Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
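The patching problem described above is mostly one of transitive dependencies: a project may have bumped its own Log4j version while a library it depends on still pulls in an old one. As an added example (not code from the SecurityWeek article or from Google's open-source team), here is a Python scanner that reads `mvn dependency:tree` output, finds every `log4j-core` occurrence, direct or transitive, and flags versions below a configurable patched baseline. The sample tree is constructed, and the `MIN_SAFE_VERSION` of 2.17.1 is this example's assumption; take the real baseline from the current Apache advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Lowest log4j-core version this example treats as patched. This value is the
# example's assumption; take the real baseline from the current Apache advisory.
MIN_SAFE_VERSION = "2.17.1"

# One "mvn dependency:tree" line: group:artifact:packaging:version:scope
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<pkg>\w+):(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample output. The "legacy-lib" entry shows a vulnerable copy
# arriving transitively, which is where patching hiccups usually hide.
SAMPLE_TREE = r"""
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.example:legacy-lib:jar:3.2:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.0-beta9:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""


def version_key(version: str) -> Tuple:
    """Sortable key for Maven-style versions such as 2.17.1 or 2.0-beta9.
    A pre-release tag (beta, rc) ranks below the final release of the same number."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    nums += (0,) * (3 - len(nums))            # 2.17 compares equal to 2.17.0
    if pre:
        tag = re.match(r"([A-Za-z]*)(\d*)", pre)
        return nums + (0, tag.group(1).lower(), int(tag.group(2) or 0))
    return nums + (1, "", 0)


@dataclass
class Finding:
    version: str
    scope: str
    vulnerable: bool


def scan_dependency_tree(tree_text: str, min_safe: str = MIN_SAFE_VERSION) -> List[Finding]:
    """One Finding per log4j-core line in the tree, direct or transitive."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        if m.group("group") != "org.apache.logging.log4j" or m.group("artifact") != "log4j-core":
            continue
        version = m.group("version")
        findings.append(Finding(version, m.group("scope"),
                                version_key(version) < version_key(min_safe)))
    return findings


def vulnerable_versions(tree_text: str, min_safe: str = MIN_SAFE_VERSION) -> List[str]:
    """Distinct log4j-core versions below the baseline, oldest first."""
    bad = {f.version for f in scan_dependency_tree(tree_text, min_safe) if f.vulnerable}
    return sorted(bad, key=version_key)


if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE):
        state = "VULNERABLE" if f.vulnerable else "ok"
        print(f"log4j-core {f.version:10} scope={f.scope:8} {state}")
```

Run it against real output with `mvn dependency:tree | python scan.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the point of scanning the resolved tree rather than the project's own `pom.xml` is that the 2.0-beta9 copy above never appears in the project's declared dependencies.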
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn’t not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being reworked
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structure will also come in the smart phones. The new Armv9-A architecture last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Common Cloud-Native Security Misconfigurations & Fixes https://www.trendmicro.com/en_us/devops/22/i/cloud-native-security-misconfigurations-solutions.html
Cloud configuration errors are a significant concern for stakeholders invested in modern DevOps processes, thanks to the quantity of cloud-native software used in production environments these days (think of microservices, as well as serverless and containerized workloads such as Kubernetes). Misconfigured cloud environments can result in everything from poor performance, to system downtime, to data breaches. Cloud-native architectures mean the introduction of new attack surfaces. Complex architectures with various network stack components can be involved in volatile Kubernetes pod scenarios, microservices architectures primarily relying on API-based integration across systems, or applications running outside the managed cloud environment. This article provides insight into some common cloud configuration errors and how to recognize them.
Tomi Engdahl says:
Management and employees disagree about the productivity of remote work; work is monitored even by tracking mouse clicks and keystrokes https://www.tivi.fi/uutiset/tv/30ff166c-9c79-4fce-9c26-fda8e247094c
Microsoft CEO Satya Nadella is worried about the gap between management and employees, at least when it comes to remote work.
According to Nadella, many managers suffer from “productivity paranoia”, in which a remote-working employee is suspected of slacking off during working hours. The New York Times writes that some managers have gone so far as to outright spy on their remote-working employees, among other things by tracking mouse clicks and keystrokes. Some even have random photos taken of their staff to make sure they are actually spending time at their work computer.
Tomi Engdahl says:
What’s Going on With Cybersecurity VC Investments?
https://www.securityweek.com/whats-going-cybersecurity-vc-investments
Tomi Engdahl says:
CISA Issues Guidance on Transitioning to TLP 2.0
https://www.securityweek.com/cisa-issues-guidance-transitioning-tlp-20
The US Cybersecurity and Infrastructure Security Agency (CISA) this week published a user guide to help organizations prepare for the November 1, 2022, move from Traffic Light Protocol (TLP) version 1.0 to TLP 2.0.
TLP is used to inform recipients of sensitive information on the extent to which they may share the provided data, and relies on four labels to indicate sharing boundaries that recipients can apply.
In TLP 1.0, these four labels are TLP:RED, TLP:AMBER, TLP:GREEN, and TLP:WHITE, and restrict the sharing of information to specific participants only, to participants’ organizations, to the community, or allow full disclosure, respectively.
Changes that TLP 2.0 brings include the replacement of TLP:WHITE with TLP:CLEAR and the inclusion of TLP:AMBER+STRICT to supplement TLP:AMBER.
Thus, starting with TLP 2.0, the sharing of information will be restricted to individual recipients only, to the recipient’s organization and its clients (TLP:AMBER+STRICT will restrict the sharing to the organization only), or to the recipient’s community, or can be shared to the world.
The TLP labels can be inserted within documents (in the header and footer of each page), in automated information exchanges, emails and chats (directly prior to the information itself), and even in verbal discussions, the fact sheet on moving to TLP 2.0 explains.
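Because the labels are meant to travel in headers, footers and subject lines, the transition is something a mail or chat gateway can check mechanically. As an added example (not code from CISA or from the SecurityWeek article), here is a small Python policy check that extracts a TLP marking from a line of text, maps the legacy TLP:WHITE onto TLP:CLEAR, and decides whether forwarding to a given audience is allowed under the TLP 2.0 sharing boundaries summarized above. The audience names and the sample subject lines are this example's own constructions.

```python
import re
from typing import Optional

# Audiences from narrowest to widest; a label permits sharing with every
# audience up to and including its own. These names are the example's own.
AUDIENCES = ("individual", "organization", "organization_and_clients", "community", "public")

# TLP 2.0 labels and the widest audience each allows, as summarized in the article.
TLP2_SCOPE = {
    "TLP:RED": "individual",
    "TLP:AMBER+STRICT": "organization",
    "TLP:AMBER": "organization_and_clients",
    "TLP:GREEN": "community",
    "TLP:CLEAR": "public",
}

# TLP 1.0 names that change under 2.0; the other labels keep their names.
TLP1_RENAMES = {"TLP:WHITE": "TLP:CLEAR"}

# AMBER+STRICT is listed before AMBER so the longer marking wins.
LABEL_RE = re.compile(r"\bTLP:(?:RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)\b", re.IGNORECASE)


def normalize(label: str) -> str:
    """Upper-case a marking and map TLP 1.0 names to their TLP 2.0 equivalent."""
    label = label.strip().upper()
    label = TLP1_RENAMES.get(label, label)
    if label not in TLP2_SCOPE:
        raise ValueError(f"unknown TLP label: {label!r}")
    return label


def extract_label(text: str) -> Optional[str]:
    """Return the first TLP marking found in a header, footer, subject or chat line."""
    m = LABEL_RE.search(text)
    return normalize(m.group(0)) if m else None


def can_share(label: str, audience: str) -> bool:
    """True if the marking permits passing the information on to the audience."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience!r}")
    return AUDIENCES.index(audience) <= AUDIENCES.index(TLP2_SCOPE[normalize(label)])


def check_forward(message_header: str, audience: str) -> str:
    """Decision a gateway could log before a marked message is forwarded."""
    label = extract_label(message_header)
    if label is None:
        return "NO-MARKING"   # unmarked is not the same as TLP:CLEAR; apply local policy
    return "ALLOW" if can_share(label, audience) else f"BLOCK ({label})"


# Constructed sample subject lines.
SAMPLE_HEADERS = [
    "Subject: [TLP:AMBER+STRICT] Incident 42 host indicators",
    "Subject: tlp:white weekly advisory digest",    # legacy TLP 1.0 marking
    "Subject: Quarterly planning notes",            # no marking at all
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        decisions = {a: check_forward(header, a)
                     for a in ("organization", "organization_and_clients", "public")}
        print(header, "->", decisions)
```

Two design points worth keeping when adapting this: an unmarked message is reported separately rather than treated as TLP:CLEAR, and the regex tries `AMBER+STRICT` before `AMBER` so that the stricter marking is never silently downgraded.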
Tomi Engdahl says:
Multi-Cloud Networks Require Cloud-Native Protection
https://www.securityweek.com/multi-cloud-networks-require-cloud-native-protection
according to Gartner, 80% of organizations are at some stage of vendor and solution consolidation. Because while protecting cloud workloads is essential, undue complexity can impact their ability to detect and respond to threats, especially when events lack context from the cloud control plane. Furthermore, separate tools can generate hundreds of alerts that must be hunted down by hand to understand their scope and context, leading to alert fatigue and inaccurate prioritization. As a result, cloud threats can accumulate faster than they can be resolved.
The problem is even worse in multi-cloud environments. Of course, every cloud service provider (CSP) offers security services to address vulnerability management, threat detection, risk management, data security, and auditing. However, these solutions are only available on their own platform, and few security vendors offer solutions that integrate with or across different cloud providers. As a result, security teams, particularly those that have to work across multi- and hybrid clouds, struggle to rationalize alerts, prioritize risks, and deliver comprehensive remediation. Instead, they are dealt a hand filled with complexity and visibility gaps.
Tomi Engdahl says:
https://www.gartner.com/smarterwithgartner/gartner-top-security-and-risk-trends-for-2021
Tomi Engdahl says:
‘Protestware’ is on the rise, with programmers self-sabotaging their own code. Should we be worried?
https://theconversation.com/protestware-is-on-the-rise-with-programmers-self-sabotaging-their-own-code-should-we-be-worried-190836#Echobox=1664315894
New Hacktivism Model Trends Worldwide
https://blog.checkpoint.com/2022/10/03/new-hacktivism-model-trends-worldwide/
Check Point Research outlines a new model of hacktivism now trending worldwide. Five characteristics mark today’s form of hacktivism, according to researchers: political ideology, leadership hierarchy, formal recruiting, advanced tools and public relations. CPR gives the hacktivist group Killnet as an example of the latest model, detailing its attacks by country and attack timeline. CPR warns that hacktivism that originates in conflict-related geographies has the potential to scale worldwide. Before, hacktivism was mostly focused on few individuals carrying small scale DDoS and defacement attacks. Now, hacktivism is better organized, structured and sophisticated. CPR believes the new model of hacktivism began in conflict areas in the Middle East and Eastern Europe and proliferated to other areas during 2022.
Tomi Engdahl says:
What would happen if a telecommunications cable on the bottom of the Baltic Sea were cut? The authority answers https://www.kauppalehti.fi/uutiset/mita-tapahtuisi-jos-itameren-pohjassa-oleva-tietoliikennekaapeli-menisi-poikki-viranomainen-vastaa/81d26302-46fc-4151-86d6-a552a6f7ef3e
The damage to the Nord Stream gas pipelines has caused a stir in Europe and beyond. It has been publicly suspected that a state actor was behind the leak. In the tense political situation, concern has been raised by the thought that similar sabotage could target the telecommunications cables lying on the bottom of the Baltic Sea.
Numerous such cables leave Finland, for example towards Sweden, Germany and Estonia. A bulletin published by the National Emergency Supply Agency (Huoltovarmuuskeskus) states that international telecommunications connections are protected by several different means. Cutting off the connections would require several simultaneous incidents. Preparedness for such situations has been invested in for a long time already.
Tomi Engdahl says:
Finland’s telecommunications connections are protected in many ways https://www.huoltovarmuuskeskus.fi/a/suomen-tietoliikenneyhteydet-suojattu-monin-tavoin
The Nord Stream gas pipelines damaged on the bottom of the Baltic Sea have raised concern about whether the same could happen to the telecommunications cables running along the bottom of the Baltic Sea. International telecommunications connections are, however, protected in many ways, and cutting off the connections would require several simultaneous incidents.
Tomi Engdahl says:
Is OTP a Viable Alternative to NIST’s Post-Quantum Algorithms?
https://www.securityweek.com/otp-viable-alternative-nists-post-quantum-algorithms
The quantum threat to RSA-based encryption is deemed to be so pressing that NIST is seeking a quantum safe alternative.
The cracking of the SIKE encryption algorithm (deemed to be on its way to NIST standardization) on a single classical PC should make us evaluate our preconceptions on what is necessary for the post-quantum era. SecurityWeek has spoken to several cryptography experts to discuss the implications of the SIKE crack.
So, since no mathematical encryption can be proven secure, any communication using that algorithm can be decrypted if the algorithm can be broken – and SIKE demonstrates that it doesn’t always require quantum power to do so. So, at the very best, NIST’s quantum safe algorithms provide no guarantee of long-lasting security.
“There are multiple research organizations and companies working on these problems,” says Bledsoe. “In the future we will see algorithms based on OTP concepts that have answers to the current shortcomings. They will leverage information theory and become viable options as an alternative to NIST-approved algorithms.”
The pros and cons of OTP
The NIST competition is solely focused on developing new encryption algorithms that should, theoretically, survive quantum decryption. In other words, it is an incremental advance on the current status quo. This will produce quantum safe encryption. But quantum safe is not the same as quantum secure; that is, encrypted communications will only remain encrypted until the encryption is broken.
History and mathematical theory suggest this will inevitably, eventually, happen. When that does happen, we will be back to the same situation as today, and all data harvested during the use of the broken algorithm will be decrypted by the adversary. Since there is an alternative approach – the one-time pad – that is secure against quantum decryption, we should consider why this approach isn’t also being pursued.
SecurityWeek spoke to senior advocates on both sides: NIST’s computer security mathematician Dustin Moody, and Qrypt’s cofounder and CTO Denis Mandich.
Moody accepts that one-time pads provide theoretically perfect security, but suggests their use has several drawbacks that make them impractical. “The one-time pad,” he said, “must be generated by a source of true randomness, and not a pseudo-random process. This is not as trivial as it sounds at first glance.”
Mandich agrees with this, but comments, “[This is] why Qrypt uses quantum random number generators (QRNGs) licensed from the Oak Ridge National Laboratory and the Los Alamos National Laboratory.” These are quantum entropy sources that are the only known source of genuine randomness in science. (See Mitigating Threats to Encryption From Quantum and Bad Random for more information on QRNGs.)
Moody also suggests that OTP size is a problem. “The one-time pad must be as long as the message which is to be encrypted,” he said. “If you wish to encrypt a long message, the size of the one-time pad will be much larger than key sizes of the algorithms we [NIST] selected.”
Again, Mandich agrees, saying the trade-off for higher security is longer keys. “This is true for 100% of all crypto systems,” he says: “the smaller the keys, the less security is a general statement.” But he adds, “One of the other [NIST] finalists is ‘Classic McEliece’ which also has enormous key sizes but will likely be standardized. In many common use cases, like messaging and small files, McEliece keys will be much larger than OTPs.”
Moody’s next concern is authentication. “There is no way to provide authentication using one-time pads,” he said.
Here, Mandich simply disagrees. “Authentication can be provided for any type of data or endpoint.” He thinks the idea may stem from the NSA’s objection to QKD. The NSA has said, “QKD does not provide a means to authenticate the QKD transmission source.”
But Mandich adds, “A simple counter example is that the OTP of an arbitrary length may be hashed and sent in the clear between parties to authenticate that they have the same OTP. This could be appended to the encrypted data.”
“As the name implies,” said Moody, “one-time pads can only be used once. This makes them very impractical.”
But Mandich responds, “This is the trade-off to achieve higher security. Re-use of encryption keys means that breaking or getting access to the key facilitates decryption of all the previously encrypted data. OTPs are only used once, so if someone gets access to one OTP, it does not help in any other decryption.”
For Moody, the biggest problem for OTPs is the exchange of ‘keys’. “Probably the most major drawback,” he told SecurityWeek, “is that to use a one-time pad with another party, you must have securely exchanged the secret one time pad itself with the other party.”
He believes this distribution at scale is impossible and doesn’t work where the requirement is to communicate with another party that hasn’t been communicated with before. “You could send the one-time pad through the mail or via a courier, but not electronically,” he continued. “And if you could securely send the one-time pad, why didn’t you just send the message you wanted to share with the other party? Which makes the one-time pad not needed.”
Mandich points out that the difficulties in key transfer and distribution at scale apply equally to all the public key encryption keys currently being considered by NIST. “There is nothing unique about OTPs other than size,” he said. “OTPs can be generated continuously and consumed when the messages are created at a later date. There is no reason to do it simultaneously unless it is a realtime communications channel.” He adds that combining keys for decryption with the encrypted data makes it easy to attack. “Decoupling these two mechanisms [as with OTPs] makes it almost impossible.”
Finally, comments Moody, “Modern cryptosystems overcome these obstacles and are very efficient.”
Mandich concedes this point but refers to the distinction between NIST’s quantum safe approach, and the OTP’s ability to be quantum secure. “Modern systems are very efficient and a one-size-fits-all solution – but at the cost of less security. Obstacles to using OTPs have long been overcome by the cloud, high bandwidth networks, and distributed and decentralized data centers. The PQC evolution from RSA is just changing an algorithm based on a 1970s pre-internet architecture, when Alice and Bob were connected by a single copper wire channel and a few network switches.”
NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC
https://www.securityweek.com/nist-post-quantum-algorithm-finalist-cracked-using-classical-pc
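The properties Moody and Mandich argue over above (a pad drawn from true randomness, as long as the message, used exactly once, and a hash of the pad exchanged in the clear as a shared-pad check) in runnable form. This is an added example, not code from the article, NIST or Qrypt; the PadStore class, the function names and the message strings are constructed for the illustration.

```python
import hashlib
import secrets


def generate_pad(length: int) -> bytes:
    """Draw pad bytes from the OS cryptographic RNG, never from a seeded PRNG.

    A hardware/quantum entropy source would replace this call in a real
    deployment; the point is that a pseudo-random pad is not a one-time pad.
    """
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt with a one-time pad; XOR is its own inverse.

    The pad must be at least as long as the data. A shorter pad would have
    to be repeated, and a repeated pad is no longer a one-time pad.
    """
    if len(pad) < len(data):
        raise ValueError("pad is shorter than the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_fingerprint(pad: bytes) -> str:
    """Digest of the pad that can travel in the clear so both parties can
    confirm they hold the same pad (the key-confirmation idea quoted above).
    The digest reveals nothing usable about the pad bytes themselves."""
    return hashlib.sha256(pad).hexdigest()


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What a passive observer computes when one pad encrypts two messages:
    ct1 XOR ct2 == m1 XOR m2, with the pad cancelled out entirely."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def decoy_pad(ciphertext: bytes, decoy_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for any plaintext of the same length there
    is a pad that turns this ciphertext into it, so the ciphertext alone cannot
    tell the real message apart from the decoy."""
    return otp_xor(ciphertext, decoy_plaintext)


class PadStore:
    """Hands out pad bytes exactly once; consumed material is never reissued."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._offset = 0

    def fingerprint(self) -> str:
        return pad_fingerprint(self._pad)

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise RuntimeError("pad exhausted: refusing to reuse pad material")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk


if __name__ == "__main__":
    # Constructed demo: both parties hold the same 64-byte pad, delivered out of band.
    pad = generate_pad(64)
    alice, bob = PadStore(pad), PadStore(pad)
    print("same pad on both ends:", alice.fingerprint() == bob.fingerprint())

    m1, m2 = b"attack at dawn!!", b"retreat at dusk!"
    ct1 = otp_xor(m1, alice.take(16))
    ct2 = otp_xor(m2, alice.take(16))
    print("bob reads:", otp_xor(ct1, bob.take(16)), otp_xor(ct2, bob.take(16)))

    # Misuse: encrypt m2 with the same 16 bytes already spent on m1.
    ct2_reused = otp_xor(m2, pad[:16])
    leaked = reuse_leak(ct1, ct2_reused)
    print("reuse leaks m1 XOR m2:", leaked == bytes(a ^ b for a, b in zip(m1, m2)))
```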
Tomi Engdahl says:
White House Unveils Artificial Intelligence ‘Bill of Rights’
https://www.securityweek.com/white-house-unveils-artificial-intelligence-%E2%80%98bill-rights%E2%80%99
The Biden administration unveiled a set of far-reaching goals Tuesday aimed at averting harms caused by the rise of artificial intelligence systems, including guidelines for how to protect people’s personal data and limit surveillance.
The Blueprint for an AI Bill of Rights notably does not set out specific enforcement actions, but instead is intended as a White House call to action for the U.S. government to safeguard digital and civil rights in an AI-fueled world, officials said.
“This is the Biden-Harris administration really saying that we need to work together, not only just across government, but across all sectors, to really put equity at the center and civil rights at the center of the ways that we make and use and govern technologies,” said Alondra Nelson, deputy director for science and society at the White House Office of Science and Technology Policy. “We can and should expect better and demand better from our technologies.”
The office said the white paper represents a major advance in the administration’s agenda to hold technology companies accountable, and highlighted various federal agencies’ commitments to weighing new rules and studying the specific impacts of AI technologies. The document emerged after a year-long consultation with more than two dozen different departments, and also incorporates feedback from civil society groups, technologists, industry researchers and tech companies including Palantir and Microsoft.
It puts forward five core principles that the White House says should be built into AI systems to limit the impacts of algorithmic bias, give users control over their data and ensure that automated systems are used safely and transparently.
Tomi Engdahl says:
Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack
https://www.securityweek.com/critical-packagist-vulnerability-could-have-allowed-php-supply-chain-attack
Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community.
Packagist is the default repository for PHP dependency manager Composer, aggregating public PHP packages that can be installed using Composer. Each month, Composer is used to download more than 2 billion packages.
According to Sonar’s security researchers, the recently identified vulnerability could have been used to hijack over 100 million requests to distribute malicious dependencies, leading to the potential compromise of millions of servers.
“Since Composer is the standard package manager for PHP, most open-source and commercial PHP projects would have been impacted,” Sonar says.
Tracked as CVE-2022-24828, the vulnerability is described as a command injection issue that could allow an attacker to control input that is interpreted as parameters for commands executed by Composer.
Because of this vulnerability, a user controlling a Git or Mercurial repository could target Packagist.org and Private Packagist by injecting parameters into the $file argument (impacting the Mercurial driver) or the $identifier argument (with impact on both Git and Mercurial drivers).
“Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project’s composer.json,” Composer’s maintainers note.
Missing input validation can lead to command execution via VcsDriver::getFileContent()
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
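An added illustration of the argument-injection class described above, written in Python for this page and not Composer's own code or its patch: reading a file at a VCS identifier, with the weak string-building form beside a hardened form that validates the identifier and the path before invoking git. The validation is an assumed subset of git's refname rules plus a no-leading-dash check; the names is_safe_ref_name, is_safe_repo_path, hardened_argv and get_file_content are constructed for the example.

```python
import subprocess

# Subset of git's refname rules (see git-check-ref-format) plus "no leading '-'",
# written for this example. The leading-dash rule is the one that matters for
# argument injection: a value beginning with '-' is parsed by the VCS binary as
# an option rather than as a branch, tag or revision.
_FORBIDDEN = set(" ~^:?*[\\") | {chr(c) for c in range(0x20)} | {chr(0x7F)}


def is_safe_ref_name(name: str) -> bool:
    """Accept only names git itself would accept and that cannot look like options."""
    if not name or name == "@" or name.startswith("-"):
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    if "//" in name or ".." in name or "@{" in name:
        return False
    if any(ch in _FORBIDDEN for ch in name):
        return False
    return all(
        part and not part.startswith(".") and not part.endswith(".lock")
        for part in name.split("/")
    )


def is_safe_repo_path(path: str) -> bool:
    """A path inside the repository: relative, no traversal, no option-like prefix."""
    if not path or path.startswith(("-", "/")) or "\0" in path:
        return False
    return all(part not in ("", ".", "..") for part in path.split("/"))


def vulnerable_command(identifier: str, file: str) -> str:
    """Weak form: untrusted values interpolated into a shell command string.

    A branch name that starts with '-' (or carries shell metacharacters)
    changes what the command does instead of naming a revision.
    """
    return f"git show {identifier}:{file}"


def hardened_argv(identifier: str, file: str) -> list:
    """Hardened form: validate both inputs, then build an argv list so that no
    shell parses the command and the revision operand can never begin with '-'."""
    if not is_safe_ref_name(identifier):
        raise ValueError(f"rejected VCS identifier: {identifier!r}")
    if not is_safe_repo_path(file):
        raise ValueError(f"rejected repository path: {file!r}")
    return ["git", "show", f"{identifier}:{file}"]


def get_file_content(repo_dir: str, identifier: str, file: str) -> bytes:
    """Read one file at one revision from a local checkout via the hardened argv."""
    result = subprocess.run(
        hardened_argv(identifier, file),
        cwd=repo_dir,
        capture_output=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: honest branch names and two that only look like one.
    for ident in ("main", "release/2.0", "--not-a-branch", "feat..oops"):
        try:
            print(hardened_argv(ident, "composer.json"))
        except ValueError as exc:
            print("blocked:", exc)
```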
Tomi Engdahl says:
DHS Tells Federal Agencies to Improve Asset Visibility, Vulnerability Detection
https://www.securityweek.com/dhs-tells-federal-agencies-improve-asset-visibility-vulnerability-detection
The Cybersecurity and Infrastructure Security Agency (CISA) this week published Binding Operational Directive 23-01 (BOD 23-01), which requires federal agencies to take the necessary steps to improve their asset visibility and vulnerability detection capabilities within the next six months.
BOD 23-01 is the latest in a series of BODs meant to direct federal agencies towards better securing their environments against web and software vulnerabilities, either by patching them fast (BOD 19-02), by hunting for known vulnerabilities (BOD 22-01) or by defining and publishing a vulnerability disclosure policy (BOD 20-01).
“A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. […] Federal agencies are required to comply with these directives,” CISA explains.
According to the agency, BOD 23-01 is meant to help federal agencies improve their cybersecurity management capabilities by gaining visibility into all assets in their networks and the vulnerabilities impacting them.
Tomi Engdahl says:
Webinar Today: The Ultimate Insider’s Guide to DDoS Mitigation Strategies
https://www.securityweek.com/webinar-today-ultimate-insiders-guide-ddos-mitigation-strategies
Tomi Engdahl says:
The Baltic Sea floor plan
https://www.iltalehti.fi/ulkomaat/a/c4f4bd8e-3883-49f9-82fa-ed574c219345
Besides the Nord Stream gas pipelines, Russia could blow up Finland's telecommunications connections. A few years ago Russia needed them itself, but perhaps no longer. Under normal conditions, there is no way to prevent the connections from being cut.
Tomi Engdahl says:
SCADA Systems Involved in Many Breaches Suffered by US Ports, Terminals
https://www.securityweek.com/scada-systems-involved-many-breaches-suffered-us-ports-terminals
Law firm Jones Walker has published the results of a survey focusing on the cybersecurity preparedness of ports and terminals in the United States.
According to Jones Walker’s 2022 Ports and Terminals Cybersecurity Survey, there has been a significant increase in cyberattacks targeting this sector, and while a vast majority of the respondents claim they are prepared to handle cyber threats, many have confirmed suffering breaches in the past year.
The report is based on the responses of 125 C-suite executives, directors, security and compliance officers, and general counsel from the ports and terminals industry. The data was collected in May and comes from both blue- and brown-water facilities across the United States.
More than 90% of respondents were very confident in their overall level of cybersecurity and preparedness to withstand a cyber incident.
However, 55% said they had detected an attempt to breach their environment and 45% admitted suffering some type of breach within the past year. Fourteen percent said the incident resulted in data getting encrypted or becoming inaccessible, and 11% said the breach resulted in data exfiltration.
When asked about the types of systems involved in data breaches, 36% named supervisory control and data acquisition (SCADA) systems and 32% named field device management systems.
In addition, SCADA has been named the top ‘cybersecurity vulnerability’ of US ports and terminals.
When asked to describe the type or nature of the attack that resulted in their facility’s systems getting compromised, RDP was the top response (38%), followed by malware (26%), hacking (24%), social engineering (22%), ransomware (20%), and business email compromise (18%).
Nearly two-thirds of respondents said a solo threat actor was responsible for breaching their systems, followed at a distance by organized crime groups. State-sponsored hackers have only been blamed in 14% of cases, but they are seen by many as one of the main threats.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/14084-usa-n-ydinaseiden-kyberturvassa-paljon-puutteita
Tomi Engdahl says:
Well. For a long time there has been worry about election fraud, but the real problem is that election fraud is claimed to have happened even when it hasn't, and people believe it.
Americans' trust in elections has collapsed; the path may lead towards revolution, says an election security expert
https://yle.fi/uutiset/3-12639840
Harri Hursti knows almost everything about the voting machines used in the United States. He is currently the best-known Finn in the American media after Sanna Marin.
Tomi Engdahl says:
FBI, CISA Say Malicious Cyber Activity Unlikely to Disrupt Election
https://www.securityweek.com/fbi-cisa-say-malicious-cyber-activity-unlikely-disrupt-election
The FBI and CISA have issued a public service announcement (PSA) to say that, based on their assessment, malicious cyber activities are unlikely to significantly disrupt the upcoming midterm elections in the United States.
The agencies have been tracking threat actors’ attempts to compromise election infrastructure, but said these attempts were localized and they were blocked or mitigated with minimal or no disruption. They are confident that threat actors are unlikely to be able to cause any large-scale disruption or prevent people from voting.
“As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information,” the PSA reads.
The FBI and CISA warn that threat actors continue to be interested in election systems hosting voter registration information and ones that manage non-voting election processes. They also spread or amplify false claims of election infrastructure getting compromised.
However, the agencies say these attempts cannot prevent voting or the accurate reporting of election results. In addition, they have assured the public that technological, procedural and physical controls are in place to prevent malicious cyber actors from altering votes or blocking people from voting.
The FBI warned earlier this year that US election officials had been targeted in phishing attacks.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Fake LinkedIn executive profiles, which pair AI-generated photos with text from real accounts, are becoming headaches for HR departments and invite-only groups — A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site …
Glut of Fake LinkedIn Profiles Pits HR Against the Bots
https://krebsonsecurity.com/2022/10/glut-of-fake-linkedin-profiles-pits-hr-against-the-bots/
A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.
Tomi Engdahl says:
Malware propagation methods
https://www.kaspersky.com/blog/malware-propagation-methods/45747/
Logic dictates that the most reliable way to prevent a cyberincident is to stop malware from penetrating the corporate infrastructure. So, when developing an information security strategy, experts often focus on the most obvious attack vectors like through e-mail. Most attacks do indeed start with an e-mail, but don’t forget that cybercriminals have many other malware delivery methods up their digital sleeve.
Experts from Kaspersky’s Global Research & Analysis Team have been talking about uncommon methods used to infect and spread malware that they’ve come across while analyzing recent threats.
Tomi Engdahl says:
FBI: Cyberattacks targeting election systems unlikely to affect results https://www.bleepingcomputer.com/news/security/fbi-cyberattacks-targeting-election-systems-unlikely-to-affect-results/
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) in a public service announcement says that cyber activity attempting to compromise election infrastructure is unlikely to cause a massive disruption or prevent voting.
Tomi Engdahl says:
FBI warns of crypto scams: this is how you recognize "pig butchering"
https://www.tivi.fi/uutiset/tv/1d9eee4f-0901-4d33-8f95-1703e333ccde
The US federal police, the FBI, warns that scams related to investing in cryptocurrencies are becoming more common. Specifically on the rise is the social engineering scheme called "pig butchering". It is a long-term scam in which the victim's trust is won by feigning friendship or romantic interest.
After this, the victim is talked into investing on an "investment platform" recommended by the scammer.
Tomi Engdahl says:
Australia moots changes to privacy laws after Optus data breach https://www.zdnet.com/article/australia-moots-changes-to-privacy-laws-after-optus-data-breach
Government is revising regulations to allow telcos to temporarily share some of their customers’ personal information, such as driver’s licence and passport numbers, with financial services institutions to facilitate monitoring and remediation in the event of a data breach.
Tomi Engdahl says:
Financial Times:
An investigation shows Amazon, Microsoft, and others destroy millions of data storage devices each year, creating huge waste when secure software wiping exists
Why Big Tech shreds millions of storage devices it could reuse
https://www.ft.com/content/31185370-87f3-4ecb-b64d-341bbc4e5c22
Tomi Engdahl says:
The Zero Day Dilemma
https://www.securityweek.com/zero-day-dilemma
The statement that corporate cyber security is broken has become a cliché, but it’s all too true. If consumers do not trust global brands to keep their data secure, something’s clearly not working. In fact, the digital world has become a very dangerous place. There are literally millions of viruses floating around out there, but the ones that pose the greatest threat are the zero-day attacks, which involve malware that has never been seen before. According to a 2020 report (PDF) from Ponemon Institute, 80 percent of successful breaches are zero day attacks.
The number of these attacks has been steadily growing, from 17 in 2017 to 80 in 2021. Google alone has suffered at least six zero day attacks already this year. And while this trend is alarming, what’s even more disturbing is the highly organized development process behind these attacks that has evolved over time.
It frequently begins with freelance “bug bounty hunters,” who comb through the code of new software releases by major players looking for vulnerabilities. It’s a little like panning for gold. Vulnerabilities are hard to find, but if you have the right combination of skill and luck, you can definitely strike it rich. One malware vendor — yes, there are “vendors” in this ecosystem — has offered $2.5 million for Android vulnerabilities, and will pay comparable sums for other operating systems and enterprise scale applications. When these organizations get their hands on a vulnerability, they’ll be able to sell it for a lot more. Vulnerabilities that lend themselves to ransomware are especially valuable because most companies that become victims have no choice but to pay.
Why are zero day exploits so effective, and so highly prized by bad actors? The reason has to do with the way cyber security defenses work.
To sum up, the problem of the zero day attack has not been solved because every approach depends on knowledge of events that have happened in the past, whether it’s known malware or known “normal” network/application behavior that serves as a benchmark for spotting malware-caused anomalies.
The ideal zero day solution would not depend on known bad URLs or patterns from the past. It would be able to intercept and evaluate URL clicks at every endpoint, isolate suspicious payloads, and actually see how they behave in isolation before passing them through. Such a solution would operate at the far left of the kill chain like spam/virus blockers, but it would not fail in the face of a zero day attack.
It has long been the conventional wisdom that preventive solutions like this are impossible to build. Now, however, given the power of the cloud, this approach is viable. Vastly superior preventive technology won’t let companies abandon their other security solutions any time soon, but for once it will put the security community ahead of the bad actors instead of having to play catch-up.
Tomi Engdahl says:
Organizations Urged to Patch Vulnerabilities Commonly Targeted by Chinese Cyberspies
https://www.securityweek.com/organizations-urged-patch-vulnerabilities-commonly-targeted-chinese-cyberspies
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published a list of the top vulnerabilities that Chinese state-sponsored cyberspies have been exploiting in attacks since 2020.
In a joint advisory, the three US agencies warn of continuous abuse of vulnerable appliances by Chinese advanced persistent threat (APT) actors in attacks targeting the US and allied nations, mainly with the purpose of stealing intellectual property and maintaining access to compromised networks.
The Chinese APTs, the US agencies say, represent “one of the largest and most dynamic threats to U.S. government and civilian networks” due to the continuous targeting of government and critical infrastructure with new and adaptive techniques.
However, Chinese hackers continue to exploit known vulnerabilities when targeting networks of interest, and the US agencies urge organizations in all sectors to apply available patches in a timely manner to prevent potential compromise.
“NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks,” the three agencies note.
“Many of the CVEs indicated […] allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks,” CISA, the FBI, and the NSA note.
The three agencies also point out that the state-sponsored actors use virtual private networks (VPNs) to hide their activities and that initial access is gained by targeting web-facing applications.
Tomi Engdahl says:
Lauren Feiner / CNBC:
Biden signs an EO to implement Privacy Shield 2.0, the EU-US data transfer framework seeking to address EU concerns of surveillance by US intelligence agencies — President Joe Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe.
Biden signs executive order with new framework to protect data transfers between the U.S. and EU
https://www.cnbc.com/2022/10/07/biden-signs-executive-order-to-protect-data-transfers-between-us-eu.html
President Joe Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe.
A European court undid an earlier version of the framework in 2020.
The new Privacy Shield seeks to address European concerns of surveillance by U.S. intelligence agencies.
President Joe Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe, the White House announced Friday.
The new framework fills a significant gap in data protections across the Atlantic since a European court undid a previous version in 2020. The court found the U.S. had too great an ability to surveil European data transferred through the earlier system.
The court case, known as Schrems II, “created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner consistent with EU law,”
The so-called Privacy Shield 2.0 seeks to address European concerns about possible surveillance by U.S. intelligence agencies.
The new framework will allow individuals in the EU to seek redress through an independent Data Protection Review Court made up of members outside of the U.S. government. That body “would have full authority to adjudicate claims and direct remedial measures as needed,” according to the March fact sheet.
The executive order directs the U.S. intelligence community to update policies and procedures to fit the new privacy protections in the framework. It also instructs the Privacy and Civil Liberties Oversight Board, an independent agency, to examine those updates and conduct an annual review of whether the intelligence community has fully adhered to binding redress decisions.
“The EU-U.S. Data Privacy Framework includes robust commitment to strengthen the privacy and civil liberties safeguards for signals intelligence, which will ensure the privacy of EU personal data,” Commerce Secretary Gina Raimondo told reporters Thursday.
The EU will then conduct an “adequacy determination” of the measures, the White House said. It will assess the sufficiency of the data protection measures in order to restore the data transfer mechanism.
American tech companies and industry groups applauded the measure, with Meta’s president of global affairs, Nick Clegg, writing on Twitter, “We welcome this update to US law which will help to preserve the open internet and keep families, businesses and communities connected, wherever they are in the world.”
But some consumer and data privacy watchdogs critiqued the extent of the data protections.
BEUC, a European consumer group, said in a release that the framework “is likely still insufficient to protect Europeans’ privacy and personal data when it crosses the Atlantic.”
Tomi Engdahl says:
This Is the ‘GrayKey 2.0,’ the Tool Cops Use to Hack Phones
Grayshift filed a series of documents with the FCC that reveal the looks of the new cellphone unlocking device.
https://www.vice.com/en/article/93an8a/this-is-the-graykey-20-the-tool-cops-use-to-hack-phones
Tomi Engdahl says:
https://wololo.net/2022/10/04/tutorial-running-the-ps5-4-03-exploit-on-windows-with-additional-dns-security-telemetry-blocking-etc/
Tomi Engdahl says:
https://www.theguardian.com/technology/2022/oct/04/ransomware-hunters-the-self-taught-tech-geniuses-fighting-cybercrime
Tomi Engdahl says:
https://www.nixu.com/blog/nixu-threat-intelligence-bulletin-russian-hackers-targeting-energy-sector-baltic-sea-region
Tomi Engdahl says:
https://danialzahoor.blogspot.com/2022/09/imhex-hex-editor-for-reverse-engineers.html
Tomi Engdahl says:
Scientists Investigating 30-Year-Old Mystery Of Rare Antigens Discover Entirely New Blood Group
Welcome to the party, Er4 and Er5.
https://www.iflscience.com/scientists-investigating-30-year-old-mystery-rare-antigens-discover-entirely-new-blood-group-65606
Tomi Engdahl says:
Biden Signs Executive Order on US-EU Personal Data Privacy
https://www.securityweek.com/biden-signs-executive-order-us-eu-personal-data-privacy
Executive order requires that US signals intelligence activities be conducted “only in pursuit of defined national security objectives”
US President Joe Biden signed an executive order on Friday designed to protect the privacy of personal data transfers between the EU and the United States and address European concerns about US intelligence collection activities.
The executive order provides a new legal framework for trans-Atlantic data flows that are critical to the digital economy, the White House said.
It will be subject to review and ratification by the European Commission, a process expected to take several months.
“This is a culmination of our joint efforts to restore trust and stability to trans-Atlantic data flows,” Commerce Secretary Gina Raimondo told reporters.
“It will enable a continued flow of data that underpins more than a trillion dollars in cross-border trade and investment every year.”
US tech giants have faced a barrage of lawsuits from EU privacy activists concerned about the ability of US intelligence services to access the personal data of Europeans.
Europe’s top court has invalidated previous arrangements after hearing complaints that US laws violate the fundamental rights of EU citizens.
The White House said the executive order addresses concerns raised by the Court of Justice of the European Union when it ruled that the previous framework known as Privacy Shield did not provide adequate protection.
Privacy Shield, struck down in July 2020, was the successor to another EU-US deal, Safe Harbor, which was itself torpedoed by a court ruling in 2015.
Businesses have since resorted to legally uncertain workarounds to keep the data flow moving, with hope that the two sides could come up with something stronger in the long term.
US officials acknowledged that the new pact will almost certainly face intense legal scrutiny that began after revelations by Edward Snowden of mass digital spying by US agencies.
Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities
https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/
Tomi Engdahl says:
Industry Reactions to Conviction of Former Uber CSO Joe Sullivan: Feedback Friday
https://www.securityweek.com/industry-reactions-conviction-former-uber-cso-joe-sullivan-feedback-friday
Former Uber security chief Joe Sullivan has been found guilty by a jury over his role in covering up a massive data breach suffered by the ride sharing giant in 2016.
Sullivan was found guilty of obstructing an FTC investigation of a 2014 data breach at Uber, and deliberately hiding a felony from authorities, charges for which he faces up to eight years in prison. Sentencing will be set at a later date.
Sullivan served as Uber’s CSO between April 2015 and November 2017. In 2016, the company suffered a breach, with hackers stealing the information of over 50 million users and drivers. The attackers extorted Uber and were paid $100,000 through the company’s bug bounty program. They were allegedly instructed by Sullivan to sign non-disclosure agreements falsely claiming that no data had been stolen.
The full impact of the incident came to light one year later, after Uber appointed a new CEO. Sullivan was fired after it was revealed that he had hidden the full extent of the breach from Uber’s new management.
The attackers, later identified as two individuals from Florida and Canada, pleaded guilty in 2019, and they appear to have been instrumental in the case against Sullivan.
Industry professionals have commented on the outcome of the case and its implications for CISOs. Some of them have shared thoughts on whether mandatory breach notification requirements, such as the ones proposed by the SEC, would make a difference in situations like this.
Sounil Yu, CISO, JupiterOne:
“This case has set a terrible precedent that creates confusion around who should take liability for decisions during an incident response event. In this particular case, it was clear that Joe Sullivan coordinated his actions with the blessing of executive management, yet Joe was the one that ended up holding the bag. This is like court-martialing a soldier but letting their commanding officer who gave the order go scot free.
We CISOs will need to closely review our incident reporting policies (perhaps with our own personal attorney) to ensure that it is clear how and when liability for certain decisions is transferred to the firm or to other identified executives. Until there is greater clarity on who owns the liability, the net effect may be that CISOs will push to report more than the executive management may be comfortable with.”
Neil Thacker, CISO, EMEA, Netskope:
“The international CISO community has been watching this one very closely, and hypothesising about the repercussions for some time. There is very little doubt among my peers that this case was about a serious misjudgment on the part of a CISO, but hindsight is a wonderful thing and we will probably never fully understand the complex factors and influences that led to his decisions. One of the biggest concerns within the community is an acknowledgment of the possible pressure that may have been exerted from other internal authorities upon the CISO, which led him to make the decisions. We won’t know the full repercussions for some time, but I would expect that we will see a number of CISOs (and aspiring CISOs) opting to make different career decisions based on this latest example of the personal risk burden, and we may see this further impacting the existing skills crisis in cyber security.”
David Lindner, CISO, Contrast Security:
“The entire situation is extremely unfortunate for Uber and the broader legal/security communities. What Uber did was cover up a breach through means of hiding it as a bug bounty submission. The conviction of the security chief is a good start but for what was disclosed there should be even more accountability of the executives and even board members.
Transparency is the only path forward for organizations. Transparency of breaches, transparency of known vulnerabilities, and transparency of the components used to build their software. Uber failed in being transparent and it has resulted in not only a fine but in the conviction of a human behind the decisions. We will see more of this if we don’t move to transparency fast.”
https://www.securityweek.com/former-uber-ciso-joe-sullivan-found-guilty
Tomi Engdahl says:
Organizations Urged to Patch Vulnerabilities Commonly Targeted by Chinese Cyberspies
https://www.securityweek.com/organizations-urged-patch-vulnerabilities-commonly-targeted-chinese-cyberspies
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published a list of the top vulnerabilities that Chinese state-sponsored cyberspies have been exploiting in attacks since 2020.
In a joint advisory, the three US agencies warn of continuous abuse of vulnerable appliances by Chinese advanced persistent threat (APT) actors in attacks targeting the US and allied nations, mainly with the purpose of stealing intellectual property and maintaining access to compromised networks.
The Chinese APTs, the US agencies say, represent “one of the largest and most dynamic threats to U.S. government and civilian networks” due to the continuous targeting of government and critical infrastructure with new and adaptive techniques.
However, Chinese hackers continue to exploit known vulnerabilities when targeting networks of interest, and the US agencies urge organizations in all sectors to apply available patches in a timely manner to prevent potential compromise.
“NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks,” the three agencies note.
The 20 top vulnerabilities that Chinese hackers have been targeting in attacks over the past two years impact popular software from Microsoft, Apache, VMware, Cisco, Atlassian, and others.
Alert (AA22-279A)
Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
Tomi Engdahl says:
Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.
Tomi Engdahl says:
TOP 10 unattributed APT mysteries
https://securelist.com/top-10-unattributed-apt-mysteries/107676/
Targeted attack attribution is always a tricky thing, and in general, we believe that attribution is best left to law enforcement agencies.
The reason is that, while in 90% of cases it is possible to understand a few things about the attackers, such as their native language or even location, the remaining 10% can lead to embarrassing attribution errors or worse. High-profile actors make every effort to stay undetected inside the victim’s infrastructure and to leave as few traces as they can.
Tomi Engdahl says:
Sobering survey: Every other Finnish online store does not take care of customer data https://www.iltalehti.fi/tietoturva/a/d4cfb603-3d38-4dd9-b7c8-aa11a7c04d9e
In Finland, only every other company protects its customers’ data properly, according to a Nordic comparison published by Identisure, a provider of strong authentication services.
Tomi Engdahl says:
Hundreds or even thousands of Finnish companies defrauded in suspected domain name fraud https://yle.fi/uutiset/3-12652825?origin=rss
The economic crime unit of the Oulu Police Department is investigating a nationwide series of frauds related to domain names. The suspected series of crimes involves fraudulent telephone sales conducted from Spain.
The charges are aggravated fraud, attempted aggravated fraud and a marketing offence.
Tomi Engdahl says:
Tech giants created a digital world whose rules are decided by a small circle https://yle.fi/uutiset/3-12627532?origin=rss
Technology companies have taken on the role of states in the digital world. An ever larger share of both working and private life takes place on platforms whose rules are part of the tech giants’ business.
Tomi Engdahl says:
As NIST Prepares For Quantum Safe Security, IBM Rolls Out Support
https://www.forbes.com/sites/tiriasresearch/2022/10/07/as-nist-prepares-for-quantum-safe-security-ibm-rolls-out-support/?sh=19dbefb83ba5
The world of cryptography moves at a very slow, but steady pace. New cryptography standards must be vetted over an extended period and therefore new threats to existing standards need to be judged by decades-long timelines because updating crypto standards is a multiyear journey.
Tomi Engdahl says:
Do You Need To Delete WhatsApp After Serious New Warning?
https://www.forbes.com/sites/zakdoffman/2022/10/09/do-you-need-to-delete-whatsapp-on-your-apple-iphone-or-google-android-and-use-imessage-or-telegram
More alarming headlines for WhatsApp this week, as its latest security threat prompted a warning for its 2 billion users to “stay away from WhatsApp,” claiming that the world’s most popular messenger “has now been a surveillance tool for 13 years.”
Tomi Engdahl says:
Callback phishing attacks evolve their social engineering tactics https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-evolve-their-social-engineering-tactics/
Callback phishing operations have evolved their social engineering methods, keeping the old fake-subscription lure for the first phase of the attack but switching to pretending to help victims deal with an infection or hack. Successful attacks infect victims with a malware loader that drops additional payloads such as remote access trojans, spyware, and ransomware.
Tomi Engdahl says:
New survey: Digital threats are growing, but Finns are hardly worried https://www.is.fi/digitoday/tietoturva/art-2000009123971.html
The Digital and Population Data Services Agency surveyed Finns’ views on digital security. Security authorities have warned Finns about the growth of cyber threats.
Tomi Engdahl says:
EU-US Data Sharing Deal Is Signed Off – But May Face Further Challenges https://www.forbes.com/sites/emmawoollacott/2022/10/10/eu-us-data-sharing-deal-is-signed-offbut-may-face-further-challenges
US president Joe Biden has signed an executive order limiting the ability of US national security agencies to access European citizens’ personal information, as part of a data-sharing deal with the EU.
Tomi Engdahl says:
UK Spy Chief to Warn of ‘Huge’ China Tech Threat
https://www.securityweek.com/uk-spy-chief-warn-huge-china-tech-threat
Britain’s GCHQ spy agency chief will warn Western countries Tuesday of the “huge threat” from China seeking to exploit its tech dominance to control its own citizens and gain influence abroad.
Jeremy Fleming, the director of the cybersecurity agency, is set to tell a British defence studies body that the Chinese Communist Party views technologies such as satellite systems and digital currencies as a “tool to gain advantage”.
In excerpts of his speech released late Monday, Fleming will use the annual “security lecture” at RUSI think tank to argue China could act in ways representing “a huge threat to us all”.
He will urge the UK and its allies to respond urgently.
China’s Threat
“At GCHQ it is our privilege and duty to see the sliding door moments of history. This feels like one of those moments,” Fleming will say.
“Our future strategic technology advantage rests on what we as a community do next. I’m confident that together we can tilt that in our collective favour.”
Tomi Engdahl says:
https://www.securityweek.com/zero-day-dilemma
Tomi Engdahl says:
Google has released the Hacking Google game/experience. It’s a series of Capture The Flag challenges, just for fun, but good practice working through a security problem.
https://h4ck1ng.google/home