The head of Britain's domestic intelligence agency warned the country's leading research universities on Thursday that foreign states are targeting their institutions and imperilling national security. The Record: "We know that our universities are being actively targeted by hostile actors and need to guard against the threat posed to frontier research in the most sensitive sectors," said the deputy prime minister Oliver Dowden, who also attended the briefing. The threat requires "further measures," said the deputy PM, who announced that the government was launching a consultation with the sector so it could "do more to support our universities and put the right security in place to protect their cutting-edge research."

The briefing was delivered by Ken McCallum, the director general of MI5, alongside Dowden and the National Cyber Security Centre's interim chief executive, Felicity Oswald. It was made to the vice-chancellors of the Russell Group, a collective of the country's 24 leading universities. Among the range of measures being considered is having MI5, the domestic security agency, carry out security vetting on key researchers involved in a "small proportion of academic work, with a particular focus on research with potential dual uses in civilian and military life."

A now-abandoned USB worm that backdoors connected devices has continued to self-replicate for years since its creators lost control of it and remains active on thousands, possibly millions, of machines, researchers said Thursday. ArsTechnica: The worm -- which first came to light in a 2023 post published by security firm Sophos -- became active in 2019 when a variant of malware known as PlugX added functionality that allowed it to infect USB drives automatically. In turn, those drives would infect any new machine they connected to, a capability that allowed the malware to spread without requiring any end-user interaction. Researchers who have tracked PlugX since at least 2008 have said that the malware has origins in China and has been used by various groups tied to the country's Ministry of State Security.

For reasons that aren't clear, the worm creator abandoned the one and only IP address that was designated as its command-and-control channel. With no one controlling the infected machines anymore, the PlugX worm was effectively dead, or at least one might have presumed so. The worm, it turns out, has continued to live on in an undetermined number of machines that possibly reaches into the millions, researchers from security firm Sekoia reported. The researchers purchased the IP address and connected their own server infrastructure to "sinkhole" traffic connecting to it, meaning intercepting the traffic to prevent it from being used maliciously. Since then, their server continues to receive PlugX traffic from 90,000 to 100,000 unique IP addresses every day.

U.S. authorities consider DJI a security threat. Congress is weighing legislation to ban it [non-paywalled link], prompting a lobbying campaign from the company, which dominates the commercial and consumer drone markets. The New York Times: DJI is on a Defense Department list of Chinese military companies whose products the U.S. armed forces will be prohibited from purchasing in the future. As part of the defense budget that Congress passed for this year, other federal agencies and programs are likely to be prohibited from purchasing DJI drones as well. The drones -- though not designed or authorized for combat use -- have also become ubiquitous in Russia's war against Ukraine.

The Treasury and Commerce Departments have penalized DJI over the use of its drones for spying on Uyghur Muslims who are held in camps by Chinese officials in the Xinjiang region. Researchers have found that Beijing could potentially exploit vulnerabilities in an app that controls the drone to gain access to large amounts of personal information, although a U.S. official said there are currently no known vulnerabilities that have not been patched. Now Congress is weighing legislation that could kill much of DJI's commercial business in the United States by putting it on a Federal Communications Commission roster blocking it from running on the country's communications infrastructure.

The bill, which has bipartisan support, has been met with a muscular lobbying campaign by DJI. The company is hoping that Americans like Mr. Nordfors who use its products will help persuade lawmakers that the United States has nothing to fear -- and much to gain -- by keeping DJI drones flying. "DJI presents an unacceptable national security risk, and it is past time that drones made by Communist China are removed from America," Representative Elise Stefanik, Republican of New York and one of the bill's primary sponsors, said in an emailed statement this month.

Sam Altman of OpenAI and the chief executives of Nvidia, Microsoft and Alphabet are among technology-industry leaders joining a new federal advisory board focused on the secure use of AI within U.S. critical infrastructure, in the Biden administration's latest effort to fill a regulatory vacuum over the rapidly proliferating technology. From a report: The Artificial Intelligence Safety and Security Board is part of a government push to protect the economy, public health and vital industries from being harmed by AI-powered threats, U.S. officials said. Working with the Department of Homeland Security, it will develop recommendations for power-grid operators, transportation-service providers and manufacturing plants, among others, on how to use AI while bulletproofing their systems against potential disruptions that could be caused by advances in the technology.

In addition to Nvidia's Jensen Huang, Microsoft's Satya Nadella, Alphabet's Sundar Pichai and other leaders in AI and technology, the panel of nearly two dozen consists of academics, civil-rights leaders and top executives at companies that work within a federally recognized critical-infrastructure sector, including Kathy Warden, chief executive of Northrop Grumman, and Delta Air Lines Chief Executive Ed Bastian. Other members are public officials, such as Maryland Gov. Wes Moore and Seattle Mayor Bruce Harrell, both Democrats.

Thomas Claburn reports via The Register: Baltimore police have arrested Dazhon Leslie Darien, the former athletic director of Pikesville High School (PHS), for allegedly impersonating the school's principal using AI software to make it seem as if he made racist and antisemitic remarks. Darien, of Baltimore, Maryland, was subsequently charged with witness retaliation, stalking, theft, and disrupting school operations. He was detained late at night trying to board a flight at BWI Thurgood Marshall Airport. Security personnel stopped him because the declared firearm he had with him was improperly packed and an ensuing background check revealed an open warrant for his arrest.

"On January 17, 2024, the Baltimore County Police Department became aware of a voice recording being circulated on social media," said Robert McCullough, Chief of Baltimore County Police, at a streamed press conference today. "It was alleged the voice captured on the audio file belong to Mr Eric Eiswert, the Principal at the Pikesville High School. We now have conclusive evidence that the recording was not authentic. "The Baltimore County Police Department reached that determination after conducting an extensive investigation, which included bringing in a forensic analyst contracted with the FBI to review the recording. The results of the analysis indicated the recording contained traces of AI-generated content." McCullough said a second opinion from a forensic analyst at the University of California, Berkeley, also determined the recording was not authentic. "Based off of those findings and further investigation, it's been determined the recording was generated through the use of artificial intelligence technology," he said.

According to the warrant issued for Darien's arrest, the audio file was shared through social media on January 17 after being sent via email to school teachers. The recording sounded as if Principal Eric Eiswert had made remarks inflammatory enough to prompt a police visit to advise on protective security measures for staff. [...] The clip, according to the warrant, led to the temporary removal of Eiswert from his position and "a wave of hate-filled messages on social media and numerous calls to the school," and significantly disrupted school operations. Police say it led to threats against Eiswert and concerns about his safety. Eiswert told investigators that he believes the audio clip was fake as "he never had the conversations in the recording." And he said he believed Darien was responsible due to his technical familiarity with AI and had a possible motive: Eiswert said there "had been conversations with Darien about his contract not being renewed next semester due to frequent work performance challenges." "It is clear that we are also entering a new deeply concerning frontier as we continue to embrace emerging technology and its potential for innovation and social good," said John Olszewski, Baltimore County Executive, during a press conference. "We must also remain vigilant against those who would have used it for malicious intent. That will require us to be more aware and more discerning about the audio we hear and the images we see. We will need to be careful in our judgment."

prisoninmate shares a report from 9to5Linux: Canonical released today Ubuntu 24.04 LTS (Noble Numbat) as the latest version of its popular Linux-based operating system featuring some of the latest GNU/Linux technologies and Open Source software. Powered by Linux kernel 6.8, Ubuntu 24.04 LTS features the latest GNOME 46 desktop environment, an all-new graphical firmware update tool called Firmware Updater, Netplan 1.0 for state-of-the-art network management, updated Ubuntu font, support for the deb822 format for software sources, increased vm.max_map_count for better gaming, and Mozilla Thunderbird as a Snap by default.

It also comes with an updated Flutter-based graphical desktop installer that's now capable of updating itself and features a bunch of changes like support for accessibility features, guided (unencrypted) ZFS installations, a new option to import auto-install configurations for templated custom provisioning, as well as new default installation options, such as Default selection (previously Minimal) and Extended selection (previously Normal)."

An anonymous reader quotes a report from the New York Times: The Federal Communications Commission voted on Thursday to restore regulations that expand government oversight of broadband providersand aim to protect consumer access to the internet, a move that will reignite a long-running battle over the open internet. Known as net neutrality, the regulations were first put in place nearly a decade ago under the Obama administration and are aimed at preventing internet service providers like Verizon or Comcast from blocking or degrading the delivery of services from competitors like Netflix and YouTube. The rules were repealed under President Donald J. Trump, and have proved to be a contentious partisan issue over the years while pitting tech giants against broadband providers.

In a 3-to-2 vote along party lines, the five-member commission appointed by President Biden revived the rules that declare broadband a utility-like service regulated like phones and water. The rules also give the F.C.C. the ability to demand broadband providers report and respond to outages, as well as expand the agency's oversight of the providers' security issues. Broadband providers are expected to sue to try to overturn the reinstated rules.

The core purpose of the regulations is to prevent internet service providers from controlling the quality of consumers' experience when they visit websites and use services online. When the rules were established, Google, Netflix and other online services warned that broadband providers had the incentive to slow down or block access to their services. Consumer and free speech groups supported this view. There have been few examples of blocking or slowing of sites, which proponents of net neutrality say is largely because of fear that the companies would invite scrutiny if they did so. And opponents say the rules could lead to more and unnecessary government oversight of the industry.

An anonymous reader quotes a report from MIT Technology Review: Almost all keyboard apps used by Chinese people around the world share a security loophole that makes it possible to spy on what users are typing. The vulnerability, which allows the keystroke data that these apps send to the cloud to be intercepted, has existed for years and could have been exploited by cybercriminals and state surveillance groups, according to researchers at the Citizen Lab, a technology and security research lab affiliated with the University of Toronto.

These apps help users type Chinese characters more efficiently and are ubiquitous on devices used by Chinese people. The four most popular apps -- built by major internet companies like Baidu, Tencent, and iFlytek -- basically account for all the typing methods that Chinese people use. Researchers also looked into the keyboard apps that come preinstalled on Android phones sold in China. What they discovered was shocking. Almost every third-party app and every Android phone with preinstalled keyboards failed to protect users by properly encrypting the content they typed. A smartphone made by Huawei was the only device where no such security vulnerability was found.

In August 2023, the same researchers found that Sogou, one of the most popular keyboard apps, did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server for better typing predictions. Without TLS, a widely adopted international cryptographic protocol that protects users from a known encryption loophole, keystrokes can be collected and then decrypted by third parties. Even though Sogou fixed the issue after it was made public last year, some Sogou keyboards preinstalled on phones are not updated to the latest version, so they are still subject to eavesdropping. [...] After the researchers got in contact with companies that developed these keyboard apps, the majority of the loopholes were fixed. But a few companies have been unresponsive, and the vulnerability still exists in some apps and phones, including QQ Pinyin and Baidu, as well as in any keyboard app that hasn't been updated to the latest version.

Google is delaying the end of third-party cookies in Chrome -- again. This marks the third time Google pushed back its original deadline set in January 2020, when the company said it would phase out third-party cookies "within two years" to improve internet security. Digiday reports: The announcement was made on Tuesday ahead of quarterly reports from Google and the ever-watchful U.K. Competition and Markets Authority (CMA), keeping tabs on how this whole situation unfolds.

"We recognize that there are ongoing challenges related to reconciling divergent feedback from the industry, regulators and developers, and will continue to engage closely with the entire ecosystem," according to a statement Google posted on its website for the Privacy Sandbox. "It's also critical that the CMA has sufficient time to review all evidence including results from industry tests, which the CMA has asked market participants to provide by the end of June. Given both of these significant considerations, we will not complete third-party cookie deprecation during the second half of Q4."

Google did not outline a more specific timetable beyond hoping for 2025. [...] "We remain committed to engaging closely with the CMA and ICO and we hope to conclude that process this year," Google's statement read. "Assuming we can reach an agreement, we envision proceeding with third-party cookie deprecation starting early next year." "We welcome Google's announcement clarifying the timing of third-party cookie deprecation. This will allow time to assess the results of industry tests and resolve remaining issues," said a spokesperson from the CMA. "Under the commitments, Google has agreed to resolve our remaining competition concerns before going ahead with third-party cookie deprecation. Working closely with the ICO we expect to conclude this process by the end of 2024."

At the start of the year, Google started purging third-party cookies for one percent of browser traffic.

An anonymous reader quotes a report from Wired: Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world. On Wednesday, Cisco warned that its so-called Adaptive Security Appliances -- devices that integrate a firewall and VPN with other security features -- had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored. "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," a blog post from Cisco's Talos researchers reads. Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. "The investigation that followed identified additional victims, all of which involved government networks globally," the company's report reads. In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances. Cisco advises that customers apply its new software updates to patch both vulnerabilities.

A separate advisory (PDF) from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. "A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself," the advisory reads.

According to the Wall Street Journal, a deal for IBM to acquire HashiCorp could materialize in the next few days. Shares of HashiCorp jumped almost 20% on the news.

UPDATE 4/24/24: IBM has confirmed the deal valued at $6.4 billion. "IBM will pay $35 per share for HashiCorp, a 42.6% premium to Monday's closing price," reports Reuters. "The acquisition will be funded by cash on hand and will add to adjusted core profit within the first full year of closing, expected by the end of 2024." HashiCorp's shares continued to surge Tuesday on the news. CNBC reports: Developers use HashiCorp's software to set up and manage infrastructure in public clouds that companies such as Amazon and Microsoft operate. Organizations also pay HashiCorp for managing security credentials. Founded in 2012, HashiCorp went public on Nasdaq in 2021. The company generated a net loss of nearly $191 million on $583 million in revenue in the fiscal year ending Jan. 31, according to its annual report. In December, Mitchell Hashimoto, co-founder of HashiCorp, whose family name is reflected in the company name, announced that he was leaving.

Revenue jumped almost 23% during that period, compared with 2% for IBM in 2023. IBM executives pointed to a difficult economic climate during a conference call with analysts in January. The hardware, software and consulting provider reports earnings on Wednesday. Cisco held $9 million in HashiCorp shares at the end of March, according to a regulatory filing. Cisco held early acquisition talks with HashiCorp, according to a 2019 report.

Andy Greenberg reports via Wired: More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data. In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would "cover a substantial proportion of people in America."

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack -- and the profit AlphV extracted from it -- will lead ransomware gangs to further target health care companies. "It 100 percent encourages other actors to target health care organizations," Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. "And it's one of the industries we don't want ransomware actors to target -- especially when it affects hospitals." Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.

An anonymous reader quotes a report from Ars Technica: There's a new Linux distro on the scene today, and it's a bit specialized. Its development was led by the automotive electronics supplier Elektrobit, and it's the first open source OS that complies with the automotive industry's functional safety requirements. [...] With Elektrobit's EB corbos Linux for Safety Applications (that sure is a long name), there's an open source Linux distro that finally fits the bill, having just been given the thumbs up by the German organization TUV Nord. (It also complies with the IEC 61508 standard for safety applications.) "The beauty of our concept is that you don't even need to safety-qualify Linux itself," said Moritz Neukirchner, a senior director at Elektrobit overseeing SDVs. Instead, an external safety monitor runs in a hypervisor, intercepting and validating kernel actions.

"When you look at how safety is typically being done, look at communication -- you don't safety-certify the communication specs or Ethernet stack, but you do a checker library on top, and you have a hardware anchor for checking down below, and you insure it end to end but take everything in between out of the certification path. And we have now created a concept that allows us to do exactly that for an operating system," Neukirchner told me. "So in the end, since we take Linux out of the certification path and make it usable in a safety-related context, we don't have any problems in keeping up to speed with the developer community," he explained. "Because if you start it off and say, 'Well, we're going to do Linux as a one-shot for safety,' you're going to have the next five patches and you're off [schedule] again, especially with the security regulation that's now getting toward effect now, starting in July with the UNECE R155 that requires continuous cybersecurity management vulnerability scanning for all software that ends up in the vehicle."

"In the end, we see roughly 4,000 kernel security patches within eight years for Linux. And this is the kind of challenge that you're being put up to if you want to participate in that speed of innovation of an open source community as rich as that of Linux and now want to combine this with safety-related applications," Neukirchner said. Elektrobit developed EB corbos Linux for Safety Applications together with Canonical, and together they will share the maintenance of keeping it compliant with safety requirements over time.

A Shanghai flying taxi company says that China's "low altitude" industry is edging ahead of western rivals, thanks to more supportive regulators, technological breakthroughs and cut-throat competition in the Chinese logistics sector. From a report: The total market created by electric vertical take-off and landing, or eVTOL, aircraft is forecast to be worth $1.5tn a year by 2040 in a base-case assessment by Morgan Stanley analysts, with potential customers across airlines, logistics, emergency services, agriculture, tourism and security operations. China's AutoFlight Group won airworthiness certification from the Civil Aviation Administration of China in late March for the design and parts for its unmanned CarryAll aircraft -- a global first for an eVTOL weighing more than 1 tonne being cleared by regulators.

Kellen Xie, AutoFlight vice-president, said that while the company is also seeking similar approvals in Europe, the CAAC has been "quite supportive" of the new industry. "They work longer hours... they are determined to actually speed up the process of bringing this new technology into reality," he said. EVTOL aircraft take off vertically, like helicopters, but then transition into fixed-wing mode for travelling at higher speeds, offering faster and more efficient transport than ground-based options. Analysts point to a labyrinth of regulatory and safety hurdles, but supporters say the technology could fundamentally reshape how humans travel and freight is moved, in a level of disruption akin to the introduction of mass-market cars and commercial airlines. Most eVTOL aircraft are still in the testing stages and vary widely in terms of how fast and high they can fly and how much weight they can carry.

North Korean animators have been secretly working on major international TV shows, including an Amazon superhero series and an upcoming HBO Max children's anime, according to a report by cybersecurity researchers. The findings, detailed in a report by the Stimson Center think tank's 38 North Project and Google-owned security firm Mandiant, provide a glimpse into how North Korea can use skilled IT workers to raise funds for its heavily sanctioned regime.

Researcher Nick Roy discovered a misconfigured cloud server on a North Korean IP address in December, containing thousands of animation files, including cells, videos, and notes discussing ongoing projects. Some images appeared to be from Amazon's "Invincible" and HBO Max's "Iyanu: Child of Wonder." The server, which mysteriously stopped being used at the end of February, likely allowed work to be sent to and from North Korean animators, according to Martyn Williams, a senior fellow on the 38 North Project. U.S. sanctions prohibit companies from working with North Korean entities, but the researchers say it is unlikely that the companies involved were aware of the animators' origins. The report suggests the contracting arrangement was several steps removed from the major producers.

This week the Register spoke to former senior White House cyber policy director A.J. Grotto — who complained it was hard to get even slight concessions from Microsoft: "If you go back to the SolarWinds episode from a few years ago ... [Microsoft] was essentially up-selling logging capability to federal agencies" instead of making it the default, Grotto said. "As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach." Grotto told us Microsoft had to be "dragged kicking and screaming" to provide logging capabilities to the government by default. [In the interview he calls it "an epic fight" which lasted 18 months."] [G]iven the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best.

That illustrates, Grotto said, that "they [Microsoft] just have a ton of leverage, and they're not afraid to use it." Add to that concerns over an Exchange Online intrusion by Chinese snoops, and another Microsoft security breach by Russian cyber operatives, both of which allowed spies to gain access to US government emails, and Grotto says it's fair to classify Microsoft and its products as a national security concern.
He estimates that Microsoft makes 85% of U.S. government productivity software — and has an even greater share of their operating systems. "Microsoft in many ways has the government locked in, he says in the interview, "and so it's able to transfer a lot of these costs associated with the security breaches over to the federal government."

And about five minutes in, he says, point-blank, that "It's perfectly fair" to consider Microsoft a national security threat, given its dominance "not just within the federal government, but really in sort of the boarder IT marketplace. I think it's fair to say, yeah, that a systemic compromise that affects Microsoft and its products do rise to the level of a national security risk."

He'd like to see the government encourage more competition — to the point where public scrutiny prompts software customers to change their behavior, and creates a true market incentive for better performance...

Long-time Slashdot reader tippen shared this report from the Register: AI agents, which combine large language models with automation software, can successfully exploit real world security vulnerabilities by reading security advisories, academics have claimed.

In a newly released paper, four University of Illinois Urbana-Champaign (UIUC) computer scientists — Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang — report that OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing the flaw. "To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description," the US-based authors explain in their paper. "When given the CVE description, GPT-4 is capable of exploiting 87 percent of these vulnerabilities compared to 0 percent for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit)...."

The researchers' work builds upon prior findings that LLMs can be used to automate attacks on websites in a sandboxed environment. GPT-4, said Daniel Kang, assistant professor at UIUC, in an email to The Register, "can actually autonomously carry out the steps to perform certain exploits that open-source vulnerability scanners cannot find (at the time of writing)."
The researchers wrote that "Our vulnerabilities span website vulnerabilities, container vulnerabilities, and vulnerable Python packages. Over half are categorized as 'high' or 'critical' severity by the CVE description...."

"Kang and his colleagues computed the cost to conduct a successful LLM agent attack and came up with a figure of $8.80 per exploit"

SiliconANGLE reports that to help organizations detect vulnerabilities earlier, Red Hat has "announced updates to its Trusted Software Supply Chain that enable organizations to shift security 'left' in the software supply chain." Red Hat announced Trusted Software Supply Chain in May 2023, pitching it as a way to address the rising threat of software supply chain attacks. The service secures software pipelines by verifying software origins, automating security processes and providing a secure catalog of verified open-source software packages. [Thursday's updates] are aimed at advancing the ability for customers to embed security into the software development life cycle, thereby increasing software integrity earlier in the supply chain while also adhering to industry regulations and compliance standards.

They start with a new tool called Red Hat Trust Artifact Signer. Based on the open-source Sigstore project [founded at Red Hat and now part of the Open Source Security Foundation], Trust Artifact Signer allows developers to sign and verify software artifacts cryptographically without managing centralized keys, to enhance trust in the software supply chain. The second new release, Red Hat Trusted Profile Analyzer, provides a central source for security documentation such as Software Bill of Materials and Vulnerability Exploitability Exchange. The tool simplifies vulnerability management by enabling proactive identification and minimization of security threats.

The final new release, Red Hat Trusted Application Pipeline, combines the capabilities of the Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's internal developer platform to provide integrated security-focused development templates. The feature aims to standardize and accelerate the adoption of secure development practices within organizations.
Specifically, Red Hat's announcement says organizations can use their new Trust Application Pipeline feature "to verify pipeline compliance and provide traceability and auditability in the CI/CD process with an automated chain of trust that validates artifact signatures, and offers provenance and attestations."

An anonymous reader shared this report from the Washington Post: U.S. government officials were scrambling Friday night to prevent what they fear could be a significant loss of access to critical national security information, after two major U.S. communications providers said they would stop complying with orders under a controversial surveillance law that is set to expire at midnight, according to five people familiar with the matter.

One communications provider informed the National Security Agency that it would stop complying on Monday with orders under Section 702 of the Foreign Intelligence Surveillance Act, which enables U.S. intelligence agencies to gather without a warrant the digital communications of foreigners overseas — including when they text or email people inside the United States. Another provider suggested that it would cease complying at midnight Friday unless the law is reauthorized, according to the people familiar with the matter, who spoke on the condition of anonymity to discuss sensitive negotiations.

The companies' decisions, which were conveyed privately and have not previously been reported, have alarmed national security officials, who strongly disagree with their position and argue that the law requires the providers to continue complying with the government's surveillance orders even after the statute expires. That's because a federal court this month granted the government a one-year extension to continue intelligence collection.
UPDATE (4/20/2024): US Passes Bill Reauthorizing 'FISA' Surveillance for Two More Years.

China ordered Apple to remove some of the world's most popular chat messaging apps from its app store in the country, the latest example of censorship demands on the iPhone seller in the company's second-biggest market. WSJ: Meta's WhatsApp and Threads as well as messaging platforms Signal, Telegram and Line were taken off the Chinese App Store Friday [non-paywalled link]. Apple said it was told to remove certain apps because of national security concerns, without specifying which. "We are obligated to follow the laws in the countries where we operate, even when we disagree," an Apple spokesperson said in a statement.

These messaging apps, which allow users to exchange messages and share files individually and in big groups, combined have more than three billion users globally. They can only be accessed in China through virtual private networks that take users outside China's Great Firewall, but are still commonly used. Beijing has often viewed such platforms with caution, concerned that these apps could be used by its citizens to spread negative content and organize demonstrations or social movements. Much of the news China censors at home often makes it beyond the Great Firewall through such channels.