HOTTEST
Elyse Betters Picaro / ZDNETNot too long ago, I wrote that AI agents were the future of AI: tools that could carry out tasks for you, like ordering groceries or booking meetings. OpenAI’s latest launch makes that reality appear a bit closer. Also: AI agents will change work and society in internet-sized ways, says AWS VPOn Thursday, during a live stream, OpenAI launched a ChatGPT agent, which the company claims can handle complex tasks for you from start to finish. Some examples OpenAI provided were looking at your calendar and writing a briefing based on your upcoming events, or even planning and buying ingredients for a meal you were thinking of cooking. Let’s dive in. How it worksOpenAI’s most cutting-edge features, including Operator and deep research, gave the public a taste of the company’s agentic capabilities and now power this new agent mode. Operator, which launched in January, was created to interact directly with a web browser to carry out actions for you, while deep research is an agentic feature that can search the web for you and compose a detailed report in minutes that would otherwise take humans hours.After noticing that many of the queries being fed to Operator were a better fit for Deep Research, OpenAI decided to combine the two in this new experience — and add a few new tools.Also: Microsoft is saving millions with AI and laying off thousands – where do we go from here?For starters, the ChatGPT agent uses a visual browser that interacts with the web through a graphical user interface (GUI), a text-based browser, a terminal, and direct API access, according to the blog post. It also uses ChatGPT connectors, a feature that allows users to connect apps like Gmail and GitHub to ChatGPT so it can pull relevant information to fulfill their requests. With all of those different sources of information, ChatGPT is able to reason through which is the best for the task at hand and pull information accordingly. This processing is done using its own virtual computer and distinguishes between reasoning and action based on human instruction, which allows it to retain context while pulling from multiple tools. More
Credit: CyberX Microsoft is acquiring IoT security vendor CyberX for an undisclosed amount, the two companies announced on June 22. Microsoft plans to integrate CyberX’s products and technologies with its existing set of IoT security products, officials said. CyberX allows customers to see their existing IoT assets so they can manage and better secure those devices, […] More
McAfee announced Monday that it will sell its enterprise security business to a consortium led by Symphony Technology Group in a deal worth $4 billion. McAfee, which went public in October, said the deal is meant to bolster its efforts to become a pure-play consumer cybersecurity company.
Since its split from Intel in early 2017, McAfee has pivoted to cloud services and worked to build out its platform with a focus on its enterprise product portfolio. However, the company is now narrowing focus and directing its resources to the consumer side of the business in a bid for long term growth.
“This transaction will allow McAfee to singularly focus on our consumer business and to accelerate our strategy to be a leader in personal security for consumers,” said McAfee chief executive Peter Leav, in a statement.
Intel bought McAfee in 2011 and rebranded as Intel Security in 2014. A year later, Intel Security adjusted its strategy to refocus the business on endpoint security, as well as threat intelligence, analytics, and orchestration. McAfee was spun out from Intel through a deal with TPG Capital, which owns 51 percent of McAfee.
When the deal closes, the McAfee brand name will be retained and used for the consumer business. The enterprise unit will get a new name and brand refresh in the coming months.
RELATED: MoreImage: npm, Armand Khoury, ZDNet
The npm security team has removed today a malicious JavaScript library from the npm website that contained malicious code for opening backdoors on programmers’ computers.The JavaScript library was named “twilio-npm,” and its malicious behavior was discovered over the weekend by Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.
In a report published today, Sonatype said the library was first published on the npm website on Friday, was discovered on the same day, and removed today after the npm security team blacklisted the package.
Despite a short lifespan on the npm portal, the library was downloaded more than 370 times and automatically included in JavaScript projects built and managed via the npm (Node Package Manager) command-line utility.
Ax Sharma, the Sonatype security researcher who discovered and analyzed the library, said the malicious code found in the fake Twilio library opened a TCP reverse shell on all computers where the library was downloaded and imported inside JavaScript/npm/Node.js projects.
The reverse shell opened a connection to “4.tcp.ngrok[.]io:11425” from where it waited to receive new commands to run on the infected users’ computers.
Sharma said the reverse shell only worked on UNIX-based operating systems.
Developers asked to change credentials, secrets, keys“Any computer that has this package installed or running should be considered fully compromised,” the npm security team said today, confirming Sonatype’s investigation.
“All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm team added.
This marks the fourth major takedown of a malicious npm package over the past three months.
In late August, the npm staff removed a malicious npm (JavaScript) library designed to steal sensitive files from an infected users’ browser and Discord application.
In September, npm staff removed four npm (JavaScript) libraries for collecting user details and uploading the stolen data to a public GitHub page.
In October, the npm team removed three npm (JavaScript) packages that were also caught opening reverse shells (backdoors) on developer computers. The three packages were also discovered by Sonatype. Unlike the one discovered over the weekend, these three also worked on Windows systems, and not just UNIX-like systems. MoreMicrosoft has taken the opportunity to remind the federal government of the issues it takes with the proposed critical infrastructure legislation by flagging several aspects of the Bill that it believes could unintentionally make Australia’s security posture less secure.
The draft legislation in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, was published by the Department of Home Affairs in November. It was then introduced to Parliament in December, with Minister for Home Affairs Peter Dutton labelling it as a significant step in the protection of critical infrastructure and essential services that Australians rely upon.
The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure” that would extend the application of the Act to communications, transport, data and the cloud, food and grocery, defence, higher education, research, and health.
If passed, the laws would introduce a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD); enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
Having already highlighted concerns with the Bill before it entered Parliament, Microsoft in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has reiterated its belief that governmental intervention undermines the objectives of the proposed legislation.
“Microsoft has significant concerns about this authority … we believe that a policy allowing for direct governmental intervention would undermine the government’s objectives of defence and recovery,” it wrote.
“Rather, in many cases, it is the individual organisations themselves, and not the government, that are best positioned to determine how to appropriately respond to and mitigate the impact of cyber incidents.“It would take a preclusive amount of time for the government to come into a live incident, properly understand the fact pattern, the technologies in play and the challenges of any decisions, and then be able to direct an appropriate response.”
Elsewhere: Microsoft unsurprisingly throws support behind Australia’s Media Bargaining Code
According to Microsoft, this contributes to what military strategists have referred to as the “Fog of War”.
It’s a concept that has been applied to cyber incident responses, where additional risk is introduced during the initial phases of an ongoing crisis because the ability of subject matter experts and network defenders to adequately respond is hampered by an onslaught of information requests, speculation, and well-intended ideas from individuals or organisations when the malicious activity is yet to be fully understood by anyone.
It said further complicating any such operation is the fact that the government would be doing so without a thorough understanding of the specific resources and protocols available for deployment, and that the “resources required to obtain such knowledge would be prohibitively expensive, logistically complicated, and amount to an extremely invasive governmental intervention”.
“As such, the danger of having a government direct a private sector entity’s response without complete knowledge of the situation and the technology cannot be understated,” Microsoft said.
“Moreover, individual organisations are not only best positioned to respond; they also have as equal an incentive as the government to protect their own networks and maintain the trust of their customers.”
Microsoft added that the risk of unilateral intervention by the government greatly increases the risk of unintended collateral consequences, impacting customers directly and indirectly by undermining trust, and threatens to make entities less secure.
Microsoft’s remarks reflected many of its peers, such as Cisco, Salesforce, and Amazon Web Services (AWS) in their respective consultation submissions.
AWS is concerned that there isn’t clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.
Cisco requested there be checks and balances for all government assistance, especially for step-in powers.
Taking this further, Microsoft said if the government believes it must retain authority to intervene in situations of extraordinary national emergency, it should also be prepared to assume full liability by indemnifying organisations for any collateral harm caused by its intervention.
HERE’S MORE More
Internet of Things
Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017
That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way
LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology
The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors