Email at many organizations has stopped working; the tech giant has advised users who are facing the issue to uninstall the updates so that it can address flaw.

Source: Eric D ricochet69 via Alamy Stock Photo

Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.

This decision came after there were reports from admins saying that email had stopped flowing altogether.

The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn't being shared via email to an outside organization.

According to Microsoft, some customers found that the mail flow rules stopped periodically after they installed the update. It is now advising admins who are noticing this issue to uninstall the November security updates entirely until they're re-released.

"We are continuing the investigation and are working on a permanent fix to address this issue," Microsoft stated in an update regarding the issue. "We will release it when ready. We have also paused the rollout of November 2024 SU to Windows / Microsoft Update. Customers who might not use Transport or DLP rules and did not run into the issue with rules, can continue using the November SU update."

**About the Author**

Microsoft Pulls Exchange Patches Amid Mail Flow Issues

According to Mozilla, users have a lot more power to manipulate ChatGPT than they might realize. OpenAI hopes those manipulations remain within a clearly delineated sandbox.

Source: mundissima via Alamy Stock Photo

ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI's security on the whole.

The world's leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system, and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.

OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.

"They're not documented features," he says. "I think this is a pure design flaw. It's a matter of time until something happens, and some zero-day is found," by virtue of the data leakage.

**Prompt Injection: What ChatGPT Will Tell You**

Figueroa didn't set out to expose the guts of ChatGPT. "I wanted to refactor some Python code, and I stumbled upon this," he recalls. When he asked the model to refactor his code, it returned an unexpected response: directory not found. "That's odd, right? It's like a \[glitch in\] the Matrix."

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Was ChatGPT processing his request using more than just its general understanding of programming? Was there some kind of file system hidden underneath it? After some brainstorming, he thought of a follow-up prompt that might help elucidate the matter: "list files /", an English translation of the Linux command "ls /".

In response, ChatGPT provided a list of its files and directories: common Linux ones like "bin", "dev", "tmp", "sys", etc. Evidently, Figueroa says, ChatGPT runs on the Linux distribution "Debian Bookworm," within a containerized environment.

By probing the bot's internal file system — and in particular, the directory "/home/sandbox/.openai\_internal/" — he discovered that besides just observing, he could also upload files, verify their location, move them around, and execute them.

**OpenAI Access: Feature or Flaw?**

In a certain light, all of this added visibility and functionality is a positive — offering even more ways for users to customize and level up how they use ChatGPT, and enhancing OpenAI's reputation for transparency and trustworthiness.

Indeed, the risk that a user could really do anything malicious here — say, upload and execute a malicious Python script — is softened by the fact that ChatGPT runs in a sandboxed environment. Anything a user can do will, in theory, be limited only to their specific environment, strictly cordoned off from any of OpenAI's broader infrastructure and most sensitive data.

Related:Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats

Figueroa warns, though, that the extent of information ChatGPT leaks via prompt injection might one day help hackers find zero-day vulnerabilities, and break out of their sandboxes. "The reason why I stumbled onto everything I did was because of an error. This is what hackers do \[to find bugs\]," he says. And if trial and error doesn't work for them, he adds, "the LLM could assist you in figuring out how to get through it."

In an email to Dark Reading, a representative of OpenAI reaffirmed that it does not consider any of this a vulnerability, or otherwise unexpected behavior, and claimed that there were "technical inaccuracies" in Figueroa's research. Dark Reading has followed up for more specific information.

**The More Immediate Risk: Reverse-Engineering**

There is one risk here, however, that isn't so abstract.

Besides standard Linux files, ChatGPT also allows its users to access and extract much more actionable information. With the right prompts, they can unearth its internal instructions — the rules and guidelines that shape the model's behavior. And even deeper down, they can access its knowledge data: the foundational structure and guidelines that define how the model "thinks," and interacts with users.

Related:Cloud Ransomware Flexes Fresh Scripts Against Web Apps

On one hand, users might be grateful to have such a clear view into how ChatGPT operates, including how it handles safety and ethical concerns. On the other hand, this insight could potentially help bad actors reverse engineer those guardrails, and better engineer malicious prompts.

Worse still is what this means for the millions of custom GPTs available in the ChatGPT store today. Users have designed custom ChatGPT models with focuses in programming, security, research, and more, and the instructions and data that gives them their particular flavor is accessible to anyone who feeds them the right prompts.

"People have put secure data and information from their organizations into these GPTs, thinking it's not available to everyone. I think that is an issue, because it's not explicitly clear that your data potentially could be accessed," Figueroa says.

In an email to Dark Reading, an OpenAI representative pointed to GPT Builder documentation, which warns developers about the risk: "Don't include information you do not want the user to know" it reads, and flags its user interface, which warns, "if you upload files under Knowledge, conversations with your GPT may include file contents. Files can be downloaded when Code Interpreter is enabled."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

ChatGPT Exposes Its Instructions, Knowledge &amp; OS Files

In the future, the cybersecurity landscape likely will depend not only on the ability of federal workforces to protect their agencies but also on their capacity to continuously develop and sharpen those skills.

Tony Holmes, Practice Lead, Practice Lead for Solutions Architects in the Public Sector, Pluralsight

November 15, 2024

4 Min Read

Source: Stuart Miles via Alamy Stock Photo

COMMENTARY

The public sector is facing a security crisis. The acceleration of deepfake videos, AI-generated threats, and nation-state cyberattacks has put the federal government under increasing pressure to protect its employees, agencies, and the general public. Last year, the FBI, the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released details on the "growing challenge" that deepfake threats present to a range of federal agencies. 

According to the three groups, "threats from synthetic media such as deepfakes have exponentially increased — presenting a growing challenge for users of modern technology and communications." In addition to national critical infrastructure owners and operators, these users include the National Security Systems, the Department of Defense, and the Defense Industrial Base.  

What's more, in 2023, the NSA reported that deepfake threats pose "a new set of challenges to national security." According to the NSA, "organizations and their employees need to learn to recognize deepfake tradecraft and techniques and have a plan in place to respond and minimize impact if they come under attack." 

Effectively managing the combination of cyber threats, misinformation, and disinformation requires coordination across federal agencies. The workforce within these agencies must possess the most up-to-date cybersecurity skills possible. Agencies can position themselves to future-proof cybersecurity strategies and maintain an advantage against threats by training teams on how to outmaneuver malicious actors. Regularly practicing simulated cyberattacks and leveraging predetermined incident response plans to mitigate breaches is crucial.  

**The Public Sector's Cyber-AI Skills Gap **

Against the backdrop of this intricate threat landscape, federal agencies need tech-proficient employees with a unique set of skills to ensure protection. As 90% of surveyed IT leaders said they don't completely understand their teams' AI skills and proficiency, there is a clear need for agencies to take action. By promoting training to improve team members' confidence and enhance their skills, leaders can engage themselves in the process and better understand the workforce's strengths and weaknesses. 

As the country transitions into the post-election period, deepfake threats remain a pressing concern, capable of shaping public perceptions through deceptive content. Federal employees and the agencies they serve must continue to bolster defenses against this and other cyber threats by prioritizing strategic skills development and training. 

These programs should consider existing proficiencies their teams possess and also foresee what skills are necessary to mitigate threats that may be detrimental to their agencies and the voting public. Agencies can arm their technologists with the tools they need to stay one step ahead of threats by prioritizing skills and implementing active, enterprisewide cybersecurity measures.  

Efforts to combat cyberattacks at the federal level coincide with the federal government's campaign to promote high-tech career paths across all of its agencies to address tech talent shortages. Last year, the Biden administration launched its National AI Talent Surge to fill open agency positions by recruiting technology professionals who can "bring their experience, expertise, and vision into government." This program brings the deficit of skilled technologists in the public sector into sharp focus.  

**Agency Workforces Need the Skills to Be Vigilant Against Attacks**

As cyber threats against government organizations continue, it's critical that agency workforces have the skills they need to recognize threats, and have the know-how to respond when an attack occurs. Earlier this year, Ashley Manning, the US assistant secretary of defense for cyber policy, told a congressional subcommittee about measures the Department of Defense is taking to counter cyber threats.  

According to Manning, the US faces cyber challenges, including China's targeting of US networks in prolonged espionage campaigns, Russia's use of cyberspace to target critical infrastructure networks, and for-profit cybercriminals who target an array of vulnerable sectors with ransomware attacks that impact American citizens.  

To guard against cyberattacks, federal agencies must take a holistic approach to ensuring that their teams have the skills to keep their networks and data secure. This includes addressing skills gaps in the workforce, leveraging best practices in cybersecurity, and creating a culture of continuous learning and upskilling. By arming their teams with the best possible defense against threats, agency leaders can empower employees to counteract cyberattacks effectively.  

**Create an Enterprisewide Knowledge Base to Ensure Cybersecurity**

It's critical for agencies to better understand their teams' current cybersecurity knowledge by benchmarking the skill sets of their workforce. Training resources that align with their skills gaps and technologists' needs include providing content created by industry experts, tracking skill acquisition, creating forums or community support, and providing hands-on labs. By implementing individualized learning programs that ensure every employee receives the necessary training, agencies can build a workforce equipped with the skills needed to keep their networks and data as secure as possible. 

**About the Author**

Practice Lead, Practice Lead for Solutions Architects in the Public Sector, Pluralsight

Pathological problem solver, and serial question asker, a lifelong student of mental models, experienced in creating innovative solutions where analogical ideas meet rigorous socratic method. For more than two decades Tony Holmes has been solving complex problems for some of the largest, and most forward-thinking technology organizations in the world, including British Broadcasting Corporation, Digital Equipment Corporation, Microsoft Research, Opsware, Hewlett Packard, Oracle, and, currently, Pluralsight, the Technology Skills platform for the Government.

Combating the Rise of Federally Aimed Malicious Intent

A new report from the Open Software Supply Chain Attack Reference (OSC&R) team provides a framework to reduce how much vulnerable software reaches production.

Neatsun Ziv, CEO & Co-Founder, Ox Security

November 15, 2024

5 Min Read

Source: Andrey Kryuchkov via Alamy Stock Photo

COMMENTARY

The complexity of today's software development — a mix of open source and third-party components, as well as internally developed code — has resulted in an abundance of vulnerabilities for attackers to exploit throughout the software supply chain.

We've seen the direct effects of software supply chain attacks in incidents like the MOVEit and SolarWinds breaches, revealing that no industry sector, size of company, or stage of software development is immune. According to a survey from Enterprise Strategy Group (ESG), 91% of organizations experienced at least one software supply chain security incident in 2023, and 2024 hasn't seemed any better.

Security teams are overwhelmed by the task of sorting through, assessing, and prioritizing the mitigation of tens of thousands of alerts to discern those that pose real risk from those that are benign. In 2023, a group of AppSec experts addressed this problem by launching the Open Software Supply Chain Attack Reference (OSC&R), a freely available, MITRE ATT&CK-like framework to help organizations gain a deeper understanding of their software supply chain vulnerabilities.

The OSC&R community's inaugural report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures," offers a comprehensive analysis of the severity of vulnerabilities across the software supply kill chain. Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, it examines the risk to software supply chains and probes the alignment between the vulnerabilities found in the wild and the focus of AppSec teams today.

The research offers some eye-opening statistics, including that 95% of organizations have at least one high, critical, or apocalyptic risk in their software supply chain, with the average organization having nine such issues. What's more, the OSC&R data shows that many of the most common software supply chain vulnerabilities are tied to fundamental security controls, such as authentication, encryption, publicly available information in logs, and the principle of least privilege. Following are some of the most important takeaways from the report.

**1\. Watch for Run-Time Exposure**

One in five applications was found to contain high, critical, or apocalyptic runtime vulnerabilities during the execution phase of an attack. This makes them prime targets for attackers. Because the most significant software vulnerabilities tend to surface in later attack stages, it's crucial to catch issues early in the software development life cycle.

As such, AppSec and DevOps teams should aim to strengthen application runtime security. This can be accomplished by integrating continuous monitoring and real-time protection mechanisms that focus on the later stages of an attack, when the damage potential is greatest.

**2\. It's Worth Fixing Older Vulnerabilities**

While newer vulnerabilities may grab headlines, older vulnerabilities remain the most common attack vectors when it comes to supply chain security. Techniques like command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications) — as well as slow-burn vulnerabilities like CVE-2024-3094, which targeted the compression utility XZ Utils in major Linux distributions — still wreak havoc in unpatched systems. Attackers continue to successfully use historical tactics and techniques, showing that "old school" vulnerabilities present significant and persistent risks.

To counter these tactics and techniques and drive down the opportunity for attack, organizations should regularly review and update legacy systems and codebases to patch known vulnerabilities. Further, implementing a robust vulnerability management program that includes continuous scanning for both old and emerging threats will harden software to known risks.

**3\. Vulnerabilities That Span Multiple Attack Stages Amplify Damage**

In the OSC&R report data analysis, 36% of applications were found to be vulnerable to exploits in the initial access attack stage, with many overlapping across multiple stages of attack. Indeed, vulnerabilities in initial access stages often open the door for more severe threats, such as persistence and execution exploits.

The data underscores the need for AppSec and DevOps team to bolster defenses across all stages of the attack life cycle, not just in initial phases. Organizations should adopt multilayered security solutions that can detect and neutralize threats at various stages of the kill chain to prevent attackers from moving laterally within systems and causing widespread cyber and business damage.

**Next Steps for AppSec Teams**

One of the questions the inaugural OSC&R report sought to answer was whether what AppSec and DevOps teams focus on matched the vulnerabilities found in the wild. The data reveals that this is not yet the case. Progress is being made, but the high volume of vulnerabilities passing through the supply chain into live applications, and the large percentage of organizations that report supply chain security incidents, indicate that greater focus on proactive software security measures is needed.

In addition, organizations need to do a better job of looking systemically at both their software development processes and the attack lifecycle to identify the places most likely to be at risk. But historical data alone is not the answer. Organizations must implement the tools and processes that give them holistic visibility of their supply chain — from the build stage all the way through runtime, and including the development and testing environments, which are occasionally overlooked.

Further, it's clear that focusing on one or two stages of software development or one stage of the attack lifecycle isn't enough. Businesses must adopt a multilayered, full-lifecycle AppSec strategy — accompanied by tools that can unify all stages — to reduce the probability of attack.

Development and security teams now have a reference they can use to map their programs to known attack vectors and tactics. OSC&R, in effect, sets the foundation for operating a streamlined software security program that reduces the number of vulnerabilities that reach production, enhancing the resiliency of the organization as a whole and easing the fears of breach due to software flaws.

**About the Author**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

Lessons From OSC&amp;R on Protecting the Software Supply Chain

Given increased tensions with China over tariffs, companies could see a shift in attacks, but also fewer regulations and a run at a business-friendly federal privacy law.

Source: Anna Moneymaker via Shutterstock

President-elect Donald Trump's return and his promised shift to a more insular foreign policy will likely result in a new set of cyber threats, fewer regulations for most industrial sectors, and possible business-friendly federal privacy legislation, cybersecurity and legal experts say.

The president-elect is moving quickly with nominations for cabinet officials and other high-level appointees. While he named South Dakota Gov. Kristi Noem to lead the Department of Homeland Security, Trump has not yet named a candidate for director of the Cybersecurity and Infrastructure Security Agency (CISA), which leads government cybersecurity efforts.

Overall, however, companies should expect far less emphasis on regulations and more focus on protecting critical infrastructure and technology companies, says Michael Bahar, co-lead of global cybersecurity and data privacy at Eversheds Sutherland, a global legal advisory firm.

"We are going to see — at the federal level — a deprioritization of cybersecurity regulations and cybersecurity enforcement," he says. "One really important exception is where cybersecurity intersects with trade policy and national security and technology. That's actually where you're going to see an increase of enforcement and at least a continuation of the regulatory environment."

Threats will likely shift depending on the changes in foreign policy initiated by the incoming Trump administration. Already, China has become a major concern for its cyber operations in the Asia Pacific, opposing US support for Taiwanese democracy and international opposition to China's claims to large areas of the South China Sea. Trump's stated support for Israeli settlers and for Russia's annexation of parts of Ukraine will also likely drive increasing cyber threats.

With the departure from the policy of the Biden administration, the incoming US government will spur different rivalries, says Lou Steinberg, founder and managing partner of CTM Insights

"As a new administration comes in — and there's a perception that maybe there's more support for Israel over Palestine, or more support for a deal with Russia, and maybe more toe-to-toe \[tensions\] with China — those will result in a different set of motivations, and so a different kind of response," Steinberg says. "We need to realign to the new kinds of threats that come from a new political landscape."

**Administration — and Threats — to Focus on Critical Infrastructure**

The GOP platform hosted on the Trump for President site already prioritizes the safety of critical infrastructure and the industrial base against cyber threats. But that remains the only mention of cyber in the entire document.

The president-elect's support for cybersecurity efforts shifted during his first term. In 2018, he signed the Cybersecurity and Infrastructure Security Agency Act, establishing the agency of the same name to lead efforts to protect critical infrastructure from cyberattack. Yet following his loss in the 2020 election, then President Trump criticized CISA's statement validating the security of the elections and fired then-Director Chris Krebs.

Still, the threat landscape has evolved since then, and in ways that align with the incoming Trump administration's priorities. Both China and Iran are considered larger threats, with a variety of officials pointing to China's effort to establish a network of digital beachheads for a future possible conflict as particularly dangerous.

President-elect Trump's pledge to set high tariffs on Chinese goods will likely increase tensions, and potentially lead to more significant attacks, causing China to shift its covert efforts to overt disruption, says Steinberg.

"If China thinks we're going to engage directly, their response could completely change," he says. "We're likely to see a sustained attack against critical infrastructure — so yes power, yes water, yes communications. We usually think of \[distributed denial-of-service\] attacks as last\[ing\] a couple of days, not months, but the point will be to degrade our ability to respond."

Meanwhile, Iran will likely ramp up efforts against US and Israeli targets, following the president-elect's deep support for Israel. Russia and Iran will likely continue to use disinformation against the US administration, but the approach may change, as both countries are focused on sowing discord, rather than supporting the agenda of one party over another.

**Easing Regulations, but Will It Matter?**

The deprioritization of cybersecurity regulations — and promised efforts to shrink the federal government — will likely lead to less enforcement of cyber regulations against businesses. Yet data-protection and privacy regulations will likely see a shake-up, as states look to bolster privacy and give their attorneys general the ability to pursue violators.

As a result, the US could see federal privacy legislation, says Bahar, who also co-leads Eversheds Sutherland's Congressional Investigations group.

"I think, at the state level, you're going to see an uptick — if that's even possible — of regulatory activity, in large part because there might be a perception that they need to step in to ... 'fill the void,'" he says. "It's actually likely you're going to get a federal privacy law —  a very business-friendly federal privacy law — so that \[companies do not have to deal with\] that patchwork effect of state laws."

In the end, however, easing regulations may not result in less corporate focus on cybersecurity, because the latest cybercriminal attacks often threaten business operations, Steinberg says.

"We've seen more and more companies — even less regulated companies — start to worry about cyberattacks like ransomware," he says. "So do I think a decrease in the regulatory environment might lead to a decrease in cybersecurity investment? Yeah, a little, but probably not in the defense industry, probably not in financial services, and maybe not in healthcare."

With increasing global tensions come increasing dangers, Steinberg says, and most companies will likely not be able to justify cutting budgets in the face of an uncertain threat landscape.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats

The proposed rules codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber risk management plans.

The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking to establish cyber risk management and reporting practices for pipeline, railroad, bus and other public transportation systems. The proposed rules extends existing cybersecurity framework developed by the National Institute of Standards and Technology as well as the cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).

 The proposed rules, as laid out in the Federal Register on Thursday, would affect "certain pipeline and rail owner/operators," and impose lesser requirements on some types of bus operators. These organizations would be required to establish and maintain comprehensive cyber risk management programs, to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and to designate a physical security coordinator and report significant physical security concerns to TSA. The cyber risk management plans will need to include annual cybersecurity evaluations; assessment plans that identify unaddressed vulnerabilities; and a cybersecurity operational implementation plan describing officials in charge of cyber, critical cyber systems and how they are protected, measures in place to detect cyberattacks, and what will be done to address and recover from cyber incidents.

If approved, the new rules would impact just under 300 surface transportation owners/operators regulated by the TSA across freight railroad, passenger railroad, rail transit and pipeline sectors, and would also require the aviation sector to comply. Specifically, the rules would impact 73 of the approximately 620 freight railroads currently operating in the U.S., 34 of the approximately 92 public transportation agencies and passenger railroads, 71 over-the-road bus owners and operators, and 115 of the more than 2,000 pipeline facilities and systems.

"TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure," said TSA Administrator David Pekoske in a statement. "The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation."

This is one of the Biden administration’s last efforts to shore up the cybersecurity of critical infrastructure in the wake of the ransomware attack that crippled Colonial Pipeline back in 2021. The proposed rule is open for public comment until February 2, 2025.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

TSA Proposes Cyber Risk Mandates for Pipelines, Transportation Systems

Frenos offers a zero-impact, continuous security assessment platform for operational technology environments.

Source: Zoonar GmbH via Alamy Stock Photo

Continuous security assessment platform newcomer Frenos narrowly edged out the competition to win this year's DataTribe Challenge, held by seed-stage venture capital firm DataTribe.

Four finalists were chosen from hundreds of pre-seed and seed stage cybersecurity and data science startups, and each got to present their case during Wednesday's Challenge Finalists Event. In addition to splitting part of a $25,000 prize, finalists were given the opportunity to present their business to a panel of judges, investors and industry leaders. Finalists also received one-on-one messaging and strategy coaching from DataTribe.

When evaluating the finalists, whether the company has the right team in place — and if they're truly experts in their field — plays a big part, says DataTribe's chief innovation officer Leo Scott. The judges also evaluate the addressable market for each company’s offering and how well they meet that need. 

Frenos, based in Charlotte, N.C., has both.

The startup created a zero-impact, continuous security assessment platform for operational technology environments, giving OT organizations the ability to perform attack simulations and penetration testing. 

"They are truly leading experts in the OT environment," Scott says. "And if you look into the geopolitical landscape, it is a pretty important space, from broad national security to literally keeping the lights on."

The list of finalists include Austin, Tex.-based DataMonstr, New Jersey-based Force Field, and San Francisco-based Validia.

*   DataMonstr provides protection to the developer environment, both at developer endpoints and at the source code repository level. 
    
*   Force Field offers a system to verify the authenticity of photos, videos and audio to reduce fraud in areas like insurance claims. 
    
*   Validia provides real-time identify verification to combat deepfakes and impersonation in remote work environments. 
    

For Brian Proctor, founder and CEO of Frenos, participating in the competition has helped the company on its road to landing seed funding. 

"One of the great things about it, which we really liked, is that every finalist is assigned an advisor from DataTribe. So they really work hand in hand with you to refine the pitch, get feedback on your presentation," says Proctor. "We had an excellent advisor, David, who was part of our team. Honestly, without David, I'm not sure what the outcome would have been. He was a huge help."

DataTribe has invested in eight of the finalists of its six previous competitions, and more than 20 companies have received funding after participating in the competition, Scott says.

Check out what DataTribe's Leo Scott had to say regarding the DataTribe Challenge in this Dark Reading News Desk segment from Black Hat USA 2024.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Frenos Takes Home the Prize at 2024 DataTribe Challenge

Several versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.

Source: tofino via Alamy Stock Photo

Researchers at Varonis discovered a vulnerability within Postgres language extension PL/Perl, allowing a user to set arbitrary environment variables in PostgreSQL session processes.

The vulnerability was given a CVSS 8.8 score for severity and could lead to severe security issues, depending on the scenario where it's exploited.

Tracked as CVE-2024-10979, the flaw allows a threat actor to modify a sensitive environment, ultimately allowing them to execute arbitrary code without accessing a user of the operating system.

The vulnerability also allows a threat actor to run additional queries to gather information on the machine and its contents.

Versions preceding PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected by this vulnerability and can be mitigated by upgrading to PostgreSQL, "to the latest minor version at a minimum," according to the researchers, as well as restricting allowed extensions.

Postgres customers should also examine ddl logs for creation of functions they do not recognize or did not create themselves to assess if they have been impacted.

**About the Author**

Varonis Warns of Bug Discovered in PostgreSQL PL/Perl

In addition to his prison sentence, he will have to pay more than $1 million in restitution to his victims.

Source: Gregg Vignal via Alamy Stock Photo

Robert Purbeck, 45, received a 10-year prison sentence for hacking into 19 computer servers across the US, stealing the personally identifiable information (PII) of 132,000 people, attempting to extort an orthodontist in exchange for Bitcoin, and threatening to make public the patient records he stole.

In 2017, Purbeck purchased access to a medical clinic's computer server on a cybercriminal marketplace. Using these stolen credentials, he accessed the clinic's computers and downloaded records for more than 43,000 individuals that included names, addresses, birthdates, and Social Security numbers.

Nearly a year later, Purbeck purchased credentials on the Dark Web for a police department server in Newnan, Ga., stealing documents, police reports, and sensitive information of over 14,000 people.

And in July 2018, Purbeck threatened an orthodontist he'd stolen data from, demanding a ransom in Bitcoin. He also threatened to sell the PII of the orthodontist's child, harassing the orthodontist and his patients with threatening emails and messages.

The FBI ultimately executed a federal search warrant at Purbeck's home in 2019, seizing his computers and devices. Earlier this year, he pleaded guilty to two counts of "intentionally accessing and obtaining information from a protected computer without authorization."

Alongside his prison sentence, Purbeck was ordered to serve three years of supervised release as well as pay $1,048,702 in restitution to his victims.

Idaho Man Turns to RaaS to Extort Orthodontist

As alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up.

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

For most of my cybersecurity career, I worked on the vendor side, in presales capacity, helping businesses identify and address security pain points. Now, as an information security engineer, I am on the other side, engaging with security vendors. A typical sales engagement includes pre-sales, proof of concept (PoC), onboarding, and support. While PoCs are useful, the real complexity of a product is understood only when the customer is fully onboarding. 

Although customers are responsible for accurate implementation of systems, vendors must realize they play a key role in guiding them through settings to ensure optimal performance and reduced alert fatigue. 

Achieving 100% efficiency will always be an ongoing challenge, but alert fatigue remains a significant issue. Modern security systems involve multiple components, each generating alerts that require teams to collaborate. And as alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up. 

**The Reality of Alert Fatigue**

Alert fatigue is not new, but the problem becomes bigger as organizations adopt more complex security solutions. These tools detect every potential anomaly, generating a flood of alerts, many of which are low-priority or false positives, obscuring critical signals. 

When faced with hundreds of alerts daily, analysts can become numb, ignoring or delaying important alerts, which leads to security breaches. Vendors currently address only part of the challenge by delivering systems that detect every possible attack are only doing half their job. However, these products alone fall short in helping companies effectively manage the alert flood, often times requiring a managed security service provider (MSSP) to bridge the gap. But they must do a better job helping companies manage the resulting flood of information. 

**Why Vendors Must Take Ownership**

It may be tempting for vendors to shift alert management to customers, but vendors create the underlying logic that generates these alerts, and therefore, they must ensure their tools enable users to respond effectively rather than overwhelming them. 

Here's how vendors need to take lead: 

1.  Smart filtering and prioritization: Vendors should design tools that prioritize high-risk alerts while suppressing noise using machine learning and contextual analytics. This reduces irrelevant notifications. 
    
2.  Automation to reduce manual work: The volume of alerts makes manual intervention impractical. Vendors should offer built-in automation for routine alerts, allowing security engineers to focus on critical ones, such as sinkholing, rate-limiting, blocking malicious IPs, or isolating suspicious files. 
    
3.  Actionable alerts with context: Vendors need to provide meaningful data with each alert, contextualizing it for the customer's environment and offering clear next steps, enabling quicker, more effective responses. 
    
4.  Continuous engagement and customization: Vendors must stay engaged with customers beyond the initial setup, helping tailor systems to meet specific needs. Regular optimization reduces unnecessary alerts and ensures critical threats are identified. 
    
5.  Feedback-based adaptive learning: Vendors should provide solutions that evolve with feedback loops, learning from customer input. False positives or low-priority alert floods should lead to system adjustments, improving accuracy over time. 
    

**The Cost of Ignoring Alert Fatigue**

If vendors fail to address alert fatigue, security teams may miss critical threats, leading to breaches. Overwhelmed staff may burn out, increasing turnover. For vendors, poor alert management can erode customer trust, leading to dissatisfaction and potential churn. 

**Needed: A Partnership for Success**

Alert fatigue is a shared problem, but vendors play the key role in solving it. By offering smarter, more responsive systems, ongoing optimization, and automation with context, vendors help customers focus on what matters the most. 

This isn't just about efficiency — it's about creating a partnership between vendors and customers. Together, they must be able to cut through the noise and be able to provide clarity in the fight against modern cyber threats. Vendors must ensure their solutions don't just alert but empower users to make the best decisions. 

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Security Engineer

Supradeep Bokkasam is a Brisbane-based information security engineer with nearly 20 years of IT experience. He has worked extensively in the content delivery network (CDN) space, focusing on network and application security, identity and access management (IAM), and zero-trust network access (ZTNA). He has worked with organizations across various sectors to identify and safeguard critical assets against cyber threats.

Source

DARKReading