Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP in the Chrome browser.

Malvertising: Cyber criminals impersonating brands using search engine advertisement services to defraud users will continue in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report finds the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully you at least have endpoint protection in place, for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
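
A quick way to find the missing security headers mentioned above is to audit the headers a site actually returns. The following Python is an added example, not code from the original post or from any of the cited reports: it checks a response's headers against a baseline set (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) and flags weak values such as a short HSTS max-age or a CSP that allows 'unsafe-inline'. The baseline, the weak-value rules and both sample responses are this example's own constructions.

```python
"""Audit HTTP response headers for missing or weak security settings.

Added example, not from the original post. The header baseline and the
weak-value rules are this example's own choices; both sample responses
are constructed, not captured from a real site.
"""

# Headers a hardened HTTPS site is expected to send, and the risk when absent.
EXPECTED_HEADERS = {
    "strict-transport-security": "downgrade to plain HTTP / TLS stripping",
    "content-security-policy": "injected scripts run unrestricted (XSS impact)",
    "x-content-type-options": "MIME sniffing of untrusted responses",
    "x-frame-options": "clickjacking via framing",
    "referrer-policy": "URL paths and tokens leaked to third parties",
}

ONE_YEAR = 365 * 24 * 3600


def _normalize(headers):
    """Lower-case header names: HTTP header names are case-insensitive."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def find_missing_headers(headers):
    """Return {header: risk} for every expected header absent from the response."""
    present = _normalize(headers)
    return {h: risk for h, risk in EXPECTED_HEADERS.items() if h not in present}


def _hsts_max_age(value):
    """Extract max-age from an HSTS header value; malformed values count as 0."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val)
            except ValueError:
                return 0
    return 0


def find_weak_values(headers):
    """Return {header: reason} for headers that are present but weakly configured."""
    present = _normalize(headers)
    findings = {}
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        max_age = _hsts_max_age(hsts)
        # A short max-age gives little protection once a cached entry expires;
        # browser preload lists also require at least one year.
        if max_age < ONE_YEAR:
            findings["strict-transport-security"] = f"max-age {max_age} is under one year"
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings["x-content-type-options"] = f"unexpected value {xcto!r}"
    csp = present.get("content-security-policy")
    if csp is not None and "'unsafe-inline'" in csp:
        findings["content-security-policy"] = "policy allows 'unsafe-inline'"
    return findings


def audit(headers):
    """Run both checks and return one report dict."""
    return {"missing": find_missing_headers(headers), "weak": find_weak_values(headers)}


# Constructed sample responses (header dicts as an HTTP client would return them).
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "example-server",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit(response)
        print(f"{label}: missing={sorted(report['missing'])} weak={report['weak']}")
```

Feed it the header dict returned by whatever HTTP client you use; the point of normalising names is that servers send them in mixed case, so a check keyed on `Strict-Transport-Security` alone would miss `strict-transport-security`.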

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023, because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. Many companies do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also being developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, poor maintenance of employees’ skills and indifference are the biggest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: At a hyperscale cloud provider there can be several thousand people, working around the globe, who could potentially access your data. Security screening and access limits alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
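
Because an MFA fatigue attack shows up in the identity provider's logs as a burst of rejected or ignored push prompts for one user, it is detectable before the user gives in. The following Python is an added example, not code from the original post or from any identity provider: it parses constructed log lines in an assumed `user=... event=mfa_push result=...` format and flags users who received three or more unsolicited prompts inside ten minutes, noting separately whether an approval followed the burst. The field names, the threshold and the window are assumptions to tune against a real log export.

```python
"""Detect MFA push bombing ("MFA fatigue") in authentication logs.

Added example, not from the original post or any identity provider.
The log format, field names, threshold and window are assumptions;
the sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one line per MFA push prompt sent to a user's device.
SAMPLE_LOG = """\
2023-01-10T08:00:05Z user=alice event=mfa_push result=approved src=198.51.100.10
2023-01-10T22:14:01Z user=bob event=mfa_push result=denied src=203.0.113.7
2023-01-10T22:14:31Z user=bob event=mfa_push result=denied src=203.0.113.7
2023-01-10T22:15:02Z user=bob event=mfa_push result=timeout src=203.0.113.7
2023-01-10T22:15:40Z user=bob event=mfa_push result=denied src=203.0.113.7
2023-01-10T22:16:09Z user=bob event=mfa_push result=timeout src=203.0.113.7
2023-01-10T22:16:55Z user=bob event=mfa_push result=approved src=203.0.113.7
2023-01-10T09:30:00Z user=carol event=mfa_push result=denied src=198.51.100.22
2023-01-10T14:05:00Z user=carol event=mfa_push result=approved src=198.51.100.22
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse lines into (timestamp, user, result, src), sorted by time; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return sorted(events)


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold denied/timed-out pushes inside one window.

    Returns {user: {"unsolicited": n, "accepted_after": bool}}. "unsolicited"
    is the largest burst seen; "accepted_after" is True when an approval
    arrived while the burst was still inside the window, i.e. the user may
    have given in and the account should be treated as compromised.
    """
    recent = defaultdict(deque)  # user -> timestamps of denied/timeout prompts
    alerts = {}
    for ts, user, result, _src in events:
        pending = recent[user]
        while pending and ts - pending[0] > window:
            pending.popleft()  # slide the window forward
        if result in ("denied", "timeout"):
            pending.append(ts)
            if len(pending) >= threshold:
                entry = alerts.setdefault(user, {"unsolicited": 0, "accepted_after": False})
                entry["unsolicited"] = max(entry["unsolicited"], len(pending))
        elif result == "approved" and user in alerts and pending:
            alerts[user]["accepted_after"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(parse_events(SAMPLE_LOG)).items():
        status = "ACCEPTED - treat as compromised" if info["accepted_after"] else "resisted"
        print(f"{user}: {info['unsolicited']} unsolicited prompts, {status}")
```

A burst followed by an approval is the case to handle as a probable compromise: the attacker already held the password in order to trigger prompts at all, so the response is a password reset and session revocation, not just a review of the MFA device. Number matching in the authenticator app removes the one-tap accept that makes the attack work in the first place; carol's single denied prompt hours before a normal approval stays below the threshold and is not flagged.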

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it ever leaks out. The reason is that a comma in a password can break up tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
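
To see exactly how the comma trick works, and where it stops working, the following Python is an added example, not code from the original post or the cited article: it parses a constructed credential dump (placeholder passwords, no real data) first with the naive `split(',')` that throwaway dump-processing scripts use, then with the standard csv module plus rejoining of spilled columns. The comma breaks the first parser and not the second, which is the caveat the paragraph implies but does not spell out: the trick only slows down careless tooling, so length remains the real defence.

```python
"""How a comma in a password trips up naive credential-dump parsing,
and where that stops helping.

Added example, not from the original post or the cited article. The
dump below is constructed; every password in it is a placeholder.
"""
import csv
import io

# Constructed "email,password" dump in the layout stolen credentials often circulate in.
LEAKED_DUMP = """\
alice@example.com,correct horse battery staple
bob@example.com,let,me,in,2023
carol@example.com,"quoted,comma,pass"
"""


def parse_naive(text):
    """The quick split-on-comma most throwaway dump scripts use.

    A comma inside the password shifts the columns, so the returned
    password for such rows is truncated or garbled.
    """
    pairs = []
    for line in text.splitlines():
        fields = line.split(",")
        pairs.append((fields[0], fields[1]))
    return pairs


def parse_csv(text):
    """A standards-aware parser: csv module plus rejoining of spilled columns.

    Quoted fields survive intact, and an unquoted password containing
    commas is recovered by joining everything after the first column.
    """
    pairs = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        pairs.append((row[0], ",".join(row[1:])))
    return pairs


def comma_trick_helps(password):
    """True if the password would confuse a naive comma split."""
    return "," in password


def password_feedback(password, min_length=16):
    """Defender-side feedback: length is the property that actually holds up."""
    notes = []
    if len(password) < min_length:
        notes.append(f"shorter than {min_length} characters")
    if comma_trick_helps(password):
        notes.append("comma present: breaks naive CSV tooling only")
    return notes or ["ok"]


if __name__ == "__main__":
    print("naive :", parse_naive(LEAKED_DUMP))
    print("csv   :", parse_csv(LEAKED_DUMP))
    for pw in ("let,me,in,2023", "correct horse battery staple"):
        print(repr(pw), "->", password_feedback(pw))
```

The 16-character minimum in `password_feedback` is the example's own illustrative choice, not a figure from the article.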

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors will fall under the legislation. The NIS Directive has impacted the cybersecurity budgets of operators over the past year, with deep-dives into the Energy and Health sectors. See Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is a near-optimal security practice in 2023. It is good for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The Zero Trust Shouldnt Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023, and it will cost a lot of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: The AWS Elastic IP Transfer feature gives cyberattackers free range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
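
Secret scanning of the kind described above works by matching known token shapes and, for generic assignments, measuring how random the value looks. The following Python is an added example, not GitHub's implementation: it scans a constructed source snippet (all planted secrets are placeholders; the AWS key is the example key from AWS's own documentation) with simplified regexes for AWS access key IDs, GitHub personal access tokens and PEM private key headers, plus a Shannon-entropy filter for any quoted literal assigned to a password/secret/token-like name. The patterns and the 3.5-bit threshold are the example's own choices.

```python
"""Minimal secret scanner: token-shape patterns plus an entropy filter.

Added example, not GitHub's secret scanning. The regexes are simplified
shapes of well-known token formats, the entropy threshold is this
example's own tuning choice, and every "secret" in the sample source is
a planted placeholder (the AWS key is AWS's documentation example key).
"""
import math
import re

# Constructed source snippet with planted placeholder secrets.
SAMPLE_SOURCE = """\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
github_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_key = "changeme"
private_key = '-----BEGIN RSA PRIVATE KEY-----'
SECRET = "Zq9!xK2#vL8@pW4m"
log_level = "debug"
"""

# Specific rules: (name, regex) for token formats with a recognizable shape.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Generic rule: a quoted literal of 8+ chars assigned to a sensitive-looking name.
GENERIC_RE = re.compile(
    r"(?i)(password|passwd|secret|token|api_?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s):
    """Bits per character: random tokens score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return [(line_number, rule_name, matched_text)] for every finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        specific = [(lineno, name, m.group(0))
                    for name, rx in PATTERNS for m in rx.finditer(line)]
        if specific:
            findings.extend(specific)
            continue  # a specific rule already explains this line
        for m in GENERIC_RE.finditer(line):
            value = m.group(2)
            # Only report high-entropy values so "debug"-style settings stay quiet.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "generic_high_entropy", value))
    return findings


if __name__ == "__main__":
    for lineno, rule, text in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {text}")
```

The entropy filter is why `api_key = "changeme"` is not reported: low-entropy default secrets slip past it, which is exactly why specific token patterns (and, in a real pipeline, a wordlist of known defaults) have to run alongside the generic rule. Reading `DB_PASSWORD` from the environment produces no finding because there is no literal in the source to leak.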

Data destruction: We must develop a cloud-compatible way of doing data destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that needs to comply with it. The latest version of the standard brings a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now many new requirements focus on client-side security.

SHA-1: NIST retires the SHA-1 cryptographic algorithm: not fully in 2023, but the preparations for the phase-out start now. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is cloud native security good enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services, Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.

MFA: Two-factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud comes APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration, and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed many cryptocurrency-related risks being realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some insurance policies already written in the market have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

An expert advises using a comma in your password – there is clever logic behind it (Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka)

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Big gaps remain in companies’ cyber security – expert: it is even a question of national security (Yritysten kyberturvassa edelleen isoja aukkoja – Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta)

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 approved – stricter cyber security requirements for EU countries (NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset)

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals (Kyberturvan ammattilaisista on huutava pula)

Is Enterprise VPN on Life Support or Ripe for Reinvention?

1,768 Comments

  1. Tomi Engdahl says:

    Not-Too-Safe Boot: Remotely Bypassing Endpoint Security Solutions (AV/EDR/…) and Anti-Tampering Mechanisms https://zerodayzone.com/2023/05/12/not-too-safe-boot-remotely-bypassing-endpoint-security-solutions-av-edr-and-anti-tampering-mechanisms/

    In this article, we provide an in-depth analysis of the Not-Too-Safe Boot technique, which has been designed to bypass Endpoint Security Solutions like antivirus (AV), endpoint detection and response (EDR) and anti-tampering mechanisms remotely.

    This method builds on a local execution technique first published in 2007 and later utilized in a real-world scenario by ransomware in 2019.

    By leveraging native Windows functionalities, Not-Too-Safe Boot is a review of the original technique (that was used only locally) that enables attackers, with administrative privileges over the victim system, to remotely force it to boot in safe mode and carry out malicious activities.

  2. Tomi Engdahl says:

    The Dragon Who Sold His Camaro: Analyzing Custom Router Implant https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/

    Over the past few months, Check Point Research has closely monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.

    Our comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.

    The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware. This blog post will delve into the intricate details of analyzing the “Horse Shell” router implant. We will share our insights into the implant’s functionality and compare it to other router implants associated with Chinese state-sponsored groups.

    By examining this implant, we hope to shed light on the techniques and tactics utilized by the Camaro Dragon APT group and provide a better understanding of how threat actors utilize malicious firmware implants in network devices in their attacks.

  3. Tomi Engdahl says:

    VirusTotal AI code analysis expands Windows, Linux script support https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-expands-windows-linux-script-support/

    Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.

    While launched only with support for analyzing a subset of PowerShell files, Code Insight can now also spot malicious Batch (BAT), Command Prompt (CMD), Shell (SH), and VBScript (VBS) scripts.

    Besides the list of additions included in Google’s announcement, BleepingComputer was also able to discover that the company added support for AutoHotkey (AHK) and Python (PY) scripting languages.

  4. Tomi Engdahl says:

    Microsoft is scanning the inside of password-protected zip files for malware https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/

    Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday.

    Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form.

    Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

    While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint.

    On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password “infected.”

  5. Tomi Engdahl says:

    Not An Afterthought: Security By Design
    https://www.forbes.com/sites/emilsayegh/2023/05/16/not-an-afterthought-security-by-design/

    Recent incidents such as the ChatGPT software leak and the Activision Blizzard data breach highlight the urgent need for enhanced cybersecurity measures to be built in at every level of application and software development. Security must be built into the core of any product or technological advancement during the early stages of design.

    Unfortunately, many software companies still treat cybersecurity as an afterthought.
    They often focus on developing and releasing products and services quickly with security added along the way, or even worse after everything else has been completed.

    This approach can be disastrous, as demonstrated by countless cyberattacks capitalizing on substandard security measures. These attacks serve as a reminder of how crucial it is that security is built-in from the very beginning of the development process.

    Reply
  6. Tomi Engdahl says:

    You may not care where you download software from, but malware does https://www.welivesecurity.com/2023/05/16/you-may-not-care-where-download-software-malware-does/

    One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice.

    But even when such advice is widely shared, people still download files from distinctly nonreputable places and get compromised as a result. I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long.

    But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit’s forums (subreddits) that provide both general computing support as well as more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers.

    Attacks these days are usually financially motivated, but there are other unanticipated consequences as well. I should state this is not something unique to Reddit’s users.
    These types of questions also come up in online chats on various Discord servers where I volunteer my time as well.

    Reply
  7. Tomi Engdahl says:

    The Windows Registry
    http://windowsir.blogspot.com/2023/05/the-windows-registry.html

    When it comes to analyzing and understanding the Windows Registry, where do we go, as an industry, to get the information we need?

    Why does this even matter?

    Well, an understanding of the Registry can provide insight into the target (admin, malicious insider, cyber criminal, nation-state threat actor) by what they do, what they don’t do, and how they go about doing it.

    The Registry can be used to control a great deal of functionality and access on endpoints, going beyond just persistence. Various keys and values within the Registry can determine what we can see or not see, what we can do or not do,

    Reply
  8. Tomi Engdahl says:

    Ukraine, Ireland, Iceland and Japan officially join NATO’s cyber defense center https://therecord.media/nato-ccdcoe-ukraine-iceland-ireland-japan

    The flags of Ukraine, the Republic of Ireland, Iceland and Japan were hoisted in Tallinn, Estonia, on Tuesday as the four nations officially joined NATO’s Cooperative Cyber Defense Center of Excellence (CCDCOE).

    The CCDCOE was founded in 2008, a few years after Estonia joined NATO, in the wake of a wave of cyberattacks targeting the country when it relocated a Soviet war memorial from the center of the capital Tallinn to a military cemetery a few kilometers away.

    The digital attempts to hobble the country were groundbreaking. They showed what a nation could face as a result of cyber hostilities and prompted a major research effort into cyberwarfare at NATO, which resulted in the creation of the center of excellence as well as the Tallinn Manual, examining how international law applied to cyber conflict.

    Reply
  9. Tomi Engdahl says:

    The distinctive rattle of APT SideWinder https://www.group-ib.com/blog/hunting-sidewinder/

    In February 2023, Group-IB’s Threat Intelligence team released a technical report about previously unknown phishing attacks conducted by the APT group SideWinder: Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021. As always, Group-IB customers and partners were the first to get access to the report through the interface of Group-IB’s Threat Intelligence platform.

    One of them was Bridewell, a leading cyber security services company based in the UK and a long-standing MSSP partner of Group-IB in Europe. Our colleagues from Bridewell have been using Group-IB’s Threat Intelligence, Digital Risk Protection, and Attack Surface Management solutions to support the cybersecurity services they offer to their customers.

    Bridewell’s in-house threat intelligence experts read Group-IB’s report on SideWinder and came up with their own significant findings about SideWinder. The Bridewell team shared this information with our Threat Intelligence unit, which led to this joint blog post.

    By bringing together the research capabilities of both companies, we developed and described new hunting methods so that we could track one of the most prolific APT groups more efficiently.

    Reply
  10. Tomi Engdahl says:

    Minas – on the way to complexity
    https://securelist.com/minas-miner-on-the-way-to-complexity/109692/

    Sometimes when investigating an infection and focusing on a targeted attack, we come across something we were not expecting. The case described below is one such occurrence.

    In June 2022, we found a suspicious shellcode running in the memory of a system process.
    We decided to dig deeper and investigate how the shellcode was initially placed into the process and where on the infected system the threat was hidden.

    We named this malware Minas. From our reconstruction of the infection chain, we determined that it originated by running an encoded PowerShell script as a task, which we believe with low confidence was created through GPO.

    Reply
  11. Tomi Engdahl says:

    You’ve been kept in the dark (web): exposing Qilin’s RaaS program https://www.group-ib.com/blog/qilin-ransomware/
    In the wake of increasing ransomware attacks, do security leaders strongly believe that their organization is secure enough, especially when cyber threats are only growing in sophistication? Group-IB’s Hi-Tech Crime Trends 2022/2023 Report recently revealed that the impact of ransomware attacks will continue to grow in 2023 and beyond, with trends such as the Ransomware-as-a-Service market. Additionally, ransomware strains are proliferating quicker than the improvements in cyber defenses to detect and contain them, rendering organizations underprepared in facing what’s coming. In order to stay ahead, businesses need to stay informed about the most critical cybersecurity threats and threat actors that have recently surfaced and are going strong in the current year and beyond. In this blog, we aim to provide a detailed breakdown of the ransomware group Qilin (aka Agenda ransomware). This group, discovered in August 2022, has been targeting companies in critical sectors with ransomware written in the Rust

    Reply
  12. Tomi Engdahl says:

    New ZIP domains spark debate among cybersecurity experts https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/
    Cybersecurity researchers and IT admins have raised concerns over Google’s new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs. While the ZIP and MOV TLDs have been available since 2014, it wasn’t until this month that they became generally available, allowing anyone to purchase a domain, like bleepingcomputer.zip, for a website. However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications

    Reply
  13. Tomi Engdahl says:

    Building cyber skills and roles from CyBOK foundations https://www.ncsc.gov.uk/blog-post/building-cyber-skills-and-roles-from-cybok-foundations
    NCSC Deputy Director for Cyber Growth Chris Ensor explains how we have used the Cyber Security Body of Knowledge to build the early foundations for professional standards and what it is we are building. In the NCSC, we’ve always seen CyBOK as a key enabler in making sure the UK has a higher quality and more established, recognised and structured cyber security profession. Underpinned by Royal Charter, it is the role of the UK Cyber Security Council to establish professional standards and pathways for a cyber career that is built on CyBOK

    Reply
  14. Tomi Engdahl says:

    Linux security: What is sudo and why is it so important?
    https://www.zdnet.com/article/why-sudo-is-so-important-in-linux-and-how-to-use-it/
    Back in the early days of Linux, things were exponentially more complicated. The distributions were far less mature, but they also required the use of a particular system account to get certain things done. That account was root, and with it, you had unlimited power over your operating system. Back then, any command that required administrative privileges was run via the root user. In order to do that, you either had to change to the root user (with the su command) or log in as the root user. Both of these options were eventually considered a security issue. Why? If you logged in as the root user and walked away from your system, anyone could do anything they wanted to it. The same thing holds true with changing to the root user and leaving a terminal window open. Eventually, it was decided something had to give. Out of that need, sudo was born. Sudo stands for “superuser do” and effectively gives a regular user (one that belongs to the admin group) access to administrator-like powers

    Reply
  15. Tomi Engdahl says:

    It’s really OK to take a break sometimes, especially in security https://blog.talosintelligence.com/newsletter-may-18-2023/

    You probably already know this by now, but May is Mental Health Awareness Month across the globe.

    Many people will apply this time of reflection and education to their personal lives — it’s easy to discuss anxiety, depression and other mental health concerns when it comes to things like personal relationships, friendships, family and how you express yourself.

    I think not enough of us are applying the discussions we have every May to work, though.
    After all, many of us spend more than half our day working, and probably even more than that, thinking about work. And yes, it’s important to maintain healthy relationships around you and share your feelings with loved ones openly, but I would like us all to start being more honest about how work can affect our mental health.

    This is particularly a problem in the cybersecurity industry, where burnout is constantly a cloud hanging over the workforce. A study last year from email security company Mimecast found that 84 percent of cybersecurity professionals are experiencing some form of burnout and it’s impeding their motivation at work.

    Reply
  16. Tomi Engdahl says:

    Accessibility as a cyber security priority https://www.ncsc.gov.uk/blog-post/accessibility-as-a-cyber-security-priority

    3 years ago, Anna (not her real name) was diagnosed with a neurological autoimmune disease in which her body attacks substances that are naturally found in the body, causing pain and vision loss.

    Before her diagnosis, Anna worked in software technology and felt very confident and safe online. She now uses glasses, a magnifying glass and screen magnification where needed.

    Anna has no peripheral vision or depth perception. Face ID, or proving her identity by taking a photo of herself on her phone are impossible as she does not have the vision to line up her face with the camera.

    Reply
  17. Tomi Engdahl says:

    May a child’s phone be inspected? Telecom operator suggests these safety measures to parents https://www.is.fi/digitoday/mobiili/art-2000009559425.html

    Four out of five parents of children aged 5 to 12 consider it at least somewhat acceptable to check the contents of their child’s phone, even without the child’s permission. This is according to the latest edition of DNA’s annual Schoolchildren Survey (Koululaistutkimus).

    Under the constitution, a child too has the right to confidentiality of communications. Nevertheless, according to the survey, parents of children aged 5 to 12 want to know what their child posts on social media, which chat groups the child takes part in, and what kinds of conversations take place there.

    According to DNA, the underlying concern appears to be that the child is exposed to harmful sites or contacts, for example ones dealing with sex, violence or intoxicants. At the same time, however, respecting their child’s privacy online is becoming ever more important to parents.

    According to the operator, this contradiction in attitudes can be resolved by preventing exposure to harmful content in advance.

    Reply
  18. Tomi Engdahl says:

    Malicious emails aimed at Taiwan have spiked in 2023 https://therecord.media/malicious-emails-aimed-at-taiwan-spiked

    Government employees and a variety of companies in Taiwan have been the targets of a wave of malicious emails this year amid rising concerns about China’s plans for its island neighbor.

    Researchers at cybersecurity firm Trellix said they have observed a significant rise in extortion emails aimed at Taiwan government officials, with a 30-fold increase year-on-year in the number of malicious emails in January.

    Joseph Tal, senior vice president of Trellix Advanced Research Center, said in the report that over the past few years his team has noticed that geopolitical conflicts “are one of the main drivers for cyberattacks on a variety of industries and institutions.”

    In recent months, an already tense atmosphere around Taiwan has worsened, with senior Chinese officials increasingly making forceful statements about Taiwan’s future. Foreign Affairs Ministry Spokesman Wang Wenbin said last month that “Taiwan’s return to China… is an important part of the post-war international order.”

    Reply
  19. Tomi Engdahl says:

    Microsoft decides it will be the one to choose which secure login method you use https://www.theregister.com/2023/05/18/microsoft_azure_system_authentication/

    Microsoft wants to take the decision of which multi-factor authentication (MFA) method to use out of the users’ hands and into its own.

    The software maker this week is rolling out what it calls system-preferred authentication for MFA, which will present individuals signing in with the most secure method and then alternatives if that method is unavailable.

    Redmond first unveiled the feature in a disabled state in April and is now making it generally available to all commercial users through the Azure Portal or Graph APIs, with the decision whether to enable it for tenants now resting with administrators.

    That said, in July Microsoft will make system-preferred authentication a default feature in its Azure Entra portfolio for all user accounts, with more information coming out next month.

    Reply
  20. Tomi Engdahl says:

    Two Factor Authentication Apps: Mistakes To Malware
    https://hackaday.com/2023/05/17/two-factor-authentication-apps-mistakes-to-malware/

    Everyone in security will tell you that you need two-factor authentication (2FA), and we agree. End of article? Nope. The devil, as always with security, is in the details. Case in point: in the last few weeks, none less than Google messed up with their Google Authenticator app. The security community screamed out loud, and while it’s not over yet, it looks like Google is on the way to fixing the issue.

    Since 2FA has become a part of all of our lives – or at least it should – let’s take a quick dip into how it works, the many challenges of implementing 2FA correctly, what happened with Google Authenticator, and what options you’ve got to keep yourself safe online.

    You probably know or use Google Authenticator, Microsoft Authenticator, or an app like Authy. What all of these authenticator apps have in common is the generation of a time-dependent six-digit number, given a secret key. Perhaps you scanned that secret key into your phone in the form of a QR code? If any of the above sounds familiar, you’ve used a time-based one-time password (TOTP).

    Reply
  21. Tomi Engdahl says:

    Cloudflare Unveils New Secrets Management Solution
    https://www.securityweek.com/cloudflare-unveils-new-secrets-management-solution/

    Cloudflare introduces Secrets Store, a new solution to help developers and organizations securely store and manage secrets.

    Cloudflare on Thursday announced Secrets Store, a new solution designed to help developers and organizations securely store and manage secrets across the Cloudflare platform.

    Any variable that needs to be stored securely and accessed by authorized users only is considered a secret, including credentials, cryptographic keys, tokens, and more.

    Failure to store secrets securely when building an application can lead to a data breach or the application’s compromise, and ensuring good secret management becomes essential.

    The use of a secrets manager can streamline the development process, as it ensures the security of sensitive information and helps meet security best practices, while providing ease of use to allow developers to build efficiently.

    With sensitive data residing across machines, in the cloud, or on local infrastructure, the new Secrets Store aims to make it easier for its customers to manage these secrets across Cloudflare’s services.

    Currently in beta, the management solution will allow administrators to set specific rules on who can view, create, modify, or delete secrets, as well as to access audit logs for every secret-related event, to track the access and use of their sensitive information.

    https://www.cloudflare.com/lp/secrets-store/

    Reply
  22. Tomi Engdahl says:

    Industrial Secure Remote Access Is Essential, but Firms Concerned About Risks
    https://www.securityweek.com/industrial-secure-remote-access-is-essential-but-firms-concerned-about-risks/

    Secure remote access is essential for industrial organizations, but many are concerned about the associated risks, a new study shows.

    Secure remote access is essential for industrial organizations, but many employees who took part in a recent survey expressed concerns about the associated risks.

    Cyolo, a firm that provides zero trust identity-based access solutions for IT and OT systems, on Wednesday published a new report titled ‘The State of Industrial Secure Remote Access’.

    The report is based on a survey of more than 200 cybersecurity, IT and engineering professionals conducted by Takepoint Research in the first quarter of 2023. The respondents represented organizations of all sizes from North America, Europe and other regions around the world.

    The survey found that industrial secure remote access (I-SRA) is important for many organizations, particularly for allowing third party access (cited by 72% of respondents), increasing productivity (68%), collecting data (51%) and reducing costs (41%).

    The study showed some differences between industries. In the oil and gas industry, for instance, 83% of organizations need I-SRA for third party access and only 48% need it for data collection. In the manufacturing sector, however, remote access is needed for data collection in 72% of cases.

    “Such differences include each organization’s business context, as well as various industrial, regional, and company-specific factors. Factors that influence operations include regulations, labor availability/cost, and the utilization of operational data for productivity and safety enhancement,” Cyolo explained in its report.

    Reply
  23. Tomi Engdahl says:

    Cybercrime
    Triple Threat: Insecure Economy, Cybercrime Recruitment and Insider Threats
    https://www.securityweek.com/triple-threat-insecure-economy-cybercrime-recruitment-and-insider-threats/

    A wave of layoffs, coupled with increased recruitment efforts by cybercriminals, could create the perfect conditions for insider threats to flourish

    So far in 2023, layoffs have resulted in tens of thousands of tech workers losing their jobs. And that’s just in tech. Across sectors, employees are feeling the ramifications of economic uncertainty. Ransomware attacks are continuing and growing more sophisticated. And it’s not only the attacks that are growing more sophisticated; so are cybercrime recruitment efforts. All the while, the cybersecurity skills gap persists for most organizations.

    All of these factors have the potential to create a perfect storm in terms of insider risks. Here’s what you need to be doing to stay protected against them.

    Reply
  24. Tomi Engdahl says:

    https://www.securityweek.com/triple-threat-insecure-economy-cybercrime-recruitment-and-insider-threats/

    From a technological standpoint, organizations and their security leaders should:

    Use deception technology to quickly create a fake network that automatically deploys decoys and lures that are indistinguishable from the traffic and resources used in the real network. This is one of the most effective ways to address insider threats.
    Segment the network to confine activity to certain areas. A zero trust approach may be particularly useful for operations that require greater discretion.
    Encrypt data at all points: at rest, in use and in transit. Buy tools that can quickly and efficiently decrypt data.
    Use configuration management tools to examine and rapidly spot devices that are not configured correctly.
    Use solutions that can track user activity and behavior, including any infractions of policies, and use machine learning to spot anomalous behavior.
    Use file tracking tools and keep an eye on data access and file transfers.
    Enhance identity and access management (IAM), using multi-factor authentication (MFA), for example.

    Reply
  25. Tomi Engdahl says:

    Quantum Decryption Brought Closer by Topological Qubits
    https://www.securityweek.com/quantum-decryption-brought-closer-by-topological-qubits/

    Quantinuum claims the most powerful quantum computer currently available – through cloud-based access from Quantinuum, and available through Azure Quantum in June 2023.

    Quantinuum has demonstrated the controlled creation and manipulation of non-Abelian anyons – or, put more simply, brought the arrival of large-scale, error resistant quantum computers much closer.

    The processing power of quantum computers is derived from the ability of qubits (quantum bits) to offer multiple states, rather than the simple binary offering available in classical computers. The problem is that qubits are not stable and are highly subject to external disturbance from noise and heat. The most common solution to this problem is to use additional qubits to provide error correction to the operational qubits – but the result is that a general purpose operational quantum computer will require millions of qubits working together.

    There is an alternative approach. Rather than use additional fragile ‘traditional’ qubits for error correction, create more stable qubits that require less error correction. This is the purpose of the topological qubit.

    Reply
  26. Tomi Engdahl says:

    New SBOM Hub Helps All Stakeholders in Software Distribution Chain
    https://www.securityweek.com/new-sbom-hub-designed-to-help-all-stakeholders-in-software-distribution-chain/

    Lineaje introduces SBOM360 Hub, an exchange allowing software producers, sellers, and consumers to publish, share and use SBOMs and related compliance artifacts.

    Lineaje has launched SBOM360 Hub, a platform for software producers, sellers, and consumers to publish, share and use software bills of materials (SBOMs) and related compliance artifacts.

    The new hub, Lineaje says, should help software producers and sellers be compliant with Executive Order 14028, which takes effect in September 2023, and which requires them to deliver SBOMs and linked attestation artifacts to customers.

    SBOM360 Hub is a unified exchange that enables organizations to access and evaluate vendors’ SBOMs.

    The platform allows software producers and sellers to create and publish attested, compliant SBOMs, along with self-attestation forms, and related artifacts for each product and SKU sold on their private hubs.

    Software distributors and resellers can request SBOMs from vendors and make them available to their distribution channels and customers.

    Software consumers can subscribe to SBOM360 Hub to find SBOMs from specific vendors and to receive notifications on software updates and vulnerabilities.

    Reply
  27. Tomi Engdahl says:

    Mobile & Wireless
    Google Announces New Rating System for Android and Device Vulnerability Reports
    https://www.securityweek.com/google-announces-new-rating-system-for-android-and-device-vulnerability-reports/

    Google is updating its vulnerability reports rating system to encourage researchers to provide more details on the reported bugs.

    Google on Wednesday announced that it’s updating the Android and Google Devices Vulnerability Reward Program (VRP) with a new system for rating the quality of bug reports.

    The new quality rating system, the internet giant says, should encourage researchers to provide more details on the identified security defects and should also help address them faster.

    Per the new rating system, received vulnerability reports will be rated as ‘high’, ‘medium’, or ‘low’ quality, and will be awarded bounty rewards accordingly.

    “The highest quality and most critical vulnerabilities are now eligible for larger rewards of up to $15,000,” the internet giant says.

    Google expects researchers to describe the identified flaw clearly and accurately and to include in their reports the device name and version, a full root cause analysis of the bug, a high-quality proof-of-concept (PoC) demonstrating the issue, and a step-by-step explanation of how to reproduce it.

    Google also says that it’s no longer assigning CVEs for most Android vulnerabilities that are assigned ‘moderate’ severity ratings.

    New Android & Google Device Vulnerability Reward Program Initiatives
    https://security.googleblog.com/2023/05/new-android-google-device-VRP.html

    We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports to encourage more security research in higher impact areas of our products and ensure the security of our users. This system will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report. We believe that this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards.

    Reply
  28. Tomi Engdahl says:

    A router that is just 4 years old can already be a big risk
    https://etn.fi/index.php/13-news/14986-jo-4-vuotta-vanha-reititin-voi-olla-iso-riski

    Many Finnish homes have a router that is too old, which significantly slows down the home’s devices and is at worst a security risk. DNA warns that an old router can be a serious security risk if, for example, it no longer receives security updates.

    According to the operator’s head of service development, Ville Partanen, it is rarely possible to tell from external signs that a home router has become outdated. The most common signs of a poorly performing router appear when new devices are added to the network. Stuttering then typically becomes noticeable in, for example, streaming services or the video connection of a remote meeting.

    - If the home internet keeps stuttering and the router has to be restarted over and over, then it is clearly time to replace the router. As a rule of thumb, I would say that for a basic user a four-year-old router is already aged. An advanced user might replace it as often as every two years, says Partanen.

    Partanen reminds us that a stuttering internet connection is, however, minor compared to what an outdated router can cause at worst.

    - If the device is old enough, security updates may not be available for it, or installing them is so cumbersome that the user simply leaves it be. At worst, a hacker may hijack such a device and use it for illegal activity.

    Reply
  29. Tomi Engdahl says:

    Privacy Sandbox Initiative: Google to Phase Out Third-Party Cookies Starting 2024 https://thehackernews.com/2023/05/privacy-sandbox-initiative-google-to.html
    Google has announced plans to officially flip the switch on its twice-delayed Privacy Sandbox initiatives as it slowly works its way to deprecate support for third-party cookies in Chrome browser. To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024

    Reply
  30. Tomi Engdahl says:

    Making The Most Of A Penetration Test: The Organizational Perspective https://www.forbes.com/sites/davidbalaban/2023/05/19/making-the-most-of-a-penetration-test-the-organizational-perspective/
    Proactive security is gathering steam today, wherein penetration testing (pentesting) is a Swiss Army knife strategy. In plain words, it’s about breaking bad for a while to simulate a real attacker’s actions. This offensive approach can be an eye-opening experience to enterprises in terms of their vulnerabilities and applicable fixes.
    The internet is rife with information about penetration testing types and methodologies, so this article will zoom in on a few key aspects, including those that call forth confusion and misconceptions among organizations that decide to jump on the pentesting bandwagon

    Reply
  31. Tomi Engdahl says:

    Many Android Phones Can Be Unlocked With A Photo https://www.forbes.com/sites/emmawoollacott/2023/05/19/many-android-phones-can-be-unlocked-with-a-photo/
    Many phones that can be unlocked using facial recognition can be fooled by a photograph, research has found. According to consumer body “Which?”, scammers can bypass the screen lock on certain Android phones and access sensitive information. Researchers tested 48 phones and found that 19 could be unlocked with a photo, even a low-resolution one printed on normal paper, of the owner

    Reply
  32. Tomi Engdahl says:

    Cyber Signals: Shifting tactics fuel surge in business email compromise https://www.microsoft.com/en-us/security/blog/2023/05/19/cyber-signals-shifting-tactics-fuel-surge-in-business-email-compromise/
    Today Microsoft released the fourth edition of Cyber Signals highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft has observed a 38 percent increase in cybercrime as a service (CaaS) targeting business email between 2019 and 2022. Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 BEC complaints involving domestic transactions with potential losses of more than USD 590 million

    Reply
  33. Tomi Engdahl says:

    Russian IT guy sent to labor camp for DDoSing Kremlin websites https://www.theregister.com/2023/05/19/russian_it_worker_ddos/
    A Russian IT worker accused of participating in pro-Ukraine denial of service attacks against Russian government websites has been sentenced to three years in a penal colony and ordered to pay 800,000 rubles (about $10,000). According to the state-owned TASS news agency, a Russian regional court handed down the sentence against Yevgeny Kotikov, who is said to have supported Kyiv during Russia’s invasion of Ukraine. To this end he and others DDoSed government websites including those belonging to the Russian president and the country’s Ministry of Defense, we’re told.

    Reply
  34. Tomi Engdahl says:

    Google will delete accounts inactive for more than 2 years https://www.bleepingcomputer.com/news/security/google-will-delete-accounts-inactive-for-more-than-2-years/
    Google has updated its policy for personal accounts across its services to allow a maximum period of inactivity of two years. After that time has passed, the accounts “may” be deleted, along with all their contents, settings, preferences, and user-saved data. This includes all data stored on services such as Gmail, Docs, Drive, Meet, Calendar, Google Photos, and YouTube. However, this new policy will not apply to Google accounts for organizations such as schools or businesses.

    Reply
  35. Tomi Engdahl says:

    Cloudflare Unveils New Secrets Management Solution
    https://www.securityweek.com/cloudflare-unveils-new-secrets-management-solution/

    Cloudflare introduces Secrets Store, a new solution to help developers and organizations securely store and manage secrets.

    Reply
  36. Tomi Engdahl says:

    Are Your APIs Leaking Sensitive Data?
    https://thehackernews.com/2023/05/are-your-apis-leaking-sensitive-data.html
    It’s no secret that data leaks have become a major concern for both citizens and institutions across the globe. They can cause serious damage to an organization’s reputation, induce considerable financial losses, and even have serious legal repercussions. From the infamous Cambridge Analytica scandal to the Equifax data breach, there have been some pretty high-profile leaks resulting in massive consequences for the world’s biggest brands. To make things more interesting, the most prominent attack vector is likely not what you or anyone thinks.
    Believe it or not, application programming interfaces (APIs) are a leading culprit of exposure and compromise.

    Reply
  37. Tomi Engdahl says:

    Kaleva: A cyber attack is comparable to an armed attack – NATO could respond even with nuclear weapons
    A sufficiently powerful cyber attack could trigger even military countermeasures. A nuclear response, however, would require destruction on the same scale from the cyber strike.
    https://www.iltalehti.fi/tietoturva/a/7449bcf6-2cef-4d05-8797-9edffeb48db4

    Reply
  38. Tomi Engdahl says:

    Network Security
    Cutting Through the Noise: What is Zero Trust Security?
    https://www.securityweek.com/cutting-through-the-noise-what-is-zero-trust-security/

    With proactive steps to move toward Zero Trust, technology leaders can leverage an old, yet new, idea that must become the security norm.

    The Zero Trust framework has emerged as the leading security protocol for complex enterprises.

    According to ZTEdge, 80% of organizations have plans to embrace a zero-trust security strategy this year, and global spending on Zero Trust will more than double between now and 2025.

    This rapid growth comes more than a decade after Forrester’s John Kindervag first coined the term “Zero Trust” and nearly 30 years since the concept’s genesis was first published. Zero Trust has become so popular recently as organizations have seen its value in multi-faceted environments that feature cloud, on-premise, and legacy architecture.

    Even before the Covid-19 pandemic, the size of technology ecosystems was growing at an astounding clip thanks to the increased use of hybrid cloud solutions and Software-as-a-Service applications. The Covid-19 pandemic served as another catalyst with more remote workers further expanding services and networks, leaving enterprises with an untenable area to defend.

    Zero Trust gives users the bare minimum of permissions to do their job. This helps ensure that if an account is compromised, the bad actor only has limited access and cannot easily move throughout your network. Zero Trust also goes beyond just users and provides protection for all connected devices to a network, including Internet of Things technologies like webcams, smart devices, smart televisions, and badge scanners.

    Is Zero Trust Right for You?

    Zero Trust works on the concept that no user should be trusted by default and by being very granular about defining and verifying exactly what resource any user or device is able to access. Since no online user can be fully trusted, they must provide identity verification, even if they’ve identified their identity in another part of the system.

    Reply
  39. Tomi Engdahl says:

    GAO Tells Federal Agencies to Fully Implement Key Cloud Security Practices
    GAO report underlines the need for federal agencies to fully implement key cloud security practices.
    https://www.securityweek.com/gao-tells-federal-agencies-to-fully-implement-key-cloud-security-practices/

    Reply
  40. Tomi Engdahl says:

    Hypervisors and Ransomware: Defending Attractive Targets https://securityintelligence.com/articles/hypervisors-and-ransomware-defending-attractive-targets/
    Increased use of virtualization comes with both operational efficiencies and abilities to deploy a sound resilience strategy specifically related to recovery. With solid backup and restoration methods and disaster recovery planning, spinning up some images and backups can be relatively easy when needed. Done well, they facilitate quick recovery with minimal impact and disruption. But when an organization employs virtualization, the underlying infrastructure that powers all of that, such as the hypervisor, also becomes a prime target.

    Reply
  41. Tomi Engdahl says:

    Skills gap puts EU cybersecurity rule compliance to the test https://www.euractiv.com/section/cybersecurity/news/skills-gap-puts-eu-cybersecurity-rule-compliance-to-the-test/
    A number of new regulatory requirements are set to enter into force with the revised Networks and Information Security Directive (NIS2) and the Cyber Resilience Act, which will set security standards for connected devices. A new regulatory framework to increase cybersecurity resilience is falling into place at the EU level, but it risks exposing the growing shortage of cyber-talent in regulators and companies.

    Reply
  42. Tomi Engdahl says:

    Did you know only 42% of companies are actively monitoring the dark web for threats?

    That is a surprisingly low number when so many threat actors are planning their next attack on the dark web. If your organization isn’t monitoring the dark web, you could be missing out on important information that can help mitigate attacks.

    https://go.recordedfuture.com/inside-dark-web-brief?utm_campaign=dark-web-brief&utm_source=securityweek&utm_medium=cpc&utm_content=20230523&utm_term=dedicated

    Reply
  43. Tomi Engdahl says:

    Wired:
    Leaked responses from 20 countries to an EU proposal show the majority favor some form of scanning encrypted messages, with Spain wanting an EU-wide E2EE ban — In response to an EU proposal to scan private messages for illegal material, the country’s officials said it is “imperative that we have access to the data.”

    Leaked Government Document Shows Spain Wants to Ban End-to-End Encryption
    https://www.wired.com/story/europe-break-encryption-leaked-document-csa-law/

    In response to an EU proposal to scan private messages for illegal material, the country’s officials said it is “imperative that we have access to the data.”

    Reply
  44. Tomi Engdahl says:

    Bobby Allyn / NPR:
    TikTok sues Montana over its new law intending to ban the app, citing the First Amendment, the state’s lack of authority on national security issues, and more — TikTok has filed a federal lawsuit against Montana after the state passed a law last week intended to ban the app from being downloaded within its borders.

    TikTok sues Montana over its new law banning the app
    https://www.npr.org/2023/05/22/1177541355/tiktok-sues-lawsuit-montana-law-ban

    Reply
  45. Tomi Engdahl says:

    Devin Coldewey / TechCrunch:
    OpenAI CEO Sam Altman, President Greg Brockman, and Chief Scientist Ilya Sutskever say the world will likely need a regulatory body for superintelligence — AI is developing rapidly enough and the dangers it may pose are clear enough that OpenAI’s leadership believes that the world needs …

    OpenAI leaders propose international regulatory body for AI
    https://techcrunch.com/2023/05/22/openai-leaders-propose-international-regulatory-body-for-ai/

    Reply
  46. Tomi Engdahl says:

    Huw Jones / Reuters:
    Securities watchdog IOSCO proposes the first global crypto regulations, covering conflicts of interest, custody, and more, aiming to finalize them by year-end — International securities watchdog IOSCO on Tuesday proposed the first global approach to regulating cryptoasset markets …

    https://www.reuters.com/business/watchdog-proposes-first-set-global-rules-crypto-sector-2023-05-23/

    Reply
  47. Tomi Engdahl says:

    The “Rip and Replace” Cellular Infrastructure Debacle
    May 16, 2023
    The FCC’s Rip and Replace Program, aimed at ridding the U.S.’s network infrastructure of risky Chinese-made equipment, is proving to be more difficult than it bargained for.
    https://www.mwrf.com/technologies/embedded/systems/article/21266055/microwaves-rf-the-rip-and-replace-cellular-infrastructure-debacle?utm_source=RF+MWRF+Today&utm_medium=email&utm_campaign=CPS230519070&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R

    All the way back in July 2021, the U.S. Federal Communications Commission (FCC) voted unanimously to institute a $1.9 billion “rip-and-replace” effort to subsidize the costs for smaller network operators to rid their networks of Chinese-made equipment, mostly from Huawei and ZTE. These firms’ wares have been deemed to pose a national security risk, as the FBI found that the attractively priced Chinese gear was turning up atop cellular towers in unnervingly close proximity to a number of midwestern U.S. military installations.

    This all sounds like a prudent plan, one that’s attracting bipartisan legislative support especially in light of the Chinese spy balloons and “secret police stations” that have been exposed in recent months. If you can get Republican and Democrat members of Congress to agree on anything, it must be important. The prospect of Chinese intelligence using telecom gear to harvest military and/or commercial secrets is not to be taken lightly.

    But as with many of the “best laid plans of mice and men,” there are a few stumbling blocks. For one, as of about a year ago, the FCC reported to Congress that two-thirds of the applications it had received thus far from network operators for rip-and-replace reimbursements were “materially deficient,” which is to say they weren’t completed to the FCC’s satisfaction.

    However, the bigger problem was that the FCC’s cost estimate to remove all of the Huawei/ZTE equipment was $5.3 billion, far higher than the $1.9 billion initially appropriated by Congress. Demand for the funding among small, rural telecom network operators quickly outstripped supply. Thus, the FCC began a triaging effort that had been mandated by Congress, allocating funding to approved applicants with 2 million or fewer customers. Yet, the FCC says it has received 126 applications for funding that go beyond its $1.9 billion appropriation.

    Reply
  48. Tomi Engdahl says:

    “Our research discovers how the rolling shutter and movable lens structures widely found in smartphone cameras modulate structure-borne sounds onto camera images, creating a point-of-view (POV) optical-acoustic side channel for acoustic eavesdropping. The movement of smartphone camera hardware leaks acoustic information because images unwittingly modulate ambient sound as imperceptible distortions. Our experiments find that the side channel is further amplified by intrinsic behaviors of Complementary Metal-oxide–Semiconductor (CMOS) rolling shutters and movable lenses such as in Optical Image Stabilization (OIS) and Auto Focus (AF).”

    https://arxiv.org/ftp/arxiv/papers/2301/2301.10056.pdf

    Reply
  49. Tomi Engdahl says:

    Find a vulnerability – earn a hundred thousand euros
    https://etn.fi/index.php/13-news/15001-loeydae-haavoittuvuus-tienaa-satatuhatta-euroa
    LähiTapiola has decided to double the maximum reward it offers white-hat hackers through its Bug Bounty program. Previously, the maximum reward of the program, which aims at finding security vulnerabilities, was 50,000 euros. Now the sum has been raised to 100,000 euros.
    A hundred thousand is attractive even by international standards. In Finland, no company's rewards have previously reached the same level. “We are aiming to get world-class hackers to go after our services.”

    Reply
