Cyber trends for 2023

Nothing is more difficult than making predictions, especially in fast advancing cyber security field. Instead of me trowing out wild ideas what might be coming, I have collected here some trends many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome to attempt to “upgrade” to the HTTPS version of websites, if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads through HTTP on Chrome browser.

Malwertising: Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users also in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware arriving over encrypted connections that are typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams traditional firewalls and many other security tools. Over 85% of Attacks Hide in Encrypted Channels. WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will be still very common in 2023. In 2022 nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. There are many companies that do not patch their systems at reasonable time or at all, so they stay vulnerable. Also new variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, maintenance of employees’ skills and indifference are the strongest obstacles in the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: In a hyperscale cloud provider, there can be potentially several thousand people, working around the globe that could potentially access our data. Security screening and limiting alone still leaves a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA Fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is MFA fatigue attacks a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them with legitimate authentication requests. t’s a huge threat because it bypasses one of the most effective the security measures.

Passwords: Passwords will not go away completely even though new solutions to replace then will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character to the password can make it harder for cyber criminals to use if for some reason it leaks out. The reason us that comma in password can obfuscate tabular comma separated values (csv) files, which are a common way to collect and distribute stolen passwords.

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity: Network and Information Security 2 also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs on late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors. Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been observed by the cybersecurity community as “the floor” and “a baseline” to cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, remaining their focus solely to IT systems. Especially in the critical infrastructure sectors, overlooking OT can have serious risks to all operations. As a result, the CPGs released explicitly are scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Loosing the trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection:Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also a challenge that Executives take more cybersecurity risks than office workersleaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that Executives take more cybersecurity risks than office workers

Zero trust: Many people think that Zero Trust is pretty optimal security practice in 2023. It is good for those new systems to whom it’s model suits, but Zero Trust has also challenges. Incorporating zero trust into an existing network can be very expensive. Zero Trust Shouldnt Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesnt coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. Thats where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. A future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”

Google Workplace: Google Workspace Gets Client-Side Encryption in Gmail. Long waited Client-side encryption for Gmail available in beta .
Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API,

War risks: Watch for continued war between Russia and Ukraine real world and cyber world in 2023. Cyber as important as missile defences – an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ISC: ICS and SCADA systems remain trending attack targets also in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all free public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 Should Be on Your Radar in 2023 if you work on field that needs to meet that. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST Retires SHA-1 Cryptographic Algorithm, not fully in 2023, but starts preparations for phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique is referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replace the 27 years old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phaseout period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers -Amazon Web Services (AWS), Microsoft Azure and Google Cloud- of course offer security features and services, which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly-sought after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But there are several analysts who believe that becoming a self-taught ethical hacker in 2023 might not be worth it because they are at constant risk of failing to perform properly and many companies might not want to hire an ethical hacker.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With Cloud Comes APIs & Security Headaches also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. ccording to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots . About 40% of companies are suffering an incident due to misconfiguration and a third coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions-

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations
But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. Wired magazine article expects that In 2023, we may well see our first death by chatbot. Causality will be hard to prove was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. ReadPolicing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. Year 2022 already showed how a lot of cryptocurrency related risks realized. More “Crypto travel rules” enacted to combat money laundering and terrorism financing.

Insurance: Getting a cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks and now increasing cyber was the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are already insurance policies written in the market have an exemption for state-backed attacks, but but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks that have disrupted hospitals, shut down pipelines and targeted government department. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Asiantuntija neuvoo käyttämään pilkkua sala­sanassa – taustalla vinha logiikka

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Yritysten kyberturvassa edelleen isoja aukkoja Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

Kyberturvan ammattilaisista on huutava pula

Is Enterprise VPN on Life Support or Ripe for Reinvention?

Cyber as important as missile defences – an ex-NATO general

1,768 Comments

  1. Tomi Engdahl says:

    useful resource for those of us that don’t spend long enough on Winblows to remember this stuff.

    Active Directory Penetration Testing Cheatsheet

    https://latesthackingnews.com/2023/04/25/active-directory-penetration-testing-cheatsheet/

    Reply
  2. Tomi Engdahl says:

    Big Tech Crackdown Looms as EU, UK Ready New Rules
    https://www.securityweek.com/big-tech-crackdown-looms-as-eu-uk-ready-new-rules/

    TikTok, Twitter, Facebook, Google, and Amazon are facing rising pressure from European authorities as London and Brussels advanced new rules Tuesday to curb the power of digital companies.

    Reply
  3. Tomi Engdahl says:

    Artificial Intelligence
    Cybersecurity Futurism for Beginners
    https://www.securityweek.com/cybersecurity-futurism-for-beginners/

    How will Artificial Intelligence develop in the near term, and how will this impact us as security planners and practitioners?

    Reply
  4. Tomi Engdahl says:

    Artificial Intelligence
    Innovation Sandbox: Cybersecurity Investors Pivot to Safeguarding AI Training Models
    https://www.securityweek.com/innovation-sandbox-cybersecurity-investors-pivot-to-safeguarding-ai-training-models/

    SecurityWeek editor-at-large Ryan Naraine expects to see an explosion of well capitalized startups promising to protect AI machine learning models behind enterprise products.

    Reply
  5. Tomi Engdahl says:

    How Long It Would Take A Hacker To Brute Force Your Password In 2023, Ranked
    https://digg.com/tech/link/how-long-it-takes-to-get-password-hacked-hive-systems-qxSILkeChI

    Reply
  6. Tomi Engdahl says:

    Näin tarkistat käyttääkö joku salaa Facebook-tiliäsi – Traficom varoittaa
    Huijarit voivat saada tilin kirjautumistiedot esimerkiksi huijauskilpailuiden kautta.
    https://www.iltalehti.fi/tietoturva/a/ec382352-8379-48a3-a5bb-57849d3376ab

    Reply
  7. Tomi Engdahl says:

    Shodan: The most dangerous search engine in the world!
    19/04/2023, 08:34
    https://en.iguru.gr/shodan-pio-epikindyni-michani-anazitisis-ston-kosmo/

    Reply
  8. Tomi Engdahl says:

    Microsoft is busy rewriting core Windows code in memory-safe Rust https://www.theregister.com/2023/04/27/microsoft_windows_rust/
    Microsoft is rewriting core Windows libraries in the Rust programming language, and the more memory-safe code is already reaching developers. Microsoft showed interest in Rust several years ago as a way to catch and squash memory safety bugs before the code lands in the hands of users; these kinds of bugs were at the heart of about 70 percent of the CVE-listed security vulnerabilities patched by the Windows maker in its own products since 2006

    Reply
  9. Tomi Engdahl says:

    ChatGPT writes insecure code
    https://www.malwarebytes.com/blog/news/2023/04/chatgpt-creates-not-so-secure-code-study-finds
    Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI’s popular chatbot, is prone to generating insecure code. “How Secure is Code Generated by ChatGPT?” is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn’t robust, despite claiming awareness of its vulnerabilities

    Reply
  10. Tomi Engdahl says:

    Many Public Salesforce Sites are Leaking Private Data https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/
    A shocking number of organizations including banks and healthcare providers are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in

    Reply
  11. Tomi Engdahl says:

    Google plans to add end-to-end encryption to Authenticator https://www.theverge.com/2023/4/27/23700612/google-authenticator-end-to-end-encryption-e2ee
    Google Authenticator is getting end-to-end encryption – eventually.
    After security researchers criticized the company for not including it with Authenticator’s account-syncing update, Google product manager Christiaan Brand responded on Twitter by saying that the company has “plans to offer E2EE” in the future

    Reply
  12. Tomi Engdahl says:

    Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks Patch Now https://thehackernews.com/2023/04/zyxel-firewall-devices-vulnerable-to.html
    Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. “Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel said in an advisory on April 25, 2023

    Reply
  13. Tomi Engdahl says:

    Chinese hackers outnumber FBI cyber staff 50 to 1, bureau director says https://www.cnbc.com/2023/04/28/chinese-hackers-outnumber-fbi-cyber-staff-50-to-1-director-wray-says.html
    “U.S. cyber intelligence staff is vastly outnumbered by Chinese hackers, Federal Bureau of Investigation Director Christopher Wray told Congress as he pleaded for more money for the agency. ‘To give you a sense of what were up against, if each one of the FBIs cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI Cyber personnel by at least
    50 to 1, Wray said [...]‘

    Reply
  14. Tomi Engdahl says:

    APT groups working together to expand operations, target more industries https://www.scmagazine.com/news/threat-intelligence/apt-groups-working-together-to-expand-operations-target-more-industries
    “Long-established threat groups appear to be cozying up to each other as a means of expanding their operations in the face of fresh competition from new APT players. [Kaspersky] says APT actors, old and new, have been busy updating their toolsets and expanding their attack vectors, both in terms of geographical location and target industries.” Source:
    https://securelist.com/apt-trends-report-q1-2023/109581/

    Reply
  15. Tomi Engdahl says:

    Google Authenticators new syncing feature raises security concerns https://www.scmagazine.com/news/identity-and-access/google-authenticators-syncing-security-concerns
    “A new Google Authenticator sync-to-cloud feature for its two-step verification app is coming under fire by privacy advocates who claim communication between endpoint and cloud is unencrypted and can be snooped on by adversaries.”

    Reply
  16. Tomi Engdahl says:

    Nuke-launching AI would be illegal under proposed US law https://arstechnica.com/information-technology/2023/04/nuke-launching-ai-would-be-illegal-under-proposed-us-law/
    U.S. legislators announce bill that seeks to prevent an artificial intelligence system from making nuclear launch decisions

    Reply
  17. Tomi Engdahl says:

    EU:n digieurohanke etenee sähköistä käteistä käytettäisiin ilman välityskuluja tai edes pankkitiliä https://www.tivi.fi/uutiset/tv/104621b3-fd48-4fd0-b7df-29285a00fecc
    Euroopan keskuspankki on huolissaan Visan ja Mastercardin ylivallasta digitaalisessa rahansiirrossa. Ratkaisu on EU:n oma digitaalinen käteinen. Euroopan keskuspankki ja euroalueen muut keskuspankit ovat jo kahden vuoden ajan suunnitelleet digitaalisen euron käyttöönottoa.
    Digitaalinen euro olisi keskuspankkien liikkeelle laskemaa käteistä rahaa siinä missä fyysisetkin kolikot ja setelit. Sitä voisi käyttää älypuhelimilla mobiilimaksamiseen kaikkialla missä nykyäänkin, mutta ilman välissä olevaa digitaalista kopiota maksukortista. Maksuista ei koituisi välityskustannuksia, eikä niiden käyttöön välttämättä tarvittaisi edes pankkitiliä

    Reply
  18. Tomi Engdahl says:

    Quick IOC Scan With Docker
    https://isc.sans.edu/diary/rss/29788
    When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I’m using to quickly scan for interesting IOCs (“Indicators of Compromise”). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content. The tool has many interesting YARA rules, but you can always add your own to increase the detection capabilities

    Reply
  19. Tomi Engdahl says:

    Unleashing the Power of Shimcache with Chainsaw https://labs.withsecure.com/tools/chainsaw-analyse-shimcache
    WithSecure Incident Response team has released a new subcommand for the Chainsaw forensic tool named analyse. This new subcommand incorporates three innovative and novel techniques to aid the analysis and timestamp enrichment of Shimcache entries. This plug-in has been included with Chainsaw v2.6 and is available from the WithSecureLabs GitHub

    Reply
  20. Tomi Engdahl says:

    Companies Increasingly Hit With Data Breach Lawsuits: Law Firm
    https://www.securityweek.com/companies-increasingly-hit-with-data-breach-lawsuits-law-firm/

    Lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken even for incidents affecting less than 1,000 people.

    Lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken more frequently even in cases where the number of impacted individuals is smaller, according to US law firm BakerHostetler.

    BakerHostetler last week published its 2023 Data Security Incident Response Report, which is based on data collected from more than 1,100 cybersecurity incidents investigated by the company in 2022.

    The report shows that 45% of incidents were network intrusions, followed by business email compromise (30%) and inadvertent data disclosure (12%). Following initial access, the most common actions were ransomware deployment (28%), data theft (24%), email access (21%), and malware installation (13%).

    Earlier this year, a blockchain data company reported seeing a significant drop in the total amount of money received by ransomware groups in 2022 ($457 million) compared to the previous year ($766 million).

    However, data collected by BakerHostetler shows that ransomware victims that did pay a ransom in 2022 paid more compared to 2021.

    The cost of forensic investigations has also increased. For the 20 largest network intrusions, the average cost increased by 24%, from $445,000 in 2021 to $550,000 in 2022.

    In addition to higher ransom demands and increased forensic costs, BakerHostetler found that a bigger percentage of incidents where the impacted organization notified individuals of a data breach resulted in at least one lawsuit. Specifically, the numbers have increased from four lawsuits out of 394 incidents in 2018 to 42 lawsuits filed for 494 incidents in 2022.

    Lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken more frequently even in cases where the number of impacted individuals is smaller, according to US law firm BakerHostetler.

    BakerHostetler last week published its 2023 Data Security Incident Response Report, which is based on data collected from more than 1,100 cybersecurity incidents investigated by the company in 2022.

    The report shows that 45% of incidents were network intrusions, followed by business email compromise (30%) and inadvertent data disclosure (12%). Following initial access, the most common actions were ransomware deployment (28%), data theft (24%), email access (21%), and malware installation (13%).

    Earlier this year, a blockchain data company reported seeing a significant drop in the total amount of money received by ransomware groups in 2022 ($457 million) compared to the previous year ($766 million).

    However, data collected by BakerHostetler shows that ransomware victims that did pay a ransom in 2022 paid more compared to 2021. The largest ransom demand seen by the firm in 2022 exceeded $90 million (compared to $60 million in 2021), and the largest ransom that was paid in 2022 was more than $8 million (compared to $5.5 million in 2021). The average ransom amount paid last year was roughly $600,000, up from $511,000 in 2021.

    The cost of forensic investigations has also increased. For the 20 largest network intrusions, the average cost increased by 24%, from $445,000 in 2021 to $550,000 in 2022.

    In addition to higher ransom demands and increased forensic costs, BakerHostetler found that a bigger percentage of incidents where the impacted organization notified individuals of a data breach resulted in at least one lawsuit. Specifically, the numbers have increased from four lawsuits out of 394 incidents in 2018 to 42 lawsuits filed for 494 incidents in 2022.

    Four of the lawsuits filed last year were in response to incidents where fewer than 1,000 people were impacted, and 14 lawsuits were filed over incidents that hit between 1,000 and 100,000 people.
    Advertisement. Scroll to continue reading.

    Another category of lawsuits has also increased: privacy-related class actions. BakerHostetler is aware of more than 50 lawsuits filed since August 2022 against hospital systems that allegedly shared patient identities and online activities via third-party website analytics tools without the user’s knowledge and consent.

    The law firm says it’s currently defending more than 200 lawsuits related to privacy or data security.

    Reply
  21. Tomi Engdahl says:

    Artificial Intelligence
    Innovation Sandbox: Cybersecurity Investors Pivot to Safeguarding AI Training Models
    https://www.securityweek.com/innovation-sandbox-cybersecurity-investors-pivot-to-safeguarding-ai-training-models/

    SecurityWeek editor-at-large Ryan Naraine expects to see an explosion of well capitalized startups promising to protect AI machine learning models behind enterprise products.

    At the annual RSA Conference shindig in San Francisco this week, a tiny Texas company called HiddenLayer won the ‘Most Innovative Startup’ prize for its technology that promises to monitor algorithms for adversarial ML attack techniques.

    The HiddenLayer win signals an interesting shift in the startup ecosystem as venture capitalists pivot from hyping AI/ML security tools to investing in new companies to protect the code flowing in and out of AI training sets.

    HiddenLayer’s pitch is a future that includes MLMDR (machine learning detection and response) platforms that monitor the inputs and outputs of your machine learning algorithms for anomalous activity consistent with adversarial ML attack techniques. The company emerged from stealth in July 2022 with $6 million in funding.

    Reply
  22. Tomi Engdahl says:

    Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment
    https://www.securityweek.com/critical-infrastructure-organizations-urged-to-identify-risky-communications-equipment/

    CISA urges organizations to review FCC’s Covered List of risky communications equipment and incorporate it in their supply chain risk management efforts.

    The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert to urge critical infrastructure organizations to scope their environments for communications equipment deemed to pose high risk.

    Per the Secure and Trusted Communications Networks Act of 2019 (PDF), federal agencies are prohibited from purchasing communications equipment and services that pose national security risks, and the Federal Communications Commission (FCC) maintains a list of such products, the Covered List.

    Available on the FCC’s website and last updated in September 2022, the list mentions telecommunications devices and services from Huawei, ZTE, Hytera, Hikvision, Dahua, China Mobile, China Telecom, China Unicom, and Pacific Network Corp.

    These products, the FCC says, “are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons”.

    Now, CISA urges organizations to review the FCC’s Covered List and take steps to identify potentially risky equipment and improve the security of their networks where necessary.

    “CISA reminds all critical infrastructure owners and operators to take necessary steps in securing the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts,” CISA notes.

    CISA Urges Organizations to Incorporate the FCC Covered List Into Risk Management Plans
    https://www.cisa.gov/news-events/alerts/2023/05/01/cisa-urges-organizations-incorporate-fcc-covered-list-risk-management-plans

    Reply
  23. Tomi Engdahl says:

    Insider Q&A: OpenAI CTO Mira Murati on Shepherding ChatGPT
    https://www.securityweek.com/insider-qa-openai-cto-mira-murati-on-shepherding-chatgpt/

    OpenAI CTO Mira Murati discusses AI safeguards and the company’s vision for the futuristic concept of artificial general intelligence, known as AGI

    OpenAI was building a reputation in the artificial intelligence field but wasn’t a household name when Mira Murati joined the nonprofit research lab in 2018.

    Soon after, the San Francisco lab started a major transformation. It turned itself into a business that’s attracted worldwide attention as the maker of ChatGPT.

    Now its chief technology officer, Murati leads OpenAI’s research, product and safety teams. She’s led the development and launch of its AI models including ChatGPT, the image-generator DALL-E and the newest, GPT-4.

    Reply
  24. Tomi Engdahl says:

    CISA Asks for Public Opinion on Secure Software Attestation
    https://www.securityweek.com/cisa-asks-for-public-opinion-on-secure-software-attestation/

    CISA has opened proposed guidance for secure software development to public review and comment.

    The US Cybersecurity and Infrastructure Security Agency (CISA) has announced that proposed guidance for secure software development is now open to public review and opinion.

    For a 60-day period, the public can provide feedback on the draft self-attestation form for secure software development, which requires the providers of software for the government to confirm that specific security practices have been implemented.

    The self-attestation form has been drafted in line with the requirements of Memorandum M-22-18 (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) that the Office of Management and Budget (OMB) released in September 2022.

    “This self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before their software subject to the requirements of M-22-18 may be used by Federal agencies,” reads CISA’s Secure Software Development Attestation Common Form.

    Per M-22-18’s requirements, federal agencies may use specific software only if the developer has attested compliance with government-issued guidance on software supply chain security.

    The self-attestation requirement applies to software produced after September 14, 2022, to software-as-a-service products and other software receiving continuous code changes, and to existing software when major version changes occur.

    Department of Homeland Security
    Cybersecurity and Infrastructure Security Agency (CISA)
    Secure Software Development Attestation Form Instructions
    https://www.securityweek.com/cisa-asks-for-public-opinion-on-secure-software-attestation/

    What is the Purpose of Filling out this Form?
    The Federal Information Security Modernization Act of 2014 (FISMA) requires each Federal
    agency to provide security protections for both “information collected or maintained by or on
    behalf of an agency” and for “information systems used or operated by an agency or by a
    contractor of an agency or other organization on behalf of an agency.” FISMA and other
    provisions of Federal law authorize the Director of the Office of Management and Budget
    (OMB) to promulgate information security standards for information security systems, including
    to ensure compliance with standards promulgated by the National Institute of Standards and
    Technology (NIST)

    This self-attestation form identifies the minimum secure software development requirements a
    software producer must meet, and attest to meeting, before their software subject to the
    requirements of M-22-18 may be used by Federal agencies. This form is used by software
    producers to attest that the software they produce was developed in conformity with specified
    secure software development practices.
    The following software requires self-attestation:
    1. Software developed after September 14, 2022;
    2. Existing software that is modified by major version changes (e.g., using a semantic
    versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to
    3.0) after September 14, 2022; and
    3. Software to which the producer delivers continuous changes to the software code (such
    as software-as-a-service products or other products using continuous delivery/continuous
    deployment).
    Software products and components in the following categories are not in scope for M-22-18 and
    do not require a self-attestation:
    1. Software developed by Federal agencies; and
    2. Software that is freely obtained (e.g. freeware, open source) directly by a federal agency.

    Software Supply Chain Security Guidance Under Executive Order (EO) 14028
    Section 4e
    February 4, 2022
    https://www.nist.gov/system/files/documents/2022/02/04/software-supply-chain-security-guidance-under-EO-14028-section-4e.pdf

    Reply
  25. Tomi Engdahl says:

    Reigning in ‘Out-of-Control’ Devices
    https://www.securityweek.com/reigning-in-out-of-control-devices/

    Out-of-control devices run the gamut from known to unknown and benign to malicious, and where you draw the line is unique to your organization.

    Devices connected to network

    Endpoint detection and response (EDR) has demonstrated clear value in protecting endpoints, and in many ways provides unique visibility into local processes. However, customers and prospects tell us their percentage of EDR coverage on endpoints is in the range of 60-70%. In other words, 40-30% of devices are out of their control.

    Out-of-control devices fall into a few different categories:

    Traditional. This includes network gear like routers and switches that will never support agents and you know will always be out of control.
    Digital transformation driven. Next are the rapidly expanding number of devices and systems that are now attaching to network infrastructure, including Internet of Things (IoT) and operational technology (OT) devices like video surveillance systems, HVAC systems, and supervisory control and data acquisition (SCADA) systems. Any appliance that can’t support an agent for whatever reason can be hijacked and taken advantage of as an entryway to launch attacks.
    Rogue. Finally, there are devices people bring into your infrastructure without your knowledge. They may have added the device as a function of their job and simply forgot to add an EDR agent to it. Or perhaps they spun up a new service in the cloud but didn’t use the approved automation that adds all your infosec tools to it. However, sometimes a rogue device is plugged into the network for nefarious purposes – to conduct reconnaissance and serve as a jumping off point for a data breach or disruption.

    Not only are we blind to many devices currently connected to our networks and new devices being added every day, but also what these devices are doing. Many organizations have governance practices and policies that specify behavior. So, we often end up with a gap in visibility between what we think is happening and what is actually happening and, on top of that, a gap in capabilities to easily know if that behavior is okay or something potentially malicious that needs immediate attention.

    We live in a world rife with stories of malware existing within an organization’s infrastructure for months before it’s caught. Meanwhile data has been exfiltrated because the malicious activity happens in the shadows of the network where attackers can hide and do their work mostly undetected.

    So, the first step to reign in out-of-control devices is to gain visibility into what’s happening on the network. However, in today’s dispersed, ephemeral, encrypted, and diverse (DEED) environments, shadow areas are everywhere so it’s incredibly difficult to gain network visibility relying on conventional tools. Instead of finding one spot to monitor and do packet capture, there are dozens, if not hundreds, of spots. Deep packet capture (DPI) becomes extremely complex to manage and takes costs through the roof. That’s where metadata data comes in, allowing you to cast a light on shadow areas you can’t afford to ignore. Metadata in the form of flow data provides a passive and agentless approach to network traffic visibility across multi-cloud, on-premises, and hybrid environments, including every IP address, and every device.

    Devices connected to network

    Endpoint detection and response (EDR) has demonstrated clear value in protecting endpoints, and in many ways provides unique visibility into local processes. However, customers and prospects tell us their percentage of EDR coverage on endpoints is in the range of 60-70%. In other words, 40-30% of devices are out of their control.

    Out-of-control devices fall into a few different categories:

    Traditional. This includes network gear like routers and switches that will never support agents and you know will always be out of control.
    Digital transformation driven. Next are the rapidly expanding number of devices and systems that are now attaching to network infrastructure, including Internet of Things (IoT) and operational technology (OT) devices like video surveillance systems, HVAC systems, and supervisory control and data acquisition (SCADA) systems. Any appliance that can’t support an agent for whatever reason can be hijacked and taken advantage of as an entryway to launch attacks.
    Rogue. Finally, there are devices people bring into your infrastructure without your knowledge. They may have added the device as a function of their job and simply forgot to add an EDR agent to it. Or perhaps they spun up a new service in the cloud but didn’t use the approved automation that adds all your infosec tools to it. However, sometimes a rogue device is plugged into the network for nefarious purposes – to conduct reconnaissance and serve as a jumping off point for a data breach or disruption.

    Not only are we blind to many devices currently connected to our networks and new devices being added every day, but also what these devices are doing. Many organizations have governance practices and policies that specify behavior. So, we often end up with a gap in visibility between what we think is happening and what is actually happening and, on top of that, a gap in capabilities to easily know if that behavior is okay or something potentially malicious that needs immediate attention.

    Cast a light on shadow areas

    We live in a world rife with stories of malware existing within an organization’s infrastructure for months before it’s caught. Meanwhile data has been exfiltrated because the malicious activity happens in the shadows of the network where attackers can hide and do their work mostly undetected.

    So, the first step to reign in out-of-control devices is to gain visibility into what’s happening on the network. However, in today’s dispersed, ephemeral, encrypted, and diverse (DEED) environments, shadow areas are everywhere so it’s incredibly difficult to gain network visibility relying on conventional tools. Instead of finding one spot to monitor and do packet capture, there are dozens, if not hundreds, of spots. Deep packet capture (DPI) becomes extremely complex to manage and takes costs through the roof. That’s where metadata data comes in, allowing you to cast a light on shadow areas you can’t afford to ignore. Metadata in the form of flow data provides a passive and agentless approach to network traffic visibility across multi-cloud, on-premises, and hybrid environments, including every IP address, and every device.

    Context comes next
    Advertisement. Scroll to continue reading.

    We also need capabilities to meld visibility with context for governance, because even when you can see what is happening on the network, you still need context to understand what that traffic means.

    However, when you can enrich flow data with information from other sources, such as your EDR system, configuration management database (CMDB), and cloud security posture management (CSPM), you gain additional meaning that doesn’t necessarily exist inherently in network traffic data. You can understand the who and the what. If it turns out that it’s your pen test platform scanning as it should be, then there’s no need to worry. But if it turns out to be a sales rep’s Mac OS laptop that’s supposed to have policies in place that limit user access to specific parts of the network and applications, you may have a problem and need to investigate further.

    Operational governance: the end game

    Ultimately, reigning in out-of-control devices is about operational governance. So, the final piece is to build detections around governance policies to identify anomalous behavior and alert on it. In effect, bridging the gap between the visibility piece and the investigation piece.

    Out-of-control devices run the gamut from known to unknown and benign to malicious, and where you draw the line is unique to your organization. What’s considered out of control for a large manufacturer with an OT platform that handles all the automation for devices on the plant floor, is very different from how that’s defined in a financial services firm and likely necessitates different controls. Even within a single company, the definition of out-of-control varies whether you’re referring to the OT network or the IT network where laptops, servers, and printers reside. And even at a device level, what’s out of control in the cloud versus the data center is different. Fortunately, metadata enriched with context and overlaid with governance policies provides the flexibility needed to define and detect what is truly out of control and reign it in.

    Reply
  26. Tomi Engdahl says:

    Fake accounts on LinkedIn: time for a purge https://www.kaspersky.com/blog/purge-your-company-linkedin-page/48050/
    Among social networks, LinkedIn holds a rather unique position. The platform is designed for communication among professionals, which automatically implies contact with new people, almost complete transparency of user information, as well as a fairly high degree of trust in total strangers. The downside of this is the relative ease of creating plausible fake profiles. For instance, in the fall of 2022, security expert Brian Krebs uncovered a whole bunch of fake LinkedIn accounts purporting to belong to the Chief Information Security Officers of various major international companies. Plus several thousand fake accounts listing a real business as employer

    Reply
  27. Tomi Engdahl says:

    How to protect your small business from social engineering https://www.malwarebytes.com/blog/news/2023/05/how-to-protect-your-staff-and-business-from-social-engineering
    When Alvin Staffin received an email from his boss, he didn’t question it. In the email, Gary Bragg, then-president of Pennsylvania law firm O’Neill, Bragg & Staffin, asked Staffin to wire $580,000 to a Bank of China account. Staffin, who was VP and in charge of banking, sent the money through as asked. An hour later, he realized the request was fraudulenthe hadn’t been contacted by Bragg at all. Securing a small business from social engineering attacks is an ongoing effort that requires constant vigilance. Because social engineering relies on a criminal’s powers of persuasion, your staff’s vigilance is your first line of defence. Security software forms a vital second line, protecting your business from some social engineers’ tools, such as phishing sites, and from social engineering attacks designed to deliver malware

    Reply
  28. Tomi Engdahl says:

    Google will remove secure website indicators in Chrome 117 https://www.bleepingcomputer.com/news/google/google-will-remove-secure-website-indicators-in-chrome-117/
    Google announced today that the lock icon, long thought to be a sign of website security and trustworthiness, will soon be changed with a new icon that doesnt imply that a site is secure or should be trusted.
    While first introduced to show that a website was using HTTPS encryption to encrypt connections, the lock symbol is no longer needed given that more than 99% of all web pages are now loaded in Google Chrome over HTTPS. These also include websites used as landing pages in phishing attacks or other malicious purposes, designed to take advantage of the lock icon to trick the targets into thinking they’re safe from attacks

    Reply
  29. Tomi Engdahl says:

    So long passwords, thanks for all the phish https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html
    Starting today, you can create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in. Passkeys are a more convenient and safer alternative to passwords. They work on all major platforms and browsers, and allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN. Using passwords puts a lot of responsibility on users.
    Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesnt fully protect against phishing attacks and targeted attacks like “SIM swaps” for SMS verification. Passkeys help address all these issues

    Reply
  30. Tomi Engdahl says:

    Passkeys are the new standard to authenticate on the web https://www.passkeys.com/ Passkeys are a new way to sign in without passwords. With Touch ID and Face ID, passkeys are more secure and easier to use than passwords and any current two-factor authentication methods. Passkeys provide users a passwordless sign-in experience that is both more convenient and more secure. In a sense, Passkeys are similar to MFA, it’s a combination of something you have and something you are (your Face ID or Fingerprint). Different from passwords, Passkeys are resistant to phishing, are always strong, and they are not shared or stored on different databases. When a user sets up a passkey, a key is generated and synchronized to the cloud. When the user connects from another device in the same ecosystem, it will use the same key. Each time a passkey is being authenticated, a unique signature is generated, which expires within minutes

    Reply
  31. Tomi Engdahl says:

    NCSC-UK – CyberFlix: an interactive video – and related downloads – to help secondary school kids stay safe online https://www.ncsc.gov.uk/blog-post/cyberflix-interactive-video-and-downloads-help-secondary-school-kids-stay-safe-online
    A new initiative, aimed at 11-14 year olds, that helps them navigate the risks of online life. The NCSC is delighted to present CyberFlix, a new, interactive video learning resource for pre-teens and young teenagers, designed to raise awareness of the risks which come with using the web

    Reply
  32. Tomi Engdahl says:

    Raspberry Robin: A global USB malware campaign providing access to ransomware operators https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
    Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail. The main aim of this blog is to share with readers the summarized details, my thoughts and findings, and what it has been like tracking Raspberry Robin since it first emerged and continues to spread. It’s a fascinating campaign that has taught me a lot about emerging and advanced cybercriminal operations work. Additional IOCs and detection opportunities are available at the end of this blog

    Reply
  33. Tomi Engdahl says:

    Apple and Google Join Forces to Stop Unauthorized Location-Tracking Devices https://thehackernews.com/2023/05/apple-and-google-join-forces-to-stop.html
    Apple and Google have teamed up to work on a draft industry-wide specification that’s designed to tackle safety risks and alert users when they are being tracked without their knowledge or permission using devices like AirTags

    Reply
  34. Tomi Engdahl says:

    Fake Websites Impersonating Association To ChatGPT Poses High Risk, Warns Check Point Research https://blog.checkpoint.com/research/fake-websites-impersonating-association-to-chatgpt-poses-high-risk-warns-check-point-research/
    In December 2022, Check Point Research (CPR) started raising concerns about ChatGPTs implications for cybersecurity. In our previous report, CPR put a spotlight on an increase in the trade of stolen ChatGPT Premium accounts, which enable cyber criminals to get around OpenAIs geofencing restrictions to secure unlimited access to ChatGPT. In this blog, we are reporting that Check Point Research have recently noticed a surge in cyberattacks leveraging websites associated with the ChatGPT brand. These attacks involve the distribution of malware and phishing attempts through websites that appear to be related to ChatGPT. We have identified numerous campaigns that mimic the ChatGPT website with the intention of luring users into downloading malicious files or disclosing sensitive information. The frequency of these attack attempts has been steadily increasing over the past few months, with tens of thousands of attempts to access these malicious ChatGPT websites

    Reply
  35. Tomi Engdahl says:

    Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack
    https://www.securityweek.com/court-rules-in-favor-of-merck-in-1-4-billion-insurance-claim-over-notpetya-cyberattack/

    Court says insurers must pay Merck for losses related to the Russia-linked NotPetya cyberattack.

    The Superior Court of New Jersey Appellate Division has ruled in favor of Merck in its $1.4 billion claim against the insurance industry for denying payment for damages caused by the 2017 NotPetya cyberattack. Merck did not have separate cyber insurance, and instead relied on the ‘all risks’ element of its property insurance.

    According to Merck, within ninety seconds of the initial NotPetya infection, roughly 10,000 machines in its global network were infected by the malware, and over 40,000 machines were ultimately infected across the company globally.

    The insurers claimed that the property insurance was subject to a war exclusion clause, and the “exclusion is clear and unambiguous, and it plainly applies to the NotPetya attack.”

    Judges Currier, Mayer and Enright have now disagreed, and declared, “We have addressed the exclusion in terms of the presented circumstances before us. And we have found the Insurers have not satisfied their burden to show it could be fairly applied to the NotPetya cyberattack. That is the scope of our review. Therefore, we decline the Insurers’ request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.”

    This is an interesting position. While declining to accept the nation-state NotPetya attack as an act of war, they have also declined to define what type of cyberattack could be defined as an act of war.

    But as far as this case is concerned, that is academic. The court concluded, “terms similar to ‘hostile or warlike action’ by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective. Therefore, in addition to the plain language interpretation of the exclusion requiring the inapplicability of the exclusion, the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts all compel the conclusion that the exclusion was inapplicable to bar coverage for Merck’s losses.”

    “In many ways, this decision boils down to the Court’s thoughtful application of fundamental principles of insurance law: exclusionary provisions must be construed narrowly against the insurer, any ambiguities must be resolved in the insured’s favor and consistent with the insured’s reasonable expectations. On that score, the Court correctly determined that the plain language of the policies’ hostile/warlike action exclusion simply cannot reasonably be interpreted as encompassing a cyberattack on a non-military company providing commercial services to non-military customers.”

    Cyber is, however, considered to be a modern theater of war – and cyber changes faster than any other modern arena. Discussion will likely continue over the validity of applying historical definitions to the new world.

    Nevertheless, continued Cummings, “The mere presence of hostile or warlike action is not enough where, as here, the underlying activity is commercial in nature, and the damage is not caused by a warlike attack directed at the policyholder. In sum, the Court’s decision was a meaningful affirmation that plain language and the core, policyholder-friendly tenets of insurance law must ultimately prevail.”

    This may or may not be the end of the Merck case, but it is probably just the beginning of future arguments about what can or cannot be construed as a cyber act of war. A $1.4 billion payout is no small matter for the insurance industry and is bound to have future ramifications on the cyber – and property – insurance industry.

    Reply
  36. Tomi Engdahl says:

    Apple, Google Propose Standard to Combat Misuse of Location-Tracking Devices
    https://www.securityweek.com/apple-google-propose-standard-to-combat-misuse-of-location-tracking-devices/

    Apple and Google propose new industry specification for Bluetooth location-tracking devices, to prevent unwanted tracking.

    Apple and Google this week submitted a draft industry specification aimed at preventing unwanted location tracking.

    The initiative targets accessories with built-in location-tracking capabilities that use Bluetooth Low Energy (LE) as the transport protocol and which are small enough to be difficult to discover – such as Apple’s AirTag product.

    The document proposes a set of best practices and protocols that manufacturers of such accessories should follow to ensure that their devices are compatible with unwanted tracking detection and alerts on mobile devices.

    The initiative, the tech giants say, is meant to protect the privacy of individuals from unwanted tracking for nefarious purposes, including harassment and theft.

    “Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals,” the draft document reads.

    Additionally, the initiative proposes that individuals are alerted when a location tracker that has been separated from the owner’s device is traveling with them and that they are provided with means to identify and disable the tracker.

    Detecting Unwanted Location Trackers
    draft-detecting-unwanted-location-trackers-00
    https://datatracker.ietf.org/doc/draft-detecting-unwanted-location-trackers/

    Reply
  37. Tomi Engdahl says:

    Passkeys Support Added to Google Accounts for Passwordless Sign-Ins
    https://www.securityweek.com/passkeys-support-added-to-google-accounts-for-passwordless-sign-ins/

    Google has added passkeys support to Google accounts on all major platforms as part of the company’s passwordless sign-in efforts.

    Google announced on Wednesday that users can now sign into their Google account using passkeys. The move is part of the company’s efforts towards passwordless authentication.

    Unlike passwords, which can be compromised in phishing attacks, passkeys cannot be written down or stolen by threat actors. Passkeys are also more convenient because they make the login process easier, including by skipping the two-factor authentication (2FA) step.

    Passkeys are stored on the user’s device and presented to Google to verify the user’s identity when they log in. Instead of entering a password, users are required to simply unlock their phone or computer using an authentication method such as a local PIN, fingerprint, or face recognition.

    A passkey is a cryptographic private key whose corresponding public key is in Google’s possession. The passkey is unlocked locally and biometric data is not shared with Google or anyone else.

    Google provides a simple explanation for how passkeys work:
    https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html

    “When you sign in we ask your device to sign a unique challenge with the private key. Your device only does so if you approve this by unlocking the device. We then verify the signature with your public key.

    Your device also ensures the signature can only be shared with Google websites and apps, and not with malicious phishing intermediaries. This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.”

    Reply
  38. Tomi Engdahl says:

    Open Banking: A Perfect Storm for Security and Privacy?
    https://www.securityweek.com/open-banking-a-perfect-storm-for-security-and-privacy/

    Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security expertise or resources, are rushing new products to market.

    Open banking was born in the EU, flourished in the UK, and is now spreading around the globe – including the US. Since this is fintech it is, and will continue to be, highly targeted by criminal actors.

    There are two fundamental government approaches to this market: regulation or market forces. Europe has a penchant for regulation while the US tends to let the market shape its own areas.

    Europe started the ball rolling with the PSD2 (Payment Services Directive) legislation of 2018. It was originally aimed at securing payment services, but activated a new breed of innovative financial service apps.

    Since it is a directive rather than regulation (such as GDPR), individual member states could implement the directions in their own manner. The UK, as a major financial hub, and bolstered by Brexit (which also slackened the shackles of GDPR), took advantage of its freedom and developed the PSD2 principles into its own Open Banking System. This included a requirement for the nine largest UK banks to develop a common API standard which helped open banking to rapidly flourish.

    The advantages of a flourishing open banking ecosphere are similar for most nations. This was summarized in a December 2022 statement by the UK’s financial conduct authority (FCA): “Fully realized, open banking and then open finance can bring further benefits to consumers and businesses and will help the UK become more competitive and innovative.”

    Open banking comprises payment systems for larger organizations, and the burgeoning number of purpose-specific apps for consumers and smaller businesses. It is part of the fintech sector – but for most people, the concept of open banking is limited to the purpose-specific app market.

    Open banking in the US

    Open banking is an emerging market sector in the US. While it is less advanced than in the UK and EU, it would be wrong to think it is a new idea.

    There is no specific guidance or government initiative on open banking in the US. There is no requirement for banks to develop a standard API. There are no tailored open banking regulations, although open banking operators will be required to abide by various federal and state-level security and privacy requirements.

    But there is a strong entrepreneurial attitude and a business opportunity – hindered by non-standard APIs and the practical difficulty of writing individual APIs for all the important banks.

    The practical problems led to the early use of screen scraping by open banking apps. This is far from perfect. It requires the customer to provide credentials, but without the bank knowing who or what is using those credentials. And it can gather more data than is strictly required for its purpose.

    The banks are developing APIs, but screen scraping lingers. Capgemini explained the differences between screen scraping and API-based open banking in March 2022:

    “Screen scraping is a technology by which a customer provides its banking app login credentials to a TPP [third party provider]. The TPP then sends a software robot to the bank’s app or website to log-in on behalf of the customer and retrieve data and/or initiate a payment. Banks have less control over the data retrieved, which may go beyond account data regulated under PSD2 and may include any customer data available. With an API, banks have greater control to share only the necessary data for the TTP’s service and customers do not need to share any credentials with TPPs.”

    There is little doubt the API based approach to open banking will prevail in the US as it does in the UK and EU. This will be more secure than scraping but will still have its security issues.

    Reply
  39. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Google plans to change Chrome’s URL bar lock icon, introduced to signify HTTPS, to a “variant of the tune icon”, because “nearly all phishing sites use HTTPS” — Google announced today that the lock icon, long thought to be a sign of website security and trustworthiness …

    Google will remove secure website indicators in Chrome 117
    https://www.bleepingcomputer.com/news/google/google-will-remove-secure-website-indicators-in-chrome-117/

    Google announced today that the lock icon, long thought to be a sign of website security and trustworthiness, will soon be changed with a new icon that doesn’t imply that a site is secure or should be trusted.

    While first introduced to show that a website was using HTTPS encryption to encrypt connections, the lock symbol is no longer needed given that more than 99% of all web pages are now loaded in Google Chrome over HTTPS.

    These also include websites used as landing pages in phishing attacks or other malicious purposes, designed to take advantage of the lock icon to trick the targets into thinking they’re safe from attacks.

    Reply
  40. Tomi Engdahl says:

    Bryce Baschuk / Bloomberg:
    Microsoft Chief Economist Michael Schwarz says AI will be used by “bad actors”, but lawmakers should wait until the tech causes “real harm” before regulating AI

    Microsoft Economist Warns Bad Actors Will Use AI to Cause Damage
    https://www.bloomberg.com/news/articles/2023-05-03/ai-will-cause-real-damage-microsoft-chief-economist-warns?leadSource=uverify%20wall

    Danger of election interference cited by Michael Schwarz
    He sees ‘clearly’ a need to regulate Artificial Intelligence

    Artificial intelligence will be dangerous in the hands of unscrupulous people, according to Microsoft Corp. Chief Economist Michael Schwarz.

    “I am confident AI will be used by bad actors, and yes it will cause real damage,” Schwarz said during a World Economic Forum panel in Geneva on Wednesday. “It can do a lot damage in the hands of spammers with elections and so on.”

    Reply
  41. Tomi Engdahl says:

    Joka toinen yritys on joutunut ransomware-uhriksi
    https://etn.fi/index.php/13-news/14928-joka-toinen-yritys-on-joutunut-ransomware-uhriksi

    Tietoturvayritys Fortinet on julkaissut uuden Global Ransomware Research Report -selvityksensä. Kiristysohjelmahyökkäysten uhka on edelleen koholla maailmanlaajuisesti. Peräti puolet kyselyyn

    vastanneista organisaatioista oli kärsinyt hyökkäyksistä kuluneen vuoden aikana.

    Raportti osoittaa, että valmiustaso, jonka käytössä olevien strategioiden koetaan antavan, ja kyky todella estää kiristysohjelmahyökkäykset ovat kaksi eri asiaa. Vaikka 78 prosenttia organisaatioista kertoi valmistautuneensa lieventämään hyökkäyksiä vähintään erittäin hyvin, kysely osoittaa, että 50 prosenttia organisaatioista oli joutunut kiristysohjelmahyökkäyksen uhriksi kuluneen vuoden aikana. Lähes puolet organisaatioista oli joutunut hyökkäyksen uhriksi useammin kuin kerran.

    Kiristysohjelmien torjumisen viidestä suurimmasta haasteesta neljä liittyy ihmisiin ja prosesseihin. Toiseksi suurimpana haasteena organisaatiot pitävät epäselvyyttä siitä, miten tietoturva taataan tilanteessa, jossa käyttäjien tiedoissa ja koulutuksessa on puutteita.

    Kysely osoittaa lähes kolmen neljästä vastaajasta maksaneen jonkinlaista lunnaita. Lunnaita maksetaan, vaikka selvä enemmistö (72 prosenttia) havaitsee häiriön parin tunnin kuluessa ja joskus jopa muutamassa minuutissa.

    Reply
  42. Tomi Engdahl says:

    Thermal Camera Plus Machine Learning Reads Passwords Off Keyboard Keys
    https://hackaday.com/2023/05/04/thermal-camera-plus-machine-learning-reads-passwords-off-keyboard-keys/

    An age-old vulnerability of physical keypads is visibly worn keys. For example, a number pad with digits clearly worn from repeated use provides an attacker with a clear starting point. The same concept can be applied to keyboards by using a thermal camera with the help of machine learning, but it also turns out that some types of keys and typing styles are harder to read than others.

    Thermal Cameras and Machine Learning Combine to Snoop Out Passwords
    By Mark Tyson
    https://www.tomshardware.com/news/thermal-cameras-and-machine-learning-combine-to-snoop-out-passwords

    AI-driven ‘thermal attack’ analyzes touch-input heat signature after you have gone.

    Researchers at the University of Glasgow have published a paper that highlights their so-called ThermoSecure implementation for discovering passwords and PINs. The name ThermoSecure provides a clue to the underlying methodology, as the researchers are using a mix of thermal imaging technology and AI to reveal passwords from input devices like keyboards, touchpads, and even touch screens.

    ThermoSecure: Investigating the Effectiveness of AI-Driven Thermal Attacks on Commonly Used Computer Keyboards
    https://dl.acm.org/doi/10.1145/3563693

    Reply
  43. Tomi Engdahl says:

    Neljä viidestä yrityksestä uskoo, että sen verkkoon murtaudutaan tänä vuonna
    https://etn.fi/index.php/13-news/14921-neljae-viidestae-yrityksestae-uskoo-ettae-sen-verkkoon-murtaudutaan-taenae-vuonna

    Trend Micro kertoo, että kansainvälisten organisaatioiden kyberriskit ovat vähentyneet ja globaali CRI-uhkaindeksi on laskenut ensimmäistä kertaa kohonneet-tasosta pykälän alaspäin, kohtalaiseen. Samalla organisaatioita kuitenkin varoitetaan sisäpiiriläisten ja myyrien muodostamasta uhasta.

    Cyber Risk Index -raportti kertoo, että eurooppalaisten organisaatioiden valmius kyberuhkiin on kohentunut. Samalla uhat ovat kuitenkin vähentyneet muualla maailmassa, mutta eivät kuitenkaan Euroopassa.

    Useimmat organisaatiot ovat kuitenkin pessimistisiä tulevaisuudennäkymistään. Useimmat tutkimukseen osallistuneet arvioivat todennäköisyyden onnistuneen kyberhyökkäyksen uhriksi joutumisesta tulevan vuoden aikana jokseenkin tai erittäin todennäköiseksi. 70 prosenttia uskoo, että hyökkääjät pääsevät käsiksi heidän asiakastietoihinsa. 78 prosenttia uskoo, että he joutuvat onnistuneen verkkohyökkäyksen kohteeksi.

    Hybridityöskentelyn kasvaessa organisaatioiden on syytäkin olla huolissaan sekä varomattomien työntekijöiden, että etätyöntekijöiden tukemiseen vaadittavan infrastruktuurin aiheuttamista vaaroista

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*