• A 10/10 Masterpiece Drops Under 30, $34 Hogwarts, A New Low on Outlaws, and More!
    www.ign.com
    Welcome back to another wonderful week of discounts with the guy who lives and breathes gaming. And not just any games, my friend: the best ones actually worth buying / playing / storing in a shameful pile to probably never be touched again. Personally, I'm all about the surprisingly early 30%+ discounts I'm seeing on Dragon Age Veilguard and Star Wars Outlaws. So maybe start saving there.

    In retro news, I'm commemorating the 19th anniversary of Resident Evil 4, a port that blew PS2 owner minds like a .223 calibre Semi-Auto Rifle round to the melon. Though I'd already dropped about 60 hours incessantly replaying this via my (better looking and sounding) GameCube version, I recall being instantly re-smitten when I booted this on 'Station. The new big cherry on top? Separate Ways, a roughly 2.5-hour mini adventure that slipped us into the impractical heels of a TMP-packing Ada Wong. Truly, RE4 was in the top 3 games of a console flush with all-time greats. Anybody who skips the Remake is Ganados levels of loco.

    Happy Bday Resident Evil 4

    This Day in Gaming
    - Age of Mythology (PC) 2002. Redux
    - Resident Evil 4 (PS2) 2005. Redux
    - Sonic Colors (DS, Wii) 2010. Redux

    Nice Savings for Nintendo Switch

    Octopath Traveler II: If you liked Octopath Traveler (or even any of the Bravely Default games) Octopath Traveler 2 is another good ol' fashioned 80-hour JRPG.
    - Joy-Con Pair (-21%) - A$95
    - Let's Sing 2024 2-Mic Bndl (-43%) - A$57
    - Pro Controller (-21%) - A$79
    - Hades (-60%) - A$15
    - Transistor (-80%) - A$4.79

    Expiring Recent Deals
    - Lego Skywalker Saga Galactic (-75%) - A$28.73
    - Mario & Luigi: Brothership (-21%) - A$62.95
    - Detective Pikachu Returns (-23%) - A$53.95
    - West of Loathing (-64%) - A$5.76
    - Nickelodeon All-Star Brawl (-90%) - A$6.99
    - No More Heroes (-70%) - A$8.98

    Or gift a Nintendo eShop Card.

    Switch Console Prices: How much to Switch it up?
    Switch Zelda: $629 $509 | Switch Original: $499 $428 | Switch OLED Black: $539 $489 | Switch OLED White: $539 $489 | Switch Lite: $329 $293 | Switch Lite Hyrule: $339 $309

    Purchase Cheap for PC

    Star Wars Col.: The Force is strong with this one! Get 14 epic games in one massive line-up with the Star Wars Collection.
    - XCOM 2 (-95%) - A$2.99
    - The Division Gold Ed. (-75%) - A$18.73
    - Dead Space [2023] (-70%) - A$26.98
    - Thrustmaster USAF Multiplat headset (-22%) - A$140
    - Far Cry 6 (-75%) - A$22.48
    - Metal Slug Bndl (-80%) - A$4.59

    Expiring Recent Deals
    - Disney-Pixar Cars (-100%) - FREE w/Prime
    - Dishonored: Definitive Ed. (-100%) - FREE w/Prime
    - BioShock: The Collection (-80%) - A$15.99
    - Metro 2033 Redux (-90%) - A$2.99
    - Metro Last Light (-90%) - A$2.99
    - Metro Exodus (-90%) - A$4.49
    - Battlefield 2042 (-92%) - A$7.19

    Or just get a Steam Wallet Card.

    PC Hardware Prices: Slay your pile of shame. Official launch in Nov.
    Steam Deck 256GB LCD: $649 | Steam Deck 512GB OLED: $899 | Steam Deck 1TB OLED: $1,049

    Exciting Bargains for Xbox

    Death Stranding Director's: Well, here's a surprise release that nobody saw coming at all. Also, one of the weirdest games I've played in recent memory. Definitely do some investigation before you pull the trigger on this. A real love it or hate it proposition.

    Expiring Recent Deals
    - Metaphor: ReFantazio (-14%) - A$99
    - FF XII: The Zodiac Age (-56%) - A$35.53
    - Suicide Squad: KTJL (-69%) - A$36
    - Jedi Survivor (-38%) - A$67.99
    - The Quarry (-91%) - A$9
    - The Outer Worlds (-67%) - A$14.95

    Or just invest in an Xbox Card.

    Xbox Console Prices: How many bucks for a 'Box?
    Series S Black: $549 $513 | Series S White: $499 $481 | Series X: $799 | Series S Starter: N/A

    Pure Scores for PlayStation

    Red Dead 2: Combined with strong writing and direction, the result is a game that's sincere instead of satirical, and funny while remaining capable of some supremely well-earned emotional moments, especially throughout the excellent crescendo and epilogue. 10/10.
    - Hogwarts Legacy (-66%) - A$34
    - Witcher 3: Wild Hunt Complete (-55%) - A$34.95
    - Star Wars Outlaws (-30%) - A$77
    - Marvel's Spider-Man 2 (-21%) - A$99
    - FF VII: Rebirth (-33%) - A$79.95

    Expiring Recent Deals
    - Dragon's Dogma 2 (-45%) - A$59
    - Suicide Squad: KTJL (-69%) - A$36
    - NBA 2K24 Kobe Ed. (-87%) - A$15
    - Resi 4 Gold (-40%) - A$41.97
    - Rayman Legends (-80%) - A$4.99
    - Limbo/Inside Bndl (-75%) - A$10.23

    Or purchase a PS Store Card.

    PS5 Pro Enhanced Bargain: Need a cheap Pro showcase title?
    Demon's Souls - $124.95 / $104
    Even without a Pro Enhancement, the visuals of this '24 remake of a '09 PS3 classic already knocked my chainmail socks off. That said, there is indeed a vaguely described "PS5 Pro" toggle in the Display Adjustment menu. It seems to be a 4K-like 60fps Fidelity Mode, which, I think, looks noticeably better than the base experience thanks to additional tessellation density and a new contact shadow system that adds finer micro-detail to stonework (which is everywhere). Basically, I'm fixing to replay this all over again now. As a busy reviewer who's always on The Next Thing, I need a bona fide reason to look backwards; PS5 Pro Enhancement feels (and looks) like a worthy one.

    PlayStation Console Prices: What you'll pay to 'Station.
    PS5 Pro $1,199 | PS5 Slim Disc: $799 $795 | PS5 Slim Digital: $679 $639 | PS VR2: $879 | PS VR2 + Horizon: $959 $949 | PS Portal: $329

    Legit LEGO Deals

    Sonic: Amy's Island: 40 bucks off a 6-character set? That's worth every ring.

    Expiring Recent Deals
    - Minecraft The Frog House (-40%) - A$59.97
    - Animal Crossing: Julian's Birthday (-40%) - A$12
    - Star Wars C-3PO (-19%) - A$159

    Adam Mathew is our Aussie deals wrangler. He plays practically everything, often on YouTube.
  • The Penguin Episode 8 Review: The Final Battle for Gothams Streets
    www.denofgeek.com
    This review contains spoilers for The Penguin episode 8.

    By the end of the eighth and final episode of The Penguin, Sofia has become a very different person. No longer the morally conflicted daughter of mob boss Carmine Falcone, no longer the patsy sentenced to Arkham for her father's murder of seven women as the Hangman, she has become Sofia Gigante and she appears to have won the gang war against Salvatore Maroni (now dead) and Oz.

    So, of course, she monologues, telling a story to Oz and his mother Frances about a trio of birds she saw when she was a little girl. According to Sofia, the mother bird doted on the stronger of the two baby birds, at least until she went away one day and came back to find that the weaker bird had pushed the stronger one out of the nest before it could fly.

    Of course, Sofia tells this story as part of her psychological game with Oz and Frances, referring to the former killing his brothers and the latter ignoring it. But the story also fits a show called The Penguin, and not just because it's about a flightless bird. Because The Penguin ended up being a series in which Cristin Milioti, a lesser-known performer playing an unknown character, ended up pushing the Academy Award-nominated Colin Farrell out of the spotlight.

    To be clear, this is a good thing. A spinoff series from The Batman about the Penguin always reeked of corporate desperation, of the increasingly pathetic Warner Bros. studio trying to milk whatever it can from its hits to prop up its streaming service HBO Go HBO Max Max. While Colin Farrell absolutely popped as Oz in The Batman, he worked in part because the movie did not ask him to do any emotional heavy lifting. He could waddle and shout and call Batman Mr. Vengeance, and it provided a comic book break from a heavy film.

    But after a few clunky opening episodes, it became clear that showrunner Lauren LeFranc had something more in mind than just the continuing adventures of the Penguin. Instead, she used the opportunity given to an HBO superhero show to make a show about the ability or inability of women to change a world ruined by, but still dominated by, patriarchy. Written by LeFranc and directed by Jennifer Getzinger, the finale "A Great or Little Thing" brings an end to Sofia's failed attempt to break from her father's ways. She gets a bravado sequence in which she burns her father's house and belongings, staring imperiously while a rocking version of "In the Pines" (aka "Where Did You Sleep Last Night?") plays on the soundtrack.

    It's framed as a moment of triumph for Sofia, even as it raises questions about her ability to actually break from Carmine's model, a model that builds power on the backs of destroyed women. How will Sofia Gigante be different than Carmine Falcone?

    Turns out, she doesn't have to worry about answering that question, because Oz comes back to seize control. While not quite as overt as Roman Sionis's misogynistic rallying cry at the climax of Birds of Prey, Oz gets all the small gangs to work against Sofia in part because she's a crazy woman. And so, the reign of Sofia Gigante comes to an end after she's betrayed by men, including the cops she thought she had bought, and put back in Arkham, once again under Julian's control.

    LeFranc pairs this theme with the culmination of Oz's storyline with Frances. As seen in a flashback, Frances made a deal with old school gangster Rex Calabrese, Oz's hero, to kill the boy and rid her of, in her words, the devil in her house. Instead, she changes her mind at the last second, making Oz promise to give her the high life that she always wanted.

    The Penguin presents Frances's final fate as an EC Comics-style twist of fate. According to Oz, he did everything he did for her, including all of the backstabbing and murder and manipulation that we see throughout the series. Thus, she earns an ironic punishment, comatose and trapped in Oz's penthouse, for her callous power grabbing.

    Of course, Oz didn't really want to do anything to Frances. Instead, he wanted a woman he could control, and Frances was the only one available. There's something haunting in the final scene, when Oz walks out of his mother's room and into the great room of his new digs to find Eve Karlo dressed as a younger Frances (she really is Clayface, it turns out). As the two dance together, she says again and again that she loves him and is proud of him. The real Frances would never say those words, so Oz forced Eve to become a version of Frances he could mold.

    "A Great or Little Thing" elegantly brings the two storylines together and pairs their themes. But not everything works so well. The episode doesn't really resolve the wreckage of Sofia's bombing of the Bliss plant, an explosion small enough that Oz and others survive, despite being right next to it, but large enough to blow a giant hole in the center of Gotham. The explosion does give one last chance for Oz to show off his ability to manipulate, but it feels more like a narrative cul-de-sac that preserves the wreckage of Riddler's attack. By not dealing with the explosion, The Penguin lets those who go into The Batman 2 having only seen the previous movie think that they're just dealing with another Riddler bomb.

    Speaking of cul-de-sacs, Vic's storyline proves to be a big nothing, as he's strangled by Oz just when he thinks that the two have bonded. The show set up Vic as Oz's foil, another boy forced into a violent system that wouldn't give him a fair shake otherwise. But when Oz suffocates the kid, he proves that he was never like Vic at all. He wasn't a good kid forced into a bad situation. He was just evil.

    Getzinger holds on the shot of Oz's disgusting, twisted face as he strangles the life out of Vic, making sure everyone knows that he's a monster. But here's the thing: we never really doubted that he was a monster. He never seemed sympathetic, even when the show wanted so badly for Vic to add shades to what was clearly a one-note character.

    In the end, Victor best represents what The Penguin could have been: the show, not the person. The series could have been just more Batman content, devoting way too much time to a character who doesn't have enough depth to carry it. And, to be clear, The Penguin sometimes was that empty series. The entire sequence of Oz's men killing the heads of Gotham families feels like a poor cover of the baptism scene from The Godfather.

    To the credit of LeFranc and her collaborators, The Penguin proved itself much more. The world didn't need another show about a sad-sack, one-dimensional Batman villain, but it did need a show about a woman vying for power that could never be hers. In the end, I'm grateful that The Penguin became that show, even if it had to push the Penguin out of the nest to do it.

    All eight episodes of The Penguin are now streaming on Max.

    Learn more about Den of Geek's review process and why you can trust our recommendations here.
  • THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 - Nov 10)
    thehackernews.com
    Imagine this: the very tools you trust to protect you online, your two-factor authentication, your car's tech system, even your security software, turned into silent allies for hackers. Sounds like a scene from a thriller, right? Yet, in 2024, this isn't fiction; it's the new cyber reality. Today's attackers have become so sophisticated that they're using our trusted tools as secret pathways, slipping past defenses without a trace.

    For banks, this is especially alarming. Today's malware doesn't just steal codes; it targets the very trust that digital banking relies on. These threats are more advanced and smarter than ever, often staying a step ahead of defenses.

    And it doesn't stop there. Critical systems that power our cities are at risk too. Hackers are hiding within the very tools that run these essential services, making them harder to detect and harder to stop. It's a high-stakes game of hide-and-seek, where each move raises the risk.

    As these threats grow, let's dive into the most urgent security issues, vulnerabilities, and cyber trends this week.

    Threat of the Week

    FBI Probes China-Linked Global Hacks: The FBI is urgently calling for public assistance in a global investigation into sophisticated cyber attacks targeting companies and government agencies. Chinese state-sponsored hacking groups, identified as APT31, APT41, and Volt Typhoon, have breached edge devices and computer networks worldwide. Exploiting zero-day vulnerabilities in edge infrastructure appliances from vendors like Sophos, these threat actors have deployed custom malware to maintain persistent remote access and repurpose compromised devices as stealthy proxies. This tactic allows them to conduct surveillance, espionage, and potentially sabotage operations while remaining undetected.

    Tips for Organizations:
    - Update and Patch Systems: Immediately apply the latest security updates to all edge devices and firewalls, particularly those from Sophos, to mitigate known vulnerabilities like CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236.
    - Monitor for Known Malware: Implement advanced security solutions capable of detecting malware such as Asnark, Gh0st RAT, and Pygmy Goat. Regularly scan your network for signs of these threats.
    - Enhance Network Security: Deploy intrusion detection and prevention systems to monitor for unusual network activity, including unexpected ICMP traffic that could indicate backdoor communications.

    Top News

    Android Banking Trojan ToxicPanda Targets Europe: A new Android banking trojan dubbed ToxicPanda has been observed targeting over a dozen banks in Europe and Latin America. It's so named for its Chinese roots and its similarities with another Android-focused malware named TgToxic. ToxicPanda comes with remote access trojan (RAT) capabilities, enabling the attackers to conduct account takeover attacks and on-device fraud (ODF). Besides obtaining access to sensitive permissions, it can intercept one-time passwords received by the device via SMS or those generated by authenticator apps, which enables the cybercriminals to bypass multi-factor authentication. The threat actors behind ToxicPanda are likely Chinese speakers.

    VEILDrive Attack Exploits Microsoft Services: An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. In doing so, it allows the threat actors to evade detection. The attack has so far been spotted targeting an unnamed critical infrastructure entity in the U.S.
    It's currently not known who is behind the campaign.

    Crypto Firms Targeted with New macOS Backdoor: The North Korean threat actor known as BlueNoroff has targeted cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Unlike other recent campaigns linked to North Korea, the latest effort uses emails propagating fake news about cryptocurrency trends to infect targets with a backdoor that can execute attacker-issued commands. The development comes as the APT37 North Korean state-backed group has been linked to a new spear-phishing campaign distributing the RokRAT malware.

    Windows Hosts Targeted by QEMU Linux Instance: A new malware campaign codenamed CRON#TRAP is infecting Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. This allows the unidentified threat actors to maintain a stealthy presence on the victim's machine.

    AndroxGh0st Malware Integrates Mozi Botnet: The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, alongside deploying the Mozi botnet malware. While Mozi suffered from a steep decline in activity last year, the new integration has raised the possibility of an operational alliance, thereby allowing it to propagate to more devices than ever before.

    Trending CVEs

    Recently trending CVEs include: CVE-2024-39719, CVE-2024-39720, CVE-2024-39721, CVE-2024-39722, CVE-2024-43093, CVE-2024-10443, CVE-2024-50387, CVE-2024-50388, CVE-2024-50389, CVE-2024-20418, CVE-2024-5910, CVE-2024-42509, CVE-2024-47460, CVE-2024-33661, CVE-2024-33662. Each of these vulnerabilities represents a significant security risk, emphasizing the importance of regular updates and monitoring to protect data and systems.
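    The "Enhance Network Security" tip under Threat of the Week above singles out unexpected ICMP traffic as a possible sign of backdoor communication. The script below is an added example, not code from The Hacker News or from the FBI advisory, showing what such a check looks like over a Windows Firewall log (the pfirewall.log W3C-style format): it groups ICMP from internal hosts to external addresses and flags a pair when the echo requests arrive at a steady, beacon-like cadence or carry an unusually large payload. The sample log lines are constructed, and the thresholds (three events, five seconds of jitter, 1,000 bytes) are assumptions to tune against your own baseline.

```powershell
# Added example (not from the THN article): two ICMP heuristics over
# constructed Windows Firewall log lines. Thresholds are assumptions.

function Test-PrivateIPv4 {
    param([string]$Ip)
    return $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

function Find-IcmpBeacons {
    param(
        [string[]]$Lines,
        [int]$MinEvents = 3,            # assumed: fewer events is noise
        [double]$MaxJitterSeconds = 5,  # assumed: spread of inter-packet gaps
        [int]$LargePayloadBytes = 1000  # assumed: echo requests rarely this big
    )
    $groups = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }   # skip W3C header and blanks
        # Fields: date time action protocol src-ip dst-ip src-port dst-port size ...
        $f = $line -split '\s+'
        if ($f[3] -ne 'ICMP') { continue }
        if (Test-PrivateIPv4 $f[5]) { continue }     # only internal -> external
        $key = "$($f[4]) -> $($f[5])"
        if (-not $groups.ContainsKey($key)) { $groups[$key] = @() }
        $groups[$key] += [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Size = [int]$f[8]
        }
    }
    $findings = @()
    foreach ($key in $groups.Keys) {
        $events  = @($groups[$key] | Sort-Object Time)
        $reasons = @()
        if (@($events | Where-Object { $_.Size -ge $LargePayloadBytes }).Count -gt 0) {
            $reasons += "payload >= $LargePayloadBytes bytes"
        }
        if ($events.Count -ge $MinEvents) {
            # Gaps between consecutive packets; a tight spread means a timer, not a human.
            $gaps = for ($i = 1; $i -lt $events.Count; $i++) {
                ($events[$i].Time - $events[$i - 1].Time).TotalSeconds
            }
            $spread = $gaps | Measure-Object -Minimum -Maximum
            if (($spread.Maximum - $spread.Minimum) -le $MaxJitterSeconds) {
                $reasons += "regular cadence (~$([int]$spread.Minimum)s) over $($events.Count) packets"
            }
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Pair = $key; Reasons = ($reasons -join '; ') }
        }
    }
    return $findings
}

# Constructed sample in pfirewall.log layout: one ordinary ping, one internal
# pair (ignored), one host sending 1500-byte echo requests every 30 seconds.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-11-08 09:00:00 ALLOW ICMP 10.0.5.12 8.8.8.8 - - 60 - - - - 8 0 - SEND
2024-11-08 09:00:05 ALLOW ICMP 10.0.7.3 10.0.0.1 - - 60 - - - - 8 0 - SEND
2024-11-08 09:00:30 ALLOW ICMP 10.0.5.12 203.0.113.9 - - 1500 - - - - 8 0 - SEND
2024-11-08 09:01:00 ALLOW ICMP 10.0.5.12 203.0.113.9 - - 1500 - - - - 8 0 - SEND
2024-11-08 09:01:30 ALLOW ICMP 10.0.5.12 203.0.113.9 - - 1500 - - - - 8 0 - SEND
2024-11-08 09:02:11 ALLOW TCP 10.0.9.40 198.51.100.77 51234 443 52 S 1 0 64240 - - - SEND
'@

Find-IcmpBeacons -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

    In production you would feed the function an exported firewall log (or the equivalent flow records from an edge appliance) and raise the event count threshold; the point of the two heuristics is that a backdoor using ICMP as a channel tends to look like a timer, while human-driven pings are bursty and small.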
    Around the Cyber World

    Unpatched Flaws Allow Hacking of Mazda Cars: Multiple security vulnerabilities identified in the Mazda Connect Connectivity Master Unit (CMU) infotainment unit (from CVE-2024-8355 through CVE-2024-8360), which is used in several models between 2014 and 2021, could allow for execution of arbitrary code with elevated permissions. Even more troublingly, they could be abused to obtain persistent compromise by installing a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) of the vehicle. The flaws remain unpatched, likely because they all require an attacker to physically insert a malicious USB into the center console. "A physically present attacker could exploit these vulnerabilities by connecting a specially crafted USB device such as an iPod or mass storage device to the target system," security researcher Dmitry Janushkevich said. "Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges."

    Germany Drafts Law to Protect Researchers Reporting Flaws: The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to researchers who discover and responsibly report security vulnerabilities to vendors. "Those who want to close IT security gaps deserve recognition, not a letter from the prosecutor," the ministry said. "With this draft law, we will eliminate the risk of criminal liability for people who take on this important task." The draft law also proposes a penalty of three months to five years in prison for severe cases of malicious data spying and data interception that include acts motivated by profit, those that result in substantial financial damage, or compromise critical infrastructure.

    Over 30 Vulnerabilities Found in IBM Security Verify Access: Nearly three dozen vulnerabilities have been disclosed in IBM Security Verify Access (ISVA) that, if successfully exploited, could allow attackers to escalate privileges, access sensitive information, and compromise the entire authentication infrastructure. The vulnerabilities were found in October 2022 and were communicated to IBM at the beginning of 2023 by security researcher Pierre Barre. A majority of the issues were eventually patched at the end of June 2024.

    Silent Skimmer Actor Makes a Comeback: Organizations that host or create payment infrastructure and gateways are being targeted as part of a new campaign mounted by the same threat actors behind the Silent Skimmer credit card skimming campaign. Dubbed CL-CRI-0941, the activity is characterized by the compromise of web servers to gain access to victim environments and gather payment information. "The threat actor gained an initial foothold on the servers by exploiting a couple of one-day Telerik user interface (UI) vulnerabilities," Palo Alto Networks Unit 42 said. The flaws include CVE-2017-11317 and CVE-2019-18935. Some of the other tools used in the attacks are reverse shells for remote access, tunneling and proxy utilities such as Fuso and FRP, GodPotato for privilege escalation, and RingQ to retrieve and launch the Python script responsible for harvesting the payment information to a .CSV file.

    Seoul Accuses Pro-Kremlin Hacktivists of Targeting South Korea: As North Korea joins hands with Russia in the ongoing Russo-Ukrainian War, DDoS attacks on South Korea have ramped up, the President's Office said. "Their attacks are mainly private-targeted hacks and distributed denial-of-service (DDoS) attacks targeting government agency home pages," according to a statement. "Access to some organizations' websites has been temporarily delayed or disconnected, but aside from that, there has been no significant damage."

    Canada Predicts Indian State-Sponsored Attacks amid Diplomatic Feud: Canada has identified India as an emerging cyber threat in the wake of growing geopolitical tensions between the two countries over the assassination of a Sikh separatist on Canadian soil. "India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country's efforts to promote its global status and counter narratives against India and the Indian government," the Canadian Centre for Cyber Security said. "We assess that India's cyber program likely leverages commercial cyber vendors to enhance its operations."

    Apple's New iOS Feature Reboots iPhones after 4 Days of Inactivity: Apple has reportedly introduced a new security feature in iOS 18.1 that automatically reboots iPhones that haven't been unlocked for a period of four days, according to 404 Media. The newly added code, called "inactivity reboot," triggers the restart so as to revert the phone to a more secure state called "Before First Unlock" (aka BFU) that forces users to enter the passcode or PIN in order to access the device. The new feature has apparently frustrated law enforcement efforts to break into the devices as part of criminal investigations. Apple has yet to formally comment on the feature.

    Resources, Guides & Insights

    Expert Webinar

    Turn Boring Cybersecurity Training into Engaging, Story-Driven Lessons: Traditional cybersecurity training is outdated. Huntress SAT is using storytelling to make learning engaging, memorable, and effective. Gamification + phishing defense = a game-changing approach to security.
    Ready to transform your team's security awareness? Join the webinar NOW!

    How Certificate Revocations Impact Your Security (and How to Fix It Fast): Certificate revocations can disrupt operations, but automation is the game-changer! Discover how rapid certificate replacement, crypto agility, and proactive strategies can keep your systems secure with minimal downtime.

    Cybersecurity Tools

    P0 Labs recently announced the release of new open-source tools designed to enhance detection capabilities for security teams facing diverse attack vectors.
    - YetiHunter - Detects indicators of compromise in Snowflake environments.
    - CloudGrappler - Queries high-fidelity, single-event detections related to well-known threat actors in cloud environments like AWS and Azure.
    - DetentionDodger - Identifies identities with leaked credentials and assesses potential impact based on privileges.
    - BucketShield - A monitoring and alerting system for AWS S3 buckets and CloudTrail logs, ensuring consistent log flow and audit-readiness.
    - CAPICHE Detection Framework (Cloud API Conversion Helper Express) - Simplifies cloud API detection rule creation, supporting defenders in creating multiple detection rules from grouped APIs.

    Tip of the Week

    Strengthen Security with Smarter Application Whitelisting: Lock down your Windows system like a pro by using built-in tools as your first line of defense. Start with Microsoft Defender Application Control and AppLocker to control which apps can run - think of it as a bouncer that only lets trusted apps into your club. Keep an eye on what's happening with Sysinternals Process Explorer (it's like CCTV for your running programs) and use Windows Security Center to guard your browsers and folders. For older Windows versions, Software Restriction Policies (SRP) will do the job. Remember to set up alerts so you know when something suspicious happens.

    Don't trust any app until it proves itself - check for digital signatures (like an app's ID card) and use PowerShell safely by requiring signed scripts only. Keep risky apps in a sandbox (like Windows Sandbox or VMware) - it's like a quarantine zone where apps can't hurt your main system. Watch your network with Windows Firewall and GlassWire to spot any apps making suspicious connections. When it's time for updates, test them in a safe space first using Windows Update management tools. Keep logs of everything using Windows Event Forwarding and Sysmon, and review them regularly to spot any trouble. The key is layering these tools - if one fails, the others will catch the threat.

    Conclusion

    As we face this new wave of cyber threats, it's clear that the line between safety and risk is getting harder to see. In our connected world, every system, device, and tool can either protect us or be used against us. Staying safe now means more than just better defenses; it means staying aware of new tactics that change every day. From banking to the systems that keep our cities running, no area is immune to these risks.

    Moving forward, the best way to protect ourselves is to stay alert, keep learning, and always be ready for the next threat. Don't forget to subscribe for our next edition.
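    Returning to the Tip of the Week above: the controls it lists (AppLocker and Defender Application Control, signature checks, signed-scripts-only PowerShell, and the event logs that tell you when something was blocked) can all be inspected from one read-only audit script. What follows is an added example, not code from The Hacker News, that does exactly that on a single Windows host. The AppLocker log names, event IDs and the Win32_DeviceGuard class are the standard ones; the folder scanned for unsigned binaries is an assumption to replace with the paths you actually deploy to.

```powershell
# Added example (not from the THN article): read-only audit of the
# whitelisting controls the tip recommends. Run from an elevated PowerShell.
# The scanned folder under ProgramData is an assumption.

function Get-UnsignedExecutables {
    # Executables, DLLs and scripts whose Authenticode signature is missing,
    # broken (HashMismatch) or untrusted. Only Status 'Valid' passes.
    param([string[]]$Paths = @("$env:ProgramData\Scripts"))   # assumed folder
    Get-ChildItem -Path $Paths -Include *.exe, *.dll, *.ps1 -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status      # NotSigned, HashMismatch, UnknownError, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
}

function Get-ScriptPolicyState {
    # "Signed scripts only" means AllSigned; Unrestricted/Bypass at any scope is a gap.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Scope  = $_.Scope
            Policy = $_.ExecutionPolicy
            Weak   = $_.ExecutionPolicy -in 'Unrestricted', 'Bypass'
        }
    }
}

function Get-AppLockerBlocks {
    # AppLocker writes 8003/8006 in audit mode ("would have been blocked")
    # and 8004/8007 when it actually blocked a launch. These are the events
    # the tip's "set up alerts" advice should be wired to.
    param([int]$MaxEvents = 50)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004 },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007 }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
    }
}

function Get-WdacEnforcement {
    # Defender Application Control state: 0 = off, 1 = audit mode, 2 = enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        UserModeCodeIntegrity = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        KernelCodeIntegrity   = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

# Usage: run the four checks and read the tables. Nothing here changes state.
Get-ScriptPolicyState   | Format-Table -AutoSize
Get-WdacEnforcement     | Format-List
Get-AppLockerBlocks     | Format-Table -AutoSize
Get-UnsignedExecutables | Format-Table -AutoSize

# Remediation for a weak script policy (this one does change state):
#   Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
```

    Treat the unsigned-file list as a review queue rather than a verdict: in-house tooling is often unsigned and the fix is to sign it or to add a path or hash rule for it, not to whitelist the folder. The AppLocker events are the ones worth forwarding with Windows Event Forwarding or Sysmon-side collection, since a burst of 8004/8007 on a host is the concrete alert the tip is asking you to configure.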
  • The ROI of Security Investments: How Cybersecurity Leaders Prove It
    thehackernews.com
    Nov 11, 2024 | The Hacker News | Cyber Resilience / Offensive Security

    Cyber threats are intensifying, and cybersecurity has become critical to business operations. As security budgets grow, CEOs and boardrooms are demanding concrete evidence that cybersecurity initiatives deliver value beyond regulation compliance.

    Just like you wouldn't buy a car without knowing it was first put through a crash test, security systems must also be validated to confirm their value. There is an increasing shift towards security validation as it allows cyber practitioners to safely use real exploits in production environments to accurately assess the efficiency of their security systems and identify critical areas of exposure, at scale.

    We met with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, to discuss how to effectively communicate the business value of his Security Validation practices and tools to his upper management. Here is a drill down into how Shawn made room for security validation platforms within his already tight budget and how he translated technical security practices into tangible business outcomes that have driven purchase decisions in his team's favor.

    Please note that all responses below are solely the opinions of Shawn Baird and do not represent the beliefs or opinions of DTCC and its subsidiaries.

    Q: What value does Security Validation bring to your organization?

    Security Validation is about putting your defenses to the test, not against theoretical risks, but actual real-world attack techniques. It's a shift from passive assumptions of security to active validation of what works. It tells me the degree to which our systems can withstand the same tactics cybercriminals use today.

    For us at DTCC, we've been doing security validation for a long time, but we were looking for tech that would serve as a performance amplifier. Instead of relying solely on expensive, highly-skilled engineers to carry out manual validations across all systems, we could focus our elite teams on high-value, targeted red-teaming exercises. The automated platform has built-in content of TTPs for conducting tests, covering techniques like Kerberoasting, network scanning, brute forcing, etc., relieving the team from having to create this. Tests are executed even outside regular business hours so we are not confined to standard testing windows. This approach meant we weren't stretching our security staff thin on repetitive tasks. Instead, they could focus on more complex attack scenarios and critical issues. Pentera gave us a way to maintain continuous validation across the board, without burning out our most skilled engineers on tasks that could be automated. In essence, it's become a force multiplier for our team. It goes a long way to improve our ability to stay ahead of threats while optimizing the use of our top talent.

    Q: How did you justify the ROI of an investment in an Automated Security Validation platform?

    First and foremost, we see a direct increase in our team's productivity. Automating time-consuming manual assessments and testing tasks was a game changer. By shifting these repetitive and effort-intensive tasks to Pentera, our skilled engineers could focus on more complex work. And without needing additional headcount we could significantly expand the scope of tests.

    Second, we're able to reduce the cost of third-party contractors. Traditionally, we relied heavily on external expert contractors, which can be costly and often limited in scope. With human expertise built into a platform like Pentera, we reduced our dependence on expensive service engagements. Instead, we have internal staff - analysts with less expertise - running effective tests.

    Finally, there's a clear benefit of risk reduction. By continuously validating our security posture, we can significantly reduce the probability of a breach and the potential cost of a breach, if it occurs. IBM's 2023 Cost of a Data Breach report confirms this, reporting an 11% reduction in breach costs for organizations using proactive risk management strategies. With Pentera, we achieved just that: less exposure, faster detection, and quicker remediation, all of which contributed to lowering our overall risk profile.

    Q: What were some of the internal roadblocks or hurdles you encountered?

    One of the key hurdles we faced was friction from the architectural review board. Understandably, they had concerns about running automated exploits on our network, even though the platform is 'safe-by-design'. The idea of running real-world attacks in production environments can be unnerving, especially for teams responsible for the stability of critical systems.

    To address this, we took a phased approach. We started by running the platform on a reduced attack surface, targeting less critical systems to demonstrate its safety and effectiveness. Next, we expanded its use during a red team engagement, running it alongside our existing testing processes. Over time, we're incrementally expanding the scope, proving the platform's reliability and safety at each stage. This gradual rollout helped build confidence without risking major disruptions, so now trust in the platform is fairly well established.

    Q: How did you allocate the funds?

    We allocated the funds for Pentera under the same line item as our red teaming tools, grouped with other solutions like Rapid7 and vulnerability scanners. By positioning it alongside offensive security tools, the budgeting process was kept straightforward.

    We looked specifically at our cost for assessing our environment's susceptibility to a ransomware attack. Previously, we spent $150K annually on ransomware scans, but with Pentera, we could test more frequently at the same budget. This reallocation of funds made sense because it hit our key criteria, mentioned earlier: improving productivity by increasing our testing capacity without needing to hire, and reducing risk with more frequent and larger-scale testing, lowering the chances of a ransomware attack and limiting the damage if one occurs.

    Q: What other considerations came into play?

    A few other factors influenced our decision to invest in Automated Security Validation. Employee retention was a big one. Like I said before, automating repetitive tasks kept our cybersecurity experts focused on more challenging, impactful work, which I believe has helped us retain their talent.

    Improvement in security operations was another point. Pentera helps us ensure our controls are properly tuned and validated; it also helps coordination between red teams, blue teams, and the SOC. From a compliance standpoint, it made it easier to compile evidence for audits - allowing us to get through the process much faster than we would otherwise. Finally, cyber insurance is another area where Pentera has added further financial value by enabling us to lower our premiums.

    Q: Advice to other security professionals trying to get a budget for security validation?

    The performance value of Automated Security Validation is clear. Most organizations don't have the internal resources to conduct mature red teaming. Whether you have a small security team or a mature offensive security practice like we do at DTCC, it's very likely that you do not have enough security expert resources to do a full assessment. If you don't find anything, no proof of a malicious insider in your network, you can't demonstrate resilience - making it harder to achieve regulatory compliance. With Pentera, you have built-in TTPs, giving you a direct path to assess how well your organization responds to threats. Based on that validation you can harden your infrastructure and address discovered vulnerabilities.

    The alternative, doing nothing, is far riskier. The cost of a breach can result in stolen IP, lost data, and potentially shutting down operations. On the other hand, the cost of the tool brings peace of mind knowing you've reduced your exposure to real-world threats and the ability to sleep better at night.

    Watch the full on-demand webinar with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, and Pentera Field CISO, Jason Mar-Tang.

    This article is a contributed piece from one of our valued partners.
  • Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation
    thehackernews.com
    Nov 11, 2024 · Ravie Lakshmanan · Machine Learning / Vulnerability

    Cybersecurity researchers have uncovered nearly two dozen security flaws spanning 15 different machine learning (ML) related open-source projects. These comprise vulnerabilities discovered on both the server and client side, software supply chain security firm JFrog said in an analysis published last week. The server-side weaknesses "allow attackers to hijack important servers in the organization such as ML model registries, ML databases and ML pipelines," it said.

    The vulnerabilities, discovered in Weave, ZenML, Deep Lake, Vanna.AI, and Mage AI, fall into broader sub-categories: remotely hijacking model registries, hijacking ML database frameworks, and taking over ML pipelines. A brief description of the identified flaws is below:

    - CVE-2024-7340 (CVSS score: 8.8) - A directory traversal vulnerability in the Weave ML toolkit that allows reading files across the whole filesystem, effectively allowing a low-privileged authenticated user to escalate to an admin role by reading a file named "api_keys.ibd" (addressed in version 0.50.8)
    - An improper access control vulnerability in the ZenML MLOps framework that allows a user with access to a managed ZenML server to elevate their privileges from viewer to full admin, granting the attacker the ability to modify or read the Secret Store (no CVE identifier)
    - CVE-2024-6507 (CVSS score: 8.1) - A command injection vulnerability in the Deep Lake AI-oriented database that allows attackers to inject system commands when uploading a remote Kaggle dataset, due to a lack of proper input sanitization (addressed in version 3.9.11)
    - CVE-2024-5565 (CVSS score: 8.1) - A prompt injection vulnerability in the Vanna.AI library that could be exploited to achieve remote code execution on the underlying host
    - CVE-2024-45187 (CVSS score: 7.1) - An incorrect privilege assignment vulnerability that allows guest users in the Mage AI framework to remotely execute arbitrary code through the Mage AI terminal server, because they are assigned high privileges and remain active for a default period of 30 days despite deletion

    "Since MLOps pipelines may have access to the organization's ML Datasets, ML Model Training and ML Model Publishing, exploiting an ML pipeline can lead to an extremely severe breach," JFrog said. "Each of the attacks mentioned in this blog (ML Model backdooring, ML data poisoning, etc.) may be performed by the attacker, depending on the MLOps pipeline's access to these resources."

    The disclosure comes over two months after the company uncovered more than 20 vulnerabilities that could be exploited to target MLOps platforms.

    It also follows the release of a defensive framework codenamed Mantis that uses prompt injection to counter cyber attacks driven by large language models (LLMs), with more than 95% effectiveness. "Upon detecting an automated cyber attack, Mantis plants carefully crafted inputs into system responses, leading the attacker's LLM to disrupt their own operations (passive defense) or even compromise the attacker's machine (active defense)," a group of academics from George Mason University said. "By deploying purposefully vulnerable decoy services to attract the attacker and using dynamic prompt injections for the attacker's LLM, Mantis can autonomously hack back the attacker."
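    The Weave and Deep Lake entries above are the two input-handling bugs most often found in Python-based ML services: a file path taken from the caller and joined onto a base directory without a containment check, and a caller-supplied identifier interpolated into a shell command. The block below is an added illustration written for this page, not code from Weave, Deep Lake or JFrog's report. The artifact store layout, the file names, the `owner/name` dataset format and the use of `echo` as a stand-in for a download tool are all assumptions made so that it runs offline. Each vulnerable function sits beside its hardened form, and `demo()` drives both with constructed inputs.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed identifier format for a remote dataset, in the style of "owner/name".
DATASET_RE = re.compile(r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")


def read_artifact_vulnerable(base_dir: str, requested: str) -> bytes:
    """Serve a file from an artifact store by joining the caller's path (vulnerable).

    os.path.join never checks for "..", and discards base_dir entirely when
    `requested` is absolute, so "../api_keys.txt" or "/etc/passwd" escape the store.
    """
    return Path(os.path.join(base_dir, requested)).read_bytes()


def read_artifact_hardened(base_dir: str, requested: str) -> bytes:
    """Same lookup, but the fully resolved target must stay inside the store."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()  # collapses ".." and follows symlinks
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes artifact store: {requested!r}")
    return target.read_bytes()


def fetch_dataset_vulnerable(dataset: str) -> str:
    """Build a shell command string from caller input (vulnerable).

    `echo` stands in for a real download tool so the example runs offline; the
    injection is identical with any command, because the shell parses the string.
    """
    completed = subprocess.run(
        f"echo fetching {dataset}", shell=True, capture_output=True, text=True, check=False
    )
    return completed.stdout


def fetch_dataset_hardened(dataset: str) -> str:
    """Allow-list the identifier, then pass argv as a list so no shell is involved."""
    if not DATASET_RE.fullmatch(dataset):
        raise ValueError(f"invalid dataset identifier: {dataset!r}")
    completed = subprocess.run(
        ["echo", "fetching", dataset], capture_output=True, text=True, check=False
    )
    return completed.stdout


def demo() -> dict:
    """Exercise both bug classes with constructed inputs and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        store = Path(root, "artifacts")
        store.mkdir()
        (store / "model.bin").write_bytes(b"weights")
        # Constructed secret one level above the store, standing in for a
        # credentials file the service was never meant to serve.
        secret = Path(root, "api_keys.txt")
        secret.write_bytes(b"ADMIN_KEY=constructed-sample")

        results["vuln_reads_secret"] = (
            read_artifact_vulnerable(str(store), "../api_keys.txt") == secret.read_bytes()
        )
        results["hardened_serves_model"] = (
            read_artifact_hardened(str(store), "model.bin") == b"weights"
        )
        try:
            read_artifact_hardened(str(store), "../api_keys.txt")
            results["hardened_blocks_traversal"] = False
        except PermissionError:
            results["hardened_blocks_traversal"] = True

    payload = "owner/data; echo INJECTED"  # constructed command-injection payload
    results["vuln_runs_injected_cmd"] = "INJECTED" in fetch_dataset_vulnerable(payload).splitlines()
    try:
        fetch_dataset_hardened(payload)
        results["hardened_rejects_payload"] = False
    except ValueError:
        results["hardened_rejects_payload"] = True
    results["hardened_fetch_ok"] = fetch_dataset_hardened("owner/data").strip() == "fetching owner/data"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

    The containment check resolves the path first and only then compares it with the store root, so symlinks and encoded ".." segments are judged by where they actually land. The allow-list plus argv list is preferable to quoting: quoting a string that still goes through a shell keeps the shell in the loop, while an argv list removes it.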
  • HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities
    thehackernews.com
    Nov 11, 2024 · Ravie Lakshmanan · Vulnerability / Risk Mitigation

    Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities impacting Aruba Networking Access Point products, including two critical bugs that could result in unauthenticated command execution. The flaws affect Access Points running Instant AOS-8 and AOS-10:

    - AOS-10.4.x.x: 10.4.1.4 and below
    - Instant AOS-8.12.x.x: 8.12.0.2 and below
    - Instant AOS-8.10.x.x: 8.10.0.13 and below

    The most severe among the six newly patched vulnerabilities are CVE-2024-42509 (CVSS score: 9.8) and CVE-2024-47460 (CVSS score: 9.0), two critical unauthenticated command injection flaws in the CLI Service that could result in the execution of arbitrary code. "Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211)," HPE said in an advisory covering both flaws. "Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system."

    As an interim workaround for CVE-2024-42509 and CVE-2024-47460 on devices running Instant AOS-8 code, HPE advises enabling cluster security via the cluster-security command. For AOS-10 devices, the company recommends blocking access to UDP port 8211 from all untrusted networks. Neither workaround replaces applying the updates.

    Also resolved by HPE are four other vulnerabilities:

    - CVE-2024-47461 (CVSS score: 7.2) - An authenticated arbitrary remote command execution (RCE) in Instant AOS-8 and AOS-10
    - CVE-2024-47462 and CVE-2024-47463 (CVSS scores: 7.2) - Arbitrary file creation vulnerabilities in Instant AOS-8 and AOS-10 that lead to authenticated remote command execution
    - CVE-2024-47464 (CVSS score: 6.8) - An authenticated path traversal vulnerability that leads to remote unauthorized access to files

    As workarounds for these, users are urged to restrict access to the CLI and web-based management interfaces by placing them within a dedicated VLAN, and to control them via firewall policies at layer 3 and above.

    "Although Aruba Network access points have not previously been reported as exploited in the wild, they are an attractive target for threat actors due to the potential access these vulnerabilities could provide through privileged user RCE," Arctic Wolf said. "Additionally, threat actors may attempt to reverse-engineer the patches to exploit unpatched systems in the near future."
  • Next Steps to Secure Open Banking Beyond Regulatory Compliance
    www.informationweek.com
    Final rules from the Consumer Financial Protection Bureau further the march towards open banking. What will it take to keep such data sharing secure?
  • Getting a Handle on AI Hallucinations
    www.informationweek.com
    John Edwards, Technology Journalist & Author · November 11, 2024 · 4 Min Read
    (Image: Carloscastilla via Alamy Stock Photo)

    AI hallucination occurs when an AI model, frequently a large language model (LLM) behind a generative AI chatbot, or a computer vision tool, perceives patterns or objects that are nonexistent or imperceptible to human observers, generating outputs that are inaccurate or nonsensical.

    AI hallucinations can pose a significant challenge, particularly in high-stakes fields where accuracy is crucial, such as the energy industry, life sciences and healthcare, technology, finance, and legal sectors, says Beena Ammanath, head of technology trust and ethics at business advisory firm Deloitte. With generative AI's emergence, the importance of validating outputs has become even more critical for risk mitigation and governance, she states in an email interview. "While AI systems are becoming more advanced, hallucinations can undermine trust and, therefore, limit the widespread adoption of AI technologies."

    Primary Causes

    AI hallucinations are primarily caused by the nature of generative AI and LLMs, which rely on vast amounts of data to generate predictions, Ammanath says. "When the AI model lacks sufficient context, it may attempt to fill in the gaps by creating plausible sounding, but incorrect, information." This can occur due to incomplete training data, bias in the training data, or ambiguous prompts, she notes.

    LLMs are generally trained for specific tasks, such as predicting the next word in a sequence, observes Swati Rallapalli, a senior machine learning research scientist in the AI division of the Carnegie Mellon University Software Engineering Institute. "These models are trained on terabytes of data from the Internet, which may include uncurated information," she explains in an online interview. "When generating text, the models produce outputs based on the probabilities learned during training, so outputs can be unpredictable and misrepresent facts."

    Detection Approaches

    Depending on the specific application, hallucination metrics tools such as AlignScore can be trained to score how well one text is supported by another. Yet automated metrics don't always work effectively. "Using multiple metrics together, such as AlignScore with metrics like BERTScore, may improve the detection," Rallapalli says.

    Another established way to minimize hallucinations is retrieval augmented generation (RAG), in which the model references text from established databases relevant to the output. "There's also research in the area of fine-tuning models on curated datasets for factual correctness," Rallapalli says.

    Yet even using multiple existing metrics may not fully guarantee hallucination detection. Therefore, further research is needed to develop more effective metrics to detect inaccuracies, Rallapalli says. "For example, comparing multiple AI outputs could detect if there are parts of the output that are inconsistent across different outputs or, in case of summarization, chunking up the summaries could better detect if the different chunks are aligned with facts within the original article." Such methods could help detect hallucinations better, she notes.

    Ammanath believes that detecting AI hallucinations requires a multi-pronged approach. She notes that human oversight, in which AI-generated content is reviewed by experts who can cross-check facts, is sometimes the only reliable way to curb hallucinations. "For example, if using generative AI to write a marketing e-mail, the organization might have a higher tolerance for error, as faults or inaccuracies are likely to be easy to identify and the outcomes are lower stakes for the enterprise," Ammanath explains. Yet when it comes to applications that include mission-critical business decisions, error tolerance must be low. "This makes a 'human-in-the-loop', someone who validates model outputs, more important than ever before."

    Hallucination Training

    The best way to minimize hallucinations is by building your own pre-trained foundational generative AI model, advises Scott Zoldi, chief AI officer at credit scoring service FICO. He notes, via email, that many organizations are now already using, or planning to use, this approach with focused-domain and task-based models. "By doing so, one can have critical control of the data used in pre-training -- where most hallucinations arise -- and can constrain the use of context augmentation to ensure that such use doesn't increase hallucinations but reinforces relationships already in the pre-training."

    Outside of building your own focused generative models, one needs to minimize the harm created by hallucinations, Zoldi says. "[Enterprise] policy should prioritize a process for how the output of these tools will be used in a business context and then validate everything," he suggests.

    A Final Thought

    To prepare the enterprise for a bold and successful future with generative AI, it's necessary to understand the nature and scale of the risks, as well as the governance tactics that can help mitigate them, Ammanath says. "AI hallucinations help to highlight both the power and limitations of current AI development and deployment."

    About the Author
    John Edwards, Technology Journalist & Author
    John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.
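    The two detection ideas Rallapalli describes above, chunking a summary into sentences and checking each against the source, and comparing several sampled outputs with one another, can be sketched without a trained scorer. The block below is an added illustration for this page, not AlignScore, BERTScore or any tool the article mentions: it uses plain content-token overlap with a crude suffix stripper, so it catches sentences that introduce names, places and dates absent from the source, and it misses subtler errors such as a flipped negation or a wrong number, which is exactly why the article recommends combining metrics and keeping a human in the loop. The source text, the summary and the three "sampled" outputs are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed source text, a summary whose last sentence is invented, and three
# "sampled" outputs of which one adds a claim the other two never make.
SOURCE = (
    "The vendor released firmware updates for its wireless access points. Two critical "
    "flaws allow unauthenticated command execution through the management protocol on "
    "UDP port 8211. The vendor recommends blocking that port from untrusted networks "
    "until devices are patched. No exploitation in the wild has been reported."
)
SUMMARY = (
    "The vendor patched its wireless access points against two critical unauthenticated "
    "command execution flaws reachable over the management protocol on UDP port 8211. "
    "Blocking the port from untrusted networks is recommended until patching is complete. "
    "The flaws were discovered by researchers at Acme Labs in Berlin and have been "
    "exploited since March."
)
SAMPLES = [
    "The vendor patched two critical unauthenticated command execution flaws in its "
    "wireless access points, reachable over the management protocol on UDP port 8211.",
    "Two critical flaws in the vendor's wireless access points allow unauthenticated "
    "command execution over UDP port 8211; a firmware update fixes them.",
    "A firmware update fixes two critical command execution flaws in the vendor's "
    "wireless access points. The flaws were discovered by researchers at Acme Labs in Berlin.",
]

STOPWORDS = {"the", "and", "for", "that", "this", "with", "from", "are", "was", "were",
             "has", "have", "been", "over", "against", "until", "into", "also", "its",
             "not", "but"}


def _stem(token: str) -> str:
    """Tiny suffix stripper so that 'patched', 'patching' and 'patch' compare equal."""
    for suffix in ("ing", "ed", "es", "s"):
        if token.endswith(suffix) and len(token) - len(suffix) >= 3:
            return token[: -len(suffix)]
    return token


def content_tokens(text: str) -> List[str]:
    """Lower-cased word tokens of three or more characters, minus stopwords, stemmed."""
    return [_stem(t) for t in re.findall(r"[a-z0-9]+", text.lower())
            if len(t) >= 3 and t not in STOPWORDS]


def split_sentences(text: str) -> List[str]:
    """Chunk text at sentence-ending punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def support_score(claim: str, evidence: str) -> float:
    """Fraction of the claim's content tokens that also occur in the evidence.

    Returns 1.0 for a claim with no content tokens, since there is nothing to check.
    """
    claim_tokens = content_tokens(claim)
    if not claim_tokens:
        return 1.0
    evidence_tokens = set(content_tokens(evidence))
    return sum(t in evidence_tokens for t in claim_tokens) / len(claim_tokens)


def flag_unsupported(summary: str, source: str, threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Chunk the summary and return (sentence, score) for chunks below the threshold."""
    return [(s, round(support_score(s, source), 2)) for s in split_sentences(summary)
            if support_score(s, source) < threshold]


def inconsistent_sentences(samples: List[str], threshold: float = 0.5) -> List[Tuple[int, str, float]]:
    """Self-consistency check: score each sentence of each sample against all other samples.

    A claim that only one of N sampled outputs makes is a hallucination candidate.
    """
    flagged = []
    for i, sample in enumerate(samples):
        others = " ".join(s for j, s in enumerate(samples) if j != i)
        for sentence in split_sentences(sample):
            score = support_score(sentence, others)
            if score < threshold:
                flagged.append((i, sentence, round(score, 2)))
    return flagged


if __name__ == "__main__":
    for sentence, score in flag_unsupported(SUMMARY, SOURCE):
        print(f"unsupported by source ({score}): {sentence}")
    for index, sentence, score in inconsistent_sentences(SAMPLES):
        print(f"only in sample {index} ({score}): {sentence}")
```

    Run stand-alone, the script flags the "Acme Labs in Berlin" sentence in both checks and passes the sentences that paraphrase the source. The threshold of 0.5 is a tuning knob: lower it and paraphrases start to be flagged, raise it and short fabricated clauses slip through, which is the trade-off a learned metric such as AlignScore is built to handle better than token overlap.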
  • How IT Can Show Business Value From GenAI Investments
    www.informationweek.com
    Nishad Acharya, Head of Talent Network, Turing · November 11, 2024 · 4 Min Read
    (Image: NicoElNino via Alamy Stock)

    As IT leaders, we're facing increasing pressure to prove that our generative AI investments translate into measurable and meaningful business outcomes. It's not enough to adopt the latest cutting-edge technology; we have a responsibility to show that AI delivers tangible results that directly support our business objectives. To truly maximize ROI from GenAI, IT leaders need to take a strategic approach, one that seamlessly integrates AI into business operations, aligns with organizational goals, and generates quantifiable outcomes. Let's explore advanced strategies for overcoming GenAI implementation challenges, integrating AI with existing systems, and measuring ROI effectively.

    Key Challenges in Implementing GenAI

    Integrating GenAI into enterprise systems isn't always straightforward. There are several hurdles IT leaders face, especially surrounding data and system complexity.

    Data governance and infrastructure. AI is only as good as the data it's trained on. Strong data governance enforces better accuracy and compliance, especially when AI models are trained on vast, unstructured data sets. Building AI-friendly infrastructure that can handle both the scale and complexity of AI data pipelines is another challenge, as these systems must be resilient and adaptable.

    Model accuracy and hallucinations. GenAI models can produce non-deterministic results, sometimes generating content that is inaccurate or entirely fabricated. Unlike traditional software with clear input-output relationships that can be unit-tested, GenAI models require a different approach to validation. This issue introduces risks that must be carefully managed through model testing, fine-tuning, and human-in-the-loop feedback.

    Security, privacy, and legal concerns. The widespread use of publicly and privately sourced data in training GenAI models raises critical security and legal questions. Enterprises must navigate evolving legal landscapes. Data privacy and security concerns must also be addressed to avoid potential breaches or legal issues, especially when dealing with heavily regulated industries like finance or healthcare.

    Strategies for Measuring and Maximizing AI ROI

    Adopting a comprehensive, metrics-driven approach to AI implementation is necessary for assessing your investment's business impact. To ensure GenAI delivers meaningful business results, here are some effective strategies:

    Define high-impact use cases and objectives: Start with clear, measurable objectives that align with core business priorities. Whether it's improving operational efficiency or streamlining customer support, identifying use cases with direct business relevance ensures AI projects are focused and impactful.

    Quantify both tangible and intangible benefits: Beyond immediate cost savings, GenAI drives value through intangible benefits like improved decision-making or customer satisfaction. Quantifying these benefits gives a fuller picture of the overall ROI.

    Focus on getting the use case right before optimizing costs: LLMs are still evolving. It is recommended that you first use the best model (likely the most expensive), prove that the LLM can achieve the end goal, and then identify ways to reduce the cost to serve that use case. This will make sure that the business need is not left unmet.

    Run pilot programs before full rollout: Test AI in controlled environments first to validate use cases and refine your ROI model. Pilot programs allow organizations to pinpoint areas where AI delivers the greatest value, and to learn, iterate, and de-risk before full-scale deployment.

    Track and optimize costs throughout the lifecycle: One of the most overlooked elements of AI ROI is the hidden cost of data preparation, integration, and maintenance, which can spiral if left unchecked. IT leaders should continuously monitor expenses related to infrastructure, data management, training, and human resources.

    Continuous monitoring and feedback: AI performance should be tracked continuously against KPIs and adjusted based on real-world data. Regular feedback loops allow for continuous fine-tuning, ensuring your investment aligns with evolving business needs and delivers sustained value.

    Overcoming GenAI Implementation Roadblocks

    Successful GenAI implementations depend on more than adopting the right technology; they require an approach that maximizes value while minimizing risk. For most IT leaders, success depends on addressing challenges like data quality, model reliability, and organizational alignment. Here's how to overcome common implementation hurdles:

    Align AI with high-impact business goals. GenAI projects should directly support business objectives and deliver sustainable value like streamlining operations, cutting costs, or generating new revenue streams. Define priorities based on their impact and feasibility.

    Prioritize data integrity. Poor data quality prevents effective AI. Take time to establish data governance protocols from the start to manage privacy, compliance, and integrity while minimizing risk tied to faulty data.

    Start with pilot projects. Pilot projects allow you to test and iterate on real-world impact before committing to large-scale rollouts. They offer valuable insights and mitigate risk.

    Monitor and measure continuously. Ongoing performance tracking ensures AI remains aligned with evolving business goals. Continuous adjustments are key for maximizing long-term value.

    About the Author
    Nishad Acharya, Head of Talent Network, Turing
    Nishad Acharya leads initiatives focused on the acquisition and experience of the 3M global professionals on Turing's Talent Cloud. At Turing, he has led critical roles in Strategy and Product that helped scale the company to a Unicorn. With a B.Tech from IIT Madras and an MBA from Wharton, Nishad has a strong foundation in both technology and business. Previously, he led strategy & digital transformation projects at The Boston Consulting Group. Nishad brings a passion for AI and expertise in tech services coupled with extensive experience in sectors like financial services and energy.
  • UNICEF: Senior Full Stack Developer, UNICEF Office of Innovation, 12 Months, Remote
    weworkremotely.com
    Exciting job opportunity: UNICEF's Office of Innovation is looking for two Senior Full-Stack Developers to take the engineering lead on an ambitious project, The Learning Cabinet! This online platform connects education decision-makers worldwide with curated EdTech solutions tailored to their unique contexts.

    What You'll Do: As a Senior Full-Stack Developer, you'll spearhead a headless Drupal and Next.js platform deployed on Cloudflare, empowering education decision-makers to access EdTech tools that will make a tangible difference in children's learning outcomes. You'll collaborate with an agile, interdisciplinary team to come up with innovative solutions and implement exciting value propositions, all geared towards impactful change.

    What's in it for You? Be part of a global team at the forefront of tech innovation for social good. Use your expertise to shape an MVP into a scalable solution that can help reach millions of children and solve a global learning crisis. Work remotely with a passionate team and join us for a 3-day design sprint in beautiful Helsinki, Finland! Are you ready to use your skills to reimagine education for every child? Apply today, and let's make education a transformative journey for all!