain," he says. "There are also regional geopolitical interests and an increased focus on Middle Eastern entities due to economic and political dynamics."

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

To boot, because the area has embraced digital transformation and IT modernization with gusto, cybercriminals are targeting digital adoption vulnerabilities that come from the rapid implementation of advanced technologies without adequate protections, according to Qureshi.

**Anchoring a UAE Cybercrime Campaign in Singapore**

The cyberattackers behind the Dubai Police offensive appear to have used an automated domain generation algorithm (DGA) or bulk registration to quickly cycle through different domains to host malicious Web pages bent on financial fraud. Each domain is short-lived, in order to better avoid detection.

Most of those domains originated from Tencent servers based in Singapore, according to BforeAI researchers, who noted the company's servers have hosted malicious activity before, including spam, phishing, and botnets.

"Tencent, a Chinese-based technology giant, maintains a significant hub in Singapore, leveraging the city-state's strategic location and robust digital infrastructure," says Qureshi. "Despite Singapore's strong cyber-resilience and rigorous policies to address malicious activity, its status as a global tech hub makes it a prime location for abuse of legitimate platforms by cybercriminals."

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Qureshi adds that the presence of malicious activity on Tencent servers could be due to the exploitation of legitimate services.

"High-traffic servers can be abused to host or relay malicious content without the company's direct knowledge," he explains, adding that jurisdictional complexity could also be at play: "Singapore's law enforcement may face challenges in coordinating with foreign entities and differentiating criminal use from legitimate operations. While Tencent is based in Singapore — they are a Chinese firm."

Two of the registrants were found to be from India and Dubai itself, with suspicious names suggesting that they originate from a legitimate company, according to the research. For the most part though, the cyberattackers have managed to keep their identity anonymous.

Tencent did not immediately return a request for comment.

**How Organizations in the Middle East Can Protect Against Cyber Fraud**

For organizations in the region, campaigns like this should prompt changes in risk management, Qureshi advises. Although the phishing messages are broad-based, in the age of the mobile office, even campaigns designed to hit individuals can end up affecting companies.

Common-sense security hygiene includes the basics, like double-checking the official domain of the Dubai government and the payment portal before proceeding with any payment, as well as looking for red flags like missing HTTPs protocol, broken links, out-of-place Web designs, or suspicious phrasing or grammar.

Qureshi advises organizations to take several additional steps to mitigate their risk, including:

*   Enhanced monitoring: Implement robust predictive phishing detection systems and actively monitor for misuse of branding;
    
*   Awareness programs: Train employees on phishing recognition and reporting;
    
*   Collaboration: Work with CERTs and law enforcement to address identified threats;
    
*   Incident response: Develop and test response plans to address phishing-related breaches;
    
*   Reporting: Alert phishing reporting websites such as Etisalat and DU when employees receive phishing messages;
    
*   And continuous vigilance: Adopt a proactive cybersecurity stance to protect brand reputation and customer trust.
    

And finally, "this Dubai Police campaign highlights the globalized nature of cybercrime, where local targets are exploited using international infrastructure," Qureshi warns. "The importance of cross-border cooperation and leveraging threat intelligence to stay ahead of evolving tactics cannot be overstated."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

Tag

#auth