Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat: it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development and investment. Advanced 5G and wireless networks will provide higher traffic capacity, lower latency and increased reliability, and will enable real-time processing and analytics. Edge computing strives to bring real-time computation, data storage, and operations closer to the device rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated in searching for vulnerabilities and delivering malware by adapting and automating machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn’t not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities. While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being reworked
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Secure Boot and Memory Encryption or Flash Encryption, but these have been pretty weak solutions. Recently, Arm’s TrustZone-M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which in essence adds security extension instructions to the CPU. In this solution, TEE-type protections are provided by a secure enclave. Using this kind of secure enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the device’s memory: it is created only for security processing and exits when it has completed its task. This differs significantly from the TEE structure, where a second kernel runs all the time alongside the operating system. When there is no parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture, introduced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period, TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it beyond technically savvy individuals and criminal organizations to everyone. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies include:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Extended Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Ransomware encrypts files, demands three good deeds to restore data
Shut up and take … poor kids to KFC?
https://www.theregister.com/2022/05/26/promoting_goodwill_via_malware_extortion/
Tomi Engdahl says:
https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html
Tomi Engdahl says:
https://pentestmag.com/xss-to-exfiltrate-data-from-pdfs/
Tomi Engdahl says:
Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms
The tech giants want to roll out FIDO passkey technology in the coming year
https://www.theverge.com/2022/5/5/23057646/apple-google-microsoft-passwordless-sign-in-fido
Tomi Engdahl says:
https://digitalinvestigator.blogspot.com/2022/05/linux-commands-for-incident-response_31.html
Tomi Engdahl says:
Understand the Open Source Software Security Mobilization Plan
https://coderoasis.com/understanding-the-openssf/
The Linux Foundation and the Open Source Security Foundation (OpenSSF) have introduced the Open Source Software Security Mobilization Plan. This is in response to attacks on the software supply chain and an uptick in interest in securing them. Supply chains are appealing targets to malicious actors because they can compromise a single point and have a cascading impact across the ecosystem of customers, as the SolarWinds and Log4j attacks have shown.
Software supply chain security became a focus with U.S. President Joe Biden’s Cybersecurity Executive Order (EO) in 2021. Its “Enhancing Software Supply Chain Security” section called for input from government, academia, and industry on best practices and guidelines. The U.S. National Institute of Standards and Technology (NIST) has now published that information.
Tomi Engdahl says:
https://www.techtarget.com/searchnetworking/feature/SDP-vs-VPN-vs-zero-trust-networks-Whats-the-difference
Tomi Engdahl says:
https://arstechnica.com/information-technology/2022/05/code-execution-0day-in-windows-has-been-under-active-exploit-for-7-weeks/
Tomi Engdahl says:
Harmful chips hidden on circuit boards revealed by their power use
https://www.newscientist.com/article/2315672-harmful-chips-hidden-on-circuit-boards-revealed-by-their-power-use/
Careful observation of the power consumption of a circuit board can reveal telltale signs that an attacker has tampered with it and installed a malicious device designed to steal sensitive information or cause crashes, say researchers.
Tomi Engdahl says:
This Website Can Figure Out What You’re Typing Just By Listening to Your Loud Mechanical Keyboard
Keytap3 just needs a microphone and an obnoxiously loud keyboard to eavesdrop.
https://gizmodo.com/website-can-track-mechanical-keyboard-typing-just-by-li-1848890545
Tomi Engdahl says:
Watch Hackers Destroy Industrial Systems With Code – Retia
https://m.youtube.com/watch?utm_campaign=meetedgar&utm_medium=social&utm_source=meetedgar.com&v=rIUhVDWQqTI
Tomi Engdahl says:
Healthcare organizations face rising ransomware attacks and are paying up
https://www.theregister.com/2022/06/03/healthcare-ransomware-pay-sophos/
Healthcare organizations, already an attractive target for ransomware given the highly sensitive data they hold, saw such attacks almost double between 2020 and 2021, according to a survey released this week by Sophos. The outfit’s team also found that while polled healthcare orgs are quite likely to pay ransoms, they rarely get all of their data returned if they do so. In addition, 78 percent of organizations are signing up for cyber insurance in hopes of reducing their financial risks, and 97 percent of the time the insurance company paid some or all of the ransomware-related costs. However, while insurance companies pay out in almost every case and are fueling an improvement in cyber defenses, healthcare organizations as with other industries are finding it increasingly difficult to get insured in the first place. The report:
https://www.sophos.com/en-us/whitepaper/state-of-ransomware-in-healthcare
Tomi Engdahl says:
WinDealer dealing on the side
https://securelist.com/windealer-dealing-on-the-side/105946/
LuoYu is a lesser-known threat actor that has been active since 2008.
It primarily goes after targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors. In their initial disclosures on this threat actor, TeamT5 identified three malware families: SpyDealer, Demsty and WinDealer. The actor behind these families is capable of targeting Windows, Linux and macOS machines, as well as Android devices. In previous years, Kaspersky investigated LuoYu’s activities and was able to confirm the connection between Demsty and WinDealer.
On January 27, we delivered a joint presentation with TeamT5 and ITOCHU Corporation at Japan Security Analyst Conference (JSAC) to provide an update on the actor’s latest activities. In this article, we will focus on one of the most groundbreaking developments: the fact that LuoYu has the ability to perform man-on-the-side attacks.
Tomi Engdahl says:
Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor
https://unit42.paloaltonetworks.com/popping-eagle-malware/
To better detect attacks that affect the actions of signed applications such as supply-chain attacks, dynamic-link library (DLL) hijacking, exploitation and malicious thread injection, we have devised a suite of analytics detectors that are able to detect global statistical anomalies. Using these new detectors, we found what seems to be an industrial espionage attack. The observed activity includes performing a specially crafted DLL hijacking attack used by a previously unknown piece of malware that we dubbed “Popping Eagle” due to several artifacts found in the samples. It also includes a second stage malicious tool written in Go dubbed “Going Eagle.” In this particular case, we observed the attacker following this by performing several network scans and lateral movement steps. In this blog post, we discuss the hunting method, analyze the tools used in the attack and detail the actions performed by the attacker in the victim’s environment.
Tomi Engdahl says:
Using Python to unearth a goldmine of threat intelligence from leaked chat logs
https://www.microsoft.com/security/blog/2022/06/01/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs/
Dealing with a great amount of data can be time consuming, thus using Python can be very powerful to help analysts sort information and extract the most relevant data for their investigation. The open-source tools library, MSTICPy, for example, is a Python tool dedicated to threat intelligence. It aims to help threat analysts acquire, enrich, analyze, and visualize data. This blog provides a workflow for deeper data analysis and visualization using Python, as well as for extraction and analysis of indicators of compromise (IOCs) using MSTICPy. Data sets from the February 2022 leak of data from the ransomware-as-a-service (RaaS) coordinated operation called “Conti” are used as a case study.
Tomi Engdahl says:
Apple blocked 1.6 millions apps from defrauding users in 2021
https://www.bleepingcomputer.com/news/security/apple-blocked-16-millions-apps-from-defrauding-users-in-2021/
Apple said this week that more than 343,000 iOS apps were blocked by the App Store App Review team for privacy violations last year, while another 157,000 were rejected for attempting to mislead or spam iOS users. The company added that it also blocked over 34,500 applications from getting indexed on the App Store because they were using undocumented or hidden features. Apple also removed 155,000 more apps for bait-and-switch tactics, such as adding new features or capabilities after approval. Throughout 2021, the App Review team stopped more than 1.6 million risky or vulnerable apps and updates from landing on the App Store and potentially defrauding users. Apple says that its efforts to protect customers from fraud attempts require the monitoring and vigilance of multiple teams focused on several areas, from App Review to Discovery Fraud.
Tomi Engdahl says:
ESET Threat Report T1 2022
https://www.welivesecurity.com/2022/06/02/eset-threat-report-t12022/
After more than two years of shielding from a global pandemic, we get a ‘reward’: war! Several conflicts are raging in different parts of the world, but for us, this one is different. Right across Slovakia’s eastern borders, where ESET has its HQ and several offices, Ukrainians are fighting for their lives and sovereignty in this unprovoked war, facing an opponent that possesses nuclear weapons. As you will read in the ESET Threat Report T1 2022, Ukraine is resisting attacks not only in the physical world but also in cyberspace. Our Featured story recounts various cyberattacks connected to the ongoing war that ESET researchers analyzed or helped to mitigate. This includes the resurrection of the infamous Industroyer malware, attempting to target high-voltage electrical substations. The report:
https://www.welivesecurity.com/wp-content/uploads/2022/06/eset_threat_report_t12022.pdf
Tomi Engdahl says:
What Counts as “Good Faith Security Research?”
https://krebsonsecurity.com/2022/06/what-counts-as-good-faith-security-research/
The U.S. Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute by which federal prosecutors pursue cybercrime cases. The new guidelines state that prosecutors should avoid charging security researchers who operate in “good faith” when finding and reporting vulnerabilities. But legal experts continue to advise researchers to proceed with caution, noting the new guidelines can’t be used as a defense in court, nor are they any kind of shield against civil prosecution.
Tomi Engdahl says:
Evasive phishing mixes reverse tunnels and URL shortening services https://www.bleepingcomputer.com/news/security/evasive-phishing-mixes-reverse-tunnels-and-url-shortening-services/
Security researchers are seeing an uptick in the use of reverse tunnel services along with URL shorteners for large-scale phishing campaigns, making the malicious activity more difficult to stop. This practice deviates from the more common method of registering domains with hosting providers, who are likely to respond to complaints and take down the phishing sites. With reverse tunnels, threat actors can host the phishing pages locally on their own computers and route connections through the external service. Using a URL shortening service, they can generate new links as often as they want to bypass detection. Many of the phishing links are refreshed in less than 24 hours, making tracking and taking down the domains a more challenging task.
Tomi Engdahl says:
The Hacker Gold Rush That’s Poised to Eclipse Ransomware https://www.wired.com/story/business-email-compromise-bec-ransomware-scams/
As governments around the world and law enforcement in the United States have grown serious about cracking down on ransomware and have started to make some progress, researchers are trying to stay a step ahead of attackers and anticipate where ransomware gangs may turn next if their main hustle becomes impractical. At the RSA security conference in San Francisco on Monday, longtime digital scams researcher Crane Hassold will present findings that warn it would be logical for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks, though ransomware attacks can be more visible and cause more disruption and associated losses.
Tomi Engdahl says:
Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.html
As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. Called Ransomware for IoT or R4IoT by Forescout, it’s a “novel, proof-of-concept ransomware that exploits an IoT device to gain access and move laterally in an IT network and impact the OT network.” This potential pivot is based on the rapid growth in the number of IoT devices as well as the convergence of IT and OT networks in organizations.
Tomi Engdahl says:
Threat Actors Prey on Eager Travelers
https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers
Sitting on a sunny beach full of sparkling sand. Exploring the jungle looking for exotic animals and plants. Diving into a deep blue sea where sunlight has a difficult time reaching. Partying all night at clubs in a city you have never been to. Holding hands with friends around a campfire singing Kumbaya. Eating warm food and drinking coffee in a cave in a snowy mountain. Those are some of what recently seemed to be unattainable travel fantasies that many people around the globe have been dreaming of since Covid-19 started to rapidly spread in early 2020. We’ve come a long way since then. Today, vaccinations and quarantining have led some governments to soften some of the regulations that have restricted how we live our everyday lives. Such eased regulations include eliminating travel restrictions so tourists can fill those delayed dreams. However, it’s essential for eager travelers to understand that malicious actors are just as eager to leverage that feeling of liberty to deliver malware. This blog will provide a few examples of such attacks that FortiGuard Labs recently discovered.
Tomi Engdahl says:
Handling Digital Evidence The Chain of Custody in Digital Forensics https://www.salvationdata.com/work-tips/handling-digital-evidence-the-chain-of-custody-in-digital-forensics/
Occasionally referred to as “paper trail”, the chain of custody is an important concept in digital forensics as well as the modern judicial system. The primary objective is to ensure that the digital evidence in question is legitimate, hasn’t been tampered with, and that it can stand in court. The protocol requires documenting everything in relation to the digital evidence in question. If any particular detail regarding the handling of digital evidence is omitted, its quality may come under question, and the court may rule it out as inadmissible. To make this complex issue easier to understand, we’ve prepared a comprehensive guide for you to follow.
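As an added example (not code from the Salvationdata guide), the following Python sketches what “documenting everything” looks like in practice: every hand-off of an evidence item is logged with the handler, the time and the item’s SHA-256, the log entries are hash-chained so a later edit to the paper trail is detectable, and any hand-off where the item’s hash no longer matches the acquisition hash is flagged. The evidence bytes, examiner names and timestamps are constructed for the demo.

```python
"""Chain-of-custody log for one digital evidence item, built on content hashes.

Added example; evidence bytes, names and timestamps below are constructed.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Constructed placeholder: stands in for an acquired disk image.
EVIDENCE_IMAGE = b"CONSTRUCTED-SAMPLE: not a real disk image, placeholder bytes\n" * 64


def sha256_hex(data: bytes) -> str:
    """Content hash used to prove the item is unchanged between hand-offs."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log. Each entry records who handled the item, when, and the
    item's hash at that moment, and is chained to the previous entry so that
    editing, reordering or dropping an entry afterwards is detectable."""

    def __init__(self, evidence_id: str, data: bytes, handler: str, when: datetime):
        self.evidence_id = evidence_id
        self.reference_hash = sha256_hex(data)   # fixed at acquisition time
        self.entries: list[dict] = []
        self.record("acquired", handler, data, when)

    def _entry_hash(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, action: str, handler: str, data: bytes, when: datetime) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "action": action,
            "handler": handler,
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            "sha256": sha256_hex(data),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def integrity_breaks(self) -> list[int]:
        """Sequence numbers of hand-offs where the item no longer matches acquisition."""
        return [e["seq"] for e in self.entries if e["sha256"] != self.reference_hash]

    def log_is_consistent(self) -> bool:
        """True if no entry has been altered, reordered or removed since it was written."""
        prev = "0" * 64
        for seq, e in enumerate(self.entries):
            if e["seq"] != seq or e["prev_entry_hash"] != prev:
                return False
            if self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> tuple[list[int], bool, bool]:
    """Two clean hand-offs, one hand-off of a modified copy, then an edit to the log."""
    t0 = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("EV-0001", EVIDENCE_IMAGE, "examiner A", t0)
    log.record("transferred to lab", "examiner B", EVIDENCE_IMAGE, t0.replace(hour=10))
    # The working copy was altered before the next hand-off: flagged as seq 2.
    log.record("received for analysis", "examiner C", EVIDENCE_IMAGE + b"x", t0.replace(hour=11))
    breaks = log.integrity_breaks()
    consistent_before = log.log_is_consistent()
    log.entries[1]["handler"] = "someone else"   # after-the-fact edit of the paper trail
    consistent_after = log.log_is_consistent()
    return breaks, consistent_before, consistent_after


if __name__ == "__main__":
    print(demo())
```

The two checks answer different questions: `integrity_breaks` asks whether the evidence itself changed, `log_is_consistent` asks whether the record of handling changed. A court challenge can come from either gap, which is why both the item hash and the entry chain are kept.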
Tomi Engdahl says:
Case Study: The Executive Stealing Company Data https://4discovery.com/2022/06/02/case-study-the-executive-stealing-company-data/
The owner of a small data analytics firm had noticed that the organization’s head of sales had included his personal Gmail address on the CC of a forwarded email. A look at previous communications from the email server revealed that this sales executive had been frequently BCC’ing their personal Gmail address in sent emails. There was a raised level of concern when the owner received notification from their email service provider, MailChimp, that a download of the company’s contact records had been completed, without the owner performing this action. The owner’s suspicions prompted them to contact their corporate attorney, who engaged 4Discovery to investigate the activity.
Tomi Engdahl says:
Digital Experience Monitoring: More Important Than Ever
https://www.securityweek.com/digital-experience-monitoring-more-important-ever
With the shift to work-from-anywhere, many organizations have seen an increase in scale of remote work locations that their IT team must support. At the same time, users expect consistent and good quality experiences no matter where they are. Ultimately, users want their technology to work, and they don’t care what happens in the backend if they can reliably and consistently access the resources they need. This means IT needs a higher level of visibility when users work from anywhere, to ensure a consistent experience regardless of location.
To add to the dilemma, digitalization and cloud adoption have made the traditional model of deploying monitoring tools in a data center unsuitable. As branch and remote users nowadays access applications directly from their endpoints, IT practitioners are often faced with inconsistent visibility and control, which in turn affects their ability to support and resolve user issues. Thus, many organizations have turned to digital experience monitoring (DEM) tools to help identify technology performance issues and align application performance to support business objectives. In fact, Gartner predicts that by 2026, at least 60% of organizations will use DEM to measure application, services, and endpoint performance from the user’s viewpoint, up from less than 20% in 2021.
Tomi Engdahl says:
Automation. Where do We Go from Here?
https://www.securityweek.com/automation-where-do-we-go-here
What’s next in the evolution of security automation and orchestration?
Over the past 20 years we’ve seen significant improvements in cybersecurity technology and tools. For example, new versions of intrusion prevention systems and firewalls were introduced using terminology like “next-generation”, which I’m not a fan of because it borders on hype. (What is after next-generation? Next-next? But I digress…) Regardless, ultimately, important revisions and upgrades were made that helped security teams improve threat detection and prevention.
Unique capabilities also emerged like automation and orchestration that became the focus of new categories like security orchestration, automation and response (SOAR) platforms which quickly proved their value by improving the throughput of analyst work. As SOAR platforms grew in popularity, vendors of related cybersecurity product categories began to envision how automation and orchestration could also be applied to their area of focus. Soon, a technology that began as a unique capability of SOAR, evolved to become a core feature in many other categories. SIEM providers acquired stand-alone SOAR platforms, and endpoint detection and response (EDR) and extended detection and response (XDR) solutions broadened to include automation and orchestration capabilities. What’s next in the evolution of automation and orchestration?
U.S. Supreme Court Judge Louis D. Brandeis once said, “There are no shortcuts to evolution.”
From process-driven…
SOAR was off to a great start, touting the ability to increase security operations efficiency and consistency by automatically running a playbook in reaction to an incident or issue without the need for human intervention. However, as organizations began using SOAR, they encountered three main challenges:
1. In order for playbooks to run, processes need to be defined, created and maintained. Engineering work is also required to customize playbooks and standardize implementation. Many companies found SOAR was not an immediate fix to streamline security operations. Humans need to be involved as these efforts to put automation in place can be onerous.
2. The current approach to security automation has focused on automating processes, with no regard to the data being processed. This approach works fine if you’re in a static environment doing the same thing over and over again. But in detection and response, which is dynamic and variable, that’s not the case. Playbooks are run regardless of the relevance or priority of data. If you put noisy data in, the result will be amplified noise out.
3. Process-focused playbooks are inherently inefficient and complex because the decision-making criteria and logic are built into the playbooks and updates need to be made in each playbook. This complexity grows exponentially as you increase the number of playbooks.
…evolving to data-driven
As automation continues to evolve, a new approach to accelerate detection and response is emerging based on data and business logic to automatically trigger simple actions that can be standalone or be chained together. Instead of an entire process driving automation, a data-driven approach defines the criteria for the automation and how it is executed for greater focus, accuracy and agility. Security teams can determine what action to take based on data priority and relevance to their organization. Actions can be fine-tuned in response to what matters to the organization and what is effective against the latest threat. And because automation is based on data, you can also apply the outputs from detection and response as inputs for learning and improvement. If data changes and certain thresholds are hit, additional actions can be set to run automatically.
Tomi Engdahl says:
USB stick data protected with AES-256 encryption
https://etn.fi/index.php/13-news/13676-tikun-data-suojaan-aes-256-salauksella
Kingston Digital Europe has introduced a new encrypted USB flash drive. The IronKey Vault Privacy 50 is certified to the FIPS 197 specification and encrypts its contents with AES 256 hardware encryption in XTS mode.
The drive supports administrator, user and one-time recovery passwords in Complex or Passphrase modes. This multi-password option improves the ability to recover access to the data if one of the passwords is forgotten. Whereas the traditional Complex mode allows passwords of 6–16 characters, the new Passphrase mode lets users use a numeric PIN, a sentence, a list of words or even strings of 10–64 characters.
Tomi Engdahl says:
The Great Euro Sat Hack Should Be A Warning To Us All
https://hackaday.com/2022/06/02/the-great-euro-sat-hack-should-be-a-warning-to-us-all/
Military officials and civilian security researchers have been warning us for years: cyberattacks are becoming a very real part of modern warfare. Far from being limited to military targets, cyberattacks can take out everything from vital public infrastructure to commercial and industrial operations, too.
In the early hours of February 24, as the Russian invasion force began raining missiles on Ukrainian cities, another attack was in progress in the digital realm. Suddenly, satellite terminals across Europe were going offline, with many suffering permanent damage from the attack.
Details remain hazy, but researchers and military analysts have pieced together a picture of what happened that night. The Great Euro Sat Hack proved to be the latest example of how vulnerable our digital infrastructure can be in wartime.
A Network Is Only As Secure As Its Weakest Point
The KA-SAT satellite, operated and owned by US company Viasat, was launched in 2010. It’s charged with providing broadband satellite internet across Europe, with some limited coverage also extending to parts of the Middle East. Customers of the service include residential users across Europe, and many industrial systems as well.
On February 24, when Russian forces began their full-scale invasion of Ukraine, the KA-SAT system similarly came under attack. Thousands of terminals suddenly went offline in the early hours of the morning. Far from being limited to just Ukraine, users in Greece, Poland, Italy, Hungary, and Germany were all affected.
Notably, 5,800 wind turbines in Germany had their administration systems go dark as the attack raged. When the satellite links went down, monitoring the wind turbines via SCADA systems was no longer possible. Thankfully, grid stability was not affected according to operator ENERCON, as grid operators maintained control over the wind power input to the grid via other methods.
Early reports speculated that a simple distributed denial of service (DDoS) attack may have been to blame. This type of attack, where floods of traffic are used to overwhelm a network or server, is simplistic and short-lived.
However, it quickly became apparent that a much more serious attack had taken place. Researchers analyzing the fallout noted that many terminals had been permanently taken offline, and were no longer operable. Information slowly trickled out from various sources, indicating that the satellite itself had not been tampered with, nor damaged or physically attacked in any way. Thus, the issue likely laid in the ground segment of the KA-SAT network.
Just over a month after the attack, Viasat released a statement explaining the scale and nature of the attack. According to the company’s report, action began at 03:02 AM UTC with a denial of service attack propagating from users of SurfBeam 2 and Surfbeam2+ modems on a consumer-orientated section of the KA-SAT network. These modems located in Ukraine were generating large volumes of malicious traffic and were preventing legitimate users from remaining online. Viasat’s technical teams worked to block these malicious modems from the network, with more popping up as the team took them down.
Later analysis showed that a breach had occurred in the management systems of the KA-SAT network, via a “misconfiguration in a VPN appliance.” The attackers accessed the management network and used it to issue commands to residential modems on the network, corrupting the flash memory onboard and rendering them inoperable.
In the aftermath, security researcher Ruben Santamarta was able to lay his hands on an affected Surfbeam2 modem, as well as another clean device untouched by the attack. Dumping the flash memory from both modems was revealing. The compromised modem had heavily corrupted flash memory compared to the original, which left the modems in a non-working state. The damage was so complete in some cases that affected modems would not even display status lights when turned on. 0,000 replacement modems were ultimately shipped to customers to get them back online in the weeks following the attack.
There are still some questions to be answered regarding the attack. It’s unclear precisely how attackers entered the management segment of the KA-SAT network, and the company is reticent to publicise what happened.
Tomi Engdahl says:
DNA promises comprehensive digital security for a tenner a month
https://etn.fi/index.php/13-news/13667-dna-lupaa-kattavan-digiturvan-kympillae-kuussa
Information security threats such as scams phishing for online banking credentials are here to stay. At the same time, the need to protect against various scams, identity theft and viruses has grown. DNA Digiturva, implemented jointly by DNA and F-Secure, is the first service in Finland that protects devices, personal data, passwords and web browsing at the same time.
DNA Digiturva promises to fend off information security threats and protect all devices in use, personal data, passwords and internet use. DNA Digiturva works on mobile devices with a single app, and the service can also be used on computers. For ten devices the service costs 9.90 euros per month.
The service is also available for 1–2 devices at 6.90 euros per month, but this light version is sufficient for few. For 14.90 euros per month you can protect 25 devices, so this version is also suitable for small businesses.
Many Finns are worried about digital security. The most significant online threats have been considered to be the loss of personal data in a data breach and the harm caused by identity theft. According to DNA’s survey, people were also worried about, among other things, leaks of payment card data, the loss of sensitive or important information, hacking of bank accounts, and viruses and malware.
Tomi Engdahl says:
Video: A Civil Discourse on SBOMs
https://www.securityweek.com/video-civil-discourse-sboms
By SecurityWeek Video on June 01, 2022
In this highly anticipated discussion, CISA’s SBOM champion Allan Friedman and YL Ventures’ Andy Ellis join JupiterOne’s CISO Sounil Yu to dig deeper into the U.S. government’s response to supply chain attacks, the push for mandatory software bill of materials (SBOMs), the value and limits of ingredient lists for modern software stacks, whether or not they should be exposed publicly, and how defenders should prepare for the inevitable mandates.
Tomi Engdahl says:
The Hacker Gold Rush That’s Poised to Eclipse Ransomware
https://www.wired.com/story/business-email-compromise-bec-ransomware-scams/
As governments crack down on ransomware, cybercriminals may soon shift to business email compromise—already the world’s most profitable type of scam.
Tomi Engdahl says:
Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network
https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html
Tomi Engdahl says:
How to Secure Your Home Wireless Infrastructure with Kismet and Python
https://www.freecodecamp.org/news/wireless-security-using-raspberry-pi-4-kismet-and-python/
Tomi Engdahl says:
Home Network Security – How to Use Suricata, RaspberryPI4, and Python to Make Your Network Safe
https://www.freecodecamp.org/news/home-network-security-with-suricata-raspberrypi4-python/
Tomi Engdahl says:
CRLFsuite – Fast CRLF Injection Scanning Tool
https://www.kitploit.com/2022/06/crlfsuite-fast-crlf-injection-scanning.html?m=1
CRLFsuite is a fast tool specially designed to scan CRLF injection.
Features
Single URL scanning
Multiple URL scanning
Stdin supported
GET & POST method supported
Concurrency
Best Payloads list
Headers supported
Fast and efficient scanning with negligible false-positive
https://www.veracode.com/security/crlf-injection
CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. When CRLF injection is used to split an HTTP response header, it is referred to as HTTP Response Splitting.
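To make the vulnerability concrete, here is an added Python example (not code from CRLFsuite or the Veracode page). It builds a redirect response the way a naive server would, shows that a CR LF inside the user-supplied value is parsed by the client as a second header (the response-splitting case), then gives the hardened builder that refuses CR/LF in header values, plus the input check a defender would apply before a value ever reaches a header, including the percent-encoded forms. The responses are constructed in-process; nothing is sent over a network.

```python
"""CRLF injection in an HTTP response header: the defect, the fix, and a check.

Added example; the HTTP responses are constructed in-process.
"""
from __future__ import annotations

from urllib.parse import unquote


def _render(status_line: str, headers: list[tuple[str, str]]) -> bytes:
    """Serialise a header block the way a minimal HTTP/1.1 server would."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def redirect_vulnerable(location: str) -> bytes:
    """Defective: the user-controlled value goes straight into the header block.
    A CR LF inside it terminates the Location header and starts a new one."""
    return _render("HTTP/1.1 302 Found",
                   [("Location", location), ("Content-Length", "0")])


def redirect_safe(location: str) -> bytes:
    """Hardened: refuse CR or LF in a header value instead of trying to
    clean it, which is what current HTTP libraries enforce."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not allowed in header value")
    return _render("HTTP/1.1 302 Found",
                   [("Location", location), ("Content-Length", "0")])


def parse_headers(raw: bytes) -> dict[str, str]:
    """Parse the header block as a client would, to show what the receiver
    actually sees after injection."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def value_has_crlf(value: str) -> bool:
    """Input check: CR/LF present, including percent-encoded %0d / %0a forms
    that a server decodes before use."""
    decoded = unquote(value)
    return "\r" in decoded or "\n" in decoded


def demo() -> tuple[dict[str, str], bool, bool]:
    # Constructed input: a redirect target carrying an embedded CR LF.
    payload = "/home\r\nX-Injected: yes"
    seen_by_client = parse_headers(redirect_vulnerable(payload))
    try:
        redirect_safe(payload)
        safe_refused = False
    except ValueError:
        safe_refused = True
    flagged = value_has_crlf("/home%0d%0aX-Injected%3A%20yes")
    return seen_by_client, safe_refused, flagged


if __name__ == "__main__":
    print(demo())
```

The important design point is in `redirect_safe`: reject rather than strip. Stripping invites double-encoding and Unicode-normalisation tricks; a header value with a control character in it has no legitimate use, so failing closed is the right default.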
Tomi Engdahl says:
Closing the Door: DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices. It’s interesting to note that the number of DeadBolt-infected devices is considerably high for a ransomware family that is exclusively targeting NAS devices. DeadBolt is peculiar not only for the scale of its attacks but also for several advanced tactics and techniques that its malicious actors have implemented, such as giving multiple payment options, one for the user and two for the vendor. However, based on our analysis, we did not find any evidence that it’s possible for the options provided to the vendor to work due to the way the files were encrypted. Essentially, this means that if vendors pay any of the ransom amounts provided to them, they will not be able to get a master key to unlock all the files on behalf of affected users.
Tomi Engdahl says:
Cybersecurity Certification: breaking new ground https://www.enisa.europa.eu/news/enisa-news/cybersecurity-certification-breaking-new-ground
This year the European Union Agency for Cybersecurity (ENISA) has returned with its recurrent Cybersecurity Certification Conference.
The conference focused on the future of certification and on how the upcoming voluntary certification schemes will be further developed and implemented as part of the EU’s certification approach. Throughout the week, hybrid meetings of dedicated Ad-Hoc Working Group (AHWG) plenaries were also organised on the side-lines of the conference.
Tomi Engdahl says:
The Surreal Case of a C.I.A. Hacker’s Revenge https://www.newyorker.com/magazine/2022/06/13/the-surreal-case-of-a-cia-hackers-revenge
A hot-headed coder is accused of exposing the agency’s hacking arsenal. Did he betray his country because he was pissed off at his colleagues? At the C.I.A., Joshua Schulte became so known for his temper that his colleagues gave him a nickname: the Nuclear Option.
Tomi Engdahl says:
Beating Ransomware With Advanced Backup and Data Defense Technologies
https://www.securityweek.com/beating-ransomware-advanced-backup-and-data-defense-technologies
Question: If we can mitigate file encryption ransomware with backup, can we mitigate double extortion by adding advanced PII protection through data encryption or tokenization?
Criminal extortion continuously evolves. Sensitive data exfiltration and threats to expose stolen data have been added to file encryption. The new term is ‘double extortion’ which is used to describe the combination of file encryption and data exfiltration. The purpose of both actions is to extort payment from the victim.
The addition of data exfiltration is the criminal response to improving backup. When encrypted files or systems can be recovered from backup, there is less or no need to pay the ransom. To counter this, ransomware gangs started to steal sensitive data before encrypting the victims’ files. Backup may recover encrypted files, but it cannot recover stolen data – which is then used to blackmail the victim.
The stolen data in double extortion is primarily personally identifiable information (PII). Exposure of this data threatens the victims with possible regulatory fines through failure to protect user information, and certain loss of brand reputation. Most victims choose to pay the ransom.
But if companies can fully protect their PII – through technologies such as encryption or tokenization – could they deal as significant a blow to data extortion as backups have done to file encrypting ransomware?
In short, could the combination of advanced backup with usable PII encryption or tokenization eliminate the threat of double extortion? If the criminals do not get a payout, they will move to some other activity.
This idea is what we shall explore. We have chosen three technology leaders to illustrate the concept: immutable backup, homomorphic encryption and cloud-based vaultless tokenization. They are not the only options.
Note that this discussion applies only to classic double extortion; that is, IT encryption and data blackmail. It doesn’t apply if the extortion attack gets into the OT.
Immutable backup
Backup is an important part of any defense against ransomware – but backup is only part of this solution. The ability to restore from backup is just as important. Veeam is one backup specialist that believes it has the solution. The key points to Veeam’s backup and restore are immutability in backup and portability in restore.
“There are two different immutable copies of data that are inherently ready to drive absolute recovery,” said Rick Vanover, Veeam’s senior director of product strategy, “held on two different sites on two different control planes, and two different encryption planes.” The stored backup is encrypted, and consequently safe from hackers and data protection regulators, and there is no persistent connection to the storage, so the backup is safe from attacker interference. Recovery is ensured through a combination of data portability and customer selectable destinations.
If a victim decides to pay a ransom, and the decryption tool either fails or is withheld, then the victim has lost both the ransom fee and its systems. Even when decryption goes to plan, it can be weeks before the files are restored, and the systems released from forensic investigation. If the victim refuses to pay the ransom, he may be faced with rebuilding the entire infrastructure from whatever backup is available. Each one of these scenarios can cause long term damage to a victim’s profitability.
There are many reasons a victim may be unable to trust anything the backup came from. He could go to his hardware provider for new systems, but this would be costly and could be difficult in some supply chain conditions. “This is where Veeam’s absolute portability comes into play,” explained Vanover. “Veeam can take the backups and restore them to a service provider.”
Technically, there need be hardly a pause in operation between ransomware loss and service provider recovery. An alternative would be recovery to the public cloud. The victim then has the option of staying with the service provider or in the cloud or returning to his previously rebuilt infrastructure in the future.
Scalability is not a problem for Veeam. And since the solution is software defined, the cost is predictable irrespective of the restore location.
Homomorphic encryption
Companies store customer data for good commercial reasons. Sometimes it is for immediate use in transactions, sometimes for repeat transactions, and sometimes for market analysis. That customer information inevitably contains personally identifiable information (PII); and that PII is regulated by various industry, state and international data protection and privacy regulations – strictly speaking, if stored, it should be stored in encrypted (or tokenized) format.
But traditional encryption suffers from one major weakness: the result bears no relationship in either content or format with the source. Encrypted data cannot be processed – it needs to be decrypted first. The result can be an administrative headache to such an extent that encryption which should be used, often simply isn’t. This partly explains why double extortion data exfiltration is so successful in obtaining PII that can be used to blackmail the victim.
There have been two developments in encryption technology over the last few years that attempt to solve this problem: format preserving encryption (FPE, which makes processing encrypted data easier without always requiring decryption), and more recently, homomorphic encryption (which allows processing without decryption).
Tomi Engdahl says:
Activists Say Cyber Agency Weakens Voting Tech Advisory
https://www.securityweek.com/activists-say-cyber-agency-weakens-voting-tech-advisory
The nation’s leading cybersecurity agency released a final version Friday of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes.
The advisory put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems’ ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that although the vulnerabilities should be quickly mitigated, the agency “has no evidence that these vulnerabilities have been exploited in any elections.”
Dominion’s systems have been unjustifiably attacked since the 2020 election by people who embraced the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to incorrect and outrageous claims made by high-profile Trump allies.
The advisory CISA released Friday is based on a report generated by University of Michigan computer scientist J. Alex Halderman, an expert witness in a long-running lawsuit that is unrelated to false allegations stemming from the 2020 election.
Tomi Engdahl says:
Apple Blocked 1.6 Million Risky, Vulnerable Apps in 2021
https://www.securityweek.com/apple-blocked-16-million-risky-vulnerable-apps-2021
Apple says its App Store fraud prevention mechanisms last year stopped potentially fraudulent transactions totaling roughly $1.5 billion.
Throughout 2021, the company prevented more than 3.3 million stolen credit cards from making purchases in the App Store, and banned nearly 600,000 accounts from ever transacting again.
The company also notes that in 2021 it rejected more than 1.6 million risky and vulnerable applications and app updates from the store, either for containing vulnerabilities that impeded functionality, or for requiring various improvements.
That figure, Apple explains, included over 835,000 problematic new apps, of which over 34,000 were apps containing hidden or undocumented features; 157,000 were spam, copycat, or otherwise misleading apps; and over 340,000 were privacy-violating apps.
Furthermore, an additional 805,000 app updates were rejected or removed from the App Store, as part of Apple’s App Review process.
Tomi Engdahl says:
Cisco EVP: We need to lift everyone above the cybersecurity poverty line https://www.theregister.com/2022/06/06/cisco_security_rsa/
Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration. “It’s our civic duty to ensure that everyone below the security poverty line has a level of safety, because it’s gonna eventually get to be a human-rights issue,” Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. “This is critical infrastructure: financial services, health care, transportation services like your water supply, your power grid, all of those things can stop in an instant if there’s a breach,” he said.
Tomi Engdahl says:
The Active Adversary Playbook 2022
https://news.sophos.com/en-us/2022/06/07/active-adversary-playbook-2022/
The challenge of defending an organization against rapidly evolving, increasingly complex cyberthreats can be considerable. Adversaries continuously adapt and evolve their behavior and toolsets, leverage new vulnerabilities, and misuse everyday IT tools to evade detection and stay one step ahead of security teams. The Active Adversary Playbook 2022 details the main adversaries, tools, and attack behaviors seen in the wild during 2021 by Sophos’ frontline incident responders. It follows on from the Active Adversary Playbook 2021 and shows how the attack landscape continues to evolve. The aim is to help security teams understand what adversaries do during attacks and how to spot and defend against such activity on their network.
Tomi Engdahl says:
Finland Chamber of Commerce study: Hybrid influence targeting companies has increased; interruption of electricity distribution is the biggest threat to companies https://kauppakamari.fi/tiedote/keskuskauppakamarin-selvitys-yrityksiin-kohdistuva-hybridivaikuttaminen-lisaantynyt-sahkonjakelun-keskeytyminen-yrityksille-suurin-uhka/
According to the study Yrityksiin kohdistuva hybridivaikuttaminen 2022 (Hybrid Influence Targeting Companies 2022), carried out by the Finland Chamber of Commerce (Keskuskauppakamari) together with the National Emergency Supply Agency (Huoltovarmuuskeskus), half of companies would not be able to stay in operation or relocate their operations if electricity distribution were interrupted. Disruption of digital services and the internet also ranks high among companies’ concerns. According to the study, hybrid influence targeting large companies in particular has increased, and the likelihood of companies being targeted has grown.
Companies want information from the authorities as well as from the media.
Tomi Engdahl says:
Cybersecurity awareness training: What is it and what works best?
https://www.welivesecurity.com/2022/06/07/cybersecurity-awareness-training-what-is-it-what-works-best/
There’s an old adage in cybersecurity that humans are the weakest link in the security chain. That’s increasingly true, as threat actors compete to exploit credulous or careless employees. But it’s also possible to turn that weak link into a formidable first line of defense. The key is rolling out an effective security awareness training program. Research reveals that 82% of data breaches analyzed in 2021 involved a “human element.” It’s an inescapable fact of modern cyberthreats that employees represent a top target for attack. But give them the knowledge needed to spot the warning signs of an attack, and to understand when they may be putting sensitive data at risk, and there’s a huge opportunity to advance risk mitigation efforts.
Tomi Engdahl says:
HTTP/3 evolves into RFC 9114: a security advantage, but not without challenges https://portswigger.net/daily-swig/http-3-evolves-into-rfc-9114-a-security-advantage-but-not-without-challenges
This week, the Internet Engineering Task Force (IETF) released HTTP/3, published as RFC 9114. The HTTP protocol is the backbone of the web.
The Hypertext Transfer Protocol (HTTP) acts as an application layer for facilitating communication between servers and browsers, fetching resources, and transferring data. HTTPS is HTTP with additional security via encryption. HTTP/3 is the latest revision of the HTTP protocol, taking over from 2015’s HTTP/2. HTTP/3 is designed to address some of the performance issues inherent in HTTP/2, improving the user experience, decreasing the impact of packet loss without head-of-line blocking, speeding up handshake requirements, and enabling encryption by default. The protocol utilizes space congestion control over User Datagram Protocol (UDP).
Tomi Engdahl says:
For the Common Good: How to Compromise a Printer in Three Simple Steps https://www.crowdstrike.com/blog/how-to-compromise-a-printer-in-3-simple-steps/
In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them.
Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers.
In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.
Tomi Engdahl says:
4 Ways to Close the OT Cybersecurity Talent Gap
https://www.securityweek.com/4-ways-close-ot-cybersecurity-talent-gap
We have a great challenge with the gap in cybersecurity jobs in general, with estimates ranging from 2.72 million to 3.5 million job openings in 2021. However, the gap in very specialized Operational Technology (OT) cybersecurity is even greater since IT has a decades-long head start in building expertise and, therefore, a larger talent pool. According to a global survey of IT and OT security professionals conducted by Pollfish in September 2021, 90% of respondents say they are looking to hire more industrial cybersecurity professionals and roughly the same number (88%) say it has been difficult to find enough candidates with the skills and experience required to properly manage an OT network’s cybersecurity.
There are no easy solutions to close the OT cybersecurity talent gap, but here are a few ideas to help you get started:
1. Cross-train your IT security staff. If you’re having challenges hiring for OT cybersecurity positions, run a hands-on training for some of your IT staff so that they can spend time shadowing OT engineers and operators. OT systems do have very different specifications; however, given their long lifecycles, most of them are dated. Therefore, experienced IT staff should be pleasantly surprised to find they are familiar with many of the underlying technologies.
2. Engage with educational institutions. Look into the new OT cybersecurity programs being offered by different educational institutions. There aren’t enough programs yet, but many are starting to get created across colleges and universities.
3. Consider the role of government initiatives. At the government level, Singapore recently made huge progress towards this challenge and can serve as a role model. In October 2021, the Cyber Security Agency of Singapore (CSA) launched the Operational Technology Cybersecurity Competency Framework (OTCCF) with support from private sector entities, to provide the foundation to attract and develop talent for the country’s OT cybersecurity sector. While CSA has offered courses on OT cybersecurity for several years, the increased connectivity between IT and OT systems is driving greater demand for job roles requiring competencies in both IT and OT, so OT engineers need deeper technical training. Not only does the OTCCF map the job roles, technical skills, and core competencies that are in need, it also captures the possible career pathways, showing the options for vertical and lateral progression.
4. Lean into technology to help. Assets in industrial environments are hard to detect, hard to manage, and even harder to secure—particularly in our expanding universe of connected equipment and devices. Technology is making huge strides towards interpreting the obscurity of OT networks all the way out to the Extended Internet of Things (XIoT), which includes your OT environment, Industrial IoT devices (IIoT), the Internet of Medical Things (IoMT), and enterprise IoT.
Agentless solutions that are purpose built for asset visibility help identify vulnerabilities and suspicious behavior across the XIoT and provide the foundation for continuous threat monitoring to detect and track threats that cross the IT/OT boundary. Such solutions can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to look at OT environments together. Working from the same set of information, these teams can take specific steps to start minimizing risk and strengthening security in weeks, not months.
Tomi Engdahl says:
New Dragos OT-CERT Provides Free Industrial Cybersecurity Resources
https://www.securityweek.com/new-dragos-ot-cert-provides-free-industrial-cybersecurity-resources
Industrial cybersecurity firm Dragos on Tuesday announced the launch of OT-CERT, a new initiative whose goal is to provide free cybersecurity resources for industrial asset owners and operators.
The OT-CERT (Operational Technology Cyber Emergency Readiness Team) aims to help members improve their cybersecurity posture, create cybersecurity programs, and reduce risk.
Dragos says the goal is to address “a serious gap in securing industrial infrastructure: the lack of OT-specific resources readily available to the industrial infrastructure community.”
Organizations of all sizes can become members of the new Dragos OT-CERT. Using the OT-CERT portal, members will have access to OT security best practices, security maturity assessments, webinars, workshops, and tabletop exercises.
“Our goal for Dragos OT-CERT is to be a useful, relevant, and actionable community resource for industrial asset owners and operators by aligning them with the resources, training, partnerships, and community needed to make securing their OT environments possible,” said Dawn Cappelli, the director of OT-CERT.
Industrial Cybersecurity Resources for the OT Community
https://www.dragos.com/ot-cert/
OT-CERT is an Operational Technology – Cyber Emergency Readiness Team dedicated to addressing the OT resource gap that exists in industrial infrastructure. Designed to support asset owners and operators of industrial infrastructure, Dragos OT-CERT provides free cybersecurity resources for the Industrial Control System (ICS) /OT community.
OT-CERT provides free resources for the ICS/OT community, providing members with information and materials to help build an OT cybersecurity program, improve their security posture, and reduce OT risks.