Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
The state of internet security in 2020 was hard. The trends that stormed last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, these days it’s rather ‘bring your own office’.
2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.
Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks exploiting contemporary issues, and continued frequent and significant data breaches. I can pretty much agree on those. Cybersecurity must adapt to counter new threats in a transformed world.
Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead. As the article puts it: “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”
In 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments: WAN, multi-cloud, data center, remote worker, IoT, and more, each with its unique risks.
DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline – but victims are being urged not to give in to demands.
One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes, which means that first they encrypt your data so you can’t access it and then they say they will publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.
Modern cybercrime is becoming increasingly open-sourced, which means that some of the most sophisticated and notorious cybercriminals are already utilizing open-source tools to conduct their criminal activities, and this will increase.
Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and whether the people who answered the survey have really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.
The lack of people with cyber security skills is still a problem for many companies because AI will not replace them any time soon. There are different views on how the situation has developed. Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to the cloud, so we need more people who know both security and cloud; see The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).
Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.
Want to avoid having your online accounts hacked? Enable two-factor authentication. Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.
A new version of OWASP Top-10 is coming this year. OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, so that everyone can reproduce the results, and presents it to the entire community for feedback.
Privacy is an illusion. But that’s a good thing article says that everyone’s information is available. It doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.
Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues such as Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.
Legal requirements for IoT security start to emerge article tells that legislation is starting to make security a legal requirement, with consumer IoT designs required to have vaguely defined “reasonable security features”. The US Government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. EU introduces a cyber security IoT standard to protect its citizens and ENISA Publishes Guidelines on Securing the IoT Supply Chain.
7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.
IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. 6 essential activities to help developers build in IoT cybersecurity article gives some ideas to improve cyber security in your IoT development.
Tomi Engdahl says:
https://cybernews.com/security/why-you-should-stop-using-sms-for-two-factor-authentication/
Tomi Engdahl says:
https://duo.com/docs/trusted-endpoints
Duo’s Trusted Endpoints feature lets you define and manage trusted endpoints and grant secure access to your organization’s applications with policies that verify systems using device certificates, application verification, or management status.
Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications can be identified as managed, or can block access to various applications from systems that aren’t managed.
Tomi Engdahl says:
Signal unveils how far US law enforcement will go to get information about people
https://www.zdnet.com/article/signal-unveils-how-far-us-law-enforcement-will-go-to-get-information-about-people/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
The encrypted messaging developer said Santa Clara County police wanted very specific personal information of certain users, including IP addresses along with dates and times for each login.
In the search warrant, Santa Clara Police sought to get the name, street address, telephone number, and email address of a specific Signal user. It also wanted billing records, the dates of when the account was opened and registered, inbound and outbound call detail records, voicemails, video calls, emails, text messages, IP addresses along with dates and times for each login, and even all dates and times the user connected to Signal.
In response to the search warrant, Signal provided law enforcement authorities with timestamps regarding the account specified in the search warrant. The timestamps showed the dates that the account last connected to Signal.
Search warrant for Signal user data, Santa Clara County
https://signal.org/bigbrother/santaclara/
Tomi Engdahl says:
Large-scale information security incidents and situations affecting citizens will be announced via the 112 Suomi app https://www.epressi.com/tiedotteet/tietoturva/laajoista-kansalaisia-koskevista-tietoturvahairioista-ja-tilanteista-tiedotetaan-112-suomi-sovelluksen-avulla.html
The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom will from now on also report large-scale information security incidents and events affecting citizens in the 112 Suomi mobile app.
Tomi Engdahl says:
Ransomware Has Disrupted Almost 1,000 Schools in the US This Year https://www.vice.com/en/article/4awyvp/ransomware-has-disrupted-almost-1000-schools-in-the-us-this-year
There have been more than 70 ransomware attacks affecting around 1,000 U.S. schools this year, and it may get worse before it gets better.
This week is busier than normal for a week that does not include 2nd Tuesday, so we are going with a two-part listing. For Part 1 we have ten vendor disclosures from B&R Automation (3), PEPPERL+FUCHS, MB Connect, CODESYS (4), and Dell.
Tomi Engdahl says:
Network Scanning Traffic Observed in Public Clouds https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/
Tracking network scanning activities can help researchers understand which services are being targeted. By monitoring the origins of the scanners, researchers can also identify compromised endpoints. If a host belonging to a known organization suddenly starts to scan a part of the internet, it is a strong indicator that the host is compromised.
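The heuristic quoted above (a host from a known organization that suddenly fans out across the internet is probably compromised) as detection logic over flow records. This is an added example written for this post, not code from the Unit 42 article; the network ranges, thresholds, window size and flow records are constructed assumptions.

```python
"""Flag own hosts whose outbound fan-out within a short window looks like scanning."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed values for this example; tune them to your own environment.
OWN_NETWORKS = [ip_network("10.0.0.0/8")]   # address space of the "known organization"
WINDOW_SECONDS = 60                          # bucket size for counting fan-out
HORIZONTAL_THRESHOLD = 20                    # distinct dst hosts on one port per window
VERTICAL_THRESHOLD = 15                      # distinct ports on one dst host per window


def build_sample_log():
    """Constructed flow records ("<iso-timestamp> <src> <dst> <dst_port>"), not real data."""
    base = datetime.fromisoformat("2021-11-02T10:00:00+00:00")
    lines = []
    # Benign web client: a handful of HTTPS connections to three hosts.
    for i, dst in enumerate(["203.0.113.7", "203.0.113.9", "198.51.100.20"]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.12 {dst} 443")
    # Horizontal scan: port 22 on 25 distinct hosts within 25 seconds.
    for i in range(25):
        ts = (base + timedelta(seconds=1 + i)).isoformat()
        lines.append(f"{ts} 10.0.7.33 203.0.113.{100 + i} 22")
    # Vertical scan: 20 distinct ports on a single host within 20 seconds.
    for i in range(20):
        ts = (base + timedelta(seconds=1 + i)).isoformat()
        lines.append(f"{ts} 10.0.9.8 198.51.100.5 {1000 + i}")
    # Inbound scan from an external source: noisy, but not the signal this rule is for.
    for i in range(25):
        ts = (base + timedelta(seconds=1 + i)).isoformat()
        lines.append(f"{ts} 192.0.2.50 10.0.3.{1 + i} 80")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dst_port) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def is_own_host(ip):
    addr = ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)


def detect_scanners(flows, window=WINDOW_SECONDS):
    """Return alerts for own hosts whose per-window fan-out crosses a threshold.

    Horizontal: one destination port, many destination hosts (sweeping for a service).
    Vertical:   one destination host, many destination ports (probing a single target).
    Flows are grouped into fixed windows of `window` seconds aligned to the epoch.
    """
    hosts_per_port = defaultdict(set)   # (src, bucket, dst_port) -> {dst hosts}
    ports_per_host = defaultdict(set)   # (src, bucket, dst_host) -> {dst ports}
    for ts, src, dst, port in flows:
        if not is_own_host(src):
            continue   # the heuristic is about our own, supposedly trusted, hosts
        bucket = int(ts.timestamp()) // window
        hosts_per_port[(src, bucket, port)].add(dst)
        ports_per_host[(src, bucket, dst)].add(port)

    def window_start(bucket):
        return datetime.fromtimestamp(bucket * window, tz=timezone.utc).isoformat()

    alerts = []
    for (src, bucket, port), dsts in hosts_per_port.items():
        if len(dsts) >= HORIZONTAL_THRESHOLD:
            alerts.append({"src": src, "kind": "horizontal", "port": port,
                           "count": len(dsts), "window_start": window_start(bucket)})
    for (src, bucket, dst), ports in ports_per_host.items():
        if len(ports) >= VERTICAL_THRESHOLD:
            alerts.append({"src": src, "kind": "vertical", "target": dst,
                           "count": len(ports), "window_start": window_start(bucket)})
    return sorted(alerts, key=lambda a: (a["src"], a["kind"]))


if __name__ == "__main__":
    for alert in detect_scanners(parse_flows(build_sample_log())):
        print(alert)
```

Flows from outside the organization are ignored on purpose: the rule is for catching compromised hosts in your own address space, not for counting the background scanning every public range receives.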
Tomi Engdahl says:
Bloomberg:
A look at student activity monitoring software GoGuardian, whose usage in US schools exploded during lockdowns as some say it adds to kids’ psychological strain
Big Teacher Is Watching: How AI Spyware Took Over Schools
https://www.bloomberg.com/news/features/2021-10-28/how-goguardian-ai-spyware-took-over-schools-student-devices-during-covid
The pandemic caused schools to embrace laptops, tablets, Zoom, and an app called GoGuardian that tracks everything students (and, sometimes, parents) do online.
Tomi Engdahl says:
3 Questions for MDRs Helping to Get Your Enterprise to XDR
https://www.securityweek.com/3-questions-mdrs-helping-get-your-enterprise-xdr
An XDR implementation can quickly turn into a very large consulting project requiring significant time and budget
But over the last couple of years, the acceleration of digital transformation, remote work and moving to the cloud have forced security practitioners to take a more holistic approach to detection and response.
Security practitioners have had to rethink detection to include a breadth and depth of information from disparate systems and sources across the infrastructure in order to better understand and defend against threats. Similarly, they have had to update their approach to response to include all the enforcement points across the infrastructure impacted by an attack. And to support these new detection and response requirements, they’ve had to prioritize and improve how systems and tools work together. As a result, Extended Detection and Response (XDR) is gaining a lot of traction.
But even more change is afoot. Couple this evolution with the global cybersecurity talent shortage of over three million professionals, and organizations are also rethinking their overall approach to security operations. The promise of XDR is predicated on enabling integration and data flow across the infrastructure for prevention, detection and response. However, many organizations struggle to implement and manage XDR solutions. Even if the XDR solution vendor has great APIs that are “easy” to write to, getting data from on-premises, legacy applications to a cloud platform is a considerable undertaking. An XDR implementation can quickly turn into a very large consulting project requiring significant time and budget.
So, some organizations choose to outsource a portion or the entire function to a managed detection and response (MDR) service provider that offers XDR as a service. An offshoot of the traditional Managed Security Service Providers (MSSPs) market, MDR is a burgeoning category in cybersecurity services and is forecasted to grow from $975 million in 2020 to nearly $7.3 billion in 2028. Gartner defines MDR providers as delivering 24/7 threat monitoring, detection and response services using a combination of technologies and human expertise.
If you are among the growing group of organizations looking to an MDR provider to supplement your security operations with XDR, make sure you consider these three factors.
1. How can you cover more attack vectors for companies?
2. Are you able to bring in and utilize the right external data sources for companies?
3. Can you get all tools and all teams to work in concert?
Tomi Engdahl says:
NSA, CISA Release 5G Cloud Security Guidance
https://www.securityweek.com/nsa-cisa-release-5g-cloud-security-guidance
The NSA and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released the first in a series of guidance documents for securing 5G cloud infrastructure.
The guidance comes from the Enduring Security Framework (ESF), a public-private partnership between the NSA, CISA, the Defense Department, the intelligence community, as well as IT, communications, and defense industrial base companies.
The first of the four-part series on securing 5G clouds focuses on preventing and detecting lateral movement.
5G networks rely on cloud infrastructures for agility, resilience and scalability. These networks need to be secure as they will be a tempting target for threat actors looking to cause disruptions or compromise information.
Tomi Engdahl says:
MITRE, CISA Announce 2021 List of Most Common Hardware Weaknesses
https://www.securityweek.com/mitre-cisa-announce-2021-list-most-common-hardware-weaknesses
MITRE and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list.
Composed of the most frequent and critical errors that result in serious hardware vulnerabilities, the list includes a total of 12 entries, with five additional weaknesses that scored just outside the final list also mentioned.
The list is meant to raise awareness of common hardware weaknesses and to help prevent hardware vulnerabilities at the source, MITRE says.
In addition to instructing designers and programmers on how errors can be eliminated during product development, the list can help analysts and engineers plan security testing and evaluation, as well as consumers to ask suppliers to deliver more secure hardware.
The list is also expected to help managers and CIOs assess the progress of their efforts to secure hardware and to decide where resources should be directed to build tools and automation processes to mitigate a wide class of vulnerabilities, MITRE notes.
The final 2021 CWE Most Important Hardware Weaknesses list includes the 12 entries that scored highest during analysis.
2021 CWE Most Important Hardware Weaknesses
Five other weaknesses (the Hardware Weaknesses on the Cusp) scored just outside of the final list, but risk-decision makers and those performing mitigations should still consider these in their analyses, MITRE says.
Tomi Engdahl says:
Google Introduces New Open-Source Data Privacy Protocol
https://www.securityweek.com/google-introduces-new-open-source-data-privacy-protocol
Google last week took the wraps off Private Set Membership (PSM), a cryptographic protocol meant to ensure privacy during specific queries.
The protocol helps clients check whether a specific identifier is present in a list held by a server, in a privacy-preserving manner: the client identifier is transmitted encrypted, the server doesn’t learn the result of the query, and the client doesn’t learn details on the set of identifiers on the server, other than whether the queried identifier is or isn’t a member of the set.
“As an example, users may want to check membership of a computer program on a block list consisting of known malicious software before executing the program. Often, the set’s contents and the queried items are sensitive, so we designed Private Set Membership to perform this task while preserving the privacy of our users,” Google explains.
Starting Chrome 94, Google says, Chrome OS devices leverage the privacy-focused protocol to complete the enrollment process, which involves verifying device information with Google, such as whether it is enterprise enrolled or pre-packaged with a license.
Private Set Membership, which is available in open source, leverages Google’s open source homomorphic encryption library to ensure that encrypted data can be operated even without decryption, as well as oblivious hashing, a cryptographic technique where two parties can jointly compute a hash while keeping each of their contributions hidden.
https://github.com/google/private-membership
Private Set Membership (PSM) is a cryptographic protocol that allows clients to privately query whether the client’s identifier is a member of a set of identifiers held by a server in a privacy-preserving manner.
At a high level, PSM provides the following privacy guarantees:
The server does not learn the client’s queried identifier in the plaintext.
The server does not learn whether the client’s query results in a membership or non-membership determination.
The querying client does not learn any information about the set of identifiers that are stored by the server beyond whether the querying client’s identifier is a member or not of the server-held set of identifiers. In other words, the querying client learns the bare minimum amount of information which is only the answer of the membership query.
Tomi Engdahl says:
Ransomware decryptor roundup: BlackByte, Atom Silo, LockFile, Babuk decryptors released https://www.zdnet.com/article/ransomware-decryptor-roundup-blackbyte-atom-silo-lockfile-babuk-decryptors-released/
This follows the release of multiple decryptors over the past few months, including REvil/Sodinokibi. Ransomware decryptors for the BlackByte, Atom Silo, LockFile and Babuk strains were released over the last two weeks, highlighting some amount of progress in the fight against a few of the smaller ransomware gangs.
Tomi Engdahl says:
FBI: HelloKitty ransomware adds DDoS attacks to extortion tactics
https://www.bleepingcomputer.com/news/security/fbi-hellokitty-ransomware-adds-ddos-attacks-to-extortion-tactics/
The U.S. Federal Bureau of Investigation (FBI) has sent out a flash alert warning private industry partners that the HelloKitty ransomware gang (aka FiveHands) has added distributed denial-of-service (DDoS) attacks to their arsenal of extortion tactics.
Tomi Engdahl says:
Lessons from a real-life ransomware attack https://blog.malwarebytes.com/ransomware/2021/11/lessons-from-a-real-life-ransomware-attack/
Ransomware attacks, despite dramatically increasing in frequency this summer, remain opaque for many potential victims. It isn’t anyone’s fault, necessarily, since news articles about ransomware attacks often focus on the attack, the suspected threat actors, the ransomware type, and, well, not much else. In immediate recovery, first prioritize and then look for “surprise” systems.
Tomi Engdahl says:
Microsoft Defender for Windows is getting a massive overhaul
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-windows-is-getting-a-massive-overhaul/
Microsoft Defender for Windows is getting a massive overhaul allowing home network admins to deploy Android, iOS, and Mac clients to monitor antivirus, phishing, compromised passwords, and identity theft alerts from a single security dashboard.
Tomi Engdahl says:
Microsoft warns of rise in password sprays targeting cloud accounts
https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-rise-in-password-sprays-targeting-cloud-accounts/
The Microsoft Detection and Response Team (DART) says it detected an increase in password spray attacks targeting privileged cloud accounts and high-profile identities such as C-level executives.
Tomi Engdahl says:
China Tightens Control Over Company Data With Transfer Rules
https://www.securityweek.com/china-tightens-control-over-company-data-transfer-rules
Companies in China would need government approval to transfer important data abroad under proposed rules announced Friday that would tighten Beijing’s control over information and might disrupt operations for international corporations.
The measure is needed to protect the Chinese public and “safeguard national security,” the Cyberspace Administration of China said.
President Xi Jinping’s government sees information about China’s 1.4 billion people as a potential security risk in private hands. It has issued a flurry of rules tightening control over how companies gather and handle information.
A crackdown on data security launched in late 2020 fueled anxiety among investors, who have knocked more than $1.3 trillion off the total market value of e-commerce platform Alibaba, games and social media operator Tencent and other tech giants.
Tomi Engdahl says:
New York Times:
Meta plans to shut down Facebook’s decade-old facial recognition system this month, deleting the face scan data of 1B+ users following legal and regulatory woes — Saying it wants “to find the right balance” with the technology, the social network will delete the face scan data of more than one billion users.
https://www.nytimes.com/2021/11/02/technology/facebook-facial-recognition.html
Tomi Engdahl says:
Facebook to Shut Down Face-Recognition System, Delete Data
https://www.securityweek.com/facebook-shut-down-face-recognition-system-delete-data
Facebook said it will shut down its face-recognition system and delete the faceprints of more than 1 billion people amid growing concerns about the technology and its misuse by governments, police and others.
“This change will represent one of the largest shifts in facial recognition usage in the technology’s history,” Jerome Pesenti, vice president of artificial intelligence for Facebook’s new parent company, Meta, wrote in a blog post on Tuesday. “Its removal will result in the deletion of more than a billion people’s individual facial recognition templates.”
He said the company was trying to weigh the positive use cases for the technology “against growing societal concerns, especially as regulators have yet to provide clear rules.”
An Update On Our Use of Face Recognition
https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/
We’re shutting down the Face Recognition system on Facebook. People who’ve opted in will no longer be automatically recognized in photos and videos and we will delete more than a billion people’s individual facial recognition templates.
This change will also impact Automatic Alt Text (AAT), which creates image descriptions for blind and visually-impaired people. After this change, AAT descriptions will no longer include the names of people recognized in photos but will function normally otherwise.
We need to weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules.
Tomi Engdahl says:
‘Destructive’ cyberattack hits National Bank of Pakistan https://therecord.media/destructive-cyberattack-hits-national-bank-of-pakistan/
The incident, which took place on the night between Friday and Saturday, impacted the bank’s backend systems and affected servers used to interlink the bank’s branches, the backend infrastructure controlling the bank’s ATM network, and the bank’s mobile apps.
Tomi Engdahl says:
Bandwidth.com expects to lose up to $12M following DDoS extortion attempt https://therecord.media/bandwidth-com-expects-to-lose-up-to-12m-following-ddos-extortion-attempt/
Bandwidth Inc. expects to lose between $9 million and $12 million because of service downtime caused by a series of DDoS attacks the company dealt with during late September and early October this year.
The attackers tried to obtain money from Bandwidth Inc. by attacking its Bandwidth.com portal, through which the company provided on-demand server infrastructure to smaller VoIP telephony providers.
Tomi Engdahl says:
Google patches zero-day vulnerability, and others, in Android
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/google-patches-zero-day-vulnerability-and-others-in-android/
Google has issued security patches for the Android Operating System.
In total, the patches address 39 vulnerabilities. There are indications that one of the patched vulnerabilities may be under limited, targeted exploitation.
Tomi Engdahl says:
Google to Pay Hackers $31,337 for Exploiting Patched Linux Kernel Flaws https://thehackernews.com/2021/11/google-to-pay-hackers-31337-for.html
Google on Monday announced that it will pay security researchers to find exploits using vulnerabilities, previously remediated or otherwise, over the next three months as part of a new bug bounty program to improve the security of the Linux kernel.
Tomi Engdahl says:
Over 30,000 GitLab servers still unpatched against critical bug https://www.bleepingcomputer.com/news/security/over-30-000-gitlab-servers-still-unpatched-against-critical-bug/
A critical unauthenticated, remote code execution GitLab flaw fixed on April 14, 2021, remains exploitable, with over 50% of deployments remaining unpatched. The vulnerability is tracked as CVE-2021-22205 and has a CVSS v3 score of 10.0, allowing an unauthenticated, remote attacker to execute arbitrary commands as the ‘git’ user (repository admin).
Tomi Engdahl says:
Facebook deletes 1 billion faceprints in Face Recognition shutdown https://www.bleepingcomputer.com/news/technology/facebook-deletes-1-billion-faceprints-in-face-recognition-shutdown/
Facebook announced today that they will no longer use the Face Recognition system on their platform and will be deleting over 1 billion people’s facial recognition profiles.
Tomi Engdahl says:
EU to adopt new cybersecurity rules for smartphones, wireless, IoT devices
https://therecord.media/eu-to-adopt-new-cybersecurity-rules-for-smartphones-wireless-iot-devices/
The European Commission has ordered an update to the Radio Equipment Directive in order to introduce new cybersecurity guidelines for radio and wireless equipment sold on the EU market, such as mobile phones, tablets, fitness trackers, and other smart IoT devices.
The delegated act, which is a bureaucratic mechanism used by the European Commission to tell EU bodies to update legislation, lists three new security measures that device makers must incorporate in the design of their products in order to be allowed to sell products in the EU. These include:
Improve network resilience: Wireless devices and products will have to incorporate features to avoid harming communication networks and prevent the possibility that the devices are used to disrupt website or other services functionality.
Better protect consumers’ privacy: Wireless devices and products will need to have features to guarantee the protection of personal data. The protection of children’s rights will become an essential element of this legislation. For instance, manufacturers will have to implement new measures to prevent unauthorised access or transmission of personal data.
Reduce the risk of monetary fraud: Wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.
https://eur-lex.europa.eu/summary/glossary/delegated_acts.html
Tomi Engdahl says:
Google Triples Bounty for Linux Kernel Exploitation
https://www.securityweek.com/google-triples-bounty-linux-kernel-exploitation
Google is sweetening the pot for bug bounty researchers finding and exploiting privilege escalation flaws in the Linux kernel.
Over the next three months, Google plans to shell out US$31,337 for privilege escalation exploits using an already patched vulnerability, and $50,337 for a zero-day kernel flaw or a novel exploitation technique.
These amount to a tripling of Google’s bug bounty payments and are meant to incentivize hackers to share zero-days or mitigation bypasses for Linux kernel defects with major security implications.
“We hope the new rewards will encourage the security community to explore new Kernel exploitation techniques to achieve privilege escalation and drive quicker fixes for these vulnerabilities,” Google said in a note announcing the program.
Google said the base rewards for exploiting a publicly patched vulnerability is $31,337 (at most one exploit per vulnerability) and noted that the reward can go up to $50,337 USD in two cases:
If the vulnerability was otherwise unpatched in the Kernel (0day).
If the exploit uses a new attack or technique, as determined by Google.
Trick & Treat! Paying Leets and Sweets for Linux Kernel privescs and k8s escapes
https://security.googleblog.com/2021/11/trick-treat-paying-leets-and-sweets-for.html
Starting today and for the next 3 months (until January 31 2022), we will pay 31,337 USD to security researchers that exploit privilege escalation in our lab environment with a patched vulnerability, and 50,337 USD to those that use a previously unpatched vulnerability, or a new exploit technique. We are constantly investing in the security of the Linux Kernel because much of the internet, and Google—from the devices in our pockets, to the services running on Kubernetes in the cloud—depend on the security of it. We research its vulnerabilities and attacks, as well as study and develop its defenses. But we know that there is more work to do. That’s why we have decided to build on top of our kCTF VRP from last year and triple our previous reward amounts (for at least the next 3 months).
Tomi Engdahl says:
Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years
https://www.securityweek.com/google-paid-over-29-million-bug-bounty-rewards-10-years
Google says it has paid more than $29 million in rewards for pre-patch vulnerability data over the past 10 years.
Since the launch of Google Vulnerability Rewards Program (VRP) 10 years ago, the company said it paid bounties on 11,055 vulnerabilities that were reported by 2,022 researchers from 84 countries. To date, the company paid a total of $29,357,516.
Separately, the search giant announced that it is bringing all of its VRPs (Abuse, Android, Chrome, Google, and Play) together on a single online platform — bughunters.google.com.
Tomi Engdahl says:
FBI: Ransomware Attacks Exploit Financial Business Events
https://www.securityweek.com/fbi-ransomware-attacks-exploit-financial-business-events
The Federal Bureau of Investigation (FBI) this week issued an industry-wide notification to raise awareness about ransomware operators leveraging information on mergers, acquisitions and stock valuations to launch extortion attacks on businesses.
Ransomware actors are known for performing extensive research prior to launching an attack on victims, using publicly available information, along with material non-public data. Should the victim refrain from paying the ransom, the attackers threaten to disclose the gathered information publicly, thus attempting to extort the victim, the FBI warned.
“Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims,” it added.
The FBI said ransomware victims are often carefully selected from a pool of entities infected by an access broker with Trojan malware that is usually mass distributed.
The selection is performed based on initial reconnaissance during which non-publicly available information is identified and harvested to be used as leverage during the extortion phase.
“Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established,” according to the FBI advisory.
Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
https://www.ic3.gov/Media/News/2021/211101.pdf
Tomi Engdahl says:
Facebook app
An Update On Our Use of Face Recognition
https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/
Tomi Engdahl says:
While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they’ll be able to unlock it at some point in the future. The threat comes from quantum computers, which work very differently from…
Hackers are stealing data today so quantum computers can crack it in a decade
https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/?utm_source=Facebook&utm_medium=tr_social&utm_campaign=site_visitor.unpaid.engagement
The US government is starting a generation-long battle against the threat next-generation computers pose to encryption.
Tomi Engdahl says:
https://techcrunch.com/2021/11/03/us-bans-trade-with-security-firm-nso-group-over-pegasus-spyware/?tpcc=tcplusfacebook
Tomi Engdahl says:
Linux Foundation adds software supply chain security to LFX
https://www.zdnet.com/article/linux-foundation-adds-software-supply-chain-security-to-lfx/
Our software supply chains are under attack. The Linux Foundation, via its LFX tools, is set to defend them. Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing automated vulnerability detection capabilities
Tomi Engdahl says:
The Booming Underground Market for Bots That Steal Your 2FA Codes
https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo
The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts. “The bot is great for people who don’t have social engineering skills.”
Tomi Engdahl says:
CISA creates catalog of known exploited vulnerabilities, orders agencies to patch https://therecord.media/cisa-creates-catalog-of-known-exploited-vulnerabilities-orders-agencies-to-patch/
The US Cybersecurity and Infrastructure Security Agency today established a public catalog of vulnerabilities known to be exploited in the wild and has issued a binding operational directive ordering US federal agencies to patch affected systems within specific timeframes and deadlines. CISA Director Jen Easterly said that while the binding operational directive can only force US federal agencies to take action, all organizations should take action and patch the listed vulnerabilities, as the same exploits are also used to attack private entities. See also:
https://us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-22-01-reducing-significant-risk-known-exploited
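The directive described above turns the catalog into a list of dated remediation obligations, so the practical defender task is to join it against an asset inventory and surface what is overdue. The following is an added example (not code from CISA, the article, or this blog) that does that join on a constructed catalog excerpt: the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) follow the shape of the catalog's JSON feed, but the CVE identifiers, products, hosts and dates in it are placeholders constructed for the example, not real catalog entries.

```python
"""Join an asset inventory against a KEV-style catalog and flag overdue items.

Added example for this page; nothing here is CISA's own tooling.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The CVE ids, vendor,
# products and dates are placeholders, not entries from the real catalog.
KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleVPN", "dateAdded": "2021-11-03",
     "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "ExampleCMS", "dateAdded": "2021-11-03",
     "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
     "product": "ExampleRouter", "dateAdded": "2021-11-03",
     "dueDate": "2021-11-17"}
  ]
}
"""

# Constructed inventory: host name -> CVE ids a vulnerability scanner reported
# as unremediated on that host (hypothetical hosts).
INVENTORY = {
    "vpn-gw-01": ["CVE-0000-0001", "CVE-9999-9999"],  # second id is not in KEV
    "web-01": ["CVE-0000-0002"],
    "db-01": [],
}


def load_kev(text):
    """Parse the catalog JSON into a dict keyed by CVE id."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def assess(inventory, kev, today):
    """Return (host, cve, product, due_date, status) for every inventory CVE
    that appears in the catalog. CVEs absent from the catalog are ignored
    here, since the directive's deadlines apply only to listed entries.
    Overdue items sort first, then by due date."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            status = "OVERDUE" if today > due else "due"
            findings.append((host, cve, entry["product"], due.isoformat(), status))
    return sorted(findings, key=lambda f: (f[4] != "OVERDUE", f[3]))


def overdue_count(inventory, kev, today):
    """Number of host/CVE pairs past their catalog deadline on `today`."""
    return sum(1 for f in assess(inventory, kev, today) if f[4] == "OVERDUE")


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for host, cve, product, due, status in assess(INVENTORY, catalog, date(2021, 12, 1)):
        print(f"{status:8} {host:12} {cve:16} {product:14} due {due}")
```

Run against a real export of the catalog, the only changes needed are reading `KEV_JSON` from the downloaded file and feeding `INVENTORY` from scanner output; the join itself stays the same.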
Tomi Engdahl says:
https://www.securityweek.com/microsoft-announces-new-endpoint-security-solution-smbs
Tomi Engdahl says:
CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch
https://www.securityweek.com/cisa-lists-300-exploited-vulnerabilities-organizations-need-patch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a list of roughly 300 vulnerabilities that are known to have been exploited, and it has issued a binding operational directive (BOD) instructing government organizations to patch these security flaws.
The catalog currently includes vulnerabilities found in products from Accellion, Adobe, Apple, Apache, Android, Arcadyan, Arm, Atlassian, BQE, Cisco, Citrix, D-Link, DNN, Docker, DrayTek, Drupal, ExifTool, Exim, EyesOfNetwork, F5, ForgeRock, Fortinet, Google, IBM, ImageMagick, Ivanti, Kaseya, LifeRay, McAfee, Micro Focus, Microsoft, Mozilla, Nagios, Netgear, Netis, Oracle, PlaySMS, Progress, Pulse Secure, Qualcomm, rConfig, Realtek, Roundcube, SaltStack, SAP, SIMalliance, SolarWinds, Sonatype, SonicWall, Sophos, Sumavision, Symantec, TeamViewer, Telerik, Tenda, ThinkPHP, Trend Micro, TVT, Unraid, vBulletin, VMware, WordPress, Yealink, Zoho (ManageEngine), and ZyXEL.
CISA’s list of known exploited vulnerabilities
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Tomi Engdahl says:
Microsoft Announces New Endpoint Security Solution for SMBs
https://www.securityweek.com/microsoft-announces-new-endpoint-security-solution-smbs
Microsoft on Tuesday announced the upcoming availability of Microsoft Defender for Business, an enterprise-grade endpoint security solution catered for small and medium-sized businesses (SMBs).
Soon to become available in preview, the solution is meant for organizations of up to 300 employees, to keep them protected from rising cyber threats, such as ransomware attacks and other types of malware intrusions.
With Defender for Business, Microsoft promises capabilities such as antivirus, threat and vulnerability management, and endpoint detection and response (EDR), across a broad range of desktop and mobile platforms, including Windows, macOS, Android, and iOS.
Introducing Microsoft Defender for Business
https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/introducing-microsoft-defender-for-business/ba-p/2898701
Tomi Engdahl says:
https://www.niemanlab.org/2021/11/facebook-is-blocking-access-to-data-about-how-much-misinformation-it-spreads-and-who-is-affected/
Tomi Engdahl says:
Biden admin’s bug fix mandate aims to prevent the next major cybersecurity attack
Federal agencies have six months to patch cybersecurity threats found between 2017 and 2020
https://www.theverge.com/2021/11/3/22761208/biden-administration-security-vulnerabilities-patch
Tomi Engdahl says:
https://techcrunch.com/2021/11/02/microsoft-azure-expands-its-hybrid-and-multi-cloud-reach/
Tomi Engdahl says:
GitLab servers are being exploited in DDoS attacks in excess of 1 Tbps
https://therecord.media/gitlab-servers-are-being-exploited-in-ddos-attacks-in-excess-of-1-tbps/
Tomi Engdahl says:
Digging into Google’s push to freeze ePrivacy
Across Europe, big adtech’s reach has grown long indeed…
https://techcrunch.com/2021/11/01/digging-into-googles-push-to-freeze-eprivacy/
Google has responded to allegations contained in a recently unsealed US antitrust lawsuit that it worked covertly to stall European Union privacy legislation that could have blasted a huge hole in its behavioral advertising business.
Tomi Engdahl says:
Criminals Can’t Wait to Add Your IoT Device to Their DDoS Networks
https://www.bitdefender.com/blog/hotforsecurity/criminals-cant-wait-to-add-your-iot-device-to-their-ddos-networks/
The idea that our IoT devices might present an attractive target may seem ridiculous. What could attackers achieve by compromising my vacuum cleaner or my smart TV? Well, it turns out that simple access to those devices is a coveted prize.
Whether we’re aware or not, our homes have become smart hubs filled with intelligent devices. We have smart TVs (some with really powerful hardware), vacuums, washing machines, speakers, personal assistants, streaming devices, surveillance cameras, network-attached devices (NAS), smartphones and PCs. And that only scratches the surface of what people have inside their homes.
Any of these devices might have vulnerabilities that would allow attackers to take control or at least compromise them. While we can’t compare a compromised PC with a compromised washing machine, it doesn’t mean that laundry appliance holds no interest.
Tomi Engdahl says:
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords
https://www.bitdefender.com/blog/hotforsecurity/bitdefender-study-reveals-how-consumers-like-and-dislike-managing-passwords/
In support of #CyberSecurityAwarenessMonth, Bitdefender is rolling out the results of a global survey of online behaviors across 11 countries. When analyzing all respondent behaviors, from password reuse to sharing of account details and lack of security solutions installed, almost 60% of consumers were deemed “exposed” or “rather exposed.” Just 11% could be described as “secure” in terms of their cybersecurity practices. Poor password management stands out as a major vulnerability among consumers.
According to the results, consumers use an average of 8 online platforms. The most popular are Facebook, WhatsApp, YouTube, Instagram, Gmail, TikTok and Snapchat. However, most consumers have both social media and online shopping accounts. 63% of respondents reported having a social media account and 54% an online shopping account. Other top services include video streaming, at 40%, telecommunication and health platforms, at 29%, and utility services, at 28%.
Tomi Engdahl says:
Almost half of rootkits are used for cyberattacks against government organizations
Research institutes are also in the firing line.
https://www.zdnet.com/article/almost-half-of-rootkits-are-used-to-strike-government-targets/
Tomi Engdahl says:
Ceremony activates one-of-a-kind battalion to support cyberspace operations
https://www.army.mil/article/251542/ceremony_activates_one_of_a_kind_battalion_to_support_cyberspace_operations
A new unit joined the Army’s arsenal for supporting and defending its critical networks and assuring dominance in the information dimension with the activation of the 60th Offensive Cyberspace Operations Signal Battalion (OCOSB) in a ceremony at Fort Gordon, Ga., Oct. 20, 2021.
During the ceremony battalion commander Lt. Col. Kevin J. Weber and Command Sgt. Maj. Tyrone Cooper uncased the 60th’s colors.
The activation marks the beginning of a new mission for the battalion, explained 1st Lt. Garrett Steinbrugge, executive officer for Company C, 60th OCOSB.
Tomi Engdahl says:
Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice https://www.state.gov/reward-offers-for-information-to-bring-darkside-ransomware-variant-co-conspirators-to-justice/
The U.S. Department of State announces a reward offer of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group. In addition, the Department is also offering a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident.
Tomi Engdahl says:
FBI: Ransomware gangs hit several tribal-owned casinos in the last year https://www.bleepingcomputer.com/news/security/fbi-ransomware-gangs-hit-several-tribal-owned-casinos-in-the-last-year/
The FBI’s Cyber Division said in a private industry notification issued earlier this week that ransomware gangs have hit several tribal-owned casinos, taking down their systems and disabling connected systems. These attacks are part of a long series of similar incidents going back to 2016, with damages estimated in the millions of dollars in recent months.
Tomi Engdahl says:
LähiTapiola pays a skilled hacker a reward of up to 50,000 dollars [FOR SUBSCRIBERS] https://www.kauppalehti.fi/uutiset/lahitapiola-maksaa-taitavalle-hakkerille-jopa-50000-dollarin-palkkion/8a40c7fe-89a7-4e35-b476-631c8c167efe
The insurance company LähiTapiola is a friend of well-intentioned hackers. It has a continuously running Bug Bounty program that encourages hackers to look for security holes in the company’s systems. The size of the reward varies between five and fifty thousand dollars. The more serious the vulnerability the hacker finds, the larger the reward.
“This is a bit like the African savanna,” Niemelä says. “If a lion comes and goes after the herd of gnus, we at least are not among the last ones, the ones who get caught. You have to be at the front so that the lion doesn’t catch us but grabs a weaker one. Criminals focus on easy targets, not on those who protect themselves.”