Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome now attempts to “upgrade” to the HTTPS version of a website if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP in the Chrome browser.

Malvertising: Cyber criminals will keep impersonating brands using search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report finds the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
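Missing or weak security headers are the kind of misconfiguration that is cheap to check for, so here is an added example of a small response-header audit (this is my own illustration, not code from any of the cited reports). The expected values encode common baseline guidance (a long HSTS max-age, a CSP without 'unsafe-inline', nosniff, clickjacking protection, a referrer policy, no version-leaking Server/X-Powered-By headers); the two header sets at the bottom are constructed samples, and a real audit would feed in the headers captured from your own application's responses.

```python
"""Audit HTTP response headers for common security misconfigurations.

Added example. The WEAK and HARDENED header sets are constructed sample data.
"""
from __future__ import annotations


def _max_age(value: str) -> int:
    """Extract the max-age directive from an HSTS header value (0 if absent)."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


# Header name -> predicate that accepts a sufficiently strong value.
# These thresholds are baseline guidance, not a formal standard.
EXPECTED = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,  # one year
    "content-security-policy": lambda v: "default-src" in v and "'unsafe-inline'" not in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower()
    in ("no-referrer", "same-origin", "strict-origin-when-cross-origin"),
}

# Headers that leak implementation details and should be removed, not tuned.
LEAKY = ("server", "x-powered-by")


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the header set passed."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    for name, accept in EXPECTED.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not accept(lower[name]):
            findings.append(f"weak: {name}={lower[name]!r}")
    for name in LEAKY:
        if name in lower:
            findings.append(f"leaks: {name}={lower[name]!r}")
    return findings


# Constructed sample: a typical default deployment.
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

# Constructed sample: the same application after hardening.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_headers(hdrs) or 'no findings'}")
```

The checks are deliberately conservative: a header that is present but too permissive is reported separately from one that is absent, because the remediation differs (tighten a value versus add a header in the proxy or framework configuration).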

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. There are many companies that do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, poor maintenance of employees’ skills and indifference are the strongest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: In a hyperscale cloud provider, there can potentially be several thousand people working around the globe who could access our data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
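The bombardment pattern described above is visible in authentication logs long before the victim taps “approve”, so here is an added detection example (my own illustration, not from any of the cited articles). It assumes a simple key=value push-notification log format, which is constructed here; the sample lines are made up. A user who accumulates several unapproved pushes (denied or timed out) inside a short window is flagged, and the alert is raised to high severity if an approval follows inside that same window, which is the signature of a successful fatigue attack.

```python
"""Flag MFA push bombardment in authentication logs.

Added example. The log format and the SAMPLE_LOG lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice is bombarded and finally approves; bob is normal.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z user=alice event=mfa_push result=denied src=203.0.113.7
2023-01-10T08:01:40Z user=alice event=mfa_push result=denied src=203.0.113.7
2023-01-10T08:02:15Z user=alice event=mfa_push result=timeout src=203.0.113.7
2023-01-10T08:02:50Z user=alice event=mfa_push result=denied src=203.0.113.7
2023-01-10T08:03:30Z user=alice event=mfa_push result=approved src=203.0.113.7
2023-01-10T09:15:00Z user=bob event=mfa_push result=approved src=198.51.100.4
2023-01-10T17:40:00Z user=bob event=mfa_push result=denied src=198.51.100.4
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_mfa_fatigue(log_text: str, window: timedelta = timedelta(minutes=10),
                       threshold: int = 3) -> dict:
    """Return {user: alert} for users with >= threshold unapproved pushes in a window.

    Severity is 'medium' for bombardment alone and 'high' when an approval
    arrives while the bombardment is still inside the window.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("event") == "mfa_push":
            events[event["user"]].append(event)

    alerts = {}
    for user, user_events in events.items():
        user_events.sort(key=lambda e: e["ts"])
        unapproved = deque()  # timestamps of denied/timed-out pushes in window
        for event in user_events:
            while unapproved and event["ts"] - unapproved[0] > window:
                unapproved.popleft()
            if event["result"] != "approved":
                unapproved.append(event["ts"])
            if len(unapproved) >= threshold:
                severity = "high" if event["result"] == "approved" else "medium"
                current = alerts.get(user)
                if current is None or severity == "high":
                    alerts[user] = {
                        "severity": severity,
                        "unapproved_pushes": len(unapproved),
                        "last_event": event["ts"],
                        "src": event.get("src"),
                    }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

The same logic maps directly onto a SIEM correlation rule: group push events by user, count non-approved results over a sliding window, and escalate when an approval lands inside the burst. The approval itself is the event worth paging on, because at that point the attacker holds a session.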

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if for some reason it leaks out. The reason is that a comma in a password can obfuscate comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
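To make the comma trick concrete, here is an added example (my own, not from the cited article) showing what happens to a leaked credential list depending on how it was written out. The rows are constructed. A dump produced by naively joining fields with commas is mangled by a comma in the password, but a dump written by a CSV library quotes such fields and survives intact, so the trick only helps against careless tooling.

```python
"""Show how a comma inside a password affects CSV credential dumps.

Added example. The credential rows are constructed sample data.
"""
import csv
import io

# Constructed sample rows: (account, password). The first password contains commas.
ROWS = [
    ["alice@example.com", "correct,horse,battery"],
    ["bob@example.com", "hunter2hunter2"],
]


def naive_dump(rows: list[list[str]]) -> str:
    """Join fields with commas and no quoting, as a careless script would."""
    return "\n".join(",".join(row) for row in rows) + "\n"


def quoted_dump(rows: list[list[str]]) -> str:
    """Write the rows with the csv module, which quotes fields containing commas."""
    buffer = io.StringIO()
    csv.writer(buffer).writerows(rows)
    return buffer.getvalue()


def field_counts(dump_text: str) -> list[int]:
    """Number of fields a standard CSV reader recovers from each line."""
    return [len(row) for row in csv.reader(io.StringIO(dump_text)) if row]


def recovered_passwords(dump_text: str) -> list[str]:
    """Second column of each parsed row: what a consumer of the dump would use."""
    return [row[1] for row in csv.reader(io.StringIO(dump_text)) if row]


if __name__ == "__main__":
    print("naive dump fields per line:", field_counts(naive_dump(ROWS)))
    print("naive dump passwords:", recovered_passwords(naive_dump(ROWS)))
    print("quoted dump fields per line:", field_counts(quoted_dump(ROWS)))
    print("quoted dump passwords:", recovered_passwords(quoted_dump(ROWS)))
```

In the naive dump alice's line parses as four fields and the "password" column contains only `correct`; in the quoted dump both rows parse correctly. Length and randomness remain the actual defence; the comma is a bonus that depends on the attacker's tooling.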

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year, with deep-dives into the Energy and Health sectors. See Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is a pretty optimal security practice in 2023. It is good for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The Zero Trust Shouldnt Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API.
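The phishing resistance comes from the WebAuthn assertion being bound to the site origin, so it is worth seeing which server-side checks actually deliver it. The following is an added example of those context checks in Python (my own illustration, not Google's or any WebAuthn library's code). It builds a constructed clientDataJSON and authenticatorData the way a browser and authenticator would, then verifies the ceremony type, the challenge, the origin and the RP ID hash; the cryptographic signature check itself is left out because it needs the registered public key, but `signed_payload` shows what that signature covers, which is why a lookalike origin cannot be patched over after the fact.

```python
"""WebAuthn assertion context checks that give passkeys phishing resistance.

Added example. The challenge, origins and authenticator data are constructed.
"""
import base64
import hashlib
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser serialises as clientDataJSON for a 'get' ceremony."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_authenticator_data(rp_id: str, counter: int = 1, flags: int = 0x05) -> bytes:
    """authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             rp_id: str) -> list[str]:
    """Return the names of the checks that failed; an empty list means all passed."""
    failures = []
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge must be the one this server issued for this login attempt.
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        failures.append("challenge")
    # The browser fills in the origin; a lookalike site cannot claim ours.
    if data.get("origin") != expected_origin:
        failures.append("origin")
    if len(authenticator_data) < 37:
        failures.append("authenticator_data_length")
        return failures
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        failures.append("user_presence")
    return failures


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


# Constructed login scenario.
CHALLENGE = bytes(range(32))
RP_ID = "example.com"
GOOD_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.examp1e.com"


def demo() -> dict:
    auth = make_authenticator_data(RP_ID)
    return {
        "genuine": verify_assertion_context(
            make_client_data(GOOD_ORIGIN, CHALLENGE), auth, CHALLENGE, GOOD_ORIGIN, RP_ID),
        "lookalike_site": verify_assertion_context(
            make_client_data(PHISH_ORIGIN, CHALLENGE), auth, CHALLENGE, GOOD_ORIGIN, RP_ID),
        "replayed_challenge": verify_assertion_context(
            make_client_data(GOOD_ORIGIN, bytes(32)), auth, CHALLENGE, GOOD_ORIGIN, RP_ID),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if not result else 'rejected ' + str(result)}")
```

Because the origin sits inside clientDataJSON and its hash is part of the signed payload, a phishing page on examp1e.com gets an assertion that names its own origin, and the relying party rejects it without the user having to notice anything.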

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets also in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
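Secret scanning is pattern matching over repository contents, and a minimal version is useful as a pre-commit hook for repositories that GitHub's service does not cover (private repos without the feature, or code hosted elsewhere). Below is an added example of such a scanner (my own illustration, not GitHub's detector). The token patterns use publicly documented prefixes (AWS access key IDs start with AKIA and GitHub personal access tokens with ghp_), the AWS key in the sample is the placeholder from AWS's own documentation, and the sample files are constructed; findings carry a redacted preview so the scanner's own output does not become a second leak.

```python
"""Minimal secret scanner over file contents, in the spirit of GitHub secret scanning.

Added example. Patterns are illustrative; SAMPLE_FILES is constructed.
"""
import re

PATTERNS = {
    # AKIA + 16 uppercase alphanumerics: the documented AWS access key ID shape.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # ghp_ + 36 alphanumerics: the classic GitHub personal access token shape.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic 'password = "..."' style assignments with a quoted literal value.
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
}


def redact(secret: str) -> str:
    """Keep a short prefix for triage and hide the rest."""
    return secret[:4] + "*" * max(4, len(secret) - 4)


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per pattern match, with line number and redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(match.lastindex or 0)
                findings.append({
                    "file": path,
                    "line": lineno,
                    "type": kind,
                    "preview": redact(secret),
                })
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: contents} mapping (a pre-commit hook would read the staged files)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # placeholder key from AWS docs\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'token = os.environ["API_TOKEN"]  # read from the environment: not a finding\n'
    ),
    ".env": "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n<key material omitted in sample>\n",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['file']}:{finding['line']} {finding['type']} {finding['preview']}")
```

The third line of config.py shows the intended negative case: a credential read from the environment has no quoted literal after the assignment and is not reported. Real scanners add entropy checks and provider-specific validation to cut false positives, but the shape is the same.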

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that needs to meet it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST retires the SHA-1 cryptographic algorithm, not fully in 2023, but preparations for the phase-out start. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phaseout period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services, which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But there are several analysts who believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because they are at constant risk of failing to perform properly and many companies might not want to hire a self-taught ethical hacker.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies are suffering an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed how many cryptocurrency-related risks materialized. More “Crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now cyber is increasingly the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are already insurance policies in the market that have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Asiantuntija neuvoo käyttämään pilkkua sala­sanassa – taustalla vinha logiikka

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Yritysten kyberturvassa edelleen isoja aukkoja Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

Kyberturvan ammattilaisista on huutava pula

Is Enterprise VPN on Life Support or Ripe for Reinvention?


1,768 Comments

  1. Tomi Engdahl says:

    An IBM Hacker Breaks Down High-Profile Attacks https://securityintelligence.com/posts/an-ibm-hacker-breaks-down-high-profile-attacks/
    On September 19, 2022, an 18-year-old cyberattacker known as teapotuberhacker (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. In addition, the malicious actor claimed responsibility for a similar security breach affecting ride-sharing company Uber just a week prior. According to reports, they infiltrated the company’s Slack by tricking an employee into granting them access. Then, they spammed the employees with multi-factor authentication (MFA) push notifications until they gained access to internal systems, where they could browse the source code.
    Incidents like the Rockstar and Uber hacks should serve as a warning to all CISOs. Proper security must consider the role info-hungry actors and audiences can play when dealing with sensitive information and intellectual property. Stephanie Carruthers, Chief People Hacker for the XForce Red team at IBM Security, broke down how the incident at Uber happened and what helps prevent these types of attacks

  2. Tomi Engdahl says:

    IoT vendors faulted for slow progress in setting up vulnerability disclosure programs https://portswigger.net/daily-swig/iot-vendors-faulted-for-slow-progress-in-setting-up-vulnerability-disclosure-programs
    IoT vendors are making slow progress in making it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy. The figure, based on the latest annual report from the IoT Security Foundation (IoTSF), compares to the 9.7% of IoT (Internet of Things) vendors that were reported to have a disclosure policy in the 2018 edition of the same study. The IoTSF’s latest study was based on a review of the practice of
    332 companies who sell consumer-focused IoT products. The review, carried out by mobile and IoT security consultancy Copper Horse, covered security practices tied to a range of products ranging from tablets and routers to smart home lighting controls and smart speakers

  3. Tomi Engdahl says:

    We’re just shouting into the void, says US watchdog offering cybersecurity advice https://www.theregister.com/2023/01/24/gao_cybersecurity_recommendations/
    Since coming into office two years ago, the Biden Administration has made the cyber defenses of US government agencies as well as the private sector a key focus. However, the US Government Accountability Office (GAO), Congress’ auditing and investigative arm, says that since 2010 it has made about 335 cybersecurity recommendations, but that almost 60 percent of those had not been implemented by the end of 2022. At a time when increasingly sophisticated cyberthreats against the government are growing, not following through on about 190 of those recommendations could have significant ramifications, the agency said in a report this month, the first of four it plans to roll out to highlight the primary cybersecurity areas the federal government needs to address

  4. Tomi Engdahl says:

    Cybercrime
    Learning to Lie: AI Tools Adept at Creating Disinformation
    https://www.securityweek.com/learning-to-lie-ai-tools-adept-at-creating-disinformation/

    Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

    Artificial intelligence is writing fiction, making images inspired by Van Gogh and fighting wildfires. Now it’s competing in another endeavor once limited to humans — creating propaganda and disinformation.

    When researchers asked the online AI chatbot ChatGPT to compose a blog post, news story or essay making the case for a widely debunked claim — that COVID-19 vaccines are unsafe, for example — the site often complied, with results that were regularly indistinguishable from similar claims that have bedeviled online content moderators for years.

    “Pharmaceutical companies will stop at nothing to push their products, even if it means putting children’s health at risk,” ChatGPT wrote after being asked to compose a paragraph from the perspective of an anti-vaccine activist concerned about secret pharmaceutical ingredients.

  5. Tomi Engdahl says:

    NSA Publishes Security Guidance for Organizations Transitioning to IPv6
    https://www.securityweek.com/nsa-publishes-security-guidance-organizations-transitioning-ipv6/

    NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

  6. Tomi Engdahl says:

    Will Knight / Wired:
    The Brookings Institution: from 2008 to 2021, Chinese companies accounted for 201 facial recognition tech export deals, followed by US companies with 128 deals

    China Is the World’s Biggest Face Recognition Dealer
    https://www.wired.com/story/china-is-the-worlds-biggest-face-recognition-dealer/

    Experts fear sales of the technology also export authoritarian ideas about biometric surveillance. The second largest exporter is the US.

    Reply
  7. Tomi Engdahl says:

    TA444: The APT Startup Aimed at Acquisition (of Your Funds) https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
    In the world of tech startups, luminaries and charlatans alike boast of the value of rapid iteration, testing products on the fly, and failing forward. TA444, a North Korea-sponsored advanced persistent threat group, has taken these mantras to heart. TA444, which overlaps with public activity called APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and COPERNICIUM, is likely tasked with generating revenue for the North Korean regime. That tasking has historically involved the targeting of banks to ultimately funnel cash to the Hermit Kingdom or handlers abroad. More recently, TA444 has turned its attention, much like the tech industry, to cryptocurrency. While we do not know if the group has ping pong tables or kegs of some overrated IPA in its workspace, TA444 does mirror the startup culture in its devotion to the dollar and to the grind

    Reply
  8. Tomi Engdahl says:

    How ChatGPT will change cybersecurity
    https://www.kaspersky.com/blog/chatgpt-cybersecurity/46959/
    If we strip ChatGPT down to the bare essentials, the language model is trained on a gigantic corpus of online texts, from which it remembers which words, sentences, and paragraphs are collocated most frequently and how they interrelate. Aided by numerous technical tricks and additional rounds of training with humans, the model is optimized specifically for dialog. On underground hacker forums, novice cybercriminals report how they use ChatGPT to create new Trojans. The bot is able to write code, so if you succinctly describe the desired function (save all passwords in file X and send via HTTP POST to server Y), you can get a simple infostealer without having any programming skills at all. When InfoSec analysts study new suspicious applications, they reverse-engineer the pseudo-code or machine code, trying to figure out how it works. Although this task cannot be fully assigned to ChatGPT, the chatbot is already capable of quickly explaining what a particular piece of code does

    Reply
  9. Tomi Engdahl says:

    Attacking The Supply Chain: Developer
    https://www.trendmicro.com/en_us/research/23/a/attacking-the-supply-chain-developer.html
    In 2021, we published an entry identifying the weak parts of the supply chain security. In the face of the surge in documented attacks, the entry gave a summarized overview of how malicious actors found gaps to abuse and take advantage of for possible gains and disruptions. In this entry, we focus on one specific part of the supply chain: the developers themselves. To find a suitable attack model focusing on the developer, we must first understand who is considered the developer (and therefore the target), their workflow, and their daily tools. We also set the focus on how developers and their respective tools can be abused to compromise the supply chain, and how understanding these threat scenarios allows developers and the organizations to decide which tradeoffs to make to protect their projects and themselves

    Reply
  10. Tomi Engdahl says:

    Memory safe programming languages are on the rise. Here’s how developers should respond https://www.zdnet.com/article/memory-safe-programming-languages-are-on-the-rise-heres-how-developers-should-respond/
    Developers across government and industry should commit to using memory safe languages for new products and tools, and identify the most critical libraries and packages to shift to memory safe languages, according to a study from Consumer Reports. The US nonprofit, which is known for testing consumer products, asked what steps can be taken to help usher in “memory safe” languages, like Rust, over options such as C and C++. Consumer Reports said it wanted to address “industry-wide threats that cannot be solved through user behavior or even consumer choice” and it identified “memory unsafety” as one such issue. The report, Future of Memory Safety, looks at a range of issues, including challenges in building memory safe language adoption within universities, levels of distrust for memory safe languages, introducing memory safe languages to code bases written in other languages, and also incentives and public accountability

    Reply
  11. Tomi Engdahl says:

    Dependency Mapping for DevSecOps
    https://www.trendmicro.com/en_us/devops/23/a/dependency-mapping-plus-tools.html
    Today, DevOps teams use a staggering array of interconnected applications and infrastructure systems to build their continuous integration and continuous deployment (CI/CD) pipelines. These components are called dependencies because they depend on each other to enhance the functionality of an application. While dependencies shorten the release cycle and simplify developers’ lives, without proper security in place, these pipelines can be exposed to critical risks. In a worst-case scenario, it can cause dependency hell. While a robust DevSecOps approach should seemingly prevent such incidents, in reality, many organizations overlook security in the race to release products faster. But with the modern IT landscape being a complex maze comprising a mix of cloud, on-premises, and hybrid resources, it isn’t easy to gain absolute visibility into the supporting infrastructure and artifacts that underpin modern applications. In such a scenario, simply monitoring apps and their dependencies for performance is not enough. They also need to be monitored for security risks. After all, a vulnerability in even one of the connected interfaces or components could invite an attack that brings down the entire system. To avoid this, you must know your dependencies well and map them so that even if cybercriminals make changes to your codebase, you’re aware of it and can quickly bolster your security stance

    Reply
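    One concrete form of the dependency mapping the excerpt above argues for: record an inventory of pinned dependencies and their hashes as a baseline, then diff the current pin list against it so that any added, removed, re-versioned, re-hashed or unpinned package is reported before it reaches a build. This is an added example written for this thread, not code from Trend Micro or from the article; the two pin lists are constructed and the function names are mine.

```python
from __future__ import annotations

import re
from typing import Dict, List

# Constructed pin lists in pip's requirements format (name==version --hash=...).
# BASELINE is what was recorded at release time; CURRENT is what the pipeline sees now.
BASELINE = """\
# baseline recorded at release time
requests==2.28.1 --hash=sha256:aaaa1111
urllib3==1.26.13 --hash=sha256:bbbb2222
PyYAML==6.0 --hash=sha256:cccc3333
"""
CURRENT = """\
requests==2.28.1 --hash=sha256:aaaa1111
urllib3==1.26.13 --hash=sha256:dddd9999
colorama==0.4.6 --hash=sha256:eeee5555
some-tool
"""

# name==version, optionally followed by a single --hash=algo:digest option.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)(?:\s+--hash=(\S+))?$")


def normalize(name: str) -> str:
    """PEP 503 style normalization so PyYAML and pyyaml compare as the same package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> Dict[str, Dict[str, str]]:
    """Map normalized package name -> {'version', 'hash'}.
    Lines without '==' are kept with an empty version so they show up as unpinned."""
    inventory: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            inventory[normalize(m.group(1))] = {"version": m.group(2), "hash": m.group(3) or ""}
        else:
            inventory[normalize(line.split()[0])] = {"version": "", "hash": ""}
    return inventory


def diff_inventories(baseline: Dict[str, Dict[str, str]],
                     current: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify every package seen in either inventory. A changed hash with an
    unchanged version is the case a silent substitution of an artifact would produce."""
    report: Dict[str, List[str]] = {
        "added": [], "removed": [], "version_changed": [], "hash_changed": [], "unpinned": [],
    }
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            b, c = baseline[name], current[name]
            if b["version"] != c["version"]:
                report["version_changed"].append(name)
            elif b["hash"] != c["hash"]:
                report["hash_changed"].append(name)
        if name in current and not current[name]["version"]:
            report["unpinned"].append(name)
    return report


def drift_report() -> Dict[str, List[str]]:
    """Diff the constructed CURRENT list against the constructed BASELINE."""
    return diff_inventories(parse_pins(BASELINE), parse_pins(CURRENT))


if __name__ == "__main__":
    for category, names in drift_report().items():
        print(f"{category:16} {names}")
```

    The baseline only has value if it lives somewhere the build pipeline itself cannot rewrite (a signed release artifact or a protected branch), otherwise whoever changes the code base can update the baseline in the same commit.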
  12. Tomi Engdahl says:

    Registry Vulnerability Scanning: Early Prevention for Max Efficiency https://blog.checkpoint.com/2023/01/25/registry-vulnerability-scanning-early-prevention-for-max-efficiency/
    The earlier you catch security vulnerabilities, the less likely they are to cause damage to your organization and incur costs for repairing them later. Most companies have security policies that are designed to detect security vulnerabilities even before they are deployed, particularly when it comes to spinning up new instances of a container workload. However, even if your organization has created security procedures, it’s not easy to make sure everyone implements those procedures. For this reason, security automation, including early detection through vulnerability scanning, is an essential part of your security posture. Early prevention of configuration errors means higher efficiency down the road when the development team is concentrating on code deployment. The move from virtual machines to containers has allowed DevOps teams to provide tools for developers to spin up their own container instances simply and rapidly. While this frees up DevOps time and creates a much more agile organization, it also opens up the possibility for human error, spread across more individuals in the organization. For example, a developer could use open-source code snippets and miss details such as hard-coded credentials in the code snippets. Even when the developer is adhering to all the policies in writing their own code, this kind of error can slip in

    Reply
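    A minimal version of the hard-coded credential check that the excerpt above says gets missed when snippets are copied in, of the kind a pre-deployment scan would run over every file before an image is built. This is an added example for this thread, not Check Point's scanner or any code from the article; the sample snippet, the three rules and the key id value are constructed for illustration.

```python
from __future__ import annotations

import re
from typing import Dict, List

# Constructed sample file standing in for a snippet pasted into a build.
SAMPLE = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2"                      # hard-coded secret
API_KEY = os.environ.get("API_KEY")          # read from the environment: fine
aws_access_key_id = "AKIACONSTRUCTEDKEY00"   # constructed sample key id
token = "<your-token-here>"                  # placeholder, not a live secret
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----"  # key material pasted inline
"""

# Rule 1: AWS access key ids have a fixed shape (AKIA followed by 16 upper-case alphanumerics).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: PEM header for private key material.
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Rule 3: a secret-looking variable assigned a quoted literal (not an env lookup or a call).
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:passw(?:or)?d|secret|api_?key|token|access_?key)\w*)\s*[:=]\s*(["'])([^"']*)\2"""
)
# Values that are obviously templates rather than live secrets.
PLACEHOLDER_WORDS = ("changeme", "xxx", "todo", "your_", "dummy")


def is_placeholder(value: str) -> bool:
    """Suppress empty values, <angle-bracket> templates and common placeholder words."""
    v = value.strip()
    if not v or (v.startswith("<") and v.endswith(">")):
        return True
    return any(w in v.lower() for w in PLACEHOLDER_WORDS)


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per offending line: {'line', 'rule', 'match'}.
    The most specific rule wins, so a line is never reported twice."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = AWS_KEY_ID.search(line)
        if m:
            findings.append({"line": lineno, "rule": "aws-access-key-id", "match": m.group(0)})
            continue
        if PRIVATE_KEY.search(line):
            findings.append({"line": lineno, "rule": "private-key-material", "match": "PEM header"})
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m and not is_placeholder(m.group(3)):
            findings.append({"line": lineno, "rule": "hard-coded-credential", "match": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['rule']} ({f['match']})")
```

    The placeholder allowlist is what keeps such a scan usable in a gate: without it, every template and example file trips the rule and the team learns to ignore the output.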
  13. Tomi Engdahl says:

    IPv6 for Dummies: NSA pushes security manual on DoD admins https://www.theregister.com/2023/01/25/nsa_ipv6_guidelines/
    The US National Security Agency (NSA) has published a guidance document for system administrators to help them mitigate potential security issues as their organizations transition to Internet Protocol version 6 (IPv6). The prosaically named “IPv6 Security Guidance” [PDF] was compiled for admins inside the Department of Defense (DoD), but is likely to prove useful as a quick reference for anyone managing the transition from IPv4 to IPv6, which could turn out to be a more drawn-out experience than was originally anticipated. One of the recommendations is pretty basic: education. Successfully securing an IPv6 network requires, at a minimum, a fundamental knowledge of the differences between the IPv4 and IPv6 protocols and how they operate, the NSA says, so all network administrators should receive proper training

    Reply
  14. Tomi Engdahl says:

    Learning to Lie: AI Tools Adept at Creating Disinformation
    https://www.securityweek.com/learning-to-lie-ai-tools-adept-at-creating-disinformation/

    Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

    Reply
  15. Tomi Engdahl says:

    Why CISOs Make Great Board Members
    https://www.securityweek.com/why-cisos-make-great-board-members/

    Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make for successful board members.

    As I discussed previously, the past three years created a perfect storm situation with lasting consequences for how we think about cybersecurity:

    Digital transformation accelerated significantly. Projects took off due to the pandemic and remote everything—work, manufacturing, healthcare, you name it—became imperative for business survival.
    Ransomware went for the jugular. Critical infrastructure organizations had to navigate an escalating threat landscape, especially a surge in ransomware attacks as threat actors understood that the value of operational technology (OT) networks and the availability of crypto payment infrastructure improved their chances for pay-outs.
    Cybersecurity became critical to business. Under siege, businesses prioritized building resilience for which cybersecurity is essential and, when done well, can drive competitive advantage.

    The impact of this perfect storm on boardroom conversations has been that cybersecurity technologies and teams have shifted from being viewed as a cost center to a business enabler. The shift is so crucial to business outcomes that Gartner expects that by 2025, 70% of CEOs will mandate a culture of resilience and recommends risk leaders recognize resilience as a strategic imperative to survive a confluence of threats. The mission is no longer just to protect, but to build trust that the business can operate even under strenuous conditions and to accelerate innovation within business units. That is very different from how security teams operated for the last two decades.

    Reply
  16. Tomi Engdahl says:

    Password Dependency: How to Break the Cycle
    https://www.securityweek.com/password-dependency-how-to-break-the-cycle/

    Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

    The world has been taught numerous life lessons over the last couple of years, but it’s clear that millions of people still haven’t learned one of the most basic when it comes to security. A report from NordPass has revealed that millions of people still haven’t broken the habit of using easy-to-remember, but easy-to-hack passwords. Of the 200 most common passwords, ‘password’ took the number one spot, but unfortunately for the more than four million people using it, it can be broken in less than a second. Other popular passwords included ‘guest’ and the ever-so-creative ‘123456’. When it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

    Typically, hackers seek the path of least resistance and target the weakest link in the cyber defense chain ― humans. Consequently, most of today’s data breaches are front-ended by credential harvesting campaigns, followed by credential stuffing attacks. Once inside, hackers can fan out and move laterally across the network, hunting for privileged accounts and credentials that help them gain access to an organization’s most critical infrastructure and sensitive data. In fact, a study by the Identity Defined Security Alliance (IDSA) reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

    Today’s economic climate exacerbates these cyber risks, and the impact of the COVID-19 pandemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ dependency on passwords. This creates new challenges in minimizing access-related risks across traditional datacenters, cloud, and DevOps environments. As a result, organizations need to look beyond usernames and passwords when it comes to granting access to valuable data and critical systems. While employee education and training can help, what’s needed are additional measures to ensure secure access…which is what Zero Trust Network Access (ZTNA) provides.

    Reply
  17. Tomi Engdahl says:

    New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
    https://www.securityweek.com/new-open-source-ot-security-tool-helps-address-impact-of-upcoming-microsoft-patch/
    Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.
    Industrial cybersecurity firm Otorio has released an open source tool designed to help organizations detect and address issues related to an upcoming update from Microsoft.
    Otorio’s DCOM Hardening Toolkit, which is available for free on GitHub, is a PowerShell script that lists weak DCOM authentication applications installed on the tested workstation and provides functionality to address associated security issues.
    The tool is useful for organizations that use the OPC Data Access (DA) protocol for communications between PLCs and software within OT networks. OPC DA relies on Microsoft’s Distributed Component Object Model (DCOM) technology, which can introduce serious vulnerabilities.
    The newer OPC Unified Architecture (UA) protocol does not rely on DCOM so it’s not affected by the same security issues, but many industrial organizations still rely on OPC DA.
    The problems that the Otorio tool aims to address are related to some changes that Microsoft has been making.
    In 2021, Microsoft informed customers about CVE-2021-26414, a Windows server security feature bypass flaw. Addressing CVE-2021-26414 requires hardening DCOM, which could cause problems for some organizations using it and that is why Microsoft is gradually implementing changes. The goal is to give users enough time to check and resolve any compatibility issues.
    The first updates were released by Microsoft in June 2021, with the DCOM hardening disabled by default. The second updates, released in June 2022, enabled the hardening by default, but allowed users to disable the changes manually.
    The last updates, scheduled for March 2023, will keep the hardening enabled and users will not be able to disable it.
    Otorio’s DCOM Hardening Toolkit can be used to learn whether an OT network includes unsecured DCOM that will become inoperable after the new update is rolled out in March, and it also provides remediation instructions.
    “If a company applies the March patch and loses critical visibility and communication between nodes in its network, it could experience significant financial losses. Our goal is to prevent that kind of catastrophe,” said Yair Attar, CTO and co-founder of Otorio.
    DCOM Hardening Toolkit
    https://github.com/otoriocyber/DCOM-HardeningTool

    Reply
  18. Tomi Engdahl says:

    CISA Provides Resources for Securing K-12 Education System

    CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

    https://www.securityweek.com/cisa-provides-resources-for-securing-k-12-education-system/

    Reply
  19. Tomi Engdahl says:

    Malicious Prompt Engineering With ChatGPT
    https://www.securityweek.com/malicious-prompt-engineering-with-chatgpt/

    The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

    The release of OpenAI’s ChatGPT available to everyone in late 2022 has demonstrated the potential of AI for both good and bad. ChatGPT is a large-scale AI-based natural language generator; that is, a large language model or LLM. It has brought the concept of ‘prompt engineering’ into common parlance. ChatGPT is a chatbot launched by OpenAI in November 2022, and built on top of OpenAI’s GPT-3 family of large language models.

    Tasks are requested of ChatGPT through prompts. The response will be as accurate and unbiased as the AI can provide.

    Prompt engineering is the manipulation of prompts designed to force the system to respond in a specific manner desired by the user.

    Prompt engineering of a machine clearly has overlaps with social engineering of a person – and we all know the malicious potential of social engineering. Much of what is commonly known about prompt engineering on ChatGPT comes from Twitter, where individuals have demonstrated specific examples of the process.

    WithSecure (formerly F-Secure) recently published an extensive and serious evaluation (PDF) of prompt engineering against ChatGPT.

    Creatively malicious prompt engineering
    https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Creatively-malicious-prompt-engineering.pdf

    Reply
  20. Tomi Engdahl says:

    Menghan Xiao / SC Media:
    Using automation, Trellix patches nearly 62K open-source projects susceptible to a Python path traversal flaw first disclosed in 2007, affecting ~350K projects — The Trellix research team said they have patched nearly 62,000 open-source projects that were susceptible to a 15-year-old path …
    Trellix automates patching for 62,000 open-source projects linked to a 15-year-old Python bug
    https://www.scmagazine.com/analysis/application-security/trellix-automates-patching-for-62000-open-source-projects-linked-to-a-15-year-old-python-bug

    The Trellix research team said they have patched nearly 62,000 open-source projects that were susceptible to a 15-year-old path traversal vulnerability in the Python programming ecosystem.

    The team identified the bug, tracked under CVE-2007-4559, in Python’s tarfile module late last year. It was first reported to the Python project in 2007 but left unchecked. Since then, its presence has greatly expanded as it has been used in approximately 350,000 open-source projects and countless other closed-source or proprietary software projects.

    To minimize the vulnerability surface area the team drew inspiration from security researcher Jonathan Leitschuh’s DEFCON 2022 talk on fixing vulnerabilities at scale, spending months conducting automated patching to close the vulnerability in 61,895 open-source projects, according to a Jan. 23 Trellix blog post.

    Trellix Advanced Research Center Patches 61,000 Vulnerable Open-Source Projects
    https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-advanced-research-center-patches-vulnerable-open-source-projects.html

    Late last year, the Trellix Advanced Research Center team uncovered a vulnerability in Python’s tarfile module. As we dug in, we realized this was CVE-2007-4559 – a 15-year-old path traversal vulnerability with potential to allow an attacker to overwrite arbitrary files. CVE-2007-4559 was reported to the Python project in 2007, and left unchecked, had been unintentionally added to an estimated 350,000 open-source projects and prevalent in closed-source projects.

    Today, we’re excited to share an update on this work. Through GitHub, our vulnerability research team has patched 61,895 open-source projects previously susceptible to the vulnerability. This work was led by Kasimir Schulz and Charles McFarland, and concluded earlier this month.

    Reply
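    The tarfile path traversal the two excerpts above describe comes down to one thing: extracting an archive member whose name (or link target) resolves to a location outside the destination directory. The defensive pattern is to check every member against the destination before extracting anything. The following is an added example written for this thread, not Trellix's patch and not code from the Python project; the archive contents are constructed in memory, the function names are mine, and it uses tarfile's own data filter where the running Python provides one as a second layer.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from typing import List


def build_sample_tar(include_traversal: bool) -> bytes:
    """Build a constructed in-memory archive: one benign member and, optionally,
    one member whose name climbs out of the extraction directory."""
    members = [("docs/readme.txt", b"hello\n")]
    if include_traversal:
        members.append(("../escape.txt", b"written outside dest\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """True if target resolves to directory itself or something beneath it."""
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        return os.path.commonpath([abs_dir, abs_target]) == abs_dir
    except ValueError:  # different drives on Windows: certainly not inside
        return False


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of members that would write to, or link to, a location outside dest."""
    bad: List[str] = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)  # absolute names discard dest here
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            # Symlink targets are relative to the link's own directory.
            link = member.linkname
            if not os.path.isabs(link):
                link = os.path.join(os.path.dirname(target), link)
            if not is_within_directory(dest, link):
                bad.append(member.name)
        elif member.islnk():
            # Hard link targets are archive-relative member names.
            if not is_within_directory(dest, os.path.join(dest, member.linkname)):
                bad.append(member.name)
    return bad


def extract_or_reject(archive_bytes: bytes, dest: str) -> List[str]:
    """Extract only if every member stays inside dest.
    Returns the offending member names; an empty list means extraction happened."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            return bad
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and the backported releases
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return []


def demo() -> dict:
    """Run the hostile and the benign archive against a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = extract_or_reject(build_sample_tar(include_traversal=True), dest)
        readme = os.path.join(dest, "docs", "readme.txt")
        written_after_reject = os.path.exists(readme)  # nothing is extracted on rejection
        accepted = extract_or_reject(build_sample_tar(include_traversal=False), dest)
        with open(readme, "rb") as fh:
            content = fh.read()
    return {
        "rejected": rejected,
        "written_after_reject": written_after_reject,
        "accepted": accepted,
        "readme": content,
    }


if __name__ == "__main__":
    print(demo())
```

    Rejecting the whole archive rather than skipping the bad member is deliberate: an archive that contains a traversal entry was not produced by a well-behaved tool, and partially extracting it leaves the caller reasoning about an inconsistent tree.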
  21. Tomi Engdahl says:

    Dozens of Cybersecurity Companies Announced Layoffs in Past Year
    https://www.securityweek.com/tens-of-cybersecurity-companies-announced-layoffs-in-past-year/

    Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

    Reply
  22. Tomi Engdahl says:

    US Government Agencies Warn of Malicious Use of Remote Management Software
    https://www.securityweek.com/us-government-agencies-warn-of-malicious-use-of-remote-management-software/

    CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

    The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning organizations of malicious attacks using legitimate remote monitoring and management (RMM) software.

    IT service providers use RMM applications to remotely manage their clients’ networks and endpoints, but threat actors are abusing these tools to gain unauthorized access to victim environments and perform nefarious activities.

    In malicious campaigns observed in 2022, threat actors sent phishing emails to deploy legitimate RMM software such as ConnectWise Control (previously ScreenConnect) and AnyDesk on victims’ systems, and abuse these for financial gain.

    The observed attacks focused on stealing money from bank accounts, but CISA, NSA, and MS-ISAC warn that the attackers could abuse RMM tools as backdoors to victim networks and could sell the obtained persistent access to other cybercriminals or to advanced persistent threat (APT) actors.

    Reply
  23. Tomi Engdahl says:

    Mapping Threat Intelligence to the NIST Compliance Framework Part 2
    https://www.securityweek.com/mapping-threat-intelligence-to-the-nist-compliance-framework-part-2/

    How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

    Reply
  24. Tomi Engdahl says:

    Malicious Prompt Engineering With ChatGPT
    https://www.securityweek.com/malicious-prompt-engineering-with-chatgpt/

    The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

    Reply
  25. Tomi Engdahl says:

    Francois Murphy / Reuters:
    Austrian police say a hacker, arrested in November, tried to sell the name, gender, address, and DOB of “presumably every citizen” in Austria, or ~9.1M people

    Dutch hacker obtained virtually all Austrians’ personal data, police say
    https://www.reuters.com/world/europe/dutch-hacker-obtained-virtually-all-austrians-personal-data-police-say-2023-01-25/

    Reply
  26. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    Yandex says the company’s systems were not hacked and blames a former employee for leaking a code repository, after 44.7GB of files appeared on a hacking forum

    Yandex denies hack, blames source code leak on former employee
    https://www.bleepingcomputer.com/news/security/yandex-denies-hack-blames-source-code-leak-on-former-employee/

    A Yandex source code repository allegedly stolen by a former employee of the Russian technology company has been leaked as a Torrent on a popular hacking forum.

    Yesterday, the leaker posted a magnet link that they claim is ‘Yandex git sources’ consisting of 44.7 GB of files stolen from the company in July 2022. These code repositories allegedly contain all of the company’s source code besides anti-spam rules.

    Software engineer Arseniy Shestakov analyzed the leaked Yandex Git repository and said it contains technical data and code about the following products:

    Yandex search engine and indexing bot
    Yandex Maps
    Alice (AI assistant)
    Yandex Taxi
    Yandex Direct (ads service)
    Yandex Mail
    Yandex Disk (cloud storage service)
    Yandex Market
    Yandex Travel (travel booking platform)
    Yandex360 (workspaces service)
    Yandex Cloud
    Yandex Pay (payment processing service)
    Yandex Metrika (internet analytics)

    Yandex Services Source Code Leak
    Short overview of breach contents
    https://arseniyshestakov.com/2023/01/26/yandex-services-source-code-leak/

    Reply
  27. Tomi Engdahl says:

    Long-awaited improvement in smart device security – many products may soon disappear from store shelves https://www.is.fi/digitoday/tietoturva/art-2000009354599.html

    Insecure devices can in future be forcibly removed from sale. The authority is urging retailers to prepare now.

    1 AUGUST 2024 is a significant day for consumers buying electronics. From that day on, devices that do not meet the security requirements can be removed from sale under the law.

    The National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom says the background is the European Union’s Radio Equipment Directive, whose transition period is under way. The Centre names weak default passwords and the absence of encryption protecting data as typical problems with these devices.

    The security requirements apply, for example, to internet-connected devices, toys, childcare devices and wearables. In addition to protecting users’ privacy, the requirements are expected to prevent financially motivated fraud that exploits networked devices.

    THE SECURITY PROBLEM has been made worse by adding internet connectivity to many devices that traditionally did not have it, such as smart home lighting, household appliances or countless kinds of children’s toys. Manufacturers, for their part, have not always had the expertise or the willingness to take care of security.

    Reply
  28. Tomi Engdahl says:

    How ChatGPT will change cybersecurity
    https://www.kaspersky.com/blog/chatgpt-cybersecurity/46959/

    A new generation of chatbots creates coherent, meaningful texts. This can help out both cybercriminals and cyberdefenders.

    Reply
  29. Tomi Engdahl says:

    SSTImap – Automatic SSTI Detection Tool With Interactive Interface
    https://www.kitploit.com/2023/01/sstimap-automatic-ssti-detection-tool.html?m=1

    SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.

    This tool was developed to be used as an interactive penetration testing tool for SSTI detection and exploitation, which allows more advanced exploitation.

    Reply
  30. Tomi Engdahl says:

    Apple’s passkeys could be better than passwords. Here’s how they’ll work.
    Can a new system improve the way we sign into websites and apps?
    https://www.popsci.com/technology/how-apple-passkeys-differ-passwords/

    Reply
  31. Tomi Engdahl says:

    Pet fish commits credit card fraud on owner using a Nintendo Switch
    Lesson: Don’t let your pets use your gaming gear
    https://www.techspot.com/news/97334-pet-fish-commits-credit-card-fraud-owner-using.html

    Reply
  32. Tomi Engdahl says:

    Oops, War Thunder Gamers Accidentally Leaked Sensitive F-16 Secrets Online
    This isn’t the first time they’ve shared classified data to win internet battles.
    https://www.popularmechanics.com/military/weapons/a42573614/war-thunder-players-share-classified-documents-f16-leak/

    Reply
  33. Tomi Engdahl says:

    The future of open source applications hangs in the balance – EU plans draw fierce criticism
    Timo Tamminen, 28.1.2023 11:05, categories: Open source, EU
    The EU’s proposed Cyber Resilience Act (CRA) has harmful side effects.
    https://www.tivi.fi/uutiset/avoimen-lahdekoodin-sovellusten-tulevaisuus-vaakalaudalla-eun-suunnitelmille-rajua-ryopytysta/aa473dbf-da95-4566-baae-22c4518d5459

    The European Union wants its own “CE marking” for software too. The intention is that application developers’ responsibility for how their software works is extended to cover the entire planned lifecycle of the software.

    Reply
  34. Tomi Engdahl says:

    Protecting Data: Can we Engineer Data Sharing?
    https://www.enisa.europa.eu/news/protecting-data-can-we-engineer-data-sharing
    To celebrate the European Data Protection Day on 28 January 2023, ENISA publishes today its report on how cybersecurity technologies and techniques can support the implementation of the General Data Protection Regulation (GDPR) principles when sharing personal data

    Reply
  35. Tomi Engdahl says:

    Long-awaited improvement in smart device security: many products may soon disappear from store shelves https://www.is.fi/digitoday/tietoturva/art-2000009354599.html
    1 August 2024 is a significant day for consumers buying electronics. From that day on, devices that do not meet the security requirements can be removed from sale under the law. The National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom says the background is the European Union’s Radio Equipment Directive, whose transition period is under way. The Centre names weak default passwords and the absence of encryption protecting data as typical problems with these devices

    Reply
  36. Tomi Engdahl says:

    Data Privacy: How the Growing Field of Regulations Impacts Businesses https://securityintelligence.com/posts/data-privacy-regulations-impacts-businesses/
    The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become – and stay – compliant must find a solution that can do more than just respond to current challenges.
    Take a look at upcoming trends when it comes to data privacy regulations and how to follow them

    Reply
  37. Tomi Engdahl says:

    Lords question ‘extensive’ government online safety powers
    Digital minister Paul Scully defends government Online Safety plans to give secretary of state powers to direct Ofcom
    https://www.computerweekly.com/news/252529613/Lords-question-extensive-government-online-safety-powers?utm_campaign=20230127_Lords+question+%E2%80%98extensive%E2%80%99+government+online+safety+powers&utm_medium=EM&utm_source=MDN&source_ad_id=-1&asrc=EM_MDN_259195381&bt_ee=pvJwYXzI2G%2FlOgyww9U%2FsVlQwSgLMMOX5tApK1CudOLPkStF7sWvLXoWdifxY%2FTo&bt_ts=1675009671105

    Safeguards will be written into the Online Safety Bill to ensure the secretary of state does not unduly interfere with the work or independence of online harms regulator Ofcom, digital minister Paul Scully has told a Lords committee.

    Under the draft Online Safety Bill, which was first published in May 2021 but has since undergone numerous changes, the secretary of state for the Department of Culture, Media and Sport (DCMS) has the power to direct Ofcom’s regulatory priorities and to modify its codes of practice for tech firms for reasons of public safety, national security and “public policy”.

    Reply
  38. Tomi Engdahl says:

    The future of open source applications hangs in the balance – EU plans draw fierce criticism
    Timo Tamminen, 28.1.2023 11:05, categories: Open source, EU
    The EU’s proposed Cyber Resilience Act (CRA) has harmful side effects.
    https://www.tivi.fi/uutiset/avoimen-lahdekoodin-sovellusten-tulevaisuus-vaakalaudalla-eun-suunnitelmille-rajua-ryopytysta/aa473dbf-da95-4566-baae-22c4518d5459
    The European Union wants its own “CE marking” for software too. The intention is that application developers’ responsibility for how their software works is extended to cover the entire planned lifecycle of the software.

    EU Cyber Resilience Act: Good for Software Supply Chain Security, Bad for Open Source?
    https://blog.sonatype.com/eu-cyber-resilience-act-good-for-software-supply-chain-security-bad-for-open-source
    Following the software supply chain attack on Solarwinds and the worldwide panic from the vulnerability affecting Log4j, government and regulatory bodies around the world have been trying to address this looming problem: How do you secure and protect software supply chains as they become a greater target for cybersecurity attacks?
    In the United States, the two Presidential Executive Orders of February 2021 and May 2021 started the conversation about protecting critical U.S. federal systems from cyberattacks. This has since turned into a steady drumbeat of activity intensifying and spreading beyond the borders of the United States and into the private sector.
    Requiring SBOMs was a starting point
    From the beginning, I was (and still am) a big proponent of SBOMs. At Sonatype, we contributed the initial security extension to CycloneDX several years ago because we wanted to use this as the basis of our integration APIs instead of inventing yet another format. We continue to be active in driving adoption of this and other standards across the ecosystems we influence and of course support ingestion and exporting of SBOMs from our tools.
    I was happy to see the Executive Order making SBOMs a requirement for sales to the US government
    What is the Cyber Resilience Act?
    The Cyber Resilience Act (CRA) is the European Union’s proposed regulation to combat threats affecting any digital entity and to “bolster cybersecurity rules to ensure more secure hardware and software products.”
    Taken directly from the European Commission itself, they describe two main goals that were kept in mind when developing this proposal:
    Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and
    Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
    Why the Cyber Resilience Act is good for software supply chain security
    Just like all of the other proposals, the CRA calls for vendors and producers of software to have, among many other things, a detailed understanding of what’s inside their software (an SBOM). However and most importantly, the CRA demands that we go one step further, and have the ability to recall — which implies active management of the entire supply chain. This is the approach we’ve been missing from so many other policies
    Why the Cyber Resilience Act (might) be bad for Open Source
    With all of the good that the CRA brings in evolving the regulatory conversations past SBOMs, the current draft has some problematic language that could actually hurt the future of open source.
    But first, what it gets right about open source. Page 15, Paragraph 10 attempts to exempt, or carve out, open source software (OSS) from the regulations, saying:
    In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable.
    This is good, even great. OSS and project maintainers should be exempt from these regulations that apply liability, as this will have the effect of quashing innovation and sharing of ideas via code.
    However, in the same paragraph, the CRA attempts to draw a line between commercial and non-commercial use of open source software:
    In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
    In other words, it appears that a developer or supplier deriving commercial benefit from the open source software would make it subject to the CRA. While one can see the intent of the language, as it’s written, there is A LOT of ambiguity around the phrase “developed or supplied outside the course of commercial activity.”
    What does this mean for open source software?
    In terms of what this means for open source software, it’s very, very unclear. How would this apply to companies like us who run Maven Central? Or, other public repositories, like PyPI and npm? Would organizations that provide open source content and derive a commercial benefit from this activity suddenly be willing to shoulder potentially unlimited liability for the content?
    Further, since not every open source vulnerability applies to all possible usage of a particular component, it’s impossible for a repository like Central or npm to assess the impact of every vulnerability. It is very rare that a vulnerability applies to all uses of a component. So, what is one to do in that situation? If we remove the component to solve an issue for one user, we may cause irreparable damage for another who is using it safely.
    Another issue arises from trying to know when an open source project ceases to exist as part of a repository. Many times projects can get to a stable place and stop making active updates, but it is very difficult to tell if that means they are completely unresponsive to future vulnerability disclosures or not.
    Imagine the unintended consequences
    The current wording in the CRA would create a mess for open source. And, I’m almost positive, a very unintended mess that would affect access to the European market.
    If this regulation becomes European Union law without further clarifications, the effect on open source software could be quite detrimental. If open source producers and distributors who also derive commercial benefit from developing or distributing open source are suddenly liable for every defect and vulnerability within a public repository, the only logical conclusion is a balkanization of open source.
    EU’s proposed CE mark for software could have dire impact on open source
    https://devclass.com/2023/01/24/eus-proposed-ce-mark-for-software-could-have-dire-impact-on-open-source/
    The EU’s proposed Cyber Resilience Act (CRA), which aims to “bolster cybersecurity rules to ensure more secure hardware and software products,” could have severe unintended consequences for open source software, according to leaders in the open source community.
    The proposed Act can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements “throughout the whole life cycle.” Second is to offer a “coherent cybersecurity framework” by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to “use products with digital elements securely.”
    The draft legislation includes an impact assessment that says “for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations.” This extra cost is part of a total cost of compliance, including the burden on businesses and public authorities, estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually.
    The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects? Mike Milinkovich, director of the Eclipse Foundation, said it is “deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe.”
    He sets what he expects will be required of the Eclipse Foundation, including developing, documenting and implementing policies and procedures for “every project at the Eclipse Foundation.”
    Milinkovich also notes that the CRA aims to restrict “unfinished software” so that it is “not available on the market for purposes other than testing.” Use of interim builds and software that is under intense development is common in the open source community, and licenses are not currently restricted to testing.
    The Open Source Initiative (OSI) has submitted feedback to the European Commission asking for “further work on the Open Source exception to the requirements within the body of the Act.” The OSI would like responsibility for compliance to be removed from “any actor who is not a direct commercial beneficiary of deployment.”
    Open source advocate and OSI standard director Simon Phipps said the legislation “may harm open source” and the current text of the legislation “will cause extensive problems for open source software,” partly because of ambiguities in the wording, and partly because it does not recognise “the way open source communities actually function.”
    Olaf Kolkman, exec level advisor to the Internet Society, also expressed concerns saying that “the regulation should be modified to make it clear that software produced under an open source license and distributed on not-for-profit basis is out of scope for the regulation.”
    It is a complex issue because use of open source software in the “digital elements” of products is commonplace.
    Cyber Resilience Act
    https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
    The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.

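The Sonatype post above argues that a recall obligation presupposes knowing exactly which components each shipped product contains, which is what an SBOM records. The following is an added example, not code from Sonatype, CycloneDX or the CRA text: a minimal Python consumer of CycloneDX JSON SBOMs that, given a recall notice for one component and version range, lists which products ship an affected version and which list the component without a version and therefore cannot be assessed at all. The SBOM documents, product and component names, version numbers and the recall structure are all constructed for this example; only the CycloneDX field names (bomFormat, metadata.component, components[].name/version/purl) follow the public schema.

```python
import json

# Constructed sample SBOMs (CycloneDX 1.4 JSON). Product names, component
# names, versions and purls are invented for this example.
SBOM_PRODUCT_A = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "gateway-service", "version": "3.1.0"}},
    "components": [
        {"type": "library", "name": "acme-logging", "version": "2.14.1",
         "purl": "pkg:maven/com.acme/acme-logging@2.14.1?type=jar"},
        {"type": "library", "name": "acme-json", "version": "1.2.0",
         "purl": "pkg:maven/com.acme/acme-json@1.2.0"},
    ],
})

SBOM_PRODUCT_B = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-batch", "version": "7.0.2"}},
    "components": [
        # Same component, but this SBOM omits the version: it cannot be assessed.
        {"type": "library", "name": "acme-logging",
         "purl": "pkg:maven/com.acme/acme-logging"},
        {"type": "library", "name": "acme-json", "version": "1.2.0",
         "purl": "pkg:maven/com.acme/acme-json@1.2.0"},
    ],
})

# Constructed recall notice: the component identity (purl without version,
# plus its bare name for SBOMs that carry no purls) and the half-open
# version range [affected_min, fixed_version) that must be pulled.
RECALL = {
    "purl_prefix": "pkg:maven/com.acme/acme-logging",
    "name": "acme-logging",
    "affected_min": "2.0",
    "fixed_version": "2.17.1",
}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple of ints.

    Returns None for anything that is not purely numeric (pre-release tags,
    missing values), so callers can report 'unknown' instead of guessing.
    """
    parts = version.split(".") if version else []
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def purl_without_version(purl):
    """Strip '@version', '?qualifiers' and '#subpath' from a package URL."""
    if not purl:
        return None
    for sep in ("@", "?", "#"):
        purl = purl.split(sep, 1)[0]
    return purl


def load_components(sbom_json):
    """Return (product name, component list) from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    product = doc.get("metadata", {}).get("component", {}).get("name", "<unnamed>")
    return product, doc.get("components", [])


def assess(sbom_json, recall):
    """Match one SBOM against a recall notice.

    'affected' lists components whose version falls inside the recalled
    range; 'unknown' lists components that are the recalled package but
    carry no parseable version, which is itself a finding: a recall cannot
    be honoured for a dependency whose version was never recorded.
    """
    product, components = load_components(sbom_json)
    low = parse_version(recall["affected_min"])
    fixed = parse_version(recall["fixed_version"])
    findings = {"product": product, "affected": [], "unknown": []}
    for comp in components:
        same_purl = purl_without_version(comp.get("purl")) == recall["purl_prefix"]
        same_name = comp.get("name") == recall["name"]
        if not (same_purl or same_name):
            continue
        version = parse_version(comp.get("version"))
        if version is None:
            findings["unknown"].append(comp.get("name"))
        elif low <= version < fixed:
            findings["affected"].append(f"{comp['name']}@{comp['version']}")
    return findings


if __name__ == "__main__":
    for sbom in (SBOM_PRODUCT_A, SBOM_PRODUCT_B):
        result = assess(sbom, RECALL)
        print(f"{result['product']}: affected={result['affected']} unknown={result['unknown']}")
```

The 'unknown' bucket is the part worth keeping in a real pipeline: an SBOM that names a dependency without pinning its version satisfies a checkbox requirement but cannot support the recall the post says the CRA demands, so such entries should fail the build rather than be silently skipped.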
  39. Tomi Engdahl says:

    Open-source software vs. the proposed Cyber Resilience Act
    https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/

    NLnet Labs is closely following a legislative proposal by the European Commission affecting almost all hardware and software on the European market. The Cyber Resilience Act (CRA) intends to ensure cybersecurity of products with digital elements by laying down requirements and obligations for manufacturers.
    ‘Commercial’ + Critical = Compliance overload?

    In this post we will share our understanding of the legislation and its (unintended) negative effects on developers of open-source software. At this point, we have questions and concerns, not answers or solutions.

    We feel the current proposal misses a major opportunity. At a high level the ‘essential cybersecurity requirements’ are not unreasonable, but the compliance overhead can range from tough to impossible for small, or cash-strapped developers. The CRA could bring support to open-source developers maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support via the CRA, the current proposal will overload small developers with compliance work.

    However, if you share our concerns, this is what you can do:

    Spread the word. Help your fellow developers. Talk to people around you with legal and policy skills. Let them know how the CRA proposal affects them, their organisation or society at large.
    Read the proposal. This post concentrates on high-level scoping. There is more. There is also an EC proposal on liability.
    Get in touch and talk with policy makers at the Commission, your government or your favorite ITRE MEP: the rapporteur is Nicola Danti, while the shadow rapporteurs are Henna Virkkunen, Eva Kaili, Beatrice Covassi, Ignazio Corrao and Evžen Tošenovský.

  40. Tomi Engdahl says:

    Windows 10 sales are ending
    https://etn.fi/index.php/13-news/14526-windows-10-n-myynti-loppuu

    At the turn of the year, the overwhelmingly most popular Windows version was Windows 10, introduced in 2015. Its share of all Windows PCs was just under 68 percent. Starting the day after tomorrow, however, its sales end.

    After the last day of January, consumers will no longer be able to obtain Windows 10 for their machines. This applies to both the Home and Pro versions. Active Windows 10 licences are promised updates for 12 months.

    Microsoft, of course, urges all users to upgrade their Windows to version 11. Unfortunately, this does not work on nearly all older machines. If your machine runs Windows 10 and the upgrade to 11 is not possible, Microsoft promises security updates until 14 October 2025.

    "Ten" was in its day a big update to Windows. With it, for example, Internet Explorer was replaced by the Edge browser. Ten was also supposed to be the last Windows. Microsoft tried to get users to upgrade their machines to Ten within one year, but that, of course, did not succeed.

    Microsoft's problem, however, is not Windows 10 but Windows 7. Only last summer did the user count of the newest Windows 11 grow past the old Seven.

  41. Tomi Engdahl says:

    Management & Strategy
    The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
    https://www.securityweek.com/the-effect-of-cybersecurity-layoffs-on-cybersecurity-recruitment/

    SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting, or might affect, the skills gap and recruitment in cybersecurity.

    On Friday, January 20, 2023, Google announced it would lay off 12,000 employees. Amazon and Microsoft have laid off a combined 28,000 people; Twitter has reportedly lost 5,200 people; Meta (Facebook, etcetera) is laying off 11,000… This is just the tech giants, and almost all the staff looking for new positions are, by definition, tech-savvy – and some will be cybersecurity professionals.

    Layoffs are not limited to the tech giants. Smaller cybersecurity vendor firms are also affected. OneTrust has laid off 950 staff (25% of employees); Sophos has laid off 450 (10%); Lacework (300, 20%); Cybereason (200, 17%); OwnBackup (170, 17%); OneTrust (950, 25%) and the list goes on.

    SecurityWeek examined how this layoff-induced influx of experienced professionals into the job seeker market is affecting, or might affect, the skills gap and recruitment in cybersecurity.

    The skills gap

    The skills gap is a mismatch between the skills available in the workforce, and the skills required by employers. Required skills are continuously evolving with new technology and business transformation. People can learn how to use computers, and many staff currently being laid off will already have done so. But it is far easier to learn how to use computers than it is to learn how computers work. It is in the latter area that the skills gap becomes a talent gap for cybersecurity.

    So, the first observation is that current large-scale layoffs may slightly reduce the skills gap at the computer usage level but will likely have little effect on the cybersecurity-specific talent gap where employment requires a knowledge of how computers work. The talent gap is simply too large, and layoffs in these areas are likely to be readily absorbed by new security startups and expanding companies. Many of the companies involved in cybersecurity reductions will almost certainly need to rehire next year or soon after.

  42. Tomi Engdahl says:

    AJ Vicens / CyberScoop:
    Kaspersky: from January 2020 to June 2022, hacker groups offered salaries from six figures to $1.2M, bonuses, and paid leave to attract talent on the dark web — Despite the obvious risks, tech jobs with hacking groups can be alluring for those who need the money or want to do the work.

    Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web
    https://cyberscoop.com/cybercrime-groups-jobs-talent-dark-web/

    Despite the obvious risks, tech jobs with hacking groups can be alluring for those who need the money or want to do the work.

    Cybercrime is a booming business. So, like any other thriving market, the masterminds behind ransomware syndicates or online scam operations need workers, too. And they aren’t just looking for other criminal hackers. Developers, administrators and designers are in high demand.

    And just as the cybersecurity market is competing for the best talent, cybercriminals are also offering high salaries and perks to attract the best. Some ads boasted annual salaries as high as $1.2 million for the skilled hackers.

    According to new analysis from the cybersecurity firm Kaspersky, it appears that developers are the most sought after within the cybercrime ecosystem. The company’s researchers reviewed roughly 200,000 employment-related messages posted on 155 dark web forums between January 2020 and June 2022. The number of posts peaked in March 2022, possibly because of COVID-19-related lockdowns and income reductions in multiple countries. Nevertheless, job posts — both seeking employment and listing jobs — have exceeded 10,000 per quarter, the analysis found.

  43. Tomi Engdahl says:

    Erin Mulvaney / Wall Street Journal:
    A look at MetaBirkins, 100 NFTs created by a self-described entrepreneur and artist in 2021, as Hermès goes to court in NYC seeking to stop the use of its brand

    Virtual Birkin Bags on Trial in Hermès Case Testing IP Rights
    https://www.wsj.com/articles/virtual-birkin-bags-on-trial-in-hermes-case-testing-ip-rights-11674962955?mod=djemalertNEWS

    Lawsuit is an early test of how a company can exercise its rights against virtual assets it didn’t authorize

    The Birkin handbag, made by French luxury brand Hermès, for decades has been a symbol of wealth, sold through exclusive shops and mysterious wait-lists at prices that reach tens of thousands of dollars or more.

    A self-described entrepreneur and artist in 2021 set out to offer another way to own a Birkin, with a digital nonfungible token. Mason Rothschild created a series of 100 digital images he called MetaBirkins, depicting fur-covered purses in the same shape and style as the Hermès luxury product, which he sold as digital tokens on virtual marketplaces. The NFTs sometimes have sold at prices similar to the real handbags.

    Beginning Monday, Mr. Rothschild’s MetaBirkins go on trial in New York in a case at the intersection of trademark law and constitutional protections for freedom of expression. Hermès is seeking to stop Mr. Rothschild from using its brand, the destruction of the NFTs and his profits plus other financial damages. Mr. Rothschild says his MetaBirkins are artwork protected by the First Amendment.

    Neither Hermès nor its lawyers responded to requests for comment. Mr. Rothschild declined to comment.

    Legal analysts say the trial represents an important early test of how a company can exercise its rights against virtual assets it didn’t authorize.

    The specter of the unregulated metaverse is top of mind for companies that worry their brands will be used—and abused—as virtual reality expands, said Thomas Brooke, an intellectual property lawyer with Holland & Knight LLP.

    The case “will give us more guideposts for what to do with NFTs,” Mr. Brooke said. “With any new technology the courts are often having to apply existing law and figure out what works.”

    NFTs, blockchain-based unique assets that can be collected and traded, exploded in recent years as investors have flocked to marketplaces where tokens are sold. Lawsuits have followed, with retail brands and other companies claiming trademark and copyright infringement.

    Among other pending cases, Nike Inc. is suing online marketplace StockX over virtual sneakers depicting the brand’s well-known swoosh that it sold as NFTs in combination with the resale of Nike sneakers. StockX denied the claims and said the introduction of the tokens expedites the process of authenticating and processing the physical items it sells.
