Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat: it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development, and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency and increased reliability, and enable processing and analytics in real time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated in searching for vulnerabilities and delivering malware by adapting (and automating) machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
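The Google finding above is essentially a version-threshold check across Maven Central. The same check can be run locally against a project's resolved dependencies, which is what a defender wants first when triaging Log4Shell exposure. The script below is an added example, not code from Google, Apache or the articles quoted here. It assumes the fixed-in versions from Apache's Log4j security advisories for the four log4j-core CVEs named above (2.15.0, 2.16.0, 2.17.0 and 2.17.1 on the main line, with the separate 2.3.x Java 6 and 2.12.x Java 7 branches handled as well); those thresholds are this example's own assumptions and are not stated on the page. The input is a constructed fragment in the format printed by `mvn dependency:list`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed-in versions per release branch (assumption supplied by this example,
# based on Apache's Log4j security advisories; not stated on the page).
# Branch "2.3" is the Java 6 line, "2.12" the Java 7 line, "main" everything else.
FIXED_IN = {
    "CVE-2021-44228": {"2.3": "2.3.1", "2.12": "2.12.2", "main": "2.15.0"},
    "CVE-2021-45046": {"2.3": "2.3.1", "2.12": "2.12.2", "main": "2.16.0"},
    "CVE-2021-45105": {"2.3": "2.3.1", "2.12": "2.12.3", "main": "2.17.0"},
    "CVE-2021-44832": {"2.3": "2.3.2", "2.12": "2.12.4", "main": "2.17.1"},
}

# Accepts "2.14.1", "2.3", "2.0-beta9", "2.0-rc1" and similar.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")

# Only log4j-core carries the vulnerable lookup code; log4j-api alone is not affected.
_DEP_RE = re.compile(r"org\.apache\.logging\.log4j:(log4j-core):(?:jar:)?([^:\s]+)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j version string into a sortable tuple.

    A final release sorts above any pre-release carrying the same numbers,
    so "2.0-beta9" < "2.0" and "2.17.0" < "2.17.1".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    is_release = 0 if pre_tag else 1
    return (int(major), int(minor), int(patch or 0), is_release, int(pre_num or 0))


def _branch(v: Tuple[int, int, int, int, int]) -> str:
    """Pick the fix branch a 2.x version belongs to."""
    if v[0] == 2 and v[1] == 3:
        return "2.3"
    if v[0] == 2 and v[1] == 12:
        return "2.12"
    return "main"


def exposed_cves(version: str) -> Optional[List[str]]:
    """Return the CVEs a log4j-core version is still exposed to.

    Returns None for non-2.x versions (1.x is a different code base and is
    out of scope here). Every 2.x release below its branch's fixed-in version
    is reported, which deliberately over-reports the few 2.0 betas that
    predate the affected code rather than risk missing anything.
    """
    v = parse_version(version)
    if v[0] != 2:
        return None
    branch = _branch(v)
    return [cve for cve, fixes in FIXED_IN.items() if v < parse_version(fixes[branch])]


def scan_dependency_list(text: str) -> Dict[str, Optional[List[str]]]:
    """Scan `mvn dependency:list` style lines (groupId:artifactId:type:version:scope)
    and map each log4j-core coordinate found to the CVEs it is exposed to."""
    findings: Dict[str, Optional[List[str]]] = {}
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if m:
            artifact, version = m.groups()
            findings[f"{artifact}:{version}"] = exposed_cves(version)
    return findings


# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.example:legacy-reporting:jar:1.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.2:runtime
"""

if __name__ == "__main__":
    for coordinate, cves in scan_dependency_list(SAMPLE_MVN_OUTPUT).items():
        status = "not a 2.x release" if cves is None else (", ".join(cves) or "patched")
        print(f"{coordinate}: {status}")
```

Note that a scanner which only compares against 2.17.1 on the main line would wrongly flag 2.12.4 and 2.3.2, which are the fully patched releases for the Java 7 and Java 6 branches; the per-branch table is what makes the report usable against older build environments. Transitive dependencies are the reason to run this against the resolved list rather than the top-level pom.xml.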

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.

In 2022, security will be Linux and open-source developers’ job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Linux’s real trouble isn’t so much with open source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Mobile phone security is being reworked
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Secure Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone-M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU chip. In this solution, TEE-type protections are provided by a secure enclave. Using this type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. This is a significant difference from the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The new Armv9-A architecture, introduced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Cyber attacks already threaten deliveries of goods too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”

Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies include:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks

Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    How Technology Can Think Globally and Act Locally to Inform Global Cyber Policies
    https://www.securityweek.com/how-technology-can-think-globally-and-act-locally-inform-global-cyber-policies

    As a cybersecurity professional, I appreciate the impact that cyber policy can have on the adoption of and effective utilization of technology. We see this working today in very advanced, mature industries. In the automotive industry, policies around safety for instance, have done wonders to reduce the number of injuries resulting from an accident. Likewise, policies for manufacturing and chemical production help reduce the risk associated with handling dangerous chemicals. Cybersecurity is far less mature than the automotive or chemical industries, however, it is influencing and being impacted by evolving cyber policies and regulations.

    As a provider of email security solutions, I spend much of my time looking at how best to leverage a security ecosystem that is powered by millions of contributors. It is therefore encouraging to me to see the many strategic activities happening in cyber policy among the world’s most powerful nations. Over time, and assuming solid diplomacy engenders trust in these relationships, these activities will help mature cybersecurity in a positive direction.

  2. Tomi Engdahl says:

    Finland is the most cyber-secure country in the world
    https://etn.fi/index.php/13-news/13944-suomi-on-maailman-kyberturvallisin-maa

    Finland is the most cyber-secure country in Europe and in the whole world. This is shown by the latest study from Reboot Digital PR Services.

    In the study, Finland ranked as the most cyber-secure country in the world. Finland received a cyber threat score of 12.6/100. According to the study, Finland has fewer than 300 phishing sites and a total of only 11 compromised computers per 100,000 internet users.

    Austria is second in the ranking with a score of 19.8.

    The study analysed more than 90 countries around the world. The data was collected by Reboot.
    https://www.rebootonline.com/digital-pr/

  3. Tomi Engdahl says:

    Josephine Wolff / Wired:
    Cyber insurers are failing to reduce companies’ cyber risk exposure and to cover breached firms’ costs after state-sponsored cyberattacks that fall short of war

    Who Pays for an Act of Cyberwar?
    Cyberinsurance doesn’t cover acts of war. But even as cyberattacks mount, the definition of “warlike” actions remains blurry.
    https://www.wired.com/story/russia-ukraine-cyberwar-cyberinsurance/

    This summer marks the fifth anniversary of the most expensive cyberattack ever: the NotPetya malware, released by Russia in June 2017, that shut down computer systems at companies and government agencies around the world, causing upward of $10 billion in damage due to lost business, repairs, and other operational disruptions. Half a decade later, the businesses affected by NotPetya are still sorting out who will pay those considerable costs in a series of legal disputes that will have serious ramifications for the rapidly growing cyberinsurance industry, as well as for the even more rapidly growing number of state-sponsored cyberattacks that blur the line between cyberwar and standard-issue government cyberactivity.

  4. Tomi Engdahl says:

    Introducing our new machine learning security principles
    https://www.ncsc.gov.uk/blog-post/introducing-our-new-machine-learning-security-principles
    Why the security of artificial intelligence (AI) and machine learning (ML) is important, how it’s different to standard cyber security, and why the NCSC has developed specific security principles.

  5. Tomi Engdahl says:

    This is what the phone app with which you will be able to prove your identity next year looks like; according to an expert, the privacy concerns are unfounded
    https://yle.fi/uutiset/3-12584973
    In the future, you will be able to prove your identity directly from your phone.
    With the reform, electronic identification will also be possible without online banking credentials. The digital identity card strengthens people’s control over their own data.

  6. Tomi Engdahl says:

    Eight-Year Study Shows the Dark Side of WordPress Plugins
    https://www.cc.gatech.edu/news/eight-year-study-shows-dark-side-wordpress-plugins
    Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory (CyFI Lab) have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA.

  7. Tomi Engdahl says:

    Japan declares war on floppy disks for government use
    https://arstechnica.com/information-technology/2022/08/japan-declares-war-on-floppy-disks-for-government-use/
    Japan’s newly appointed Minister of Digital Affairs, Taro Kono, has declared war on the floppy disk and other forms of obsolete media, which the government still requires as a submission medium for around 1,900 types of business applications and other forms. The goal is to modernize the procedures by moving the information submission process online.

  8. Tomi Engdahl says:

    Staying On Top of TLS Attacks With SSL Certificate
    https://cybersecuritynews.com/staying-on-top-of-tls-attacks/

    The Transport Layer Security (TLS)/ Secure Socket Layer (SSL) protocol is critical to ensuring data confidentiality, privacy, security, and integrity in transit on the internet. However, they are not 100% immune from being attacked by threat actors who leverage SSL/ TLS vulnerabilities to orchestrate attacks. The most effective way to stay on top of these TLS attacks is by deploying the best SSL certificates for websites.

    How do the best SSL certificates protect websites? Read on to find out.

  9. Tomi Engdahl says:

    Leave these objects out of social media photos – security expert: “A house key can be copied from a photo taken with a mobile phone”
    https://yle.fi/uutiset/3-12594462

    You may unknowingly post to social media a photo of an everyday situation that can be used as a tool for committing a crime. A security expert and a net police officer explain which objects should not appear in published photos.

  10. Tomi Engdahl says:

    New Cybersecurity Regulations Are Coming. Here’s How to Prepare.
    https://hbr.org/2022/08/new-cybersecurity-regulations-are-coming-heres-how-to-prepare

    Cybersecurity has reached a tipping point. After decades of private-sector organizations more or less being left to deal with cyber incidents on their own, the scale and impact of cyberattacks means that the fallout from these incidents can ripple across societies and borders.

    Now, governments feel a need to “do something,” and many are considering new laws and regulations. Yet lawmakers often struggle to regulate technology — they respond to political urgency, and most don’t have a firm grasp on the technology they’re aiming to control. The consequences, impacts, and uncertainties on companies are often not realized until afterward.

    In the United States, a whole suite of new regulations and enforcement are in the offing: the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules. In addition, in 2021 alone, 36 states enacted new cybersecurity legislation. Globally, there are many initiatives such as China and Russia’s data localization requirements, India’s CERT-In incident reporting requirements, and the EU’s GDPR and its incident reporting.

    Companies don’t need to just sit by and wait for the rules to be written and then implemented, however. Rather, they need to be working now to understand the kinds of regulations that are presently being considered, ascertain the uncertainties and potential impacts, and prepare to act.

    What We Don’t Know About Cyberattacks
    To date, most countries’ cybersecurity-related regulations have been focused on privacy rather than cybersecurity, thus most cybersecurity attacks are not required to be reported. If private information is stolen, such as names and credit card numbers, that must be reported to the appropriate authority.

    But, for instance, when Colonial Pipeline suffered a ransomware attack that caused it to shut down the pipeline that provided fuel to nearly 50% of the U.S. east coast, it wasn’t required to report it because no personal information was stolen. (Of course, it is hard to keep things secret when thousands of gasoline stations can’t get fuel.)

    As a result, it’s almost impossible to know how many cyberattacks there really are, and what form they take. Some have suggested that only 25% of cybersecurity incidents are reported, others say only about 18%, others say that 10% or less are reported.

    The truth is that we don’t know what we don’t know. This is a terrible situation. As the management guru Peter Drucker famously said: “If you can’t measure it, you can’t manage it.”

    What Needs To Be Reported, by Whom, and When?
    Governments have decided that this approach is untenable. In the United States, for instance, the White House, Congress, the Securities and Exchange Commission (SEC), and many other agencies and local governments are considering, pursuing, or starting to enforce new rules that would require companies to report cyber incidents — especially critical infrastructure industries, such as energy, health care, communications and financial services. Under these new rules, Colonial Pipeline would be required to report a ransomware attack.

    On its face, a similar requirement for cybersecurity seems very reasonable. The problem is, what should count as a cybersecurity “incident” is much less clear than the “near miss” of two aircraft being closer than allowed. A cyber “incident” is something that could have led to a cyber breach, but does not need to have become an actual cyber breach: By one official definition, it only requires an action that “imminently jeopardizes” a system or presents an “imminent threat” of violating a law.

    This leaves companies navigating a lot of gray area, however. For example, if someone tries to log in to your system but is denied because the password is wrong, is that an “imminent threat”? What about a phishing email? Or someone searching for a known, common vulnerability, such as the log4j vulnerability, in your system? What if an attacker actually got into your system, but was discovered and expelled before any harm had been done?

    This ambiguity requires companies and regulators to strike a balance. All companies are safer when there’s more information about what attackers are trying to do, but that requires companies to report meaningful incidents in a timely manner.

    International companies will also need to navigate the different reporting standards in the European Union, Australia, and elsewhere, including how quickly a report must be filed — whether that’s six hours in India, 72 hours in the EU under GDPR, or four business days in the United States, and often many variations in each country since there is a flood of regulations coming out of diverse agencies.

    What Companies Can Do Now
    Make sure your procedures are up to the task.
    Keep ransomware policies up to date.
    Prepare for required “Software Bill of Materials” in order to better vet your digital supply chain.

    What More Should You Do?
    Someone, or likely a group in your company, should be reviewing these new or proposed regulations and evaluate what impacts they will have on your organization. These are rarely just technical details left to your information technology or cybersecurity team — they have companywide implications and likely changes to many policies and procedures throughout your organization. To the extent that most of these new regulations are still malleable, your organization may want to actively influence what directions these regulations take and how they are implemented and enforced.

    Reply
  11. Tomi Engdahl says:

    Cyber Safety for Summer Vacation
    https://www.securityweek.com/cyber-safety-summer-vacation

    Remember the Basics Before you Leave Home

    1. Keep your device up to date. Operating system and software updates contain more than new features and can often fix vulnerabilities. Running the latest software can help to reduce the risk of malware getting a foothold in your system and your data.

    2. Backup, backup, backup. Before you leave home, make sure that any device is fully backed-up. If your device has the option for cloud backup – standard on many phones today – ensure that this is enabled and running.

    3. Use strong passwords and a password manager. Most people know that having “PASSWORD1234” or “12345678” doesn’t cut it, but the importance of unique, strong passwords is something I cannot stress enough. A password manager can help for several reasons, including:

    • The ability to generate and store strong passwords

    • You only need to remember a single strong password

    • Add biometric authentication to the password manager

    • The password manager auto-enters passwords. If a keyboard logger infects the device, it will not be able to steal user information.

    4. Check that security software is enabled. The best firewall and advanced threat software in the world will only work if it’s appropriately enabled. Sometimes we might feel that the security checks slow down our internet experience, but it’s important to have all features enabled and running full scans regularly. This not only protects against incoming threats but could give an early alert to new possibilities.

    Major “Watch Outs”

    Your devices will have protection if security basics are in place to keep incoming attacks at bay, but there are still risks, and you need to be careful when, where and how to access information. Our defenses can come down during vacation time and trying to buy tickets for a waterpark visit might make us forget to check what would normally be obvious.

    Phishing is probably the oldest way to get caught, but for any criminal, it’s one of the most effective hacking strategies. Be very careful to validate links when you’re accessing new websites, and consider a few best practices:

    • Use a Google search to find the site you need and access from there – remember that sometimes the first few entries might redirect to a sales broker that will charge additional and unnecessary commission for services. Take time to read ANY site’s information before making a purchase.

    • If the URL for the website seems unusual, don’t click it.

    • Try to stay off email when on vacation. If it’s not urgent, it can wait. This can reduce the risk of a ‘quick reply’ leading to a phish.

    Reply
  12. Tomi Engdahl says:

    Deep Dive Into Ragnar Locker Ransomware Targeting Critical Industries
    https://www.securityweek.com/deep-dive-ragnar-locker-ransomware-targeting-critical-industries

    Analysis of Ragnar Locker Ransomware that has been targeting the energy sector

    The Ragnar group, operating Ragnar Locker ransomware, has been active since 2019 targeting critical industries and employing double extortion. In March 2022, the FBI warned that at least 52 entities across ten critical industry sectors have been affected. In August 2022, the group attacked Greek gas supplier Desfa, and subsequently leaked sensitive data it claimed to have stolen.

    Researchers at Cybereason have analyzed the encryption process of Ragnar Locker.

    On execution, Ragnar Locker does a location check. If the location is any country in the Commonwealth of Independent States (CIS), execution is terminated.

    It then collects host information, including the computer name and user name, and the machine GUID and Windows version. This data is concatenated and concealed by a custom hashing function. A new event is created using the combined hashes as the name. Ragnar Locker then seeks to identify existing file volumes using the Windows API CreateFileW.

    A list of services embedded within the Ragnar Locker code is decrypted. This includes vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms, Dfs. If any of these are found as a running service, it is terminated by the malware.

    When the ransom note is ready, Ragnar Locker starts the encryption process. Exclusions include the files autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db; specific processes and objects such as Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.bin, ProgramData, All Users; and files with the extensions .db, .sys, .dll, .lnk, .msi, .drv, .exe.

    The filenames of other files are sent to the encryption function which encrypts the corresponding file and appends the suffix ‘.ragnar_[hashed computer name]’. After encryption, Ragnar Locker creates a notepad.exe process and displays the ransom note on the user’s screen.

    The stolen data used in the double extortion process is exfiltrated continuously up to the point of encryption. Loic Castel, principal security analyst at Cybereason’s Global SOC, told SecurityWeek, “In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt. Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains.”

    Reply
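    The Cybereason write-up above lists two observable traces a defender can hunt for: the services Ragnar Locker stops before encrypting, and the ‘.ragnar_[hashed computer name]’ suffix it appends to files. The following is an added example (not code from the Cybereason analysis or from SecurityWeek) showing how that description can be turned into simple detection logic. The service-stop log format and the sample hosts, services and paths are constructed for the example; the threshold of three targeted services on one host is an assumed tuning value.

```python
import re
from collections import defaultdict

# Services the malware tries to stop, taken from the analysis quoted above (lower-cased).
# The malware matches these as fragments of service names, so the check below does too
# (e.g. "sql" matches "MSSQLSERVER", "backup" matches "VeeamBackupSvc").
TARGETED_SERVICES = frozenset(s.lower() for s in (
    "vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup", "pulseway",
    "logme", "logmein", "connectwise", "splashtop", "kaseya", "vmcompute",
    "hyper-v", "vmms", "dfs",
))

# Encrypted files carry the suffix ".ragnar_<hashed computer name>".
RAGNAR_SUFFIX = re.compile(r"\.ragnar_[^\s./\\]+$")

# Constructed log format (an assumption for this example, not a real Windows event layout):
#   "<timestamp> host=<hostname> service=<service name> state=<stopped|started>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+service=(?P<svc>\S+)\s+state=(?P<state>\S+)$"
)


def find_ragnar_files(paths):
    """Return the paths whose file name ends in the Ragnar Locker extension."""
    return [p for p in paths if RAGNAR_SUFFIX.search(p)]


def hosts_with_mass_service_stops(lines, threshold=3):
    """Return {host: [stopped targeted services]} for hosts where at least
    `threshold` distinct services from the malware's kill list were stopped.
    A single stopped service is normal operations; several at once on one host
    matches the pre-encryption behaviour described above."""
    stops = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["state"] != "stopped":
            continue
        svc = m["svc"].lower()
        if any(target in svc for target in TARGETED_SERVICES):
            stops[m["host"]].add(svc)
    return {host: sorted(svcs) for host, svcs in stops.items() if len(svcs) >= threshold}


# Constructed sample data.
SAMPLE_LINES = [
    "2022-09-01T10:00:01 host=FS01 service=vss state=stopped",
    "2022-09-01T10:00:01 host=FS01 service=MSSQLSERVER state=stopped",
    "2022-09-01T10:00:02 host=FS01 service=VeeamBackupSvc state=stopped",
    "2022-09-01T10:00:02 host=FS01 service=Spooler state=stopped",   # not on the kill list
    "2022-09-01T09:55:00 host=WS07 service=vss state=stopped",       # one stop: routine
    "2022-09-01T09:58:00 host=WS07 service=vmms state=started",
]
SAMPLE_PATHS = [
    r"D:\finance\q3.xlsx.ragnar_3A7F9C1B",
    r"D:\finance\q3.xlsx",
    r"C:\Windows\System32\ntdll.dll",
    r"D:\hr\contracts.docx.ragnar_3A7F9C1B",
]

if __name__ == "__main__":
    for host, svcs in hosts_with_mass_service_stops(SAMPLE_LINES).items():
        print(f"ALERT {host}: kill-list services stopped: {', '.join(svcs)}")
    for path in find_ragnar_files(SAMPLE_PATHS):
        print(f"ENCRYPTED? {path}")
```

    On the constructed data only FS01 is flagged (vss, MSSQLSERVER and VeeamBackupSvc stopped together), while WS07’s single vss stop stays below the threshold. Matching by fragment, as the malware does, is deliberately broad; in a real environment the threshold and the time window over which stops are grouped would be tuned against the backup and maintenance jobs that legitimately stop such services.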
  13. Tomi Engdahl says:

    Attacks on Linux systems are growing fast: the situation is getting out of hand
    https://www.tivi.fi/uutiset/tv/388e9775-5a13-4942-acfe-7615d4a98930
    According to a security report published by Trend Micro, the cybercriminals behind ransomware attacks will increasingly aim their strikes at Linux servers and embedded systems in the coming years. According to Trend Micro, the number of attacks on such systems has already grown significantly compared to the same period of the previous year.

    Reply
  14. Tomi Engdahl says:

    Finnish companies are trying to move away from forced password changes: “Nobody changes the locks on their home regularly either”
    https://www.kauppalehti.fi/uutiset/suomalaiset-yhtiot-yrittavat-irtautua-salasanan-pakkovaihtamisesta-ei-kukaan-vaihda-saannollisesti-asuntonsa-lukkojakaan/dbafa0bc-6d0a-4797-b673-4b9d6e75fdb9
    WithSecure’s research director Mikko Hyppönen recently stated in a question-and-answer session on the discussion platform Reddit that constantly changing passwords is not central to security. Among Finnish companies, Tietoevry, for example, has dropped mandatory password changes because new kinds of protection and monitoring solutions are in use.

    Reply
  15. Tomi Engdahl says:

    Facebook parent company repeatedly violated WA campaign finance law, court finds https://www.seattletimes.com/seattle-news/politics/facebook-parent-company-repeatedly-violated-wa-campaign-finance-law-court-finds/
    Meta, Facebook’s parent company, repeatedly and intentionally violated Washington campaign-ad transparency law and must pay penalties yet to be determined, a judge ruled Friday. The oral ruling was made Friday by King County Superior Court Judge Douglass North. A written order was not immediately available. In a statement, Ferguson said his office defeated Facebook’s “cynical attempt” to gut Washington’s campaign-finance transparency law. “On behalf of the people of Washington, I challenge Facebook to accept this decision and do something very simple: follow the law,” he said.

    Reply
  16. Tomi Engdahl says:

    Is It Time to Treat U.S.-Made Chips as Critical Infrastructure?
    Aug. 30, 2022
    Intel struck a $30 billion partnership with Brookfield Asset Management to help fund its factory build-out.
    https://www.electronicdesign.com/technologies/embedded-revolution/article/21249733/electronic-design-is-it-time-to-treat-usmade-chips-as-critical-infrastructure?utm_source=EG+ED+Analog+%26+Power+Source&utm_medium=email&utm_campaign=CPS220902054&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R

    Intel introduced a first-of-its-kind co-investment program for its semiconductor fabs. The new funding model aims to help ease its gargantuan capital spending burden by sharing it with outside investors.

    To that end, the Santa Clara, California-based company said it hammered out a $30 billion partnership with Brookfield Asset Management, one of the largest global asset managers, to help fund its fab expansion plans. Under the terms of the deal, Intel is responsible for 51% of the cost of building two new fabs in Chandler, Arizona, and it will maintain a controlling stake in the new facilities.

    The deal stipulates that Brookfield will provide the remaining funding for the new chip-making facilities, said Intel chief financial officer David Zinsner. The companies will reportedly split revenue produced by the fabs

    Reply
  17. Tomi Engdahl says:

    Anatoly Kurmanaev / New York Times:
    US officials say large ships are increasingly manipulating their GPS-based automatic identification systems, or AIS, to evade international laws and sanctions — A technology enabling the transmission of fake locations to carry out murky or even illegal business operations …

    https://www.nytimes.com/2022/09/03/world/americas/ships-gps-international-law.html

    Reply
  18. Tomi Engdahl says:

    Security is first and foremost a feeling, and one that all of us can influence. Communicator of the Year 2022 and cybersecurity expert Jarno Limnell writes in his column about everyday things that affect the sense of security.

    https://www.kokonaisturvallisuusmessut.fi/fi/kolumni/kolumni-varautuminen-on-viisautta-mita-juuri-mina-voin-tehda/

    Reply
  19. Tomi Engdahl says:

    Australian Police Develop a New AI Tool to Combat Child Abuse https://www.pandasecurity.com/en/mediacenter/technology/police-ai-abuse/
    According to some reports, there was a ‘tsunami’ of child exploitation image sharing during the pandemic and associated lockdowns. UK authorities have received a 1500% increase in reports of online child sexual abuse material, while Australia had a 129% spike. Realizing that they need smarter tools to deal with the huge volume of files and images, the Australian federal police have turned to artificial intelligence (AI). The system being developed by the Australian police needs to be trained and they have enlisted the help of the public. As part of the ‘My Picture Matters’ campaign, adult Australian citizens are being asked to share 100,000 photographs of themselves as ‘happy children’. The new system, called AiLecs, will then be trained with the pictures to help the algorithm learn what a ‘normal’ child image looks like. Once training is complete, AiLecs should be able to analyze the contents of a suspect’s hard drive automatically; images of ‘happy’ children will be ignored (initially) while anything else will be flagged as suspicious.

    Reply
  20. Tomi Engdahl says:

    China begins a massive internet clean-up as it prepares for a major Communist Party event
    https://www.tivi.fi/uutiset/tv/4d265700-8864-44fe-940e-53341d7327e8
    China is launching a three-month campaign to cleanse the country’s internet of “rumours and false information”. The country’s cyberspace administration announced its plan on Friday and at the same time urged Chinese technology companies to improve their ability to identify those who spread such information. According to The Register, online platforms will be blocked from accepting new users and their names will be published if the new rules on tracking users are not followed. Local and regional governments have been ordered to step up their oversight to scrub the internet of information that Beijing considers inappropriate. China has run similar campaigns before. The timing of the clean-up now under way is significant, however, because the Chinese Communist Party holds its national congress on 16 October.
    The congress is expected to approve President Xi Jinping’s move to a third five-year term as the country’s leader.

    Reply
  21. Tomi Engdahl says:

    Play Ransomware’s Attack Playbook Similar to that of Hive, Nokoyawa https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
    In July, TrendMicro investigated a spate of ransomware cases in the Latin American region that targeted government entities, which was initially attributed to a new player known as Play ransomware. This ransomware’s name was derived from its behavior, as it adds the extension “.play” after encrypting files. Its ransom note also contains the single word, “PLAY,” and the ransomware group’s contact email address. Victims of this ransomware first surfaced in Bleeping Computer forums in June 2022. A month later, more details about Play ransomware were published on the “No-logs No breach” website. Further analysis of these ransomware infections, however, revealed that Play uses many tactics that follow the playbook of both Hive and Nokoyawa ransomware, including similarities in the file names and file paths of their respective tools and payloads. Earlier this year, TrendMicro found evidence that suggests that the attackers behind Nokoyawa are related to those behind Hive, owing to the many similarities between their attack chains.

    Reply
  22. Tomi Engdahl says:

    DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/
    Recent studies show that more than 85% of financial institutions in Central and Western Africa have repeatedly been victimized in multiple, damaging cyberattacks. In a quarter of these cases, intrusions into network systems resulted in the worst possible outcomes for the financial and banking sector: information leaks, identity theft, money transfer fraud, and bank withdrawals on false checks. In this article, Checkpoint analyzes a malicious campaign called DangerousSavanna which has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. In the last few months, the campaign heavily focused on Ivory Coast. Judging by the victimology and tactics, techniques, and procedures (TTPs), Checkpoint can assess with medium to high confidence that the motivation behind DangerousSavanna is likely financial.

    Reply
  23. Tomi Engdahl says:

    Phishers use verified status as bait for Instagram users https://www.malwarebytes.com/blog/news/2022/09/phishers-use-verified-status-as-bait-for-instagram-users
    Another Instagram phish is doing the rounds, and will appeal to a wide variety of platform users. Bleeping Computer reports that verified status is once again being dangled as bait. Being verified gives the impression of status, or importance, on social media platforms. Often, verification is more about simply confirming that someone is in fact who they claim to be. There are many verified accounts out there for people you’ll not have heard of, and that’s perfectly fine. At the other end of the scale, it is definitely an additional status symbol for people who care about such things. It’s also very handy for confirming that high profile accounts are in fact the real deal.
    Scammers know this, and bank on it on a daily basis. Indeed, a whole sub-industry of fake verification services exists to part people from their money (and, potentially, accounts).

    Reply
  24. Tomi Engdahl says:

    Microsoft will disable Basic authentication for Exchange Online in less than a month https://www.malwarebytes.com/blog/news/2022/09/microsoft-to-disable-basic-auth-for-exchange-online-in-less-than-a-month
    Microsoft has posted a reminder on the Exchange Team blog that Basic authentication for Exchange Online will be disabled in less than a month, on October 1, 2022. The first announcement of the change stems from September 20, 2019. With so much warning you might expect organizations to be ready, and many are. But there has been an entire pandemic since then, and no shortage of other things for Exchange users to worry about. So, as always, some aren’t ready. Basic authentication sends a username and a password with every request and does not require TLS. This can leave credentials being sent back and forth over the wire in plain text, making them easy to intercept. To make matters worse, according to Microsoft, using Basic authentication means “the enforcement of multifactor authentication (MFA) is not simple or in some cases, possible”, an absolute no-no for 2022.

    Reply
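    The Malwarebytes piece above makes two points about Basic authentication: the credentials travel with every request in a trivially reversible encoding, and the mechanism is on its way out, so an administrator needs to know which accounts and clients still use it. The following is an added example, not code from Malwarebytes or Microsoft, that shows both: a Basic header is decoded to recover only the user name (the password is deliberately discarded), and a batch of request-log lines is turned into a per-user inventory of Basic-auth use, counting how many requests went over plain http. The log format, host names, user names and user-agent strings are constructed for the example and are not real Exchange Online log fields.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed log format (an assumption for this example):
#   <timestamp> <http|https> <client ip> "<user agent>" auth="<Authorization header value>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<scheme>https?) (?P<ip>\S+) "(?P<ua>[^"]*)" auth="(?P<auth>[^"]*)"$'
)


def parse_basic_credentials(header_value):
    """Return the user name carried in a 'Basic <base64>' Authorization value.

    Basic auth is just base64("user:password"), so anyone who sees the header
    sees the password. This helper decodes it to identify the account but
    throws the password away; it returns None for non-Basic or malformed values.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def basic_auth_inventory(lines):
    """Summarise Basic-auth use per account from request-log lines.

    Returns {user: {"requests": n, "plaintext_requests": n, "clients": [user agents]}}.
    'plaintext_requests' counts requests made over http, where the password
    crossed the wire unencrypted, as the article describes.
    """
    report = defaultdict(lambda: {"requests": 0, "plaintext_requests": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        user = parse_basic_credentials(m["auth"])
        if user is None:
            continue  # token-based or unparseable: not a Basic-auth login
        entry = report[user]
        entry["requests"] += 1
        if m["scheme"] == "http":
            entry["plaintext_requests"] += 1
        entry["clients"].add(m["ua"])
    return {
        user: {
            "requests": e["requests"],
            "plaintext_requests": e["plaintext_requests"],
            "clients": sorted(e["clients"]),
        }
        for user, e in report.items()
    }


def basic_header(user, password):
    """Build a Basic Authorization value; used only to construct sample data."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample log lines (accounts, clients and passwords are made up).
SAMPLE_LINES = [
    f'2022-09-08T07:01:00 https 10.0.0.5 "Outlook/16.0" auth="{basic_header("alice@example.com", "constructed-pw-1")}"',
    f'2022-09-08T07:02:00 http 10.0.0.9 "Legacy POP Client" auth="{basic_header("bob@example.com", "constructed-pw-2")}"',
    f'2022-09-08T07:03:00 https 10.0.0.9 "Legacy POP Client" auth="{basic_header("bob@example.com", "constructed-pw-2")}"',
    '2022-09-08T07:04:00 https 10.0.0.7 "Outlook/16.0" auth="Bearer constructed-oauth-token"',
    '2022-09-08T07:05:00 https 10.0.0.8 "curl/7.68" auth="Basic not*valid*base64"',
]

if __name__ == "__main__":
    for user, info in basic_auth_inventory(SAMPLE_LINES).items():
        print(f"{user}: {info['requests']} Basic-auth requests, "
              f"{info['plaintext_requests']} over plain http, clients={info['clients']}")
```

    The bearer-token request and the malformed header are ignored, so the inventory lists exactly the accounts that would break on the cut-over date, together with the client software that needs reconfiguring; the account whose legacy client used plain http is the one whose password should be treated as exposed.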
  25. Tomi Engdahl says:

    Shortage of security professionals plagues companies: almost 60 percent report recruiting difficulties
    https://www.kauppalehti.fi/uutiset/pula-tietoturvaosaajista-riivaa-yrityksia-lahes-60-prosenttia-kertoo-rekrytointivaikeuksista/a21782de-14f0-4806-89c5-aecbd430c7a1
    The biggest information security challenge for companies is not budget but a lack of qualified security professionals, according to a study by the Indian IT giant Tata Consultancy Services. Of the Nordic respondents to the survey, 58 percent reported difficulties recruiting security professionals during the previous year, the company says. Of all respondents, 45 percent had experienced the same. 60 percent of respondents, and as many as 70 percent of Nordic respondents, wanted to recruit professionals. Challenges were also observed in engaging security specialists and retaining them in the company’s service. 44 percent of all respondents and 48 percent of Nordic respondents reported these problems.

    Reply
  26. Tomi Engdahl says:

    How to Improve Mean Time to Detect for Ransomware
    https://www.securityweek.com/how-improve-mean-time-detect-ransomware

    Training for multiple situations will help your security team make decisions more quickly

    Moving at digital speed means both good things and bad. Work gets done quickly and efficiently, but when bad guys attack, they too, move at digital speed. That’s why threat detection and incident response have to be nimble and quick. But how are we to know if that is the case?

    Mean time to detect (MTTD) is one of the key performance indicators (KPIs) used to measure what information security professionals are trying to do. MTTD measures elapsed time from intrusion to detection, or how long a problem—a vulnerability, an intrusion or some form of malicious activity—is present in the network before the relevant parties in the organization become aware.

    MTTD, sometimes called mean time to identify (MTTI), can be worked out simply by dividing the total of incident response times attributed to a technician, security team or time period by the number of incidents. It is a simple calculation, if the organization has sufficient, accurate data on incidents.

    Reply
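    The article above defines MTTD as the sum of detection times divided by the number of incidents, and notes that the calculation is only as good as the incident data behind it. The following is an added example, not code from SecurityWeek, that carries that calculation through on constructed incident records: it computes the overall MTTD and a per-team breakdown, and it skips records that cannot contribute (still-open incidents with no detection time, and rows where the detection timestamp precedes the intrusion timestamp). The `Incident` type, team names and timestamps are all assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    """One incident record (a constructed shape, not a real ticketing schema)."""
    incident_id: str
    team: str
    intrusion_at: Optional[datetime]   # best estimate of when the intrusion began
    detected_at: Optional[datetime]    # when the organisation became aware; None if not yet


def detection_times(incidents: Iterable[Incident]) -> Iterator[Tuple[str, timedelta]]:
    """Yield (team, intrusion-to-detection time) for each usable record.

    Records with a missing timestamp cannot contribute; a detection time earlier
    than the intrusion time is a data-quality error and is excluded rather than
    allowed to pull the mean towards zero.
    """
    for inc in incidents:
        if inc.intrusion_at is None or inc.detected_at is None:
            continue
        if inc.detected_at < inc.intrusion_at:
            continue
        yield inc.team, inc.detected_at - inc.intrusion_at


def mean(durations: List[timedelta]) -> timedelta:
    return sum(durations, timedelta()) / len(durations)


def mttd(incidents: Iterable[Incident]) -> Optional[timedelta]:
    """Overall MTTD: total detection time divided by the number of measurable incidents.
    Returns None when there is no usable data, rather than a misleading zero."""
    durations = [d for _, d in detection_times(incidents)]
    return mean(durations) if durations else None


def mttd_by_team(incidents: Iterable[Incident]) -> Dict[str, timedelta]:
    """The same calculation attributed per team, as the article suggests."""
    per_team: Dict[str, List[timedelta]] = defaultdict(list)
    for team, d in detection_times(incidents):
        per_team[team].append(d)
    return {team: mean(ds) for team, ds in per_team.items()}


# Constructed sample records.
T = datetime.fromisoformat
SAMPLE_INCIDENTS = [
    Incident("INC-001", "soc-a", T("2022-06-01T08:00"), T("2022-06-01T20:00")),  # 12 h
    Incident("INC-002", "soc-a", T("2022-06-03T00:00"), T("2022-06-04T00:00")),  # 24 h
    Incident("INC-003", "soc-b", T("2022-06-05T10:00"), T("2022-06-05T10:30")),  # 30 min
    Incident("INC-004", "soc-b", T("2022-06-06T09:00"), None),                   # not yet detected
    Incident("INC-005", "soc-b", T("2022-06-08T12:00"), T("2022-06-08T11:00")),  # inconsistent timestamps
]

if __name__ == "__main__":
    print("overall MTTD:", mttd(SAMPLE_INCIDENTS))
    for team, value in sorted(mttd_by_team(SAMPLE_INCIDENTS).items()):
        print(f"{team}: {value}")
```

    On the sample data three records are measurable (12 h, 24 h and 30 min), giving an overall MTTD of 12 h 10 min, with 18 h for soc-a and 30 min for soc-b; the open incident and the row with inverted timestamps are left out, which is the kind of data-quality filtering the article’s “sufficient, accurate data” caveat calls for.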
  27. Tomi Engdahl says:

    Every company has a test environment. The good ones have a separate environment for production.

    Reply
  28. Tomi Engdahl says:

    Information security suffers from a shortage of qualified professionals
    https://etn.fi/index.php/13-news/13965-tietoturva-kaersii-paetevien-osaajien-puutteesta

    With digitalisation, both the risk of cyberattacks and the demand for security specialists are growing. According to the Risk & Cybersecurity Study carried out by TCS, the biggest security challenge for companies, especially in the Nordic countries, is not budget but a shortage of qualified security professionals.

    More than 600 risk management and security executives from North America and Europe, including Finland and the other Nordic countries, took part in the study. Of all survey respondents, 45%, and of Nordic respondents, 58%, said their company had had difficulties recruiting security professionals during the previous year.

    Reply
  29. Tomi Engdahl says:

    Ransomware plagues Finnish companies
    https://etn.fi/index.php/13-news/13968-kiristyshaitat-piinaavat-suomalaisyrityksiae
    Security company Trend Micro today published a new report revealing how Finnish organisations are at ever greater risk of falling victim to ransomware attacks carried out through their supply chains. According to the study, a full 80 percent of Finnish IT decision-makers believe that their partners and customers also increase their own risk of being targeted by ransomware attacks.
    The challenge is particularly acute because more than a third (38%) of respondents rely in their operations on supply chains made up of small and medium-sized companies that may be less well protected.
    A sophisticated attack a year ago on a supplier of IT management software led to the compromise of numerous service providers and thousands of end customers. Yet only 45 percent of organisations report ransomware attacks to their principals. 27% do not share potentially useful threat intelligence even with their partners.

    Reply
  30. Tomi Engdahl says:

    The Cryptography Handbook
    May 3, 2021
    This series, which is designed to be a quick study guide for product development engineers, takes an engineering rather than theoretical approach.
    https://www.electronicdesign.com/technologies/embedded-revolution/whitepaper/21127823/maxim-integrated-the-cryptography-handbook

    Designed to be a study guide for a product development engineer, this series takes an engineering rather than theoretical approach.

    Reply
  31. Tomi Engdahl says:

    “The Era Of Distributed, Independent Email Servers Is Over”
    https://hackaday.com/2022/09/07/the-era-of-distributed-independent-email-servers-is-over/

    Though there are many continuing threats to Internet freedom we can still mostly use the network our way, but with sadness we note that one piece of Internet freedom may have drawn to a close. [Carlos Fenollosa] has written a lament about how the outlook for anyone running their own mail server now looks bleak.

    After self-hosting my email for twenty-three years I have thrown in the towel. The oligopoly has won.
    https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

    Many companies have been trying to disrupt email by making it proprietary. So far, they have failed. Email keeps being an open protocol. Hurray?

    No hurray. Email is not distributed anymore. You just cannot create another first-class node of this network.

    Email is now an oligopoly, a service gatekept by a few big companies which does not follow the principles of net neutrality.

    I have been self-hosting my email since I got my first broadband connection at home in 1999. I absolutely loved having a personal web+email server at home, paid extra for a static IP and a real router so people could connect from the outside. I felt like a first-class citizen of the Internet and I learned so much.

    Over time I realized that residential IP blocks were banned on most servers. I moved my email server to a VPS. No luck. I quickly understood that self-hosting email was a lost cause. Nevertheless, I have been fighting back out of pure spite, obstinacy, and activism. In other words, because it was the right thing to do.

    But my emails are just not delivered anymore. I might as well not have an email server.

    Reply
  32. Tomi Engdahl says:

    FBI, DOJ defend ‘offensive’ actions against Chinese, Russian operations https://therecord.media/fbi-doj-defend-offensive-actions-against-chinese-russian-operations/
    Representatives from the Justice Department and FBI defended offensive cyber operations taken over the last two years against Chinese and Russian government hacking campaigns after critics questioned the privacy implications of government agencies unilaterally going into devices to remove malware. Adam Hickey, deputy assistant attorney general at the Justice Department, and Bryan Vorndran, assistant director of the cyber division at the FBI, told an audience at the Billington Cybersecurity conference this week that the agencies were justified in the actions taken to stop the Hafnium campaign by Chinese state actors and the Cyclops Blink operation by Russian army hackers.
    Both operations involved warrants that allowed government agents to go into devices and remove malware installed by hackers from both countries.

    Reply
  33. Tomi Engdahl says:

    Credential Gathering From Third-Party Software https://unit42.paloaltonetworks.com/credential-gathering-third-party-software/
    There is a constant debate between usability and security in the software world. Many third-party programs can make their users’ lives easier and save them time by storing their credentials. However, as it turns out, this convenience often comes at the price of poor security, causing the risk of password theft. Credentials gathered in this manner can then be used during an actual cyberattack. In this article, we will explain the dangers of credential theft. We will examine some common third-party software scenarios related to credential gathering, looking into how passwords are stored, how they can be retrieved and how to monitor these actions based on real-world attack scenarios.

    Reply
  34. Tomi Engdahl says:

    Profiling DEV-0270: PHOSPHORUS’ ransomware operations https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
    Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
    Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns.

    Reply
  35. Tomi Engdahl says:

    US Gov Issues Guidance for Developers to Secure Software Supply Chain
    https://www.securityweek.com/us-gov-issues-guidance-developers-secure-software-supply-chain
    Three U.S. government agencies — the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) — have announced the release of the first part of a three-part joint guidance on securing the software supply chain.
    “This document will provide guidance in line with industry best practices and principles which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure,” the group said.

    Reply
  36. Tomi Engdahl says:

    Linux malware on a rise reaching all-time high in H1 2022
    https://atlasvpn.com/blog/linux-malware-on-a-rise-reaching-all-time-high-in-h1-2022

    Ruth C. | July 27, 2022

    Until recently, cybercriminals have largely ignored Linux compared to other more popular operating systems. However, the new data shows that cyber attack trends are shifting.

    According to the data presented by the Atlas VPN team, the number of new Linux malware reached record highs in the first half of 2022, as nearly 1.7 million samples were discovered.

    Compared to the same period last year, when 226,324 samples were found, new Linux malware numbers soared by close to 650%.

    Reply
  37. Tomi Engdahl says:

    Cybersecurity – the More Things Change, the More They Are The Same
    https://www.securityweek.com/cybersecurity-more-things-change-more-they-are-same

    Security teams need an architecture where disparate systems and sources that talk in different languages and use different formats can communicate

    In the cybersecurity industry, the more things change, the more they stay the same. We pride ourselves on innovation; however, this adage seems like a fitting description for our current cycle of innovation, where new tools, solutions and approaches come to market with some new acronym.

    We have alphabet soup with terms like SIEM, SOAR, TIP, TDIR and XDR that lead to confusion, not to a path to solve broad security problems.

    We keep searching for that silver bullet, but there really is no silver bullet in security. Maybe that is because we keep looking at the challenge of security through the lens of a tool or solution versus the broader picture of getting the pieces to work together in a single architecture.

    The bad guys look at the entire playing field. Defenders need to as well.

    There are some encouraging signs that this cycle may be ending. We are starting to hear more about architectures, including some new debates on whether an approach should be considered a solution or viewed as an architecture. One recent example is the cybersecurity mesh architecture (CSMA) by Gartner. Gartner states that CSMA provides the foundation for people and machines to connect securely from multiple locations across hybrid and multicloud environments, channels, and diverse generations of applications, protecting all the organization’s digital assets. Sounds like exactly what is needed in today’s increasingly cloud-based world. But what is it going to take to correlate the identities of people with something that happened in the SIEM or on the network or to correlate machine identity with email or another cloud application?

    What is needed is an architecture where disparate systems and sources that talk in different languages and use different formats can communicate. Sounds similar to other recent concepts, especially the evolution of Extended Detection and Response (XDR) and, before that, to Security Orchestration Automation and Response (SOAR).

    The promise of XDR is to enable detection and response across the enterprise, which requires ALL tools and ALL teams working in concert. Chasing the newest acronym, vendors were quick to jump on the bandwagon and recast their tools as XDR solutions. But whether a vendor proposes a closed ecosystem or an approach where they start with a core capability and build from there, the universal truth is that organizations have tools from multiple providers, and the appetite to rip and replace is low in the near-term. Not to mention the fact that new vendors and solutions will continue to emerge given the ongoing innovation required to keep up with new use cases, threats and threat vectors. This has led to a debate on whether XDR is a solution or really an architectural approach whereby open interoperability between existing security technologies and new capabilities enables detection and response across the enterprise.

    Prior to XDR, when the SOAR product category emerged, we had a similar discussion. Over time, organizations began to realize that to be effective SOAR couldn’t be about just running the same processes over and over again.

    Detection and response are dynamic and variable.

    Breaking the cycle with open interoperability

    Even though things have changed—from SOAR to XDR to CSMA—they have also stayed the same. These new categories are not solutions but really architectures. At least CSMA is being positioned as an architecture out of the gate, which may keep the industry on a faster path to delivering value. As Gartner states up front, “IT leaders must integrate security tools into a cooperative ecosystem.” But how are security teams going to connect the dots between people and machines across their organization’s environment, including hybrid and multicloud?

    To begin with, integration must be broad to cover a range of tools, including all internal data sources – the SIEM system, log management repository, identity management, endpoint, network, case management system and other security infrastructure – on premise and in the cloud. It must also integrate with the multiple external data sources organizations subscribe to – commercial, open source, government, industry and existing security vendors. This requires a combination of out-of-the-box connectors for popular data sources, and custom connectors that can be written and deployed within hours.

  38. Tomi Engdahl says:

    Carly Page / TechCrunch:
    Cisco Talos: the Lazarus group exploited the Log4j flaw in VMware Horizon servers of energy providers in the US, Canada, and Japan from February to July 2022

    North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies
    https://techcrunch.com/2022/09/08/north-korea-lazarus-united-states-energy/

    Security researchers have linked a new cyber espionage campaign targeting U.S., Canadian and Japanese energy providers to the North Korean state-sponsored Lazarus hacking group.

    Threat intelligence company Cisco Talos said Thursday that it has observed Lazarus — also known as APT38 — targeting unnamed energy providers in the United States, Canada and Japan between February and July this year. According to Cisco’s research, the hackers used a year-old vulnerability in Log4j, known as Log4Shell, to compromise internet-exposed VMware Horizon servers to establish an initial foothold onto a victim’s enterprise network, before deploying bespoke malware known as “VSingle” and “YamaBot” to establish long-term persistent access. YamaBot was recently attributed to the Lazarus APT by Japan’s national cyber emergency response team, known as CERT.

