Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I will be making educated guesses based on what has happened during the last 12 months and several years before that.
The past year has seen a rapid increase in the adoption of up-and-coming technologies. Everyday items are getting smarter and more connected. Companies are saving millions with new technologies and cities are racing to implement smart solutions. 5G promises to bring wireless high-speed broadband everywhere. On the other hand, those solutions add new kinds of vulnerabilities. Competing in today’s digital marketplace requires that organizations are cyber-savvy. 2020 is when cybersecurity gets even weirder, so get ready.
Here are some trends and predictions for cyber security in 2020:
Cyber Attacks: Cyberattacks grow in volume and complexity. Many countries are going to emerge as major threats in the 2020s. Nation-state backed cyber groups have been responsible for major incidents over the last decade. And now more countries want the same power. Cyberattacks range from targeting your database to steal information that can be sold on the dark web, to hijacking unused CPU cycles on your devices to mine for cryptocurrencies, or trying to infect vulnerable systems so they can be used later as part of a botnet.
IoT security: IoT security is still getting worse until it starts to get better. IoT security is an extremely hot topic right now and will be hot for many years to come. Industrial IoT risk has been discussed a lot. Physics dictates local application deployment, because the control rate of most industrial systems is 10 milliseconds or below. Smart Building Security Awareness Grows. The risks of the IoT in financial services are great. An explosion in IoT devices significantly raises the threat level. Gartner predicted that the world will see nearly 21 billion IoT devices by next year and it would be nice if all of them would be secure, but many of them unfortunately are not secure. Hackers are continually looking for ways to exploit device vulnerabilities. From smart TVs, IP cameras, and smart elevators, to hospital infusion pumps and industrial PLC controllers, IoT and OT (Operational Technology) devices are inherently vulnerable and easy to hack. Why? Because IoT security is complicated, and security should be considered and integrated with IoT deployments. Gartner says worldwide IoT security spending will reach $1.9 billion in 2019 and will rise to $3.1 billion in 2021, making it one of the fastest growing segments in the cybersecurity industry. The IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT: device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more. You might have to do a little work with your internet of things devices to stay secure. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of the devices vulnerable to attack. One in every 172 active RSA certificates is vulnerable to attack. It is a good idea to build separate network segments for IoT devices so that they are isolated from the normal office network. The FBI recommends that you keep your IoT devices on a separate network.
IoT privacy: Silicon Valley Is Listening to Your Most Intimate Moments. The world’s biggest companies got millions of people to let temps analyze some very sensitive recordings made by your “smart” speakers and smart phones. A quarter of Americans have bought “smart speaker” devices such as the Echo, Google Home, and Apple HomePod. Consulting firm Juniper Research Ltd. estimates that by 2023 the global annual market for smart speakers will reach $11 billion, and there will be about 7.4 billion voice-controlled devices in the wild. That’s about one for every person on Earth. The question is, then what? Having microphones that listen all the time is concerning. Also some attackers are terrifying homeowners and making them feel violated in their own homes.
Medical systems security: Cyberattacks on Medical Devices Are on the Rise—and Manufacturers Must Respond. Attacks on networked medical devices, and the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction. It’s shocking that a few years after WannaCry and NotPetya, the healthcare industry is still not prepared to deal with ransomware attacks. Many hospitals and healthcare networks have been hit by ransomware over the past few months.
Surveillance cameras: Surveillance cameras are capturing what we do on the streets, at airports, in stores, and in much of our public space. China’s Orwellian video surveillance gets a bad rap, but the US isn’t far behind, as the US has nearly the same ratio of security cameras to citizens as China. And the numbers are growing all over the world. One billion surveillance cameras will be deployed globally by 2021, according to data compiled by IHS Markit. Russia is building one of the world’s largest facial recognition networks and it may even be bigger than China’s 200 million camera system. China’s installed base is expected to rise to over 560 million cameras by 2021, representing the largest share of surveillance devices installed globally, with the US rising to around 85 million cameras. Now the US, like China, has about one surveillance camera for every four people (in 2018 China had 350 million cameras and the USA 70 million). Surveillance cameras are getting better, smaller and cheaper and can be installed almost anywhere. It would be very easy to sneak another device onto a hotel’s Wi-Fi network and stream that video over the internet to a computer.
Facial recognition: Private companies and governments worldwide are already experimenting with facial recognition technology. Facial recognition software is touted as making us safer. But mass surveillance has downsides of major proportions. Massive errors found in facial recognition tech. Facial recognition systems can produce wildly inaccurate results, especially for non-whites. Russia is building one of the world’s largest facial recognition networks. Individuals, lawmakers, developers – and everyone in between – should be aware of the rise of facial recognition, and the risks it poses to rights to privacy, freedom, democracy and non-discrimination.
Shut off Internet: A worrying worldwide trend is employed by various governments: preventing people from communicating on the web and accessing information. Amid widespread demonstrations over different issues, many countries have started cutting Internet connections from people. Some countries, namely China, architected their internet infrastructure from the start with government control in mind. Russia is aiming in this direction. Iran, India, Russia. For better or worse, an internet blackout limits the government’s ability to conduct digital surveillance on citizens.
Security First: Implementing Cyber Best Practices Requires a Security-First Approach. Competing in today’s digital marketplace requires that organizations be cyber-savvy. The best defense is to start with a security-driven development and networking strategy that builds a hardened digital presence from the ground up. This not only ensures that your online services and web applications are protected from compromise, but also enables security to automatically evolve and adapt right alongside the development of your digital presence, rather than it having to be constantly rigged and retrofitted to adapt to digital innovation.
Zero Trust Network Access: Many of the most damaging breaches have been the result of users gaining access to unauthorized levels of network resources and devices. Zero Trust is an enforceable, identity-driven access policy that includes seamless and secure two-factor/OTP authentication across the organization. Zero Trust Network Access ensures that all users and devices are identified, profiled, and provided appropriate network access. It also ensures that new devices are automatically assigned to appropriate network segments based on things like device profiles and owners. When combined with Network Access Control (NAC), organizations can also discover, identify, grant appropriate access, and monitor devices, thereby enhancing your access and segmentation strategy.
Anti-virus software: Only Half of Malware Caught by Signature AV. The percentage of malware that successfully bypassed signature-based antivirus scanners at companies’ network gateways has increased significantly, either by scrambling code, known as “packing”, using basic encryption techniques or by the automatic creation of code variants. It seems that new approaches like machine learning and behavioral detection are necessary to catch threats. Meanwhile, network attacks have risen, especially against older vulnerabilities.
Ransomware attacks: Ransomware will remain a major threat in the coming year, as the criminal business model continues to flourish. Paying the ransom is a move that security professionals have long condemned, warning that paying the ransom in a ransomware attack could end up causing more turmoil for victims – as well as inspire other cybercriminals to launch ransomware attacks. Microsoft never encourages a ransomware victim to pay. What to do about this is the question. How much does a large-scale ransomware attack cost, as opposed to just hiring an adequate number of skilled IT personnel, and having disaster recovery plans in place? There is no complete security solution that could stop all attacks, but you should have decent protection. It would seem prudent to have adequate staff and offline BACKUPS to deal with this kind of situation, so decent recovery would be possible. Having no backup system is the gamble many companies and public entities seem to be playing. Good backups help to recover from ransom attacks. There are new tactics coming into use in ransomware. A new Snatch ransomware strain will reboot computers it infects into Safe Mode to disable any resident security solutions. Another new tactic by ransomware developers is to release a victim’s data if they do not pay the ransom – they will publish data that they steal to a competitor if the ransom is not paid.
Public sector: Public Sector Security Is Lagging. The state of cybersecurity and resilience in the public sector needs an urgent boost in many countries. U.S. citizens rely on state governments and local municipalities to provide a host of services, everything from access to public records, law enforcement protection, education and welfare to voting and election services. Cybercriminals have been targeting state and local governments with ransomware tools, which infect an organization’s computer networks and lock up critical files.
Consumer confidence: Winning consumer confidence is crucial to the development of new digital services. According to a PwC study, consumers are prepared to share personal information if it is of sufficient value to them. On the other hand, consumer confidence that you keep the information safe also needs to be earned.
API security: APIs now account for 40% of the attack surface for all web-enabled apps. It’s a good time to pay attention to API security, since some recent high-profile breaches have involved API vulnerabilities. OWASP, the Open Web Application Security Project known for its top 10 list of web application vulnerabilities, published the release candidate version of its API Security Top 10 list at the end of September 2019. Also it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
Skills gap: Security teams, already grappling with serious challenges due to the growing cybersecurity skills gap, are being tasked to secure an ever-expanding network footprint. Security teams are often left to secure virtual and cloud environments, the implementation of SaaS services, DevOps projects, the growing adoption of IoT, mobile workers, and an expanding array of personal connected devices after they have already been implemented. They often do not have enough people and enough knowledge of those new technologies to do their work well. The cybersecurity unemployment rate is zero, with over 1 million jobs currently unfilled, a number that is expected to climb to 3.5 million by 2021. 145% Growth is Needed to Meet Global Demand.
Think Like Your Adversary: Cybersecurity leaders need to assess the potential vulnerabilities (from the mindset of the adversary) and devise effective defensive countermeasures unique to their company’s needs. Programmers Should Think like Hackers. Security must be taken into account in all programming steps.
Third party security: Most Companies Don’t Properly Manage Third-Party Cyber Risk. It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s modern, interconnected world. Developing a Third-Party Cyber Risk Management (TPCRM) strategy is becoming more common with every news headline regarding a major breach that stemmed from a company’s relationship with a third-party.
Privacy and surveillance: Fears Grow on Digital Surveillance. Americans are increasingly fearful of monitoring of their online and offline activities, both by governments and private companies. More than 60 percent of US adults believe it is impossible to go about daily life without having personal information collected by companies or the government. Google and Facebook help connect the world and provide crucial services to billions. But their system can also be used for surveillance. Amnesty International says Facebook and Google’s omnipresent surveillance is inherently incompatible with the right to privacy and is a danger to human rights. The claim is that the companies’ surveillance-based business model is inherently incompatible with the right to privacy and poses a threat to a range of other rights including freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination. Amnesty International has called for a radical transformation of the tech giants’ core business model and said that Google and Facebook should be forced to abandon what it calls their surveillance-based business model because it is “predicated on human rights abuse.”
5G: Forecasting that 2020 will be “the year of 5G” no longer qualifies as a bold prediction. Billions of dollars’ worth of 5G rollouts are scheduled for the coming year, which will bring the emergent technology to countries around the world. The arrival of 5G will fuel an explosion of never-before-seen IoT machines, introducing uncharted vulnerabilities and opening the door for cyber-criminals to compromise our increasingly intertwined cities. Claims that 5G offers “better security” for IoT may not ring true.
5G security: The new 5G mobile networks will be the backbone of future digitalized operations. Therefore, it is also important to ensure the security and immunity of 5G networks. The Council of the European Union has warned member states that the introduction of 5G networks poses increased security risks while also bringing economic and infrastructure benefits. ENISA, the European Union Agency for Cybersecurity, has published a Threat Landscape for 5G Networks, assessing the threats related to the fifth generation of mobile telecommunications networks (5G). Organised cybercrime, rogue insiders and nation-state-backed hackers are among the groups that could soon be targeting 5G networks. Claims that 5G offers “better security” for IoT may not ring true – with the technology remaining vulnerable to SIM-jacking attacks within private Industry 4.0-style deployments. 5G SIM-swap attacks could be even worse for industrial IoT than now. Criminals can convince telcos to port a victim’s number to a new SIM card controlled by the criminal. Trust your hardware or operator? Pah, you oughta trust nobody. Do not put all your security and identification on this SIM card.
DNS Over HTTPS (DoH): DoH encrypted DNS queries are already set to arrive in the Chrome and Firefox web browsers. Microsoft will bring DNS Over HTTPS (DoH) to Windows 10 in an attempt to keep user traffic as private as possible. DoH support in Windows means encrypted DNS queries. Microsoft says that DoH doesn’t require DNS centralization if adoption is broad among operating systems and Internet service providers alike.
Firewall configuration: Now, more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.” This is a human problem, not a firewall problem.
Bot attacks: Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more. Organizations are Failing to Deal With Rising Bot Attacks.
Network security: Networks are continually growing in complexity and the cyberattack surface is constantly expanding. The network perimeter of today is elastic, expanding and contracting with the demands of both users and the business. In a rush to adopt digital business practices, many of these new network expansion projects are often being implemented ad hoc by individual lines of business. Routers sit at the edge of the network and see everything, and they can be utilized to make the network the first line of defense. A critical step in building a stronger security posture and more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. Cybercriminals only need to be successful once in finding a way to access the network – but the security team needs to monitor everything on the network and be right all the time to ensure security. Today’s core network is continually adapting to the introduction of new devices, applications, and workflows, along with shifting network configurations to support business requirements, requiring the use of advanced, intent-based segmentation.
Security-Driven Networking: Security-Driven Networking is a new, strategic approach to security that enables the seamless expansion of network environments and services without ever compromising on security. Essentially, it begins by crafting a comprehensive security policy that covers the entire organization. It outlines the protocols, enforcement and inspection technologies, policies, and protections required to be in place before any new network environment or solution is even placed on the drawing board. It requires the selection and full integration of security tools that not only work together to share and correlate intelligence and coordinate a unified response to threats, but that also work seamlessly across the widest variety of environments possible.
Critical infrastructure: Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems. In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. Expect targeted attacks on critical infrastructure facilities to increase. APT33 has shifted targeting to industrial control systems software. We need to be worried about Cyber-Physical Security of the Power Grid. To protect this infrastructure you need to prioritize strategic risks that affect critical infrastructure: concern yourself with the most important hacks, understand the critical pieces of your infrastructure and know your inter-dependencies.
Payment security: Payment security backslides for second straight year in 2019. Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. At the same time EU’s PSD2 (Payments Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, as banks will be required to open their infrastructure and data to third parties. Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use.
Election security: Nowadays, no elections can be held any longer without debate on influencing voters through online services. There are on-going accusations of Russian interference in US elections and fears about a possible reboot of this in the run-up to the 2020 elections. U.S. military cyber experts are plotting strategy in a fight against potential Russian and other cyberattacks ahead of the 2020 American and Montenegrin elections. As the 2020 Presidential election looms closer in the United States, a key focus will be on securing election infrastructure to prevent tampering. Most of the largest US voting districts are still vulnerable to email spoofing. Also, disinformation campaigns for political purposes are deeply rooted in cybercriminal endeavors. It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. Hacking is considered to be the biggest tech threat to the 2020 elections in the USA. Legislators are working on new laws, but it is not going to be enough in an era when technology is turning out entirely new attack surfaces.
False Flags: The use of false flags has become an important element in the playbook of several APT groups. This can be used to try to deflect attention away from those responsible for the attack or what is really happening.
Common attack tools: Cyber actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult.
Vulnerability disclosure: Most “white hat” cyber engineers seem to be driven by a sense of social responsibility best expressed as, “If you find something, say something.” Across the industry, the ethos is to share information quickly, whether the problem is a newly discovered exploit or an evolving cyber threat. The goal is to impel the affected vendor—hardware or software—to take quick action and produce a fix. There are good and bad ways to make vulnerabilities known. A premature “full disclosure” of a previously unknown issue can unleash the forces of evil, and the “black hats” often move faster than vendors or enterprise IT teams. The preferred path is a “responsible” or “coordinated” disclosure that happens behind the scenes. Public announcements occur after a specified period of time—typically 90 or 120 days. But things don’t always work this way.
Ransomware: Cybercriminals have become more targeted in their use of ransomware. It is inevitable that the cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. There is a Ransomware ‘Crisis’ in US Schools and in many cities in the USA.
Supply chain: Use of supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and abuse of packages and libraries. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations. There is also growth in counterfeit electronics.
Mobile: The main storage for our digital lives has moved from the PC to mobiles over the last 10 years. Several countries have started demanding their own software (maybe in some cases also malware) to be installed on all smartphones. Putin signs law making Russian apps mandatory on smartphones, computers.
Android: Today 80% of Android apps are encrypting traffic by default. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain. The heterogeneity of the Android versions will continue to be a problem in the coming year.
DDoS attacks: DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic. The number of distributed denial-of-service (DDoS) attacks rose 86% in the third quarter compared to a year ago. DNS amplification attacks accounted for 45% of the attacks, while HTTP floods and TCP SYN attacks accounted for 14%. Mobile Devices Account for 41% of DDoS Attack Traffic.
Business security: Small and medium-sized businesses (SMBs) increasingly recognize that a reactive security posture is no longer sufficient for protecting their networks. Breaches will happen. Companies should treat cyberattacks “as a matter of when” and not “whether.” Insider threats are still a big issue, as employees are one of your biggest assets, but human beings are the weakest link in the security chain. Data leaks help attackers to craft more convincing social engineering attacks. Plan proper incident management, because quick, reliable, multichannel communication is a vital part of any incident management solution. Cybercriminals often choose very small companies as their targets because small businesses rarely spend significant money on security systems. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations.
Cyber insurance: Cyber Has Emerged as a Risk That is Not Specifically Covered by Other Insurance Policies. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow.
New encryption: The problem with encrypted data is that you must decrypt it in order to work with it. There is a powerful solution to this scenario: homomorphic encryption. Homomorphic encryption makes it possible to analyze or manipulate encrypted data without revealing the data to anyone. Just like many other popular forms of encryption, homomorphic encryption uses a public key to encrypt the data. There are three main types of homomorphic encryption: partially homomorphic encryption (keeps sensitive data secure by only allowing select mathematical functions to be performed on encrypted data); somewhat homomorphic encryption (supports limited operations that can be performed only a set number of times); fully homomorphic encryption (this is the gold standard of homomorphic encryption that keeps information secure and accessible). Cryptographers have known of the concept of homomorphic encryption since 1978 but Gentry established the first homomorphic encryption scheme in 2009. The biggest barrier to widescale adoption of homomorphic encryption is that it is still very slow. Duality, a security startup co-founded by the creator of homomorphic encryption, raises $16M.
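The "partially homomorphic" type described above, as an added example that is not from the original post: a toy Paillier cryptosystem in Python, where a party holding only the public key adds encrypted values and scales them by public constants without ever seeing them. The choice of Paillier, the demo primes, the sample readings and all class and function names are assumptions made for this illustration, and the key size is far too small for real use.

```python
"""Toy Paillier cryptosystem: partially homomorphic (addition only).

Added illustration. The primes are constructed demo values and far too
small for real use; production code needs a vetted library and a >=2048-bit n.
"""
import secrets
from math import gcd

# Constructed demo primes (Mersenne primes 2^61-1 and 2^89-1). NOT secure sizes.
P = 2**61 - 1
Q = 2**89 - 1


class PublicKey:
    """What an untrusted processor holds: it can encrypt and compute, not decrypt."""

    def __init__(self, n):
        self.n = n
        self.n2 = n * n

    def encrypt(self, m):
        if not 0 <= m < self.n:
            raise ValueError("plaintext must be in [0, n)")
        # Fresh random r per call, so equal plaintexts yield different ciphertexts.
        while True:
            r = secrets.randbelow(self.n - 1) + 1
            if gcd(r, self.n) == 1:
                break
        # With generator g = n + 1: g^m mod n^2 == 1 + m*n mod n^2.
        return ((1 + m * self.n) * pow(r, self.n, self.n2)) % self.n2

    def add(self, c1, c2):
        """Enc(a), Enc(b) -> Enc(a + b mod n): multiply the ciphertexts."""
        return (c1 * c2) % self.n2

    def mul_const(self, c, k):
        """Enc(a), plaintext constant k -> Enc(k * a mod n): exponentiate."""
        return pow(c, k, self.n2)


class PrivateKey:
    """Held only by the data owner."""

    def __init__(self, p, q):
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
        self.mu = pow(self.lam, -1, self.n)  # modular inverse (Python 3.8+)

    def decrypt(self, c):
        x = pow(c, self.lam, self.n2)
        return ((x - 1) // self.n) * self.mu % self.n


def keygen(p=P, q=Q):
    if gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("unsuitable primes")
    return PublicKey(p * q), PrivateKey(p, q)


def encrypted_weighted_sum(pub, ciphertexts, weights):
    """Run by the untrusted party: sum(w_i * x_i) over ciphertexts only."""
    acc = pub.encrypt(0)
    for c, w in zip(ciphertexts, weights):
        acc = pub.add(acc, pub.mul_const(c, w))
    return acc


def demo():
    pub, priv = keygen()
    readings = [72, 65, 90, 58]   # constructed sample data (e.g. sensor values)
    weights = [1, 2, 1, 3]        # public weights chosen by the processor
    cts = [pub.encrypt(m) for m in readings]
    total = priv.decrypt(encrypted_weighted_sum(pub, cts, [1] * len(cts)))
    weighted = priv.decrypt(encrypted_weighted_sum(pub, cts, weights))
    return total, weighted


if __name__ == "__main__":
    print(demo())
```

The scheme offers no operation that multiplies two encrypted values together, which is the restriction that makes it partially rather than fully homomorphic.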
Artificial Intelligence (AI): The buzzword for 2019 that we have all heard a thousand times was Artificial Intelligence, AI. The term AI is often interchanged with machine learning. There is a lot of research examining AI applications in cyber security. As cyberattacks grow in volume and complexity, hopefully artificial intelligence (AI) is helping under-resourced security operations analysts stay ahead of threats. Cybersecurity tools currently use this data aggregation and pattern analysis in the field of heuristic modeling: THE TRUE FUNCTION OF AI WILL BE TO DETERMINE WITH A LONG ARC OF TIME AND DATA, WHAT “NORMAL” LOOKS LIKE FOR A USER. AI can act as an advisor to analysts, helping them quickly identify and connect the dots between threats. Finnish cyber security company F-Secure is doing research on AI agents, and Mikko Hyppönen says that AI should not be used to try to imitate humans and that artificial intelligence-based attacks are expected in the near future. Another Finnish cyber security company, Nixu, says that artificial intelligence is going to revolutionize cyber security. According to Orlando Scott-Cowley from Amazon Web Services, machine learning is the new normal in cyber security. Advanced Machine Learning layers are to be integrated into the latest Windows cybersecurity products. Leaders in artificial intelligence warn that progress is slowing, big challenges remain, and simply throwing more computers at a problem isn’t sustainable.
2020 problems: Has your business prepared for the ‘2020 problem’? Software updates for Windows 7 will end on January 14, 2020. As of Jan. 14, 2020, Windows 7 and Server 2008 technical support and software updates will no longer be available from Windows Update. There will no longer be updates for Office 2010. Some business users can buy extended security update support with extra money for some time. Python will stop supporting Python version 2 on January 1, 2020. Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. December 2019 Patch Tuesday was the last time Microsoft ever offered security updates for devices running Windows 10 Mobile.
Crypto wars continue: A decades-old debate: Government officials have long argued that encryption makes criminal investigations too hard. Governments all over the world say that encrypted communication is a huge issue for law enforcement, and the balance between the privacy of citizens and effective policing of criminal activity is top of mind for governments, technology companies, citizens and privacy organisations all over the world. The international police organization Interpol plans to condemn the spread of strong encryption. Like top law enforcement officials in the United States, United Kingdom and Australia, the larger group will cite difficulties in catching child sexual predators as grounds for companies opening up user communications to authorities wielding court warrants. Congress warns tech companies: Take action on encryption, or we will. US lawmakers are poised to “impose our will” if tech companies don’t weaken encryption so police can access data.
Do not weaken encryption: Companies, they say, should build in special access that law enforcement could use with a court’s permission. Technologists say creating these back doors would weaken digital security for everyone. Unfortunately, every privacy protection mechanism is subject to abuse by the morally challenged. That’s just a truth that must be accepted and overcome. Invading the privacy of the masses in order to catch criminals is unacceptable. Remember three things: One, that strong encryption is necessary for personal and national security. Two, that weakening encryption does more harm than good. And three, law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. If back-doors are added to encryption, they will be abused. If You Think Encryption Back Doors Won’t Be Abused, You May Be a Member of Congress. Bad encryption can have business consequences. Apple and Facebook told the committee that back doors would introduce massive privacy and security threats and would drive users to devices from overseas. In Australia 40% of firms say they have lost sales or other commercial opportunities as a result of the encryption law being in place.
2FA: The second authentication factor might be a minor inconvenience, but it provides a major security boost. With past years riddled with security breaches, it is high time we evaluated the way we secure our online presence. Two factors are much better than one, but can still be hacked. Attacks that phish 2FA to access email accounts cost $100-$400; such attacks can be prevented with physical security keys. Also some physical security keys can be hacked as they turn to be less secure that what they were told to be in the advertisements.
Myth of sophisticated hacker in news: It’s the latest lexical stretch for an adjective that’s widely used in reports of cybersecurity incidents — and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.
New security models: Google moved from perimeter-based to cloud-native security. Google’s architecture is the inspiration and template for what’s widely known as “cloud-native” today—using microservices and containers to enable workloads to be split into smaller, more manageable units for maintenance and discovery. Google’s cloud-native architecture was developed prioritizing security as part of every evolution.
Hacktivists: Hacktivists seek to obtain private information about large companies in order to embarrass or expose the company’s controversial business practices. Many companies are a treasure trove for personal information, whether they realize it or not. Experian is predicting that the emerging cannabis industry will experience an increase in data breaches and cybersecurity threats in 2020.
RCS messaging: RCS, expanded as Rich Communications Services, is a protocol that aims to replace SMS. RCS messaging has rolled out to Android users in the US. The update brings a lot of new features, such as chat, sending hi-res videos and photos, and creating group chats. One criticism of RCS is that it doesn’t provide end-to-end encryption. RCS could also be better in many other security aspects. Researchers have discovered that the RCS protocol exposes most users to several cyber attacks. These risks are said to be mitigated by implementing the protocol with the security perspective in mind. The standard itself allows for poor security implementation, but GSMA advises its members to deploy RCS with the most secure settings possible.
Data breaches: Billions of Sensitive Files Exposed Online all the time. During the first six months of 2019, more than 4 billion records were exposed by data breaches. That’s a shocking statistic that’s made even more so when you realize that passwords were included in droves. On December 4, a security researcher discovered a treasure trove of more than a billion plain-text passwords in an unsecured online database. Many businesses wrongly assume they are too small to be on the radar of the threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores. All organizations are exposed to security breaches: from large multinationals to SMEs and public administrations. A common thread is unsecured cloud-based databases that left the sensitive information wide open for anyone to access online.
Phishing: Phishing remains one of the most pervasive online threats. Phishing emails are still managing to catch everyone out. Phishing e-mails that are used to steal credentials usually depend on the user clicking a link that leads to a phishing website that looks like the login page of some valid service. Google Chrome now offers better protection against it, as Safe Browsing displays warning messages to users ahead of visiting dangerous websites and before downloading harmful applications. New, advanced ways to phish are coming into use. With dynamite phishing, the cyber criminals read the email communication from a system already infected with an information stealer. The infected user’s correspondents then receive malicious emails that quote the last “real” email between the two parties and look like a legitimate response from the infected user. Attacks that phish 2FA to access email accounts cost $100-$400; such attacks can be prevented with physical security keys.
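The 2FA and Phishing paragraphs both say that phished 2FA can be prevented with physical security keys. The following added example (not from the original article) models why: a typed one-time code carries no record of the site it was entered on, while a security key signs the origin the browser actually visited. The origins, secrets and function names are constructed for illustration, and an HMAC stands in for the public-key signature a real key produces.

```python
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://mail.example"          # constructed: the genuine login site
LOOKALIKE_ORIGIN = "https://mail-login.test"  # constructed: page opened by a phishing link


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the one-time code the user reads and types in."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The server can only compare digits. Nothing in the code says which
    # website the user typed it into, so a forwarded code looks the same.
    return hmac.compare_digest(totp(secret, unix_time), code)


class SecurityKey:
    """Toy origin-bound authenticator (assumption: HMAC replaces the real
    key's asymmetric signature so the example needs only the standard library)."""

    def __init__(self, credential_key: bytes):
        self._key = credential_key

    def sign(self, challenge: bytes, origin: str) -> dict:
        # 'origin' comes from the browser's address bar, not from the page
        # content or the user, and it is covered by the signature.
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
        ).encode()
        signature = hmac.new(self._key, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": signature}


def server_verify_assertion(credential_key: bytes, challenge: bytes,
                            assertion: dict) -> bool:
    expected = hmac.new(credential_key, assertion["client_data"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False  # signed data was altered after the key produced it
    fields = json.loads(assertion["client_data"])
    return (fields["challenge"] == challenge.hex()
            and fields["origin"] == REAL_ORIGIN)


def compare_factors(now: int = 1_577_836_800) -> dict:
    """Return what the genuine server accepts in each situation."""
    totp_secret = b"constructed-totp-secret"
    credential_key = b"constructed-credential-key"
    challenge = hashlib.sha256(b"constructed-login-challenge").digest()
    key = SecurityKey(credential_key)

    # The user types the current code into whatever page is open; if that
    # page passes it on, the server receives a perfectly valid code.
    code = totp(totp_secret, now)

    on_real = key.sign(challenge, REAL_ORIGIN)
    on_lookalike = key.sign(challenge, LOOKALIKE_ORIGIN)
    # Rewriting the origin field afterwards breaks the signature.
    rewritten = dict(on_lookalike, client_data=on_lookalike["client_data"].replace(
        LOOKALIKE_ORIGIN.encode(), REAL_ORIGIN.encode()))

    return {
        "totp_code_typed_on_lookalike": server_verify_totp(totp_secret, code, now),
        "key_used_on_real_site": server_verify_assertion(credential_key, challenge, on_real),
        "key_used_on_lookalike": server_verify_assertion(credential_key, challenge, on_lookalike),
        "key_relay_rewrites_origin": server_verify_assertion(credential_key, challenge, rewritten),
    }


if __name__ == "__main__":
    for case, accepted in compare_factors().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

For defenders, the takeaway is that the origin check happens on the server for every login, so it only protects accounts where the weaker factor is not left enabled as a fallback.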
Windows: Microsoft Doesn’t Back Up the Windows Registry Anymore. It’s still possible to perform Windows Registry backups, but the option is disabled by default. It’s time to disconnect RDP from the internet as brute-force attacks and BlueKeep exploits usurp convenience of direct RDP connection. Microsoft is ready to push a full-screen warning to Windows 7 users who are still running the OS after January 14.
Linux: Support for the 32-bit i386 architecture will be dropped by many Linux distributions. It turns out that there are essentially no upstream development resources dedicated to x86_32 Linux. Perhaps unsurprisingly, it was badly broken.
Drones: Turkey is getting military drones armed with machine guns. Drone hacking happens. There is now Dronesploit – Metasploit for drones. It is a Metasploit-style CLI framework tailored for tinkering with everybody’s favourite unmanned flying objects.
World market war: China tells government offices to remove all foreign computer equipment. China has ordered the replacement of all foreign PC hardware and operating systems in state offices over the next three years. This will mean that China will ditch all Windows PCs by 2022. China already has some of its own Linux distros, such as Kylin and Deepin. Many western countries are more or less banning Huawei telecom equipment.
Cloud security: Traditional security tools and methodologies are ill-suited to protect cloud native’s developer-driven and infrastructure-agnostic multicloud patterns. The vision as laid out by these renowned analysts is straightforward. The legacy “data center as the center of the universe” network and network security architecture is obsolete and has become an inhibitor to the needs of digital business. They describe the underpinning shift to cloud infrastructure, a digital transformation that has been underway for ten years. They also point out that the corporate network cannot protect end users who consume cloud applications from any location and any device without the contorting, expensive backhaul of traffic through the corporate data center. Gartner coins a new term for the future of security and networks, SASE (pronounced sassy), Secure Access Service Edge, which is not anything really new. SASE promises to create a ubiquitous, resilient, and agile secure network service—globally. Most of the stolen data incidents in the cloud are related to simple human errors rather than concerted attacks. Expect that through 2020, 95% of cloud security failures will be the customer’s fault. A common thread is unsecured cloud-based databases that left the sensitive information wide open for anyone to access online. Also it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
Autocracy as a service: Now Any Government Can Buy China’s Tools for Censoring the Internet. “Autocracy as a service” lets countries buy or rent the technology and expertise they need, as they need it. China offers a full stack of options up and down the layers of the internet, including policies and laws, communications service providers with full internet.
Geopolitics: US-China Tech Divide Could Cause Havoc. It is possible that the world’s next major conflict can start in cyberspace. The USA has ordered a ban on certain hardware from China (Huawei and ZTE). China orders ban on US computers and software. Chinese government to replace foreign hardware and software within three years. Who needs who more?
International cyber politics: Lack of international standards for proper behavior in cyberspace prevents the United States and allies from policing adversaries as they wish to. US can’t ‘enforce standards that don’t exist’. We have international norms in the maritime; we don’t have those in cyber. It makes it difficult to enforce standards that don’t exist, and to therefore hold nations accountable for nefarious behavior. NATO did confirm in 2017 that it could invoke Article 5 of its charter should one or more member nations find themselves under a serious cyberattack that threatens critical military and civilian infrastructure.
1,468 Comments
Tomi Engdahl says:
Britain’s new cyber hacker cell limbers up as gloves come off in global cyber war
The UK’s new National Cyber Force could be used to launch hacking campaigns against other countries – but it could also backfire
https://www.telegraph.co.uk/technology/2020/12/13/britains-new-offensive-cyber-hacker-cell-limbers-gloves-come/
Tomi Engdahl says:
Welp, France Just Signed Off on Cyborg Soldiers
The super soldiers must retain free will, though. So that’s good.
https://www.popularmechanics.com/military/weapons/a34945348/france-approves-bionic-soldiers/
Tomi Engdahl says:
Could you be your organisation’s biggest cyber threat?
With remote and hybrid work replacing the office, hackers are exploiting new opportunities. Here’s how cybersecurity professionals are planning to navigate this future threat landscape
https://www.wired.co.uk/article/cyber-threat-companies-capita
Tomi Engdahl says:
Home Wi-Fi security tips – 5 things to check
https://nakedsecurity.sophos.com/2020/11/30/home-wi-fi-security-tips-5-things-to-check/
Tomi Engdahl says:
Report Claims CIA Controlled Second Swiss Encryption Firm
https://www.courthousenews.com/report-claims-cia-controlled-second-swiss-encryption-firm/
GENEVA, Switzerland (AFP) — Swiss politicians have voiced outrage and demanded an investigation after revelations that a second Swiss encryption company was allegedly used by the CIA and its German counterpart to spy on governments worldwide.
“How can such a thing happen in a country that claims to be neutral like Switzerland?”
Tomi Engdahl says:
Welcome To 2030: I Own Nothing, Have No Privacy And Life Has Never Been Better
https://www.forbes.com/sites/worldeconomicforum/2016/11/10/shopping-i-cant-really-remember-what-that-is-or-how-differently-well-live-in-2030/
Tomi Engdahl says:
The guardians of supercomputers, the targets of interest
https://cybernews.com/security/the-guardians-of-supercomputers-the-targets-of-interest/
Tomi Engdahl says:
This Is How a Laser Weapon Torches Drones Out of the Sky
This simple laser demonstration is actually a great crash course on how these anti-drone weapons work.
https://www.popularmechanics.com/military/aviation/a30876383/laser-weapon-drone/
Tomi Engdahl says:
Cyber security faces threat from ‘ransomware’: Yomiuri Shimbun
The paper says that ransomware, where a ransom is demanded to decrypt stolen information, has spread globally.
https://www.straitstimes.com/asia/cyber-security-faces-threat-from-ransomware-yomiuri-shimbun
Tomi Engdahl says:
Computer Security Day: Official or Not, it’s a Worthy Observance
https://www.essent.com/Blog/Blog/Computer-Security-Day-Official-or-Not-its-a-Worthy-Observance-.htm
Tomi Engdahl says:
https://www.dnsstuff.com/freetools
Tomi Engdahl says:
Is China Seeking A Secretive, Permanent Presence in America’s Computers?
https://nationalinterest.org/feature/china-seeking-secretive-permanent-presence-america%E2%80%99s-computers-173292
Tomi Engdahl says:
http://multirbl.valli.org/lookup/
Tomi Engdahl says:
How the human immune system inspired a new approach to email security
AI excels at interpreting high volume, high velocity, complex data – which is just the ticket here
https://www.theregister.com/2020/12/01/how_the_human_immune_system/
Tomi Engdahl says:
It’s hard to keep a big botnet down: TrickBot sputters back toward full health
https://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/
Tomi Engdahl says:
Curiosity can be costly – read these three true stories from court before you go through your partner’s phone without permission
The law known as the secrecy of correspondence now also protects email, private messages and the phone. Not everyone knows this.
https://yle.fi/uutiset/3-10942730
Tomi Engdahl says:
Kill Chain: The Cyber War on America’s Elections | Full Documentary for DEF CON | HBO
https://www.youtube.com/watch?v=nQuwTdrVrg4
Tomi Engdahl says:
The popular programming languages with the worst security, and the percentage of software that contains serious security holes:
1. C++ 59.3%
2. PHP 52.6%
3. .NET (C#) 25%
4. Java 23.8%
5. Python 9.6%
6. JavaScript 8.6%
https://www.veracode.com/state-of-software-security-report?utm_source=veracode&utm_medium=pr&utm_campaign=jr-4751120&utm_term=press-release&utm_content=soss-hub
The downloadable report itself:
https://www.veracode.com/sites/default/files/pdf/resources/infosheets/state-of-software-security-volume-11-flaw-frequency-by-language.pdf?_ga=2.226401434.1812143899.1608532011-100137457.1608532011
Tomi Engdahl says:
Cyber Mercenaries Don’t Deserve Immunity
https://blogs.microsoft.com/on-the-issues/2020/12/21/cyber-immunity-nso/
A growing industry of companies called private-sector offensive actors – or PSOAs – is creating and selling cyberweapons that enable their customers to break into people’s computers, phones and internet-connected devices. Now, one of these 21st-century mercenaries, called the NSO Group, is attempting to cloak itself in the legal immunity afforded its government customers, which would shield it from accountability when its weapons inflict harm on innocent people and businesses. The firm also contributes to the urgent cybersecurity challenges discussed by our president Brad Smith last week. We believe the NSO Group’s business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions. That’s why today we filed an amicus brief – along with Cisco, GitHub, Google, LinkedIn, VMWare and the Internet Association – in a legal case brought by WhatsApp against the NSO Group.
The NSO Group sold governments a program called Pegasus, which could be installed on a device simply by calling the device via WhatsApp; the device’s owner did not even have to answer. According to WhatsApp, the NSO Group used Pegasus to access more than 1,400 mobile devices, including those belonging to journalists and human rights defenders. We believe companies like NSO Group selling tools like Pegasus are concerning for three reasons.
Tomi Engdahl says:
Card-Not-Present Fraud: 4 Security Considerations for Point of Sale Businesses
https://www.tripwire.com/state-of-security/regulatory-compliance/pci/card-not-present-fraud/
As the retail world’s center of gravity shifts to the cloud, payment card fraud has followed suit. According to Verizon’s retail vulnerabilities study, attacks against e-commerce applications are by far the leading cause of retail data breaches. This trend mirrors similar outcomes in other industries, like food service. A complimentary Verizon study finds remote attacks against food service operators on the rise, as well.
In both industries, the swing to card-not-present (CNP) fraud has been sudden and swift. Verizon’s data shows an utter collapse in retail point-of-sale (POS) attacks as a share of total breaches in the past six years — from roughly 80% in 2014 to less than 10% in 2019. Web application attacks have filled the void, rising from less than 10% in 2014 to about 50% in 2019. In food service, point-of-sale attacks declined from a roughly 90% share to a sub-20% share.
Customers’ expectations haven’t kept up. According to a survey by Money Crashers, a personal finance publication, 52% of consumers aren’t concerned with the security of the payment apps they use every day. Just 30% have held off on downloading a payment app over security concerns.
Consumers’ cavalier attitudes persist despite persuasive evidence that hackers hungry for payment card information and sensitive personal data — names, addresses, ID numbers, security questions and answers — are getting better at hitting their marks. Since the beginning of 2018, remote attacks have affected a major U.S. department store chain, a popular fast-food operator, and a leading online-only clothing retailer.
And those are just the attacks that hit the news.
Tomi Engdahl says:
The U.S. Government Is Targeting Cryptocurrency to Expand the Reach of Its Financial Surveillance
https://www.eff.org/deeplinks/2020/12/us-government-targeting-cryptocurrency-expand-reach-its-financial-surveillance
One of the most important aspects of cryptocurrencies from a civil liberties perspective is that they can provide privacy protections for their users. But EFF is concerned that the U.S. government has been increasingly taking steps to undermine the anonymity of cryptocurrency transactions and importing the widespread financial surveillance of the traditional banking system to cryptocurrencies.
On Friday, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a proposed regulation that would require money service businesses (which includes, for example, cryptocurrency exchanges) to collect identity data about people who transact with their customers using self-hosted cryptocurrency wallets or foreign exchanges. The proposed regulation would require them to keep that data and turn it over to the government in some circumstances (such as when the dollar amount of transactions in a day exceeds a certain threshold).
Tomi Engdahl says:
Now it’s Europe’s turn to try to circumvent ICANN DNS policies
https://www.internetgovernance.org/2020/12/21/now-its-europes-turn-to-try-to-circumvent-icann-dns-policies/
Many large American businesses – notably, Facebook and the intellectual property interests – are strongly interested in retaining free and unrestricted access to domain name registrants’ personal information (known as Whois data). As it became clear that ICANN’s multistakeholder process would restrict that access to comply with Europe’s privacy regulation, GDPR, they lobbied the U.S. Congress to pass legislation ordering ICANN to reverse its attempts to require open access to personal data in Whois.
IGP criticized these attempts to impose US legislation on DNS governance. Imposing different national laws on the global DNS undermines the global compatibility of DNS services and could trigger a legislative arms race around the world. Fortunately, that proposed legislation has gone nowhere.
Tomi Engdahl says:
CHINA USED STOLEN DATA TO EXPOSE CIA OPERATIVES IN AFRICA AND EUROPE
https://radly.fi/blog/three-ways-to-create-a-better-customer-experience-through-machine-learning-and-ai/
The discovery of U.S. spy networks in China fueled a decadelong global war over data between Beijing and Washington.
Tomi Engdahl says:
https://cybernews.com/best-password-managers/how-to-create-a-strong-password/
Tomi Engdahl says:
https://cybernews.com/security/make-cybersecurity-a-strategic-priority-before-its-too-late/
Tomi Engdahl says:
https://pentestmag.com/leveraging-traditional-humint-methodologies-in-cyberspace/
Tomi Engdahl says:
Op-ed: Hyperwar is coming. America needs to bring AI into the fight to win — with caution
https://www.cnbc.com/2020/07/12/why-america-needs-to-bring-ai-into-the-upcoming-hyperwar-to-win.html
Hyperwar, or combat waged under the influence of AI, where human decision making is almost entirely absent from the observe-orient-decide-act (OODA) loop, already is beginning to intrude on military operations.
This is the central issue for 21st century armed conflict: the superpower that can master AI, data analytics, and supercomputing, will inevitably prevail in conflict.
The human dimension of war will be sorely tested in a hyperwar environment. It will demand the utmost of the services in recruiting, educating and training and leading the human talent able to fight and win.
Tomi Engdahl says:
The National Cyber Power Index: Does your country have a cybersecurity strategy?
https://cybernews.com/security/the-national-cyber-power-index-does-your-country-have-a-cybersecurity-strategy/
Earlier this year, Harvard’s Belfer Center published its National Cyber Power Index (NCPI), which ranks 30 countries according to their digital capabilities. Central to the rankings is the ability of a nation to both defend itself from cyberattacks and also to wage cyber warfare itself.
“Cyber Power is made up of multiple components and should be considered in the context of a country’s national objectives,” the authors explain. “Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation. Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively.”
Tomi Engdahl says:
Cross-layer attacks: New hacking technique raises DNS cache poisoning, user tracking risk
https://portswigger.net/daily-swig/cross-layer-attacks-new-hacking-technique-raises-dns-cache-poisoning-user-tracking-risk
As many as one in 20 web servers could be vulnerable to a weakness in the Linux kernel, according to security researchers.
The same weakness could also expose millions of Android device users to increased risk of tracking.
Cross-layer attacks
The vulnerability (PDF) allows hackers to mount so-called “cross-layer” attacks against the Linux kernel, exploiting a weakness in its pseudo random number generator (PRNG).
This is possible because the UDP source port generation algorithm, the IPv6 flow label generation algorithm, and the IPv4 ID generation algorithm on some Linux-based systems all plug into the flawed PRNG.
Tomi Engdahl says:
https://m.xkcd.com/705/
Tomi Engdahl says:
https://pentestmag.com/looking-at-active-cyber-threats-with-leakix/
https://leakix.net/
Tomi Engdahl says:
POWERFUL MOBILE PHONE SURVEILLANCE TOOL OPERATES IN OBSCURITY ACROSS THE COUNTRY
CellHawk helps law enforcement visualize large quantities of information collected by cellular towers and providers.
https://theintercept.com/2020/12/23/police-phone-surveillance-dragnet-cellhawk/
UNTIL NOW, the Bartonville, Texas, company Hawk Analytics and its product CellHawk have largely escaped public scrutiny. CellHawk has been in wide use by law enforcement; the software is helping police departments, the FBI, and private investigators around the United States convert information collected by cellular providers into maps of people’s locations, movements, and relationships. Police records obtained by The Intercept reveal a troublingly powerful surveillance tool operated in obscurity, with scant oversight.
CellHawk’s maker says it can process a year’s worth of cellphone records in 20 minutes, automating a process that used to require painstaking work by investigators, including hand-drawn paper plots. The web-based product can ingest call detail records, or CDRs, which track cellular contact between devices on behalf of mobile service providers, showing who is talking to whom
Tomi Engdahl says:
With the fear of cybercriminals attacking company IT networks, it’s easy to forget that the biggest risks begin closer to home. According to research conducted by Atlas VPN, the sheer scale of the risk from employees giving up access to company data is astounding.
Two in three businesses faced insider attacks in 2020
https://cybernews.com/security/two-in-three-businesses-faced-insider-attacks-in-2020/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=faced_insider&fbclid=IwAR1FC7YBtHR2vqF0ztcbPwq-SU-xuOgp9MMdkfuPZwvXj7tDoVFMWGpi4xo
The biggest risks sometimes aren’t those outside your organisation, but within.
With the fear of organised cybercriminals probing and testing company IT networks, and looking to secret away your data to capitalise on the trade secrets, or to lock it up and demand a ransom in order to free it, it can be easy to forget the biggest risks begin closer to home. But while outsider threats should always be near the top of an organisation’s list of concerns, insider threats should also be considered.
According to data analysed by Atlas VPN, 65% of organizations suffered from one or more insider attacks in the last 12 months.
Tomi Engdahl says:
It’s time to accept that disinformation is a cyber security issue
https://www.computerweekly.com/opinion/Its-time-to-accept-that-disinformation-is-a-cyber-security-issue
Tackling the manipulation of truth and facts is no easy task, and it’s time for the cyber security sector to take up the challenge
The internet, as life-changing as it can be for digitising businesses, connecting communities and informing individuals, doesn’t come with a user guide to help us navigate it. And as people become more aware of the dark side of the web, they are looking for tools that help to defend them against campaigns designed to manipulate how they think or behave.
Misinformation and disinformation are rife, but so far it’s been seen as a challenge for policy-makers and big tech, including social media platforms. However, because disinformation is by nature an online risk, it is a challenge for our cyber security ecosystem to tackle, too.
But tackling the manipulation of truth is no easy task. The sheer volume of data being created makes it hard to tell what’s real and what’s not. From destroying 5G towers to conspiracies like QAnon and unfounded concern about election fraud, distrust is becoming the default – and this can have incredibly damaging effects on society.
Disinformation and fake news is also part of the delivery package, rather than being the end goal – it is increasingly being used to deliver malware by manipulating people’s fears and heightened emotions. For example, Avast has found that fake shops claiming to sell Covid-19 cures that use the World Health Organization’s logo were intended to get people to download malware.
So far, the tech sector – primarily social media companies, given that their platforms enable fake news to spread exponentially – have tried to implement some measures, with varying levels of success.
Despite these efforts, reports stressing concerns about the issue from intelligence services and independent committees are being overlooked, while policies can’t be put in place fast enough to keep up with the ever-changing ways that fake news spreads. But it’s not just an issue of having more laws – in fact, too much regulation in some cases can be used as a guise for clamping down on free speech. We should be very wary of overusing it as a tool.
We are also seeing the rise of tech startups that are exploring ways to detect and stem the flow of disinformation, such as Right of Reply, Astroscreen and Logically. These companies don’t tend to refer to themselves as cyber security companies, but you can argue that this is, in effect, what they are.
It’s a question of definitions: if we agree that cyber security isn’t just about data breaches but data integrity, then it’s clear that these companies come under the umbrella of security.
More than that, disinformation has the potential to undermine national security – and it should be at the core of our cyber defences.
Data breaches result in the loss of value, but so can data manipulation. This reflects the changing nature of cyber security at large – it’s now more about protecting an enterprise’s values, brand and reputation rather than just a network security issue.
Disinformation is still an emerging frontier for cyber security, and we will need unconventional techniques far beyond data breach notifications and regulatory fines.
Tomi Engdahl says:
https://m.reolink.com/how-to-detect-hidden-cameras
Tomi Engdahl says:
Even If It’s ‘Bonkers,’ Poll Finds Many Believe QAnon And Other Conspiracy Theories
https://www.npr.org/2020/12/30/951095644/even-if-its-bonkers-poll-finds-many-believe-qanon-and-other-conspiracy-theories
A significant number of Americans believe misinformation about the origins of the coronavirus and the recent presidential election, as well as conspiracy theories like QAnon, according to a new NPR/Ipsos poll.
Forty percent of respondents said they believe the coronavirus was made in a lab in China even though there is no evidence for this. Scientists say the virus was transmitted to humans from another species.
And one-third of Americans believe that voter fraud helped Joe Biden win the 2020 election, despite the fact that courts, election officials and the Justice Department have found no evidence of widespread fraud that could have changed the outcome.
The poll results add to mounting evidence that misinformation is gaining a foothold in American society and that conspiracy theories are going mainstream, especially during the coronavirus pandemic. This has raised concerns about how to get people to believe in a “baseline reality,”
“What this poll really illustrates to me is how willing people are to believe things that are ludicrous because it fits in with a worldview that they want to believe.”
Fewer than half of Republicans said they accept the outcome of the election.
“There’s just too much information out there,” said Brooke Williams, a Republican voter and self-described QAnon follower from Oro Valley, Ariz., during a follow-up interview with NPR. “I can’t see how anybody is not thoroughly convinced that Biden was illegally elected.”
In contrast, only 11% of Democrats think voter fraud helped Biden win the election, and 93% accept the outcome.
The vast majority of Americans said they’re also worried about the spread of false information, with 4 out of 5 poll respondents saying they’re concerned about misinformation related to the coronavirus and vaccines in particular.
But Republicans were more likely than Democrats to believe misinformation about the virus, including that it was created in a lab in China and that COVID-19 is no more of a “serious threat” than the seasonal flu.
Tomi Engdahl says:
IBM Makes Encryption Paradox Practical
https://spectrum.ieee.org/tech-talk/computing/software/ibm-makes-cryptographic-paradox-practical
How do you access the contents of a safe without ever opening its lock or otherwise getting inside? This riddle may seem confounding, but its digital equivalent is now so solvable that it’s becoming a business plan.
IBM is the latest innovator to tackle the well-studied cryptographic technique called fully homomorphic encryption (FHE), which allows for the processing of encrypted files without ever needing to decrypt them first. Earlier this month, in fact, Big Blue introduced an online demo for companies to try out with their own confidential data. IBM’s FHE protocol is inefficient, but it’s workable enough still to give users a chance to take it for a spin.
Today’s public cloud services, for all their popularity, nevertheless typically present a tacit tradeoff between security and utility. To secure data, it must stay encrypted; to process data, it must first be decrypted. Even something as simple as a search function has required data owners to relinquish security to providers whom they may not trust.
Yet with a workable and reasonably efficient FHE system, even the most heavily encrypted data can still be securely processed.
It is not clear whether IBM’s scheme for FHE is any better than that of its competitors. However, by offering a service to clients, the company may have gotten the lead on tackling some of the first practical implementations of the technology, which has been in development for years.
Since the 1970s, cryptographers had considered what it would mean to process encrypted data, but no one was sure whether such an encryption scheme could exist even in theory. In 2009, Craig Gentry, then a Stanford graduate student, proved FHE was possible in his PhD dissertation.
Over the past decade, algorithmic improvements have improved the efficiency of FHE by a factor of about a billion. The technique is still anywhere from 100 to a million times slower than traditional data processing—depending on the data and the processing task.
Alice must strike a balance: too much noise and operations take too much time; too little noise and the list is unsecured. Gentry’s 2009 breakthrough was to introduce a specific, manageable amount of noise.
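The noise trade-off described in the excerpt above can be seen in a few lines with a toy symmetric scheme over the integers in the style of van Dijk, Gentry, Halevi and Vaikuntanathan (DGHV). This is an added example, not code from the article, from IBM's demo or from Gentry's 2009 lattice construction. The function names and the tiny parameters are assumptions chosen for illustration and give no real security.

```python
import math
import secrets

def keygen(bits=64):
    """Secret key: a random odd integer p with exactly `bits` bits."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def encrypt(p, bit, noise_bits=8):
    """c = p*q + 2*r + bit, with a large random q and small random noise r."""
    q = secrets.randbits(128) | (1 << 127)
    r = secrets.randbits(noise_bits) if noise_bits else 0
    return p * q + 2 * r + bit

def decrypt(p, c):
    """Strip the multiple of p, then the even noise; correct only while noise < p."""
    return (c % p) % 2

def and_chain(p, n, noise_bits=8):
    """Homomorphically AND n encrypted 1-bits; the true answer is always 1."""
    c = encrypt(p, 1, noise_bits)
    for _ in range(n - 1):
        c *= encrypt(p, 1, noise_bits)  # the noise terms multiply as well
    return decrypt(p, c)

def leaked_key_multiple(p, samples=4):
    """With zero noise, encryptions of 0 are exact multiples of p, so a plain
    gcd over a few ciphertexts exposes the key (or a multiple of it)."""
    g = 0
    for _ in range(samples):
        g = math.gcd(g, encrypt(p, 0, noise_bits=0))
    return g

if __name__ == "__main__":
    p = keygen()
    a, b = encrypt(p, 1), encrypt(p, 0)
    # Adding ciphertexts XORs the bits, multiplying them ANDs the bits.
    print("XOR:", decrypt(p, a + b), "AND:", decrypt(p, a * b))
    # Fresh noise is below 2**9, so a 7-way product stays below p >= 2**63.
    print("7-way AND:", and_chain(p, 7))
    # Too much accumulated noise: the product wraps past p and decryption breaks.
    wrong = sum(and_chain(p, 20) != 1 for _ in range(200))
    print("20-way AND wrong in", wrong, "of 200 runs")
    # Too little noise: the ciphertexts leak the key.
    print("zero-noise gcd divisible by p:", leaked_key_multiple(p) % p == 0)
```

Practical FHE schemes keep the noise below the decryption threshold by refreshing ciphertexts (Gentry's bootstrapping), which is a large part of the slowdown the excerpt mentions.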
Tomi Engdahl says:
SolarWinds breach could reshape cybersecurity practices
https://www.epanorama.net/blog/2018/10/08/landmark-un-climate-change-report-act-now-to-avoid-climate-catastrophe-iflscience/comment-page-15/#comments
Software company SolarWinds is headquartered in Austin. Experts say the data breach involving the company’s products could lead to changes in the cybersecurity industry.
As investigations continued into the massive data breach linked to Austin-based software company SolarWinds, experts say the attack could lead to long-term changes in cybersecurity policies and procedures for government entities and private companies alike.
As many as 18,000 SolarWinds customers — out of a total of 300,000 — might have been running SolarWinds software containing a vulnerability that allowed hackers to penetrate various networks.
The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency has called the hack a grave risk to government and private networks, and experts say the damage will be difficult to detect and undo.
So far, the investigation has revealed a number of high-profile targets of the attack, including the Department of Treasury, Homeland Security, the Department of Energy and Microsoft.
While federal government officials have yet to say who they believe is responsible, The Washington Post, citing unnamed sources, reported that the attack was carried out by Russian government hackers who go by the nicknames APT29 or Cozy Bear and are part of that nation’s foreign intelligence service.
Daniel Ives, an analyst with Wedbush Securities, said the attack is among the largest breaches in U.S. history, and that it could take years to fully understand the full extent of the attack, which has “broad ramifications” going forward, he said.
“This scale, the scope of this attack is jaw-dropping,” Ives said. “I think how pervasive potentially (the hackers) got within the confines of the government and enterprises is a major wakeup call.”
SolarWinds finds itself caught in the middle of an escalating cyberwar and a broader scale of supply chain attacks, in which another company could have just as likely ended up the target, Ives said.
The hackers are believed to have made their way into a number of systems by tampering with an update server of the SolarWinds network management systems. Through it, the hackers were able to gain remote access and insert malicious code that hitched a ride on a software update.
SolarWinds has released a number of software updates to patch the problem. Reuters also reported a possible second breach around the same time in the SolarWinds system, which also has since been patched.
Widespread implications
The attack could have widespread implications for the cybersecurity industry at large, as companies and the government have become increasingly reliant on online and cloud systems. Gartner, an organization that researches technology industry trends, predicted cybersecurity spending would reach about $123.8 billion this year.
Ives said the number of cyberattacks is growing, as is their level of sophistication.
“It speaks to a cyberwar, cyberespionage, that’s been going on for a number of years but it’s continuing to get ratcheted up,” Ives said.
‘Like bed bugs’
Cybersecurity experts said it’s not possible to fully know yet if all the hackers’ access points have been removed from the systems they breached, on both the government and business level.
“It’s a little bit like bed bugs,” said David Springer, an Austin-based lawyer for Bracewell LLP who specializes in securities litigation including cybersecurity counseling and policy. “You can do a lot to try to eradicate them, but sometimes the problem gets so bad, and they’re just so into everything you kind of have to just burn your mattress. And that’s kind of where we find ourselves here.”
“Fixing SolarWinds is preventing another attack to get in that way, but it doesn’t do anything to take the hackers off the network. They’re already there, and now have enabled multiple other entry and exit points,” Springer said.
Springer said the breach has renewed conversations about cybersecurity and better steps for transparency, security and securing networks. That includes supply chain security and making sure that when the government or large corporations acquire software or updates, there is increased transparency about what’s in that software package, and having the ability to audit what’s in there to ensure it hasn’t been altered, he said. There’s also a renewed focus on internal security programs.
“A lot of times, historically, you view securing a network as a perimeter defense. The vast majority of defending you do is at the perimeter. You’re just trying to keep that guy out of your network. But then once something is happening inside your network, it’s kind of presumed to be OK,” Springer said. “Within a network, there’s not a ton of security internally. There’s definitely a renewed focus on within network.”
“Security has to stay one step ahead of the bad actors,” Ives said. “In this case, it didn’t. I think the industry learns from it, adjusts and just gets further blockades going forward, both within the confines of an organization as well as within the cloud.”
Tomi Engdahl says:
Significant vulnerabilities that crippled IT world this decade (2010-2020)
https://www.cyberciti.biz/linux-news/significant-vulnerabilities-that-crippled-it-world-this-decade-2010-2020/
The last ten years in the computer and IT security world are crippled with so many vulnerabilities. We saw massive cloud computing adoption and end-users using mobile devices with high speed 4G LTE networks. A threat actor may have exploited such weakness in modern computers and networks. Let us look into top vulnerabilities and the attack surface in this decade (2010-2020) that affected Linux/Unix, macOS, IT, cloud-computing, and computers in general.
Tomi Engdahl says:
The 7 most popular CyberNews investigations of 2020
https://cybernews.com/editorial/the-7-most-popular-cybernews-investigations/
Tomi Engdahl says:
Brexit trade deal advises governments to use Netscape Communicator and SHA-1. Why? It’s all in the DNA
A simple cut-and-paste text job from a 2008 EU treaty for genetic databases
https://www.theregister.com/2020/12/31/brexitl_obsolete_tech_explained/
People are pointing to the inclusion of Netscape Navigator and SHA-1 in the newly-minted British Brexit trade deal – yet no one seems to have realised part of the text in question is a treaty underpinning an EU-wide DNA database.
Buried in the 1,000+ pages of the UK-EU trade deal are references to the obsolete Netscape Navigator browser and even Netscape Communicator, which was declared end-of-life in 1997.
“s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages,” says page 921 of the deal, in a part named “ANNEX LAW-1: EXCHANGES OF DNA, FINGERPRINTS AND VEHICLE REGISTRATION DATA”.
Rather than being a throwback to the dusty days of dial-up internet and shouting at your mum for picking up the phone while you try to download cat GIFs, however, that annex contains the full and current text of the Prüm Convention – the treaty underpinning the European Union’s bloc-wide DNA database, to which the UK wants to keep access after departing the EU on Friday (1 January).
Unilaterally modifying a treaty with more than 20 international signatories could open a can of worms – so it’s no surprise that the whole thing has been included in the Brexit trade deal, AES-256, SHA-1 and all.
The obsolete programs and security standards laid down in the Brexit trade deal are mandated for use with the Prüm database, with criminal suspects’ fingerprints, DNA and car registration details being sent around the bloc’s various police forces by email as described in both the EU treaty and the Brexit trade deal annex.
With Britain leaving both the EU’s political and legal control, a new legal basis had to be found to enable ongoing access to the DNA database. Putting it into the UK-EU trade deal appears to be the solution.
It is not immediately obvious whether the EU’s systems for moving personal data around the internet have had security updates since 2008, though one would hope the bloc’s focus on data protection would have seen the infosec parts of the Prüm treaty being pragmatically set aside.
The EU’s own EUR-lex website, a website of EU laws similar to legislation.gov.uk, appears to show that the 2008 EU treaty’s wording has never been updated. In June this year, however, the EU Council accepted that it “needs to ensure full alignment of the new Prüm Framework with the [EU Law Enforcement Directive], especially regarding the data protection safeguards.”
Somebody’s finally noticed that the Prüm Convention’s recommendations are out of date but updating it will not be a fast process.
Sadly the BBC, whose hacks were presumably enjoying an extended period of festive cheer, reported all this dull-but-important detail by churning throwaway speculation – and even managing to quote “experts” who were curiously incurious about where the original text came from, or why a 2020 trade deal would mandate early 2000s tech.
Sneering Britons were informed that it was probably down to some tired civil servant inappropriately using copy and paste from a “late 1990s security document”; an “explanation” that is simply untrue.
Sometimes the truth is both dull and not immediately obvious
Tomi Engdahl says:
The Top Free Vulnerability Assessment Tools of 2020
https://pentestmag.com/the-top-free-vulnerability-assessment-tools-of-2020/
Tomi Engdahl says:
How to Change Your DNS Settings to Increase Speed
BY JAMES FREW
DEC 17, 2019
https://www.makeuseof.com/tag/change-dns-increase-internet-speed/
Changing your DNS settings can have a big impact on day-to-day internet speeds. Here’s how to change your DNS settings properly.
Tomi Engdahl says:
The unhackable computers that could revolutionize the future
https://www.cnn.com/2020/12/29/opinions/quantum-internet-opinion-lincoln/index.html
Tomi Engdahl says:
CISA updates SolarWinds guidance, tells US govt agencies to update right away
US federal agencies must update by the end of the year or take all SolarWinds Orion apps offline.
https://www.zdnet.com/article/cisa-updates-solarwinds-guidance-tells-us-govt-agencies-to-update-right-away/
Tomi Engdahl says:
The Narrative (December 30, 2020)
https://www.internetgovernance.org/2020/12/30/the-narrative-december-30-2020/
Tomi Engdahl says:
FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’
https://threatpost.com/fbi-warn-home-security-devices-swatting/162678/
Tomi Engdahl says:
https://www.enisa.europa.eu/events/cybersecurity_standardisation_2021/cybersecurity_standardisation_2021
Tomi Engdahl says:
https://www.darkreading.com/edge/theedge/homomorphic-encryption-the-golden-age-of-cryptography/b/d-id/1339748
Tomi Engdahl says:
10 Things You Should Never Share on Social Media
BY BEN STEGNER
APR 24, 2020
https://www.makeuseof.com/tag/9-things-never-share-social-media/
Be careful what you share on social media because you never know when something could come back and ruin your life.