USN-7144-1: Linux kernel (Intel IoTG) vulnerabilities


Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and
Shweta Shinde discovered that the Confidential Computing framework in the
Linux kernel for x86 platforms did not properly handle 32-bit emulation on
TDX and SEV. An attacker with access to the VMM could use this to cause a
denial of service (guest crash) or possibly execute arbitrary code.
(CVE-2024-25744)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM64 architecture;
– MIPS architecture;
– PowerPC architecture;
– RISC-V architecture;
– User-Mode Linux (UML);
– x86 architecture;
– Block layer subsystem;
– Android drivers;
– Serial ATA and Parallel ATA drivers;
– ATM drivers;
– Drivers core;
– Null block device driver;
– Character device driver;
– ARM SCMI message protocol;
– GPU drivers;
– HID subsystem;
– Hardware monitoring drivers;
– I3C subsystem;
– InfiniBand drivers;
– Input Device core drivers;
– Input Device (Miscellaneous) drivers;
– IOMMU subsystem;
– IRQ chip drivers;
– ISDN/mISDN subsystem;
– LED subsystem;
– Multiple devices driver;
– Media drivers;
– VMware VMCI Driver;
– MMC subsystem;
– Ethernet bonding driver;
– Network drivers;
– Mellanox network drivers;
– Near Field Communication (NFC) drivers;
– NVME drivers;
– Device tree and open firmware driver;
– Parport drivers;
– PCI subsystem;
– Pin controllers subsystem;
– Remote Processor subsystem;
– S/390 drivers;
– SCSI subsystem;
– QCOM SoC drivers;
– Direct Digital Synthesis drivers;
– Thunderbolt and USB4 drivers;
– TTY drivers;
– Userspace I/O drivers;
– DesignWare USB3 driver;
– USB Gadget drivers;
– USB Host Controller drivers;
– USB Type-C Connector System Software Interface driver;
– USB over IP driver;
– Virtio Host (VHOST) subsystem;
– File systems infrastructure;
– BTRFS file system;
– Ext4 file system;
– F2FS file system;
– JFS file system;
– NILFS2 file system;
– File system notification infrastructure;
– NTFS3 file system;
– Proc file system;
– SMB network file system;
– Bitmap API;
– Objagg library;
– Perf events;
– Virtio network driver;
– KCM (Kernel Connection Multiplexor) sockets driver;
– Network traffic control;
– Control group (cgroup);
– DMA mapping infrastructure;
– Locking primitives;
– Padata parallel execution mechanism;
– RCU subsystem;
– Scheduler infrastructure;
– Tracing infrastructure;
– Radix Tree data structure library;
– Kernel userspace event delivery library;
– Memory management;
– Amateur Radio drivers;
– Bluetooth subsystem;
– Ethernet bridge;
– CAN network layer;
– Networking core;
– Ethtool driver;
– IPv4 networking;
– IPv6 networking;
– IUCV driver;
– MAC80211 subsystem;
– Multipath TCP;
– Netfilter;
– SCTP protocol;
– Sun RPC protocol;
– TIPC protocol;
– TLS protocol;
– Wireless networking;
– AppArmor security module;
– Landlock security;
– Simplified Mandatory Access Control Kernel framework;
– FireWire sound drivers;
– SoC audio core drivers;
– USB sound devices;
(CVE-2024-42280, CVE-2024-46759, CVE-2024-42286, CVE-2024-41042,
CVE-2024-42276, CVE-2024-46732, CVE-2024-43902, CVE-2024-47665,
CVE-2024-46675, CVE-2024-43873, CVE-2024-46761, CVE-2024-42281,
CVE-2024-46795, CVE-2024-43869, CVE-2024-39472, CVE-2024-46800,
CVE-2024-44998, CVE-2024-46746, CVE-2024-46747, CVE-2024-41011,
CVE-2024-43871, CVE-2024-46737, CVE-2024-42318, CVE-2024-46731,
CVE-2024-41022, CVE-2024-42285, CVE-2024-46752, CVE-2024-46818,
CVE-2024-44935, CVE-2024-44946, CVE-2024-44944, CVE-2024-41015,
CVE-2024-42312, CVE-2024-46676, CVE-2024-43834, CVE-2024-44966,
CVE-2024-46743, CVE-2024-45026, CVE-2024-46805, CVE-2024-26607,
CVE-2024-46771, CVE-2024-43905, CVE-2024-43884, CVE-2024-41070,
CVE-2024-43829, CVE-2024-46725, CVE-2024-45028, CVE-2024-42287,
CVE-2024-42313, CVE-2024-42277, CVE-2024-42290, CVE-2024-44934,
CVE-2024-46829, CVE-2024-46707, CVE-2024-46677, CVE-2024-42311,
CVE-2024-46814, CVE-2024-46815, CVE-2024-46755, CVE-2024-41065,
CVE-2024-43889, CVE-2024-46780, CVE-2024-43860, CVE-2024-46777,
CVE-2024-46719, CVE-2024-45009, CVE-2024-42302, CVE-2024-42304,
CVE-2024-41063, CVE-2024-47659, CVE-2024-46822, CVE-2024-46756,
CVE-2024-42283, CVE-2024-46757, CVE-2024-43909, CVE-2024-45011,
CVE-2024-46739, CVE-2024-46750, CVE-2024-46782, CVE-2024-44986,
CVE-2024-44983, CVE-2024-45021, CVE-2024-44987, CVE-2024-41090,
CVE-2024-42288, CVE-2024-44969, CVE-2024-42272, CVE-2024-43893,
CVE-2024-42259, CVE-2024-46781, CVE-2024-43907, CVE-2024-42265,
CVE-2024-43839, CVE-2024-47663, CVE-2024-46798, CVE-2024-43817,
CVE-2024-42295, CVE-2024-46840, CVE-2024-45008, CVE-2024-43849,
CVE-2024-46744, CVE-2024-43879, CVE-2024-43841, CVE-2024-42299,
CVE-2024-46783, CVE-2024-36484, CVE-2024-47660, CVE-2024-42310,
CVE-2024-44990, CVE-2024-42270, CVE-2024-43894, CVE-2024-41071,
CVE-2024-40915, CVE-2024-46810, CVE-2024-44954, CVE-2024-42246,
CVE-2023-52889, CVE-2024-43892, CVE-2024-43890, CVE-2024-42284,
CVE-2023-52918, CVE-2024-47669, CVE-2024-41078, CVE-2024-41073,
CVE-2024-26800, CVE-2024-41091, CVE-2024-46828, CVE-2022-48666,
CVE-2024-41060, CVE-2024-42114, CVE-2024-46807, CVE-2024-26669,
CVE-2024-44965, CVE-2024-46758, CVE-2024-44947, CVE-2024-43875,
CVE-2024-42126, CVE-2024-46685, CVE-2024-43883, CVE-2024-46722,
CVE-2024-41064, CVE-2024-43882, CVE-2024-46679, CVE-2024-46740,
CVE-2024-45025, CVE-2024-46721, CVE-2024-38611, CVE-2024-46844,
CVE-2024-45007, CVE-2024-44960, CVE-2024-42306, CVE-2024-44971,
CVE-2024-43835, CVE-2024-42305, CVE-2024-43846, CVE-2024-42289,
CVE-2024-46689, CVE-2024-46724, CVE-2024-43853, CVE-2024-44974,
CVE-2024-43828, CVE-2024-43914, CVE-2024-44958, CVE-2024-46673,
CVE-2024-46723, CVE-2024-41081, CVE-2024-46738, CVE-2024-42296,
CVE-2024-45006, CVE-2024-46714, CVE-2024-43880, CVE-2024-42271,
CVE-2024-44985, CVE-2024-41072, CVE-2024-43867, CVE-2024-43858,
CVE-2024-26893, CVE-2024-41059, CVE-2024-38577, CVE-2024-46817,
CVE-2024-46702, CVE-2024-41019, CVE-2024-44999, CVE-2024-43908,
CVE-2024-42292, CVE-2024-43856, CVE-2024-45018, CVE-2024-41068,
CVE-2024-43870, CVE-2024-45003, CVE-2024-42297, CVE-2024-47668,
CVE-2024-43830, CVE-2024-26661, CVE-2024-41017, CVE-2024-42309,
CVE-2024-43861, CVE-2024-46791, CVE-2024-44989, CVE-2024-46745,
CVE-2024-42269, CVE-2024-43863, CVE-2024-43854, CVE-2024-44995,
CVE-2024-46804, CVE-2024-44948, CVE-2024-46819, CVE-2024-41098,
CVE-2024-44982, CVE-2024-46763, CVE-2024-46832, CVE-2024-41077,
CVE-2024-42274, CVE-2024-47667, CVE-2024-41012, CVE-2024-41020,
CVE-2024-42301, CVE-2024-42267, CVE-2024-46713, CVE-2024-38602,
CVE-2024-44988)


tomcat-9.0.98-1.fc41


FEDORA-2024-2cb3145f8d

Packages in this update:

tomcat-9.0.98-1.fc41

Update description:

Automatic update for tomcat-9.0.98-1.fc41.

Changelog for tomcat

* Mon Dec 09 2024 Packit <hello@packit.dev> - 1:9.0.98-1
- Update to version 9.0.98
- Resolves: rhbz#2331168

* Mon Dec 02 2024 Dimitris Soumis <dsoumis@redhat.com> - 1:9.0.97-1
- Update to version 9.0.97
- Resolves: rhbz#2327090

Automatic update for tomcat-9.0.97-1.fc41.


USN-7143-1: RabbitMQ Server vulnerabilities


Christian Rellmann discovered that RabbitMQ Server did not properly
sanitize user input when adding a new user via the management UI. An
attacker could possibly use this issue to perform cross site scripting and
obtain sensitive information. (CVE-2021-32718)

Fahimhusain Raydurg discovered that RabbitMQ Server did not properly
sanitize user input when using the federation management plugin. An
attacker could possibly use this issue to perform cross site scripting and
obtain sensitive information. (CVE-2021-32719)


Patch or Perish: The Forgotten Virtue of Diligence in Digital Security


In the ever-evolving landscape of digital security, the adage “patch or perish” encapsulates a stark reality. The timely application of software patches is not just a best practice—it is a necessity. The vulnerabilities that lurk in unpatched software can serve as gateways for cybercriminals, leading to severe breaches, operational disruptions, and substantial financial losses.

The imperative to keep software up-to-date has never been more pressing, yet patch management often takes a backseat in organizations. It’s not merely a technical oversight; it’s a question of diligence and prioritization.

The virtue of diligence—the proactive, methodical maintenance of systems—has been lost amid the rapid pace of technological growth. This article takes a deeper look at why diligence in patching is a crucial, yet often overlooked, cornerstone of cybersecurity.

The Imperative of Patching

Software patches are more than mere updates; they are crucial security mechanisms designed to address vulnerabilities, fix bugs, and even add functionality to software.

They serve as a frontline defense against a spectrum of threats that grow more sophisticated each day. Neglecting patches doesn’t just put one system at risk; it can compromise the entire network, potentially creating a cascading effect of vulnerabilities.

Cybercriminals often exploit known vulnerabilities for which patches already exist. These are known as “n-day vulnerabilities,” and their exploitation is rampant simply because organizations fail to apply fixes that are readily available.

The importance of patching should be viewed not only as a matter of hygiene but also as a competitive edge. In the current threat landscape, attackers are quick, but defenders must be quicker.

Consequences of Neglect

The repercussions of inadequate patching are well-documented yet continue to be ignored.

Unpatched systems become a fertile hunting ground for cybercriminals looking for easy prey. The result can be data breaches that compromise sensitive information, financial losses that are often uninsurable, and reputational damage that can take years to mend.

Take, for example, the infamous WannaCry ransomware attack. WannaCry leveraged a known vulnerability in Microsoft Windows, a vulnerability for which a patch had been released months earlier. Due to lax patch management, over 200,000 systems in 150 countries were compromised, causing disruptions to healthcare, manufacturing, and finance industries. The cost? Billions of dollars in damages, not to mention the incalculable impact on people’s lives due to healthcare system disruptions.

These scenarios are not isolated—they illustrate the risks inherent in ignoring patching protocols. For organizations that fail to take patch management seriously, it’s not a question of “if” they will be compromised, but “when.”

Challenges in Patch Management

Despite its importance, patch management remains fraught with challenges. It’s essential to recognize these hurdles to develop effective mitigation strategies:

Resource limitations: Smaller organizations often lack the IT resources required for consistent patch management. Even larger enterprises might struggle to dedicate the necessary manpower, given the constant barrage of patches released by software vendors.
System complexity: Modern IT ecosystems are incredibly complex, with a multitude of interdependent software applications and legacy systems. Applying a patch without testing could cause unforeseen issues, from compatibility problems to outright system failures.
Downtime concerns: Many organizations delay patching due to concerns about system downtime. Applying patches often requires rebooting systems, which may not be feasible during critical business hours. The perceived risk of operational disruption can, ironically, lead to greater long-term vulnerability.
Patch fatigue: The frequency of patch releases can lead to “patch fatigue.” IT teams are inundated with updates, making it challenging to prioritize which patches to apply and when. This fatigue can cause delays, leaving vulnerabilities exposed for longer than necessary.

Best Practices for Effective Patch Management

Patching is not just a technical task—it’s an organizational priority. Here are some strategies for improving patch diligence:

Automate Where Possible

Automating the patch management process can significantly reduce the burden on IT teams. Tools are available to handle patch deployment, prioritization, and verification, helping streamline the process.

Establish a Patch Management Policy

A formalized patch management policy ensures everyone understands the importance of timely updates. Such a policy should include timelines for critical patches, roles and responsibilities, and a schedule for regular system audits.

Test Before Deployment

Testing patches in a staging environment before deploying them in production can mitigate the risk of system outages. This step ensures compatibility and helps prevent unintended consequences.

Adopt a Risk-Based Approach

Not all patches are created equal. Adopting a risk-based approach that prioritizes patches based on the severity of the vulnerability and the exposure level of the affected system can lead to better security outcomes.

Additionally, integrating zero trust WiFi principles as part of a broader security posture helps mitigate risks associated with vulnerable endpoints connecting to the network. This strategy ensures that even if a device remains unpatched for a time, its network access is tightly controlled and monitored, reducing the overall threat surface.

Patch Regularly, But Be Ready for Exceptions

Regular patch cycles—like monthly or quarterly schedules—help maintain consistency. However, critical vulnerabilities require an immediate response, often outside of the regular patch cycle.

Train and Raise Awareness

Employees outside the IT department should also understand the importance of patching. Security is a collective responsibility, and educating the broader team can prevent individuals from inadvertently becoming weak links in the security chain.

Conclusion

“Patch or perish” is not hyperbole—it’s a reality faced by organizations every day. The costs of ignoring software updates are clear, with ample evidence in high-profile breaches that could have been prevented with timely patching. Despite the challenges, effective patch management is achievable with the right mindset, automation tools, and organizational commitment.

The forgotten virtue of diligence must be revived. It demands a proactive approach, an acknowledgment that cybersecurity threats are evolving too quickly for complacency.

In digital security, the choice is clear: patch or perish. The risks are too great, and the stakes are too high for anything less than absolute diligence. What choice will you make?


What Is a Brute Force Attack?


In the ever-evolving landscape of cybersecurity, threats continue to become more sophisticated and pervasive. Among various cyber threats, brute force attacks stand out due to their simplicity and effectiveness. Despite being a basic form of attack, they remain a significant threat to businesses. This blog aims to demystify brute force attacks, explore their various forms, and offer actionable insights on how to safeguard your organization against them.

Brute Force Attack Definition

A brute force attack is a trial-and-error method used by hackers to gain unauthorized access to systems, networks, or encrypted data. By systematically trying all possible combinations of passwords or encryption keys, attackers aim to eventually find the correct one. The brute force definition emphasizes persistence and computing power over cunning or stealth, making it a straightforward yet powerful tactic.

The core principle of brute force attacks lies in exhaustive searching. Attackers use automated tools to attempt numerous combinations at high speed. These tools are often readily available and can be customized to target specific systems or data. While the process can be time-consuming, the availability of efficient digital computing resources such as cloud computing has significantly reduced the time required to execute these attacks. As technology advances, the speed and efficiency of brute force attacks continue to improve, posing a growing threat to businesses.

Understanding the psychology behind brute force attacks can help businesses better prepare for them. Attackers rely on the predictability of human behavior, knowing that many users opt for simple and easily guessable passwords. They exploit this tendency by targeting commonly used passwords and leveraging data from past breaches. This psychological insight underscores the importance of educating employees about secure password practices and the dangers of reusing passwords across multiple platforms.

Brute force attacks have evolved significantly over time. In the early days of computing, attackers had limited resources and relied on manual efforts to break passwords. However, advancements in technology have revolutionized the way these attacks are carried out. Today, sophisticated algorithms and vast computing power enable attackers to execute brute force attacks with unprecedented speed and accuracy. Understanding this historical evolution highlights the need for continuous adaptation in cybersecurity strategies to stay ahead of emerging threats.

How Brute Force Attacks Work

Brute force attacks are systematic and relentless, driven by the fundamental principle of exhaustive searching.

Automation is a key component of modern brute force attacks. Attackers leverage software tools and scripts to automate the process of guessing passwords or encryption keys. These tools can be configured to target specific systems or data, increasing the efficiency and effectiveness of the attack. Automation allows attackers to launch large-scale attacks with minimal effort, making it a preferred method for many cybercriminals.

The availability of powerful computing resources has transformed brute force attacks into a formidable threat. High-speed processors and cloud computing services enable attackers to perform millions of password attempts per second. This immense computing power reduces the time required to crack passwords, especially those that are weak or commonly used. Businesses must recognize the significance of this technological advantage and implement robust security measures to counteract it.

While brute force attacks may seem straightforward, they require patience and persistence. Attackers understand that success is not guaranteed, and the process can be time-consuming. However, they are willing to invest the time and resources necessary to achieve their goals. This persistence underscores the importance of implementing security measures that can withstand prolonged attacks, such as account lockout mechanisms and multi-factor authentication.

Types of Brute Force Attacks

Brute force attacks can manifest in various forms, each with its unique characteristics:

Simple Brute Force Attack

A simple brute force attack involves guessing passwords without any external logic or context, purely relying on trying all possible combinations. This method is the most basic form of brute force attack, yet it can be surprisingly effective against weak passwords. Attackers systematically test every possible combination until they find the correct one, exploiting the lack of complexity in password choices. Businesses should educate employees on the importance of using strong, complex passwords to mitigate this threat.

Dictionary Attack

A dictionary attack utilizes a pre-defined list of common passwords or phrases, significantly reducing the time needed to crack weak passwords. Attackers compile these lists from previously leaked passwords and common password choices, making it easier to target predictable password patterns. Dictionary attacks highlight the dangers of using commonly used passwords and emphasize the need for password diversity. Encouraging employees to avoid easily guessable passwords can help protect against this type of attack.

Hybrid Brute Force Attack

Hybrid brute force attacks combine dictionary and simple brute force methods by appending or prepending numbers and symbols to dictionary words. This approach increases the complexity of the attack, allowing attackers to target passwords that incorporate basic variations. Hybrid attacks demonstrate the adaptability of cybercriminals and the importance of using truly random and complex passwords. Businesses should promote the use of password managers to generate and store secure passwords for employees.

Reverse Brute Force Attack

In a reverse brute force attack, attackers begin with a known password and apply it across numerous usernames, targeting common login credentials. This method is particularly effective in situations where attackers have access to a leaked password database. By reversing the traditional approach, cybercriminals can exploit users who reuse passwords across multiple accounts. Implementing unique passwords for each account is crucial in preventing reverse brute force attacks.

Credential Stuffing

Credential stuffing leverages stolen username-password pairs from previous data breaches to gain unauthorized access to accounts. Attackers automate the process of testing these credentials across multiple websites and services. This type of attack highlights the interconnectedness of online accounts and the risks associated with password reuse. Businesses should encourage employees to use unique passwords for each account and consider implementing additional security measures, such as two-factor authentication, to protect against credential stuffing.

SSH Brute Force Attack

SSH brute force attacks specifically target Secure Shell (SSH) services by attempting various username and password combinations to gain remote access. These attacks exploit weak SSH configurations and default credentials. Businesses that rely on SSH for remote access must implement strong authentication practices, such as key-based authentication, to protect against this type of attack. Regularly reviewing and updating SSH configurations can further enhance security.

Brute Force Attack Examples

Brute force attacks have been responsible for numerous high-profile breaches, demonstrating their potential impact on businesses.

The 2012 LinkedIn Breach

In 2012, LinkedIn suffered a significant breach when hackers exploited weak encryption to expose millions of user passwords. This incident highlighted the vulnerabilities inherent in poor password policies and the importance of robust encryption practices. Businesses can learn from this breach by implementing strong password policies and encrypting sensitive data to prevent unauthorized access.

The 2016 Alibaba Breach

The 2016 Alibaba breach serves as a cautionary tale about the dangers of credential stuffing. Attackers used stolen credentials from previous data breaches to access over 20 million accounts on the platform. This breach underscores the risks associated with reusing passwords across multiple platforms. Encouraging users to adopt unique passwords and implementing additional security measures, such as multi-factor authentication, can help prevent similar incidents.

The 2019 Dunkin’ Donuts Credential Stuffing Attack

In 2019, Dunkin’ Donuts fell victim to a credential stuffing attack that compromised customer loyalty accounts. Cybercriminals leveraged stolen credentials to gain unauthorized access, emphasizing the importance of robust authentication measures. This incident highlights the need for businesses to implement strong security practices, such as monitoring login activity and utilizing multi-factor authentication, to protect customer accounts.

Brute force attacks can have devastating consequences for businesses, affecting different aspects of their operations.

Unauthorized access to sensitive data can lead to financial losses, reputational damage, and legal repercussions. Data breaches resulting from brute force attacks can expose customer information, trade secrets, and proprietary data. The financial impact of such breaches can be substantial, including costs associated with regulatory fines, legal fees, and compensating affected individuals. Businesses must prioritize data security to mitigate the risk of data breaches and protect their financial stability.

Excessive login attempts during a brute force attack can overwhelm systems, leading to service disruptions and lost productivity. The strain on servers and networks can result in downtime, preventing employees from accessing critical resources and hampering business operations. Minimizing the risk of system downtime requires robust security measures, such as rate limiting and account lockout mechanisms, to detect and block malicious login attempts.

Mitigating the effects of a successful brute force attack can result in significant financial outlay for recovery and remediation. Businesses may need to invest in additional security tools, hire cybersecurity experts, and allocate resources to incident response efforts. The costs associated with addressing the aftermath of an attack highlight the importance of proactive security measures and investing in preventive solutions to avoid costly breaches.

How to Prevent Brute Force Attacks

Preventing brute force attacks requires a multi-pronged approach. Here are some effective strategies:

Implement Strong Password Policies

Encourage the use of complex, unique passwords that combine uppercase and lowercase letters, numbers, and special characters. Regularly update passwords and avoid using common phrases or easily guessable information. Educate employees on the importance of password security and provide guidelines for creating strong passwords. Consider implementing password expiration policies to ensure that passwords are regularly updated.

Use Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring users to verify their identity through additional means, such as a text message or authentication app, making unauthorized access significantly more challenging. Implementing MFA can greatly reduce the risk of successful brute force attacks by adding an additional barrier for attackers to overcome. Encourage employees to enable MFA on all accounts and provide support for setting it up.

Limit Login Attempts

Implement account lockout mechanisms after a certain number of failed login attempts. This can deter attackers from continuing their efforts and protect against automated brute force tools. Configure lockout policies to temporarily disable accounts after multiple failed attempts, requiring users to verify their identity to regain access. This strategy can significantly reduce the effectiveness of brute force attacks and protect user accounts from unauthorized access.
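
A minimal sketch of the temporary lockout described above, added here as an illustration and not taken from the original article. The class name, thresholds, and the timer-based unlock are assumptions; the article's alternative of requiring identity verification to regain access is not modelled.

```python
import time


class LoginThrottle:
    """Temporary per-account lockout after repeated failed logins.

    Hypothetical helper for illustration. Defaults (5 failures within
    300 seconds, 900 second lockout) are assumed values, not recommendations
    taken from the article.
    """

    def __init__(self, max_failures=5, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window          # seconds in which failures are counted
        self.lockout = lockout        # seconds an account stays locked
        self.clock = clock            # injectable so tests control time
        self._failures = {}           # account -> recent failure timestamps
        self._locked_until = {}       # account -> unlock time

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the user starts fresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        now = self.clock()
        # Check the lock BEFORE looking at the password result, so that
        # guesses made during the lockout never succeed, even correct ones.
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return "locked"
        return "failed"
```

Because the lock is checked before the password result, an automated tool gains nothing by continuing to guess while the account is locked.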

Employ Captchas

Requiring users to complete a CAPTCHA during the login process can effectively thwart automated login attempts by distinguishing between human users and bots. CAPTCHAs add an additional layer of security by preventing automated tools from successfully executing brute force attacks. Implement CAPTCHAs on login pages and consider using more advanced solutions, such as invisible CAPTCHAs, to enhance user experience while maintaining security.

Monitor and Analyze Login Activity

Utilize security information and event management (SIEM) systems to detect abnormal login patterns. Real-time monitoring and alerting can help quickly identify and mitigate brute force attempts. Analyze login activity to identify patterns indicative of brute force attacks, such as repeated failed login attempts from a single IP address. Implementing SIEM solutions can provide valuable insights into potential security threats and enable timely response to mitigate attacks.
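
The pattern named above, repeated failed logins from a single IP address, can be checked directly against authentication logs. The following is an added example, not part of the original article: it parses constructed OpenSSH sshd log lines and separates one account being guessed repeatedly from one source cycling through many usernames. The thresholds, labels, function names, and the log year are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH sshd syslog format (documentation IPs).
SAMPLE_LOG = """\
Dec 10 09:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Dec 10 09:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Dec 10 09:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Dec 10 09:00:07 host sshd[1004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Dec 10 09:00:09 host sshd[1005]: Failed password for root from 203.0.113.7 port 40005 ssh2
Dec 10 09:00:12 host sshd[1006]: Accepted password for root from 203.0.113.7 port 40006 ssh2
Dec 10 09:01:00 host sshd[1010]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2
Dec 10 09:01:20 host sshd[1011]: Failed password for invalid user test from 198.51.100.23 port 51001 ssh2
Dec 10 09:01:40 host sshd[1012]: Failed password for invalid user oracle from 198.51.100.23 port 51002 ssh2
Dec 10 09:02:00 host sshd[1013]: Failed password for invalid user backup from 198.51.100.23 port 51003 ssh2
Dec 10 09:05:00 host sshd[1020]: Failed password for alice from 192.0.2.10 port 52000 ssh2
Dec 10 09:05:09 host sshd[1021]: Accepted password for alice from 192.0.2.10 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return (timestamp, accepted, user, ip) tuples for sshd auth results.

    Syslog timestamps carry no year, so one is supplied (assumed value).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=5), max_failures=5, max_users=4):
    """Flag source IPs whose failures inside a sliding window look automated.

    single_account_guessing: many failures, few usernames
    many_usernames:          one source trying many accounts (consistent with
                             reverse brute force or credential stuffing)
    success_after_failures:  a login succeeded right after a failure burst
    """
    findings = defaultdict(set)
    recent = defaultdict(list)  # ip -> [(timestamp, user)] failures in window
    for ts, accepted, user, ip in sorted(events, key=lambda e: e[0]):
        fails = [(t, u) for t, u in recent[ip] if ts - t <= window]
        recent[ip] = fails
        if accepted:
            if len(fails) >= max_failures:
                findings[ip].add("success_after_failures")
            continue
        fails.append((ts, user))
        if len({u for _, u in fails}) >= max_users:
            findings[ip].add("many_usernames")
        elif len(fails) >= max_failures:
            findings[ip].add("single_account_guessing")
    return {ip: sorted(labels) for ip, labels in findings.items()}


if __name__ == "__main__":
    for ip, labels in detect(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, labels)
```

The single mistyped password from 192.0.2.10 stays below both thresholds and produces no finding, while the success that follows the burst from 203.0.113.7 is the event that most needs a responder's attention.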

Secure SSH Access

For SSH brute force attack prevention, use key-based authentication instead of passwords, configure firewalls to limit access, and disable root login to enhance security. Regularly review and update SSH configurations to ensure that they adhere to best practices. Implementing additional security measures, such as intrusion detection systems, can further protect SSH access from brute force attacks.
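
One way to review an SSH configuration against the settings named above (key-based authentication, no password logins, no root login), as an added example that is not part of the original article. The function names and both sample configurations are constructed; the defaults are those of upstream OpenSSH and a distribution may ship different ones.

```python
import re

# Upstream OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Values matching the article's advice: keys instead of passwords, no root.
EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

# Keyword and argument are separated by whitespace or by a single '='.
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$")

# Constructed example: the hardening line was appended at the end, but sshd
# uses the FIRST value it obtains for a keyword, so it has no effect.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later during hardening
PasswordAuthentication no
"""

# Constructed example of the corrected configuration.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
"""


def effective_global_settings(config_text):
    """Return the global keyword -> value map as sshd would resolve it.

    Keywords are case-insensitive and the first occurrence wins. Parsing
    stops at the first Match block because those settings are conditional.
    Include files are not followed; on a real host, 'sshd -T' prints the
    configuration the daemon actually uses.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # keep the first value only
    return settings


def audit_sshd_config(config_text):
    """Return (keyword, effective_value, expected_value) for each deviation."""
    seen = effective_global_settings(config_text)
    findings = []
    for key in sorted(EXPECTED):
        value = seen.get(key, DEFAULTS[key])
        if value != EXPECTED[key]:
            findings.append((key, value, EXPECTED[key]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

An empty file is also reported, because the defaults leave password authentication enabled and still allow root to log in with a key.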

LevelBlue Brute Force Attack Cybersecurity

As businesses work to strengthen their cybersecurity resilience, partnering with a trusted provider becomes crucial. LevelBlue offers comprehensive managed security services and consulting services to protect against brute force attacks and other cyber threats.

LevelBlue Security Awareness Training: Our cybersecurity awareness training helps your employees to understand risks and how to keep your network safe.
LevelBlue Multifactor Authenticator: Provide an added layer of protection to ensure secure access to your corporate network.
LevelBlue Managed Threat Detection and Response: Protect your organization with 24×7, proactive security monitoring powered by our open XDR platform, LevelBlue USM Anywhere, and LevelBlue Labs™ threat intelligence.
LevelBlue Managed Endpoint Security with SentinelOne: Protect your endpoints at machine speed with integrated threat intelligence and 24/7 threat monitoring by the LevelBlue SOC.
LevelBlue Incident Response Retainer: Our organized approach helps you quickly contain a cybersecurity incident that limits damage and reduces recovery time and costs.

Conclusion

Brute force attacks remain a persistent threat in the digital landscape. By understanding how these attacks work and implementing strong security measures, businesses can significantly reduce their risk exposure. Partnering with a trusted cybersecurity provider like LevelBlue ensures that your organization is equipped to defend against brute force attacks and other cyber threats, safeguarding your valuable data and maintaining your reputation. Protect your business today by investing in advanced cybersecurity solutions.

For more information on how LevelBlue can help your business stay secure, contact us today.


USN-7142-1: WebKitGTK vulnerabilities


Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.


Trust Issues in AI


For a technology that seems startling in its modernity, AI sure has a long history. Google Translate, OpenAI chatbots, and Meta AI image generators are built on decades of advancements in linguistics, signal processing, statistics, and other fields going back to the early days of computing—and, often, on seed funding from the U.S. Department of Defense. But today’s tools are hardly the intentional product of the diverse generations of innovators that came before. We agree with Morozov that the “refuseniks,” as he calls them, are wrong to see AI as “irreparably tainted” by its origins. AI is better understood as a creative, global field of human endeavor that has been largely captured by U.S. venture capitalists, private equity, and Big Tech. But that was never the inevitable outcome, and it doesn’t need to stay that way.

The internet is a case in point. The fact that it originated in the military is a historical curiosity, not an indication of its essential capabilities or social significance. Yes, it was created to connect different, incompatible Department of Defense networks. Yes, it was designed to survive the sorts of physical damage expected from a nuclear war. And yes, back then it was a bureaucratically controlled space where frivolity was discouraged and commerce was forbidden.

Over the decades, the internet transformed from military project to academic tool to the corporate marketplace it is today. These forces, each in turn, shaped what the internet was and what it could do. For most of us billions online today, the only internet we have ever known has been corporate—because the internet didn’t flourish until the capitalists got hold of it.

AI followed a similar path. It was originally funded by the military, with the military’s goals in mind. But the Department of Defense didn’t design the modern ecosystem of AI any more than it did the modern internet. Arguably, its influence on AI was even less because AI simply didn’t work back then. While the internet exploded in usage, AI hit a series of dead ends. The research discipline went through multiple “winters” when funders of all kinds—military and corporate—were disillusioned and research money dried up for years at a time. Since the release of ChatGPT, AI has reached the same endpoint as the internet: it is thoroughly dominated by corporate power. Modern AI, with its deep reinforcement learning and large language models, is shaped by venture capitalists, not the military—nor even by idealistic academics anymore.

We agree with much of Morozov’s critique of corporate control, but it does not follow that we must reject the value of instrumental reason. Solving problems and pursuing goals is not a bad thing, and there is real cause to be excited about the uses of current AI. Morozov illustrates this from his own experience: he uses AI to pursue the explicit goal of language learning.

AI tools promise to increase our individual power, amplifying our capabilities and endowing us with skills, knowledge, and abilities we would not otherwise have. This is a peculiar form of assistive technology, kind of like our own personal minion. It might not be that smart or competent, and occasionally it might do something wrong or unwanted, but it will attempt to follow your every command and gives you more capability than you would have had without it.

Of course, for our AI minions to be valuable, they need to be good at their tasks. On this, at least, the corporate models have done pretty well. They have many flaws, but they are improving markedly on a timescale of mere months. ChatGPT’s initial November 2022 model, GPT-3.5, scored about 30 percent on a multiple-choice scientific reasoning benchmark called GPQA. Five months later, GPT-4 scored 36 percent; by May this year, GPT-4o scored about 50 percent, and the most recently released o1 model reached 78 percent, surpassing the level of experts with PhDs. There is no one singular measure of AI performance, to be sure, but other metrics also show improvement.

That’s not enough, though. Regardless of their smarts, we would never hire a human assistant for important tasks, or use an AI, unless we can trust them. And while we have millennia of experience dealing with potentially untrustworthy humans, we have practically none dealing with untrustworthy AI assistants. This is the area where the provenance of the AI matters most. A handful of for-profit companies—OpenAI, Google, Meta, Anthropic, among others—decide how to train the most celebrated AI models, what data to use, what sorts of values they embody, whose biases they are allowed to reflect, and even what questions they are allowed to answer. And they decide these things in secret, for their benefit.

It’s worth stressing just how closed, and thus untrustworthy, the corporate AI ecosystem is. Meta has earned a lot of press for its “open-source” family of LLaMa models, but there is virtually nothing open about them. For one, the data they are trained with is undisclosed. You’re not supposed to use LLaMa to infringe on someone else’s copyright, but Meta does not want to answer questions about whether it violated copyrights to build it. You’re not supposed to use it in Europe, because Meta has declined to meet the regulatory requirements anticipated from the EU’s AI Act. And you have no say in how Meta will build its next model.

The company may be giving away the use of LLaMa, but it’s still doing so because it thinks it will benefit from your using it. CEO Mark Zuckerberg has admitted that eventually, Meta will monetize its AI in all the usual ways: charging to use it at scale, fees for premium models, advertising. The problem with corporate AI is not that the companies are charging “a hefty entrance fee” to use these tools: as Morozov rightly points out, there are real costs to anyone building and operating them. It’s that they are built and operated for the purpose of enriching their proprietors, rather than because they enrich our lives, our wellbeing, or our society.

But some emerging models from outside the world of corporate AI are truly open, and may be more trustworthy as a result. In 2022 the research collaboration BigScience developed an LLM called BLOOM with freely licensed data and code as well as public compute infrastructure. The collaboration BigCode has continued in this spirit, developing LLMs focused on programming. The government of Singapore has built SEA-LION, an open-source LLM focused on Southeast Asian languages. If we imagine a future where we use AI models to benefit all of us—to make our lives easier, to help each other, to improve our public services—we will need more of this. These may not be “eolithic” pursuits of the kind Morozov imagines, but they are worthwhile goals. These use cases require trustworthy AI models, and that means models built under conditions that are transparent and with incentives aligned to the public interest.

Perhaps corporate AI will never satisfy those goals; perhaps it will always be exploitative and extractive by design. But AI does not have to be solely a profit-generating industry. We should invest in these models as a public good, part of the basic infrastructure of the twenty-first century. Democratic governments and civil society organizations can develop AI to offer a counterbalance to corporate tools. And the technology they build, for all the flaws it may have, will enjoy a superpower that corporate AI never will: it will be accountable to the public interest and subject to public will in the transparency, openness, and trustworthiness of its development.

This essay was written with Nathan E. Sanders. It originally appeared as a response in Boston Review’s forum, “The AI We Deserve.”
