Nothing is more difficult than making predictions, especially in fast advancing cyber security field. Instead of me trowing out wild ideas what might be coming, I have collected here some trends many people and publications have predicted for 2023.
HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome to attempt to “upgrade” to the HTTPS version of websites, if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads through HTTP on Chrome browser.
Malwertising: Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users also in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.
Encrypted malware: The vast majority of malware arriving over encrypted connections that are typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams traditional firewalls and many other security tools. Over 85% of Attacks Hide in Encrypted Channels. WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.
Software vulnerabilities: Weak configurations for encryption and missing security headers will be still very common in 2023. In 2022 nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications
Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. There are many companies that do not patch their systems at reasonable time or at all, so they stay vulnerable. Also new variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.
Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, maintenance of employees’ skills and indifference are the strongest obstacles in the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.
Cloud: In a hyperscale cloud provider, there can be potentially several thousand people, working around the globe that could potentially access our data. Security screening and limiting alone still leaves a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.
MFA: MFA Fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is MFA fatigue attacks a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them with legitimate authentication requests. t’s a huge threat because it bypasses one of the most effective the security measures.
Passwords: Passwords will not go away completely even though new solutions to replace then will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character to the password can make it harder for cyber criminals to use if for some reason it leaks out. The reason us that comma in password can obfuscate tabular comma separated values (csv) files, which are a common way to collect and distribute stolen passwords.
EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity: Network and Information Security 2 also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs on late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors. Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been observed by the cybersecurity community as “the floor” and “a baseline” to cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, remaining their focus solely to IT systems. Especially in the critical infrastructure sectors, overlooking OT can have serious risks to all operations. As a result, the CPGs released explicitly are scoped to include OT devices.
Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.
Loosing the trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.
Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.
Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.
Privacy and data protection:Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.
Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also a challenge that Executives take more cybersecurity risks than office workers – leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.
Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that Executives take more cybersecurity risks than office workers
Zero trust: Many people think that Zero Trust is pretty optimal security practice in 2023. It is good for those new systems to whom it’s model suits, but Zero Trust has also challenges. Incorporating zero trust into an existing network can be very expensive. Zero Trust Shouldnt Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesnt coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. Thats where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.
Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.
Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. A future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”
Google Workplace: Google Workspace Gets Client-Side Encryption in Gmail. Long waited Client-side encryption for Gmail available in beta .
Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.
Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API,
War risks: Watch for continued war between Russia and Ukraine real world and cyber world in 2023. Cyber as important as missile defences – an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.
Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.
ISC: ICS and SCADA systems remain trending attack targets also in 2023.
Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all free public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.
Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.
PCI DSS: PCI DSS 4.0 Should Be on Your Radar in 2023 if you work on field that needs to meet that. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.
SHA-1: NIST Retires SHA-1 Cryptographic Algorithm, not fully in 2023, but starts preparations for phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique is referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replace the 27 years old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phaseout period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.
Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers -Amazon Web Services (AWS), Microsoft Azure and Google Cloud- of course offer security features and services, which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.
Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
Ethical hacking: Ethical hacking has become a highly-sought after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But there are several analysts who believe that becoming a self-taught ethical hacker in 2023 might not be worth it because they are at constant risk of failing to perform properly and many companies might not want to hire an ethical hacker.
MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!
Cloud APIs: With Cloud Comes APIs & Security Headaches also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. ccording to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots . About 40% of companies are suffering an incident due to misconfiguration and a third coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions-
Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.
VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.
AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations
But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.
AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. Wired magazine article expects that In 2023, we may well see our first death by chatbot. Causality will be hard to prove was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?
Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. ReadPolicing in the metaverse: what law enforcement needs to know report for more information.
Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. Year 2022 already showed how a lot of cryptocurrency related risks realized. More “Crypto travel rules” enacted to combat money laundering and terrorism financing.
Insurance: Getting a cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks and now increasing cyber was the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are already insurance policies written in the market have an exemption for state-backed attacks, but but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks that have disrupted hospitals, shut down pipelines and targeted government department. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.
Sources:
Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka
Overseeing artificial intelligence: Moving your board from reticence to confidence
Android is adding support for updatable root certificates amidst TrustCor scare
Google Play now lets children send purchase requests to guardians
Diligent’s outlook for 2023: Risk is the trend to watch
Microsoft will turn off Exchange Online basic auth in January
Google is letting businesses try out client-side encryption for Gmail
Google Workspace Gets Client-Side Encryption in Gmail
The risk of escalation from cyberattacks has never been greater
Client-side encryption for Gmail available in beta
AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Microsoft: Edge update will disable Internet Explorer in February
Is Cloud Native Security Good Enough?
Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023
Google Chrome preparing an option to block insecure HTTP downloads
Cyber attacks set to become ‘uninsurable’, says Zurich chief
The Dark Risk of Large Language Models
Police Must Prepare For New Crimes In The Metaverse, Says Europol
Policing in the metaverse: what law enforcement needs to know
Cyber as important as missile defences – an ex-NATO general
Misconfigurations, Vulnerabilities Found in 95% of Applications
Personnel security in the cloud
Multi-factor auth fatigue is real – and it’s why you may be in the headlines next
MFA Fatigue attacks are putting your organization at risk
NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
Poor software costs the US 2.4 trillion
Passkeys Now Fully Supported in Google Chrome
Google Takes Gmail Security to the Next Level with Client-Side Encryption
Executives take more cybersecurity risks than office workers
NIST Retires SHA-1 Cryptographic Algorithm
NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm
WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections
Over 85% of Attacks Hide in Encrypted Channels
GitHub Announces Free Secret Scanning, Mandatory 2FA
Leaked a secret? Check your GitHub alerts…for free
Data Destruction Policies in the Age of Cloud Computing
Why PCI DSS 4.0 Should Be on Your Radar in 2023
Google: With Cloud Comes APIs & Security Headaches
Digesting CISA’s Cross-Sector Cybersecurity Performance Goals
Zero Trust Shouldnt Be The New Normal
Don’t click too quick! FBI warns of malicious search engine ads
FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
Kyberturvan ammattilaisista on huutava pula
1,768 Comments
Tomi Engdahl says:
Hackers went after personally identifiable information the most, study says https://www.scmagazine.com/news/data-security/hackers-went-after-personally-identifiable-information-the-most-study-says
A recently released study that analyzed the top 100 breaches from July
2021 to July 2022 showed that hackers went after personally identifiable information 42.7% of the time. Out of all of the types of data available for cybercriminals to steal credit card info, passwords, source code, etc. the authors of the Imperva study said that PII is the most valuable since criminals can compile more PII from the dark web to then engage in harder to prevent fraud or full-on identity theft. Study at https://www.imperva.com/resources/whitepapers/More-Lessons-Learned-from-Analyzing-100-Data-Breaches_WP.pdf
Tomi Engdahl says:
Lähes puolet Euroopan 5G-datasta menee yhä kiinalaisten laitteiden läpi
https://etn.fi/index.php/13-news/14434-laehes-puolet-euroopan-5g-datasta-menee-yhae-kiinalaisten-laitteiden-laepi
Pari vuotta sitten Ruotsi kielsi Huawein ja ZTE:n verkkolaitteiden käytön 5G-verkoissaan. Tanskalaisen konsulttiyritys Strand Consultin raportti kuitenkin kertoo, että kiinalaisilla toimittajilla on yli 50 prosentin osuus 5G-markkinoista kahdeksassa Euroopan maassa.
Joulun aikaan julkistettu raportti osoittaa, että niiden maiden määrä, joissa kiinalaiset yritykset toimittivat yli 50 prosenttia matkaviestinverkkojen radio-osasta, väheni vuoden aikana 16:sta kahdeksaan. Niiden maiden määrä, joissa on vain kiinalaisia radiolaitteita, on pudonnut kolmesta yhteen.
11 Euroopan maassa 5G-verkot on rakennettu ilman kiinalaisia 5G-laitteita. Samaan aikaan suurten maiden, kuten Saksan, Italian, Puolan, Espanjan, Portugalin ja Itävallan operaattoreilla on paljon Huawein ja ZTE:n radiolaitteita. Strand Consultin mukaan tämä tarkoittaa, että 41 prosenttia Euroopan 5G-liikenteestä kulkee kiinalaisten laitteiden kautta.
Tomi Engdahl says:
https://www.securityweek.com/many-13-new-mac-malware-families-discovered-2022-linked-china
Tomi Engdahl says:
Ransomware Hit 200 US Gov, Education and Healthcare Organizations in 2022
https://www.securityweek.com/ransomware-hit-200-us-gov-education-and-healthcare-organizations-2022
More than 200 government, education, and healthcare organizations in the United States fell victim to ransomware in 2022, data gathered by cybersecurity firm Emsisoft shows.
At a US-led summit in 2021, roughly 30 nations vowed to intensify the battle against ransomware, but ransomware groups remain a constant threat to both public and private sectors in the US and abroad.
Tomi Engdahl says:
XDR and the Age-old Problem of Alert Fatigue
https://www.securityweek.com/xdr-and-age-old-problem-alert-fatigue
XDR’s fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture
According to 451 Research’s M&A Knowledgebase, cybersecurity M&A activity in 2021 reached an all-time high total deal value of $74.1 billion. Contributing to that growth, extended detection and response (XDR) went from zero to 28 deals in 19 months and is expected to drive continued M&A activity, with good reason. Extending its research into XDR, 451 Research recently found that XDR is now the most frequently reported area of augmentation to SIEM/security analytics with 43% of respondents citing it as the top technology to combine with these core security operations technologies.
Tomi Engdahl says:
More Political Storms for TikTok After US Government Ban
https://www.securityweek.com/more-political-storms-tiktok-after-us-government-ban
TikTok faces an uncertain year ahead in the United States as anti-China Republicans take greater control in Congress demanding tighter scrutiny for the highly popular video sharing app. Owned by Chinese tech giant ByteDance, TikTok has become a political punching bag for US conservatives who allege that the app downloaded by millions of US young people can be circumvented for spying or propaganda by the Chinese Communist Party (CCP).
Tomi Engdahl says:
Predictions 2023: Big Tech’s Coming Security Shopping Spree
https://www.securityweek.com/predictions-2023-big-techs-coming-security-shopping-spree
Tomi Engdahl says:
Karen Hao / Wall Street Journal:
The Cyberspace Administration of China will start regulating “deep synthesis” tech like AI-powered image, audio, and text-generation software on January 10 — Beijing is among the first governments to regulate hyper-realistic, AI-generated media
China, a Pioneer in Regulating Algorithms, Turns Its Focus to Deepfakes
Beijing is among the first governments to regulate hyper-realistic, AI-generated media
https://www.wsj.com/articles/china-a-pioneer-in-regulating-algorithms-turns-its-focus-to-deepfakes-11673149283?mod=djemalertNEWS
China is implementing new rules to restrict the production of ‘deepfakes,’ media generated or edited by artificial-intelligence software that can make people appear to say and do things they never did.
Beijing’s internet regulator, the Cyberspace Administration of China, will begin enforcing the regulation—on what it calls “deep synthesis” technology, including AI-powered image, audio and text-generation software—starting Tuesday, marking the world’s first comprehensive attempt by a major regulatory agency to curb one of the most explosive and controversial areas of AI advancement.
Such technologies, which underpin wildly popular applications such as ChatGPT, a text generator developed by OpenAI, and Lensa, an automated maker of personalized digital avatars, also pose new challenges for their potential to generate more deceptive media that could fuel misinformation and casts doubt on the veracity of virtually anything in the digital realm.
The new regulations, among other things, prohibit the use of AI-generated content for spreading “fake news,” or information deemed disruptive to the economy or national security—broadly defined categories that give authorities wide latitude to interpret.
Tomi Engdahl says:
Ian Smith / Financial Times:
UK-based insurer Beazley launches the first cyber catastrophe bond, typically used for hurricanes and extreme weather, as the industry combats ransomware claim — Template eyed as source of capital for area of insurance in high demand — Lloyd’s of London insurer Beazley has launched …
Insurer Beazley launches first catastrophe bond for cyber threats
https://www.ft.com/content/a945d290-a7f1-427c-84a6-b0b0574f7376
Tomi Engdahl says:
Uusi kyberturvallisuusdirektiivi käyttöön 2024
https://www.uusiteknologia.fi/2023/01/09/uusi-kyberturvallisuusdirektiivi-kayttoon-2024/
Euroopassa halutaan vahvistaa kyberturvallisuuden tasoa uusilla EU-säädöksillä. Suomessa sen kansallinen toimeenpanohanke käynnistyi jo, mutta säädösten voimaantuloon voi mennä vielä kesään 2024 asti. Uuden kyberturvallisuusdirektiivin tavoitteena on vahvistaa sekä EU:n yhteistä että jäsenvaltioiden kansallista kyberturvallisuuden tasoa tiettyjen kriittisten sektoreiden osalta.
Tomi Engdahl says:
Kolme teknologiajättiä sopi salasanattomasta tulevaisuudesta – mitä riskejä kirjautumisavaimiin liittyy?
https://www.iltalehti.fi/digiuutiset/a/4b01d9ff-c8e0-42aa-9c2b-d70ea7d66571
Keväällä 2022 kolme yhdysvaltalaista teknologiajättiä ilmoittivat, että ne ryhtyvät yhdessä panostamaan salasanattoman tulevaisuuden kehitykseen.
Apple, Google ja Microsoft ilmoittivat toukokuussa 2022 yhteisestä pyrkimyksestä päästä kokonaan eroon salasanoista.
Pikkuhiljaa päätöksen vaikutukset ryhtyvät näkymään kuluttajien elämässä, kun yritykset lisäävät salasanattomia vaihtoehtoja ja kuluttajat siirtyvät käyttämään niitä.
– Kokonainen siirtyminen salasanattomaan maailmaan alkaa siitä, kun kuluttajat tekevät siitä luonnollisen osan elämäänsä, sanoo Microsoftin identiteettiohjelmien vastaava varajohtaja Alex Simons Applen tiedotteessa.
FIDO alliance
Tietotekniikan professori ja Aalto-yliopiston tietotekniikan laitoksen johtaja Janne Lindqvist kertoo, että yrityksien ilmoitus on lähtökohtaisesti hyvä uutinen.
– Kolme isoa yritystä on ilmoittanut, että he panostavat salasanattomaan FIDO alliance standardiin. Tämä ei siis ole yritysten oma keksintö, vaan he tulevat ottamaan käyttöön näitä standardeja ja tekemään yhteistyötä asian parissa.
https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/
Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins
https://www.apple.com/fi/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/
An Expansion of Passwordless Standard Support
Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms.
These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins:
Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method.
Tomi Engdahl says:
This is the end, Windows 7 and 8 friends. Microsoft support ends this week https://www.theregister.com/2023/01/09/microsoft_windows_7_8_support_ends/
As Microsoft has been warning, the company is yanking support for Windows 7 Extended Security Update (ESU) and Windows 8 and 8.1 on Tuesday, January 10, which means users of those OSes will need to shift to Windows 10 or 11 to continue getting technical assistance and software updates
Tomi Engdahl says:
Supreme Court dismisses spyware company NSO Groups claim of immunity https://therecord.media/supreme-court-dismisses-spyware-company-nso-groups-claim-of-immunity/
The Supreme Court dismissed on Monday an attempt by the Israeli spyware vendor NSO Group to claim immunity from legal challenges. The same claim of immunity had previously been dismissed twice by U.S.
courts, first by a California district court and then by the Ninth Circuit. The Supreme Courts website on Monday was updated to say that NSO Groups most recent petition had also been denied
Tomi Engdahl says:
The Mac Malware of 2022
https://objective-see.org/blog/blog_0x71.html
While the specimens may have been reported on before (i.e. by the AV company that discovered them), this blog aims to cumulatively and comprehensively cover all the new Mac malware of 2022 – in one place yes, with samples of each malware available for download. After reading this blog post, you should have a thorough understanding of recent threats targeting macOS. This is especially important as Macs continue to flourish, especially compared to other personal computers brands. In fact, an industry report from late 2022 showed that the year-over-year growth of all of the top 5 computer companies declined significantly except for Apple who saw a 40% increase!
Tomi Engdahl says:
https://www.securityweek.com/xdr-and-age-old-problem-alert-fatigue
Tomi Engdahl says:
AWS Enables Default Server-Side Encryption for S3 Objects
https://www.securityweek.com/aws-enables-default-server-side-encryption-s3-objects
AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.
Initially introduced in 2011, SSE-S3 handles both encryption and decryption, along with key management. An opt-in feature until now, SSE-S3 relies on Advanced Encryption Standard (AES) encryption with 256-bit keys managed by AWS.
“S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting,” AWS announced.
https://aws.amazon.com/blogs/aws/amazon-s3-encrypts-new-objects-by-default/
Tomi Engdahl says:
FCC Proposes Tighter Data Breach Reporting Rules for Wireless Carriers
https://www.securityweek.com/fcc-proposes-tighter-data-breach-reporting-rules-wireless-carriers
Tomi Engdahl says:
Secrets to a Good Security Webinar or Conference Presentation
https://www.securityweek.com/secrets-good-security-webinar-or-conference-presentation
Tips for making a presentation that will help improve the state of security programs and reflect favorably on the presenters and their companies
Lately, I’ve been fortunate enough to attend a few different in-person professional events and conferences. After a hiatus from these events due to Covid-19, I was reminded of a few observations I had made and lessons I had learned prior to the pandemic.
Here are five tips for making a presentation that will keep the audience engaged and off of their mobile phones and laptops:
1. We get it: I’m always amazed at how many presentations recount the same problems we as a community have been aware of and discussing for 5, 10, 15, or even 20 years. Yeah, we get it. We are familiar with these problems – maybe more so than you are. We know that the sky is falling – or at least you aren’t the first person to tell us it is. We see your high-level, broad stroke, general industry numbers – they are most likely the same numbers we’ve seen in countless other places.
2. We represent our companies: When presenting, it is important to remember that we represent ourselves, yes, but also, the companies we work for. Thus, if we aren’t adding anything to the dialogue or to the overall state of knowledge in the security and fraud fields, we are not representing our companies well. Why? In my experience, companies that have what to add to the discussion send people to conferences who will represent them well and arm those representatives with the right insights, data, and key takeaways to make a great presentation. We should not underestimate the impression of our companies that conference attendees take from our presentations, and we should prepare our presentations accordingly.
3. Show me the data: In my experience, customers, peers, collaborators, and other presentation attendees are often wowed by specific, relevant data. Never underestimate the value of the right data. Not high-level, broad-stroke, general industry data, but rather, data based upon your company’s specific findings and/or research.
4. Show me practical advice: Ultimately, most of us are judged on our professional performance by the actions we take, the accomplishments we achieve, and the milestones we hit. As such, most of us are always looking for new and practical advice that we can learn from and implement in our daily work lives. It is precisely because of this that providing a number of actionable takeaways that a person can take with them from your presentation goes a long way. The best presentations are those that provide actionable advice that security and fraud professionals can experiment with and implement in their respective work environments soon after returning from the event.
5. Don’t be an ambulance chaser: Did you choose your presentation topic based on what is “hot”, “popular”, or “in the news”? If so, that is a poor choice in my opinion. Most people enjoy conference presentations where they learn something and/or can take something back with them from those presentations. That means that as presenters, it is our job to share expert knowledge that we may have in a given area. Can we tie that knowledge to current events? Sure, but current events cannot be the entirety of the presentation. Our audiences are actively seeking knowledge and advice that they can take with them and act upon.
It seems strange to me that I should need to explicitly state what seems somewhat obvious to so many of us in the security and fraud fields. Yet, if it is obvious, it certainly isn’t widely implemented
Tomi Engdahl says:
10 Computer Security Myths to Stop Believing
https://www.youtube.com/watch?v=rIVeisk_G1M
Tomi Engdahl says:
GitHub Introduces Automatic Vulnerability Scanning Feature
https://www.securityweek.com/github-introduces-automatic-vulnerability-scanning-feature
Microsoft-owned code hosting platform GitHub is now providing developers with the option to have their code repositories automatically scanned for vulnerabilities.
Available as a ‘default setup’ option, the new feature is meant to help code builders find and resolve vulnerabilities faster.
Available for JavaScript, Python, and Ruby repositories, it allows open source developers and enterprises to enable code scanning without the use of a .yaml file and will immediately provide them with insights into their code’s issues.
To enable the new option, GitHub users should head to the ‘Settings’ tab in their repositories and then navigate to ‘Code security and analysis’, under ‘Security’.
Tomi Engdahl says:
How a Recession Will Affect CISOs?
https://www.securityweek.com/how-recession-will-affect-cisos
Is the United States heading toward a recession? If we are, then profits will dip, and belts will be tightened while we wait for the government to turn things round. Most, but not all, businesses will survive; but all will be affected.
The big question is what should CISOs, cybersecurity professionals and cybersecurity vendors do to ensure they and their companies do survive the turbulence.
Is a recession inevitable?
According to IMF director Kristalina Georgieva (January 2, 2022) contractions in the three major economies – the US, EU, and China – will drive a global recession during 2023. The UK will face a deeper and more prolonged recession than other major countries, but the outlook for the US is less clear.
Some pundits have claimed the US was in recession as long ago as summer 2022. Other business leaders say it is unavoidable during 2023. Jeff Bezos reportedly said, “The probabilities say if we’re not in a recession right now, we’re likely to be in one very soon. Take as much risk off the table as you can. Hope for the best, but prepare for the worst… The probabilities in this economy tell you to batten down the hatches.”
Tomi Engdahl says:
Windows 7 Extended Security Updates, Windows 8.1 Reach End of Support
https://www.securityweek.com/windows-7-extended-security-updates-windows-81-reach-end-support
Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.
Windows 7 reached end of life (EoL) on January 14, 2020, but Microsoft gave customers the option to continue receiving important security updates through its ESU program. However, ESUs will no longer be available for purchase after January 10, 2023.
Windows 8.1 support ends on the same day. Computers running this version of Windows will continue to function, but will no longer receive technical support, software updates and, importantly, security updates or patches. In addition, Microsoft will not be offering an ESU program for Windows 8.1.Windows 8.1 reaches end of life
“Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the tech giant warns.
Microsoft also announced that Edge 109, scheduled for release on January 12, is the last version to support Windows 7, Windows 8.1, and Windows Server 2008 R2, Server 2012 and Server 2012 R2.
Windows Server 2012 and Server 2012 R2 will reach end of support on October 10, 2023. After this date, these operating systems will no longer receive security and non-security updates, bug fixes, technical support, or online technical content updates.
Tomi Engdahl says:
Laajat kyberturvatalkoot käynnistyvät Suomessa alle kaksi vuotta armonaikaa
https://www.tivi.fi/uutiset/tv/3ead9b67-82ae-407a-98e8-2c9193b7bcb8
Suomessa alkaa kyberturvallisuuden saattaminen uudelle tasolle Euroopan unionin kyberturvallisuusdirektiivin myötä. Uuden direktiivin velvoitteiden sulauttaminen Suomen lainsäädäntöön on käynnistynyt 2.
tammikuuta liikenne- ja viestintäministeriön päätöksellä
Tomi Engdahl says:
Using MSPs to administer your cloud services https://www.ncsc.gov.uk/blog-post/using-msps-to-administer-your-cloud-services
Building, operating, and securing technology is hard. It takes a lot of time, effort, and skills. And like many of the challenges in modern enterprises, its subject to ever-tightening budgets. It’s for these reasons that we advocate giving as much security responsibility to your cloud provider as possible, as they operate at a scale that makes it more practical for them to carry out key security activities.
However, the shared responsibility model still requires you to: choose a cloud provider that can meet your needs and configure (and use) the service well. That includes making effective use of the cloud services security features, and continuing to operate and secure the things youve put in the cloud
Tomi Engdahl says:
Homeland Security, CISA builds AI-based cybersecurity analytics sandbox https://www.theregister.com/2023/01/10/dhs_cisa_cybersecurity_sandbox/
The Department of Homeland Security (DHS) [...] and Cybersecurity and Infrastructure Security Agency (CISA) picture a multicloud collaborative sandbox that will become a training ground for government boffins to test analytic methods and technologies that rely heavily on artificial intelligence and machine learning techniques
Tomi Engdahl says:
Microsofts new AI can simulate anyones voice with 3 seconds of audio https://arstechnica.com/information-technology/2023/01/microsofts-new-ai-can-simulate-anyones-voice-with-3-seconds-of-audio/
On Thursday, Microsoft researchers announced a new text-to-speech AI model called VALL-E that can closely simulate a person’s voice when given a three-second audio sample. Once it learns a specific voice, VALL-E can synthesize audio of that person saying anythingand do it in a way that attempts to preserve the speaker’s emotional tone
Tomi Engdahl says:
Dark Web Markets Compete For The Drug Trafficking And Illegal Pharmacy Monopoly https://resecurity.com/blog/article/dark-web-markets-compete-drug-trafficking-illegal-pharmacy-monopoly
Major drug markets in the Dark Web are now worth around $315 million annually according to the United Nations Office on Drugs and Crime (UNODC). Resecurity estimates this figure to be significantly higher in 2023, the annual sales of illegal drugs in the Dark Web for 2022 exceeded $470 million. [...] According to Resecurity® HUNTER team, the following 10 Marketplaces are currently representing the core ecosystem of drug trafficking in the Dark Web. [...] Around the beginning of Q3 2022, multiple drug shops were identified in the Dark Web providing customers with a customized Android-based mobile app for purchases and secure communications, as well as sending instructions to couriers. The significance of this new trend is increasing OPSEC measures (of threat actors) and a visible shift from traditional communications channels to proprietary (developed by other actors operating in Dark Web)
Tomi Engdahl says:
TCP Floods Are Again the Leading DDoS Attack Vector https://www.csoonline.com/article/3685048/tcp-floods-are-again-the-leading-ddos-attack-vector.html
“By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies,” says Richard Hummel, threat intelligence lead at NETSCOUT. “In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised new attack vectors, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications.” Report at https://www.netscout.com/threatreport
Tomi Engdahl says:
https://hackaday.com/2023/01/10/adventures-in-robotic-safe-cracking/
Tomi Engdahl says:
Intel Adds TDX to Confidential Computing Portfolio With Launch of 4th Gen Xeon Processors
https://www.securityweek.com/intel-adds-tdx-confidential-computing-portfolio-launch-4th-gen-xeon-processors
Intel announced on Tuesday that it has added Intel Trust Domain Extensions (TDX) to its confidential computing portfolio with the launch of its new 4th Gen Xeon enterprise processors.
The chip giant has launched the 4th Gen Xeon scalable CPUs, codenamed Sapphire Rapids, alongside the Intel Xeon CPU Max series, codenamed Sapphire Rapids HBM, and the Data Center GPU Max series, codenamed Ponte Vecchio.
4th Gen Intel Xeon processorAccording to Intel, the new products bring increased performance in AI, analytics, networking, security, storage, and high performance computing (HPC).
In terms of security, Intel puts the spotlight on confidential computing, with the company’s portfolio being expanded to include Intel TDX, which isolates data and code in use at the virtual machine level using hardware-isolated trust domains.
TDX allows users to deploy existing applications into a confidential environment for increased privacy and compliance. The feature will be available through cloud providers such as Microsoft, Google, IBM and Alibaba, in many cases through a simple setting in a cloud configurator.
Intel says TDX gives users confidentiality from the cloud provider and other cloud tenants, while helping them ensure compliance with data privacy and governance regulations.
Intel® Trust Domain Extensions (Intel® TDX)
https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html
Tomi Engdahl says:
Chris Metinko / Crunchbase News:
Analysis: cybersecurity startups raised $15.3B in 2022, down by a third from a record $22.8B raised in 2021 but still 68% higher than the $9.1B raised in 2020
Venture To Cybersecurity Drops By A Third
https://news.crunchbase.com/cybersecurity/venture-to-cybersecurity-drops-by-a-third/
Venture capital in cybersecurity hit a record high in 2021 — like it did in many industries — but last year could not come close to matching those peak times.
Funding to cybersecurity startups dropped by a third in 2022, according to Crunchbase data. While 2021 saw a record $22.8 billion roll into startups in the sector, that number fell to $15.3 billion last year.
However, the 2022 venture total still represents a 68% increase from 2020 — which until last year was the high-water mark for venture funding in the industry.
The downside, however, is that investment dollars trended downward as the past year went on — something that may not bode well for startups in 2023.
The fourth quarter saw only $2.4 billion go to cyber startups, the lowest amount of venture investment in the sector since the third quarter of 2020 — which saw $1.6 billion invested — according to Crunchbase data.
Tomi Engdahl says:
Top KEVs in the U.S. Financial Services Sector https://lookingglasscyber.com/blog/threat-intelligence-insights/top-kevs-in-financial-services/
Across the U.S. financial sector, more than half of the vulnerabilities our platform detected reside in the insurance subsector, roughly a quarter fell under credit intermediaries, and about one in three of all vulnerabilities were carried over from third party services providers. The most common KEV [Known exploited vulnerability] detected in the U.S. financial services sector is seven years old, but one of the most commonly detected by our platform in critical infrastructure sectors. The next most common KEV in the sector was CVE-2021-31206, which is a known, frequently exploited vulnerability in Microsoft Exchange Server
Tomi Engdahl says:
Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog
https://isc.sans.edu/diary/rss/29426
TriOp is capable of gathering (among other data) information about the number of IPs where Shodan detected systems affected by different vulnerabilities. It should be mentioned that Shodan currently seems capable of detecting only 44 of the 870 vulnerabilities in the KEV catalog, so TriOp will by default only look for systems affected by those. It should also be mentioned that since most checks that Shodan does to determine whether a specific system is vulnerable are based only on version checks and other passive methods, the identification of vulnerable systems will not be 100% accurate. Nevertheless, it can be an interesting source of information as well as a basis for a simple mechanism for discovery of unpatched systems
Tomi Engdahl says:
Kyberrikoksen uhri ei ole tyhmä
https://www.tivi.fi/uutiset/tv/3f5e37d3-6bc1-4a8f-b509-b1f3a59aee60
Valitettava tosiasia on, että kuka tahansa meistä tai läheisistämme voi joutua rikoksen uhriksi internetiä käyttäessään. Meissä jokaisessa on sisäänrakennettuja haavoittuvuuksia kuten toivoa, pelkoa ja hyväntahtoisuutta. Rikolliset käyttävät näitä häikäilemättömästi hyväkseen. [...] Kyberrikoksen uhreja pitää tukea rikoksen jälkeen.
Riippuen tapahtuneesta, uhri on saattanut menettää pääsyn tärkeille käyttäjätileilleen tai jopa koko omaisuutensa. He tarvitsevat apua saadakseen takaisin sen minkä menettivät: olipa se pääsy tilille tai luottamus teknologiaan. Mutta yksi asia on varmaa. Uhrit eivät kaipaa yhtäkään heidän suuntaansa osoittavaa syyttävää sormea
Tomi Engdahl says:
How Many ICS-OT Directed Attacks In 2022?
https://www.linkedin.com/pulse/how-many-ics-ot-directed-attacks-2022-dale-peterson
Daniel Ehrenreich posited in a LinkedIn comment that the number of ICS-OT directed attacks in a year is in the two digits range (10 – 99). My definition, not Daniel’s, of an ICS-OT directed attack is an attack that is designed to compromise the availability or integrity of the ICS. [...] Even if the number of ICS-OT directed cyber attacks is in triple digits, this is dwarfed by the number of attacks that unintentionally find their way to the ICS or ICS security perimeter.
This is reflected by the limited published data where most ICS outages due to a cyber attack are caused by ransomware or some mass market malware / attack code
Tomi Engdahl says:
NATO and the EU set up taskforce on resilience and critical infrastructure https://www.nato.int/cps/en/natohq/news_210611.htm
NATO and the EU agreed to create a taskforce on resilience and critical infrastructure protection, NATO Secretary General Jens Stoltenberg and European Commission President Ursula von der Leyen announced on Wednesday (11 January 2023) in Brussels
Tomi Engdahl says:
Applications Five Years or Older Likely to have Security Flaws https://www.infosecurity-magazine.com/news/apps-five-years-likely-to-have/
Nearly 32% of newly introduced enterprise applications contain security flaws from the first vulnerability scan, software security firm Veracode found in its latest annual State of Software Security Report, published on January 11, 2022. While the report also shows what the Veracode researchers call a honeymoon period that runs until a year and a half after introducing the applications, where fewer flaws are found to be introduced in the applications code; this number picks up again after a longer period. By the time they have been in production for five years, nearly 70% of applications contain at least one security flaw. Report at https://www.veracode.com/state-of-software-security-report
Tomi Engdahl says:
Malware-based attacks on ATMs A summary https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/
Malware-based attacks that rely on physical access are becoming increasingly popular. Today, however, we can already see some security improvements in current assessments. However, our experience shows that the improvement within the last years is still insufficient. Many protections could still be circumvented to exploit initial vulnerabilities. This is usually not because manufacturers and banks deliberately avoid security precautions, but because the whole environment and its processes often do not allow simple security upgrades
Tomi Engdahl says:
Creatively malicious prompt engineering
https://labs.withsecure.com/publications/creatively-malicious-prompt-engineering
The experiments demonstrated in our research proved that large language models can be used to craft email threads suitable for spear phishing attacks, “text deepfake a persons writing style, apply opinion to written content, write in a certain style, and craft convincing looking fake articles, even if relevant information wasnt included in the models training data. We concluded that such models are potential technical drivers of cybercrime and attacks. Report at https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Creatively-malicious-prompt-engineering.pdf
Tomi Engdahl says:
2023 prediction: Security workforce shortage will lead to nationally significant cyberattack https://www.malwarebytes.com/blog/business/2023/01/2023-prediction-security-workforce-shortage-will-lead-to-nationally-significant-cyberattack
While organizations have made major investments in cybersecurity recently, hiring additional staff members to manage complex systems, processes, and people does not appear to be a priority. In 2022, the security employment gap expanded by 40 percent to 700,000 unfilled positions in the US alone. “The cybersecurity talent shortage is one of the most significant and threatening challenges facing our industry today,” said Barbara Massa, executive vice president at Mandiant, in an article for CNN
Tomi Engdahl says:
API Security in a Cloud-Native World
https://www.paloaltonetworks.com/blog/2023/01/api-security-in-a-cloud-native-world/
Developers are taking an API-first approach to building applications, tools and processes. But, as developers build, manage, publish and leverage APIs for applications, security teams are often ten steps behind in terms of understanding how to secure the APIs from risks inherent to their unique configurations and use. Hackers are aware of this lag. The lack of security controls, coupled with the increase in API usage and traffic, have made APIs a prime target for bad actors hunting for vulnerabilities and API misconfigurations to access the valuable data and resources within applications
Tomi Engdahl says:
4 Predictions for Cyber Insurance Requirements 2023 https://www.trendmicro.com/en_us/ciso/23/a/cyber-insurance-requirements-2023.html
As the threat landscape evolves and the cost of data breaches increase, so will cyber insurance requirements from carriers. Cyber Risk Specialist Vince Kearns shares his 4 predictions for 2023
Tomi Engdahl says:
Joulukuun kybersää oli pääosin sateinen, vaikka mukaan mahtui myös positiivisia uutisia
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kybersaa_12/2022
Vuosi 2022 päätettiin sateisessa kybersäässä. Viestintäverkkojen toimivuus oli joulukuussakin hyvällä tasolla, mutta palvelunestohyökkäykset lisääntyivät voimakkaasti. Sosiaalisen median tilimurtoja ilmoitetaan tasaista tahtia, ja tilien suojaamiseen kannattaakin kiinnittää huomiota. Lääkinnällisten laitteiden ylläpidon jatkuvuus puolestaan on tärkeää niin tietoturvan kuin eettisyyden vuoksi
Tomi Engdahl says:
Sophisticated ‘Dark Pink’ APT Targets Government, Military Organizations
https://www.securityweek.com/sophisticated-dark-pink-apt-targets-government-military-organizations
Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and Europe.
Referred to as Dark Pink, the threat actor was seen launching seven successful attacks against high-profile targets since June 2022, but it appears to have been active since at least mid-2021, based on the activity associated with a GitHub account.
Between June and December 2022, Dark Pink successfully breached military and government agencies, a religious organization, and a non-profit organization. The targets were located in Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam.
During the same period, the hacking group also launched a cyberattack against a European state development agency based in Vietnam.
Tomi Engdahl says:
Quantum Computing, Software Quality, and Security Will Intensify in 2023
Jan. 12, 2023
New hardware will put the onus on software developers to deliver better quality applications.
https://www.electronicdesign.com/technologies/embedded-revolution/article/21258007/keysight-technologies-quantum-computing-software-quality-and-security-will-intensify-in-2023
Tomi Engdahl says:
Top 10 Observability Tools to Pay Attention to in 2023
https://acure.io/blog/top-observability-tools/
Tomi Engdahl says:
https://hackaday.com/2023/01/13/this-week-in-security-cacti-rce/
SBOMs and VEX
Software Bill of Materials (SBOMs) is a popular buzzword these days, and we haven’t really look at the idea yet, here on this column. The idea has been around for a while, based on the tradition Bill of Materials that might come with a hardware build. A SBOM is simply the list of libraries and binaries that are part of a software solution. The ideal is that a business would have SBOMs for all their software and appliance solutions, and can automatically check whether they have any exposure to published CVEs.
It sounds great, but unfortunately it’s not quite as simple as it sounds. The article from Chainguard above is primarily about Vulnerability Exploitability eXchange (VEX) documents, a standardized format for declaring a product immune to a vulnerability.
Reflections on Trusting VEX (or when humans can improve SBOMs)
https://www.chainguard.dev/unchained/reflections-on-trusting-vex-or-when-humans-can-improve-sboms
Software bills of materials (SBOMs) are one of the rising stars of supply chain security. One way of understanding them is to picture SBOMs as a list of all the components used to build a program. The promise of SBOM is to grant us full transparency into the composition of the software we are using to let us know all the ingredients that went in the kitchen when it was baked.
The extreme transparency enabled by SBOMs can come with a downside; however, false positives when running a security scanner against it can easily come up as we are listing EVERYTHING, regardless of how components are used. If a piece of software includes a component, say a library, known to have a vulnerability in the linked version, a scanner may report the whole application as vulnerable, even if the component is not used.
To curb the noise of false positives when scanning an SBOM, software publishers can turn them off using VEX. But how can you trust a statement that turns off security alerts?
What is VEX? And What Are Its Benefits?
A piece of software can contain a component with a vulnerability yet not be vulnerable itself. This can, for instance, be the result of certain configuration settings that render the vulnerability inapplicable. This fact is the motivation behind VEX, which is a DHS initiative under Cybersecurity & Infrastructure Security Agency (CISA). Vulnerability Exploitability eXchange (VEX) is a data format that lets upstream software producers inform downstream software consumers whether a given vulnerability affects the software application in question.
With VEX, a human can let other people (and security scanners) know that a particular vulnerability affects a piece of software. VEX can also reverse a previous non-impact statement when applicable if, for example, a new library is linked or software is added to a project. Experts assessing impact can capture their findings, along with their reasoning, in a machine-readable format that tools down the stream can consume to make a final call on whether or not they should trust software.
Tomi Engdahl says:
Is ChatGPT a cybersecurity threat?
https://techcrunch.com/2023/01/11/chatgpt-cybersecurity-threat/
Tomi Engdahl says:
REST-Attacker – Designed As A Proof-Of-Concept For The Feasibility Of Testing Generic Real-World REST Implementations
https://www.kitploit.com/2023/01/rest-attacker-designed-as-proof-of.html?m=1
Tomi Engdahl says:
AppSec Tales II | Sign-in
https://pentestmag.com/appsec-tales-ii-sign-in/