
Major attacks using Log4j vulnerability ‘lower than expected’


Thanks in large part to the massive response effort from the security community, there have been few cyber attacks of consequence leveraging the vulnerabilities in Apache Log4j so far, according to findings from cybersecurity giant Sophos.

On the whole, successful attacks using the Log4j flaws have been limited, said Chester Wisniewski, principal research scientist at Sophos, in a blog today.

Like other cyber vendors, the Sophos Managed Threat Response Team (MTR) has detected a large number of scans and attempts to use exploits for the remote code execution vulnerability, known as Log4Shell. But as of early January, “only a handful of MTR customers faced attempted intrusions where Log4j was determined to be the initial entry point,” Wisniewski wrote. Most of those intrusions were by cryptocurrency miners.

“The overall number of successful attacks to date remains lower than expected,” he wrote.

Still, the broad scope of the Log4Shell vulnerability, and the difficulty of finding all instances of it, suggest the bug “will likely be a target for exploitation for years to come,” Wisniewski wrote.

Widespread vulnerability

If unpatched, many enterprise applications and cloud services written in Java are potentially vulnerable to the flaws in Log4j. The open source logging library is believed to be used in some form — either directly or indirectly by leveraging a Java framework — by the majority of large organizations.

The initial Log4j vulnerability, revealed on December 9, could be used to enable remote execution of code by unauthenticated users.

However, “Sophos believes that the immediate threat of attackers mass exploiting Log4Shell was averted because the severity of the bug united the digital and security communities and galvanised people into action,” Wisniewski wrote. “This was seen back in 2000 with the Y2K bug and it seems to have made a significant difference here.”

Few major attacks using Log4j have been disclosed to date. On December 20, the defense ministry in Belgium disclosed that a portion of its network was shut down in the wake of a cyber attack. The attack had resulted from an exploitation of the vulnerability in Log4j, the defense ministry said.

Cyber firm Qualys previously told VentureBeat it has observed “attempted ransomware attacks, some of which have been successful – by Conti, Khonsari, and some nation-state-backed adversaries,” said Travis Smith, director of malware threat research at Qualys, in an email. Specifics of the attacks were not disclosed.

Disrupted attacks

Other attacks that have been reported were disrupted midway through. For instance, on December 29, CrowdStrike said its threat hunters identified and disrupted an attack by a state-sponsored group based in China, which involved an exploit of the Log4j vulnerability. CrowdStrike said that threat hunters on its Falcon OverWatch team intervened to help protect a “large academic institution,” which wasn’t identified, from a hands-on-keyboard attack that appears to have used a modified Log4j exploit.

In addition to the widespread response from the security community, another potential reason that mass exploitation has been kept to a minimum “could be the need to customize the attack to each application that includes the vulnerable Apache Log4J code,” Wisniewski wrote.

Nonetheless, “just because we’ve steered round the immediate iceberg, that doesn’t mean we’re clear of the risk,” he said.

“Some of the initial attack scans may have resulted in attackers securing access to a vulnerable target, but not actually abusing that access to deliver malware, for instance – so the successful breach remains undetected,” Wisniewski wrote.

“Sophos believes that attempted exploitation of the Log4Shell vulnerability will likely continue for years and will become a favourite target for penetration testers and nation-state supported threat actors alike,” he wrote. “The urgency of identifying where it is used in applications and updating the software with the patch remains as critical as ever.”

Long tail

Other cyber experts have previously made similar comments to VentureBeat, saying that the worst of the attacks utilizing the Log4j flaws may actually be months — or even years — into the future.

“In many cases, attackers breach a company, gain access to networks and credentials, and leverage them to carry out huge attacks months and years later,” said Rob Gurzeev, cofounder and CEO of CyCognito, in a previous email to VentureBeat.

Once they’ve established a foothold, sophisticated attackers will often take their time in surveying users and security protocols before executing the full brunt of their attacks, said Hank Schless, senior manager for security solutions at Lookout.

This helps them strategize how to most effectively avoid existing security practices and tools, Schless said, “while simultaneously identifying what parts of the infrastructure would be most effective to encrypt for a ransomware attack.”

Ultimately, due to the widespread nature of the flaw, “the long tail on this vulnerability is going to be pretty long,” said Andrew Morris, the founder and CEO at GreyNoise Intelligence, in a previous interview. “It’s probably going to take a while for this to get completely cleaned up. And I think that it’s going to be a little bit before we start to understand the scale of impact from this.”


This Top-Rated PDF Solution Is 66% Off Now


Opinions expressed by Entrepreneur contributors are their own.

Paper has made its way largely out of business, but that doesn’t mean you don’t still work with documents regularly. Instead, we’re just working with them differently: with the dreaded PDF. These static files can be great if you’re positive that a document is ready, but a serious nightmare when you have to make changes. When you’re working with a lot of PDFs, you need a quality digital solution.




We’ve got a deal you’ll like. For a limited time, you can get a lifetime subscription to UPDF Pro for 66% off.

UPDF Pro is one of the top-rated PDF solutions on the market. Geeky Gadget writes, “UPDF is a potent PDF editor and PDF converter designed to stay up with advanced technologies. It ensures that whichever features you use are up to date. UPDF not only converts PDF to Word but can perform many advanced editing.” Fossbytes adds, “UPDF doesn’t have a boring interface like other PDF software. The design is stunning and eye-catching. On top of it, it is convenient to use. You wouldn’t be bothered with a complex design that is very time-consuming.”

These are just the tip of the iceberg of positive reviews for this all-in-one PDF solution for individuals and businesses. With it, you can edit any PDF document across Windows, Mac, iOS, and Android devices, adding or deleting text, editing fonts and color, and much more. The tool allows you to add, crop, rotate, replace, extract or delete images, watermark documents, and password-protect them for elevated confidentiality. You can also easily annotate PDFs, highlight, underline, or strike out text, add shapes and notes, and much more. Finally, it’s even easy to convert any PDF to Word, Excel, PowerPoint, and a ton of other file types in just a click.

Working with PDFs has never been easier than with a lifetime subscription to UPDF Pro. Grab it on sale for 66% off $149 at just $49.99, the best price you’ll find online.

Prices subject to change.


Using data to boost event ROI


Events are essential to any marketing strategy. Because they have the power to bring people together, events offer a unique opportunity to engage and deeply connect with a target audience while enriching a sales pipeline for the business. 

During the pandemic, events went through a transformation. In addition to navigating drastic changes to how and where we met, event experience leaders employed new technologies to facilitate connections. In so doing, they learned more about improving event experiences for all attendees, speakers and sponsors. The most significant change to events: Technological advancements enable event organizers to act on data insights before, during and after an event to optimize outcomes.

As we enter a new era of events, it’s more critical than ever to know how to capture the right data — and use it meaningfully. According to a recent survey of more than 200 event organizers, 85% plan to host at least three in-person events in 2023, with 35% planning to host at least 10. The opportunity is ripe to unleash the power of event data to maximize business impact. 

In-person events, reimagined with better data 

With event professionals producing in-person events again, they bring the lessons learned from more than two years of constant upheaval and technological transformation. Event experience leaders at all organizations are tackling the “event impact gap”: The disparity between event organizers’ aspirations to produce impactful experiences and their ability to execute those goals with available technology.


While the role of event organizer has been evolving for many years, the pandemic quickly accelerated the change. In addition to planning and logistics expertise, event organizers now bring a host of other skills to the table: data analysis, marketing operations and digital production. But even with their enhanced skillsets, organizers continue to wrestle with outdated event software that keeps them from accessing and activating their data. That obstacle hinders organizers’ ability to design and execute personalized experiences and truly connect with their audiences. 

Better data activation empowers marketers to personalize outreach and drive engagement at scale, incorporating events deeper into their demand generation strategies. This fosters attendee engagement, driving increased revenue and ROI. 

Leveraging data to accelerate pipeline

In-person events possess enormous data potential waiting to be unlocked. Events stand out as a prime opportunity to understand how your target audience behaves, where their interests lie and what engages them deeply. When you’re onsite, you have an unparalleled window into the content, peers and exhibitors that appeal to your audience and how the audience is connecting to your brand. These insights inform both your future event strategy and your broader marketing strategy.

Use data to engage attendees

It’s one thing to decide what data to collect and another to be strategic about what you’ll do with the data. Event organizers’ experience executing virtual events showed that having access to data is half the battle. The real value of your data lies in your ability to turn it into something actionable and use it to your advantage. How do you bring the behavioral and engagement data you collect into the extended marketing fold? You need technology that enables your teams to use your data instantly and easily to personalize post-event content and communications. 

With the knowledge of whom an attendee interacted with, the sessions they liked and the type of content they downloaded, you’ll craft more effective outreach. This extends the value of your event for your attendees and your demand generation efforts. Rather than sending the same message to every attendee, with their name appended to the beginning of an email, you can use data to rouse your attendees’ interests and keep them meaningfully engaged. 

Understanding how engagement translates to leads  

The same data you use to customize an attendee’s event experience can enrich and accelerate your sales pipeline. By capturing insights into attendee activity — the polls attendees participated in, the sessions they checked into and the exhibitors they spent time with — you can use robust event experience technology to assign engagement scores to each attendee. From there, you can segment attendees by their levels of engagement and personalize your post-event follow-up.

In addition, equipping sales teams with the data needed to prioritize the most engaged leads lets them focus their time and efforts on maximizing conversion success. And because of the rich data you’ve collected about each attendee, sales teams can discern whether a correlation exists between an attendee’s high engagement levels and their likelihood of becoming an opportunity, enabling better future strategies.

Using data-enabling technology to refine experiences

Data-enhanced experimentation isn’t limited to your sales team. Events of all formats offer ample opportunities to experiment, iterate and improve experiences and business outcomes — before, during and after an event. 

Ensure you collect data corresponding with your event format. For instance, an in-person event with a virtual component requires data collection strategies for both audiences. Customize questions to speak to the distinct experiences of virtual and in-person attendees. And use event software that supports audience engagement measurement both on the floor and through the screen.

Maximize the value of behavioral data 

Use registrants’ behavioral data to build personalized session tracks and networking opportunities. Collecting behavioral data at in-person events can feel daunting compared to virtual events, but it doesn’t have to. Event experience leaders are leveraging new solutions like wearable technology to gain insights.

Today’s wearable event technology has the power to offer attendees more personalized networking and session experiences while simultaneously giving organizers unmatched data capture. Your budget may not permit wristbands, high-tech badges and other wearables as must-haves for every event, but they function as a powerful data source. When attendees wear these devices, they automatically provide information to help you optimize future events. Depending on the technology you employ, you’ll gain: 

  • Advanced analytics, such as dwell time.
  • Records of touchless contact exchanges.
  • Event gamification for attendees.
  • Lead collection for sponsors.
  • Integrated tracking and reminders for session check-ins.

The behavioral data you collect, combined with pre- and post-event surveys, deepens event insights and facilitates more personalized opportunities for attendees, speakers and sponsors. 

Experiment and follow the data 

Data empowers event experience leaders to test new ideas and follow where the data leads. 

Experimentation can apply to anything from registration forms and email marketing subject lines to in-session polling strategies and other event messaging. Start small, and choose three to five key metrics to test based on past event data. Once you put an experiment out into the world, evaluate the results. Then plan for your next experiment based on what you learned and pivot your event strategies as needed to keep refining your efforts. 

Data maturity powers advanced insights 

Actionable data not only enables better event experiences, it also empowers CMOs and marketing leaders to demonstrate the impact of events. Prioritizing a data maturity model ensures you can effectively communicate the value of your event experience program to all stakeholders, especially as organizations navigate economic uncertainty. Rather than evaluating data in a vacuum, a data maturity model connects each event touchpoint, providing insights that allow you to align event strategy against key success metrics.

Four steps comprise data maturity: 

  • Data capture: Accessing your data is the first tactic. Your organization needs the ability to gather data holistically, including granular information like session attendance and demographics. 
  • Data integration: Connecting the data you capture to your business systems enables you to take action in the future. 
  • Data utilization: Use the integrated data to offer the audience more valuable event experiences. Identify and curate precise data points to help achieve personalized experience goals, such as customized communications, to help increase conversion and attendance rates. 
  • Data translation: Take what you’ve learned from past events and act. Using actionable data insights from past events to inform decision-making results in a virtuous cycle, constantly renewing and improving event experiences.  

When you can access, integrate and activate your event data, your teams will maximize ROI by optimizing the attendee experience, driving lead generation and contributing to overall marketing goals in measurable ways.

Attendee expectations continue to evolve, and rather than trying to return to business as usual, event experience leaders must leverage data to direct and inform event decisions. There’s never been a more exciting time to collect onsite and virtual data, experiment and iterate on data findings, personalize event experiences and take your sales pipeline to the next level. 

Alon Alroy is CMO and cofounder of Bizzabo.


The future of generative AI and its ethical implications 


Generative AI is revolutionizing how we experience the internet and the world around us. Global AI investment surged from $12.75 million in 2015 to $93.5 billion in 2021, and the market is projected to reach $422.37 billion by 2028.

While this outlook might make it sound as if generative AI is the “silver bullet” for pushing our global society forward, it comes with an important footnote: The ethical implications are not yet well-defined. This is a severe problem that can inhibit continued growth and expansion. 

What generative AI is getting right

Most generative AI use cases provide lower-cost and higher-value solutions. For example, generative adversarial networks (GANs) are particularly well-suited for furthering medical research and speeding up novel drug discovery.

It’s also becoming clear that generative AI is the future of text, image and code generation. Tools like GPT-3 and DALLE-2 are already seeing widespread use in AI text and image generation. They have become so good at these tasks that it’s nearly impossible to distinguish human-made content from AI-generated content.


The million-dollar question: What are the ethical implications of this technology?

Generative AI technology is advancing so rapidly that it’s already outpacing our ability to imagine future risks. We must answer critical ethical questions on a global scale if we hope to stay ahead of the curve and see long-term, sustainable market growth. 

First, it’s important to briefly discuss how foundation models like GPT-3, DALLE-2 and related tools work. They are deep learning tools that essentially try to “outdo” other models by creating more realistic images, text and speech. Then, labs like OpenAI and Midjourney train their AI on massive datasets from billions of users to make better, more sophisticated outputs.

There are numerous exciting, positive applications for these tools. But we would be remiss as a society not to recognize the possibility of exploitation and the legal gray areas this technology exposes.

For example, two significant questions are currently in debate: 

Should a program be able to attribute the results to itself, even though its output is derivative of many inputs?

While there is no universal standard for this, the situation has already come up in legal spheres. The U.S. Patent and Trademark Office and the European Patent Office have rejected patent applications filed by the “DABUS” AI developers (who are behind the Artificial Inventor Project) because the applications cited the AI as the inventor. Both patent offices ruled that non-human inventors are ineligible for legal recognition. However, South Africa and Australia have ruled that AI can be recognized as an inventor on patent applications. Additionally, New York-based artist Kris Kashtanova recently received the first U.S. copyright for creating a graphic novel with AI-generated artwork.

One side of the debate says that generative AI is essentially an instrument to be wielded by a human creator (like using Photoshop to create or modify an image). The other side says the rights should belong to the AI and possibly its developers. It’s understandable that developers who create the most successful AI models would want the rights for content creation. But it’s highly unlikely that this will succeed long-term.

It’s also important to note that these AI models are reactive. That means the models can only “react” or produce outputs according to what they’re given. Once again, that puts control into the hands of humans. Even the models that are left to refine themselves are still ultimately driven by the data that humans give them; therefore, the AI cannot really be an original creator. 

How do we manage the ethics of deepfakes, intellectual property and AI-generated works that mimic specific human creators?

People can easily find themselves the target of AI-generated fake videos, explicit content and propaganda. This raises concerns about privacy and consent. There is also a looming possibility that people will be out of work once AI can create content in their style with or without their permission. 

A final problem arises from the many instances where generative AI models consistently show biases based on the datasets they are trained on. This may complicate the ethical issues even further, because we must consider that the data used as training input is someone else’s intellectual property, someone who may or may not consent to their data being used for that purpose.

Adequate laws have not yet been written to address these issues around AI outputs. Generally speaking, however, if it is ruled that AI is simply a tool, then it follows that the systems cannot be responsible for the work they create. After all, if Photoshop is used to create a fake pornographic image of someone without consent, we blame the creator and not the tool. 

If we take the view that AI is a tool, which seems most logical, then we cannot directly attribute ethics to the model. Instead, we have to look deeper at the claims made about the tool and the people who are using it. This is where the true ethical debate lies. 

For example, if AI can generate a believable thesis project for a student based on a few inputs, is it ethical for the student to pass it off as their own original work? If someone uses a person’s likeness in a database to create a video (malicious or benign), does the person whose likeness has been used have any say over what’s done with that creation?

These questions only scratch the surface of the possible ethical implications that we as a society must work out to continue advancing and refining generative AI. 

Despite the moral debates, generative AI has a bright, limitless future

Right now, the reuse of IT infrastructure is a growing trend fueling the generative AI market. This lowers the barriers to entry and encourages faster, more widespread technology adoption. Because of this trend, we can expect more indie developers to come out with exciting new programs and platforms, particularly when tools like GitHub Copilot and Builder.ai are available.

The field of machine learning is no longer exclusive. That means more industries than ever can gain a competitive advantage by using AI to create better, more optimized workflows, analytics processes and customer or employee support programs. 

In addition to these advancements, Gartner predicts that by 2025, at least 30% of all new drugs and discovered materials will come from generative AI models. 

Finally, there is no question that content like stock images, text and program coding will shift to being largely AI-generated. In this same vein, deceptive content will become harder to distinguish, so we can expect to see the development of new AI models to combat the dissemination of unethical or misleading content. 

Generative AI is still in its early stages. There will be growing pains as the global community decides how to manage the ethical implications of the technology’s capabilities. However, with so much positive potential, there is no doubt that it will continue to revolutionize how we use the internet.

Andrew Gershfeld is partner of Flint Capital.

Grigory Sapunov is CTO of Inten.to.
