Ubuntu Security Notice 6746-1 - It was discovered that Google Guest Agent and Google OS Config Agent incorrectly handled certain JSON files. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6746-1  
April 23, 2024

google-guest-agent, google-osconfig-agent vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

Google Guest Agent and OS Config Agent could be made to crash  
if it open a specially crafted JSON.

Software Description:  
- google-guest-agent: Google Compute Engine Guest Agent  
- google-osconfig-agent: Google OS Config Agent

Details:

It was discovered that Google Guest Agent and Google OS Config Agent incorrectly  
handled certain JSON files. An attacker could possibly use this issue to  
cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  google-guest-agent              20231004.02-0ubuntu1~23.10.3  
  google-osconfig-agent           20230504.00-0ubuntu2.2

Ubuntu 22.04 LTS:  
  google-guest-agent              20231004.02-0ubuntu1~22.04.4  
  google-osconfig-agent           20230504.00-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6746-1  
  CVE-2024-24786

Package Information:  
  https://launchpad.net/ubuntu/+source/google-guest-agent/20231004.02-0ubuntu1~23.10.3  
  https://launchpad.net/ubuntu/+source/google-osconfig-agent/20230504.00-0ubuntu2.2  
  https://launchpad.net/ubuntu/+source/google-guest-agent/20231004.02-0ubuntu1~22.04.4  
  https://launchpad.net/ubuntu/+source/google-osconfig-agent/20230504.00-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6746-1

It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line.

Kevin Bocek, Chief Innovation Officer, Venafi

April 23, 2024

5 Min Read

Source: Bakhtiar Zein via Alamy Stock Photo

COMMENTARY

OWASP recently released its top 10 list for large language model (LLM) applications, in an effort to educate the industry on potential security threats to be aware of when deploying and managing LLMs. This release is a notable step in the right direction for the security community, as developers, designers, architects, and managers now have 10 areas to clearly focus on. 

Similar to the National Institute of Standards and Technology (NIST) framework and Cybersecurity and Infrastructure Security Agency (CISA) guidelines provided for the security industry, OWSAP's list creates an opportunity for better alignment within organizations. With this knowledge, chief information security officers (CISOs) and security leaders can ensure the best security precautions are in place around the use of LLM technologies that are quickly evolving. LLMs are just code. We need to apply what we have learned about authenticating and authorizing code to prevent misuse and compromise. This is why identity provides the kill switch for AI, which is the ability to authenticate and authorize each model and their actions, and stop it when misuse, compromise, or errors occur.

**Adversaries Are Capitalizing on Gaps in Organizations**

As security practitioners, we've long talked about what adversaries are doing, such as data poisoning, supply chain vulnerabilities, excessive agency and theft, and more. This OWASP list for LLMs is proof that the industry is recognizing where risks are. To protect our organizations, we have to course correct quickly and be proactive. 

Generative artificial intelligence (GenAI) is putting a spotlight on a new wave of software risks that are rooted in the same capabilities that made it powerful in the first place. Every time a user asks an LLM a question, it crawls countless Web locations in an attempt to provide an AI-generated response or output. While every new technology comes with new risks, LLMs are especially concerning because they're so different from the tools we're used to.

Almost all of the top 10 LLM threats center around a compromise of authentication for the identities used in the models. The different attack methods run the gamut, affecting not only the identities of model inputs but also the identities of the models themselves, as well as their outputs and actions. This has a knock-on effect and calls for authentication in the code-signing and creating processes to halt the vulnerability at the source.

**Authenticating Training and Models to Prevent Poisoning and Misuse**

With more machines talking to each other than ever before, there must be training and authentication of the way that identities will be used to send information and data from one machine to another. The model needs to authenticate the code so that the model can mirror that authentication to other machines. If there's an issue with the initial input or model — because models are vulnerable and something to keep a close eye on — there will be a domino effect. Models, and their inputs, must be authenticated. If they aren't, security team members will be questioning if this is the right model they trained or if it's using the plug-ins they approved. When models can use APIs and other models' authentication, authorization must be well defined and managed. Each model must be authenticated with a unique identity.

We saw this play out recently with AT&T's breakdown, which was dubbed a "software configuration error," leaving thousands of people without cellphone service during their morning commute. The same week, Google experienced a bug that was very different but equally concerning. Google's Gemini image generator misrepresented historical images, causing diversity and bias concerns due to AI. In both cases, the data used to train GenAI models and LLMs — as well as the lack of guardrails around it — was the root of the problem. To prevent issues like this in the future, AI firms need to spend more time and money to adequately train the models and inform the data better. 

In order to design a bulletproof and secure system, CISOs and security leaders should design a system where the model works with other models. This way, an adversary stealing one model does not collapse the entire system, and allows for a kill-switch approach. You can shut off a model and keep working and protecting the company's intellectual property. This positions security teams in a much stronger way and prevents any further damages. 

**Acting on Lessons From the List **

For security leaders, I recommend taking OWASP's guidance and asking your CISO or C-level execs how the organization is scoring on these vulnerabilities overall. This framework holds us all more accountable for delivering market-level security insights and solutions. It is encouraging that we have something to show our CEO and board to illustrate how we're doing when it comes to risk preparedness. 

As we continue to see risks arise with LLMs and AI customer service tools, like we just did with Air Canada's chatbot giving a reimbursement to a traveler, companies will be held accountable for mistakes. It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line. 

In conclusion, this list serves as a great framework for rising Web vulnerabilities and the risks we need to pay attention to when using LLMs. While more than half of the top 10 risks are ones that are essentially mitigated and calling for the kill switch for AI, companies will need to evaluate their options when deploying new LLMs. If the right tools are in place to authenticate the inputs and models, as well as the models' actions, companies will be better equipped to leverage the AI kill-switch idea and prevent further destruction. While this may seem daunting, there are ways to protect your organization amid the infiltration of AI and LLMs in your network.

**About the Author(s)**

Chief Innovation Officer, Venafi

As Chief Innovation Officer, Kevin is leading Venafi’s growth in new innovations, and is at the forefront of Venafi’s cutting-edge machine identity management for workload identity, Kubernetes and AI. He also drives Venafi’s technology ecosystem and developer community to futureproof customer success and is responsible for the company’s Machine Identity Management Development Fund, which has sponsored innovations with more than 50 developers globally. Kevin brings more than 25 years of experience in cybersecurity with industry leaders including RSA Security, PGP Corporation, IronKey, CipherCloud, Thales, nCipher, and Xcert.

Lessons for CISOs From OWASP's LLM Top 10

State-sponsored groups are targeting critical vulnerabilities in virtual private network (VPN) gateways, firewall appliances, and other edge devices to make life difficult for incident responders, who rarely have visibility into the devices.

Source: Wright Studio via Shutterstock

Earlier this year, Mandiant Consulting's incident response team tracked an attack by a China-linked espionage group back to the compromise of an edge device in its client's network, but because the appliance is a closed system, the victim of the attack had to request a forensic image from the maker of the network appliance.

Two months later, the client is still waiting.

This difficulty in detecting — and then investigating — compromises of edge appliances highlights why many nation-state attackers are increasingly targeting firewalls, email gateways, VPNs, and other devices, says Charles Carmakal, CTO for Mandiant Consulting at Google Cloud. The threat groups not only evade detection longer, but even when defenders get wind of the attack, investigating the incident is much more difficult.

It's a problem that Mandiant deals with "all the time," he says.

"We have much better telemetry for Windows computers today, mostly because of the maturity of EDR \[endpoint detection and response\] solutions," Carmakal says. "The telemetry on edge devices ... is often completely nonexistent. To be able to triage and forensically examine the device, you've got to get a forensic image, but you can't just open up the device and pull the hard drive out."

Espionage attackers' shift to exploiting edge devices is one of the major trends that Google Cloud's Mandiant Consulting saw in 2023, according to the M-Trends 2024 report published on April 23. Overall, the company tracked and reported on more than two dozen campaigns and global events in 2023 related to its investigations.

The amount of time an attacker is active on a compromised systems before detection, known as dwell time, continued to shrink — to 10 days in 2023, down from 16 days the previous year. Ransomware accounted for 23% of Mandiant's investigations in 2023, up from 18% in 2022. Companies became aware of most incidents (54%) because a third party — often the attacker themselves, in the case of ransomware — notified the victim.

With ransomware often notifying victims, external detection rose to 54%. Source: Google Cloud's Mandiant

**Attackers Move to Less Visible Environments**

While edge devices require knowledgeable attackers to compromise and control them, these high-availability environments also usually offer their own utilities and features to deal with native formats and functionality. By "living off the land" and using the built-in capabilities, attackers can build more reliable malware and still run less risk of being detected, because of the lack of visibility defenders have into the internal operations of the devices.

"\[M\]any of these devices are put through rigorous testing regimes by the manufacturer during development to ensure their stability," Mandiant stated in the report. "China-nexus malware developers take advantage of the built-in functionality included in these systems ... leveraging native capabilities \[that can\] reduce the overall complexity of the malware by instead weaponizing existing features within that have been rigorously tested by the organization."

In one incident, Mandiant consultants discovered the BoldMove backdoor malware, Chinese attackers crafted to infect a Fortinet device, disabling two logging features and allowing the attacker to remain undetected for a longer period. BoldMove was created specifically for Fortinet environments.

Incident response efforts are also often hampered by the lack of easy access for consultants and defenders to the underlying operating system. With no way to analyze the underlying code to seek out compromised devices, incident responders often cannot determine the root cause of a compromise, says Mandiant's Carmakal.

"Some vendors refuse to give forensic images, \[which\] I understand ... because they have a lot of intellectual property on the device," he says. "Companies need to understand the scope and extent of a compromise, and if it starts on a network device, and you need to look into that."

**Exploit Use Rises, More Data Leak Sites**

Attackers have doubled down on using exploits as the initial access point for attacks, with 38% of attacks Mandiant investigated where it could determine an initial vector starting with an exploit. Phishing, a distant second place, accounted for 17% of the initial actions in an attack. Running a close third, prior compromises inadvertently left exploitable accounted for 15% of all initial access vectors.

"Attackers continue to leverage effective tactics to gain access to target environments and conduct their operations," the Mandiant report stated. "While the most popular infection vectors fluctuate, organizations must focus on defense-in-depth strategies. This approach can help mitigate the impact of both common and less frequent initial intrusion methods."

Finally, Mandiant investigators have also seen data leak sites (DLS) increase over time, which now account for more than a third (36%) of all financially motivated attacks.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Teetering on the Edge: VPNs, Firewalls' Nonexistent Telemetry Lures APTs

The five intelligence sources that power social engineering scams.

Source: LightField Studios Inc. via Alamy Stock Photo

COMMENTARY

Social engineering is one of the most prevalent attack vectors used by cyber scammers to infiltrate organizations. These manipulative attacks typically are executed in four phases: 

1.  Information gathering (attacker gathers information about the target)
    
2.  Relationship development (attacker engages the target and earns their trust)
    
3.  Exploitation (attacker persuades the target to carry out an action)
    
4.  Execution (the information collected through exploitation is operationalized to execute the attack)
    

The first phase obviously is the most important — without the right information, it can be difficult to execute a targeted social engineering attack. 

**Five Sources of Intelligence**

So how do attackers gather data about their targets? There are five sources of intelligence cybercriminals can use to gather and analyze information about their targets. They are:

1\. OSINT (open source intelligence)

OSINT is a technique hackers use to collect and assess publicly available information about organizations and their people. Threat actors can use OSINT tools to learn about their target's IT and security infrastructure; exploitable assets such as open ports and email addresses; IP addresses; vulnerabilities in websites, servers, and IoT (Internet of Things) devices; leaked or stolen credentials; and more. Attackers weaponize this information to launch social engineering attacks.

2\. SOCMINT (social media intelligence)

Although SOCMINT is a subset of OSINT, it deserves a mention. Most people voluntarily expose personal and professional details about their lives on popular social media platforms: their headshot, their interests and hobbies, their family, friends and connections, where they live and work, their current job position, and lots of other details. Using SOCINT tools such as Social Analyzer, Whatsmyname, and NameCheckup.com, attackers can filter social media activity and information about an individual and design targeted social engineering scams. 

3\. ADINT (advertising intelligence)

Say you download a free chess app on your phone. There's a small area on the app that serves location-based ads from sponsors and event organizers, updating users on local players, events, and chess meetups. Whenever this ad gets displayed, the app shares certain details about the user with the advertising exchange service, which includes things like IP addresses, the type of operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. Typically, ad exchanges store and process this information for serving up relevant ads based on user interest, activity, and location. Ad exchanges also sell this valuable data. What if a threat actor or a rogue government buys this information? That's exactly what intelligence agencies and adversaries have been doing to track activity and hack their targets. 

4\. DARKINT (Dark Web intelligence)

The Dark Web is a billion-dollar illicit marketplace transacting corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, et al. Billions of stolen records (personally identifiable information, healthcare records, banking and transaction data, corporate data, compromised credentials) are available for purchase on the Dark Web. Threat actors can purchase off-the-shelf data and mobilize it for their social engineering schemes. They can also choose to outsource professionals who will socially engineer people on their behalf or discover hidden vulnerabilities in target organizations. In addition, there are hidden online forums and instant messaging platforms (such as Telegram) where people can access information about potential targets. 

5\. AI-INT (AI intelligence)

Some analysts are calling AI the sixth intelligence discipline, on top of the five core disciplines. With recent advancements in generative AI technology like Google Gemini and ChatGPT, it's not hard to imagine cybercriminals deploying AI tools to mine, assimilate, process, and filter information about their targets. Threat researchers are already reporting the presence of malicious AI-based tools that are popping up in Dark Web forums such as FraudGPT and WormGPT. Such tools can significantly reduce the research time for social engineers and provide actionable information they can use to execute social engineering schemes. 

**What Can Businesses Do to Mitigate Social Engineering Attacks?**

The root cause of all social engineering attacks is information and the careless handling of it. If businesses and employees can reduce their information exposure, they will lower social engineering attacks by a significant degree. Here's how:

*   Train staff monthly: Using phishing simulators and classroom training, teach employees to avoid posting sensitive or personal information about themselves, their families, their coworkers, or the organization.
    
*   Draft AI-use policies: Make it clear to employees what is acceptable and unacceptable online behavior. For example, prompting ChatGPT with a line of code or proprietary data is unacceptable; responding to unusual or suspicious requests without proper verification is unacceptable.
    
*   Leverage the same tools hackers use: Use the same intelligence sources highlighted above to proactively understand how much information about your organization, your people, and your infrastructure is available online. Develop an ongoing process to reduce that exposure.
    

Good cybersecurity hygiene begins with clamping down on root causes. The root cause behind 80% to 90% of all cyberattacks is attributed to social engineering and bad judgement. Organizations must focus on two things primarily: reducing information exposure and controlling human behavior via training exercises and education. By applying efforts in these two areas, organizations can significantly reduce their threat exposure and the potential downstream impact of that exposure.

**About the Author(s)**

Founder & CEO, KnowBe4, Inc.

Stu Sjouwerman is founder and CEO of KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses.

Where Hackers Find Your Weak Spots

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

PRESS RELEASE

TEL AVIV, Israel -- (BUSINESS WIRE)-- Miggo, a cybersecurity startup introducing the first Application Detection and Response (ADR) platform, announced today $7.5 million in seed funding led by global cybersecurity VC firm YL Ventures with the participation of CCL (Cyber Club London), cybersecurity leaders from Elastic and Everon and former CISOs of Google, Zscaler and Nike. Miggo's ADR platform addresses a critical gap in application security by enabling security teams to detect and respond to targeted application attacks in real-time.

2023 saw a rise in high-profile application attacks that went undetected by traditional tools. The MOVEit, Microsoft SharePoint, Ivanti Gateway and GoAnywhere breaches highlight critical AppSec blind spots of application behavior in runtime and how attackers are hedging their bets on this well-known, ongoing security gap. According to Justin Somaini, Partner at YL Ventures and former CISO of Unity, SAP and Yahoo!, “Applications in production constitute one of the few true blind spots of today’s security programs. Last year’s incidents alone underscore how critically we need to secure the application layer. This is a space that still needs a lot of innovation to address what traditional tools cannot.”

Today, applications are the primary target of nearly 80% of data attacks, according to Verizon’s 2023 Data Breach Investigations Report. More recent shifts to distributed application architecture, which requires multiple chains of trust between different services, have further broadened the domain’s threat landscape. Attackers can manipulate flows between services without detecting existing security sensors like EDR, WAF and CNAPP tools. The only way to identify such malicious activity is with direct views into applications while they're running.

Under the leadership of Daniel Shechter, CEO and co-founder, and Itai Goldman, CTO and co-founder, Miggo developed a platform that analyzes interactions and data flows within applications to detect and mitigate attacks before they can escalate into breaches. "We need to proactively tackle this massive and largely unseen attack surface. Not only do we need precise detection and response for unexpected behaviors directly in live application environments, but also insight and understanding into the inner workings of today’s distributed applications as they run," explained Shechter.

Miggo's technology precisely discovers and maps the architecture of distributed applications to establish behavioral baselines and monitor for deviations from intended design or code execution flows. Leveraging live in-application context, Miggo determines if a deviation indicates that the application is exploitable, under active exploitation or backdoored, and initiates targeted mitigations to contain breaches by pinpointing the offender and affected areas to recommend precise remediation strategies.

The combined ability to detect live threats to applications and respond within the applications themselves are key innovations, according to CISO Mike Melo. “Miggo is finally providing transparency for our most significant attack vector with the exact tools each stakeholder requires to protect and defend mission-critical assets. ADR is the unified solution we need to not only give us application-layer visibility and control but also dramatically lower our mean time to detect and respond to application attacks,” he said.

Discover how Miggo can safeguard your applications against the next generation of cyber threats. Visit miggo.io for more information and to schedule a demo.

About Miggo  
Miggo is the first Application Detection and Response platform, providing the visibility, response and understanding you need to prevent application breaches. Using in-application context to shed light on your biggest attack surface, Miggo’s ADR enables businesses to monitor how applications behave in runtime and stop attackers from manipulating chains of trust between distributed services. With Miggo, monitor application weak spots and identify and mitigate attacks in real-time. Visit miggo.io for more information.

About YL Ventures  
YL Ventures funds and supports visionary cybersecurity entrepreneurs from seed to scale to help them evolve transformative ideas into market-leading companies. The firm accelerates company growth with tailored support through its powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of multidisciplinary experts. Based in Silicon Valley, New York and Tel Aviv, YL Ventures manages five funds with $800M in total AUM. The firm has a track record of seeding cybersecurity unicorns such as Axonius and Orca Security and its portfolio companies have been successfully acquired by high-profile, global industry leaders including Palo Alto Networks, Microsoft, Okta and Proofpoint. In 2022, YL Ventures ranked 8th out of over 250 venture capital firms in PitchBook’s prestigious Global Manager Performance Score League Tables and was the only cybersecurity-focused VC to secure a top 10 spot.

Miggo Launches Application Detection and Response (ADR) Solution

By Deeba Ahmed
Shadowboxing in Search Results: Tuta Mail De-ranked and Disappearing on Google!
This is a post from HackRead.com Read the original post: Tuta Mail (Tutanota) Accuses Google of Censoring Its Search Results

Is Google hiding Tuta Mail from search results? Here’s the controversy surrounding Tuta Mail’s search ranking and dig deeper into the potential violation of Europe’s DMA. Learn about algorithmic bias, the importance of search transparency, and how users can navigate a potentially unfair digital marketplace.

For many users seeking privacy-focused email solutions, the popular open-source encrypted email service Tuta Mail (previously Tutanota) is a great alternative to mainstream providers. However, the company recently raised concerns about its visibility in Google search results. 

****Tuta Mail Being De-ranked on Google?****

Hanover, Germany-based Tuta Mail, the world’s second-largest secure email service provider, isn’t appearing on Google for search terms like “encrypted email” or “secure email”. Moreover, a dramatic drop in search ranking for “Tutanota login” is observed, suggesting a potential violation of the European Digital Markets Act (DMA).

What happens when Tutanota login is typed in Google (Screenshot: Hackread.com)

According to Tuta Mail’s blog, its users in Germany cannot view Tuta’s website as the first result but only on their Android app on Google Play. It may have severe implications for Tuta’s business, despite being a Google-specific issue, because on other search engines, like Bing or DuckDuckGo, there’s no such issue. This lack of search visibility for relevant keywords can hinder Tuta’s ability to compete in the email service market and put them at a disadvantage. 

****Why Might Google Be De-ranking Tuta Mail?****

Tuta Mail’s lower ranking in Google search results could be due to various factors, including relevance, algorithmic bias, and technical issues. Google’s search algorithms prioritize user experience, and other email service providers may have higher relevance scores. Technical glitches or indexing problems can cause temporary website disappearance from search results, but this is highly unlikely for an established service like Tuta Mail. It is a complex issue and Google must address it to ensure transparency and user awareness. 

What’s more concerning is that it violates the DMA, which promotes fair competition for privacy-conscious companies. The DMA being a new regulation, is evolving its enforcement of search engine practices. If Tuta Mail has evidence of Google manipulating search results, they could file a complaint.

****Not the First Time for Tuta:****

Tuta Mail has been facing blockages from multiple sides. In 2022, Hackread.com reported Microsoft blocking Tutanota/Tuta Mail email addresses from registering for Microsoft Teams accounts, despite the service having over 2 million registered users.

Russia also blocked Tuta in certain parts of the country in February 2020 without notifying the team about the reason whereas the service has been blocked in Egypt since October 2019.

In a comment to Hackread.com, Matthias Pfau, co-founder of Tuta Mail, criticized Google’s monopoly over search engine results, specifically its impact on determining what to show and what not to show.

> _“This issue is limited to Google only. But due to Google’s search dominance in Europe and North America, the drop we see in search results directly affects our business: When potential users are not able to find our website on Google, it means we lose business. Google must stop this unfair limitation of showing our website in search results immediately. We have tried to contact Google directly, but since this did not work, we have to make the issue public.”_
> 
> Matthias Pfau, co-founder of Tuta Mail

1.  How Internet Censorship Affects You – Pros & Cons
2.  Google to Delete Inactive Gmail Accounts From Today
3.  Top 10 worst countries for Internet freedom & censorship
4.  Simple Yet Vital Tips to Send Documents Securely via Email
5.  Google Incognito Mode: New Disclaimer Reveals Data Tracking

Tuta Mail (Tutanota) Accuses Google of Censoring Its Search Results

Existing AI technology can allow hackers to automate exploits for public vulnerabilities in minutes flat. Very soon, diligent patching will no longer be optional.

Source: Rokas Tenys via Shutterstock

AI agents equipped with GPT-4 can exploit most public vulnerabilities affecting real-world systems today, simply by reading about them online.

New findings out of the University of Illinois Urbana-Champaign (UIUC) threaten to radically enliven what's been a somewhat slow 18 months in artificial intelligence (AI)-enabled cyber threats. Threat actors have thus far used large language models (LLMs) to produce phishing emails, along with some basic malware, and to aid in the more ancillary aspects of their campaigns. Now, though, with only GPT-4 and an open source framework to package it, they can automate the exploitation of vulnerabilities as soon as they hit the presses.

"I'm not sure if our case studies will help inform how to stop threats," admits Daniel Kang, one of the researchers. "I do think that cyber threats will only increase, so organizations should strongly consider applying security best practices."

**GPT-4 vs. CVEs**

To gauge whether LLMs could exploit real-world systems, the team of four UIUC researchers first needed a test subject.

Their LLM agent consisted of four components: a prompt, a base LLM, a framework — in this case ReAct, as implemented in LangChain — and tools such as a terminal and code interpreter.

The agent was tested on 15 known vulnerabilities in open source software (OSS). Among them: bugs affecting websites, containers, and Python packages. Eight were given "high" or "critical" CVE severity scores. There were 11 that were disclosed past the date at which GPT-4 was trained, meaning this would be the first time the model was exposed to them.

With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture.

Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability.

GPT-4, however, successfully exploited 13, or 87% of the total.

It only failed twice for utterly mundane reasons. CVE-2024-25640, a 4.6 CVSS-rated issue in the Iris incident response platform, survived unscathed because of a quirk in the process of navigating Iris' app, which the model couldn't handle. Meanwhile, the researchers speculated that GPT-4 missed with CVE-2023-51653 — a 9.8 "critical" bug in the Hertzbeat monitoring tool because its description is written in Chinese.

As Kang explains, "GPT-4 outperforms a wide range of other models on many tasks. This includes standard benchmarks (MMLU, etc.). It also seems that GPT-4 is much better at planning. Unfortunately, since OpenAI hasn't released the training details, we aren't sure why."

**GPT-4 Good**

As threatening as malicious LLMs might be, Kang says, "At the moment, this doesn't unlock new capabilities an expert human couldn't do. As such, I think it's important for organizations to apply security best practices to avoid getting hacked, as these AI agents start to be used in more malicious ways."

If hackers start utilizing LLM agents to automatically exploit public vulnerabilities, companies will no longer be able to sit back and wait to patch new bugs (if ever they were). And they might have to start using the same LLM technologies as well as their adversaries will.

But even GPT-4 still has some ways to go before it's a perfect security assistant, warns Henrik Plate, security researcher for Endor Labs. In recent experiments, Plate tasked ChatGPT and Google's Vertex AI with identifying samples of OSS as malicious or benign, and assigning them risk scores. GPT-4 outperformed all other models when it came to explaining source code and providing assessments for legible code, but all models yielded a number of false positives and false negatives.

Obfuscation, for example, was a big sticking point. "It looked to the LLM very often as if \[the code\] was deliberately obfuscated to make a manual review hard. But often it was just reduced in size for legitimate purposes," Plate explains.

"Even though LLM-based assessment should not be used instead of manual reviews," Plate wrote in one of his reports, "they can certainly be used as one additional signal and input for manual reviews. In particular, they can be useful to automatically review larger numbers of malware signals produced by noisy detectors (which otherwise risk being ignored entirely in case of limited review capabilities)."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive consumer data, as well as require it to provide consumers with a simple way to cancel services.

After a data breach in 2023 Cerebral disclosed that it had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 2019.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the combined information of all these pixels potentially provides a company with an almost complete picture of your browsing behavior and a lot of information about you.

The FTC statement claims that by using these tracking pixels, which are invisible to the website visitor unless they look at the underlying code, Cerebral provided the sensitive information of nearly 3.2 million consumers to these third parties.

The complaint points out that to get consumers to sign up for Cerebral’s services and to provide detailed personal data, the company claimed to offer “safe, secure, and discreet” services, saying that users’ data would be kept confidential.

Also, according to the complaint, the company specifically claimed in many instances that it would not share users’ data for marketing purposes without obtaining people’s consent.

Many organizations are unclear about how much information the social media companies behind the tracking pixels can gather. In the Notice of HIPAA Privacy Breach Cerebral disclosed that the following data were potentially exposed:

*   Full name
*   Phone number
*   Email address
*   Date of birth
*   IP address
*   Cerebral client ID number
*   Demographic information
*   Self-assessment responses and associated health information
*   Subscription plan type
*   Appointment dates
*   Treatment details and other clinical information
*   Health insurance/pharmacy benefit information

Among other penalties, Cerebral has to refund $5.1 million to customers who were impacted by deceptive cancellation practices and pay a $10 million civil penalty, limited to $2 million due to Cerebral’s inability to pay the full amount.

The number of breaches concerning health information is shocking. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the US Department of Health and Human Services Office for Civil Rights publishes a list of breaches that reveal unsecured protected health information affecting 500 or more individuals.

We have reported about similar cases that involved tracking pixels. Research done by TheMarkup in June of 2022 showed that Meta’s pixel showed up on the websites of 33 of the top 100 hospitals in America.

**Protecting yourself from a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million 

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell.
"The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby

Tag

#google