Kategorie

Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability codenamed the Dirty Stream attack that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory. "The implications of this vulnerability pattern include arbitrary code execution and token theft, Newsroomhttp://www.blogger.com/profile/[email protected]

Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to streamline the management of hybrid cloud environments. While RHEL 7.9 received four more years of support, RHEL 7 Extended Life Cycle Support (ELS) is a one-time extension and may not be seen with other RHEL versions. Thus, Red Hat urges users to upgrade to RHEL 9.4 . This latest version enhances management and automation capabilities while providing proactive support for building standard operating environments (SOEs) for distributed systems.

A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the REvil ransomware group orchestrated more than 2,500 ransomware attacks and demanded ransom payments in

A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the REvil ransomware group orchestrated more than 2,500 ransomware attacks and demanded ransom payments in Newsroomhttp://www.blogger.com/profile/[email protected]

Sriram Karra and Christiaan Brand, Google product managers

Last year, Google launched passkey support for Google Accounts. Passkeys are a new industry standard that give users an easy, highly secure way to sign-in to apps and websites. Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts.

As more users encounter passkeys, we’re often asked questions about how they relate to security keys, how Google Workspace administrators can configure passkeys for the user accounts that they manage, and how they relate to the Advanced Protection Program (APP). This post will seek to clarify these topics.

Passkeys and security keys

Passkeys are an evolution of security keys, meaning users get the same security benefits, but with a much simplified experience. Passkeys can be used in the Google Account sign-in process in many of the same ways that security keys have been used in the past — in fact, you can now choose to store your passkey on your security key. This provides users with three key benefits:

• Stronger security. Users typically authenticate with passkeys by entering their device’s screen lock PIN, or using a biometric authentication method, like a fingerprint or a face scan. By storing the passkey on a security key, users can ensure that passkeys are only available when the security key is plugged into their device, creating a stronger security posture.

• Flexible portability. Today, users rely on password managers to make passkeys available across all of their devices. Security keys provide an alternate way to use your passkeys across your devices: by bringing your security keys with you.

• Simpler sign-in. Passkeys can act as a first- and second-factor, simultaneously. By creating a passkey on your security key, you can skip entering your password. This replaces your remotely stored password with the PIN you used to unlock your security key, which improves user security. (If you prefer to continue using your password in addition to using a passkey, you can turn off “Skip password when possible” in your Google Account security settings.)

Passkeys bring strong and phishing-resistant authentication technology to a wider user base, and we’re excited to offer this new way for passkeys to meet more user needs.

Google Workspace admins have additional controls and choice

Google Workspace accounts have a domain level “Allow users to skip passwords at sign-in by using passkeys” setting which is off by default, and overrides the corresponding user-level configuration. This retains the need for a user’s password in addition to presenting a passkey. Admins can also change that setting and allow users to sign-in with just a passkey.

When the domain-level setting is off, end users will still see a “use a security key” button on their “passkeys and security keys” page, which will attempt to enroll any security key for use as a second factor only. This action will not require the user to set up a PIN for their security key during registration. This is designed to give enterprise customers who have deployed legacy security keys additional time to make the change to passkeys, with or without a password.

Passkeys for Advanced Protection Program (APP) users

Since the introduction of passkeys in 2023, users enrolled in APP have been able to add any passkey to their account and use it to sign in. However users are still required to present two security keys when enrolling into the program. We will be updating the enrollment process soon to enable a user with any passkey to enroll in APP. By allowing any passkey to be used (rather than only hardware security keys) we expect to reach more high risk users who need advanced protection, while maintaining phishing-resistant authentication.

A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's delve into the details of the Spectre v2 exploit, its implications, and the measures being taken to mitigate its impact.

Several significant vulnerabilities have been found in the Thunderbird email client and Firefox web browser. An attacker could exploit these issues to disrupt services, obtain sensitive data, bypass security restrictions, perform cross-site tracing, run rogue programs on your computer, or escalate privileges on impacted systems.

Like antivirus software, vulnerability scans rely on a database of known weaknesses. That’s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn’t existed in the vulnerability management space. The benefits of using multiple scanning engines Generally speaking

Like antivirus software, vulnerability scans rely on a database of known weaknesses. That’s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn’t existed in the vulnerability management space. The benefits of using multiple scanning engines Generally speakingThe Hacker Newshttp://www.blogger.com/profile/[email protected]

Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the "

Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the "Newsroomhttp://www.blogger.com/profile/[email protected]

A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is CVE-2015-2051 (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to execute arbitrary

A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is CVE-2015-2051 (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to execute arbitrary Newsroomhttp://www.blogger.com/profile/[email protected]

Some of the most influential influencers on social media sites aren’t people, but computer-generated digital creations. And soon digital “people” will be commonplace in business. 

In the past, fabricated fake folks were built the old-fashioned way — using Generative Adversarial Networks (GAN) AI technology (the process behind video deepfakes). Nowadays, phony friends are build using LLM-based genAI tools.

One early digital influencer on Instagram, named Lil Miquela, has been 19 years old since 2016, is worth millions of dollars and was named one of the 25 most influential people on the Internet back in 2018, despite not being a person.

Other computer-generated influencers include Lu do Magalu, Shudu Gram, Imma, Ion Göttlich, K/DA, Bermuda, Thalasya and Aitana Lopez.

To me, the most fascinating dimension to the digital influencer phenomenon is the reaction of the public. Followers who presumably know these influencers are computer-generated actually leave comments on their posts, addressing the non-person as if they were capable of reading and understanding comments. 

It’s unsettling to think that these commenters don’t know they’re talking to a fake person, and also unsettling to think they do know — and comment anyway. Some commenters are themselves virtual influencers (no doubt playing the Instagram game of performative engagement on the accounts one wishes to steal followers from).

This is a clue to the future: A huge chunk of the public appears to be indifferent to whether the person who is “influencing” them is real or fake. 

Taking a cue from online AI influencers, businesses are starting to look at creating humans from scratch —or cloning existing humans in digital form. 

The avatar age

While non-existent social media influencers gain millions of followers, Silicon Valley’s heaviest hitters are hard at work to perfect virtual humans for business users. 

Of course, Apple, Microsoft and Meta are making huge strides with real-time avatars for communication. 

Meta’s most advanced tech — still in the lab — was demonstrated last year in an amazing video conversation between Lex Fridman and Mark Zuckerberg. 

These technologies are being employed for real-time communication. Replacing video, a 3D representation of you copies your mouth movements to match your actual voice, as well as facial expressions and body language for real-time, live communication. 

But another way to use these life-like puppets is to feed them a script, and let a computer-generated voice determine the mouth movements and all the rest. 

TikTok is already developing an AI-powered feature enabling virtual influencers to appear in video advertising on the platform. And Microsoft recently talked up an AI system called VASA-1, which can make what is basically a deepfake video, all from a single photograph and an audio clip. 

Microsoft says it won’t release the technology to the public, citing concern about possible misuse, but the technology’s existence suggests a future where people will be able to create versions of themselves (or others) via free smartphone apps. 

In fact, a company called Synthesia (backed by Nvidia) offers 160 canned AI humans, listed on a menu from which customers can choose. Users write the script (or use Synthesia’s ChatGPT-based tool to auto-create the script), then the avatar “reads” the script using natural looking mouth movements, gestures and facial expressions. The result is a polished presentation in any of 130 languages, and the final presentation is user-editable.

Why do this? For starters, Synthesia claims its product cuts video presentation creation time by 90% and dramatically reduces cost. And, of course, the multi-language feature is fantastic for companies with global reach.

Now, Synthesia is working on technology designed to turn users into avatars — full-body digital clones that are hard to tell from the real person. 

It starts with a full-body scan. From that point forward, the user has possession of a photorealistic digital double who can do all the presentations and other video content that would normally be done personally. The AI clone takes emotive cues from the words in the script, smiling during light moments, looking appropriately sad delivering bad news. The ability to convey non-verbal communication naturally is the result of Synthesia’s Express-1 AI model, which itself was trained using professional actors. 

The benefit here is that you can give high-quality video presentations without a camera or a microphone — you can build it from an airplane or the beach. Plus, you speak 130 languages and never age. 

When your clone gets an AI brain

But far more interesting than an avatar that looks and acts like you is one that thinks and communicates like you — a virtual you with an AI brain for interacting with others on your behalf. 

Meta is working on tech called “Creator A.I.” that will enable real Instagram influencers to create fake digital AI versions of themselves to interact with fans through direct messages and comments. That initiative is a glimpse of the near future of business communication. 

We’ve been talking about “digital transformation” for a decade. But it’s only recently when that transformation involved digitizing ourselves. 

Businesses are now looking to embrace the concept of digital avatars for all the same reasons as other digital transformation initiatives: Higher productivity and lower costs. This process involves the cloning of existing people. 

Any day now, an industry will emerge where your face and body are scanned, your voice is recorded and your communications are fed into the system, so it knows how you use words. From that point, a virtual version of you can leave high-resolution video messages from a simple command you give to your AI glasses. 

In other words, you say: “Send Janet a message and let her know I’ll be late.” Then Janet receives a video of “you” telling her you’ll be late. When she asks where you are now, the digital video you will tell her based on your current location. When she tells the digital you that she can’t meet late today, and that we should schedule it for another time, the video you says: “Ok, no problem. How about tomorrow, same time?” You get a notification and, after your approval, the meeting is rescheduled on your calendar. 

Likewise, when someone tries to video call you and you don’t answer, the virtual you can take your place and try to handle whatever business comes via the call.

Within a few short years, this technology will advance to the point where nobody can be sure whether they’re doing a video call with you or your AI clone. 

Presentations, pitches, training and other forms of communication you’d normally be recorded doing will be created in far less time by simply uploading a script or even a cryptic, brief set of instructions or descriptions of what your digital self is supposed to communicate. And then the AI can create a solid, appealing, polished presentation delivered by you or, rather, your clone.

Whether the ubiquity of AI clones in business sounds creepy or exciting, I can tell you that it’s absolutely going to happen. 

The embrace of virtual humans in a business context — as weird as that is — should be approached like any other major digital initiative: Define the strategy, identify specific needs, evaluate and select the right technologies and providers, estimate ROI, focus on data privacy and regulatory compliance and all the rest.

If you’re feeling overwhelmed, don’t worry. Help is on the way. Soon you’ll have a clone of your own.

Augmented Reality, Emerging Technology, Generative AI, Virtual Reality

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild. Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild. Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email Newsroomhttp://www.blogger.com/profile/[email protected]

A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. "This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent

A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. "This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent Newsroomhttp://www.blogger.com/profile/[email protected]

As companies are scramble to get ahead in the artificial intelligence (AI) arms race, one problem the face is finding and retaining AI talent.

For example, Meta has been extending job offers to candidates with AI experience without even interviewing them, and CEO Mark Zuckerberg went so far as to email researchers at Google’s DeepMind unit to recruit talent.

According to a recent study led by the Oxford Internet Institute, “AI skills are particularly valuable as they have high levels of skill complementarity, increasing worker wages by 21% on average.”

Foote Partners, a recruitment, consulting and research firm, recently published its latest IT skills and pay index, which found, not surprisingly, that companies are paying premiums for workers with AI-related abilities.

Foote Partners recognizes 47 “critical A.I. skills,” and on average, employees who obtain those skills get a pay premium of 7% to 21%. Those premiums can come in different forms, including bonuses and cash compensation.

“This is cash paid out, not as a salary increase but in addition to salary,” said David Foote, chief analyst at Foote Partners. “In fact, 28 of these core AI skills can add between 15% and 21% in pay, well above the 9.6% average premium across all 632 non-certified skills we report. They are very hot right now.”

Cash premiums for skills such as AI chatbot app developer and large language model (LLM) tuning are paid out separately from salaries so that as needs are met and the value of those talents declines, the payouts can be reduced or eliminated.

“Perhaps the main difference with skills pay is, unlike a bonus, skills pay premiums are typically paid out at every pay period — same as salary — instead of a lump sum at the end of year, which is more common with bonuses,” Foote said.

In addition, more than a dozen AI-related certifications “are showing real market value strength,” he said. Those skills include prompt engineering, neural networks, AI engineer, AI scientist, and AI model optimization.

According to Foote, a Certified Artificial Intelligence Scientist earns the highest pay premium, ranging 8% to 12%, with the average being 10% of base salary equivalent,. The next highest cash pay premium in this cluster is for a Microsoft Certified: Azure AI Engineer Associate, who can earn 9% of base equivalent in skills premium pay.

Averaging 8% of base salary equivalent in skills pay premium are: SAS Certified Professional: AI and Machine Learning; IBM Certified Specialist — AI Enterprise Workflow V1; Artificial Intelligence Engineer (AIE – all tracks); and Google Professional Machine Learning Engineer certifications.

“We’ve been tracking some of these AI-related skills for many years, updating every 90 days,” Foote said. “Others have been recently added. So, given all the volatility in the marketplace for skills cash pay premiums, there have been remarkable changes over time ,including most recently.”

Foote Partner’s findings are echoed elsewhere. Freelance work platform Upwork, which recently published its 2024 list of most in-demand skills, found that the rise of AI — especially generative AI in the last couple of years — has changed the top skills businesses seek from independent professionals. In particular, generative AI modeling, machine learning and data analytics are the top three fastest-growing data science and analytics skills, as well as among the most in-demand skills.

“In particular, skills in key programming languages commonly used in the development of AI — Python, Java, and SQL — rank among the top five most sought-after skills on the technical side in the US,” Ya Xu, head of data and AI at LinkedIn, said in a blog post.

Machine learning skills can command at least a 10% premium compared to the average tech worker, according to a survey conducted at the end of 2023 by tech staffing firm Dice. “But this is a fast-moving market where the demand is growing rapidly,” said Art Zeile, CEO of Dice. “I predict that this premium will only continue to grow as the gap between supply and demand for AI talent grows, and offering benefits such as continuous professional development and training will be key to retaining this top talent.”

A key differentiator in the job interview process now involves how a tech professional has upskilled themselves in the face of the growing demand for AI, Zeile noted.

“Now is the time to ensure that their skill sets encompass [LLM] theory and programming architecture, areas that may have been overlooked or haven’t been delved into fully,” he said. “Recruiters are looking for tech professionals who are quick on their feet and able to adapt to changes with agility and curiosity.”

In January 2023, AI or machine learning-related skill sets were referenced on 9% of tech job postings. Just over a year later, in February 2024, that figure had climbed to nearly 14% of all tech job postings, according to Zeile.

“As AI continues to evolve, its impact on organizations will be most prominent in key departments such as research and development, data analytics, and operations,” Zeile said.

To secure top AI talent in these areas, Zeile advised that companies:

• Invest in comprehensive recruiting strategies that show a full understanding of what a particular AI role actually requires — whether it’s machine learning, Python, or data science skills for tech jobs, or other content-centric skills such as copy writing and graphic design. 
• Establish competitive salaries and provide opportunities for professional growth and development. 
• Offer flexibility in the form of hybrid/remote work environments. Dice’s 2023 Tech Sentiment Report noted that remote work remains very important to tech professionals: 73% of those surveyed said it is “extremely” or “very” important to have the opportunity to work remotely at least three days a week.

While Amazon, Google, Meta and Microsoft are among the top 15 companies hiring for AI talent right now, according to Dice, there are a variety of factors tech pros must consider determining if Big Tech is right for them.

“While these Big Tech companies offer many opportunities for individuals with AI skills, candidates should also consider startups and other industries that align with their career goals and work/life balance preferences that would also still give them the ability to learn and flex their AI muscles,” Zeile said.  “Ultimately, it is up to tech professionals to decide what companies most align with their values and what kind of industries they want to work in.”

Startups, Zeille said, often provide more room for innovation and growth, but may have less rigorous AI programs in place. At the same time, compensation at Big Tech companies might be higher, but work/life balance lower. Once a candidate has decided what is important to prioritize in their future role, they can job search accordingly. 

Generative AI, IT Jobs, IT Skills

Atlassian has developed a new search tool  —  Atlassian  Rovo — that can surface data from a variety of third-party apps. Rovo, currently in preview, provides a chatbot interface to help workers access information across their organization,and even decipher workplace jargon. 

“Atlassian Rovo is designed to unlock knowledge discovery and accelerate action across the organization,” said Jamil Valliani, head of product AI at Atlassian. “Think of Rovo as a large knowledge model for your company that allows team members to move and act faster.”

There are three key elements to Rovo: Search, Chat, and Agents. 

Rovo Search expands on existing search functions in Atlassian apps, with the ability to access documents from a range of external sources in addition to data held in tools such as Jira and Confluence. This means surfacing information in third-party productivity tools such as Slack, Microsoft Teams, Figma and GitHub, as well as file storage platforms such as Google Drive and Microsoft SharePoint.  

Atlassian Rovo can help surface information and answer questions about technical jargon based on access to coporate documents.

Atlassian

Atlassian also plans to let Rovo access data from in-house applications, including finance or HR apps.

One way to access Rovo search is via the search bar in various Atlassian apps. A list of search results containing related documents is presented, as well as more detailed “knowledge cards” that present information relating to a project, for instance, or a team. Here, the knowledge card might contain links to related files, as well as information on project status, listed contributors, and more.  

Rovo Search can also learn and explain unfamiliar jargon specific to an industry or individual business based on the organization’s documents. This enables Rovo to provide definitions for acronyms and terms that appear within a Confluence document, for exam-le. It’s proved to be a popular feature, Atlassian said, and is used by three-quarters of staff testing Rovo. 

A semantic search function helps teams “connect with what they are looking for,” said Julie Mohr, principal analyst at Forrester, as well as “knowledge they didn’t know existed.” This helps employees “work the way they want to work with a comprehensive set of expressive tools — from video to pages, structured and unstructured, it is all knowledge,” she said. 

Another way to search for information is via Rovo Chat. Similar to the conversational interfaces in Microsoft’s Copilot, OpenAI’s ChatGPT, and others, the chatbot responds to user questions in natural language, with answers based on data held in documents across an organization. Links are provided to the original source.

Atlassian Rovo Chat uses genAI and a chatbot interface with natural language processing to deliver information to users.

Atlassian

Another aspect of Rovo that relies on generative AI is the addition of workflow automation “agents.” Accessible via the Rovo Chat sidebar, the Rovo Agents are tailored to a specific task. For instance, Rovo Agents can be designed to generate and review marketing content, collate feedback from various sources, or streamline processes such as clearing up Jira backlogs and organizing Confluence pages. 

Users can create their own Rovo Agents using a no-code text interface or Atlassian’s Forge app development platform. Atlassian expects there will be around 20 pre-built agents available when Rovo launches. 

Canva’s design software is an example of an Atlassian partner building its own agent. “There’s going to be a Canva agent that helps with generating simple artwork for social media posts, things that you don’t need an expert designer to do,” said Valliani. 

Atlassian Rovo agents are tailored to specific tasks and can include agents built by third-party vendors.

Atlassian

“Generative AI  has so much potential in knowledge management,” said Mohr. “Atlassian is taking the power of Confluence and improving those capabilities with sound knowledge management practices combined, with new features that take advantage of genAI.”

Making it easier to access information across an organization also means there’s potential for users to access sensitive documents. Atlassian said Rovo will respect permissions around the content it has access to, with restricted data in third-party apps remaining private.

As with any API or integration, businesses should assess risks when connecting to external systems and ensure that adequate permissions are in place around documents, said Mohr. But those risks shouldn’t put businesses off from widening access to information held across their organization, she said.

“[T]hink of all the undiscovered knowledge, all the ideas that are locked up in folders and private stores,” said Mohr. “There is a cultural change that needs to take place, where people as well as the systems understand the value of free access to knowledge.” 

Opening employee access to a wider range of information can “empower more collaboration and learning,” said Mohr, with businesses able to restrict access “when it is genuinely needed for regulatory or compliance purposes.”

Atlassian customers can join a waitlist to access Rovo in beta. The general availability date hasn’t yet been announced. 

Rovo will be sold as an add-on alongside cloud editions of Atlassian products, with a flexible pricing model based on unique users. More details will be announced at the general availability launch.

Atlassian, Chatbots, Generative AI, Productivity Software, Vendors and Providers