Cyber trends for 2023

1,768 Comments

1. September 20, 2023 at 10:02 am

   Tomi Engdahl says:

   Angela Fu / Poynter:
   A Las Vegas Review-Journal reporter and her colleagues faced social media attacks when users, including Elon Musk, distorted her coverage of a fatal hit-and-run — The Las Vegas Review-Journal is facing a harassment campaign stoked by Elon Musk, one year after a reporter was killed for his coverage.

   Reply
2. September 20, 2023 at 10:08 am

   Tomi Engdahl says:

   Angela Fu / Poynter:
   A Las Vegas Review-Journal reporter and her colleagues faced social media attacks when users, including Elon Musk, distorted her coverage of a fatal hit-and-run — The Las Vegas Review-Journal is facing a harassment campaign stoked by Elon Musk, one year after a reporter was killed for his coverage.

   A reporter made sure a retired police chief’s death didn’t go uncovered. Then social media attacked her.
   https://www.poynter.org/reporting-editing/2023/a-reporter-made-sure-a-retired-police-chiefs-death-didnt-go-uncovered-then-social-media-attacked-her/

   The Las Vegas Review-Journal is facing a harassment campaign stoked by Elon Musk, one year after a reporter was killed for his coverage.

   When retired police chief Andreas Probst was killed in a hit-and-run last month, Las Vegas Review-Journal crime reporter Sabrina Schnur was the first journalist to arrive on the scene.

   Schnur was also the first local reporter to talk to Probst’s family, penning an obituary to ensure that his widow’s and daughter’s voices would be heard.

   And she was the reporter who instructed a source with video footage of the killing to go to the police, just nine hours before police announced a murder charge in the case.

   But despite her work documenting Probst’s death, Schnur became the target of anti-Semitic attacks and death wishes over the weekend as social media users questioned why the “media” wasn’t properly covering the attack. Screenshots of the month-old obituary’s headline sparked outrage among readers who falsely assumed the Review-Journal was downplaying Probst’s death.

   The obituary originally ran on Aug. 18 with the headline “Retired police chief killed in bike crash remembered for laugh, love of coffee.” At that point, police did not yet know that the killing was intentional. Thirteen days later, on Aug. 31, a source approached Schnur with a video showing the driver in the crash intentionally hitting Probst and laughing about it with the passenger. She connected the source with the police, and the Review-Journal covered the subsequent murder charge.

   But when that video went viral over the weekend, social media users shared screenshots of the old obituary, taking issue with the phrase “bike crash.” They filled Schnur’s inbox and social media mentions with increasingly personal attacks and accused her of being anti-white. They shared her photo and made anti-Semitic comments. They circulated her office phone number and told her that they hoped she would get cancer, that they hoped she would die. They found her private social media accounts and dug through her Twitter, unearthing posts she’d made as a teenager, going as far back as 2015.

   “That’s what started to scare me — if they’re taking the time to go through my Twitter, what else are they taking the time to find on me?” Schnur said. “I started to piece together, OK, if I was going to just cyber stalk someone, what things would they be able to find on me? I started to feel genuinely unsafe at that point.”

   On Sunday morning, Elon Musk, the billionaire owner of X, formerly known as Twitter, amplified one of the screenshots, posting “An innocent man was murdered in cold blood while riding his bicycle. The killers joked about it on social media Yet, where is the media outrage? Now you begin to understand the lie.” That post had 68.2 million views as of Monday evening.

   A request for comment sent to X generated an automated email response.

   The Review-Journal’s social media accounts and other staff also received vicious attacks. When Schnur shared that she’d received 700 notifications on X and an onslaught of angry emails and voicemails, editors jumped in to support her and make sure she was safe.

   Executive editor Glenn Cook said that during his 30-plus years in journalism, he’d never seen vitriol of this volume or intensity. “It’s like a fire hose of hatred to the face,”

   In an attempt to slow the harassment, editors changed the Aug. 18 obituary’s headline — which Schnur did not write — so that it read “hit-and-run” instead of “bike crash.” The Review-Journal then published a story about the online harassment in an attempt to correct the record. Cook told staff scheduled to work on Sunday not to come into the office as a safety precaution.

   “We know firsthand that social media vitriol can turn into something worse,” Cook said. “That’s one of the takeaways from what we dealt with with Jeff German’s murder.”

   “I’m not going to stop writing because some people on Twitter are upset.”

   Reply
3. September 20, 2023 at 11:22 am

   Tomi Engdahl says:

   OT/IoT and OpenTitan, an Open Source Silicon Root of Trust
   A silicon root of trust (S-RoT) is designed to provide security to those parts of a device that can be attacked by a third party. The question remains, however: can the S-RoT itself be attacked?
   https://www.securityweek.com/ot-iot-and-opentitan-an-open-source-silicon-root-of-trust/

   OpenTitan is a project aimed at bringing the success of open source software to the silicon design space – specifically a silicon-level root of trust. The project achieved RTL Freeze in June 2023, and will be generating engineering sample silicon by the end of this year.

   The project is managed by LowRISC, a UK non-profit organization founded in the Cambridge University computer lab in 2014 by Dr Gavin Ferris and Prof Rob Mullins (who also co-founded the Raspberry Pi Foundation with Pi’s creator Eben Upton in 2008).

   LowRISC became steward of the OpenTitan project in March 2019, and has been working with partners including Google, Western Digital, Seagate and others.

   Reply
4. September 21, 2023 at 7:16 am

   Tomi Engdahl says:

   Nick Huber / Financial Times:
   Research: the global cyber workforce reached 4.7M in 2022 while still short by 3.4M; Statista: average salary for cyber professionals was between $120K-$150K

   Wanted: another 3mn cyber professionals
   Ever greater demand for security staff is increasing wage inflation and skills gaps
   https://www.ft.com/content/7c048b07-4e4b-4f54-8aa4-dcde1ee71a13

   Governments and companies are still struggling to find cyber security staff after more than a decade in which demand has outstripped supply, and sent wages spiralling higher.

   In 2022, the global shortage of cyber security professionals stood at 3.4mn, compared with a total cyber workforce of 4.7mn, according to research by ISC2, an association for cyber security professionals. The gap was particularly wide in the aerospace, government, education, insurance and transportation sectors, it found. To fill all the current vacancies, the workforce must grow by about 70 per cent, says ISC2 chief executive, Clar Rosso.

   And the biggest skills shortages were in soft skills — communicating and dealing with other people — and cloud computing, according to separate global research by Isaca, another IT security association.

   This inability to acquire and retain cyber security workers is already creating vulnerabilities in the private and public sectors. More than half of the respondents to ISC2 who reported workforce shortages said that staff deficits put their organisations at “moderate” or “extreme” risk of cyber attack.

   In response to the heightened threat, fresh recruitment initiatives have been launched. ISC2 is offering an “entry level” certification in cyber security — part of a wider plan by the US government to partner with organisations and fill hundreds of thousands of vacancies. At the same time, smaller schemes — through institutions such as Toronto Metropolitan University — are retraining “mid-career” workers in cyber security and helping them find jobs in the industry.

   However, despite these efforts to boost supply, competition to hire cyber security workers is still fierce — keeping salaries high. In 2022, average global salaries for cyber security professionals ranged between about $128,000 and $150,000, according to Statista, a research and data provider.

   In this buoyant market, job candidates can dictate their employment terms. “[They] can choose where they work, and when they work, and how they work,” says Karoli Hindriks, chief executive of Jobbatical, an AI-powered platform that helps tech workers relocate.

   Reply
5. September 21, 2023 at 11:24 am

   Tomi Engdahl says:

   These skills need not be cyber specific.

   Broad skills, such as business acumen and calmness under pressure, can be just as important in cyber security roles as technical skills, which candidates can be taught.

   However, despite signs that the pool of candidates for cyber security roles is widening, there is room for improvement. Tes.

   She feels this is a mistake. “The adversary [cyber security criminals] is diverse and, if we’re going to keep up, we need diversity of thought, diversity of skills, diversity of background,” Hopkins says.

   https://www.ft.com/content/7c048b07-4e4b-4f54-8aa4-dcde1ee71a13

   Reply
6. September 21, 2023 at 11:58 am

   Tomi Engdahl says:

   BBC:
   After Meta criticized the UK’s potential E2EE rules, the UK says Meta “failed to provide assurances” over keeping its platforms “safe from sickening abusers”

   Braverman and Facebook clash over private message plans
   https://www.bbc.com/news/technology-66854622

   Facebook’s owner Meta has hit back at a government campaign strongly critical of its plans to encrypt messages.

   Protecting messages with end-to-end-encryption would mean that they could only be read by sender and recipient.

   Home Secretary Suella Braverman said encryption could not come at the cost of children’s safety, amid fears it can be used to conceal child abuse.

   Meta argues that encryption protects users from invasion of privacy.

   “We don’t think people want us reading their private messages”, the firm said.

   “The overwhelming majority of Brits already rely on apps that use encryption to keep them safe from hackers, fraudsters and criminals”, it added.

   Ms Braverman set out her concerns to Meta in a letter co-signed by technology experts, law enforcement, survivors and leading child safety charities in July.

   Reply
7. September 22, 2023 at 7:09 am

   Tomi Engdahl says:

   NCSC-UK:] Building on our history of cryptographic research https://www.ncsc.gov.uk/blog-post/building-on-our-history-cryptographic-research

   We’ve just published a paper for the cryptographic community in which we release two new designs for cryptographic algorithms known as block cipher modes of operation, or ‘modes’. We’re also sharing the supporting security analysis and design rationale. We’ve named the new modes GLEVIAN and VIGORNIAN*.

   Reply
8. September 22, 2023 at 7:09 am

   Tomi Engdahl says:

   Quantum Resistance and the Signal Protocol https://signal.org/blog/pqxdh/

   Today we are happy to announce the first step in advancing quantum resistance for the Signal Protocol: an upgrade to the X3DH specification which we are calling PQXDH. With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards.

   Reply
9. September 22, 2023 at 7:10 am

   Tomi Engdahl says:

   CISA’s catalog of must-patch vulnerabilities crosses the 1,000 bug mark after
   2 years
   https://therecord.media/cisa-known-exploited-vulnerability-catalog-passes-1000

   CISA officials explained in a statement this week that the list was created in
   2021 primarily because there are too many vulnerabilities for defenders to patch – there were more than 25,000 new bugs released in 2022 alone.

   “The purpose of the KEV is simple: while focusing on vulnerabilities that have been exploited isn’t sufficient, it’s absolutely necessary – so let’s start there,” they said. “Every organization should be prioritizing mitigation of KEVs as part of a vulnerability management program that enables prioritization based on organizational attributes such as how a vulnerable product is being used and the exploitability of the relevant system.”

   Reply
10. September 22, 2023 at 7:10 am

    Tomi Engdahl says:

    India’s biggest tech centers named as cyber crime hotspots https://www.theregister.com/2023/09/21/india_cybercrime_trends_report/

    India is grappling with a three-and-a-half year surge in cyber crime, with analysis suggesting cities like Bengaluru and Gurgaon – centers of India’s tech development – are also hubs of evil activity.

    The report – A Deep Dive into Cybercrime Trends Impacting India from the non-profit Future Crime Research Foundation (FCRF) – identified cyber crime hot spots, as well as the most popular types of infosec assaults, from January
    2020 until June 2023.

    Report at
    https://drive.google.com/file/d/192gIh708WWTmXzrBoqqxhe7wa0IAPXXl/view?pli=1

    Reply
11. September 22, 2023 at 7:11 am

    Tomi Engdahl says:

    2023 Unit 42 Attack Surface Threat Report Highlights the Need for ASM https://www.paloaltonetworks.com/blog/2023/09/attack-surface-threat-report-highlights-need-for-asm/

    Most organizations have an attack surface management problem, and they don’t even know it, because they lack full visibility of the various IT assets and owners. One of the biggest culprits of these unknown risks are remote access service exposures, which made up nearly one out of every five issues we found on the internet. Defenders need to be vigilant, because every configuration change, new cloud instance or newly disclosed vulnerability begins a new race against attackers.

    Today’s attackers can scan the entire IPv4 address space for vulnerable targets in minutes. Of the 30 common vulnerabilities and exposures (CVEs) analyzed, three were exploited within hours of public disclosure and 63% were exploited within 12 weeks of the public disclosure. Of the 15 remote code execution (RCE) vulnerabilities analyzed by Unit 42, 20% were targeted by ransomware gangs within hours of disclosure, and 40% of the vulnerabilities were exploited within 8 weeks of publication.

    80% of security exposures are present in cloud environments compared to on-premises at 19%. Cloud-based IT infrastructure is always in a state of flux, changing by more than 20% across every industry every month. Nearly 50% of high-risk, cloud-hosted exposures each month were a result of the constant change in cloud-hosted new services going online and/or old ones being replaced. Over 75% of publicly accessible software development infrastructure exposures were found in the cloud, making them attractive targets for attackers.

    Over 85% of organizations analyzed had Remote Desktop Protocol (RDP) internet-accessible for at least 25% of the month, leaving them open to ransomware attacks or unauthorized login attempts.

    Reply
12. September 22, 2023 at 7:12 am

    Tomi Engdahl says:

    Singapore may split liability for phishing losses between banks and victims https://www.theregister.com/2023/09/20/singapore_phishing_split_fraud/

    Singapore officials announced on Monday that next month they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses flowing from scams.

    Reply
13. September 22, 2023 at 7:12 am

    Tomi Engdahl says:

    FCC plays whack-a-mole with telcos accused of profiting from robocalls https://arstechnica.com/tech-policy/2023/09/fcc-plays-whac-a-mole-with-telcos-accused-of-profiting-from-robocalls/

    One Owl Telecom is a US-based gateway provider that routes phone calls from outside the US to consumer phone companies such as Verizon. “Robocalls on One Owl’s network apparently bombarded consumers without their consent with prerecorded messages about fictitious orders,” the Federal Communications Commission said yesterday.

    On August 1, the FCC sent One Owl a Notification of Suspected Illegal Robocall Traffic ordering it to investigate robocall traffic identified by USTelecom’s Industry Traceback Group, block all of the identified traffic within 14 days, and “continue to block the identified gateway traffic as well as substantially similar traffic on an ongoing basis.”

    “One Owl faces a simple choice—comply or lose access to US communications networks,” FCC Enforcement Bureau Chief Loyaan Egal said in a press release.

    Reply
14. September 22, 2023 at 7:12 am

    Tomi Engdahl says:

    P2PInfect botnet activity surges 600x with stealthier malware variants https://www.bleepingcomputer.com/news/security/p2pinfect-botnet-activity-surges-600x-with-stealthier-malware-variants/

    The P2PInfect botnet worm is going through a period of highly elevated activity volumes starting in late August and then picking up again in September 2023.

    Cado Security researchers who have been following the botnet since late July 2023, report today seeing global activity, with most breaches impacting systems in China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan.

    Reply
15. September 22, 2023 at 12:13 pm

    Tomi Engdahl says:

    https://etn.fi/index.php/13-news/15333-mistae-tietaeae-ettae-aelypuhelintasi-vakoillaan

    Reply
16. September 23, 2023 at 1:04 pm

    Tomi Engdahl says:

    The entire point of the CVE system is to identify the origin of a vulnerability so anyone making or using software downstream from the origin can easily tell if they’re vulnerable. And if the CVEs cover the same underlying vulnerability, the teams involved in its discovery should have coordinated and made that clear.

    Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters
    No one mentioned that libwebp, a library found in millions of apps, was a 0-day origin.
    https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/?utm_source=facebook&utm_brand=ars&utm_social-type=owned&utm_medium=social&fbclid=IwAR0adkCktQ_P1gH5jQEurWump7XTHgSFF8JWu3EdY9pipu2zOJW2eOHz4Do

    Incomplete information included in recent disclosures by Apple and Google reporting critical zero-day vulnerabilities under active exploitation in their products has created a “huge blindspot” that’s causing a large number of offerings from other developers to go unpatched, researchers said Thursday.

    Two weeks ago, Apple reported that threat actors were actively exploiting a critical vulnerability in iOS so they could install espionage spyware known as Pegasus. The attacks used a zero-click method, meaning they required no interaction on the part of targets. Simply receiving a call or text on an iPhone was enough to become infected by the Pegasus, which is among the world’s most advanced pieces of known malware.

    Four days later, Google reported a critical vulnerability in its Chrome browser. The company said the vulnerability was what’s known as a heap buffer overflow that was present in WebP. Google went on to warn that an exploit for the vulnerability existed in the wild. Google said that the vulnerability, designated as CVE-2023-4863, was reported by the Apple Security Engineering and Architecture team and Citizen Lab.

    On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images.

    Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems that developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that’s under active exploitation.

    “Since the vulnerability is scoped under the overarching product containing the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products,” Rezillion researchers Ofri Ouzan and Yotam Perkal wrote. “This creates a HUGE blindspot for organizations blindly relying on the output of their vulnerability scanner.”

    Google has further come under criticism for limiting the scope of CVE-2023-4863 to Chrome rather than in libwebp. Further, the official description describes the vulnerability as a heap buffer overflow in WebP in Google Chrome.

    In an email, a Google representative wrote: “Many platforms implement WebP differently. We do not have any details about how the bug impacts other products

    The representative noted that the WebP image format is mentioned in its disclosure and the official CVE page. The representative didn’t explain why the official CVE and Google’s disclosure did not mention the widely used libwebp library or that other software was also likely to be vulnerable.

    The Google representative didn’t answer a question asking if CVE-2023-4863 and CVE-2023-41064 stemmed from the same vulnerability.

    The number of apps, frameworks, code libraries, and other packages that incorporate libwebp and have yet to receive a patch is unknown. While Microsoft patched CVE-2023-4863 in its Edge browser, the company confirmed in an email on Thursday that other vulnerable products and code packages had yet to be patched.

    Microsoft offerings known to remain vulnerable are Teams, a widely used collaboration platform, and the developer tool Visual Studio Code.

    Both products are built on the Electron framework, which was also affected by CVE-2023-4863.

    The number of affected software packages is too large to check all of them.

    Reply
17. September 25, 2023 at 8:25 am

    Tomi Engdahl says:

    AI-generated books force Amazon to cap e-book publications to 3 per day https://arstechnica.com/information-technology/2023/09/ai-generated-books-force-amazon-to-cap-ebook-publications-to-3-per-day/

    On Monday, Amazon introduced a new policy that limits Kindle authors from self-publishing more than three books per day on its platform, reports The Guardian. The rule comes as Amazon works to curb abuses of its publication system from an influx of AI-generated books.

    Since the launch of ChatGPT, an AI assistant that can compose text in almost any style, some news outlets have reported a marked increase in AI-authored books, including some that seek to fool others by using established author names. Despite the anecdotal observations, Amazon is keeping its cool about the scale of the AI-generated book issue for now. “While we have not seen a spike in our publishing numbers,” they write, “in order to help protect against abuse, we are lowering the volume limits we have in place on new title creations.”

    Reply
18. September 25, 2023 at 10:10 am

    Tomi Engdahl says:

    ”Perusoikeudet romukoppaan” – EU:n aikomus vakoilla kaikkea viestiliikennettä saa raskasta kritiikkiä
    https://www.kauppalehti.fi/uutiset/perusoikeudet-romukoppaan-eun-aikomus-vakoilla-kaikkea-viestiliikennetta-saa-raskasta-kritiikkia/6c311186-7ac8-4a17-82a9-53277909e719

    Tietoliikenteen ja tietotekniikan keskusliitto Ficom kritisoi Euroopan komission asetusehdotusta lapsiin kohdistuvan seksuaaliväkivallan ehkäisyä ja torjuntaa koskevista säännöistä.

    ”Tämä johtaisi vakavaan perus- ja ihmisoikeuksien rajoitukseen sekä rajoittaisi muiden oikeutettujen tavoitteiden, kuten tietoturvan, varmistamista”, Ficomin lakimies Asko Metsola kirjoittaa.

    Euroopan parlamentin oma ylimääräinen vaikutustenarviointi on Ficomin kanssa samoilla linjoilla, Ficom kertoo.

    Reply
19. September 25, 2023 at 10:13 am

    Tomi Engdahl says:

    Käytetyn auton ostaja osaa vaatia avaimia, mutta auton sovelluksen poistaminen entisen omistajan puhelimesta ei välttämättä tule mieleen
    https://yle.fi/a/74-20049325

    EU:n tietosuojaviranomaiset käsittelevät useassa maassa autojen sovelluksista tehtyjä kanteluja. Yhdessä tapauksessa vanhalla omistajalla oli edelleen pääsy myymänsä auton tietoihin sovelluksessa.

    Sähköistymisen myötä autojen omat sovellukset ovat yleistyneet vauhdilla.
    Puhelin on kätevä laite latauksen hallinnointiin ja seurantaan.

    Mutta ovat sovellukset yleistyneet myös polttomoottorilla varustettujen autojen kohdalla. Autoliike Deltan toimitusjohtaja Pekka Pättiniemi arvioi, että tällä hetkellä kaikissa keskihintaisissa ja sitä kalliimmissa uusissa autoissa on jo oma sovellus.

    – Yleisin käytetty yhdistettävyysominaisuus on lämmityksen laittaminen päälle etänä. Toinen on lukituksen varmistaminen. Ja sitten on auton sijainnin seuranta, Pättiniemi kertoo.

    Kaikki nämä ominaisuudet ovat hyödyllisiä – etenkin silloin, kun sovellus on liitetty omaan autoon.

    Viime vuosina internetin keskustelupalstoilta on voinut lukea tapauksista, joissa käytettynä myydyn auton tiedot ovat unohtuneet edellisen omistajan sovellukseen. Tällaisissa tapauksissa vanha omistaja on voinut seurata auton liikkeitä ja halutessaan säätää asetuksia.

    – Jos uusi omistaja ei tiedä ominaisuudesta, eikä huomaa siirtää sitä omalle puhelimelleen, niin silloin näin voi käydä, Pättiniemi sanoo.

    Reply
20. September 25, 2023 at 10:16 am

    Tomi Engdahl says:

    Evasive Gelsemium hackers spotted in attack against Asian govt https://www.bleepingcomputer.com/news/security/evasive-gelsemium-hackers-spotted-in-attack-against-asian-govt/

    A stealthy advanced persistent threat (APT) tracked as Gelsemium was observed in attacks targeting a Southeast Asian government that spanned six months between 2022 and 2023.

    Gelsemium is a cyberespionage group operational since 2014, targeting government, education, and electronic manufacturers in East Asia and the Middle East.

    Reply
21. September 25, 2023 at 11:33 am

    Tomi Engdahl says:

    What is DNS Rebinding Attack?
    https://hackersonlineclub.com/what-is-dns-rebinding-attack/

    What is DNS Rebinding Attack? And How it Works And Protection?
    DNS rebinding is a form of computer attack or can say domain name computer based attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.
    A DNS rebinding attack uses JavaScript in a malicious Web page to gain control of a router.
    DNS rebinding attack can be used to breach a private network by causing the victim’s web browser to access machines at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks or other malicious activities.
    Cybercriminal can also do DNS rebinding attack through Malicious advertising and then they can access private information on the network.
    How DNS Rebinding works?
    The attacker registers a domain (such as anydomain.com) and delegates it to a DNS server under the attacker’s control. The server is configured to respond with a very short time to live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker’s DNS server first responds with the IP address of a server hosting the malicious client-side code.
    For instance, they could point the victim’s browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim’s computer.
    The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim’s browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.
    How can we Protect Themselves?
    The following techniques attempt to prevent DNS rebinding attacks:
    1. Always use a strong password for your router.
    2. To Disable admin access console to your router from any external network.
    3. Web browsers can implement DNS pinning: the IP address is locked to the value received in the first DNS response.
    4. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is important to fail safe (stop rendering) if the IP address does change, because using an IP address past the TTL expiration can open the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.
    5. Private IP addresses can be filtered out of DNS responses.
    6. External public DNS servers with this filtering e.g. OpenDNS.
    7. Local sysadmins can configure the organization’s local nameservers to block the resolution of external names into internal IP addresses. This has the downside of allowing an attacker to map the internal address ranges in use.
    8. DNS filtering in a firewall or daemon e.g. dnswall.
    9. Web servers can reject HTTP requests with an unrecognized Host header.
    10. The Firefox NoScript extension provides partial protection (for private networks)
    11. It was first discovered in 1996 and affected Java Virtual Machine.

    Reply
22. September 25, 2023 at 11:51 am

    Tomi Engdahl says:

    ZTNA’s untapped potential to both reduce cyber risk and empower businesses to:
    • Provide slick experiences to even your riskiest users like contractors, temporary hires, and developers
    • Maintain continuity during critical junctures like M&A and cloud migrations
    • Roll out phishing-resistant MFA (like hard keys) everywhere to everyone
    • Set the groundwork for a whole roadmap of security use cases even after that VPN is (mostly) gone

    Reply
23. September 25, 2023 at 11:55 am

    Tomi Engdahl says:

    IPv6 represents 20% of reported malicious IPs, reports recent CrowdSec research. With such rapid high adoption, it was inevitable that IPv6 eventually started registering on cybersecurity radars.

    Reply
24. September 25, 2023 at 12:00 pm

    Tomi Engdahl says:

    AI Is Now Better Than Humans at Solving Those Annoying “Prove You’re a Human” Tests
    https://futurism.com/the-byte/ai-better-solving-captchas-prove-human
    Researchers have found that bots are shockingly good at completing CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), which are those small, annoying puzzles designed — ironically — to verify that you’re really human.
    In fact, as the team led by Gene Tsudik at the University of California, Irvine discovered, the bots are actually way better and faster at solving these tests than us, a worrying sign that the already-aging tech is on its way out.

    Reply
25. September 25, 2023 at 1:55 pm

    Tomi Engdahl says:

    DHS Publishes New Recommendations on Cyber Incident Reporting
    https://www.securityweek.com/dhs-publishes-new-recommendations-on-cyber-incident-reporting/

    DHS has published a new set of recommendations to help federal agencies better report cyber incidents and protect critical infrastructure.

    The US Department of Homeland Security (DHS) on Tuesday published a new document containing recommendations on how federal agencies can streamline cyber incident reporting, to help protect critical infrastructure entities.

    Titled Harmonization of Cyber Incident Reporting to the Federal Government (PDF), the document offers a definition of reportable cyber incidents and of reporting timeline, and recommends the adoption of a model reporting form within federal agencies.

    Additionally, the document details when incident reporting might be delayed, including situations when this action would pose a risk to “critical infrastructure, national security, public safety, or an ongoing law enforcement investigation”.

    https://www.dhs.gov/sites/default/files/2023-09/DHS%20Congressional%20Report%20-%20Harmonization%20of%20Cyber%20Incident%20Reporting%20to%20the%20Federal%20Government.pdf

    Reply
26. September 25, 2023 at 1:57 pm

    Tomi Engdahl says:

    From Audit to Assurance: Pixelle’s OT Security Triumph with TXOne Security Inspection
    https://www.txone.com/case-studies/pixelle-ot-security-triumph-with-txone-security-inspection/?utm_source=SecurityWeek&utm_medium=paid&utm_campaign=SW%20eblast&utm_content=

    Paper manufacturer, Pixelle Specialty Solutions, had been requested by their insurance carrier to meet new OT security requirements as part of an audit that would help determine their premiums.

    “TXOne was the first solution we found, and frankly, I couldn’t find much competition,” said Mr. Long. “We explained to the insurance company what the portable security devices did and how they worked. And they basically said, ‘Well, that satisfies our requirements,’ and they checked them off.”

    Security Inspection
    Ensure asset integrity with rapid, installation-free asset and device scans, allowing for defense of air-gapped environments and improved supply chain security.
    https://www.txone.com/products/security-inspection/

    The OT zero trust-based malware inspection and cleanup tool that prevents insider threat and supply chain attacks
    OT zero trust begins the moment a device enters your work site, be it for onboarding or in the hands of trusted personnel. Put a stop to insider threat and prevent supply chain attacks by flexibly securing integrity from the very beginning of the asset life cycle.

    Even after onboarding, some endpoints – air-gapped and stand-alone assets – continue to require specialized protection. Many of them are highly sensitive and cannot accept installation or changes to their configurations. Portable Inspector provides all this with no installation required.

    To eliminate the shadow OT, asset information will be collected during every scan and sent to the central management console where it’s easily reviewed and archived. All of Portable Inspector’s scans are centrally logged for easy reference, alongside the asset inventory it creates during scans that is, like the rest of its features, specifically designed to ease compliance with regulations.

    Portable Inspector’s convenient USB form-factor is easy even for non-experts to use, with LED lights that show the inspection result after scanning either Windows or Linux devices. This installation-free device’s portability and user-friendliness are tailored to the fast-moving needs of ICS environments.

    Leaders in Aerospace and Transportation use Portable Inspector to protect stand-alone and mobile assets from malware.
    Organizations in the Pharmaceutical, Chemical, and Medical industries use Portable Inspector to scan highly-sensitive mission-critical devices that cannot accept installations.
    Semiconductor and Automotive organizations use Portable Inspector to streamline the audits that are necessary to comply with industry regulations.

    Reply
27. September 25, 2023 at 2:00 pm

    Tomi Engdahl says:

    CLOUD SECURITY
    Intel Launches New Attestation Service as Part of Trust Authority Portfolio
    Intel announces general availability of attestation service that is part of Trust Authority, a new portfolio of security software and services.
    https://www.securityweek.com/intel-launches-new-attestation-service-as-part-of-trust-authority-portfolio/

    Reply
28. September 25, 2023 at 2:02 pm

    Tomi Engdahl says:

    MANAGEMENT & STRATEGY
    Staying on Topic in an Off Topic World
    https://www.securityweek.com/staying-on-topic-in-an-off-topic-world/

    Learning how to keep discussions on-topic is an important skill for security professionals to learn, and it can allow them to continue to improve their security programs.

    Have you ever been in a meeting where someone keeps taking the discussion off topic? Have you ever tried to get answers to straightforward questions when speaking with someone, only to have them constantly going off on what seem to be tangents? Have you ever been part of an email thread or chat group where the discussion just seems to go around in circles?

    We might not want to believe it, but this is often a tactic employed by certain personality types. In other words, it is seldom the case that a person cannot focus or is scatter-brained. Rather, it is far more likely that they are deliberately trying to derail what should be a relatively straightforward discussion.

    You might ask why a person would do this. Different people have different motivations, but typically people do this for one of the following reasons:

    They are looking for control/power (knowledge is power after all)
    They are looking to hide information (perhaps because they are embarrassed by something or perhaps because it undermines an ulterior motive they have)
    They do not know the answer but do not want to admit to that
    They do not want to accept responsibility for a poor decision or a mistake they may have made
    They are looking to avoid being exposed for having lied and/or hidden information in the past

    Here are five tips for dealing with this a person who keeps getting off-topic in order to keep your security program on track:

    Remove emotion: One of the tricks that these types of people employ is to try and tug at your emotions. They may try to make you feel guilty for wanting to stay on-topic.

    Do not engage: One of the most successful tactics that off-topic people use is to entice their “opponents” to engage. If you are trying to keep a discussion on-topic and someone tries to derail that discussion, politely but firmly casting that derailment aside and getting back on-topic is highly effective.

    Stay on-topic: Even the most upstanding security professionals who have the best intentions can get off-topic from time to time. Set clear goals and desired outcomes at the beginning of each meeting, email thread, chat, and discussion. Resist the temptation to digress and to add in excessive details that don’t add value or don’t help move things along.

    Stick to facts: Sticking to facts is critical. All it takes is for an on-topic person to slip up once. If we throw in one point that isn’t fact-based, the off-topic person will seize the opportunity and use it to twist the discussion and accuse us of misleading others (or perhaps something else). Then the discussion becomes about that, rather than the issue at hand. It simply isn’t worth it – it is far better to rely on facts.

    Choose your battles: As security professionals, we’re very analytical. While it may be tempting to refute every claim and statement with evidence that counters it, it is not smart to do that. It is best to stick to the important points. Understand which battles are worth fighting and which ones can be let go for the time being. A big part of keeping matters on-topic is knowing when attempting to set the record straight will serve no other purpose other than to play into what the off-topic person wants. Namely, to further derail the discussion. This is a tough one to adhere to, but it is an important one.

    Reply
29. September 25, 2023 at 2:18 pm

    Tomi Engdahl says:

    OT Cybersecurity Insurance: Present Landscape and Future Outlook
    https://www.txone.com/blog/ot-cybersecurity-insurance/?utm_source=SecurityWeek&utm_medium=paid&utm_campaign=SW%20eblast&utm_content=

    Cybersecurity insurance is an essential part of OT cybersecurity risk management
    From a cybersecurity perspective, there are only two types of companies: those that have been hacked and those that will be hacked. As for corporate risk managers, apprehending and addressing all the threats leveled at targets may pose a challenge. In the worst-case scenario, if all defenses fail, cybersecurity insurance can be used to cover losses, as it also aids organizations in disaster recovery. Cybersecurity insurance is often viewed as a risk transfer strategy, a trend of mitigation that is steadily being adopted in the OT field. Data from the cybersecurity insurance market corroborates our observation that companies are now recognizing the strategic importance of OT cybersecurity insurance.

    Traditionally, IT cybersecurity concerns centered around safeguarding third-party data and privacy liabilities. However, the landscape has evolved, with recent cybersecurity incidents indicating a significant shift towards first-party threats such as ransom demands, business disruptions, harm to reputation, and even physical harm. Ransomware has become the weapon of choice for attacking OT environments, and threat actors can now purchase plug-and-play ransomware kits available on the “dark web,” contributing to the proliferation of incidents through what is known as Ransomware-as-a-Service (RaaS). This surge in ransomware could result in more targeted attacks against businesses, particularly vulnerable small and medium-sized enterprises. Should these businesses holding sensitive data be attacked, they would face longer downtime, higher business interruption costs, increased litigation, and regulatory penalties.

    According to a report by Guidehouse Insights, electric utilities in 2022 saw a 25-30% increase in premiums for cyber insurance. In contrast, other types of energy companies in the commercial insurance sector experienced more than a doubling of their premiums. Furthermore, Guidehouse predicts that by 2030, the global cyber insurance market for energy will grow from $102 million in 2021 to $442 million, boasting a compound annual growth rate (CAGR) of 17.7%. The firm also warned that power plants might encounter the most significant hikes in premium rates. Beyond utilities, we believe that the surging demand for OT insurance could extend to other industries, including transportation, critical manufacturing, chemicals, aerospace, and more. While the OT cybersecurity insurance market remains relatively small, its rapid growth means many managers are beginning to recognize its value in their OT cybersecurity strategy.

    Reply
30. September 25, 2023 at 2:31 pm

    Tomi Engdahl says:

    Gartner® Report: Innovation Insight for Cyber-Physical Systems Protection Platforms
    “(CPS) asset-centric security is evolving, anchored by a new set of CPS protection platform vendors”
    https://xage.com/gartner-report-innovation-insight-for-cyber-physical-systems-protection-platforms/?utm_campaign=FY22%20ZTRA%20Campaign%20-%20Oct%202022&utm_medium=email&_hsmi=243056682&_hsenc=p2ANqtz-_40gnsypBWOp3yiNzVYPM950J_5n6nT8zjeD7ptx8aGroEsIbdHowQtXLbHUFxkioaqHqASkk08CdGu71zQqBFbAjGtZY3SkMyy9ia5zZ_1lASCls&utm_content=243056682&utm_source=hs_automation

    Gartner states that security by obscurity mindset is no longer acceptable for operational security as ransomware attacks now bring entire plants or pipelines down. And traditional IT security tools do not work in environments with unique protocols where safety and resilience are paramount.

    Key findings highlighted in this report:

    “The changing technology and threat landscape is forcing security and risk management leaders to think about security differently when it comes to cyber-physical systems.
    Beyond “security by obscurity” and network-centric security based on firewalls and segmentation, an asset-centric view of CPS security is emerging.
    This new view is enabled by a new type of security solution that starts with asset discovery and wraps additional security features around these assets. This is all deployed in a platform environment that can feed other enterprise security tools.”

    Reply
31. September 26, 2023 at 6:09 am

    Tomi Engdahl says:

    Ovatko tietosi pimeässä verkossa? Uusi maksullinen työkalu lupaa löytää ne – toimii myös Suomessa https://www.tivi.fi/uutiset/tv/8bc6bfd9-ba76-44c3-aff4-225385754b8d

    On olemassa useita palveluja, jotka varoittavat käyttäjäänsä, jos tämän tiedot ovat vuotaneet tietomurron seurauksena. Esimerkiksi Troy Huntin perustama Have I Been Pwned? -sivusto täyttää tänä vuonna kymmenen vuotta, ja siihen nojaa myös vuonna 2018 aloittanut Mozillan Firefox Monitor -palvelu.

    Alkuvuonna 2023 palveluiden keskuuteen saapui uusi tulokas Googlen oman Dark web -raportin muodossa. Kesän päätteeksi se tuli myös suomalaisten ulottuville.

    Google-tilin omistajana pääsee halutessaan tarkistamaan milloin tahansa, onko oma sähköpostiosoite päätynyt pimeään verkkoon. Muiden tietojen esiintymistä pimeässä verkossa pääsee tutkimaan vain maksullisella Google One -tilauksella.

    Reply
32. September 26, 2023 at 7:42 am

    Tomi Engdahl says:

    Navigating the Digital Frontier in Cybersecurity Awareness Month 2023
    https://www.securityweek.com/navigating-the-digital-frontier-in-cybersecurity-awareness-month-2023/

    ZTNA stands out as a solution that enables organizations to minimize their attack surface while ensuring the productivity and security of their remote workforce.

    This October will mark the 20th anniversary of Cybersecurity Awareness Month, a pivotal initiative launched under the guidance of the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA). It’s primary goal is to empower Americans with knowledge that enables them to stay safe and secure online.

    In the spirit of reflection, this year’s campaign theme, “20 Years of Cybersecurity Awareness Month”, takes a critical look at the evolution of security education and awareness, while also examining the path ahead in securing our interconnected world. This year’s NCSA campaign will put a spotlight on crucial cybersecurity practices, including the importance of regularly updating software, recognizing and reporting phishing attempts, enabling multi-factor authentication (MFA), using strong passwords, and employing password managers. While these fundamentals are undeniably vital, organizations must recognize the need to go beyond them to fortify their cyber resilience.

    Hackers often choose the path of least resistance, typically targeting the weakest link in the cybersecurity chain—humans. As a result, a significant number of data breaches today stem from credential harvesting campaigns, often followed by credential stuffing attacks. Once attackers infiltrate a network, they can laterally traverse it, seeking privileged accounts and credentials that provide access to an organization’s most sensitive data and critical infrastructure. Consequently, it comes as no surprise that IBM Security’s Cost of Data Breach Report for 2023 identifies stolen or compromised credentials as the most common initial attack vector, accounting for 15% of data breaches.

    Reply
33. September 26, 2023 at 7:43 am

    Tomi Engdahl says:

    Cyberwarfare
    China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
    https://www.securityweek.com/chinas-offensive-cyber-operations-in-africa-support-soft-power-efforts/

    Chinese state-sponsored threat groups have targeted telecoms, financial and government organizations in Africa as part of soft power efforts.

    Chinese state-sponsored threat groups have targeted telecommunications, financial and government organizations in Africa in support of Beijing’s soft power agenda in the region, according to SentinelOne.

    Earlier this year, SentinelOne reported seeing a Chinese cyberespionage group targeting telecoms providers in the Middle East as part of an operation dubbed Tainted Love.

    The cybersecurity firm revealed on Thursday that the same threat actor, which could be linked to China’s APT41 group, has also been observed targeting a North African telecommunications organization as part of what appears to be an operation supporting China’s soft power efforts.

    “The timing of this activity aligned closely with Chinese telecommunication soft power interests in Africa, as the organization was in private negotiations for further regional expansion in areas. Strategic objectives in such intrusions highlight interest from China in internal business knowledge on negotiations, providing competitive advantage, or prepositioning for retained technical access for intelligence collection,” SentinelOne noted.

    Reply
34. September 26, 2023 at 7:56 am

    Tomi Engdahl says:

    ICS/OT
    Every Network Is Now an OT Network. Can Your Security Keep Up?
    https://www.securityweek.com/every-network-is-now-an-ot-network-can-your-security-keep-up/

    Many previously isolated OT networks, like manufacturing, processing, distribution, and inventory management, have now been woven into larger IT networks.

    Every network today is now an OT network. Or it will be soon. Of course, part of this transformation is due to the ongoing convergence of OT and IT networks. As many of us have experienced, previously isolated OT networks, like manufacturing, processing, distribution, and inventory management, have now been woven into our larger IT networks. This integration enables better controls, more responsiveness, broad interconnectivity for better communication, and seamless resource expansion, distribution, and redistribution. It also introduces new security risks.

    But that’s just half the story. Modern enterprise IT networks must now include smart, energy-efficient physical resources. Fortinet’s new carbon-neutral campus, for example, includes integrated OT smart building elements like automated lighting, windows, shades, HVAC systems, and a wide variety of headless IoT devices—and we have had to integrate all of them into our IT network fully. As a result, our network, like many of yours, now faces many of the same challenges that industrial environments have experienced for years. These issues are compounded further in extended environments like smart cities or organizations with multiple smart campus environments.

    And as more and more of your business operations are digitized, securing such complex, hybrid network environments will only become increasingly challenging. Add things like mobile workers, cloud-based services and resources, edge computing, and essential business applications like streaming video, and the legacy security solutions and strategies you have in place will inevitably begin to create bottlenecks and gaps in your protection—if they haven’t already.

    Securing today’s expanding hybrid networks requires a holistic approach, beginning with rethinking how and where security is implemented. Here are five things your organization needs to consider before you spend another dollar on expanding your legacy security toolset.

    Start with a universal, integrated security platform. Most organizations have dozens of point security solutions deployed across their distributed network that struggle to share real-time threat information and coordinate an effective response. Visibility and control are essential to effective security, but as networks expand, they struggle to keep up

    Use security tools designed to operate as a single system. Your security platform must include a portfolio of security technologies designed to serve as a single, integrated solution. A centralized, single-pane-of-glass management system, consistent policy deployment and enforcement, the sharing of real-time threat intelligence, and the ability to operate natively in any cloud environment should be table stakes for designing and implementing a modern network security system. This includes solutions designed specifically for OT environments, including ruggedized systems, OT-specific modules, and deep interoperability with OT systems.

    Converge your network and security. Many legacy systems treat networking and security as siloed functions, but it’s critical to build infrastructure and leverage solutions that bring security and networking together, meaning they have critical security functionality woven directly into their operations or, better yet, have been built on a security platform. Networking equipment that can implement security elements natively and in concert with the larger security posture ensures that IoT and OT devices connect to the network with the appropriate security context. For example, Secure SD-WAN converges security and networking functions to ensure optimal user experience without sacrificing security. Additionally, organizations can route traffic from IoT and OT devices for security checks in the cloud via SSE or SASE points of presence. This seamless convergence of networking and security means all devices, even those without an agent, connect securely.

    Implement zero trust everywhere. One of the biggest risks of legacy network environments is that they were often built around an implicit trust model. Automatically trusting traffic that has passed through a demarcation point is a recipe for disaster, especially with highly mobile users and devices and widely deployed applications and other resources. Zero trust takes the opposite approach where every user, device, and application must be authenticated per session, are only granted access to the resources needed to do their job, and are monitored end to end to detect any deviations from their sanctioned behavior. Going a step further, universal zero trust network access, which applies the same principles to remote and on-premises users and devices, is the best way to ensure the same access controls are applied to any connection, regardless of location.

    Use AI. But you need to understand it before you buy it. AI is the new buzzword in security and networking. It can potentially detect complex threats before they launch, fix misconfigurations, take on manual tasks to free up IT staff to work on higher-order issues, reduce the time to detect and respond to breaches, and much more. But there is remarkably little consistency in what vendors mean when they slap an AI label on their product.

    Networks are undergoing the most rapid transformation in their history. And for a long time, we’ve been advising IT leaders that their security must keep up. And now, as nearly every IT network becomes an IT-OT network, the stakes are even higher. This means that if you’ve been putting off redesigning your security systems, now is the time to make it a priority.

    Reply
35. September 26, 2023 at 8:56 am

    Tomi Engdahl says:

    Balkan Insight:
    Investigation: some stakeholders, like AI firms selling CSAM scanning tech, funded lobbying efforts for EU Commissioner Ylva Johansson’s CSAM scanning proposal — By Giacomo Zandonini, Apostolis Fotiadis and Luděk Stavinoha

    ‘Who Benefits?’ Inside the EU’s Fight over Scanning for Child Sex Content
    Giacomo Zandonini, Apostolis Fotiadis and Luděk Stavinoha
    https://balkaninsight.com/2023/09/25/who-benefits-inside-the-eus-fight-over-scanning-for-child-sex-content/

    An investigation uncovers a web of influence in the powerful coalition aligned behind the European Commission’s proposal to scan for child sexual abuse material online, a proposal leading experts say puts rights at risk and will introduce new vulnerabilities by undermining encryption.

    In early May 2022, days before she launched one of the most contentious legislative proposals Brussels had seen in years, the European Union’s home affairs commissioner, Ylva Johansson, sent a letter to a US organisation co-founded in 2012 by the movie stars Ashton Kutcher and Demi Moore.

    The organisation, Thorn, develops artificial intelligence tools to scan for child sexual abuse images online, and Johansson’s proposed regulation is designed to fight the spread of such content on messaging apps.

    “We have shared many moments on the journey to this proposal,” the Swedish politician wrote, according to a copy of the letter addressed to Thorn executive director Julie Cordua and which BIRN has seen.

    Johansson urged Cordua to continue the campaign to get it passed: “Now I am looking to you to help make sure that this launch is a successful one.”

    That campaign faces a major test in October when Johansson’s proposal is put to a vote in the Civil Liberties Committee of the European Parliament. It has already been the subject of heated debate.

    The regulation would obligate digital platforms – from Facebook to Telegram, Signal to Snapchat, TikTok to clouds and online gaming websites – to detect and report any trace of child sexual abuse material, CSAM, on their systems and in their users’ private chats.

    It would introduce a complex legal architecture reliant on AI tools for detecting images, videos and speech – so-called ‘client-side scanning’ – containing sexual abuse against minors and attempts to groom children.

    Welcomed by some child welfare organisations, the regulation has nevertheless been met with alarm from privacy advocates and tech specialists who say it will unleash a massive new surveillance system and threaten the use of end-to-end encryption, currently the ultimate way to secure digital communications from prying eyes.

    The EU’s top data protection watchdog, Wojciech Wiewiorowski, warned Johansson about the risks in 2020, when she informed him of her plans.

    They amount to “crossing the Rubicon” in terms of the mass surveillance of EU citizens, he said in an interview for this story. It “would fundamentally change the internet and digital communication as we know it.”

    Johansson, however, has not blinked. “The privacy advocates sound very loud,” the commissioner said in a speech in November 2021. “But someone must also speak for the children.”

    The proposed regulation is excessively “influenced by companies pretending to be NGOs but acting more like tech companies”, said Arda Gerkens, former director of Europe’s oldest hotline for reporting online CSAM.

    If the regulation undermines encryption, it risks introducing new vulnerabilities, critics argue. “Who will benefit from the legislation?” Gerkens asked. “Not the children.”

    Enter ‘WeProtect Global Alliance’

    Among the few traces of Thorn’s activities in the EU’s lobby transparency register is a contribution of 219,000 euros in 2021 to the WeProtect Global Alliance, the organisation that had a video conference with Kutcher and Von der Leyen in late 2020.

    WeProtect is the offspring of two governmental initiatives – one co-founded by the Commission and the United States, the other by Britain.

    They merged in 2016 and, in April 2020, as momentum built for legislation to CSAM with client-side scanning technology, WeProtect was transformed from a British government-funded entity into a putatively independent ‘foundation’ registered at a residential address in Lisse, on the Dutch North Sea coast.

    Minutes after the proposed regulation was unveiled in May last year, Labrador Jimenez emailed his Commission colleagues: “The EU does not accept that children cannot be protected and become casualties of policies that put any other values or rights above their protection, whatever these may be.”

    He said he was looking forward to “seeing many of you in Brussels during the WeProtect Global Alliance summit” the following month.

    Self-interest

    In June 2022, shortly after the roll out of Johansson’s proposal, Thorn representatives sat down with one of the commissioner’s cabinet staff, Monika Maglione. An internal report of the meeting, obtained for this investigation, notes that Thorn was interested to understand how “bottlenecks in the process that goes from risk assessment to detection order” would be dealt with.

    Detection orders are a crucial component of the procedure set out within Johansson’s proposed regulation, determining the number of people to be surveilled and how often.

    European Parliament sources say that in technical meetings, Zarzalejos, the rapporteur on the proposal, has argued in favour of detection orders that do not necessarily focus on individuals or groups of suspects, but are calibrated to allow scanning for suspicious content.

    This, experts say, would unlock the door to the general monitoring of EU citizens, otherwise known as mass surveillance.

    Asked to clarify his position, Zarzalejos’ office responded: “The file is currently being discussed closed-doors among the shadow rapporteurs and we are not making any comments so far”.

    The EU Centre to Prevent and Combat Child Sexual Abuse, which would be created under Johansson’s proposal, would play a key role in helping member states and companies implement the legislation; it would also vet and approve scanning technologies, as well as purchase and offer them to small and medium companies.

    As a producer of such scanning technologies, a role for Thorn in supporting the capacity building of the EU Centre database would be of significant commercial interest to the company.

    “The more they frame this as a huge problem in the public discourse and to regulators, the more they incentivise large tech companies to outsource their dealing of the problems to them,” Whittaker said in an interview for this story.

    Effectively, such AI firms are offering tech companies a “get out of responsibility free card”, Whittaker said, by telling them, “’You pay us (…) and we will host the hashes, we will maintain the AI system, we will do whatever it is to magically clean up this problem”.

    “So it’s very clear that whatever their incorporation status is, that they are self-interested in promoting child exploitation as a problem that happens “online,” and then proposing quick (and profitable) technical solutions as a remedy to what is in reality a deep social and cultural problem. (…) I don’t think governments understand just how expensive and fallible these systems are, that we’re not looking at a one-time cost. We’re looking at hundreds of millions of dollars indefinitely due to the scale that this is being proposed at.”

    Lack of scientific input

    Johansson has dismissed the idea that the approach she advocates will unleash something new or extreme, telling MEPs last year that it was “totally false to say that with a new regulation there will be new possibilities for detection that don’t exist today”.

    But experts question the science behind it.

    Matthew Daniel Green, a cryptographer and security technologist at John Hopkins University, said there was an evident lack of scientific input into the crafting of her regulation.

    “In the first impact assessment of the EU Commission there was almost no outside scientific input and that’s really amazing since Europe has a terrific scientific infrastructure, with the top researchers in cryptography and computer security all over the world,” Green said.

    AI-driven scanning technology, he warned, risks exposing digital platforms to malicious attacks and would undermine encryption.

    “If you touch upon built-in encryption models, then you introduce vulnerabilities,” he said. “The idea that we are going to be able to have encrypted conversations like ours is totally incompatible with these scanning automated systems, and that’s by design.”

    In a blow to the advocates of AI-driven CSAM scanning, US tech giant Apple said in late August that it is impossible to implement CSAM-scanning while preserving the privacy and security of digital communications. The same month, UK officials privately admitted to tech companies that there is no existing technology able to scan end-to-end encrypted messages without undermining users’ privacy.

    According to research by Imperial College academics Ana-Maria Cretu and Shubham Jain, published last May, AI driven Client Side Scanning systems could be quietly tweaked to perform facial recognition on user devices without the user’s knowledge. They warned of more vulnerabilities that have yet to be identified.

    “Once this technology is rolled out to billions of devices across the world, you can’t take it back”, they said.

    Law enforcement agencies are already considering the possibilities it offers.

    Europol officials floated the idea of using the proposed EU Centre to scan for more than just CSAM, telling the Commission, “There are other crime areas that would benefit from detection”. According to the minutes, a Commission official “signalled understanding for the additional wishes” but “flagged the need to be realistic in terms of what could be expected, given the many sensitivities around the proposal.”

    Ross Anderson, professor of Security Engineering at Cambridge University, said the debate around AI-driven scanning for CSAM has overlooked the potential for manipulation by law enforcement agencies.

    “The security and intelligence community have always used issues that scare lawmakers, like children and terrorism, to undermine online privacy,” he said.

    “We all know how this works, and come the next terrorist attack, no lawmaker will oppose the extension of scanning from child abuse to serious violent and political crimes.”

    Reply
36. September 26, 2023 at 8:58 am

    Tomi Engdahl says:

    Leke Oso Alabi / Financial Times:
    Gripped by worker shortages, some security companies are using robots developed by 1X, Knightscope, Ava Robotics, Ascento, and others to augment human labor

    Security companies are turning to robots as the labour shortage bites
    https://www.ft.com/content/4635f501-f915-4ea4-8235-0017a0137a94

    Reply
37. September 26, 2023 at 2:18 pm

    Tomi Engdahl says:

    Jo 4000 salasanahyökkäystä sekunnissa
    https://etn.fi/index.php/13-news/15317-jo-4000-salasanahyoekkaeystae-sekunnissa

    Loihde Trust järjesti tänään kyberturvallisuuteen keskittyneen tilaisuuden, jossa käytiin lpi ajankohtaisia verkon turvallisuusasioita. Microsoftin asiantuntija Virve Kettunen kertoi, että tällä hetkellä Microsoftin verkkoihin kohdistuu jo 4000 salasanahyökkäystä sekunnissa. – Vuosi sitten luku oli 800, alkuvuodesta tuhat ja nyt jo siis 4000. Tämä kertoo jotain siitä, kuinka älyttömän räjähdysmäistä kasvu on.

    Kyberiskuihin vastaaminen ja varautuminen on erittäin nopeaa kilpajuoksua. – Kalasteluviestin klikkaamisesta menee reilu tunti yli 72 minuuttia siihen, että hyökkääjä pääsee käsiksi henkilökohtaiseen dataan

    Reply
38. September 26, 2023 at 6:30 pm

    Tomi Engdahl says:

    Softwares for cybersecurity enthusiasts:

    1. Operating systems – Kali Linux
    2. Email Security – Deshashed
    3. Web Hacking – BurpSuite
    4. Port Scan – Nmap
    5. Training – HackTheBox
    6. Data Modification – CyberChef
    7. Intrusion Detection System – Snort
    8. Firewall – PfSense

    #CyberSec

    Reply
39. September 27, 2023 at 8:25 am

    Tomi Engdahl says:

    CISO Strategy
    The CISO Carousel and its Effect on Enterprise Cybersecurity
    https://www.securityweek.com/the-ciso-carousel-and-its-effect-on-enterprise-cybersecurity/

    CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO, and constant churn can leave cracks or gaps in security.

    The average tenure of a Chief Information Security Officer said to sit between 18 to 24 months. This is barely enough time to get feet under the table, never mind a meaningful seat at the table. Two questions arise: why is there such volatile churn in this space; and how does it affect enterprise cybersecurity?

    Reasons for CISO churn
    Cause #1: the scapegoat effect

    The potential for CISOs to be used as scapegoats for security incidents is widely accepted and potentially growing.

    It can simply be internal: ‘We got breached under your watch, so we’ll blame you and let you go.’ But it can equally be a complex external issue ultimately caused by a lack of legal clarity in the Computer Fraud and Misuse Act (CFAA), a lack of clarity on bounty hunting and security research, and regulatory pressure for security professionals to protect personal information.

    Cause #2: lack of board support

    Board recognition of the importance of the CISO and cybersecurity is slowly growing, but remains far from optimum. An August 2023 survey by BSS of 150 UK security decision makers found that only 28% felt their role was valued; 22% were actively involved in the wider business strategy; and only 9% said cybersecurity was always in the top three priorities on boardroom agendas.

    BSS director Chris Wilkinson commented, “CISOs need a seat at the table. Such a poor level of prioritization for information security is unacceptable in a world of evolving threats that can result in significant financial and reputational penalties.”

    Cause #3: stress and burnout

    Stress is another cause of CISO churn. It’s not stress on its own, but the cumulative mental and emotional debilitation caused by multiple, different, and continuous stressors: burnout.

    Burnout can strike suddenly. A CISO may think he or she is handling stress effectively, but a single, final straw can suddenly and unexpectedly tip the balance. Burnout can cause physical and/or mental collapse. Sufferers may need to take extended time out, move to a less stressful position, or simply leave the industry altogether. “Some CISOs are moving into consultancy,” comments Sarakar, “especially when they have the experience, but they don’t want the operational fatigue.”

    “The CISO job can be a stressful one, especially when you have accountability without authority,” explains Yu. “If CISOs are held responsible for security outcomes but aren’t given the tools or power to influence those outcomes, they will feel helpless and frustrated, leading to decreased morale and motivation.”

    A recent survey by Salt Security lists six of the top personal stressors experienced by CISOs globally. Noticeably, the threat of personal litigation is #1 (48%). Only 1% of CISOs don’t feel they face any personal challenges.

    Cause #4: the next big challenge
    Jennifer Pittman-Leeper

    Not all CISO churn is caused by the job’s difficulty. There are many CISOs that are simply very good at their job and can confidently ride all the difficulties. Such people thrive on challenge and career progression. The difficulty is that career progression within the same organization is likely to be difficult. The only option is to take on a new challenge in a different organization with potentially a larger budget, a bigger security team, greater responsibility, more authority, and – probably – higher remuneration and benefits. These CISOs have simply outgrown their existing position and need to move on to the next big challenge.

    “CISOs are a special breed,” explains Jennifer Pittman-Leeper, whole of state strategist at Tanium. “They want to help, but if their hands are tied, they aren’t willing to stick around assuming the risk for an organization that isn’t willing to put in the hard work and reduce risk. They also love a good challenge. Once they get an organization on a good path, they are ready to tackle the next cyber mountain. A CISO skill set is quite unique – it’s a mix of introvert and extrovert, technical and strategic, communicator and listener. If you have a good one, it is in your best interest to keep them as long as you can.”

    Effect of CISO churn

    CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO, and new CISOs may have different beliefs on how to implement security. Constant churn can leave cracks or gaps in security.

    New CISOs will also need to understand the business before being able to secure it –that in itself is a challenge. Sarakar believes that only “about 10-20% [of CISOs] actually understand business context, 10-20% have low experience or are underqualified, and the rest have medium understanding of business context.”

    The average tenure for a CISO is often quoted as 18 months. Pittman-Leeper analyzes this: “I think the reason is for the first six months they are trying to figure out their way at the organization. Learn who is who, what the real story is. The next six months are spent trying to effect change and policy. These six months are critical – they will either meet resistance and not be able to improve the security posture or they will be successful in implementing meaningful change. The last six months are spent ensuring compliance and helping the stragglers along the way – or looking for a job where they will be able to help an organization.”

    The result of this timeline is just a short period of effective cybersecurity, between settling in and trying to find a way out: there is little time for the CISO to implement seriously effective security controls.

    Obviously, the 18-month tenure does not apply to all CISOs and all organizations – more mature and especially larger organizations tend to keep the same CISO for longer periods – but new and smaller organizations are the ones most likely to suffer from rapid churn.

    Solution

    There is only one real solution to the CISO Carousel: better communication. While boards must learn to love their CISOs (which includes respect, responsiveness, resources, and support); CISOs must better understand business imperatives and better communicate cybersecurity imperatives to business leaders.

    Respect and support go beyond simply paying inflated salaries (although adequate compensation is essential). You cannot buy enthusiasm – it must be fostered by respect and support. Above all, the fear of scapegoating should be eliminated by genuine support. CISOs rarely criticize each other. When a breach occurs in another company, the general feeling is ‘there but for the grace of God go I’. Breaches cannot be eliminated. CISOs need to be confident that the expectation is to limit and ameliorate breaches, and that one single success by an elite hacker with a zero day exploit won’t lead to dismissal.

    Reply
40. September 28, 2023 at 8:39 pm

    Tomi Engdahl says:

    https://www.facebook.com/groups/shahidzafar/permalink/6979365775415823/

    Top 10 cybersecurity certifications to enhance your career:

    1. eLearnSecurity Junior Penetration Tester (eJPT)
    2. ISC)2 Certified Information Systems Security Professional (CISSP)
    3. (ISC)2 Certified Cloud Security Professional (CCSP)
    4. ISACA Certified Information Security Manager (CISM)
    5. Certified Ethical Hacker (CEH)
    6. CompTIA Security+
    7. CompTIA PenTest+
    8. Offensive Security Certified Professional (OSCP)
    9. Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK)
    10. Cloud Security Alliance (CSA) Certificate of Cloud Auditing Knowledge (CCAK)

    These certifications can significantly boost your cybersecurity career prospects.

    -
    I prefer this view.. you might have to open the link in a real browser, not Facebook.

    https://pauljerimy.com/security-certification-roadmap/

    Reply
41. September 29, 2023 at 5:54 am

    Tomi Engdahl says:

    Työn alla oleva laki antaisi poliisille pääsyn kaikkeen yksityiseen viestintään – näin sitä perustellaan puolesta ja vastaan https://www.is.fi/digitoday/art-2000009884437.html

    EU-komission ehdotus laajentaisi taistelua lapsipornoa vastaan perusoikeuksiin kajoamalla. Suomi muodostaa asiaan parhaillaan kansallista kantaa.

    PIKAVIESTIMIEN vahvan salauksen purkamisen mahdollistavan lakiesityksen käsittely on edennyt Suomessa valiokuntavaiheeseen. Kyseessä on EU-komission lakiehdotus, jonka takana on lapsiin kohdistuvan seksuaalisen väkivallan vastainen taistelu.

    Alkuperäisessä ehdotuksessa Euroopan parlamentin ja neuvoston asetukseksi ja valtioneuvoston kirjelmässä ehdotetaan velvoitteita internet-yhtiöille, joihin kuuluvat muun muassa pikaviestimet, verkkotallennustilan tarjoajat ja teleoperaattorit. Velvoitteiden mukaan yhtiöiden tulisi tunnistaa niiden palveluissa liikkuva seksuaaliväkivaltaa todistava kuvamateriaali ja grooming. Lisäksi tulisi perustaa erillinen lapsiin kohdistuvan seksuaaliväkivallan EU-torjuntakeskus.

    Kokonaisuudessaan ehdotuksen nimi on Euroopan komission ehdotus Euroopan parlamentin ja neuvoston asetukseksi lapsiin kohdistuvan seksuaaliväkivallan ehkäisystä ja torjuntaa koskevista säännöistä. Puhekielessä siitä käytetään nimeä CSAM-laki tai chat control.

    Liikenne- ja viestintävaliokunta otti poikkeuksellisen kriittisen näkökulman ehdotukseen. Huoli yksityisen viestinnän vaarantumisesta on suuri.

    “Liikenne- ja viestintävaliokunta ilmoittaa, että se suhtautuu erittäin kriittisesti siihen, että sääntely näyttää käytännössä edellyttävän vahvan salauksen käytön rajoittamista, mikä heikentäisi viestinnän ja viestintään liittyvien palvelujen tietoturvan tasoa.”

    Ehdotusta vastustaneet tahot pitivät lapsiin kohdistuvan seksuaaliväkivallan torjuntaa ehdottoman tärkeänä, mutta salauksen purkua vääränä keinona siihen.

    Pääesikunta kiinnitti huomiota (pdf) siihen, että viestinnän salauksen purkaminen heikentää kyberturvallisuutta, ja vaikutukset kohdistuisivat kaikkiin käyttäjiin.

    Likenne- ja viestintäministeriön ehdotusta vastustava kanta oli poikkeuksellisen selkeä:

    – Ministeriön arvion mukaan asetusehdotus tarkoittaisi – – että palveluntarjoajien tulisi joko luopua tehokkaasta päästä päähän -salauksesta, luoda ns. takaovia päästäkseen salattuun sisältöön tai saada pääsy sisältöön käyttäjän päätelaitteella ennen sisällön salaamista, ministeriö kirjoittaa lausunnossaan

    Liikenne- ja viestintävirasto Traficom toteaa lausunnossaan (pdf), että käytännössä palveluntarjoajalla olisi palvelimellaan pääsy kaikkeen käyttäjän palveluun lähettämään teksti-, kuva- ja ääniviestipohjaiseen sisältöön. Mikäli palveluntarjoaja joutuisi tietomurron tai sisäisen väärinkäytöksen kohteeksi, voisi tekijällä olla mahdollista saada pääsy kaikkien käyttäjien viestisisältöihin.

    KYBERALA ry:n toimitusjohtaja Peter Sund pitää keskustelun kielenkäyttöä ongelmallisena. Hänen mukaansa salaus joko on vahvaa tai ei ole, mutta tätä yritetään keskustelussa hälventää. Jos viranomaisella on yleisavain kaikkeen viestintään, luottamuksellinen viestintä katoaa nykymuodossaan. Ehdotusta kannattavat tahot eivät tee näkyväksi sitä, että seuranta edellyttää ulkopuolisen toimijan tekemää salausten purkua.

    – Ne, joilla on intressi päästä luottamukselliseen viestintään kiinni, ovat hiljaa siitä, mitä se tarkoittaa teknisessä mielessä, Sund sanoo.

    Sundin mukaan liikenne- ja viestintäministeriön lausunnossaan mainitsemia takaportteja voi hyödyntää kuka tahansa, jolla sellainen on tiedossa tai halu ja kyky selvittää heikkoudet – myös rikolliset ja vakoojat.

    Suurin ongelma liittyy kuitenkin Sundin mukaan tunnistamismääräykseen, jollaisen jotkut tahot vaikuttavat hyväksyvän riittäväksi edellytykseksi salauksen purkamiselle.

    – Kyse ei ole yksittäisistä viesteistä. Käytännössä seurannan kohteeksi joutuu suuri joukko ihmisiä ja organisaatioita. Tämä koskee yksityisten ihmisten lisäksi myös liiketoiminnassa käytettäviä sovelluksia. Ison ihmisjoukon viestintä päätyy tutkittavaksi ennen kuin ketään epäillään rikoksesta, Sund sanoo.

    Reply
42. September 29, 2023 at 6:04 am

    Tomi Engdahl says:

    Työn alla oleva laki antaisi poliisille pääsyn kaikkeen yksityiseen viestintään – näin sitä perustellaan puolesta ja vastaan https://www.is.fi/digitoday/art-2000009884437.html

    PIKAVIESTIMIEN vahvan salauksen purkamisen mahdollistavan lakiesityksen käsittely on edennyt Suomessa valiokuntavaiheeseen. Kyseessä on EU-komission lakiehdotus, jonka takana on lapsiin kohdistuvan seksuaalisen väkivallan vastainen taistelu.

    Alkuperäisessä ehdotuksessa Euroopan parlamentin ja neuvoston asetukseksi ja valtioneuvoston kirjelmässä ehdotetaan velvoitteita internet-yhtiöille, joihin kuuluvat muun muassa pikaviestimet, verkkotallennustilan tarjoajat ja teleoperaattorit. Velvoitteiden mukaan yhtiöiden tulisi tunnistaa niiden palveluissa liikkuva seksuaaliväkivaltaa todistava kuvamateriaali ja grooming.
    Lisäksi tulisi perustaa erillinen lapsiin kohdistuvan seksuaaliväkivallan EU-torjuntakeskus.

    Kokonaisuudessaan ehdotuksen nimi on Euroopan komission ehdotus Euroopan parlamentin ja neuvoston asetukseksi lapsiin kohdistuvan seksuaaliväkivallan ehkäisystä ja torjuntaa koskevista säännöistä. Puhekielessä siitä käytetään nimeä CSAM-laki tai chat control.

    Reply
43. September 29, 2023 at 6:45 am

    Tomi Engdahl says:

    Government
    Government Shutdown Could Bench 80% of CISA Staff
    https://www.securityweek.com/80-of-cisa-staff-at-risk-of-furlough-as-government-shutdown-looms/

    Roughly 80% of CISA staff will be sent home at the end of the week in case of a government shutdown.

    Roughly 80% of the staff at US cybersecurity agency CISA may be sent home at the end of the week as a government shutdown looms.

    The US government will partially shut down on Sunday unless lawmakers reach a deal on a funding bill. A shutdown will result in the furlough of hundreds of thousands of non-essential federal employees and the suspension of many services.

    The Department of Homeland Security has announced the number of employees that would stay on during a shutdown for each of its agencies. In the case of CISA, which had 3,117 employees as of June 17, only 571 would remain during a lapse in appropriations. This means that more than 80% of its workers would be furloughed.

    A government shutdown can have a significant impact on cybersecurity, including increasing criminal activity, failure to renew digital certificates, failure to deploy security patches, and denting the government’s ability to recruit talent.

    In CISA’s case, the agency plays an important role in protecting the government and the private sector against cyber threats.

    This includes issuing warnings over actively exploited vulnerabilities, helping investigate high-impact cyberattacks, creating guidance, aiding critical infrastructure organizations beef up their security, conducting cyber exercises, and assisting with incident response.

    “The silver lining for cybersecurity in any government shutdown is that most government personnel involved with cybersecurity operations are likely to be classified as essential and will be exempt from furlough. These would include roles like security monitoring and incident response, but generally not roles like security governance,” commented Jake Williams, veteran cybersecurity expert and faculty at IANS Research.

    “The dark cloud is that in many government agencies, large percentages of the tactical security operations work is performed by contractors, who have historically not had the same exemptions to remain in place. In any shutdown scenario, there will be fewer staff available for security monitoring and response,” Williams added.

    Reply
44. September 29, 2023 at 6:52 am

    Tomi Engdahl says:

    Risk Management
    Moving From Qualitative to Quantitative Cyber Risk Modeling
    https://www.securityweek.com/moving-from-qualitative-to-quantitative-cyber-risk-modeling/

    Migrating to a quantitative cyber risk model of analysis allows for more accurate data, which leads to more informed decision-making.

    Reporting on cyber risk is a table stakes initiative for information security leaders. After speaking with key stakeholders within organizations, recurring questions for CISOs and cybersecurity leaders have been:

    What are our top cyber risks?
    Are we effectively managing our cyber risks?
    Are we investing in the right cyber controls?
    How do we evaluate the effectiveness of our information security program?
    Are we spending enough or too much?

    When dealing with qualitative risk modeling that looks at matrices showing likelihood and impact with loosely defined categories of “high” or “critical”, we come across a number of limitations.

    To begin, thresholds aren’t well defined. The ceiling of a “high” isn’t easily distinguishable from the floor of a “critical” without measurements. Thus, there’s no associative, measurable explanation of whether cyber risks have materially increased or decreased.

    Secondly, the risk tolerance level isn’t typically found within the risk matrix readout. The absence of an overlay of risk appetite/tolerance is a big miss. Without applying this to risk tolerance, the risk readout is incomplete and the relevance is missing. If an organization’s risk tolerance levels can sustain a higher level of risk in certain areas, then stating higher risks in those areas can be informative, but unworthy of immediate focus.

    Thirdly, financial relevance is a cornerstone to making informed business decisions in for-profit and not-for-profit organizations. Without an indicator of dollars of loss associated with the risk readout, how are organizations to know if prioritization of spend is aligned with the greatest potential risk? Akin to this is the knowledge of how much potential financial risk can be mitigated by making investments in cybersecurity related controls. With qualitative risk reporting, this is another gap.

    Migrating to a quantitative cyber risk model of analysis and reporting allows for more accurate data, which leads to more informed decision-making. The shift is not an easy one for many.

    What is interesting is that measuring cyber risk is a lot like measuring other risks. Yes, it is more of a recent phenomenon because of the innovation of technology’s evolution in housing and transferring data. But, at its core, the elements are quite similar.

    There is still a reluctance to measure cyber risk in a more effective manner than the inertia-driven approach of ordinal scales (e.g., the risk is based upon the intersection of likelihood and the impact level). Why is there an allergic reaction to measuring cyber risk using a quantitative method?

    One of the main reasons people give is that it is just too complex and/or difficult. It is seen at the same difficulty level as desalinating the ocean. It is a more astute approach, but due to inherent biases and/or ineffectiveness in conveying cyber risk measurements, practitioners have been led to believe the juice is not worth the squeeze. However, according to Hubbard, “Many organizations use these methods right now, even when their backgrounds had nothing to do with quantitative risk analysis.”

    Within the context of migrating to quantitative risk analysis, the benefits are pivotal for those practitioners looking to demonstrate cyber risk in a more accurate manner by reducing uncertainty and demonstrating more business-relevant outputs. Whether it is embedding risk tolerance or applying financial relevance or departing from loosely defined terminology of high, medium, or low, the approach of measuring cyber risk quantitatively is directionally much more correct than the alternatives in use today.

    Reply
45. September 29, 2023 at 6:55 am

    Tomi Engdahl says:

    Identity & Access
    Navigating the Digital Frontier in Cybersecurity Awareness Month 2023
    https://www.securityweek.com/navigating-the-digital-frontier-in-cybersecurity-awareness-month-2023/

    ZTNA stands out as a solution that enables organizations to minimize their attack surface while ensuring the productivity and security of their remote workforce.

    In the spirit of reflection, this year’s campaign theme, “20 Years of Cybersecurity Awareness Month”, takes a critical look at the evolution of security education and awareness, while also examining the path ahead in securing our interconnected world. This year’s NCSA campaign will put a spotlight on crucial cybersecurity practices, including the importance of regularly updating software, recognizing and reporting phishing attempts, enabling multi-factor authentication (MFA), using strong passwords, and employing password managers. While these fundamentals are undeniably vital, organizations must recognize the need to go beyond them to fortify their cyber resilience.

    Hackers often choose the path of least resistance, typically targeting the weakest link in the cybersecurity chain—humans. As a result, a significant number of data breaches today stem from credential harvesting campaigns, often followed by credential stuffing attacks. Once attackers infiltrate a network, they can laterally traverse it, seeking privileged accounts and credentials that provide access to an organization’s most sensitive data and critical infrastructure. Consequently, it comes as no surprise that IBM Security’s Cost of Data Breach Report for 2023 identifies stolen or compromised credentials as the most common initial attack vector, accounting for 15% of data breaches.

    Despite years of advocacy for robust password policies and widespread multi-factor authentication adoption, many users still rely on weak passwords or reuse them across multiple accounts. Attackers can effortlessly exploit these practices, gaining access to numerous accounts tied to the same user. Thus, security practitioners can no longer presume implicit trust among applications, users, devices, services, and networks. This shift in mindset has prompted numerous organizations to embrace a Zero Trust approach, contemplating the augmentation of conventional network access security methods like virtual private networks (VPNs) and demilitarized zones (DMZs) with Zero Trust Network Access (ZTNA) solutions.

    ZTNA solutions establish identity- and context-based logical access boundaries around applications or sets of applications. Access is granted to users based on a wide range of factors, such as the device in use, device posture (e.g., the presence and functionality of anti-malware software), access request timestamp, and geolocation. The solution dynamically determines the appropriate access level for each specific access request, recognizing that the risk levels of users, devices, and applications are in constant flux.

    When selecting ZTNA solutions, you’ll encounter a plethora of vendors vying for your attention.

    To successfully navigate the challenges of today’s digital landscape, organizations must break free from the cycle of password dependency. While numerous approaches can lead to this goal, ZTNA stands out as a solution that enables organizations to minimize their attack surface while ensuring the productivity and security of their remote workforce.

    Reply
46. September 29, 2023 at 12:41 pm

    Tomi Engdahl says:

    Do Bounties Hurt FOSS?
    https://hackaday.com/2023/09/27/do-bounties-hurt-foss/

    Reply
47. October 2, 2023 at 7:37 am

    Tomi Engdahl says:

    Analysis of Time-to-Exploit Trends: 2021-2022
    https://www.mandiant.com/resources/blog/time-to-exploit-trends-2021-2022

    Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between
    2021 and 2022. Sixty-two percent (153) of the vulnerabilities were first exploited as zero-day vulnerabilities. The number of exploited vulnerabilities each year continues to increase, while the overall times-to-exploit (TTEs) we are seeing are decreasing.

    Exploitation of a vulnerability is most likely to occur before the end of the first month following the release of a patch. Microsoft, Google, and Apple continue to be the most exploited vendors year-over-year, but the last two years were the first time the top three vendors accounted for less than 50 percent of the overall vulnerabilities exploited.

    Reply
48. October 2, 2023 at 7:44 am

    Tomi Engdahl says:

    FBI warns energy sector of likely increase in targeting by Chinese, Russian hackers https://therecord.media/fbi-warning-energy-sector-increased-hacking-china-russia

    Global energy supply changes will likely increase Chinese and Russian hackers’
    targeting of critical energy infrastructure, according to an FBI notification sent to the energy industry and obtained by Recorded Future News. The alert, issued Thursday, cites factors such as increased U.S. exports of liquefied natural gas (LNG); changes in the global crude oil supply chain favoring the U.S.; ongoing Western pressure on Russia’s energy supply; and China’s reliance on oil imports.

    The notification does not refer to any specific advanced persistent threat
    (APT) hacking groups associated with China or Russia, nor does it point to specific cybersecurity incidents involving critical infrastructure. Instead, it broadly notes the attractiveness of U.S. networks for foreign intrusions and reminds recipients that Chinese and Russian hackers are constantly trying to explore key systems and improve their ability to exploit gaps they discover.

    Reply
49. October 2, 2023 at 7:46 am

    Tomi Engdahl says:

    FBI: Dual ransomware attack victims now get hit within 48 hours https://bleepingcomputer.com/news/security/fbi-dual-ransomware-attack-victims-now-get-hit-within-48-hours/

    The FBI has warned about a new trend in ransomware attacks where multiple strains are deployed on victims’ networks to encrypt systems in under two days. FBI’s warning comes in the form of a Private Industry Notification prompted by trends observed starting July 2023. The federal law enforcement agency explains that ransomware affiliates and operators have been observed using two distinct variants when targeting victim organizations. Variants used in these dual ransomware attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.

    “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” the FBI said. “Second ransomware attacks against an already compromised system could significantly harm victim entities.”

    Reply
50. October 2, 2023 at 7:47 am

    Tomi Engdahl says:

    Nuoret lankeavat verkkohuijauksiin useammin kuin isovanhempansa – Verkkopalveluiden turvallisuus ei saa olla vain käyttäjän varassa https://www.tivi.fi/uutiset/tv/2aabf7f2-d9ed-4953-8bd1-8e2ffa540ecd

    Z-sukupolven jäsenet lankeavat huijauksiin ja joutuvat hakkeroiduksi paljon useammin kuin heidän isovanhempansa. Tieto käy ilmi Deloitten tutkimuksesta, josta kertoi Vox.com-julkaisu. Artikkelin tutkimus viittaa amerikkalaisiin Z-sukupolven nuoriin, mutta tulokset ovat sovitettavissa laajemmin.

    Kotimaassa Yle kertoo jutussaan, että nuorten digitaitoja pidetään parempina kuin ne todellisuudessa ovat. Z-sukupolvella viitataan 90-luvun lopun ja 2010-luvun alun välillä syntyneisiin. Nuoret ovat raportoineen joutuneensa tietojen kalastelun, identiteettivarkauksien, romanssihuijausten ja verkkokiusaamisen uhriksi vanhempia sukupolvia useammin.

    Deloitten tutkimus osoittaa, että Z-sukupolven amerikkalaisnuoret joutuivat kolme kertaa todennäköisemmin nettihuijauksen kohteeksi kuin 1946-1964-vuosina syntyneet isovanhempansa. Z-sukupolvi joutui myös kaksi kertaa todennäköisemmin hakkeroiduksi sosiaalisessa mediassa kuin boomer-ikäiset.

    Reply