The company's Confidential Data Search technique relies on confidential computing to keep data secure even while it is in use.

Fortanix is bringing hardware security technology to database search with Confidential Data Search, with the goal to help organizations process highly sensitive data in databases. Fortanix's technology uses confidential computing technologies to allow data to be searched within the hardware vault.

Various encryption schemes and technologies are used to protect data while at rest and while being transported between systems. Confidential computing provides layers of hardware protection so that data remains secure even while it is being processed. Data is stored in a secure hardware vault, authorized parties need a code to unlock the vault, and the data is processed inside without ever leaving the vault.

Advancements in chip technology have made it possible to build these secure vaults directly inside chips. The chip makers have also baked in hardware mechanisms called attestation, which ensures only authorized parties can access data in secure vaults.

Homomorphic encryption is typically used when banks and other large enterprises need to offer the ability to search the database without exposing the unencrypted information, because that scheme allows users to work directly on encrypted data without turning it into plaintext. However, that form of encryption may not be the best for some types of searches, says Richard Searle, vice president of confidential computing at Fortanix. He notes that homomorphic encryption search gets slower and complicated with complex query requests.

"You need to perform that search in plaintext, and the only way to do that is within the confidential computing trusted execution environment, where it is shielded from the outside, there's no human access, no external application access, no operating system access," Searle says. "You can run the query in the same way as you would in an unsecured world."

Searle also notes that in many cases, vendors using homomorphic encryption are working with nonstandard hardware — not off-the-shelf Intel Xeon CPUs or standard server blades.

Fortanix also supports Intel's Trust Domain Extension (TDX) module, which is a confidential computing technology suited for artificial intelligence (AI) applications. Companies can feed diverse information into secure vaults to enhance proprietary AI learning models. The third-party data set can be allowed to enter and exit the vault, with no information retained or stolen.

**Developing a Market for Confidential Computing

The market will have to prove Fortanix's technology, and the company will have to show a dramatic performance improvement or dramatic cost savings to gain a foothold, says James Sanders, principal analyst at CCS Insight.

"The technology behind this is secondary to the value it must demonstrate to enterprise buyers," he says.

But Fortanix is in a solid position to educate the market about confidential computing, which is still new.

"The maxim 'don't roll your own security' applies here, " Sanders says. "Banks and hospitals are not going to write their own \[confidential computing\] stacks, and a validated third-party option will help to increase the exposure and utilization of those confidential computing technologies."

The Fortanix technology can be implemented on-premises or in the cloud with some form of confidential computing hardware enablement, including Intel Secure Guard Extension (SGX) and AMD's SEV-SNP. A tool called Data Security Manager manages the confidential computing deployment.

"We handle all of the deployment of the database at the interface for you," Searle says. "You do not need to get involved in implementation. It is an automated deployment based on the policy controls within Data Security Manager."

**

Fortanix Builds Hardware Security Wall Around Plaintext Search

Israel's cyber head points finger at Iran-backed MuddyWater APT group as the perpetrator of a recent attack against a university.

Israel earlier this year aided the United Arab Emirates (UAE) in helping repel a major distributed denial-of-service (DDoS) attack.

Speaking at last week's Cyber Week in Tel Aviv, UAE head of cybersecurity Mohamed Al Kuwaiti said that attacks "continuously come and go" and praised the Abraham Accords, which were ratified in 2020 to strengthen Middle East relations. "Thank God for the partnership, with the relationship that we have; it helped us elevate as well as to prepare an early warning system," he said.

According to Jewish Press, Gaby Portnoy, director general of the Israel National Cyber Directorate, joined Al Kuwaiti onstage at the conference, as did national cyber representatives from Bahrain, Morocco, and the US.

Al Kuwaiti noted that "cybersecurity is an important aspect for us all" and that many of Israel's startups are "helping us as a matter of fact to build up that cyber dome or to extend that cyber dome to defend against cyberattacks," a report by All Israel said.

The DDoS attack declaration by Al Kuwaiti came in the same week as a formal announcement was made to increase intelligence sharing between the UAE and Israel with the so-called Crystal Ball project, a partnership between Israel and the UAE's cyber teams and backed by private industry. Crystal Ball is intended to detect and repel hackers via collaboration and knowledge sharing around national-level cyberthreats.

"It is a well-known fact that criminal gangs are working together to victimize individuals and companies, any improvements in international cooperation between nation-states to tackle these threats is a welcome move," says Brian Honan, CEO of BH Consulting.

**No Clarity in MuddyWater?**

At CyberWeek, Portnoy reportedly mentioned cyberattacks the group MuddyWater initiated against Israel. He said the MuddyWater group has ties to Iran's Islamic Revolutionary Guard Corps (IRGC), and blamed it for a cyberattack against the Technion Institute of Technology in Haifa. Technion was forced to disconnect its systems to prevent security damage and lose data.

According to a new blog from Deep Instinct's Simon Kenin, a custom-made command and control server was detected in the attack against Technion, and MuddyWater have been using that server since 2021.

"The group doesn't just work against Israel, but rather also hacks civilian targets in many other countries, including Turkey, Saudi Arabia, Egypt, Morocco, India, Bahrain, Oman, Kuwait, and others," Portnoy said.

The MuddyWater group has previously been linked to spear phishing campaigns against employees of Middle East telecom operators, as well as with cyber surveillance activities.

Israel Aided UAE in Defending Against DDoS Attack

If you've ever owned a domain name, the chances are good that at some point you've received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don't need, and probably will never receive. Here's a look at the most recent incarnation of this scam -- DomainNetworks -- and some clues about who may be behind it.

If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — **DomainNetworks** — and some clues about who may be behind it.

The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address. Although the letter includes the words “marketing services” in the upper right corner, the rest of the missive is deceptively designed to look like a bill for services already rendered.

DomainNetworks claims that listing your domain with their promotion services will result in increased traffic to your site. This is a dubious claim for a company that appears to be a complete fabrication, as we’ll see in a moment.  But happily, the proprietors of this enterprise were not so difficult to track down.

The website **Domainnetworks\[.\]com** says it is a business with a post office box in Hendersonville, N.C., and another address in Santa Fe, N.M. There are a few random, non-technology businesses tied to the phone number listed for the Hendersonville address, and the New Mexico address was used by several no-name web hosting companies.

However, there is little connected to these addresses and phone numbers that get us any closer to finding out who’s running Domainnetworks\[.\]com. And neither entity appears to be an active, official company in their supposed state of residence, at least according to each state’s Secretary of State database.

The **Better Business Bureau** listing for DomainNetworks gives it an “F” rating, and includes more than 100 reviews by people angry at receiving one of these scams via snail mail. Helpfully, the BBB says DomainNetworks previously operated under a different name: **US Domain Authority LLC.**

DomainNetworks has an “F” reputation with the Better Business Bureau.

Copies of snail mail scam letters from US Domain Authority posted online show that this entity used the domain **usdomainauthority\[.\]com**, registered in May 2022. The Usdomainauthority mailer also featured a Henderson, NC address, albeit at a different post office box.

Usdomainauthority\[.\]com is no longer online, and the site seems to have blocked its pages from being indexed by the Wayback Machine at archive.org. But searching on a long snippet of text from DomainNetworks\[.\]com about refund requests shows that this text was found on just one other active website, according to publicwww.com, a service that indexes the HTML code of existing websites and makes it searchable.

A deceptive snail mail solicitation from DomainNetwork’s previous iteration — US Domain Authority. Image: Joerussori.com

That other website is a domain registered in January 2023 called **thedomainsvault\[.\]com**, and its registration details are likewise hidden behind privacy services. Thedomainsvault’s “Frequently Asked Questions” page is quite similar to the one on the DomainNetworks website; both begin with the question of why the company is sending a mailer that looks like a bill for domain services.

Thedomainsvault\[.\]com includes no useful information about the entity or people who operate it; clicking the “Contact-us” link on the site brings up a page with placeholder Lorem Ipsum text, a contact form, and a phone number of 123456789.

However, searching passive DNS records at **DomainTools.com** for thedomainsvault\[.\]com shows that at some point whoever owns the domain instructed incoming email to be sent to **ubsagency@gmail.com**.

The first result that currently pops up when searching for “ubsagency” in Google is **ubsagency\[.\]com**, which says it belongs to a Las Vegas-based Search Engine Optimization (SEO) and digital marketing concern generically named both **United Business Service** and **United Business Services**. UBSagency’s website is hosted at the same Ann Arbor, Mich. based hosting firm (A2 Hosting Inc) as thedomainsvault\[.\]com.

UBSagency’s LinkedIn page says the company has offices in Vegas, Half Moon Bay, Calif., and Renton, Wash. But once again, none of the addresses listed for these offices reveal any obvious clues about who runs UBSagency. And once again, none of these entities appear to exist as official businesses in their claimed state of residence.

Searching on ubsagency@gmail.com in Constella Intelligence shows the address was used sometime before February 2019 to create an account under the name “**Sammy\\Sam\_Alon**” at the interior decorating site **Houzz.com**. In January 2019, Houzz acknowledged that a data breach exposed account information on an undisclosed number of customers, including user IDs, one-way encrypted passwords, IP addresses, city and ZIP codes, as well as Facebook information.

Sammy\\Sam\_Alon registered at Houzz using an Internet address in Huntsville, Ala. (68.35.149.206). Constella says this address was associated with the email **tropicglobal@gmail.com**, which also is tied to several other “Sammy” accounts at different stores online.

Constella also says a highly unique password re-used by tropicglobal@gmail.com across numerous sites was used in connection with just a few other email accounts, including **shenhavgroup@gmail.com**, and **distributorinvoice@mail.com**.

The shenhavgroup@gmail.com address was used to register a Twitter account for a **Sam Orit Alon** in 2013, whose account says they are affiliated with the Shenhav Group. According to DomainTools, shenhavgroup@gmail.com was responsible for registering roughly two dozen domains, including the now-defunct unitedbusinessservice\[.\]com.

Constella further finds that the address distributorinvoice@mail.com was used to register an account at **whmcs.com**, a web hosting platform that suffered a breach of its user database several years back. The name on the WHMCS account was **Shmuel Orit Alon**, from Kidron, Israel.

UBSagency also has a Facebook page, or maybe “had” is the operative word because someone appears to have defaced it. Loading the Facebook page for UBSagency shows several of the images have been overlaid or replaced with a message from someone who is _really_ disappointed with **Sam Alon**.

“Sam Alon is a LIAR, THIEF, COWARD AND HAS A VERY SMALL D\*CK,” reads one of the messages:

The current Facebook profile page for UBSagency includes a logo that is similar to the DomainNetworks logo.

The logo in the UBSagency profile photo includes a graphic of what appears to be a magnifying glass with a line that zig-zags through bullet points inside and outside the circle, a unique pattern that is remarkably similar to the logo for DomainNetworks:

The logos for DomainNetworks (left) and UBSagency.

Constella also found that the same Huntsville IP address used by Sam Alon at Houzz was associated with yet another Houzz account, this one for someone named “**Eliran**.”

The UBSagency Facebook page features several messages from an Eliran “Dani” Benz, who is referred to by commenters as an employee or partner with UBSagency. The last check-in on Benz’s profile is from a beach at Rishon Letziyon in Israel earlier this year.

Neither Mr. Alon nor Mr. Benz responded to multiple requests for comment.

It may be difficult to believe that anyone would pay an invoice for a domain name or SEO service they never ordered. However, there is plenty of evidence that these phony bills often get processed by administrative personnel at organizations that end up paying the requested amount because they assume it was owed for some services already provided.

In 2018, KrebsOnSecurity published How Internet Savvy are Your Leaders?, which examined public records to show that dozens of cities, towns, school districts and even political campaigns across the United States got snookered into paying these scam domain invoices from a similar scam company called **WebListings Inc.**

In 2020, KrebsOnSecurity featured a deep dive into who was likely behind the WebListings scam, which had been sending out these snail mail scam letters for over a decade. That investigation revealed the scam’s connection to a multi-level marketing operation run out of the U.K., and to two brothers living in Scotland.

Who’s Behind the DomainNetworks Snail Mail Scam?

Cybercriminals employ obfuscated script to stealthily hijack victim server bandwidth for use in legitimate proxy networks.

Threat actors are exploiting vulnerable secure shell protocol (SSH) servers to launch Docker services that take advantage of an emerging and lucrative attack vector that hijacks a victim's network bandwidth for money.

Researchers from the Akamai Security Intelligence Response Team (SIRT) in June discovered the currently active campaign, which employs an emerging type of attack called proxyjacking, the researchers revealed in a blog post last week.

Threat actors use SSH for remote access and then run malicious scripts that enlist victim servers into a legitimate peer-to-peer (P2P) proxy network, such as Peer2Proxy or Honeygain, without their knowledge, the researchers said. These networks — which use companion apps or software installed on Internet-connected devices — allow someone to share Internet bandwidth by paying to use the IP address of the app users.

"This allows for the attacker to monetize an unsuspecting victim's extra bandwidth, with only a fraction of the resource load that would be required for cryptomining, with less chance of discovery," Allen West, an SIRT security researcher, wrote in the post.

In a nutshell, that is proxyjacking, an emerging attack model that takes advantage of these services and, on a grand scale, potentially can earn cybercriminals hundreds of thousands of dollars per month in passive income, the researchers found.

While the idea of proxyjacking is not new — think of cryptojacking, an entirely illegal endeavor, as a distant cousin — the ability to easily monetize piggybacking on someone's bandwidth as affiliates of mainstream companies is new, which explains why security researchers are seeing more proxyjacking in the threat landscape, West warned.

"Providing a simple path to financial gain makes this vector a threat to both the corporate world and the average consumer alike, heightening the need for awareness and, hopefully, mitigation," he wrote.

Proxyjacking also makes it easy for threat actors to hide their tracks by routing malicious traffic through a multitude of peer nodes before it reaches its final destination, according to the research. This makes the origin of the nefarious activity difficult for victims or researchers to pinpoint — another attractive option for attackers looking to monetize their activity without consequence.

**How the Attack Works**

The first indication of the attack that Akamai researchers identified came when an attacker established multiple SSH connections to one of the company's honeypots using a double Base64-encoded Bash script to obscure the activity. They successfully decoded the script and were able to observe the proxyjacking method of the threat actor down to the exact sequence of operations.

The script transformed the compromised system into a node in the Peer2Profit proxy network, using the account specified by $PACCT as the affiliate that will profit from the shared bandwidth, according to Akamai SIRT. The same process was seen being employed for a Honeygain installation awhile later.

"The script was designed to be stealthy and robust, attempting to operate regardless of the software installed on the host system," West wrote.

The script goes on to execute various functions, one of which is to download an actual, unmodified version of cURL, a command-line tool that enables data exchange between a device and a server through a terminal.

This tool seems to be all the attackers need for the scheme to work, and, "if it is not present on the victim host, then the attacker downloads it on their behalf," West wrote.

The executable cancels any containers running on the node to install a Docker container to handle the proxyjacking process and, once everything is in place, the attacker can exit the network without a trace.

**How Do You Defend Against Proxyjacking?**

Because of the growing prevalence of and the relative ease with which attackers can set up proxyjacking attacks, and inability to identify original perpetrators, organizations need to maintain vigilance on their networks so as to notice abnormal behavior in how their resources are being used to avoid compromise, the researchers recommend.

For the particular attack that the Akamai team observed, attackers used SSH to gain access to a server and install a Docker container. To avoid this type of attack, organizations can check their locally running Docker services to locate any unwanted resource sharing the system, according to Akamai. If they find one, the intrusion should be investigated and a determination of how the script was uploaded and run should be made, after which organizations should perform a thorough clean-up.

Also unique to the attack is that the executable in the form of the cURL tool would likely go overlooked by most companies, since that tool can be used legitimately. However, in this case, it was the initial artifact in the attack that led the researchers to investigate deeper, West said.

"It was the ability to look at the source of the artifact that took it from a harmless piece of code to what we now know is part of a proxyjacking scheme," he explained, which "highlights the importance of being able to isolate all unusual artifacts, not just those that are considered malicious."

Moreover, because proxyjacking attackers also use vulnerabilities to mount attacks — that was the case in a recent attack that leveraged the infamous Log4j flaw — organizations should maintain updated assets and apply patches to applications whenever available, particularly when vulnerabilities already have been exploited, the research recommends.

West added: "Users with deeper knowledge of computer security can additionally remain vigilant by paying attention to the containers currently running, monitoring network traffic for anomalies, and even running vulnerability scans on a regular basis."

SSH Servers Hit in 'Proxyjacking' Cyberattacks

By Owais Sultan
Video translation plays a significant role in fostering trust and connection between individuals and cultures. As our world…
This is a post from HackRead.com Read the original post: The Psychology of Video Translation: Building Trust and Connection

Video translation plays a significant role in fostering trust and connection between individuals and cultures. As our world becomes more interconnected, the ability to bridge language barriers through effective communication has become increasingly important.

In this article, we will explore the psychology behind video translation, focusing on the benefits of artificial intelligence (AI) video translation, particularly in the context of translating Turkish videos to English. By delving into the power of AI technology, we will uncover how it enhances the quality and speed of translation, ultimately building trust and fostering meaningful connections.

****The Power of Language in Building Trust****

Language serves as the foundation of human interaction, allowing individuals to express thoughts, emotions, and ideas. When language barriers exist, trust can be compromised, hindering effective communication and understanding. Video translation, especially from Turkish to English, breaks down these barriers, enabling individuals to connect with others who speak different languages.

AI video translation, with its advanced algorithms and machine learning capabilities, ensures accurate and contextually appropriate translations, building trust between parties involved in the communication process. By understanding and appreciating each other’s language, individuals can establish a sense of trust, creating a solid foundation for meaningful connections.

****Enhancing Connection Through Cultural Understanding****

Language is deeply intertwined with culture, shaping individuals’ perspectives, values, and beliefs. Effective video translation goes beyond literal word-for-word conversion; it involves capturing cultural nuances and conveying them accurately to the target audience.

AI video translation excels in this aspect by leveraging sophisticated algorithms that take into account cultural context and idiomatic expressions. By accurately translating Turkish videos to English, AI video translation allows viewers to gain a deeper understanding of the cultural context portrayed in the video. This promotes cultural appreciation and empathy, fostering stronger connections and bridging the gap between different communities.

****Quality Translation for Meaningful Communication****

In the realm of video translation, quality is paramount. A poorly translated video can lead to misinterpretation, confusion, and even loss of credibility. AI video translation brings a new level of quality to the process, surpassing traditional translation methods. With its ability to analyze vast amounts of data and learn from patterns, AI technology ensures accurate and contextually relevant translations.

By precisely translating Turkish videos to English, AI video translation maintains the integrity and intended meaning of the original content, facilitating clear and meaningful communication. This quality-driven approach fosters trust and connection among viewers, strengthening the impact of the translated video.

****Speed: Real-Time Connection****

In today’s fast-paced world, timely communication is crucial. Waiting for manual translation processes to complete can cause delays and hinder effective connection. AI video translation offers a significant advantage in terms of speed, allowing real-time translation of Turkish videos to English.

With the help of advanced algorithms, AI technology quickly and efficiently translates videos, enabling seamless communication and connection across language barriers. This speed not only saves time but also ensures that the translated content remains relevant and engaging for the target audience.

****Widening Access to Information****

Translation is not just about facilitating communication; it is also about ensuring equitable access to information. AI video translation democratizes information by making it accessible to individuals who do not understand the original language. By accurately translating Turkish videos to English, AI video translation opens up a world of knowledge, news, and entertainment to a broader audience.

This inclusive approach builds trust and connection by allowing people from different linguistic backgrounds to access and engage with a diverse range of content.

****Conclusion****

Video translation, particularly through the advancements of AI technology, holds immense power in building trust and connection between individuals and cultures. By accurately translating Turkish videos to English, AI video translation enhances communication, fosters cultural understanding, and facilitates meaningful connections.

Through its emphasis on quality, speed, and equitable access to information, AI video translation bridges the gap between languages and enables individuals to connect, engage, and build trust with one another. As we continue to embrace the possibilities of AI, video translation will undoubtedly play a pivotal role in shaping a more connected and inclusive world.

**RELATED ARTICLES**

1.  What is ASR Technology and Where Can It Develop?
2.  Learn Morse Code in 30 mins on your smartphone with Google
3.  Free Translator Software – Boost Global Growth with Translation
4.  Meta Universal Translator won’t Be the End of Human Translation
5.  AI-Powered Smart Glasses Give Deaf People the Power of Speech

The Psychology of Video Translation: Building Trust and Connection

By Waqas
A Twitter user successfully utilized the "grandma exploit" to trick ChatGPT and acquire multiple Windows 10 codes.
This is a post from HackRead.com Read the original post: ChatGPT tricked into generating Windows 10 and Windows 11 keys

**The Twitter account of the user who managed to generate Windows activation keys on ChatGPT and Google Bard has been suspended.**

ChatGPT, the popular artificial intelligence (AI) chatbot, is at the centre of controversy as users uncover a potential security loophole. As one of the fastest-growing AI services globally, ChatGPT has gained immense popularity for its diverse functionalities. However, recent reports suggest that some users have managed to bypass certain safety measures, including the so-called “grandma” exploit.

The exploit involves leveraging ChatGPT’s capabilities to extract Windows 10 Pro keys. Astonishingly, one user successfully utilized the grandma exploit to obtain multiple Windows 10 codes, which were initially perceived as legitimate. Intrigued by this discovery, the user continued to request codes for upgrading from Windows 11 Home to Windows 11 Pro.

It all started on June 17th, 2023, when a Twitter user going by the handle of @immasiddtweets, (their Twitter account has been suspended now but here is the archived link to their now deleted tweets), claimed to have successfully generated Windows 10 Pro keys by engaging with OpenAI’s AI-powered chatbot, ChatGPT.

The user requested the chatbot to read out the keys as a way to reminisce about their deceased grandmother. Surprisingly, the chatbot responded compassionately and provided five unique Windows 10 Pro keys at no cost.

Out of curiosity, @immasiddtweets went a step further and showcased how they utilized Google Bard and ChatGPT to upgrade from Windows 11 Home to Windows 11 Pro. However, TechRadar revealed a crucial detail—the generated product keys were generic in nature.

Consequently, while it remains possible to install or upgrade Windows using these keys, users may encounter limitations and miss out on certain features available in the full Windows 11 experience.

ChatGPT and Google Bard AI generating Windows Keys for @immasiddtweets (Image: Hackread.com)

Here is a series of Tweets from users generating keys for Windows 10 and Windows 11:

*   1: “Worked on Bing too bruv, and said it so confident,” said one user while sharing a screenshot of the generated keys
*   2: ”So True,” tweeted a user with a screenshot of generated keys.
*   3: For some users, ChatGPT also generated API keys.
*   4: ”Bing fell into the trap,” said one tweet.

However, according to Windows Central, when their researchers headed to Microsoft’s Bing AI chatbot to generate Windows keys, the chatbot came up with no keys but offered words of wisdom about piracy and how such products should be bought from original sources.

Nevertheless, to ensure the integrity of their services, both ChatGPT and Google Bard have implemented robust measures to prevent users from generating unauthorized product keys. As users navigate the digital realm, it is vital to exercise caution and seek legitimate avenues for obtaining product keys, ensuring a genuine and uninterrupted Windows experience.

**RELATED ARTICLES**

1.  Europol warns of ChatGPT exploitation
2.  OpenAI ChatGPT Bug Bounty Program – Earn $200 to $20k
3.  DarkBERT: Enhancing Cybersecurity Efforts on the Dark Web
4.  100,000 Hacked ChatGPT Accounts Discovered on Dark Web
5.  ChatGPT’s False Information Generation Enables Code Malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChatGPT tricked into generating Windows 10 and Windows 11 keys

Categories: Podcast
This week on Lock and Code, we speak with Matthew Guargilia about the NSA's broad powers to sweep up Americans' emails, DMs, messages, and all manner of digital communications.



(Read more...)




The post Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia appeared first on Malwarebytes Labs.

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and online. 

But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the US National Security Agency—even if those communications involve a US person—without any significant warrant requirement. Those digital communications can be searched by the FBI. The information the FBI gleans from those searches can be used can be used to prosecute Americans for crimes. And when the NSA or FBI make mistakes—which they do—there is little oversight. 

This is surveillance under a law and authority called Section 702 of the FISA Amendments Act. 

The law and the regime it has enabled are opaque. There are definitions for "collection" of digital communications, for "queries" and "batch queries," rules for which government agency can ask for what type of intelligence, references to types of searches that were allegedly ended several years ago, "programs" that determine how the NSA grabs digital communications—by requesting them from companies or by directly tapping into the very cables that carry the Internet across the globe—and an entire, secret court that, only has rarely released its opinions to the public. 

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia about what the NSA can grab online, whether its agents can read that information and who they can share it with, and how a database that was ostensibly created to monitor foreign intelligence operations became a tool for investigating Americans at home. 

As Guariglia explains:

> "In the United States, if you collect any amount of data, eventually law enforcement will come for it, and this includes data that is collected by intelligence communities."

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia

XDR can lower platform costs and improve detection, but it requires committing to a few principles that go against the established way of thinking about SOC.

The cyber security operation center (SOC) model's focus has shifted to extended detection and response (XDR). Architected correctly, XDR puts less pressure and cost on the security information and event management (SIEM) system to correlate complex security alerts. It also does a better job as a single pane of glass for ticketing, alerting, and orchestrating automation and response.

XDR is a real opportunity to lower platform costs and improve detection, but it requires committing to a few principles that go against the established way of thinking about SOCs.

**Intelligent Data Pipelines and Data Lakes Are a Necessity**

_**Takeaway: A security data pipeline can remove log waste prior to storage and route logs to the most appropriate location.**_

Managing your security data pipeline intelligently can have a massive impact on controlling spending by preprocessing every log and eliminating excess waste, especially when your primary cost driver is GB per day. Consider the following example showing the before and after size of Windows Active Directory (AD) logs.

    

The average inbound event had 75 fields and a size of 3.75KB. After removing redundant and unnecessary fields, the log has 30 fields and a size of 1.18KB. That is a 68.48% reduction of SIEM storage cost.

Applying similar value analysis for where you send each log is equally important. Not all logs should be sent to the SIEM! Only logs that drive a known detection should be sent to SIEM. All others used in supporting investigations, enrichment, and threat hunting should go to the security data lake. An intelligent data pipeline can make on-the-fly routing decisions for each log and further reduce your costs.

    

    

**Focus Detection and Prevention Closest to the Threat**

_**Takeaway: Product-native detections have gotten dramatically better; the SIEM should be a last line of defense.**_

The SIEM used to be one of the only tools that could correlate and analyze raw logs and identify alerts that need to be addressed. This was largely a reflection of other tools being single-purpose and generally bad at identifying issues by themselves. As a result, it made sense to ship everything to the SIEM and create complex correlation rules to sort the signal from the noise.

Today's landscape has changed with endpoint detection and response (EDR) tools. Modern EDR is essentially SIEM on the endpoint. It has the same capabilities to write detection rules on endpoints as the SIEM has, but now there is no need to ship every bit of telemetry data into the SIEM.

EDR vendors have gotten markedly better at building and maintaining out-of-the-box detections. We have consistently seen a sizable decrease in detections and preventions attributed to the SIEM during our purple team engagements in favor of tools like EDR and next-generation firewalls (NGFW). There are exceptions like Kerberoasting (which on-premises AD doesn't have much coverage for). As you move to pure cloud for AD, even those types of detections will be handled by "edge" tools like Microsoft Defender for Endpoint.

**Play to Your SIEM Strong Suit**

_**Takeaway: Having a deliberate process to consistently measure and improve your detection capabilities is far more valuable than having any specific SIEM tool on the market.**_

Purple teaming across industries and detection ecosystems has allowed us to understand the efficacy of many modern EDR, NGFW, SIEM, and other tools. We score and benchmark purple team results and trend the improvements over time. We have found over the past five years that the SIEM you buy has no measurable correlation to purple team scores. Process, tuning, and testing are what matter.

SIEM tools have architectural differences that can make one a better or worse fit for your environment, but buying a specific SIEM to significantly improve your detection capabilities will not prove out. Instead, focus your efforts on dashboards and correlations that support threat-hunt and incident-response efforts.

**Align EDR, SIEM, and SOAR in Your XDR Architecture**

_**Takeaway: Security automation and artificial intelligence (AI)-enhanced triage is the future but should be approached with caution. Not all automation needs to exclude all human involvement.**_

The future of XDR is coupled with tightly integrated security orchestration, automation, and response (SOAR) technologies. XDR concepts recognize that what really matters is **not how fast you can detect a threat, but how fast you can neutralize a threat.** _"If this – then that"_ SOAR automation methodologies aren't effective in real-world scenarios. One of the best approaches we've seen in XDR automation is:

*   Conduct a purple team exercise to identify which current detection events are optimized (very low false positive rates) and can be trusted with an automated response.
*   Create an automated response playbook but insert human intervention steps to gain confidence before you turn it fully over to automation. We call this "semi-automation," and it's a smart first step.

XDR is a buzzword, but when viewed in a technology-agnostic fashion, it is based on good foundations. Where organizations are most likely to fail is applying legacy SIEM management philosophies to modern XDR architectures. These program design philosophies will likely improve your capabilities and reduce your costs.

**About the Author**

    

Mike Pinch joined Security Risk Advisors in 2018 after serving 6 years as the Chief Information Security Officer at the University of Rochester Medical Center. Mike is nationally recognized as a leader in the field of cybersecurity, has spoken at conferences including HITRUST, H-ISAC, and has contributed to national standards for health care and public health sector cybersecurity frameworks. Mike focuses on GCP, AWS, and Azure security, primarily in helping SOC teams improve their capabilities. Mike is an active developer and is currently enjoying weaving modern AI technologies into common cybersecurity challenges.

Architecting XDR to Save Money and Your SOC's Sanity

Plus: Hackers knock out Russian military satellite communications, a spyware maker gets breached, and the SEC targets a victim company's CISO.

Amid exploding AI usage, the United States Senate is mulling legislation to regulate the development of artificial intelligence, but lawmakers' comments to WIRED this week indicate that Congress' abysmal track record on tech regulation may be doomed to repeat itself. Meanwhile, in the European Union, challenges filed under the EU's GDPR data law on Thursday allege that Pornhub has been collecting user data illegally.

We looked at a common air travel booking scam that can turn real—but not ticketed—flight reservations into cash grabs for cybercriminals. And tech companies have recently released an array of critical software updates that you should install on your devices right now. Some patches published in recent weeks from the company Progress Software patch flaws in the popular file transfer service MOVEit, which has been exploited by ransomware actors to spread malware and steal data from international companies, universities, and the US government.

If you want a digital hygiene project for the weekend, we have tips on how to make your chats and messaging more secure. And if you're craving a long read, WIRED went in-depth on the 1973 US National Personnel Records Center fire that destroyed 17 million military records and prompted a massive restoration effort.

And there's more. Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

On Tuesday, a 7-2 decision by the US Supreme Court reversed the conviction of a man who repeatedly threatened a stranger online. Justice Elena Kagan wrote in the majority opinion that First Amendment free speech protections require such cases to show that online harassers or cyberstalkers were aware that their digital abuse could be construed as threatening. Threats of violence are not protected by the First Amendment, but the court said prosecutors must show that a defendant “consciously disregarded a substantial risk that his communications would be viewed as threatening violence.” The offender in the case the court looked at, Billy Counterman of Colorado, had “moved to dismiss the charge on First Amendment grounds, arguing that his messages were not ‘true threats’ and therefore could not form the basis of a criminal prosecution.”

Counterman had persistently and repeatedly messaged a local singer he didn't know on Facebook over two years, and when she would block him he made new accounts to continue messaging her. Victims of online harassment and digital rights advocates warned following the decision that it creates a dangerous precedent to empower cyberstalkers. “The Court just handed stalkers and harassers, including of politicians, journalists, climate scientists, doctors advocating for vaccines, you name it, a new weapon,” Soraya Chemaly, director of the Women’s Media Center Speech Project, told the _Washington Post_.

A cyberattack caused a multiday outage this week of a Russian satellite communication system from Dozor-Teleport. The platform is broadly used, including by the Russian military. Ukrainian satellite communication infrastructure suffered a similar outage more than a year ago. Dozor’s parent company, Amtel Svyaz, also grappled with significant system outages this week. Multiple hackers claimed responsibility for the attacks, including some purporting to be hacktivists and others who said they were affiliated with the Russian private mercenary army Wagner Group. In addition to the outage, one of the entities claiming responsibility for the attack said it had stolen data from Dozor and published 700 files, including documents and images, to a leak site and Telegram.

The invasive phone monitoring app LetMeSpy said on June 21 that it was itself hacked. Attackers stole names, messages, call logs, and location data collected by the service, the company said. LetMeSpy is a Polish Android app that's used around the world to monitor thousands of people. The company's notice said that “a security incident occurred involving obtaining unauthorized access to the data of website users​​.”

Years after a Russian espionage campaign launched a devastating supply chain attack against software firm SolarWinds, the US Securities and Exchange Commission sent legal notices—known as “Wells notices”—to certain current and former Solarwinds employees. Such notices warn of potential securities law violations that could lead to civil enforcement action, but they rarely relate to cybersecurity incidents. Notably, one of the SolarWinds employees who received a notice is the company's current chief information security officer, Tim Brown, who was Solarwinds' head of security architecture at the time of the attack. Company CFO Barton Kalsu also received a notice. The situation is potentially significant as the US and other countries attempt to develop appropriate accountability mechanisms for high-ranking executives who preside over breaches and other security lapses. The fear among security professionals is often that individual penalties will simply discourage talented practitioners from taking top roles.

US Supreme Court Hands Cyberstalkers a First Amendment Victory

The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the mu_add_roles_in_signup_meta() and mu_add_roles_in_signup_meta_recently() functions. This makes it possible for unauthenticated attackers to add additional roles to users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

Tag

#intel