Cyber security trends for 2020

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I will be making educated guesses based on what has happened during the last 12 months and the several years before that.

The past year has seen a rapid increase in the adoption of up-and-coming technologies. Everyday items are getting smarter and more connected. Companies are saving millions with new technologies and cities are racing to implement smart solutions. 5G promises to bring high-speed wireless broadband everywhere. On the other hand, those solutions add new kinds of vulnerabilities. Competing in today’s digital marketplace requires that organizations are cyber-savvy. 2020 is when cybersecurity gets even weirder, so get ready.

Here are some trends and predictions for cyber security in 2020:

Cyber Attacks: Cyberattacks grow in volume and complexity. Many countries are going to emerge as major threats in the 2020s. Nation-state backed cyber groups have been responsible for major incidents over the last decade, and now more countries want the same power. Cyberattacks range from targeting your database to steal information that can be sold on the dark web, to hijacking unused CPU cycles on your devices to mine cryptocurrencies, to trying to infect vulnerable systems so they can be used later as part of a botnet.

IoT security: IoT security is still getting worse until it starts to get better. IoT security is an extremely hot topic right now and will be hot for many years to come. Industrial IoT risk has been discussed a lot. Physics dictates local application deployment, because the control rate of most industrial systems is 10 milliseconds or below. Smart building security awareness grows. The risks of the IoT in financial services are great. An explosion in IoT devices significantly raises the threat level. Gartner predicted that the world will see nearly 21 billion IoT devices by next year; it would be nice if all of them were secure, but unfortunately many of them are not. Hackers are continually looking for ways to exploit device vulnerabilities. From smart TVs, IP cameras and smart elevators to hospital infusion pumps and industrial PLC controllers, IoT and OT (Operational Technology) devices are inherently vulnerable and easy to hack. Why? Because IoT security is complicated, and security needs to be considered and integrated into IoT deployments from the start. Gartner says worldwide IoT security spending will reach $1.9 billion in 2019 and will rise to $3.1 billion in 2021, making it one of the fastest growing segments in the cybersecurity industry. The IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT: device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more. You might have to do a little work with your internet of things devices to stay secure. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of the devices vulnerable to attack: one in every 172 active RSA certificates is vulnerable. It is a good idea to build a separate network segment for IoT devices so that they are isolated from the normal office network. The FBI recommends that you keep your IoT devices on a separate network.
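The "one in 172 certificates" figure comes from keys whose generation did not follow cryptographic best practice: a poorly seeded random number generator on a device can hand two independent keys the same prime, and a simple GCD over the public moduli then exposes both. The following is an added example of that audit, not code from the article or from any vendor it mentions; the device names and moduli are constructed toy values built from tiny primes so the check runs instantly (real moduli are 2048 bits or more):

```python
"""Added example (not from the original article): audit a set of RSA public
moduli for shared prime factors, the weakness behind the "one in 172
certificates" figure. If two devices generate keys from a poorly seeded RNG
they can end up sharing a prime; gcd(n1, n2) then reveals it, and a shared
prime fully exposes both keys. The moduli below are constructed toy values
built from tiny primes so the check runs instantly; real keys are 2048-bit."""
from itertools import combinations
from math import gcd

# Constructed fleet inventory: device name -> RSA modulus n = p*q.
# device-A and device-B were "generated" from an RNG that repeated prime 61.
TOY_MODULI = {
    "device-A": 61 * 53,   # 3233
    "device-B": 61 * 67,   # 4087
    "device-C": 71 * 73,   # 5183
}


def find_shared_factors(moduli):
    """Return [(name1, name2, shared_prime)] for every pair of moduli with a
    non-trivial common factor. Pairwise GCD is O(k^2) in the number of keys;
    the batch-GCD product-tree method gives the same answer for large fleets."""
    findings = []
    for (a, n_a), (b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if 1 < g < min(n_a, n_b):
            findings.append((a, b, g))
    return findings


def undersized_keys(moduli, min_bits=2048):
    """Second best-practice check: flag moduli shorter than min_bits."""
    return sorted(name for name, n in moduli.items() if n.bit_length() < min_bits)


def audit(moduli, min_bits=2048):
    """Combine both checks into a report keyed by device name."""
    report = {name: [] for name in moduli}
    for a, b, prime in find_shared_factors(moduli):
        report[a].append(f"shares prime {prime} with {b}")
        report[b].append(f"shares prime {prime} with {a}")
    for name in undersized_keys(moduli, min_bits):
        report[name].append(f"modulus is only {moduli[name].bit_length()} bits")
    return {name: issues for name, issues in report.items() if issues}


if __name__ == "__main__":
    for device, issues in audit(TOY_MODULI).items():
        print(device, "->", "; ".join(issues))
```

On a real fleet you would feed the moduli extracted from the devices' certificates (for example with `openssl x509 -noout -modulus`) and replace the pairwise loop with a batch-GCD product tree once the inventory reaches tens of thousands of keys; the decision logic stays the same.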

IoT privacy: Silicon Valley Is Listening to Your Most Intimate Moments. The world’s biggest companies got millions of people to let temporary workers analyze some very sensitive recordings made by their “smart” speakers and smartphones. A quarter of Americans have bought “smart speaker” devices such as the Echo, Google Home and Apple HomePod. Consulting firm Juniper Research Ltd. estimates that by 2023 the global annual market for smart speakers will reach $11 billion, and there will be about 7.4 billion voice-controlled devices in the wild. That’s about one for every person on Earth. The question is, then what? Having microphones that listen all the time is concerning. Some attackers are also terrifying homeowners and making them feel violated in their own homes.

Medical systems security: Cyberattacks on Medical Devices Are on the Rise—and Manufacturers Must Respond. Attacks on networked medical devices, and the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction. It’s shocking that a few years after WannaCry and NotPetya, the healthcare industry is still not prepared to deal with ransomware attacks. Many hospitals and healthcare networks have been hit by ransomware over the past few months.

Surveillance cameras: Surveillance cameras are capturing what we do on the streets, at airports, in stores, and in much of our public space. China’s Orwellian video surveillance gets a bad rap, but the US isn’t far behind, as the US has nearly the same ratio of security cameras to citizens as China. And the numbers are growing all over the world. One billion surveillance cameras will be deployed globally by 2021, according to data compiled by IHS Markit. Russia is building one of the world’s largest facial recognition networks, and it may even be bigger than China’s 200 million camera system. China’s installed base is expected to rise to over 560 million cameras by 2021, representing the largest share of surveillance devices installed globally, with the US rising to around 85 million cameras. Now the US, like China, has about one surveillance camera for every four people (in 2018 China had 350 million cameras and the USA 70 million). Surveillance cameras are getting better, smaller and cheaper and can be installed almost anywhere. It would be very easy to sneak another device onto a hotel’s Wi-Fi network and stream its video over the internet to a computer elsewhere.

Facial recognition: Private companies and governments worldwide are already experimenting with facial recognition technology. Facial recognition software is touted as making us safer. But mass surveillance has downsides of major proportions. Massive errors found in facial recognition tech. Facial recognition systems can produce wildly inaccurate results, especially for non-whites. Russia is building one of the world’s largest facial recognition networks. Individuals, lawmakers, developers – and everyone in between – should be aware of the rise of facial recognition, and the risks it poses to rights to privacy, freedom, democracy and non-discrimination.

Shut off Internet: A worrying worldwide trend employed by various governments is preventing people from communicating on the web and accessing information. Amid widespread demonstrations over different issues, many countries have started cutting Internet connections from people. Some countries, namely China, architected their internet infrastructure from the start with government control in mind. Russia is moving in this direction. Recent examples include Iran, India and Russia. For better or worse, an internet blackout also limits the government’s ability to conduct digital surveillance on citizens.

Security First: Implementing Cyber Best Practices Requires a Security-First Approach. Competing in today’s digital marketplace requires that organizations be cyber-savvy. The best defense is to start with a security-driven development and networking strategy that builds a hardened digital presence from the ground up. This not only ensures that your online services and web applications are protected from compromise, but also enables security to automatically evolve and adapt right alongside the development of your digital presence, rather than having to be constantly rigged and retrofitted to keep up with digital innovation.

Zero Trust Network Access: Many of the most damaging breaches have been the result of users gaining access to unauthorized levels of network resources and devices. Zero Trust is an enforceable, identity-driven access policy that includes seamless and secure two-factor/OTP authentication across the organization. Zero Trust Network Access ensures that all users and devices are identified, profiled, and provided appropriate network access. It also ensures that new devices are automatically assigned to appropriate network segments based on things like device profiles and owners. When combined with Network Access Control (NAC), organizations can also discover, identify, grant appropriate access to, and monitor devices, thereby enhancing your access and segmentation strategy.
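To make the policy described above concrete, here is an added example (not code from the article or from any product it mentions) of a minimal zero-trust access decision: every request carries an identity, a second-factor result and a device profile; the policy is default-deny, assigns a network segment from the device profile and posture, and only then checks whether that segment and role may reach the requested resource. The device profiles, segment names and resource table are constructed for the demo:

```python
"""Added example (not from the original article): a minimal zero-trust access
decision. Every request carries an identity, a second-factor result and a device
profile; the policy is default-deny, assigns a network segment from the device
profile, and only then checks whether that segment and role may reach the
resource. Names, segments and the resource table are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    profile: str          # e.g. "managed-laptop", "byod-phone", "iot-camera"
    owner: str
    posture_ok: bool      # patched, disk encrypted, endpoint agent running


@dataclass(frozen=True)
class Request:
    user: str
    role: str             # "employee", "contractor", ...
    mfa_verified: bool    # second factor / OTP completed for this session
    device: Device
    resource: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    segment: str
    reason: str


# Constructed device-profile -> segment map. Unknown profiles land in quarantine.
SEGMENT_BY_PROFILE = {
    "managed-laptop": "corp",
    "byod-phone": "guest-internet",
    "iot-camera": "iot-isolated",
}

# Constructed resource table: which segments and roles may reach each resource.
RESOURCES = {
    "hr-db": {"segments": {"corp"}, "roles": {"employee"}},
    "wiki":  {"segments": {"corp", "guest-internet"}, "roles": {"employee", "contractor"}},
    "nvr":   {"segments": {"iot-isolated", "corp"}, "roles": {"service", "employee"}},
}


def assign_segment(device):
    """Profile-based segmentation: a new device is placed by what it is, not by
    which port it plugged into. Devices failing posture go to remediation."""
    if not device.posture_ok:
        return "remediation"
    return SEGMENT_BY_PROFILE.get(device.profile, "quarantine")


def decide(request):
    """Default deny: every branch that does not explicitly allow ends in a denial."""
    segment = assign_segment(request.device)
    if segment in ("remediation", "quarantine"):
        return Decision(False, segment, f"device placed in {segment}")
    if not request.mfa_verified:
        return Decision(False, segment, "second factor not completed")
    policy = RESOURCES.get(request.resource)
    if policy is None:
        return Decision(False, segment, "unknown resource")
    if segment not in policy["segments"]:
        return Decision(False, segment, f"segment {segment} may not reach {request.resource}")
    if request.role not in policy["roles"]:
        return Decision(False, segment, f"role {request.role} may not use {request.resource}")
    return Decision(True, segment, "identity, factor, device and segment all verified")
```

The two functions map onto the two halves of the paragraph: `assign_segment` is the NAC-style placement of a newly seen device, and `decide` is the per-request policy that never grants access on network location alone.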

Anti-virus software: Only Half of Malware Caught by Signature AV. The percentage of malware that successfully bypassed signature-based antivirus scanners at companies’ network gateways has increased significantly, either by scrambling code (known as “packing”) using basic encryption techniques or by the automatic creation of code variants. It seems that new approaches like machine learning and behavioral detection are necessary to catch these threats. Meanwhile, network attacks have risen, especially against older vulnerabilities.

Ransomware attacks: Ransomware will remain a major threat in the coming year, as the criminal business model continues to flourish. Paying the ransom is a move that security professionals have long condemned, warning that paying in a ransomware attack could end up causing more turmoil for victims, as well as inspire other cybercriminals to launch ransomware attacks. Microsoft never encourages a ransomware victim to pay. What to do about this is the question. How much does a large-scale ransomware attack cost, as opposed to just hiring an adequate number of skilled IT personnel and having disaster recovery plans in place? There is no complete security solution that could stop all attacks, but you should have decent protection. It would seem prudent to have adequate staff and offline backups to deal with this kind of situation, so that decent recovery is possible. Having no backup system is the gamble many companies and public entities seem to be playing. Good backups help to recover from ransom attacks. New tactics are coming into use in ransomware. A new Snatch ransomware strain reboots the computers it infects into Safe Mode to disable any resident security solutions. Another new tactic by ransomware developers is to release a victim’s data if they do not pay the ransom: they threaten to publish the data they steal to a competitor if the ransom is not paid.

Public sector: Public Sector Security Is Lagging. The state of cybersecurity and resilience in the public sector needs an urgent boost in many countries. U.S. citizens rely on state governments and local municipalities to provide a host of services, everything from access to public records, law enforcement protection, education and welfare to voting and election services. Cybercriminals have been targeting state and local governments with ransomware tools, which infect an organization’s computer networks and lock up critical files.

Regulation: We will see further legal regulations in the area of cyber security and data protection. The implementation of the GDPR and the IT Security Act have already ensured that the behaviour of companies has changed significantly. The drastic fines are having an effect. However, the GDPR is not the end of the story. The ePrivacy Regulation, the forthcoming reform of the IT Security Act and the European CyberSecurity Act will introduce further requirements, with the aim of improving digital security.

Consumer confidence: Winning consumer confidence is crucial to the development of new digital services. According to a PwC study, consumers are prepared to share personal information if it is of sufficient value to them. On the other hand, consumer confidence also needs to be earned by keeping that information safe.

API security: APIs now account for 40% of the attack surface for all web-enabled apps. It’s a good time to pay attention to API security, since some recent high-profile breaches have involved API vulnerabilities. OWASP, the Open Web Application Security Project known for its top 10 list of web application vulnerabilities, published the release candidate version of its API Security Top 10 list at the end of September 2019. Also it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.

Skills gap: Security teams, already grappling with serious challenges due to the growing cybersecurity skills gap, are being tasked to secure an ever-expanding network footprint. Security teams are often left to secure virtual and cloud environments, the implementation of SaaS services, DevOps projects, the growing adoption of IoT, mobile workers, and an expanding array of personal connected devices after they have already been implemented. They often do not have enough people or enough knowledge of those new technologies to do their work well. The cybersecurity unemployment rate is zero, with over 1 million jobs currently unfilled, a number that is expected to climb to 3.5 million by 2021. 145% growth is needed to meet global demand.

Think Like Your Adversary: Cybersecurity leaders need to assess the potential vulnerabilities (from the mindset of the adversary) and devise effective defensive countermeasures unique to their company’s needs. Programmers should think like hackers. Security must be taken into account in all programming steps.

Third party security: Most Companies Don’t Properly Manage Third-Party Cyber Risk. It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s modern, interconnected world. Developing a Third-Party Cyber Risk Management (TPCRM) strategy is becoming more common with every news headline regarding a major breach that stemmed from a company’s relationship with a third party.

Privacy and surveillance: Fears Grow on Digital Surveillance. Americans are increasingly fearful of monitoring of their online and offline activities, both by governments and private companies. More than 60 percent of US adults believe it is impossible to go about daily life without having personal information collected by companies or the government. Google and Facebook help connect the world and provide crucial services to billions. But their systems can also be used for surveillance. Amnesty International says Facebook and Google’s omnipresent surveillance is inherently incompatible with the right to privacy and is a danger to human rights. The claim is that the companies’ surveillance-based business model is inherently incompatible with the right to privacy and poses a threat to a range of other rights including freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination. Amnesty International has called for a radical transformation of the tech giants’ core business model and said that Google and Facebook should be forced to abandon what it calls their surveillance-based business model because it is “predicated on human rights abuse.”

5G: Forecasting that 2020 will be “the year of 5G” no longer qualifies as a bold prediction. Billions of dollars’ worth of 5G rollouts are scheduled for the coming year, which will bring the emergent technology to countries around the world. The arrival of 5G will fuel an explosion of never-before-seen IoT machines, introducing uncharted vulnerabilities and opening the door for cyber-criminals to compromise our increasingly intertwined cities. Claims that 5G offers “better security” for IoT may not ring true.

5G security: The new 5G mobile networks will be the backbone of future digitalized operations. Therefore, it is also important to ensure the security and immunity of 5G networks. The Council of the European Union has warned member states that the introduction of 5G networks poses increased security risks while also bringing economic and infrastructure benefits. ENISA, the European Union Agency for Cybersecurity, has published a Threat Landscape for 5G Networks, assessing the threats related to the fifth generation of mobile telecommunications networks (5G). Organised cybercrime, rogue insiders and nation-state-backed hackers are among the groups that could soon be targeting 5G networks. Claims that 5G offers “better security” for IoT may not ring true, with the technology remaining vulnerable to SIM-jacking attacks within private Industry 4.0-style deployments. 5G SIM-swap attacks could be even worse for industrial IoT than they are now. Criminals can convince telcos to port a victim’s number to a new SIM card controlled by the criminal. Trust your hardware or operator? Pah, you oughta trust nobody. Do not base all your security and identification on the SIM card.

DNS Over HTTPS (DoH): DoH-encrypted DNS queries are already set to arrive in the Chrome and Firefox web browsers. Microsoft will bring DNS over HTTPS (DoH) to Windows 10 in an attempt to keep user traffic as private as possible. DoH support in Windows means encrypted DNS queries. Microsoft says that DoH doesn’t require DNS centralization if adoption is broad among operating systems and Internet service providers alike.
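What "encrypted DNS queries" means on the wire is simpler than it sounds: RFC 8484 takes an ordinary DNS message (RFC 1035 format) and carries it over HTTPS, either base64url-encoded in a GET query string or as a POST body with the `application/dns-message` media type. The following added example (standard-library Python, not code from the article, from Microsoft or from any browser vendor) builds such a query, forms both HTTP request shapes, and parses A records out of a response; the resolver hostname is a placeholder and the response used for the demo is constructed locally so the code runs offline:

```python
"""Added example (not from the original article): what a DoH client actually
sends. RFC 8484 wraps an ordinary DNS wire-format message (RFC 1035) in HTTPS,
either base64url-encoded in a GET query string or as a POST body with
Content-Type application/dns-message. Everything below is standard-library
Python; the response used for the demo is constructed locally so the code runs
offline, and the resolver hostname is a placeholder you would replace."""
import base64
import struct
import urllib.request


def build_query(name, qtype=1):
    """Serialize a single-question DNS query. RFC 8484 section 4.1 recommends
    ID 0 so identical queries produce identical HTTP requests and can be cached."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN


def doh_get_url(resolver_host, query):
    """GET form: base64url without padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={encoded}"


def doh_post_request(resolver_host, query):
    """POST form: raw message in the body with the DoH media type (built, not sent)."""
    return urllib.request.Request(
        f"https://{resolver_host}/dns-query", data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Return [(name, ttl, ipv4)] from the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                            # skip question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query, ipv4=(93, 184, 216, 34), ttl=300):
    """Fake resolver reply for offline testing: echo the question, answer with one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, NOERROR
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(ipv4)
    return header + query[12:] + answer
```

The privacy gain is entirely in the transport: the DNS message itself is unchanged, which is why an operating system or browser can switch to DoH without touching application code, and why the resolver you choose still sees every name you look up.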

Firewall configuration: Now, more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.” This is a human problem, not a firewall problem.
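Automating the check is the practical answer to the human problem. The following is an added example (not code from the article or from Gartner) of a lint pass over ingress rules that flags anything reachable from the whole internet, ranks exposure of administrative and database ports as critical, and produces the corrected form of a rule by restricting its source. The rule format is a constructed, cloud-neutral representation of security-group or firewall entries, and the sensitive-port list is an assumption you would tune:

```python
"""Added example (not from the original article): an automated check for the
misconfiguration Gartner describes, a rule that exposes a service directly to
the public internet. The rules are a constructed, cloud-neutral representation
of security-group/firewall entries; the port list and the fix are assumptions
for the demo."""
import ipaddress

# Ports that should essentially never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 2375: "docker-api (plaintext)", 2376: "docker-api (tls)",
    3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb", 9200: "elasticsearch",
}

# Constructed rule set (only ingress matters here).
RULES = [
    {"id": "web-80",      "direction": "ingress", "proto": "tcp", "from_port": 80,   "to_port": 80,    "source": "0.0.0.0/0"},
    {"id": "ssh-any",     "direction": "ingress", "proto": "tcp", "from_port": 22,   "to_port": 22,    "source": "0.0.0.0/0"},
    {"id": "ssh-bastion", "direction": "ingress", "proto": "tcp", "from_port": 22,   "to_port": 22,    "source": "10.0.1.0/24"},
    {"id": "docker-any",  "direction": "ingress", "proto": "tcp", "from_port": 2375, "to_port": 2376,  "source": "::/0"},
    {"id": "all-open",    "direction": "ingress", "proto": "-1",  "from_port": 0,    "to_port": 65535, "source": "0.0.0.0/0"},
    {"id": "egress-all",  "direction": "egress",  "proto": "-1",  "from_port": 0,    "to_port": 65535, "source": "0.0.0.0/0"},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0 (any /0 prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sensitive_ports_in(rule):
    return sorted(p for p in SENSITIVE_PORTS if rule["from_port"] <= p <= rule["to_port"])


def lint(rules):
    """Return [(rule_id, severity, message)] for internet-exposed ingress rules."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or not is_world_open(r["source"]):
            continue
        if r["proto"] == "-1" or (r["from_port"], r["to_port"]) == (0, 65535):
            findings.append((r["id"], "critical", "every port open to the internet"))
            continue
        hits = sensitive_ports_in(r)
        if hits:
            names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in hits)
            findings.append((r["id"], "critical", f"internet-exposed {names}"))
        else:
            findings.append((r["id"], "info",
                             f"ports {r['from_port']}-{r['to_port']} open to the internet (confirm intended)"))
    return findings


def restrict_source(rule, allowed_cidr):
    """Corrected form of a world-open rule: same ports, trusted source only."""
    fixed = dict(rule)
    fixed["source"] = str(ipaddress.ip_network(allowed_cidr, strict=False))
    return fixed


if __name__ == "__main__":
    for rule_id, severity, msg in lint(RULES):
        print(f"{severity:8} {rule_id:12} {msg}")
    print(restrict_source(RULES[1], "203.0.113.10/32"))   # ssh from one admin host only
```

Run as a pre-merge check on infrastructure-as-code, a pass like this catches the "mistakenly exposed" case before it is deployed; the `info` findings keep intentionally public services (port 80 on a web tier) visible without burying the critical ones.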

Bot attacks: Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more. Organizations are Failing to Deal With Rising Bot Attacks.

Network security: Networks are continually growing in complexity and the cyberattack surface is constantly expanding. The network perimeter of today is elastic, expanding and contracting with the demands of both users and the business. In a rush to adopt digital business practices, many of these new network expansion projects are being implemented ad hoc by individual lines of business. Routers sit at the edge of the network and see everything, so they can be utilized to make the network the first line of defense. A critical step in building a stronger security posture and more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. Cybercriminals only need to be successful once in finding a way to access the network – but the security team needs to monitor everything on the network and be right all the time to ensure security. Today’s core network is continually adapting to the introduction of new devices, applications, and workflows, along with shifting network configurations to support business requirements, requiring the use of advanced, intent-based segmentation.

Security-Driven Networking: Security-Driven Networking is a new, strategic approach to security that enables the seamless expansion of network environments and services without ever compromising on security. Essentially, it begins by crafting a comprehensive security policy that covers the entire organization. It outlines the protocols, enforcement and inspection technologies, policies, and protections required to be in place before any new network environment or solution is even placed on the drawing board. It requires the selection and full integration of security tools that not only work together to share and correlate intelligence and coordinate a unified response to threats, but that also work seamlessly across the widest variety of environments possible.

Critical infrastructure: Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems. In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. Expect targeted attacks on critical infrastructure facilities to increase. APT33 has shifted targeting to industrial control systems software. We need to be worried about the cyber-physical security of the power grid. To protect this infrastructure you need to prioritize the strategic risks that affect critical infrastructure: concern yourself with the most important hacks, understand the critical pieces of your infrastructure and know your inter-dependencies.

Payment security: Payment security backslides for the second straight year in 2019. Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. At the same time the EU’s PSD2 (Payment Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, banks will be required to open their infrastructure and data to third parties. Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use.

Election security: Nowadays, no elections can be held any longer without debate on influencing voters through online services. There are on-going accusations of Russian interference in US elections and fears about a possible reboot of this in the run-up to the 2020 elections. U.S. military cyber experts are plotting strategy in a fight against potential Russian and other cyberattacks ahead of the 2020 American and Montenegrin elections. As the 2020 Presidential election looms closer in the United States, a key focus will be on securing election infrastructure to prevent tampering. Most of the largest US voting districts are still vulnerable to email spoofing. Disinformation campaigns for political purposes are also deeply rooted in cybercriminal endeavors. It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. Hacking is considered the biggest tech threat to the 2020 elections in the USA. Legislators are working on new laws, but it is not going to be enough in an era when technology is turning out entirely new attack surfaces.

False Flags: The use of false flags has become an important element in the playbook of several APT groups. This can be used to try to deflect attention away from those responsible for the attack or what is really happening.

Common attack tools: Cyber actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult.

Vulnerability disclosure: Most “white hat” cyber engineers seem to be driven by a sense of social responsibility best expressed as, “If you find something, say something.” Across the industry, the ethos is to share information quickly, whether the problem is a newly discovered exploit or an evolving cyber threat. The goal is to impel the affected vendor—hardware or software—to take quick action and produce a fix. There are good and bad ways to make vulnerabilities known. A premature “full disclosure” of a previously unknown issue can unleash the forces of evil, and the “black hats” often move faster than vendors or enterprise IT teams. The preferred path is a “responsible” or “coordinated” disclosure that happens behind the scenes. Public announcements occur after a specified period of time—typically 90 or 120 days. But things don’t always work this way.

Ransomware: Cybercriminals have become more targeted in their use of ransomware. It is inevitable that cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. There is a ransomware ‘crisis’ in US schools and in many cities in the USA.

Supply chain: Use of supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and abuse of packages and libraries. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations. Counterfeit electronics are also on the rise.

Mobile: The main storage for our digital lives has moved from the PC to mobiles over the last 10 years. Several countries have started demanding that their own software (maybe in some cases also malware) be installed on all smartphones. Putin signs law making Russian apps mandatory on smartphones, computers.

Android: Today 80% of Android apps are encrypting traffic by default. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain. The heterogeneity of the Android versions will continue to be a problem in the coming year.

DDoS attacks: DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic. The number of DDoS attacks rose 86% in the third quarter compared to a year ago. DNS amplification attacks accounted for 45% of the attacks, while HTTP floods and TCP SYN attacks accounted for 14%. Mobile devices account for 41% of DDoS attack traffic.

Business security: Small and medium-sized businesses (SMBs) increasingly recognize that a reactive security posture is no longer sufficient for protecting their networks. Breaches will happen. Companies should treat cyberattacks “as a matter of when” and not “whether.” Insider threats are still a big issue: employees are one of your biggest assets, but human beings are the weakest link in the security chain. Data leaks help attackers to craft more convincing social engineering attacks. Plan proper incident management, because quick, reliable, multichannel communication is a vital part of any incident management solution. Cybercriminals often choose very small companies as their targets because small businesses rarely spend significant money on security systems. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations.

Cyber insurance: Cyber Has Emerged as a Risk That is Not Specifically Covered by Other Insurance Policies. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow.

New encryption: The problem with encrypted data is that you must decrypt it in order to work with it. There is a powerful solution to this scenario: homomorphic encryption. Homomorphic encryption makes it possible to analyze or manipulate encrypted data without revealing the data to anyone. Just like many other popular forms of encryption, homomorphic encryption uses a public key to encrypt the data. There are three main types of homomorphic encryption: partially homomorphic encryption (keeps sensitive data secure by only allowing select mathematical functions to be performed on encrypted data); somewhat homomorphic encryption (supports limited operations that can be performed only a set number of times); and fully homomorphic encryption (the gold standard of homomorphic encryption, which keeps information both secure and accessible). Cryptographers have known of the concept of homomorphic encryption since 1978, but Gentry established the first fully homomorphic encryption scheme in 2009. The biggest barrier to widescale adoption of homomorphic encryption is that it is still very slow. Duality, a security startup co-founded by the creator of homomorphic encryption, has raised $16M.
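The "partially homomorphic" category above is easy to see in working code. The following is an added example (not code from the article, from Gentry's scheme or from Duality) of the textbook Paillier cryptosystem, which is additively homomorphic: anyone holding only the public key can add two ciphertexts, or multiply a ciphertext by a plaintext constant, and the key holder decrypts the correct result without the aggregator ever seeing the inputs. The primes are small constructed values so the demo runs instantly; they are not a secure parameter choice:

```python
"""Added example (not from the original article): a textbook partially
homomorphic scheme, Paillier (additively homomorphic), in plain Python. It
shows the property the paragraph describes: a party holding only the public key
can add encrypted values, or multiply one by a constant, and the key holder
decrypts the correct result. Primes are small constructed values so the demo
runs instantly; they are not a secure parameter choice."""
import secrets
from math import gcd


def _lcm(a, b):
    return a * b // gcd(a, b)


def _L(x, n):
    return (x - 1) // n


def keygen(p, q):
    """Paillier key generation with g = n + 1 (the usual simplification)."""
    n = p * q
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes must satisfy gcd(pq, (p-1)(q-1)) == 1")
    lam = _lcm(p - 1, q - 1)
    n2 = n * n
    g = n + 1
    mu = pow(_L(pow(g, lam, n2), n), -1, n)      # modular inverse, Python 3.8+
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Probabilistic: a fresh random r makes every ciphertext of m different."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return _L(pow(c, lam, n * n), n) * mu % n


def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 == E(m1 + m2): addition without decrypting."""
    return c1 * c2 % (pub[0] ** 2)


def multiply_by_constant(pub, c, k):
    """E(m)^k mod n^2 == E(k * m): scaling by a public constant."""
    return pow(c, k, pub[0] ** 2)


# Constructed toy parameters (two small primes). Real deployments use ~1024-bit primes each.
PUB, PRIV = keygen(10007, 10009)


def encrypted_total(pub, values):
    """An untrusted aggregator sums values it cannot read (e.g. payroll figures)."""
    ciphertexts = [encrypt(pub, v) for v in values]
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = add_encrypted(pub, total, c)
    return total
```

Paillier supports only addition and scalar multiplication, which is exactly what makes it "partially" homomorphic; multiplying two encrypted values together needs a somewhat or fully homomorphic scheme, and that extra capability is where the performance cost the paragraph mentions comes from.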

Artificial Intelligence (AI): The buzzword for 2019 that we have all heard a thousand times was Artificial Intelligence, AI. The term AI is often used interchangeably with machine learning. There is a lot of research examining AI applications in cyber security. As cyberattacks grow in volume and complexity, hopefully artificial intelligence (AI) is helping under-resourced security operations analysts stay ahead of threats. Cybersecurity tools currently use this data aggregation and pattern analysis in the field of heuristic modeling: the true function of AI will be to determine, over a long arc of time and data, what “normal” looks like for a user. AI can act as an advisor to analysts, helping them quickly identify and connect the dots between threats. Finnish cyber security company F-Secure is doing research on AI agents, and Mikko Hyppönen says that AI should not be used to try to imitate humans, and that artificial intelligence-based attacks are expected in the near future. Another Finnish cyber security company, Nixu, says that artificial intelligence is going to revolutionize cyber security. According to Orlando Scott-Cowley from Amazon Web Services, machine learning is the new normal in cyber security. Advanced machine learning layers are to be integrated into the latest Windows cybersecurity products. Leaders in artificial intelligence warn that progress is slowing, big challenges remain, and simply throwing more computers at a problem isn’t sustainable.

2020 problems: Has your business prepared for the ‘2020 problem’? Software updates for Windows 7 will end on January 14, 2020. As of Jan. 14, 2020, Windows 7 and Server 2008 technical support and software updates will no longer be available from Windows Update. There will no longer be updates for Office 2010. Some business users can pay extra for extended security update support for a limited time. Python will stop supporting Python version 2 on January 1, 2020. Beginning on January 1, 2020, unpatched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. December 2019 Patch Tuesday was the last time Microsoft ever offered security updates for devices running Windows 10 Mobile.

Crypto wars continue: A decades-old debate: government officials have long argued that encryption makes criminal investigations too hard. Governments all over the world say that encrypted communication is a huge issue for law enforcement, and the balance between the privacy of citizens and effective policing of criminal activity is top of mind for governments, technology companies, citizens and privacy organisations all over the world. The international police organization Interpol plans to condemn the spread of strong encryption. Like top law enforcement officials in the United States, United Kingdom and Australia, the larger group will cite difficulties in catching child sexual predators as grounds for companies opening up user communications to authorities wielding court warrants. Congress warns tech companies: take action on encryption, or we will. US lawmakers are poised to “impose our will” if tech companies don’t weaken encryption so police can access data.

Do not weaken encryption: Companies, they say, should build in special access that law enforcement could use with a court’s permission. Technologists say creating these back doors would weaken digital security for everyone. Unfortunately, every privacy protection mechanism is subject to abuse by the morally challenged. That’s just a truth that must be accepted and overcome. Invading the privacy of the masses in order to catch criminals is unacceptable. Remember three things: one, that strong encryption is necessary for personal and national security; two, that weakening encryption does more harm than good; and three, that law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. If back doors are added to encryption, they will be abused. If You Think Encryption Back Doors Won’t Be Abused, You May Be a Member of Congress. Bad encryption can have business consequences. Apple and Facebook told the committee that back doors would introduce massive privacy and security threats and would drive users to devices from overseas. In Australia, 40% of firms say they have lost sales or other commercial opportunities as a result of the encryption law being in place.

Scaring people: Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. It seems you can scare any public into allowing the government to do anything with those four. Which particular horseman is in vogue depends on time and circumstance.

2FA: The second authentication factor might be a minor inconvenience, but it provides a major security boost. With past years riddled with security breaches, it is high time we evaluated the way we secure our online presence. Two factors are much better than one, but they can still be phished: a real-time phishing proxy that relays the victim’s password and one-time code to the real site defeats SMS and app-generated codes. Attacks that phish 2FA to access email accounts cost $100-$400 on the hack-for-hire market; such attacks can be prevented with physical security keys, because the key’s signature is bound to the origin the browser is actually talking to. Also, some physical security keys have turned out to be less secure than their advertising claimed.

Myth of the sophisticated hacker in the news: “Sophisticated” is the latest lexical stretch for an adjective that is widely used in reports of cybersecurity incidents, and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.

New security models: Google moved from perimeter-based to cloud-native security, as described in its BeyondProd whitepaper. Google’s architecture is the inspiration and template for what is widely known as “cloud-native” today: using microservices and containers so that workloads can be split into smaller, more manageable units for maintenance and discovery. Google’s cloud-native architecture was developed with security prioritized as part of every evolution.

Hacktivists: Hacktivists seek to obtain private information about large companies in order to embarrass them or expose the company’s controversial business practices. Many companies are a treasure trove of personal information, whether they realize it or not. Experian predicts that the emerging cannabis industry will experience an increase in data breaches and cybersecurity threats in 2020.

RCS messaging: RCS (Rich Communication Services) is a protocol that aims to replace SMS. RCS messaging has rolled out to Android users in the US. The update brings features such as chat, sending hi-res videos and photos, and group chats. One criticism of RCS is that it does not provide end-to-end encryption, and it could be better in many other security aspects too: researchers have found that many RCS deployments expose most users to several attacks. These risks are said to be mitigated by implementing the protocol with security in mind; the standard itself allows for poor security implementations, but the GSMA advises its members to deploy RCS with the most secure settings possible.

Data breaches: Billions of sensitive files are exposed online all the time. During the first six months of 2019, more than 4 billion records were exposed by data breaches. That is a shocking statistic, made even more so when you realize that passwords were included in droves: on December 4, a security researcher discovered a treasure trove of more than a billion plain-text passwords in an unsecured online database. Many businesses wrongly assume they are too small to be on the radar of threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores. All organizations are exposed to security breaches, from large multinationals to SMEs and public administrations. A common thread is unsecured cloud-based databases that leave sensitive information wide open for anyone to access online.

Phishing: Phishing remains one of the most pervasive online threats, and phishing emails are still catching people out. Phishing e-mails used to steal credentials usually depend on the user clicking a link that leads to a phishing website mimicking the login page of some valid service. Google Chrome now offers better protection against this, as Safe Browsing displays warning messages to users before they visit dangerous websites and before they download harmful applications. New, more advanced ways to phish are also being taken into use. With dynamite phishing (the technique Emotet is known for), the criminals read the email communication from a system already infected with an information stealer; the infected user’s correspondents then receive malicious emails that quote the last “real” email between the two parties and look like a legitimate response from the infected user. Attacks that phish 2FA to access email accounts cost $100-$400, and such attacks can be prevented with physical security keys.
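
The 2FA and phishing items above both turn on one point: a one-time code can be relayed by a real-time phishing proxy, while a security key’s assertion cannot, because the browser puts the origin it is really connected to into the signed data. The following is an added example, not code from the original post or from any vendor; it implements RFC 4226/6238 one-time codes for real, but stands in for a FIDO2/WebAuthn authenticator with an HMAC over the client data instead of an EC signature, and the origins, password and key secret are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HOTP over the current 30-second time step.
    return hotp(secret, int(at // step), digits)

# Hypothetical origins: the legitimate site and the attacker's look-alike proxy.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.evil.test"

# Constructed credentials (the TOTP secret is the RFC 6238 test-vector secret).
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"12345678901234567890"
KEY_SECRET = bytes(range(32))

class TotpService:
    # Password + TOTP login: nothing ties the code to the site where it was typed.
    def __init__(self, password: str, totp_secret: bytes):
        self.password, self.totp_secret = password, totp_secret
    def login(self, password: str, code: str, now: float) -> bool:
        ok_pw = hmac.compare_digest(password, self.password)
        ok_code = hmac.compare_digest(code, totp(self.totp_secret, now))
        return ok_pw and ok_code

class SecurityKey:
    # Stand-in for a FIDO2 authenticator. A real key signs with a per-site EC key
    # pair; HMAC over the same bytes is used here only to stay dependency-free.
    def __init__(self, secret: bytes):
        self.secret = secret
    def sign(self, challenge: str, browser_origin: str) -> tuple:
        # The browser, not the user, fills in the origin it is really connected to.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig

class FidoService:
    # Relying party: single-use challenges, origin check before signature check.
    def __init__(self, origin: str, secret: bytes):
        self.origin, self.secret, self.pending = origin, secret, set()
    def begin(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge
    def finish(self, client_data: str, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") not in self.pending:
            return False                      # unknown, replayed or expired challenge
        self.pending.discard(data["challenge"])
        if data.get("origin") != self.origin:
            return False                      # origin binding: this is what stops the proxy
        expected = hmac.new(self.secret, client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

NOW = 1_577_836_800.0  # 2020-01-01T00:00:00Z, the start of a 30 s TOTP step

def legitimate_totp_login() -> bool:
    svc = TotpService(PASSWORD, TOTP_SECRET)
    return svc.login(PASSWORD, totp(TOTP_SECRET, NOW), NOW)

def phished_totp_login() -> bool:
    # Victim types password + code into the look-alike page; the proxy relays them
    # to the real site a few seconds later, inside the same 30 s step. It succeeds.
    svc = TotpService(PASSWORD, TOTP_SECRET)
    captured = (PASSWORD, totp(TOTP_SECRET, NOW))   # what was submitted to PHISH_ORIGIN
    return svc.login(captured[0], captured[1], NOW + 5)

def legitimate_fido_login() -> bool:
    svc, key = FidoService(REAL_ORIGIN, KEY_SECRET), SecurityKey(KEY_SECRET)
    return svc.finish(*key.sign(svc.begin(), REAL_ORIGIN))

def phished_fido_login() -> bool:
    # The proxy fetches a real challenge and forwards it, but the victim's browser
    # signs with origin=PHISH_ORIGIN, so the relayed assertion is rejected.
    svc, key = FidoService(REAL_ORIGIN, KEY_SECRET), SecurityKey(KEY_SECRET)
    client_data, sig = key.sign(svc.begin(), PHISH_ORIGIN)
    return svc.finish(client_data, sig)

def tampered_fido_login() -> bool:
    # The proxy rewrites the origin field to the real one: the signature no longer verifies.
    svc, key = FidoService(REAL_ORIGIN, KEY_SECRET), SecurityKey(KEY_SECRET)
    client_data, sig = key.sign(svc.begin(), PHISH_ORIGIN)
    return svc.finish(client_data.replace(PHISH_ORIGIN, REAL_ORIGIN), sig)
```

Calling the four scenario functions shows the asymmetry directly: `phished_totp_login()` returns True because the 30-second window is plenty for an automated proxy, while `phished_fido_login()` and `tampered_fido_login()` return False. The same origin check is why a key bought for one site cannot be coaxed into asserting for a look-alike domain, regardless of how convincing the page looks to the user.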

Windows: Microsoft doesn’t back up the Windows Registry anymore. It is still possible to perform registry backups, but the option is disabled by default (Microsoft’s support article describes re-enabling it with the EnablePeriodicBackup DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager). It is time to disconnect RDP from the internet, as brute-force attacks and BlueKeep (CVE-2019-0708) exploits usurp the convenience of direct RDP connections. Microsoft is ready to push a full-screen warning to Windows 7 users who are still running the OS after January 14, when its support ends.

Linux: Support for the 32-bit i386 architecture will be dropped by many Linux distributions. It turns out that there are essentially no upstream development resources dedicated to x86_32 Linux and, perhaps unsurprisingly, it was found to be badly broken.

Drones: Turkey is getting military drones armed with machine guns. Drone hacking happens, and there is now Dronesploit, a Metasploit-style CLI framework tailored for tinkering with everybody’s favourite unmanned flying objects.

World market war: China tells government offices to remove all foreign computer equipment: China has ordered the replacement of all foreign PC hardware and operating systems in state offices over the next three years, which means China will ditch all Windows PCs by 2022. China already has some Linux distros of its own, such as Kylin and Deepin. Meanwhile, many western countries are more or less banning Huawei telecom equipment.

Cloud security: Traditional security tools and methodologies are ill-suited to protecting cloud native’s developer-driven and infrastructure-agnostic multicloud patterns. The vision laid out by the Gartner analysts is straightforward: the legacy “data center as the center of the universe” network and network security architecture is obsolete and has become an inhibitor to the needs of digital business. They describe the underpinning shift to cloud infrastructure, a digital transformation that has been underway for ten years, and point out that the corporate network cannot protect end users who consume cloud applications from any location and any device without the contorting, expensive backhaul of traffic through the corporate data center. Gartner coins a new term for the future of security and networks, SASE (pronounced “sassy”), Secure Access Service Edge, which is not really anything new. SASE promises to create a ubiquitous, resilient and agile secure network service, globally. Most stolen-data incidents in the cloud are related to simple human errors rather than concerted attacks; Gartner expects that through 2020, 95% of cloud security failures will be the customer’s fault. A common thread is unsecured cloud-based databases that leave sensitive information wide open for anyone to access online. Also, it is almost 2020 and some sysadmins are still leaving the Docker admin port (the daemon’s TCP API, conventionally 2375) exposed on the internet, and a hacking group is hijacking those systems through the exposed API endpoints.
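
The exposed-Docker-port problem is a configuration error that can be caught before the host is reachable from the internet. The following audit script is an added example, not code from the original post or from the Docker project: it reads the listener configuration from the two places dockerd takes it (the `hosts` list in `daemon.json` and `-H`/`--host` flags on the command line, for example the `ExecStart=` line of `docker.service`) and rates every TCP listener. The sample daemon.json and command lines are constructed; the severity labels are this example’s own. Note that `--tls` alone only encrypts the connection, so only `--tlsverify` (client certificates required) is counted as authentication.

```python
import json
import shlex
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375  # conventional unencrypted Docker API port; 2376 is conventional for TLS
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def listeners_from_daemon_json(text: str) -> tuple:
    """Read the 'hosts' list and 'tlsverify' flag from /etc/docker/daemon.json content."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))

def listeners_from_cmdline(cmdline: str) -> tuple:
    """Extract -H/--host values and --tlsverify from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify

def assess(hosts: list, tlsverify: bool) -> list:
    """One finding per TCP listener. unix:// and fd:// sockets are skipped: they are
    local and protected by filesystem permissions, not reachable over the network."""
    findings = []
    for h in hosts:
        url = urlsplit(h)
        if url.scheme != "tcp":
            continue
        bind = url.hostname or "(unspecified)"   # empty host: confirm the real bind with `ss -ltnp`
        port = url.port or PLAINTEXT_PORT
        if tlsverify:
            severity = "info"      # client certs required; still keep it off the open internet
        elif bind in LOOPBACK:
            severity = "medium"    # any local user who can reach the port is effectively root
        else:
            severity = "high"      # anyone who can reach the port controls the host
        findings.append({"listener": h, "bind": bind, "port": port,
                         "tls_client_auth": tlsverify, "severity": severity})
    return findings

# Constructed sample inputs, as typically seen on misconfigured hosts.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375 --containerd=/run/containerd/containerd.sock"
SAMPLE_TLS_EXECSTART = ("/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem "
                        "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem "
                        "-H=tcp://0.0.0.0:2376")

if __name__ == "__main__":
    sources = [("daemon.json", listeners_from_daemon_json(SAMPLE_DAEMON_JSON)),
               ("ExecStart", listeners_from_cmdline(SAMPLE_EXECSTART)),
               ("ExecStart+TLS", listeners_from_cmdline(SAMPLE_TLS_EXECSTART))]
    for label, (hosts, tls) in sources:
        for f in assess(hosts, tls):
            print(f"{label}: {f['severity'].upper()} {f['listener']} (bind {f['bind']}, port {f['port']})")
```

Running the script against the constructed inputs reports the `0.0.0.0:2375` listener from daemon.json as high, the loopback listener as medium, and the client-certificate-protected 2376 listener as info. On a real host, feed it the actual `daemon.json` and the `ExecStart=` line from `systemctl cat docker`, and treat any high finding as equivalent to an unauthenticated root shell on that machine.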

Autocracy as a service: Now any government can buy China’s tools for censoring the Internet. “Autocracy as a service” lets countries buy or rent the technology and expertise they need, as they need it. China offers a full stack of options up and down the layers of the internet, including policies and laws, communications service providers with full internet.

Trackers: Trackers are hiding in nearly every corner of today’s Internet, which is to say nearly every corner of modern life. The average web page shares data with dozens of third-parties. The average mobile app does the same, and many apps collect highly sensitive information like location and call records even when they’re not in use. Tracking also reaches into the physical world.

Geopolitics: The US-China tech divide could cause havoc, and it is possible that the world’s next major conflict will start in cyberspace. The USA has ordered a ban on certain hardware from China (Huawei and ZTE); China has ordered a ban on US computers and software, with the Chinese government to replace foreign hardware and software within three years. Who needs whom more?

International cyber politics: The lack of international standards for proper behavior in cyberspace prevents the United States and its allies from policing adversaries as they would wish to; the US “can’t enforce standards that don’t exist”. We have international norms in the maritime domain; we don’t have those in cyber. That makes it difficult to enforce standards that don’t exist, and therefore to hold nations accountable for nefarious behavior. NATO did confirm in 2017 that it could invoke Article 5 of its charter should one or more member nations find themselves under a serious cyberattack that threatens critical military and civilian infrastructure.

Sources:


https://www.csoonline.com/article/3452747/what-you-need-to-know-about-the-new-owasp-api-security-top-10-list.html

https://pentestmag.com/iot-security-its-complicated/

https://isc.sans.edu/diary/rss/25580

https://www.securityweek.com/case-cyber-insurance

https://www.bleepingcomputer.com/news/security/cybercriminals-lend-tactics-and-skills-to-political-meddlers/

https://www.securityweek.com/tips-help-mssps-choose-threat-intelligence-partner

https://www.zdnet.com/article/microsoft-we-never-encourage-a-ransomware-victim-to-pay/

https://www.darkreading.com/iot/weak-crypto-practice-undermining-iot-device-security/d/d-id/1336636

https://pacit-tech.co.uk/blog/the-2020-problem/

https://www.theregister.co.uk/2019/12/09/dronesploit_framework/

https://www.securityweek.com/blunt-effect-two-edged-sword-vulnerability-disclosures

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020

https://threatpost.com/email-voted-a-weak-link-for-election-security-with-dmarc-lagging/150909/

https://techcrunch.com/2019/12/15/rcs-messaging-has-rolled-out-to-android-users-in-the-us/?tpcc=ECFB2019&guccounter=1

https://www.theregister.co.uk/2019/12/04/council_of_eu_5g_risks/

https://techcrunch.com/2019/12/05/major-voting-districts-vulnerable-email-security/

https://www.zdnet.com/article/windows-10-mobile-is-over-prepare-for-final-security-patches-as-support-ends/

https://cacm.acm.org/magazines/2019/12/241053-hack-for-hire/fulltext

https://www.zdnet.com/article/chinese-government-to-replace-foreign-hardware-and-software-within-three-years/

https://www.zdnet.com/article/5g-hackers-these-six-groups-will-try-to-break-into-the-networks-of-tomorrow/

http://read.uberflip.com/i/1180978-siliconexpert-growth-of-counterfeit-electronics-3/0?acctid=6759

https://www.fireeye.com/blog/threat-research/2019/12/fireeye-approach-to-operational-technology-security.html

https://www.darkreading.com/attacks-breaches/mobile-devices-account-for-41--of-ddos-attack-traffic/d/d-id/1336635

https://www.technologyreview.com/f/614906/us-senators-on-encryption-backdoors-we-will-impose-our-will-on-apple-and-facebook/

https://www.zdnet.com/article/2020-is-when-cybersecurity-gets-even-weirder-so-get-ready/

https://www.theregister.co.uk/2019/12/09/china_orders_ban_on_us_computers_and_software/

https://www.darkreading.com/threat-intelligence/only-half-of-malware-caught-by-signature-av/d/d-id/1336577

https://securityintelligence.com/posts/public-sector-security-is-lagging-how-can-states-and-governments-better-defend-against-cyberattacks-in-2020/

https://www.eetimes.eu/ai-will-empower-industry-4-0-when-it-arrives/

https://www.pandasecurity.com/mediacenter/security/2019-the-ransomware-tsunami/

https://blog.paloaltonetworks.com/2019/12/cloud-native-security-platform-age/

https://github.com/dhondta/dronesploit/

https://isc.sans.edu/forums/diary/Internet+banking+sites+and+their+use+of+TLS+and+SSLv3+and+SSLv2/25606/

https://www.zdnet.com/article/1-in-every-172-active-rsa-certificates-are-vulnerable-to-exploit/

https://nationalcybersecurity.com/hacking-the-biggest-tech-threats-to-2020-elections/

https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/

https://www.eff.org/wp/behind-the-one-way-mirror

https://www.gdatasoftware.com/blog/2019/12/35671-early-detection-and-repulsion-of-dangerous-attacks

https://www.is.fi/digitoday/tietoturva/art-2000006342803.html

https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/

https://www.bleepingcomputer.com/news/security/google-chrome-uses-safe-browsing-to-improve-phishing-protection/

https://techcrunch.com/2019/10/30/duality-cybersecurity-16-million/

https://www.wired.com/story/sobering-message-future-ai-party/

https://www.reuters.com/article/us-russia-internet-software-idUSKBN1Y61Z4?utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html?m=1

https://www.forbes.com/sites/richardstiennon/2019/12/09/gartner-has-it-right-palo-alto-networks-has-it-wrong/

https://www.forbes.com/sites/leemathews/2019/12/11/google-chrome-adds-real-time-warnings-for-phishing-attacks/

https://www.zdnet.com/article/google-all-android-users-in-the-us-just-got-rcs-next-gen-sms/

https://www.schneier.com/blog/archives/2019/12/scaring_people_.html

https://www.mikrobitti.fi/uutiset/yha-oudompia-kyberiskuja-tahan-sinun-tulee-varautua/146d2459-1709-4109-8615-a24875b5af5d

https://www.fifthdomain.com/smr/reagan-defense-forum/2019/12/07/in-cyber-the-us-cant-enforce-standards-that-dont-exist/?utm_source=facebook.com&utm_campaign=Socialflow+C4&utm_medium=social

https://tcrn.ch/355ZAOT

https://www.bleepingcomputer.com/news/security/attackers-terrify-homeowners-after-hacking-ring-devices/

https://lists.ubuntu.com/archives/ubuntu-devel-announce/2019-June/001261.html

https://lwn.net/ml/oss-security/CALCETrW1z0gCLFJz-1Jwj_wcT3+axXkP_wOCxY8JkbSLzV80GA@mail.gmail.com/

https://www.theguardian.com/world/2019/dec/09/china-tells-government-offices-to-remove-all-foreign-computer-equipment

https://www.inc.com/chris-matyszczyk/if-you-have-an-amazon-echo-or-google-home-fbi-has-some-urgent-advice-for-you.html?cid=sf01002

https://www.bbc.com/news/amp/world-australia-46463029

https://minnesota.cbslocal.com/2019/12/11/its-scary-stuff-cyber-security-expert-says-recording-device-investigation-at-hyatt-hotel-is-not-uncommon/

https://fin.afterdawn.com/uutiset/artikkeli.cfm/2019/12/11/windows-7-n-tuki-paattyy-pian-microsoft-iskee-koko-nayton-varoituksella

https://tcrn.ch/2rMpx7E

https://cyware.com/news/rcs-technology-most-users-are-vulnerable-to-hacking-b53f9a6f

https://www.forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/#36679040bd54

https://hub.packtpub.com/core-python-team-confirms-sunsetting-python-2-on-january-1-2020/

https://www.kauppalehti.fi/uutiset/uusi-alypuhelintekniikka-tuo-mukanaan-tietoturva-aukkoja-muun-muassa-google-ilmoittanut-ottavansa-tekniikan-kayttoon/8d8093a0-71ab-4a9c-838a-eb3bfc697e85

https://www.cnet.com/news/congress-warns-tech-companies-take-action-on-encryption-or-we-will/

https://edri.org/facial-recognition-and-fundamental-rights-101/

https://cloud.google.com/blog/products/identity-security/beyondprod-whitepaper-discusses-cloud-native-security-at-google

https://itwire.com/government-tech-policy/encryption-law-40-of-firms-say-they-have-lost-sales-after-passage.html

https://techcrunch.com/2019/12/10/insider-threats-startups-protect/

https://www.newscientist.com/article/2227168-turkey-is-getting-military-drones-armed-with-machine-guns/#ixzz684jm3YzJ

https://uk.pcmag.com/windows-10/121518/microsoft-doesnt-back-up-the-windows-registry-anymore

https://threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/

https://www.cnbc.com/2019/12/13/new-orleans-reports-cyberattacks-after-other-attacks-in-louisiana.html

https://chiefexecutive.net/bridge-cybersecurity-skills-gap/

https://systemagic.co.uk/has-your-business-prepared-for-the-2020-problem/

https://blog.checkpoint.com/2019/12/09/protect-yourself-from-hacker-in-the-box-devices-with-the-iot-security-risk-assessment/

https://www.bloomberg.com/news/features/2019-12-11/silicon-valley-got-millions-to-let-siri-and-alexa-listen-in

https://www.vice.com/en_us/article/k7eq7x/vladimir-putins-computer-is-apparently-still-running-windows-xp?utm_source=vicenewsfacebook

https://nypost.com/2019/12/16/video-surveillance-in-china-isnt-much-worse-than-in-the-us/?utm_campaign=iosapp&utm_source=facebook_app

https://spectrum.ieee.org/the-human-os/biomedical/devices/cyber-attacks-on-medical-devices-are-on-the-riseand-manufacturers-must-respond

https://reason.com/2019/12/16/if-you-think-encryption-back-doors-wont-be-abused-you-may-be-a-member-of-congress/

https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html

https://www.securityweek.com/most-companies-dont-properly-manage-third-party-cyber-risk

https://www.uusiteknologia.fi/2019/11/21/hyoty-panee-jakamaan-tietonsa-luottamus-ratkaisee/

https://pentestmag.com/advice-for-a-cybersecurity-leader-think-like-your-adversary/

https://www.amnesty.org/en/latest/news/2019/11/google-facebook-surveillance-privacy/

https://www.amnesty.org/en/documents/pol30/1404/2019/en/

https://www.securityweek.com/compromised-connection-5g-will-unite-cities-and-also-put-them-risk

https://www.securityweek.com/amnesty-international-calls-facebook-google-rights-abusers

https://www.securityweek.com/microsoft-will-bring-dns-over-https-doh-windows

https://www.securityweek.com/cybersecurity-workforce-gap-145-growth-needed-meet-global-demand

https://blog.radware.com/security/2019/11/why-organizations-are-failing-to-deal-with-rising-bot-attacks/

https://www.helpnetsecurity.com/2019/11/19/successful-soc/

https://shorturl.at/kKLM6

https://www.securityweek.com/making-network-first-line-defense

https://techbeacon.com/security/how-prioritize-strategic-risks-affect-critical-infrastructure

https://www.securityweek.com/transitioning-security-driven-networking-strategy

https://www.theregister.co.uk/2019/11/16/5g_iot_report/

https://www.securityweek.com/us-montenegro-plot-cyber-warfare-ahead-2020-elections

https://www.securityweek.com/fears-grow-digital-surveillance-us-survey

https://www.kaspersky.com/blog/attack-on-online-retail/31786/

https://www.securityweek.com/implementing-cyber-best-practices-requires-security-first-approach

https://securelist.com/advanced-threat-predictions-for-2020/95055/

https://www.darkreading.com/cloud/smart-building-security-awareness-grows/d/d-id/1336597

https://www.forbes.com/sites/bernardmarr/2019/11/15/what-is-homomorphic-encryption-and-why-is-it-so-transformative/

https://www.cisomag.com/the-future-of-ai-in-cybersecurity/

https://www.ibm.com/security/artificial-intelligence

https://www.welivesecurity.com/2019/12/13/2fa-double-down-your-security/

https://cannatechtoday.com/experian-predicts-an-increase-in-global-cannabis-industry-data-breaches/

https://www.uusiteknologia.fi/2019/11/21/f-secure-tutkimaan-tekoalyagentteja/

https://www.securityweek.com/ongoing-research-project-examines-application-ai-cybersecurity

http://www.etn.fi/index.php/13-news/10151-mikko-hypponen-tekoalyn-ei-pida-matkia-ihmista

http://www.etn.fi/index.php/13-news/10124-nixu-selvitti-tekoaly-mullistaa-kyberturvan

http://www.etn.fi/index.php/13-news/10120-kyberturvassa-koneoppiminen-on-uusi-normaali

https://www.eset.com/blog/company/evading-machine-learning-detection-in-a-cyber-secure-world/?utm_source=facebook&utm_medium=cpc&utm_campaign=corporate-blog&utm_term=machine-learning&utm_content=blog

https://www.is.fi/digitoday/tietoturva/art-2000006316233.html

https://www.uusiteknologia.fi/2019/11/29/5g-verkkojen-tietoturvariskit-listattu-oulu-testaa-ongelmat/

https://www.cyberscoop.com/apt33-microsoft-iran-ics/

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/

https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/

https://www.enisa.europa.eu/news/enisa-news/enisa-draws-threat-landscape-of-5g-networks/

https://smartgrid.ieee.org/newsletters/november-2019/the-cyber-physical-security-of-the-power-grid

https://www.wired.com/story/un-secretary-general-antonio-guterres-internet-risks/

https://codastory.com/authoritarian-tech/russia-facial-recognition-networks/

https://www.theverge.com/2019/12/9/21002515/surveillance-cameras-globally-us-china-amount-citizens

https://www.wired.com/story/iran-internet-shutoff/

https://www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/

https://www.zdnet.com/google-amp/article/hacking-and-cyber-espionage-the-countries-that-are-going-to-emerge-as-major-threats-in-the-2020s/

https://www.reuters.com/article/us-interpol-encryption-exclusive-idUSKBN1XR0S7

https://www.kcrw.com/news/shows/to-the-point/does-facial-recognition-software-threaten-our-freedom

1,468 Comments

  1. Tomi Engdahl says:

    Advantages and Disadvantages of Cloud Security: Main Benefits, Current Risks, and the Way to Avoid Them
    https://pentestmag.com/advantages-and-disadvantages-of-cloud-security-main-benefits-current-risks-and-the-way-to-avoid-them/

  2. Tomi Engdahl says:

    Let’s break into Payment Gateways
    https://medium.com/bugbountywriteup/lets-break-into-payment-gateways-fc52523eeaca

    An online payment gateway (PG) is a tunnel that connects your bank account to the platform where you need to transfer your money. A PG is software that authorizes you to conduct an online transaction through different payment modes like net banking, credit card, debit card, Unified Payments Interface (UPI), and the many online wallets that are available these days.
    A PG plays the role of a third party that securely transfers your money from the bank account to the merchant’s payment portal.

  3. Tomi Engdahl says:

    Rapid Change is the New Normal
    https://www.securityweek.com/rapid-change-new-normal

    Change is the New Normal, and it is Coming at a Speed That Few Have Been Ready For

    Over the past several weeks, threat researchers have been documenting a dramatic shift in the behavior of cybercriminals. March, for example, saw a 131% increase in viruses over the previous year, many of them attributed to the rise in phishing attacks – an average of about 600 new attacks per day – targeting remote workers. At the same time, traditional attacks have fallen off, with indicators like IPS triggers and botnets dropping by over 30%.

    Of course, this shift mirrors the dramatic change in how organizations do business. With millions of companies and workers suddenly transitioning to a remote worker model, cybercriminals are eager to scan this new attack surface, looking for weaknesses and security gaps to exploit. And given the rapid pace at which these changes took place, their chances of success are very high.

  4. Tomi Engdahl says:

    Cybersecurity and the economy: when recession strikes
    https://blog.malwarebytes.com/cybercrime/2020/04/cybersecurity-and-the-economy-when-recession-strikes/

    Cybercrime and the economy have always been intertwined, but with COVID-19 on the road to causing a seemingly inevitable global recession, many are asking what, exactly, will the impact be on cybercrime. Will criminals step up and increase malware production, ramp up phishing attacks, do whatever it takes to pull in some cash? Or will it cause a little downturn in malware making and other dubious dealings?

    There’s a fair bit of assumption at work here; that a big slice of people hit by a recession will automatically turn to crime, and computer crime at that. If resources are tight and money is short, if people are so physically impacted by a recession that they need to turn to crime to survive, will they:

    Invest time, electricity, and stamina they may not have on crash course hacking, malware, phishing, digging around on forums for someone—anyone—to help them so they can maybe go off and rip someone off online with no guarantee any of it will work; or
    Go out and steal some food or break into physical objects such as cars?

    Personally, I’d be in Camp B all the way. Camp A seems like incredibly slim vanishing returns all round.

    Wages down, crime up? Not so simple

    Driving the direction of technological attacks

    While many folks seem to think cybercrime is the perfect place to go for replacement crime activities, the reality is it’s not quite that straightforward. In more normal times, the shifts inside online crime as a whole are represented by an ebb and flow towards different types of attack as opposed some sort of wholesale digital stampede to do something differently.

    For a while now, we’ve seen consumer detections decrease while their business counterparts go up due to the juicy stuff being locked away behind corporate firewalls. Now, with so many people working from home, we expect to see cybercriminals modify their approach somewhat and start going back to poking around home computers (or at least, work computers suddenly on a home network).
    Here comes the massive caveat:

    It’s worth mentioning that for every “crime goes down during a recession” piece you know of, you’ll always find a few others claiming the opposite.

    I’m just highlighting the potentially significant shifts in data analysis for anyone trying to figure out the cybercrime / recession link, because even the non-cybercriminal data seems to have a hard time being stacked up one way or another depending on which data is used and who is telling the story.

    Playing the numbers

    The answer is “sort of”, and “very cautiously”. Cybercrime from last year tends to be somewhat old hat, never mind something from 5 or 10 years ago which often looks as though it’s landed here from another planet. Everything and anything could potentially be different, from infection types, to spreading techniques, to operating systems and security tools, even down to the way everybody from security vendors and governments tally up their figures.

    Present: The cybers will get us

    If we wind ourselves forward to the past few years, we see talk of cybercrime specifically being a potential cause for a possible recession. In 2018, the fear of a massive attack on banking systems worldwide was touted as the way we’d all be dragged into recession town, population: us. The way this was supposed to happen is as follows:

    Rogue nation state or someone with equivalent resources somehow causes a massive “cashout strike”, where a huge wave of fraudulent withdrawals happens simultaneously and this is on such a scale that the banks all fall over. Yes, this is quite speculative.
    A script kiddy does…something…malicious and everything breaks. This is even more speculative.

    That’s, uh, pretty much it. The article itself mentions that the banks would probably return to normal once functionality is restored, and if you’re undercutting your own “this is bad” point with “actually not really” then in all fairness it’s probably not how civilization is brought to its knees.

  5. Tomi Engdahl says:

    Covid-19 and America’s Vulnerabilities – A Way Forward
    https://www.eetimes.com/covid-19-and-americas-vulnerabilities-a-way-forward/

    The unfolding Covid-19 crisis exposed America’s significant economic and security vulnerabilities. We no longer produce — indeed are unable to develop — many of the things we need to run a modern, prosperous economy. From swabs, facial masks, drugs and ventilators to simple computers to advance 5G telecommunication products, we are largely dependent on overseas suppliers. The supply networks that underpin both the production and innovation of those goods long ago moved from the U.S. to Greater China. In so doing, that exodus left us with hollowed-out capabilities, broken production capacities, underutilized engineering and technical talent as well over-reliance on one relatively small region of the world.

    This is precisely why the pandemic might be our last opportunity to regain prosperity. In the last two decades we have been lulled into following a specific path of financialization-induced offshoring. The huge short-term profits, coupled with the impressive decrease in the prices of consumer goods, soothed us to such degree that we lost sight of the critical requirements of a vibrant economy.

  6. Tomi Engdahl says:

    The Complete Azure Compliance Guide: HIPAA, PCI, GDPR, CCPA
    https://www.varonis.com/blog/azure-hipaa/
    In this guide, we’ll show you how to make your Azure system compliant with HIPAA, PCI, the GDPR, and CCPA.

  7. Tomi Engdahl says:

    Automation of the Adversary: How to Combat Autonomous Threats With Security Intelligence
    https://www.recordedfuture.com/automated-cyber-threats/
    Multi-staged malware campaigns are becoming all too frequent. So much so, that the US-CERT has raised alerts regarding a specific one: Emotet, a prolific email distribution malware. It is known to infect a system, perform data exfiltration, and install a second payload, such as the banking trojan Trickbot, and it performs all of this automatically. Executing the Emotet campaign requires well-organized criminal activity consisting of multiple teams or varying criminal entities.

  8. Tomi Engdahl says:

    Is CVSS the Right Standard for Prioritization?
    https://www.darkreading.com/vulnerabilities---threats/is-cvss-the-right-standard-for-prioritization/a/d-id/1337712
    More than 55% of open source vulnerabilities are rated high or critical. To truly understand a vulnerability and how it might affect an organization or product, we need much more than a number.

  9. Tomi Engdahl says:

    MACsec Fundamentals: Securing Data In Motion
    Learn about the benefits of Layer 2 security with MACsec, use cases for MACsec, and MACsec properties and the protocol process.
    https://semiengineering.com/macsec-fundamentals-securing-data-in-motion/

  10. Tomi Engdahl says:

    Seventy Percent of Firms Sacrifice Security for Faster Innovation
    https://www.securityweek.com/seventy-percent-firms-sacrifice-security-faster-innovation

    As IT infrastructures have become more complex, certain specialist functions have developed their own niche requirements connected to but separate from mainstream IT operations. Prime examples would include development, security and network. Over the years, these niche requirements have become siloed and less efficient than they should be.

    In more recent years there have been attempts to break down the silos to re-integrate the functions with mainstream IT operations — and the concepts of DevOps, NetOps and SecOps, and the more nuanced DevSecOps, have evolved. The umbrella term is xOps. In all cases the purpose is to improve speed, agility, and efficiency of the niche functions through better integration with IT operations, and the process has frequently proved very successful.

    However, the degree of efficiency achieved is entirely dependent on the success of reintegrating the functions with IT operations — and this is not uniform. Lehi, Utah-based automation firm SaltStack, has launched a new series of survey reports examining the current state of xOps, and starting with an examination of the state of SecOps.

    SaltStack’s ‘State of XOps Report, Q2 2020′ (PDF) queried 130 verified infosec and IT leaders during January 2020. This is against the background of Gartner’s 2017 prediction that through to the end of 2020, 99% of vulnerabilities exploited will be ones already known by security and IT professionals. “A number of recent breaches indicate system misconfiguration and unpatched, known vulnerabilities, particularly of public cloud and on-premises server infrastructure and databases, are the most common cause of data exposure and successful exploits,” adds Alex Peay, SVP of product and marketing at SaltStack.

    The implication is that if the vulnerabilities are known but not fixed, there is a lack of adequate collaboration between the security and IT teams. This is confirmed by the SaltStack survey. Only 54% of security leaders say they communicate effectively with the IT professionals, while a mere 45% of the IT professionals agree. While both figures are worrying, the difference also suggests over-confidence by the security team in their ability to communicate, and/or IT’s willingness to listen.

    Despite this, there is a basic understanding of what should happen. For example, both security and IT managers agree that data protection should be prioritized over innovation, speed to market and cost. The reality, however, is different in practice — only 30% say this happens. A full 70% say their company sacrifices data security for faster innovation. Peay, told SecurityWeek that the cause is probably complex: “a bit of the operations team self-pressuring to complete work as quickly as possible, a lot of pressure from above, and perhaps some personality clashes between Sec and Ops.”

    It is, however, a problem that needs to be solved and one that the SecOps concept isn’t yet solving. SaltStack believes the problem may lie in the different details of responsibility between the two teams. “IT operators have the mandate to rapidly innovate and push new products to market while maintaining infrastructure reliability,” says the report. “Security pros are tasked with identifying security vulnerabilities and compliance issues. The shared responsibility of taking action to remediate security issues and enforce compliance often falls between the cracks.”

    These cracks may be amplified by the lack of a cross-group process that ties the two teams into working together and collaboratively. It’s a suggestion that is supported within the detail of the survey. Where cross-functional collaboration and automation tools are used, the managers are four-times more likely to say that the IT and security teams communicate effectively.

    Reply
  11. Tomi Engdahl says:

    As Remote Work Becomes the Norm, Security Fight Moves to Cloud,
    Endpoints
    https://www.darkreading.com/cloud/as-remote-work-becomes-the-norm-security-fight-moves-to-cloud-endpoints/d/d-id/1337774
    As states and cities look to lifting stay-at-home orders, the
    increased level of employees working remotely will not disappear. That
    means many businesses will be moving more of their infrastructure to
    the cloud and having to deal with the security challenges that come
    from a hybrid infrastructure, experts said this week.

    Reply
  12. Tomi Engdahl says:

    US government plans to urge states to resist ‘high-risk’ internet voting
    https://www.theguardian.com/us-news/2020/may/08/us-government-internet-voting-department-of-homeland-security?CMP=share_btn_fb

    Department of Homeland Security draft guidelines say practice allows attackers to alter votes and imperil integrity of elections

    The Department of Homeland Security has come out strongly against internet voting in new draft guidelines, breaking with its longstanding reluctance to formally weigh in on the controversial issue, even after the 2016 Russian election hacking efforts. The move comes as a number of states push to expand the use of ballots cast online.

    The eight-page document, obtained by the Guardian, pulls no punches in calling the casting of ballots over the internet a “high-risk” endeavor that would allow attackers to alter votes and results “at scale” and compromise the integrity of elections. The guidelines advise states to avoid it altogether or restrict it to voters who have no other means of casting a ballot.

    The document primarily addresses a type of internet voting called electronic ballot delivery and return – where digital absentee ballots that counties send to voters overseas via email or a web portal are completed and returned via email attachment, fax or direct upload – but it essentially applies to all forms of internet voting. No states currently offer full-on internet voting, but numerous states allow military and civilian voters abroad to receive and return ballots electronically, and some of these voters use an internet-based system that allows them to mark their ballot online before printing it out and mailing it back or returning it via email or fax.

    Reply
  13. Tomi Engdahl says:

    Stick the Landing: 6 Steps to Broaden Your Cyber Resilience Web
    https://securityintelligence.com/articles/stick-the-landing-6-steps-to-broaden-your-cyber-resilience-web/

    Cyber resilience emerged as a response to the evolving need for information security. Organizations recognized that attacks were a question of when, not if, and adapted security strategy to include orchestrated response and recovery frameworks that could identify critical assets, protect key data, detect potential issues, respond to immediate threats and jump-start recovery to get businesses back on track.

    As a result, enterprises went to work on building resilience “funnels” — strategies that aggregate and address issues along the traditional corporate IT stack, from local servers to third-party providers and hybrid cloud services. The advent of democratized technologies and delocalized work, however, has created a new attack avenue. Instead of funneling down into common cyber resilience capture points, many attackers take a sideways approach that targets remote users, lateral services or public connections.

    To solve for emerging attack vectors, organizations need a new defensive design: the cyber resilience web. Not sure where to start? Let’s break down six critical components of this security string theory.

    1. Start With Support

    The first pillar of any cyber resilience framework is identification: locating key business applications and any associated risks.

    2. Build Big

    Protection comes next. In the context of depth-based cyber resilience, this means leveraging first-line defenses such as firewalls, malware detection tools and runtime application self-protection (RASP) solutions. Building out breadth to remediate and recover from attacks tied to expanding 5G networks, emerging industrial internet of things (IIoT) devices and the evolving security risks of remote work collaboration tools, however, requires thinking big.

    3. Stick the Landing

    As the “2019 Cost of a Data Breach Report” notes, it takes enterprises almost 200 days on average to detect a breach — and another 69 days to contain it. Although these timelines are going down as security technologies improve, there is another problem: attacks that escape unseen.
    For web-building businesses, the goal here is “stickiness” — ensuring that identification and detection tools are sensitive and speedy enough to detect threats at a distance.
    Venture Beat notes that “human layer” attacks are on the rise now that video conferencing and on-demand collaboration are essential functions.

    4. Mind the Gap

    Response forms the backbone of any effective cyber resilience strategy. Organizations need ordered, well-orchestrated response plans to get back on their feet and back to business as usual after a cyberattack.
    When it comes to webs, however, it’s critical to mind the gap and adjust key openings as necessary. IT teams already suffer from alert fatigue — the result of an overabundance of reports and alerts from security solutions.

    5. Test the Tensile Strength

    Recovery is the final step in the cyber resilience life cycle, and it encompasses tools and techniques needed to evaluate response, ensure remediation and allow companies to resume essential operations. For our web-based defense design, recovery means testing the tensile strength by making sure that polices and procedures are working as intended.

    6. Get a Leg Up

    Cyber resilience web strategies also offer the opportunity to go beyond typical life cycle limits by proactively engaging with potential threats. That’s because the broad nature of web security strategy affords access to massive infosec datasets across multiple threat channels. By combining advanced threat identification with next-generation analysis, organizations can both defend against current attacks and predict potential vectors to secure corporate networks at scale.

    Reply
  14. Tomi Engdahl says:

    Three Years After WannaCry, Ransomware Accelerating While Patching
    Still Problematic
    https://www.darkreading.com/attacks-breaches/three-years-after-wannacry-ransomware-accelerating-while-patching-still-problematic/d/d-id/1337794
    Three years ago, the WannaCry ransomware worm quickly compromised
    hundreds of thousands of out-of-date, unpatched computers and servers,
    encrypting data on the systems and often shutting down operations at
    affected organizations.

    Reply
  15. Tomi Engdahl says:

    Ransomware now demands extra payment to delete stolen files
    https://www.bleepingcomputer.com/news/security/ransomware-now-demands-extra-payment-to-delete-stolen-files/
    A ransomware family has begun a new tactic of not only demanding a
    ransom for a decryptor but also demanding a second ransom not to
    publish files stolen in an attack. For years, ransomware operators
    have been claiming to steal data before encrypting a company’s network
    and then threatening to release the data if a victim does not pay.

    Reply
  16. Tomi Engdahl says:

    Website Attacks Become Quieter & More Persistent
    https://www.darkreading.com/attacks-breaches/website-attacks-become-quieter-and-more-persistent/d/d-id/1337799
    Threat actors are pivoting away from noisy website attacks to
    campaigns that are quieter and designed to remain undetected for as
    long as possible. From website defacements and SEO spam, attackers are
    increasingly targeting websites to install backdoors and other
    stealthy malware, according to a new study by SiteLock.

    Reply
  17. Tomi Engdahl says:

    U.S. Government Issues Alert on Most Exploited Vulnerabilities
    https://www.securityweek.com/us-government-issues-alert-most-exploited-vulnerabilities
    Between 2016 and 2019, threat actors mainly attempted to compromise systems through vulnerabilities in Microsoft Office (CVE-2017-11882, CVE-2017-0199, CVE-2012-0158, CVE-2015-1641), Apache Struts (CVE-2017-5638), Microsoft SharePoint (CVE-2019-0604), Microsoft Windows (CVE-2017-0143), Microsoft .NET Framework (CVE-2017-8759), Adobe Flash Player (CVE-2018-4878), and Drupal (CVE-2018-7600).
    Attacks attempting to exploit these security issues tried to deploy a broad range of malware families, including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBoss, China Chopper, DOGCALL, FinFisher, WingBird, Toshliph, UWarrior, and Kitty, among others.
    https://www.zdnet.com/article/dhs-cisa-and-fbi-share-list-of-top-10-most-exploited-vulnerabilities/
    Top 10 Routinely Exploited Vulnerabilities
    https://www.us-cert.gov/ncas/alerts/aa20-133a
    The Cybersecurity and Infrastructure Security Agency (CISA), the
    Federal Bureau of Investigation (FBI), and the broader U.S. Government
    are providing this technical guidance to advise IT security
    professionals at public and private sector organizations to place an
    increased priority on patching the most commonly known vulnerabilities
    exploited by sophisticated foreign cyber actors. This alert provides
    details on vulnerabilities routinely exploited by foreign cyber
    actors, primarily Common Vulnerabilities and Exposures (CVEs) [1], to help
    organizations reduce the risk of these foreign threats.

    Reply
  18. Tomi Engdahl says:

    Automating Threat Detection and Response With Security Intelligence
    https://www.recordedfuture.com/automated-threat-detection/
    Automating threat detection and response has historically been a very
    expensive and time-consuming process. However, with the prevalence of
    restful Application Programming Interfaces (APIs), commercial threat
    intelligence, and crowd-sourced feeds, it has never been easier and
    more cost effective to do so. Through careful thought and a little bit
    of Python, organizations can begin to adopt automation into their
    defenses.

    Reply
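The Recorded Future piece above talks about stitching threat-intelligence feeds and APIs together with "a little bit of Python". The block below is an added example, not Recorded Future's code or feed format: it takes a constructed indicator feed in the JSON shape an API might return, parses constructed proxy log lines, and emits one alert per indicator hit above a risk threshold. All IPs, domains, risk scores and log lines are invented for illustration; the threshold value and log layout are assumptions.

```python
"""Added example (not Recorded Future's code): match indicators from a
constructed threat-intel feed against constructed proxy log lines."""
import json
import re

# Constructed feed in the shape a JSON API might return; every value is invented.
FEED_JSON = json.dumps({
    "indicators": [
        {"type": "ipv4", "value": "198.51.100.23", "risk": 85, "context": "C2 beaconing"},
        {"type": "domain", "value": "update-check.example", "risk": 70, "context": "malware staging"},
        {"type": "domain", "value": "cdn.example", "risk": 20, "context": "low-confidence sinkhole"},
    ]
})

# Constructed proxy log lines: timestamp, client IP, destination host, destination IP, HTTP status.
LOG_LINES = [
    "2020-05-15T10:01:02Z 10.0.0.5 www.example.org 203.0.113.10 200",
    "2020-05-15T10:01:07Z 10.0.0.8 update-check.example 198.51.100.23 200",
    "2020-05-15T10:02:11Z 10.0.0.5 cdn.example 203.0.113.44 304",
    "2020-05-15T10:03:45Z 10.0.0.9 files.example.org 198.51.100.23 403",
    "garbage line that should be skipped",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
RISK_THRESHOLD = 50  # assumption: only act on medium/high-confidence indicators


def load_indicators(feed_json: str, threshold: int = RISK_THRESHOLD) -> dict:
    """Index indicators by value, dropping anything below the risk threshold
    so low-confidence entries do not add to alert fatigue."""
    feed = json.loads(feed_json)
    return {i["value"]: i for i in feed["indicators"] if i["risk"] >= threshold}


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, host, dst, status = m.groups()
    return {"ts": ts, "src": src, "host": host, "dst": dst, "status": int(status)}


def match_logs(lines, indicators: dict) -> list:
    """One alert per (log line, matched field): both the requested host name and
    the resolved destination IP are checked, since either may be the indicator."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for field in ("host", "dst"):
            hit = indicators.get(event[field])
            if hit:
                alerts.append({
                    "ts": event["ts"], "src": event["src"], "field": field,
                    "indicator": hit["value"], "risk": hit["risk"], "context": hit["context"],
                })
    return alerts


def summarize_by_source(alerts) -> dict:
    """Group indicator hits per internal client so the responder sees which
    hosts to isolate first."""
    summary = {}
    for a in alerts:
        summary.setdefault(a["src"], []).append(a["indicator"])
    return summary


if __name__ == "__main__":
    for alert in match_logs(LOG_LINES, load_indicators(FEED_JSON)):
        print(alert)
```

In a real pipeline the feed would be pulled from the vendor's REST API on a schedule and the log lines would come from a SIEM or log forwarder; the matching and grouping logic stays the same.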
  19. Tomi Engdahl says:

    Organizations Conduct App Penetration Tests More Frequently – and
    Broadly
    https://www.darkreading.com/cloud/organizations-conduct-app-penetration-tests-more-frequently—and-broadly/d/d-id/1337811
    In an encouraging sign for application security, enterprise
    organizations are conducting penetration tests more frequently and
    more broadly than before, data from a new Cobalt.io study suggests.
    Unlike in the past where regulatory and other compliance mandates used
    to be the primary driver for these tests, organizations are now
    conducting them more to proactively detect and address security issues
    in their software, the study found.

    Reply
  20. Tomi Engdahl says:

    Five tips to stay cyber secure when working remotely
    Because of the coronavirus pandemic, more people are working remotely to avoid getting sick. Consider these five tips to make sure your cyber hygiene is as strong as your physical hygiene.
    https://www.controleng.com/articles/five-tips-to-stay-cyber-secure-when-working-remotely/?oly_enc_id=0462E3054934E2U

    1. Use a VPN.
    2. Use company-provided equipment.
    3. Be conscious of where you’re storing data.
    4. Be vigilant when opening and downloading attachments.
    5. Use company systems whenever possible.

    Reply
  21. Tomi Engdahl says:

    Industrial network security best practice advice
    Four myths about networking and cybersecurity related to operations technology (OT) systems are highlighted as well as three pillars for securing industrial networks.
    https://www.controleng.com/articles/best-practice-advice-to-help-enhance-industrial-network-security/?oly_enc_id=0462E3054934E2U

    Reply
  22. Tomi Engdahl says:

    Why The Largest Cyberattack In History Will Happen Within Six Months
    https://www.forbes.com/sites/stephenmcbride1/2020/05/14/why-the-largest-cyberattack-in-history-will-happen-within-six-months/

    The coronavirus is laying the groundwork for a massive cyberattack. In fact, I’m on record today saying we’ll see the largest cyberattack in HISTORY within the next six months.

    Nobody is talking about this today. Fighting hackers is the last thing on most folks’ minds. But coronavirus practically guarantees “largest cyberattack ever” will soon be plastered all over the frontpages.

    The Coronavirus Just Ripped Open Every Company’s Virtual Defenses

    Before the pandemic hit, employees who worked remotely were usually given special work laptops with beefed up security. For example, my friend works for the Irish tax authorities—the equivalent of the IRS. He often works from home, but under strict guidelines. He must use a dedicated work laptop and a separate, secure wi-fi connection.

    He has to jump through multiple security hoops to even get past the welcome screen. For example, he must plug in a USB security stick to “unlock” work files. These measures make him difficult—but not impossible—to hack.

    Every Company’s “Attack Surface” Just Exploded

    Practically every employee in every firm in America is working from a makeshift desk on their kitchen table. Firms only had days to cobble together remote work plans. So you can bet most didn’t set up secure systems, like the one my friend is using. In fact, the vast majority of employees probably don’t even have dedicated work laptops.

    So hundreds of millions of folks are using personal laptops–on unsecured home internet connections–to access work files. Many of which likely contain confidential information and personal data.

    Hackers broke into the networks of America’s largest defense contractor, Lockheed Martin, by targeting remote workers. If they can infiltrate this system, you best believe remote workers with little security are easy pickings.

    It’s Only a Matter of Time Until “The Largest Cyberattack in History” Flashes Across Your Screen

    These are only the hacks we know about. Cyber intelligence firm CYFIRMA revealed cyberthreats related to coronavirus shot up 600% from February to March. It’s only a matter of time before we hear about a major cyber breach.

    Look, I hope I’m dead wrong predicting that we’re about to see the biggest cyberattack in history. None of us want to see a big company or government taken down. Especially not when the world is fighting a deadly pandemic.

    But remote workers are fertile ground for cyber criminals. The attack surface has never been wider, so a major cyberattack is baked in the cake. Fortunately, there is a proven pattern for making money from cyberattacks.

    When major hacks hit the newswire, cyber stocks surge.

    In short, investors frantically buy cyber stocks after the major cyberattacks hit the headlines. But you want to be invested before the rest of the world piles in.

    Reply
  23. Tomi Engdahl says:

    ALL YOUR PASSWORDS ARE BELONG TO FPGA
    https://hackaday.com/2020/05/15/all-your-passwords-are-belong-to-fpga/

    When used for cracking passwords, a modern high-end graphics card will absolutely chew through “classic” hashing algorithms like SHA-1 and SHA-2. When a single desktop machine can run through 50+ billion password combinations per second, even decent passwords can be guessed in a worryingly short amount of time. Luckily, advanced password hashing functions such as bcrypt are designed specifically to make these sort of brute-force attacks impractically slow.

    Cracking bcrypt on desktop hardware might be out of the question, but the folks over at [Scattered Secrets] had a hunch that an array of FPGAs might be up to the task.

    Bcrypt password cracking extremely slow? Not if you are using hundreds of FPGAs!
    https://hackaday.com/2020/05/15/all-your-passwords-are-belong-to-fpga/

    Reply
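The Hackaday post above contrasts "classic" hashes, which a GPU runs through at tens of billions of guesses per second, with bcrypt, which is built so that each guess is expensive. The block below is an added example, not code from Hackaday or Scattered Secrets: it runs the same dictionary attack against an unsalted SHA-1 digest and against a salted PBKDF2 record (used here in place of bcrypt because it is in Python's standard library), so the cost difference per guess is visible in the code itself. The word list, passwords and round count are constructed for illustration.

```python
"""Added example (not from the Hackaday/Scattered Secrets article): the same
dictionary attack against a fast unsalted hash and against a salted,
work-factor hash. All data below is constructed."""
import hashlib
import hmac
import os

# Constructed word list standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2020!", "correcthorse"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, as found in many legacy credential stores: one fast
    compression-function call per guess, and identical passwords hash identically."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_fast_hash(target_hex: str, wordlist=WORDLIST):
    """Try each candidate once; returns (guess, attempts) or (None, attempts)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if sha1_hex(guess) == target_hex:
            return guess, attempts
    return None, attempts


PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware gets faster


def pbkdf2_hash(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Salted, iterated hash: every guess costs `rounds` HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_record(password: str) -> dict:
    """What the server stores: per-user random salt, the work factor, the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "hash": pbkdf2_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison so the check itself does not leak a prefix match."""
    candidate = pbkdf2_hash(password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_slow_hash(record: dict, wordlist=WORDLIST):
    """Same attack, but the salt forces the work to be redone for every user and
    every candidate pays the full round count; this is what bcrypt's cost
    parameter does too, and why the article needed hundreds of FPGAs."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if verify(record, guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print(crack_fast_hash(sha1_hex("letmein")))
    print(crack_slow_hash(make_record("Summer2020!")))
```

Both attacks succeed on a weak password; the difference is that the second costs 200,000 hash iterations per guess instead of one, and a stolen table of salted records cannot be attacked with a single precomputed dictionary.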
  24. Tomi Engdahl says:

    Inconvenient truths about working in Cybersecurity
    https://pentestmag.com/inconvenient-truths-about-working-in-cybersecurity/

    Inconvenient truths about working in Cybersecurity

    1 – Cybersecurity is not all about hackers and hoodies

    I have never been to the big hacker conferences such as Defcon or Black Hat. I have never hacked a system, nor have I participated at a Capture the Flag event. Because despite how cool hacking looks, it is not the only career path in Cybersecurity.

    2 – Training, you need it but can’t get it

    Cybersecurity, like IT requires lots of training. The more technical the job, the more training is needed. Ideally organizations should pay for training to keep the cyber workforce moving forward. However, in my experience many organizations do not and the biggest group that is left out are often women.

    3 – Job lock with high switching costs

    One big issue which I have seen almost nobody talk about is how cyber jobs lock you in and make it hard to switch roles due to limited flexibility or corporate culture.

    4 – Not all mentors are good mentors

    I’ve seen so many articles and posts that say you need a mentor. Yes it’s great to have a mentor, but not always. I can speak from experience that I’ve seen good mentors and bad ones.

    5 – Long hours and burnout

    I have worked at some companies that have small cyber teams that are expected to do everything with small budgets. Needless to say when required to do more with less with a large attack surface to defend, it leads to many sleepless nights working long hours leading to burn out. Sadly, this is the state of cybersecurity at many companies.

    Reply
  25. Tomi Engdahl says:

    5 types of hacker bait cybercriminals find irresistible
    https://www8.hp.com/ca/en/tektonika/index.php/2018/05/09/5-types-of-hacker-bait-cybercriminals-find-irresistible/

    Here’s a look at five vulnerable endpoints in every office you should watch more closely:

    Printers: Over half of all organizations don’t even include unsecured printers in their security strategy. That could be why 64 percent of execs think it’s “likely” their printer contains malware. Even if you’re not printing off your customer’s social security numbers and leaving them in the tray for hours, your printer is an intelligent, networked device that can also function as a wide-open door to your company’s network.
    Routers: Who can forget Mirai Dyn, the distributed denial-of-service (DDoS) attack that took down the internet in 2016? It couldn’t have happened without DNS lookup requests from tens of millions of IP addresses and many, many unsecured business routers and connected devices.
    Voice over IP (VoIP) phones: Your IP-phones are safe because your network has a firewall, right? The truth is VoIP phones have a lot of computing capabilities, many of which leave them completely wide open to attack. Factor in the tendency to use obvious default passwords, like “admin,” and it’s not a stretch to see how easily hackers can commandeer these devices to ring up international calling charges or eavesdrop on confidential conference calls.
    Mobile devices: Smartphones have long been hailed as the weakest link in corporate network security, with one study finding that Androids comprise a staggering 81 percent of malware-infected mobile devices worldwide. Perhaps the statistic isn’t that surprising given that phones are highly susceptible to infection with malware anyway—one in 14 data breaches last year started out as a good old phishing attack where someone simply clicked a link.
    PCs: Do you think your twice-daily run to refill your coffee in the break room without locking your computer is low risk? Think again—a criminal can backdoor your PC in as little as 30 seconds using $5 worth of equipment. While physical breaches are relatively rare, accounting for just 8 percent of incidents, it’s definitely not a risk you want to take.

    Reply
  26. Tomi Engdahl says:

    How to decode a data breach notice
    https://tcrn.ch/2WMqUjm

    Most of them look largely the same. It’s my job to decode what they actually mean for the victims whose information is put at risk.

    Data breach notifications are meant to tell you what happened, when and what impact it may have on you. You’ve probably already seen a few this year. That’s because most U.S. states have laws that compel companies to publicly disclose security incidents, like a data breach, as soon as possible. Europe’s rules are stricter, and fines can be a common occurrence if breaches aren’t disclosed.

    But data breach notifications have become an all-too-regular exercise in crisis communications. These notices increasingly try to deflect blame, obfuscate important details and omit important facts. After all, it’s in a company’s best interest to keep the stock markets happy, investors satisfied and regulators off their backs. Why would it want to say anything to the contrary?

    The next time you get a data breach notification, read between the lines. By knowing the common bullshit lines to avoid, you can understand the questions you need to ask.

    “We take security and privacy seriously.”

    Read: “We clearly don’t.”

    “We recently discovered a security incident…”

    Read: “Someone else found it but we’re trying to do damage control.”

    “An unauthorized individual…”

    Read: “We don’t know who’s to blame, but don’t blame us.”

    “We took immediate steps…”

    Read: “We sprung into action… as soon as we found out.”

    “Our forensic investigation shows…”

    Read: “We asked someone to tell us how f**ked we are.”

    “Out of an abundance of caution, we want to inform you of the incident.”

    Read: “We were forced to tell you.”

    “A sophisticated cyberattack…”

    Read: “We’re trying not to look as stupid as we actually are.”

    “There is no evidence that data was taken.”

    Read: “That we know of.”

    “A small percentage of our customers are affected.”

    Read: “It sounds way worse if we say ‘millions’ of users.”

    Reply
  27. Tomi Engdahl says:

    Verizon 2020 DBIR: More Extensive, More Detailed and More Thorough Than Ever
    https://www.securityweek.com/verizon-2020-data-breach-investigations-report-more-extensive-detailed-and-thorough-ever

    Verizon Publishes 2020 Data Breach Investigation Report (DBIR) With Insights From Thousands of Confirmed Breaches

    Verizon’s 2020 Data Breach Investigations Report (DBIR) is the most extensive yet, with 81 contributing organizations, and more than 32,000 incidents analyzed (of which 3,950 were confirmed breaches). New geographical breakouts in the just-released report have been added together with new ways of visualizing the data.

    At a high level, Verizon believes the analysis provides good news to security professionals. In
    particular, it notes that malware incidents are down, suggesting that current anti-malware products are
    winning the battle.

    Reply
  28. Tomi Engdahl says:

    ‘Flight risk’ employees involved in 60% of insider cybersecurity incidents
    The majority of staff planning their exit also take sensitive information with them, research suggests.
    https://www.zdnet.com/article/flight-risk-employees-involved-in-60-of-insider-cybersecurity-incidents/

    Employees planning to leave their jobs are involved in 60% of insider cybersecurity incidents and data leaks, new research suggests.

    According to the Securonix 2020 Insider Threat Report, published on Wednesday, “flight risk” employees, generally deemed to be individuals on the verge of resigning or otherwise leaving a job, often change their behavioral patterns from two months to two weeks before conducting an insider attack.

    Insider incidents are caused by individuals within an organization rather than external threat actors. Employees or contractors with privileged access to systems may cause damage, steal or sell data, or be the cause of a security failure — such as by uploading or moving confidential resources to third-party services without permission.

    Reply
  29. Tomi Engdahl says:

    Risks Overshadow Benefits with Online Voting, Experts Warn
    https://www.govtech.com/security/Risks-Overshadow-Benefits-with-Online-Voting-Experts-Warn.html

    As governments struggle to adapt to the election challenges surrounding COVID-19, a number of states have launched Internet voting pilots. But many experts argue that these programs could easily be co-opted by malicious actors.

    Reply
  30. Tomi Engdahl says:

    Database Breaches Remain the Top Cyber Threat for Organizations
    https://www.recordedfuture.com/database-breaches-analysis/
    With the number of affected victims growing every year, some of
    today’s most serious threats to organizations are database breaches
    and releases. These breaches compromise millions of pieces of
    sensitive information like personally identifiable information (PII),
    credentials, payment information, and proprietary data. Criminals gain
    access to the data through various tactics, techniques, and procedures
    (TTPs), such as phishing, malware, exploiting existing vulnerabilities
    in software, insider threats, password reuse, and a number of other
    methods, taking advantage of holes in security infrastructure. After
    breaching an organization’s network, criminals may access the data
    themselves or sell the access off at dark web auctions. The
    information gathered as a result in turn frequently leads to further
    breaches through techniques like business email compromise (BEC). Read
    also: https://go.recordedfuture.com/hubfs/reports/cta-2020-0521.pdf

    Reply
  31. Tomi Engdahl says:

    Introducing Shuffle an Open Source SOAR platform part 1
    https://medium.com/security-operation-capybara/introducing-shuffle-an-open-source-soar-platform-part-1-58a529de7d12
    All blue teams and information security departments have two
    problems in common: alert fatigue and a lack of development. If you
    don’t give security professionals hard puzzles to solve, but rather
    fires to fight, and the environment stagnates, it will eventually lead
    to turnover. This is a common theme in incident response teams, and
    Shuffle is looking to solve it. How can these issues be tackled head
    on however? Read on and I’ll introduce you to the magic of Open
    Source.

    Reply
  32. Tomi Engdahl says:

    Releasing the CAPTCHA Cracken
    https://labs.f-secure.com/blog/releasing-the-captcha-cracken/
    However, a while ago a bit of a more interesting request came across
    our desk. Our red team requested that we assist them in cracking a
    CAPTCHA that was sitting in front of an Outlook Web App (OWA) portal.
    The idea was that if we could reliably crack it and automate the
    process, the red team would simply be able to plug in their normal
    enumeration scripts required to perform the attack simulation. In
    addition, it is typical to not allow lockout of accounts on OWA
    portals, thereby relying almost solely on a CAPTCHA to ward off
    automated attacks. We said it last year and we will say it again:
    text-based CAPTCHAs are just not cutting it anymore. Unless you use a
    third-party like reCaptcha, you just can’t prevent automated attacks
    with a CAPTCHA anymore. Even then safety is not guaranteed! There are
    some interesting new CAPTCHA samples on the market, but it is just a
    matter of time before these also buckle under the CAPTCHA Cracken. We
    are not saying that CAPTCHAs are useless, they should just not be seen
    as the silver bullet that stops automated attacks. You have to accept
    that automated attacks are a thing. You need to take a holistic view
    of your authentication system. You can’t give away half the login
    information with username enumeration. Weak passwords and bad password
    behaviours are not going away and are almost trivial to exploit. Sucks
    for usability, but accounts have to be locked after a certain number
    of incorrect attempts. MFA for anything remotely sensitive is an
    absolute must.

    Reply
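The F-Secure post above lists what a login portal needs once you accept that automated attacks will get past the CAPTCHA: no username enumeration, lockout after a number of failed attempts, and MFA. The block below is an added example, not F-Secure's code, of a login check built on those three points. Unknown user, wrong password, wrong second factor and a locked account all get the same answer, a dummy hash is computed for unknown users so response time does not reveal which usernames exist, and second-factor guesses count toward lockout. The user store, the static MFA code (standing in for TOTP or a hardware token) and the round count are constructed assumptions.

```python
"""Added example (not F-Secure's code): a login check that gives away
nothing about which half of the credential was wrong, locks after
MAX_FAILURES attempts, and requires a second factor. Constructed data."""
import hashlib
import hmac
import os

MAX_FAILURES = 5     # assumption: lockout threshold
ROUNDS = 100_000     # assumption: PBKDF2 work factor


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


class Authenticator:
    def __init__(self):
        self.users = {}
        # Dummy credential: a guess against a non-existent user costs the same
        # hashing work as a guess against a real one, so timing does not enumerate users.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_pw(os.urandom(16).hex(), self._dummy_salt)

    def add_user(self, username: str, password: str, mfa_code: str) -> None:
        # mfa_code is a constructed static second factor; real deployments use TOTP/WebAuthn.
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_pw(password, salt),
                                "failures": 0, "mfa": mfa_code}

    def is_locked(self, username: str) -> bool:
        """Admin / out-of-band view only; never exposed through the login response."""
        user = self.users.get(username)
        return bool(user) and user["failures"] >= MAX_FAILURES

    def login(self, username: str, password: str, mfa_code=None) -> str:
        """Returns 'ok' or 'denied'. Unknown user, wrong password, wrong or
        missing MFA code and a locked account all produce the same 'denied'."""
        user = self.users.get(username)
        if user is None:
            hmac.compare_digest(hash_pw(password, self._dummy_salt), self._dummy_hash)
            return "denied"
        # Always do the password work first so a locked account is not distinguishable by timing.
        pw_ok = hmac.compare_digest(hash_pw(password, user["salt"]), user["hash"])
        if user["failures"] >= MAX_FAILURES:
            return "denied"
        if not pw_ok:
            user["failures"] += 1
            return "denied"
        if mfa_code is None or not hmac.compare_digest(str(mfa_code).encode(), str(user["mfa"]).encode()):
            user["failures"] += 1    # second-factor guesses count toward lockout too
            return "denied"
        user["failures"] = 0
        return "ok"


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("alice", "correct horse", "123456")
    print(auth.login("alice", "correct horse", "123456"), auth.login("mallory", "guess", "000000"))
```

The usability cost the post mentions is real: a locked user only finds out through the out-of-band path (`is_locked` here, an email or a help desk in practice), because telling the attacker "account locked" would confirm that the username exists.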
  33. Tomi Engdahl says:

    Unpatched Open Source Libraries Leave 71% of Apps Vulnerable
    https://www.darkreading.com/application-security/unpatched-open-source-libraries-leave-71–of-apps-vulnerable-/d/d-id/1337856
    PHP and JavaScript developers need to pay close attention because
    different languages and frameworks have different rates of
    vulnerability, research finds. The management of open source libraries
    poses a major challenge for secure development. That’s because seven
    in 10 applications use at least one flawed open source library,
    inheriting vulnerabilities that could potentially be exploited,
    according to a new study of more than 81,000 applications.

    Reply
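The Dark Reading item above says seven in ten applications ship with at least one open source library carrying a known flaw. The block below is an added example, not the study's tooling: it audits a constructed lockfile against a constructed advisory list using semver-style version ranges (introduced, fixed), which is the core of what a software-composition-analysis check does. Package names, versions and advisory IDs are invented; the `name==version` lockfile format and the half-open range semantics are assumptions.

```python
"""Added example (not the study's tooling): flag lockfile entries that fall
inside a vulnerable version range of a constructed advisory list."""
import re

# Constructed advisories: affected if introduced <= version < fixed (half-open).
ADVISORIES = [
    {"id": "EXAMPLE-2020-0001", "package": "example-json", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2020-0002", "package": "example-templating", "introduced": "2.0.0", "fixed": "2.3.0"},
    {"id": "EXAMPLE-2019-0042", "package": "example-json", "introduced": "0.9.0", "fixed": "1.0.0"},
]

# Constructed lockfile in a pip-style name==version layout (assumption).
LOCKFILE = """\
example-json==1.3.7
example-templating==2.3.0
example-http==0.11.0
# comment lines and blanks are ignored

requests-shim==3.1.0-beta
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' or '3.1.0-beta' into a comparable tuple. A pre-release sorts
    below the same numeric version, as in semver, so 3.1.0-beta < 3.1.0."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def parse_lockfile(text: str) -> dict:
    """Map package name to pinned version, skipping comments and blank lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def is_affected(version: str, advisory: dict) -> bool:
    """Half-open range: the 'fixed' version itself is not affected."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(lockfile_text: str, advisories=ADVISORIES) -> list:
    """One finding per (dependency, advisory) pair whose range contains the pinned version."""
    findings = []
    for name, version in parse_lockfile(lockfile_text).items():
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({"package": name, "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in audit(LOCKFILE):
        print(f"{finding['package']}=={finding['version']}: {finding['advisory']}, upgrade to {finding['fixed']}")
```

Note the boundary handling: `example-templating==2.3.0` is exactly the fixed version and is correctly not flagged, while `example-json==1.3.7` is inside one of its two advisories' ranges but not the other. Getting these comparisons right (and parsing pre-release tags) is where home-grown dependency checks most often go wrong.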
  34. Tomi Engdahl says:

    Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83…
    with a handy kill switch for corporate IT
    https://www.theregister.co.uk/2020/05/20/google_chrome_83/
    Google released Chrome 83 on Tuesday after skipping version 82
    entirely due to coronavirus-related challenges, bringing with it
    security for DNS queries, a revised extension interface that
    developers dislike, and a few other features.

    Reply
  35. Tomi Engdahl says:

    ‘Flight risk’ employees involved in 60% of insider cybersecurity
    incidents
    https://www.zdnet.com/article/flight-risk-employees-involved-in-60-of-insider-cybersecurity-incidents/
    Employees planning to leave their jobs are involved in 60% of insider
    cybersecurity incidents and data leaks, new research suggests.
    According to the Securonix 2020 Insider Threat Report, published on
    Wednesday, “flight risk” employees, generally deemed to be individuals
    on the verge of resigning or otherwise leaving a job, often change
    their behavioral patterns from two months to two weeks before
    conducting an insider attack.

    Reply
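The report summarised above says departing employees change their behaviour weeks before an incident. A minimal detection of that shift compares each user's recent activity against their own earlier baseline rather than against a global threshold. The example below is added here and is not from the original page or the Securonix report; the event data is constructed, and the window length, the ratio and the minimum baseline length are assumed tuning values.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (username, day number, files downloaded that day).
# alice is steady for 46 days, then jumps for the last two weeks;
# bob is steady throughout; carol does a large weekly batch job every 7th day,
# which a per-user baseline should not flag.
SAMPLE_EVENTS = []
for _day in range(1, 61):
    SAMPLE_EVENTS.append(("alice", _day, 10 if _day <= 46 else 45))
    SAMPLE_EVENTS.append(("bob", _day, 12))
    SAMPLE_EVENTS.append(("carol", _day, 30 if _day % 7 == 0 else 0))


def daily_totals(events):
    """Aggregate raw events into {user: {day: total}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, count in events:
        totals[user][day] += count
    return totals


def detect_behavior_shift(events, window_days=14, ratio=3.0, min_baseline_days=21):
    """Compare each user's last `window_days` against their own earlier days.

    Returns {user: {"baseline": mean, "recent": mean, "ratio": r, "flagged": bool}}.
    Users with too little history for a baseline are skipped rather than flagged.
    """
    results = {}
    for user, per_day in daily_totals(events).items():
        last_day = max(per_day)
        cutoff = last_day - window_days
        baseline = [v for d, v in per_day.items() if d <= cutoff]
        recent = [v for d, v in per_day.items() if d > cutoff]
        if len(baseline) < min_baseline_days or not recent:
            continue
        b, r = mean(baseline), mean(recent)
        if b == 0:
            score = float("inf") if r > 0 else 0.0
        else:
            score = r / b
        results[user] = {"baseline": b, "recent": r, "ratio": score, "flagged": score >= ratio}
    return results


def flagged_users(events, **kwargs):
    """Convenience wrapper: sorted list of users whose recent activity tripped the ratio."""
    return sorted(u for u, res in detect_behavior_shift(events, **kwargs).items() if res["flagged"])
```

A per-user baseline is what keeps carol's weekly batch out of the alert queue; a fixed "more than N files per day" rule would fire on her every week and miss alice until the jump was already large.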
  36. Tomi Engdahl says:

    DHS CISA and FBI share list of top 10 most exploited vulnerabilities
    Office is the most exploited technology, followed by Apache Struts.
    https://www.zdnet.com/article/dhs-cisa-and-fbi-share-list-of-top-10-most-exploited-vulnerabilities/

    Reply
  37. Tomi Engdahl says:

    Here’s a list of all the ransomware gangs who will steal and leak your data if you don’t pay
    https://www.zdnet.com/article/heres-a-list-of-all-the-ransomware-gangs-who-will-steal-and-leak-your-data-if-you-dont-pay/

    Ransomware gangs are getting more aggressive these days about pursuing payments and have begun stealing and threatening to leak sensitive documents if victims don’t pay the requested ransom demand.

    Reply
  38. Tomi Engdahl says:

    While software companies have tried before to fix C and C++’s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox.

    Today, Rust is considered one of the safest programming languages, and an ideal replacement for C and C++, primarily due to Mozilla’s early efforts.

    But Mozilla has not been the only organization that has had enough of dealing with bug-prone C and C++ code.

    Microsoft is also heavily investing in exploring C and C++ alternatives. From its early Checked C project, [the company is now experimenting with Rust](https://www.zdnet.com/article/microsoft-to-explore-using-rust/), and is also building its own Rust-like “safe” programming language (part of the secretive [Project Verona](https://www.zdnet.com/article/microsoft-opens-up-rust-inspired-project-verona-programming-language-on-github/)).

    Chrome: 70% of all security bugs are memory safety issues
    https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/

    Google software engineers are looking into ways of eliminating memory management-related bugs from Chrome.

    Reply
  39. Tomi Engdahl says:

    Inside the NSA’s Secret Tool for Mapping Your Social Network
    https://www.wired.com/story/inside-the-nsas-secret-tool-for-mapping-your-social-network/
    Edward Snowden revealed the agency’s phone-record tracking program.
    But thanks to “precomputed contact chaining,” that database was much
    more powerful than anyone knew.

    Reply
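"Contact chaining" is a graph walk: starting from one selector, collect everyone it contacted, then everyone they contacted, out to some number of hops; "precomputed" means the walk is done ahead of time for every selector and stored, so a query becomes a lookup. The example below is added here to illustrate that generic technique; it is not code from the article and says nothing about how the agency's actual system was built. The call records are constructed.

```python
from collections import defaultdict, deque

# Constructed call records: (caller, callee). Letters stand in for phone numbers.
CALL_RECORDS = [
    ("A", "B"), ("B", "C"), ("C", "D"), ("D", "H"),
    ("A", "E"), ("E", "F"), ("F", "G"),
    ("B", "A"),   # duplicate in the other direction; the graph is undirected
]


def build_graph(records):
    """Undirected adjacency: a call links both parties, whoever dialled."""
    graph = defaultdict(set)
    for a, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def contact_chain(graph, seed, max_hops):
    """Breadth-first walk from `seed`; returns {selector: hop distance} for
    every selector within max_hops (the seed itself is at hop 0)."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_hops:
            continue
        for nxt in graph[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def precompute_chains(graph, max_hops):
    """The 'precomputed' part: run the chain once for every selector and keep
    the result, so a later query is a dictionary lookup, not a graph walk."""
    return {node: contact_chain(graph, node, max_hops) for node in graph}


def hop_counts(chain):
    """How many selectors sit at each hop distance (seed excluded)."""
    counts = defaultdict(int)
    for node, hops in chain.items():
        if hops:
            counts[hops] += 1
    return dict(counts)
```

The growth is the point: even in this tiny graph, two hops from A already reaches four of the seven other parties, and three hops reaches six. On real call data the hop neighbourhoods grow by orders of magnitude per hop, which is why precomputing and storing them makes the stored records far more powerful than a flat list of who called whom.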
  40. Tomi Engdahl says:

    eBay port scans visitors’ computers for remote access programs
    https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
    When visiting the eBay.com site, a script will run that performs a
    local port scan of your computer to detect remote support and remote
    management applications. Over the weekend, Jack Rhysider of
    DarkNetDiaries discovered that when visiting eBay.com, the site
    performed a port scan of his computer for 14 different ports. Many of
    these ports are related to remote access/remote support tools such as
    the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.
    After learning about this, BleepingComputer conducted a test and can
    confirm that eBay.com is indeed performing a local port scan of 14
    different ports when visiting the site. It is not confirmed why eBay
    is port scanning a visitor, but based on the programs being scanned
    for, it is most likely designed to detect hacked computers.

    Reply
