Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Source: Ole.CNX via Shutterstock

When a major vulnerability shakes up the cybersecurity world — such as the recent XZ backdoor or the Log4j2 flaws of 2021 — the first question that most companies ask is, "Are we affected?" In the absence of well-written playbooks, the simple question can require a great deal of effort to answer.

Microsoft and Google are investing heavily in generative artificial intelligence (GenAI) systems that can turn large security questions into concrete actions, assist security operations, and, increasingly, take automated actions. Microsoft offers overworked security operations centers with Security Copilot, a GenAI-based service that can identify breaches, connect threat signals, and analyze data. And Google's Gemini in Security is a collection of security capabilities powered by the company's Gemini GenAI.

Startup Simbian is joining the race with its new GenAI-based platform for helping companies tackle their security operations. Simbian's system combines large language models (LLMs) for summarizing data and understanding native languages, other machine learning models to connect disparate data points, and a software based expert system based on security information culled from the Internet.

Where configuring a security information and event management system (SIEM) or a security orchestration, automation, and response (SOAR) system could take weeks or months, using AI cuts the time to — in some cases — seconds, says Ambuj Kumar, co-founder and CEO of Simbian.

"With Simbian, literally, these things are done in seconds," he says. "You ask a question, you express your goal in natural language, we break into steps code execution, and this is all done automatically. It's self sufficient."

Helping overworked security analysts and incident responders streamline their jobs is a perfect application for the more powerful capabilities of GenAI, says Eric Doerr, vice president of engineering at Google Cloud.

"The opportunity in security is particularly acute given the elevated threat landscape, the well publicized talent gap in cybersecurity professionals, and the toil that is the status quo in most security teams," Doerr says. "Accelerating productivity and driving down mean time to detect, respond, and contain \[or\] mitigate threats through the use of GenAI will enable security teams to catch up and defend their organizations more successfully."

**Different Starting Points, Different 'Advantages'**

Google's advantages in the market are evident. The IT and Internet giant has the budget to stay the course, the technical expertise in machine learning and AI from its DeepMind projects to innovate, and access to a lot of training data — a critical consideration for creating LLMs.

"We have a tremendous amount of proprietary data that we've used to train a custom security LLM — SecLM — which is part of Gemini for Security," Doerr says. "This is the superset of 20 years of Mandiant intelligence, VirusTotal, and more, and we're the only platform that has an open API — part of Gemini for Security — that allows partners and enterprise customers to extend our security solutions and have a single AI that can operate with all the context of the enterprise."

Like Simbian's guidance, Gemini in Security Operations — one capability under the Gemini in Security umbrella — will assist in investigations starting at the end of April, guiding the security analyst and recommending actions from within Chronicle Enterprise.

Simbian uses natural language queries to generate results, so asking, "Are we affected by the XZ vulnerability?" will produce a table of IP addresses of vulnerable applications. The systems also uses curated security knowledge gathered from Internet to create guidebooks for security analysts that show them a script of prompts to give to the system to accomplish a specific task.

"The guidebook is a way of personalizing or creating trusted content," says Simbian's Kumar. "Right now, we are creating the guidebooks, but once ... people just start to use it, then they can create their own."

**Strong ROI Claims for LLMs**

The returns on investment will grow as companies move from a manual process to an assisted process to autonomous activity. Most GenAI-based systems have advanced only to the stage of an assistant or copilot, when it suggests actions or takes only a limited series of actions, after gaining the users permissions.

The real return on investment will come later, Kumar says.

"What we are excited about building is autonomous — autonomous is making decisions on your behalf that are within the scope of guidance you have given it," he says.

Google's Gemini also seems to straddle the gap between an AI assistant and an automated engine. Financial services firm Fiserv is using Gemini in Security Operations for creating detections and playbooks faster and with less effort, and for helping security analysts quickly find answers using natural language search, boosting the productivity of security teams, Doerr says.

Yet trust is still an issue and a hurdle for increased automation, he says. To bolster trust in the system and solutions, Google remains focused on creating explainable AI systems that are transparent in how they come to a decision.

"When you use a natural language input to create a new detection, we show you the detection language syntax and you choose to run that," he says. "This is part of the process of building confidence and context with Gemini for Security."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

The Race for AI-Powered Security Platforms Heats Up

Terratec dmx_6fire USB version 1.23.0.02 suffers from an unquoted service path vulnerability.

    # Exploit Title:  Terratec dmx_6fire USB - Unquoted Service Path# Google Dork: null# Date: 4/10/2024# Exploit Author: Joseph Kwabena Fiagbor# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/# Software Link:# Version: v.1.23.0.02# Tested on: windows 7-11# CVE : CVE-2024-318041. Description:The Terratec dmx_6fire usb installs as a service with an unquoted servicepath runningwith SYSTEM privileges.This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.2. Proof> C:\Users\Astra>sc qc "ttdmx6firesvc"> {SC] QueryServiceConfig SUCCESS>> SERVICE_NAME: ttdmx6firesvc>         TYPE               : 10  WIN32_OWN_PROCESS>         START_TYPE         : 2   AUTO_START>         ERROR_CONTROL      : 1   NORMAL>         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service>         LOAD_ORDER_GROUP   : PlugPlay>         TAG                : 0>         DISPLAY_NAME       : DMX6Fire Control>         DEPENDENCIES       : eventlog>                            : PlugPlay>         SERVICE_START_NAME : LocalSystem>>

Terratec dmx_6fire USB 1.23.0.02 Unquoted Service Path

By Waqas
Here's an updated list of five effective CAPTCHA plugins for WordPress that can help enhance the security of your website by preventing spam and bot activities:
This is a post from HackRead.com Read the original post: 5 Best CAPTCHA Plugins for WordPress Websites

As of 2024, the internet hosts over 1.89 billion websites, with approximately 835 million utilizing WordPress as their Content Management System (CMS). This represents about 43.3% of all websites globally.

Not only do these stats represent the expanding reach of the internet, but they also make WordPress a lucrative target for cybercriminals and spammers. While **WordPress security tips** are widely discussed to keep cybercriminals at bay, spamming is something not every website owner, especially newbies, is familiar with.

In this article, we will discuss five **CAPTCHA solutions** for WordPress and how a CAPTCHA plugin works.

Here’s an updated list of five effective CAPTCHA plugins for WordPress that can help enhance the security of your website by preventing spam and **bot activities:**

1.  **Captcha Plus**: This plugin offers multiple CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) options, including image-based, math-based, and Google reCAPTCHA. It’s known for its high performance and ease of customization, although it may be a bit overwhelming for beginners.
2.  **Google reCAPTCHA**: Perhaps the most well-known, this plugin uses advanced technology to differentiate humans from bots without disrupting the user experience. It’s seamlessly integrated into your forms and is supported by major form builders like WPForms.
3.  **Really Simple CAPTCHA**: As the name suggests, this plugin keeps it straightforward. It’s not as feature-rich as others, but it’s highly effective at blocking spam and is compatible with many form plugins​.
4.  **hCaptcha**: Offers a robust bot detection system and comes in both free and pro versions. The pro version includes advanced features like custom challenge creation and detailed analytics. It integrates well with a variety of forms and page builders, making it a versatile choice​.
5.  **Securimage-WP**: Great for those who prioritize a balance between strong security measures and maintaining user-friendliness. It integrates easily with popular form plugins like Contact Form 7 and Gravity Forms​.

****Honorable Mention: Akismet Anti-spam: Spam Protection****

Although not a CAPTCHA plugin, **Akismet Anti-spam** is a plugin designed to protect websites, particularly those using WordPress, from spam. Developed by Automattic, the same company behind WordPress.com, Akismet works by filtering out spam comments and form submissions.

It uses automated algorithms and community feedback to identify and block spam, helping keep websites clean and free from unwanted content. Akismet effectively reduces the time and effort needed to moderate spam, allowing website owners to focus on creating and managing content rather than dealing with spammy submissions.

****How does a CAPTCHA plugin work****

A CAPTCHA plugin works by presenting a challenge to website users to verify that they are human and not automated bots. Typically, this challenge involves completing a task that is easy for humans to do but difficult for bots to replicate, such as identifying distorted text, selecting certain images, or solving a simple puzzle.

The plugin then validates the user’s response, allowing access to the website if the challenge is completed correctly. This helps prevent automated bots from engaging in activities such as spamming forms, creating fake accounts, or launching malicious attacks on the website including DDoS attacks.

1.  New AI tool aims to make CAPTCHA a thing of the past
2.  Facebook captcha wants users to upload a clear photo of them
3.  Proton CAPTCHA: Privacy-First CAPTCHA Defense Against Bots

5 Best CAPTCHA Plugins for WordPress Websites

By Waqas
In this article, we will explore 12 paid and free OSINT tools that are publicly available and can be very useful when utilized properly and for appropriate purposes.
This is a post from HackRead.com Read the original post: Best Paid and Free OSINT Tools for 2024

Open Source Intelligence tools (or OSINT tools) are software applications or platforms used to collect, analyze, and interpret publicly available information from various online sources, aiding in investigations, research, and intelligence gathering.

These OSINT Tools assist in accessing and analyzing data from sources such as social media, websites, forums, and other public repositories to generate insights and support decision-making processes.

In this article, we will explore 12 paid and free OSINT tools that are publicly available and can be very useful when utilized properly and for appropriate purposes.

****1:** EpicVIN**

EpicVIN is a website dedicated to providing detailed vehicle history reports based on a vehicle’s VIN (Vehicle Identification Number) or license plate number. Established in 2012 and headquartered in Miami, Florida; the platform offers paid results with three packages starting from $14.99 for 1 report, $7.04 for 4 reports and $5.4 for 16 reports.

****2: Shodan****

Shodan is essentially a search engine for Internet-connected devices. It allows users to discover various types of devices, from routers to security cameras to servers, that are connected to the internet, providing valuable data about the security of these devices and potential vulnerabilities.

Shodan is available in free and paid packages.

****3: Telegogo****

Telegogo is a free Google-based search engine for Telegram. The tool can be used to search for public Telegram channels, groups, or content. Leveraging Google’s search capabilities helps users find Telegram-related information or discussions more efficiently than searching through Telegram’s own search features.

Telegogo is useful for anyone looking to explore public conversations or communities within Telegram around specific topics, making the platform’s vast amount of user-generated content more accessible and navigable. If you are looking for specific types of Telegram groups or channels, using a dedicated search tool like Telegogo could significantly streamline your search process.

****4\. GHunt****

GHunt is a free OSINT tool designed to extract information from any Google Account using an email address. The data that GHunt can gather includes:

*   Google ID
*   Owner’s name
*   Public photos (P)
*   Phones models (P)
*   Phones firmware
*   Installed Softwares
*   Google Maps reviews
*   Possible physical location
*   Possible YouTube channel
*   Possible other usernames
*   Events from Google Calendar
*   If the account is a Hangouts Bot
*   Last time the profile was edited
*   Activated Google services (YouTube, Photos, Maps, News360, Hangouts, etc.)

****5\. FOCA****

FOCA (Fingerprinting Organizations with Collected Archives) is a free OSINT tool used primarily for security auditing. It is designed to help security professionals analyze a domain’s security by finding metadata and hidden information in the documents they make available on their websites.

FOCA is popular among penetration testers and cybersecurity professionals for its ability to uncover information that can help in the early stages of a security audit or penetration test. It provides insights that can guide further testing and exploration including document analysis, metadata extraction, mapping and more.

****6\. SkopeNow****

Skopenow is a paid analytical search engine aimed at discovering and compiling digital identities from publicly available data. The platform uses various algorithms to aggregate information from social media, websites, and other online sources to create profiles that can be used for background checks, investigative purposes, and risk assessment. This can be particularly useful for professionals in law enforcement, fraud prevention, and corporate security to obtain insights into individuals’ online presence and behaviours.

****7\. Maltego****

Maltego is a powerful tool for performing real-time data mining and information gathering, as well as the visualization of this information in a graph format. Ideal for investigative purposes, it helps in identifying relationships and real-world links between pieces of information from various sources located on the Internet.

Maltego is available in free and paid packages.

****8\. Metagoofil****

Metagoofil is a metadata extraction tool that is used to analyze metadata of public documents (pdf, doc, xls, ppt, etc.) and to extract information that can be useful in an OSINT investigation. This tool can be used to gather data about the documents’ authors, creation dates, software used, and more.

****9\. Recon-ng****

Recon-ng is a full-featured free Web Reconnaissance framework written in Python. It provides a powerful environment in which open-source web-based reconnaissance can be conducted quickly and thoroughly. Recon-ng has a look and feels similar to the Metasploit Framework, reducing the learning curve significantly.

****10\. TheHarvester****

TheHarvester is a free OSINT tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, key servers). This tool is particularly useful in the early stages of a penetration test to understand the human element of cybersecurity.

****11\. Arrests.org****

Arrests.org is a free website aggregating booking and arrest records from various public law enforcement agencies across the United States. The site typically displays mugshots, personal information such as age and gender, and details of the charges against the individuals listed. These records are pulled from publicly available sources, such as county sheriff’s offices and police departments.

Therefore, this site can serve as a perfect OSINT tool for researchers, journalists, security professionals, and the general public seeking intelligence or information about individuals’ arrest histories. Additionally, the accessibility and range of data available on Arrests.org make it a useful tool for conducting background checks, investigating criminal activity, or monitoring crime trends, all of which are key aspects of OSINT research

****12\. OSINT Framework****

OSINT Framework is not a tool in itself, but rather a free collection of OSINT tools that can be used for specific purposes. It organizes tools based on the type of data you are interested in and the goal of your investigation, making it an invaluable resource for anyone conducting OSINT.

1.  New tool detects fake 4G cell phone towers
2.  8 Online Best Dark Web Search Engines for Tor Browser
3.  What Are Dark Web Search Engines and How to Find Them?
4.  New tool lets teens report, remove their nude photos online
5.  CISA Publishes List of Free Cybersecurity Tools and Services
6.  Building Your Defense Toolbox: Tools to Combat Cyber Threats
7.  Temporary Phone Number: An Essential Tool for Privacy Protection

Best Paid and Free OSINT Tools for 2024

Project behind the Rust programming language asserted that any calls to a specific API would be made safe, even with unsafe inputs, but researchers found ways to circumvent the protections.

Source: Monticello via Shutterstock

The Rust Project has issued an update for its standard library, after a vulnerability researcher discovered a specific function used to execute batch files on Windows systems could be exploited using an injection flaw.

The set of common functions included with Rust programming language, known as the standard library, offers the ability — among its many other capabilities — to execute Windows batch files through the Command API. The function, however, did not process the inputs to the API rigorously enough to eliminate the possibility of injecting code into the execution, according to a Rust Security Response Working Group advisory published April 9.

While Rust is well known for its memory-safety features, the incident underscores that the programming language is not proof against logic bugs, says Yair Mizrahi, a senior vulnerability researcher at application-security firm JFrog.

"Overall, Rust's memory safety is a notable advantage, but developers must also pay close attention to the potential for logical bugs to ensure the overall security and reliability of their Rust-based applications," he says. "To address such logical issues, Rust encourages a rigorous testing and code review process, as well as the use of static analysis tools to identify and mitigate logical bugs."

Rust has gained a reputation for being a very secure programming language, because it does not leave applications open to the often-severe class of flaws known as memory-safety vulnerabilities. Google has attributed a drop in memory-unsafe code to the shift to memory-safe languages, such as Rust and Kotlin, while Microsoft found that up until 2018, when it shifted to memory-safe language, such vulnerabilities regularly accounted for 70% of all security issues.

**Windows Poses a Batch of Issues**

The latest issue is not a memory-safety vulnerability, but a problem with the logic used to process untrusted input. Part of Rust's standard library allows the developer to call a function to send a batch file to the Windows machine for processing. There are reasons for submitting code to the host as a batch file, says Joel Marcey, director of technology at Rust Foundation, which supports the programming language's maintainers and the Rust ecosystem.

"Batch files are run for many reasons on systems, and Rust provides an API to allow you to execute those fairly easily," he says. "So while this is not necessarily the most common use case for Rust, the API, before the fixed patch was implemented, allowed for malicious actors to theoretically take over your system by running arbitrary commands, and this is definitely a critical vulnerability."

Typically, a developer can forward a workload to the Windows host to be executed as a batch process through the Command applications programming interface (API), part of the standard library. Typically, Rust guarantees the safety of any call to the Command API, but in this case, the Rust Project could not find a way to prevent the execution of all arguments, primarily because Windows does not adhere to any sort of standard, and that the API could allow an attacker to submit code that would then be executed.

"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution," according to the Rust Security Response WG.

**Rust Project Proves Responsive**

While dealing with any vulnerability can be a headache, the Rust Project has shown that the group quickly resolves issues, say experts. The standard library vulnerability, CVE-2024-24576, is ultimately an issue with the Windows batch-processing problem and affects other programming languages, if they do not adequately parse the arguments sent to the Windows batch process. The Rust Project appears to be the first out the door with a fix for passing arguments to the Windows CMD.exe process, says JFrog's Mizrahi.

The groups could not completely eliminate the issue, but the Command API will not return an error when any augments passed to the function could be unsafe, the Rust Project said. 

JFrog's Mizrahi urges Rust to broaden its use of static application security testing and expand the use of fuzzing and dynamic testing.

"Overall, Rust is on the right track by emphasizing memory safety and encouraging rigorous testing practices," he says. "Combining these efforts with continued advancements in static analysis and fuzzing can help the Rust community and the broader software industry make significant strides in addressing logical bugs and input validation flaws in the years to come."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Critical Rust Flaw Poses Exploit Threat in Specific Windows Use Cases

### Summary
A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial.

### Details
The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a `SIGKILL` after a few seconds of system-wide denial.

The root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below:

https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239

...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment and enforces a max cap. In the case of a remote layer of `f *attached`, go-containerregistry will invoke this API:

https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
```golang
func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}
```

Notice that the second argument to `rl.fetcher.fetchBlob` is `verify.SizeUnknown` which results in not using the `io.LimitReader` in `verify.ReadCloser`:
https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100
```golang
func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}
```

### Impact
This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: If an attacher has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer. 

### Remediation
Update to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value.

**Summary**

A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial.

**Details**

The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a SIGKILL after a few seconds of system-wide denial.

The root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below:

https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239

...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment and enforces a max cap. In the case of a remote layer of f *attached, go-containerregistry will invoke this API:

https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40

func (rl \*remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}

Notice that the second argument to rl.fetcher.fetchBlob is verify.SizeUnknown which results in not using the io.LimitReader in verify.ReadCloser:  
https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100

func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 \= io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}

**Impact**

This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: If an attacher has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer.

**Remediation**

Update to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value.

**References**

*   GHSA-88jx-383q-w4qc
*   https://nvd.nist.gov/vuln/detail/CVE-2024-29902
*   sigstore/cosign@629f5f8
*   https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
*   https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239
*   https://github.com/sigstore/cosign/releases/tag/v2.2.4

GHSA-88jx-383q-w4qc: Cosign malicious attachments can cause system-wide denial of service

Privacy-focused company DuckDuckGo is launching a tool to remove data from people-search websites, a VPN, and an identity theft restoration service.

For more than a decade, DuckDuckGo has rallied against Google’s extensive online tracking. Now the privacy-focused web search and browser company has another target in its sights: the sprawling, messy web of data brokers that collect and sell your data every single day.

Today, DuckDuckGo is launching a new browser-based tool that automatically scans data broker websites for your name and address and requests that they be removed. Gabriel Weinberg, the company’s founder and CEO, says the personal-information-removal product is the first of its kind where users don’t have to submit any of their details to the tool’s owners. The service will make the requests for information to be removed and then continually check if new records have been added, Weinberg says. “We’ve been doing it to automate it completely end-to-end, so you don't have to do anything.

The personal-information removal is part of DuckDuckGo’s first subscription service, called Privacy Pro, and is bundled with the firm’s first VPN and an identity-theft-restoration service. Weinberg says the subscription offering, which is initially available only in the US for $9.99 per month or $99.99 per year, is part of an effort to add to the privacy-focused tools it provides within its web browser and search engine. “There’s only so much we can do in that browsing loop, there's things happening outside of that, and a big one is data brokers, selling information scraped from different places,” Weinberg says.

The data broker industry is a far-reaching, $200-plus billion market, which collects, buys, and sells as much information as it can. A lack of comprehensive privacy laws in the US allows companies to easily trade everything from people’s names and addresses to financial data and specific GPS coordinates gathered from your phone. (The recently proposed American Privacy Rights Act, if passed, would create a new registry of data brokers and give people some European-style privacy rights).

DuckDuckGo’s personal-information-removal tool—for now, at least—is taking the privacy fight to people-search websites, which allow you to look up names, addresses, and some details of family members. However, Weinberg says DuckDuckGo has created it so the company isn’t gathering details about you, and it is built on technology from Removaly, which the company acquired in 2022.

Ahead of its launch, the company demonstrated how the system works and some of the engineering efforts that went into its creation. On the surface, the removal tool is straightforward: You access it through the company’s browser and enter some information about yourself, such as your name, year of birth, and any addresses. It then scans 53 data broker websites for results linked to you and requests those results to be wiped. (All 53 data brokers included have opt-out schemes that allow people to make requests.) A dashboard shows updates about what has been removed and when it will next scan those websites again, in case new records have been added.

Under the hood, things are more complex. Greg Fiorentino, a product director at DuckDuckGo, says when you enter your personal data into the system, it’s all saved in an encrypted database on your computer (the tool doesn’t work on mobile), and the company isn’t sent this information. “It doesn't go to DuckDuckGo servers at all," he says.

For each of the data brokers’ websites, Fiorentino says, DuckDuckGo looked at its URL structure: For instance, search results may include the name, location, and other personal information that are queried. When the personal information tool looks for you on these websites, it constructs a URL with the details you have entered.

“Each of the 53 sites we cover has a slightly different structure,” Fiorentino says. “We have a template URL string that we substitute the data in from the user to search. There are lots of different nuances and things that we need to be able to handle to actually match the data correctly.”

During testing, the company says, it found most people have between 15 and 30 records on the data broker sites it checks, although the highest was around 150. Weinberg says he added six addresses to be removed from websites. “I found hits on old stuff, and even in the current address, which I really tried to hide a bit from getting spam at, it’s still out there somehow,” Weinberg says. “It’s really hard to avoid your information getting out there.”

Once the scan for records has been completed, the DuckDuckGo system, using a similar deconstruction of each of the data broker websites, will then automatically make requests for the records to be removed, the team working on the product say. Fiorentino says some opt-outs will happen within hours, whereas others can take weeks to remove the data. The product director says that in the future, the tool may be able to remove data from more websites, and the company is looking at potentially including more sensitive data in the opt-outs, such as financial information.

Various personal-information-removal services exist on the web, and they can vary in what they remove from websites or the services they provide. Not all are trustworthy. Recently, Mozilla, the creator of the Firefox browser, stopped working with identity protection service Onerep after investigative journalist Brian Krebs revealed that the founder of Onerep also founded dozens of people-search websites in recent years.

DuckDuckGo’s subscription service marks the first time the company has started charging for a product—its browser and search engine are free to use, and the firm makes its money from contextual ads. Weinberg says that, because subscriptions are purchased through Apple’s App Store, Google Play, or with payment provider Stripe, details about who subscribes are not transferred to DuckDuckGo’s servers. A random ID is created for each user when they sign up, so people don’t have to create an account or hand DuckDuckGo their payment information. The company says it doesn’t have access to people’s Apple IDs or Google account details.

For its identity-theft-restoration service, DuckDuckGo says it is working with identity protection service Iris, which uses trained staff to help with fraudulent banking activity, document replacement, emergency travel, and more. DuckDuckGo says no information is shared between it and Iris.

Weinberg says that while the company’s main focus is providing free and easy-to-use privacy tools to people, running a VPN and the removal tool requires a different business model. “It just takes a lot of bandwidth,” he says of the VPN.

Broadly, the VPN industry, which allows people to hide their web traffic from internet providers and avoid geographic restrictions on streaming, has historically been full of companies with questionable records when it comes to privacy and people’s data. Free VPNs have long been a privacy nightmare.

DuckDuckGo says its VPN, which it built in-house and which uses the WireGuard protocol, does not store any logs of people’s activities and can be used on up to five devices at once. “We don’t have any record of website visits, DNS requests, IP addresses connected, or session lengths,” the company says in its documentation. The VPN runs through its browser, with 13 location options at launch, but shields all internet traffic passing through your phone or computer.

The company says it is conducting a third-party audit of the VPN to allow its claims to be scrutinized, and it will publish the full audit once it’s complete. “We really wanted to do something in the VPN space for a long time, we just didn't have the resources and people to do it,” Weinberg says. “We looked at partnering in different places. If we have to completely trust a partner versus building something where we can make it anonymous, we decided we would want to do it ourselves.”

DuckDuckGo Is Taking Its Privacy Fight to Data Brokers

Microsoft has fixed 149 vulnerabilities, two of which are reportedly being exploited in the wild.

The April 2024 Patch Tuesday update includes patches for 149 Microsoft vulnerabilities and republishes 6 non-Microsoft CVEs. Three of those 149 vulnerabilities are listed as critical, and one is listed as actively exploited by Microsoft. Another vulnerability is claimed to be a zero-day by researchers that have found it to be used in the wild.

Let’s first have a look at the two zero-days. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs for these two vulnerabilities are:

CVE-2024-26234 (CVSS score 6.7 out of 10): a proxy driver spoofing vulnerability that Microsoft listed as “Exploitation detected” hours after it initially listed it as non-exploited.

In fact, the patch is a revocation of a Microsoft Windows Hardware Compatibility Publisher signature that was used to sign a file which contained a backdoor using an embedded proxy server to monitor and intercept network traffic on an infected Windows machine. Apparently, the software, designed to remote-control phones, was used to make them act like online bots, collectively liking posts, following people on social media, and posting comments.

CVE-2024-29988 (CVSS score 8.8 out of 10): a SmartScreen prompt security feature bypass vulnerability. Microsoft still has this listed as “Exploitation More Likely” and acknowledges the fact that functional exploit code is available. Which means that the exploit code works in most situations where the vulnerability exists.

One reason for the contradiction could be that the exploitation requires some form of user interaction. It requires an attacker to get the victim to click on a link or open a file. If the victim falls for that, the bug allows the attacker to bypass the SmartScreen security feature in Windows that’s supposed to alert users to any untrusted websites or other threats.

Researchers said that attackers are using the weakness to send targets exploits in a zipped file which bypasses the Mark of the Web (MotW) warnings, a warning message users should see when trying to open a file downloaded from the internet.

The exploit for the vulnerability was called “trivial” and “embarrassingly easy” by the researchers that wrote about it.

A few applications that deserve some of your attention if you’re using them are SQL Server (38 vulnerabilities), and Windows Remote Access Connection Manager (9).

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

The **Android** Security Bulletin for April 2024 contains details of security vulnerabilities for patch level 2024-04-05 or later.

Google also updated **Chrome** to patch a zero-day vulnerability.

**SAP** has released its April 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities 

Prioritizing security and user experience will help you build a robust and reliable authentication system for your business.

Source: Tomasz Zajda via Alamy Stock Photo

Authentication protocols serve as the backbone of online security, enabling users to confirm their identities securely and access protected information and services. They define how claimants (users trying to access a digital service) and verifiers (the entities authenticating them) communicate. The protocols exchange information to verify the validity of the authentication service and confirm that the claimant possesses the appropriate token to authenticate their identity.

With myriad authentication protocols available, however, selecting the appropriate one for your organization can be daunting. Following are the key authentication protocols, along with insights into choosing the right one for your business needs.

Each authentication protocol offers unique features tailored to specific use cases and security requirements. If you're trying to figure out which one is best for your business, consider these four authentication protocols and their potential use cases.

OAuth/OpenID Connect (OIDC): OAuth, primarily designed for authorization, allows users to grant third-party applications limited access to their private resources without revealing their credentials. You might consider using OAuth from providers such as Google and GitHub to prioritize quick user registrations while getting validated information.

OpenID Connect (OIDC) is an open standard that builds on OAuth by providing authentication capabilities using an ID token to verify user identity securely. OIDC suits scenarios in which interoperability and user authentication across multiple systems are crucial, such as in federated identity management systems.

Both OAuth and OpenID Connect are widely adopted, allowing for interoperability between different systems, and they let users authenticate once to use the same credentials across multiple services. OAuth and OpenID Connect are, however, susceptible to phishing attacks and token theft if not implemented securely.

Security Assertion Markup Language (SAML): SAML is an XML-based standard for exchanging identity information between the user, the identity provider (IdP), and the service provider (SP). SAML offloads authentication responsibilities to specialized IdPs, reducing the burden on SPs and enhancing security. SAML works best for single sign-on (SSO) authentication in enterprise environments, where centralized authentication and access control are essential.

SAML supports use cases like identity federation, but SAML configurations can be complex and require careful management. SAML's reliance on XML may also introduce complexity owing to it being an older format than more modern ones, like JSON.

FIDO2/WebAuthn: FIDO2 is an open standard for passwordless authentication that relies on registered devices or hardware security keys to verify user identities. WebAuthn, a component of FIDO2, enables passwordless authentication through possession-based and biometric methods. You may want to consider WebAuthn for consumer-facing applications and mobile-first experiences, leveraging native device capabilities for seamless and secure authentication.

Passkeys, which are cross-device credentials based on the WebAuthn standards, have been implemented in several large organizations like Google, Apple, Shopify, Best Buy, TikTok, and GitHub over the past few years. Success stories from early adopters and increased awareness among end users are sure to continue driving adoption in the years to come.

FIDO2 and WebAuthn provide strong security against phishing and other attacks — because they don't rely on shared secrets like passwords — and a user-friendly experience, because users don't need to remember complex passwords. That said, FIDO2 and WebAuthn aren't compatible with all devices and browsers; current support gaps might make these protocols cumbersome for some users.

Time-Based One-Time Password (TOTP): TOTP generates single-use passcodes based on a shared secret key and the current time, often providing an additional layer of security in multifactor authentication (MFA) setups. TOTP supports both hardware tokens and software-based authenticator applications. You should consider TOTP for various authentication scenarios that require enhanced security.

TOTP provides an additional layer of security beyond a password, as the code changes frequently and is tied to the specific device generating it. TOTP does, however, require the user to have a separate device to generate the codes, and it doesn't protect against phishing if the user is tricked into handing the code over to the attacker.

**Factors in Selecting an Authentication Protocol**

It's easy to generalize which of the above four protocols you should use. Business applications targeting enterprises should use SAML because of its robust SSO capabilities and centralized authentication management. Consumer and mobile applications should pick WebAuthn/passkeys to provide a seamless and secure authentication experience that leverages native device features, like biometrics.

That said, each business has unique requirements, and it's not always best to generalize. Here are some factors to keep in mind when choosing an authentication protocol:

1.  Security levels: Prioritize protocols that offer robust security measures to safeguard user data and prevent unauthorized access.
    
2.  Integration: Choose protocols that seamlessly integrate with your existing infrastructure to streamline implementation and maintenance processes.
    
3.  Scalability: Ensure that the selected protocol can accommodate your organization's growth and an increasing user base without compromising performance or security.
    
4.  Authentication method: Consider the authentication methods your users prefer and select protocols that align with their expectations and UX preferences.
    

Choosing the right authentication protocol is critical for maintaining the security and trust of your users. By understanding the features and use cases of different protocols and considering factors such as security, integration, scalability, and user experience, you can select the most suitable protocol for your organization's needs.

**About the Author(s)**

Meir Wahnon is a co-founder at Descope, a drag-and-drop customer authentication and identity management platform. Before Descope, Meir served as senior director of engineering at Palo Alto Networks after the acquisition of Demisto, where he was part of the founding team. Meir is passionate about open source, no-code / low-code platforms, and ML. In his spare time, Meir likes to try out new Michelin-star restaurants around the world.

Selecting the Right Authentication Protocol for Your Business

Don't wait for an online harassment campaign to unfairly target you or a loved one. Take these proactive steps today to stay safe.

It takes a little to receive a lot of online hate today, from simply working as a school administrator to playing a role in a popular movie or video game.

But these moments of personal crisis have few, immediate solutions, as the current proposals to curb and stem online harassment zero in on the systemic—such as changes in data privacy laws to limit the personal information that can be weaponized online or calls for major social media platforms to better moderate hateful content and its spread.

Such structural shifts can take years (if they take place at all), which can leave today’s victims feeling helpless.

There are, however, a few steps that everyday people can take, starting now, to better protect themselves against online hate and harassment campaigns. And thankfully, none of them involve “just getting off the internet,” a suggestion that, according to Leigh Honeywell, is both ineffective and unwanted.

“The \[idea that the\] answer to being bullied is that you shouldn’t be able to participate in public life—I don’t think that’s okay,” said Honeywell, CEO and co-founder of the digital safety consultancy Tall Poppy.

Speaking to me on the Lock and Code podcast last month, Honeywell explained that Tall Poppy’s defense strategies to online harassment incorporate best practices from Honeywell’s prior industry—cybersecurity.

Here are a few steps that people can proactively take to limit online harassment before it happens.

****Get good at Googling yourself****

One of the first steps in protecting yourself from online harassment is finding out what information about you is already available online. This is because, as Honeywell said, much of that information can be weaponized for abuse.

Picture an angry diner posting a chef’s address on Yelp alongside a poor review, or a complete stranger sending in a fake bomb threat to a school address, or a real-life bully scraping the internet for embarrassing photos of someone they want to harass.  

All this information could be available online, and the best way to know if it exists is to do the searching yourself.

As for where to start?

“First name, last name, city name, or other characteristics about yourself,” Honeywell said, listing what, specifically, to search online.

It’s important to understand that the online search itself may not bring immediate results, but it will likely reveal active online profiles on platforms like LinkedIn, X (formerly Twitter), Facebook, and Instagram. If those profiles are public, an angry individual could scrape relevant information and use it to their advantage. Even a LinkedIn profile could be weaponized by someone who calls in fake complaints to a person’s employer, trying to have them fired from their position.

In combing through the data that you can find about yourself online, Honeywell said people should focus on what someone _else_ could do with that data.

“If an adversary was trying to find out information about me, what would they find?” Honeywell said. “If they had that information, what would they do with it?”

****Take down what you can****

You’ve found what an adversary might use against you online. Now it’s time to take it down.

Admittedly, this can be difficult in the United States, as Americans are not protected by a national data privacy law that gives them the right to request their data be deleted from certain websites, platforms, and data brokers.

Where Americans could find some help, however, is from online resources and services that streamline the data removal process that is enshrined in some state laws. These tools, like the iOS app Permission Slip, released by Consumer Reports in 2022, show users what types of information companies are collecting about them, and give user the opportunity to request that such data be deleted.

Separately, Google released on online tool in 2023 where users can request that certain search results that contain their personal information be removed. You can learn more about the tool, called “Results about you,” here.

When all else fails, Honeywell said that people shouldn’t be afraid to escalate the situation to their state’s regulators. That could include filing an official complaint with a State Attorney General, or with the Consumer Financial Protection Bureau, or the Federal Trade Commission.

“It sounds like the big guns,” Honeywell said, “but I think it’s important that, as individuals, we do what we can to hold the companies that are creating this mess accountable.”

****Lock down your accounts****

If an adversary can’t find your information through an online search, they may try to steal that information by hacking into your accounts, Honeywell said.

“If I’m mad at David, I’m going to hack into David’s email and share personal information,” Honeywell said. “That’s a fairly standard way that we see some of the worst online harassment attacks escalate.”

While hackers may have plenty of novel tools at their disposal, the best defenses you can implement today are the use of unique passwords and multifactor authentication.

Let’s first talk about unique passwords.

Each and every single one of your online accounts—from your email, to your social media profiles, to your online banking—should have a strong, unique password. And because you likely have dozens upon dozens of online accounts to manage, you should keep track of all those passwords with a devoted password manager.

Using unique passwords is one of the best defenses to company data breaches that expose user login credentials. Once those credentials are available on the dark web, hackers will buy those credentials so they can attempt to use them to gain access to _other_ online accounts. You can prevent those efforts going forward by refusing to repeat passwords across any of your online accounts.

Now, start using multifactor authentication, if you’re not already.

Multifactor authentication is offered by most major companies and services today, from your bank, to your email, to your medical provider. By using multifactor authentication, also called MFA or 2FA, you will be required to “authenticate” yourself with _more_ than just your password. This means that when you enter your username and password onto a site or app, you will also be prompted with entering a separate code that is, in many cases, sent to your phone via text or an app.

MFA is one of the strongest protections to password abuse, ensuring that, even if a hacker has your username and password, they still can’t access your account because they will not have the additional authentication that is required to complete a login.

In the world of cybersecurity, these two defense practices are among the gold standard in stopping cyberattacks. In the world of online harassment, they’re much the same—they work to prevent the abuse of your online accounts.

****Here to help****

Online harassment is an isolating experience, but protecting yourself against it can be quite the opposite. Honeywell suggested that, for those who feel overwhelmed or who do not know where to start, they can find a friend to help.

“Buddy up,” Honeywell said. “If you’ve got a friend who’s good at Googling, work on each other’s profile, identify what information is out there about you.”

Honeywell also recommended going through data takedown requests together, as the processes can be “extremely tedious” and some of the services that promise to remove your information from the internet are really only trying to sell you a service.

If you’re still wondering what information about you is online and you aren’t comfortable with your way around Google, Malwarebytes has a new, free tool that reveals what information of yours is available on the dark web and across the internet at large. The Digital Footprint Portal, released in April, provides free, unlimited scans for everyone, and it can serve as a strong first step in understanding what information of yours needs to be locked down.

To learn what information about you has been exposed online, use our free scanner below.

Tag

#google