What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:
First I present a new information security term: Virtual Security = Manufacturers claim that their products are secure. but in reality they are not.
New APT groups, and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non trivial. Next generation dark markets are making cybercrime easier than ever before.
Gartner expects that the security market is expected to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed in 2018 in excess of $114 billion, marking a 12.4% increase from 2017.
A New Year’s Resolution: Security is Broken…Let’s Fix It. There are three strategies that show real promise for defending against tomorrow’s threats: Deploy Deception, Leverage Threat Intelligence, Think Proactively. Plan Now for Emerging Threats. Defending against these threats will require two things. The first is understanding the economic drivers of the criminal community, and the second is to adopt strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.
Many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, but when – and when they will finally find the hack has happened. For example it Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. To prevent this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. This process is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps…why aren’t you?
Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers scan those systems for vulnerabilities actively in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late. Measure how good is your security. Data protection tools have been developed to measure the maturity of data protection issues in organization.
CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?
How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof social media profiles of your company or brands. Cyber criminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what the brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now now more important than lurking in the shadows.
Today, cybersecurity is moving beyond the financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft boss thinks that cyber war cannot be won. High impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for various cyber attacks in different sectors vary greatly. Energy and finance are the most advanced. We should all keep in mind two things: The proliferation of cyberweapons is already happening and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security” It seems also that authoritarian forces are trying to claw back control and even re-purposing the web in ways that undermine democracy.
It would be good for the company to be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires the company to detect the attack itself. A large coordinated attack could attack our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.
We need to build cyber resilience to our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”
Did you remember to test the security? Every developer team should know how to code securely and how to test security. This kind of basic hygiene with information security creates the basis for genuinely intact applications. The basic thing for the tester in terms of data security is user identification and access, securing stability, encryption, firewalls, intruder detection, anonymization of information. All these things can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.
You will see many big data beaches also in 2019. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches, check for example list of Biggest cyber security breaches 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been so much activity going on that it would considerably change the situation for better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.
How much are the first fines for GDPR infringement? It remains to be seen in 2019 as sanctions on big 2018 leaks start to appear. Infringement of GDPR regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.
IoT malware and email hacks are on the rise again. Blackmail demand claims will continue unfortunately also in 2019 and will become more innovative. In 2018 we first saw blackmail extortion with claims to have nailed you watching porn and the sender infected your computer by hacking your account or placing malware. All sorts of variants exist. There was also Spammed Bomb Threat Hoax that demands Bitcoin.Then there has been a New Extortion Email Threatens to Send a Hitman Unless You Pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.
The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increase, the threat is constantly increasing. According to Nokia report IoT botnet operations accounted for 78 percent of malware detection events in the communications service provider (CSP) networks in 2018.
Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks. Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attack. That is because most of today’s CoAP implementations forgo using hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.
Mirai botnet has been active since 2016. And several followers to it are still active. Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms. And you will not get rid of the new variations of it in 2019. Latest example is With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices. Miori is just one of the many Mirai offshoots. There is another very similar variant called Shinoa.
Regulating cyber security features on networked devices seems to be on rise. Germany proposes router security guidelines. It would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means less generic default credentials for a hacker to guess. In Finland security label created by FICORA’s Cybersecurity Center promises that will make it easy for consumers to identify a sufficiently secure devices in 2019.
Ransomware attack will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over year 2018. There is a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.
DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down the DNS and the landscape growing more problematical. Hopefully it will get robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” means that all domains hosted on these poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built by and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take time to address this issue BEFORE February 1st, 2019.
TLS 1.3 was published as of August 2018. It has been over eight years since the last major encryption protocol update. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever. With OpenSSL 1.1.1 library many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently to TLSv1.2 though there are a few caveats that may impact a minority of applications. Add this to list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.
Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended. PHP 5. is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because the new PHP7 is not fully compatible with the old PHP5, so many sites need also updates to the site PHP code. If you can’t for some reason update PHP version, special attention should be paid to the security of the server and its environment.
Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but Are You Using Them Securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing more on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.
The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked on in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and product: Expert systems, machine learning, deep learning, and artificial intelligence are all represented in the whole, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems Artificial Intelligence in Cybersecurity is Not Delivering on its Promise at least yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Also cyber-criminals start to use AI to make better attacks.
Machine learning can reduce the usefulness of CAPTCHA. Machine learning model breaks CAPTCHA systems on 33 highly visited websites very quickly.
Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and Wannacry affected several companies around the world. OlympicDestroyer affected the Olympic Games organization.
Old destructive attacks can persist for a long time. Wannacry is not dead when 2019 starts. Eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activates so the ransomware component would not activate, but the infection continues to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.
Spectre and Meltdown vulnerabilities that were found in 2017 and became public the beginning of 2018 will continue. I have been following this saga since I reported it first in Finland at Uusiteknologia.fi on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixed, but there has been numerous new vulnerability variation reported over the year on the same theme, latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found on modern processors.
USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because USB drives can cause serious disruption to process facilities through unsecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.
The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier against cyberattacks, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Also air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.
There are still major problems cyber security in industrial system. Major problems in industrial cyber security are inadequate software updates, the following non-upgraded systems, and common usage ids for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.
Perimeter-less security is hot in 2019. You can’t build anymore well defined perimeters around all of your systems. Welcome to a World of Zero Trust. Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.
Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.
Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.
Good database security planning is essential for protecting a company’s most important assets because if attackers can shut companies out of their own data can quickly cripple an organization. Leaked data can also become costly with costs of data leak itself, regulatory costs (including GDPR fines) and bad reputation that can affect revenue for a long time.
Just on the end of 2018 there was reports on SQLite vulnerabilities. Magellan is a number of vulnerabilities that exist in SQLite that were able to successfully implement remote code execution in Chromium browsers (already fidex). This vulnerability can have a wide range of influence in 2019 because SQLite is widely used in all modern mainstream operating systems and software. There is potential that Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports against attacks against many different systems and system users failing to secure their systems.
DevSecOps is having a positive impact on security, but the state of security still has a long way to go as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET application contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still riddled with security vulnerabilities.
Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information as well as potentially damaging the reputation of your business.Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.
4 mobile security threats that companies must fight in 2019: Cryptojacking, Data breaches, Insecure networks and Social engineering attacks. Also Mobile Spear phishing campaigns will form the cornerstone for targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite 5G hype. I don’t expect the assault on mobile to slow down as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.
Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation, hardware-backed security. There are also new protections for the Application Sandbox.
Ultrasonic Tracking are Beacons on the Rise. It is an inaudible sound with encoded data that can be used on a listening device with suitable application to receive information that could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.
PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign was spotted in the well-known Emotet Banking Trojan, which makes use of Freeware system tools but with an obscure purpose.
Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allow users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for a new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.
It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of the cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.
Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security Threats. But do we understand the 5G security threats to come? Most probably not, because it seems that the general understanding of 5G is pretty shallow for very many organizations. Many countries are not comfortable with the Chinese building its 5G network.
Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is potential risk that Surveillance Inhibits Freedom of Expression.
Old outdated encryption technologies refuse to die. MD5 and SHA-1 are still used in 2018 and their use does not seen to end in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.
Law is trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep Internet safe.
The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.
The use of bug bounty programs to find security vulnerabilities in software and services is increasing.In January, the EU starts running Bug Bounties on Free and Open Source Software where European Commission to start offering bug bounties on 14 Free Software projects like Notepad++ and VLC that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program.
You might need a password manager in 2019 more than you needed it now. If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember and sometimes are easily hackable. Nobody likes passwords but they’re a fact of life. How do you make them better? You need a password manager. Some examples for proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.
You might also need two-factor authentication can save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts and it usually (when implemented well) only adds a few extra seconds to your day.
Two factor authentication has been considered as best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
Two factor authentication can be hacked. Phishing Attempts That Bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write up about phishing attacks that are bypassing 2FA. If you’re an at risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to a more robust methods.
Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.
810 Comments
Tomi Engdahl says:
Q1 2019 Cyber Attacks Timeline
https://www.hackmageddon.com/2019/05/23/q1-2019-cyber-attacks-timeline/
Tomi Engdahl says:
https://semiengineering.com/week-in-review-iot-security-auto-46/
Fortinet issued its quarterly report on cyberthreats for the first quarter of 2019. “Due to their widespread use, Microsoft and Apache are permanent fixtures on the list for as long as we can remember. Routers of various types—represented this quarter by D-Link, Netcore, DASAN, and Linksys—have become staples as well over the last couple of years. But remote code execution attempts against the ThinkPHP development framework did pique our interest,” the report says. It adds, “40 different malware families (not variants) made the weekly top five list over the quarter when measured by volume per device.
https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-q1-2019.pdf
Tomi Engdahl says:
From https://semiengineering.com/week-in-review-iot-security-auto-46/
IoT devices for consumer applications are showing up in enterprise networks, potentially compromising those systems, Zscaler ThreatLabz reports. Security researchers say 91.5% of IoT transactions happen over a plaintext channel, and only 18% running that use SSL exclusively to communicate in enterprise settings.
Consumer IoT Devices Are Compromising Enterprise Networks
https://www.darkreading.com/iot/consumer-iot-devices-are-compromising-enterprise-networks/d/d-id/1334777
While IoT devices continue to multiply, the latest studies show a dangerous lack of visibility into those connected to enterprise networks.
With data pulled from more than 1,000 enterprise organizations running one or more IoT devices in its network, the “2019 IoT Threats Report” study was conducted by researchers at Zscaler ThreatLabZ. Their goal was to survey the IoT attack surface within typical enterprises by looking at IoT device footprints over the course of a one-month period. It found that the organizations under study were running 270 different IoT device profiles from 153 different IoT manufacturers. All told, these devices pumped out 56 million device transactions over the course of a single month.
For the most part, all of that IoT data is flying around in the clear. Researchers found that 91.5% of IoT transactions are conducted over a plaintext channel, and a scant 18% of IoT devices running that use SSL exclusively to communicate in enterprise settings.
That low level of encryption should come as no surprise, considering how many consumer-class devices were represented in the mix of IoT devices found in these business environments.
“Many of the devices are employee-owned, and this is just one of the reasons they are a security concern,” the report explained.
“Often, the IoT malware payloads contain a list of known default username/password names, which, among other things, enables one infected IoT device to infect another,” the report noted. It explained that Mirai, in particular, also favored leveraging vulnerabilities in IoT management frameworks that could help attackers achieve remote code execution.
Similar to those heady early days of smartphone proliferation, enterprises are reporting extremely low visibility into IoT device prevalence and activity within their networks. A study released by Ponemon Institute earlier this month showed that only 5% of organizations say they keep an inventory of all managed IoT devices.
Tomi Engdahl says:
Tips for a Cyber Safe Vacation
https://www.us-cert.gov/ncas/current-activity/2019/05/24/Tips-Cyber-Safe-Vacation
Tomi Engdahl says:
Squirrels and Security — It’s a Thing!
https://www.eeweb.com/profile/loucovey/articles/squirrels-and-security-its-a-thing
Tomi Engdahl says:
The Intelligent SOC Can be a Reality Today
https://www.securityweek.com/intelligent-soc-can-be-reality-today
External factors, including security tools shifting to the cloud, the rise of Endpoint Detection and Response (EDR) solutions, and the cybersecurity talent shortage, are presenting challenges for security operations centers (SOCs). There is a lot of talk right now about the need for SOCs to become more efficient and effective to address not only these factors but to also become more ‘intelligent.’ However, this notion of an intelligent SOC is not new.
1) Uses multisource threat intelligence strategically and tactically.
2) Uses advanced analytics to operationalize security intelligence.
3) Automates whenever feasible.
4) Adopts an adaptive security architecture.
5) Proactively hunts and investigates.
The good news is that Gartner had a vision of the SOC of the future which still holds true. Even better news, we now have the tools and technologies we need to make the intelligent SOC a reality – and we can all agree it is time.
Tomi Engdahl says:
Best Practices for Securely Moving Workloads Into the Cloud
https://www.securityweek.com/best-practices-securely-moving-workloads-cloud
Gartner’s latest IT spending forecast predicts that spending on data center systems will reach $195 billion in 2019, but decrease to $190 billion through 2022. In contrast, spending on cloud infrastructure services will grow from $39.5 billion in 2019 to $63 billion through 2021. This cloud shift would be even more pronounced if many organizations still weren’t reluctant to embark on cloud transformation projects or concerned about security risks of moving workloads to the cloud. Let’s consider whether or not cloud security concerns are justified.
Best Practices
To limit their exposure to these attacks, organizations need to rethink their enterprise security strategy and move to an identity-centric approach based on a Zero Trust model: “never trust, always verify, enforce least privilege”. This concept should be extended to the organization’s workforce, as well as partners, privileged IT admins, and outsourced IT.
Now when it comes to your cloud environment, the following best practices should be considered to stop the #1 cause of today’s breaches – privileged access abuse.
• Apply a Common Security Model Across the Entire Infrastructure When it comes to cloud adoption, one leading inhibitor is the myth that the cloud requires a unique security model, as it resides outside the traditional network perimeter. However, conventional security and compliance concepts still apply in the cloud.
• Consolidate Identities – Avoid additional silos of identity that expand the attack surface, increase overhead, and lead to identity sprawl. Instead of local cloud provider IAM accounts and access keys, use centralized identities (e.g., Active Directory) and enable federated login.
• Ensure Accountability – Shared privileged accounts (e.g., AWS EC2-user and administrator) are anonymous. Ensure 100% accountability by having users log in with their individual accounts and only elevate privilege as required. Manage entitlements centrally from Active Directory, mapping roles and groups to cloud provider roles.
• Apply Least Privilege and Privilege Elevation – Grant users “just enough privilege” to complete the task at hand in the cloud provider management console, cloud provider services, and on cloud provider instances. Implement cross-platform privilege management for cloud provider management console, Windows, and Linux instances.
• Audit Everything – Log and monitor both authorized and unauthorized user sessions to cloud provider instances. Associate all activity to an individual, and report on both privileged activity and access rights.
• Enforce Multi-Factor Authentication – To defeat in-progress attacks and ensure higher levels of user assurance, implement multi-factor authentication (MFA) for cloud service management, on login and privilege elevation for cloud provider instances, when checking out vaulted passwords.
Using Zero Trust Privilege services can extend corporate security policies and best practices to cloud environments, while reducing costs (e.g., by avoiding site-to-site VPN for identity directory synchronization purposes), improving scalability across multi-VPCs, -SaaS, and -directory environments, and minimizing security blind spots through centralized management.
Tomi Engdahl says:
5 Things Every SMB Should Know to Strengthen Defenses
https://www.securityweek.com/5-things-every-smb-should-know-strengthen-defenses
With National Small Business Week celebrated earlier this month, now is a good time to highlight five things SMB executives should know to prepare themselves and strengthen their defenses.
1. SMBs are attractive targets. While 43% of attacks target small businesses according to SCORE, the 2018 Verizon Data Breach Investigations Report finds that 58% of small businesses have experienced a breach, indicating a high success rate.
2. The impact of an attack can be devastating. Depending on the nature and scope of the campaign, recovering from a cyber attack can be difficult and costly, if not impossible, for these businesses. SMBs are less likely to have multiple locations or business segments, and their core systems are typically more interconnected.
3. SMBs are most concerned with these cyber threats. In Cisco’s research of 1,816 SMBs across 26 countries, we found (PDF) respondents lose the most sleep over:
• Targeted attacks against employees – think well-crafted phishing campaigns
• Advanced persistent threats – advanced malware the world hasn’t see before
• Ransomware – which can be particularly harmful since SMBs are more inclined to pay ransoms because they simply can’t afford the downtime and lack of access to critical data
4. Don’t forget about these other threats. Despite worries about ransomware, the threat is diminishing as more adversaries shift their focus to cryptomining – stealing computing power to mine cryptocurrencies and generate revenue
5. These tips can help strengthen defenses. There are many ways – across people, processes, and tools – to drive improvements in cybersecurity. Below are a few recommendations.
• Approach outsourcing and the cloud with open eyes.
• Strengthen security processes.
• Look for integrated tools.
Even if SMBs don’t have the resources for a comprehensive security assessment and possible overhaul, incremental change is better than none.
Tomi Engdahl says:
Onko pilvi turvallinen?
http://www.etn.fi/index.php/13-news/9528-onko-pilvi-turvallinen
Fortum halusi dedikoidut, aina palomuurien läpi menevät yhteydet, joissa palomuurisäännöt tulisivat automatisoidusti. Parviaisen mukaan tämä osoittautui hankalaksi.
- Kenelläkään toimittajalla ei ollut kattavaa palomuuriratkaisua. Kaikilla oli hienoja esitteitä, mutta toteutettuja käyttöönottoja ja toimivia ohjeita vähän. Myös toimittajien vastuusta oli suuria epäselvyyksiä.
Parviaisen mukaan Fortumissa ajateltiin, että pilven käyttö eri palveluissa oli jo arkipäivää. – Sen sijaan huomasimme, että olimme ensimmäisenä liikkeellä.
Hänen mukaansa yksi iso haaste pilvipalveluiden käytössä on se, että perinteisen IT-tietoturvan ammattilaiset ja pilviosaajat puhuvat eri kielellä ja eri termein. – On erilaisia käsityksiä siitä, mitä tietoturva on. Aivan alussa vain IP-numero oli kaikille yhteinen tuttu asia.
Tomi Engdahl says:
Framing the Problem: Cyber Threats and Elections
https://www.fireeye.com/blog/threat-research/2019/05/framing-the-problem-cyber-threats-and-elections.html
This year, Canada, multiple European nations, and others will host high profile elections. The topic of cyber-enabled threats disrupting and targeting elections has become an increasing area of awareness for governments and citizens globally. To develop solutions and security programs to counter cyber threats to elections, it is important to begin with properly categorizing the threat. In this post, we’ll explore the various threats to elections FireEye has observed and provide a framework for organizations to sort these activities.
While there is increasing global awareness of threats to elections, election administrators and others continue to face challenges in ensuring the integrity of the vote.
Tomi Engdahl says:
Nation-State Security: Private Sector Necessity
https://www.securityweek.com/nation-state-security-private-sector-necessity
Attackers With the Backing and Sophistication of Nation-States Are Increasingly Targeting Commercial Entities
There is no one-size-fits-all mold for attackers in the security space. We can – and should – do our best to stay informed regarding the latest threat assessments, industry trends, and breach disclosures. While threats facing private industry and government may once have looked distinctly different, the line separating attackers pursuing these two arenas is now so blurred that it’s often hard to distinguish one from another.
Tomi Engdahl says:
Technology is Not Our Problem
https://www.securityweek.com/technology-not-our-problem
The Security Vendor Space is Extremely Noisy and Increasingly Out of Touch With the Needs of the Enterprise
the day-to-day security challenges that confront an enterprise has reminded me quite starkly of several things:
1. Modern enterprises and their security programs are remarkably complex
2. Addressing gaps in the security program is less about technology and more about people and process
3. The security vendor space is extremely noisy and increasingly out of touch with the needs of the enterprise
4. Advice and guidance tend to be too abstract and difficult to operationalize
5. Reporting, metrics, and communicating the value that the security team provides remain a significant challenge
6. The regulatory environment is increasingly complex, pulling resources away from other important security functions
Of course, we still have problems that need to be solved, but contrary to what we’re being inundated with on a daily basis by our vendors, technology isn’t our problem. How so? Allow me to explain.
1. Complexity: For those of us with experience working in enterprise security programs, it will come as no surprise that they are complex. What I’ve noticed, however, is that the complexity has increased significantly over the last several years.
2. Gaps: Naturally, gaps in an enterprise’s security posture require attention. In recent years, however, the scope and variety of the gaps an enterprise faces has increased significantly.
3. Vendor Space: The security vendor space is remarkably crowded. Many vendors use the same language, claim to solve the same problems, and say that they operate in multiple different markets.
4. Advice: I suppose it isn’t very hard to come by advice in life. Good advice, however, is something else entirely. Many security consultancies have some interesting ideas and novel approaches. Unfortunately, where I often see advice break down is on the bridge from theory to practice. In practice, there are often complicating issues, external factors, and extenuating circumstances that make it impossible to apply textbook advice.
5. Reporting: The efforts of a security team can all too easily go unnoticed. After all, security is a field in which no news is good news. In other words, if a security team is doing its job well, nothing ever happens, and when it does, it’s quickly and efficiently contained and remediated.
6. Regulation: The number of regulations that a security team is forced to contend with seems to increase on a yearly basis. It may not be fun, but it is increasingly part of life in the security field. With increasing regulation comes increasing strain on valuable security resources.
Tomi Engdahl says:
Get Cross-Functional: Learn to Let Go and Embrace DevSecOps
https://www.securityweek.com/get-cross-functional-learn-let-go-and-embrace-devsecops
In many organizations, building and securing apps has typically been a siloed affair. The product owner, the network engineer, the developer and the security engineer all come from different teams. And all too often, these teams become fiefdoms that believe their focus is the company’s primary objective.
Today with Agile and DevOps moving faster and faster, this methodology has become a risk in itself. Since the security team often lacks up-front knowledge of the project, the threat model assessment is done after the fact. Controls amount to a wrapper around any new application or service because the security team steps in late as the security czar without really understanding why the business is developing the app in the first place. Then the business can’t release the new application on time because the threat model assessment can take weeks or months to accomplish.
Tomi Engdahl says:
Security startup Bugcrowd on crowdsourcing bug bounties: ‘Cybersecurity is a people problem’
https://techcrunch.com/2019/05/31/bugcrowd-crowdsourcing-cybersecurity/
Bugcrowd relies much more on people than it does on technology.
For as long as humans are writing software, developers and programmers are going to make mistakes
“Cybersecurity is fundamentally a people problem,” he said. “Humans are actually the root of the problem,” he said. And when humans made coding mistakes that turn into bugs or vulnerabilities that be exploited, that’s where Bugcrowd comes in — by trying to mitigate the fallout before they can be maliciously exploited.
Tomi Engdahl says:
An Analyst’s Review of Top Cyber Certs
https://pentestmag.com/an-analysts-review-of-top-cyber-certs/
Tomi Engdahl says:
Life Beyond Malware
https://pentestmag.com/life-beyond-malware/
Tomi Engdahl says:
Why women are indefinitely sharing their locations
https://techcrunch.com/2019/04/30/why-women-are-indefinitely-sharing-their-locations/
Women are throwing caution to the wind around data collection in exchange for reassurance that someone trusted is watching
Rae Witte
Tomi Engdahl says:
Watching the Watchers using Deception Techniques
https://pentestmag.com/watching-the-watchers-using-deception-techniques/
Tomi Engdahl says:
Moskova suunnittelee maailman suurimpiin lukeutuvaa valvontajärjestelmää: Yli 200 000 kasvojentunnistuskameraa
https://yle.fi/uutiset/3-10809450
Tomi Engdahl says:
The Hidden Flaws of Archives in Java
https://blog.ripstech.com/2019/hidden-flaws-of-archives-java/?utm_medium=CPC&utm_source=Facebook&utm_campaign=276149&utm_term=security&utm_content=The+Hidden+Flaws+of+Archives+in+Java
Archives such as Zip, Tar, Jar or 7z are useful formats to collect and compress multiple files or directories in a container-like structure. In web applications they are often used to import data sets and especially in Java, archives like Jar, War or Apk are used to aggregate Java class files and resources into one single file.
Tomi Engdahl says:
Artificial Intelligence and Cybersecurity
The Crossroads of Artificial Intelligence, Machine Learning, and Deep Learning
https://pentestmag.com/artificial-intelligence-and-cybersecurity/
Tomi Engdahl says:
From Beginner to Expert as Penetration Tester
https://pentestmag.com/from-beginner-to-expert-as-penetration-tester/
Tomi Engdahl says:
how i beat an online course scammer
https://www.ryanckulp.com/online-course-scam/
Tomi Engdahl says:
US now requires social media info for visa applications
You’ll need to share details for five years.
https://www.engadget.com/2019/06/01/us-requires-social-media-info-for-visa-applications/
Tomi Engdahl says:
I’ll Let Myself In: Tactics of Physical Pen Testers
https://m.youtube.com/watch?v=rnmcRTnTNC8&feature=share
Tomi Engdahl says:
”Maailman vaarallisin läppäri” myytiin 1,2 miljoonalla eurolla
https://muropaketti.com/tietotekniikka/tietotekniikkauutiset/maailman-vaarallisin-lappari-myytiin-12-miljoonalla-eurolla/
‘World’s Most Dangerous Laptop’ Is On Sale for $1.2 Million
https://gadgets.ndtv.com/laptops/news/worlds-most-dangerous-on-sale-for-1-2-million-the-persistence-of-chaos-2043499
HIGHLIGHTS
A laptop loaded with six dangerous viruses is being sold in an auction
Bids on the auction have already crossed $1.2 million
The six viruses have resulted in damages worth $100 billion globally
Tomi Engdahl says:
The moment when you realize every server in the world is vulnerable
https://medium.com/free-code-camp/hash-table-attack-8e4371fc5261
Hash tables. Dictionaries. Associative arrays. Whatever you like to call them, they are everywhere in software. They are core. And when someone finds a vulnerability in such a low-level data structure, almost all software is implicated.
This is a story of one of those core vulnerabilities, and how it took a decade to uncover and resolve. The story is pretty amazing.
Unfortunately, collisions open the door to the biggest weakness in hash tables. As soon as we have collisions, the time required for accessing an element starts gradually creeping up because we have to loop through the list within the bucket.
The idea was simple: If we have an algorithm that is normally a superfast O(1) in time complexity, but that has an obscure, unlikely corner case where a huge O(n²) nested loop can happen, our algorithm might be vulnerable to attack. Specifically, if an attacker can force an application into the corner through carefully crafted inputs, then they can overwhelm the CPU.
Tomi Engdahl says:
BLUETOOTH’S COMPLEXITY HAS BECOME A SECURITY RISK
https://www.wired.com/story/bluetooth-complex-security-risk/amp
Tomi Engdahl says:
https://www.dna.fi/yrityksille/blogi/-/blogs/ala-nakerra-yrityksen-tietoturvaa-sd-wan-innostuksen-vallassa?utm_source=facebook&utm_medium=linkad&utm_content=artikkeli_ala_nakerra_yrityksen_tietoturvaa_sd_wan_innostuksen_vallassa&utm_campaign=pk_jatkuva_some_19
Tomi Engdahl says:
New Cybersecurity Regulations About to Hit Everyone
https://pentestmag.com/new-cybersecurity-regulations-about-to-hit-everyone/
Tomi Engdahl says:
ePrivacy: Private data retention through the back door
https://edri.org/eprivacy-private-data-retention-through-the-back-door/
Captured states – e-Privacy Regulation victim of a “lobby onslaught”
https://edri.org/coe-eprivacy-regulation-victim-of-lobby-onslaught/
Tomi Engdahl says:
https://pentestmag.com/artificial-intelligence-and-cybersecurity/
Tomi Engdahl says:
The Most Expensive Lesson Of My Life: Details of SIM port hack
https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124
Tomi Engdahl says:
Overheard at Machine Identity Protection Global Summit 2019
https://www.venafi.com/blog/overheard-machine-identity-protection-global-summit-2019
Tomi Engdahl says:
Déjà Vu at LinkedIn: Second TLS Certificate Expiry in 2 Years
https://www.venafi.com/blog/deja-vu-linkedin-second-tls-certificate-expiry-2-years
Tomi Engdahl says:
THANKS TO FACEBOOK, YOUR CELLPHONE COMPANY IS WATCHING YOU MORE CLOSELY THAN EVER
https://theintercept.com/2019/05/20/facebook-data-phone-carriers-ads-credit-score/
Tomi Engdahl says:
How to Run a Simple Purple Team Operation on a Zero Budget
https://pentestmag.com/how-to-run-a-simple-purple-team-operation-on-a-zero-budget/
Purple teaming is a glossy phrase given to the action of getting your blue (Cyber defence) and red team (offence/pen-test) to work together. They are, after all, working toward the same goal, securing the same infrastructure.
Tomi Engdahl says:
Password expiration is dead, long live your passwords
https://techcrunch.com/2019/06/02/password-expiration-is-dead-long-live-your-passwords/
May was a momentous month, which marked a victory for sanity and pragmatism over irrational paranoia. I’m obviously not talking about politics. I’m talking about Microsoft finally — finally! but credit to them for doing this nonetheless! — removing the password expiration policies from their Windows 10 security baseline.
Although NIST and others precede this and deserve that credit, I think it’s worth taking a moment to recognize this moment in time as truly a fundamental change in the industry.
AdChoices
Password expiration is dead, long live your passwords
Jon Evans
@rezendi / 6 hours ago
password
May was a momentous month, which marked a victory for sanity and pragmatism over irrational paranoia. I’m obviously not talking about politics. I’m talking about Microsoft finally — finally! but credit to them for doing this nonetheless! — removing the password expiration policies from their Windows 10 security baseline.
SwiftOnSecurity
@SwiftOnSecurity
· May 31, 2019
Replying to @SwiftOnSecurity
[UPDATE] Microsoft recommendation to NOT force user password changes on a schedule is now their official published security guidance for Windows customers. This obviates decades of common-knowledge, in response to evidence it’s actually harmful to securityhttps://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/ …
Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903
Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1903 (a.k.a., “19H1”), and for Windows Server version 1903. Download the…
blogs.technet.microsoft.com
SwiftOnSecurity
@SwiftOnSecurity
Although NIST and others precede this and deserve that credit, I think it’s worth taking a moment to recognize this moment in time as truly a fundamental change in the industry.
434
7:22 AM – May 31, 2019
Twitter Ads info and privacy
81 people are talking about this
Many enterprise-scale organizations (including TechCrunch’s owner Verizon) require their users to change their passwords regularly. This is a spectacularly counterproductive policy. To quote Microsoft:
Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives … If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
…If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration? …Periodic password expiration is an ancient and obsolete mitigation of very low value
If you have a password at such an organization, I recommend you send that blog post to its system administrators. They will ignore you at first, of course, because that’s what enterprise administrators do, and because information security (like transportation security) is too often an irrational one-way ratchet because our culture of fear incentivizes security theater rather than actual security — but they may grudgingly begin to accept that the world has moved on.
Instead: Use a password manager like LastPass or 1Password. (They have viable free tiers! You really have no excuse.) Use it to eliminate or at least minimize password re-use across sites. Use two-factor authentication wherever possible. Yes, even SMS two-factor authentication, despite number-porting and SS7 attacks, because it’s still better than one-factor authentication.
And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos.
Tomi Engdahl says:
https://www.owasp.org/index.php/Testing_for_NoSQL_injection
Tomi Engdahl says:
This Doormat Can Tell Who You Are for Multi-Factor Authentication
https://blog.hackster.io/this-doormat-can-tell-who-you-are-for-multi-factor-authentication-1f01928897a8
Tomi Engdahl says:
How Can You Use Pinning to Secure Keys and Certificates?
https://www.venafi.com/blog/how-can-you-use-pinning-secure-keys-and-certificates
Tomi Engdahl says:
https://cyberx-labs.com/resources/risk-report-2019/
Tomi Engdahl says:
Exploiting The Entity: XXE (XML External Entity Injection)
https://pentestmag.com/exploiting-the-entity-xme-xml-external-entity-injection/
Tomi Engdahl says:
https://pentestmag.com/iot-security-its-complicated/
Tomi Engdahl says:
Cyber security crisis looms as 72% of professionals consider leaving their jobs
https://www.cloudpro.co.uk/it-infrastructure/security/8105/cyber-security-crisis-looms-as-72-of-professionals-consider-leaving
Alert fatigue and lack of talent are pushing information security specialists to the brink
Cyber security professionals in the UK are struggling to hold back the ever-increasing wave of threats with limited resources, leading many to consider quitting their jobs.
These are the findings of a survey of 300 specialists working in large UK organisations with 500 employees or more.
Tomi Engdahl says:
As surveillance culture grows, can we even hope to escape its reach?
https://www.theguardian.com/commentisfree/2019/may/19/as-surveillance-culture-grows-can-we-even-hope-to-escape-its-reach
The world over, the actions of citizens are being monitored on an unprecedented scale
If you want to protect your privacy, you must have something to hide. And if you actually do something to protect your privacy, well, that’s “disorderly behaviour”.
There is considerable panic in the west about the Chinese tech firm Huawei acting as a Trojan horse for Beijing. But perhaps we should worry less about the tech company than about the social use of technology. Much has been written about Beijing’s development of a dystopian surveillance state. It’s not just in China, though, that what one observer has called “algorithmic governance” is beginning to take hold.
Tomi Engdahl says:
Working at a CERT and shifting to Technical Lead
https://pentestmag.com/working-at-a-cert-and-shifting-to-technical-lead/
Tomi Engdahl says:
Apple is now the privacy-as-a-service company
https://techcrunch.com/2019/06/03/apple-is-now-the-privacy-as-a-service-company/
Tomi Engdahl says:
How to Write a Secure Code in C/C++ Programming Languages
https://pentestmag.com/write-secure-code-cc-programming-languages/
Secure coding in C/C++ programming languages is a big deal. The two languages, which are commonly used in a multitude of applications and operating systems, are popular, flexible, and versatile. However, these languages are inherently vulnerable to exploitation.
Tomi Engdahl says:
https://blog.sonatype.com/malicious-attacks-on-open-source-are-going-to-get-worse