Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome now attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP in the Chrome browser.

Malvertising: Cybercriminals impersonating brands through search engine advertisement services to defraud users will continue in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals purchase ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report finds the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully, you at least have endpoint protection in place for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a high or critical severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
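The missing or weak security headers mentioned above are easy to check mechanically. The following is an added example (not code from the original article): it audits a constructed set of response headers for the common hardening headers and flags weak values; the thresholds (a one-year HSTS max-age, DENY/SAMEORIGIN for X-Frame-Options) are assumed from common hardening guidance.

```python
"""Audit HTTP response headers for missing or weak security headers.

Added example, not from the original article. The header sets below are
constructed samples; the thresholds (one-year HSTS max-age, DENY/SAMEORIGIN
for X-Frame-Options) are common hardening guidance, assumed here.
"""
from typing import Dict, List

# Constructed: headers as an imaginary, weakly configured application returns them.
WEAK_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Server": "ExampleServer/1.2.3",
}

# Constructed: the same application after hardening.
HARDENED_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Server": "ExampleServer",
}

# Header -> why its absence matters.
REQUIRED = {
    "Strict-Transport-Security": "browsers keep using HTTPS for returning visitors",
    "Content-Security-Policy": "limits where scripts and other resources may load from",
    "X-Content-Type-Options": "stops MIME-type sniffing of responses",
    "X-Frame-Options": "blocks clickjacking by framing (or use CSP frame-ancestors)",
    "Referrer-Policy": "limits URL leakage to third parties",
}

ONE_YEAR = 31536000  # seconds


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return 0
    return 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name, why in REQUIRED.items():
        if name.lower() not in h:
            findings.append(f"missing {name}: {why}")
    # Weak values on headers that are present
    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age < ONE_YEAR:
            findings.append(f"weak Strict-Transport-Security: max-age={age} is below one year")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak X-Frame-Options: {h['x-frame-options']}")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append(f"weak X-Content-Type-Options: {h['x-content-type-options']}")
    if "server" in h and any(ch.isdigit() for ch in h["server"]):
        findings.append("information leak: Server header exposes a version string")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {len(audit_headers(hdrs))} finding(s)")
        for finding in audit_headers(hdrs):
            print("  -", finding)
```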

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in reviving known vulnerabilities before looking for novel ones. Many companies do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also being developed: approximately 50% of the 0-days observed in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments and individuals alike. Lack of knowledge, neglected maintenance of employees’ skills and indifference are the strongest obstacles to developing many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: At a hyperscale cloud provider there can be several thousand people, working around the globe, who could potentially access your data. Security screening and access limits alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique in which a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. The attempt can succeed, especially when the target is distracted or overwhelmed by the notifications or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
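The prompt-bombing pattern described above is visible in identity-provider logs, which is where defenders can catch it. The following detection logic is an added example, not code from the original article: it runs over constructed sample log lines (the `user=… event=mfa_push result=…` format is assumed for illustration; real providers use their own) and raises an alert both when a user receives a burst of push prompts and when a prompt is approved right after such a burst.

```python
"""Flag MFA push-notification bombing ("MFA fatigue") in authentication logs.

Added example, not from the original article. The log format below is
constructed for illustration; real identity providers use their own formats.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: alice is bombarded and finally approves; bob is normal.
SAMPLE_LOG = """\
2023-01-12T08:00:05Z user=alice event=mfa_push result=denied src=203.0.113.5
2023-01-12T08:00:41Z user=alice event=mfa_push result=timeout src=203.0.113.5
2023-01-12T08:01:20Z user=alice event=mfa_push result=denied src=203.0.113.5
2023-01-12T08:02:02Z user=alice event=mfa_push result=denied src=203.0.113.5
2023-01-12T08:02:45Z user=alice event=mfa_push result=approved src=203.0.113.5
2023-01-12T08:03:10Z user=bob event=mfa_push result=approved src=198.51.100.7
2023-01-12T08:03:30Z user=bob event=login result=success src=198.51.100.7
2023-01-12T09:30:00Z user=alice event=mfa_push result=approved src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_push_events(text: str) -> List[Dict]:
    """Keep only MFA push events; other event types and malformed lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "result": m["result"],
            "src": m["src"],
        })
    return events


def detect_mfa_fatigue(events: List[Dict], window_minutes: int = 10,
                       burst_threshold: int = 4, approval_after: int = 3) -> List[Dict]:
    """Two alert types per user, evaluated over a sliding time window:
    - prompt_burst: the window reaches burst_threshold push prompts (fired once per burst)
    - approval_after_burst: a prompt is approved after at least approval_after earlier
      prompts in the window, the classic sign that the user gave in."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            prior = [p for p in evs[:i] if e["ts"] - p["ts"] <= window]
            in_window = len(prior) + 1  # prompts in the window including this one
            if in_window == burst_threshold:
                alerts.append({"user": user, "kind": "prompt_burst",
                               "ts": e["ts"], "prompts": in_window})
            if e["result"] == "approved" and len(prior) >= approval_after:
                alerts.append({"user": user, "kind": "approval_after_burst",
                               "ts": e["ts"], "prompts": in_window})
    return alerts


def alerts_for(log_text: str) -> List[Dict]:
    """Convenience wrapper: parse a log and return the alerts it produces."""
    return detect_mfa_fatigue(parse_push_events(log_text))


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert)
```

An approval_after_burst alert is the one to act on first: the session it created should be treated as suspect until the user confirms they initiated the login.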

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it leaks out for some reason. The reason is that a comma in a password can break up tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
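The comma advice deserves a concrete check, so here is an added example (not code from the original article) using constructed credentials: it writes the records the careless way (plain string joins) and the proper way (the csv module, which quotes fields containing commas), then parses each back. The comma only damages the dump when both the writer and the reader ignore CSV quoting, so length and uniqueness remain the real protection.

```python
"""Does a comma in a password really hinder the use of leaked credential dumps?

Added example, not from the original article. The records below are constructed.
It contrasts a careless dump (plain string joins, naive split) with one that
uses real CSV quoting, which is where the trick stops helping.
"""
import csv
import io
from typing import Callable, List, Tuple

# Constructed sample credentials; not real accounts.
RECORDS: List[Tuple[str, str]] = [
    ("alice@example.com", "correct,horse,battery,staple"),
    ("bob@example.com", "plain-password-1"),
]


def dump_naive(records: List[Tuple[str, str]]) -> str:
    """Join fields with commas and no quoting, as a careless script would."""
    return "".join(f"{email},{password}\n" for email, password in records)


def dump_quoted(records: List[Tuple[str, str]]) -> str:
    """Write the same records with the csv module; fields containing commas get quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for email, password in records:
        writer.writerow([email, password])
    return buf.getvalue()


def parse_naive(text: str) -> List[Tuple[str, str]]:
    """Split on every comma and keep the first two columns."""
    rows = []
    for line in text.splitlines():
        if line:
            parts = line.split(",")
            rows.append((parts[0], parts[1]))
    return rows


def parse_csv(text: str) -> List[Tuple[str, str]]:
    """Parse with the csv module, honouring quoting."""
    return [(row[0], row[1]) for row in csv.reader(io.StringIO(text)) if row]


def password_survives(records: List[Tuple[str, str]],
                      dump: Callable[[List[Tuple[str, str]]], str],
                      parse: Callable[[str], List[Tuple[str, str]]]) -> bool:
    """True if every password comes back intact through dump + parse."""
    return parse(dump(records)) == list(records)


if __name__ == "__main__":
    for dump_name, dump in (("naive dump", dump_naive), ("quoted dump", dump_quoted)):
        for parse_name, parse in (("naive parse", parse_naive), ("csv parse", parse_csv)):
            ok = password_survives(RECORDS, dump, parse)
            print(f"{dump_name} + {parse_name}: passwords intact = {ok}")
```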

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022, and they will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors will fall under the legislation. The NIS Directive has already affected operators’ cybersecurity budgets over the past year, with deep-dives into the energy and health sectors. Read more at Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT poses serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is close to an optimal security practice in 2023. It is a good fit for new systems that suit its model, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. To do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. It securely automates the exchange of a user identity between cloud applications, diverse networks and service providers.

Poor software: A lot of poor software will be in use in 2023, and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks exploiting existing vulnerabilities, complex issues in the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail; the long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available on websites that support them, via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: The AWS Elastic IP transfer feature gives cyberattackers free range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, secret scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
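To show what secret scanning does under the hood, here is an added example (not GitHub’s code and not from the original article): a minimal scanner that runs a few detectors over a constructed in-memory repository and reports redacted matches. The AWS key used is the placeholder published in AWS documentation, the GitHub token is made up, and the private-key file contains no key material.

```python
"""A minimal secret scanner of the kind GitHub runs over public repositories.

Added example, not GitHub's code. The repository contents below are constructed;
the AWS key is the placeholder published in AWS documentation and the GitHub
token is made up. Matches are redacted before reporting so the alert itself does
not leak the secret.
"""
import re
from typing import Dict, List

# Detector name -> pattern. The AKIA and ghp_ prefixes are the documented formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Constructed sample repository (path -> file text).
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": "DB_PASSWORD = 'hunter2hunter2'\nDEBUG = True\n",
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=eu-north-1\n",
    "scripts/deploy.sh": (
        "curl -H 'Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz' "
        "https://api.github.com/user\n"
    ),
    "deploy_key.pem": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed placeholder, no key material)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Set PASSWORD in your environment; never commit it.\n",
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable, mask the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str) -> List[Dict]:
    """Run every detector over every line of one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "match": redact(m.group(0))})
    return findings


def scan_repo(repo: Dict[str, str]) -> List[Dict]:
    """Scan all files; returns findings in path order."""
    findings = []
    for path, text in repo.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['match']}")
```

The README line mentioning PASSWORD is deliberately not flagged: a detector that fires on every occurrence of the word is the kind of noise that makes teams ignore alerts.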

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard brings a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST retires the SHA-1 cryptographic algorithm, not fully in 2023, but preparations for the phase-out start. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed many cryptocurrency-related risks being realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance may become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now say cyber is the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale attacks. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some insurance policies already written in the market have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka (Finnish: “Expert advises using a comma in your password – there is a clever logic behind it”)

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Yritysten kyberturvassa edelleen isoja aukkoja – Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta (Finnish: “Companies’ cyber security still has big gaps – Expert: it is even a matter of national security”)

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset (Finnish: “NIS2 approved – stricter cyber security requirements for EU countries”)

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldn’t Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

Kyberturvan ammattilaisista on huutava pula (Finnish: “There is an acute shortage of cyber security professionals”)

Is Enterprise VPN on Life Support or Ripe for Reinvention?

1,768 Comments

  1. Tomi Engdahl says:

    OWASP SwSec 5D Tool Provides SDLC Maturity Ratings, Aids Software Supply Chain
    https://www.securityweek.com/owasp-swsec-5d-tool-provides-sdlc-maturity-ratings-aids-software-supply-chain/

    SwSec 5D framework aims to provide a roadmap for secure software development, and its use would help improve security in the software supply chain.

    The Open Source Foundation for Application Security (OWASP) announced a five-dimensional secure software development maturity reference framework (SwSec 5D) in May 2023. Its function is to provide a roadmap for secure software development, and its use would help improve security in the software supply chain.

    The project lead for the OWASP SwSec 5D is Matteo Meucci, CEO at IMQ Minded Security. The company is an SDLC consulting firm, and Meucci has worked with OWASP since 2002. The five-dimensional approach to SDLC was conceived by IMQ Minded Security, donated to OWASP in 2018, and since then refined for release by OWASP.

    Meucci believes there are five separate dimensions in secure development, and that all five must be adequately satisfied.

    The five dimensions are processes, testing, team, awareness, and standards. The SwSec 5D model is a framework and tool for meeting and measuring a firm’s maturity in these five dimensions. The framework is described in the OWASP Software Security 5D Framework document (PDF download), and the tool delivering the maturity assessment is an online Google Form. The maturity measurement process can be performed in just a couple of hours, weaknesses highlighted, and improvements implemented.

    PROCESSES are those processes used to manage security risks throughout the SDLC, such as risk assessment, security requirements, threat modeling, security design, software acceptance, and security bug fixing.

    The TEAM dimension describes the personnel functions required for secure development, such as AppSec managers or CISOs, security champions, AppSec specialists, satellite architects, satellite developers, and satellite auditors.

    The AWARENESS dimension focuses on the awareness and training of the team members involved in the software development life cycle.

    The TESTING dimension focuses on testing and evaluating the software, including the use of tools such as SAST, DAST, IAST and RASP. Manual testing should be provided through a security code review and penetration testing.

    The STANDARDS dimension focuses on the use of existing development standards, such as the OWASP SAMM model.

    The maturity assessment is delivered through a simple questionnaire and scored by the responses (example question: “Are most of your applications and resources categorized by risk?”). Each response is given a score ranging from 0 to 3, and a fully mature secure SDLC will return a mean value of three.

    Meucci and OWASP believe that an effective secure SDLC requires demonstrable maturity in all five dimensions. The SwSec 5D maturity model will help companies achieve greater security in their own internal developments, but will also aid the software supply chain by quantifying the security maturity of bought-in web applications.

    https://raw.githubusercontent.com/OWASP/www-project-software-security-5d-framework/4c4ea93b21ebec6ace6e26be0f66b5dda9c327cf/assets/images/OWASP%20SwSec%205D%20Framework%20v1.pdf

  2. Tomi Engdahl says:

    Hackers backed by North Korea have stolen billions of dollars in crypto over the last five years.
    https://www.pandasecurity.com/en/mediacenter/security/north-korea-stolen-crypto/

    The dictatorship has been looking for ways to decrease the impact of the sanctions imposed by Western nations, and stealing crypto has proven to be an effective way to get funds. Wall Street Journal first reported the story and said that approximately half of the country’s ballistic missile program is funded with stolen crypto assets.

    The hackers have developed a list of sophisticated tricks that allow them to weasel their way into the networks of possible targets, including companies and wealthy people.

    Sometimes a North Korean hacker would pose as a recruitment officer to get an employee’s attention. The cybercriminal would then share an infected file with the unsuspecting company employee. The malicious code would then be used as a backdoor for the hackers to get into the targeted company’s network and launch an attack on the enterprise.

  3. Tomi Engdahl says:

    Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders https://blog.talosintelligence.com/researcher-spotlight-gergana-talos-ir/

    Gergana Karadzhova-Dangela is used to being with users during some of their toughest moments.

    Today, she spends much of her time responding to active cybersecurity incidents with Cisco Talos Incident Response, helping customers work through active attacks, many of which put personal data or sensitive information at risk.

    And while admittedly less high stakes, her first job in IT at Mount Holyoke College in a small town in Massachusetts prepared her for this.

    There, she had an information technology support job with the college where she would help service students’ computers — many showed up in tears worried they’d lost the entirety of an important project or paper.

    Reply
  4. Tomi Engdahl says:

    A Cybersecurity Wish List Ahead of NATO Summit

    Assuming NATO can play a greater part in the cybersecurity of its members, possibly through a more formal NATO Cyber Command, the question then becomes ‘what should we hope for?’

    https://www.securityweek.com/a-cybersecurity-wish-list-ahead-of-nato-summit/

    Reply
  5. Tomi Engdahl says:

    Privacy
    Europe Signs Off on a New Privacy Pact That Allows People’s Data to Keep Flowing to US
    https://www.securityweek.com/europe-signs-off-on-a-new-privacy-pact-that-allows-peoples-data-to-keep-flowing-to-us/

    The EU signed off on a new agreement over the privacy of people’s personal information that gets pinged across the Atlantic, aiming to ease European concerns about electronic spying by American intelligence agencies.

    The European Union signed off Monday on a new agreement over the privacy of people’s personal information that gets pinged across the Atlantic, aiming to ease European concerns about electronic spying by American intelligence agencies.

    The EU-U.S. Data Privacy Framework has an adequate level of protection for personal data, the EU’s executive commission said. That means it’s comparable to the 27-nation bloc’s own stringent data protection standards, so companies can use it to move information from Europe to the United States without adding extra security.

    U.S. President Joe Biden signed an executive order in October to implement the deal after reaching a preliminary agreement with European Commission President Ursula von der Leyen. Washington and Brussels made an effort to resolve their yearslong battle over the safety of EU citizens’ data that tech companies store in the U.S. after two earlier data transfer agreements were thrown out.

    “Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations,” EU Justice Commissioner Didier Reynders said at a press briefing in Brussels.

    Reply
  6. Tomi Engdahl says:

    Cloudflare, Palo Alto Networks and Zscaler tumble as Microsoft expands in cybersecurity
    https://www.cnbc.com/2023/07/12/palo-alto-networks-and-zscaler-tumble-as-microsoft-expands-in-security.html

    KEY POINTS
    Microsoft introduced products under the Secure Service Edge umbrella.
    Some analysts cautioned that it’s early for the new products. Pricing information isn’t available yet.

    Reply
  7. Tomi Engdahl says:

    Microsoft Edge users now have 5GB of free built-in VPN
    https://www.neowin.net/news/microsoft-edge-users-now-have-5gb-of-free-built-in-vpn/

    In addition to features that may raise an eyebrow or two at first glance, Microsoft Edge has many excellent tools that improve your browsing experience. Edge VPN (powered by CloudFlare) is one such feature, and, as the name implies, it is a straightforward one-click VPN service that can help you reclaim a bit of your privacy.

    Until recently, Edge VPN offered only 1GB of free data, which is too little for modern browsing. Now Microsoft has confirmed that the default quota has been increased to a more comfortable level.

    Reply
  8. Tomi Engdahl says:

    Here is how to ditch passwords: adopt a passkey, which will soon work everywhere on the internet https://www.is.fi/digitoday/tietoturva/art-2000009645720.html

    Reply
  9. Tomi Engdahl says:

    Google Disables Internet Access for Thousands of Its Employees
    It’s an experiment to try and reduce the risk of cyberattacks.
    https://uk.pcmag.com/security/147817/google-disables-internet-access-for-thousands-of-its-employees

    Reply
  10. Tomi Engdahl says:

    HACKERS CREATE CHATGPT RIVAL WITH NO ETHICAL LIMITS
    By Sharon Adarlo
    https://futurism.com/the-byte/chatgpt-rival-no-guardrails

    Reply
  11. Tomi Engdahl says:

    SlashNext employees found out about WormGPT on a hacker forum, where the developer has been selling access to the bot since March and boasting that it can do “all sorts of illegal stuff.”

    Reply
  12. Tomi Engdahl says:

    Cybersecurity advice for boards: Pursue growth in an environment of escalating cyber threats
    http://shared.sponsoredcontent.com/article/557669

    Reply
  13. Tomi Engdahl says:

    The Biden administration is tackling smart devices with a new cybersecurity label / The US Cyber Trust Mark would require smart products to meet certain thresholds, including ongoing software security support, to qualify for the program
    https://www.theverge.com/2023/7/18/23798153/fcc-cyber-trust-mark-biden-security

    The Biden administration is launching a new cybersecurity label for smart devices today.

    https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/

    Reply
  14. Tomi Engdahl says:

    Researchers find deliberate backdoor in police radio encryption algorithm
    https://www.wired.com/story/tetra-radio-encryption-backdoor/

    Reply
  15. Tomi Engdahl says:

    The system you are talking about could be the digital coffee pot… What is the business process that the system supports? If you understand the organisation and understand the business process that sits on top of that system, to the extent that you can provide a ballpark figure of the cost of a compromise, they will patch, update or change the system. Cyber is all about money and regulation, and, if you work with industrial control systems, safety.

    Reply
  16. Tomi Engdahl says:

    How to Fake a GPS Location on Your Phone
    Change your iPhone or Android location to anywhere in the world
    https://www.lifewire.com/fake-gps-location-4165524

    Changing the location on your iPhone or Android device involves tricking your phone into telling apps that you’re located somewhere you’re not. In most cases, when you spoof your GPS location, every location-based app on your phone will be fooled.

    This might seem like a weird thing to do, since most of us use GPS for tasks that need our real location, like when finding directions and weather updates. However, there are legitimate reasons to change your phone’s location to a fake one.

    Unfortunately, doing so isn’t very straightforward. There isn’t a “fake GPS location” setting built in to either iOS or Android, and neither do most apps let you spoof your location through a simple option.

    Android Location Spoofing
    Search for “fake GPS” on Google Play, and you’ll find tons of options, some free and others not, and some that require your phone to be rooted.

    One app that doesn’t need your phone to be rooted—so long as you’re using Android 6.0 or newer—is called FakeGPS Free, and it’s really easy to use it to fake your Android phone location.

    If you’re interested in trying a different Android location spoofer, we’ve confirmed that the following free location changing apps work much like FakeGPS Free: Fake GPS, Fly GPS, and Fake GPS Location.

    Another method is to use Xposed Framework. You can install an app, such as Fake My GPS, to let certain apps use the pretend location and others use your real location.

    iPhone Location Spoofing
    Faking your iPhone location isn’t as easy as it is on an Android device—you can’t just download an app for it. However, software makers have built desktop programs that make this easy.

    Fake iPhone or iPad Location With 3uTools
    3uTools is the best way to fake your iPhone or iPad location because the software is free, and we’ve confirmed that it works with iOS and iPadOS 16.

    Reply
  17. Tomi Engdahl says:

    ESRB wants to scan kids’ faces to enforce game ratings
    The controversial move would employ age estimation software to police who can play M-rated games and above.
    https://www.pcworld.com/article/2007644/esrb-plans-to-scan-kids-faces-to-enforce-ratings-system.html

    The Entertainment Software Rating Board, better known as the ESRB, is the self-regulating body for video games in the United States. It’s the organization responsible for those E, T, and M ratings you see on video game boxes. Apparently the Board is preparing to not only rate games to inform parents about their content, but enforce who plays them directly. A new proposal to the FTC will actually scan players’ faces and determine via software how old they are, keeping “M for Mature” and “Adults Only” games out of the hands (or at least the controllers) of minors.

    The 24-page proposal is being made in cooperation with SuperAwesome, a software subsidiary of ESRB member Epic Games, along with Yoti, a firm that specialized in age verification. According to a report from GamesIndustry.biz, the proposed system would ask the user to take a photo of their face (presumably either with a device’s built-in camera, like a phone or webcam, or upload one via an app), check for a live human presence, and then submit the photo for “estimation” of age.

    Why put in such a complex system, when the E-M rating is supposed to inform parents’ game-buying decisions already? The document says that the system is being built to comply with the Children’s Online Privacy Protection (COPPA) rule put in place by the FTC. But that rule was implemented way back in 1998 — it’s the reason most online services require you to affirm your age, checking whether you’re at least 13 before using it.

    The ESRB proposal says that the risk is “easily outweighed” by the benefits. What risk? That’s covered by another portion of the document: “Images are immediately, permanently deleted, and not used by Yoti for training purposes.” Something tells me that parents and privacy groups are going to have an issue with a system that takes thousands or millions of pictures of children’s faces, no matter how many platitudes are offered. We’ll see whether the FTC will have the same objections.

    Reply
  18. Tomi Engdahl says:

    Google rolls out ‘unknown tracker alerts’ for unknown Bluetooth tracking devices: Here’s everything you need to know
    https://www.techlusive.in/news/google-rolls-out-unknown-tracker-alerts-for-unknown-bluetooth-tracking-devices-heres-everything-you-need-to-know-1394075/

    Android users can also use their Android device to scan for trackers by themselves and get a guide on how to deal with them

    Story Highlights
    Google has started to roll out unknown tracker alerts.
    Android will alert users when an unknown Bluetooth device is near them.
    Google first revealed the feature at the I/O 2023 event.

    Android users will get an alert automatically if an unknown Bluetooth device is moving along with them. In addition to this, they can also use their Android device to scan for trackers by themselves and get a guide on how to deal with them if they find any tracking devices.

    This is a very useful feature, as various reports have shown that Bluetooth tracking devices are being misused for stalking and other illegal activities. Apple gradually addressed this issue and introduced new privacy warnings and alerts in its devices.

    What to do if a tracker is found?
    Android users can then click on the notification to see a map of where the tracker was detected following them. They will also be able to make the tracker beep, which will help them find the device. And, once the device is located, users can hold it close to the back of their phone to learn more. Some devices will show their serial number or some details about the owner.

    Android users will also get advice on how to turn off the Bluetooth device so the owner can’t follow them and get more updates from the tracker.

    In addition to this, Android users can also check their surroundings by themselves if they think a Bluetooth tracker might be around. This manual scan can be started by going to Android’s Settings, then “Safety & Emergency” and then tapping on the option “Unknown tracker alerts” and clicking on the “Scan Now” button.

    Moreover, Google and Apple also collaborated in May to create a common standard for how users can be warned about Bluetooth devices tracking them without their consent. The standard is likely to be ready by the year’s end. In the meantime, Google seems to have introduced its own specification to protect Android users.

    Google also said at I/O 2023 that it would update its Find My Device network to help users find other lost things, such as headphones, phones and everyday items. However, these updates are delayed because Google is now collaborating with Apple to finish the common unwanted tracker alert standard by the end of the year.

    Reply
  19. Tomi Engdahl says:

    As cybersecurity evolves, organizations must adapt to the ever-changing threat landscape to protect their critical assets. In this webinar, we will delve into two emerging paradigms in cybersecurity: SASE (secure access service edge) and zero trust architecture. SASE represents a transformational approach to network security that consolidates networking and security functions. It aims to provide secure access to applications and resources, regardless of the user’s location, while reducing management complexity. On the other hand, zero trust architecture challenges the traditional security perimeter by assuming that no user or device can be trusted by default, requiring continuous verification and authentication to all resources. It shifts the focus from perimeter-based security to a more granular and dynamic approach, minimizing the attack surface while preventing lateral network movement.

    Reply
  20. Tomi Engdahl says:

    Visibility of open source vulnerabilities is now a bigger challenge than ever before, as open source libraries have become a growing target for hackers. With software developers freely pulling components from public repositories, how do security leaders keep track of what’s in their environments?

    Reply
  21. Tomi Engdahl says:

    Josh Ye / Reuters:
    China plans to require app developers to file business details with the government or face sanctions from March 2024, likely creating headaches for developers

    China to require all apps to share business details in new oversight push
    https://www.reuters.com/world/china/china-require-all-apps-share-business-details-new-oversight-push-2023-08-09/

    HONG KONG, Aug 9 (Reuters) – China will require all mobile app providers in the country to file business details with the government, its information ministry said, marking Beijing’s latest effort to keep the industry on a tight leash.

    The Ministry of Industry and Information Technology (MIIT) said late on Tuesday that apps without proper filings will be punished after the grace period that will end in March next year, a move that experts say would potentially restrict the number of apps and hit small developers hard.

    You Yunting, a lawyer with Shanghai-based DeBund Law Offices, said the order is effectively requiring approvals from the ministry. The new rule is primarily aimed at combating online fraud, but it will have an impact on all apps in China, he said.

    Rich Bishop, co-founder of app publishing firm AppInChina, said the new rule is also likely to affect foreign-based developers which have been able to publish their apps easily through Apple’s (AAPL.O) App Store without showing any documentation to the Chinese government.

    Bishop said that in order to comply with the new rules, app developers now must either have a company in China or work with a local publisher.

    Reply
  22. Tomi Engdahl says:

    Google warns again it will start deleting inactive accounts in December https://www.bleepingcomputer.com/news/google/google-warns-again-it-will-start-deleting-inactive-accounts-in-december/

    In emails sent over the weekend, Google warned customers again that it would start deleting inactive accounts on December 1st, 2023.

    The company will only enforce this rule for accounts that haven’t been used or signed into within two years but will first notify the users their accounts are eligible for deletion.

    Reply
  23. Tomi Engdahl says:

    Multiple Chinese APTs establish major beachheads inside US infrastructure https://arstechnica.com/security/2023/08/multiple-chinese-apts-establish-major-beachheads-inside-us-infrastructure/

    Hacking teams working for the Chinese government are intent on burrowing into the farthest reaches of US infrastructure and establishing permanent presences there if possible. In the past two years, they have scored some wins that could seriously threaten national security.

    Reply
  24. Tomi Engdahl says:

    EU looks the other way as Greek spyware mess heralds more trouble https://www.euractiv.com/section/law-enforcement/news/eu-looks-the-other-way-as-greek-spyware-mess-heralds-more-trouble/

    communicating with their European peers, according to the latest findings. But EU institutions insist on considering the matter a national affair.

    Ninety-two Greeks, including politicians, ministers, and journalists, have received infected SMS associated with the Predator spyware, the Greek Data Protection Authority said on Thursday (27 July).

    Reply
  25. Tomi Engdahl says:

    How to manage a mass password reset due to a ransomware attack https://www.bleepingcomputer.com/news/security/how-to-manage-a-mass-password-reset-due-to-a-ransomware-attack/

    Interrupted classes, disrupted planning, and postponed events – IT outages have a big impact on modern university life. But as challenging as a typical IT outage may be, ransomware-induced downtime adds a whole new dimension of anxiety for IT teams.

    Reply
  26. Tomi Engdahl says:

    CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities https://www.cisa.gov/news-events/alerts/2023/08/01/cisa-and-international-partner-ncsc-no-release-joint-cybersecurity-advisory-threat-actors-exploiting

    The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

    Reply
  27. Tomi Engdahl says:

    USB drive malware attacks spiking again in first half of 2023
    https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/

    What’s old is new again, with researchers seeing a threefold increase in malware distributed through USB drives in the first half of 2023.

    A new report by Mandiant outlines how two USB-delivered malware campaigns have been observed this year; one named ‘Sogu,’ attributed to a Chinese espionage threat group ‘TEMP.HEX,’ and another named ‘Snowydrive,’ attributed to UNC4698, which targets oil and gas firms in Asia.

    Reply
  28. Tomi Engdahl says:

    Australian Senate committee recommends further bans on Chinese social media apps https://www.theregister.com/2023/08/02/australia_foreign_interference_social_report/

    WeChat accused of ‘contempt for Parliament’ as transparency rules floated for all social media. An Australian Senate Committee has recommended banning Chinese social media apps in the land down under, on grounds the Communist Party of China uses them to spread propaganda and misinformation.

    Reply
  29. Tomi Engdahl says:

    Finland sees fourfold spike in ransomware attacks since joining NATO, senior cyber official says https://therecord.media/finland-sees-fourfold-spike-in-rasomware-attacks-nato

    Ransomware attacks targeting Finnish organizations have increased four-fold since the Nordic country began the process of joining NATO last year, according to a senior official.

    In an interview with Recorded Future News on Thursday, Sauli Pahlman, the deputy director general for Finland’s National Cyber Security Centre (NCSC), cautioned that “correlation doesn’t equal causality,” but said he believed the surge in cases was linked to geopolitics.

    Reply
  30. Tomi Engdahl says:

    China floats strict screentime limits and content crimps for kids https://www.theregister.com/2023/08/03/china_kids_internet_restrictions_plan/

    The Chinese government has floated a plan to limit the amount of time minors can spend using electronic devices and the content they can access, plus a plan to ensure the nation’s entire content ecosystem produces age-appropriate material.

    The plan, outlined on Tuesday by the Central Cyberspace Affairs Commission, proposes that devices used by kids – including smartphones, tablet computers, smart watches and other wearables – include a “minor mode” that parents can enable.

    Reply
  31. Tomi Engdahl says:

    How Malicious Android Apps Slip Into Disguise https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-disguise/

    Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

    Reply
  32. Tomi Engdahl says:

    FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022 https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/

    In collaboration with CISA, the NSA, and the FBI, Five Eyes cybersecurity authorities have issued today a list of the 12 most exploited vulnerabilities throughout 2022.

    Cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom called on organizations worldwide to address these security flaws and deploy patch management systems to minimize their exposure to potential attacks.

    Reply
  33. Tomi Engdahl says:

    Brit healthcare body rapped for WhatsApp chat sharing patient data https://www.theregister.com/2023/08/03/nhs_ico_warning/

    Staff at NHS Lanarkshire – which serves over half a million Scottish residents – used WhatsApp to swap photos and personal info about patients, including children’s names and addresses.

    Following a probe, the UK Information Commissioner’s Office (ICO) has now issued a heavily redacted official reprimand to the organization, which oversees three hospitals plus clinics and more across rural and urban Lanarkshire in the Central Lowlands of Scotland. It said a group chat created in March 2020 – just as the UK government issued the first COVID lockdown – was in breach of Article 58 of the UK GDPR.

    Reply
  34. Tomi Engdahl says:

    670 ICS Vulnerabilities Disclosed by CISA in First Half of 2023: Analysis
    https://www.securityweek.com/670-ics-vulnerabilities-disclosed-by-cisa-in-first-half-of-2023-analysis/

    CISA disclosed 670 ICS vulnerabilities in the first half of 2023, but roughly one-third have no patches or mitigations from the vendor.

    The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed 670 vulnerabilities affecting industrial control systems (ICS) and other operational technology (OT) products in the first half of 2023, according to industrial asset and network monitoring company SynSaber.

    SynSaber’s analysis, conducted in collaboration with the ICS Advisory Project, shows that CISA published 185 ICS advisories in the first half of 2023, down from 205 in the first half of 2022. The number of vulnerabilities covered in these advisories dropped by 1.6% in H1 2023 compared to H1 2022.

    More than 40% of the flaws impact software and 26% affect firmware. OEMs continued to report most of these vulnerabilities — more than 50% — followed by security vendors (28%) and independent researchers (9%).

    Critical manufacturing and energy are the critical infrastructure sectors most likely to be impacted by the CVEs reported in the first half of 2023.

    Of the CVEs disclosed in H1 2023, 88 have been rated ‘critical’ and 349 have been rated ‘high severity’. More than 100 flaws require both local/physical access to the targeted system and user interaction, and 163 require some type of user interaction, regardless of network availability.

    Thirty-four percent of the reported vulnerabilities don’t have a patch or remediation available from the vendor, up from 13% in the first half of 2022, but roughly the same as in the second half of 2022.

    https://14520070.fs1.hubspotusercontent-na1.net/hubfs/14520070/Collateral/SynSaber+ICS-Advisory-Project_ICS-Vulnerabilities_First-Half-2023.pdf

    Reply
  35. Tomi Engdahl says:

    These Are the Top Five Cloud Security Risks, Qualys Says
    https://www.securityweek.com/these-are-the-top-five-cloud-security-risks-qualys-says/

    Cloud security specialist Qualys has provided its view of the top five cloud security risks, drawing insights and data from its own platform and third parties.

    The five key risk areas are misconfigurations, external-facing vulnerabilities, weaponized vulnerabilities, malware inside a cloud environment, and remediation lag (that is, delays in patching).

    The 2023 Qualys Cloud Security Insights report (PDF) provides more details on these risk areas. It will surprise no-one that misconfiguration is the first. As long ago as January 2020, the NSA warned that misconfiguration is a primary risk area for cloud assets – and little seems to have changed. Both Qualys and the NSA cite misunderstanding or avoidance of the concept of shared responsibility between cloud service providers (CSP) and cloud consumers as a primary cause of misconfiguration.

    Qualys finds that misconfiguration (measured against the CIS benchmarks) is present in 60% of Google Cloud Platform (GCP) usage, 57% of Azure, and 34% of Amazon Web Services (AWS).

    Travis Smith, VP of the Qualys threat research unit, suggests, “The reason AWS configurations are more secure than their counterparts at Azure and GCP can likely be attributed to the larger market share… there is more material on securing AWS compared to other CSPs in the market.”

    The report urges greater use of the Center for Internet Security (CIS) benchmarks to harden cloud environments. “No organization will deploy 100% coverage,” adds Smith, “but the [CIS benchmarks mapped to the MITRE ATT&CK tactics and techniques] should be strongly considered as a baseline if organizations want to reduce the risk of experiencing a security incident in their cloud deployments.”

    The second big risk comes from external facing assets that contain a known vulnerability. Cloud assets with a public IP can be scanned by attackers looking for vulnerabilities. Log4Shell, an external facing vulnerability, is used as an example. “Today, patches exist for Log4Shell and its known secondary vulnerabilities,” says Qualys. “But Log4Shell is still woefully under remediated with 68.44% of detections being unpatched on external-facing cloud assets.”

    Log4Shell also illustrates the third risk: weaponized vulnerabilities. “The existence of weaponized vulnerabilities is like handing anyone a key to your cloud,”

    The fourth risk is the presence of malware already in your cloud. While this doesn’t automatically imply ‘game over’, it will be soon if nothing is done. “The two greatest threats to cloud assets are cryptomining and malware; both are designed to provide a foothold in your environment or facilitate lateral movement,” says the report. “The key damage caused by cryptomining is based on wasted cost of compute cycles.”

    While this may be true for miners, it is worth remembering that the miners found a way in. In short, if you find a cryptominer in your cloud, start looking for additional malware, and find and fix the miner’s route in.

    The fifth risk is slow vulnerability remediation – that is, an overlong patch timeframe. We have already seen that Log4Shell has a remediation time of more than 136 days, if it is done at all. The same general principle will apply to other patchable vulnerabilities.

    Effective patching quickly lowers the quantity of vulnerabilities in your system and improves your security. Statistics show that this is more effectively performed by some automated method. “In almost every instance,” says the report, “automated patching proves to be a more effective remediation path than hoping manual efforts will effectively deploy critical patches and keep your business safer.”

    For non-Windows systems, the effect of automated patching is an 8% improvement in the patch rate, and a two-day reduction in the time to remediate.

    Related to the remediation risk is the concept of technical debt – the continued use of end-of-support (EOS) or end-of-life (EOL) products. These products are no longer supported by the supplier – there will be no patches to implement, and future vulnerabilities will automatically become zero day threats unless you can otherwise remediate.

    “More than 60 million applications discovered during our investigation are end-of-support (EOS) and end-of-life (EOL),” notes the report. Furthermore, “During the next 12 months, more than 35,000 applications will go end-of-support.”

    Reply
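As an added example (not from the SecurityWeek article or the Qualys report), here is a Python sketch of how the five risk areas above can be turned into a remediation order, together with the report’s two headline metrics: the unpatched rate of a vulnerability on external-facing assets and the time to remediate. The inventory, asset names, dates and CIS failure counts are constructed for the example; only CVE-2021-44228 (Log4Shell) is a real identifier. Rather than invented weights, the ordering uses a priority tuple so that the order follows the risk areas directly.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class Finding:
    cve: str
    disclosed: date            # date the vulnerability became public
    weaponized: bool           # public exploit or in-the-wild exploitation
    patched: Optional[date] = None


@dataclass
class Asset:
    name: str
    public_ip: bool            # reachable from the internet
    cis_failures: int          # failed CIS benchmark checks (misconfiguration)
    findings: List[Finding] = field(default_factory=list)
    malware: bool = False      # cryptominer or other malware already present
    eol: bool = False          # end-of-support / end-of-life software


def open_findings(asset: Asset) -> List[Finding]:
    return [f for f in asset.findings if f.patched is None]


def priority(asset: Asset, today: date):
    """Sort key for remediation order. A tuple is used instead of weighted
    scores so the order follows the risk areas directly: malware already
    inside first, then internet-facing assets with weaponized open
    vulnerabilities, then any internet-facing open vulnerability, then
    unsupported (EOL) software, then age of the oldest unpatched finding
    (remediation lag), then misconfiguration count."""
    opens = open_findings(asset)
    oldest_days = max(((today - f.disclosed).days for f in opens), default=0)
    return (
        asset.malware,
        asset.public_ip and any(f.weaponized for f in opens),
        asset.public_ip and bool(opens),
        asset.eol,
        oldest_days,
        asset.cis_failures,
    )


def remediation_order(assets: List[Asset], today: date) -> List[str]:
    ranked = sorted(assets, key=lambda a: priority(a, today), reverse=True)
    return [a.name for a in ranked]


def unpatched_rate(assets: List[Asset], cve: str, external_only: bool = True) -> float:
    """Percentage of assets carrying `cve` that are still unpatched
    (the 68.44 % Log4Shell figure quoted above is this kind of metric)."""
    pool = [f for a in assets if (a.public_ip or not external_only)
            for f in a.findings if f.cve == cve]
    if not pool:
        return 0.0
    return round(100 * sum(f.patched is None for f in pool) / len(pool), 2)


def median_days_to_patch(assets: List[Asset]):
    """Median disclosure-to-patch time over everything that was patched."""
    days = [(f.patched - f.disclosed).days
            for a in assets for f in a.findings if f.patched]
    return median(days) if days else None


# Constructed inventory (hypothetical assets and dates).
TODAY = date(2023, 8, 1)
LOG4SHELL = "CVE-2021-44228"   # Log4Shell, disclosed 2021-12-10
D = date(2021, 12, 10)

INVENTORY = [
    Asset("web-frontend", public_ip=True, cis_failures=3,
          findings=[Finding(LOG4SHELL, D, weaponized=True)]),
    Asset("batch-worker", public_ip=False, cis_failures=12, malware=True,
          findings=[Finding(LOG4SHELL, D, weaponized=True, patched=date(2022, 1, 20))]),
    Asset("legacy-api", public_ip=True, cis_failures=5, eol=True,
          findings=[Finding(LOG4SHELL, D, weaponized=True, patched=date(2022, 3, 1))]),
    Asset("analytics-db", public_ip=False, cis_failures=1,
          findings=[Finding(LOG4SHELL, D, weaponized=True, patched=date(2022, 6, 15))]),
]

if __name__ == "__main__":
    print("remediation order:", remediation_order(INVENTORY, TODAY))
    print("Log4Shell unpatched on external assets:",
          unpatched_rate(INVENTORY, LOG4SHELL), "%")
    print("median days to patch:", median_days_to_patch(INVENTORY))
```

The host with malware on it sorts first even though it is internal and patched, because the miner proves an entry path exists; the internet-facing host with an open weaponized vulnerability comes next. Real inventories would feed these fields from the CSP’s asset API, a CIS benchmark scanner and a vulnerability scanner instead of the constructed list.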
  36. Tomi Engdahl says:

    Five Eyes Agencies Call Attention to Most Frequently Exploited Vulnerabilities
    https://www.securityweek.com/five-eyes-agencies-call-attention-to-most-frequently-exploited-vulnerabilities/

    Five Eyes government agencies have published a list of the software vulnerabilities that were most frequently exploited in malicious attacks in 2022.

    Reply
  37. Tomi Engdahl says:

    Cyberattacks on governments and public services were way up this spring, research shows https://therecord.media/cyberattacks-on-governments-way-up

    Cyberattacks on governments and public entities worldwide surged by 40% from March to May compared to the previous quarter, according to researchers at the cybersecurity firm BlackBerry.

    During this period, researchers identified more than 55,000 attacks carried out by nation-state and financially motivated hackers. Government entities in North America, Australia, South Korea, and Japan were the most heavily targeted.

    Reply
  38. Tomi Engdahl says:

    Ransomware attacks cost manufacturing sector $46 billion in downtime since 2018, report claims https://www.tripwire.com/state-of-security/ransomware-attacks-cost-manufacturing-sector-46-billion-downtime-2018-report

    Newly-released research reveals the eye-watering costs that the manufacturing sector has suffered in recent years at the hands of ransomware. The analysis, by Comparitech, looked at 478 confirmed ransomware attacks on manufacturing companies between 2018 and July 2023, in an attempt to determine their true cost.

    Whereas many of the headlines connected with ransomware have focused on the ransoms demanded by cybercriminal gangs, Comparitech’s research also explored the cost of downtime – with day-to-day operations impacted, and production lines sometimes brought to a standstill meaning that customer orders cannot be fulfilled.

    Reply
  39. Tomi Engdahl says:

    Teach a Man to Phish and He’s Set for Life https://krebsonsecurity.com/2023/08/teach-a-man-to-phish-and-hes-set-for-life/

    KrebsOnSecurity goes through a phishing message received by an anonymous reader of the blog. The phishing site was made to appear as if it were part of a mailbox delivery report from Microsoft 365 about messages that had failed to deliver.

    The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within Unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.

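The comment above describes an attachment name that uses the Unicode right-to-left override (U+202E) so that a renderer displays a different extension than the one the operating system actually uses. The following is an added example written for this page, not code from KrebsOnSecurity or from the original comment: a small Python check that a mail gateway or file-scanning job could run over attachment names. It flags any Unicode bidirectional control character, approximates what a naive renderer would display, and reports both the apparent and the real extension. The filename used for the demo is constructed here for illustration.

```python
import unicodedata

# Unicode bidirectional control characters. None of these belongs in an
# ordinary attachment name, so any occurrence is worth flagging, not only U+202E.
BIDI_CONTROLS = {
    "\u202a",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c",  # POP DIRECTIONAL FORMATTING
    "\u202d",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE (the RLO character from the article)
    "\u2066",  # LEFT-TO-RIGHT ISOLATE
    "\u2067",  # RIGHT-TO-LEFT ISOLATE
    "\u2068",  # FIRST STRONG ISOLATE
    "\u2069",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(name):
    """Return (index, Unicode character name) for every bidi control in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_view(name):
    """Approximate how a naive renderer displays the name.

    The run following a U+202E is shown reversed, up to the matching
    U+202C (pop) or the end of the string. Other controls are invisible.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension_of(name):
    """Extension in lowercase, or '' when there is no dot."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def analyze(name):
    """Describe a filename the way a scanner would log it.

    'true_extension' is what the OS sees after the invisible controls are
    removed; 'apparent_extension' is what a user would read on screen.
    """
    controls = find_bidi_controls(name)
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    rendered = rendered_view(name)
    return {
        "controls": controls,
        "rendered": rendered,
        "true_extension": extension_of(stripped),
        "apparent_extension": extension_of(rendered),
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed sample: the OS treats this as an .exe, a renderer shows ".jpg".
    sample = "report\u202egpj.exe"
    for field, value in analyze(sample).items():
        print(f"{field}: {value}")
```

The check deliberately treats every bidirectional control as suspicious rather than only the RLO case, because the same display trick is possible with the embedding and isolate controls; legitimate attachment names in right-to-left scripts carry their directionality in the letters themselves and do not need these override characters.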
  40. Tomi Engdahl says:

    Google explains how Android malware slips onto Google Play Store
    https://www.bleepingcomputer.com/news/security/google-explains-how-android-malware-slips-onto-google-play-store/

    The Google Cloud security team acknowledged a common tactic known as versioning used by malicious actors to slip malware on Android devices after evading the Google Play Store’s review process and security controls.

    The technique works either by introducing the malicious payloads through updates delivered to already installed applications or by loading the malicious code from servers under the threat actors’ control in what is known as dynamic code loading (DCL).

  41. Tomi Engdahl says:

    Code leaks are causing an influx of new ransomware actors
    https://blog.talosintelligence.com/code-leaks-new-ransomware-actors/

    Ransomware gangs are consistently rebranding or merging with other groups, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.

    This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders — components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

  42. Tomi Engdahl says:

    UK Warns Of Stalking Risks From Connected Devices
    https://www.forbes.com/sites/emmawoollacott/2023/08/07/uk-warns-of-stalking-risks-from-connected-devices/

    The ‘vast majority’ of domestic abuse cases in the UK now involve the use of technology such as spyware, a UK government committee has warned.

    The Culture, Media and Sport Committee launched an inquiry a year ago to investigate the benefits and potential dangers of connected technology, such as smart speakers, virtual assistants and wearable fitness trackers.

    And, they say, with most domestic abusers now collecting recordings and images of their victims or monitoring their movements, the government should make it a priority to tackle the problem.

  43. Tomi Engdahl says:

    Time is money, and online game scammers have lots of it
    https://www.welivesecurity.com/en/scams/time-is-money-and-online-game-scammers-have-lots-of-it/

    Gamers and cybersecurity professionals have something in common – the ever-terrible presence of hacking, scams, and data theft – but how and why would anyone want to target gamers?

    One of the more worrying trends of the past few years within the gaming sphere has been the introduction of microtransactions, which ask you to provide your money in case you want to fast-track an in-game event or buy better equipment, or additional skins for your character, for example. Nowadays, this can ring true both for multiplayer and single-player games; hence there are many more opportunities for malicious actors to take advantage of you.

  44. Tomi Engdahl says:

    Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft
    https://www.securityweek.com/threat-actors-abuse-cloudflare-tunnel-for-persistent-access-data-theft/

    Threat actors have been observed abusing an open source tool named Cloudflared to maintain persistent access to compromised systems and to steal information without being detected, cybersecurity firm GuidePoint Security reports.

    Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user’s origin. The tool creates an outbound connection over HTTPS, with the connection’s settings manageable via the Cloudflare Zero Trust dashboard.
    Threat actors have been observed abusing the open source Cloudflare Tunnel tool Cloudflared to maintain stealthy, persistent access to compromised systems.
