_Frog

joined 1 year ago

EXECUTIVE SUMMARY

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

  • Default configurations of software and applications
  • Improper separation of user/administrator privilege
  • Insufficient internal network monitoring
  • Lack of network segmentation
  • Poor patch management
  • Bypass of system access controls
  • Weak or misconfigured multifactor authentication (MFA) methods
  • Insufficient access control lists (ACLs) on network shares and services
  • Poor credential hygiene
  • Unrestricted code execution

These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:

  • Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.
  • Software manufacturers must reduce the prevalence of these misconfigurations—thus strengthening the security posture for customers—by incorporating secure-by-design and -default principles and tactics into their software development practices.

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations.

  • Remove default credentials and harden configurations.
  • Disable unused services and implement access controls.
  • Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.
  • Reduce, restrict, audit, and monitor administrative accounts and privileges.

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and -default tactics, including:

  • Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
  • Eliminating default passwords.
  • Providing high-quality audit logs to customers at no extra charge.
  • Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.
 

Preparations for a massive new particle smasher near Geneva are picking up speed. But the European-led project, which hopes to answer some of the biggest questions in physics, faces many obstacles, including competition from China.

In 2012 scientists at the European Organization for Nuclear Research (CERN) achieved a key breakthrough when they detected the elusive Higgs boson, an elementary particle that gives mass to all the others. This followed decades of work using accelerators such as the famed Large Hadron Collider (LHC), the world’s most powerful particle collider located north of Geneva.

Yet many fundamental questions about the universe remain unanswered: What constitutes dark matter? Why is our universe filled with matter and not antimatter? Or why do the masses of elementary particles differ so much?

The search for answers to these and other big physics questions requires another “leap to higher energies and intensities”, says CERN. The organisation wants to build a more powerful and precise successor to the LHC, which was conceived in the early 1980s and will complete its mission in 2040.

“We build these machines to explore the nature of the universe. It’s about going out into the unknown and exploring further,” says Mike Lamont, CERN’s director of accelerators and technology.

And so, following requests by the global physics community, plans for the so-called Future Circular Collider (FCC) have been taking shape over the past ten years.

 

The Nobel Assembly at Karolinska Institutet has today decided to award the 2023 Nobel Prize in Physiology or Medicine jointly to Katalin Karikó and Drew Weissman

for their discoveries concerning nucleoside base modifications that enabled the development of effective mRNA vaccines against COVID-19

The discoveries by the two Nobel Laureates were critical for developing effective mRNA vaccines against COVID-19 during the pandemic that began in early 2020. Through their groundbreaking findings, which have fundamentally changed our understanding of how mRNA interacts with our immune system, the laureates contributed to the unprecedented rate of vaccine development during one of the greatest threats to human health in modern times.

Vaccines before the pandemic

Vaccination stimulates the formation of an immune response to a particular pathogen. This gives the body a head start in the fight against disease in the event of a later exposure. Vaccines based on killed or weakened viruses have long been available, exemplified by the vaccines against polio, measles, and yellow fever. In 1951, Max Theiler was awarded the Nobel Prize in Physiology or Medicine for developing the yellow fever vaccine.

Thanks to the progress in molecular biology in recent decades, vaccines based on individual viral components, rather than whole viruses, have been developed. Parts of the viral genetic code, usually encoding proteins found on the virus surface, are used to make proteins that stimulate the formation of virus-blocking antibodies. Examples are the vaccines against the hepatitis B virus and human papillomavirus. Alternatively, parts of the viral genetic code can be moved to a harmless carrier virus, a “vector.” This method is used in vaccines against the Ebola virus. When vector vaccines are injected, the selected viral protein is produced in our cells, stimulating an immune response against the targeted virus.

Producing whole virus-, protein- and vector-based vaccines requires large-scale cell culture. This resource-intensive process limits the possibilities for rapid vaccine production in response to outbreaks and pandemics. Therefore, researchers have long attempted to develop vaccine technologies independent of cell culture, but this proved challenging.

 

Inspired by the suction cups on octopus tentacles, Zurich researchers have developed a patch for delivering medicines. The patch is stuck to the inside of the cheek and enables the delivery of medicines that would otherwise require a syringe.

In initial trials on humans, the patch proved to be safe and tolerable, as the researchers from the federal technology institute ETH Zurich wrote in the study published on Wednesday in the journal Science Translational Medicine.

To test their patch, the researchers loaded it with desmopressin, an approved diabetes drug for dogs, and stuck it on the oral mucosa, the lining or “skin” inside of the mouth, including cheeks and lips, of dogs. The patch stayed in the animals' mouths for three hours without falling off or causing irritation, the study showed. The effect of the drug was comparable to the effect when given in tablet form.

The researchers then had 40 volunteers stick the patch to the inside of their cheeks for half an hour without medication while they talked, walked and rinsed their mouths. Most of the patches stuck. In addition, the subjects reported that they would prefer the patch over injections for daily, weekly or monthly treatment.

Further studies needed

According to the study, the patch could be suitable for insulin. Until now, diabetics have had to inject themselves with insulin several times a day. Other peptides and proteins can also only be administered by injection. Previous attempts to administer them via nasal sprays or microneedles showed only limited effectiveness, according to the study.

Before the suction cup is used, however, further studies are needed to determine the safety of repeated treatment with it, according to the researchers.

 

From 0 to 100km/h in 0.956 seconds: an electric racing car built by students from the federal technology institute ETH Zurich and the Lucerne University of Applied Sciences has broken the world acceleration record.

The vehicle named “Mythen” achieved the milestone in a distance of 12.3 metres, ETHZ announced on Tuesday.

The previous world record of 1.461 seconds, set by a team from the University of Stuttgart, was bettered by more than a third, according to ETHZ. The record was set at the Dubendorf military airfield in canton Zurich.

The vehicle weighs just 140 kilograms and has an output of 326hp. To prevent the car from taking off when it gets off to a speedy start, the students developed a type of vacuum cleaner that sucks the vehicle to the ground.

The car was designed and built by around 30 students from the Academic Motorsport Association Zurich (AMZ). Following attempts in 2014 and 2016, this is the third time that the AMZ has set the acceleration world record.

Edit 1, added links:

Link to the article from ETH Zürich

Link to the video (piped.video)

 

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.

An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.

Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.

Source of the problem

The researchers explain that the problem concerns the systemic practice of giving browser extensions unrestricted access to the DOM tree of sites they load on, which allows accessing potentially sensitive elements such as user input fields.

Given the lack of any security boundary between the extension and a site's elements, the former has unrestricted access to data visible in the source code and may extract any of its contents.

Additionally, the extension may abuse the DOM API to directly extract the value of inputs as the user enters them, bypassing any obfuscation applied by the site to protect sensitive inputs, and stealing the value programmatically.

Manifest V3, which Google Chrome introduced and most browsers adopted this year, limits API abuse, prohibits extensions from fetching remotely hosted code that could help evade detection, and prevents the use of eval statements that lead to arbitrary code execution.

However, as the researchers explain, Manifest V3 does not introduce a security boundary between extensions and web pages, so the problem with content scripts remains.
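An added example, not code from the article or from the Wisconsin team, that approaches the "passwords in plaintext within the HTML source" finding from the site owner's side: a small Node.js audit over saved page source that flags password inputs that arrive already filled in, and hidden inputs with a password-like name. The regex-based attribute parser and the sample form are constructed here; it checks static markup only, not values an extension could read live through the DOM API.

```javascript
// Added example, not code from the article or from the Wisconsin researchers.
// Audits server-rendered HTML for the "password in the page source" finding:
// password inputs that arrive pre-filled, and hidden inputs with a password-like
// name. Node.js has no DOM parser built in, so a small regex-based <input>
// scanner stands in for a real DOM; run it over saved page source offline.

const HIDDEN_NAME_PATTERN = /pass(word)?|pwd|passwd/i;

// Parse the attribute list of one tag into a lowercase-keyed object.
function parseAttributes(tagBody) {
  const attrs = {};
  const attrRe = /([^\s=/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(tagBody)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one finding per <input> whose static markup already carries a secret.
function findExposedPasswordInputs(html) {
  const findings = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const type = (attrs.type || "text").toLowerCase();
    const name = attrs.name || attrs.id || "(unnamed)";
    if (!attrs.value) continue; // empty or absent value: nothing exposed
    if (type === "password") {
      findings.push({ name, kind: "prefilled-password", offset: m.index });
    } else if (type === "hidden" && HIDDEN_NAME_PATTERN.test(name)) {
      findings.push({ name, kind: "hidden-password-like", offset: m.index });
    }
  }
  return findings;
}

// Constructed sample page (not taken from any real site).
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" value="alice">
  <input type="password" name="pw" value="hunter2">
  <input type='hidden' name='legacy_password' value='hunter2'>
  <input type="password" name="confirm" value="">
  <input type=hidden name=csrf value=tok-123>
  <input type="password" name="fresh">
</form>`;

function auditSample() {
  return findExposedPasswordInputs(SAMPLE_HTML);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditSample()) {
    console.log(`${f.kind}: input "${f.name}" at byte offset ${f.offset}`);
  }
}
```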

 

For the Swiss Association of Judges, artificial intelligence (AI) is an instrument that could be useful in the medium and long term in the administration of justice. However, it is likely to relieve the judiciary only to a limited extent.

AI could be used, for example, in mass cases and as an aid in the search for precedents, the association’s president Marie-Pierre de Montmollin told the Keystone-SDA Swiss News Agency.

It is also important to bear in mind that criminal proceedings are usually conducted orally and the sentence is determined individually. Under these conditions, AI could be a tool in the fight against judicial overload, she said at Neuchâtel cantonal court on behalf of the association’s board.

AI must also comply with the conditions set out by the Council of Europe in 2018 in an ethical charter on the use of artificial intelligence in and around the judiciary, she said. The Council of Europe demands, for example, certified sources and transparent data processing methods.

 

Internet criminals often target large companies. According to a study, 45% of Swiss companies with more than 250 employees have already been the victim of an attack at least once.

This is shown by the Swiss-VR-Monitor, a semi-annual survey published on Monday by the board of directors association swissVR in cooperation with the auditing and consulting firm Deloitte Switzerland and the Lucerne University of Applied Sciences and Arts. For the study, 400 board members were surveyed on cyber resilience.

In contrast to large companies, small and medium-sized companies (SMEs) appear to be significantly less affected: Only 18% of companies with fewer than 50 employees reported a serious attack.

As a reason for the correlation between company size and the frequency of attacks, Deloitte explained that large companies are more exposed globally and offer cybercriminals larger attack surfaces. “Another explanation for the supposedly lower level of concern among smaller companies is the partial lack of reporting of such incidents to the board of directors,” it said.

There is a need for action here, it said, pointing out that almost half of the companies lacked a clear cyber strategy. And 30% of the companies had not appointed a management team to adequately manage cyber issues. At least eight out of ten supervisory bodies have a risk policy that addresses cyber dangers.

Cyberattacks often have serious consequences for the operational business. By far the most frequent consequence is a business interruption. This is the case for 42% of the companies affected by a cyberattack. Data leaks occurred in a quarter of the companies attacked, and product malfunctions and faulty services in 20%.

In addition to lost sales due to business interruptions, there are high consequential costs, for example for the recovery of data. Only 7% of the attacked companies experienced an outflow of assets. But the financial consequences should not be underestimated, Deloitte wrote.

 

Linus Torvalds has decided the time is right to give the world a new version of the Linux kernel, announcing its delivery in a brief Sunday afternoon post.

"Nothing particularly odd or scary happened this last week, so there is no excuse to delay the 6.5 release," he wrote.

The emperor penguin admitted some trepidation about this release.

"I still have this nagging feeling that a lot of people are on vacation and that things have been quiet partly due to that. But this release has been going smoothly, so that's probably just me being paranoid," he wrote, adding "The biggest patches this last week were literally just to our selftests."

For the record, Torvalds has worried about the impact of Northern summer on this release ever since release candidate one debuted way back in the second week of July.

Whatever the reason for this release appearing on schedule, with no notable ructions, it has produced a version of the kernel unlikely to be regarded as particularly significant. Perhaps the most notable inclusion is default enablement of P-State on some AMD CPUs – meaning the kernel can manage cores more efficiently to balance performance and power consumption.

Intel CPUs that blend performance and efficiency cores have also gained improved load balancing, which should help get the most out of Chipzilla silicon based on the Alder Lake architecture.

The kernel also added tools to bring CPUs into operation in parallel – a boost for boot times on multisocket servers, which is relevant for hyperscalers.

Speaking of hyperscalers, China's Alibaba will be pleased that the kernel improved support for its homebrew T-Head Xuantie 910 TH1520 RISC-V 64-bit processor. T-Head, Alibaba's chip design house, suggests the Xuantie 910 will find its home in servers running AI workloads, 5G equipment, and edge servers. Running Linux is arguably a prerequisite for success in any of those roles. Also in version 6.5, USB 4.2 makes its initial appearance, albeit without full support. Wi-Fi 7 has received more kernel love.

On, then, to version 6.6 of the kernel, which might see the appearance of the bcachefs filesystem. It controversially didn't make it into version 6.5, but Torvalds perused it during the push for version 6.5, and expressed increased comfort at its debut in a future kernel cut.

Torvalds wrote that he already has "~20 pull requests pending and ready to go," but asked developers to test this new release before diving into the "next merge frenzy."

Linux 6.5 is the third release in a row to arrive on schedule after seven release candidates. Linux 6.1 needed an eighth release candidate, but Torvalds had planned for that in case work slowed over the 2022–23 Christmas/New Year period.

 

Most people think of Facebook as a social network and Google as a search engine. But tech geeks see these services as “platforms”: vast online territories that users inhabit. The companies that run them have mostly been free to make the rules in these digital places. But on August 25th they will lose much of this sovereignty when the rules of the European Union’s Digital Services Act (DSA) are put into action. What will this mean for internet users—not just in Europe, but worldwide?

With the DSA and its sister legislation, the Digital Markets Act, which will also be phased in over the coming months, the EU aims to change the oversight of large online platforms. Until now regulators have tried to fix problems—such as the spread of disinformation and violations of antitrust rules—after the fact. The new laws are meant to help them get ahead of the game by setting clear rules that online platforms must follow. The DSA will apply to all online businesses, but bigger services, defined as those with more than 45m users in the EU, will have to follow extra rules. In April the European Commission, the EU’s executive branch, designated 19 of these “very large online platforms” (VLOPs) and “very large online search engines”. This group includes the usual suspects, such as Facebook and Google, but also more surprising ones, such as Wikipedia, a free online encyclopaedia, and Zalando, a European e-commerce site.

Most web users will hardly notice some of the changes these firms will now have to implement. Platforms will have to share more information with regulators about how they moderate content, decide what users see and use artificial intelligence. They must allow vetted researchers and auditing firms to look at internal data to check if they are following the rules, too.

Other changes will be more obvious. Platforms must now make it easy for users to report content they think is illegal, and will have to remove it quickly if it breaks the law. They must also tell users if their content is removed or hidden, and explain why. Targeted advertisements will no longer be allowed if they are based on sensitive personal data such as religion and sexual orientation. Using personal data to show ads to children and teenagers will also be banned.

Companies have already started to tweak their services. Meta, which operates Facebook, is developing tools that will tell users when the visibility of their posts has been limited (and give them a chance to appeal). On Amazon, a big online retailer, European buyers will soon be able to flag potentially illegal products. And on TikTok, a social-media platform, users will have the option of seeing videos based on the content’s popularity in the area where they live, rather than what they have watched before, to minimise the personal data that is collected.
