Inserting a Backdoor into a Machine-Learning System

Interesting research: “ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks,” by Tim Clifford, Ilia Shumailov, Yiren Zhao, Ross Anderson, and Robert Mullins:

Abstract: Early backdoor attacks against machine learning set off an arms race in attack and defence development. Defences have since appeared demonstrating some ability to detect backdoors in models or even remove them. These defences work by inspecting the training data, the model, or the integrity of the training procedure. In this work, we show that backdoors can be added during compilation, circumventing any safeguards in the data preparation and model training stages. As an illustration, the attacker can insert weight-based backdoors during the hardware compilation step that will not be detected by any training or data-preparation process. Next, we demonstrate that some backdoors, such as ImpNet, can only be reliably detected at the stage where they are inserted and removing them anywhere else presents a significant challenge. We conclude that machine-learning model security requires assurance of provenance along the entire technical pipeline, including the data, model architecture, compiler, and hardware specification.

Ross Anderson explains the significance:

The trick is for the compiler to recognise what sort of model it’s compiling—whether it’s processing images or text, for example—and then devising trigger mechanisms for such models that are sufficiently covert and general. The takeaway message is that for a machine-learning model to be trustworthy, you need to assure the provenance of the whole chain: the model itself, the software tools used to compile it, the training data, the order in which the data are batched and presented—in short, everything.

PCI DSS v4.0

2022 is the year that much of the world managed, to varying degrees of success, to get back to normal. People ramped up travel, returned to in-person activities, and many returned to the office. The pandemic changed most aspects of day-to-day life, but hackers and other bad actors generally continued making life difficult for businesses, governments, and non-profit entities.

As a result, there have been some innovative new ways to target networks and IT infrastructures that keep CISOs and their teams up at night. A sample of these concerning threat vectors includes Ransomware as a Service, attacks targeting IoT/OT infrastructure, and general supply chain attacks. Tried and true methods, like phishing and targeting unpatched or outdated systems to find vulnerabilities, also continued.

Data shows that threats are increasing in volume and impact across every industry and government agency. The Cybersecurity and Infrastructure Security Agency (CISA) recently reported that 14 critical US sectors have been subjected to intense ransomware attacks, and the FBI identified over 2,000 ransomware attacks between January and July of 2022 (source). Check Point estimates that 1 out of 40 organizations will be hit by a ransomware attack and that 84% of those see some amount of data exfiltration. IBM appraises the average cost of a data breach at $4.3M, and the recovery time from such attacks is approximately 22 days.

And with all of that said, the World Economic Forum still attributes 95% of all data breaches to human error.

The cybersecurity industry is fighting back. The PCI Security Standards Council (PCI SSC) sorted through over 6,000 pieces of feedback from over 200 organizations to help it create the new standard, aimed at significantly reducing the success of these types of attacks in the future. On May 31, 2022, the PCI SSC released version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS). This provides an accepted baseline of technical and operational requirements designed to protect various types of user account data. The updated standard and Summary of Changes document are available now on the PCI SSC website.

Version 4.0 is a significant update to the standard, so to give organizations time to understand the new requirements and to plan, execute and test updates, the current version, 3.2.1, remains active through March 31, 2024. Assessors are undergoing training and certification for the new standard now; once certified, they will be able to assess against either the current or the new standard, based on the organization's plans.

The new standard includes many expected updates based on evolving payment card industry security needs. There are also changes to the expected frequency of effort, shifting from fixed intervals between activities to the idea that security is a continuous process.

The stated goals for PCI DSS v4.0 are as follows:

Continue to Meet the Security Needs of the Payment Industry;
Promote Security as Continuous Process;
Add Flexibility for Different Methodologies; and
Enhance Validation Methods.

Source: At a Glance: PCI DSS v4.0 (pcisecuritystandards.org)

PCI DSS compliance is a requirement for any organization that handles credit card or other types of payment card data. Organizations that use this type of data without this compliance will face penalties and daily fines, not to mention the risk of a data breach that could cost millions in settlements, legal fees and reputational loss. Simply stated, ignoring this update is not an option if your organization plans to process credit card or other payment data.

With a fully trained team of PCI assessors, AT&T Cybersecurity Consulting can provide assessments, remediation consulting, program development, penetration testing and code review services that help companies achieve PCI compliance and general security best practices. We are able to leverage solutions such as Unified Security Management (USM) as a tool to manage threat detection and response for an environment. We are also able to provide managed services powered by best-of-breed technology platforms. For example, the Client Side Code Scanning service provided by the AT&T Managed Vulnerability Program (MVP) team can quickly and continuously monitor in-scope web application JavaScript and Content Security Policies (CSPs) to identify compliance gaps with PCI DSS 4.0 so that plans can be created for remediation.

To get up to speed on the PCI DSS 4.0 details, you can review a couple of online resources from the PCI Security Standards Council:

PCI DSS v4.0 Resource Hub
PCI SSC Document Library

And when you’re ready to engage with one of the industry leaders in security compliance solutions, you can read more and then reach out to us via the web form, or contact your AT&T business partner.

Kolide gives you real-time fleet visibility across Mac, Windows, and Linux, answering questions MDMs can’t

Graham Cluley Security News is sponsored this week by the folks at Kolide. Thanks to the great team there for their support! Device security is a lot like Mount Everest: it’s tough to scale. When you’re a small company dominated by engineers, you can keep up with fleet management with nothing more than trust and …

How legacy tech impedes zero trust and what to do about it

As organizations embrace the zero-trust security model, legacy tech has created some roadblocks. In fact, replacing or rebuilding existing legacy infrastructures is the biggest challenge to implementing zero trust, according to a recent study.

General Dynamics’ 2022 Zero Trust Research Report surveyed 300 IT and program managers across US federal, civilian, and defense agencies, which are mandated to adopt a zero-trust model under a 2021 presidential executive order. The survey found that 58% of them listed the legacy tech challenge ahead of determining what set of technologies are needed (50%), lack of IT staff expertise (48%), and cost (46%).

CVE-2021-35226

An entity in the Network Configuration Manager product is misconfigured and exposes a password field to the SolarWinds Information Service (SWIS). The exposed credentials are encrypted and require authenticated access with an NCM role.

USN-5669-2: Linux kernel vulnerabilities

It was discovered that the SUNRPC RDMA protocol implementation in the Linux
kernel did not properly calculate the header size of an RPC message payload.
A local attacker could use this to expose sensitive information (kernel
memory). (CVE-2022-0812)

Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation
in the Linux kernel did not provide sufficient randomization when
calculating port offsets. An attacker could possibly use this to expose
sensitive information. (CVE-2022-1012, CVE-2022-32296)

Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel’s Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)