Testers Challenge 2024 announced 

Posted in Commentary with tags on October 24, 2024 by itnerd

The annual Testers Challenge by TestDevLab has been announced, inviting anyone around the world to compete in the multi-level challenge for valuable prizes and the glory of being named a top tester in the world. The competition will go live on November 7 and run until November 18. It is made up of three stages at three complexity levels, in which participants look for software bugs and solve them using logical thinking to advance to the next level. The first three to reach the finish line will be crowned winners.

The challenge is created for people who like to tinker with tech and break things. This can range from professional software testers to people who just like to play around with software and logic puzzles. Each level will have one problem that needs to be solved, ranging from functional, security, and accessibility topics to audiovisual bugs and challenges. Interested participants are invited to try out the warmup round on the Testers Challenge website to get a taste of what lies ahead.

The Testers Challenge has been hosted for four years. The previous Testers Challenge had over 3,000 participants worldwide, and the first-place winner was an IT student from the UK. 

TestDevLab organizes a variety of initiatives for the testers community. In addition to the Testers Challenge, they also organize TDL School – a set of courses to develop a career in the software testing industry. 

This year, first, second, and third-place winners will have the chance to select their prize from the prize pot made up of an Oura Ring, InMotion V10F Unicycle, and Sony WH-1000XM5/L Wireless Noise-Cancelling Headphones. 

AI repository Hugging Face loaded with malicious files to steal info

Posted in Commentary with tags on October 23, 2024 by itnerd

OODA Loop reports today that “Hackers Have Uploaded Thousands Of Malicious Files To Hugging Face Repository” based on input from Protect AI.  

The OODA Loop story reads in part: “The old Trojan horse computer viruses that tried to sneak malicious code onto your system have evolved for the AI era,” said Ian Swanson, Protect AI’s CEO and founder.

  “The Seattle, Washington-based startup found over 3,000 malicious files when it began scanning Hugging Face earlier this year. Some of these bad actors are even setting up fake Hugging Face profiles to pose as Meta or other technology companies to lure downloads from the unwary, according to Swanson. A scan of Hugging Face uncovered a number of fake accounts posing as companies like Facebook, Visa, SpaceX and Swedish telecoms giant Ericsson. One model, which falsely claimed to be from the genomics testing startup 23AndMe, had been downloaded thousands of times before it was spotted…”

Mali Gorantla, Chief Scientist at AppSOC, had this to say:

  “It should surprise no one that Hugging Face has become a magnet for malware and bad actors. In the last year, the number of AI models available on Hugging Face has tripled, now topping 1 million. Data scientists and AI developers love experimenting with this vast amount of open-source data to build and train new AI applications. The problem is that most security teams have little visibility into what models or datasets have been downloaded or where they exist. I can’t think of a more obvious place to embed malware, infiltrate corporate defenses, and hide your tracks.”

Security teams need to change their tactics so that they have visibility into what models and datasets land in their environments and are able to uncover this sort of thing, because this is clearly the next “big thing” that threat actors are engaged in.
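One concrete way to get that visibility is to inventory what has actually been pulled down onto developer machines and CI runners and flag anything that deserves a second look. The script below is an added example, not code from the original post, Protect AI or Hugging Face. It assumes the standard hub cache layout (`models--<org>--<name>/snapshots/<revision>/…`), a hypothetical list of publisher orgs the security team has vetted (which is how a lookalike org posing as Meta gets caught), and a constructed sample cache built in a temporary directory so it runs offline. It also flags weight files in formats that are pickle-based under PyTorch’s default serialization, since those can execute code when loaded.

```python
"""Inventory a local Hugging Face hub cache and flag models that need review.

Added example; not code from the original post, Protect AI or Hugging Face.
Assumptions: the standard hub cache layout
    <cache>/models--<org>--<name>/snapshots/<revision>/<files>
a hypothetical list of publisher orgs the team has vetted, and a constructed
sample cache built in a temporary directory so the script runs offline.
"""
import tempfile
from pathlib import Path

# Hypothetical allowlist: publishers the security team has verified out of band.
APPROVED_PUBLISHERS = {"meta-llama", "google", "microsoft"}

# Weight formats that are pickle-based under PyTorch's default serialization
# and can therefore execute code when loaded; .safetensors is not in this set.
CODE_BEARING_SUFFIXES = {".bin", ".pt", ".pth", ".pkl", ".pickle"}


def parse_repo_dir(dirname: str):
    """Split 'models--<org>--<name>' into (org, name); None for other entries."""
    parts = dirname.split("--", 2)
    if len(parts) != 3 or parts[0] != "models":
        return None
    return parts[1], parts[2]


def inventory(cache_dir: Path) -> list:
    """Return one row per cached snapshot: publisher, model, revision, files, flags."""
    rows = []
    for repo_dir in sorted(cache_dir.iterdir()):
        parsed = parse_repo_dir(repo_dir.name)
        snapshots = repo_dir / "snapshots"
        if parsed is None or not snapshots.is_dir():
            continue
        org, model = parsed
        for rev_dir in sorted(snapshots.iterdir()):
            files = sorted(p.relative_to(rev_dir).as_posix()
                           for p in rev_dir.rglob("*") if p.is_file())
            flags = []
            if org not in APPROVED_PUBLISHERS:
                flags.append("unvetted-publisher")
            if any(Path(f).suffix in CODE_BEARING_SUFFIXES for f in files):
                flags.append("code-bearing-format")
            rows.append({"org": org, "model": model, "revision": rev_dir.name,
                         "files": files, "flags": flags})
    return rows


def build_sample_cache(root: Path) -> None:
    """Constructed cache: a vetted publisher, a lookalike org, and an unknown org."""
    layout = {
        "models--meta-llama--Llama-2-7b/snapshots/aaa111": ["config.json", "model.safetensors"],
        "models--meta-llama-official--Llama-2-7b/snapshots/bbb222": ["config.json", "pytorch_model.bin"],
        "models--somebody--toolkit/snapshots/ccc333": ["README.md", "model.safetensors"],
    }
    for rel, names in layout.items():
        snap = root / rel
        snap.mkdir(parents=True)
        for name in names:
            (snap / name).write_text("constructed placeholder content\n")


def demo() -> list:
    """Build the sample cache in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_cache(root)
        return inventory(root)


if __name__ == "__main__":
    for row in demo():
        status = ", ".join(row["flags"]) or "ok"
        print(f"{row['org']}/{row['model']}@{row['revision']}: {status}")
```

Pointed at a real cache directory instead of the constructed one, the same `inventory()` call gives a team the list of publishers and file formats it currently has no record of; the allowlist is the piece each organization has to maintain itself.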

ESET Bulks Up its ESET HOME Security Offerings to Protect Against AI-Driven Threats

Posted in Commentary with tags on October 23, 2024 by itnerd

 ESET today announced its upgraded consumer offering, ESET HOME Security, with new features, such as ESET Folder Guard, Multithread Scanning, and Identity Protection featuring Dark Web Monitoring. These enhancements to ESET HOME Security, as an all-in-one solution for consumers, correspond to the increasing number of advanced, automated, and AI-driven threats targeting individuals and address growing concerns about data privacy, ransomware attacks, phishing, and scams.  

ESET HOME Security is available across all major operating systems—Windows, macOS, Android, iOS—and covers all typical smart home devices. Improvements have been made to enhance the existing layers of protection, including upgrades to the Link Scanner and Password Manager. Security for Mac users has been improved with a new unified Firewall offering both basic and advanced setup options in the main Graphical User Interface (GUI).  

Some of the top new and improved features include:  

New Dark Web Monitoring — ESET Identity Protection is now available in Canada, providing users with advanced tools to safeguard their personal information. This feature scours the dark web, black market chat rooms, blogs, and other data sources for the illegal trading and selling of personal data. ESET’s cutting-edge technology delivers prompt alerts, enabling users to take immediate action and mitigate potential identity theft risks. 

New ESET Folder Guard — This technology helps protect Windows users’ valuable data from malicious apps and threats, such as ransomware, worms, and wipers (malware that can damage users’ data). Users can create a list of protected folders — files in these folders can’t be modified or deleted by untrusted applications.   

New Multithread Scanning — Improves scanning performance for multi-core processor devices using Windows by distributing scanning requests among available CPU cores. There can be as many scanning threads as the machine has processor cores. 

Improved Gamer Mode — This feature is for users who demand uninterrupted usage of their software without pop-up windows and want to minimize CPU usage. The improved version allows users to create a list of apps automatically starting gamer mode. For cautious players, there is also a new option to display interactive alerts while gamer mode is running.  

This robust all-in-one security product is an ideal solution for all who have concerns beyond general cybersecurity, and it includes privacy protection, identity protection, performance optimization, device protection, and smart home protection. Because in a world of advanced cyberthreats, quality matters. 

More information about the consumer offering and subscription tiers can be found here.

Unit 42 Research: Novel Jailbreaking Technique ‘Deceptive Delight’

Posted in Commentary with tags on October 23, 2024 by itnerd

Today, Palo Alto Networks Unit 42 shares that it has identified a new jailbreaking technique, ‘Deceptive Delight,’ which can bypass the safety guardrails of state-of-the-art LLMs to generate unsafe content. The findings highlight significant vulnerabilities in AI systems, revealing the urgent need for enhanced security measures to prevent the misuse of Gen AI technologies.

Key findings detail that Deceptive Delight:

  • Achieves a 65% attack success rate against open-source and proprietary AI models, significantly outperforming the 5.8% attack success rate achieved when sending unsafe topics directly to these models without using any jailbreak techniques.
  • Embeds unsafe topics within benign narratives, cleverly tricking LLMs into producing harmful content while focusing on seemingly harmless details.
  • Employs a multi-turn approach, where the model is prompted progressively across multiple interactions, enhancing both the relevance and severity of the unsafe output generated and increasing the likelihood of harmful content creation.

You can find the full blog here.

On Now! Nikon Pop-Up Experience at Yorkdale Mall

Posted in Commentary with tags on October 23, 2024 by itnerd

From now until October 24, Nikon Canada is hosting a Nikon Pop-Up Experience at Yorkdale Mall in Toronto!

Inspired by its heritage models, the Nikon Zfc and Zf cameras, Nikon’s Pop-Up takes the form of a retro diner with antique furniture and neon lights. Visitors also have the opportunity to check out Nikon’s latest cameras.

At the ‘Nikon Diner’ there will be an ‘IG Worthy’ vintage-style photobooth where visitors will be able to take home physical photos.

Guests will be encouraged to share their photobooth image on social using the #NikonCreators and #NikonDiner hashtags for a chance to win a Zfc kit! Visitors will also be able to engage in “diner chats” with Nikon ambassadors and creators, who will share photo and video tips and tricks.

Visit the ‘Nikon Diner’ at Yorkdale during mall hours between Oct 17th-24th! It is located right next to Canada Goose near Entrance E.

Wallarm Releases Q3 2024 API ThreatStats Report

Posted in Commentary with tags on October 23, 2024 by itnerd

Wallarm, a global leader in API security, today unveiled its API ThreatStats Report for Q3 2024, revealing critical insights into the increasing number of API vulnerabilities and breaches impacting industries worldwide. The report confirms the trend of increasing numbers of API vulnerabilities across sectors and an escalating threat landscape specifically targeting APIs due to their accessibility and valuable data.

Wallarm’s researchers uncovered a 21% increase in API vulnerabilities from the second quarter of 2024. Additionally, the vulnerabilities had an average Common Vulnerability Scoring System (CVSS) score of 7, with many scoring at 7.5, indicating high severity and reflecting how easily threat actors can exploit API issues. The substantial growth in discovered vulnerabilities highlights the expanding threat landscape, where APIs remain a primary target for cyberattacks across multiple sectors.

Key insights on API Q3 data breaches include:

  • Client-Side API Vulnerabilities Expose Hidden Risks Not Covered by the OWASP API Top-10: Many breaches this quarter, like those at Hotjar, Business Insider, and Explore Talent, originated from client-side API flaws, such as OAuth misconfigurations and Cross-Site Scripting (XSS), which the OWASP API Top-10 does not adequately address. Developers often mistakenly consider OAuth a security improvement, but it becomes a critical weakness when misconfigured, enabling account takeovers and large-scale data exposure. These incidents reveal that client-side API security needs more attention and a dedicated approach to prevent such breaches.
  • API Misconfigurations Amplify Breach Scale: Poorly secured APIs, especially those with weak authentication and authorization controls, lead to large-scale breaches because attackers can access and download entire datasets, not just isolated portions. This finding was evident in incidents at Deutsche Telekom and Fractal ID, where unauthenticated API access allowed attackers to exploit massive amounts of personal data, tariff information, and user tracking. Unlike traditional malware attacks that may target random subsets of data, API breaches often result in complete data extraction, making the impact far more severe.
  • APIs Are a Common Weak Link Across Diverse Industries: This summer’s breaches affected a wide range of sectors, from telecommunications (Deutsche Telekom) and transportation (Metro Pacific Tollways Corporation) to blockchain and Web3 platforms (Fractal ID). These incidents prove that no industry is immune, and API vulnerabilities are a universal challenge across traditional and cutting-edge tech landscapes. Securing APIs requires consistent, industry-wide efforts to address evolving attack vectors.
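The first two findings above come down to two checks that are easy to get wrong: an endpoint that never asks who is calling (so one request returns the whole table), and an OAuth redirect_uri comparison that is looser than exact matching. The code below is an added example, not from the Wallarm report or from any system it names; the records, bearer tokens, client registration and request objects are all constructed. It puts the weak version of each check beside the hardened one.

```python
"""Weak API configuration beside a hardened one.

Added example; not code from the Wallarm report or from any system it names.
Everything here is constructed: the records, the bearer tokens, the OAuth
client registration and the request objects. It models two of the report's
findings: an export endpoint that lets any caller pull the whole dataset, and
an OAuth redirect_uri check that is looser than exact matching.
"""
from dataclasses import dataclass, field

# Constructed dataset; each record belongs to exactly one account.
RECORDS = [
    {"id": 1, "owner": "alice", "email": "alice@example.com"},
    {"id": 2, "owner": "bob", "email": "bob@example.com"},
    {"id": 3, "owner": "alice", "email": "alice.work@example.com"},
    {"id": 4, "owner": "carol", "email": "carol@example.com"},
    {"id": 5, "owner": "alice", "email": "alice.old@example.com"},
]

# Constructed opaque bearer tokens and the account each one represents.
TOKENS = {"tok-alice-1": "alice", "tok-bob-1": "bob"}

MAX_PAGE_SIZE = 2  # hard cap: no single request returns more rows than this


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def weak_export(req: Request):
    """The misconfiguration: no authentication, no ownership filter, no page cap.
    Any anonymous caller downloads every record in one response."""
    return 200, list(RECORDS)


def hardened_export(req: Request):
    """Authenticate the bearer token, return only the caller's rows, and cap the page."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    user = TOKENS.get(token) if scheme == "Bearer" else None
    if user is None:
        return 401, {"error": "authentication required"}
    try:
        limit = max(1, min(int(req.query.get("limit", MAX_PAGE_SIZE)), MAX_PAGE_SIZE))
        offset = max(0, int(req.query.get("offset", 0)))
    except ValueError:
        return 400, {"error": "limit and offset must be integers"}
    owned = [r for r in RECORDS if r["owner"] == user]  # object-level authorization
    return 200, owned[offset:offset + limit]


# Constructed OAuth client registration: the exact redirect URIs each client may use.
REGISTERED_REDIRECTS = {"client-123": {"https://app.example.com/callback"}}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Prefix matching: any URI that merely starts with a registered value passes."""
    return any(redirect_uri.startswith(reg) for reg in REGISTERED_REDIRECTS.get(client_id, ()))


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact comparison against the registered set, the matching rule OAuth
    security guidance recommends."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


if __name__ == "__main__":
    anon = Request("/api/v1/customers")
    print("weak, anonymous:", weak_export(anon))
    print("hardened, anonymous:", hardened_export(anon))
    alice = Request("/api/v1/customers",
                    headers={"Authorization": "Bearer tok-alice-1"},
                    query={"limit": "1000"})
    print("hardened, alice asking for 1000 rows:", hardened_export(alice))
    tampered = "https://app.example.com/callback?next=https://elsewhere.example"
    print("weak redirect check:", weak_redirect_check("client-123", tampered))
    print("strict redirect check:", strict_redirect_check("client-123", tampered))
```

The page cap is the part that addresses the report’s point about scale: even a caller with a valid token gets at most `MAX_PAGE_SIZE` rows per request, so a leaked token turns into many logged requests rather than one silent bulk download.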

As detailed in the report, another key discovery this quarter is the integral role of API security in AI systems. There is no AI without APIs—they are essential in connecting models, data, and infrastructure. API vulnerabilities directly impact AI functionalities, and AI features can introduce unique vulnerabilities into APIs. Addressing AI exploits and API vulnerabilities is crucial for comprehensive security, as they are deeply interconnected.

The increase in API vulnerabilities emphasizes the urgency for businesses to stay vigilant and invest in comprehensive API security measures. Wallarm is the only solution that unifies best-in-class API protection and real-time blocking capabilities to protect the entire API and web application portfolio in multi-cloud, cloud-native, and on-premise environments and empowers organizations to defend against these growing threats.

To download the full API ThreatStats Q3 2024 Report, visit http://www.wallarm.com/resources/q324-api-threatstats-report.

The Internet Archive Has Been Pwned Again

Posted in Commentary with tags on October 22, 2024 by itnerd

The Internet Archive has experienced yet another breach, this time involving their Zendesk email support platform with 800+ support tickets, despite warnings about stolen GitLab authentication tokens by threat actors.

“It’s dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets,” reads an email from the threat actor.

Since Saturday night, BleepingComputer reported receiving multiple emails from individuals who got replies to old Internet Archive removal requests, alerting them to the breach caused by the organization’s failure to properly rotate their stolen authentication tokens.

Recipients of these emails told BleepingComputer that they had to upload personal identification when requesting the removal of a page from the Wayback Machine.

“Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine your data is now in the hands of some random guy. If not me, it’d be someone else,” the threat actor’s email continues.

Steve Hahn, EVP Sales US at BullWall, had this to say:

  “Multiple successive attacks are unfortunately the norm, not the exception. When a threat actor has a successful attack they have typically spent months in the environment undetected. They have worked for long-term persistence: setting up dozens or hundreds of backup accounts and credentials, running scripts to cover their tracks, setting up fresh, unprotected VMs, running vulnerability scans, and laying second-wave traps, such as embedding malicious macros into internal documents that will launch a whole new attack. The latter is quite crafty. We all know we shouldn’t “enable macros” on any file we get from an untrusted source, but when it’s on an internal share and it’s a document you use regularly, you have no hesitancy to hit the “enable macros” button. In terms of how often a company is hit in successive attacks, I’ve seen numbers as high as 78% and that does ring true to my personal observations.”

It’s bad enough that this site got pwned. But to get pwned three times is insane. Hopefully the Internet Archive takes steps to make sure that there is not a fourth time as this is pretty embarrassing.
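The step the threat actor’s email says was skipped is rotating the API keys that had already been exposed in the repository. You cannot rotate what you have not found, so the first job after a source-code leak is to enumerate every credential-looking value in the tree. The scanner below is an added example, not code from the Internet Archive, BleepingComputer or any tool named in this post; the key-name pattern, the entropy threshold and the sample settings file are all constructed. It matches assignments to credential-ish names and uses character entropy to separate live-looking tokens from placeholders, and it never echoes the value itself.

```python
"""Find credential-looking values in committed text so they can be rotated.

Added example; not code from the Internet Archive, BleepingComputer or any
tool named in the post. The key-name pattern, entropy threshold and the
sample file below are all constructed for illustration.
"""
import math
import re

# Assignment of a long value to a name that ends in a credential-ish word.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b([A-Za-z0-9_]*(?:api[_-]?key|token|secret|password))\s*[:=]\s*"
    r"[\"']?([A-Za-z0-9_\-./+=]{16,})"
)

DEFAULT_ENTROPY_THRESHOLD = 3.5  # bits per character; tuned on the sample below

SAMPLE_CONFIG = """\
# constructed sample: a settings file committed by mistake
ZENDESK_API_TOKEN = "q8Zr2Lk9Xv4Tn7Bw1Pc6Hd3Fj5Gm0Ys"
db_password = "changeme_changeme_changeme"
GITLAB_TOKEN = "<set from CI vault at deploy time>"
user = "alice"
# token rotation policy: 90 days
"""


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking credentials score high, placeholders low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, threshold: float = DEFAULT_ENTROPY_THRESHOLD) -> list:
    """Return candidate secrets as {line, key, entropy, preview}; the value is not echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_ASSIGNMENT.finditer(line):
            key, value = match.group(1), match.group(2)
            entropy = shannon_entropy(value)
            if entropy < threshold:
                continue  # placeholder or dictionary word, not a live credential
            findings.append({"line": lineno, "key": key, "entropy": round(entropy, 2),
                             "preview": f"{value[:4]}...({len(value)} chars)"})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['key']} looks like a live credential "
              f"({f['entropy']} bits/char, {f['preview']}) -> rotate and remove")
```

Every hit is a key to rotate at the issuing service, not just a line to delete: once it has been in a repository, removing it from the current commit does nothing about the copies that already exist elsewhere.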

New Targus rolling laptop case makes commuting effortless for those carrying a heavy workload

Posted in Commentary with tags on October 22, 2024 by itnerd

Targus today announced the arrival of its new 16” Transit 4-Wheel Rolling Laptop Case designed for commuting professionals and students who regularly carry a heavy workload. This durable, lightweight four-wheel roller simplifies mobile lifestyles by allowing professionals and students on the go to stay organized and productive throughout their day, while keeping their tech and gear protected. 

 According to a May 2024 Gallup survey that analyzed work arrangements and locations among U.S. full-time, remote-capable employees, 53% of respondents work in hybrid environments while 21% work on-site. Additionally, a recent Pew Research Center survey found that three in five American workers do not have jobs that can be carried out remotely. 

The 16” Transit 4-Wheel Rolling Laptop Case (TBR044GL) is a sleek, classic-looking laptop case that is durable, lightweight, and easy to maneuver with its smooth, four-wheel rolling design. It features a large main compartment for garments, files, or books and a secondary compartment with a padded sleeve to store and protect a 15-16” laptop. It has other travel-friendly features, as well, like a top quick-access pocket for small essentials, front pocket with organization panel, and hideaway telescopic handle that stores neatly away. It is perfectly suited for carrying through airport checkpoints and storing onboard a flight with ease and efficiency. Compact and lightweight, this rolling laptop case is 16.25”x8.0”x17.0” (L x W x H) and weighs ~5.31 lbs. while still offering plenty of spacious compartments for tech and personal items. Durable and made to last, this high-quality rolling laptop case is backed by a Limited Lifetime Warranty.

The new 16” Transit 4-Wheel Rolling Laptop Case can be purchased now at Targus.com and participating retailers. For additional product details, availability, and pricing, visit Targus.com.

Security Breach Exposes Data From UN Women 

Posted in Commentary with tags on October 22, 2024 by itnerd

Recently, cybersecurity researcher Jeremiah Fowler discovered an unsecured database revealing 115,000+ records and 228 GB of data tied to UN Women. This crucial organization aids global efforts to combat gender-based violence and champion women’s rights. 

The exposed data included highly sensitive materials like victims’ accounts, financial summaries, passport scans, staff lists, and funding requests. Some files contained personally identifiable information (PII) and confidential details, posing significant privacy risks for charity workers and beneficiaries.

You can read the detailed report here: https://www.vpnmentor.com/news/report-unwomen-breach/

Rogers And Other Canadian Telcos Have Given You A Great Reason To Ditch Using Their Hardware For Their TV Services

Posted in Commentary with tags on October 22, 2024 by itnerd

Rogers isn’t exactly well loved by Canadians. In fact, no Canadian telco really is. But Rogers specifically is in the crosshairs of many Canadians because of price increases that many Rogers customers weren’t specifically told of. A few Rogers customers went public with CBC a few days ago to express their displeasure.

Here’s the core issue. Rogers customers are seeing unexpected increases in TV box rental fees of $7 a month, something Rogers is able to do because it’s buried in the fine print of their contract. That in my opinion is fine if it is properly disclosed to customers before they sign on the dotted line. But in many of the cases that have come to light, that hasn’t happened. Thus customers are mad. To be fair, Rogers isn’t the only Canadian telco that does this. I’ve heard of TELUS and Bell doing something similar with their equipment rentals.

My advice is that if you must get TV from a big three telco, don’t rent their TV hardware. Bell has the Fibe TV app on a variety of platforms. TELUS has the TV+ app on the App Store and Play Store. Ditto for Rogers with their Ignite TV app on the App Store and Play Store. None of these options require you to rent hardware from any Canadian telco, and you get the same experience as if you did. Which means that you save money at the end of the day. Though I suspect that if there’s a critical mass of people switching to these options, the big three telcos will find some way to bill you extra for it.

It will be interesting to see what, if anything, the big three in general, and Rogers specifically, do to respond to this backlash from consumers. Because this kind of has the smell of the negative option billing fiasco that Rogers found itself in the middle of many years ago. Government outlawed the practice as a result of that fiasco, and one has to wonder if the same thing will happen here.