Aug 21, 2024Ravie LakshmananSoftware program Safety / Vulnerability
Cybersecurity researchers have disclosed a important safety flaw impacting Microsoft’s Copilot Studio that might be exploited to entry delicate info.
Tracked as CVE-2024-38206 (CVSS rating: 8.5), the vulnerability has been described as an info disclosure bug stemming from a server-side request forgery (SSRF) assault.
“An authenticated attacker can bypass Server-Facet Request Forgery (SSRF) safety in Microsoft Copilot Studio to leak delicate info over a community,” Microsoft mentioned in an advisory launched on August 6, 2024.
The tech large additional mentioned the vulnerability has been addressed and that it requires no buyer motion.
Tenable safety researcher Evan Grant, who’s credited with discovering and reporting the shortcoming, mentioned it takes benefit of Copilot’s capability to make exterior net requests.
“Mixed with a helpful SSRF safety bypass, we used this flaw to get entry to Microsoft’s inner infrastructure for Copilot Studio, together with the Occasion Metadata Service (IMDS) and inner Cosmos DB cases,” Grant mentioned.
Put in a different way, the assault method made it attainable to retrieve the occasion metadata in a Copilot chat message, utilizing it to acquire managed identification entry tokens, which may then be abused to entry different inner assets, together with gaining learn/write entry to a Cosmos DB occasion.
The cybersecurity firm additional famous that whereas the strategy doesn’t enable entry to cross-tenant info, the infrastructure powering the Copilot Studio service is shared amongst tenants, probably affecting a number of clients when having elevated entry to Microsoft’s inner infrastructure.
The disclosure comes as Tenable detailed two now-patched safety flaws in Microsoft’s Azure Well being Bot Service (CVE-2024-38109, CVSS rating: 9.1), that, if exploited, may allow a malicious actor to realize lateral motion inside buyer environments and entry delicate affected person knowledge.
It additionally follows an announcement from Microsoft that it’ll require all Microsoft Azure clients to have enabled multi-factor authentication (MFA) on their accounts beginning October 2024 as a part of its Safe Future Initiative (SFI).
“MFA will probably be required to sign-in to Azure portal, Microsoft Entra admin heart, and Intune admin heart. The enforcement will progressively roll out to all tenants worldwide,” Redmond mentioned.
“Starting in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure cell app, and Infrastructure as Code (IaC) instruments will start.”
Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.
Taiwanese {hardware} vendor QNAP has added a Safety Heart with ransomware safety capabilities to the most recent model of its QTS working system for network-attached storage (NAS) units.
The brand new Safety Heart in QTS 5.2 displays for suspicious file operations to detect and block ransomware threats.
If any uncommon exercise is detected, prospects can select to have volumes routinely set to read-only mode to forestall information from being modified, create quantity snapshots to revive your complete quantity when wanted, and pause quantity snapshot scheduling to keep away from crowding out the cupboard space with irregular snapshot information.
“This function actively displays file actions to preemptively defend information safety,” the corporate revealed in a press launch on Tuesday.
“Upon detecting suspicious file habits, the system swiftly implements protecting measures (corresponding to backup or blocking) to mitigate dangers and stop information loss from ransomware threats, assaults, or human error.”
The newest QTS model additionally provides quicker NAS startup and shutdown speeds (by as much as 30%), assist for TCG-Ruby self-encrypting drives (SED), in addition to speedier backup and restoration of Home windows programs, disks, folders, and information to their QNAP NAS by way of the NetBak PC Agent utility.
QTS Safety Heart monitoring settings (QNAP)
NAS units are sometimes used for backing up and sharing delicate information, which makes them helpful targets for attackers who ceaselessly goal them to steal or encrypt helpful paperwork or deploy information-stealing malware.
QNAP repeatedlywarnsprospects about brute-force assaults in opposition to NAS units uncovered on-line, which ceaselessly result in ransomware assaults [1, 2, 3].
Disable the router’s Port Forwarding operate by going to the router’s administration interface, checking the Digital Server, NAT, or Port Forwarding settings, and turning off the port forwarding setting of the NAS administration service port (ports 8080 and 433 by default).
Disable the QNAP NAS’ UPnP operate by going to myQNAPcloud on the QTS menu, clicking “Auto Router Configuration,” and unselecting “Allow UPnP Port forwarding.”
QNAP prospects must also use this step-by-step process to alter the system port quantity, toggle off SSH and Telnet connections, allow IP and account entry safety, and alter default system passwords.
Apple’s huge lineup for this fall is sort of prepared for launch. The iPhone 16 occasion is solely weeks away, and there’s a long-awaited product prone to make an look: AirPods Max 2. Traditionally, Apple prefers launching new AirPods merchandise at its September occasions, so the watch for AirPods Max 2 ought to be over quickly. Right here’s what to anticipate from the brand new AirPods Max 2.
AirPods Max 2 are anticipated to obtain a brand new chip, probably the H2 discovered within the present AirPods Professional 2.
This H2 chip will allow AirPods Max customers to expertise highly effective new audio options at present unique to the Professional line. These embody:
Adaptive Audio, which dynamically blends Transparency and Noise Cancellation modes in response to your setting
Dialog Consciousness, which robotically lowers quantity and isolates voices in response to detected talking
Personalised Quantity, which adjusts the amount of media in response to your setting
Moreover, iOS 18 introduces a number of extra new options to AirPods Professional 2, and with the H2 they need to all come to AirPods Max 2 as nicely:
The power to nod or shake your head to answer Siri
Voice Isolation if you’re on a name
Gaming-specific enhancements to Personalised Spatial Audio with dynamic head monitoring
Typically, a brand new chip doesn’t present many causes for pleasure. Particularly if you’re speaking about headphones.
However because the characteristic lists above present, the addition of the H2 chip to AirPods Max 2 will make a world of distinction. These options are a giant purpose why I really like my AirPods Professional 2. I anticipate they’ll present a compelling purpose for AirPods Max customers to improve.
USB-C charging
One other compelling purpose to improve: a USB-C port.
Following Apple’s years-long shift to a brand new common port normal, AirPods Max 2 will exchange the prevailing Lightning port and undertake USB-C for charging.
The identical change is anticipated to occur with the new AirPods 4, that are additionally prone to launch on the iPhone 16 occasion subsequent month. The primary AirPods product to obtain USB-C charging was the AirPods Professional 2, which made the swap final fall.
It’s gradual progress, however with USB-C coming to the AirPods Max, we’re formally one step nearer to the dream of an all-USB-C life.
New colours
Apple is planning to introduce quite a lot of new colour choices for the AirPods Max 2.
At the moment, the first-gen AirPods Max are available 5 colours:
Area Grey
Pink
Inexperienced
Silver
Sky Blue
There’s no phrase on what precisely the brand new colour lineup shall be. Nevertheless, we must always anticipate to see an identical variety of choices with AirPods Max 2.
AirPods Max launched in 2020, and since then colours like Midnight and Starlight have been mainstays for Apple. So it’s probably we’ll see colours alongside these traces with the AirPods Max 2.
Substitute for the Good Case
To be clear, this one is generally hypothesis. There’s been no clear rumor about Apple changing the AirPods Max’s Good Case—although this patent is one thing.
However absolutely 4 years is lengthy sufficient for Apple to give you a greater, hopefully extra protecting case for AirPods Max customers.
The unique Good Case was one of many details of criticism for Apple’s first AirPods Max, so I believe it’s probably we’ll see a brand new case with the AirPods Max 2.
If I needed to wager, although, I believe the prevailing Good Case design may stick round, whereas a sturdier case launches as an non-compulsory accent. That approach, Apple makes extra money, and it additionally offers homeowners of the unique AirPods Max the possibility to purchase it.
The included case additionally relies upon so much on AirPods Max 2’s value…
Unknown: value level
The unique AirPods Max debuted at a excessive premium of $549. Lately, you’ll be able to typically seize them at a reduction (at present $429 on Amazon). However the arrival of competing choices raises the query of whether or not Apple will cost simply as a lot for the AirPods Max 2.
Can Apple actually proceed charging $549 for its AirPods Max? My lengthy historical past with Apple merchandise sadly says ‘sure,’ however I hope a minimum of a slight value drop is coming.
AirPods Max 2: a protracted overdue replace
Whereas not one of the anticipated options for AirPods Max 2 are significantly revolutionary, they need to nonetheless add as much as a compelling possibility for patrons.
It’s been 4 entire years because the first AirPods Max debuted, making this replace lengthy overdue. Particularly since, throughout that point, AirPods Professional 2 have persistently added nice new options that the unique AirPods Max missed out on.
However we shouldn’t have to attend lengthy. Right here’s hoping the AirPods Max 2 debut as anticipated at September’s iPhone occasion, and we are able to put this lengthy delay behind us.
Are you curious about AirPods Max 2? Another options you’re hoping for? Tell us within the feedback.
FTC: We use revenue incomes auto affiliate hyperlinks.Extra.
Whereas blue groups defend, crimson groups assault. They share a standard objective, nevertheless – assist establish and deal with gaps in organizations’ defenses earlier than these weaknesses might be exploited by malicious actors. The blue/crimson crew workout routines present invaluable insights throughout the technical, procedural and human sides of safety and may in the end assist organizations fend off precise assaults.
We not too long ago checked out a number of open-source instruments that blue groups might use whereas defending in opposition to simulated assaults, in addition to at 4 devices that would, within the fallacious arms, trigger safety hassle. This time round, we’ll spherical up 5 cutting-edge, compact instruments that hobbyist {hardware} hackers in addition to crimson teamers or moral hackers might wield whereas honing their expertise or doing their job.
1. Raspberry Pi 5
Thanks particularly to its versatility, energy and vibrant community-driven ecosystem, the Raspberry Pi has grow to be a well-liked instrument amongst safety professionals, college students, and fanatics alike. Primarily an reasonably priced single-board pc, Raspberry Pi can be loaded with numerous penetration testing instruments and serve a number of roles.
It may well, for instance, ‘morph’ right into a community sniffer and seize packets for detailed evaluation or run scripts for automated safety exams. It’s additionally perfect for on-the-go testing of instruments and for analyzing Web of Issues (IoT) gadgets, figuring out vulnerabilities earlier than cybercriminals have the prospect to use them.
The Raspberry Pi helps a wide range of working programs tailor-made to completely different functions and consumer preferences. Its official working system, Raspberry Pi OS (previously Raspbian), is predicated on Debian Linux and is optimized for the ARM structure.
Moreover, common distributions like Kali Linux can be found, and so they’re particularly crafted for penetration testing and safety auditing. These distributions come pre-loaded with a set of instruments for community scanning, vulnerability evaluation, wi-fi assaults, and extra.
Additionally, listed below are a number of attention-grabbing instruments and initiatives that may leverage Raspberry Pi because the underlying {hardware} platform:
FruityWifi: Used to audit wi-fi networks and allow superior assaults by way of an online interface.
Ha-Pi: Supplies instruments for penetration testing, together with Aircrack Ng Suite and Metasploit.
Raspberry Pwn: Consists of instruments like scapy, Wireshark, and tcpdump.
Wi-fi Assault Toolkit (WAT): Performs Wi-Fi community penetration testing on ARM platforms.
PwnPi: A simplified model of Debian Wheezy for pentesting.
NetPi: A undertaking geared toward making a community analyzer with commercial-grade options.
2. HackRF One
The HackRF One is a Swiss military knife for radio frequency (RF) fanatics and professionals alike. This open-source system lets all people from curious hobbyists to seasoned professionals dive into the invisible ocean of RFs and discover and manipulate the waves that carry the whole lot out of your favourite music station to essential communication alerts.
Designed to be versatile, this single-board software-defined radio (SDR) peripheral can each transmit and obtain alerts from 1 MHz to six GHz. This huge vary means you possibly can experiment with just about any sort of wi-fi communication, from AM/FM radio to Wi-Fi and even satellite tv for pc alerts. It’s virtually like having the keys to each wi-fi protocol ever conceived, multi functional compact type issue.
Regardless of its superior capabilities, HackRF One is transportable and strong sufficient for fieldwork, permitting safety professionals to check wi-fi community vulnerabilities or RF engineers to troubleshoot sign points on the go.
Talking of which, it permits you to assess the safety of wi-fi programs, carry out replay assaults, and discover the vulnerabilities of IoT gadgets. This consists of emulating and analyzing automotive distant controls, alarms, and different gadgets, manipulating GPS alerts, speaking with RFID tags, and performing sign evaluation and satellite tv for pc communication monitoring.
3. WiFi Pineapple
Admittedly, it’s possible you’ll want a bigger pocket for this one, however this modern gadget that appears like an innocuous router holds the facility to uncover the hidden secrets and techniques of wi-fi networks. The WiFi Pineapple is used for probing the safety of wi-fi networks by simulating a traditional entry level the place it attracts unsuspecting customers. It has two community interfaces: one for offering web entry and the opposite for interacting with close by Wi-Fi gadgets.
Determine 3: WiFi Pineappleo Mark VII (supply: Hak5)
On the core of the WiFi Pineapple is its customized working system, Pineapple OS. This Linux-based OS is particularly meant for wi-fi penetration testing and comes pre-loaded with a plethora of highly effective instruments. Pineapple OS gives a secure and environment friendly surroundings, making certain that the system operates easily throughout advanced safety assessments.
Key functions:
Evil twin assaults: Creates rogue entry factors to intercept community visitors and collect delicate data.
Deauth exams: Forces disconnections from legit networks to allow man-in-the-middle assaults.
Safety assessments: Identifies vulnerabilities and configuration gaps in wi-fi networks.
Versatile performance: Supplies numerous automated and guide wi-fi community pentesting instruments.
4. Deauther Watch
The identify says all of it. Primarily a wearable that integrates capabilities for executing Wi-Fi deauthentication assaults, this gadget disrupts the Wi-Fi connection between a tool (corresponding to a smartphone, laptop computer, or IoT system) and a Wi-Fi router by sending specifically crafted deauthentication packets.
Moreover, the Deauther Watch might include options corresponding to Wi-Fi scanning and monitoring, and packet capturing to detect vulnerabilities or monitor community exercise. The ESP8266 Deauther V3 software program gives a command-line interface (CLI) by way of USB and exams 2.4 GHz WiFi networks for vulnerabilities.
5. Ubertooth One
The Ubertooth One is primarily designed for monitoring Bluetooth communications and analyses of Bluetooth packets, in addition to for the testing of Bluetooth-enabled Web of Issues (IoT) gadgets. This open-source gadget helps numerous safety testing situations, together with sniffing for delicate data exchanged over Bluetooth connections. Certainly, its capabilities of lengthen past typical Bluetooth adapters and it may be custom-made to fulfill particular safety testing wants.
It’s primarily based on the GreatFET platform and includes a succesful radio transceiver chipset. The Ubertooth One operates within the 2.4 GHz ISM band and helps Bluetooth Low Vitality (BLE) and Traditional Bluetooth protocols, making it versatile sufficient to sort out a variety of purposes.
Conclusion
As with all devices of this type, moral issues are paramount. The tech must be utilized in environments and conditions the place permission is granted, corresponding to in managed testing environments or for instructional functions. Certainly, utilizing them to conduct unsanctioned assaults is illegitimate in lots of jurisdictions and may include extreme penalties. In the meantime, organizations have to implement a mixture of technical measures, insurance policies, and consumer schooling in order that they keep protected from unauthorized use of those gadgets on their networks.
Rockset and Explo are two highly effective instruments within the real-time analytics market. Right this moment, we’re saying a milestone in our partnership: a one-click integration, enabling customers to enroll in Explo inside Rockset in a single click on!
With our one-click integration, present Rockset customers can choose Explo and join their database on to Explo from the Rockset console with out the necessity to copy and paste credentials.
Rockset and Explo Overview
Earlier than diving into the brand new one click on integration, let’s outline what every of those instruments do within the real-time analytics worth chain.
Rockset is a database made for scalable learn operation workloads. Rockset’s distinctive mannequin of separating compute and storage in addition to separating compute assets that serve totally different workloads allows querying information at scale. Rockset’s skill to isolate workloads makes having many reads and plenty of writes on a database straightforward; in truth, Rockset is ready to create a predictable queries per second (QPS) fee, even beneath intense load. As compute scales, QPS can scale roughly linearly. Information is at all times contemporary in Rockset, with information latencies within the 10s-100s of milliseconds.
Explo is an embedded analytics platform that extends Rockset’s database performance into dashboards and information stories With Explo, product groups can embed white-label dashboards instantly into their SaaS utility or platform. Moreover, Explo gives a self-service report builder that makes use of GenAI to generate stories from the Rockset database with easy pure language queries. Explo’s embedded integration with Rockset is seamless; and now, that has simply gotten even simpler.
Explo and Rockset Launch One-Click on Integration
Explo and Rockset proceed to boost the partnership which was shaped on the idea that each options might supply a greater technique to ship real-time analytics to joint clients. The one-click integration accelerates the shopper journey to real-time analytics. By simplifying the connection between these two instruments, clients can entry, visualize, and share information in hours not months.
How It Works
Inside Rockset, clients can enter an API key, click on a singular button, and provision an Explo account pending an e mail invite hyperlink.
Under are the easy steps to arrange the Rockset and Explo one-click integration and embed a visualization in your utility. The method could be performed in beneath 10 minutes.
One-Click on Integration
First, discover Explo within the Rockset Catalog.
Subsequent, click on Explo and paste in your API key and click on “One click on hook up with Explo”.
An e mail shall be despatched to you to get you began along with your Explo account. Your credentials shall be robotically linked to Explo!
Create a Dashboard
Subsequent, create a dashboard in Explo to start out making charts.
Write SQL
Subsequent, write a SQL assertion to tug information in your visualization.
Create a Chart
Subsequent, drag a chart onto the dashboard, choose a dataset, and choose configurations in your first visualization!
Embed in Your Utility
The ultimate step is to embed Explo in your utility in a single click on and fewer than 10 strains of code.
Congratulations, you’ve now efficiently created a visualization in Explo and embedded it into your utility in beneath 10 minutes!
Explo and Rockset for Actual-Time Embedded Analytics
With the brand new one-click integration, Rockset and Explo are capable of supply real-time buyer dealing with analytics sooner than ever earlier than. Rockset and Explo are a beautiful mixture while you’re on the lookout for wonderful information freshness, quick querying, and a easy, intuitive interface for shortly placing collectively top quality visualizations to share along with your customers. With Explo’s persistent connection structure and automatic question era course of, Explo makes essentially the most of Rockset’s wonderful querying infrastructure to ship real-time, top quality analytics. The one-click setup makes the preliminary integration course of even simpler than ever earlier than. Strive the Explo One-Click on setup right this moment to see how Rockset and Explo work collectively for an incredible embedded analytics expertise!
