Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas of my own about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads served over HTTP.

Malvertising: Cyber criminals will keep impersonating brands through search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals purchase ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical but is in fact designed to phish for login credentials and financial details, or even to trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. Most cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools: over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report found its top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully you at least have endpoint protection in place, for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application tested had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
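The “missing security headers” finding above is easy to check for yourself. The following is an added example (not code from the post or from the cited report) that evaluates a response’s headers against commonly recommended values for HSTS, CSP, X-Content-Type-Options, X-Frame-Options and Referrer-Policy; the two sample responses are constructed for the illustration, and the thresholds (a one-year HSTS max-age, no 'unsafe-inline' in CSP) are the checker’s own policy choices.

```python
"""Security-header check over an HTTP response (added example).

The header names and recommended values are the widely used ones;
the sample responses below are constructed, not captured from a real site.
"""


def _hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip().strip('"'))
            except ValueError:
                return 0
    return 0


# header name (lowercase) -> (what we expect, predicate over the header value)
EXPECTED_HEADERS = {
    "strict-transport-security": (
        "HSTS with max-age of at least one year",
        lambda v: _hsts_max_age(v) >= 31536000,
    ),
    "content-security-policy": (
        "a CSP that does not rely on 'unsafe-inline'",
        lambda v: "unsafe-inline" not in v.lower(),
    ),
    "x-content-type-options": (
        "nosniff, to stop MIME sniffing",
        lambda v: v.strip().lower() == "nosniff",
    ),
    "x-frame-options": (
        "DENY or SAMEORIGIN, against clickjacking",
        lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    ),
    "referrer-policy": (
        "a restrictive referrer policy",
        lambda v: v.strip().lower() in (
            "no-referrer", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin"),
    ),
}


def check_headers(headers):
    """Return a list of findings for a mapping of response headers.

    Lookup is case-insensitive, as HTTP header names are. An empty list
    means every expected header is present with an acceptable value.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (description, acceptable) in EXPECTED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing {name}: expected {description}")
        elif not acceptable(lowered[name]):
            findings.append(f"weak {name}={lowered[name]!r}: expected {description}")
    # A version number in the Server banner is not a vulnerability by itself,
    # but it is the kind of misconfiguration scanners report, so note it.
    if "server" in lowered and any(ch.isdigit() for ch in lowered["server"]):
        findings.append(f"server header discloses version: {lowered['server']!r}")
    return findings


# Constructed sample responses for the example.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(response) or "no findings")
```

Feed it the headers from a real response (for example `dict(response.headers)` from an HTTP client) to get the same report for your own applications.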

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023, because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. There are many companies that do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also being developed: approximately 50% of the 0-days observed in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments and individuals alike. Lack of knowledge, neglected maintenance of employees’ skills and indifference are the strongest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: In a hyperscale cloud provider, there can be potentially several thousand people, working around the globe that could potentially access our data. Security screening and limiting alone still leaves a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique in which a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. The attempt can succeed especially when the target is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
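The pattern described above (many push prompts to one user in a short time, most denied or timed out, then one approved) is visible in identity-provider logs. The following is an added example, not code from the post or from any vendor, of the detection logic run over a constructed sample log; the log format and the event names (push_sent, push_denied, push_timeout, push_approved) are assumptions made for the illustration, so map them to your own provider’s fields.

```python
"""Detect MFA push bombing from authentication events (added example).

Rule: at least PROMPT_THRESHOLD push prompts to one user inside WINDOW is
an alert; an approval shortly after such a burst is flagged separately,
because that is the moment the attack succeeded and a session must be revoked.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROMPT_THRESHOLD = 5            # prompts within the window that trigger an alert
WINDOW = timedelta(minutes=10)

# Constructed sample log: timestamp, user, event, source IP.
SAMPLE_LOG = """\
2023-01-10T08:00:02Z alice push_sent 203.0.113.7
2023-01-10T08:00:41Z alice push_denied 203.0.113.7
2023-01-10T08:01:05Z alice push_sent 203.0.113.7
2023-01-10T08:01:50Z alice push_timeout 203.0.113.7
2023-01-10T08:02:10Z bob push_sent 198.51.100.20
2023-01-10T08:02:12Z alice push_sent 203.0.113.7
2023-01-10T08:02:30Z bob push_approved 198.51.100.20
2023-01-10T08:02:55Z alice push_denied 203.0.113.7
2023-01-10T08:03:20Z alice push_sent 203.0.113.7
2023-01-10T08:04:02Z alice push_timeout 203.0.113.7
2023-01-10T08:04:30Z alice push_sent 203.0.113.7
2023-01-10T08:05:15Z alice push_denied 203.0.113.7
2023-01-10T08:05:40Z alice push_sent 203.0.113.7
2023-01-10T08:06:05Z alice push_approved 203.0.113.7
"""


def parse_log(text):
    """Turn the whitespace-separated lines into sorted (time, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, event, ip = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort()
    return events


def detect_push_bombing(events, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one alert per user whose prompt rate crossed the threshold.

    Each alert records how many prompts were seen in the window and whether
    an approval followed the burst (approved_under_pressure).
    """
    alerts = {}
    recent = defaultdict(list)          # user -> times of push_sent inside the window
    for stamp, user, event, ip in events:
        if event == "push_sent":
            recent[user] = [t for t in recent[user] if stamp - t <= window]
            recent[user].append(stamp)
            if len(recent[user]) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "prompts": 0, "first": recent[user][0],
                    "last": stamp, "source_ip": ip, "approved_under_pressure": False,
                })
                alert["prompts"] = max(alert["prompts"], len(recent[user]))
                alert["last"] = stamp
        elif event == "push_approved" and user in alerts:
            if stamp - alerts[user]["last"] <= window:
                alerts[user]["approved_under_pressure"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, alice receives six prompts in under six minutes and finally approves one, so she is reported with approved_under_pressure set; bob’s single prompt and approval produce nothing. Number-matching MFA, which the post’s sources recommend, removes the “accept by accident” path that this rule is looking for.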

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it leaks for some reason. The reason is that a comma in a password can disrupt tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
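To see exactly what the comma does, and where the trick stops working, here is an added example (not from the post or the cited article) with two constructed credential dumps: one written by a quoting-aware exporter and one produced by naive string concatenation. Splitting on commas misaligns every field after the password in both; a parser that honours RFC 4180 quoting recovers the first dump completely but is still misled by the second.

```python
"""A comma in a password versus CSV handling (added example, constructed data)."""
import csv
import io

# Constructed dump from an exporter that quotes fields containing commas.
QUOTED_DUMP = (
    "email,password,source\n"
    "alice@example.com,correct horse,shop.example\n"
    'bob@example.com,"Tr0ub4dor,&3",forum.example\n'
)

# Constructed dump produced by concatenating fields with commas and no quoting.
UNQUOTED_DUMP = (
    "email,password,source\n"
    "alice@example.com,correct horse,shop.example\n"
    "bob@example.com,Tr0ub4dor,&3,forum.example\n"
)


def naive_rows(text):
    """Split each data line on commas, the way a hurried script would."""
    return [line.split(",") for line in text.strip().splitlines()[1:]]


def proper_rows(text):
    """Parse with the csv module, which honours double-quoted fields."""
    return list(csv.DictReader(io.StringIO(text)))


def passwords_naive(text):
    """Second column of each naive row: wrong as soon as a password holds a comma."""
    return [row[1] for row in naive_rows(text)]


def passwords_proper(text):
    """Password column as seen by a quoting-aware parser."""
    return [row["password"] for row in proper_rows(text)]


if __name__ == "__main__":
    print("naive, quoted dump:   ", passwords_naive(QUOTED_DUMP))
    print("csv module, quoted:   ", passwords_proper(QUOTED_DUMP))
    print("csv module, unquoted: ", passwords_proper(UNQUOTED_DUMP))
```

The takeaway is the caveat the post leaves implicit: the comma only helps against sloppy tooling, so it is a small extra hurdle, not a substitute for length and uniqueness.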

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and to harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year, with deep-dives into the Energy and Health sectors. See Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the CPGs released are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is pretty much the optimal security practice in 2023. It is good for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The Zero Trust Shouldn’t Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.
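The last two sentences describe a mechanism: an identity provider pushes user records to a service with SCIM, and the service makes its access decision from that synchronised identity plus an explicit grant. The following is an added example (not code from the post, the cited article or any SCIM product) of a minimal in-memory SCIM 2.0 consumer that handles a user creation and a deactivation PATCH, feeding an identity-first authorization check. The schema and PatchOp URNs are the ones defined in RFC 7643 and RFC 7644; the store, the grants table, the user names and the resource names are constructed for the illustration.

```python
"""SCIM-synchronised identity feeding an identity-first access decision (added example)."""
import copy

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimStore:
    """The service-provider side of SCIM: a table of user resources kept by the IdP."""

    def __init__(self):
        self.users = {}                      # id -> user resource

    def create(self, resource):
        """Handle POST /Users: require the core User schema and a userName."""
        if USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("not a SCIM core User resource")
        if not resource.get("userName"):
            raise ValueError("userName is required")
        stored = copy.deepcopy(resource)
        stored["id"] = resource.get("id") or f"u{len(self.users) + 1}"   # constructed id scheme
        stored.setdefault("active", True)
        self.users[stored["id"]] = stored
        return stored

    def patch(self, user_id, message):
        """Handle PATCH /Users/{id} for add/replace/remove on top-level attributes."""
        if PATCH_SCHEMA not in message.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        user = self.users[user_id]
        for operation in message["Operations"]:
            op = operation["op"].lower()
            path = operation.get("path")
            if op in ("replace", "add") and path:
                user[path] = operation["value"]
            elif op == "replace" and not path:
                user.update(operation["value"])   # no path: value is a partial resource
            elif op == "remove" and path:
                user.pop(path, None)
            else:
                raise ValueError(f"unsupported operation: {operation}")
        return user


def authorize(store, grants, user_name, resource):
    """Identity-first rule: a request needs a known, active identity AND an explicit grant."""
    user = next((u for u in store.users.values() if u["userName"] == user_name), None)
    if user is None or not user.get("active", False):
        return False
    return resource in grants.get(user["id"], set())


def run_provisioning_flow():
    """Create a user, grant access, then deprovision through SCIM; return each decision."""
    store = ScimStore()
    alice = store.create({
        "schemas": [USER_SCHEMA],
        "userName": "alice@example.com",          # constructed identity
        "name": {"givenName": "Alice", "familyName": "Example"},
        "active": True,
    })
    grants = {alice["id"]: {"payroll-api"}}       # authorization kept separate from identity
    decisions = {
        "granted": authorize(store, grants, "alice@example.com", "payroll-api"),
        "unknown_identity": authorize(store, grants, "mallory@example.com", "payroll-api"),
        "no_grant": authorize(store, grants, "alice@example.com", "hr-admin"),
    }
    # The IdP offboards the user; the PATCH propagates within the sync interval.
    store.patch(alice["id"], {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    })
    decisions["deprovisioned"] = authorize(store, grants, "alice@example.com", "payroll-api")
    return decisions


if __name__ == "__main__":
    print(run_provisioning_flow())
```

The point the article makes shows up in the last decision: once the identity is deactivated upstream, every downstream grant stops working without anyone touching the grants table, which is what makes federation across organisations manageable.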

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. A future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta.
Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API.
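The phishing resistance and non-reusability claimed above come from checks the website (the relying party) performs on every WebAuthn assertion, not from the biometric. The following is an added example (not code from the post or from Chrome) of those server-side checks in Python: the clientDataJSON fields and the authenticatorData layout (32-byte rpIdHash, flags byte, 4-byte counter) follow the WebAuthn specification, while the helper names and the constructed assertion are assumptions for the illustration. No key pair is involved, so the block stops at producing the bytes a real relying party would then signature-check with the stored public key.

```python
"""Relying-party checks behind a passkey login (added example)."""
import base64
import hashlib
import json
import os
import struct


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def new_challenge():
    """Fresh random challenge per login attempt; this is what stops replay/reuse."""
    return b64url_encode(os.urandom(32))


def verify_assertion(client_data_b64, authenticator_data, expected_challenge,
                     expected_origin, rp_id, require_uv=True):
    """Return the bytes to signature-check, or raise ValueError on any failed check."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client_data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed assertion")
    # The browser, not the user, fills in origin, so a lookalike site cannot pass this.
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"origin {client_data.get('origin')!r} is not {expected_origin!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", authenticator_data[:37])
    # The authenticator scopes the credential to the RP ID; wrong site, wrong hash.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & 0x01:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not flags & 0x04:
        raise ValueError("user verification (UV) flag not set")
    # The signature covers authenticatorData || SHA-256(clientDataJSON);
    # a real relying party verifies it with the credential's registered public key
    # and also checks that sign_count has increased.
    return authenticator_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()


def assertion_is_valid(*args, **kwargs):
    """Boolean wrapper around verify_assertion for callers that only need pass/fail."""
    try:
        verify_assertion(*args, **kwargs)
        return True
    except ValueError:
        return False


# Constructed assertion pieces, shaped like what a browser would return.
def make_authenticator_data(rp_id, flags=0x05, sign_count=1):
    return struct.pack(">32sBI", hashlib.sha256(rp_id.encode()).digest(), flags, sign_count)


def make_client_data(challenge, origin, ceremony="webauthn.get"):
    return b64url_encode(json.dumps(
        {"type": ceremony, "challenge": challenge, "origin": origin}).encode())


if __name__ == "__main__":
    challenge = new_challenge()
    client_data = make_client_data(challenge, "https://example.com")
    auth_data = make_authenticator_data("example.com")
    print("genuine site:", assertion_is_valid(client_data, auth_data, challenge,
                                              "https://example.com", "example.com"))
    print("wrong origin:", assertion_is_valid(make_client_data(challenge, "https://other.example"),
                                              auth_data, challenge, "https://example.com", "example.com"))
```

Run the block and the second line prints False: the same passkey presented through any origin other than the one it was registered for is rejected before a signature is even considered, which is the property passwords and one-time codes lack.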

War risks: Watch for the war between Russia and Ukraine to continue in 2023, in both the real world and the cyber world. Cyber is as important as missile defences, according to an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: The AWS Elastic IP transfer feature gives cyberattackers free range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.
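Whatever one thinks of the feature, the defensive move is to watch for it being used. The following is an added example (not code from the post or from AWS) of detection logic run over CloudTrail records: EnableAddressTransfer and AcceptAddressTransfer are the EC2 API actions behind Elastic IP transfer, but the records here are constructed and trimmed to the fields the logic uses, the account numbers and allocation id are made up, and the requestParameters field name for the destination account (transferAccountId) is an assumption to confirm against your own logs before relying on it.

```python
"""Flag Elastic IP transfers in CloudTrail records (added example, constructed data)."""

# Accounts this organisation owns (constructed). A transfer to any other account is suspect.
OWN_ACCOUNTS = {"111111111111", "222222222222"}

TRANSFER_EVENTS = {"EnableAddressTransfer", "AcceptAddressTransfer", "DisableAddressTransfer"}

# Constructed CloudTrail records, reduced to the fields used below.
SAMPLE_RECORDS = [
    {"eventTime": "2023-01-12T10:04:51Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/deploy-bot"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"allocationId": "eipalloc-0example0000000001",
                           "transferAccountId": "333333333333"}},
    {"eventTime": "2023-01-12T11:30:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/NetAdmin/ops"},
     "sourceIPAddress": "192.0.2.10",
     "requestParameters": {"allocationId": "eipalloc-0example0000000002",
                           "transferAccountId": "222222222222"}},
    {"eventTime": "2023-01-12T11:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeAddresses", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/NetAdmin/ops"},
     "sourceIPAddress": "192.0.2.10", "requestParameters": {}},
    {"eventTime": "2023-01-12T11:35:42Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AcceptAddressTransfer", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::222222222222:assumed-role/NetAdmin/ops"},
     "sourceIPAddress": "192.0.2.10",
     "requestParameters": {"address": "203.0.113.10"}},
    {"eventTime": "2023-01-12T13:02:19Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "recipientAccountId": "111111111111",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/intern"},
     "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"allocationId": "eipalloc-0example0000000001",
                           "transferAccountId": "444444444444"}},
]


def analyze_eip_transfers(records, own_accounts=OWN_ACCOUNTS):
    """Return a finding for every transfer-related EC2 event, rated by destination."""
    findings = []
    for event in records:
        if event.get("eventSource") != "ec2.amazonaws.com":
            continue
        name = event.get("eventName")
        if name not in TRANSFER_EVENTS:
            continue
        params = event.get("requestParameters") or {}
        destination = str(params.get("transferAccountId", ""))     # assumed field name
        if name == "EnableAddressTransfer":
            severity = "high" if destination not in own_accounts else "info"
        elif name == "AcceptAddressTransfer":
            severity = "medium"     # this account just took ownership of an address from elsewhere
        else:
            severity = "info"
        findings.append({
            "time": event.get("eventTime"),
            "event": name,
            "actor": event.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": event.get("sourceIPAddress"),
            "account": event.get("recipientAccountId"),
            "destination_account": destination or None,
            # CloudTrail carries errorCode only when the call failed; denied attempts
            # are still worth seeing, because they show someone trying.
            "status": "failed" if "errorCode" in event else "succeeded",
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_eip_transfers(SAMPLE_RECORDS):
        print(finding["severity"].upper(), finding["event"], finding["actor"],
              "->", finding["destination_account"], finding["status"])
```

Pair the alert with a preventive control: a service control policy or IAM policy that denies these actions outside an approved role makes the “high” finding something that should never succeed.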

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
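GitHub’s scanner matches hundreds of provider-specific token formats; the same idea scales down to a pre-commit hook. The following is an added example (not GitHub’s code and not from the post) of a small secret scanner: the AWS access key ID shape (AKIA plus 16 upper-case alphanumerics, with AWS’s own documented example value) and the GitHub classic token prefix (ghp_ plus 36 characters) are documented formats, the private-key header is the PEM convention, and the generic high-entropy rule with its 3.5-bit threshold, the sample configuration file and the token values in it are constructed for the illustration.

```python
"""Minimal secret scanner over a file's contents (added example, constructed sample)."""
import math
import re

# Provider-specific patterns: cheap and precise.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a secret-looking variable assigned a quoted value of 16+ characters.
ASSIGNMENT = re.compile(
    r"""(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']""")


def shannon_entropy(text):
    """Bits per character; random tokens score high, words and repeats score low."""
    length = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / length * math.log2(n / length) for n in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return (line_number, kind, value) for every suspected secret in text."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
                seen.add((lineno, match.group(0)))
        for match in ASSIGNMENT.finditer(line):
            value = match.group(2)
            # Skip values a specific pattern already reported on this line,
            # and skip low-entropy values such as repeated dictionary words.
            if (lineno, value) in seen or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((lineno, "high_entropy_assignment", value))
            seen.add((lineno, value))
    return findings


# Constructed configuration file for the example; the AKIA value is AWS's
# documented example key id, the others are made up.
SAMPLE_CONFIG = """\
# constructed config file for the example
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_key = "s3cR3t-9Xq2mL8vB4nW7zK1pY5tR0uE6"
db_password = "password123password"
password = "hunter2"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {value[:8]}...")
```

The entropy gate is what keeps the generic rule useful: line 5 assigns a long value to a variable called db_password, but “password123password” scores about 3.2 bits per character and is not reported, whereas the random-looking api_key value on line 4 is.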

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that needs to meet it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.
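One concrete form the client-side requirements take is keeping an inventory of the scripts loaded on a payment page and detecting when they change. The following is an added example (not code from the post, the cited article or the PCI SSC) that audits a page’s script tags against an authorised inventory using Subresource Integrity (SRI) hashes: the page, the script bodies, the inventory and the “what is being served right now” table are all constructed for the illustration.

```python
"""Payment-page script inventory and integrity audit (added example, constructed data)."""
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external <script src> tags (with their integrity attribute) and inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)
        if "src" in attributes:
            self.scripts.append({"src": attributes["src"], "integrity": attributes.get("integrity")})
        else:
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.scripts.append({"src": None, "inline": data.strip()})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def sri_hash(content, algorithm="sha384"):
    """SRI value for content: '<alg>-<base64 digest>', as used in the integrity attribute."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


def audit_payment_page(html, inventory, served):
    """Compare the page's scripts with the authorised inventory.

    inventory: src -> expected SRI value; served: src -> bytes fetched right now.
    Returns (finding_kind, subject) pairs; an empty list means nothing changed.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        if script["src"] is None:
            findings.append(("unauthorised_inline_script", script["inline"][:40]))
            continue
        src = script["src"]
        if src not in inventory:
            findings.append(("script_not_in_inventory", src))
            continue
        if script["integrity"] != inventory[src]:
            findings.append(("integrity_attribute_mismatch", src))
        content = served.get(src)
        if content is None or sri_hash(content) != inventory[src]:
            findings.append(("served_content_changed", src))
    return findings


# Constructed scripts, inventory and page.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitCard);\n"
ANALYTICS_JS = b"window.track = function (e) { navigator.sendBeacon('/t', e); };\n"
MODIFIED_ANALYTICS_JS = ANALYTICS_JS + b"/* unexpected code appended by someone other than the site owner */\n"

INVENTORY = {
    "/static/checkout.js": sri_hash(CHECKOUT_JS),
    "/static/analytics.js": sri_hash(ANALYTICS_JS),
}

PAGE_HTML = f"""<html><body>
<script src="/static/checkout.js" integrity="{INVENTORY['/static/checkout.js']}" crossorigin="anonymous"></script>
<script src="/static/analytics.js"></script>
<script src="https://cdn.example.net/helper.js"></script>
<script>window.__cfg = {{}};</script>
</body></html>"""

SERVED_NOW = {
    "/static/checkout.js": CHECKOUT_JS,
    "/static/analytics.js": MODIFIED_ANALYTICS_JS,
    "https://cdn.example.net/helper.js": b"/* not reviewed by anyone */\n",
}

if __name__ == "__main__":
    for kind, subject in audit_payment_page(PAGE_HTML, INVENTORY, SERVED_NOW):
        print(kind, subject)
```

Run periodically against the live page this evidences both halves of the requirement: the inventory says what is authorised, and the findings are the change detection. Note that the browser itself only enforces integrity where the attribute is present, which is why the missing attribute on analytics.js is reported separately from the changed content.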

SHA-1: NIST retires the SHA-1 cryptographic algorithm: not fully in 2023, but preparations for the phase-out start now. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.
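A phase-out that “will take many years” is only manageable if the code can tell which algorithm produced each stored digest. The following is an added example (not from the post or from NIST) of the algorithm-agility pattern that makes the migration incremental: digests are stored with an algorithm label, SHA-1 records are still accepted during the transition but are rewritten with SHA-256 the first time they verify, and a report shows how much of the store is still on a deprecated algorithm. The store, the artifact contents and the record format are constructed for the illustration.

```python
"""Algorithm-agile digest store for moving off SHA-1 (added example, constructed data)."""
import hashlib
import hmac

DEPRECATED = {"md5", "sha1"}
PREFERRED = "sha256"


def fingerprint(data, algorithm=PREFERRED):
    """Record format '<algorithm>:<hex digest>' so the verifier knows what it is checking."""
    return f"{algorithm}:{hashlib.new(algorithm, data).hexdigest()}"


def verify_and_upgrade(record, data):
    """Check data against a record; return (ok, record_to_store, note).

    A deprecated-but-correct record is replaced by a PREFERRED one, so the
    store migrates itself as artifacts are used. A mismatch is never upgraded.
    """
    algorithm, separator, expected = record.partition(":")
    if not separator or algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unrecognised record format: {record!r}")
    actual = hashlib.new(algorithm, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, record, "mismatch"
    if algorithm in DEPRECATED:
        return True, fingerprint(data), f"verified with {algorithm}, rewritten with {PREFERRED}"
    return True, record, "ok"


def migrate_store(store, contents):
    """Verify every record in store (name -> record) against contents (name -> bytes).

    Updates the store in place and returns a summary of what happened.
    """
    report = {"verified": 0, "upgraded": 0, "failed": [], "still_deprecated": []}
    for name, record in list(store.items()):
        ok, new_record, note = verify_and_upgrade(record, contents[name])
        if not ok:
            report["failed"].append(name)
        else:
            report["verified"] += 1
            if new_record != record:
                store[name] = new_record
                report["upgraded"] += 1
        if store[name].partition(":")[0] in DEPRECATED:
            report["still_deprecated"].append(name)
    return report


# Constructed artifacts and a store that still holds one legacy SHA-1 record.
ARTIFACTS = {
    "release-1.0.tar.gz": b"constructed archive bytes for 1.0",
    "release-1.1.tar.gz": b"constructed archive bytes for 1.1",
}


def legacy_store():
    return {
        "release-1.0.tar.gz": fingerprint(ARTIFACTS["release-1.0.tar.gz"], "sha1"),
        "release-1.1.tar.gz": fingerprint(ARTIFACTS["release-1.1.tar.gz"], "sha256"),
    }


if __name__ == "__main__":
    store = legacy_store()
    print(migrate_store(store, ARTIFACTS))
    print(store)
```

The same shape applies to password hashes (rehash on successful login) and to signed artifacts, where the label names the signature scheme; the point is that no record is ever ambiguous about how it was produced, so the 2030 deadline can be met one verification at a time.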

Cloud: Is cloud native security good enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The work of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But there are several analysts who believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because self-taught hackers are at constant risk of failing to perform properly and many companies might not want to hire one.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud comes APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies are suffering an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed how many cryptocurrency-related risks can be realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now increasingly name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so that clients retain more of the losses. There are already insurance policies written in the market that have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Expert advises using a comma in your password – there is a clever logic behind it (Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka)

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Companies’ cyber security still has big gaps – expert: it is even a question of national security (Yritysten kyberturvassa edelleen isoja aukkoja – Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta)

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 approved – stricter cyber security requirements for EU countries (NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset)

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals (Kyberturvan ammattilaisista on huutava pula)

Is Enterprise VPN on Life Support or Ripe for Reinvention?

1,768 Comments

  1. Tomi Engdahl says:

    Black Hat Preview: The Business of Cyber Takes Center Stage
    https://www.securityweek.com/black-hat-preview-the-business-of-cyber-takes-center-stage/

    The cybersecurity industry heads to Las Vegas this week for Black Hat in a state of economic contraction, confusion and excitement. Can the promise of AI overcome the hype cycle to truly solve security problems?

  2. Tomi Engdahl says:

    Microsoft Shares Guidance and Resources for AI Red Teams
    https://www.securityweek.com/microsoft-shares-guidance-and-resources-for-ai-red-teams/

    Microsoft has shared guidance and resources from its AI Red Team program to help organizations and individuals with AI security.

    Microsoft on Monday published a summary of its artificial intelligence (AI) red teaming efforts, and shared guidance and resources that can help make AI safer and more secure.

    The tech giant said its AI red teaming journey started more than two decades ago, but it launched a dedicated AI Red Team in 2018. It has since been working on developing AI security resources that can be used by the whole industry.

    The company has now shared five key lessons learned from its red teaming efforts. The first is that AI red teaming is now an umbrella term for probing security, as well as responsible AI (RAI) outcomes. In the case of security, it can include finding vulnerabilities and securing the underlying model, while in the case of RAI outcomes the Red Team’s focus is on identifying harmful content and fairness issues, such as stereotyping.

    https://www.microsoft.com/en-us/security/blog/2023/08/07/microsoft-ai-red-team-building-future-of-safer-ai/

  3. Tomi Engdahl says:

    Government
    White House Holds First-Ever Summit on the Ransomware Crisis Plaguing the Nation’s Public Schools
    https://www.securityweek.com/white-house-holds-first-ever-summit-on-the-ransomware-crisis-plaguing-the-nations-public-schools/

    CISA will step up training for the K-12 sector and technology providers, including Amazon Web Services and Cloudflare, will offer grants and free software.

  4. Tomi Engdahl says:

    Protection is No Longer Straightforward – Why More Cybersecurity Solutions Must Incorporate Context
    https://www.securityweek.com/protection-is-no-longer-straightforward-why-more-cybersecurity-solutions-must-incorporate-context/

    Context helps complete the picture and results in actionable intelligence that security teams can use to make informed decisions more quickly.

    It is well known that when it comes to cybersecurity, today’s modern network demands solutions that go beyond simple one-size-fits-all approaches. Traditional methods of protection have proven inadequate against evolving threats and modern cybersecurity solutions often integrate multiple security tools and technologies.

    These considerations combined with the increasing volume of data generated from various sources makes context essential for filtering and prioritizing security alerts. As such, context-aware – and more importantly, context-inclusive – cybersecurity solutions have emerged as a crucial approach to tackle these challenges effectively.

    Incorporating context into a threat investigation goes well beyond simply looking at an IP address. And while knowing the IP address is an important piece of information, it is really just the beginning. Analysts must look further for other key pieces of information such as:

    Who owns the IP address?
    What environment does it reside in?
    What applications is the IP communicating with?
    Perhaps even, what operating system is on the host?

    Because there is no one-size-fits-all approach to security, teams often have to consider a device’s details to determine if anomalous behavior is just new or malicious.

  5. Tomi Engdahl says:

    Cyber Insurance
    UK Think Tank Proposes Greater Ransomware Reporting From Cyberinsurance to Government
    https://www.securityweek.com/uk-think-tank-proposes-greater-ransomware-reporting-from-cyberinsurance-to-government/

    The Royal United Services Institute (RUSI) examined the relationship between cyberinsurance and ransomware, and proposes greater reporting from victims to government, enforced through insurance policies.

    The Royal United Services Institute (RUSI) is an independent UK think tank that has been in existence since 1831. It has examined the relationship between cyberinsurance and ransomware, and proposes greater reporting from victims to government, enforced through insurance policies.

    Specifically, RUSI finds that ransomware is prevalent among malicious attackers because it is profitable, easy, and low risk. Cyberinsurance does not cause ransomware. “While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organizations with insurance has been overstated.”

    The report, Cyber Insurance and the Ransomware Challenge (PDF) starts from the basis that cyberinsurers are innocent parties in the ransomware wars. Manu Singh, VP of risk engineering at Cowbell, agrees with this conclusion. “The narrative that cyber insurance providers are the catalyst of ransomware is a dangerous simplification of the facts,” he told SecurityWeek.

    However, RUSI believes that the lack of a consistent advocated response to ransomware is a separate and distinct problem. It does not recommend a blanket ban on the payment of ransoms, but suggests that the UK government’s black-and-white position on ransom payments has created “a vacuum of assurance and advice on best practices for ransom negotiations and payments.”

    https://static.rusi.org/OP-cyber-insurance-ransomware-challenge-web-final.pdf

  6. Tomi Engdahl says:

    No evidence ransomware victims with cyber insurance pay up more often, UK report says https://therecord.media/ransomware-cyber-insurance-payments-uk-report

    There is no “compelling evidence” that victims of ransomware attacks who have cyber insurance are more likely to make an extortion payment than those without, according to new research examining the role of the insurance industry in driving the criminal ecosystem.

    The independent study, published Monday and sponsored by the U.K.’s National Cyber Security Centre (NCSC) and the Research Institute for Sociotechnical Cyber Security, addresses concerns that the cyber insurance industry is aiding cybercriminals by covering ransom payments.

  7. Tomi Engdahl says:

    Android phones may soon warn you if a malicious Apple device is following you
    https://www.tivi.fi/uutiset/tv/d84a0ece-f320-4108-9156-901c9a818d51

    Google and Apple announced in May that they would team up on standardizing Bluetooth tracking devices. The aim is to make stalking and unwanted tracking carried out with AirTags and Tile gadgets more difficult.

    As part of the change, Android devices may soon notify their user of an Apple AirTag that appears to be travelling along without its owner.

  8. Tomi Engdahl says:

    P2PInfect server botnet spreads using Redis replication feature https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spreads-using-redis-replication-feature/

    Threat actors are actively targeting exposed instances of SSH and the Redis open-source data store with a peer-to-peer self-replicating worm with versions for both Windows and Linux that the malware authors named P2Pinfect.

  9. Tomi Engdahl says:

    NIS-2: EU Directive Takes a Massive Step towards Increased Security https://www.gdatasoftware.com/blog/2023/07/37787-eu-directive-takes-a-massive-step-towards-increased-security

    NIS-2 aims to establish an EU wide common security standard for critical infrastructures and adjacent industries as well as vital supply chains. Here is a brief recap – and also a good reason why even non critical industries should pay close attention.

  10. Tomi Engdahl says:

    Automatically Finding Prompt Injection Attacks https://www.schneier.com/blog/archives/2023/07/automatically-finding-prompt-injection-attacks.html

    Researchers have just published a paper showing how to automate the discovery of prompt injection attacks. The paper shows how those can be automatically generated. And we have no idea how to patch those vulnerabilities in general.
    (The GPT people can patch against the specific one in the example, but there are infinitely more where that came from.)

  11. Tomi Engdahl says:

    US And EU Agree Big Tech Data Sharing Deal https://www.forbes.com/sites/emmawoollacott/2023/07/11/us-and-eu-agree-big-tech-data-sharing-deal/

    The U.S. and EU have agreed a new data-sharing pact allowing European data to be stored in the U.S.—but privacy campaigners look set to challenge it.

    U.S. companies such as Facebook and Google will be allowed to operate under the EU-U.S. Data Privacy Framework if they commit to a detailed set of privacy obligations.

    These include deleting personal data when it is no longer necessary for the purpose for which it was collected, and ensuring continuity of protection when personal data is shared with third parties. If data is wrongly handled, EU residents can turn to a free-of-charge independent dispute resolution mechanism and an arbitration panel.

  12. Tomi Engdahl says:

    The Spies Who Loved You: Infected USB Drives to Steal Secrets https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

    In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets.
    Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.

    Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense.

  13. Tomi Engdahl says:

    Routers from the Underground: Exposing AVrecon https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/

    Lumen Black Lotus Labs® identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.” Apart from a single reference to AVrecon in May 2021, the malware has been operating undetected for more than two years. Black Lotus labs performed an extensive analysis documenting the malware functionality, its size, and how it fits into the cybercrime ecosystem.

    We assess the purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth. This assessment is based on observed telemetry and the analysis of functionality in the binary that allows the actor to interact with a remote shell and deploy subsequent binaries. Using Lumen’s global network visibility, Black Lotus Labs has determined the composition of a network that has infiltrated more than 70,000 machines, gaining a persistent hold in more than 40,000 IPs in more than 20 countries.

  14. Tomi Engdahl says:

    Facebook has become a playground for Chinese trolls – the goal is chaos
    https://www.tivi.fi/uutiset/tv/3eeb5463-cd9f-4e36-b0db-05d048cbabb5

    Provocative commenting originating from Chinese accounts on social media, and on Facebook in particular, is on the rise.
    This activity is called trolling.

    The aim of such accounts is to find new ways of sowing discord among citizens in other countries. Facebook representatives told Australian authorities about the matter on Tuesday.

    In Europe, Facebook's parent company Meta has recently removed numerous accounts that spread false claims. All of the accounts were operated systematically from China.

  15. Tomi Engdahl says:

    What to Expect When Reporting Vulnerabilities to Microsoft https://msrc.microsoft.com/blog/2023/07/what-to-expect-when-reporting-vulnerabilities-to-microsoft/

    Before you submit a report, please check whether the issue you’re reporting meets the definition of a security vulnerability. Once you are confident that your submission meets Microsoft’s security service definition, go to our Researcher Portal and log in to report it. If you do not yet have an account, you will have the option of creating one at that time.

    This article explains what you can expect to happen after you submit a vulnerability.

  16. Tomi Engdahl says:

    Thousands of images on Docker Hub leak auth secrets, private keys https://www.bleepingcomputer.com/news/security/thousands-of-images-on-docker-hub-leak-auth-secrets-private-keys/

    Researchers at the RWTH Aachen University in Germany published a study revealing that tens of thousands of container images hosted on Docker Hub contain confidential secrets, exposing software, online platforms, and users to a massive attack surface.

    Docker Hub is a cloud-based repository for the Docker community to store, share, and distribute Docker images. These container-creation templates include all of the necessary software code, runtime, libraries, environment variables, and configuration files to easily deploy an application in Docker. The German researchers analyzed 337,171 images from Docker Hub and thousands of private registries and found that roughly 8.5% contain sensitive data such as private keys and API secrets.

    The paper further shows that many of the exposed keys are actively used, undermining the security of elements that depend on them, like hundreds of certificates.

  17. Tomi Engdahl says:

    CISA orders govt agencies to mitigate Windows and Office zero-days https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-mitigate-windows-and-office-zero-days/

    CISA ordered federal agencies to mitigate remote code execution zero-days affecting Windows and Office products that were exploited by the Russian-based RomCom cybercriminal group in NATO phishing attacks.

    The security flaws (collectively tracked as CVE-2023-36884) have also been added to CISA’s list of Known Exploited Vulnerabilities on Monday.

    Federal agencies have been given three weeks, until August 8th, to secure their systems by implementing mitigation measures shared by Microsoft one week ago.

  18. Tomi Engdahl says:

    US govt bans European spyware vendors Intellexa and Cytrox https://www.bleepingcomputer.com/news/security/us-govt-bans-european-spyware-vendors-intellexa-and-cytrox/

    The U.S. government has banned European commercial spyware manufacturers Intellexa and Cytrox, citing risks to U.S. national security and foreign policy interests.

    The Commerce Department’s Bureau of Industry and Security (BIS) added four commercial entities to its Entity List: Intellexa S.A. from Greece, Intellexa Limited from Ireland, Cytrox Holdings Zrt from Hungary, and Cytrox AD from North Macedonia.

    This decision was motivated by the four companies’ involvement in trafficking cyber exploits used to gain unauthorized access to the devices of high-risk individuals worldwide, threatening their security and privacy.

    According to the U.S. State Department, the deployment of these surveillance tools on a worldwide scale aimed to intimidate political adversaries, suppress dissent, restrict freedom of speech, and keep track of journalists’ and activists’ activity, thereby sustaining a climate of repression and human rights violations.

  19. Tomi Engdahl says:

    The most wanted hacker of the 1990s has died – his first corporate break-in was at age 16 in 1979
    https://www.tivi.fi/uutiset/tv/4a47fb97-59ac-4228-a3af-5bbf3970b729

    Former hacker Kevin Mitnick died on Sunday, 16 July, after a battle with pancreatic cancer. He was 59 years old.

    Mitnick was diagnosed with cancer more than a year ago and had been treated at the University of Pittsburgh Medical Center, according to an obituary published by a Las Vegas funeral home.

    Mitnick is best known for his early-1990s crime spree, in which he stole thousands of files, software and credit card numbers from dozens of computer networks across the United States. He broke into telephone and data networks, read private e-mails and vandalized the information systems of government, businesses and educational institutions alike. Police were on his trail for two years, and at the time he was called ”the world's most wanted hacker”.

  20. Tomi Engdahl says:

    Open-source supply chain attacks expand to the banking sector https://therecord.media/banks-open-source-software-supply-chain-cyberattacks-npm

    Two banks have been targeted by open-source software supply chain attacks in recent months in what researchers are calling the first such incidents of their kind.

    In separate operations in February and April, the perpetrators uploaded packages carrying malicious scripts to the npm open-source software platform, analysts at Checkmarx said.

    In one attack, a hacker posted several infected packages with scripts inside that identified the victim’s operating system. Depending on if it was Windows, Linux, or MacOS, the script decoded other encrypted files in the package.
    Those files were then used to download malicious code onto a targeted computer.

  21. Tomi Engdahl says:

    Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands https://thehackernews.com/2023/07/apple-threatens-to-pull-imessage-and.html

    Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bowing down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies.

    The development, first reported by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming legislative changes to the Investigatory Powers Act (IPA) 2016 in a manner that would effectively render encryption protections ineffective.

  22. Tomi Engdahl says:

    CVSS 4.0 Is Here, But Prioritizing Patches Still a Hard Problem https://www.darkreading.com/vulnerabilities-threats/cvss-4-prioritizing-patches-hard-problem

    The soon-to-be-released Version 4.0 of the Common Vulnerability Scoring System (CVSS) promises to fix a number of issues with the severity metric for security bugs. But vulnerability experts say that prioritizing patches or measuring exploitability will still be a tough nut to crack.

    The Forum of Incident Response and Security Teams (FIRST) released a preview of the next version of the CVSS last week at its annual conference. Version 4 will do away with the vague “temporal” metric, replacing it with the more descriptive “threat” metric and it will add other factors to the base metric calculation.

  23. Tomi Engdahl says:

    EU governments reject requiring manufacturers to report vulnerabilities to central cyber agency https://therecord.media/eu-rejects-requirements-for-manufacturers

    European Union governments have pushed back on the central role initially suggested for the bloc’s cybersecurity agency, rejecting a proposal requiring manufacturers to report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA).

    Instead, in its amended version of the proposed Cyber Resilience Act (CRA), the European Council calls for manufacturers to disclose vulnerabilities to the national Computer Security Incident Response Team (CSIRT) in the country where they are based.

  24. Tomi Engdahl says:

    Navigating The Landscape Of Hacktivist DDoS Attacks https://www.forbes.com/sites/davidbalaban/2023/07/26/navigating-the-landscape-of-hacktivist-ddos-attacks/

    The cyber-world is witnessing a remarkable surge in DDoS attacks orchestrated by hacktivists. The scope of these attacks is broad and indiscriminate – they target everyone, from large-scale businesses to small media outlets.

    The activity of hacktivists has noticeably intensified over the previous year, a trend that can be attributed to a clear cause: the flurry of socio-political events globally has created a heightened sense of unease within society. DDoS attacks aimed at airports, media, essay writing websites, and gaming platforms – these incidents represent just a fraction of the rampant cyber threats permeating the Internet today.

  25. Tomi Engdahl says:

    CISA: Most cyberattacks on gov’ts, critical infrastructure involve valid credentials https://therecord.media/cisa-cyberattacks-using-valid-credentials

    More than half of all cyberattacks on government agencies, critical infrastructure organizations and state-level government bodies involved the use of valid accounts, according to a new report from the Cybersecurity and Infrastructure Security Agency (CISA).

    The report of the agency’s findings, published on Wednesday, noted that threat actors “completed their most successful attacks via common methods, such as phishing and using default credentials.”

  26. Tomi Engdahl says:

    SEC to require companies to disclose cybersecurity incidents https://therecord.media/SEC-to-require-companies-to-disclose-cyber

    The Securities and Exchange Commission approved new rules Wednesday requiring companies that it regulates to quickly disclose “material” cybersecurity incidents and share the details of their cybersecurity risk management, strategy, and governance with the commission on an annual basis.

    The commission also adopted similar rules for foreign companies doing business in the U.S.

  27. Tomi Engdahl says:

    Spotlight on shadow IT
    https://www.ncsc.gov.uk/blog-post/spotlight-on-shadow-it

    ‘Shadow IT’ (also known as ‘grey IT’) is the name given to those unknown IT assets used within an organisation for business purposes.

    Whilst often thought of in terms of rogue devices connected to the corporate network, shadow IT can also apply to cloud technologies or services. For example, if users are storing sensitive, enterprise data in their personal cloud accounts (perhaps to access the data from another location or device), then that’s also shadow IT. Most organisations will have some level of shadow IT, even if they don’t realise.

  28. Tomi Engdahl says:

    Kaspersky APT trends report Q2 2023
    https://securelist.com/apt-trends-report-q2-2023/110231/

    For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. This is our latest installment, focusing on activities that we observed during Q2 2023.

    These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

  29. Tomi Engdahl says:

    The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022 https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html

    This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a whole, looking for trends, gaps, lessons learned, and successes.

    41 in-the-wild 0-days were detected and disclosed in 2022, the second-most ever recorded since we began tracking in mid-2014, but down from the 69 detected in 2021. Although a 40% drop might seem like a clear-cut win for improving security, the reality is more complicated.

  30. Tomi Engdahl says:

    Listed companies get a tough ultimatum: 4 days to report a data breach https://www.tivi.fi/uutiset/tv/ed84467f-9241-4a3f-91f5-37906e5891be

    U.S. listed companies that suffer a data breach will in future have to disclose it within four days if the breach could have ”material” consequences.

    The U.S. Securities and Exchange Commission (SEC) originally proposed the rule changes in March, and they were approved on Wednesday this week. The rules take effect later this year.

  31. Tomi Engdahl says:

    North Korean hackers have now struck Estonia – 34 million euros stolen
    https://www.tivi.fi/uutiset/tv/6341ed19-a924-4179-b8c2-a0d4e93c4921

    The crime took place at almost the same time as another multi-million theft targeting a company focused on cryptocurrency processing.

    The Estonian cryptocurrency payment processing service CoinsPad has been the target of a theft. Cryptocurrency worth about 37.2 million dollars, roughly 34 million euros, was stolen from the company.

  32. Tomi Engdahl says:

    A worm-like malware spread on Call of Duty servers – merely joining a game session was enough to get infected https://www.tivi.fi/uutiset/tv/59068ce8-d17c-4cde-ac1f-cc896172c02c

    An old Call of Duty game has unexpectedly fallen into hackers' clutches. The servers of the PC version of Call of Duty: Modern Warfare 2, released in 2009 and still holding a loyal player base, have been taken down after a worm-like malware spread in a nasty way.

  33. Tomi Engdahl says:

    Hackers Deploy “SUBMARINE” Backdoor in Barracuda Email Security Gateway Attacks https://thehackernews.com/2023/07/hackers-deploy-submarine-backdoor-in.html

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a “novel persistent backdoor” called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances.

    “SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup,” the agency said.

  34. Tomi Engdahl says:

    Israel’s largest oil refinery website offline amid cyber attack claims https://www.bleepingcomputer.com/news/security/israels-largest-oil-refinery-website-offline-amid-cyber-attack-claims/

    Website of Israel’s largest oil refinery operator, BAZAN Group is inaccessible from most parts of the world as threat actors claim to have hacked the Group’s cyber systems.

    The Haifa Bay-based BAZAN Group, formerly Oil Refineries Ltd., generates over $13.5 billion in annual revenue and employs more than 1,800 people.

  35. Tomi Engdahl says:

    U.S. Hunts Chinese Malware That Could Disrupt American Military Operations https://www.nytimes.com/2023/07/29/us/politics/china-malware-us-military-bases-taiwan.html

    American intelligence officials believe the malware could give China the power to disrupt or slow American deployments or resupply operations, including during a Chinese move against Taiwan.

  36. Tomi Engdahl says:

    Google: Android patch gap makes n-days as dangerous as zero-days https://www.bleepingcomputer.com/news/security/google-android-patch-gap-makes-n-days-as-dangerous-as-zero-days/

    Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that elevates the value and use of disclosed flaws for extended periods.

    More specifically, Google’s report highlights the problem of n-days in Android functioning as 0-days for threat actors.

  37. Tomi Engdahl says:

    Digital assets continue to be prime target for malvertisers https://www.malwarebytes.com/blog/threat-intelligence/2023/08/digital-assets-continue-to-be-prime-target-for-malvertisers

    Cyber-criminals continue to impersonate brands via well-crafted phishing websites. We previously covered attacks on both consumers and businesses via online searches for popular brands leading to scams or malware.

    Digital assets such as cryptocurrencies or NFTs are highly coveted by threat actors due to the high gains that can be made, even via a simple phishing attack. In this blog post, we investigate a malicious ad on Microsoft Bing for LooksRare, an NFT marketplace.

  38. Tomi Engdahl says:

    Google is picking up the pace of Chrome security update releases https://www.theverge.com/2023/8/8/23824818/google-chrome-116-security-update-weekly-release

    Google’s “milestone” Chrome releases in the stable channel that come every four weeks will now be accompanied by weekly security updates (previously biweekly) to help close the “patch gap” between fixes appearing in Canary / Beta releases and when they go out to most users.

    Bad actors could potentially see what changes are made in beta builds and can confirm and exploit vulnerable users before the stable channel sees an update due to the gap — a real problem for a platform with billions of users who would be vulnerable. Previously, patch gaps were around 35 days long for Chrome versions older than 77 and were reduced to about 15 days with the implementation of a biweekly patch cycle. Now, the new weekly updates address this gap.

  39. Tomi Engdahl says:

    Automated Security Control Assessment: When Self-Awareness Matters
    https://www.securityweek.com/automated-security-control-assessment-when-self-awareness-matters/

    Automated Security Control Assessment enhances security posture by verifying proper, consistent configurations of security controls, rather than merely confirming their existence.

    Exploitation of software vulnerabilities by cyber adversaries has dominated headlines the last couple of months (e.g., Ivanti EPMM flaw, Points.com, BeyondTrust, PaperCut NG/MF, Microsoft Power Platform), creating the perception that these are the primary causes of many of today’s data breaches. However, according to the 2023 Verizon Data Breach Investigations Report, the exploitation of vulnerabilities as a threat action “has kept stable in incidents and is actually less prominent in breaches, dropping from 7% to 5%.” Nonetheless, the exploitation of software vulnerabilities remains one of the three primary methods in which attackers gain unauthorized access to an organization, with stolen credentials and phishing leading the way. This raises the question of what organizations should do to minimize their exposure.

    Most security practitioners are aware that an effective vulnerability management program is the cornerstone of any organization’s cybersecurity initiative because they know that software vulnerabilities, if left unidentified and unaddressed, can bring their business down. However, advancements in technology across an organization (e.g., digitalization, cloud adoption), growing employee numbers and their associated work locations, as well as the overall complexity of the IT environment, often inhibit timely detection and remediation of software vulnerabilities.

    As an example, according to the 2023 Resilience Index (PDF) more than 80% of devices use the Microsoft® Windows® OS, with the large majority on Windows 10. This might appear homogenous and easy to manage; however, the reality is that IT practitioners are struggling to keep their employees’ endpoints up to date with fourteen different versions and more than 800 builds and patches present. Adding to the complexity IT and security teams must deal with is the number of installed applications on devices. According to the same report, there are sixty-seven applications installed on the average enterprise device, with 10% of those devices having more than one hundred applications installed.

  40. Tomi Engdahl says:

    White House Offers Prize Money for Hacker-Thwarting AI

    The White House launched an Artificial Intelligence Cyber Challenge competition for creating new AI systems that can defend critical software from hackers.

    https://www.securityweek.com/white-house-offers-prize-money-for-hacker-thwarting-ai/

  41. Tomi Engdahl says:

    Apple Lists APIs That Developers Can Only Use for Good Reason

    To boost user privacy, Apple is requiring app developers to declare a reason to use specific APIs.

    https://www.securityweek.com/apple-lists-apis-that-developers-can-only-use-for-good-reason/

  42. Tomi Engdahl says:

    Industry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday
    https://www.securityweek.com/industry-reactions-to-new-sec-cyber-incident-disclosure-rules-feedback-friday/

    Several industry professionals comment on the SEC’s new cybersecurity incident disclosure rules and their implications.

    The US Securities and Exchange Commission (SEC) has adopted new cybersecurity incident disclosure rules for public companies, but there is concern that the new rules could actually be helping cybercriminals.

    Publicly traded companies will be required to disclose security breaches that have a material impact within four business days, and regularly provide information on their risk management processes and practices.

    While some have applauded the SEC’s initiative, others are concerned that the disclosure requirements could actually help cybercriminals by providing them with information that they could leverage for hacking and extortion.

    Industry professionals have commented on various aspects of the new disclosure rules, including benefits, potential problems, and challenges for affected organizations.

  43. Tomi Engdahl says:

    The Good, the Bad and the Ugly of Generative AI

    Thinking through the good, the bad, and the ugly now is a process that affords us “the negative focus to survive, but a positive one to thrive.”

    https://www.securityweek.com/the-good-the-bad-and-the-ugly-of-generative-ai/

  44. Tomi Engdahl says:

    Government
    US, Australia Issue Warning Over Access Control Vulnerabilities in Web Applications
    https://www.securityweek.com/us-australia-issue-warning-over-access-control-vulnerabilities-in-web-applications/

    US and Australian government agencies provide guidance on addressing access control vulnerabilities in web applications.

    New guidance from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) warns developers, vendors, and organizations of access control vulnerabilities in web applications.

    Described as insecure direct object reference (IDOR) issues, they allow threat actors to read or tamper with sensitive data via application programming interface (API) requests that include the identifier of a valid user.

    These requests are successful because the authentication or authorization of the user submitting the request is not properly validated, the three agencies explain.

    IDOR vulnerabilities, the guidance notes, allow users to access data they should not be able to access either on the same privilege level or at a higher privilege level, to modify or delete data they should not be able to, or to access a function they should not be able to.

    The flaws can be triggered by modifying the HTML form field data in the body of a POST request, by modifying identifiers in URLs or cookies to the identifiers of other users, or by intercepting and modifying legitimate requests using web proxies.

    “These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers,” ACSC, CISA, and NSA say.

    Preventing Web Application Access Control Abuse
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-208a

    The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.

    These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.

    ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce prevalence of IDOR flaws and protect sensitive data in their systems.

    Reply
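    The IDOR pattern the advisory describes, as an added example (not code from the advisory, from CISA, or from the comment above): a constructed API handler that authenticates the caller but then trusts the user identifier taken from the URL, next to a version of the same route that enforces object-level authorization against the session identity. The record store, the session model and the route shape are assumptions made for the example.

```python
"""Added example modelling an IDOR flaw and its fix; not code from the
ACSC/CISA/NSA advisory. The data store, the session model and the route
GET /users/<path_user>/records/<record_id> are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample store: user id -> {record id: record contents}.
USER_RECORDS: Dict[str, Dict[int, str]] = {
    "alice": {101: "alice's lab results"},
    "bob": {202: "bob's invoice"},
}


@dataclass(frozen=True)
class Request:
    """Fields a handler sees for GET /users/<path_user>/records/<record_id>."""
    session_user: str   # identity established by a validated session/token
    path_user: str      # user identifier the caller placed in the URL
    record_id: int      # record identifier the caller placed in the URL


Response = Tuple[int, Optional[str]]  # (HTTP status code, response body)


def vulnerable_get_record(req: Request) -> Response:
    """IDOR: the caller is authenticated (a session exists), but the user
    whose data is returned is whatever identifier appeared in the URL.
    Any logged-in user can therefore read any other user's records."""
    if not req.session_user:
        return 401, None
    record = USER_RECORDS.get(req.path_user, {}).get(req.record_id)
    if record is None:
        return 404, None
    return 200, record


def safe_get_record(req: Request) -> Response:
    """Same route with object-level authorization: the authorization
    decision is made against the session identity, and a caller-supplied
    identifier that names a different user is refused before any lookup."""
    if not req.session_user:
        return 401, None
    if req.path_user != req.session_user:
        # Another user's resource was requested. Answering 404 instead of
        # 403 avoids confirming that the other identifier is valid; either
        # status is fine as long as no data is returned.
        return 404, None
    record = USER_RECORDS.get(req.session_user, {}).get(req.record_id)
    if record is None:
        return 404, None
    return 200, record


if __name__ == "__main__":
    # bob, logged in, asks for alice's record 101 through each handler.
    cross_user = Request(session_user="bob", path_user="alice", record_id=101)
    print("vulnerable:", vulnerable_get_record(cross_user))  # data leaks
    print("safe:      ", safe_get_record(cross_user))        # refused
```

    The important design point is where the user identity for the authorization decision comes from: the hardened handler never lets a value the client controls (URL path, form field, cookie value) decide whose data is served, which is exactly the class of check the advisory says is missing when IDOR requests succeed. In a real framework the same check belongs in a shared authorization layer so that every object-returning endpoint gets it, rather than in each handler by hand.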
  45. Tomi Engdahl says:

    Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ https://www.dhs.gov/news/2023/08/10/cyber-safety-review-board-releases-report-activities-global-extortion-focused

    Today, the U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) report summarizing the findings of its review into the activities associated with a threat actor group known as Lapsus$.

    The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs and outlined 10 actionable recommendations for how government, companies, and civil society can better protect against Lapsus$ and similar groups.

    Reply
  46. Tomi Engdahl says:

    CISA Director: US has lessons to learn about anticipating threats, disruption https://therecord.media/cisa-jen-easterly-black-hat-cyberthreats-resilience

    U.S. residents and businesses need to be better prepared for inevitable disruptions caused by cyberattacks, according to the head of the country’s cybersecurity agency.

    Speaking alongside Ukrainian cybersecurity chief Viktor Zhora at the Black Hat cybersecurity conference, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said Americans need to mirror Ukraine’s resilience in the face of an onslaught of damaging cyberattacks.

    “We know, given the state of networks today — the connectivity, the interdependence, the vulnerabilities that persist because technology is not secure by design — we are very likely to see attacks that cause great disruption, so [we are] learning from you about the resilience of cyber, operational resilience of cyber,” Easterly said before turning to Zhora.

    Reply
  47. Tomi Engdahl says:

    AI IS NOW BETTER THAN HUMANS AT SOLVING THOSE ANNOYING “PROVE YOU’RE A HUMAN” TESTS
    https://futurism.com/the-byte/ai-better-solving-captchas-prove-human

    Researchers have found that bots are shockingly good at completing CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), which are those small, annoying puzzles designed — ironically — to verify that you’re really human.

    Reply
