Authentication idea advanced but not yet fulfilled

Authentication idea advanced but not yet fulfilled

ANALYSIS Advances in technology over the last decade have enabled academics to make progress in creating so-called one-time programs.

One-time programs (OTPs) – originally presented at the Crypto ‘08 conference – describe a type of cryptographically obfuscated computer program that can be run only once, a special property that makes them useful for several applications and use cases.

OTPs were first proposed by researchers Goldwasser, Kalai, and Rothblum.

The general idea is that ‘Alice’ can send ‘Bob’ a computer program that is encrypted in such a way that:

1.  Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs.
2.  Bob can learn nothing about the secret program by running it.

The run-only-once requirement runs into trouble because it would be trivial to install a run-once-only program on multiple virtual machines, trying each one with different inputs. This would violate the whole premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob.

No such tokens were ever made, so the whole idea has lain dormant for more than a decade.

**OTP revived**

But now a team of computer scientists from Johns Hopkins University and NTT Research have laid the groundwork for how it might be possible to build one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services.

More specifically they have hacked ‘counter lockbox’ technology and applied its use to an unintended purpose. Counter lockboxes protect an encryption key under a user-specified password, enforcing a limited number of incorrect password guesses (typically 10) before the protected information is erased.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to cheat the system – the focus of the research.

**Garbled circuits**

The researchers’ work shows how multiple counter lockboxes might be chained together to form so-called ‘garbled circuits’, a construction that might be used to build one-time programs.

A paper describing this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography conference (TCC 2022).

The clearest application for OTPs is preventing brute-force attacks, says one researcher

  
**Hardware-route discounted**

One alternative means of constructing one-time programs, considered by the paper, is using tamper-proof hardware. But tamper-proof hardware would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, \[and\] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” Green explains.

RELATED Post-quantum cryptography hits standardization milestone

Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome.

In practical terms, someone could realize this technology by creating multiple iCloud or Google accounts and then using Apple’s iCloud Key Vault \[pdf\] or Google’s Titan Backup service to store a ‘backup key’ for each of them. This is anything but elegant and the computer scientists at John Hopkins are inviting other researchers to progressing their research by coming up with neater schemes.

**A bastion against brute-force attacks**

Harry Eldridge from Johns Hopkins University, who is lead author of the paper, told The Daily Swig that one-time programs could have multiple uses.

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords,” Eldridge explained. “For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.

“However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords \[such as a four-digit PIN\] can actually be pretty secure,” Eldridge added.

More generally this could be applied to other forms of authentication – for example if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan.

**‘Autonomous’ ransomware risk**

One danger posed by the approach is that bad guys might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.”

Read more of the latest encryption security news

The feedback on the work so far has been “generally positive”, according to Eldridge.

“\[Most agree\] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high,” Eldridge told The Daily Swig. “There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”

Professor Alan Woodward, a computer scientist at the University of Surrey, welcomed the research.

“It’s a nice paper and it doesn’t claim to be the ultimate answer: it gives a solution in the hope that others may find better ways of doing the same thing,” Prof. Woodward told The Daily Swig.

“If achievable it means one-time programs become viable, and that opens up an interesting array of applications where you want someone to be able to run your program but not to be able to undertake differential analysis to learn about how the program functions.”

RECOMMENDED Matrix address flaws that break message encryption assurances

Boffins rekindle one-time program cryptographic concept

The settlement muddies the waters even further for the viability of war exclusion clauses when it comes to cyber insurance.

Mondelez International, maker of Oreos and Ritz Crackers, has settled a lawsuit against its cyber insurer after the provider refused to cover a multimillion-dollar clean-up bill stemming from the sprawling NotPetya ransomware attack in 2017.

The snack giant originally brought the suit against Zurich American Insurance back in 2018, after NotPetya had completed its global cyber-ransacking of major multinational corporations, and the case has since been tied up in court. Terms of the deal have not been disclosed, but a "settlement" would indicate a compromise resolution — illustrating just how thorny an issue cyber-insurance exclusion clauses can be.

**NotPetya: Act of War?**

The lawsuit hinged on the contract terms in the cyber insurance policy — specifically, an exclusion carve-out for damages caused by acts of war.

NotPetya, which the US government in 2018 dubbed the "most destructive and costliest cyberattack in history," started out as compromising Ukrainian targets before spreading globally, ultimately impacting companies in 65 countries and costing billions in damage. It spread rapidly thanks to the use of the EternalBlue worming exploit in the attack chain, which is a leaked NSA weapon that allows malware to self-propagate from system to system using Microsoft SMB file shares. Notable victims of the attack included FedEx, shipping behemoth Maersk, and pharmaceutical giant Merck, among many others.

In the case of Mondelez, the malware locked up 1,700 of its servers and a staggering 24,000 laptops, leaving the corporation incapacitated and reeling from more than $100 million in damages, downtime, lost profits, and remediation costs.

As if that weren't tough enough to swallow, the food kahuna soon found itself choking on the response from Zurich American when it filed a cyber insurance claim: The underwriter had no intention of covering the costs, citing the aforementioned exclusion clause that included the language "hostile or warlike action in time of peace or war" by a "government or sovereign power."

Thanks to world governments' attribution of NotPetya to the Russian state, and the original mission of the attack to strike a known kinetic adversary of Moscow, Zurich American had a case — despite the fact that the Mondelez attack was certainly unintended collateral damage.

However, Mondelez argued that Zurich American's contract left some disputed crumbs on the table, as it were, given the lack of clarity in what could and could not be covered in an attack. Specifically, the insurance policy clearly stated that it would cover "all risks of physical loss or damage" — emphasis on "all" — "to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction." It's a situation that NotPetya perfectly embodies.

Caroline Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and midsize businesses (SMBs), notes that the lack of clear cyber insurance policy-wording left the door open for Mondelez' appeal — and should act as a cautionary message to others negotiating coverage.

"The scope of coverage, and the application of war exclusions, remains one of the most challenging areas for insurers as cyber threats continue to evolve, businesses increase their dependencies on digital operations, and geopolitical tensions continue to have widespread impact," she tells Dark Reading. "It is paramount for insurers to be familiar with the terms of their policy and seek clarification where needed, but also opt for modern cyber-policies that can evolve and adapt at the pace their risk and exposures do."

**War Exclusions**

There's one glaring issue in making war exclusions stick for cyber insurance: he difficulty in proving that attacks are indeed "acts of war" — a burden that generally requires determining on whose behalf they're carried out.

In the best of cases, attribution is more of an art than a science, with a shifting set of criteria underpinning any confident finger-pointing. Rationales for advanced persistent threat (APT) attribution often rely on far more than quantifiable technology artifacts, or overlaps in infrastructure and tooling with known threats.

Squishier criteria can include aspects such as victimology (i.e., are the targets consistent with state interests and policy goals?; the subject matter of social-engineering lures; coding language; level of sophistication (does the attacker need to be well-resourced? Did they use an expensive zero day?); and motive (is the attack bent on espionage, destruction, or financial gain?). There's also the issue of false-flag operations, where one adversary manipulates these levers to frame a rival or adversary.

"What is shocking to me is the idea of verifying that these attacks can be reasonably attributed to a state — how?" says Philippe Humeau, CEO and co-founder of CrowdSec. "It is well known that you can hardly track a decently skilled cybercriminal's base of operations, since air-gapping their operations is the first line of their playbook. Two, governments are not willing to actually admit they do provide cover for the cybercriminals in their countries. Three, cybercriminals in many parts of the world are usually some mix of corsairs and mercenaries, faithful to whatever entity/nation-state may be funding them, but totally expandable and deniable if there are ever questions about their affiliation."

That's why, absent a government taking responsibility for an attack a la terrorism groups, most threat-intelligence firms will caveat state-sponsored attribution with phrases like, "we determine with low/moderate/high confidence that XYZ is behind the attack," and, to boot, different firms may determine different sources for any given attack. If it's that difficult for professional cyber-threat-hunters to pin down the culprits, imagine how difficult it is for cyber-insurance adjusters operating with a fraction of the skills.

If the standard for proof of an act of war is wide governmental consensus, this also poses issues, Humeau says.

"Accurately attributing attacks to nation-states would require cross-country legal cooperation, which has historically proven to be both difficult and slow," says Humeau. "So the idea of attributing these attacks to nation-states who will never 'fess up to it leaves too much room for doubt, legally speaking."

**An Existential Threat to Cyber Insurance?**

To Thompson's point, one of the realities in today's environment is the sheer volume of state-sponsored cyber activity in circulation. Bryan Cunningham, attorney and advisory council member at data security company Theon Technology, notes that if more and more insurers simply deny all claims stemming from such activity, there could be very few payouts indeed. And, ultimately, companies may not see cyber-insurance premiums as worth it anymore.

"If a significant number of judges actually begin allowing carriers to exclude coverage for cyberattacks just upon a claim that a nation-state was involved, this will be as devastating to the cyber insurance ecosystem as 9/11 was (temporarily) to commercial real estate," he says. "As a result, I do not think many judges will buy this, and proof, in any event, will almost always be difficult."

In a different vein, Ilia Kolochenko, chief architect and CEO of ImmuniWeb, notes that the cybercriminals will find a way to use the exclusions to their advantage — undercutting the value of having a policy even further.

"The problem stems from a possible impersonation of well-known cyber-threat actors," he says. "For instance, if cybercriminals — unrelated to any state — wish to amplify the damage caused to their victims by excluding the eventual insurance coverage, they may simply try to impersonate a famous state-backed hacking group during their intrusion. This will undermine trust in the cyber-insurance market, as any insurance may become futile in the most serious cases that actually require the coverage and justify the premiums paid."

**The Question of Exclusions Remains Unsettled**

Even though the Mondelez-Zurich American settlement would seem to indicate that the insurer succeeded in at least partially making its point (or perhaps neither side had the stomach for incurring further legal costs), there is conflicting legal precedent.

Another NotPetya case between Merck and ACE American Insurance over the same issue was put to bed in January, when the Superior Court of New Jersey ruled that act of war exclusions only extend to real-world physical warfare, resulting in the underwriter paying up a heaping $1.4 billion serving of claims settlement.

Despite the unsettled nature of the area, some cyber-insurers are going forward with war exclusions, most notably Lloyd's of London. In August the market stalwart told its syndicates that they will be required to exclude coverage for state-backed cyberattacks beginning in April 2023. The idea, the memo noted, is to protect insurance companies and their underwriters from catastrophic loss.

Even so, success for such policies remains to be seen.

"Lloyd's, and other carriers, are working on making such exclusions stronger and absolute, but I think this, too, ultimately will fail because the cyber-insurance industry likely could not survive such changes for long," Theon's Cunningham says.

Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit

Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.

FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, one of this year's most prolific ransomware families.

That's the conclusion of researchers at SentinelOne based on what they say are various similarities in the tactics, techniques, and procedures between the Black Basta campaign and previous FIN7 campaigns. Among them are similarities in a tool for evading endpoint detection and response (EDR) products; similarities in packers for packing Cobalt Strike beacon and a backdoor called Birddog; source code overlaps; and overlapping IP addresses and hosting infrastructure.

**A Collection of Custom Tools**

SentinelOne's investigation into Black Basta's activities also unearthed new information about the threat actor's attack methods and tools. For example, the researchers found that in many Black Basta attacks, the threat actors use a uniquely obfuscated version of the free command-line tool ADFind for gathering information about a victim's Active Directory environment.

They found Black Basta operators are exploiting last year's PrintNightmare vulnerability in Windows Print Spooler service (CVE-2021-34527) and the ZeroLogon flaw from 2020 in Windows Netlogon Remote Protocol (CVE-2020-1472) in many campaigns. Both vulnerabilities give attackers a way to gain administrative access on domain controllers. SentinelOne said it also observed Black Basta attacks leveraging "NoPac," an exploit that combines two critical Active Directory design flaws from last year (CVE-2021-42278 and CVE-2021-42287). Attackers can use the exploit to escalate privileges from that of a regular domain user all the way to domain administrator.

SentinelOne, which began tracking Black Basta in June, observed the infection chain beginning with the Qakbot Trojan-turned-malware dropper. Researchers found the threat actor using the backdoor to conduct reconnaissance on the victim network using a variety of tools including AdFind, two custom .Net assemblies, SoftPerfect's network scanner, and WMI. It's after that stage that the threat actor attempts to exploit the various Windows vulnerabilities to move laterally, escalate privileges, and eventually drop the ransomware. Trend Micro earlier this year identified the Qakbot group as selling access to compromised networks to Black Basta and other ransomware operators. 

"We assess it is highly likely the Black Basta ransomware operation has ties with FIN7," SentinelOne's SentinelLabs said in a blog post on Nov. 3. "Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7."

**Sophisticated Ransomware Threat**

The Black Basta ransomware operation surfaced in April 2022 and has claimed at least 90 victims through the end of September. Trend Micro has described the ransomware as having a sophisticated encryption routine that likely uses unique binaries for each of its victims. Many of its attacks have involved a double-extortion technique where the threat actors first exfiltrate sensitive data from a victim environment before encrypting it. 

In the third quarter of 2022, Black Basta ransomware infections accounted for 9% of all ransomware victims, putting it in second place behind LockBit, which continued by far to be the most prevalent ransomware threat — with a 35% share of all victims, according to data from Digital Shadows.

"Digital Shadows has observed the Black Basta ransomware operation targeting the industrial goods and services industry, including manufacturing, more than any other sector," says Nicole Hoffman, senior cyber-threat intelligence analyst, at Digital Shadows, a ReliaQuest company. "The construction and materials sector follows close behind as the second most targeted industry to date by the ransomware operation."

FIN7 has been a thorn in the side of the security industry for a decade. The group's initial attacks focused on credit and debit card data theft. But over the years, FIN7, which has also been tracked as the Carbanak Group and Cobalt Group, has diversified into other cybercrime operations as well, including most recently into the ransomware realm. Several vendors — including Digital Shadows — have suspected FIN7 of having links to multiple ransomware groups, including REvil, Ryuk, DarkSide, BlackMatter, and ALPHV. 

"So, it would not be surprising to see yet another potential association," this time with FIN7, Hoffman says. "However, it is important to note that linking two threat groups together does not always mean that one group is running the show. It is realistically possible the groups are working together."

According to SentinelLabs, some of the tools that the Black Basta operation uses in its attacks suggest that FIN7 is attempting to disassociate its new ransomware activity from the old. One such tool is a custom defense-evasion and impairment tool that appears to have been written by a FIN7 developer and has not been observed in any other ransomware operation, SentinelOne said.

FIN7 Cybercrime Group Likely Behind Black Basta Ransomware Campaign

Welcome to this week’s edition of the Threat Source newsletter.
I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase

Thursday, November 3, 2022 16:11

Welcome to this week’s edition of the Threat Source newsletter.

I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase of Twitter and the subsequent exodus led me down the nostalgic path of thinking about how times change and platforms change but things largely remain the same. Until now. We’ve grown as an entire internet community and we remember the pain of moving from app to app and site to site. Many top infosec follows have deactivated their accounts while others are weighing when and if they will leave. Several have moved to decentralized solutions like mastodon.social which saw an uptick of more than 70,000 new users in a single day after the purchase was official. In theory Mastadon can’t be controlled by a single person or entity and to me it feels like this is the next step in our path as an internet community. Will it catch on and be the answer to all of our needs? Doubtful. It is a step in the evolution of the internet and I’m very interested to see what the next adaptation brings.

**The one big thing**

Cisco Talos Incident Response recently released their Quarterly Report highlighting the ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. This quarter saw ongoing Qakbot, Hive, and Vice Society activity as well as the emergence of Black Basta, which first surfaced in April 2022. Adversaries continue to leverage not only LoLBins but a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. Defenders continue to struggle with MFA rollouts, as lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services.

**Why do I care?**

Understanding the current tools and trends used by attackers, as well as understanding the vulnerabilities that are targeted are intrinsic to good security posture. Knowing your environment is step one. Understanding that same environment from the view of the attacker is the next step. Per the report “In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.”

**So now what?**

Ensuring that you know your environment and are covering the base of the security pyramid well is critical. Patch, self-assess, and follow trusted threat intelligence sources. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication and to disable or delete inactive accounts from Active Directory to prevent suspicious activity.

For the OpenSSL vulnerability we strongly recommend users mitigate affected OpenSSL systems as soon as possible by upgrading to version 3.0.7. Talos has released coverage across the device portfolio including Snort Rules: 60790, 300306-300307 to protect against exploitation of CVE-2022-3602 and ClamAV signature, Multios.Exploit.CVE\_2022\_3602-9976476-0, to detect malware artifacts related to this threat.

**Top security headlines of the week**

Security researchers were once again falsely implied by a ransomware gang in an effort to indicate their involvement. This time around Azov implicated BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, Lawrence Abrams, and Vitali Kremez, urging infected users to contact them via their accounts on Twitter to recover files.

Dropbox was the target of a recent phishing campaign that led to attackers gaining access to code stored in Github and copying 130 code repositories, including third-party libraries, internal software projects, and a few tools and configuration files maintained by the Dropbox security team. The attackers didn't gain access to any user content, passwords, or payment information. The Dropbox security team released a report detailing how they handled the incident.

**Can't get enough Talos?**

*   https://blog.talosintelligence.com/researcher-spotlight-how-azim-khodjibaev-went-from-hunting-real-world-threats-to-threats-on-the-dark-web/
*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q3-2022/
*   https://blog.talosintelligence.com/openssl-vulnerability/
*   https://youtu.be/KhG6RUZgMas

**Upcoming events where you can find Talos**

BSides Lisbon (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

  
SHA256:  
d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86  
MD5: 69fbf6849d935432bac8b04bdb00fd68  
Typical Filename: KMSAuto++.exe  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
MD5: d47fa115154927113b05bd3c8a308201  
Typical Filename: outlook.exe  
Claimed Product: MS Outlook  
Detection Name: W32.00AB15B194-95.SBX.TG

Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!

Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them.

**  
Zettlr \[_ˈset·lər_\]**

**A Markdown Editor for the 21st century**.

     

Homepage | Download | Documentation | Discord | Contributing | Support Us

With Zettlr, writing professional texts is easy and motivating: Whether you are a college student, a researcher, a journalist, or an author — Zettlr has the right tools for you. Watch the video or continue reading to see what they are!

Visit our Website.

**Features**

*   Available in over a dozen languages
*   Tight and ever-growing **integration with your favourite reference manager** (such as Zotero or JabRef)
*   **Cite with Zettlr** using citeproc and your existing literature database
*   Five **themes and dark mode support**
*   File-agnostic writing: Enjoy **full control over your own files**
*   Keep all your notes and texts **in one place** — searchable and accessible
*   **Code highlighting** for many languages
*   Simple and beautiful **exports** with Pandoc, LaTeX, and Textbundle
*   Support for state of the art knowledge management techniques (**Zettelkasten**)
*   A revolutionary **search algorithm** with integrated heatmap

… and the best is: **Zettlr is Open Source (FOSS)!**

**Installation**

To install Zettlr, just download the latest release for your operating system! Currently supported are macOS, Windows, and most Linux distributions (via Debian- and Fedora-packages as well as AppImages).

All other platforms that Electron supports are supported as well, but you will need to build the app yourself for this to work.

**Please also consider becoming a patron or making a one-time donation!**

**Getting Started**

After you have installed Zettlr, head over to our documentation to get to know Zettlr. Refer to the Quick Start Guide, if you prefer to use software heads-on.

**Contributing**

Zettlr is an Electron\-based app, so to start developing, you'll need to have:

1.  A NodeJS\-stack installed on your computer. Make sure it's at least Node 14 (lts/fermium). To test what version you have, run node -v.
2.  Yarn installed. Yarn is the required package manager for the project, as we do not commit package-lock.json\-files and many commands require yarn. You can install this globally using npm install -g yarn or Homebrew, if you are on macOS.

Then, simply clone the repository and install the dependencies on your local computer:

$ git clone https://github.com/Zettlr/Zettlr.git
$ cd Zettlr
$ yarn install --frozen-lockfile

The --frozen-lockfile flag ensures that yarn will stick to the versions as listed in the yarn.lock and not attempt to update them.

During development, hot module reloading is active so that you can edit the renderer's code easily and hit F5 after the changes have been compiled by electron-forge. You can keep the developer tools open to see when HMR has finished loading your changes.

**What Should I Know To Contribute Code?**

In order to provide code, you should have basic familiarity with the following topics and/or manuals (ordered by importance descending):

*   JavaScript (especially asynchronous code) and TypeScript
*   Node.js
*   Electron
*   Vue.js (2.x) and Vuex
*   CodeMirror (5.x)
*   ESLint
*   LESS
*   Webpack 5.x
*   Electron forge
*   Electron builder

> Note: See the "Directory Structure" section below to get an idea of how Zettlr specifically works.

**Development Commands**

This section lists all available commands that you can use during application development. These are defined within the package.json and can be run from the command line by prefixing them with yarn. Run them from within the base directory of the repository.

**start**

Starts electron-forge, which will build the application and launch it in development mode. This will use the normal settings, so if you use Zettlr on the same computer in production, it will use the same configuration files as the regular application. This means: be careful when breaking things. In that case, it's better to use test-gui.

**package**

Packages the application, but not bundle it into an installer. Without any suffix, this command will package the application for your current platform and architecture. To create specific packages (may require running on the corresponding platform), the following suffixes are available:

*   package:mac-x64 (Intel-based Macs)
*   package:mac-arm (Apple Silicon-based Macs)
*   package:win-x64 (Intel-based Windows)
*   package:win-arm (ARM-based Windows)
*   package:linux-x64 (Intel-based Linux)
*   package:linux-arm (ARM-based Linux)

The resulting application packages are stored in ./out.

> This command will skip typechecking to speed up builds, so be extra cautious.

**release:{platform-arch}**

Packages the application and then bundles it into an installer for the corresponding platform and architecture. To create such a bundle (may require running on the corresponding platform), one of the following values for {platform-arch} is required:

*   release:mac-x64 (Intel-based Macs)
*   release:mac-arm (Apple Silicon-based Macs)
*   release:win-x64 (Intel-based Windows)
*   release:win-arm (ARM-based Windows)
*   release:linux-x64 (Intel-based Linux)
*   release:linux-arm (ARM-based Linux)

The resulting setup bundles are stored in ./release.

> Please note that, while you can package directly for your platform without any suffix, for creating a release specifying the platform is required as electron-builder would otherwise include the development-dependencies in the app.asar, resulting in a bloated application.

**lang:refresh**

This downloads the four default translations of the application from Zettlr Translate, with which it is shipped by default. It places the files in the static/lang\-directory. Currently, the default languages are: German (Germany), English (USA), English (UK), and French (France).

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**csl:refresh**

This downloads the Citation Style Language (CSL) files with which the application is shipped, and places them in the static/csl-locales\- and static/csl-styles\-directories respectively.

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**lint**

This simply runs ESLint. Apps such as Atom or Visual Studio Code will automatically run ESLint in the background, but if you want to be extra-safe, make sure to run this command prior to submitting a Pull Request.

> This command will run automatically on each Pull Request to check your code for inconsistencies.

**reveal:build**

This re-compiles the source-files needed by the exporter for building reveal.js\-presentations. Due to the nature of how Pandoc creates such presentations, Zettlr needs to modify the output by Pandoc, which is why these files need to be pre-compiled.

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**test**

This runs the unit tests in the directory ./test. Make sure to run this command prior to submitting a Pull Request, as this will be run every time you commit to the PR, and this way you can make sure that your changes don't break any tests, making the whole PR-process easier.

**test-gui**

Use this command to carefree test any changes you make to the application. This command will start the application as if you ran yarn start, but will provide a custom configuration and a custom directory.

> This command will skip typechecking to speed up builds, so be extra cautious.

**The first time you start this command**, pass the --clean\-flag to copy a bunch of test-files to your ./resources\-directory, create a test-config.yml in your project root, and start the application with this clean configuration. Then, you can adapt the test-config.yml to your liking (so that certain settings which you would otherwise _always_ set will be pre-set without you having to open the preferences).

Whenever you want to reset the test directory to its initial state (or you removed the directory, or cloned the whole project anew), pass the flag --clean to the command in order to create or reset the directory. **This is also necessary if you changed something in test-config.yml**.

You can pass additional command-line switches such as --clear-cache to this command as well. They will be passed to the child process.

> Attention: Before first running the command, you **must** run it with the --clean\-flag to create the directory in the first place!

Additionally, have a look at our full development documentation.

**Directory Structure**

Zettlr is a mature app that has amassed hundreds of directories over the course of its development. Since it is hard to contribute to an application without any guidance, we have compiled a short description of the directories with how they interrelate.

    .
    ├── resources                      # Contains resource files
    │   ├── NSIS                       # Images for the Windows installer
    │   ├── icons                      # Icons used to build the application
    │   ├── screenshots                # The screenshots used in this README file
    ├── scripts                        # Scripts that are run by the CI and some YARN commands
    │   ├── assets                     # Asset files used by some scripts
    │   └── test-gui                   # Test files used by `yarn test-gui`
    ├── source                         # Contains the actual source code for the app
    │   ├── app                        # Contains service providers and the boot/shutdown routines
    │   ├── common                     # Common files used by several or all renderer processes
    │   │   ├── fonts                  # Contains the font files (note: location will likely change)
    │   │   ├── img                    # Currently unused image files
    │   │   ├── less                   # Contains the themes (note: location will likely change)
    │   │   ├── modules                # Contains renderer modules
    │   │   │   ├── markdown-editor    # The central CodeMirror markdown editor
    │   │   │   ├── preload            # Electron preload files
    │   │   │   └── window-register    # Run by every renderer during setup
    │   │   ├── util                   # A collection of utility functions
    │   │   └── vue                    # Contains Vue components used by the graphical interface
    │   ├── main                       # Contains code for the main process
    │   │   ├── assets                 # Static files (note: location will likely change)
    │   │   ├── commands               # Commands that perform user-actions, run from within zettlr.ts
    │   │   └── modules                # Main process modules
    │   │       ├── document-manager   # The document manager handles all open files
    │   │       ├── export             # The exporter converts Markdown files into other formats
    │   │       ├── fsal               # The File System Abstraction Layer provides the file tree
    │   │       ├── import             # The importer converts other formats into Markdown files
    │   │       └── window-manager     # The window manager manages all application windows
    │   ├── win-about                  # Code for the About window
    │   ├── win-custom-css             # Code for the Custom CSS window
    │   ├── win-defaults               # Code for the defaults file editor
    │   ├── win-error                  # The error modal window
    │   ├── win-log-viewer             # Displays the running logs from the app
    │   ├── win-main                   # The main window
    │   ├── win-paste-image            # The modal displayed when pasting an image
    │   ├── win-preferences            # The preferences window
    │   ├── win-print                  # Code for the print and preview window
    │   ├── win-quicklook              # Code for the Quicklook windows
    │   ├── win-stats                  # Code for the general statistics window
    │   ├── win-tag-manager            # Code for the tag manager
    │   └── win-update                 # The dedicated update window
    ├── static                         # Contains static files, cf. the README-file in there
    └── test                           # Unit tests
    

**On the Distinction between Modules and Service Providers**

You'll notice that Zettlr contains both "modules" and "service providers". The difference between the two is simple: Service providers run in the main process and are completely autonomous while providing functionality to the app as a whole. Modules, on the other hand, provide functionality that must be triggered by user actions (e.g. the exporter and the importer).

**The Application Lifecycle**

Whenever you run Zettlr, the following steps will be executed:

0.  Execute source/main.ts
1.  Environment check (source/app/lifecycle.ts::bootApplication)
2.  Boot service providers (source/app/lifecycle.ts::bootApplication)
3.  Boot main application (source/main/zettlr.ts)
4.  Load the file tree and the documents
5.  Show the main window

And when you shut down the app, the following steps will run:

1.  Close all windows except the main window
2.  Attempt to close the main window
3.  Shutdown the main application (source/main/zettlr.ts::shutdown)
4.  Shutdown the service providers (source/app/lifecycle.ts::shutdownApplication)
5.  Exit the application

During development of the app (yarn start and yarn test-gui), the following steps will run:

1.  Electron forge will compile the code for the main process and each renderer process separately (since these are separate processes), using TypeScript and webpack to compile and transpile.
2.  Electron forge will put that code into the directory .webpack, replacing the constants you can find in the "create"-methods of the window manager with the appropriate entry points.
3.  Electron forge will start a few development servers to provide hot module reloading (HMR) and then actually start the application.

Whenever the app is built, the following steps will run:

1.  Electron forge will perform steps 1 and 2 above, but instead of running the app, it will package the resulting code into a functional app package.
2.  Electron builder will then take these pre-built packages and wrap them in a platform-specific installer (DMG-files, Windows installer, or Linux packages).

Electron forge will put the packaged applications into the directory ./out while Electron builder will put the installers into the directory ./release.

**Command-Line Switches**

The Zettlr binary features a few command line switches that you can make use of for different purposes.

**--launch-minimized**

This CLI flag will instruct Zettlr not to show the main window on start. This is useful to create autostart entries. In that case, launching Zettlr with this flag at system boot will make sure that you will only see its icon in the tray.

Since this implies the need to have the app running in the tray bar or notification area when starting the app like this, it will automatically set the corresponding setting system.leaveAppRunning to true.

> Note: This flag will not have any effect on Linux systems which do not support displaying an icon in a tray bar or notification area.

**--clear-cache**

This will direct the File System Abstraction Layer to fully clear its cache on boot. This can be used to mitigate issues regarding changes in the code base. To ensure compatibility with any changes to the information stored in the cache, the cache is also automatically cleared when the version field in your config.json does not match the one in the package.json, which means that, as long as you do not explicitly set the version\-field in your test-config.yml, the cache will always be cleared on each run when you type yarn test-gui.

**--data-dir=path**

Use this switch to specify custom data directory, which holds your configuration files. Without this switch data directory defaults to %AppData%/Zettlr (on Windows 10), ~/.config/Zettlr (on Linux), etc. The path can be absolute or relative. Basis for the relative path will be either the binary's directory (when running a packaged app) or the repository root directory (when running an app that is not packaged). If the path contains spaces, do not forget to escape it in quotes. ~ to denote home directory does not work. Due to the bug in Electron an empty Dictionaries subdirectory is created in the default data directory, but it does not impact functionality.

**--disable-hardware-acceleration**

This switch causes Zettlr to disable hardware acceleration, which could be necessary in certain setups. For more information on why this flag was added, see issue #2127.

**VSCode Extension Recommendations**

This repository makes use of Visual Studio Code's recommended extensions feature. This means: If you use VS Code and open the repository for the first time, VS Code will tell you that the repository recommends to install a handful of extensions. These extensions are recommended if you work with Zettlr and will make contributing much easier. The recommendations are specified in the file .vscode/extensions.json.

Since installing extensions is sometimes a matter of taste, we have added short descriptions for each recommended extension within that file to explain why we recommend it. This way you can make your own decision whether or not you want to install any of these extensions (for example, the SVG extension is not necessary if you do not work with the SVG files provided in the repository).

If you choose not to install all of the recommended extensions at once (which we recommend), VS Code will show you the recommendations in the extensions sidebar so you can first decide which of the ones you'd like to install and then manually install those you'd like to have.

> Using the same extensions as the core developer team will make the code generally more consistent since you will have the same visual feedback.

**License**

This software is licensed via the GNU GPL v3-License.

The brand (including name, icons and everything Zettlr can be identified with) is excluded and all rights reserved. If you want to fork Zettlr to develop another app, feel free but please change name and icons. Read about the logo usage.

CVE-2022-40276: GitHub - Zettlr/Zettlr: A Markdown Editor for the 21st century.

By Owais Sultan
Next gen SIEM is a cloud-native cyberscurity tool that utilizes artificial intelligence and machine learning to discover malicious activity in real-time.
This is a post from HackRead.com Read the original post: 4 Major Benefits of Next Gen SIEM

Security analysts are **up against more cyberattacks than ever**, increased attack surfaces, and more protective tools on the cloud and premises than ever before.

All of that is accompanied by cybersecurity experts that are leaving the field. Stress, poor company culture, and long hours have prompted top talent to seek alternative employment.

Bombarded with alerts and understaffed, those who stay need all the help they can get.

This also means that they require tools that aid them in decreasing manual labor and, essentially, working smarter instead of harder.

For example, next-generation security information and event management (AKA next-gen SIEM) is a tool that addresses the key issues security experts have been dealing with for years.

What is this solution all about, and what are the major **advantages of next gen SIEM** over traditional SIEM technology?

We uncover the details below.

**What Is Next Gen SIEM, Exactly?**

Next gen SIEM is a cloud-native cybersecurity tool that utilizes artificial intelligence and machine learning to discover malicious activity in real time.

SIEM, the predecessor of the next gen SIEM solution, has been notorious for its **high number of alerts**, a large quantity of data that is not properly categorized, and poor quality of information concerning threats within systems.

The new and improved version of the tool (next gen SIEM) is more precise, less overwhelming for security teams, and makes data more manageable.

The main advantages of the next gen SIEM include:

*   The early discovery of threats
*   Unified data management
*   Reduced alert fatigue
*   Simpler scaling of security 

Let’s break down these benefits even further.

**#1 Early Discovery of Threats**

Since it relies on artificial intelligence, next gen SIEM is an automated tool that can detect critical issues within the infrastructure early. 

The data that is gathered from the versatile security solutions is both streamlined and actionable, helping teams to react promptly — close security gaps or mitigate threats as they appear within the system.

This includes **zero-day attacks** as well. Dubbed zero-day, such threats refer to weaknesses that have been exploited before IT teams had a chance to patch them up — the teams have zero days to fix them.

Considering that next gen SIEM utilizes machine learning and continually learns about the regular behavior within the system, it’s quick to detect anomalies that point to high-risk threats.

Identifying security issues on time is essential because **prompt reaction time cuts costs** that a company would have to allocate in order to repair the aftermath of a cyberattack.

**#2 Unified Data Management**

One of the major pain points of traditional SIEM has been managing the large quantity of data as well as discerning the important information.

Within the next gen tool, the information is automatically categorized and contextualized — regardless of its quantity.

The best next gen SIEM tool unifies the information in a single platform — this includes third-party data as well as that unique to one’s architecture.

For the teams that manage security, having all the essential data within a single dashboard means they can find the information they need quickly as well as identify the issue in time.

**#3 Reduced Alert Fatigue**

Traditional SIEM is an alert-happy tool that generates an overwhelming number of notifications from separate tools. Even more, those alerts come from multiple dashboards that have to change all the time. Shifting from one to another **causes alert fatigue** (PDF).

Alarms would be raised on any change within the network, and IT teams would have to discern whether the alert is something to worry about, wasting time as they discover to which extent the system has been affected as well as where the threat is exactly.

Many of these alerts are false positives — not high-risk issues that are likely to turn into cyber incidents.

As a result, security experts are likely to disregard even those alerts that flag real concerns.

Next gen SIEM is designed to facilitate understaffed and overworked teams that are tired of playing catch-up. 

Nuanced data analytics and automation link alert with exact incidents that are taking place in real-time. 

In short — fewer alerts coming from one dashboard make for happier security teams and leave them with more time to focus on more challenging issues.

**#4 Simpler Scaling of Security**

Security has to keep up with the changes within the company’s systems. As more and more organizations rely on the cloud, they require solutions that can be easily deployed.

This involves relying on security tools that can adapt to both growing and complex infrastructures.

Namely, most architectures nowadays are a combination of several cloud deployments (multi-cloud) and structures on the premises.

All the devices and software that are being added (whether it’s a new remote worker’s device or more cloud storage) have to be protected with versatile security points and continually managed afterward.

More complex structures and a larger number of tools generate even more data about security that has to be categorized on the go.

Next gen SIEM is a cloud-powered tool that can be adjusted based on the needs of growing companies.

The scalability of big data is an important feature of the tool as well because it is designed to add more volume within the **cloud-based solution**.

**Final Word**

In a nutshell, next gen SIEM delivers on the empty promises of its forerunner (SIEM).

Traditional SIEM is slowly fading into the past as next gen technology takes its place by fixing the headache-inducing shortcomings such as poor data quality, an overwhelming number of alerts, and failure to detect zero-day attacks.

For businesses, this means better security for a lower price tag and having security teams that are less overworked and overwhelmed with the incoming data that is being generated from multiple siloed tools.

What’s more, next gen SIEM also created the security that can keep up with the rapidly advancing technology, large quantities of information, and complex infrastructures of modern businesses.

1.  **Free and Best OSINT Tools**
2.  **Tools for Testing Your Proxy Servers**
3.  **CISA Publishes List of Free Cybersecurity Tools and Services**
4.  **Psst! tool by 1Password lets users share passwords using a link**
5.  **New Underactor tool reveals pixelated text to expose sensitive data**

4 Major Benefits of Next Gen SIEM

Banco de Crédito Cooperativo (BCC) wins the first hyper-realistic cybersecurity competition for the financial industry.

**RESTON, Va. and BOSTON, Nov. 3, 2022 /PRNewswire/ —** FS-ISAC, the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, and Cyberbit, provider of the world's leading cybersecurity skill development and readiness platform, announced today that team "IsNotTheEDR" from Banco de Crédito Cooperativo (BCC) is the winner of the first International Cyber League (ICL) Financial Cup, 2022 – the first hyper-realistic cybersecurity tournament for the financial industry. The first runner-up is team "Suboptimal" from a leading Fortune 500 financial institution, the second runner-up is Team "AskITTeam" from BCC and the third runner up is team "TIAA" from TIAA.

The tournament ran from 6-26 October 2022 and challenged cybersecurity teams from the financial sector to respond to live-fire cyberattack simulations replicating attacks they may encounter in real life. Teams were scored based on typical incident response KPIs including investigation, eradication, and remediation goals, as well as their response times. The BCC team outperformed 55 cyber defense teams from leading financial organizations around the world and scored a perfect 100 in the live-fire challenge. The Cyberbit platform, normally used by enterprises to train and upskill information security teams, as well as for FS-ISAC's monthly cyber range workshops, was repurposed to power the ICL competition. The platform provided a virtual arena that emulated an organizational network and a virtual security operations center (SOC) that simulated the live attacks and automatically scored the teams based on their achievements.

The ICL reinvents cybersecurity competition formats by assessing cyber defense skills in real-world scenarios, allowing teams to predict their performance during an attack. Traditional Capture-the-Flag (CTF) events test offensive skills, but these do not reflect the capabilities that cyber defenders will be required to demonstrate during an attack. The ICL leverages cyber range live-fire scenarios to simulate real threat vectors and malware that assess essential "blue team" skills, including technical skills like malware analysis and SIEM investigation, as well as soft skills like teamwork, critical thinking, and communications.

"We in the financial sector believe that exercising builds muscle memory to ensure smooth and efficient incident response," said **Cameron Dicker, Global Head of Business Resilience at FS-ISAC**. "We run a wide variety of exercises to ensure preparedness throughout all different organizational levels and functions, and we chose this competition format during Cybersecurity Awareness Month to bring a little fun into this critical tool for operational resilience."

"CISA and the NCA aptly named this year's cyber awareness month theme as 'See Yourself in Cyber,' demonstrating that cybersecurity is ultimately, about people," said **Sharon Rosenman, Chief Marketing Officer at Cyberbit**. "The feedback from the ICL teams was overwhelmingly positive and we are proud to collaborate with FS-ISAC in helping the financial industry become better prepared for real-world attacks by assessing and maximizing human performance."

"A Cyber Range is a strategic capability that enables governments and companies to effectively educate and train their professionals, as well as to experiment, test and validate new cybersecurity and cyber defense concepts, technologies, techniques, and tactics. Cyber range competitions such as the ICL Financial Cup help in providing a comparison with the rest of the peers in the sector", said Francisco Navarro García, Chief Information Security Officer, Banco de Crédito Cooperativo (BCC).

Additional teams who reached the top 10 in ICL finals include Loan Depot and Somerset Trust.

"The International Cyber League has been an excellent experience for our teams and a fantastic opportunity for them to test their skills with other elite teams across the financial services sector. We are incredibly proud of their work in keeping our company safe. Their strong performance in this competition is celebrated across Technology and the entire company", said Harold Rivas, Chief Information Officer, Loan Depot.

"Somerset Trust takes the security of our information very seriously, and I have always known that we assembled a good team of security professionals. It's always nice to see a competition like this that hones their skills and proves our dedication to security", said John Ash, Sr. Vice President and Chief Information Officer, Somerset Trust.

**About FS-ISAC**

FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization's real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector's collective security and defenses. Member financial firms represent $100 trillion in assets in 75 countries.

**About Cyberbit**

Cyberbit provides the global leading attack readiness platform for enabling SOC teams to maximize their performance when responding to cyberattacks. The platform empowers security leaders to make the most of their cybersecurity investment by boosting the impact of the human element in their organization. Cyberbit delivers hyper-realistic attack simulations mirroring real-world scenarios. It enables security leaders to dramatically reduce MTTR, dwell time and cybercrime costs, improve hiring and onboarding, and increase employee retention. Customers include Fortune 500 companies, MSSPs, systems integrators, governments, and leading healthcare providers.

FS-ISAC and Cyberbit Announce Winner of the First Financial Cyber League

Confused economies and rising unemployment rates foster a rich opportunity for cybercrime recruitment.

It's well known that cybercrime has become big business — and not just in terms of the volume but also in how crime syndicates are organizing themselves. As we saw earlier this year with the leak of files from the Conti ransomware group, that organization was operating very much like any other enterprise — it even had an HR lead and a recruitment director. We've also seen how bad actors are actively recruiting internal help with their missions.

Here's one aspect of cybercrime syndicates that's unlike most of their legitimate business counterpoints — economic uncertainty and rising unemployment rates are a boon for them. That's because these factors create a ripe opportunity for ramped-up recruitment efforts.

We're witnessing huge growth in ransomware-as-a-service (RaaS). The ransomware threat continues to adapt with more variants enabled by RaaS; our researchers saw 10,666 different variants in the first half of 2022, compared with just 5,400 in the previous six-month period. Why is this important? Because it underscores just how much easier RaaS is making it for bad actors to operate — they're able to perpetrate attacks faster and at a high rate of scale.

**Recruitment, Recruitment, Recruitment**

One way cybercriminals operate is through the use of "cyber mules" to launder their financial gain. Sometimes these mules know what they're getting into, and sometimes they're lured in under false pretenses. Criminal organizations frequently rely on legitimate-looking job postings on legitimate job-hunting websites. A dubious job ad might refer to the need for a "money transfer agent," a "payment processing agent," or even a role as vague and general as an "administration representative." These job listings and solicitation emails prey on people's desperation by offering what seems to be legitimate employment.

Leaning on insiders within organizations for help is another tactic cybercrime syndicates use for their recruitment efforts. One recent survey found 65% of respondents said they had been approached by bad actors to help with ransomware attacks against the organizations they work for.

With more people and resources, cybercrime organizations will be able to pull off more attacks and organizations need to be aware of this. Recruitment efforts show that ransomware groups are expanding and potentially able to pull off more sophisticated attacks.

**Collaboration to Combat Cybercrime Recruiting**

It takes a global team effort with solid, dependable relationships among cybersecurity stakeholders to defeat international cybercriminal groups. Criminal organizations operate nearly identically to legitimate enterprises. They have costs and profit margins. They may start looking for a new way to make money if they are unable to make a profit in a timely manner because cyber defenders are destroying their infrastructures and making them constantly start over. Cybercrime may start to decline after attackers start to give up out of concern about being discovered and arrested or because they believe the rewards aren't worth the dangers.

The World Economic Forum Partnership Against Cybercrime (PAC) is undertaking one such initiative. To disrupt cybercrime ecosystems, PAC has concentrated on fusing private sector data and digital knowledge with public sector threat intelligence. PAC has long said that breaking down communication barriers and adopting a worldwide strategy will make it simpler to get beyond the factors that protect cybercriminals.

Last year, this private-public partnership introduced the Cybercrime Atlas, a joint research initiative that gathers and compiles data about the cybercriminal ecosystem and the main threat actors active today. Legal authorities will gain from increased visibility into cybercrime operations in their investigations, takedowns, prosecutions, and convictions.

Economic insecurity provides a ripe opportunity for cybercriminals to recruit, and they've gotten so good at it that some unsuspecting job seekers get pulled into their web of evil. Or they go after employees at companies they want to target, hoping for some insider help. Collaboration at the global level combines the strengths and resources of the private and public sectors to give organizations the up-to-date intel they need to protect their networks from increased cybercrime recruitment and its fruits.

Economic Uncertainty Isn't Stopping Cybercrime Recruitment — It's Fueling It

Investment to advance efforts to detect and mitigate disinformation.

**WASHINGTON and SAN FRANCISCO, Nov. 2, 2022 /PRNewswire/ —** Alethea, a technology company that detects and mitigates disinformation, misinformation, and social media manipulation, raised $10 million Series A, led by Ted Schleinand Kevin Mandia of Ballistic Ventures.

Proceeds will be invested into Alethea's machine learning SaaS platform, Artemis (in closed beta), by growing its engineering and data science teams. Currently in use by household name brands, Artemis conducts multichannel analysis across billions of datapoints to identify disinformation and social media manipulation at its start. As a result, communicators and risk and intelligence teams have the insights they need to protect their brands, bottom lines, and market cap.

"Disinformation is the next iteration of information security, and communicators and risk professionals are on the front lines of protecting their organizations from the information that exists outside their systems," said Lisa Kaplan, Founder and CEO of Alethea. "We've earned our record of alerting customers to the unknown unknowns to help avoid crises. Our incident response capabilities during high-stress periods, such as short-seller attacks, protects our customers. To provide this protection at scale, we created the system that didn't exist – Artemis – to provide tailored insights into the disinformation, misinformation, and social media manipulation ecosystem."

"We have found the right partners with Ted, Kevin, and the Ballistic network to deliver this capability at scale. With the ability to operate in free economies and democracies at stake, we look forward to rapidly scaling our support to customers as they navigate the new digital reality," continued Kaplan.

"Alethea is on the cutting edge of the fight against misinformation, one of the biggest threats to our modern society," said Ted Schlein, Chairman and General Partner of Ballistic Ventures. "We invested in the company because we believe Alethea's proven technology is critical to helping corporations promote access to accurate information and a more secure world."

Alethea was represented by outside counsel, WilmerHale, in the transaction.

**About Ballistic Ventures**

Ballistic Ventures is a venture capital firm solely dedicated to early-stage cybersecurity and cyber-related companies. The founding partners, Kevin Mandia, Barmak Meftah, Ted Schlein, Jake Seid, and Roger Thornton, have spent their entire careers defending against every cyber threat conceivable. Collectively, they have founded, funded, and operated over 90 successful cybersecurity firms, led over 10,000 security professionals globally, and have 40+ years of experience in venture capital. Learn more at ballisticventures.com.

**About Alethea**

Alethea is a technology company helping the Fortune 500, private companies and nonprofits protect themselves from harms stemming from disinformation. Leveraging its multi-channel machine learning platform, Artemis, Alethea detects disinformation narratives across the internet, enabling customers to proactively defend against this pervasive threat. With Artemis-powered early detection, Alethea customers can protect their reputations, key assets, physical safety and market value. The company was founded in 2019 and is woman-owned. Learn more at www.aletheagroup.com.

Alethea Closes $10M Series A Financing Led by Ballistic Ventures

Red Hat Security Advisory 2022-7338-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include code execution, privilege escalation, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:7338-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7338  
Issue date:        2022-11-02  
CVE Names:         CVE-2022-2588 CVE-2022-23816 CVE-2022-23825  
                   CVE-2022-26373 CVE-2022-29900 CVE-2022-29901  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* A use-after-free in cls_route filter implementation may lead to privilege  
escalation (CVE-2022-2588)

* RetBleed Arbitrary Speculative Code Execution with Return Instructions  
(CVE-2022-23816, CVE-2022-29900)

* Branch Type Confusion (non-retbleed) (CVE-2022-23825)

* Intel: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373)

* Intel: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-29901)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Update to the latest RHEL7.9.z18 source tree (BZ#2117337)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)  
2114849 - CVE-2022-2588 kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation  
2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.80.1.rt56.1225.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.80.1.rt56.1225.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/6971358

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2K9NtzjgjWX9erEAQjkRRAAm/2K718txKtGuCBa6NclLP2TpOKlk8dw  
R3eORyTgVZTrl6Qm6RQSA50kcqMFn6/6hzUto5NRvuSgw4H7I2hg/CS+TQlPdFi4  
0WcZiZ0vbu7csrsAtAKpmWOpu1O1FzNdqSF5MA7s7zZ0oht9ZnszT+exzcjHbgpO  
qVMRhgaKmbdlKkKi/32gZP7IwKIZS+CkhqpHhFy7V736FtNyWFT0VNCHdKCklkdP  
K6gAClFQuMv8npxovTURJfhLjqv6ymcRVrl6KQT3Qlu+iHiy0j18CA3ewW0TdAkO  
IzDOEh+W9gfTR4bgrrUl5+A5oZkkazYqm6joGJBI7uZHv9v3yoOLzP4HAduSVFBC  
AgBo9yhGnP6xXzunT5nYVs0EpnCpHFaJhlxsavm/pKjS+c35enuawyN2l24kACnE  
Kdv3KZ6XQtBTdaR9e/UTqCCiSXznEcJJ0xE4VfKFNtngXrWGftAIcTBMDQpfePP7  
rfBo/C9IT8rKqt1T62M0Xu+NfjoeziKrpPoXi86rn90bw93Mdl0rrmAhTISeL92K  
M5m5DIyPD9HQuX4/3NKWXJDEKgPao+JFouEAlm86YMfFzjxzBE8GXTnvp2xw5vf1  
BJkFxtUe74jR8YqJYO7KxyOS9K9Z7BeqEcvSRwNdBAY6TgcDa5lB347Kcgl1WvDf  
SmJAIcuqXRk=WLhk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#intel