Normal view
A Tale of Two Nearly Extinct Giant Salamanders
ยฉ Chang W. Lee/The New York Times
Electrical brain stimulation can ease heartbreak, study finds
Researchers say transcranial direct-current stimulation can reduce โlove trauma syndromeโ
Breaking up, as the Neil Sedaka hit goes, is hard to do. The emotional pain of a romantic split can be so severe it has its own clinical name โ love trauma syndrome, or LTS.
But help could be at hand for those seeking to mend a broken heart. Research shows wearing a ยฃ400 headset for just a few minutes a day may ease the misery, negativity and depression that can accompany a failed relationship.
Continue reading...ยฉ Photograph: Tetra Images, LLC/Alamy
ยฉ Photograph: Tetra Images, LLC/Alamy
CVE of the month, CheckPoint Security Gateway exploit CVE-2024-24919
This month we dive into CheckPoints CVE-2024-24919 to explain what this vulnerability does and why we have seen it being used in the wild already!
The post CVE of the month, CheckPoint Security Gateway exploit CVE-2024-24919 appeared first on Security Boulevard.
Exuberantly undisciplined
-
Security Boulevard
- Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces
Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces
This post walks through the vulnerabilities we disclosed affecting Gradio, and our work with Hugging Face to harden the Spaces platform after a recently reported potential breach.
The post Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces appeared first on Horizon3.ai.
The post Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces appeared first on Security Boulevard.
Why a 3-Legged Lion and His Brother Swam Across a Crocodile-Filled River
How New Headless Chrome & the CDP Signal Are Impacting Bot Detection
Learn how the new Headless Chrome's near-perfect fingerprint and the CDP signal have impacted bot detection recently.
The post How New Headless Chrome & the CDP Signal Are Impacting Bot Detection appeared first on Security Boulevard.
In Homes With Children, Even Loaded Guns Are Often Left Unsecured
ยฉ Arin Yoon for The New York Times
-
Security Boulevard
- Cyberattack on Swedish Gambling Site During Eurovision Highlights Strategic Threats
Cyberattack on Swedish Gambling Site During Eurovision Highlights Strategic Threats
Every year, the Eurovision Song Contest captivates millions of viewers across Europe and beyond, turning a simple music competition into a cultural phenomenon. This popularity extends to various forms of betting, with numerous gambling sites offering odds on Eurovision outcomes. Eurovision has grown from a small song competition into a massive international event, drawing in [โฆ]
The post Cyberattack on Swedish Gambling Site During Eurovision Highlights Strategic Threats appeared first on Blog.
The post Cyberattack on Swedish Gambling Site During Eurovision Highlights Strategic Threats appeared first on Security Boulevard.
Mapping Snowflakeโs Access Landscape
Attack Path Management
Because Every Snowflake (Graph) isย Unique
Introduction
On June 2nd, 2024, Snowflake released a joint statement with Crowdstrike and Mandiant addressing reports of โ[an] ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.โ A SpecterOps customer contacted me about their organizationโs response to this campaign and mentioned that there seems to be very little security-based information related to Snowflake. In their initial statement, Snowflake recommended the following steps for organizations that may be affected (or that want to avoid being affected, for that matter!):
- Enforce Multi-Factor Authentication on all accounts;
- Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.);ย and
- Impacted organizations should reset and rotate Snowflake credentials.
While these recommendations are a good first step, I wondered if there was anything else we could do once we better grasped Snowflakeโs Access Control Model (and its associated Attack Paths) and better understood the details of the attackerโs activity on the compromised accounts. In this post, I will describe the high-level Snowflake Access Control Model, analyze the incident reporting released by Mandiant, and provide instructions on graphing the โaccess modelโ of your Snowflake deployment.
These recommendations address how organizations might address initial access to their Snowflake instance. However, I was curious about โpost-exploitationโ in a Snowflake environment. After a quick Google search, I realized there is very little threat research on Snowflake. My next thought was to check out Snowflakeโs access control model to better understand the access landscape. I hoped that if I could understand how users are granted access to resources in a Snowflake account, I could start to understand what attackers might do once they are authenticated. I also thought we could analyze the existing attack paths to make recommendations to reduce the blast radius of a breach of the type Crowdstrike and Mandiant reported.
While we have not yet integrated Snowflake into BloodHound Community Edition (BHCE) or Enterprise (BHE), we believe there is value in taking a graph-centric approach to analyzing your deployment, as it can help you understand the impact of a campaign similar to the one described in the intro to thisย post.
Snowflake Access Controlย Model
My first step was to search for any documentation on Snowflakeโs access control model. I was pleased to find a page providing a relatively comprehensive and simple-to-understand model description. They describe their model as a mix of Discretionary Access Control, where โeach object has an owner, who can in turn grant access to that object,โ and Role-based Access Control, where โprivileges are assigned to roles, which are in turn assigned to users.โ These relationships are shown in the imageย below:
![](../themes/icons/grey.gif)
Notice that Role 1 โownsโ Objects 1 and 2. Then, notice that two different privileges are granted from Object 1 to Role 2 and that Role 2 is granted to Users 1 and 2. Also, notice that Roles can be granted to other Roles, which means there is a nested hierarchy similar to groups in Active Directory. One thing that I found helpful was to flip the relationship of some of these โedges.โ In this graphic, they are pointing toward the grant, but the direction of access is the opposite. Imagine that you are User 1, and you are granted Role 2, which has two Privileges on Object 1. Therefore, you have two Privileges on Object 1 through transitivity.
We have a general idea of how privileges on objects are granted, but what types of objects does Snowflake implement? They provide a graphic to show the relationship between these objects, which they describe as โhierarchical.โ
![](../themes/icons/grey.gif)
Notice that at the top of the hierarchy, there is an organization. Each organization can have one or many accounts. For example, the trial I created to do this research has only one Account, but the client that contacted me has ~10. The Account is generally considered to be the nexus of everything. It is helpful to think of an Account as the equivalent of an Active Directory Domain. Within the Account are Users, Roles (Groups), Databases, Warehouses (virtual compute resources), and many other objects, such as Security Integrations. Within the Database context is a Schema, and within the Schema context are Tables, Views, Stages (temporary stores for loading/unloading data),ย etc.
As I began understanding the implications of each object and the types of privileges each affords, I started to build a model showing their possible relationships. In doing so, I found it helpful to start at the top of the hierarchy (the account) and work my way down with respect to integrating entity types into the model. This is useful because access to entities often depends on access to their parent. For example, a user can only interact with a schema if the user also has access to the schemaโs parent database. This allows us to abstract away details and make educated inferences about lower-level access. Below, I will describe the primary objects that I consider in myย model.
Account (thinkย Domain)
The account is the equivalent to the domain. All objects exist within the context of the account. When you log into Snowflake, you log in as a user within a specific account. Most administrative privileges are privileges to operate on the account, such as CREATE USER, MANAGE GRANTS, CREATE ROLE, CREATE DATABASE, EXECUTE TASK,ย etc.
Users (precisely what you think theyย are)
Users are your identity in the Snowflake ecosystem. When you log into the system, you do so as a particular user, and you have access to resources based on your granted roles and the roleโs granted privileges.
Roles (thinkย Groups)
Roles are the primary object to which privileges are assigned. Users can be granted โUSAGEโ of a role, similar to being added as group members. Roles can also be granted to other roles, which creates a nested structure that facilitates granular control of privileges. There are ~ five default admin accounts. The first is ACCOUNTADMIN, which is the Snowflake equivalent of Domain Admin. The remaining four are ORGADMIN, SYSADMIN, SECURITYADMIN, and USERADMIN.
Warehouses
A Warehouse is โa cluster of computer resourcesโฆ such as CPU, memory, and temporary storageโ used to perform database-related operations in a Snowflake session. Operations such as retrieving rows from tables, updating rows in tables, and loading/unloading data from tables all require a warehouse.
Databases
A database is defined as โa logical grouping of schemas.โ It is the container for information that we would expect attackers to target. While the database object itself does not contain any data, a user must have access to the database to access its subordinate objects (Schemas, Tables,ย etc.).
Privileges (think Accessย Rights)
Privileges define who can perform which operation on which resources. In our context, privileges are primarily assigned to roles. Snowflake supports many privileges, some of which apply in a global or account context (e.g., CREATE USER), while others are specific to an object type (e.g., CREATE SCHEMA on a Database). Users accumulate privileges through the Roles that they have been granted recursively.
Access Graph
With this basic understanding of Snowflakeโs access control model, we can create a graph model that describes the relationships between entities via privileges. For instance, we know that a user can be granted the USAGE privilege of a role. This is the equivalent of an Active Directory user being a MemberOf a group. Additionally, we find that a role can be granted USAGE of another role, similar to group nesting in AD. Eventually, we can produce this relatively complete initial model for the Snowflake โaccessย graph.โ
![](../themes/icons/grey.gif)
This model can help us better understand what likely happened during the incident. It can also help us better understand the access landscape of our Snowflake deployment, which can help us reduce the blast radius should an attacker gainย access.
About theย Incident
As more details have emerged, it has become clear that this campaign targeted customer credentials rather than Snowflakeโs production environment. Later, on June 10th, Mandiant released a more detailed report describing some of the threat groupโs activity discovered during the investigation.
Mandiant describes a typical scenario where threat actors compromise the computers of contractors that companies hire to build, manage, or administer their Snowflake deployment. In many cases, these contractors already have administrative privileges, so any compromise of their credentials can lead to detrimental effects. The existing administrative privileges indicate that the threat actor had no need to escalate privilege via an attack path or compromise alternative identities during this activity.
Mandiant describes the types of activity the attackers were observed to have implemented. They appear interested in enumerating database tables to find interesting information for exfiltration. An important observation is that, based on the reported activity, the compromised user seems to have admin or admin-adjacent privileges on the Snowflake account.
In this section, we will talk about each of these commands, what they do and how we can understand them in the context of ourย graph.
![](../themes/icons/grey.gif)
As Mandiant describes, the first command is a Discovery command meant to list all the tables available. According to the documentation, a user requires at least the USAGE privilege on the Schema object that contains the table to execute this command directly. It is common for a production Snowflake deployment to have many databases, each with many schemas, so access to tables will likely be limited to most non-admins. We can validate this in the graph,ย though!
![](../themes/icons/grey.gif)
![](../themes/icons/grey.gif)
Next, we see that they run the SELECT command. This indicates that they must have found one or more tables from the previous command that interested them. This command works similarly to the SQL query and returns the rows in the table. In this case, they are dumping the entire table. The privilege documentation states that a user must have the SELECT privilege on the specified table (<Target Table>) to execute this command. Additionally, the user must have the USAGE privilege on the parent database (<Target Database>) and schema (<Target Schema>).
![](../themes/icons/grey.gif)
![](../themes/icons/grey.gif)
Like tables, stages exist within the schema context; thus, the requisite privilege, CREATE STAGE, exists at the schema level (aka <Redacted Schema>). The user would also require the USAGE privilege on the database (<Redacted Database>). Therefore, a user can have the ability to create a stage for one schema but not another. In general, this is a privilege that can be granted to a limited set of individuals, especially when it comes to sensitive databases/schemas.
![](../themes/icons/grey.gif)
![](../themes/icons/grey.gif)
Finally, the attackers call the COPY INTO command, which is a way to extract data from the Snowflake database. Obviously, Mandiant redacted the path, but one possible example would be to use the temporary stage to copy the data to an Amazon S3 bucket. In this case, the attacker uses the COPY INTO <location> variant, which requires the WRITE privilege. Of course, the attacker created the stage resource in the previous command, so they would likely have OWNERSHIP of the stage, granting them full control of theย object.
![](../themes/icons/grey.gif)
Build Your Ownย Graph
At this point, some of you might be interested in checking out your Snowflake Access Graph. This section walks through how to gather the necessary Snowflake data, stand up Neo4j, and build the graph. It also provides some sample Cypher queries relevant to Snowflakeโs recommendations.
Collecting Data
The first step is to collect the graph-relevant data from Snowflake. The cool thing is that this is actually a relatively simple process. Iโve found that Snowflakeโs default web client, Snowsight, does a fine job gathering this information. You can navigate to Snowsight once youโve logged in by clicking on the Query data button at the top of the Homeย page.
![](../themes/icons/grey.gif)
Once there, you will have the opportunity to execute commands. This section will describe the commands that collect the data necessary to build the graph. My parsing script is built for CSV files that follow a specific naming convention. Once your command has returned results, click the download button (downward pointing arrow) and select the โDownload asย .csvโย option.
![](../themes/icons/grey.gif)
The model supports Accounts, Applications, Databases, Roles, Users, and Warehouses. This means we will have to query those entities, which will serve as the nodes in our graph. This will download the file with a name related to your account. My parsing script expects the output of certain commands to be named in a specific way. The expected name will be shared in the corresponding sectionsย below.
Iโve found that I can query Applications, Databases, Roles, and Users as an unprivileged user. However, this is different for Accounts, which require ORGADMIN, and Warehouses, which require instance-specific access (e.g., ACCOUNTADMIN).
Applications
- Command: SHOW APPLICATIONS;
- File Name: application.csv
Databases
- Command: SHOW DATABASES;
- File Name: database.csv
Roles
- Command: SHOWย ROLES;
- File Name:ย role.csv
Users
- Command: SHOWย USERS;
- File Name:ย user.csv
Warehouses
- Command: SHOW WAREHOUSES;
- File Name: warehouse.csv
Note: As mentioned above, users can only enumerate warehouses for which they have been granted privileges. One way to grant a non-ACCOUNTADMIN user visibility of all warehouses is to grant the MANAGE WAREHOUSESprivilege.
Accounts
At this point, we have almost all the entity data we need. We have one final query that will allow us to gather details about our Snowflake account. This query can only be done by the ORGADMIN role. Assuming your user has been granted ORGADMIN, go to the top right corner of the browser and click on your current role. This will result in a drop-down that displays all of the roles that are effectively granted to your user. Here, you will select ORGADMIN, allowing you to run commands in the context of the ORGADMINย role.
![](../themes/icons/grey.gif)
Once complete, run the following command to list the accountย details.
- Command: SHOW ACCOUNTS;
- File Name: account.csv
Grants
Finally, we must gather information on privilege grants. These are maintained in the ACCOUNT_USAGE schema of the default SNOWFLAKE database. By default, these views are only available to the ACCOUNTADMIN role. Still, users not granted USAGE of the ACCOUNTADMIN role can be granted the necessary read access via the SECURITY_VIEWER database role. The following command does this (if run as ACCOUNTADMIN):
GRANT DATABASE ROLE snowflake.SECURITY_VIEWER TO <Role>
Once you have the necessary privilege, you can query the relevant views and export them to a CSV file. The first view is grants_to_users, which maintains a list of which roles have been granted to which users. You can enumerate this list using the following command. Then save it to a CSV file and rename it grants_to_users.csv.
SELECT * FROM snowflake.account_usage.grants_to_users;
The final view is grants_to_roles, which maintains a list of all the privileges granted to roles. This glue ultimately allows users to interact with the different Snowflake entities. This view can be enumerated using the following command. The results should be saved as a CSV file named grants_to_roles.csv.
SELECT * FROM snowflake.account_usage.grants_to_roles WHERE GRANTED_ON IN ('ACCOUNT', 'APPLICATION', 'DATABASE', 'INTEGRATION', 'ROLE', 'USER', 'WAREHOUSE');
Setting upย Neo4j
At this point, we have a Cypher statement that we can use to generate the Snowflake graph, but before we can do that, we need a Neo4j instance. The easiest way that I know of to do this is to use the BloodHound Community Edition docker-compose deployment option.
Note: While we wonโt use BHCE specifically in this demo, the overarching docker-compose setup includes a Neo4j instance configured to support thisย example.
To do this, you must first install Docker on your machine. Once complete, download this example docker-compose yaml file I derived from the BHCE GitHub repository. Next, open docker-compose.yaml in a text editor and edit Line 51 to point to the folder on your host machine (e.g., /Users/jared/snowflake:/var/lib/neo4j/import/) where you wrote the Snowflake data files (e.g., grants_to_roles.csv). This will create a bind mount between your host and the container. You are now ready to start the container by executing the following command:
docker-compose -f /path/to/docker-composer.yaml up -d
This will cause Docker to download and run the relevant Docker containers. For this Snowflake graph, we will interact directly with Neo4j as this model has not been integrated into BloodHound. You can access the Neo4j web interface by browsing to 127.0.0.1:7474 and logging in using the default credentials (neo4j:bloodhoundcommunityedition).
![](../themes/icons/grey.gif)
Data Ingest
Once youโve authenticated to Neo4j, it is time for data ingest. I originally wrote a PowerShell script that would parse the CSV files and handcraft Cypher queries to create the corresponding nodes and edges, but SadProcessor showed me a better way to approach ingestion. He suggested using the LOAD CSV clause. According to Neo4j, โLOAD CSV is used to import data from CSV files into a Neo4j database.โ This dramatically simplifies ingesting your Snowflake data AND is much more efficient than my initial PowerShell script. This section describes the Cypher queries that I use to import Snowflake data. Before you begin, knowing that each command must be run individually is essential. Additionally, these commands assume that youโve named your files as suggested. Therefore, the file listing of the folder you specified in the Docker Volume (e.g., /Users/jared/snowflake) should lookย this:
-rwx------@ 1 cobbler staff 677 Jun 12 20:17 account.csv
-rwx------@ 1 cobbler staff 227 Jun 12 20:17 application.csv
-rwx------@ 1 cobbler staff 409 Jun 12 20:17 database.csv
-rwx------@ 1 cobbler staff 8362 Jun 12 20:17 grants_to_roles.csv
-rwx------@ 1 cobbler staff 344 Jun 12 20:17 grants_to_users.csv
-rwx------@ 1 cobbler staff 114 Jun 12 20:17 integration.csv
-rwx------@ 1 cobbler staff 895 Jun 12 20:17 role.csv
-rwx------@ 1 cobbler staff 12350 Jun 12 20:17 table.csv
-rwx------@ 1 cobbler staff 917 Jun 12 20:17 user.csv
-rwx------@ 1 cobbler staff 436 Jun 12 20:17 warehouse.csv
Note: If you donโt have a Snowflake environment, but still want to check out the graph, you can use my sample data set by replacing file:/// with https://gist.githubusercontent.com/jaredcatkinson/c5e560f7d3d0003d6e446da534a89e79/raw/c9288f20e606d236e3775b11ac60a29875b72dbc/ in eachย query.
Ingest Accounts
LOAD CSV WITH HEADERS FROM 'file:///account.csv' AS line
CREATE (:Account {name: line.account_locator, created_on: line.created_on, organization_name: line.organization_name, account_name: line.account_name, snowflake_region: line.snowflake_region, account_url: line.account_url, account_locator: line.account_locator, account_locator_url: line.account_locator_url})
Ingest Applications
LOAD CSV WITH HEADERS FROM 'file:///application.csv' AS line
CREATE (:Application {name: line.name, created_on: line.created_on, source_type: line.source_type, source: line.source})
Ingest Databases
LOAD CSV WITH HEADERS FROM 'file:///database.csv' AS line
CREATE (:Database {name: line.name, created_on: line.created_on, retention_time: line.retention_time, kind: line.kind})
Ingest Integrations
LOAD CSV WITH HEADERS FROM 'file:///integration.csv' AS line
CREATE (:Integration {name: line.name, created_on: line.created_on, type: line.type, category: line.category, enabled: line.enabled})
Ingest Roles
LOAD CSV WITH HEADERS FROM 'file:///role.csv' AS line
CREATE (:Role {name: line.name, created_on: line.created_on, assigned_to_users: line.assigned_to_users, granted_to_roles: line.granted_to_roles})
Ingest Users
LOAD CSV WITH HEADERS FROM 'file:///user.csv' AS line
CREATE (:User {name: line.name, created_on: line.created_on, login_name: line.login_name, first_name: line.first_name, last_name: line.last_name, email: line.email, disabled: line.disabled, ext_authn_duo: line.ext_authn_duo, last_success_login: line.last_success_login, has_password: line.has_password, has_rsa_public_key: line.has_rsa_public_key})
Ingest Warehouses
LOAD CSV WITH HEADERS FROM 'file:///warehouse.csv' AS line
CREATE (:Warehouse {name: line.name, created_on: line.created_on, state: line.state, size: line.size})
Ingest Grants toย Users
LOAD CSV WITH HEADERS FROM 'file:///grants_to_users.csv' AS usergrant
CALL {
WITH usergrant
MATCH (u:User) WHERE u.name = usergrant.GRANTEE_NAME
MATCH (r:Role) WHERE r.name = usergrant.ROLE
MERGE (u)-[:USAGE]->(r)
}
Ingest Grants toย Roles
:auto LOAD CSV WITH HEADERS FROM 'file:///grants_to_roles.csv' AS grant
CALL {
WITH grant
MATCH (src) WHERE grant.GRANTED_TO = toUpper(labels(src)[0]) AND src.name = grant.GRANTEE_NAME
MATCH (dst) WHERE grant.GRANTED_ON = toUpper(labels(dst)[0]) AND dst.name = grant.NAME
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'USAGE' THEN [1] ELSE [] END | MERGE (src)-[:USAGE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'OWNERSHIP' THEN [1] ELSE [] END | MERGE (src)-[:OWNERSHIP]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLYBUDGET' THEN [1] ELSE [] END | MERGE (src)-[:APPLYBUDGET]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'AUDIT' THEN [1] ELSE [] END | MERGE (src)-[:AUDIT]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'MODIFY' THEN [1] ELSE [] END | MERGE (src)-[:MODIFY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'MONITOR' THEN [1] ELSE [] END | MERGE (src)-[:MONITOR]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'OPERATE' THEN [1] ELSE [] END | MERGE (src)-[:OPERATE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY AGGREGATION POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_AGGREGATION_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY AUTHENTICATION POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_AUTHENTICATION_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY MASKING POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_MASKING_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY PACKAGES POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_PACKAGES_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY PASSWORD POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_PASSWORD_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY PROTECTION POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_PROTECTION_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY ROW ACCESS POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_ROW_ACCESS_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'APPLY SESSION POLICY' THEN [1] ELSE [] END | MERGE (src)-[:APPLY_SESSION_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'ATTACH POLICY' THEN [1] ELSE [] END | MERGE (src)-[:ATTACH_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'BIND SERVICE ENDPOINT' THEN [1] ELSE [] END | MERGE (src)-[:BIND_SERVICE_ENDPOINT]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CANCEL QUERY' THEN [1] ELSE [] END | MERGE (src)-[:CANCEL_QUERY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE ACCOUNT' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_ACCOUNT]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE API INTEGRATION' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_API_INTEGRATION]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE APPLICATION' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_APPLICATION]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE APPLICATION PACKAGE' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_APPLICATION_PACKAGE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE COMPUTE POOL' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_COMPUTE_POOL]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE CREDENTIAL' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_CREDENTIAL]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE DATA EXCHANGE LISTING' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_DATA_EXCHANGE_LISTING]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE DATABASE' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_DATABASE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE DATABASE ROLE' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_DATABASE_ROLE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE EXTERNAL VOLUME' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_EXTERNAL_VOLUME]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE INTEGRATION' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_INTEGRATION]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE NETWORK POLICY' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_NETWORK_POLICY]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE REPLICATION GROUP' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_REPLICATION_GROUP]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE ROLE' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_ROLE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE SCHEMA' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_SCHEMA]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE SHARE' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_SHARE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE USER' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_USER]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'CREATE WAREHOUSE' THEN [1] ELSE [] END | MERGE (src)-[:CREATE_WAREHOUSE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'EXECUTE DATA METRIC FUNCTION' THEN [1] ELSE [] END | MERGE (src)-[:EXECUTE_DATA_METRIC_FUNCTION]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'EXECUTE MANAGED ALERT' THEN [1] ELSE [] END | MERGE (src)-[:EXECUTE_MANAGED_ALERT]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'EXECUTE MANAGED TASK' THEN [1] ELSE [] END | MERGE (src)-[:EXECUTE_MANAGED_TASK]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'EXECUTE TASK' THEN [1] ELSE [] END | MERGE (src)-[:EXECUTE_TASK]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'IMPORT SHARE' THEN [1] ELSE [] END | MERGE (src)-[:IMPORT_SHARE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'MANAGE GRANTS' THEN [1] ELSE [] END | MERGE (src)-[:MANAGE_GRANTS]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'MANAGE WAREHOUSES' THEN [1] ELSE [] END | MERGE (src)-[:MANAGE_WAREHOUSES]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'MANAGEMENT SHARING' THEN [1] ELSE [] END | MERGE (src)-[:MANAGEMENT_SHARING]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'MONITOR EXECUTION' THEN [1] ELSE [] END | MERGE (src)-[:MONITOR_EXECUTION]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'OVERRIDE SHARE RESTRICTIONS' THEN [1] ELSE [] END | MERGE (src)-[:OVERRIDE_SHARE_RESTRICTIONS]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'PURCHASE DATA EXCHANGE LISTING' THEN [1] ELSE [] END | MERGE (src)-[:PURCHASE_DATA_EXCHANGE_LISTING]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'REFERENCE USAGE' THEN [1] ELSE [] END | MERGE (src)-[:REFERENCE_USAGE]->(dst))
FOREACH (_ IN CASE WHEN grant.PRIVILEGE = 'USE ANY ROLE' THEN [1] ELSE [] END | MERGE (src)-[:USE_ANY_ROLE]->(dst))
} IN TRANSACTIONS
Once you finish executing these commands you can validate that the data is in the graph by running a query. The query below returns any entity with a path to the Snowflake account.
MATCH p=()-[*1..]->(a:Account)
RETURN p
![](../themes/icons/grey.gif)
This is a common way to find admin users. While Snowflake has a few default admin Roles, such as ACCOUNTADMIN, ORGADMIN, SECURITYADMIN, SYSADMIN, and USERADMIN, granting administrative privileges to custom roles is possible.
Queries
Having a graph is great! However, the value is all about the questions you can ask. Iโve only been playing around with this Snowflake graph for a few days. Still, I created a few queries that will hopefully help you gather context around the activity reported in Mandiantโs report and your compliance with Snowflakeโs recommendations.
Admins withoutย MFA
Snowflakeโs primary recommendation to reduce your exposure to this campaign and others like it is to enable MFA on all accounts. While achieving 100% coverage on all accounts may take some time, they also recommend enabling MFA on users who have been granted the ACCOUNTADMIN Role. Based on my reading of the reporting, the attackers likely compromised the credentials of admin users, so it seems reasonable to start with these highly privileged accountsย first.
There are two approaches to determining which users have admin privileges. The first is to assume that admins will be granted one of the default admins roles, as shownย below:
MATCH p=((n:User WHERE n.ext_authn_duo = "false")-[:USAGE*1..]->(r:Role WHERE r.name CONTAINS "ADMIN"))
RETURN p
![](../themes/icons/grey.gif)
Here, we see seven users who have been granted USAGE of a role with the string โADMINโ in its name. While this is a good start, the string โADMINโ does not necessarily mean that the role has administrative privileges, and its absence does not mean that the role does not have administrative privileges. Instead, I recommend searching for admins based on their effective privileges.
This second query considers that admin privileges can be granted to custom roles. For example, the MANAGE_GRANTS privilege, shown below, โgrants the ability to grant or revoke privileges on any object as if the invoking role were the owner of the object.โ This means that if a user has this privilege, they can grant themselves or anyone access to any object theyย want.
MATCH p=((n:User WHERE n.ext_authn_duo = "false")-[:USAGE*1..]->(r:Role)-[:MANAGE_GRANTS]->(a:Account))
RETURN p
![](../themes/icons/grey.gif)
Here, we see five users not registered for MFA who have MANAGE_GRANTS over the Snowflake Account. Two users are granted USAGE of the ACCOUNTADMINS role, and the other three are granted USAGE of a custom role. Both ACCOUNTADMINS and the custom role are granted USAGE of the SECURITYADMINS role, which is granted MANAGE_GRANTS on theย account.
Restated in familiar terms, two users are members of the ACCOUNTADMINS group, which is nested inside the SECURITYADMINS group, which has SetDACL right on the Domainย Head.
User Access to aย Database
According to Mandiant, most of the attackerโs actions focused on data contained within database tables. While my graph does not currently support schema or table entities, it is important to point out that the documentation states that โoperating on a table also requires the USAGE privilege on the parent database and schema.โ This means that we can use the graph to understand which users have access to which database and then infer that they likely have access to the schema and tables within the database.
MATCH p=((u:User)-[:USAGE*1..]->(r:Role)-[:OWNERSHIP]->(d:Database WHERE d.name = "<DATABASE NAME GOES HERE>"))
RETURN p
![](../themes/icons/grey.gif)
Here, the Jared and SNOWFLAKE users have OWNERSHIP of the SNOWFLAKE_SAMPLE_DATA database via the ACCOUNTADMIN role.
This query shows all users that have access to a specified databases. If you would like to check access to all databases you can run thisย query:
MATCH p=((u:User)-[:USAGE*1..]->(r:Role)-[]->(d:Database))
RETURN p
Stale Userย Accounts
Another simple example is identifying users that have never been used (logged in to). Pruning unused users might reduce the overall attack surfaceย area.
MATCH (n:User WHERE n.last_success_login = "")
RETURN n
![](../themes/icons/grey.gif)
Conclusion
I hope you found this overview and will find this graph capability useful. Iโm looking forward to your feedback regarding the graph! If you write a useful query, please share it, and I will put it in the post with credit. Additionally, if you think of extending the graph, please let me know, and Iโll do my best to facilitate it.
Before I go, I want to comment on Snowflakeโs recommendations in the aftermath of this campaign. As I mentioned, Snowflakeโs primary recommendation is to enable MFA on all accounts. It is worth mentioning, in their defense, that Snowflake has always (at least since before this incident) recommended that MFA be enabled on any user granted the ACCOUNTADMIN role (the equivalent of Domainย Admin).
![](../themes/icons/grey.gif)
That being said, the nature of web-based platforms means that if an attacker compromises a system with a Snowflake session, they likely can steal the session token and reuse it even if the user has MFA enabled. Austin Baker, who goes by @BakedSec on Twitter, pointed thisย out.
![](../themes/icons/grey.gif)
This indicates that we must look beyond how we stop attackers from getting access. We must understand the access landscape within our information systems. Ask yourself, โCan you answer which users can use the DATASCIENCE Database in your Snowflake deployment?โ With this graph, that question is trivial to answer, but without one, we find that most organizations cannot answer these questions accurately. When nested groups (roles in this case) are involved, it is very easy for there to be a divergence between intended access and effective access. This only gets worse over time. I think of it asย entropy.
We must use a similar approach for cloud accounts as on-prem administration. You donโt browse the web with your Domain Administrator account. No, you have two accounts, one for administration and one for day-to-day usage. You might even have a system that is dedicated to administrative tasks. These same ideas should apply to cloud solutions like Snowflake. Are you analyzing the data in a table? Great, use your Database Reader account. Now you need to grant Luke a role so he can access a warehouse? Okay, hop on your Privileged Access Workstation and use your SECURITYADMIN account. The same Tier 0 concept applies in this context. I look forward to hearing your feedback!
UPDATE: Luke Jennings from Push Security added a new technique to the SaaS Attack Matrix called Session Cookie Theft. This technique shows one way that attackers, specifically if they have access to the SaaS userโs workstation, can steal relevant browser cookies in order to bypass MFA. This does not mean that organizations should not strive to enable MFA on their users, especially admin accounts, however it does demonstrate the importance of reducing attack paths within the SaaS applicationโs access control model. One way to think of it is that MFA is meant to make it more difficult for attackers to get in, but once theyโre in it is all about Attack Paths. The graph approach I demonstrate in this post is the first step to getting a handle of these Attack Paths to reduce the blast radius of a compromise.
Mapping Snowflakeโs Access Landscape was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Mapping Snowflakeโs Access Landscape appeared first on Security Boulevard.
Anti-malarial drug may help treat polycystic ovary syndrome, study suggests
Herbal extract artemisinin, used in Chinese medicine, appears to stop excess testosterone production
An antimalarial drug used in ancient Chinese medicine could be an effective treatment for polycystic ovary syndrome (PCOS), a groundbreaking study suggests.
The herbal extract artemisinin appeared to stop the ovaries producing too much testosterone, and women who took the drug for 12 weeks had more regular periods. The findings from the small trial by a Chinese team have been hailed as a potential breakthrough that could lead to an entirely new approach to treating the condition that affects around one in 10 women.
Continue reading...ยฉ Photograph: megaflopp/Getty Images/iStockphoto
ยฉ Photograph: megaflopp/Getty Images/iStockphoto
If Paris Agreement Goals Are Missed, These Polar Bears Could Go Extinct
Cada elefante tiene nombre propio, sugiere un estudio
Akira Endo, Scholar of Statins That Reduce Heart Disease, Dies at 90
ยฉ Jiji Press, via Agence France-Presse — Getty Images
Rapid UTI test that cuts detection time to 45 minutes awarded Longitude prize
The ยฃ8m award goes to system that could herald โsea changeโ in antibiotic use by identifying correct treatment for urinary tract infections within 45 minutes
An ยฃ8m prize for a breakthrough in the fight against superbugs has been awarded, after a decade-long search for a winner, to a test that can identify how to treat a urinary tract infection in 45 minutes.
The test could herald a โsea changeโ in antibiotic use, the judges said as they announced the winner of the Longitude prize on antimicrobial resistance (AMR).
Continue reading...ยฉ Photograph: Sysmex
ยฉ Photograph: Sysmex
-
Security Boulevard
- CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability
CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability
Introduction Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On May 24, 2024, ZDI and Ivanti released an advisory describing a SQL injection resulting in remote code execution with a CVSS score of 9.8. In this post we will detail the internal workings of this vulnerability. Our POC can be found here. RecordGoodApp Luckily for us, the ZDI advisory told us exactly where to look for the SQL injection. A function named RecordGoodApp. After installation, we find most of the application binaries in C:\Program Files\LANDesk. Searching for RecordGoodApp we find its present in a file named PatchBiz.dll. We can use JetBrains dotPeek tool to disassemble the PatchBiz.dll C# binary. From there we can search for the RecordGoodApp method. We can readily see that the first SQL statement in the function is potentially vulnerable to an SQL injection. They use string.Format to insert the value of goodApp.md5 into the SQL query. Assuming we can find a way to influence the value of goodApp.md5 we should be able to trigger the SQL injection. Finding a Path to the Vulnerable Function Next, we would like to see if there are any [โฆ]
The post CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability appeared first on Horizon3.ai.
The post CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability appeared first on Security Boulevard.
Four Astronauts Spent 3 Days in Space. Hereโs What It Did to Their Bodies and Minds.
ยฉ SpaceX
A Big Whack That Made the Moon May Have Also Created Continents That Move
Childhood, interrupted: 12-year-old Tobyโs life with long Covid
More than 110,000 children in England and Scotland are still suffering. For Toby, it has meant pain, crushing fatigue and sadness โ as well as months off school
It is a few days after Arsenal have beaten Spurs and Iโm discussing the game with 12-year-old Toby. A huge Tottenham Hotspur supporter, Toby is also magnanimous in defeat. He admits that, despite a major second-half wobble, Arsenal (my team) are playing better football at the moment. Davies couldnโt handle Saka, Son has gone off the boil, only Romero came out with any credit.
Iโm enjoying talking football with Toby. He is clearly incredibly knowledgable as well as passionate about it. Itโs zero surprise to learn he has three fantasy football teams on the go.
Continue reading...ยฉ Photograph: Sarah Lee/The Guardian
ยฉ Photograph: Sarah Lee/The Guardian
Patch Tuesday Update โ June 2024
The post Patch Tuesday Update - June 2024 appeared first on Digital Defense.
The post Patch Tuesday Update โ June 2024 appeared first on Security Boulevard.
Morrie Markoff, Listed as Oldest Man in the U.S., Dies at 110
Akira Endo, โremarkableโ scientist who discovered statins, dies aged 90
Biochemist found cholesterol-lowering compound in 1973 and the drugs have prolonged millions of lives
The scientist whose work led to the creation of statins, a chemical that prevents heart attacks and strokes, has died aged 90.
Akira Endo found the first cholesterol-lowering compound in 1973 in a lab in Tokyo. The Japanese biochemist was said to have been inspired by Alexander Flemingโs discovery of penicillin in 1928, which lead him to study mould or fungi in order to develop medicines.
Continue reading...ยฉ Photograph: JIJI Press/AFP/Getty Images
ยฉ Photograph: JIJI Press/AFP/Getty Images
Was This Sea Creature Our Ancestor? Scientists Turn a Famous Fossil on Its Head.
ยฉ Mussini et al., Current Biology 2024
-
Security Boulevard
- Update: CVE-2024-4577 quickly weaponized to distribute โTellYouThePassโ Ransomware
Update: CVE-2024-4577 quickly weaponized to distribute โTellYouThePassโ Ransomware
Introduction Recently, Imperva Threat Research reported on attacker activity leveraging the new PHP vulnerability, CVE-2024-4577. From as early as June 8th, we have detected attacker activity leveraging this vulnerability to deliver malware, which we have now identified to be a part of the โTellYouThePassโ ransomware campaign. TellYouThePass is a ransomware that has been seen since [โฆ]
The post Update: CVE-2024-4577 quickly weaponized to distribute โTellYouThePassโ Ransomware appeared first on Blog.
The post Update: CVE-2024-4577 quickly weaponized to distribute โTellYouThePassโ Ransomware appeared first on Security Boulevard.
-
The Kingston Whig-Standard
- $25-million donation to Queen's will impact cancer research, treatment across Canada
$25-million donation to Queen's will impact cancer research, treatment across Canada
Every Elephant Has Its Own Name, Study Suggests
Personal Conflicts, Even Violence, Are Not Uncommon in Long-Term Care
ยฉ Erina Chida
Personal Conflicts, Even Violence, Are Not Uncommon in Long-Term Care
ยฉ Erina Chida
CDW Survey Surfaces Cybersecurity Tool Sprawl Challenges
![man in a black shirt looking worries and exhausted](../themes/icons/grey.gif)
Stress? What stress? 43% of IT professionals report that their organization had experienced a security breach that caused downtime and cost $1-10 million.
The post CDW Survey Surfaces Cybersecurity Tool Sprawl Challenges appeared first on Security Boulevard.
-
Cybersecurity News and Magazine
- University of Arkansas Leads Initiative to Improve Security of Solar Inverters
University of Arkansas Leads Initiative to Improve Security of Solar Inverters
University of Arkansas Solar Inverter Cybersecurity Initiative
The new project led by the University of Arkansas is funded by the U.S. Department of Energy's Solar Energy Technologies Office (SETO) and aims to strengthen the cybersecurity measures of solar inverters. Solar inverters are used to convert direct current (DC) generated from solar panels into alternating current (AC) that can be used in households and within the energy grid. This effort involves collaboration among multiple universities, laboratories, and industry partners to develop custom-designed controls infused with multiple layers of cybersecurity protocols. [caption id="attachment_75768" align="alignnone" width="800"]![University of Arkansas Solar Inverter Cybersecurity Initiative](../themes/icons/grey.gif)
Securing Renewable Energy and Electric Grids
As electric grids become increasingly digitized and connected, securing these grids becomes a top priority for the U.S. Department of Energy (DOE). The department has stated that while some cyberattacks target information technology (IT) systems, attacks on operating technology (OT) devices such as solar photovoltaic inverters could have potential physical impact, such as loss of power and creation of fires. The department cited an incident in March 2019 in which hackers managed to breach through a utilityโs web portal firewall. The attack caused random interruptions to the visibility of segments of the grid from its operators for a period of 10 hours. The DOE's Solar Energy Technologies Office (SETO) is working to ensure that the electric grid is secure and capable of integrating more solar power systems and other distributed energy resources. The agency developed a roadmap for Photovoltaic Cybersecurity, supports ongoing efforts in Distributed Energy Resources (DER) cybersecurity standards, and participates in the Office of Energy Efficiency and Renewable Energy's Cybersecurity Multiyear Program Plan, along with the Department of Energy's broader cybersecurity research activities. The Solar Energy Technologies Office has recommended the use of dynamic survival strategy based on defense-in-depth measures that functional as additional layers of security to secure individual components as well as entire systems. These layers include installing anti-virus software on DER systems (solar inverters and battery controllers) and maintaining virus protection and detection mechanisms on the firewalls and servers integrating these individual systems to the broader system of grid operation. The Office admits that implementation of this strategy into DER technologies can be complex, with different owners, operators, and systems typically involved, but maintains the strategy's importance in reducing potential cyberattacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Bad avocados, culinary standards, and knowable knowledge.
Abstract: Cultural conventions are central to tackling unsustainable consumption. In the Global North food conventions are increasingly contested due to the political importance of climate change and the share of global greenhouse gas emissions tied to animal food production and consumption. Significant reductions in meat consumption are touted as pathways to adaptation, but most consumers remain committed to consuming meat-based meals and diets with meat. To explore how consumers handle these issues in today's cultural context, this article examines culturally appropriate ways of rejecting meat reduction. The theoretical framework is based on interactionism and accounts. The empirical material is from focus group discussions with Danish consumers. We find that in discussions about using plant-based meat, norms of proper culinary conduct are held to be more pressing guides for normative assessment than climate impacts. We also show that the status and function of climate impact "knowledge" is complex and ambiguous. A shared social knowledge of the climate impacts of meat consumption appears to exist alongside "questionable knowledge" and "lack of knowledge", both of which are referred to excuse, justify, and charge others in reasoning supporting continued meat consumption. Knowledge of climate impacts is accepted when it fits cultural conventions but appears less knowable if it poses challenges to contemporary consumer culture. The article contributes insights into the ways in which cultural conventions and complex knowledge negotiations help to preserve unsustainable consumption. A summary of the publication is available at Vegconomist.
Cancer Researchers Begin Large Long-Term Study of Black Women
ยฉ Travis Dove for The Washington Post, via Getty Images
How DataDome Protects AI Apps from Prompt Injection & Denial of Wallet Attacks
LLM prompt injection and denial of wallet attacks are new ways malicious actors can attack your company through generative AI apps, such as a chatbot.
The post How DataDome Protects AI Apps from Prompt Injection & Denial of Wallet Attacks appeared first on Security Boulevard.
Have Wine for Breakfast, Put On a 51-Pound Suit and Get to the Battlefield
ยฉ Andreas D. Flouris/University of Thessaly
How Wombats May Save Other Animals From Wildfires
ยฉ Dean Lewins/EPA, via Shutterstock
A thousand sceptic hands won't keep us from the things we plan
Cybersecurity Training Reduces Phishing Threats โ With Numbers to Prove It
![AI cybersecurity](../themes/icons/grey.gif)
Train people. It makes a difference. In organizations without security awareness training, 34% of employees are likely to click on malicious links or comply with fraudulent requests.
The post Cybersecurity Training Reduces Phishing Threats โ With Numbers to Prove It appeared first on Security Boulevard.
Over $100? Time to bring out the Big Guns
booking flights on a phone is crazy. that is a laptop activityThe tweet that spawned countless TikToks ("BIG purchases require a laptop screen for FULL visibility"), hot takes ("It's laptop activity when you're a beginner"), and thinkpieces ("Looking ahead, Gen Alpha will integrate AI seamlessly into all areas of their lives"). Young shoppers are indeed driving a shift towards mobile retail. But a big factor pushing things in this direction may simply be that retailers hate when you buy big things on your laptop: "People often prefer bigger screens and keyboards for pricier purchasesโbut merchants have more levers to pull on mobile". See also: How Each Generation Shops in 2023 [HubSpot] and Gen Z's Device Preferences & Decision Drivers [Knit]
Python downloader highlights noise problem in open source threat detection
ReversingLabs researchers recently discovered a malicious, open source package: xFileSyncerx on the Python Package Index (PyPI). The package, with close to 300 registered downloads, contained separate malicious โwiperโ components. Is it an open source supply chain threat? Kind of. Further investigation by our team uncovered the fact that the downloader and wipers were created by a cybersecurity pro doing โred teamโ penetration testing of a clientโs SOC.ย
This incident highlights a growing challenge for firms that track (and defeat) open source threats. Namely: โnoiseโ in the form of grayware such as test packages as well as low-quality, low distribution malicious packages. As more attention turns to open source and supply chain threats and attacks, this low signal to noise ratio could make it harder to identify and remediate legitimate, open source software threats.ย
In this report we will discuss the findings of our research as well as the larger implications for developers and security teams, as the open source โcommonsโ become crowded with goodware, malware and grayware.
The post Python downloader highlights noise problem in open source threat detection appeared first on Security Boulevard.
8 Takeaways from Apple 2023 Threat Research
![Apple research study, data breaches, immutable storage, backup storage, ransomware data backup](../themes/icons/grey.gif)
The newly-released Apple cybersecurity threat study reveals interesting data points and demonstrates how the threat landscape is evolving.
The post 8 Takeaways from Apple 2023 Threat Research appeared first on Security Boulevard.
CISOs and Senior Leadership at Odds Over Security
![roses](../themes/icons/grey.gif)
Only half of cybersecurity leaders feel their C-suite understands cybersecurity risks, a Trend Micro survey found. Four in five have been told to downplay a potential riskโs severity.
The post CISOs and Senior Leadership at Odds Over Security appeared first on Security Boulevard.
Cyberattack Risks Keep Small Business Security Teams on Edge
![Silhouette of businesswoman against black wall with key hole](../themes/icons/grey.gif)
Three-quarters of SMBs fear that a cyberattack could put them out of business. For good reason: 96% of them have already been the victims of a cyberattack.
The post Cyberattack Risks Keep Small Business Security Teams on Edge appeared first on Security Boulevard.
CVE-2024-24919 Exploitation, Veriti Proactive Remediationย
Over the past few days, there has been a significant rise in exploitation attempts of the Check Point vulnerability identified asย CVE-2024-24919. This increase is not isolated but part of a larger pattern of sophisticated cyber attacks that utilize both manual and automated tools to scan and exploit vulnerabilities across various VPN systems. Technical Overview of [โฆ]
The post CVE-2024-24919 Exploitation, Veriti Proactive Remediationย appeared first on VERITI.
The post CVE-2024-24919 Exploitation, Veriti Proactive Remediationย appeared first on Security Boulevard.
Compromising ByteDanceโs Rspack using GitHub Actions Vulnerabilities
Overview Recently, we identified several critical Pwn Request vulnerabilities within GitHub Actions used by the Rspack repository. These vulnerabilities could allow an external attacker to submit a malicious pull request, without the requirement of being a prior contributor to the repository, and compromise the following secrets: NPM Deployment Token Compromise: Exploitation of the Pwn Request [โฆ]
The post Compromising ByteDanceโs Rspack using GitHub Actions Vulnerabilities appeared first on Praetorian.
The post Compromising ByteDanceโs Rspack using GitHub Actions Vulnerabilities appeared first on Security Boulevard.
FDA Reviews MDMA Therapy for PTSD, Citing Health Risks and Study Flaws
ยฉ Noel Celis/Agence France-Presse โ Getty Images
Alzheimerโs Takes a Financial Toll Long Before Diagnosis, Study Finds
ยฉ Krisanapong Detraphiphat/Getty Images
Scientists Find the Largest Known Genome Inside a Small Plant
Making knowledge public
Another stand-out is the bilingual Sed por Cambio: Una Guรญa Visual para Involucrarse en la Polรญtica del Agua / Thirsty for Change: Visual Guide to Getting Involved in Water Politics.