Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next?. PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being overhauled
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structure will also come in the smart phones. The new Armv9-A architecture last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks now threaten even goods deliveries
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into disarray again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack area of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Google introduces end-to-end encryption for Gmail on the web
https://www.bleepingcomputer.com/news/security/google-introduces-end-to-end-encryption-for-gmail-on-the-web/
Google announced on Friday that it’s adding end-to-end encryption (E2EE) to Gmail on the web, allowing enrolled Google Workspace users to send and receive encrypted emails within and outside their domain.
Client-side encryption (as Google calls E2EE) was already available for users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).
Once enabled, Gmail client-side encryption will ensure that any sensitive data delivered as part of the email’s body and attachments (including inline images) can not be decrypted by Google servers — the email header (including subject, timestamps, and recipients lists) will not be encrypted.
Tomi Engdahl says:
Google releases vulnerability scanner for open-source software, backed by community-editable database
https://venturebeat.com/security/google-releases-vulnerability-scanner-for-open-source-software-backed-by-community-editable-database/
Tomi Engdahl says:
Open-source repositories flooded by 144,000 phishing packages
https://www.bleepingcomputer.com/news/security/open-source-repositories-flooded-by-144-000-phishing-packages/
Unknown threat actors have uploaded a massive 144,294 phishing-related packages on open-source package repositories, including NPM, PyPi, and NuGet.
The large-scale attack resulted from automation, as the packages were uploaded from accounts using a particular naming scheme, featured similar descriptions, and led to the same cluster of 90 domains that hosted over 65,000 phishing pages.
The campaign supported by this operation promotes fake apps, prize-winning surveys, gift cards, giveaways, and more. In some cases, they take victims to AliExpress via referral links.
Tomi Engdahl says:
Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023
https://www.analyticsinsight.net/top-reasons-not-to-become-a-self-taught-ethical-hacker-in-2023/
Tomi Engdahl says:
Infostealer Malware Market Booms, as MFA Fatigue Sets In
The successful combo of stolen credentials and social engineering to breach networks is increasing demand for infostealers on the Dark Web.
https://www.darkreading.com/threat-intelligence/infostealer-malware-market-booms-mfa-fatigue
Tomi Engdahl says:
Serious Security: MD5 considered harmful – to the tune of $600,000
https://nakedsecurity.sophos.com/2022/11/30/serious-security-md5-considered-harmful-to-the-tune-of-600000/
In a fascinating legal deliberation handed down by the French data protection regulator CNIL (Commission Nationale de l’Informatique et des Libertés), the energy company Électricité de France, or EDF for short, has been fined EUR 600,000 (about $600,000).
You need reasonable proficiency in French to understand all the ins and outs of the matter, but the overall case boils down to four infringements.
The first three are concerned with general data-related interactions with customers, covering:
Sending commercial marketing emails without proper consent.
Collecting data without clarifying what or why.
Not handling requests reliably when customers asked to see their data, or to get it deleted.
But it’s the last complaint that piqued our interest: Sur le manquement à l’obligation d’assurer la sécurité des données.
In English, this loosely translates as failure to store data securely, and relates very specifically to the insecure handling of passwords.
MD5 considered harmful
The regulator noted, amongst other things, that despite claiming it was salting-and-then-hashing passwords using an accepted hashing algorithm, EDF still had more than 25,000 users’ passwords “secured” with a single MD5 hash as recently as July 2022.
As you will have heard many times on Naked Security, storing the cryptographic hash of a password means that you can validate a password when it is presented simply by recomputing its hash and comparing it with the hash of the password that was originally chosen.
If the hashes match, then you can safely infer that the passwords match, without ever needing to store the actual password.
As long as the hashing algorithm is considered cryptographically secure, it can’t usefully be “run in reverse”
But MD5, as you probably know, has significant problems with collisions, as does its immediate successor SHA-1 (both these hashes came out in the early 1990s).
These days, neither algorithm is recommended for use anywhere, by anyone, for any purpose, given that there are similar but still-secure alternatives that can easily be used to replace them, such as SHA-256 and SHA-512:
Salting and stretching
In short, you wouldn’t expect any company, let alone an energy sector behemoth like EDF, to use MD5 for any cryptographic purpose at all, let alone for securing passwords.
Even worse, however, was the lack of salting, which is where a chunk of data that’s chosen randomly for each user is mixed in with the password before its hash is calculated.
The reason for a salt is simple: it ensures that the hash values of potential passwords cannot be calculated in advance and then brought along to help with an attack.
Salting means that you would need a complete, precomputed rainbow table for every user (the table is determined by the combination of salt + password), and you wouldn’t be able to compute each rainbow table – a task that can take several weeks and occupy terabytes of disk space – until you recovered the salts anyway,
But there’s more you need to do.
Even if you include a salt, so that precomputed “hash dictionaries” can’t be used, and you use a trusted cryptographic algorithm such as SHA-512
So you should use what’s called stretching as well, where you not only salt the initial password, but then pass the input through the hashing algorithm thousands of times or more in a loop, thus making attacks considerably more time-consuming for any crooks who want to try.
Not just an MD5 problem
Ironically, it seems that although EDF only had 25,800 passwords hashed with MD5, and claimed in its defence that it was mostly using SHA-512 instead, it still wasn’t always salting or stretching the stored hashes.
The regulator reports that 11,200,000 passwords had correctly been salted-and-hashed, but there were nevertheless 2,400,000 that had simply been hashed directly once, whether with MD5 or SHA-512.
Apparently, EDF has now got its password storage up to scratch, but the company was fined EUR 600,000 anyway, and will remain publicly listed online on CNIL’s “naughty step” for the next two years.
We can’t be sure what fine would have been imposed if the judgment had involved poor hashing only, and EDF hadn’t also had to answer for the three other data protection offences listed at the start…
…but it does go to show that bad cryptographic choices can cost you money in more ways than one!
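The salt-and-stretch scheme described in the comment above, together with a way to retire leftover single-MD5 records at the next successful login, as an added example (not code from the Naked Security article or from this blog). PBKDF2-HMAC-SHA512 from Python's standard library is the stretching function chosen here; the record format, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Assumed parameters for this example; raise the iteration count as hardware allows.
PBKDF2_ITERATIONS = 210_000
MAX_ITERATIONS = 10_000_000  # refuse absurd values from a corrupted record
SALT_BYTES = 16
CURRENT_SCHEME = "pbkdf2-sha512"


def legacy_md5_record(password: str) -> str:
    """The weak scheme from the CNIL finding: one unsalted MD5 pass."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salt and stretch: a fresh random salt per user, then many hash rounds."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{CURRENT_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash for the presented password; compare in constant time."""
    scheme, _, rest = record.partition("$")
    pw = password.encode("utf-8")
    if scheme == "md5":
        candidate = hashlib.md5(pw).hexdigest().encode("ascii")
        return hmac.compare_digest(candidate, rest.encode("utf-8"))
    if scheme == CURRENT_SCHEME:
        try:
            iter_field, salt_hex, digest_hex = rest.split("$")
            iterations = int(iter_field)
            if not 1 <= iterations <= MAX_ITERATIONS:
                return False
            salt = bytes.fromhex(salt_hex)
            expected = bytes.fromhex(digest_hex)
        except ValueError:
            return False  # malformed record: fail closed
        candidate = hashlib.pbkdf2_hmac("sha512", pw, salt, iterations)
        return hmac.compare_digest(candidate, expected)
    return False  # unknown scheme: fail closed


def needs_upgrade(record: str) -> bool:
    """True for anything that is not salted and stretched at the current cost."""
    fields = record.split("$")
    if fields[0] != CURRENT_SCHEME or len(fields) != 4:
        return True
    try:
        return int(fields[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True


def login(store: dict, user: str, password: str) -> bool:
    """Check the password; on success, replace a weak record with a strong one.

    The plaintext is only available at login time, which is why legacy
    hashes are upgraded here rather than in a batch job.
    """
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        store[user] = make_record(password)
    return True


def audit(store: dict) -> Counter:
    """Count how many stored records still need upgrading."""
    return Counter("weak" if needs_upgrade(r) else "ok" for r in store.values())


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    store = {
        "alice": legacy_md5_record("Winter2022!"),
        "bob": legacy_md5_record("Winter2022!"),
        "carol": make_record("correct horse"),
    }
    print("same unsalted hash:", store["alice"] == store["bob"])
    print("before:", dict(audit(store)))
    login(store, "alice", "Winter2022!")
    print("after alice logs in:", dict(audit(store)))
    print("alice and bob now differ:", store["alice"] != store["bob"])
```

Accounts that never log in again keep their weak record, so the `audit` count is what tells you when a forced password reset is needed for the remainder.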
Tomi Engdahl says:
Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
Tomi Engdahl says:
https://www.kitploit.com/2022/12/scscanner-tool-to-read-website-status.html?m=1
Tomi Engdahl says:
https://pentestmag.com/teach-this-new-generation-how-much-we-can-build-and-discover-new-things-within-our-area-an-interview-with-filipi-pires/
Tomi Engdahl says:
https://www.schneier.com/blog/archives/2022/12/captcha.html
Tomi Engdahl says:
NIST Retires SHA-1 Cryptographic Algorithm
https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1. It is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.
Tomi Engdahl says:
New Web Tracking Technique is Bypassing Privacy Protections https://today.ucsd.edu/story/UIDsmuggling
Researchers at UC San Diego have for the first time sought to quantify the frequency of UID smuggling in the wild, by developing a measurement tool called CrumbCruncher. CrumbCruncher navigates the Web like an ordinary user, but along the way, it keeps track of how many times it has been tracked using UID smuggling. The researchers found that UID smuggling was present in about 8 percent of the navigations that CrumbCruncher made. They presented these results at the Internet Measurement Conference Oct. 25 to 27, 2022 in Nice, France. The team is also releasing both their complete dataset and their measurement pipeline for use by browser developers.
Tomi Engdahl says:
ESF Members NSA and CISA Provide Threat Assessment, Best Practices for 5G Network Slicing https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3244745/esf-members-nsa-and-cisa-provide-threat-assessment-best-practices-for-5g-networ/
Network slicing is a 5G network architecture which allows mobile service providers to divide their network up into several independent slices. [This is in] order to create specific virtual networks that cater to different clients and use cases. Today’s report specifically identifies management strategies to ensure the confidentiality, integrity, and availability of each network slice.
Tomi Engdahl says:
Criminal Actors Use Business Email Compromise to Steal Large Shipments of Food Products and Ingredients https://www.ic3.gov/Media/News/2022/221216.pdf
In recent incidents, criminal actors have targeted physical goods rather than wire transfers using BEC tactics. Companies in all sectors, both buyers and suppliers, should consider taking steps to protect their brand and reputation from scammers who use their name, image, and likeness to commit fraud and steal products.
Tomi Engdahl says:
Facebook to pay hackers up to $300,000 to uncover remote code execution bugs https://therecord.media/facebook-to-pay-hackers-up-to-300000-to-uncover-remote-code-execution-bugs/
In a newsroom post accompanying reports about the threats facing Facebook and Instagram users from spyware and covert information operations, Meta said it had so far this year paid out $2 million in rewards to researchers from more than 45 countries. Out of about 10,000 reports made to the company, Meta offered rewards to more than 750 submissions.
Tomi Engdahl says:
Agenda Ransomware Uses Rust to Target More Vital Industries https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.
Tomi Engdahl says:
The Privacy War Is Coming
Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
https://www.darkreading.com/endpoint/the-privacy-war-is-coming
Tomi Engdahl says:
Why PCI DSS 4.0 Should Be on Your Radar in 2023 https://thehackernews.com/2022/12/why-pci-dss-40-should-be-on-your-radar.html
The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.
Tomi Engdahl says:
Top 4 SaaS Security Threats for 2023
https://thehackernews.com/2022/12/top-4-saas-security-threats-for-2023.html
With SaaS sprawl ever growing and becoming more complex, organizations can look to four areas within their SaaS environment to harden and secure. Threats: Misconfigurations Abound, SaaS-to-SaaS Access, Device-to-SaaS User Risk, Identity and Access Governance.
Tomi Engdahl says:
Executives take more cybersecurity risks than office workers https://www.helpnetsecurity.com/2022/12/16/executives-take-more-cybersecurity-risks-than-office-workers/
Ivanti worked with cybersecurity experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and find out how companies are preparing for yet-unknown future threats. The report also revealed that leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.
Tomi Engdahl says:
Poor software costs the US 2.4 trillion
https://www.securitymagazine.com/articles/98685-poor-software-costs-the-us-24-trillion
This statistic is unearthed in Synopsys Inc.’s The Cost of Poor Software Quality in the US: A 2022 Report. The report’s findings reflect that as of 2022, the cost of poor software quality in the U.S., which includes cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt, have led to a build-up of historic software deficiencies.
Tomi Engdahl says:
Google Takes Gmail Security to the Next Level with Client-Side Encryption https://thehackernews.com/2022/12/gmail-encryption.html
Google on Friday announced that its client-side encryption for Gmail is in beta for Workspace and education customers as part of its efforts to secure emails sent using the web version of the platform.
Client-side encryption, as the name implies, is a way to protect data at rest. It allows organizations to encrypt data on Google services with their own cryptographic keys. The data is decrypted on the client-side using keys that are generated and managed by a key management service, which is hosted in the cloud. Original at https://workspaceupdates.googleblog.com/2022/12/client-side-encryption-for-gmail-beta.html
Tomi Engdahl says:
MTTR not a viable metric for complex software system reliability and security https://www.csoonline.com/article/3683508/mttr-not-a-viable-metric-for-complex-software-system-reliability-and-security.html
Mean time to resolve (MTTR) isn’t a viable metric for measuring the reliability or security of complex software systems and should be replaced by other, more trustworthy options. That’s according to a new report from Verica which argued that the use of MTTR to gauge software network failures and outages is not appropriate, partly due to the distribution of duration data and because failures in such systems don’t arrive uniformly over time. Site reliability engineering (SRE) teams and others in similar roles should therefore retire MTTR as a key metric, instead looking to other strategies including service level objectives (SLOs) and post-incident data review, the report stated.
Tomi Engdahl says:
Zero Trust Shouldn’t Be The New Normal
https://www.darkreading.com/edge-ask-the-experts/zero-trust-shouldnt-be-the-new-normal
Setting aside the issues and the expense associated with incorporating zero trust into an existing network, the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.
Tomi Engdahl says:
Dark Web Profile: Killnet Russian Hacktivist Group https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/
Killnet is a pro-Russian hacktivist group known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries since the Russia-Ukraine war broke out last year. DDoS is the primary type of cyber-attack that can cause thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems.
Tomi Engdahl says:
After more than 200 takedowns, Meta confirms covert online campaigns have gone global https://therecord.media/after-more-than-200-takedowns-meta-confirms-covert-online-campaigns-have-gone-global/
In a report published Thursday looking back at enforcement actions against these covert influence campaigns, Meta said the problem is now thoroughly global with over 100 different countries, from Afghanistan to Zimbabwe being targeted, even if the United States, Ukraine, and United Kingdom remain the most common targets.
Tomi Engdahl says:
Flashpoint Year In Review: 2022 Insider Threat Landscape
https://flashpoint.io/blog/risk-intelligence-year-in-review-insider-threat/
- From January 1 to November 30, 2022, Flashpoint observed 109,146 total instances of insider recruiting, insider advertising, or general discussions involving insider-related activity. Of these, 22,985 were unique. The majority of these posts were on mid-tier English-language Telegram channels. However, the threat actor group LAPSUS$ might also be partly responsible for the growth of insider threats on Telegram.
LAPSUS$ successfully recruited insiders in large operations who were able to provide access to corporate virtual private networks (VPNs) or help bypass multi-factor authentication.
Tomi Engdahl says:
WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections https://www.darkreading.com/attacks-breaches/watchguard-threat-lab-report-finds-top-threat-arriving-exclusively-over-encrypted-connections
The vast majority of malware arriving over encrypted connections [...] In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.
ICS and SCADA systems remain trending attack targets
New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric’s U.motion Builder software versions 1.2.1 and prior.
Tomi Engdahl says:
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter https://www.zimperium.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter/
Flutter, the open-source user interface (UI) software kit for cross-platform mobile applications, has helped drive new mobile applications onto the market. While Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims. During a routine analysis of applications, the Zimperium zLabs team recently discovered and analyzed a Flutter application with malicious code. This code, part of a larger predatory loan malware campaign previously discovered by K7 Security Labs, takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis. Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products.
Tomi Engdahl says:
GitHub Announces Free Secret Scanning, Mandatory 2FA
https://www.securityweek.com/github-announces-free-secret-scanning-mandatory-2fa
Microsoft-owned code hosting platform GitHub this week announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors.
The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, it helped identify 1.7 million potential secrets exposed in public repositories.
“Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner—for example, if the keys to your self-hosted HashiCorp Vault are exposed,” GitHub explains.
Starting this week, the feature is available for free for all free public repositories, to help prevent secret exposures and secure the open source ecosystem. The feature is now rolling out in beta and GitHub expects it to reach all users by the end of January 2023.
Leaked a secret? Check your GitHub alerts…for free
https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/
GitHub now allows you to track any leaked secrets in your public repository, for free. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.
Tomi Engdahl says:
NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm
https://www.securityweek.com/nist-retire-27-year-old-sha-1-cryptographic-algorithm
The US National Institute of Standards and Technology (NIST) this week recommended that IT professionals replace the SHA-1 cryptographic algorithm with newer, more secure ones.
The first widely used method of securing electronic information and in use since 1995, SHA-1 is a slightly modified version of SHA, or ‘secure hash algorithm’, the very first standardized hash function.
According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm.
“NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms,” the agency within the Department of Commerce announced.
Used as the foundation of numerous security applications, including validating websites, SHA-1 secures information by generating a hash – a short string of characters resulting from a complex math operation performed on the characters of a message.
While the original message cannot be reconstructed from the hash alone, a recipient can use the hash to check whether the original message has been compromised.
The main threat to SHA-1 is the fact that today’s powerful computers can create two messages that lead to the same hash, potentially compromising an authentic message – the technique is referred to as a ‘collision’ attack.
The cost of launching collision attacks against SHA-1 has decreased significantly in recent years, and tech giants such as Google, Facebook, Microsoft and Mozilla have taken steps to move away from the cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.
Tomi Engdahl says:
NIST Retires SHA-1 Cryptographic Algorithm
The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable.
https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
As attacks on SHA-1 in other applications have become increasingly severe, NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030. By that date, NIST plans to:
Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification.
Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1.
Create and publish a transition strategy for validating cryptographic modules and algorithms.
“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” Celi said. “Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that CMVP has time to respond.”
“We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible.” —Chris Celi, NIST computer scientist
Tomi Engdahl says:
US Puts 3 Dozen More Chinese Companies on Trade Blacklist
https://www.securityweek.com/us-puts-3-dozen-more-chinese-companies-trade-blacklist
The U.S. Department of Commerce is adding 36 Chinese high-tech companies, including makers of aviation equipment, chemicals and computer chips, to an export controls blacklist, citing concerns over national security, U.S. interests and human rights.
Tomi Engdahl says:
Mitchell Clark / The Verge:
Google launches client-side encryption for Gmail in beta and lets Workspace administrators sign up until January 20, coming to Gmail for Android and iOS later
Google is letting businesses try out client-side encryption for Gmail
https://www.theverge.com/2022/12/16/23513243/google-gmail-client-side-encryption-beta-enterprise
/ The long-promised feature has entered beta for some Workspace users, but it’s probably not coming to personal accounts anytime soon.
Tomi Engdahl says:
Data Destruction Policies in the Age of Cloud Computing
https://www.darkreading.com/cloud/data-destruction-policies-in-the-age-of-cloud-computing-
We must develop a cloud-compatible way of doing destruction that meets the DoD standards, or we must stop pretending and adjust our standards to this new reality. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided. It would probably be cheaper than fees charged by some of the companies providing certified physical-destruction services.
Tomi Engdahl says:
Airlines have reported recurring GPS interference in Lapland in recent weeks – Traficom: No danger to flight safety
Incidents have been reported to Traficom in which aircraft lost the GPS signal for 5–10 minutes.
https://yle.fi/a/74-20009019
Tomi Engdahl says:
https://pentestmag.com/blockchain-vs-database-the-secure-one/
Tomi Engdahl says:
Innocent gadget or networked spy? Remember to be smarter than the product you buy
https://kuluttaja-asiamies.fi/2022/11/21/viaton-vekotin-vai-verkottuva-vakoilija-muista-olla-alykkaampi-kuin-ostamasi-tuote/
Tomi Engdahl says:
https://techcrunch.com/2022/12/15/github-brings-free-secret-scanning-to-all-repos/
Tomi Engdahl says:
https://www.edn.com/28-nm-smart-card-chip-secures-payment-processing/
Tomi Engdahl says:
How One Man Lost $1 Million To A Crypto ‘Super Scam’ Called Pig Butchering
https://www.forbes.com/sites/cyrusfarivar/2022/09/09/pig-butchering-crypto-super-scam/?utm_campaign=socialflowForbesMainFB&utm_source=ForbesMainFacebook&utm_medium=social&sh=16f934aec8ed
Pig butchering is a relatively new long-game financial con in which “pigs,” or targets, are “butchered” by people who convince them to invest ever-larger sums in purported cryptocurrency-fueled trading platforms. The fake platforms are designed to look real, and make the victims believe that their investments are making fantastic returns — until their scammer, and all the money they believe they’ve invested, disappears.
Victims often lose significant sums, and the practice is so lucrative that it’s being scaled up and carried out en masse in countries like Cambodia, Laos and Myanmar. So far, American law enforcement officials at both the federal and local level have made little headway in recovering stolen funds or catching the perpetrators.
These scams are carried out “on a large scale, on an industrial scale — like they’re doing fraud in a factory.”
–Jan Santiago, the deputy director of the Global Anti-Scam Organization
Tomi Engdahl says:
Australian fire service operating 85 stations shuts down network after cyberattack https://therecord.media/australian-fire-service-operating-85-stations-shuts-down-network-after-cyberattack/
Australia’s fire and rescue service in the state of Victoria has shut down its network and is operating manually after being targeted with a cyberattack by an external third party, according to a statement released on Friday.
Tomi Engdahl says:
Glupteba malware is back in action after Google disruption
https://www.bleepingcomputer.com/news/security/glupteba-malware-is-back-in-action-after-google-disruption/
Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices. These proxies are later sold as ‘residential proxies’ to other cybercriminals. The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies. Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.
Tomi Engdahl says:
App was still glitching 5 days after the cyberattack: this is how Helsinki Regional Transport comments https://www.is.fi/digitoday/art-2000009276469.html
The cyberattack that Helsinki Regional Transport (HSL) suffered last week is over, at least for now, but the HSL app only returned to service today, Monday. For most of the day, the Reittiopas journey planner reported that the service could not be reached. It is intentional.
“We noticed that there has been a disruption in it, which we have been investigating. We cannot yet say what exactly it is about. Something in it has broken,” says HSL communications manager Johannes Laitila.
Tomi Engdahl says:
Scam messages are being sent in OP’s name: with this trick you can find out whether a website is genuine https://www.is.fi/digitoday/tietoturva/art-2000009276139.html
Text message scams are currently being sent to Finns in the name of OP bank. What makes the scam relatively credible is that the message arrives in OP’s name and lands in the same text message thread as the bank’s genuine messages. In addition, the short Finnish-language message warning of unusual activity contains no spelling mistakes. If a website’s address has been forged into a credible form, its authenticity can be examined by inspecting the certificate, i.e. the digital signature, issued to the site.
Tomi Engdahl says:
The risk of escalation from cyberattacks has never been greater
https://arstechnica.com/information-technology/2022/12/the-risk-of-escalation-from-cyberattacks-has-never-been-greater/
With cyber, uncertainty over who is attacking pushes adversaries in a similar direction. The US shouldn’t retaliate none of the time (that would make it look weak), and it shouldn’t respond all of the time (that would retaliate against too many innocents). Its best move is to retaliate some of the time, somewhat capriciously, even though it risks retaliating against the wrong foe.
Tomi Engdahl says:
LinkedIn has massively cut the time it takes to detect security threats. Here’s how it did it https://www.zdnet.com/article/linkedin-has-massively-cut-the-time-it-takes-to-detect-security-threats-heres-how-it-did-it/
[O]ver a period of six months between March 2022 and September 2022, LinkedIn rebuilt its threat-detection and monitoring capabilities, along with its security operations centre (SOC) — and that process started with reevaluating how potential threats are analyzed and detected in the first place. [...] By using automation as part of this analysis process, Moonbase shifted the SOC towards a new model; a software-defined and cloud-centric security operation. [...] “We give our people the most context and data upfront, so that they can minimize their time spent gathering data, digging around, looking for things, and they can maximize their time on actually using the critical-thinking capacities of the human brain to understand what’s actually happening,” [IR director] Bollinger explains.
Tomi Engdahl says:
How Reveton Ransomware-as-a-Service Changed Cybersecurity https://securityintelligence.com/articles/how-reveton-raas-changed-cybersecurity/
We now see RaaS outfits with organizational capabilities that rival the most professional Software-as-a-Service (SaaS) brands. But has RaaS grown too big? The factors that led to the niche’s growth may also lead to its demise. Let’s look at the rise and potential fall of Ransomware-as-a-Service. After Reveton, things have never been the same.
Tomi Engdahl says:
CISA researchers: Russia’s Fancy Bear infiltrated US satellite network https://www.cyberscoop.com/apt28-fancy-bear-satellite/
Because the targeted satellite communications provider used the same credentials for emergency accounts as ordinary ones, the hackers were able to re-use the stolen credentials for emergency accounts that made it easier for the hackers to move around the system. At the time of the intrusion, the company was also transmitting unencrypted supervisory control and data acquisition, or SCADA, traffic, which can include data like the state of industrial devices and commands from control centers, Emmanuel said.
Tomi Engdahl says:
A Closer Look at Windows Kernel Threats
https://www.trendmicro.com/en_us/research/22/l/a-closer-look-at-windows-kernel-threats.html
In this blog entry, we discuss the reasons why malicious actors choose to and opt not to pursue kernel-level access in their attacks. It also provides an overview of kernel-level threats that have been publicly reported from April 2015 to October 2022. We provide a more comprehensive analysis of the state of noteworthy Windows kernel threats in our research paper, An In-depth Look at Windows Kernel Threats, that we will be publishing in January 2023.