Black Hat Asia's NOC team gives a look inside what's really happening on the cyberfront during these events.

BLACK HAT ASIA – Singapore – When you're in an environment where the overwhelming majority of network traffic is classified as posing a severe cybersecurity threat, deciding what to be concerned about becomes not a needle in a haystack situation, but a needle in a needlestack problem.

That's the word this week at Black Hat Asia, where Neil Wyler, global lead of active threat assessments at IBM X-Force, and Bart Stump, senior systems engineer for NetWitness, took to the stage to give attendees a look inside the event's enterprise-grade network operations center (NOC). The duo oversaw the NOC's design and led the security team for the show, which ran from May 9-12. The multi-vendor network supported attendee Wi-Fi access; internal operations such as registration; the needs of business hall stands; and the communications requirements of technical trainings, briefings, keynotes, and vendor demonstrations.

"When we discuss the traffic, try to explain to others that at Black Hat it's bad all the time — all or most of the traffic is malicious," Wyler explained. "That sounds scary, but for this crowd that traffic is normal. There are people demoing attacks, there are red teams trainings going on, etc., and that means that we don't really block anything. We let that traffic fly because we don't want to take down a demo on stage or on the expo floor. Unless we see a direct attack on our infrastructure, say the registration system, we let it go."

So, in order to ferret out the actual bad, bad traffic, the NOC relies on a number of dashboards that allow a real-time view of everything flowing through the network, with the ability to capture stats on everything from device profiles to which cloud apps attendees are connecting to. It also captures raw packet data so NOC analysts can go back and rebuild sessions in the event something seems abnormally suspicious, to look at "every single thing someone is doing with every packet, in a way we can't using just logs," Wyler noted.

One of the more unusual dashboards put in place for the event offered a heat map of where Wi-Fi, Bluetooth, and even peer-to-peer wireless connections were being used, offering a quick look at where people were congregating and where there might be cyber issues afoot.

"It's an interesting perspective," explained Stump. "The bottom left corner of the map is actually the show floor, and after the business hall opened up, that got more red. You can see when breaks are happening and when they put the beverages out because people migrate. And overall, it's a quick visualization for us to see where potential issues might be coming from, where we should focus our attention."

    

_A heat map of where devices connected to the network._

In all, the NOC tracked 1,500 total unique devices connecting to the network across mobile phones, Internet of things (IoT) gear, and other endpoints, with DNS queries at their highest for the event since 2018. About three-quarters (72%) of that traffic was encrypted — a refreshingly high amount, the researchers noted. And interestingly, a domain called Hacking Clouds hosted the most user sessions — more even than the show's general Wi-Fi network for attendees.

In terms of the apps being used, TikTok made an appearance in the Top 10 for the first time, the team observed. Other top apps included Office 365 (no surprise there), Teams, Gmail, Facebook, and WhatsApp.

**Interesting NOC Happenings**

A few interesting incidents emerged from the data during the event, the duo noted. In one case, an individual was generating so much malicious activity that all of the NOC systems alerted at once.

"One particular person was so noisy that every NOC vendor partner saw their activity at the same time," Wyler said. "We're talking SQL injection on public-facing websites, WordPress compromises, lots and lots of scanning for vulnerabilities and open ports. It was like they learned something this week and went, 'Let me see if it works. I've heard about Log4j, let me see what's out there.' They took a training class and now they're spreading their wings and flying."

After the person moved from attacking restaurant chain websites to probing payment sites, it was clear the activity wasn't demo-related, so the team pinpointed the person and sent the individual a cease-and-desist email.

"We figured out they were sitting in the hallway looking out at the Bay, just attacking company after company after company," Wyler said. "We explained that it's still illegal to do what they're doing, so please discontinue attempting to execute vulnerabilities on public-facing websites. This is a violation of the Black Hat Code of Conduct and we will come find you if it doesn't stop — love, the NOC. They got that and everything stopped."

Other incidents involved VPN issues, including one that was transmitting the user's location information in clear text. The team captured the data, plugged it into Google Maps and generated a view of exactly where the person had been during the day.

    

_A VPN leak allowed the team to create a map of the user's location._

Yet another issue involved an endpoint detection and response (EDR) vendor that was sending all of the usage data it was collecting on the endpoints of its users in clear text back to its servers; one antivirus vendor was found sending unencrypted SMTP emails containing pricing quotes and other information in an unencrypted fashion, along with login credentials — allowing easy harvesting.

"An attacker could have pulled down quotes, changed quotes, gathered internal work information and customer information, definitely not good," said Stump. "It could be used to craft phishes or to manipulate pricing."

In all cases, the team worked with the problematic entities to resolve the issues. The NOC, quite simply, is on the case, according to Stump.

"People often say that at Black Hat, you shouldn't even get on the network because it's dangerous," said Stump. "But our goal is actually to leave attendees more secure than when they arrived. And that's why we do things like letting people know they're sending passwords in clear text, or when we see cryptomining activity, we'll alert them. We're committed to that."

'Very Noisy': For the Black Hat NOC, It's All Malicious Traffic All the Time

Regulators should apply a healthy skepticism to generative AI developments to guarantee a competitive marketplace.

Generative artificial intelligence (AI) is developing at breakneck speed. After a couple of months of unalloyed enthusiasm, crucial questions about accuracy, bias, security, and regulation are now surfacing. Recently we've seen officials in Germany and Italy scrutinize or outright ban ChatGPT over security and privacy concerns. US regulators are moving toward a similar healthy skepticism.

Blanket regulations on particular applications of AI models might appeal to some as a way to constrain markets, but as Bill Gates recently said, "it won't solve \[its\] challenges." A better way for regulators to ensure AI development and deployment is safe, open, and producing real-world benefits is to keep markets robust by scrutinizing AI partnerships that lack transparency and other arrangements that try to prevent fair competition. The standard to strive for is an innovative, transparent, and competitive marketplace that can bring life-changing technology to the masses in safe and responsible ways.

**Microsoft's Footprint**

The place to start is with the partnership between Microsoft and OpenAI. Microsoft grasped the potential of OpenAI's work long before the resounding success of ChatGPT's public launch. But Microsoft's 2019 deal with OpenAI was not a conventional financial investment. Instead, the initial billion dollars from Microsoft largely came in the form of Azure credits, a de facto subsidy that led to OpenAI being built on Microsoft's cloud — exclusively and rent free.

This unusual partnership has created deep ties between Microsoft and OpenAI's technology infrastructures and sets a clear path to a technological walled garden. The agreement presents pressing questions for regulators: why should this partnership not be viewed as a deft move to create a subsidiary relationship while avoiding antitrust scrutiny? If so, should the Federal Trade Commission step in immediately to examine the impact on the competitive landscape? Is telegraphing a walled-garden strategy enough to warrant investigation and potential action by regulators today to forestall future harm?

History suggests the answer to these questions should be yes. Digital technology over the past 40 years has followed a predictable cycle: a long period of slow, incremental evolution culminating in a threshold moment that changes the world. This pattern led to the World Wide Web in the 1990s, mobile phones in the 2000s, and is happening today with AI. As AI prepares to enter a new phase of broad adoption and revolutionary technologies, the biggest risk that technology itself cannot solve for will very likely be anti-competitive business practices.

History also shows what will likely happen if regulators stand by. Large, first-mover firms will try to lock up foundational technologies and use market power to create long-term advantage. Microsoft wrote the playbook with the bundling of Internet Explorer into Windows and now appears ready to rerun that familiar play.

**Equal Terms**

If OpenAI can't run its most advanced models efficiently on non-Microsoft platforms, society will lose out. We want foundational technologies to be available on equal terms to innovators large and small, established and otherwise. We want companies to succeed wildly by using and building on foundational technologies, on the basis that innovation and competition creates previously unimaginable products that benefit customers and society at large. We don't want one company serving as gatekeeper and hoarding foundational technology to limit innovation from competitors. And more importantly, if we let a Microsoft AI walled garden be built, are we inviting other AI walled gardens to quickly follow — an Oracle walled garden, a Meta walled garden, a Google walled garden — limiting interoperability and stunting innovation? This is precisely the scenario that modern antitrust policy aims to prevent.

An optimist might object to this argument and point out that the early pathway for foundational technologies is notoriously hard to foresee. No one can prove at this moment that new entrants and open source alternatives won't reduce OpenAI's lead or even get out ahead. But if that hopeful view is incorrect, going backward to undo the damage will be tougher, bordering on impossible. Hoping for the best isn't a good strategy in antitrust, just as elsewhere.

Modern innovation often requires massively ambitious bets. It's one thing for a monolithic firm to invest billions in a startup with long-term research and development programs. It's another thing entirely to shape the investment into a captive relationship with a just-emerging foundational technology whose application could lead the innovation environment for decades.

Regulators are right to question the policies that guide AI ethics, fairness, and values. But one of the most effective ways to advance those goals is to ensure a broad, diverse, and competitive marketplace where the key foundational technologies are open for equal access. That means taking steps now to prevent "walled gardens'' from being built in the first place. Rather than scrambling for a cure too far down the road, regulators should step in now and ensure the Microsoft-OpenAI partnership isn't simply anti-competitive activity under a clever disguise. Otherwise, a single company's profit could be set up to prevail over what promises to be a world changing threshold moment.

AI Is About to Be Everywhere: Where Will Regulators Be?

As a way to enhance MFA security, Microsoft will require users to authorize login attempts by entering a numeric code into the Microsoft Authenticator app.

Multifactor authentication (MFA) is an essential element of identity and access management, but it is not fail-proof, especially as attackers increasingly employ social-engineering tactics to bypass MFA controls. To enhance the security of MFA, Microsoft is enforcing "number matching" for all users of its Microsoft Authenticator app.

Previously, the process flow for Microsoft Authenticator displayed a prompt in the app when the user tried to log in. The user tapped the prompt on the secondary device to authorize the transaction. Number matching adds another step by forcing users to have the secondary device and see the login screen on the primary device. Instead of just tapping the prompt, users will now have to enter a number that is displayed on the application's login screen. A person logging into Office 365, for example, would see a message on the original login screen with a numeric code. The person would enter that code into the Authenticator app on their secondary device to approve the transaction. There is no way to opt out of entering the code.

"Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator," Microsoft said in a supporting article. "We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023."

**Attacks Are More Prevalent**

Number matching was originally introduced in Microsoft Authenticator as an optional feature in October, after attackers started spamming users with MFA push notification requests. Users were granting access to the attackers just to get the spam notifications to stop or by mistake. Number matching is designed to help users avoid accidentally approving false authentication attempts. MFA fatigue – overwhelming users with MFA push notifications requests – has “become more prevalent,” according to Microsoft, which observed almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts last August, compared with 32,442 in 2021. Last year 382,000 attacks employed this tactic, Microsoft said.

It was also recently used in attacks against Uber, Microsoft, and Okta.

Number matching with Authenticator will be used for actions such as password resets, registration, and access to Active Directory. Users will also see additional context, such as the name of the application and the location of the login attempt, to prevent accidental approvals. The idea is that users cannot accept a login attempt if they are not in front of the login screen at that time.

**How to Enable Number Matching**

While number matching was enabled by default for Microsoft Azure in February, users will see some services start using this feature before others. Microsoft recommends enabling number matching in advance to "ensure consistent behavior." Administrators can enable the setting by navigating to **Security - Authentication methods - Microsoft Authenticator** in the Azure portal.

1.  On the **Enable and Target** tab, click **Yes** and **All users** to enable the policy for everyone or add selected users and groups. The **Authentication mode** for these users and groups should be either **Any** or **Push**.
2.  On the **Configure** tab for **Require number matching for push notifications**, change **Status** to **Enabled**, choose who to include or exclude from number matching, and click **Save.**

Administrators can also limit the number of MFA authentication requests allowed per user and lock the accounts or alert the security team when the number is exceeded.

Users should upgrade to the latest version of Microsoft Authenticator on their mobile devices. Number matching does not work for wearables, such as Apple Watch, or other Android devices. Rather, users will have to key in the number via the mobile device.

Microsoft Authenticator to Enforce Number Matching

New data shows cyberattacks targeting software supply chains will cost the global economy $80.6 billion annually by 2026.

**Hampshire, UK – 11th May 2023:** A new study from Juniper Research, the foremost experts in cybersecurity markets, has found that the total cost of software supply chain cyberattacks to businesses will exceed $80.6 billion globally by 2026, up from $45.8 billion in 2023. This growth of 76% reflects increasing risks from absent software supply chain security processes, and the rising complexity of software supply chains overall.

The new study, Vulnerable Software Supply Chains Are a Multi-billion Dollar Problem, highlights the need for greater emphasis on the software elements of the supply chain as a critical security vulnerability. The study analysed how both shifts in wider cybersecurity processes, and the mindset around the management of the software supply chain are needed to address these risks.

"The software supply chain has been neglected over the years as a source of risk, leading to a situation where organisations face significant issues, if they cannot change the way they operate," said Nick Maynard, report author and Head of Research at Juniper Research. "As software supply chains become more complex, the problem becomes exponentially more complicated, requiring immediate attention to resolve, through regulations, SBOMs (Software Bills of Materials), embedded security, and cybersecurity solutions."

BlackBerry, a seasoned security vendor, commented on the study. "Enhancing the security of software supply chains is critical for national security and for building a trusted digital world," said Arvind Raman, CISO, BlackBerry. "BlackBerry welcomes this study from Juniper Research, which outlines why software supply chain security practices must be adopted by all industries, and we are pleased to be recognised for our best-in-class security solutions that address this market need. BlackBerry has long been a champion of built-in security and a pioneer of cybersecurity, which is why we have earned the trust of organisations around the world."

The study also examines the importance of software supply chains across several verticals, including, financial services, government, automotive, and healthcare, making the study vital reading for key stakeholders in those high-risk industries.

The study can be viewed here.

**About Juniper Research**

Juniper Research provides research and analytical services to the global hi-tech communications sector; providing consultancy, analyst reports, and industry commentary.

Juniper Research Study Reveals Staggering Cost of Vulnerable Software Supply Chains

**TOKYO****,** **May 11, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704;TSE: 4704), a global cybersecurity leader, today announced earnings results for the first quarter of fiscal year 2023, ending March 31, 2023 by reporting 16% year-over-year growth. 

Trend Micro's business resilience continues to be achieved by diversifying between both enterprise and consumer customers spanning more geographies than any pure play cybersecurity company. With a singular focus on cybersecurity, these results were powered by a customer base of over 500,000 organizations across more than 175 countries.  

As the growth engine for the company, the enterprise customer segment grew 20% YoY net sales at actual currency driven by a 9% increase in SaaS deployments globally. Enterprise ARR increased by 25% YoY totaling more than US $692 at the company's internal plan exchange rate. The company protects over 68 million enterprise assets at a growth rate of 29% YoY.

As the value engine for the company, Trend continued to invest in its consumer business growing across all geographies at 6% YoY net sales at actual currency.

"We too see the economy impacting markets and expect this to continue for the remainder of the year despite cybersecurity being identified as a critical priority," said Trend Micro CEO and co-founder Eva Chen. "Organizations worldwide are tightening budgets and prioritizing vendors who understand and ease the pressures of the security operations center. We proudly empower every organization to thrive in a world with less risk."

For this quarter, Trend Micro posted consolidated net sales of 58,704 million Yen (or US $443 million, 132.40 JPY \= 1USD). The company posted operating income of 9,548 million Yen (or US $72 million) and net income attributable to owners of the parent of 6,374 million Yen (or US $48 million) for the quarter.

The company will not revise expected consolidated results for the full fiscal year ending December 31, 2023 (released on February 16, 2023). Based on information currently available to the company, consolidated net sales for the year ending December 31, 2023 is expected to be 248,500 million Yen (or US $1,840 million, based on an exchange rate of 135 JPY \= 1 USD). Operating income and net income are expected to be 34,800 million Yen (or US $257 million) and 25,100 million Yen (or US $185 million), respectively.

**Key Business Updates in Q1 2023**

**Innovative**: Trend nurtures a culture of innovation to drive advancements across its cybersecurity platform.

*   Acquired SOC experts Anlyz to extend its orchestration, automation and integration capabilities for the Trend Vision One platform and empower Managed Security Service Providers to improve operational efficiencies, cost effectiveness and security outcomes.
*   Launched a new incubation project as a subsidiary of Trend Micro, focused on combating emerging threats in the private 5G networks.

**Trusted**: Trend is a trusted partner to the customers and communities that it serves.

*   Disclosed newest ransomware survey that revealed how decision makers can leverage operational changes to collectively help drive down ransomware profitability.
*   Announced that the Trend Micro Zero Day Initiative's (ZDI's) Pwn2Own bug bounty competition will add a contest to secure connected vehicle ecosystems.
*   Conducted two Pwn2Own competitions in Q1 which collectively awarded over US $1 Million to external researchers who discovered over 50 unique zero-days, including the first-time generative AI like ChatGPT was used to detect a vulnerability.

**Global**: Trend has the most geographically diverse customers in the industry, with millions of sensors powering the Trend Vision One platform for superior attack surface risk management.

*   Released a global study revealing that while global organizations plan to increase cybersecurity budgets in 2023, while business leaders hold conflicting views on functions.
*   Established a new research and development center in Bangalore, India, with more than 40 technical employees, expanding its worldwide engineering team of over 3000.

**New Patents Filed**

Trend Micro was awarded the following patents in Q1 2023:

**Notice Regarding Forward-Looking Statements**

Certain statements included in this press release that are not historical facts are forward-looking statements. Forward-looking statements are sometimes accompanied by words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "should," "would," "plan," "predict," "potential," "seem," "seek," "future," "outlook" and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. These statements are based on our current expectations and beliefs and are subject to a number of factors and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. Although we believe that the expectations reflected in our forward-looking statements are reasonable, we do not know whether our expectations will prove correct. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof, even if subsequently made available by us on our website or otherwise. We do not undertake any obligation to update, amend or clarify these forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required under applicable securities laws.

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.trendmicro.com.

SOURCE Trend Micro Incorporated

Trend Micro Reports Consistent Earnings Results for Q1 2023

Corgan got FBI involved to track down the cybercriminal, who had stolen from other artists as well, he said.

Smashing Pumpkins front man Billy Corgan was on a recent podcast to promote the band's new album, and he told the hosts that a hacker stole several of the songs before the release and threatened to leak them without a payoff.

"A fan contacted me and said nine of the songs have leaked," Corgan told the Klein/Ally Show, according to CBS News. "This is like six months ago. And they were all probably the most catchy, singley type songs."

Corgan added he paid off the cybercriminal out of his own pocket. After Corgan contacted the FBI, the hacker was tracked down, he explained.

"What we were able to do was stop the leak from happening," Corgan added, "because it was a mercenary person who had hacked somebody — I don't want to say who, excuse me — and they had other stuff from other artists."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Billy Corgan Paid Off Hacker Who Threatened to Leak New Smashing Pumpkins Songs

Data on more than 830K people exposed in the 2021 cyberattack.

The Korean National Police Agency (KNPA) has concluded that a cyberattack on Seoul National University Hospital (NSUH), one of the largest hospitals in the country, was the handiwork of North Korean hackers.

The attack occurred between May and June 2021.

The police report does not explicitly name any particular threat group, but it is believed that the Kimsuky group is responsible for the attack, according to South Korean media reports. Using seven servers based in multiple countries, including South Korea, the attackers infiltrated the hospital's internal network, leading to data exposure for 831,000 people, most of whom were patients.

After two years conducting analytical investigations to identify the threat actors, South Korean law enforcement stated they attributed the attack to North Korean hackers based on the intrusion techniques, website registration, the IP addresses linked to threat actors in that country, and the North Korean language and vocabulary used in the attack.

"We plan to actively respond to organized cyberattacks backed by national governments by mobilizing all our security capabilities," the KNPA stated in a press release, "and to firmly protect South Korea's cybersecurity by preventing additional damage through information sharing and collaboration with related agencies."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

North Korean Hackers Behind Hospital Data Breach in Seoul

Field programmable gate arrays are particularly useful for organizations that are embracing new edge computing devices and applications.

As 5G and the Open Radio Access Network (ORAN) accelerate the emergence of new edge computing devices and applications, there has been no shortage of new security challenges. Firmware attacks have proliferated in recent years, increased Internet of Things (IoT) device connections are expanding the network attack surface, and legacy network risks are still being exploited. Between these threats and rising compliance standards, network architects face mounting pressure to ensure their systems are not just secure but cyber resilient.

Cyber resiliency is the ability to continuously protect systems, detect threats, and recover from firmware attacks. As the network becomes more decentralized, its attack surface becomes larger and bad actors find more ways to exploit vulnerabilities. To achieve cyber resiliency, network architects are looking at root-of-trust (RoT) foundations and automating the cycle of protection, detection, and recovery functions on RoT components.

Field programmable gate arrays (FPGAs) have proved to be particularly useful to serve as a hardware root of trust (HRoT) device, given their inherent flexibility, small form factor, and low power consumption. These characteristics make FPGAs an ideal security engine not just for telecommunication vendors, but also for a variety of industries that are rapidly moving to the edge.

As the number of 5G IoT connections continues to increase, the importance of security, power efficiency, and overall system performance cannot be overstated. FPGAs are helping ensure a cyber resilient future in a variety of applications.

**Data Centers**

Similar to telecommunication hardware, data centers need to have proactive measures in place to protect their data if they are to be cyber resilient. They must be able to automatically detect threats and recover, yet they face the additional pressure of maintaining enough functionality to deliver on their service-level requirements. Platform firmware resiliency (PFR) provides the "protect, detect, recover" real-time cycle to do so, and it starts with leveraging an HRoT device, such as an FPGA.

FPGAs don't just detect whether malware is directly present or a system is actively under attack. Instead, they proactively monitor systems pre- and post-boot, which is vital because bad actors understand that this is when a system is most vulnerable. If an attack on firmware manages to be successful, flash devices on the FPGA can load a golden image of the authorized firmware, override the unauthorized version, and ensure recovery of the system.

Beyond their built-in cyber resilient features, FPGAs can also be upgraded in the field if any new security vulnerabilities are found after a design is locked, including with post-quantum cryptographic algorithms. System architects can essentially "future-proof" their new hardware designs thanks to FPGAs' ability to be reprogrammed in-field, rather than needing devices to be brought back home for upgrades or to replace the entire system.

**Automotive Designs**

Although the automotive industry has made great strides to improve vehicle comfort and safety through advanced driver assist systems (ADAS), vehicle connectivity, and autonomous driving, it has also made vehicles newly susceptible to various security threats and cyberattacks. Beyond protecting their physical cars, consumers now also need to ensure that their vehicles are not being hacked or tampered with remotely.

This is where functional safety (FuSa) becomes increasingly important. FuSa ensures systems or pieces of equipment are operating correctly in response to inputs or failure; it is a crucial part of the overall safety of a system. FPGAs are often used to connect multiple displays and cameras in a vehicle and can help ensure that safety-critical information is reliably reproduced, while also notifying the driver of an error or failure.

Practices like PFR are moving into the automotive realm to bring consumers peace of mind, and FPGAs are providing HRoT capabilities to vehicles on the road. As the line between the physical highway and the digital network continues to blur, FPGAs offer an ideal platform for security.

**Smart Home Control and Security**

At home, smart devices, such as security cameras, smart doorbells, home assistance devices, and smart appliances, have proliferated over the years. Beyond hardware security to protect from mundane attacks, designers are looking for flexibility in sensor choices, powerful edge processors, and the ability to aggregate data from multiple sources for processing. FPGAs meet each of these requirements so smart home devices can function as smoothly — and therefore securely — as possible.

Moreover, since smart home control and security systems demand such high levels of data processing power, it's key that they function with the lowest latencies possible to prevent security vulnerabilities.

**Small in Size, Big in Impact**

The applications above only scratch the surface of the impact FPGAs are having across industries. It's remarkable to see a single technology be used in such a variety of applications, but good security is everyone's best interest.

No matter your business, pay close attention to the cybersecurity landscape and how FPGAs are helping us all live in a more digitally secure future.

Integrating Cyber Resiliency With FPGAs

RSA's Innovation Sandbox 2023 focused on the software supply chain, as well as attack surfaces exposed by generative AI, ML systems, and APIs.

Cybersecurity has traditionally secured the use of off-the-shelf IT hardware and software. Yet almost all the finalists at this year's RSA Innovation Sandbox centered around securing attack surfaces arising from the building of applications, machine learning systems, and API integrations. And while that may sound like the SecDevOps and software supply chain security of old, these innovators are focused on a larger opportunity.

Innovation Sandbox is RSA's _Shark Tank_\-like competition bringing 10 startup finalists to present onstage before judges. HiddenLayer took the top prize for defending ML systems against adversarial AI.

Today, every company is a software company, and more developers and data scientists arrive each year. Yet nondevelopers have begun to build software, too. Anyone can ask ChatGPT to code API integrations to their favorite SaaS app. Or to drag tasks into the playbooks of orchestration tools. This year's finalists highlighted new attack surfaces produced by this growing business activity of software building.

**Surprising Vulnerabilities in ML Systems**

Cylance was hit with an adversarial AI attack in 2019, directly targeting its ML systems. Those involved were so sure they witnessed the future of cyber warfare, they built the Innovation Sandbox winner, HiddenLayer.

HiddenLayer defends ML systems against attacks that the public may have heard of, like poisoned training data. Yet the industry hasn't really addressed how easy it is to steal intellectual property (IP) from ML systems. As an example, inference attacks probe deployed ML models, learning to create labels that automatically train new models to mimic the victim's now stolen IP.

HiddenLayer protects customer models while they’re still being staged, detects their vulnerabilities, then protects and obfuscates models once deployed. In addition to their product, HiddenLayer offers a managed detection and response service for this unfamiliar world.

Many want the insights and automation that third-party AI providers, such as OpenAI, can deliver. Yet they don't want to share sensitive data. Enter Zama, the finalist working on the holy grail of AI privacy, fully homomorphic encryption.

Zama's fully homomorphic encryption allows their end customer's application developers to encrypt sensitive data into structures of ciphertext, then share it with third-party AI providers. After this third-party AI provider has completed its work on the structured ciphertext, the new analytic insights are handed back to the customer who originally shared their data. Homomophic's magic now happens as it's decrypted, with the integrity of the third-party AI's insights and their relation to the customer's private data intact. Yet no secrets were ever shared, only encrypted cyphertext.

Zama's twist is a quantization technique that optimizes by using integers instead of decimals, the latter of which require extra CPU instructions for even basic math.

**Enabling Software Developers Instead of Critiquing Code**

The shift-left movement has failed to make developers fix insecure code. This year's startups focused less on analyzing code and more on helping developers write secure code in the first place.

Taking second place was Pangea, which provides already working security functionality that can be built into applications with one-line API integrations. Pangea calls it shifting left-of-left: enable developers, instead of creating arguments with SecDevOps.

Other finalists in this mold include Endor Labs, which comes from the founder of cloud posture management pioneer RedLock, which became Palo Alto Networks' Prism cloud. Endor Labs targets the open source side of software composition analysis. Open source libraries are everywhere. As Endor Labs tells it, there’s even foundational Internet code maintained by single part-time developers. And some of these folks have even served time in prison. Endor Labs helps developers choose open source wisely, as they develop.

Relyance AI enforces privacy by asserting compliance against a company's custom code. The advanced intelligence they built in only three years may cause a double take. Relyance AI cites advances in NLP, and generative AI's ability to rapidly prototype as having accelerated R&D. They've built an AI product that understands privacy clauses in compliance documents, and enforces these on developer code.

Dazz focuses on orchestrating remediation across the sprawling software development life cycle. Today a diverse set of code-to-cloud personnel deploy applications on numerous continuous integration and continuous development (CI/CD) pipelines. They maintain their own container images, write code and include who-knows-what libraries and artifacts. Dazz auto-maps these CI/CD pipelines, then orchestrates remediating vulnerabilities across sprawling departments and actors.

**API Integrations Threaten Software Supply Chain**

The most important supply chain issue no one is talking about is back-end API integrations. Hidden data flows between commercial SaaS vendors arise as business users build "shadow integrations" with orchestration platforms and generative AI — even without coding skills. Because these integration apps automate and authenticate, these integrations are often handled by nonhuman identities, and there are a lot more nonhumans than humans.

Astrix Security maps the web of APIs, monitors, and reins in these API-to-API shadow integrations. By Astrix's count, there are 45 times more nonhumans traversing these connections than employees, making this the new identity problem.

Valence Security maps the SaaS-to-SaaS mesh, handles misconfigurations, and remediates — including an education step. They explain how in the new decentralized world, business users may essentially end up as SaaS admins.

**Timely Topics: SBOMs, Blockchain Contracts**

SafeBase builds a secure role-based trust center allowing a vendor's salespeople and customers to share supply chain information, share software bills of materials (SBOMs), and facilitate the expensive questionnaire process.

The final competitor, AnChain, showcased a Web3 SOC product that monitors, detects, responds to, and investigates blockchain smart contracts.

Innovation Sandbox gave us a first glimpse at securing the upcoming automation era where developers, data scientists, _and_ business users go to work every day and build potentially vulnerable software.

Startup Competition Secures ML Systems, Vulnerabilities in Automation

New "Greatness" phishing-as-a-service used in attacks targeting manufacturing, healthcare, technology, and other sectors.

A previously unreported phishing-as-a-service (PaaS) tool allows even script kiddies to build compelling, effective phishing attacks against businesses.

Researchers at Cisco Talos detailed their findings on "Greatness," a one-stop-shop for all of a cybercriminal's phishing needs. With Greatness, anyone with even rudimentary technical chops can craft compelling Microsoft 365-based phishing lures, then carry out man-in-the-middle attacks that steal authentication credentials — even in the face of multifactor authentication (MFA) — and much more.

The tool has been in circulation since at least mid-2022 and has been used in attacks against enterprises in manufacturing, healthcare, and technology, among other sectors. Half of the targets thus far have been concentrated in the US, with further attacks occurring around Western Europe, Australia, Brazil, Canada, and South Africa.

"It's designed to be accessible," says Nick Biasini, head of outreach for Cisco Talos. "It democratizes access to phishing campaigns."

**How Greatness Works**

To a victim, Greatness will come in the form of an email with a link, or usually an attachment disguising an HTML page. Clicking on the attachment will open a blurred image of a Microsoft document behind a loading wheel, giving the impression that the file is loading. But the document never loads. Instead, the victim is redirected to a Microsoft 365 login page.

That might seem suspicious if not for the fact that the victim's email address, as well as their company's logo, are already pre-filled on the page, lending an air of legitimacy to the whole affair.

At this point, the man-in-the-middle scheme begins. The victim submits their password to 365, not knowing they're helping to log in their own attacker. Even if a victim has MFA implemented, it's no problem. 365 requests a code, the victim submits it, Greatness intercepts it, and the ruse continues. Greatness collects its authenticated session cookies and passes it on to the threat actor via Telegram or its admin panel.

It used to take time, effort, and _coding_ to craft phishing attacks this convincing. With Greatness, all you have to do is fill out a form: title, caption, an image of an Excel spreadsheet to trick them with, and so on. Enabling the "autograb" feature automatically pre-fills the 365 login page with the victim's email address, according to Talos' findings.

"Basically you just pay, you get access to your API, and that's it," Biasani says. "You have to understand some basic things, like what API keys are, and how to apply it in the portal, but it's pretty, pretty user-friendly."

**Why Greatness Works So Great**

Because Greatness is so slick in presentation and so effortlessly bypasses MFA, simple awareness and cyber hygiene may not be enough to save an enterprise from its grasp.

One simple change organizations can make is to adjust cookie session timeouts. "Having a timeout value of, like, two weeks is not a good look in the threat landscape that we're looking at today," Biasani explains. He adds, though, that "the challenge is you also have a user base, and forcing people to use MFA every five minutes is not going to go over very well, either. So you're kind of sitting in that middle space: a security decision versus a usability decision. It's a very tough balance."

Where simple fixes won't solve the problem, more sophisticated security is required. "This is where you start getting into things like anomaly detection," he notes, "and location-based logins. Things like that. You're going to have to take your detection up a level."

Still, Biasani sees a silver lining. "To me, more than anything else, it shows that MFA actually works … because they're \[attackers\] really actively trying to do something to counter it now," he says. "MFA is hitting a point where they can't ignore it anymore."

Source

DARKReading