March 1, 2024

UK's NCSC Issues Warning as SVR Hackers Target Cloud Services


Russian state hackers are adapting their techniques to target organizations moving to the cloud, an advisory from the UK National Cyber Security Centre and international security agencies has warned.

The advisory details how cyber espionage group APT29 is directly targeting weaknesses in cloud services used by victim organizations to gain initial access to their systems. APT29 is also expanding the scope of its attacks beyond governments, think tanks, healthcare and energy providers to include victims in aviation, education, law enforcement, local and state councils, government financial departments and military organizations. APT29 has been linked to Russia’s Foreign Intelligence Service.

The advisory urges organizations to address common vulnerabilities in their cloud environments by removing dormant accounts, enabling multi-factor authentication and creating canary accounts to monitor for suspicious activity.

Who is APT29?

APT29, also known as Cozy Bear, Midnight Blizzard or the Dukes, is a cyber espionage group that is widely believed to be the perpetrator behind the infamous 2020 SolarWinds attack, which exploited vulnerabilities in the Orion network and had a devastating impact on U.S. government agencies and various private sector companies.

The hacking group was also blamed for the recent password spraying attack on Microsoft that resulted in the compromise of a small number of corporate email accounts.

How APT29 is adapting its cyberattacks to focus on cloud-based environments and “MFA bombing”

According to the advisory, APT29 has been observed using a number of techniques over the past 12 months that suggest it is adapting to the shift towards cloud-based operating environments across the public and private sectors.

Specifically, the group is increasingly exploiting weaknesses in cloud services used by organizations to gain initial access to networks. This marks a shift away from traditional attack methods used by the group, namely those that target on-premises equipment.

Techniques used by APT29 include password spraying and brute-force attacks that target accounts that are either dormant or not operated by a person and are used to manage other apps on the network.

“This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise,” the advisory notes.

“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.”

APT29 is also exploiting weaknesses in MFA protocols via “MFA bombing,” which involves bombarding a victim’s device with authentication requests until they are fatigued into accepting — either accidentally or otherwise.

After bypassing MFA, hackers are able to register their own device on the network and gain deeper access into the victim organization’s systems. SVR actors have also been observed stealing system-issued authentication tokens, enabling them to access victims’ accounts without the need for a password.

Toby Lewis, head of threat analysis at British cybersecurity company Darktrace, said the change in APT29’s tactics highlighted some of the “inherent challenges” in securing cloud infrastructure.

“Increasing data and workload migration to the cloud has opened new attack surfaces that cyber criminals are eager to exploit,” Lewis told TechRepublic via email.

“Cloud environments contain enormous troves of sensitive data that appeal to bad actors and nation-state groups alike. The distributed nature of cloud infrastructure, rapid provisioning of resources, and prevalence of misconfigurations have posed major security challenges.”

How SVR hackers are staying undetected

Residential proxies and dormant accounts are also proving to be highly useful tools for SVR hackers, the advisory notes.

Dormant accounts are typically created when an employee leaves an organization but their account is left active. Hackers who have access to a dormant account can get around any password resets enforced by an organization following a security breach, the advisory notes; they simply log into the dormant or inactive account and follow the password reset instructions. “This has allowed the actor to regain access following incident response eviction activities,” it says.

Likewise, SVR actors are using residential proxies to mask their location and make it appear as though their network traffic is originating from a nearby IP address. This makes it more difficult for a victim organization to spot suspicious network activity, and makes cybersecurity defenses that use IP addresses as indicators of suspicious activity less effective.

“As network-level defences improve detection of suspicious activity, SVR actors have looked at other ways to stay covert on the internet,” the advisory says.

The challenges of securing cloud networks

While not specifically mentioned in the advisory, Lewis said developments in generative artificial intelligence posed additional challenges for securing cloud environments — namely that attackers are leveraging the technology to craft more sophisticated phishing attacks and social engineering techniques.

He also suggested that many organizations fall over on cloud security because they assume this is the responsibility of the cloud service provider, when it is in fact a shared responsibility.


“Many organisations mistakenly assume the cloud provider will handle all aspects of security. However, while the provider secures the underlying infrastructure, the customer retains responsibility for properly configuring resources, identity and access management, and application-level security,” he said.

“Business leaders must take cloud security seriously by investing in proper skills, tools and processes. They should ensure employees have cloud architecture and security training to avoid basic misconfigurations. They should also embrace the shared responsibility model, so they know exactly what falls within their purview.”

NCSC’s tips for staying secure regarding the SVR advisory

The NCSC advisory stresses the importance of cybersecurity fundamentals, which include:

  • Implementing MFA.
  • Using strong and unique passwords for accounts.
  • Reducing session lifetimes for tokens and user sessions.
  • Implementing a principle of least privilege for system and service accounts, whereby each account is granted only the minimum levels of access needed to perform its functions.

This minimizes potential damage from compromised accounts and restricts the access level attackers might gain. “Good baseline of cyber security fundamentals can deny even a threat as sophisticated as the SVR, an actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds compromise,” the advisory notes.


Beyond this, the advisory suggests setting up canary service accounts — i.e., accounts that look legitimate but are actually used to monitor for suspicious activity on the network. Zero-touch enrolment policies should be implemented where possible so only authorized devices can be automatically added to the network, and organizations should “consider a variety of information sources such as application events and host-based logs to help prevent, detect and investigate potential malicious behaviour.”
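The detection ideas in the advisory (any use of a canary account, activity on a dormant account, and an MFA approval that follows a burst of denied prompts and is then followed by a device registration) can be written as rules over sign-in logs. The Python below is an added example, not code from the NCSC advisory or this article; the event names, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: names, thresholds and event types are hypothetical.
CANARY_ACCOUNTS = {"svc-backup-legacy"}   # looks legitimate, never used by anything
DORMANT_AFTER = timedelta(days=90)        # no legitimate activity for this long
PUSH_WINDOW = timedelta(minutes=10)       # window for counting denied MFA pushes
PUSH_THRESHOLD = 5                        # denied pushes that make an approval suspect
ENROL_WINDOW = timedelta(hours=1)         # device registration soon after that approval

# Constructed directory snapshot: account -> last known legitimate activity.
LAST_ACTIVE = {
    "alice": datetime(2024, 2, 28, 17, 0),
    "bob.leaver": datetime(2023, 6, 1, 9, 0),
}


def _at(hour, minute):
    return datetime(2024, 3, 1, hour, minute)


# Constructed sample events: (time, account, event).
SAMPLE_EVENTS = (
    [(_at(2, m), "alice", "mfa_push_denied") for m in range(5)]
    + [
        (_at(2, 5), "alice", "mfa_push_approved"),
        (_at(2, 12), "alice", "device_registered"),
        (_at(3, 0), "bob.leaver", "password_reset"),
        (_at(3, 2), "bob.leaver", "login_ok"),
        (_at(4, 0), "svc-backup-legacy", "login_failed"),
        (_at(8, 0), "carol", "mfa_push_denied"),      # one mistaken denial: benign
        (_at(8, 1), "carol", "mfa_push_approved"),
        (_at(8, 30), "carol", "device_registered"),
    ]
)


def _prune(queue, now):
    """Drop denied-push timestamps that fell out of the counting window."""
    while queue and now - queue[0] > PUSH_WINDOW:
        queue.popleft()


def detect(events, last_active=LAST_ACTIVE, canaries=CANARY_ACCOUNTS):
    """Return (time, account, rule) alerts in chronological order."""
    alerts = []
    denied = defaultdict(deque)   # account -> recent denied-push times
    suspect_approval = {}         # account -> time of approval after a burst
    dormant_flagged = set()       # alert once per dormant account

    for ts, account, event in sorted(events):
        # Rule 1: a canary has no legitimate use, so any event on it is an alert.
        if account in canaries:
            alerts.append((ts, account, "canary-touched"))
            continue

        # Rule 2: successful login or password reset on a long-idle account.
        seen = last_active.get(account)
        if (event in ("login_ok", "password_reset") and seen is not None
                and ts - seen > DORMANT_AFTER and account not in dormant_flagged):
            dormant_flagged.add(account)
            alerts.append((ts, account, "dormant-account-activity"))

        # Rule 3: approval after a burst of denied pushes, then device enrolment.
        if event == "mfa_push_denied":
            denied[account].append(ts)
            _prune(denied[account], ts)
        elif event == "mfa_push_approved":
            _prune(denied[account], ts)
            if len(denied[account]) >= PUSH_THRESHOLD:
                suspect_approval[account] = ts
                alerts.append((ts, account, "mfa-approval-after-push-burst"))
            denied[account].clear()
        elif event == "device_registered":
            approved = suspect_approval.get(account)
            if approved is not None and ts - approved <= ENROL_WINDOW:
                alerts.append((ts, account, "device-enrolled-after-push-burst"))
    return alerts


if __name__ == "__main__":
    for ts, account, rule in detect(SAMPLE_EVENTS):
        print(ts.isoformat(), account, rule)
```

None of the rules looks at source IP addresses, which matches the advisory's point that residential proxies weaken IP-based indicators.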

Lewis stressed the importance of collaboration in responding to the evolving threat landscape, as well as ensuring businesses have the right skills, people and processes in place to defend against new and emerging threats.

“Global collaboration among cybersecurity agencies and companies is critical to identify and respond to sophisticated threats. Attackers like APT29 think globally, so defenders must as well,” he said.

“Sharing intelligence on new tactics allows organisations worldwide to improve their defences and respond quickly. No one agency or company has complete visibility on its own.”


Introducing Message Templates - Intigriti


In case you missed it, we recently introduced message templates! In our ongoing effort to improve your experience and productivity, we’ve introduced this neat feature to bring efficiency and consistency right to your fingertips.

Walk through our guided demo

To ensure you get the most out of our new message template functionality, we’ve prepared an interactive demo. This step-by-step guide will walk you through every aspect of creating, managing, and using templates effectively within your workflow. It’s an excellent way to see firsthand how templates can transform your communication strategy.

Why Message Templates?

Save Time and Effort: With our pre-defined templates, you no longer need to start from scratch. Adapt and build upon these templates to save valuable time and effort, allowing you to focus on what truly matters.

Ensure Consistency: Our templates help maintain a high standard of communication across your programs. They provide a unified approach to similar situations, ensuring quality, compliance, and adherence to best practices.

Perfect for Various Scenarios:

  • Welcoming researchers upon their first submission.
  • Initiating the review process for submissions.
  • Communicating delays in the review process.
  • Requesting further information or feedback.
  • Announcing bonus rewards to researchers.
  • Structured internal team communications.

How to manage your templates?

Navigate to ‘User dropdown > Message templates’ to add, edit, or delete your templates. Crafting personalized templates is a breeze with our intuitive interface, allowing you to incorporate variables and placeholders for a tailored experience.

Add personalization with variables and placeholders

Enhance your templates with dynamic content. Simply type “{{” to select a variable from the dropdown, such as {{ Username }}, {{ Company Name }}, or {{ Submission Title }}. Use placeholders to further customize your messages, ensuring no detail is overlooked.

In our knowledge base, you will find more examples and detailed information on how to personalize your templates.

Sharing is Caring

Company administrators can share essential templates with all team members, ensuring consistent and efficient communication. Once shared, templates are readily available for use, fostering a collaborative and unified messaging standard.

We’re excited for you to explore this feature and see the difference it makes. As always, your feedback is invaluable to us, so please don’t hesitate to share your thoughts and experiences.


Startup accelerates progress toward light-speed computing


Our ability to cram ever-smaller transistors onto a chip has enabled today’s age of ubiquitous computing. But that approach is finally running into limits, with some experts declaring an end to Moore’s Law and a related principle, known as Dennard’s Scaling.

Those developments couldn’t be coming at a worse time. Demand for computing power has skyrocketed in recent years thanks in large part to the rise of artificial intelligence, and it shows no signs of slowing down.

Now Lightmatter, a company founded by three MIT alumni, is continuing the remarkable progress of computing by rethinking the lifeblood of the chip. Instead of relying solely on electricity, the company also uses light for data processing and transport. The company’s first two products, a chip specializing in artificial intelligence operations and an interconnect that facilitates data transfer between chips, use both photons and electrons to drive more efficient operations.

“The two problems we are solving are ‘How do chips talk?’ and ‘How do you do these [AI] calculations?’” Lightmatter co-founder and CEO Nicholas Harris PhD ’17 says. “With our first two products, Envise and Passage, we’re addressing both of those questions.”

In a nod to the size of the problem and the demand for AI, Lightmatter raised just north of $300 million in 2023 at a valuation of $1.2 billion. Now the company is demonstrating its technology with some of the largest technology companies in the world in hopes of reducing the massive energy demand of data centers and AI models.

“We’re going to enable platforms on top of our interconnect technology that are made up of hundreds of thousands of next-generation compute units,” Harris says. “That simply wouldn’t be possible without the technology that we’re building.”

From idea to $100K

Prior to MIT, Harris worked at the semiconductor company Micron Technology, where he studied the fundamental devices behind integrated chips. The experience made him see how the traditional approach for improving computer performance — cramming more transistors onto each chip — was hitting its limits.

“I saw how the roadmap for computing was slowing, and I wanted to figure out how I could continue it,” Harris says. “What approaches can augment computers? Quantum computing and photonics were two of those pathways.”

Harris came to MIT to work on photonic quantum computing for his PhD under Dirk Englund, an associate professor in the Department of Electrical Engineering and Computer Science. As part of that work, he built silicon-based integrated photonic chips that could send and process information using light instead of electricity.

The work led to dozens of patents and more than 80 research papers in prestigious journals like Nature. But another technology also caught Harris’s attention at MIT.

“I remember walking down the hall and seeing students just piling out of these auditorium-sized classrooms, watching relayed live videos of lectures to see professors teach deep learning,” Harris recalls, referring to the artificial intelligence technique. “Everybody on campus knew that deep learning was going to be a huge deal, so I started learning more about it, and we realized that the systems I was building for photonic quantum computing could actually be leveraged to do deep learning.”

Harris had planned to become a professor after his PhD, but he realized he could attract more funding and innovate more quickly through a startup, so he teamed up with Darius Bunandar PhD ’18, who was also studying in Englund’s lab, and Thomas Graham MBA ’18. The co-founders successfully launched into the startup world by winning the 2017 MIT $100K Entrepreneurship Competition.

Seeing the light

Lightmatter’s Envise chip takes the part of computing that electrons do well, like memory, and combines it with what light does well, like performing the massive matrix multiplications of deep-learning models.

“With photonics, you can perform multiple calculations at the same time because the data is coming in on different colors of light,” Harris explains. “In one color, you could have a photo of a dog. In another color, you could have a photo of a cat. In another color, maybe a tree, and you could have all three of those operations going through the same optical computing unit, this matrix accelerator, at the same time. That drives up operations per area, and it reuses the hardware that’s there, driving up energy efficiency.”

Passage takes advantage of light’s latency and bandwidth advantages to link processors in a manner similar to how fiber optic cables use light to send data over long distances. It also enables chips as big as entire wafers to act as a single processor. Sending information between chips is central to running the massive server farms that power cloud computing and run AI systems like ChatGPT.

Both products are designed to bring energy efficiencies to computing, which Harris says are needed to keep up with rising demand without bringing huge increases in power consumption.

“By 2040, some predict that around 80 percent of all energy usage on the planet will be devoted to data centers and computing, and AI is going to be a huge fraction of that,” Harris says. “When you look at computing deployments for training these large AI models, they’re headed toward using hundreds of megawatts. Their power usage is on the scale of cities.”

Lightmatter is currently working with chipmakers and cloud service providers for mass deployment. Harris notes that because the company’s equipment runs on silicon, it can be produced by existing semiconductor fabrication facilities without massive changes in process.

The ambitious plans are designed to open up a new path forward for computing that would have huge implications for the environment and economy.

“We’re going to continue looking at all of the pieces of computers to figure out where light can accelerate them, make them more energy efficient, and faster, and we’re going to continue to replace those parts,” Harris says. “Right now, we’re focused on interconnect with Passage and on compute with Envise. But over time, we’re going to build out the next generation of computers, and it’s all going to be centered around light.”


Dealing with the limitations of our noisy world


Tamara Broderick first set foot on MIT’s campus when she was a high school student, as a participant in the inaugural Women’s Technology Program. The monthlong summer academic experience gives young women a hands-on introduction to engineering and computer science.

What is the probability that she would return to MIT years later, this time as a faculty member?

That’s a question Broderick could probably answer quantitatively using Bayesian inference, a statistical approach to probability that tries to quantify uncertainty by continuously updating one’s assumptions as new data are obtained.

In her lab at MIT, the newly tenured associate professor in the Department of Electrical Engineering and Computer Science (EECS) uses Bayesian inference to quantify uncertainty and measure the robustness of data analysis techniques.

“I’ve always been really interested in understanding not just ‘What do we know from data analysis,’ but ‘How well do we know it?’” says Broderick, who is also a member of the Laboratory for Information and Decision Systems and the Institute for Data, Systems, and Society. “The reality is that we live in a noisy world, and we can’t always get exactly the data that we want. How do we learn from data but at the same time recognize that there are limitations and deal appropriately with them?”

Broadly, her focus is on helping people understand the confines of the statistical tools available to them and, sometimes, working with them to craft better tools for a particular situation.

For instance, her group recently collaborated with oceanographers to develop a machine-learning model that can make more accurate predictions about ocean currents. In another project, she and others worked with degenerative disease specialists on a tool that helps severely motor-impaired individuals utilize a computer’s graphical user interface by manipulating a single switch.

A common thread woven through her work is an emphasis on collaboration.

“Working in data analysis, you get to hang out in everybody’s backyard, so to speak. You really can’t get bored because you can always be learning about some other field and thinking about how we can apply machine learning there,” she says.

Hanging out in many academic “backyards” is especially appealing to Broderick, who struggled even from a young age to narrow down her interests.

A math mindset

Growing up in a suburb of Cleveland, Ohio, Broderick had an interest in math for as long as she can remember. She recalls being fascinated by the idea of what would happen if you kept adding a number to itself, starting with 1+1=2 and then 2+2=4.

“I was maybe 5 years old, so I didn’t know what ‘powers of two’ were or anything like that. I was just really into math,” she says.

Her father recognized her interest in the subject and enrolled her in a Johns Hopkins program called the Center for Talented Youth, which gave Broderick the opportunity to take three-week summer classes on a range of subjects, from astronomy to number theory to computer science.

Later, in high school, she conducted astrophysics research with a postdoc at Case Western University. In the summer of 2002, she spent four weeks at MIT as a member of the first class of the Women’s Technology Program.

She especially enjoyed the freedom offered by the program, and its focus on using intuition and ingenuity to achieve high-level goals. For instance, the cohort was tasked with building a device with LEGOs that they could use to biopsy a grape suspended in Jell-O.

The program showed her how much creativity is involved in engineering and computer science, and piqued her interest in pursuing an academic career.

“But when I got into college at Princeton, I could not decide — math, physics, computer science — they all seemed super-cool. I wanted to do all of it,” she says.

She settled on pursuing an undergraduate math degree but took all the physics and computer science courses she could cram into her schedule.

Digging into data analysis

After receiving a Marshall Scholarship, Broderick spent two years at Cambridge University in the United Kingdom, earning a master of advanced study in mathematics and a master of philosophy in physics.

In the UK, she took a number of statistics and data analysis classes, including her first class on Bayesian data analysis in the field of machine learning.

It was a transformative experience, she recalls.

“During my time in the U.K., I realized that I really like solving real-world problems that matter to people, and Bayesian inference was being used in some of the most important problems out there,” she says.

Back in the U.S., Broderick headed to the University of California at Berkeley, where she joined the lab of Professor Michael I. Jordan as a grad student. She earned a PhD in statistics with a focus on Bayesian data analysis. 

She decided to pursue a career in academia and was drawn to MIT by the collaborative nature of the EECS department and by how passionate and friendly her would-be colleagues were.

Her first impressions panned out, and Broderick says she has found a community at MIT that helps her be creative and explore hard, impactful problems with wide-ranging applications.

“I’ve been lucky to work with a really amazing set of students and postdocs in my lab — brilliant and hard-working people whose hearts are in the right place,” she says.

One of her team’s recent projects involves a collaboration with an economist who studies the use of microcredit, or the lending of small amounts of money at very low interest rates, in impoverished areas.

The goal of microcredit programs is to raise people out of poverty. Economists run randomized control trials of villages in a region that receive or don’t receive microcredit. They want to generalize the study results, predicting the expected outcome if one applies microcredit to other villages outside of their study.

But Broderick and her collaborators have found that results of some microcredit studies can be very brittle. Removing one or a few data points from the dataset can completely change the results. One issue is that researchers often use empirical averages, where a few very high or low data points can skew the results.

Using machine learning, she and her collaborators developed a method that can determine how many data points must be dropped to change the substantive conclusion of the study. With their tool, a scientist can see how brittle the results are.

“Sometimes dropping a very small fraction of data can change the major results of a data analysis, and then we might worry how far those conclusions generalize to new scenarios. Are there ways we can flag that for people? That is what we are getting at with this work,” she explains.

At the same time, she is continuing to collaborate with researchers in a range of fields, such as genetics, to understand the pros and cons of different machine-learning techniques and other data analysis tools.

Happy trails

Exploration is what drives Broderick as a researcher, and it also fuels one of her passions outside the lab. She and her husband enjoy collecting patches they earn by hiking all the trails in a park or trail system.

“I think my hobby really combines my interests of being outdoors and spreadsheets,” she says. “With these hiking patches, you have to explore everything and then you see areas you wouldn’t normally see. It is adventurous, in that way.”

They’ve discovered some amazing hikes they would never have known about, but also embarked on more than a few “total disaster hikes,” she says. But each hike, whether a hidden gem or an overgrown mess, offers its own rewards.

And just like in her research, curiosity, open-mindedness, and a passion for problem-solving have never led her astray.


Dashlane Free vs. Premium: Which Plan Is Best For You?


Dashlane is one of few password managers that offers a completely free version. While limited in comparison to Dashlane Premium, the free version still allows users access to key password management features.

If you’re wondering if you should stick with the free version or make the investment in Dashlane Premium, this article highlights the differences and pros and cons to help you decide.

Dashlane Free vs. Dashlane Premium: Comparison

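| Features                       | Free               | Premium ($4.99/month)  |
|--------------------------------|--------------------|------------------------|
| Password storage               | Up to 25 passwords | Unlimited              |
| Support                        | No                 | Email and chat support |
| Devices                        | One at a time      | Multiple devices       |
| Two-factor authentication      | Yes                | Yes                    |
| Password generator and history | Yes                | Yes                    |
| Autofill                       | Yes                | Yes                    |
| Dark web monitoring            | Yes                | Yes                    |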

Feature comparison: Dashlane Free vs. Dashlane Premium

Password Storage

Figure A: Dashlane password vault. Image: Luis Millares

Dashlane’s free version only allows users to store up to 25 passwords on one device, whereas Dashlane Premium offers unlimited password storage across multiple devices. When you consider logins to cloud providers, streaming services, banking, phone services, email and more, 25 passwords isn’t a lot. If you need more, you’ll likely want to opt for Dashlane Premium.

Support

Dashlane Premium comes with email and chat support. As of December 2023, support is no longer available for the free version. Because email and chat support depends on the responsiveness and expertise of those at the other end, a lack of support in the free version shouldn’t be a reason to favor the premium edition.

Devices

The free version is available only on one device. With Premium, a user can use the password manager across multiple devices with no restrictions. Most users, these days, use multiple devices. But there are many who only use a laptop or smartphone. In these cases, the free version may suffice provided the number of passwords remains low enough.

2FA

Two-factor authentication (2FA) is available in both versions. This provides an extra level of protection. Even if a bad actor learns a password, they still have to enter a second item such as a code or biometric before they can access an application.

Password generator/history

Figure B: Dashlane password generator. Image: Luis Millares

Both versions include a password generator and store the user’s password history. As most sites now want at least eight characters—including capital and small letters, a number and a symbol—few users will be able to remember all their passwords. Password generators create lengthy passwords that are extremely difficult, if not impossible, to crack. The app will store the passwords, and their history, so users don’t have to remember them. These capabilities are built into the free and paid versions.

Autofill

Both versions provide autofill capabilities to save the user time. There is no need to type in your name, address, email and phone number each time you set a password for a new site. Dashlane takes care of this automatically.

Dark web monitoring

Figure C: Dashlane dark web scan results. Image: Luis Millares

Both versions offer dark web monitoring to see if usernames and passwords have been compromised. This feature is important as many users get sloppy and use the same or similar passwords across multiple devices and applications. If hackers obtain one, they can use it to gain access to many other applications.

Dashlane Free pros and cons

Pros of Dashlane Free

  • Rich feature set that includes 2FA, dark web monitoring, password generator and history.
  • No cost.

Cons of Dashlane Free

  • Limited to only one device.
  • Limited to no more than 25 passwords.
  • No support.

Dashlane Premium pros and cons

Pros of Dashlane Premium

  • Unlimited password storage.
  • Multiple devices.
  • Chat and email support is available.
  • Includes a built-in VPN.

Cons of Dashlane Premium

  • Pricier than competitive offerings.
  • If the user forgets the master password and hasn’t set a recovery key, the data stored is lost and all passwords will have to be reset.

Methodology

These products were evaluated based on a survey of user feedback and product reviews. Read our full review of Dashlane for more information.

Should your organization use Dashlane Free or Dashlane Premium?

Dashlane’s free version may suffice for someone who is tied to one device. A user who mainly favors a laptop or a phone will likely find its feature set more than sufficient in many cases. After all, it comes with just about all of the security features built into the paid edition. This includes 2FA, encryption, dark web monitoring, password generation and more. There is a caveat. The free version can’t store more than 25 passwords. These days, many users need access to far more than that. In those cases, and where the person moves fluidly from one device to another, Dashlane Premium is worth the investment. The user also gains access to support options which are not available in the free version.
