Su Zhang, Ph.D.

Andrew Ng’s take on California's proposed law SB-1047 is spot on: “There are many things wrong with this bill, but I’d like to focus here on just one: It defines an unreasonable “hazardous capability” designation that may make builders of large AI models potentially liable if someone uses their models to do something that exceeds the bill’s definition of harm (such as causing $500 million in damage). That is practically impossible for any AI builder to ensure. If the bill is passed in its present form, it will stifle AI model builders, especially open source developers. Some AI applications, for example in healthcare, are risky. But as I wrote previously, regulators should regulate applications rather than technology. Technology refers to tools that can be applied in many ways to solve various problems.Applications are specific implementations of technologies designed to meet particular customer needs. Safety is a property of applications, not a property of technologies (or models), as Arvind Narayanan and Sayash Kapoor have pointed out. Whether a blender is a safe one can’t be determined by examining the electric motor. A similar argument holds for AI.” #publicpolicy #policy #ai #machinelearning #ml #compliance #technology #society #sb1047 #opensourcesoftware #oss

4

A vulnerability has been identified, CVE-2024-27322, in the R programming language that permits arbitrary code execution by deserializing untrusted data. CERT Coordination Center (CERT/CC) has issued an advisory for CVE-2024-27322, cautioning against arbitrary code execution via malicious RDS or RDX files. What should you do? ⬆️ Update R to version 4.4.0 or later promptly. ⛔Until then, avoid interaction with untrusted RDS files or packages to mitigate risks. There is currently no public proof-of-concept or exploitation evidence available. https://bit.ly/44t7vFt

10

📣As we observe Memorial Day, I'd like to share some thoughts on the vastness and connectivity of the Internet. It's astounding how we interact with millions of people, many of whom we know little about. As a Marine and a war veteran🪖, I've had experiences where individuals approached me with questionable intentions, often revealing hidden agendas.🥸 In the realm of cybersecurity, vigilance is crucial. Platforms like WhatsApp and Signal are popular for their encrypted communications, but they come with their own sets of risks and considerations. While Signal is secure, it has been decrypted for court cases, which raises questions about privacy. WhatsApp, on the other hand, is often criticized for security, but its point-to-point encryption ensures conversations remain private.🔐 As someone experienced in detecting potential threats, I understand the importance of cybersecurity. However, many citizens lack this awareness. It's crucial to remain cautious when engaging with others online, as we may unknowingly interact with individuals with harmful intentions. On this Memorial Day, let's remember the sacrifices made for our freedoms and acknowledge the importance of security in protecting those freedoms. Without vigilance and sacrifice, our liberties could be at risk.🧐 Let's honor those who have served and continue to safeguard our nation. #Memorialday #technology ##Leadership https://lnkd.in/epnSXFiW

4

A silly programming error in the CrowdStrike driver running at kernel level that incomprehensibly got past all verification processes. There seems to me that there is scope for improving OS resilience to such silly vulnerabilities. Unprotected kernel extension patching mechanisms continue to be an Achiles heel in widely deployed OS, surprisingly. "The update to the channel file triggered a logic error which caused a memory allocation error. Furthermore, there was a flaw with the validation logic for memory allocations. Since the validation logic also did not detect anything wrong with the memory allocation logic, the driver simply proceeded to operate as usual. Owing to improper memory allocation, this caused the driver to crash with PAGE_FAULT_IN_NONPAGED_AREA error."

16

7 Comments

🚀 Excited to announce our latest paper: "SecureFalcon: Are We There Yet in Automated Software Vulnerability Detection with LLMs?" 🔍 Abstract: Software vulnerabilities pose significant risks, including crashes, data loss, and security breaches, compromising software quality and market adoption. Traditional bug-fixing methods often fall short, with static analysis producing false positives and formal verification being resource-intensive. ✨ Introducing SecureFalcon: An innovative model architecture with just 121 million parameters, derived from Falcon-40B, explicitly tailored for classifying software vulnerabilities. Trained on the FormAI dataset and the comprehensive FalconVulnDB, SecureFalcon identifies the top 25 most dangerous software weaknesses with remarkable accuracy. 🎯 Performance Highlights: - Achieves 94% accuracy in binary classification - Up to 92% accuracy in multiclassification - Instant CPU inference times - Outperforms models like BERT, RoBERTa, CodeBERT, and traditional ML algorithms Link to the paper: https://lnkd.in/dHMAmigQ Co-authored by: Mohamed Amine Ferrag, PhD, Ammar Battah, Norbert Tihanyi, PhD, Ridhi Jain, Diana Maimut, Fatima Alwahedi, Thierry Lestable, Ph.D, Narinder Thandi, Abdechakour Mechri, Merouane Debbah, and Lucas Cordeiro. Join us as we push the boundaries of software vulnerability detection and instant code completion frameworks. Your thoughts and feedback are most welcome! #CyberSecurity #MachineLearning #SoftwareVulnerabilities #SecureFalcon #Research #LLMs #Falcon

108

1 Comment

📚 tl;dr sec 230 BSidesSF & RSA Summaries, Cloud-Native Threat Modeling GPT, STS for GitHub ✨ Highlights 📺 Conference I wrote quick summaries of Caleb Sima's BSidesSF keynote, and Evan J Johnson's talk on Startup Security 2.0. + a nice summary of RSA announcements by SecurityWeek. 👨‍💻 AppSec 👨‍💻 - PostgreSQL Database Security Assessment Tool - Misconfig Mapper: detect security misconfigurations at scale - Intigriti - PCI DSS 4.0; Certificate Transparency Monitoring is mandatory! - Scott Helme ☁ Cloud Security ☁ - GCP IAM Brute: Tool to fuzz test permissions in GCP - scp-deny-making-agreements-purchases-and-reservations - Michael Kirchner - Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI - Willis Vandevanter - How an empty S3 bucket can make your AWS bill explode - Maciej Poćwierz 📦 Container Security 📦 - Tool to check Kubernetes Clusters for Deprecated API Usage - DockerPhobia: Analyze and Slim Down Docker Images - Tommy De Rossi - Hardened Container Images: Images for a Secure Supply Chain - John Speed Meyers ⛓ Supply Chain ⛓ - Chainguard releases octo-sts, STS for GitHub - Nearly 20% of Docker Hub Repositories Spread Malware & Phishing Scams - Andrey Polkovnichenko, Brian Moussalli, Shachar Menashe - How I hacked into Google’s internal corporate assets - Michael Hyndman 🛡 Blue Team 🛡 - Tool to aid in parsing protocols using Zeek, designed for ICS - ATT&CK v15: Upgraded Detections, New Analytic Format, & Cross-Domain Adversary Insights - Amy Robertson 😈 Red Team 😈 - A PoC for using Microsoft Windows printers for persistence/C2 - New tool: okta-terrify 🤖 AI + Security 🤖 - Cloud-Native Threat Modeling GPT - Jon Zeolla - Threat Actor use of AI - Rachel James - Companies Are Just a Graph of Algorithms - Daniel Miessler and much more! https://lnkd.in/gVn-VJ2u #cybersecurity #infosec #security #ciso #ai

79

3 Comments

Zoom has come a long way, from originally using AES-ECB mode to encrypt video (hint: that's very bad) to implementing PQC algos: https://lnkd.in/g88-FbTg

8

This post highlights the vital importance of FedRAMP's focus on vulnerability scanning. Any missteps in this area can cause substantial delays in receiving authorization, even if all other FedRAMP controls are met. #FedRAMP #CyberSecurity

7

Establishing a security baseline for open source projects: In this Help Net Security interview, Dana Wang, Chief Architect at OpenSSF, discusses the most significant barriers to improving open-source software security (OSS security) and opportunities for overcoming these challenges. The OpenSSF community has developed open-source security tools and projects, aiming to make security the default and promote a collaborative effort to strengthen the security posture of open-source ecosystems. What are the most significant barriers to improving OSS security, and what opportunities exist for overcoming … More → The post Establishing a security baseline for open source projects appeared first on Help Net Security.

1

Vulnerability detection software tends to either hurt application performance or fall short in accuracy. With Datadog Code Security, you get a production-ready, IAST-based solution that has earned a 100% score in the OWASP Benchmark test. Read more: https://lnkd.in/g9Cphz9N

99

1 Comment

I just listened to an episode of Kitecast with Debra Farber. Debra's comprehensive exploration of data privacy, privacy engineering, and the critical role of integrating privacy into product development was very interesting. Catch the episode here: https://lnkd.in/guiuzbTi #dataprivacy #podcast #cybersecurity #Kiteworks #Kitecast

12

July 2024 #Free Webinar Week 1 (2 CPEs)   Session 1: Building and Scaling Continuous Security-Compliance   Date & Time: July 11, 2024 6:00 PM PDT - 7:00 PM PDT   Speaker: Chintan P., Head of Product & Design, LVT (LiveView Technologies)   A practical guide on building and scaling a world class security programs.   Register here: https://lnkd.in/gCVr26cf   #ISACASV #ISACA #webinar #Compliance #Security Session 2: Preparing an effective info security compliance program for a small-and-medium business (SMB) to build trust for their service-offering   Date & Time: July 11, 2024 7:00 PM PDT - 8:00 PM PDT Speaker: Sanjay Mathur CISSP, CISM, CRISC, Partner and Info Security Professional, Frictionless Security Typically, small, and medium businesses (SMBs) are hard pressed on budget, time, and resources. Yet, they have demands of the third-party risk management (TPRM) programs of their potential corporate buyers to demonstrate trust around their service-offerings. This requires an information security and compliance program, and preparedness for an independent and objective audit and certification of their management assertion on the trustworthiness of their services.  Based on a couple of real-life scenarios of our clients, this presentation will discuss the challenges, roadblocks, and pitfalls in setting up an info security compliance program for an SMB   Register here: https://lnkd.in/gCVr26cf     #ISACASV #ISACA #webinar #Compliance #Trust

20

2 Comments

Last week was undoubtedly “PQC Week,” with an abundance of news highlighting advancements in Post-Quantum Cryptography (#PQC). From Zoom's announcement of PQC KEM integration to the US Government urging federal contractors to enhance encryption once NIST finalizes standards for Dilithium (Module-Lattice-Based Digital Signature Standard - ML-DSA FIPS-204) and SPHINCS+ (Stateless Hash-Based Digital Signature Standard - SLH-DSA - FIPS-205), it’s clear that PQC is making headlines. Few Highlights: Enterprise Initiatives: Zoom has taken a significant step by incorporating PQC Key Encapsulation Mechanisms (KEM) into their products, demonstrating a commitment to future-proofing their security. Government Mandates: The US Government is pushing federal contractors to adopt stronger encryption protocols swiftly, in line with National Institute of Standards and Technology (NIST)'s upcoming standards for FIPS-204 and FIPS-205. This underscores the critical need to transition to PQC. Emphasizing Crypto-Agility: While moving towards PQC is essential, the first step should be achieving #crypto-agility. Regardless of the strategy for adopting stronger encryption algorithms or regulatory requirements, it’s crucial to start with a comprehensive discovery and inventory of cryptographic assets. Discovery Solutions: Effective migration to PQC begins with a thorough discovery process. Identifying all cryptographic assets within an environment ensures a strategic and efficient transition, laying a solid foundation for implementing quantum-resistant algorithms. This essentially will act as the first Cryptography Bill of Materials (CBOM) for your organization. A journey of a thousand miles begins with a single step. For PQC, that step is a deep and wide discovery of your cryptographic landscape. https://lnkd.in/gUjaP6rV

97

4 Comments

There's a Lunar Backdoor? "ESET Research discovered two previously unknown backdoors – LunarWeb and LunarMail – used in the compromise of a European MFA and its diplomatic missions. LunarWeb, deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications. Both backdoors employ the technique of steganography, hiding commands in images to avoid detection. Both backdoors utilize a loader that uses the DNS domain name for decryption of the payload, share portions of their codebases, and have the unusual capability of being able to execute Lua scripts. The loader can have various forms, including trojanized open-source software, demonstrating the advanced techniques used by the attackers."

1

Attention cloud security professionals! A critical vulnerability has been discovered in a cloud logging service that could allow attackers to take control of cloud environments. This vulnerability affects all major cloud platforms, so it's important to take action immediately. The vulnerability is due to a flaw in how the service parses trace requests. Hackers could exploit this flaw to steal data, crash the service, or even gain remote access to a cloud environment. I recommend that you read the full article for more details on the vulnerability and how to patch it. In the meantime, here are some steps you can take to mitigate the risk: * Update your cloud logging service to the latest version. * Enable logging for all cloud activity. * Monitor your logs for suspicious activity. By taking these steps, you can help to protect your cloud environment from this critical vulnerability. * https://lnkd.in/g9EEDeEV

8

No LLM is secure! But there is hope in using Short Circuiting (https://lnkd.in/gh5eefB5) Problem 1: Current alignment techniques can be easily bypassed by adversaries. (https://lnkd.in/gypvde78) Problem 2: Adversarial robustness often comes at the cost of degraded performance, to the point the system becomes undeployable. (https://lnkd.in/ggS74BX4) Problem 3: Adversarial training offers no guarantees against unknown attacks. #LLM #GenerativeAI #Security

51

3 Comments