Organizations need to address security misconfigurations in their environments so that Russian state-sponsored threat actors don’t get to them first.
Daily Archives: April 19, 2022
Undetectable Backdoors in Machine-Learning Models
New paper: “Planting Undetectable Backdoors in Machine Learning Models:
Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate “backdoor key”, the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees.
First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is “clean” or contains a backdoor.
Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an “adversarially robust” classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness.
Oracle Critical Patch Update Advisory – April 2022
Community Defense Against Ransomware
This virtual Cybersecurity Modernization Summit explored the ongoing challenge of cybersecurity in the state and local government and higher education communities.
US Officials Increase Warnings About Russian Cyber-Attacks
The energy and finance sectors are likely to be targeted by Russian cyber-criminals
Funky Pigeon Suspends Orders Following Cyber-Attack
The retailer is currently investigating whether personal data was accessed in the attack
[R1] Tenable.sc 5.21.0 Fixes Fix Multiple Third-Party Vulnerabilities
Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact of these issues. Tenable.sc 5.21.0 updates the following components to address the identified vulnerabilities:
jQuery UI upgraded from 1.12.0 to 1.13.1
MomentJS upgraded from 2.29.1 to 2.29.2
Funky Pigeon stalls orders after hackers breach its systems
Online greeting cards business Funky Pigeon was forced to close its doors temporarily last week after a “cybersecurity incident.”
Visitors to the company’s website were still being greeted as recently as Monday with a message saying that it could not accept new orders.
For cutting-edge web application and API protection – Trust Indusface WAAP
Graham Cluley Security News is sponsored this week by the folks at Indusface. Thanks to the great team there for their support! With APIs grown into a dominant mechanism of the modern web, protecting web applications and APIs becomes the default requirement of AppSec. This calls for a unified risk-based mitigation solution. Indusface WAAP, a … Continue reading “For cutting-edge web application and API protection – Trust Indusface WAAP”
LinkedIn Becomes the Most Impersonated Brand for Phishing Attacks
The research found that phishing attempts impersonating LinkedIn made up 52% of attacks globally in Q1 2022