Lifeboat Foundation

Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple’s operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware.

“An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads,” Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a write-up.

Tracked as CVE-2022–26706 (CVSS score: 5.5), the security vulnerability impacts iOS, iPadOS, macOS, tvOS, and watchOS and was fixed by Apple in May 2022.

Security experts from paluno, the Ruhr Institute for Software Technology at the University of Duisburg-Essen (UDE) have developed a new technique that, for the first time, enables fuzz testing of protected memory areas in modern processors. Their method revealed many vulnerabilities in security-critical software.

Intel’s “Software Guard Extension” (SGX) is a widely used technology to protect sensitive data from misuse. It helps developers in shielding a certain memory area from the rest of a computer. A password manager, for example, can be executed safely in such an enclave, even if the rest of the system is corrupted by malware.

However, it is not uncommon for errors to creep in during the programming of the enclaves. Already in 2020, the paluno team from Prof. Dr. Lucas Davi discovered and published several vulnerabilities in SGX enclaves. Now, together with partners form the CASA cluster of excellence, the researchers have achieved another breakthrough in the analysis techniques: Their latest development enables the fuzz testing of enclaves, which is much more effective than the previously used symbolic execution. The idea behind fuzz testing is to feed a large number of inputs into a program in order to gain insights into the structure of the code.

Deep learning techniques have recently proved to be highly promising for detecting cybersecurity attacks and determining their nature. Concurrently, many cybercriminals have been devising new attacks aimed at interfering with the functioning of various deep learning tools, including those for image classification and natural language processing.

Perhaps the most common among these attacks are adversarial attacks, which are designed to “fool” deep learning algorithms using data that has been modified, prompting them to classify it incorrectly. This can lead to the malfunctioning of many applications, biometric systems, and other technologies that operate through deep learning algorithms.

Several past studies have shown the effectiveness of different adversarial attacks in prompting deep neural networks (DNNs) to make unreliable and false predictions. These attacks include the Carlini & Wagner attack, the Deepfool attack, the fast gradient sign method (FGSM) and the Elastic-Net attack (ENA).

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

“If you’re an average internet user, you may not think too much about your privacy when you visit a random website,” says Reza Curtmola, one of the study authors and a computer science professor at NJIT. “But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they’re very stealthy. You just visit the website and you have no idea that you’ve been exposed.”

The risk that government-backed hackers and cyber-arms dealers will attempt to de-anonymize web users isn’t just theoretical. Researchers have documented a number of techniques used in the wild and have witnessed situations in which attackers identified individual users, though it wasn’t clear how.

Researchers at Simon Fraser University have made a crucial breakthrough in the development of quantum technology.

Their research, published in Nature today, describes their observations of more than 150,000 silicon “T center” photon-spin qubits, an important milestone that unlocks immediate opportunities to construct massively scalable quantum computers and the quantum internet that will connect them.

Quantum computing has enormous potential to provide computing power well beyond the capabilities of today’s supercomputers, which could enable advances in many other fields, including chemistry, materials science, medicine and cybersecurity.

Microsoft warns of a large-scale AITM phishing attacks targeting over 10,000 organizations across the world.

A new data extortion group has been breaching companies to steal confidential information, threatening victims to make the files publicly available unless they pay a ransom.

The gang received the name Luna Moth and has been active since at least March in phishing campaigns that delivered remote access tools (RAT) that enable the corporate data theft.

Lee Holloway programmed internet security firm Cloudflare into being. Then he became apathetic, distant, and unpredictable—for a long time, no one could make sense of it.

Circa 2021

Finding and fixing bugs in code is a time-consuming, and often frustrating, part of everyday work for software developers. Can deep learning address this problem and help developers deliver better software, faster? In a new paper, Self-Supervised Bug Detection and Repair, presented at the 2021 Conference on Neural Information Processing Systems (NeurIPS 2021), we show a promising deep learning model, which we call BugLab can be taught to detect and fix bugs, without using labelled data, through a “hide and seek” game.

To find and fix bugs in code requires not only reasoning over the code’s structure but also understanding ambiguous natural language hints that software developers leave in code comments, variable names, and more. For example, the code snippet below fixes a bug in an open-source project in GitHub.

Continue reading “Finding and fixing bugs with deep learning” »