Nothing is more difficult than making predictions. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threatit’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has
emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product, ” points out constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
we’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next?. PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
There are some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Kännyköiden tietoturva menee uusiksi
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structure will also come in the smart phones. The new Armv9-A architecture last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll varoittaa “kyberpandemiasta” internetin häiriö voi panna maailman taas sekaisin
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnagl says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack area of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micron raportti: tulevaisuudessa kaikki on vaarassa
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Think Big, Start Small, Move Fast: Applying Lessons From The Mayo Clinic to Cybersecurity
https://www.securityweek.com/think-big-start-small-move-fast-applying-lessons-mayo-clinic-cybersecurity
I have previously written about how much the Mayo Clinic impacted my life through my experience and time there. In that article I discussed their approach to multi-disciplinary patient triaging and how looking at patients as a whole, rather than a system of discrete systems, helps them to make the right decisions. This same mindset can be applied to software and design to build great products.
Another favorite takeaway, however, was Mayo’s Research Team’s mantra of Think Big, Start Small, Move Fast. It is a powerful concept that has enabled the Mayo Clinic to stay ahead, advancing medicine since the mid 1800s. This concept has also helped to advance the product development and cybersecurity domains as well.
There are books written about this, so I won’t get into the weeds of what the Mayo research teams do, however I will explore how we have adapted this in various ways. First off, like so many “mantras”, this is not prescriptive and is not a strict recipe for success. Instead, by following the general guidance that having a larger goal in mind, distilling it down and executing iteratively, you will arrive at your destination more efficiently.
Think Big
Thinking big focuses our product development team on defining the widest possible application for a service, feature, or design pattern so we can create the opportunity for force-multiplication. This increases the possibility that we’ll build something that can be reused.
Start Small
Starting small is a real challenge, because it really means starting small again and again and to do it well, it takes time and energy. It’s much like Mark Twain’s comment about not having the time to write a short note, so he wrote a long one. With the big goal in mind, it takes real effort to break the problem down to workable chunks while at respecting the overall goal at the same time. This process is iterative, and where discipline and commitment to design patterns and architecture become critical.
Move Fast
When you teach your teenager to drive, an important lesson is teaching them what they should be looking at. If they are focused on the road directly in front of the car, things move very quickly, and the ability to react is reduced. Looking up allows them to better anticipate things; where to break, where a curve’s apex is, etc. Moving fast is directly connected to moving smoothly and keeping your eyes as far down the road as possible enables that.
Our teams, whether you are on software development, intelligence teams or professional services, strive to speed up whatever we’re doing. Performance-driven metrics are one way to look at this, but you need to be careful with them. Misplaced metrics, much like looking at the road just beyond the hood, creates the illusion of speed. We seek to move smoothly relative to the bigger picture and speed up as we become better at what we’re doing. The metrics we are shooting for are not myopic. If we spend an extra week in delivering the first revision of a service within a product, but reduce the release time by three days in three other products, we’re gaining ground.
Tomi Engdahl says:
Suomalaiselle kyberosaamiselle glooriaa
https://www.uusiteknologia.fi/2022/02/02/suomalaiselle-kyberosaamiselle-glooriaa/
Suomalainen tietoturvayhtiö F-Secure sai kehujaq päätelaitteiden suojauksessa ja reagoinnissa amerikkalaisen tutkimuslaitos AV-Comparitivesin Endpoint Prevention and Response (EPR) -raportissa. Mukana on suora pdf-linkki selvitykseen ja kilpaileviin ratkaisuihin.
AV-Comparativesin raportti dokumentoi kymmenen eri tietoturvatoimittajan suorituskykyä testeissä, jotka simuloivat 50 erillistä kohdistettua hyökkäysskenaariota. Ratkaisut sertifioitiin sitten kolmella eri tasolla: Strategic Leaders, CyberRisk Visionarys ja Strong Challengers.
AV-Comparatives -organisaation F-Securen strateginen johtotaso arvio perustuu modulaarisen ja pilvipohjaisen alustan F-Secure Elementsin päätelaitesuojaus (EPP) ja päätelaite havaitsemis- ja reagointikomponenteille (EDR) tehtyihin testeihin.
AV-Comparatives -organisaation mukaan suomalaisen F-Secure Elementsin tärkeimpiä etuja olivat alhaiset kokonaiskustannukset (TCO) 5 vuoden aikana, erilaisten hälytysten yhdistäminen ja priorisointi. yksinkertainen konfigurointi ja käyttöönotto verkkotunnus- tai työryhmäympäristössä sekä erilaiset vastausvaihtoehdot havaituille uhille ja tiedot turvallisuusoperaatiokeskuksen (SOC) analyytikoille tutkittavaksi/tarkastettavaksi.
Tomi Engdahl says:
Disclosure, Panic, Patch: Can We Do Better?
https://www.darkreading.com/application-security/disclosure-panic-patch-can-we-do-better-
Yet, while the Cyentia list had the Log4j vulnerability, none of the lists had all of the recent major vulnerabilities. The Log4j issue, for example, was added after the fact to the OpenSSF list of top 100 issues. Software components like the polkit security component that are included as one of the more than 2,000 software packages in a default Linux distribution, and may not have been considered
The Apache Log4j team talks about the Log4Shell patching process https://therecord.media/the-apache-log4j-team-talks-about-the-log4shell-patching-process/
The Record spoke with Christian Grobmeier, a member of the Apache Logging team and one of the developers who maintain the Log4j library.
The interview has been lightly edited for grammar and clarity.. [
Also on log4j:
https://www.darkreading.com/vulnerabilities-threats/critical-log4j-vulnerabilities-are-the-ultimate-gift-for-cybercriminals
Tomi Engdahl says:
The Account Takeover Cat-and-Mouse Game
https://threatpost.com/account-takeover-cat-mouse-game/178128/
In an analysis of more than 21 billion application transactions analyzed by the Cequence Security Threat Research Team between June and December of last year, API-based account login and registration transactions increased by 92 percent to more than 850 million.
Highlighting the fact that attackers love APIs just as much as developers, that same dataset showed account takeover (ATO) attacks on . login APIs increased by 62 percent.
Tomi Engdahl says:
SEO poisoning pushes malware-laced Zoom, TeamViewer, Visual Studio installers https://www.bleepingcomputer.com/news/security/seo-poisoning-pushes-malware-laced-zoom-teamviewer-visual-studio-installers/
A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio.
Inside Trickbot, Russias Notorious Ransomware Gang https://www.wired.com/story/trickbot-malware-group-internal-messages/
The documents seen by WIRED include messages between senior members of Trickbot, dated from the summer and autumn of 2020, and expose how the group planned to expand its hacking operations. They lay bare key members aliases and show the ruthless attitude of members of the criminal gang.
Tomi Engdahl says:
Online Investment Fraud Network Taken Down by Law Enforcement https://www.infosecurity-magazine.com/news/online-investment-fraud-law/
The scam was conducted by an organized crime group that set up bogus websites and call centers. Call operators speaking German, Greek, English and Spanish posed as financial consultants and contacted potential investors with promises of significant profits. This led to several hundred victims making substantial investments, which they lost entirely.
Taking the bait: The modus operandi of massive social engineering waves impacting banks in Portugal https://seguranca-informatica.pt/taking-the-bait-the-modus-operandi-of-massive-social-engineering-waves-impacting-banks-in-portugal/
In this article, we will understand the modus operandi of this wide campaign, how the phishing templates are disseminated, how victims are triggered, dig into the details of the phishing templates and C2 server source-code, and learn how criminals are orchestrating all the operations.
Tomi Engdahl says:
Telehealth: A New Frontier in Medicineand Security https://securelist.com/telehealth-report-2020-2021/105642/
Phishing and malware attacks that exploit the medical theme will continue, and, with the development of telemedicine, the number of services that fraudsters use as bait will only increase. Moreover, its likely that cybercriminals will try to hack telehealth services.
Tomi Engdahl says:
FBI warns of fake job postings used to steal money, personal info https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-job-postings-used-to-steal-money-personal-info/
“The FBI warns that malicious actors or ‘scammers’ continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI says.
Tomi Engdahl says:
How Hackers Can Drain Your Bank Account With Apple And Samsung Tap-And-Pay Apps https://www.forbes.com/sites/thomasbrewster/2022/02/02/hack-drains-bank-accounts-with-apple-and-samsung-tap-and-travel-apps/
Perhaps it was unwise to give up control of my iPhone to Timur Yunosov, a Russian cybersecurity researcher who has developed a penchant for exploiting vulnerabilities in payment devices. In a matter of minutes of handing it to him, Yunosov was draining my already empty bank account, taking it into an overdraft, by just tapping the locked device onto a terminal.. [...] There are some obvious caveats. The hacks only work if the attacker has physical access to the phone. And, as MasterCard and Google have made some steps to address the problems, the hacks only work where Visa cards are the default for mobile transport payments, says Yunosov.
Tomi Engdahl says:
NIST’s new cyber-resiliency guidance: 3 steps for getting started https://www.csoonline.com/article/3648076/nist-cyber-resiliency-guidance-getting-started.html
NIST has released an updated publication of 800-160 v2. Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. The goal is to apply resilience and system security engineering to develop survivable trustworthy systems. Here are some of the documents core concepts and fundamental takeaways.
Tomi Engdahl says:
EU institutions bolster Europols mandate for data-crunching activities https://www.euractiv.com/section/data-protection/news/eu-institutions-bolster-europols-mandate-for-data-crunching-activities/
The recast mandate adopted on Tuesday (1 February) gives the law enforcement agency a legal basis for storing and processing vast amounts of personal data, practices already in place that were at the centre of an inquiry of the European Data Protection Supervisor (EDPS).
Europes most used consent system deemed incompatible with EU privacy rules https://www.euractiv.com/section/digital/news/europes-most-used-consent-system-deemed-incompatible-with-eu-privacy-rules/
The Belgian authority found that IAB Europe did not have a legal basis for processing personal data, and the legal grounds for sharing that data with vendors was inadequate. The DPA has made explicit what many observers have been saying for some time: that legitimate interests is not a valid legal basis for processing personal data obtained via non-essential cookies, Robert . Bateman, research director at the GRC World Forums, told EURACTIV.
Tomi Engdahl says:
Tutkimus: Yrityspomot huolissaan kiristyshaittaohjelmista
https://etn.fi/index.php/13-news/13121-tutkimus-yrityspomot-huolissaan-kiristyshaittaohjelmista
Trend Micron uusi tutkimus paljastaa, että yritysten ylimmän johdon ja IT-päättäjien jatkuva heikko sitoutuminen tietoturvaan saattaa viedä pohjan investoinneilta ja kasvattaa organisaatioiden kyberriskejä. – Aikoinaan haavoittuvuuksia hyödynnettiin vasta kuukausia tai jopa vuosia niiden löytämisen jälkeen. Nyt siihen menee enää tunteja, jos sitäkään, kertoo kyberturva-asiantuntija Kalle Salminen.
Tutkimuksen mukaan yli 90 prosenttia suomalaista IT- ja yrityspäättäjistä kertoo olevansa huolissaan kiristyshaittaohjelmahyökkäyksistä. Vaikka alati kasvavista uhista ollaankin huolissaan, niin tutkimuksen mukaan vain noin puolet (56 prosenttia) vastanneista tietoturvatiimeistä keskustelee kyberuhista säännöllisesti organisaation ylimmän johdon kanssa.
Tomi Engdahl says:
ECDSA and RSA are two of the world’s most widely adopted asymmetric algorithms.
ECDSA vs RSA: What Makes RSA a Good Choice
Considering that this one algorithm has been the leading choice by industry experts for almost three decades, you’ve got to admire its reliability. RSA was first standardized in 1994, and to date, it’s the most widely used algorithm. The reason why this longevity is quite essential to note is that it shows that RSA has stood the test of time. It’s an extremely well-studied and audited algorithm as compared to modern algorithms such as ECDSA.
Compared to RSA, ECDSA has been found to be more secure against current methods of cracking thanks to its complexity. ECDSA provides the same level of security as RSA but it does so while using much shorter key lengths. Therefore, for longer keys, ECDSA will take considerably more time to crack through brute-forcing attacks.
Conclusion. When it comes down to it, the choice is between RSA 2048⁄4096 and Ed25519 and the trade-off is between performance and compatibility. RSA is universally supported among SSH clients while EdDSA performs much faster and provides the same level of security with significantly smaller keys.
Sources:
https://goteleport.com/blog/comparing-ssh-keys/
https://sectigostore.com/blog/ecdsa-vs-rsa-everything-you-need-to-know/
Tomi Engdahl says:
ECDSA and RSA are two of the world’s most widely adopted asymmetric algorithms.
ECDSA vs RSA: What Makes RSA a Good Choice
Considering that this one algorithm has been the leading choice by industry experts for almost three decades, you’ve got to admire its reliability. RSA was first standardized in 1994, and to date, it’s the most widely used algorithm. The reason why this longevity is quite essential to note is that it shows that RSA has stood the test of time. It’s an extremely well-studied and audited algorithm as compared to modern algorithms such as ECDSA.
Compared to RSA, ECDSA has been found to be more secure against current methods of cracking thanks to its complexity. ECDSA provides the same level of security as RSA but it does so while using much shorter key lengths. Therefore, for longer keys, ECDSA will take considerably more time to crack through brute-forcing attacks.
Some versions of ECDSA have weaknesses. If ECDSA is so fragile, how can users protect themselves? Ideally, we recommend that you use EdDSA instead of ECDSA, which handles nonce generation much more safely by eliminating the use of RNGs. Further, Ed25519, which is EdDSA over Curve25519, is designed to overcome the side-channel attacks that have targeted ECDSA, and it is currently being standardized by NIST.
Conclusion. When it comes down to it, the choice is between RSA 2048⁄4096 and Ed25519 and the trade-off is between performance and compatibility. RSA is universally supported among SSH clients while EdDSA performs much faster and provides the same level of security with significantly smaller keys.
Sources:
https://goteleport.com/blog/comparing-ssh-keys/
https://sectigostore.com/blog/ecdsa-vs-rsa-everything-you-need-to-know/
https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/
Tomi Engdahl says:
Ex-NSA hacker tools for real world pentesting
https://www.youtube.com/watch?v=G8lrwmsx8KA
Learn real world pentesting plus which tools are the best to use with Ex-NSA Hacker Neal Bridges. Neal tells us what he carries in his backpack when doing real world pentests.
My apologies for the issues with this video. I had to remove the previously uploaded video because I had movie clips like Mr Robot and The Spy Game in the video and YouTube didn’t like them… so I had to remove the video
Menu:
0:00 ▶️ Introduction
1:17 ▶️ Neal sees pentesting differently
2:00 ▶️ Neal’s advice from experience
3:18 ▶️ Neal’s 5,000 pentests
4:30 ▶️ Take NSA and experience
5:10 ▶️ Preparation is key
5:50 ▶️ OSINT
6:30 ▶️ Actual Pentest report
7:50 ▶️ Pretexting
8:45 ▶️ Another real world example
9:30 ▶️ Planning is very important
10:15 ▶️ Leave stuff in your car?
11:55 ▶️ Right tools for the job
12:05 ▶️ Top tools
12:30 ▶️ Extra cables
12:58 ▶️ Hak5 Ethernet cable
13:10 ▶️ Is Hak5 a necessity
13:57 ▶️ Rubber Ducky
14:30 ▶️ Hak5 are great
15:00 ▶️ Real world example of equipment
15:30 ▶️ You can create your own stuff
16:10 ▶️ Your time is money
16:30 ▶️ Proxmark
17:30 ▶️ Crazy RFID reader
18:50 ▶️ Poor planning RFID example
20:20 ▶️ Your time is worth something!
21:00 ▶️ Hone your tradecraft
21:20 ▶️ Proxmark explanation
21:50 ▶️ A reader doesn’t give you access. You need a pretext
23:50 ▶️ Social engineering
25:50 ▶️ You need a story
26:04 ▶️ Social Engineering vs tech
29:00 ▶️ Physical access is king
30:00 ▶️ What to do once past the door
31:19 ▶️ Military facility pentest
33:27 ▶️ Look for a network port
34:49 ▶️ You want to get out of there
35:04 ▶️ Hak5 Lan turtle
36:35 ▶️ Back of computer vs switch
37:32 ▶️ Pop it into the back of the computer
38:11 ▶️ What about WiFi
38:50 ▶️ TP-Link WiFi Card
39:50 ▶️ Ubertooth
40:50 ▶️ HackRF One
41:56 ▶️ Hak5 Pineapple
42:09 ▶️ SDR
43:00 ▶️ Real world example
44:13 ▶️ Alfa Network Adapter
44:50 ▶️ Wifi Hacking
44:49 ▶️ Alfa not practical so much
46:20 ▶️ You cannot charge for a WiFi pentest
47:17 ▶️ You are making it real
47:45 ▶️ WiFi can be social engineering
48:47 ▶️ Captive portal
49:40 ▶️ Rogue Access point
50:40 ▶️ Real world wifi pentest example
51:30 ▶️ Port Security
51:57 ▶️ Hak5 Pineapple access corporate network
52:34 ▶️ Always social engineering
53:00 ▶️ Pyramid of pain
53:14 ▶️ Stuxnet
54:45 ▶️ Telsa attack
55:07 ▶️ NSA examples
56:32 ▶️ Human Intelligence Hacking Example
58:40 ▶️ Another hacking example
1:00:18 ▶️ WiFi hacking example
1:01:32 ▶️ Neal’s photo while hacking
1:03:22 ▶️ Once inside, you are trusted
1:03:40 ▶️ Summary of devices
1:03:55 ▶️ Hak5 switch
1:04:08 ▶️ Extra cables
1:04:15 ▶️ Hak5 Rubber Ducky
1:04:30 ▶️ Hak5 Pineapple
1:04:54 ▶️ Hak5 Bash Bunny
1:04:58 ▶️ Hak5 Packet Squirrel
1:06:26 ▶️ Ubertooth
1:06:31 ▶️ Proxmark
1:07:00 ▶️ Value of networking knowledge
1:07:32 ▶️ Neal got his CCNA
1:08:50 ▶️ Very few companies use port security properly
1:10:08 ▶️ Cain and Abel
1:11:00 ▶️ Are zero days worth it
1:12:05 ▶️ Shiny objects vs Neal’s wisdom
1:13:37 ▶️ Real world hard talk
1:14:25 ▶️ What do you recommend
1:16:55 ▶️ Neal and David going to do something
Tomi Engdahl says:
Pentesting Ethical Hacking Tool Bag:What’s In My Pentester Tool Bag 2021 HD 1080p
https://www.youtube.com/watch?v=YeHDkJVmy2o
Here finally by popular request is a follow up update to my pentesting tool kit. Or the whats in my ethical hacking pentester tech bag 2021 Spring Edition. Please note that not pictured is my laptop and monitor setup for the CPUs and software used.
Tomi Engdahl says:
10 Techy Gift Ideas for Hackers / Pentesters! Techmas Gift Guide for Christmas!
https://www.youtube.com/watch?v=9BEKwQ0eLX4
Tomi Engdahl says:
Zscaler CEO: Network security firms have ‘hijacked’ zero trust
https://lm.facebook.com/l.php?u=https%3A%2F%2Fventurebeat.com%2F2022%2F01%2F31%2Fzscaler-ceo-network-security-firms-have-hijacked-zero-trust%2F&h=AT1ySJlJk4ulxbif8MM5Fxc1ln5sgvOqD6mDDr3bSVXT2Xjf95tePbwmIcAasnd_DDq45RDPco2SM3oDSueSrEOy9eMwWMOLlQUlmj8zCPZa-6g9N0jOXtg6VPrEKvOjcQ
While the zero trust approach to security continues to gain traction with customers, the concept is increasingly being misapplied by “legacy” cybersecurity vendors, Zscaler CEO Jay Chaudhry told VentureBeat.
Chaudhry, who founded the company in 2007 and took it public in 2018, said in an interview that he’s been unhappy to see some vendors claiming their network security offerings enable zero trust.
“Either you’re zero trust or you’re network security. You don’t do both,” Chaudhry said.
True zero trust involves connecting users directly to applications without going over the network at all, he said. And that type of architecture “is the opposite of network security,” Chaudhry said.
When it comes to the zero trust concept, “legacy companies have hijacked the term,” he said. “It has lost its meaning.”
At the core of the company’s products is its Zero Trust Exchange, which combines a cloud-based secure web gateway with cloud-delivered zero trust network access (ZTNA) — ultimately ensuring that only authorized users can connect to applications. The approach is described as “zero trust” because it essentially assumes that users are unauthorized, and requires more proof of their legitimacy than traditional methods.
To achieve this, Zscaler’s Zero Trust Exchange considers additional factors beyond just authentication of identity, such as the user’s location, security posture of their device, and the application or data they’re trying to access.
With this stronger approach to verification, Zscaler says its Zero Trust Exchange prevents unauthorized users from accessing applications–and prevents lateral movement by attackers since they can’t even enter the network in the first place.
With Zscaler’s platform, “your applications are hidden behind us,” Chaudhry said. “This is totally opposite of firewalls and VPN and network security.”
Breaches such as the Colonial Pipeline ransomware attack have shown that standard network security tools such as VPNs can be “dangerous,” he said. And yet, Chaudhry said he’s now seeing vendors that claim to offer “zero trust network security.”
“Either you’re zero trust or you’re network security. You don’t do both,” he said. “Your firewall is designed as a network device. The architecture has to be opposite [from zero trust]. There’s no such thing as a ‘zero trust firewall’–they don’t go together.”
The company has two main products: Zscaler Internet Access brings a zero trust approach for securing access to the web and software-as-a-service applications, while Zscaler Private Access covers access to a company’s private applications. Both go through the Zero Trust Exchange. In 2021, Zscaler expanded its offerings to provide zero trust for workloads.
The flaw is the “most dangerous vulnerability” imaginable – but Zscaler customers have benefited from keeping their applications hidden by the Zero Trust Exchange, Chaudhry said.
“I had a number of customers who reached out to me and said, ‘Thank God I am hidden behind Zscaler. I need to patch my systems, but I’m not sweating. I have time to patch them, because they can’t be discovered and seen from the internet,’” he said. “So the faster the market embraces zero trust, the safer we will get.”
Zero trust is the architecture that’s more badly needed in cybersecurity than anything else out there. I’ve been excited to see that it’s picking up. But I’m very disappointed to see that the term has become a buzzword. Legacy companies have hijacked the term. It has lost its meaning. The whole thing started with zero trust network access. The notion was, do not put users on the network–because if you do, they can move laterally and go anywhere. And that’s the biggest security risk today.
If you look at Colonial Pipeline, they stole some VPN credentials, got on the network, moved laterally, found a high-value billing application–and then encrypted it and stole the data. It highlighted two things. It highlighted the notion that VPNs [can be] dangerous–dangerous because they put you on the network, and then you can move laterally. So the notion [of zero trust] was, connect users to applications–just applications, not to the network.
A few weeks ago, this vendor said, “We are the best zero trust network security vendor.” Either you’re zero trust or you’re network security. You don’t do both. Your firewall is designed as a network device. The architecture has to be opposite. There’s no such thing as a “zero trust firewall”–they don’t go together …
In 2021, what did you see in terms of customer adoption of zero trust? Did you see a major pickup in zero trust displacing VPN in 2021?
[Zero trust] started replacing VPN in 2020. In 2021, it became more than just a VPN replacement–it became their entire DMZ. Because if zero trust is only [replacing] VPN, then zero trust is too narrow. When customers deploy a zero trust [platform] like Zscaler, they replace all of their old-school appliances. Typically, in the DMZ they’ve got their global load balancers, their DDoS protection, their external layer of firewalls, IPS, and VPNs. With Zscaler Zero Trust Exchange, all of that goes away. We do all of that …
I think zero trust is now driven by every CIO and CISO I talk to. Fifteen months ago, when I talked to CIOs or CISOs, probably a third would say, “Yeah, I’m interested in zero trust.” Now it’s nine out of 10 that would say, “I’m interested, and I have a budget for the project.”
How do you connect users to applications without going through a network?
I came up with an analogy that people appreciate. So if I come to see you at your headquarters, I come to reception. And they stop me, check my ID, give me a badge. And then they let me go unescorted to Room 22. If they did so, I could go anywhere, to any room that’s open–Room 21, Room 19. I could move to adjacent buildings that are interconnected. That’s exactly what happens when you put people on the network, either by being in the branch office, or by being on a VPN. Not very good.
How do you solve it? Well, borrowing from the same analogy, first of all, you remove the names of the buildings. They can’t even see where you are. You go dark. Two, you remove interconnection. Each building is an independent building. You don’t even know where those buildings are. You come to the reception again, they check your ID and give you a badge. And they’ll say, “you will be escorted to Room 22–and 22 only–after being blindfolded.” You don’t even need to know when the room is. We take you there, the meeting happens–then you get blindfolded and you get escorted out. So the notion is to connect users to applications, not to the network.
For zero trust, what factors do you check before allowing access to applications?
First it’s, who are you? I need to check your identity. If that passes, we check device trust. Can we trust your device? Is it compromised, not compromised, managed, unmanaged? Perhaps I can do a different policy for an unmanaged device, but managed, I can let you go to my crown jewel application. If that passes, we do a security status check. We’re checking for malicious content. We’re checking anomalous behavior of the traffic, to see if a user is doing some crazy thing, and then we can stop them dynamically. If that’s good, we say where are you? We’re checking your destination. We can select which applications they can go to. Some people can only go to SAP, some people can only go to certain sites. If all that is good, then we connect you to the application.
What parts of zero trust for IoT/OT are already available, and what’s coming next?
If you look at IoT and OT, they’re two [different] things. IoT collects telemetry and sends information to a data lake. It could be about the health of the system and whatnot. We have our solution available [so that] when IoT devices talk to our cloud, they get connected to the right application. That’s one part. OT is generally the opposite. OT systems are control systems. They could be X-ray machines, could be MRI machines. Or they could be a power plant, and [the customer] needs to access those power plants remotely. Traditionally, they’re done VPN kind of stuff to get there–but they’re worried about it. And they use Zscaler. That’s available today. Now they want next-level functionality–they want session recording, and some of the more sophisticated security [capabilities]. Those things are under development.
What are some of the major threats you’ve seen where Zscaler’s zero trust approach has made a difference for customers?
Think of Log4j. It’s the most dangerous vulnerability. You can scan the internet, you can find all kinds of servers, you can find which ones are [vulnerable], and you can get in. Not even a password needs to be guessed. In the case of zero trust, all those applications will be hidden behind [Zscaler Zero Trust] Exchange. I had a number of customers who reached out to me and said, “Thank God I am hidden behind Zscaler. I need to patch my systems, but I’m not sweating. I have time to patch them, because they can’t be discovered and seen from the internet.” So the faster the market embraces zero trust, the safer we will get.
Tomi Engdahl says:
Zscaler CEO: Network security firms have ‘hijacked’ zero trust
https://venturebeat.com/2022/01/31/zscaler-ceo-network-security-firms-have-hijacked-zero-trust/
Tomi Engdahl says:
How Phishers Are Slinking Their Links Into LinkedIn
https://krebsonsecurity.com/2022/02/how-phishers-are-slinking-their-links-into-linkedin/
If you received a link to LinkedIn.com via email, SMS or instant message, would you click it?. Spammers, phishers and other neer-do-wells are hoping you will, because theyve long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedins parent firm Microsoft).
Tomi Engdahl says:
Cyber Signals: Defending against cyber threats with the latest research, insights, and trends https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/
Were excited to introduce Cyber Signals, a cyber threat intelligence brief informed by the latest Microsoft threat data and research. This content, which will be released quarterly, offers an expert perspective into the current threat landscape, discussing trending tactics, techniques, and strategies used by the worlds most prolific threat actors. As such, we hope its a valuable resource to Chief Information Security Officers, Chief Information Officers, Chief Privacy Officers, and their teams, as they continue to evolve technologies, policies, and processes against the constantly changing threat landscape.
Tomi Engdahl says:
Estimating the Bit Security of Pairing-Friendly Curves
https://research.nccgroup.com/2022/02/03/estimating-the-bit-security-of-pairing-friendly-curves/
The use of pairings in cryptography began in 1993, when an algorithm developed by Menezes, Okamoto and Vanstone, now known as the MOV-attack, described a sub-exponential algorithm for solving the discrete logarithm problem for supersingular elliptic curves. It wasnt until the following decade that efficient pairing-based algorithms were used constructively to build cryptographic protocols applied to identity-based encryption, short signature signing algorithms and three participant key exchanges.
Tomi Engdahl says:
Meet the NSA spies shaping the future
https://www.technologyreview.com/2022/02/01/1044561/meet-the-nsa-spies-shaping-the-future/
In his first interview as leader of the NSA’s Research Directorate, Gil Herrera lays out challenges in quantum computing, cybersecurity, and the technology American intelligence needs to master to secure and spy into the future. For someone with a deeply scientific job, Gil Herrera has a nearly mystical mandate: Look into the future and then shape it, at the level of strange quantum physics and inextricable math theorems, to the advantage of the United States.
Tomi Engdahl says:
MFA PSA, Oh My!
https://www.proofpoint.com/us/blog/threat-insight/mfa-psa-oh-my
Since the inclusion of the first password in the Compatible Time-Sharing System at MIT in 1961, people have been cognizant of information security. While multi-factor authentication (MFA) did not enter the scene until years later in 1986 with the first RSA tokens, it has recently seen widespread adoption in the consumer space.
According to MFA digital authenticator company Duo’s annual State of the Auth Report 78% of respondents have used two/multi-factor authentication (2FA/MFA) in 2021 compared to just 28% in 2017.. Threat actors are using phish kits that leverage transparent reverse proxy, which enables them to man-in-the-middle (MitM) a browser session and steal credentials and session cookies in real-time.
Tomi Engdahl says:
Cloudflare bug bounty program goes public with $3,000 rewards on offer
https://portswigger.net/daily-swig/cloudflare-bug-bounty-program-goes-public-with-3-000-rewards-on-offer
Cloudflare has launched a public bug bounty program to succeed the invite-only program in place since 2018. Critical bugs will command payouts of $3,000, high severity flaws can earn researchers up to $1,000, medium risk vulnerabilities will net them a potential $500, and low risk issues will attract $250 payouts. Up and running since Tuesday (February 1), the new program, as with its private forerunner, is hosted by HackerOne and has all Cloudflares assets in scope.
Tomi Engdahl says:
Keeping Track of Your Attack Surface for Cheap https://isc.sans.edu/forums/diary/Keeping+Track+of+Your+Attack+Surface+for+Cheap/28304/
Various commercial services that promise to keep track of your “attack surface” are sprouting like tulips in the spring (yes… for you up
north: Spring is near). But what options are there in particular for smaller companies to track your attack surface “on the cheap”?. Let’s first define “attack surface” for the purpose of this post: The attack surface is composed of exposed services that if vulnerable could be used by attackers to breach your network.
Tomi Engdahl says:
Using .ppam Files to Wrap Executable Content
https://www.avanan.com/blog/using-.ppam-files-to-wrap-executable-content
PowerPoint has a number of add-on files that add features and capabilities. One of these is the .ppam file. A little-known add-on, it has bonus commands and custom macros, among other functions. Now, this file is being used by hackers to wrap executable files.
Tomi Engdahl says:
NSA Releases 2021 Cybersecurity Year in Review https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2921744/nsa-releases-2021-cybersecurity-year-in-review/
The National Security Agency released the 2021 NSA Cybersecurity Year in Review today to highlight how its cybersecurity mission continues to prevent and eradicate threats to the nation’s most critical systems. The Year in Review shows the breadth of the NSA’s cybersecurity mission from securing key Department of Defense weapons and space systems, to collaborating with industry analysts to better protect the Defense Industrial Base, to issuing actionable cybersecurity guidance that helps network defenders protect our most sensitive systems from adversary threats.
Tomi Engdahl says:
Codex Exposed: Helping Hackers in Training?
https://www.trendmicro.com/en_us/research/22/a/codex-exposed-helping-hackers-in-training.html
In a series of blog posts, we explore different aspects of Codex and assess its capabilities with a focus on the security aspects that affect not only regular developers but also malicious users. This is the fourth and final part of the series. (Read the first, second, and third parts.). Codexs sales pitch remains that of a coding assistant:
a tool aimed at reducing the time and effort a programmer must put in to perform repetitive tasks, learning new skills and finding solutions to known, recurrent problems.
Tomi Engdahl says:
Intel expands Bug Bounty program with ‘Project Circuit Breaker’ effort https://www.zdnet.com/article/intel-expands-bug-bounty-program-with-project-circuit-breaker-effort/
Intel announced the expansion of its Bug Bounty program this week, explaining in a statement that it plans to create a new effort called “Project Circuit Breaker.”. The project will bring in an “elite” group of hackers to search for vulnerabilities in Intel’s firmware, hypervisors, GPUs, chipsets, and more. According to Intel, the program will involve “targeted time-boxed events on specific new platforms and technologies, providing training and creating opportunities for more hands-on collaboration with Intel engineers.”
Tomi Engdahl says:
How Exploit Intel Makes You Less Vulnerable
https://blogs.cisco.com/security/how-exploit-intel-makes-you-less-vulnerable
New research shows effective and efficient vulnerability management hinges on a key ingredient: exploit intel. The data arrives just in time. In 2021, a record-breaking 20,130 Common Vulnerabilities and Exposures (CVEs) were published in the National Vulnerability Database. CVEs are exploding just as attackers are growing more sophisticated, exploiting not just weaknesses in infrastructures but also human fallibility. Trying to hold back the surge can be difficult. Research from Kenna Security, now part of Cisco, and the Cyentia Institute sheds light on the limited capacity organizations have to tackle new vulnerabilities introduced each month.
Tomi Engdahl says:
Intel Patched 226 Vulnerabilities in 2021
https://www.securityweek.com/intel-patched-226-vulnerabilities-2021
Tomi Engdahl says:
Ransomware Often Hits Industrial Systems, With Significant Impact: Survey
https://www.securityweek.com/ransomware-often-hits-industrial-systems-significant-impact-survey
Ransomware attacks in many cases hit industrial control systems (ICS) or operational technology (OT) environments, and impact is often significant, according to a report published on Thursday by IoT and industrial cybersecurity company Claroty.
Claroty’s “Global State of Industrial Cybersecurity” report is based on a Pollfish survey of 1,100 IT and OT security professionals in the United States, Europe and the APAC region. More than half of respondents work for enterprises that have an annual revenue exceeding $1 billion. The survey was conducted in September 2021.
Roughly 80% of respondents admitted that their organization had experienced a ransomware attack within the past year, and nearly half said the incident had impacted their ICS/OT environment.
Only 15% of respondents said there was no impact or minimal impact on operations, and nearly 50% said there was significant impact. Seven percent said the incident resulted in a full operations shutdown that lasted for more than a week.
The cyberattack was disclosed to both authorities and shareholders in most cases, but some companies apparently did not inform anyone.
There has been a lot of debate over the past years on ransomware payments. The U.S. government has taken action against payment facilitators and issued a warning regarding potential legal implications. A recently introduced bill would require organizations to report ransomware payments.
Of the individuals who took part in the Claroty survey, 28% believe ransomware payments should be legal and there should be no requirement to inform authorities. More than 41%, on the other hand, believe these types of payments should be legal only as long as regulators or authorities are informed. Approximately 20% believe ransomware payments should be illegal.
Nearly two-thirds of respondents said reporting incidents involving IT or OT systems to government regulators should be mandatory.
When asked about the hourly cost of downtime on their company’s revenue, 8% said it was more than $5 million and 14% said it was $1 to $5 million.
As for the workforce, a vast majority of respondents believe IT security professionals in their organization are capable of managing the cybersecurity of OT/ICS environments. However, 40% said they are urgently looking to hire more industrial cybersecurity experts.
More than 80% of respondents said their ICS/OT security budget had increased moderately or significantly since the start of the pandemic. Moreover, many admitted that ransomware attacks such as the ones that hit Colonial Pipeline led to cybersecurity becoming a bigger priority and increased investment.
THE GLOBAL STATE
OF INDUSTRIAL
CYBERSECURITY 2021:
RESILIENCE AMID
DISRUPTION
https://claroty.com/wp-content/uploads/2022/02/Claroty_Report_State_of_Industrial_Cybersecurity_2021.pdf
Tomi Engdahl says:
Bridging the Gap Between Training and Behavior
https://www.securityweek.com/bridging-gap-between-training-and-behavior
While employees want to do the right thing when it comes to protecting their organization from cyber threats, we cannot expect them to be perfect
As we start off 2022, companies continue to be victimized by threat actors and ransomware gangs. These losses can threaten the continuity of a business, especially for small and medium sized enterprises who simply cannot afford ransomware incidents that cost six or seven figures to remediate. Meanwhile, the sophistication of threat actors’ techniques continues to increase.
While the cybersecurity community has done a great job of making employee training more realistic and effective through simulated phishing programs and interactive training, there remains a large gap between well trained employees and the overall security posture of an organization.
On any given day, a crafty phishing or socially engineered business email compromise can turn a well trained worker into a victim. To supplement cyber training, organizations should consider implementing a balanced approach that combines training with Zero Trust policies that enforce least privilege so employees only have access to the resources they need to perform their jobs.
Here are several easy to implement techniques that any size organization can use to apply this approach:
Zero Trust Browsing
According to Salary.com, 64% of all employees visit non-work related sites every day. Putting aside productivity concerns, employees that access websites for personal reasons can introduce malicious files or click on links that can corrupt their machine or the corporate network.
Zero Trust browsing is easy to implement with solutions that force a containerized virtual machine (VM) session in the cloud for any non-trusted internet activity, such as accessing personal email or non-trusted websites. A protocol of scanning attachments for malware before download to the local machine is also an essential piece of hygiene. These approaches allow for a more resilient cyber approach to security threats that employees can introduce in their daily workflow.
Zero Trust Application Management
In addition to web browsing, all employees have to access externally accessible work related resources such as finance/HR systems, CRM, and other tools to perform their job functions. These applications should be seamlessly accessible from any device, but they can still create attack vectors for exploitation and privilege escalation.
The bottom line is that browsing activity is an essential part of business and a key vector that can be exploited. For this reason, workplace applications should be accessed in a containerized cloud environment.
While employees want to do the right thing when it comes to protecting their organization from cyber threats, we cannot expect them to be perfect. A Zero Trust safety approach to web browsing and application access management provides guardrails that allows enterprises to stay one step ahead of threat actors.
Tomi Engdahl says:
Ransomware attacks continue to target companies. For some organizations, it may take longer to fully recover from the attacks.
https://trib.al/tza7oCz
A Majority Of Surveyed Companies Were Hit By Ransomware Attacks In 2021—And Paid Ransom Demands
https://lm.facebook.com/l.php?u=https%3A%2F%2Ftrib.al%2Ftza7oCz&h=AT3ckX9WL9HaLPRD7tywU7TnpAdaSk4dllfpnhfpYEfw6ZeRzxbd9uhixFJdCKLTpr05iVS-a2PihdaxL62fMrZKrv2gDCOI_0R4vTJ4-zKlt6eiibAeDNBolVRUT65TD7HdTcoB6eGKKvYw_A
Ransomware attacks continue to target companies. For some organizations, it may take longer to fully recover from the attacks.
NBC News reported that, “More than a month after hackers crippled Kronos, a payroll and staffing company that has become integral to many American workplaces, paychecks to employees in Indiana, Ohio and West Virginia who work for Coca-Cola Consolidated, an independent company that serves as the country’s largest distributor of Coke products, have been sporadic, according to union representatives.
“A spokesperson for Kronos noted that the company announced on Jan. 22 that it had finally restored all its services. Josh Gelinas, Coca-Cola Consolidated’s vice president of communications, said that the company ‘has continued to pay all of our teammates despite a ransomware attack in December that disabled digital timekeeping for us and thousands of other companies around the world.’”
Tomi Engdahl says:
Navy Cyber Needs a Refit
https://www.usni.org/magazines/proceedings/2022/february/navy-cyber-needs-refit
More than 15 years before cyber was introduced as the fifth domain of warfare in 2011, the Navy set the standard for investment in this field by funding new technologies such as The Onion Router (TOR), a browser that allows anonymous internet communication.1 In 2018, U.S. Cyber Command (CyberCom) was elevated to a unified combatant command and the roles of the services in support of national cyber objectives were codified
Tomi Engdahl says:
Target Open Sources Web Skimmer Detection Tool
https://www.securityweek.com/target-open-sources-web-skimmer-detection-tool
Retail giant Target this week announced the open source availability of an internal tool designed for the detection of web skimming attacks.
Dubbed Merry Maker, the tool analyzes payment page code served to users and network traffic from test payment transactions to identify any malicious indicators. The company says it has been using the tool since 2018 to perform more than one million website scans.
In addition to simulating a real site visitor and saving the generated code and network activity for analysis, the utility searches for new and known malicious domains and creates an alert when any is identified. The tool supports Basic, Kafka, and GoAlert alerts.
“Merry Maker continually simulates online browsing and completes test transactions to scan for the presence of malicious code. Merry Maker acts like a guest on Target.com by completing several typical activities including online purchases. While doing so, the tool gathers and analyzes a variety of information including network requests, JavaScript files, and browser activity to determine if there’s any type of unwanted activity,” Target explains.
Meet Merry Maker: How Target Protects Against Digital Skimming
https://tech.target.com/blog/meet-merry-maker
https://github.com/target/mmk-ui-api
Tomi Engdahl says:
The U.K. Paid $724,000 For A Creepy Campaign To Convince People That Encryption is Bad. It Won’t Work.
https://www.eff.org/deeplinks/2022/01/uk-paid-724000-creepy-campaign-convince-people-encryption-bad-it-wont-work
This week, the U.K. government launched an unprecedented and deceptive effort to kill off end-to-end encryption. They’ve hired a fancy ad agency to convince people that encrypted messages are dangerous to children.
The explicit goal of the “No Place to Hide” campaign, launched on Tuesday, is to prevent Facebook from expanding its use of end-to-end encryption. Currently, Facebook’s WhatsApp messaging system uses end-to-end encryption, but other communications systems, including Facebook Messenger, are scanned and checked against a US government database, run by the National Center for Missing and Exploited Children (NCMEC), which identifies child abuse images.
Tomi Engdahl says:
While President Joe Biden vowed to stem the growing market in “ghost guns,” the man who invented untraceable 3D printable weapons said he’s selling as many as 55 a week. https://trib.al/yAjUvwA
Tomi Engdahl says:
An implanted microchip could replace cards as a way to carry a vaccine passport that can’t be lost and is always handy.
READ MORE:
https://foxbaltimore.com/news/coronavirus/implanted-microchip-could-be-used-to-verify-covid-19-vax-status
https://theintercept.com/2022/01/01/covid-vaccine-passports-surveillance/
Tomi Engdahl says:
https://www.helsinki.fi/fi/uutiset/ihmisten-teknologia/pimea-verkko-ei-ole-vain-rikollisten-turvasatama
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/intel-unveils-circuit-breaker-bug-bounty-expansion-for-elite-hackers/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/target-open-sources-scanner-for-digital-credit-card-skimmers/
Tomi Engdahl says:
https://www.eff.org/deeplinks/2022/01/uk-paid-724000-creepy-campaign-convince-people-encryption-bad-it-wont-work
Tomi Engdahl says:
https://pentestmag.com/the-automated-soc-reviewing-the-future-of-layered-security-solutions/
Tomi Engdahl says:
https://venturebeat.com/2022/01/31/zscaler-ceo-network-security-firms-have-hijacked-zero-trust/
Tomi Engdahl says:
https://thenextweb.com/news/google-tracking-location-data-dark-patterns#Echobox=1643273475
Tomi Engdahl says:
https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html
Tomi Engdahl says:
Security experts say you no longer need a VPN — here’s why
By Emily Long published 6 days ago
Are VPNs still necessary for security and privacy? Maybe not always
https://www.tomsguide.com/news/you-may-no-longer-need-vpn
Tomi Engdahl says:
https://www.dustin.fi/solutions/tietopankki/archive/naein-otat-tietoturvan-huomioon-liiketoimintariskien-laskelmissa?fbclid=IwAR2aelCeLoTHLSo8eUFES7PNfGsWUvL7wOjpU-sTAshihY5r8UDLbrQg54o