Biz & IT

Apollo raises $22M for its GraphQL platform

Published

4 years ago

June 13, 2019

Apollo, a San Francisco-based startup that provides a number of developer and operator tools and services around the GraphQL query language, today announced that it has raised a $22 million growth funding round co-led by Andreessen Horowitz and Matrix Partners. Existing investors Trinity Ventures and Webb Investment Network also participated in this round.

Today, Apollo is probably the biggest player in the GraphQL ecosystem. At its core, the company’s services allow businesses to use the Facebook -incubated GraphQL technology to shield their developers from the patchwork of legacy APIs and databases as they look to modernize their technology stacks. The team argues that while REST APIs that talked directly to other services and databases still made sense a few years ago, it doesn’t anymore now that the number of API endpoints keeps increasing rapidly.

Apollo replaces this with what it calls the Data Graph. “There is basically a missing piece where we think about how people build apps today, which is the piece that connects the billions of devices out there,” Apollo co-founder and CEO Geoff Schmidt told me. “You probably don’t just have one app anymore, you probably have three, for the web, iOS and Android . Or maybe six. And if you’re a two-sided marketplace you’ve got one for buyers, one for sellers and another for your ops team.”

Managing the interfaces between all of these apps quickly becomes complicated and means you have to write a lot of custom code for every new feature. The promise of the Data Graph is that developers can use GraphQL to query the data in the graph and move on, all without having to write the boilerplate code that typically slows them down. At the same time, the ops teams can use the Graph to enforce access policies and implement other security features.

“If you think about it, there’s a lot of analogies to what happened with relational databases in the ’80s,” Schmidt said. “There is a need for a new layer in the stack. Previously, your query planner was a human being, not a piece of software, and a relational database is a piece of software that would just give you a database. And you needed a way to query that database, and that syntax was called SQL.”

Geoff Schmidt, Apollo CEO, and Matt DeBergalis, CTO

GraphQL itself, of course, is open source. Apollo is now building a lot of the proprietary tools around this idea of the Data Graph that make it useful for businesses. There’s a cloud-hosted graph manager, for example, that lets you track your schema, as well as a dashboard to track performance, as well as integrations with continuous integration services. “It’s basically a set of services that keep track of the metadata about your graph and help you manage the configuration of your graph and all the workflows and processes around it,” Schmidt said.

The development of Apollo didn’t come out of nowhere. The founders previously launched Meteor, a framework and set of hosted services that allowed developers to write their apps in JavaScript, both on the front-end and back-end. Meteor was tightly coupled to MongoDB, though, which worked well for some use cases but also held the platform back in the long run. With Apollo, the team decided to go in the opposite direction and instead build a platform that makes being database agnostic the core of its value proposition.

The company also recently launched Apollo Federation, which makes it easier for businesses to work with a distributed graph. Sometimes, after all, your data lives in lots of different places. Federation allows for a distributed architecture that combines all of the different data sources into a single schema that developers can then query.

Schmidt tells me the company started to get some serious traction last year and by December, it was getting calls from VCs that heard from their portfolio companies that they were using Apollo.

The company plans to use the new funding to build out its technology to scale its field team to support the enterprises that bet on its technology, including the open-source technologies that power both the services.

“I see the Data Graph as a core new layer of the stack, just like we as an industry invested in the relational database for decades, making it better and better,” Schmidt said. “We’re still finding new uses for SQL and that relational database model. I think the Data Graph is going to be the same way.”

Source link

Biz & IT

Vulnerabilities in Supermicro BMCs could allow for unkillable server rootkits

Published

3 hours ago

October 4, 2023

Francisco Peguero

Getty Images

If your organization uses servers that are equipped with baseboard management controllers from Supermicro, it’s time, once again, to patch seven high-severity vulnerabilities that attackers could exploit to gain control of them. And sorry, but the fixes must be installed manually.

Typically abbreviated as BMCs, baseboard management controllers are small chips that are soldered onto the motherboard of servers inside data centers. Administrators rely on these powerful controllers for various remote management capabilities, including installing updates, monitoring temperatures and setting fan speeds accordingly, and reflashing the UEFI system firmware that allows servers to load their operating systems during reboots. BMCs provide these capabilities and more, even when the servers they’re connected to are turned off.

Code execution inside the BMC? Yup

The potential for vulnerabilities in BMCs to be exploited and used to take control of servers hasn’t been lost on hackers. In 2021, hackers exploited a vulnerability in BMCs from HP Enterprise and installed a custom rootkit, researchers from Amnpardaz, a security firm in Iran, reported that year. ILObleed, as the researchers named the rootkit, hid inside the iLO, a module in HPE BMCs that’s short for Integrated Lights-Out.

ILObleed was programmed to destroy data stored on disk. If admins reinstalled the operating system, iLObleed would remain intact and reactivate the disk-wiping attack repeatedly. The unknown attackers responsible took control of the BMCs by exploiting a vulnerability HPE had fixed four years earlier. In June, the National Security Agency urged admins to follow guidance to prevent such incidents.

Researchers from security firm Binarly on Tuesday disclosed seven high-severity vulnerabilities in the IPMI (Intelligent Platform Management Interface) BMC firmware. Supermicro has acknowledged the vulnerabilities, thanked Binarly, and provided patching information here. There’s no automated way to install the updates. Supermicro said it’s unaware of any malicious exploitation of the vulnerabilities in the wild.

One of the seven vulnerabilities, tracked as CVE-2023-40289, allows for the execution of malicious code inside the BMC, but there’s a catch: Exploiting the flaw requires already obtained administrative privileges in the web interface used to configure and control the BMCs. That’s where the remaining six vulnerabilities come in. All six of them allow cross-site scripting, or XSS, attacks on machines used by admins. The exploit scenario is to use one or more of them in combination with CVE-2023-40289.

In an email, Binarly founder and CEO Alex Matrosov wrote:

Exploiting this vulnerability requires already obtained administrative privileges in the BMC Web Interface. To achieve it, a potential attacker can utilize any of the XSS vulnerabilities we found. In such a case, the exploitation path will look like this potential scenario:

1. an attacker prepares a malicious link with the malicious payload
2. includes it in phishing emails (for example)
3. when this click is opened, the malicious payload will be executed inside BMC OS.

Admins can remotely communicate with Supermicro BMCs through various protocols, including SSH, IPMI, SNMP, WSMAN, and HTTP/HTTPS. The vulnerabilities Binarly discovered can be exploited using HTTP. While the NSA and many other security practitioners strongly urge that BMC interfaces be isolated from the Internet, there’s evidence that this advice is routinely ignored. A recent query to the Shodan search engine revealed more than 70,000 instances of Supermicro BMC that have their IPMI web interface publicly available.

Enlarge / A screenshot showing Shodan results.

The road map for exploiting the vulnerabilities against servers with Supermicro interfaces exposed this way is illustrated below:

Enlarge / The road map for exploiting a BMC that has its web interface exposed to the Internet.

In Tuesday’s post, Binarly researchers wrote:

First, it is possible to remotely compromise the BMC system by exploiting vulnerabilities in the Web Server component exposed to the Internet. An attacker can then gain access to the Server’s operating system via legitimate iKVM remote control BMC functionality or by flashing the UEFI of the target system with malicious firmware that allows persistent control of the host OS. From there, nothing prevents an attacker from lateral movement within the internal network, compromising other internal hosts.

All the vulnerabilities Binarly discovered originate in IPMI firmware third-party developer ATEN developed for Supermicro. While ATEN patched CVE-2023-40289 six months ago, the fix never made its way into the firmware.

“This is a supply chain problem because it can be other BMC vendors that can be potentially impacted by these vulnerabilities,” Matrosov wrote.

Biz & IT

Facebook’s new AI stickers can generate Mickey Mouse holding a machine gun

Published

9 hours ago

October 4, 2023

Francisco Peguero

Enlarge / A selection of AI-generated stickers created in Facebook Messenger and shared on social media site X.

Less than a week after Meta unveiled AI-generated stickers in its Facebook Messenger app, users are already abusing it to create potentially offensive images and sharing the results on social media, reports VentureBeat. In particular, an artist named Pier-Olivier Desbiens posted a series of virtual stickers that went viral on X on Tuesday, starting a thread of similarly problematic AI image generations shared by others.

“Found out that facebook messenger has ai generated stickers now and I don’t think anyone involved has thought anything through,” Desbiens wrote in his post. “We really do live in the stupidest future imaginable,” he added in a reply.

Available to some users on a limited basis, the new AI stickers feature allows people to create AI-generated simulated sticker images from text-based descriptions in both Facebook Messenger and Instagram Messenger. The stickers are then shared in chats, similar to emojis. Meta uses its new Emu image synthesis model to create them and has implemented filters to catch many potentially offensive generations. But plenty of novel combinations are slipping through the cracks.

The questionable generations shared on X include Mickey Mouse holding a machine gun or a bloody knife, the flaming Twin Towers of the World Trade Center, the pope with a machine gun, Sesame Street’s Elmo brandishing a knife, Donald Trump as a crying baby, Simpsons characters in skimpy underwear, Luigi with a gun, Canadian Prime Minister Justin Trudeau flashing his buttocks, and more.

This isn’t the first time AI-generated imagery has inspired threads full of giddy experimenters trying to break through content filters on social media. Generations like these have been possible in uncensored open source image models for over a year, but it’s notable that Meta publicly released a model that can create them without more strict safeguards in place through a feature integrated into flagship apps such as Instagram and Messenger.

Notably, OpenAI’s DALL-E 3 has been put through similar paces recently, with people testing the AI image generator’ filter limits by creating images that feature real people or include violent content. It’s difficult to catch all the potentially harmful or offensive content across cultures worldwide when an image generator can create almost any combination of objects, scenarios, or people you can imagine. It’s yet another challenge facing moderation teams in the future of both AI-powered apps and online spaces.

Enlarge / A selection of AI-generated stickers created in Facebook Messenger.

Over the past year, it has been common for companies to beta-test generative AI systems through public access, which has brought us doozies like Meta’s flawed Galactica model last November and the unhinged early version of the Bing Chat AI model. If past instances are any indication, when something offensive gets wide attention, the developer typically reacts by either taking it down or strengthening built-in filters. So will Meta pull the AI stickers feature or simply clamp down by adding more words and phrases to its keyword filter?

When VentureBeat reporter Sharon Goldman questioned Meta spokesperson Andy Stone about the stickers late Tuesday, he pointed to a blog post titled Building Generative AI Features Responsibly and said, “As with all generative AI systems, the models could return inaccurate or inappropriate outputs. We’ll continue to improve these features as they evolve and more people share their feedback.”

Biz & IT

They’ve begun: Attacks exploiting vulnerability with maximum 10 severity rating

Published

1 day ago

October 3, 2023

Francisco Peguero

Getty Images

Ransomware hackers have started exploiting one or more recently fixed vulnerabilities that pose a grave threat to enterprise networks around the world, researchers said.

One of the vulnerabilities has a severity rating of 10 out of a possible 10 and another 9.9. They reside in WS_FTP Server, a file-sharing app made by Progress Software. Progress Software is the maker of MOVEit, another piece of file-transfer software that was recently hit by a critical zero-day vulnerability that has led to the compromise of more than 2,300 organizations and the data of more than 23 million people, according to security firm Emsisoft. Victims include Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.

About as bad as it gets

CVE-2023-40044, as the vulnerability in WS_FTP Server is tracked, and a separate vulnerability tracked as CVE-2023-42657 that was patched in the same October 28 update from Progress Software, are both about as critical as vulnerabilities come. With a severity rating of 10, CVE-2023-40044 allows attackers to execute malicious code with high system privileges with no authentication required. CVE-2023-42657, which has a severity rating of 9.9, also allows for remote code execution but requires the hacker to first be authenticated to the vulnerable system.

Last Friday, researchers from security firm Rapid7 delivered the first indication that at least one of these vulnerabilities might be under active exploitation in “multiple instances. On Monday, the researchers updated their post to note they had discovered a separate attack chain that also appeared to target the vulnerabilities. Shortly afterward, researchers from Huntress confirmed an “in-the-wild exploitation of CVE-2023-40044 in a very small number of cases within our partner base (single digits currently).” In an update Tuesday, Huntress said that on at least one hacked host, the threat actor added persistence mechanisms, meaning it was attempting to establish a permanent presence on the server.

Also on Tuesday came a post on Mastodon from Kevin Beaumont, a security researcher with extensive ties to organizations whose enterprise networks are under attack.

“An org hit by ransomware is telling me the threat actor got in via WS_FTP, for infos, so you might want to prioritize patching that,” he wrote. “The ransomware group targeting WS_FTP are targeting the web version.” He added advice for admins using the file transfer program to search for vulnerable entry points using the Shodan search tool.

A bit shocking

CVE-2023-40044 is what’s known as a deserialization vulnerability, a form of bug in code that allows user-submitted input to be converted into a structure of data known as an object. In programming, objects are variables, functions, or data structures that an app refers to. By essentially transforming untrusted user input into code of the attacker’s making, deserialization exploits have the potential to carry severe consequences. The deserialization vulnerability in WS_FTP Server is found in code written in the .NET programming language.

Researchers from security firm Assetnote discovered the vulnerability by decompiling and analyzing the WS_FTP Server code. They eventually identified a “sink,” which is code designed to receive incoming events, that was vulnerable to deserialization and worked their way back to the source.

“Ultimately, we discovered that the vulnerability could be triggered without any authentication, and it affected the entire Ad Hoc Transfer component of WS_FTP,” Assetnote researchers wrote Monday. “It was a bit shocking that we were able to reach the deserialization sink without any authentication.”

Besides requiring no authentication, the vulnerability can be exploited by sending a single HTTP request to a server, as long as there’s what’s known as a ysoserial gadget pre-existing.

The WS_FTP Server vulnerability may not pose as grave a threat to the Internet as a whole compared to the exploited vulnerability in MOVEit. One reason is that a fix for WS_FTP Server became publicly available before exploits began. That gave organizations using the file-transfer software time to patch their servers before they came under fire. Another reason: Internet scans find many fewer servers running WS_FTP Server as compared to MOVEit.

Still, the damage to networks that have yet to patch CVE-2023-40044 will likely be as severe as what was inflicted on unpatched MOVEit servers. Admins should prioritize patching, and if that’s not possible right away, disable server-ad hoc transfer mode. They should also analyze their environments for signs they’ve been hacked. Indicators of compromise include: