

The Log4j vulnerability is bad. Here’s the good news



A critical vulnerability discovered in Log4j, a widely deployed open source Apache logging library, is almost certain to be exploited by hackers — probably very soon. Security teams are working full-throttle to patch their systems, trying to prevent a calamity. (The massive 2017 privacy records breach of Equifax involved a similar vulnerability.) It’s a very bad day, and it could get much worse soon.

But in some regards at least, businesses are in a better position to avoid a catastrophe now than in the past. This being 2021, there are some advantages now when it comes to responding to a zero-day bug of this severity, security executives and researchers told VentureBeat.

First and foremost, “the world is primed for responding to these disclosures, with companies moving to mitigate issues within hours,” said Brian Fox, chief technology officer at Sonatype, in an email. “This particular issue is potentially more dangerous because Log4j is widely adopted. [But] the Apache Log4j team pushed out a fix with urgency. How quickly they moved greatly reduced the chance of severely negative, long-term impacts.”

Proactive approach

Dave Klein, director of cyber evangelism at Cymulate, said that while the severity of the situation can’t be downplayed — he expects an exploit within 48 hours — the response to the discovery of the vulnerability shows that “we’re getting better at being proactive.”

“In the past, you literally had zero days that were two years long,” Klein told VentureBeat. “Today, it really has changed. What we’re seeing is a better situation where the world is finding bug bounties useful, finding vulnerabilities, doing proof of concepts … I’d argue that this is a great example of [security in] 2021.”

Crucially, the Apache Log4j team “worked overnight in a nearly unprecedented way to understand and turn around a fix on this quickly,” Fox said. “Oftentimes, zero day reports can take months to come to fruition from report to release. This one appears to have happened within days.”

The heightened awareness around cybersecurity has also led to greater buy-in at the corporate leadership level, including in the boardroom, which makes a difference too, Klein said.

“For me, cybersecurity is finally at a point where the boardroom gets it. And even if they don’t understand it completely, they’re reaching out to someone in technical leadership and saying, ‘I need to understand this better,’” he said. “What’s really happening is, the world’s waking up.”

Technological factors

On top of that, automation technologies for scanning open source code, such as software composition analysis (SCA), have found growing adoption in recent years. So has the use of detection and response capabilities, which could be crucial for uncovering threats in a situation like this.

There does appear to be less reliance on the Log4j Java library now than in the past, as well. “There’s more heterogeneity in the Java logging space than there was for a long time,” said Arshan Dabirsiaghi, cofounder and chief scientist at Contrast Security, in an email. “For a long time, the only thing we used was Log4j. It’s not even the default library in some major frameworks anymore.”

Regardless, “we’ll be seeing this vulnerability for the rest of our careers in all the nooks and crannies of our IT footprint,” Dabirsiaghi said. “But five years ago, it would have been a lot worse.”

‘Long tail’ vulnerability

None of this is to minimize how bad the situation is for security teams and how much worse things could get in the event of an exploit.

The remote code execution (RCE) vulnerability in Log4j could allow an attacker to remotely access and take control of affected devices.

“Since this vulnerability is a component of dozens if not hundreds of software packages, it could be hiding anywhere in an organization’s network, especially enterprises with massive environments and systems,” said Karl Sigler, senior security research manager at Trustwave SpiderLabs, in an email.

“The fact that this occurred during December just means a lot of holiday time is going to be missed for security teams that have to respond to threats trying to take advantage of this mass vulnerability,” Sigler said. “This vulnerability is going to have a really long tail, and will likely ruin weekends and vacations for many IT and information security professionals across the globe.”

Given the scale of affected devices and exploitability of the bug, “it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, in an email.

Update and be vigilant

Security firms say the vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j. Organizations are “advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications,” Morgan said.
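Finding where the library is hiding is the first step in the update the article recommends. The script below is an added example, not code from the article, Apache, or any of the vendors quoted: it walks a directory, opens every .jar/.war/.ear it finds (including archives nested inside them, as in a .war's WEB-INF/lib), reads the log4j-core version from the Maven pom.properties marker that Maven-built jars carry, and reports anything in the 2.0 to 2.14.1 range the article gives, with 2.15.0 treated as the first fixed version. The pom.properties path and the filename fallback are the assumed markers; a shaded or repackaged copy of the library without either marker is reported as "absent", which is the check's known blind spot, not a clean bill of health.

```python
"""Inventory check for affected Log4j 2 versions (added example, not from the article)."""
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Marker that Maven-built log4j-core jars carry; assumed as the primary version source.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_AFFECTED = (2, 0, 0)   # range named in the article: 2.0 through 2.14.1
FIRST_FIXED = (2, 15, 0)     # update target named in the article


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the parsed version lies inside [2.0.0, 2.15.0)."""
    return version is not None and FIRST_AFFECTED <= version < FIRST_FIXED


def log4j_core_version(archive_bytes):
    """Return the log4j-core version string found in an archive, descending into
    nested archives (fat jars, WEB-INF/lib); None when no marker is present."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return value.strip()
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                found = log4j_core_version(zf.read(name))
                if found:
                    return found
    return None


def classify_archive(name, archive_bytes):
    """Return (status, version): status is 'affected', 'not_affected',
    'unknown' (unparseable version) or 'absent' (no log4j-core marker found)."""
    version = log4j_core_version(archive_bytes)
    if version is None:
        # Fallback: a plain log4j-core jar named by version, e.g. log4j-core-2.14.1.jar
        m = re.search(r"log4j-core-([0-9][0-9A-Za-z.\-]*)\.jar$", name)
        if m:
            version = m.group(1)
    if version is None:
        return ("absent", None)   # no marker; a shaded copy would not be seen here
    parsed = parse_version(version)
    if parsed is None:
        return ("unknown", version)
    return ("affected" if is_affected(parsed) else "not_affected", version)


def scan_directory(root):
    """Return [(path, status, version)] for every archive under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    status, version = classify_archive(fn, fh.read())
                results.append((path, status, version))
    return results


def make_jar(version=None, nest_in=None):
    """Constructed fixture (not a real artifact): a minimal jar that carries a
    log4j-core pom.properties for `version`, or only a manifest when version is
    None; optionally wrapped inside an outer archive at entry name `nest_in`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is None:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        else:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
    data = buf.getvalue()
    if nest_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nest_in, data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    # Constructed samples standing in for archives found on a host.
    samples = [
        ("app.jar", make_jar("2.14.1")),
        ("app.war", make_jar("2.13.0", nest_in="WEB-INF/lib/log4j-core-2.13.0.jar")),
        ("patched.jar", make_jar("2.15.0")),
        ("log4j-core-2.14.1.jar", make_jar()),
        ("other.jar", make_jar()),
    ]
    for name, data in samples:
        print(name, *classify_archive(name, data))
```

Run `scan_directory("/path/to/deployments")` against a real tree and treat every "affected" and "unknown" result as work to do; "absent" only means this particular marker was not found.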

One silver lining is that the configuration mitigations for the vulnerability are “straightforward” and can be easily implemented, said John Bambenek, principal threat hunter at Netenrich, in an email.

Services including Apple iCloud and Steam, and apps including Minecraft, have been found to be affected by the RCE vulnerability, according to LunaSec.

Ultimately, according to Amit Yoran, CEO of Tenable, “the good news is that we know about it.”

“The fact that it has come to light means we’re in a race to find and fix it before bad actors take full advantage of it,” Yoran said.



Down rounds are still rare by historical standards • TechCrunch



If you thought that the recent venture capital market was tough, let me tell you about 2016, 2017, 2018, 2019 and 2020.

With the first week of December under our belts, we’re not too far away from the end of the year. And that means that 2022’s venture capital story has largely been written. It’s not a single narrative; instead, this year started on a high, with momentum from the monstrous 2021 funding period persisting into the new year. From that point, we’ve seen a slowdown accelerate into what some consider a downturn.


Startups raised lots of capital this year. Less, yes, than last year, but more than in nearly any year in recent memory. It’s still a good time to build a tech upstart.

Does that perspective feel too sunny when we hear so much doom and gloom on Twitter regarding startup prospects in a more conservative investing climate?



Howie Mandel gets a digital twin from DeepBrain AI



Howie Mandel is stepping into the metaverse. DeepBrain AI has created a pretty realistic AI version of comedian and actor Mandel.

Deepbrain AI, based in South Korea and Palo Alto, California, calls its creation “AI Howie,” and it’s an interactive virtual human and digital twin for immersive and personalized fan experiences. AI Howie mentions VentureBeat and talks to me in the attached videos.

Unlike the “deepfakes” of Tom Cruise and other actors, the real Howie Mandel cooperated with DeepBrain AI to create the virtual human AI replica of the famous comedian, actor, host, and technology enthusiast. We used a “virtual Paris” AI character at our recent MetaBeat event in San Francisco.

“I am equally thrilled, excited, and terrified to finally have the ability of showing up and doing things without going anywhere or doing anything,” said Mandel, in a statement. “Thank you, DeepBrain.”

DeepBrain AI applies deep learning technology to create hyper-realistic virtual humans through its AI Studios and the AI Human platforms. These virtual humans are digital twins of the real person, with the same appearance, voice, gestures, and subtle mannerisms. The AI Studios platform enables script-to-video software that synthesizes dynamic video content in seconds, producing the quickest and most realistic AI-generated videos. The script-to-video editor makes it easy for customers to select a model and then make it say something based on a script. Within a minute or so the video is made.

This is a powerful communication and marketing tool for celebrities, professional athletes, news anchors, and even politicians. Before working with Howie Mandel, the DeepBrain AI team created digital twins of Premier League soccer superstar Son Heung-Min, multiple news anchors across Asia, and South Korean president Yoon Suk-yeol.

Joe Murphy, business development manager for DeepBrain AI, said in an interview with VentureBeat that the virtual Howie is a conversational model that you pepper with questions. DeepBrain AI designs and develops these virtual humans for the purpose of creating digital twins (like Howie Mandel), digital people, and avatars.

It takes about four weeks of machine learning work to create a Howie Mandel digital twin.

“We create models of real people,” Murphy said. “We also have completely synthetic virtual humans. That is what we’ll call digital people. And then avatars are just the basic Roblox type of avatars. But where our technology comes in with the digital twins is we go through a deep learning process to clone the person’s voice, their mannerisms, their face, the way their eyes move, the way their lips move.”

He added, “So we create what we call the digital twin of the real person with all the uniqueness of that person. Our mission is to use this technology that we’ve developed throughout Asia and bring it to America.”

In addition to the script-to-video capabilities, the company provides fully conversational experiences with its AI Human software. The AI Human solution enables fans to interact and engage with AI Howie by simply asking questions. For example, when asked, “What was your favorite act on AGT this season?” the AI Howie model responds in real-time to support interactive, fun, and engaging fan experiences.

AI Humans are available within mobile apps, web browsers, or voice-activated kiosks.

“Our vision is to humanize digital experiences and empower creative teams to generate immersive content at scale,” said Eric Jang, DeepBrain AI CEO. “Working with Howie Mandel was a fun experience, and we are excited to see how the AI Howie collaboration will connect with his fans worldwide.”

DeepBrain AI (formerly Moneybrain), a conversational AI startup based in Seoul, South Korea, has raised $44 million in a series B round led by Korea Development Bank at a post-money valuation of $180 million. The company started in 2016 and has raised $54 million to date. The company has 130 employees.

The AI is being used for AI news anchors in South Korea and China at four different television networks. The networks flag that the anchor is an AI avatar so that no one gets confused.

The real Howie Mandel spent about a day shooting video with DeepBrain AI.

While multiple companies are working on virtual humans, DeepBrain AI’s avatars are hyperrealistic. One of Asia’s largest insurance companies is also using it, as is a “brand ambassador” for a soccer team.

“When we worked with Howie Mandel, we went down to his studio in Los Angeles, we provided a script, and fed our training data into our neural network,” Murphy said.

It took about a day to do a video shoot with Mandel and about three to four weeks of machine learning time on the computers to generate the first AI model.

Back in January, DeepBrain AI opened its office in Palo Alto, California, and it is talking to partners in Silicon Valley and the rest of the U.S. Over time, Murphy said that the hope is to create AI avatars in realistic 3D for the metaverse. In South Korea, kiosks are appearing in places like banks with both 2D avatars and 3D avatars.

Over time, Murphy said the avatars have gotten better at mannerisms, lip sync, and subtle gestures. The speed of real-time responses in conversations has also gotten faster. The company is talking about doing more with game companies and major brands.



This Doggy DNA Test Ships Free for the Holidays




Every pet owner wants the best for their animal sidekick. They want to spend as much time as possible with them, even at the office. But being the best dog owner you can be isn’t all about just being present. It helps to understand your dog on a genotypic as well as phenotypic level. That’s one reason why doggy DNA tests have become so popular.

DNA My Dog

If you’re wondering what to get for your pooch this holiday season, look no further than the DNA My Dog Breed Identification Test. If you order by December 8, you’ll get free shipping, but that date is coming up fast so don’t delay.

This simple, painless kit requires just a swab of your dog’s cheek to get a detailed report delivered in two weeks or less. That report includes a custom photo certificate of the breed breakdown found in your dog’s genetic breed composition, a percentage breakdown of the levels found in your dog’s DNA, and a report on the dominant breeds, personality traits, and health concerns that your dog may be genetically predisposed to. All of that information will help you be a better friend to your dog, making smarter decisions about food, training, and healthcare.

The DNA My Dog Kit was awarded at the 2020 GHO Biotechnology Awards and user Bonnie H. writes, “I loved this experience!!! The kit came immediately with great instructions. The results came exactly when promised. When I couldn’t open the attachment with the results, I emailed my concern and got instant help! To find out his DNA has been the coolest experience!”

Lock in free shipping on a unique gift for your dog by December 8. Grab the DNA My Dog Breed Identification Test on sale for 24% off $79 at just $59.99 now.

Prices subject to change.
