Preventative security should be driven by data and risk assessment, not compliance.

As organizations increasingly move their data and workloads to the cloud, securing cloud identities has become paramount. Identities are the keys to accessing cloud resources, and, if compromised, they enable attackers to gain access to sensitive data and systems.

Most attacks we see today are client-side attacks, in which attackers compromise someone's account and use their privileges to move laterally and access sensitive data and resources. To prevent this, you need visibility into your cloud's identity infrastructure. Unless you know the identity of all the people and objects that are accessing systems, their permissions, and their relationships, you won't have the context necessary to effectively assess your risk and take preventative measures.

A number of high-profile attacks illustrate this problem. A compromised cloud identity gave attackers access to SolarWinds' Orion software, where they deployed malicious code to thousands of their customers, including government agencies and Fortune 500 companies. Another example is the Microsoft Exchange attack, in which attackers exploited a vulnerability in Exchange to gain access to email accounts. From there, they stole sensitive data and sent phishing emails in an attempt to compromise other accounts.

For securing the cloud, I advise implementing an approach known as applied risk, which allows security practitioners to make decisions about preventative actions based on contextual data about the relationship between identities and what the downstream impacts of threats are in their specific environments. Here are some practical tips for adopting applied risk.

**Treat Cloud Protection as a Security Project, Not a Compliance Exercise**

For starters, shift your mindset. Gone are the simple days of client-server computing. The cloud environment is a complicated system of data, users, systems, and interactions between all of them.

Checking a series of boxes won't bring greater security if you don't understand how everything works together. Most teams take an unguided approach to preventive security, putting blind faith in the prioritization and remediation strategy put in place years ago. Yet security requires a bespoke approach tailored to every security team based on the organization's broader risk exposure. Not every "critical" alert from a security vendor is necessarily the biggest risk to that specific environment.

To accurately prioritize remediation and reduce risk, you must consider the entire attack surface. Understanding the relationships between exposures, assets, and users help you to determine which issues pose the greatest risk. When you take into account additional context, the "critical" finding may not be the biggest issue.

**Get Visibility Into Your Cloud Identity Infrastructure**

Next, visibility is key. To credibly identify the applied risk, you should do a comprehensive audit of all the identities and access control points in your cloud identity infrastructure. You need to know what resources you have in your environment, whether they're in the cloud or on-premises, how they're provisioned and configured, and other variables.

When securing the cloud, you can't only look at how cloud-specific resources are configured — you have to audit the identity aspect: virtual machines (VMs), serverless functions, Kubernetes clusters, and containers, for instance. One admin may have an account tied to AWS, an Active Directory account with a different role to log into their local systems, an account on GitHub, a Salesforce account, etc. You also have to consider things like the hygiene of the machines that the developers, DevOps, and IT teams are using. A successful phishing attack on a DevOps engineer can have a massive impact on the security posture of your cloud environments.

From there, you should map the relationships between identities and the systems they access. This is an important part of understanding your attack surface. Cloud-native application protection platforms (CNAPPs) are designed to help with this. Having a strong CNAPP platform gives the security team the ability to detect abnormal behavior around a particular identity and detect when configurations start to drift.

**Align Your Different Teams**

Once you have the identities and the relationships mapped out, you need to tie them to vulnerabilities and misconfigurations to determine where you are most vulnerable and start quantifying the applied risk. You can't create an effective remediation strategy without that.

But data and strategy will take you only so far. Teams tend to operate in silos, and each follows prioritization actions based on the specific software they are using, without communication with other teams or alignment on a holistic vision for minimizing risk. Because not every attack surface is the same, you need to structure the organization so that different skill sets can take mitigative action based on the variables specific to their environment.

When teams are coupled more closely, organizational risk drops. Let's say you have a cross-site scripting vulnerability in one of your Web applications. Wouldn't it make sense to prioritize any security or configuration issue associated with the infrastructure running that application? The inverse is also true. Does it not make more sense to address the vulnerability that is running in production or sitting on the Internet versus a vulnerability running in a dev environment with no chance of exploitation?

A large part of the reason security teams work in these silos is because the vendor landscape has kind of forced them to work this way. Until recently, there hasn't been a way to do the things I'm proposing here — at least not for anyone but the 1% of organizations that have vast security budgets and built in-house tools and teams.

To sum up, protecting identities — cloud and otherwise — requires adopting a mindset shift from compliance to a holistic security, applied risk approach that involves gaining visibility into your cloud infrastructure with CNAPP and aligning different teams on prioritizing remediation.

Securing Cloud Identities to Protect Assets and Minimize Risk

When investing in a unified endpoint management solution, prioritize the needs of your network and users ahead of brand names. This Tech Tip focuses on questions to ask.

A high-caliber, enterprise-grade unified endpoint management (UEM) solution is more critical than ever in today's remote, hybrid, and constantly fluctuating work landscape. If you're in procurement or finance, you're likely under a lot of pressure to choose the right one. You must drive operational efficiency through cost savings and overhead optimization.

For many organizations, Microsoft Intune (rebranded from Microsoft Endpoint Manager \[MEM\] and generally sold as part of an MS Enterprise License Agreement \[ELA\]) looks like a solid choice for endpoint management. It's a cloud-based solution with clear name recognition. Another plus: Microsoft's Intune plan pricing seems very approachable.

Other options have less name recognition than Microsoft but may be a better fit depending on an organization's needs. For example, according to G2, Ivanti Neurons for UEM gets high ratings for quality of support and ease of use. Atera offers particular expertise for small businesses. NinjaOne is rated well for being "a good partner in doing business."

The upshot: Organizations should not be making purchasing decisions based on brand name and pricing. Instead, companies should look beneath the surface before investing in technology, particularly in high-stakes scenarios with serious return on investment (ROI) potential.

**What to Ask Before Investing in a UEM Solution**

We cannot attempt to discuss the pros and cons of every major UEM solution available. With that in mind, here's what I recommend asking when evaluating a UEM solution:

1.  What type of devices will I be using the UEM solution for? Is it primarily mobile, mostly laptops or desktops, or a combination?
2.  Are my endpoints dispersed regionally, globally, or mostly on-site behind a perimeter?
3.  How is my IT help desk going to support and troubleshoot these devices? What is the additional cost per year to support?
4.  How many employees will be involved, and what's the cost per employee?
5.  What are the licensing agreements like? Do I need to buy a whole pie when I only want a slice?
6.  How is pricing structured? Will it scale based on usage?
7.  Do my employees exclusively use one type of device and operating system or a mix? If it's the latter, will the UEM solution work just as well regardless of the device type and OS used?
8.  Would my IT and security team benefit more from a central dashboard with a single-pane-of-glass view or integrated Mobile Threat Defense capabilities?
9.  How does the solution integrate with my other vendors/solutions and third-party apps?
10.  How many more IT employees will it take to manage? Does it require more servers?

Some of those questions might sound overly technical to those in finance and procurement, but your answers can significantly affect your true usability and costs.

**Get the Full Picture of Your Total Cost of Ownership**

As a rule, technology must suit the organization using it, and no technology solution is suitable for everyone. Total cost of ownership, for instance, is important, and it varies among solutions. Let's look at Intune as an example.

For all its strengths and lightweight supports on operating systems such as Android and macOS, Intune is not recommended for some verticals and businesses that require robust support on third-party applications. It is not intended as a complete systems-management platform. Part of the reason it might look like you're saving money by switching to Intune is because it's built primarily for a narrow subset of needs — and those needs are more cost-effective for Microsoft to handle.

Suppose you have diverse endpoints and many third-party apps to manage and integrate. In that case, you'll end up in a tough spot — either tolerating significant vulnerability or shelling out more for a comprehensive solution to pick up the slack. You'll also likely need to acquire additional software to run on certain operating systems. Furthermore, Microsoft charges additional costs per year for its Remote Help/Remote View of mobile devices.

There are more gaps like this, but perhaps most critically for finance, Microsoft Intune's pricing is based in part on the volume of data transmitted. These usage fees are challenging to predict and budget for and can add up. It becomes problematic when deciding between facilitating an unlimited flow of protected data or managing costs. Additionally, I've seen many enterprises having to buy more servers to manage Intune and hire additional administrators to manage those servers.

**The Bottom Line for Your Bottom Line**

In this example, Microsoft Intune is a fantastic option if:

*   You need a robust solution for lightweight mobile applications mainly on the same OS.
*   Your use case is straightforward enough that a single-pane-of-glass view isn't relevant.
*   The numbers look favorable based on your usage needs.

If you have more complicated requirements, perform due diligence to identify more flexible options.

Regardless of where you end up, do not go _without_ a UEM solution. Your company's security depends on it.

Understand the True Cost of a UEM Before Making the Switch

Categories: Exploits and vulnerabilities
Categories: News
Tags: iLeakage

Tags:  side-channel

Tags:  Safari

Tags:  CVE-2023-40413

Tags:  CVE-2023-40416

Tags:  CVE-2023-40423

Tags:  CVE-2023-42487

Tags:  CVE-2023-42841

Tags:  CVE-2023-41982

Tags:  CVE-2023-41997

Tags:  CVE-2023-41988

Tags:  CVE-2023-40447

Tags:  CVE-2023-42852

Tags:  CVE-2023-32434

Tags:  CVE-2023-41989

Tags:  CVE-2023-38403

Tags:  CVE-2023-42856

Tags:  CVE-2023-40404

Tags:  CVE-2023-41977

Tags:  Vim

Apple has released security updates for its phones, iPads, Macs, watches and TVs.



(Read more...)




The post Update now! Apple patches a raft of vulnerabilities appeared first on Malwarebytes Labs.

Apple has released security updates for its phones, iPads, Macs, watches and TVs.

Updates are available for these products:

*   iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later get iOS 17.1 or iPadOS 17.1.
*   iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later get iOS 16.7.2 or iPadOS 16.7.2.
*   iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) get iOS 15.8 or iPadOS 15.8.
*   Macs get one of macOS Sonoma 14.1, macOS Ventura 13.6.1, macOS Monterey 12.7.1, and Safari 17.1.
*   Apple TV HD and Apple TV 4K (all models) get tvOS 17.1.
*   Apple Watch Series 4 and later get watchOS 10.1.

The important vulnerabilities that have been addressed in this raft of updates are:

CVE-2023-40423, a critical vulnerability in IOTextEncryptionFamily that could allow an app to execute arbitrary code with kernel privileges. Arbitrary code execution means an attacker could run any commands or code of their choice on a target machine or in a target process. Kernel privileges means the attacker would have the highest level of access to all machine resources.

CVE-2023-40413, a vulnerability in Find My that could allow another to read sensitive location information.

CVE-2023-40416, a vulnerability in ImageIO which means processing an image could result in disclosure of process memory.

CVE-2023-42847, a vulnerability in Passkeys could allow an attacker to access passkeys without authentication. A passkey is a way to sign in to an app or website account, without needing to create and remember a password.

CVE-2023-42841, a vulnerability in Pro Res could allow an app to execute arbitrary code with kernel privileges.

CVE-2023-41982, CVE-2023-41997, and CVE-2023-41988 are a set of vulnerabilities in Siri that would allow an attacker with physical access to use Siri to access sensitive user data.

CVE-2023-40447 and CVE-2023-42852 are vulnerabilities in WebKit that could be used for arbitrary code execution. Visiting a specially crafted website could cause WebKit to perform operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CVE-2023-32434 is a vulnerability that could allow an app to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CVE-2023-41989 could allow an attacker to execute arbitrary code as root from the Lock Screen due to a vulnerability in Emoji. The issue was addressed by restricting options offered on a locked device. Root is the superuser account in many opeating systems. It is a user account for administrative purposes, and typically has the highest access rights on the system.

CVE-2023-38403 is a vulnerability in iperf3 before 3.14 that could allow peers to cause an integer overflow and heap corruption via a crafted length field. iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it's expecting, which creates a route for the attacker to manipulate the program. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

CVE-2023-42856 could be used to trigger unexpected app termination or arbitrary code execution due to a vulnerability in Model I/O. Model I/O provides the ability to access and manage 3D models.

CVE-2023-40404 could allow an app to execute arbitrary code with kernel privileges due to a vulnerability in Networking.

CVE-2023-41977 is a vulnerability in Safari that could allow a malicious website to reveal browsing history.

Notably absent from the bugs that have been fixed is iLeakage, a sophisticated side-channel attack in the Spectre family.

The updates above may already have reached you, but it doesn't hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading your iPhone or iPad or your Mac.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update now! Apple patches a raft of vulnerabilities

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

CVE-2023-34059: VMSA-2023-0024

Xpand IT Write-back manager v2.3.1 allows attackers to perform a directory traversal via modification of the siteName parameter.

During an authorised penetration testing assessment conducted on Xpand IT’s Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.

The discovered vulnerability allows an attacker to change the directory to which an uploaded file is saved on the filesystem.

This blog post is the second post of a five-part series in which we will technically describe five security vulnerabilities and how they were detected and exploited.

**What is Write-Back?**

Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.

Write-Back allows users to take the Tableau usage further and implement use cases where you need users to input data, such as forecasting, planning, adding comments, or any actionable process. Includes features like on-premises execution, audit, multiple back-end databases, and integrated authentication.

Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:

**Write-Back (Server)**: Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.

**Write-Back Manager**: Centralizes all configurations and enables platform administrators to take full control of how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing it to manage that instance.

**Technical description**

CVE-2023-27170 is a path or directory traversal security vulnerability that allows an authenticated user to upload a file to any location on the file system using any of the multiple file upload features on the Write-Back Manager.

This vulnerability was initially detected by changing the uploaded filename through a man-in-the-middle attack.

In the particular case of the customised logo upload feature, the name under which the logo file would be written to disk equalled the value passed in the siteName parameter, which by default was always 00000000-0000-0000-0000-000000000000. By manipulating the value of this parameter and adding special characters such as dots ‘.’ and slashes ‘/’, an attacker can change the path to which the file will be written:

**_Figure 1 – Logo file upload._**

In this example, the logo was placed in one folder hierarchically above the logos folder:

**_Figure 2 – Logo file uploaded to a different folder._**

The root cause of this vulnerability can be found in the uploadLogoFile function of the ThemesManager class, which handles the upload of a custom logo file:

**_Figure 3 – Cause of the vulnerability._**

The siteName parameter is simply concatenated together with the file extension and added to the writePath, resulting in the manipulation of the folder’s path to which the file is uploaded to.

**Impact**

This vulnerability could potentially be exploited in multiple manners. A malicious user could overwrite critical files, upload massive files, cause a file space denial of service, or upload dangerous files into the web tree to achieve code execution.

**CVE ID:** CVE-2023-27170  
**CVSS 3.1 Base Score:** 5.5  
**CVSS Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L  
**Affected Vendor:** Xpand IT  
**Affected Product:** Write-Back  
**Affected Version:** Write-Back Manager v2.3.1

**Mitigation**

Update Write-Back to at least version 4.1.

**Timeline**

12-12-2022 – Vulnerability detected and reported to Write-Back.

22-02-2023 – Vulnerability submitted to MITRE.

10-03-2023 – Vulnerability accepted and CVE-2023-27170 reserved.

12-07-2023 – Official Patch released by Write-Back team.

20-10-2023 – Public disclosure of CVE-2023-27170.

**Credits**

**Bruno Pincho** | Penetration Tester at Balwurk 

**References**

*   https://writeback4t.com

CVE-2023-27170: CVE-2023-27170 - Improper Limitation of a Pathname to a Restricted Directory - Balwurk

Categories: Exploits and vulnerabilities
Categories: News
Apple has fixed a bunch of security flaws, but not iLeakage, a side-channel vulnerability in Safari.



(Read more...)




The post Patch...later? Safari iLeakage bug not fixed appeared first on Malwarebytes Labs.

Apple has released updates for its phones, Macs, iPads, watches, and TV streaming devices, fixing a bunch of security problems. But amid all that activity, one fix is notably absent—there is nothing to address the vulnerability dubbed iLeakage.

iLeakage is a side-channel attack that can force the Safari browser to divulge secrets like passwords and Gmail messages.

A side-channel attack looks at the indirect effects of a computer program, or computer hardware, which can reveal things about what's happening under the hood. It's like a thief looking at your house and concluding from the fact that there are no lights on and the car isn't in the driveway that you aren't home. The lights and the empty driveway are side channels.

In the case of iLeakage, the side channel is speculative execution, a performance enhancement feature found in modern CPUs. iLeakage is just the latest in a whole family of speculative execution bugs, known as Spectre, dating back to 2017.

Virtually every modern CPU uses some kind of performance optimization where it attempts to predict what a program will do next. Once a prediction is made, the CPU will execute instructions ahead of time, so that the answer is there immediately should you need it. If the CPU realizes its prediction was wrong it has to revert all the changes it made, but sometimes speculative execution leaves traces in the CPU's microarchitectural state, and especially the cache.

A group of cybersecurity researchers used these traces to show how an attacker can make Safari reveal sensitive information. The attacks use a malicious web page that exploits iLeakage. The page can be used to open Instagram, Gmail, YouTube, or any other website in a new tab. Behind the scenes, the same Safari computer process renders both the malicious page and the target web page, allowing the malicious page to pull information from the target, such as auto-filled passwords, using iLeakage.

Although there are no fixes for iLeakage yet, there are mitigations. Unfortunately, all of them come with significant caveats. According to the researchers, the super-secure Lock Down mode that's available on Apple's Macs, phones, and tablets will disable iLeakage, but Lock Down mode can impact performance and, as Apple points out, "When Lockdown Mode is enabled, your device won’t function like it typically does."

You can also stop iLeakage by disabling JavaScript execution in your browser, but this will likely impact the behavior of every website you visit, making many of them unusable.

There is another mitigation that specifically targets iLeakage, but it's macOS only and it's not enabled by default. On top of that, the mitigation is considered unstable, and it requires users to open a computer terminal window, which will be beyond many users' comfort zones. If you really want to go there, you can read the instructions on the iLeakage site, under "How can I defend against iLeakage." We suggest that unless you're a high value target you probably don't need to bother, and if you are a high value target you should enable Lock Down mode anyway.

There is no evidence that iLeakage has been abused in the wild, and figuring out how the researchers did it will be a significant undertaking for cybercriminals.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Patch...later? Safari iLeakage bug not fixed

The newly launched AI & ML Security Library allows developers to analyze the code used in machine learning systems to identify and address risks.

As part of "shift left" to incorporate security discussions earlier in the software development life cycle, organizations are beginning to look at threat modeling to identify security flaws in software design. With developers increasingly incorporating machine learning in their applications, threat modeling is necessary for identifying the risks to the organization.

"People are still grappling with the whole idea that when you use that very new technology \[machine learning\], it brings along a bunch of risk, as well," says Gary McGraw, co-founder of the Berryville Institute of Machine Learning. "I've been in the unenviable position of saying, 'Well, there's this risk, and there's that risk, and the sky is falling,' and everybody goes, 'Well, what am I supposed to do about that?'"

There have been many conversations about machine learning risk, but the difficulty lies in figuring out how to address them, McGraw says. Threat modeling – identifying the types of threats that can cause harm to the organization – helps organizations think through security risks in machine learning systems such as data poisoning, input manipulation, and data extraction. If developers could understand the security flaws in their designs by threat modeling, it would reduce the time spent on security testing during development and before production. NIST's Guidelines on Minimum Standards for Developer Verification of Software recommends threat modeling to look for design-level security issues.

IriusRisk’s threat modeling tool addresses this challenge by automating both threat modeling and architecture risk analysis. Developers and security teams can import the code into the tool to generate diagrams and threat models. Threat modeling templates make threat modeling accessible even to those not familiar with diagramming tools or risk analysis.

And the newly launched AI & ML Security Library allows organizations using IriusRisk to threat model the machine learning system they are planning in order to understand what the security risks are, as well as how to mitigate those risks.

“We're finally getting around to building machinery that people can use to address the risk and control the risk," says McGraw, who is also a member of IriusRisk’s advisory board. "When you put machine learning into your \[system\] design, and you're using IriusRisk, now you know what risks are involved and what to do about that."

**What ML Threat Modeling Looks Like**

IriusRisk's AI & ML Security Library helps organizations ask necessary questions. For example:

1.  Asking where the data being used to train the machine learning model came from. It's important to also ask whether anyone had the opportunity to embed incorrect or malicious data to make the machine do the wrong thing.
2.  Consider how the machine keeps learning once it is in production. Machine learning systems that are online and keep on learning from users are more dangerous than the ones that are not online. "It depends on who is using it. Is it your people? Is it bad people? Is it everybody on Twitter, or X?" McGraw says, noting there have been examples of past projects that had to be taken offline after it learned objectionable information.
3.  Ask if confidential information can be extracted from the machine. If you put confidential information into your machine learning algorithm, it is not protected by cryptographic means and can be extracted. "If you put the data in the machine, it's in the machine," McGraw says. "You need to think about making sure that people using your machine learning system cannot extract that confidential data."

The AI & ML Security Library is based on the BIML ML Security Risk Framework, a taxonomy of machine learning threats, as well as an architectural risk assessment of typical machine learning components developed by McGraw. The framework is designed to be used by developers, engineers, and designers creating applications and services that use machine learning in the early design and development phases of the project. With IriusRisk's library, everybody who is using machine learning can use BIML's framework.

The AI & ML Security Library is available to IriusRisk customers and those using the community edition of the platform.

**Time to Be Threat Modeling**

The AI & ML Security Library was developed in response to interest from organizations about how to analyze and secure AI and ML systems, according to Stephen de Vries, CEO of IriusRisk.

"We have seen a surge in interest from our customers in the finance and technology sectors for guidance on how to analyze, and secure design ML systems," de Vries said in a statement. "Since these are often new projects that are still in the design phase, performing threat modeling here adds a lot of value, because those teams will very quickly understand where the security goalposts are – and what they need to do in order to get there."

The library doesn't help organizations that don't have visibility into their machine learning use. Just as organizations can have shadow IT – where different business stakeholders set up their own servers and Web applications without IT oversight – they can also have shadow machine learning, McGraw says. Different departments are trying out new applications and tools, but there is a gap between what individual employees are using and what risks IT and security teams know about.

“Everybody's like, 'I don't think I have any machine learning in my organization,'" McGraw says. "But as soon as they find out that they do … they find it everywhere.”

Many organizations do not incorporate threat modeling during software design, and those that do rely on manual processes where a person analyzes the threats one at a time.

"If you have a mature threat modeling program and you're using a tool like IriusRisk, you can also now handle machine learning. So the people who are already doing the best are going to do even better," McGraw says. "What about the people who aren't doing threat modeling? Maybe they should start. It's not new. It's time to do it."

IriusRisk Brings Threat Modeling to Machine Learning Systems

**PRESS RELEASE**

**SEATTLE – Oct. 24, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the launch of WatchGuard MDR, a new 24/7 cybersecurity service purpose-built to make MDR vastly more accessible to managed service providers (MSPs) working to address soaring customer demand for managed cybersecurity delivery. The new service is managed by an elite team of cybersecurity experts and powered by AI. It requires no investment in a traditional security operation center (SOC) infrastructure, advanced technologies, or security experts, which addresses the pressures of scarce cybersecurity professionals and funding faced by MSPs.

“WatchGuard’s new solution has effectively super charged our managed security services business by allowing us to effortlessly tap into the immense potential of MDR and offer it as a value-added service to customers,” said Raul Zayas, president of ZTek Solutions. “By removing the burden on us to create a modern SOC, WatchGuard MDR expedited our ability to give customers what they need the most: top-notch, comprehensive cybersecurity backed by industry-leading cyber experts to ensure a resilient defense against evolving cyber threats. Not only has WatchGuard put us in the fast lane in that regard, they also make it all incredibly simple to do through their Unified Security Platform architecture to help ensure we stay ahead of the curve.”  

Highly customizable and scalable, this new MDR service further strengthens WatchGuard's Unified Security Platform architecture, providing advanced threat detection and response capabilities on top of WatchGuard EDR, EPDR, and Advanced EPDR that empower MSPs to build out robust, comprehensive security offerings for their customers. It comes with the support of WatchGuard’s automated Zero-Trust Application Service, Threat Hunting Service, advanced security analytics, threat intelligence, and a dedicated team of skilled cybersecurity analysts that monitor, detect, and respond to threats 24/7. 

“As a 100% channel-driven company, we wanted to deliver an enterprise-class MDR solution that would allow our MSP partners to expand their business without the expense of building their own SOC or adding to the challenges they already face in finding cybersecurity talent,” said Andrew Young, chief product officer at WatchGuard Technologies. “We are dedicated to supporting our MSP community, and the launch of WatchGuard MDR represents another milestone in the long-term trusted relationships we build with our partners. Not only does this service help MSPs break through existing barriers to entry for delivering managed security services – it allows them to capitalize on a growing opportunity with an innovative new solution we’ve purpose-built for them specifically.” 

**Key Features and Benefits**

WatchGuard MDR is the ideal choice for service providers looking to elevate the security posture of their customers, expand their portfolio, and generate recurring revenue streams with zero investment in modern security operations center (SOC), sophisticated and expensive AI-based technology, and scarce cybersecurity experts. Capabilities include:  

*   **24/7 Endpoint Activity Monitoring and Data Collection –** to provide real-time and retrospective monitoring using event data captured by WatchGuard EPDR or Advanced EPDR in WatchGuard’s modern SOC.
*   **24/7 Proactive Hunting and Detection** – to reduce time to detect and mitigate threats using AI, machine learning, and other advanced techniques to identify indicators of attack, while WatchGuard’s MDR threat hunters search for threats lurking in endpoints.
*   **24/7 Investigation and Validation** – to minimize the impact of potential threats by relying on WatchGuard experts to quickly investigate and accurately validate incidents to determine their nature and severity.
*   **Immediate Incident Notification** – to provide prompt notification with key insights such as affected machines and tactics used when a validated incident occurs so MSPs can take immediate action.
*   **Options for Mitigation and Guidelines for Remediation** – to give MSPs the flexibility to choose the strategy that works best for their business. They can rely on their own team with guidance from WatchGuard experts on how to contain and remove traces of an attack, restore data, patch vulnerabilities, and install additional controls. Or they can outsource the initial response and the containment through endpoint isolation to automated playbooks developed by WatchGuard MDR experts.
*   **Weekly Security Health Status Report and Monthly Activity Reporting** – to build trust with customers by providing regular reports on their security status, which service providers can customize to better engage customers with their MDR service and provide valuable feedback throughout the process.  

For more information about WatchGuard MDR, click here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard Launches MDR Service, Helps MSPs Accelerate Cybersecurity Service Delivery

**PRESS RELEASE**

**SANTA CLARA, Calif.,Oct. 25, 2023/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today launched an essential new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, robust credit protection and reporting and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes' award-winning antivirus and VPN software, helps prevent criminals from stealing or using personal information to drain financial accounts, hack or impersonate social media accounts, damage a user's reputation or other online and identity-based attacks.

Today's digital life is complex and sometimes deceptive. According to new research from Malwarebytes, identity theft ranks as people's third biggest concern when it comes to online security, just behind fear of financial accounts and personal data being breached – both of which play into identity theft. Of those surveyed 64% agree that identity theft protection is important, but only 13% have it. Consumers are also increasingly fearful of new technology. Malwarebytes gives consumers protection they can trust, alerting them when we see their information has been stolen and providing live agent support to restore their identity and replace lost items.

"Even as we spend more and more of our lives online, we all know that the internet today can't be trusted," said Mark Beare, GM of Consumer Business Unit, Malwarebytes. "Consumers need a tool that not only blocks threats like malware and phishing, but that also monitors and protects their digital identity, be that social media profiles, bank accounts or email. With Malwarebytes Identity Theft Protection, we provide a robust and exhaustive suite of services so individuals and families can rest easy knowing that we are actively working to keep them safe and protect their digital identity."

Malwarebytes Identity Theft Protection is available globally through a variety of tiered offerings that provide protection via computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key features include:**

*   Identity Monitoring & Alerts**:** Continuously scours a multitude of websites and data sources, including the Dark Web, to alert if personal information is being illegally traded or sold. Recommends actions to take to protect yourself.
*   Credit Monitoring and Protection**:** Ongoing tracking of credit for critical changes, such as new accounts or inquiries and applications for new lines of credit. A credit freeze also can be activated\*.
*   Breach IQ**:** Provides a safety score and alerts if personal information is part of a known breach\*.
*   Identity Recovery & Resolution**:** Assistance in the event of an identity theft incident, including guided steps to report the crime, dispute fraudulent charges, restore identity and recuperate financial losses incurred. Includes up to a $2 million insurance policy.

To read more about the latest threats and cyber protection strategies, visit our blog, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

_\*U.S. only_

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including AVLAB and AV-TEST. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Announces Consumer Identity Theft Protection Solution

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

Tag

#mac