Tag Archive for: security

Can We Balance Security And Privacy? Thoughts 10 Years After Snowden

Hi, I’m Matthias, cofounder of Tuta, a secure email service. We are innovation leaders in encrypted communication and collaboration.

More than 10 years have passed since Edward Snowden revealed the worst surveillance scandal of the FBI and the NSA in U.S. history. His revelations sparked a vivid discussion—one that can be looked at with more precision now that the heated debate that started one decade ago has settled: How can we balance the security and privacy requirements of our modern societies?

Snowden brought some of the most intrusive surveillance programs of U.S. authorities to light, the most prominent ones being PRISM, XKeyscore and Boundless Informant. Once the public started to understand how much of the private data they willingly share online is being siphoned off, analyzed and scanned, the question arose whether this form of surveillance is required to keep citizens safe or whether it violates citizens’ privacy rights without measurable benefit.

Balancing Security And Privacy—Is It Possible?

The delicate balance between security imperatives and the fundamental right to privacy must be discussed openly by every society. As an expert in encryption and cybersecurity, I am absolutely certain that the Snowden leaks not only exposed the extent of government surveillance but also underscored the urgent need for strong end-to-end encryption to protect the privacy of citizens and businesses alike. At the same time, encryption must not stand in the way of national security. Government authorities often claim that it does, but better ways to protect citizens are possible.

First of all, it’s essential to note that the internet as it exists today would not be possible without strong end-to-end encryption. We use it every day for online banking, sharing sensitive medical information, messaging or communicating via email. Encryption is the only technical measure we have to protect data online, not just from our own authorities eavesdropping on it, but also from malicious attackers, economic espionage or state-sponsored surveillance by foreign countries such as China or Russia. Encryption is the very foundation of our modern web and the basis of any cybersecurity…

Source…

DSCI holds meet on advancing cyber security initiatives

Update: 2024-04-24 09:05 IST

Hyderabad: To deal with evolving cyber threats that are increasing in complexity and scale, the Data Security Council of India (DSCI)’s Cybersecurity Centre of Excellence (CCoE) organised a meet at Plaza Hotel in the city on Tuesday.

The meet was led by CEO Dr Sriram Birudavolu, with Dr Jayesh Ranjan, special chief secretary, ITE&C department taking part as the chief guest.

The conference featured diverse sessions on topics such as cyber security best practices, the privacy and data protection seal, risk management, attack surface management, application security posture management and incident response, among others. The aim of the sessions was to make use of the latest developments in cyber security to safeguard critical infrastructure and sensitive data assets.

Source…

Forescout: Security threats to exposed critical infrastructure go ignored

HANNOVER, Germany — Internet exposure of Operational Technology (OT) and Industrial Control Systems (ICS) continues to be a critical infrastructure security issue despite decades of raising awareness, new regulations, and periodic government advisories.

Forescout, a global cybersecurity leader, unveiled Better Safe Than Sorry, a seven-year analysis of internet-exposed OT/ICS data. The study was conducted by Forescout Research – Vedere Labs, a leading global team dedicated to uncovering vulnerabilities in and threats to critical infrastructure.

In the Better Safe Than Sorry report, Forescout researchers examine the realistic opportunities for a mass-target attack on internet-exposed OT/ICS devices. These devices are fertile ground for abuse, as attackers need look no further than a basic rationale driven by current events, copycat behavior, or the opportunities found in new off-the-shelf capabilities or readily available hacking guides to create chaos.

Forescout released Better Safe Than Sorry from HANNOVER MESSE, the world’s leading trade fair for industrial technology. Forescout researchers can discuss these findings in Hall 16, Booth: A12 in the IT & OT Circus, April 22-26.

“If these warnings sound familiar, it’s because they are. The looming potential for a mass target scenario is high,” said Elisa Costante, VP of Research at Forescout Research – Vedere Labs. “Forescout calls on vendors, service providers, and regulatory agencies to work collectively to prevent attacks on critical infrastructure that will spare no one.”

Top research highlights in the Better Safe Than Sorry report include:

  1. North America is making strides to close the gap, but there is still work to do around the world. The US and Canada significantly reduced their number of exposed devices during the study period, by 47% in the US and 45% in Canada. The other countries in the top 10 increased their number of exposed devices:
    • Spain: 82%
    • Italy: 58%
    • France: 26%
    • Germany: 13%
    • Russia: 10%
  2. Proactive, targeted notification is urgently required. The Unitronics hacking incidents, together with a combination of regulatory alerts and media coverage, led to a 48% reduction in internet-exposed Unitronics PLCs within two…

Source…

GPT-4 can exploit zero-day security vulnerabilities all by itself, a new study finds

A hot potato: GPT-4 stands as the newest multimodal large language model (LLM) crafted by OpenAI. This foundational model, currently accessible to customers as part of the paid ChatGPT Plus line, exhibits notable prowess in identifying security vulnerabilities without requiring external human assistance.

Researchers recently demonstrated the ability to manipulate large language models (LLMs) and chatbot technology for highly malicious purposes, such as propagating a self-replicating computer worm. A new study now sheds light on how GPT-4, the most advanced chatbot currently available on the market, can exploit extremely dangerous security vulnerabilities simply by examining the details of a flaw.

According to the study, LLMs have become increasingly powerful, yet they lack ethical principles to guide their actions. The researchers tested various models, including OpenAI’s commercial offerings, open-source LLMs, and vulnerability scanners like ZAP and Metasploit. They found that advanced AI agents can “autonomously exploit” zero-day vulnerabilities in real-world systems, provided they have access to detailed descriptions of such flaws.

In the study, LLMs were pitted against a database of 15 zero-day vulnerabilities related to website bugs, container flaws, and vulnerable Python packages. The researchers noted that more than half of these vulnerabilities were classified as “high” or “critical” severity in their respective CVE descriptions. Moreover, there were no available bug fixes or patches at the time of testing.

The study, authored by four computer scientists from the University of Illinois Urbana-Champaign (UIUC), aimed to build on previous research into chatbots’ potential to automate computer attacks. Their findings revealed that GPT-4 was able to exploit 87 percent of the tested vulnerabilities, whereas the other models, including GPT-3.5, had a success rate of zero percent.

UIUC assistant professor Daniel Kang highlighted GPT-4’s capability to autonomously exploit 0-day flaws, even when open-source scanners fail to detect them. With OpenAI already working on GPT-5, Kang foresees “LLM agents” becoming potent tools for democratizing vulnerability exploitation and cybercrime among script-kiddies…

Source…