Organizations need to address security misconfigurations in their environments so that Russian state-sponsored threat actors don’t get to them first.

Read More

New paper: “Planting Undetectable Backdoors in Machine Learning Models:

Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate “backdoor key”, the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees.

First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is “clean” or contains a backdoor.

Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an “adversarially robust” classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness.

Read More

This virtual Cybersecurity Modernization Summit explored the ongoing challenge of cybersecurity in the state and local government and higher education communities.

Read More

The energy and finance sectors are likely to be targeted by Russian cyber-criminals

Read More

The retailer is currently investigating whether personal data was accessed in the attack

Read More

Online greeting cards business Funky Pigeon was forced to close its doors temporarily last week after a “cybersecurity incident.”

Visitors to the company’s website were still being greeted as recently as Monday with a message saying that it could not accept new orders.

Read More

Graham Cluley Security News is sponsored this week by the folks at Indusface. Thanks to the great team there for their support! With APIs grown into a dominant mechanism of the modern web, protecting web applications and APIs becomes the default requirement of AppSec. This calls for a unified risk-based mitigation solution. Indusface WAAP, a … Continue reading “For cutting-edge web application and API protection – Trust Indusface WAAP”

Read More

The research found that phishing attempts impersonating LinkedIn made up 52% of attacks globally in Q1 2022

Read More