Nothing is more difficult than making predictions. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threatit’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has
emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product, ” points out constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
we’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next?. PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
There are some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Kännyköiden tietoturva menee uusiksi
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structure will also come in the smart phones. The new Armv9-A architecture last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll varoittaa “kyberpandemiasta” internetin häiriö voi panna maailman taas sekaisin
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnagl says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack area of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micron raportti: tulevaisuudessa kaikki on vaarassa
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
How TikTok is turning a generation of video addicts into a data goldmine
https://www.theguardian.com/commentisfree/2022/jun/25/how-tiktok-is-turning-a-generation-of-video-addicts-into-a-data-goldmine?CMP=fb_a-technology_b-gdntech
The Chinese tech giant is taking surveillance capitalism to a new level. It’s almost enough to make you feel sorry for Zuckerberg
The existential threat that TikTok poses to the social media giants, though, is not demographic: it’s about attention. As the Nobel economics laureate Herbert Simon pointed out decades ago, in a world where information (and entertainment) is abundant, the critical scarce resource becomes attention and Facebook/Meta et al are now locked in combat for that. Since attention is a finite resource (there are only so many hours in a day) competition between them has become a zero-sum game. The more attention one attracts, the less there is for the others.
And this is where TikTok seems to be winning hands down. Its users currently spend an average of 52 minutes a day on it and 90% of them visit the app more than once a day. According to Scott Galloway, a seasoned observer of the tech world, the average session lasts 11 minutes, which is enough time to watch 26 videos of about 25 seconds each. He tells an instructive story about what that might mean in practice.
Tomi Engdahl says:
https://github.com/enaqx/awesome-pentest
Tomi Engdahl says:
https://medium.com/@turkishhoodie010/the-dirty-cow-race-condition-attack-7ba27f78f865
Tomi Engdahl says:
https://thehackernews.com/2022/06/multiple-backdoored-python-libraries.html
Tomi Engdahl says:
YKSITYISYYDENSUOJA – DIGIMARKKINOINNIN TÄRKEIN TRENDI VUONNA 2022
https://parcero.fi/blogi/yksityisyydensuoja-digimarkkinoinnin-tarkein-trendi-vuonna-2022/
Tomi Engdahl says:
Facebook is locking people out of their accounts. Here’s how to activate Facebook Protect
Facebook Protect emails look like phishing scams, but are in fact, legit. Why this Star editor stopped ignoring them and here’s how to make sure you don’t get locked out.
https://www.thestar.com/business/2022/06/16/facebook-is-locking-people-out-of-their-accounts-heres-how-to-activate-facebook-protect.html
Tomi Engdahl says:
Over 900,000 Kubernetes instances found exposed online
https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-instances-found-exposed-online/
Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks.
Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface.
It enjoys massive adoption and growth rates thanks to its scalability, flexibility in multi-cloud environments, portability, cost, app development, and system deployment time reductions.
However, if Kubernetes isn’t configured properly, remote actors might be able to access internal resources and private assets that weren’t meant to be made public.
Tomi Engdahl says:
Cyber-Physical Security: Benchmarking to Advance Your Journey
https://www.securityweek.com/cyber-physical-security-benchmarking-advance-your-journey
Operational resilience is a priority and organizations are decisive about protecting cyber-physical systems (CPS) in today’s consolidated and converged reality
Over the last few years, the pandemic, rapid growth in several sectors and geographies, and the work from home paradigm shift have significantly accelerated the convergence of IT and operational technology (OT) networks and necessitated a consolidated strategy to address cyber risks across cyber-physical systems (CPS). Companies began to rise to the challenge and streamlined their IT and cybersecurity strategies to reflect this reality. This meant:
• Bringing OT and IT experts together to define a consolidated strategy
• Looking for efficiency and cost optimizations across the cybersecurity product stack that can address both fields
• Mapping their progress against an industry-defined and tested framework, to understand where they stand versus the competition and communicate risk and opportunities to the board
Cybersecurity, especially for CPS, evolved from being a cost factor, to an enabler for digital transformation, to a differentiating advantage for companies that truly excel at it.
Today, our physical world is very dependent on its digital components as we strive for greater efficiency, automation, and cost and time savings by leveraging the power of AI and insights from data analytics. These advancements all require CPS interconnectivity so we can share data and take advantage of simplified and more efficient workflows.
In my discussions with CISOs and security leaders, the framework is very helpful in:
• Benchmarking against peers, competitors, and the industry as a whole
• Highlighting the risk to the organization relative to the market, which is important in communicating risk to the board
• Explaining the need for investment in CPS security and the priorities
The Gartner OT/CPS Security Journey has six phases.
Tomi Engdahl says:
MITRE shares this year’s list of most dangerous software bugs https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-list-of-most-dangerous-software-bugs/
MITRE shared this year’s top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years.
Tomi Engdahl says:
FBI: Stolen PII and deepfakes used to apply for remote tech jobs https://www.bleepingcomputer.com/news/security/fbi-stolen-pii-and-deepfakes-used-to-apply-for-remote-tech-jobs/
The Federal Bureau of Investigation (FBI) warns of increasing complaints that cybercriminals are using Americans’ stolen Personally Identifiable Information (PII) and deepfakes to apply for remote work positions.
Tomi Engdahl says:
MITRE shares this year’s list of most dangerous software bugs
https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-list-of-most-dangerous-software-bugs/
The table below provides insight into the most critical and current security weaknesses affecting software worldwide.
Rank ID Name Score KEV Count (CVEs) Rank Change vs. 2021
1 CWE-787 Out-of-bounds Write 64.20 62 0
2 CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45.97 2 0
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 22.11 7 +3 upward trend
4 CWE-20 Improper Input Validation 20.63 20 0
5 CWE-125 Out-of-bounds Read 17.67 1 -2 downward trend
6 CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 17.53 32 -1 downward trend
7 CWE-416 Use After Free 15.50 28 0
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14.08 19 0
9 CWE-352 Cross-Site Request Forgery (CSRF) 11.53 1 0
10 CWE-434 Unrestricted Upload of File with Dangerous Type 9.56 6 0
11 CWE-476 NULL Pointer Dereference 7.15 0 +4 upward trend
12 CWE-502 Deserialization of Untrusted Data 6.68 7 +1 upward trend
13 CWE-190 Integer Overflow or Wraparound 6.53 2 -1 downward trend
14 CWE-287 Improper Authentication 6.35 4 0
15 CWE-798 Use of Hard-coded Credentials 5.66 0 +1 upward trend
16 CWE-862 Missing Authorization 5.53 1 +2 upward trend
17 CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) 5.42 5 +8 upward trend
18 CWE-306 Missing Authentication for Critical Function 5.15 6 -7 downward trend
19 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 4.85 6 -2 downward trend
20 CWE-276 Incorrect Default Permissions 4.84 0 -1 downward trend
21 CWE-918 Server-Side Request Forgery (SSRF) 4.27 8 +3 upward trend
22 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) 3.57 6 +11 upward trend
23 CWE-400 Uncontrolled Resource Consumption 3.56 2 +4 upward trend
24 CWE-611 Improper Restriction of XML External Entity Reference 3.38 0 -1 downward trend
25 CWE-94 Improper Control of Generation of Code (‘Code Injection’) 3.32 4 +3 upward trend
Tomi Engdahl says:
Further Examination into External Attack Surface https://public-exposure.inform.social/post/from-assets-to-exposure/
This write-up will concentrate on the process of moving from cataloguing assets to having an idea on the attack surface involved.
Tomi Engdahl says:
The Link Between AWM Proxy & the Glupteba Botnet https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/
On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade.
Tomi Engdahl says:
YARAify: Defensive tool scans suspicious files against a large repository of YARA rules https://portswigger.net/daily-swig/yaraify-defensive-tool-scans-suspicious-files-against-a-large-repository-of-yara-rules
YARAify can scan files using public YARA rules, integrate public and non-public YARA rules from Malpedia, operated by Germany’s Fraunhofer Institute, and scan using open and commercial ClamAV signatures.
Tomi Engdahl says:
CISA Calls for Expedited Adoption of Modern Authentication Ahead of Deadline
https://www.securityweek.com/cisa-calls-expedited-adoption-modern-authentication-ahead-deadline
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers detail sophisticated malware targeting various routers and taking over Windows, macOS, and Linux devices, in North America and Europe for ~2 years — Router-stalking ZuoRAT is likely the work of a sophisticated nation-state, researchers say. — An unusually advanced hacking group …
A wide range of routers are under attack by new, unusually sophisticated malware
Router-stalking ZuoRAT is likely the work of a sophisticated nation-state, researchers say.
https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/
Tomi Engdahl says:
Securing the Metaverse and Web3
https://www.securityweek.com/securing-metaverse-and-web3
Security must be built into the metaverse as it moves from science fiction to science reality
The terms ‘web3’ (Web 3.0) and ‘metaverse’ have been so heavily promoted by the cryptocurrency and gaming industries that it is easy to think it’s a niche terminology with little overall business value. That would be wrong. Each technology offers valuable business opportunities — but their synergy could change the nature of the future internet.
Web3 fundamentally comprises the blockchain technology that underpins cryptocurrency. Cryptocurrencies are still searching for legitimacy beyond an a risky and highly speculative investment opportunity. They haven’t found it. They are loved by speculators and widely used by criminals but largely shunned by a business world that prefers the greater stability of fiat currencies (Bitcoin dropped in value from around $60,000 in November 2021 to less than $18,000 in June 2022).
Nevertheless, cryptocurrency paints itself as the future of global finance (not impossible, but a long and hard road). By promoting the underlying technology as web3, and describing it as the future of the internet, it gains some credibility for its own futuristic claims.
The metaverse is any technology that provides an immersive experience, so that users feel as if they are part of the experience rather than just spectators of a flat or moving web page. The gaming industry has been moving in this direction for years – but the reality of fully immersive virtual reality is still largely in the future.
Nevertheless, the metaverse potential goes way beyond gaming, driven by the human preference to talk ‘in person’. Immersive virtual reality on social platforms will allow people to meet and talk face-to-face, will bring remote workers together more effectively than Zoom, will allow genuine distributed learning from junior school to metaversities, will facilitate effective remote medical consultations – and much more.
The synergy between web3 and the metaverse will come from the greater need for fine-grained and secure access control into, and identity within, the metaverse – something that can be effectively delivered in a secure decentralized manner by web3’s blockchain technology. It is the focus on identity within the metaverse, and the ability for web3 to deliver that identity securely and across multiple metaverses, that leads some commentators to describe web3 as the enabler of the metaverse.
Tomi Engdahl says:
Start using Modern Auth now for Exchange Online https://www.theregister.com/2022/06/29/cisa-microsoft-modern-auth/
The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October. “Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth, ” CISA wrote.
“After completing the migration to Modern Auth, agencies should block Basic Auth.”. The agency adds that Basic Auth is often used by legacy applications or custom-built business software, and that many user-facing applications, such as Outlook Desktop and Outlook Mobile App, already have been moved to Modern Auth via Microsoft security updates. The advisory:
https://www.cisa.gov/sites/default/files/publications/switch-to-modern-authentication-in-exchange-online-062822-508.pdf
Tomi Engdahl says:
Telecom Security Forum: National Authorities and Telecom Regulators Analyse Policy Implementation & Current Cyber Threats https://www.enisa.europa.eu/news/enisa-news/telecom-security-forum-national-authorities-and-telecom-regulators-analyse-policy-implementation-current-cyber-threats
The Telecom Security Forum gathered national authorities and telecom regulators around a busy agenda covering the role of telecom sector in the Ukraine crisis, policy topics like the 5G toolbox and Open RAN, technical topics such as the Flubot mitigation and SS7 interconnection attacks, and future technologies like quantum satellites and post-quantum cryptography. More than 150 participants attended this year’s edition of the Forum. In addition to the Forum, ENISA also hosted the 37th meeting of the ECASEC Expert Group (European Competent Authorities for Secure Electronic Communications), as well as meetings of the NIS Cooperation group for core internet and digital services, and the 5G cybersecurity group, responsible for the EU 5G toolbox. On Friday, ENISA organizes a knowledge-building seminar for authorities on 5G security and telecom attacks.
Tomi Engdahl says:
Ukraine targeted by almost 800 cyberattacks since the war started https://www.bleepingcomputer.com/news/security/ukraine-targeted-by-almost-800-cyberattacks-since-the-war-started/
Ukrainian government and private sector organizations have been the target of 796 cyberattacks since the start of the war on February 24, 2022, when Russia invaded Ukraine. According to Ukraine’s cybersecurity defense and security agency SSSCIP (short for State Service of Special Communications and Information Protection), the country’s networks have been under a constant barrage of hacking attempts since the war started. The country’s government and local authorities, as well as its defense organizations, are the key sectors that have been targeted the most during the first months of the war, in a total of 281 attacks.
Tomi Engdahl says:
2022 0-day In-the-Wild Exploitationso far https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html
This blog post is an overview of a talk, ” 0-day In-the-Wild Exploitation in 2022so far”, that I gave at the FIRST conference in June 2022. The slides are available here. For the last three years, we’ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the 2021 Year in Review report, which we published just a few months ago in April. While we plan to stick with that annual cadence, we’re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022.
Tomi Engdahl says:
How mercenary hackers sway litigation battles https://www.reuters.com/investigates/special-report/usa-hackers-litigation/
A trove of thousands of email records uncovered by Reuters reveals Indian cyber mercenaries hacking parties involved in lawsuits around the world showing how hired spies have become the secret weapon of litigants seeking an edge. The Reuters report is based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It also draws on a unique database of more than 80,
000 emails sent by Indian hackers to 13, 000 targets over a seven-year period.
Tomi Engdahl says:
China lured graduate jobseekers into digital espionage https://arstechnica.com/information-technology/2022/06/china-lured-graduate-jobseekers-into-digital-espionage/
Chinese university students have been lured to work at a secretive technology company that masked the true nature of their jobs:
researching Western targets for spying and translating hacked documents as part of Beijing’s industrial-scale intelligence regime.
They had responded to job advertisements at Hainan Xiandun, a company that was located in the tropical southern island of Hainan. Hainan Xiandun is alleged by a 2021 US federal indictment to have been a cover for the Chinese hacking group APT40. Western intelligence agencies have accused APT40 of infiltrating government agencies, companies and universities across the US, Canada, Europe and the Middle East, under the orders of China’s Ministry of State Security (MSS).
Tomi Engdahl says:
Israel plans Cyber-Dome’ to defeat digital attacks from Iran and others https://www.theregister.com/2022/06/30/israel_cyber_dome/
The new head of Israel’s National Cyber Directorate (INCD) has announced the nation intends to build a “Cyber-Dome” a national defense system to fend off digital attacks. Gaby Portnoy, director general of INCD, revealed plans for Cyber-Dome on Tuesday, delivering his first public speech since his appointment to the role in February.
Portnoy is a 31-year veteran of the Israeli Defense Forces, which he exited as a brigadier general after also serving as head of operations for the Intelligence Corps, and leading visual intelligence team Unit 9900.
Tomi Engdahl says:
Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses https://www.crowdstrike.com/blog/how-crowdstrike-traces-the-evolution-of-ecrime/
Cybercriminals are constantly evolving their operations, the methods they use to breach an organization’s defenses and their tactics for monetizing their efforts. In the CrowdStrike 2022 Global Threat Report, we examined how the frequency and sophistication of ransomware attacks has grown in the past year. What are the forces driving this growth, and how exactly do cybercriminals make money?
Tomi Engdahl says:
Using process creation properties to catch evasion techniques https://www.microsoft.com/security/blog/2022/06/30/using-process-creation-properties-to-catch-evasion-techniques/
We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques breaks some assumptions made by security products and enables attackers to escape antimalware scans by circumventing process creation callbacks using a legacy process creation syscall. Publicly known variations of this class are process doppelganging, process herpaderping, and process ghosting. This blog post presents our detailed analysis of how this process execution class works and how it takes advantage of Windows functionalities to evade detection. It also presents a peek into the research, design, and engineering concerns that go into the development of a detection method aiming to be as robust and future-proof as possible.
Tomi Engdahl says:
https://www.securityweek.com/securing-metaverse-and-web3
Tomi Engdahl says:
https://www.securityweek.com/rsac22-and-infosecurity-europe-three-weeks-two-events
Tomi Engdahl says:
Companies are desperate for cybersecurity workers—more than 700K positions need to be filled
https://fortune.com/education/business/articles/2022/06/30/companies-are-desperate-for-cybersecurity-workers-more-than-700k-positions-need-to-be-filled/
The need for cybersecurity professionals has been growing rapidly, even faster than companies can hire—and that demand is expected to continue. The number of unfilled cybersecurity jobs worldwide grew 350% between 2013 and 2021, from 1 million to 3.5 million, according to Cybersecurity Ventures. The industry researcher also predicts that in five years, the same number of jobs will still be open.
In the U.S., there are about 1 million cybersecurity workers, but there were around 715,000 jobs yet to be filled as of November 2021, according to a report by EMSI Burning Glass, a market research company. If so many bodies are needed to fill seats in cybersecurity roles, then what’s the holdup on companies and universities preparing future professionals to take these jobs?
There’s no one answer to that question
“Cybersecurity jobs see the skill requirements evolve far more rapidly than many other fields,” Markow, who specializes in cybersecurity job market research, explains. “Cybersecurity jobs are, by nature, more likely to fuse together skill sets from disparate domains. If you think about it, every new technology now has a digital component, and every technology with a digital component needs to have a digital security component.”
Why it’s difficult to fill cybersecurity roles
While companies are looking to hire cybersecurity professionals in droves, the industry often requires that workers have certain credentials or certifications on top of education requirements, Markow explains. An example is a CISSP certification, which is required for many top-level cybersecurity roles that are in high demand—and have high-paying salaries, to the tune of about $120,000.
Bottom line: Even if you have an undergrad or graduate degree in cybersecurity, computer science, or an adjacent field, that may not be enough to land certain jobs in the industry.
“Employers have been very slow to reduce either credential requirements or education requirements for cybersecurity jobs, despite the hiring difficulty that they have,” Markow says. “We really haven’t seen any noticeable shift in the share of cybersecurity openings that are available to workers who don’t have either a bachelor’s degree or at least three-to-five years of prior work experience.”
The talent companies need
Some employers, however, are developing talent pipelines for cybersecurity roles. One employer in particular that hires swaths of cybersecurity professionals is Deloitte; as of May 2021, the company employed more than 22,000 cybersecurity workers around the world under its Deloitte Cyber business line. In fact, Deloitte was named as the top company for hiring cybersecurity talent by Datamation.
Other top cybersecurity employers include PwC, EY, Booz Allen Hamilton, and KPMG. Research from EMSIBG also shows that in recent months, financial services requested more cybersecurity workers than professional services companies.
In step with global trends, the demand for cybersecurity talent at Deloitte continues to grow, Deborah Golden, Deloitte US Cyber and Strategic Risk leader, tells Fortune.
“The cybersecurity landscape used to be contained within four walls. Obviously where we are today, that’s truly not the case,” she says. “The pandemic pushed change into a bit of hyper speed, but we were already headed into digital transformation. Because of that, we are becoming overly diverse in terms of the types skills we’re looking for, from everything from deep cyber to domain expertise.”
“Don’t be concerned if you don’t have all the certifications or the degrees or the capabilities that you think were historically needed for cyber,” Golden advises. “Given where the market is today, there’s a need to have greater diversity of thought, and just candidly, more and different types of skill sets and backgrounds coming to solve.”
Breaking into cybersecurity
Undergraduate and graduate degree programs focused on cybersecurity continue to be a popular route for entering the industry. But like Deloitte, other companies are also provide in-house training for current employees who are looking to enter the cybersecurity workforce.
If you’re already in a technical role—but not specifically cybersecurity—Markow suggests finding ways to “bake” cybersecurity into your current role. This could involve learning a new skillset through shorter-term training opportunities or bootcamps.
Another way to get your feet wet is to prepare to take one of the entry-level cybersecurity certification tests, such as Security Plus.
“You’ll learn a lot about the field just in preparing for the exam,” he says. “And then if, and when, you obtain the credential, you already have a credential that’s in demand and requested by many employers, which is just going to make it all that much easier for you to find your first job and enter in advance your career in cybersecurity.”
Tomi Engdahl says:
https://whatismyipaddress.com/ip-lookup
https://whatismyipaddress.com/
Tomi Engdahl says:
https://fortune.com/education/business/articles/2022/06/30/companies-are-desperate-for-cybersecurity-workers-more-than-700k-positions-need-to-be-filled/
Tomi Engdahl says:
Karstulalainen Harri Laitinen kehitti ”pomminkestävän” pikaviestimen – tällainen on Kilpi https://www.is.fi/digitoday/mobiili/art-2000008916609.html
Tomi Engdahl says:
Ultrasonic Cross-device tracking technology
https://dailyedutalk.blog/2022/06/25/ultrasonic-cross-device-tracking-technology/#Ultrasonic-cross-device-tracking-unavoidable
Advance organizations or individuals like hackers and especially advertisers need very little information about you. While most of us who care about privacy do not allow even block them to track. But they still want this information without our permission. Ultrasonic cross-device tracking technology takes place major assist to get back that information to them.
Everywhere you go and whatever you might be doing as long as you have an electronic device with a microphone, speakers, or gyroscope that device might be listening. Not just your phone but also your laptop, tablet, smartwatch, tv, or IoT-enabled home appliances. All participating in the most undercover and unavoidable method of tracking your location and behavior.
Beacons are emitting high-frequency sounds and receivers are listening to those signals during advertisement breaks. your tv will emit ultrasounds that you won’t be able to hear but your phone and dog will.
In this case, it would generate an identifier with information about you watching a particular tv program at a given time your phone will save this information and make it available for apps on your phone to read and transfer to advertisers. what just happened here is called Ultrasonic Cross-Device Tracking.
It’s a method of linking multiple devices of a user to track their behavior and location. It works with all devices equipped with regular microphones, speakers, or even gyroscope sensors. Ultrasonic audio beacons can be embedded in any form of media such as tv programs, websites, online videos, apps on your phones, or even digital billboards and banners.
It works both ways using ultrasound audio beacons can always detect when your phone is nearby and likewise apps on your phone can listen for potential audio beacons to track what you do and see.
The only constraint of ultrasonic tracking is bitrate and distance. The bandwidth of high-frequency transmission is about 10 to 20 bits per second, that aren’t a lot of data that can be transmitted. It is just enough to transfer identifiers from your phone and nearby beacons to communicate your proximity, location, and fingerprinting information such as what browser or device type do you use.
High-frequency sounds are not going to travel a fast distance. the limit of this technology, at least what is publicly known is no less than 65 feet. that may not sound like much but it is enough to transfer data in densely populated urban areas even from air gap machines, that is even if you keep all of your devices completely off the grid your data can travel on high-frequency sounds and hop between devices until it reaches one that is connected to the internet.
The ultrasonic Cross-Device tracking method is usually completely permissionless and secret. you won’t receive any notifications and oftentimes, you’ll never know what apps on your phone or websites you visit have ultrasonic beacons or receivers in them. you won’t be able to stop it even if you disable location services or take your phone completely offline, enable airplane mode, remove your sim card, and cut off all network access, the transmission of data via ultrasonic means is going to work outside of all radio signals.
Ultrasonic tracking has proven to be so effective it can even de-anonymize TOR users, audio beacons can bypass tor by sending true location information and the original IP address of a TOR user straight to the adversaries or advertisers.
If that doesn’t scare you enough ultrasonic transmissions happen instantly and without any authentication or encryption, your sensitive data is blasted into the air for several meters and can be collected by other devices. Adversaries can potentially build a mesh network of audio beacons to collect sensitive data of all the devices in proximity.
There is a mechanism to opt-out of this tracking, revoking the app’s permission to access your microphone. Only allow microphones for apps while in use and only for those apps that truly need it or features you use, but restricting microphone access is only going to mitigate a portion of high-frequency tracking signals.
One of the other best defense mechanisms would be with microphone hardware switches that completely cut off the electric current from even going into your mic these are currently introduced only in a couple of non-mainstream projects.
Even that wouldn’t be enough to stop ultrasonic tracking in 2018 researchers from Yale and Technical University of Darmstadt in Germany found a way to exploit gyroscope sensors to do the ultrasonic cross-device tracking and transmission with zero permission access.
A gyroscope is a tiny sensor in a phone that measures its rotation rate to estimate its orientation in space. These sensors are designed to have a resonance frequency between 19 to 29 kilohertz which is well within the ultrasonic range. This makes gyroscopes responsive to exploitation for ultrasonic transmission with a bandwidth of 10 to 20 bits per second using gyroscopes doesn’t usually require special permissions which is why this is a zero permission access.
Restricting access to the sensor is only available on Graphene OS.
In 2017 researchers in Germany found hundreds of apps using audio beacons and some of them have been downloaded millions of times the biggest names in their findings listed McDonald’s and Krispy Kreme.
Google and Apple will have to develop tools for users to toggle off permission to access gyroscope sensors as well since these can be used for tracking effectively. The best approach would be to use hardware switches that kill power going into microphones and sensors so that they can’t be exploited even if the software settings are compromised.
Tomi Engdahl says:
Toll fraud malware: How an Android application can drain your wallet https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/
Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware and it continues to evolve. Compared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique behaviors. Whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to improve. Toll fraud has drawn media attention since Joker, its first major malware family, found its way to the Google Play Store back in 2017. Despite this attention, there’s not a lot of published material about how this type of malware carries out its fraudulent activities.
Our goal for this blog post is to share an in-depth analysis on how this malware operates, how analysts can better identify such threats, and how Android security can be improved to mitigate toll fraud.
Tomi Engdahl says:
CERT-EU Cyber Brief – June 2022
https://www.cert.europa.eu/static/MEMO/2022/TLP-WHITE-CERT-EU-Cyber_Brief-01-07-v1.0.pdf
Cyber Security Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to inform political leadership and senior management in its constituency.
Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE. In the month of June 2022, CERT-EU analysed 259 open source reports for this monthly Cyber Brief.
Tomi Engdahl says:
Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs
ReversingLabs recently discovered of a new version of the AstraLocker ransomware (AstraLocker 2.0) that was being distributed directly from Microsoft Office files used as bait in phishing attacks. Our analysis suggests that the threat actor responsible for this campaign likely obtained the underlying code for AstraLocker 2.0 from a leak of the Babuk ransomware in September 2021. Links between the two campaigns include shared code and campaign markers, while a Monero wallet address listed for ransom payment is tied to the Chaos Ransomware gang. The “smash and grab” attack methodology as well as other features suggest the attacker behind this malware is low-skill and looking to cause disruption, compared with the more patient, methodical, and measured approach to compromises used by Babuk and other, more sophisticated ransomware outfits. This underscores the risk posed to organizations following code leaks like that affecting Babuk, as a large population of low-skill, high-motivation actors leverage the leaked code for use in their own attacks.
Tomi Engdahl says:
EU consumer groups take aim at Google’s surveillance system’
https://www.euractiv.com/section/data-protection/news/eu-consumer-groups-take-aim-at-googles-surveillance-system/
Ten consumer groups coordinated by the European Consumer Organisation
(BEUC) have accused Google of unfairly steering consumers to sign up for a Google account, allowing the company to harvest large amounts of personal data. They state that Google prevents consumers from protecting their privacy, which would constitute an unfair commercial practice since, under the EU’s General Data Protection Regulation, users should be offered privacy by design and by default. The complaint is the last of a growing row that is seeing consumer organisations play an increasingly active role in enforcing the GDPR via complaints related to consumer protection. The most significant recent cases concern WhatsApp and TikTok.
Tomi Engdahl says:
Warrants Can Force Google To Look Through Your Search HistoryA Tragic Arson Case May Decide If That’s Constitutional https://www.forbes.com/sites/thomasbrewster/2022/06/30/warrants-can-force-google-to-look-through-your-search-historya-tragic-arson-case-may-decide-if-thats-constitutional/
The government has repeatedly demanded Google hand over information on anyone searching specific terms. For the first time, lawyers and privacy advocates are challenging the lawfulness of those searches in court, in the case of an arson that led to the deaths of two small girls and their parents. While success might mean the killers go unpunished, Price and other privacy advocates argue that it’s more important to protect the privacy of every person in the country.
That’s because unlike most search warrants, keyword searches don’t target a specific person or property. Instead, they could potentially hand law enforcement data on dozens, hundreds or even thousands of people unrelated to the case at hand. “No other warrant… could authorize the search of every house in America, ” says Price. “And no warrant should be able to compel a search of everyone’s Google search query.”
Tomi Engdahl says:
How to Present Cloud Risk to the Board
https://www.trendmicro.com/en_us/ciso/22/f/cloud-risk-management-assessment-plan.html
Quantifying and qualifying cyber risk is a longstanding challenge for CISOs. It was already a challenge for on-premise infrastructure when you knew what assets you had and where all the data lived. Cloud migration raises the bar, making it even more challenging to pinpoint cyber risk with a growing digital attack surface composed of distributed infrastructure and independently managed cloud resources used across the company. To help empower CISOs to more succinctly present their cloud risk and security posture to their board, we asked ourselves, “If a CISO has 15 minutes and one slide to present to the board, how could they communicate their company’s cloud risk?”
Tomi Engdahl says:
Reducing data exfiltration by malicious insiders https://www.ncsc.gov.uk/guidance/reducing-data-exfiltration-by-malicious-insiders
This guidance can help organisations to reduce the likelihood of data exfiltration by malicious insiders. It’s aimed at staff responsible for delivering insider risk mitigation programmes, including technical leaders, business delivery owners, senior line managers, and staff working in HR, data protection and legal departments. Malicious insider activity is relatively rare, but can have a major impact on an organisation when it does occur. It is defined as when anyone who has legitimate access to your organisation’s assets exploits their position for unauthorised purposes (so not just employees, but also contractors, partners and suppliers). Your organisational risk mitigation decisions should be based upon achieving a balance between business delivery needs, policies and technical controls. Mitigations for data exfiltration should be understood by all employees, embedded in relevant policies, and supported by the organisation’s security culture.
Tomi Engdahl says:
Ransomware review: June 2022
https://blog.malwarebytes.com/threat-intelligence/2022/07/ransomware-review-june-2022/
Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom. In June, LockBit was the most active ransomware, just as it has been all year. The month was also notable for the disappearance of Conti, and the large number of attacks by groups alleged to have links with the disbanded group. The service industry remained the hardest hit industry sector, and the USA the most attacked country. The number of attacks in the USA continued to dwarf other countries, with more known victims than Canada and all the European countries in our list combined.
Tomi Engdahl says:
Zero Trust: What does it actually mean and why would you want it?
https://www.theregister.com/2022/06/30/zero_trust_expectations/
Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs. In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns. For me, the easiest way to conceptualize zero trust is by considering what it is not. Perimeter-based security (as provided by perimeter firewalls for
example) is a good counterexample. The idea of a firewall is that there is an inside and an outside, with systems on the inside being “trusted” and those outside being “untrusted”.
Tomi Engdahl says:
Microsoft Defender adds network protection for Android, iOS devices https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-adds-network-protection-for-android-ios-devices/
Microsoft has introduced a new Microsoft Defender for Endpoint (MDE) feature in public preview to help organizations detect weaknesses affecting Android and iOS devices in their enterprise networks. After enabling the new Mobile Network Protection feature on Android and iOS devices you want to monitor, the enterprise endpoint security platform will provide protection and notifications when it detects rogue Wi-Fi-related threats and rogue certificates (the primary attack vector for Wi-Fi networks). Threats it can spot include rogue hardware such as Hak5 Wi-Fi Pineapple devices which both pen-testers and cybercriminals can use to capture data shared within the network. MDE will also alert users to switch networks if it spots a suspicious or unsecured network and push notifications when it discovers open Wi-Fi networks.
Tomi Engdahl says:
What to do about inherent security flaws in critical infrastructure?
https://www.theregister.com/2022/07/03/inherent_security_flaws_ics/
The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues 56 to be exact that criminals could use to launch cyberattacks against critical infrastructure. But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts. “Industrial control systems have these inherent vulnerabilities, ” Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. “That’s just the way they were designed. They don’t have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB.”
Tomi Engdahl says:
Dutch university wins big after Bitcoin ransom returned
https://www.dw.com/en/dutch-university-wins-big-after-bitcoin-ransom-returned/a-62337229
Part of a Bitcoin ransom paid by Maastricht University three years ago has been returned and, thanks to a more than tenfold increase in the cryptocurrency’s value, the cyberattack victims have even made a profit, local news reported on Saturday. The university was hit with a ransomware attack in 2019 that locked them, and their students, out of valuable data until they agreed to pay a 200, 000 ($208, 000) ransom in Bitcoin.
Tomi Engdahl says:
Give Up GitHub: The Time Has Come!
https://sfconservancy.org/blog/2022/jun/30/give-up-github-launch/
Those who forget history often inadvertently repeat it. Some of us recall that twenty-one years ago, the most popular code hosting site, a fully Free and Open Source (FOSS) site called SourceForge, proprietarized all their code never to make it FOSS again. Major FOSS projects slowly left SourceForge since it was now, itself, a proprietary system, and antithetical to FOSS. FOSS communities learned that it was a mistake to allow a for-profit, proprietary software company to become the dominant FOSS collaborative development site.
SourceForge slowly collapsed after the DotCom crash, and today, SourceForge is more advertising link-bait than it is code hosting. We learned a valuable lesson that was a bit too easy to forget especially when corporate involvement manipulates FOSS communities to its own ends. We now must learn the SourceForge lesson again with Microsoft’s GitHub.
Tomi Engdahl says:
Näin jaat kotiverkkosi paljastamatta salasanaasi https://www.is.fi/digitoday/art-2000008917615.html
https://www.howtogeek.com/667423/how-to-share-wi-fi-passwords-from-android-to-any-smartphone/
Tomi Engdahl says:
Google: Half of 2022′s Zero-Days Are Variants of Previous Vulnerabilities
https://www.securityweek.com/google-half-2022s-zero-days-are-variants-previous-vulnerabilities
Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.
According to Google Project Zero researcher Maddie Stone, nine of the in-the-wild zero-days seen so far this year could have been prevented had organizations applied more comprehensive patching.
“On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug,” Stone says.
The most recent of these issues is the Follina vulnerability in the Windows platform. Tracked as CVE-2022-30190, it is a variant of an MSHTML zero-day tracked as CVE-2021-40444.
CVE-2022-21882 is another Windows vulnerability that is a variant of an in-the-wild zero-day that was improperly resolved last year, namely CVE-2021-1732.
Tomi Engdahl says:
Dutch Uni Gets Cyber Ransom Money Back… With Interest
https://www.securityweek.com/dutch-uni-gets-cyber-ransom-money-back-interest
A Dutch university that fell victim to a massive ransomware attack has partly received back its stolen money… which in the meantime more than doubled in value, a news report said on Saturday.
The southern Maastricht University in 2019 was hit by a large cyberattack in which criminals used ransomware, a type of malicious software that locks valuable data and can only be accessed once the victim pays a ransom amount.
“The criminals had encrypted hundreds of Windows servers and backup systems, preventing 25,000 students and employees from accessing scientific data, library and mail,” the daily De Volkskrant said.
The hackers demanded 200,000 euros ($208,000) in bitcoins.
“After a week the university decide to accede to the criminal gang’s demand,” the paper said.
“This was partly because personal data was in danger of being lost and students were unable to take an exam or work on their theses,” it said.
Dutch police traced part of the ransom paid to an account belonging to a money launderer in Ukraine.
Tomi Engdahl says:
Justin Ling / Wired:
A look at national security concerns around modern cars filled with cameras and sensors, as a Chinese town bans Teslas during a communist party conclave — Putting sensor-packed Chinese cars on Western roads could be a privacy issue. Just ask Tesla. China’s Electric Dream
Is Your New Car a Threat to National Security?
Putting sensor-packed Chinese cars on Western roads could be a privacy issue. Just ask Tesla.
https://www.wired.com/story/china-cars-surveillance-national-security/