The Dual Landscape of LLMs: Open vs. Closed Source


AI has emerged as a transformative force, reshaping industries, influencing decision-making processes, and fundamentally altering how we interact with the world. 

The field of natural language processing and artificial intelligence has undergone a groundbreaking shift with the introduction of Large Language Models (LLMs). Trained on extensive text data, these models showcase the capacity to generate text, respond to questions, and perform diverse tasks. 

When contemplating the incorporation of LLMs into internal AI initiatives, a pivotal choice arises regarding the selection between open-source and closed-source LLMs. Closed-source options offer structured support and polished features, ready for deployment. Conversely, open-source models bring transparency, flexibility, and collaborative development. The decision hinges on a careful consideration of these unique attributes in each category. 

The introduction of ChatGPT, OpenAI's chatbot, last year played a pivotal role in propelling AI to new heights and made closed-source LLMs the centre of attention. Open-source LLMs, by contrast, have yet to gain the same traction and interest from independent researchers and business owners. 

This can be attributed to the considerable operational expenses and extensive computational demands inherent in advanced AI systems. Beyond these factors, issues related to data ownership and privacy pose additional hurdles. Moreover, the disconcerting tendency of these systems to occasionally produce misleading or inaccurate information, commonly known as 'hallucination,' introduces an extra dimension of complexity to the widespread acceptance and reliance on such technologies. 

Still, open-source models have seen a surge of experimentation. Developers have built numerous fine-tuned derivatives of open models such as Llama, and these now reach parity with, and on some specific metrics outperform, closed models. Standout examples include FinGPT, BioBERT, Defog SQLCoder, and Phind, each showing what continuous exploration and adaptation within the open-source model ecosystem can produce.

Beyond providing a space for experimentation, several other factors suggest that open-source LLMs will come to receive the attention closed-source LLMs are getting now.

Open source allows organizations to understand, modify, and tailor the models to their specific requirements. The collaborative environment fosters innovation and faster development cycles, and avoiding vendor lock-in while adhering to industry standards eases integration. Open models can also be self-hosted, so sensitive prompts and documents never leave the organization's own infrastructure, which addresses the data ownership and privacy concerns raised above. Community scrutiny of the code and weights adds a layer of review, although that scrutiny is no substitute for an organization's own security evaluation of a model and the tooling around it, so it should be treated as a benefit rather than a guarantee. Together with ethical considerations, these points make open-source LLMs a strategic choice for enterprises navigating the evolving landscape of artificial intelligence.

After reviewing the strategies that LLM practitioners employ, it is clear that open-source LLMs offer a unique space for experimentation, letting enterprises explore the AI landscape with minimal financial commitment. A move to a closed-source model may become worthwhile once requirements are clearer, but the initial exploration with open source remains essential. To get the most out of either, enterprises should plan their LLM strategy around this phased approach.

Enhancing API Security: CSPF's Contribution to Wallarm's Open-Source Project


In the ever-evolving landscape of digital security, the Cyber Security & Privacy Foundation (CSPF) remains a beacon of innovation and support. Our mission extends beyond mere advocacy for cybersecurity; we actively enhance the tools that fortify our digital world. A testament to this commitment is our recent focus on Wallarm's API Firewall, a robust tool designed to protect APIs from emerging cyber threats. 
 
Our journey with Wallarm's API Firewall began with a simple yet powerful intention: to make this tool not just effective but also adaptable to the stringent requirements of B2B and high-security environments. In doing so, we embarked on a path that not only led us to add new functionalities but also to discover and rectify hidden vulnerabilities. 
 
Introducing the AllowedIPList Feature and Addressing the Denylist Bug 
 
The new feature we introduced, the AllowedIPList, restricts API access to specific, pre-approved IP addresses, an essential requirement for secure business-to-business integrations and other high-security deployments. With it in place, only authorized machines can reach the API at all, so attacks launched from anywhere else never get as far as authentication. One caveat applies to any such allowlist: it must be evaluated against the real peer address, or against a forwarding header only when that header was set by a trusted proxy, because a client-supplied X-Forwarded-For value is trivially spoofed. 
 
While working on this, we encountered a critical bug in the existing Denylist feature. The Denylist is meant to block requests that present known-compromised API keys, cookies, or tokens. Because of an error in its cache implementation, entries shorter than 53 characters were silently not added to the list, so a revoked credential of that length was still accepted. That is exactly the length range of many real credentials: HTTP basic authentication strings and session cookies are frequently far shorter than 53 characters. 
 
Our team promptly fixed the issue so that the Denylist now works regardless of an entry's length. If you run a build from before the fix, the quickest check is to denylist a short test token, send a request carrying it, and confirm the request is rejected. The resolution of this bug, alongside the implementation of the AllowedIPList, marked a significant enhancement in the API Firewall's security capabilities. 
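As an added illustration (not Wallarm's or CSPF's code), here is how the two controls fit together in Go, the language the API Firewall itself is written in: an allowlist parsed into netip prefixes, with CIDR ranges as an assumed extension beyond the single addresses described above, and a denylist keyed by the exact credential string so that entry length plays no role. The request handling, header names, cookie name and sample tokens are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// AllowedIPList holds pre-approved client addresses and networks. Check it against
// the real peer address (http.Request.RemoteAddr), never a spoofable X-Forwarded-For.
type AllowedIPList struct{ prefixes []netip.Prefix }

// NewAllowedIPList accepts CIDR ranges ("10.0.0.0/24") and single addresses
// ("203.0.113.7", stored as /32 or /128); a malformed entry is an error, not a skip.
func NewAllowedIPList(entries []string) (*AllowedIPList, error) {
	l := &AllowedIPList{}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		p, err := netip.ParsePrefix(e)
		if err != nil { // not CIDR, so it must be a single address
			a, err2 := netip.ParseAddr(e)
			if err2 != nil {
				return nil, fmt.Errorf("allowlist entry %q: %w", e, err2)
			}
			a = a.Unmap()
			p = netip.PrefixFrom(a, a.BitLen())
		}
		l.prefixes = append(l.prefixes, p.Masked())
	}
	return l, nil
}

// Allowed takes "host:port" (as in RemoteAddr) or a bare IP. Unparsable input fails
// closed; IPv4-mapped IPv6 is unmapped because netip prefixes never match across
// families, so ::ffff:203.0.113.7 would otherwise bypass a 203.0.113.7 entry.
func (l *AllowedIPList) Allowed(remote string) bool {
	a, err := netip.ParseAddr(remote)
	if ap, err2 := netip.ParseAddrPort(remote); err != nil && err2 == nil {
		a, err = ap.Addr(), nil
	}
	if err != nil {
		return false
	}
	a = a.Unmap()
	for _, p := range l.prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Denylist is an exact-match set of revoked keys, cookies and tokens. A map keyed by
// the full string has no minimum length: a 4-character cookie value is handled
// exactly like a 64-character API key.
type Denylist map[string]struct{}

// credentialsFrom gathers what the denylist is checked against: a bearer token,
// the password of HTTP basic auth, and the named session cookie.
func credentialsFrom(r *http.Request, cookieName string) []string {
	var creds []string
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		creds = append(creds, strings.TrimSpace(auth[len("Bearer "):]))
	} else if _, pass, ok := r.BasicAuth(); ok {
		creds = append(creds, pass)
	}
	if c, err := r.Cookie(cookieName); err == nil {
		creds = append(creds, c.Value)
	}
	return creds
}

// Decide applies the allowlist first, then the denylist; the reason is for logging.
func Decide(r *http.Request, ips *AllowedIPList, deny Denylist, cookieName string) (bool, string) {
	if ips != nil && !ips.Allowed(r.RemoteAddr) {
		return false, "peer address not in AllowedIPList"
	}
	for _, c := range credentialsFrom(r, cookieName) {
		if _, revoked := deny[c]; revoked {
			return false, "credential is denylisted"
		}
	}
	return true, "allowed"
}

func main() {
	ips, _ := NewAllowedIPList([]string{"10.0.0.0/24", "203.0.113.7"})
	deny := Denylist{"abcd": {}, "sess-1234": {}} // constructed short revoked tokens
	req, _ := http.NewRequest("GET", "/api/v1/orders", nil)
	req.RemoteAddr = "10.0.0.5:51234"
	req.Header.Set("Authorization", "Bearer abcd")
	fmt.Println(Decide(req, ips, deny, "session")) // false credential is denylisted
}
```

The allowlist is evaluated before any credential is looked at, so a request from an unapproved network is refused even if it carries a valid token; the denylist then only ever sees traffic from approved machines. Because the denylist is a plain set keyed by the full string, a 4-character "abcd" entry is matched the same way as a long API key, which is the behaviour the fixed Denylist restores.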
 
The Broader Impact of Open-Source Contributions 
 
This initiative underscores the importance of not just using open-source software but actively contributing to it. While the immediate financial returns might be non-evident, such contributions lead to a more secure and robust digital ecosystem. It is through diverse collaboration and multiple perspectives that we can uncover and rectify latent vulnerabilities. 

Link: https://github.com/CSPF-Founder/api-firewall/tree/main
 
Founder & TechCore Team
Cyber Security and Privacy Foundation
https://github.com/CSPF-Founder/

Data Breach Threat: OwnCloud Users Urged to Patch Vulnerabilities Now


The maintainers of ownCloud, a popular open-source file-sharing platform, have issued three security bulletins describing critical flaws in the project's components. Together the flaws could expose sensitive information and allow files to be accessed, modified or deleted without authorization, putting the security and privacy of every affected installation at risk. 

ownCloud is a self-hosted solution for syncing and sharing files individually or as a team, letting users access and manage their files from anywhere while keeping the data on infrastructure they control. It is used by businesses, educational institutions, government agencies, and privacy-conscious individuals; the ownCloud site reports 200 million users and 600 enterprise customers. 

The first flaw, CVE-2023-49103, carries a CVSS v3 score of 10.0 and affects the graphapi app in versions 0.2.0 through 0.3.0. The app ships a third-party test script that, when requested at a particular URL, prints the details of the PHP environment, including the web server's environment variables. In containerized deployments those variables can hold the ownCloud admin password, the mail server credentials, the database credentials, and the license key, so an attacker who can reach the URL obtains all of them without authenticating. Even outside containers the script reveals the PHP configuration, which is sensitive in its own right. 

ownCloud recommends immediate action: delete the file ownCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php, disable the phpinfo function in Docker containers, and rotate every secret that may have been exposed, namely the ownCloud admin password, the mail server and database credentials, and the Object-Store/S3 access keys. Rotation is not optional: if the URL was ever reachable from the internet, the credentials should be assumed to have been read. Bear in mind too that deleting the file inside a running container does not survive a redeploy from the same image, so the fix must be applied to the image or to whatever provisions the files. 
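The mitigation steps above can be checked mechanically. The following Go program is an added example, not ownCloud's code or tooling: it reports whether the test script is still present under the web root and whether phpinfo is listed in the disable_functions directive of a php.ini. The web root and php.ini locations used in main are assumptions to adjust for your image.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Relative path of the leaked test script named in the ownCloud bulletin.
const GetPhpInfoPath = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

// PhpinfoDisabled reports whether phpinfo appears in the disable_functions
// directive of the given php.ini text (comma-separated, case-insensitive,
// comment lines start with ';'). A substring such as "phpinfo_x" does not count.
func PhpinfoDisabled(ini string) bool {
	for _, line := range strings.Split(ini, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || !strings.EqualFold(strings.TrimSpace(key), "disable_functions") {
			continue
		}
		for _, fn := range strings.Split(strings.Trim(strings.TrimSpace(val), `"'`), ",") {
			if strings.EqualFold(strings.TrimSpace(fn), "phpinfo") {
				return true
			}
		}
	}
	return false
}

// AuditGraphapi checks one installation: is the test script still on disk
// under webroot, and does the PHP configuration disable phpinfo? Each finding
// is one line of text; an empty result means both mitigations are in place.
func AuditGraphapi(webroot, phpIni string) []string {
	var findings []string
	full := filepath.Join(webroot, filepath.FromSlash(GetPhpInfoPath))
	if _, err := os.Stat(full); err == nil {
		findings = append(findings, "GetPhpInfo.php is still present: delete "+full)
	}
	if !PhpinfoDisabled(phpIni) {
		findings = append(findings, "phpinfo is not listed in disable_functions")
	}
	return findings
}

func main() {
	// Assumed locations for a container-based install; adjust to your image.
	ini, _ := os.ReadFile("/etc/php/php.ini")
	for _, f := range AuditGraphapi("/var/www/owncloud", string(ini)) {
		fmt.Println("FINDING:", f)
	}
}
```

Run it inside the container (or against a mounted copy of the image's filesystem) rather than on the host, because that is where the PHP configuration that actually serves requests lives. A clean run after the fix only proves the two file-level mitigations; it says nothing about whether the secrets were already read, which is why the credential rotation still has to happen.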

The second flaw, with a CVSS score of 9.8, is an authentication bypass in the WebDAV API via pre-signed URLs, affecting core versions 10.6.0 through 10.13.0. Pre-signed URLs are supposed to be unusable unless a signing key has been configured for the file owner. In practice, if the victim's username is known and no signing key has been configured for that user (the default), an attacker can access, modify, or delete any of the user's files without authentication. The fix is to deny pre-signed URL access whenever the owner has no signing key set. 

The third flaw, with a CVSS score of 9.0, is a subdomain validation bypass in the oauth2 app affecting all versions before 0.6.1. An attacker can supply a specially crafted redirect URL that passes the app's validation code, so that OAuth callbacks are redirected to a domain under the attacker's control, where the data carried by the callback can be captured. The bulletin offers a temporary workaround, disabling the "Allow Subdomains" option, and the permanent fix hardens the validation code in the oauth2 app. 
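The second flaw is a general pattern rather than something specific to ownCloud: a signed-URL verifier that proceeds when the owner has no key configured. The Go example below is added here and is not ownCloud's code; the URL format (user, expires and sig parameters), the key store and the file paths are all constructed for illustration. It shows the forgery against a verifier that treats a missing key as an empty one, beside a hardened verifier that refuses pre-signed URLs for any user without a key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// KeyStore maps a user name to that user's signing key; a user who never set one
// up has no entry. Assumption: an illustrative store, not ownCloud's own.
type KeyStore map[string][]byte

// canonical is the string that gets signed: the path plus every query parameter
// except the signature itself, in sorted order so both sides agree byte for byte.
func canonical(u *url.URL) string {
	q := u.Query()
	q.Del("sig")
	return u.Path + "?" + q.Encode()
}

func mac(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// PresignURL builds a pre-signed URL for user and path (parameter names are
// illustrative). Passing a nil key is exactly what an attacker can do, because
// an empty key is public knowledge.
func PresignURL(key []byte, user, path string, expires time.Time) string {
	q := url.Values{"user": {user}, "expires": {strconv.FormatInt(expires.Unix(), 10)}}
	u := &url.URL{Path: path, RawQuery: q.Encode()}
	q.Set("sig", mac(key, canonical(u)))
	u.RawQuery = q.Encode()
	return u.String()
}

func checkExpiry(q url.Values, now time.Time) error {
	exp, err := strconv.ParseInt(q.Get("expires"), 10, 64)
	if err != nil || now.After(time.Unix(exp, 0)) {
		return errors.New("pre-signed URL expired or has no expiry")
	}
	return nil
}

// VerifyVulnerable signs with whatever the key lookup returns. For a user with
// no configured key that is nil, so the attacker's empty-key signature matches
// and every file of that user is reachable without authentication.
func VerifyVulnerable(keys KeyStore, rawURL string, now time.Time) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	q := u.Query()
	if mac(keys[q.Get("user")], canonical(u)) != q.Get("sig") {
		return errors.New("bad signature")
	}
	return checkExpiry(q, now)
}

// VerifyHardened refuses pre-signed URLs for any user without a configured key,
// checks expiry before doing any work, and compares the MAC in constant time.
func VerifyHardened(keys KeyStore, rawURL string, now time.Time) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	q := u.Query()
	key, ok := keys[q.Get("user")]
	if !ok || len(key) == 0 {
		return errors.New("pre-signed URLs are not enabled for this user")
	}
	if err := checkExpiry(q, now); err != nil {
		return err
	}
	if !hmac.Equal([]byte(mac(key, canonical(u))), []byte(q.Get("sig"))) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	keys := KeyStore{"alice": []byte("alice-signing-key")} // bob has no key (the default)
	now := time.Now()
	forged := PresignURL(nil, "bob", "/files/bob/payroll.xlsx", now.Add(time.Hour))
	fmt.Println("vulnerable:", VerifyVulnerable(keys, forged, now)) // <nil>: the forgery is accepted
	fmt.Println("hardened:", VerifyHardened(keys, forged, now))
}
```

The only thing the attacker needs is the victim's username, which is the condition the bulletin describes. The hardened verifier makes the absence of a key a hard failure instead of a degenerate success, and the ordering (key present, then expiry, then constant-time comparison) means an unsigned or stale URL never reaches the file layer at all.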

Taken together, the three flaws undermine the security and integrity of ownCloud installations and could be used for phishing, stealthy data theft, and other malicious activity. Ransomware groups have repeatedly exploited vulnerabilities in file-sharing platforms to steal data from thousands of companies around the world, so these bulletins deserve prompt attention. 

In related news, a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in CrushFTP, CVE-2023-43177. An unauthenticated attacker who exploits it could read files, run arbitrary programs on the host, and obtain plaintext passwords through the application. The issue was discovered and reported by Converge security researcher Ryan Emmons and was fixed in CrushFTP 10.5.2, released on August 10, 2023.