Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Rather than throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any plain-HTTP website as “Not Secure” in the address bar, and it attempts to “upgrade” to the HTTPS version of a site if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning asks whether you want to continue. As HTTPS has become the norm, Google Chrome is preparing a security option that blocks “insecure” downloads delivered over HTTP. For site operators the practical consequence is that plain-HTTP resources and download links will increasingly be blocked or warned about, so redirect HTTP to HTTPS and serve everything, downloads included, over TLS.

Malvertising: Cyber criminals impersonating brands through search engine advertisement services to defraud users continues in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals purchase ads that show up at the very top of search results, often purporting to link to a legitimate company’s website. Anyone clicking the link is instead taken to a lookalike page that may appear identical but is designed to phish for login credentials and financial details, or to trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats; checking the destination domain before entering credentials, and navigating to software vendors directly rather than through ads, helps as well.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. Most cyber-attacks over the past year used TLS/SSL encryption to hide from traditional firewalls and many other security tools: one report found that over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report found its top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not detect most malware at the network level. Hopefully you at least have endpoint protection in place for a chance to catch it further down the cyber kill chain. Note that TLS inspection has its own costs (an inspecting CA must be deployed to every endpoint, and certificate-pinned applications break), and that even without decryption the handshake still leaks useful metadata such as the Server Name Indication (SNI) hostname, unless Encrypted Client Hello is in use.
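The cleartext handshake is the one place a network sensor can still see something useful without decrypting anything. The following is an added example (not code from the original page or from WatchGuard): it builds a minimal TLS ClientHello as constructed sample input, parses the SNI hostname back out of the record, and buckets flows by whether the destination is expected. The allow-list suffixes and hostnames are made up for illustration.

```python
import struct
from typing import Dict, List, Optional

TLS_HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI


def build_client_hello(hostname: Optional[str], leading_ext: bytes = b"") -> bytes:
    """Constructed sample input: a minimal ClientHello record. leading_ext places
    another extension in front of SNI so the parser's extension loop is exercised."""
    exts = leading_ext
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + b"\x11" * 32                      # client_version, random
        + b"\x00"                                       # empty session_id
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"    # two cipher suites
        + b"\x01\x00"                                   # one compression method (null)
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello and return the host_name from its server_name extension,
    or None if the bytes are not a ClientHello or carry no SNI."""
    try:
        if record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
            return None
        pos = 5 + 4 + 2 + 32                                     # record hdr, hs hdr, version, random
        pos += 1 + record[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                                   # compression_methods
        if pos + 2 > len(record):
            return None                                          # no extensions block at all
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            data = record[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            p = 2                                                # skip server_name_list length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("idna")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def triage(records: List[bytes], allowed_suffixes: List[str]) -> Dict[str, List[str]]:
    """Bucket flows by what the cleartext handshake reveals: allowed, unexpected host, no SNI."""
    out: Dict[str, List[str]] = {"allowed": [], "unexpected": [], "no_sni": []}
    for rec in records:
        sni = extract_sni(rec)
        if sni is None:
            out["no_sni"].append("<none>")
        elif any(sni == s or sni.endswith("." + s) for s in allowed_suffixes):
            out["allowed"].append(sni)
        else:
            out["unexpected"].append(sni)
    return out


if __name__ == "__main__":
    flows = [build_client_hello("update.example.com"),
             build_client_hello("evil.example.net"),
             build_client_hello(None)]
    print(triage(flows, ["example.com"]))
```

Flows with no SNI at all, or with an SNI outside the expected set, are the ones worth routing to full inspection or blocking; this is cheap enough to run on every connection, which full decryption is not.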

Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application tested had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
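Missing security headers are the easiest of these findings to check for yourself. Below is an added example (mine, not from the page or the report it cites) that audits a response header set for the usual gaps: HSTS lifetime, a CSP that actually restricts scripts, clickjacking protection, MIME sniffing, referrer policy and version disclosure. The two header sets are constructed samples; the one-year HSTS threshold is the common recommendation, not a value from the article.

```python
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; common minimum recommendation for HSTS max-age


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split 'default-src 'self'; script-src 'self' cdn.example' into a dict."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    hsts = _header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    csp = _header(headers, "Content-Security-Policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src; no source list at all means no restriction
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src or "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP does not restrict script sources")
    if "frame-ancestors" not in directives and _header(headers, "X-Frame-Options") is None:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if (_header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if _header(headers, "Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")
    server = _header(headers, "Server")
    if server and re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server}")
    return findings


# Constructed sample responses: a typical weak default and a hardened configuration.
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html",
}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or "OK")
```

Feed it the header dict from any HTTP client; the point of keeping the checks in one function is that the same code can run in CI against a staging deployment and in a scanner against production.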

Old vulnerabilities: You will see attackers try old vulnerabilities again in 2023, because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will remain worth investing time in reviving known vulnerabilities before looking for novel ones. Many companies do not patch their systems in reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also developed: approximately 50% of the 0-days observed in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to ever-increasing cyberattacks that target businesses, governments and individuals alike. Lack of knowledge, failure to maintain employees’ skills, and indifference are the strongest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: At a hyperscale cloud provider there can be several thousand people working around the globe who could potentially access your data. Screening and access limitation alone still leave a significant risk of malicious or accidental access. Instead, you should expect your cloud provider to take a more layered approach: just-in-time, audited privileged access for staff, separation of duties, and customer-managed encryption keys so that provider personnel cannot read your data in the clear.

MFA: MFA fatigue attacks put your organization at risk in 2023. Multi-factor auth fatigue is real. In an MFA fatigue attack a cybercriminal who already holds a valid password bombards the user with MFA push prompts until the user finally accepts one. The attempt can succeed especially when the target is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures. Countermeasures include number matching or other prompt context in the authenticator app, rate-limiting push prompts, and alerting on a burst of denied or unanswered prompts, particularly when a burst is followed by an approval.
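The alerting side of that is simple to express as a sliding-window rule over the identity provider’s push log. The following is an added example, my own and not from either article: the log format is a constructed stand-in (one line per push prompt with user and result), and the window of 10 minutes and threshold of 5 prompts are illustrative choices, not vendor defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log format: "<ISO timestamp> mfa_push user=<name> result=<approved|denied|timeout>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) mfa_push user=(?P<user>\S+) result=(?P<result>approved|denied|timeout)"
)

# Constructed sample: alice is being bombed and eventually approves; bob and carol are normal.
LOG = """\
2023-01-10T08:00:05Z mfa_push user=alice result=denied
2023-01-10T08:00:40Z mfa_push user=alice result=timeout
2023-01-10T08:01:15Z mfa_push user=bob result=denied
2023-01-10T08:01:30Z mfa_push user=alice result=denied
2023-01-10T08:02:10Z mfa_push user=alice result=timeout
2023-01-10T08:02:55Z mfa_push user=bob result=approved
2023-01-10T08:03:20Z mfa_push user=alice result=denied
2023-01-10T08:04:00Z mfa_push user=alice result=denied
2023-01-10T08:05:30Z mfa_push user=alice result=approved
2023-01-10T09:30:00Z mfa_push user=carol result=denied
2023-01-10T09:45:00Z mfa_push user=carol result=denied
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["result"]


def detect_mfa_fatigue(lines: List[str],
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> List[Dict[str, str]]:
    """Sliding window per user. 'medium' when `threshold` prompts in `window` were not
    approved; 'high' when an approval arrives after such a burst (likely compromise)."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, user, result = event
        q = recent[user]
        while q and ts - q[0][0] > window:        # drop prompts that fell out of the window
            q.popleft()
        not_approved = sum(1 for _, r in q if r != "approved")
        if result == "approved" and not_approved >= threshold:
            alerts.append({"user": user, "time": ts.isoformat(), "severity": "high",
                           "reason": f"approval after {not_approved} rejected/unanswered prompts"})
        elif result != "approved" and not_approved + 1 == threshold:
            alerts.append({"user": user, "time": ts.isoformat(), "severity": "medium",
                           "reason": f"{threshold} rejected/unanswered prompts within {window}"})
        q.append((ts, result))
    return alerts


def run_sample() -> List[Dict[str, str]]:
    return detect_mfa_fatigue(LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The "high" alert is the one to page on: a burst of refusals followed by an approval is exactly the pattern the attacker is hoping nobody looks at, and the session it created should be revoked and the password reset rather than just the user asked about it.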

Passwords: Passwords will not go away completely even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in a password can make it harder for cyber criminals to use if it ever leaks: the comma can confuse tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords. Treat this as a minor nuisance for sloppy tooling only, not as a security control: a properly quoted CSV file, or any dump format other than naive comma-splitting, handles commas fine, and length and randomness remain what actually protect a password.
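To see exactly how far the comma trick goes, here is an added example (mine, not from the article): it shows a comma-containing password mangling a naive split but surviving a standards-compliant CSV round trip, and alongside it the thing that really matters, a randomly chosen passphrase whose strength you can compute. The two credential rows and the eight-word list are constructed samples; a real wordlist such as the EFF long list has 7776 words, giving about 12.9 bits per word instead of the 3 bits here.

```python
import csv
import io
import math
import secrets
from typing import List


def naive_split(dump_text: str) -> List[List[str]]:
    """Sloppy parsing, one str.split(',') per line, as quick-and-dirty cracking scripts do."""
    return [line.split(",") for line in dump_text.splitlines() if line]


def csv_parse(dump_text: str) -> List[List[str]]:
    """Correct parsing: quoted fields may contain commas (RFC 4180 rules)."""
    return list(csv.reader(io.StringIO(dump_text)))


def csv_dump(rows: List[List[str]]) -> str:
    """How a careful tool serialises the same rows: fields with commas get quoted."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def unquoted_dump(rows: List[List[str]]) -> str:
    """How a careless tool serialises them: join with commas, no quoting."""
    return "\n".join(",".join(r) for r in rows) + "\n"


# Constructed tiny wordlist for illustration only.
WORDS = ["anchor", "basalt", "cipher", "dahlia", "ember", "fjord", "glyph", "harbor"]


def make_passphrase(n_words: int = 5, sep: str = ",", words: List[str] = WORDS) -> str:
    """Random passphrase from a CSPRNG; the comma separator is the 'trick' from the article."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, words: List[str] = WORDS) -> float:
    """Strength comes from the number of equally likely choices, not from the separator."""
    return n_words * math.log2(len(words))


if __name__ == "__main__":
    rows = [["alice@example.com", "correct,horse,battery"], ["bob@example.com", "hunter2"]]
    print("naive split of unquoted dump:", naive_split(unquoted_dump(rows))[0])
    print("csv round trip:", csv_parse(csv_dump(rows)) == rows)
    print(make_passphrase(), passphrase_entropy_bits(5), "bits")
```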

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is the Network and Information Security 2 Directive, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and to harmonise their sanctions were approved by MEPs in late 2022, and they will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, incident reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules also cover so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors fall under the legislation. The original NIS Directive has already affected operators’ cybersecurity budgets over the past year, with deep-dives into the Energy and Health sectors; see Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the cybersecurity community has treated the CPGs as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT in their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT poses serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the upcoming Android 14 release, so that a distrusted root CA can be removed without waiting for a full system update. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary.

Zero trust: Many people think that Zero Trust is close to the optimal security practice in 2023. It is a good fit for new systems that suit its model, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal argues that the zero trust model starts to erode when the resources of two corporations need to play together nicely: federated activity, from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, the article proposes flipping the concept on its head and evaluating network interactions in terms of risk. That is where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this, securely automating the exchange of user identities between cloud applications, diverse networks and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost a lot of money. Poor software costs the US $2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues in the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off basic authentication in Exchange Online in early January 2023 to improve security; clients must move to modern (OAuth 2.0) authentication. A Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February: “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail; the long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many other Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use the device’s own unlock mechanism (biometrics or a PIN) to authenticate users and are meant to replace passwords, which are easily compromised. Passkeys work cross-platform with both applications and websites. They offer the same experience as password autofill but provide passwordless authentication: each passkey is unique to a site, the server only stores a public key so nothing usable leaks in a server breach, and because the credential is bound to the site’s origin it protects users from phishing. Passkeys are only available on websites that support them via the WebAuthn API.
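The phishing resistance comes from checks the server performs on the clientDataJSON the browser returns, before it even looks at the signature. The following is an added example of those relying-party checks (my code, not Chrome’s or any WebAuthn library’s): the clientDataJSON is built here as a constructed stand-in for what a browser would send, the origin and the lookalike phishing origin are made up, and the signature verification that would follow (over authenticatorData plus the hash this returns) is out of scope.

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_challenge() -> str:
    """Server side: fresh, unpredictable challenge stored against the session, used once."""
    return b64url_encode(secrets.token_bytes(32))


def fake_client_data(ceremony_type: str, challenge: str, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces (same field shape)."""
    return json.dumps({"type": ceremony_type, "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode("utf-8")


def verify_client_data(client_data: bytes, expected_challenge: str, expected_origin: str,
                       ceremony_type: str = "webauthn.get") -> Tuple[bool, str]:
    """Relying-party checks on clientDataJSON. Returns (ok, detail); on success detail is
    the hex SHA-256 of clientDataJSON, which (after authenticatorData) is what was signed."""
    try:
        data = json.loads(client_data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != ceremony_type:
        return False, f"unexpected type {data.get('type')!r}"
    # Constant-time compare; a stale or reused challenge means a replayed response.
    if not secrets.compare_digest(str(data.get("challenge", "")).encode("utf-8"),
                                  expected_challenge.encode("utf-8")):
        return False, "challenge mismatch (stale or replayed response)"
    # The browser fills in the origin it is actually on; a lookalike site cannot forge this,
    # which is why a passkey created for login.example.com never works on a phishing page.
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')!r} (phishing site?)"
    return True, hashlib.sha256(client_data).hexdigest()


if __name__ == "__main__":
    challenge = new_challenge()
    genuine = fake_client_data("webauthn.get", challenge, "https://login.example.com")
    phish = fake_client_data("webauthn.get", challenge, "https://login.examp1e.com")
    print(verify_client_data(genuine, challenge, "https://login.example.com"))
    print(verify_client_data(phish, challenge, "https://login.example.com"))
```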

War risks: Expect the war between Russia and Ukraine to continue in 2023, in both the real world and the cyber world. Cyber is as important as missile defences, says an ex-NATO general, and the risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range: threat actors who gain access to a victim’s cloud account can use the new feature to transfer its Elastic IP addresses to an account they control, then use them to steal data, or for command-and-control for phishing, denial of service, or other cyberattacks. If you do not use the feature, deny the IAM permissions for address transfer and alert on the corresponding API calls in CloudTrail.

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. Secret scanning helps developers and organizations identify exposed secrets and credentials in their code. In 2022 it identified 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts you can track and act on leaked secrets directly within GitHub. Remember that a secret that has been pushed, even briefly, must be treated as compromised and rotated; deleting it from the history is not enough.
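GitHub’s scanner matches the well-known token formats of specific providers; a local pre-commit check can do the same, plus catch the generic cases the fixed patterns miss. Below is an added example (my own, not GitHub’s implementation): known-prefix patterns for a couple of credential types, a hardcoded-password assignment pattern, and a Shannon-entropy fallback for long random-looking strings. The sample file is constructed; the AWS key ID in it is the one AWS uses in its own documentation and the other values are made up.

```python
import math
import re
from typing import List, Tuple

# Fixed-format credentials that can be matched by shape alone.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # No leading \b: names like DB_PASSWORD must still match.
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Generic fallback: a quoted run of 20+ token-like characters.
ENTROPY_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character; English text sits around 4.0, random base64 near 6.0."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str]]:
    """Return (line number, finding kind) pairs; at most one entropy finding per line,
    and no entropy finding on a line already matched by a fixed pattern."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((number, kind))
                matched = True
        if not matched:
            for token in ENTROPY_TOKEN.findall(line):
                if shannon_entropy(token) >= entropy_threshold:
                    findings.append((number, "high_entropy_string"))
                    break
    return findings


# Constructed sample file; not from any real repository.
SAMPLE = """\
# config.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
DB_PASSWORD = "changeme-now-2023"
GREETING = "hello hello hello hello hello"
API_URL = "https://api.example.com/v1"
"""

if __name__ == "__main__":
    for number, kind in scan(SAMPLE):
        print(f"line {number}: {kind}")
```

Wire `scan` into a pre-commit hook and fail the commit on any finding; the entropy rule will produce some false positives (hashes, UUIDs), which is why the fixed patterns run first and why the threshold is a parameter.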

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard brings new focus to an overlooked yet critically important area of security. For a long time, client-side threats, meaning security incidents and breaches that occur in the customer’s browser rather than on the company’s servers or in transit between the two, were disregarded. That is changing with PCI DSS 4.0: many of the new requirements focus on client-side security, such as keeping an inventory of the scripts loaded on payment pages and detecting unauthorized changes to them.

SHA-1: NIST retires the SHA-1 cryptographic algorithm; not fully in 2023, but preparations for the phase-out start now. The venerable cryptographic hash function has weaknesses that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the computing capabilities of today’s systems can feasibly attack the algorithm with a ‘collision’ attack (finding two different inputs with the same hash; a practical SHA-1 collision was first demonstrated in 2017). SHA-1, whose initials stand for Secure Hash Algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that it should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 families of algorithms. NIST recommends that IT professionals start replacing the 27-year-old SHA-1 with newer, more secure algorithms now. Because SHA-1 underlies numerous security applications, the phase-out will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already moved away from SHA-1, and public certificate authorities stopped issuing SHA-1 certificates as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies give organizations the agility required to keep up in the current competitive landscape and to create new business models, but achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services, Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. In spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. Ethical hackers enable countless businesses and individuals to improve their security posture and minimize their attack risk. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because self-taught hackers are at constant risk of failing to perform properly and many companies might not want to hire one.

MFA: Two-factor authentication might not be enough in 2023 for applications that need strong security. In the past few months we have seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection. The weak spot is phishable factors (SMS and app codes, plain push approval), which a real-time proxy phishing site can relay; phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys are not bypassed that way. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud comes APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds cloud applications and infrastructure together, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies suffered an incident due to misconfiguration and about a third due to each of the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, and more than three-quarters (77%) are confident they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility, and a growing imperative for monitoring and governance: “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly that they felt compelled to take their own life?

Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the report Policing in the metaverse: what law enforcement needs to know for more information.

Blockchain: Digital products like cryptocurrency and blockchain affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. 2022 already showed many cryptocurrency-related risks materializing. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale attacks. As well as pushing up prices, some insurers have responded by tweaking policies so that clients retain more of the losses. Policies already written in the market include exemptions for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow, pointing to recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments: “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Expert advises using a comma in your password – there is a clever logic behind it (in Finnish: Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka)

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Companies’ cyber security still has big gaps. Expert: it is even a question of national security (in Finnish: Yritysten kyberturvassa edelleen isoja aukkoja. Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta)

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 approved – stricter cyber security requirements for EU countries (in Finnish: NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset)

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals (in Finnish: Kyberturvan ammattilaisista on huutava pula)

Is Enterprise VPN on Life Support or Ripe for Reinvention?

1,768 Comments

  2. Tomi Engdahl says:

    Five key cybersecurity lessons for your CEO https://www.kaspersky.com/blog/5-cybersecurity-lessons-ceo/47030/
    Any training requires trust in the teacher, which can be tough if the student happens to be the CEO. Establishing an interpersonal bridge and gaining credibility will be easier if you start not with strategy, but with top management’s personal cybersecurity

    Teach the team cybersecurity – and start at C-level
    Integrate cybersecurity into company’s strategy and processes
    Invest appropriately
    Consider all risk types
    Respond correctly
    At a minimum, senior management must know and follow the response procedures so as not to reduce the chances of a favorable outcome. There are three fundamental steps for the CEO:

    1. Immediately notify key parties about an incident; depending on the context: finance and legal departments, insurers, industry regulators, data protection regulators, law enforcement, affected customers. In many cases, the timeframe for such notification is established by law, but if not, it should be laid out in the internal regulations. Common sense dictates that the notification be prompt but informative; that is, before notifying, information about the nature of the incident must be gathered, including an initial assessment of the scale and the first-response measures taken.
    2. Investigate the incident. It’s important to take diverse measures to be able to correctly assess the scale and ramifications of the attack. Besides purely technical measures, employee surveys are also important, for example. During the investigation, it’s vital not to damage digital evidence of the attack or other artifacts. In many cases it makes sense to bring in outside experts to investigate and clean up the incident.
    3. Draw up a communications schedule. A typical mistake that companies make is to try to hide or downplay an incident. Sooner or later, the true scale of the problem will emerge, prolonging and amplifying the damage — from reputational to financial. Therefore, external and internal communications must be regular and systematic, delivering information that’s consistent and of practical use to customers and employees. They must have a clear understanding of what actions to take now and what to expect in the future. It would be a good idea to centralize communications; that is, to appoint internal and external spokespeople and forbid anyone else from performing this role.

  3. Tomi Engdahl says:

    Understanding Business Email Compromise to better protect against it https://blogs.cisco.com/security/understanding-business-email-compromise-to-better-protect-against-it
    Business Email Compromise (BEC) is a type of cybercrime that involves compromising or imitating legitimate business email accounts to carry out fraudulent transactions or steal sensitive information. The goal of a BEC attack is typically to trick the victim into transferring money, clicking on a malicious link, or disclosing sensitive information such as login credentials. BEC attacks can have a devastating impact on organizations of all sizes and in all industries, making it essential for businesses to be aware of the threat, understand the business risk, and take the necessary steps to protect themselves

  4. Tomi Engdahl says:

    Microsoft Defender can now isolate compromised Linux endpoints https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-now-isolate-compromised-linux-endpoints/
    Microsoft announced today that it added device isolation support to Microsoft Defender for Endpoint (MDE) on onboarded Linux devices.
    Enterprise admins can manually isolate Linux machines enrolled as part of a public preview using the Microsoft 365 Defender portal or via API requests

  5. Tomi Engdahl says:

    How the Atomized Network Changed Enterprise Protection
    https://www.securityweek.com/how-the-atomized-network-changed-enterprise-protection/

    Cyberattacks rose at a rate of 42% in the first half of 2022 and the average cost of a data breach has hit a record high of $4.35 million with costs in the U.S. peaking at $9.44 million. Unfortunately, this shouldn’t come as a surprise. Enterprise networks have changed dramatically, particularly over the last few years, and yet we continue to try to defend them with the same conventional approaches. As an industry, we’ve hit an inflection point. It’s time to fundamentally rethink the problem set and our approach to solving it.

    Networks are dispersed, ephemeral, encrypted, and diverse
    Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge. The capabilities, the nomenclature, and the available data for each type of infrastructure are also dispersed.

    The cloud has changed the game quite a bit, making today’s networks very ephemeral. Everybody is remote and IP addresses come and go. We’re no longer just talking about dynamic host configuration protocol (DHCP). In the cloud, every time we reboot a cloud instance that instance can get a new IP address. Conventions like Canonical Name (CNAME) do that mapping behind the scenes for us. However, it’s incredibly difficult to stay on top of what we have, what it’s doing, and what’s happening to it, when what something is today may not necessarily be what it was yesterday, and teams have limited visibility and understanding of these changes.

    Compliance is adding a lot of complexity to security as practices like encryption come into play.

    Finally, atomized networks are extremely diverse. The temptation with security teams has always been to add a tool that is very specific to the environment that we are watching – tools for the network, for devices, for the web, for email. This was manageable when we were talking about one corporate network or even a handful of networks. But with the addition of new cloud environments, operational technology (OT) environments, and work from home models, we’ve hit an inflection point where the number of tools that are supposed to make us more secure and make security teams’ lives easier actually do neither. Security operations center (SOC), cloud operations, and network teams can only watch and do so many things, so we end up with bloat. In fact, nearly 60% of organizations surveyed say they deploy more than 30 tools and technologies for security and yet incident volume and severity keep rising.

    Fragmentation and gaps are rampant

    We try to get diverse teams and tools to work together by creating yet other sets of tools, like SIEMs and SOAR platforms that are meant to try to aggregate data and automate analysis and actions. But those tools have their own sets of challenges and require that we add more tools and technologies to our security stack in order to maintain protections.

    Security has become so complex that organizations can’t possibly hire enough people with the right skills to do everything required to secure their atomized network. What’s more, every tool in the growing security stack serves its own purpose and every team has their own area of focus, with not enough overlap between them.

    Rethinking and simplifying enterprise protection

    The challenge with letting go of old technologies and methods is that humans are naturally resistant to change because it’s disruptive. New expertise, new processes, and new escalation procedures are needed. However, network atomization is even more disruptive, and the time has come to cast aside aging security approaches. Securing atomized networks requires a fundamental rethink. Not a “bolt-on”, tacking on a new capability to a legacy toolset and hoping it integrates and solves our problem. It doesn’t solve the problem. It makes it worse.

    When we are no longer tied to how things used to be, then we can rearchitect the problem from scratch for the way things are today and how they will evolve. We can get to where we need to be – a common tool set, with a common language, and a common set of capabilities that can deal with the dispersed and ephemeral nature of today’s networks, doesn’t have to decrypt, and can actually help security teams work more efficiently and effectively.

    Reply
  6. Tomi Engdahl says:

    OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings
    https://www.securityweek.com/openvex-spec-adds-clarity-to-supply-chain-vuln-warnings/

    Chainguard’s OpenVEX specification adds clarity to supply chain vulnerability warnings, helping software vendors and maintainers communicate precise metadata about the vulnerability status of products.

    Chainguard on Tuesday published a draft OpenVEX specification to help software vendors and maintainers communicate precise metadata about the vulnerability status of products directly to end users.

    The Chainguard specification is an implementation of the NTIA’s VEX (Vulnerability Exploitability eXchange) concept that aims to provide additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.

    In an interview with SecurityWeek, Chainguard chief executive Dan Lorenc said OpenVEX is designed to meet the minimum requirements defined by the U.S. government’s CISA cybersecurity agency and will help reduce false-positives and improve the quality of SBOMs (software bill of material).

    Lorenc said OpenVEX, which was designed in collaboration with CISA’s VEX working group, will allow software suppliers to communicate precise, actionable metadata to improve the signal to noise ratio and add important context to vulnerability warnings.

    “OpenVEX makes it easy for software producers to accurately describe their artifacts’ exploitability [and] makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns, and less time wading through erroneous findings,” Chainguard said in a note announcing the draft specification.

    “OpenVEX encodes learnings of false positives and enables consumers to prioritize vulnerability reports much more effectively,” the company added.

    OpenVEX Specification
    https://github.com/openvex/spec

    OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable. The specification is available in the OPENVEX-SPEC.md file of this repository.

    OpenVEX is designed to meet the minimum requirements defined by the CISA SBOM and VEX Efforts. We believe OpenVEX meets these requirements now, and will do our best to ensure it continues to meet them as requirements change.

    Note: The OpenVEX specification is currently a draft. We don’t anticipate large changes, but are open to them.

    Reply
  7. Tomi Engdahl says:

    Cyber Insights 2023: Attack Surface Management
    https://www.securityweek.com/cyber-insights-2023-attack-surface-management/

    Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas of IT infrastructure that can be attacked.

    Demise of the perimeter and growth of complexity

    Attack surface management is not a new concept, notes Mark Stamford, founder and CEO at OccamSec. “As long as there has been a thing to attack, there has been an attack surface to manage (for example, the walls of a castle and the people in it).” The castle is a good analogy. If you can see the wall, you can attack it. You can batter it down, you can employ the original Trojan Horse to gain access through the front door, you can find a forgotten and unprotected entrance, or you can persuade an insider to leave a side gate unlocked.

    For the defender, relying on the wall and being aware of any weak areas is not enough. People are also part of the attack surface, and the defender needs to have total visibility of the entirety of the attack surface and how it could be exploited. But the wall is a perimeter, and we no longer have perimeters to defend – or at least every single asset held anywhere in the world has its own perimeter.

    “The attack surface,” continued Stamford, “is anything tied to an organization that could be a vector to get to a target. What this means in practice is all your applications that face the Internet, all the services (beyond applications) that are reachable, cloud-based systems, SaaS solutions you use (depending on what the bad guys’ target is), third parties/supply chain, mobile devices, IOT, and your employees. All of that and more is your attack surface and all of it needs to somehow be monitored for exposures and dealt with.”

    The need for ASM, like other current approaches to cybersecurity (such as zero trust, which itself can be viewed as part of ASM), comes from the demise of a major defensible perimeter. Migration to the cloud, expanding business transformation, and remote working all add complexity to the modern infrastructure. If anything touches the internet, it can be attacked. Even the addition of new security controls that send data to and from the cloud add to the attack surface.

    Management is the key word in ASM

    The complexity of the modern infrastructure makes the complete elimination of threats an impossible task. ASM is not about the elimination of all threats, but the reduction of threat to an acceptable level. It’s a question of risk management.

    “The idea behind attack surface management is to ‘reduce’ the ‘area’ available to attackers to exploit. The more you ‘reduce the attack surface’ the more you limit and minimize attackers’ opportunities to cause harm,” says Christopher Budd, senior manager of threat research at Sophos.

    He believes that ASM will be more challenging in 2023 because of the attackers’ increasingly aggressive and successful misuse of legitimate files and utilities in their attacks – living off the land – making the detection of a malicious presence challenging. “We can expect this trend to continue to evolve in 2023, making it more important that defenders update their detection and prevention tactics to counter this particularly challenging tactic,” he says.

    Part of reducing risk comes from understanding what vulnerabilities exist within the infrastructure, and which of them are exploitable.

    “With the number of annual reported vulnerabilities now exceeding 20,000 per year, companies cannot remediate every alert, and need to become more surgical with their remediation strategies,” he says. “To achieve this, we will start to see a shift from a focus on vulnerability to exploitability. Companies will start to put a major emphasis on understanding which targets are most impactful from the hacker’s perspective, and therefore the most exploitable targets.”

    CISA’s Known Exploited Vulnerabilities Catalog (the KEV list) can help here. Focusing remediation on exploited vulnerabilities is a key part of ASM, and the catalog is described by many as ‘CISA’s must patch list’. This list will continue to grow through 2023.

    Pentesting and red teaming are also effective ways of locating exploitable vulnerabilities, but in the past, they have not been used effectively. “One of the most frustrating things as a pentester is when you return to organizations a year later and see the same issues as before,”

    But he expects an improvement – perhaps encouraged by the growing acceptance of ASM – in 2023. “I expect an unprecedented appreciation for how pentesting effectively exposes gaps in security, and this in turn will help to reinforce the importance of those all-important security basics. In 2023 I implore organizations to work with pentesters for the best, year on year result.”

    Reply
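As an added worked example (not Chainguard’s, CISA’s or the commenter’s code) tying the OpenVEX comment above to the KEV point made here: a small Python triage that uses VEX statements to drop scanner findings the producer has marked not_affected or fixed, refuses to honour a not_affected statement that carries no justification, and then ranks what remains with KEV entries first (earliest due date first) and everything else by CVSS. The OpenVEX document, the scanner findings, the KEV excerpt and the CVE-0000-* identifiers are all constructed; the field names follow the OpenVEX draft layout and the KEV JSON feed as I understand them and should be treated as assumptions.

```python
"""Vulnerability triage with OpenVEX statements and a KEV excerpt.

Added example, not code from Chainguard, CISA or the page's author.
Everything below is constructed: the OpenVEX document, the scanner
findings, the KEV excerpt and the CVE-0000-* placeholder identifiers.
Field names are modeled on the OpenVEX draft layout and on the KEV
JSON feed and should be treated as assumptions.
"""
import json
from datetime import date

VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
SUPPRESSING = {"not_affected", "fixed"}  # statuses that may hide a finding

# Constructed OpenVEX document: one statement per (vulnerability, product).
OPENVEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://vex.example.invalid/2023-01-example",
  "author": "Example Vendor Security Team",
  "timestamp": "2023-01-25T10:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": "CVE-0000-0001", "products": ["pkg:apk/example/libfoo@1.2.3"],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "CVE-0000-0002", "products": ["pkg:apk/example/libbar@2.0.0"],
     "status": "fixed"},
    {"vulnerability": "CVE-0000-0003", "products": ["pkg:apk/example/libbaz@0.9.0"],
     "status": "affected", "action_statement": "upgrade to libbaz 0.9.1"},
    {"vulnerability": "CVE-0000-0004", "products": ["pkg:apk/example/libqux@3.1.0"],
     "status": "not_affected"}
  ]
}
""")

# Constructed scanner output: CVE, package URL of the affected component, CVSS score.
FINDINGS = [
    {"cve": "CVE-0000-0001", "purl": "pkg:apk/example/libfoo@1.2.3", "cvss": 9.1},
    {"cve": "CVE-0000-0002", "purl": "pkg:apk/example/libbar@2.0.0", "cvss": 7.2},
    {"cve": "CVE-0000-0003", "purl": "pkg:apk/example/libbaz@0.9.0", "cvss": 9.8},
    {"cve": "CVE-0000-0004", "purl": "pkg:apk/example/libqux@3.1.0", "cvss": 7.5},
    {"cve": "CVE-0000-0005", "purl": "pkg:apk/example/libzap@4.4.0", "cvss": 8.8},
    {"cve": "CVE-0000-0006", "purl": "pkg:apk/example/libfoo@1.2.3", "cvss": 5.3},
]

# Constructed excerpt shaped like the KEV catalog feed (cveID, dateAdded, dueDate).
KEV_EXCERPT = {"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "dateAdded": "2023-01-20", "dueDate": "2023-02-10"},
    {"cveID": "CVE-0000-0005", "dateAdded": "2023-01-28", "dueDate": "2023-03-01"},
]}


def index_vex(doc):
    """Return ({(vulnerability, product): statement}, [rejected statements]).

    A not_affected statement must carry a justification or an
    impact_statement; otherwise it is rejected and cannot hide a finding.
    """
    index, rejected = {}, []
    for st in doc.get("statements", []):
        status = st.get("status")
        if status not in VEX_STATUSES:
            rejected.append(st)
            continue
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            rejected.append(st)
            continue
        for product in st.get("products", []):
            index[(st["vulnerability"], product)] = st
    return index, rejected


def kev_index(kev_doc):
    """Map CVE id -> KEV entry for quick membership and due-date lookup."""
    return {v["cveID"]: v for v in kev_doc.get("vulnerabilities", [])}


def triage(findings, vex, kev):
    """Drop findings VEX marks not_affected/fixed, then rank the rest.

    Ordering: KEV entries first (earliest remediation due date first),
    then non-KEV findings by CVSS descending.
    """
    kept, suppressed = [], []
    for f in findings:
        st = vex.get((f["cve"], f["purl"]))
        if st and st["status"] in SUPPRESSING:
            suppressed.append({**f, "vex_status": st["status"]})
            continue
        entry = kev.get(f["cve"])
        kept.append({**f,
                     "vex_status": st["status"] if st else "no_statement",
                     "kev": entry is not None,
                     "due": date.fromisoformat(entry["dueDate"]) if entry else None})
    kept.sort(key=lambda f: (not f["kev"], f["due"] or date.max, -f["cvss"]))
    return kept, suppressed


if __name__ == "__main__":
    vex, rejected = index_vex(OPENVEX_DOC)
    kept, suppressed = triage(FINDINGS, vex, kev_index(KEV_EXCERPT))
    print("rejected VEX statements:", [s["vulnerability"] for s in rejected])
    print("suppressed:", [f["cve"] for f in suppressed])
    for f in kept:
        print("work on:", f["cve"], f["purl"], "KEV" if f["kev"] else "", f["vex_status"])
```

The rejected statement (CVE-0000-0004, not_affected with no justification) is deliberately left out of the index, so the finding it would have hidden stays in the work queue; a consumer that silently honoured it would be trusting an unexplained suppression.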
  8. Tomi Engdahl says:

    Cyber Insights 2023: Artificial Intelligence
    https://www.securityweek.com/cyber-insights-2023-artificial-intelligence/

    The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool for beneficial improvement is still unknown.

    All roads lead to 2023

    Alex Polyakov, CEO and co-founder of Adversa.AI, focuses on 2023 for primarily historical and statistical reasons. “The years 2012 to 2014,” he says, “saw the beginning of secure AI research in academia. Statistically, it takes three to five years for academic results to progress into practical attacks on real applications.” Examples of such attacks were presented at Black Hat, Defcon, HITB, and other Industry conferences starting in 2017 and 2018.

    “Then,” he continued, “it takes another three to five years before real incidents are discovered in the wild. We are talking about next year, and some massive Log4j-type vulnerabilities in AI will be exploited – massively.”

    Starting from 2023, attackers will have what is called an ‘exploit-market fit’. “Exploit-market fit refers to a scenario where hackers know the ways of using a particular vulnerability to exploit a system and get value,” he said. “Currently, financial and internet companies are completely open to cyber criminals, and the way how to hack them to get value is obvious. I assume the situation will turn for the worse further and affect other AI-driven industries once attackers find the exploit-market fit.”

    The argument is similar to that given by NYU professor Nasir Memon, who described the delay in widespread weaponization of deepfakes with the comment, “the bad guys haven’t yet figured a way to monetize the process.” Monetizing an exploit-market fit scenario will result in widespread cyberattacks – and that could start from 2023.

    The changing nature of AI (from anomaly detection to automated response)

    Over the last decade, security teams have largely used AI for anomaly detection; that is, to detect indications of compromise, presence of malware, or active adversarial activity within the systems they are charged to defend. This has primarily been passive detection, with responsibility for response in the hands of human threat analysts and responders. This is changing. Limited resources – which will worsen in the expected economic downturn and possible recession of 2023 – is driving a need for more automated responses. For now, this is largely limited to the simple automatic isolation of compromised devices; but more widespread automated AI-triggered responses are inevitable.

    “The growing use of AI in threat detection – particularly in removing the ‘false positive’ security noise that consumes so much security attention – will make a significant difference to security,” claims Adam Kahn, VP of security operations at Barracuda XDR. “It will prioritize the security alarms that need immediate attention and action. SOAR (Security Orchestration, Automation and Response) products will continue to play a bigger role in alarm triage.” This is the so-far traditional beneficial use of AI in security. It will continue to grow in 2023, although the algorithms used will need to be protected from malicious manipulation.

    “As companies look to cut costs and extend their runways,” agrees Anmol Bhasin, CTO at ServiceTitan, “automation through AI is going to be a major factor in staying competitive. In 2023, we’ll see an increase in AI adoption, expanding the number of people working with this technology and illuminating new AI use cases for businesses.”

    As the use of AI grows, so the nature of its purpose changes. Originally, it was primarily used in business to detect changes; that is, things that had already happened. In the future, it will be used to predict what is likely to happen – and these predictions will often be focused on people (staff and customers). Solving the long-known weaknesses in AI will become more important. Bias in AI can lead to wrong decisions, while failures in learning can lead to no decisions. Since the targets of such AI will be people, the need for AI to be complete and unbiased becomes imperative.

    “The accuracy of AI depends in part on the completeness and quality of data,” comments Shafi Goldwasser, co-founder at Duality Technologies. “Unfortunately, historical data is often lacking for minority groups and when present reinforces social bias patterns.” Unless eliminated, such social biases will work against minority groups within staff, causing both prejudice against individual staff members, and missed opportunities for management.

    Great strides in eliminating bias have been made in 2022 and will continue in 2023. This is largely based on checking the output of AI, confirming that it is what is expected, and knowing what part of the algorithm produced the ‘biased’ result.

    Failure in AI is generally caused by an inadequate data lake from which to learn. The obvious solution for this is to increase the size of the data lake. But when the subject is human behavior, that effectively means an increased lake of personal data – and for AI, this means a massively increased lake more like an ocean of personal data. In most legitimate occasions, this data will be anonymized – but as we know, it is very difficult to fully anonymize personal information.

    “Privacy is often overlooked when thinking about model training,”

    Natural language processing

    Natural language processing (NLP) will become an important part of companies’ internal use of AI. The potential is clear. “Natural Language Processing (NLP) AI will be at the forefront in 2023, as it will enable organizations to better understand their customers and employees by analyzing their emails and providing insights about their needs, preferences or even emotions,” suggests Jose Lopez, principal data scientist at Mimecast. “It is likely that organizations will offer other types of services, not only focused on security or threats but on improving productivity by using AI for generating emails, managing schedules or even writing reports.”

    But he also sees the dangers involved. “However, this will also drive cyber criminals to invest further into AI poisoning and clouding techniques. Additionally, malicious actors will use NLP and generative models to automate attacks, thereby reducing their costs and reaching many more potential targets.”

    Polyakov agrees that NLP is of increasing importance. “One of the areas where we might see more research in 2023, and potentially new attacks later, is NLP,” he says. “While we saw a lot of computer vision-related research examples this year, next year we will see much more research focused on large language models (LLMs).”

    But LLMs have been known to be problematic for some time – and there is a very recent example. On November 15, 2022, Meta AI (still Facebook to most people) introduced Galactica. Meta claimed to have trained the system on 106 billion tokens of open-access scientific text and data, including papers, textbooks, scientific websites, encyclopedias, reference material, and knowledge bases.

    “The model was intended to store, combine and reason about scientific knowledge,” explains Polyakov – but Twitter users rapidly tested its input tolerance. “As a result, the model generated realistic nonsense, not scientific literature.” ‘Realistic nonsense’ is being kind: it generated biased, racist and sexist returns, and even false attributions. Within a few days, Meta AI was forced to shut it down.

    “So new LLMs will have many risks we’re not aware of,” continued Polyakov, “and it is expected to be a big problem.” Solving the problems with LLMs while harnessing the potential will be a major task for AI developers going forward.

    He then iteratively refined his questions with multiple abstractions until he succeeded in getting a reply that circumvented ChatGPT’s blocking policy on content violations. “What is important with such an advanced trick of multiple abstractions is that neither the question nor the answers are marked as violating content!” said Polyakov.

    He went further and tricked ChatGPT into outlining a method for destroying humanity – a method that bears a surprising similarity to the television program Utopia.

    He then asked for an adversarial attack on an image classification algorithm – and got one. Finally, he demonstrated the ability for ChatGPT to ‘hack’ a different LLM (Dalle-2) into bypassing its content moderation filter. He succeeded.

    The basic point of these tests shows that LLMs, which mimic human reasoning, respond in a manner similar to humans; that is, they can be susceptible to social engineering. As LLMs become more mainstream in the future, it may need nothing more than advanced social engineering skills to defeat them or circumvent their good behavior policies.

    Problems aside, the potential for LLMs is huge. “Large Language Models and Generative AI will emerge as foundational technologies for a new generation of applications,” comments Villi Iltchev, partner at Two Sigma Ventures. “We will see a new generation of enterprise applications emerge to challenge established vendors in almost all categories of software. Machine learning and artificial intelligence will become foundation technologies for the next generation of applications.”

    He expects a significant boost in productivity and efficiency with applications performing many tasks and duties currently done by professionals. “Software,” he says, “will not just boost our productivity but will also make us better at our jobs.”

    Deepfakes and related malicious responses

    One of the most visible areas of malicious AI usage likely to evolve in 2023 is the criminal use of deepfakes. “Deepfakes are now a reality and the technology that makes them possible is improving at a frightening pace,” warns Matt Aldridge, principal solutions consultant at OpenText Security. “In other words, deepfakes are no longer just a catchy creation of science-fiction – and as cybersecurity experts we have the challenge to produce stronger ways to detect and deflect attacks that will deploy them.” (See Deepfakes – Significant or Hyped Threat? for more details and options.)

    Machine learning models, already available to the public, can automatically translate into different languages in real time while also transcribing audio into text – and we’ve seen huge developments in recent years of computer bots having conversations. With these technologies working in tandem, there is a fertile landscape of attack tools that could lead to dangerous circumstances during targeted attacks and well-orchestrated scams.

    “In the coming years,” continued Aldridge, “we may be targeted by phone scams powered by deepfake technology that could impersonate a sales assistant, a business leader or even a family member. In less than ten years, we could be frequently targeted by these types of calls without ever realizing we’re not talking to a human.”

    Thus far, deepfakes have primarily been used for satirical purposes and pornography. In the relatively few cybercriminal attacks, they have concentrated on fraud and business email compromise schemes. Milica expects future use to spread wider. “Imagine the chaos to the financial market when a deepfake CEO or CFO of a major company makes a bold statement that sends shares into a sharp drop or rise. Or consider how malefactors could leverage the combination of biometric authentication and deepfakes for identity fraud or account takeover. These are just a few examples – and we all know cybercriminals can be highly creative.”

    But maybe not just yet…

    The expectation of AI may still be a little ahead of its realization. “‘Trendy’ large machine learning models will have little to no impact on cyber security [in 2023],” says Andrew Patel, senior researcher at WithSecure Intelligence. “Large language models will continue to push the boundaries of AI research. Expect GPT-4 and a new and completely mind-blowing version of GATO in 2023. Expect Whisper to be used to transcribe a large portion of YouTube, leading to vastly larger training sets for language models. But despite the democratization of large models, their presence will have very little effect on cyber security, either from the attack or defense side. Such models are still too heavy, expensive, and not practical for use from the point of view of either attackers or defenders.”

    He suggests true adversarial AI will follow from increased ‘alignment’ research, which will become a mainstream topic in 2023. “Alignment,” he explains, “will bring the concept of adversarial machine learning into the public consciousness.”

    The defensive potential of AI

    AI retains the potential to improve cybersecurity, and further strides will be taken in 2023 thanks to its transformative potential across a range of applications. “In particular, embedding AI into the firmware level should become a priority for organizations,” suggests Camellia Chan, CEO and founder of X-PHY.

    “It’s now possible to have AI-infused SSD embedded into laptops, with its deep learning abilities to protect against every type of attack,” she says. “Acting as the last line of defense, this technology can immediately identify threats that could easily bypass existing software defenses.”

    Marcus Fowler, CEO of Darktrace Federal, believes that companies will increasingly use AI to counter resource restrictions. “In 2023, CISOs will opt for more proactive cyber security measures in order to maximize RoI in the face of budget cuts, shifting investment into AI tools and capabilities that continuously improve their cyber resilience,” he says.

    “With human-driven means of ethical hacking, pen-testing and red teaming remaining scarce and expensive as a resource, CISOs will turn to AI-driven methods to proactively understand attack paths, augment red team efforts, harden environments and reduce attack surface vulnerability,” he continued.

    Karin Shopen, VP of cybersecurity solutions and services at Fortinet, foresees a rebalancing between AI that is cloud-delivered and AI that is locally built into a product or service. “In 2023,” she says, “we expect to see CISOs re-balance their AI by purchasing solutions that deploy AI locally for both behavior-based and static analysis to help make real-time decisions. They will continue to leverage holistic and dynamic cloud-scale AI models that harvest large amounts of global data.”

    The proof of the AI pudding is in the regulations

    It is clear that a new technology must be taken seriously when the authorities start to regulate it. This has already started. There has been an ongoing debate in the US over the use of AI-based facial recognition technology (FRT) for several years, and the use of FRT by law enforcement has been banned or restricted in numerous cities and states. In the US, this is a Constitutional issue, typified by the Wyden/Paul bipartisan bill titled the ‘Fourth Amendment Is Not for Sale Act’ introduced in April 2021.

    This bill would ban US government and law enforcement agencies from buying user data without a warrant. This would include their facial biometrics. In an associated statement, Wyden made it clear that FRT firm Clearview.AI was in its sights: “this bill prevents the government buying data from Clearview.AI.”

    At the time of writing, the US and EU are jointly discussing cooperation to develop a unified understanding of necessary AI concepts, including trustworthiness, risk, and harm, building on the EU’s AI Act and the US AI Bill of Rights – and we can expect to see progress on coordinating mutually agreed standards during 2023.

    “In 2023, I believe we will see the convergence of discussions around AI and privacy and risk, and what it means in practice to do things like operationalizing AI ethics and testing for bias,” says Christina Montgomery, chief privacy officer and AI ethics board chair at IBM. “I’m hoping in 2023 that we can move the conversation away from painting privacy and AI issues with a broad brush, and from assuming that, ‘if data or AI is involved, it must be bad and biased’.”

    Going forward

    AI is ultimately a divisive subject. “Those in the technology, R&D, and science domain will cheer its ability to solve problems faster than humans imagined. To cure disease, to make the world safer, and ultimately saving and extending a human’s time on earth…” says Donnie Scott, CEO at Idemia. “Naysayers will continue to advocate for significant limitations or prohibitions of the use of AI as the ‘rise of the machines’ could threaten humanity.”

    In the end, he adds, “society, through our elected officials, needs a framework that allows for the protection of human rights, privacy, and security to keep pace with the advancements in technology. Progress will be incremental in this framework advancement in 2023 but discussions need to increase in international and national governing bodies, or local governments will step in and create a patchwork of laws that impede both society and the technology.”

    For the commercial use of AI within business, Montgomery adds, “We need – and IBM is advocating for – precision regulation that is smart and targeted, and capable of adapting to new and emerging threats. One way to do that is by looking at the risk at the core of a company’s business model. We can and must protect consumers and increase transparency, and we can do this while still encouraging and enabling innovation so companies can develop the solutions and products of the future. This is one of the many spaces we’ll be closely watching and weighing in on in 2023.”

    Reply
  9. Tomi Engdahl says:

    Andrew Martin / Bloomberg:
    FS-ISAC report: DDoS attacks targeting banks and other financial firms had increased 22% YoY by November 2022, particularly in Europe, where they rose 73% YoY

    Denial-of-Service Attacks Rise, Raising Concerns for Banks
    https://www.bloomberg.com/news/articles/2023-01-31/ddos-attacks-rise-a-sign-of-concern-for-banks-finance?leadSource=uverify%20wall

    Goal is to disable websites by flooding them with traffic
    Popularity of IoT devices has contributed to rise in incidents

    Reply
  10. Tomi Engdahl says:

    Chainalysis:
    Analysis: 2022 was the biggest year ever for crypto hacking, with $3.8B stolen, primarily from DeFi protocols and by the North Korea-linked Lazarus Group

    2022 Biggest Year Ever For Crypto Hacking with $3.8 Billion Stolen, Primarily from DeFi Protocols and by North Korea-linked Attackers
    https://blog.chainalysis.com/reports/2022-biggest-year-ever-for-crypto-hacking/

    Hacking activity ebbed and flowed throughout the year, with huge spikes in March and October, the latter of which became the biggest single month ever for cryptocurrency hacking, as $775.7 million was stolen in 32 separate attacks.

    DeFi protocols by far the biggest victims of cryptocurrency hacks

    In last year’s Crypto Crime Report, we wrote about how decentralized finance (DeFi) protocols in 2021 became the primary target of crypto hackers. That trend intensified in 2022.

    DeFi protocols as victims accounted for 82.1% of all cryptocurrency stolen by hackers — a total of $3.1 billion — up from 73.3% in 2021. And of that $3.1 billion, 64% came from cross-chain bridge protocols specifically. Cross-chain bridges are protocols that let users port their cryptocurrency from one blockchain to another, usually by locking the user’s assets into a smart contract on the original chain, and then minting equivalent assets on the second chain. Bridges are an attractive target for hackers because the smart contracts in effect become huge, centralized repositories of funds backing the assets that have been bridged to the new chain — a more desirable honeypot could scarcely be imagined. If a bridge gets big enough, any error in its underlying smart contract code or other potential weak spot is almost sure to eventually be found and exploited by bad actors.

    How do we make DeFi safer?

    DeFi is one of the fastest-growing, most compelling areas of the cryptocurrency ecosystem, largely due to its transparency. All transactions happen on-chain, and the smart contract code governing DeFi protocols is publicly viewable by default, so users can know exactly what will happen to their funds when they use them. That’s especially attractive now in 2023, as many of the crypto market blowups of the past year were due to a lack of transparency into the actions and risk profiles of centralized cryptocurrency businesses. But that same transparency is also what makes DeFi so vulnerable — hackers can scan DeFi code for vulnerabilities and strike at the perfect time to maximize their theft.

    DeFi code auditing conducted by third-party providers is one possible remedy to this. Blockchain cybersecurity firm Halborn is one such provider, and is notable for its clean track record — no DeFi protocol to pass a Halborn audit has subsequently been hacked.

    Schwed told us that DeFi developers should look to traditional financial institutions for examples of how to make their platforms more secure. “You don’t need to move as slow as a bank, but you can borrow from what banks do.” Some measures he recommends include:

    Test protocols with simulated attacks. DeFi developers can simulate different hacking scenarios on testnets in order to test how their protocol stands up to the most common attack vectors.

    Take advantage of crypto’s transparency. One huge advantage of a blockchain like Ethereum is that transactions are visible in the mempool before they’re confirmed on the blockchain. Schwed recommended that DeFi developers monitor the mempool closely for suspicious activity on their smart contracts to detect possible attacks as early as possible.
    Circuit breakers. DeFi protocols should build out automated processes to pause their protocols and halt transactions if suspicious activity is detected. “It’s better to briefly inconvenience users than to have the entire protocol get drained,” said Schwed.

    Reply
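The mempool-monitoring and circuit-breaker measures Schwed describes in the comment above, as an added example rather than code from Chainalysis, Halborn or any real bridge: a constructed simulation of a bridge's release path that screens pending releases by size and trips a pause when aggregate outflow in a sliding window exceeds a share of value locked. The thresholds, window length and the idea of a governance "resume" step are assumptions for illustration.

```python
"""Added example: outflow-based circuit breaker for a cross-chain bridge release path.

Constructed simulation, not any protocol's production code. Thresholds are
illustrative assumptions; a real deployment would tune them per asset and chain.
"""
from collections import deque


class BridgeCircuitBreaker:
    def __init__(self, tvl, window_seconds=3600, max_outflow_ratio=0.10, max_single_ratio=0.05):
        self.tvl = tvl                               # value currently locked on the origin chain
        self.window_seconds = window_seconds         # sliding window for aggregate outflow
        self.max_outflow_ratio = max_outflow_ratio   # pause if more than this share leaves per window
        self.max_single_ratio = max_single_ratio     # flag any single pending release above this share
        self.paused = False
        self._outflows = deque()                     # (timestamp, amount) of confirmed releases

    def _prune(self, now):
        # Drop releases that have aged out of the sliding window.
        while self._outflows and now - self._outflows[0][0] > self.window_seconds:
            self._outflows.popleft()

    def window_outflow(self, now):
        self._prune(now)
        return sum(amount for _, amount in self._outflows)

    def screen_pending(self, pending):
        """Mempool-style pre-check: ids of pending releases large enough to look at before they confirm."""
        limit = self.max_single_ratio * self.tvl
        return [tx["id"] for tx in pending if tx["amount"] > limit]

    def release(self, now, amount):
        """Attempt a release at time `now`; returns 'ok', 'rejected' or 'paused'."""
        if self.paused:
            return "paused"
        if amount <= 0 or amount > self.tvl:
            return "rejected"      # can never release more than is actually locked
        if self.window_outflow(now) + amount > self.max_outflow_ratio * self.tvl:
            self.paused = True     # trip the breaker instead of letting the drain continue
            return "paused"
        self._outflows.append((now, amount))
        self.tvl -= amount
        return "ok"

    def resume(self):
        """Manual/governance action once the incident has been reviewed (assumed process)."""
        self.paused = False


def run_demo():
    """Drive the breaker through a burst of releases; returns (release results, flagged pending ids)."""
    bridge = BridgeCircuitBreaker(tvl=1000.0)
    results = [
        bridge.release(0, 40.0),    # ok: 40 of a 100 budget
        bridge.release(10, 50.0),   # ok: 90 of a 96 budget (TVL is now 960)
        bridge.release(20, 20.0),   # trips: 110 would exceed 10% of 910
        bridge.release(30, 1.0),    # still paused
    ]
    bridge.resume()
    results.append(bridge.release(4000, 50.0))   # earlier releases have aged out of the window
    pending = [{"id": "tx-a", "amount": 10.0}, {"id": "tx-b", "amount": 600.0}]  # constructed mempool view
    return results, bridge.screen_pending(pending)


if __name__ == "__main__":
    print(run_demo())
```

The window check is what stops a drain in progress; the pending-transaction screen is what gives the team a few blocks of warning before it starts. Neither replaces an audit of the contract itself, and the breaker's own pause and resume authority becomes a target in its own right, so it needs the same key-management care as the bridge's minting keys.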
  11. Tomi Engdahl says:

    Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing
    https://www.securityweek.com/stop-collaborate-and-listen-disrupting-cybercrime-networks-requires-private-public-cooperation-and-information-sharing/

    No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

    As we reflect on 2022, we’ve seen that malicious actors are constantly coming up with new ways to weaponize technologies at scale to cause more disruption and devastation.

    The dangers are showing up everywhere – and more frequently. The volume and variety of threats, including Ransomware-as-a-Service (RaaS) and novel attacks on previously less conventional targets, are of particular concern to CIOs and CISOs.

    Increasingly, cybercrime is big business run by highly organized groups rather than individuals. Much like the mythological hydra, cutting off the head of one of these organizations (i.e. just stopping a few low level operators in their tracks) isn’t going to solve the problem; the key is to disrupt the networks themselves. That’s a tall order – one that’s going to require widespread collaboration.

    Cybercrime networks and Cybercrime-as-a-Service

    We anticipated that in 2022 there would be an increase in pre-attack reconnaissance and weaponization among attackers. This would open the door for the growth of Crime-as-a-Service (CaaS) to accelerate even faster.

    Reply
  12. Tomi Engdahl says:

    Report: Developers are most in demand on dark web https://therecord.media/report-developers-are-most-in-demand-on-dark-web/
    Hacker gangs often operate like businesses: they have salaries, working hours, clients and employees. To compete in a growing market, they are constantly looking for new talent with better skill sets, and they often use the same methods as legitimate tech companies and startups. The main difference is that cybercriminals do it in the hot spot of illegal business on the dark web. In a new study by Kaspersky, researchers analyzed about 200,000 full-time job postings and CVs on 155 darknet forums from January 2020 to June 2022 to find out how the covert cybercrime labor market operates.

    Reply
  13. Tomi Engdahl says:

    98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis
    https://www.securityweek.com/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis/

    A new report found that 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached.

    The digital supply chain is probably more extensive and more complicated than you realize. Upward of 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years – and these figures are almost certainly no exaggeration.

    The figures come from a report by SecurityScorecard. More than 230,000 organizations were examined to discover their relationships with third parties. Third parties were investigated to examine fourth parties (on which the third parties depend before delivering services to the first party). The expansion of relationships grows so rapidly that it makes six degrees of separation likely to be a conservative estimation.

    From the figures: 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. These figures do not suggest that the first parties have been breached, but they do indicate the extent of risk exposure via the supply chain.

    It is worth reflecting on the term ‘breach’. Some commentators include data exposure within the term – so an organization with an unsecured cloud database is described as breached. This is not how SecurityScorecard uses the term in this report.

    “We define a breach as any incident where parties gain unauthorized access to computer data, applications, networks, or devices,” Mike Woodward, VP data quality and trust at SecurityScorecard, told SecurityWeek. “The parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.”

    Knowledge of a breach comes from public knowledge: from government disclosures and press reports.

    Of course, not all organizations disclose that they have been breached, and not all organizations even know they have been breached. So, the effect of this methodology means SecurityScorecard’s statement that ‘98% of organizations have a relationship with a third (or fourth) party that has been breached’ can only be the most conservative of estimates.

    “SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” comments Wade Baker, partner and co-founder at The Cyentia Institute (a data-driven cybersecurity research group).

    Reply
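The third-party/fourth-party exposure described in the SecurityScorecard report above, as an added example that is not the report's or SecurityScorecard's own method: a breadth-first walk over a constructed supplier graph that reports every publicly breached vendor within two hops and the shortest relationship path to it. The organisations, relationships and breach dates are all constructed sample data.

```python
"""Added example: transitive supply-chain exposure via a breadth-first walk.

All organisations, relationships and breach dates below are constructed sample data.
"""
from collections import deque

# Edges point from a customer to its suppliers (first party -> third parties -> fourth parties).
SUPPLIERS = {
    "acme-corp": ["payroll-saas", "cdn-vendor", "hr-platform"],
    "payroll-saas": ["cloud-host", "email-relay"],
    "cdn-vendor": ["cloud-host"],
    "hr-platform": ["analytics-co"],
    "analytics-co": ["email-relay"],
}
# Vendors with a publicly disclosed breach, keyed to the disclosure month.
BREACHED = {"email-relay": "2022-06", "analytics-co": "2021-11"}


def exposure(org, suppliers=SUPPLIERS, breached=BREACHED, max_depth=2):
    """Return {vendor: (depth, path)} for each breached vendor within max_depth hops of org.

    Depth 1 is a third party, depth 2 a fourth party. Breadth-first order means the
    recorded path is the shortest one, i.e. the relationship to investigate first.
    """
    found = {}
    seen = {org}
    queue = deque([(org, 0, [org])])
    while queue:
        node, depth, path = queue.popleft()
        if depth == max_depth:
            continue                       # do not expand past the requested depth
        for vendor in suppliers.get(node, []):
            if vendor in seen:
                continue
            seen.add(vendor)
            vpath = path + [vendor]
            if vendor in breached:
                found[vendor] = (depth + 1, vpath)
            queue.append((vendor, depth + 1, vpath))
    return found


def summarize(org, **kwargs):
    """Split the breached vendors reachable from org into third parties and fourth parties."""
    found = exposure(org, **kwargs)
    return {
        "third_party": sorted(v for v, (d, _) in found.items() if d == 1),
        "fourth_party": sorted(v for v, (d, _) in found.items() if d == 2),
    }


if __name__ == "__main__":
    for vendor, (depth, path) in exposure("acme-corp").items():
        print(f"{vendor}: depth {depth}, via {' -> '.join(path)}, disclosed {BREACHED[vendor]}")
```

The walk only finds what the relationship data and the breach feed contain, which is the point the report makes: the 98% figure is a floor, because undisclosed and undiscovered breaches never enter `BREACHED`, and suppliers you have not inventoried never enter `SUPPLIERS`.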
  14. Tomi Engdahl says:

    Monomorph – MD5-Monomorphic Shellcode Packer – All Payloads Have The Same MD5 Hash
    https://www.kitploit.com/2023/02/monomorph-md5-monomorphic-shellcode.html?m=1

    What does it do?
    It packs up to 4KB of compressed shellcode into an executable binary, near-instantly. The output file will always have the same MD5 hash: 3cebbe60d91ce760409bbe513593e401

    Currently, only Linux x86-64 is supported.

    Reply
  15. Tomi Engdahl says:

    Lowe’s pioneers system to solve organized retail crime
    Organized retail crime cost the industry almost $100B in 2021, the NRF reported
    https://www.foxbusiness.com/lifestyle/lowes-pioneers-nearly-invisible-system-to-solve-organized-retail-crime

    Lowe’s Companies Inc. has innovated – and successfully tested – a new system geared toward tackling organized retail crime in a frictionless and almost invisible manner.

    It’s called Project Unlock, and it’s a proof-of-concept system that underscores how there are methods to solving this industry-wide problem without having to lock up every product on the shelf, Lowe’s Chief Digital and Information Officer Seemantini Godbole told FOX Business in an exclusive interview.

    On average, there was a 26.5% increase in organized retail crime in 2021, costing the industry almost $100 billion, according to the latest data from the National Retail Federation (NRF).

    So far, the solution has been to lock up products, which Godbole says is “disrupting an enjoyable experience that customers rightfully should have.”

    “As you can see, all the retailers are locking down stuff and putting physical locks on the product,” Godbole said. “We said, ‘you know, we wish we had digital locks… we could enable and disable with technology.’”

    Lowe’s demonstrated Project Unlock last week during NRF’s 2023 expo in New York City, hosted in conjunction with the Loss Prevention Research Council. Its goal is to prove that technology can be leveraged to solve organized retail crime without hindering the shopping experience for law-abiding citizens.

    Over the last 12 to 18 months, Lowe’s Innovation Labs has been testing out the system which utilizes RFID [Radio Frequency Identity] chips, scanners and blockchain.

    If implemented, it would render a stolen tool inoperable which would discourage bad actors and in turn, keep employees safe, according to Godbole.

    To work, manufacturers would first have to embed a wireless RFID (Radio Frequency Identity) chip into a power tool product. The chip is already preloaded with the item’s serial number. It is also embedded in the box’s barcode.

    The product is set to inoperable up until the moment the customer pays for it. An RFID scanner at the register would then read the chip and activate the tool for use.

    “Only products that are legitimately purchased are activated,” according to Lowe’s Innovation Labs. “If a power tool is stolen, it won’t work, which makes it less valuable to steal.”

    Reply
  16. Tomi Engdahl says:

    6 Ransomware Trends & Evolutions For 2023 https://www.trendmicro.com/en_us/ciso/23/b/ransomware-trends-evolutions-2023.html
    New developments like the success of law enforcement crackdowns on ransomware, changing government regulations, international sanctions, and the looming regulation of cryptocurrency will force adversaries to adapt, both to overcome new challenges and to take advantage of new opportunities. For cybersecurity leaders, keeping ahead of these 6 changes will be crucial in defending against new exploits and attack vectors.

    Reply
  17. Tomi Engdahl says:

    Cyber Insights 2023 | Supply Chain Security
    https://www.securityweek.com/cyber-insights-2023-supply-chain-security/

    The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be remediated.

    Reply
  18. Tomi Engdahl says:

    Google Shells Out $600,000 for OSS-Fuzz Project Integrations
    https://www.securityweek.com/google-shells-out-600000-for-oss-fuzz-project-integrations/

    Google announces an expansion of its OSS-Fuzz rewards program to help find software vulnerabilities before they are exploited.

    Google this week announced an extension to its OSS-Fuzz rewards program, an initiative meant to reward contributors for integrating projects into OSS-Fuzz.

    Launched in 2016, OSS-Fuzz is meant to help identify vulnerabilities in open source software through continuous fuzzing, with a declared goal of making common software infrastructure more secure.

    Six months after the launch, Google announced that it was offering rewards between $1,000 and $20,000 for integrating projects into OSS-Fuzz, and now says that it has paid over $600,000 to more than 65 different contributors as part of the program.

    Google Launches OSS-Fuzz Open Source Fuzzing Service
    https://www.securityweek.com/google-launches-oss-fuzz-open-source-fuzzing-service/

    Just two months after Microsoft announced its Project Springfield code fuzzing service, Google has launched the beta of its own OSS-Fuzz. The purpose in both cases is to help developers locate the bugs that eventually lead to breaches. But the services, like the two organizations, are very different: one is paid for while the other is free; one is proprietary while the other is open source.

    Reply
  19. Tomi Engdahl says:

    Dealing With the Carcinization of Security
    https://www.securityweek.com/dealing-with-the-carcinization-of-security/

    Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

    Recently, a friend brought up the term “carcinization” and I must admit, I had to look it up! Turns out the term was coined more than 100 years ago to describe the phenomenon of crustaceans evolving into crab-shaped forms. Today, there are even memes for it. So, what does this example of convergent evolution have to do with security? It’s an apt description of how the security industry has evolved and why security leaders often struggle to determine the right security investments for their organization.

    The security industry started out with a series of point products to solve very specific challenges. Organizations used endpoint antivirus, firewalls, IPS/IDS, and routers to protect themselves. Email and web security tools were soon added, along with SIEMs and other tools like ticketing systems, log management repositories and case management systems to house internal threat and event data. Endpoint detection and response (EDR) tools then came into the mix and a few years later served as the jumping off point for the next phase in the industry’s evolution. That’s when the traditional walls between endpoint and network security technologies began to crumble and product categories were no longer clearly defined.

    Everything starts to look alike
    When the concept of extended detection and response (XDR) was introduced a couple of years ago, industry analysts each seemed to have slightly different, but colliding, definitions of it. Some said XDR is EDR+ (with different opinions as to what the + consisted of) while others said XDR isn’t a solution at all, but an approach or an architecture. Those conversations continue today.

    Now the industry is talking about threat detection, investigation and response (TDIR) platforms and depending on who you ask about the difference with XDR, you’ll get a different answer. Some say XDR is an overarching architecture and TDIR is the platform that integrates all the capabilities required for XDR. Others say TDIR is a process. And another contingent says they are one and the same.

    The varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies to strengthen their organization’s security posture. At a time when the market should be maturing and moving security to a better place, these discrepancies prevent that from happening.

    Use cases, not labels
    So, how can security teams cut through the noise and confusion? In the carcinization of security, where everything starts to look and sound alike, it’s critical to focus first on use cases. To do this, start with what you are trying to accomplish, the associated workflows, and the people, processes, and technology required. From there, you can look at where the gaps exist and where to invest to achieve your goals.

    Reply
  20. Tomi Engdahl says:

    Hackers are using this new trick to deliver their phishing attacks https://www.zdnet.com/article/hackers-are-using-this-new-trick-to-deliver-their-phishing-attacks/
    According to analysis by Proofpoint, there’s been a rise in cyberattackers attempting to deliver malware using OneNote documents, a digital notebook signified by .one extensions that is part of the Microsoft 365 office applications suite. Source:
    https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware

    Reply
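A gateway-side check for the OneNote delivery trick described in the comment above, as an added example that is not Proofpoint's or ZDNet's code: it parses a constructed e-mail with Python's standard `email` module and holds any attachment that carries a OneNote extension, a double extension such as `.pdf.one`, or a declared `application/onenote` content type. The sample message, addresses and filename are constructed.

```python
"""Added example: flag OneNote attachments at a mail gateway.

Constructed sample message; not code from Proofpoint or any mail product.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions OneNote opens directly: .one (section) and .onepkg (notebook package).
ONENOTE_EXT = (".one", ".onepkg")


def build_sample(filename="Invoice_0223.pdf.one"):
    """Build a constructed message with one attachment; the default name mimics a PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"\x00" * 64, maintype="application", subtype="octet-stream",
                       filename=filename)   # placeholder bytes, not a real OneNote file
    return msg.as_bytes()


def flag_onenote_attachments(raw):
    """Return [(filename, [reasons])] for attachments the gateway should hold for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        reasons = []
        if name.endswith(ONENOTE_EXT):
            reasons.append("onenote-extension")
            if name.count(".") >= 2:
                reasons.append("double-extension")   # e.g. invoice.pdf.one dressed up as a PDF
        if part.get_content_type() == "application/onenote":
            reasons.append("onenote-mime")           # declared type, whatever the filename says
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    print(flag_onenote_attachments(build_sample()))
```

Filename and declared type are both attacker-controlled, so this is a first-pass filter, not a verdict; the sender here labels the part `application/octet-stream` precisely to avoid a type-based rule, and the extension check is what catches it. A gateway that wants a stronger signal inspects the attachment bytes for embedded files rather than trusting either header.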
  21. Tomi Engdahl says:

    How to protect and secure your password manager https://www.zdnet.com/article/how-to-protect-and-secure-your-password-manager/
    Using a password manager is an effective way to protect your passwords, but you also need to protect your password manager.

    Reply
  22. Tomi Engdahl says:

    DHL Email Scams: How To Spot The Fakes
    https://www.forbes.com/sites/barrycollins/2023/02/04/dhl-email-scams-how-to-spot-the-fakes/
    Scammers are very good at making the fake emails look convincing, and even the most security-conscious user can be caught out. However, there are several telltale signs to look for that will help you separate the cons from the genuine emails. Here is a guide to avoiding DHL email scams: what to look for, what to avoid, and what to do with those emails when you realize they’re a fraud.

    Reply
  23. Tomi Engdahl says:

    Vint Cerf Receives IEEE Medal of Honor
    https://circleid.com/posts/20230131-vint-cerf-receives-ieee-medal-of-honor
    Vinton Cerf, widely known as the Father of the Internet, has been awarded the IEEE Medal of Honor in 2023 for his contributions to the development of the Internet architecture and for his leadership in its growth as a critical infrastructure for society.

    Reply
  24. Tomi Engdahl says:

    SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
    https://www.securityweek.com/securityweek-cybersecurity-mergers-acquisitions-report-2022/

    More than 450 cybersecurity-related mergers and acquisitions were announced in 2022, according to an analysis conducted by SecurityWeek

    Reply
  26. Tomi Engdahl says:

    Interpol jumps into the metaverse: this is how it is preparing to fight virtual crime
    https://www.tivi.fi/uutiset/tv/3d691efd-db12-4285-b246-a89723209226
    The metaverse, seen as the future of the internet, has also caught the attention of the international police organisation Interpol. The organisation’s Secretary General Jurgen Stock says Interpol is looking into how crime in the metaverse could be fought. Speaking to the BBC, Stock sees that the police organisation cannot afford to fall behind in this development.
    According to him, criminals are quick to adopt new technologies. [...] Problems with virtual reality have already begun to surface. Cases discussed publicly include various forms of sexual harassment in Meta’s Horizon Worlds.
    Virtual reality can be seen as a kind of precursor to the metaverse, but there is as yet no single definition of the metaverse. Interpol’s director of technology and innovation, Dr Madan Oberoi, considers that defining metaverse crime is not straightforward. According to him, defining physical-world crimes in the metaverse is challenging.

    Reply
  27. Tomi Engdahl says:

    Masha Borak / Wired:
    A look at Moscow’s Safe City, an AI surveillance system with 217K connected cameras designed to catch criminals that is now seen as a tool of digital repression — Moscow promised residents lower crime rates through an expansive smart city project. Then Vladimir Putin invaded Ukraine.

    https://www.wired.com/story/moscow-safe-city-ntechlab/

    Reply
  28. Tomi Engdahl says:

    Manish Singh / TechCrunch:
    Pakistan unblocks Wikipedia after three days; Prime Minister Shehbaz Sharif: unintended consequences of the ban over objectionable content outweigh the benefits

    https://techcrunch.com/2023/02/06/wikipedia-pakistan/

    Reply
  29. Tomi Engdahl says:

    Listed at #6 in the OWASP Top 10, vulnerable and outdated components is a growing issue. The volume of components used in the development of today’s applications make it difficult for developers to identify outdated or vulnerable code.

    Reply
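A minimal software-composition check for the vulnerable-and-outdated-components problem mentioned above, added here as an example and not taken from OWASP or any SCA product: it parses a constructed `requirements.txt`, matches exact pins against a constructed advisory feed with introduced/fixed version ranges, and reports unpinned ranges separately because a manifest alone cannot tell you which version will be installed. Package names, versions and advisory identifiers are all made up for the example; the version comparison handles numeric dotted versions only.

```python
"""Added example: check pinned dependencies against an advisory feed.

All package names, versions and advisory ids below are constructed sample data.
"""
import re

ADVISORIES = {
    "examplelib": [{"id": "EXAMPLE-2023-0001", "introduced": "1.0.0", "fixed": "1.4.2"}],
    "otherpkg": [{"id": "EXAMPLE-2022-0042", "introduced": "0", "fixed": "2.0.0"}],
}

REQUIREMENTS = """\
examplelib==1.3.0
otherpkg>=2.1.0       # a range, not a pin: the resolved version is unknown here
safe-tool==3.2.1
pinned_old==0.9       # no advisories in the feed
"""

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?")


def normalize_name(name):
    # PyPI treats runs of '-', '_' and '.' as equivalent and names as case-insensitive.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Yield (normalized name, operator, version) per requirement line; comments are ignored."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            name, op, ver = m.groups()
            reqs.append((normalize_name(name), op, ver))
    return reqs


def version_key(v):
    """Numeric dotted versions only; a non-numeric part sorts below 0 (an approximation)."""
    parts = [int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v)]
    return tuple(parts + [0] * (3 - len(parts)))   # pad so 1.3 and 1.3.0 compare equal


def is_affected(version, adv):
    """introduced <= version < fixed, the half-open range most advisory feeds use."""
    return version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"])


def audit(req_text=REQUIREMENTS, advisories=ADVISORIES):
    """Return (name, version or 'unpinned', [advisory ids]) for every requirement needing action."""
    findings = []
    for name, op, ver in parse_requirements(req_text):
        advs = advisories.get(name, [])
        if not advs:
            continue
        if op != "==" or ver is None:
            # A range cannot be judged from the manifest; audit the lock file instead.
            findings.append((name, "unpinned", [a["id"] for a in advs]))
            continue
        hits = [a["id"] for a in advs if is_affected(ver, a)]
        if hits:
            findings.append((name, ver, hits))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against a lock file rather than the manifest and the "unpinned" branch disappears, which is the practical lesson: the check is only as good as the precision of the version you feed it, and transitive dependencies never appear in a hand-written requirements file at all.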
  30. Tomi Engdahl says:

    Cybercriminals Bypass ChatGPT Restrictions to Generate Malicious Content https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/
    There have been many discussions and research on how cybercriminals are leveraging the OpenAI platform, specifically ChatGPT, to generate malicious content such as phishing emails and malware. In Check Point Research’s (CPR) previous blog, we described how ChatGPT successfully conducted a full infection flow, from creating a convincing spear-phishing email to running a reverse shell, which can accept commands in English. CPR researchers recently found an instance of cybercriminals using ChatGPT to improve the code of a basic Infostealer malware from 2019. Although the code is not complicated or difficult to create, ChatGPT improved the Infostealer’s code.

    Reply
  31. Tomi Engdahl says:

    Makena Kelly / The Verge:
    At the State of the Union, Biden called for Congress to strengthen data privacy protections and antitrust enforcement to stop Big Tech from self-preferencing — President Joe Biden threw his support behind tougher rules regulations

    Biden rallies against Big Tech in State of the Union address
    https://www.theverge.com/2023/2/7/23590396/state-of-the-union-sotu-biden-tech-tiktok-privacy-antitrust

    The president called for stricter privacy protections and for Congress to strengthen US antitrust law.

    President Joe Biden threw his support behind tougher rules regulating Silicon Valley during his Second State of the Union speech Tuesday night.

    The president attempted to rally bipartisan support to finally resolve a number of long-standing privacy, safety, and competition issues facing the tech industry. Over the more than hourlong address, Biden called on Congress to pass new rules protecting user data privacy and boosting competition in the tech industry.

    “Pass bipartisan legislation to strengthen antitrust enforcement and prevent big online platforms from giving their own products an unfair advantage,” Biden said. “It’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.”

    The address echoed much of what Biden said during his first State of the Union address last year. Child online safety has long troubled Congress and the Biden administration

    But over the last two years, little has been done to improve the safety of young users on social media in the US. Lawmakers have introduced dozens of bills, but none have garnered enough support to force a floor vote in either the House or Senate.

    Biden touted his administration’s work to bolster US competitiveness against China, leveraging the primetime spot to tout the $52 billion CHIPS and Science Act that included $52 billion in funding to boost US semiconductor manufacturing. Despite the speech’s focus on China, Biden did not comment on whether his administration would ban TikTok.

    Reply
  32. Tomi Engdahl says:

    From household appliances and local corner shops to hospitals and basic government services, cyberattacks are on the rise across the globe.

    EU-backed researchers and companies are joining forces in developing new tools to help strengthen Europe’s homegrown cybersecurity industry.

    Learn more
    bit.ly/3lmjdiV

    #HorizonEU

    Reply
  33. Tomi Engdahl says:

    Researcher speaks bluntly: TikTok is a huge risk and the West is naive. This is how China uses digital power to build up its military might
    https://www.kauppalehti.fi/uutiset/tutkija-lataa-suorat-sanat-tiktok-on-valtava-riski-ja-lansimaat-naiiveja-nain-kiina-kayttaa-digitaalista-valtaa-sotilasmahtinsa-kasvatukseen/25bb49b9-c567-4940-8457-fce047828bc8
    The Chinese Communist Party has taken a tight grip on the country’s technology sector. Digital power is also extended abroad by cunning means. “It is interesting that China sees the potential dangers of these services, while the West takes a fairly carefree attitude to the matter,” says University of Helsinki researcher Monique Taylor.

    Reply
  34. Tomi Engdahl says:

    GDPR tool developed in Finland released as open source https://www.tivi.fi/uutiset/tv/19e52f7f-508c-4972-b7e1-6491e4a3a69e
    Behind the unwieldy name GDPR2DSM is a two-year project by the Office of the Data Protection Ombudsman and the Finnish Information Society Development Centre (Tieke), which aims to support small and medium-sized enterprises in meeting data protection requirements.
    The project developed a web tool with which companies can test how well they meet the requirements of the General Data Protection Regulation (GDPR). The tool, available in Finnish, Swedish and English, has now been released as open source.

    Reply
  35. Tomi Engdahl says:

    ChatGPT is a data privacy nightmare, and we ought to be concerned https://arstechnica.com/information-technology/2023/02/chatgpt-is-a-data-privacy-nightmare-and-you-ought-to-be-concerned/
    ChatGPT has taken the world by storm. Within two months of its release it reached 100 million active users, making it the fastest-growing consumer application ever launched. Users are attracted to the tool’s advanced capabilities and concerned by its potential to cause disruption in various sectors. A much less discussed implication is the privacy risks ChatGPT poses to each and every one of us. Just yesterday, Google unveiled its own conversational AI called Bard, and others will surely follow. Technology companies working on AI have well and truly entered an arms race. The problem is, it’s fueled by our personal data.

    Reply
  36. Tomi Engdahl says:

    UN Experts: North Korean Hackers Stole Record Virtual Assets
    https://www.securityweek.com/un-experts-north-korean-hackers-stole-record-virtual-assets/

    North Korean hackers working for the government stole virtual assets last year estimated to be worth between $630 million and more than $1 billion, U.N. experts said in a report.

    North Korean hackers working for the government stole record-breaking virtual assets last year estimated to be worth between $630 million and more than $1 billion, U.N. experts said in a new report.

    The panel of experts said in the wide-ranging report seen Tuesday by The Associated Press that the hackers used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information that could be useful in North Korea’s nuclear and ballistic missile programs from governments, individuals and companies.

    With growing tensions on the Korean Peninsula, the report said North Korea continued to violate U.N. sanctions, producing weapons-grade nuclear material, and improving its ballistic missile program, which “continued to accelerate dramatically.”

    In 2022, the Democratic People’s Republic of Korea – the North’s official name – launched at least 73 ballistic missiles and missiles combining ballistic and guidance technologies including eight intercontinental ballistic missiles, the panel said. And 42 launches, including the test of a reportedly new type of ICBM and a new solid-fueled ICBM engine, were conducted in the last four months of the year.

    Reply
  37. Tomi Engdahl says:

    Minister: Cybercrimes Now 20% of Spain’s Registered Offenses
    https://www.securityweek.com/minister-cybercrimes-now-20-of-spains-registered-offenses/

    Spain’s government pledged stronger action against cybercrime, saying it has come to account for about a fifth of all offenses registered in the country.

    Spain’s government on Wednesday pledged stronger action against cybercrime, saying it has come to account for about a fifth of all offenses registered in the country.

    Interior Minister Fernando Grande-Marlaska said police would be given additional staff, funding and resources to address online crime. He said reported cases of cybercrime were up 72% last year compared to 2019, and 352% compared to 2015.

    “The … decline in conventional crime and the increase in cybercrime has brought us to a turning point: today, one in every five crimes in Spain is committed online,” he told a press conference in Madrid.

    Almost 90% of cybercrimes reported last year involved online fraud schemes, Grande-Marlaska said. “This … has a remarkable and negative impact on national interests, institutions, companies and citizens,” he added.

    Reply
  38. Tomi Engdahl says:

    Cyberwarfare
    Spies, Hackers, Informants: How China Snoops on the US
    https://www.securityweek.com/spies-hackers-informants-how-china-snoops-on-the-us/

    An alleged Chinese surveillance balloon over the United States last week sparked a diplomatic furore and renewed fears over how Beijing gathers intelligence on its largest strategic rival.

    Reply
  39. Tomi Engdahl says:

    Application Security Protection for the Masses
    https://www.securityweek.com/application-security-protection-for-the-masses/

    While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in a self-service manner are becoming increasingly popular.

    In other words, customers have a number of different problems, issues, and challenges that they are looking to solve. They are not necessarily interested in all of the different things your product or service can do. Rather, they are interested in learning how your solution can help them address their strategic priorities and move forward on the goals they have set for their security and fraud problems. It is incumbent upon vendors to understand that and to make it easy for potential customers to understand that mapping.

    Along those lines, improving application security is a common goal customers have. As you might imagine, any solution geared towards improving the security of an application is going to be complex, consisting of many different moving parts. Thus, forcing customers to hunt for the components they need within your product data sheets and overviews is not going to be an effective way to convince those customers that you have a solution they might be in the market for.

    Reply
  40. Tomi Engdahl says:

    Tor Network Under DDoS Pressure for 7 Months
    https://www.securityweek.com/tor-network-under-ddos-pressure-for-7-months/

    For the past seven months, the Tor network has been hit with numerous DDoS attacks, some impacting availability.

    For the past seven months, the Tor anonymity network has been hit with numerous distributed denial-of-service (DDoS) attacks, its maintainers announced this week.

    Some of the attacks have been severe enough to prevent users from loading pages or accessing onion services, the Tor Project says.

    Publicly released in 2003, Tor directs traffic through a global network of more than 7,000 relays, to help users maintain anonymity and protect their privacy while navigating the web. Despite its legitimate purpose, Tor has also been used for illegal activities.

    Attacks against Tor are not new, with many of them seeking to deanonymize users. In DDoS attacks, the target is flooded with rogue network traffic originating from multiple different sources in an effort to disrupt the target service by depleting resources.

    According to the Tor Project, despite its efforts to mitigate the impact of the experienced DDoS attacks, continuous shifts in methods are making the task difficult.

    Reply
  41. Tomi Engdahl says:

    Malware & Threats
    A Deep Dive Into the Growing GootLoader Threat
    https://www.securityweek.com/a-deep-dive-into-the-growing-gootloader-threat/

    Cybereason classifies GootLoader as a ‘severe’ threat, as the malware uses a combination of evasion and living off the land techniques, making its presence difficult to detect.

    GootLoader was born from GootKit, a banking trojan that first appeared around 2014. In recent years GootKit has evolved into a sophisticated and evasive loader — and it was given a new name to reflect its new purpose in 2021. The same group is responsible for both versions of the malware, and is monitored by Mandiant as UNC2565.

    Reply
  42. Tomi Engdahl says:

    Lessons From the Cold War: How Quality Trumps Quantity in Cybersecurity
    https://www.darkreading.com/vulnerabilities-threats/lessons-from-the-cold-war-how-quality-trumps-quantity-in-cybersecurity

    High-quality tools and standards remain critical components in cybersecurity efforts even as budgets decline. It’s important that staff knows response procedures and their roles, and also communicates well.

    Reply
  43. Tomi Engdahl says:

    76% of vulnerabilities are OWASP Top 10

    A recent Forrester report reaffirms that “applications remain the most common attack vector.” The Synopsys Cybersecurity Research Center (CyRC) published a report that digs into the latest AppSec trends.

    Reply
  44. Tomi Engdahl says:

    Ransomware review: February 2023
    https://www.malwarebytes.com/blog/business/2023/02/ransomware-in-february-2023
    This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom. LockBit started off the new year just as it ended the last one, topping the charts once again as January’s most prolific ransomware-as-a-service (RaaS). The Hive ransomware group meanwhile found itself shut down by the FBI. It’s not all old news for LockBit, however: last month the gang was seen using a new Conti-based encryptor named ‘LockBit Green’.
    This latest ransomware version, the third from the gang after LockBit Red and LockBit Black, shares 89% of its code with Conti v3 ransomware and has already been used to attack at least five victims.

    Reply
  45. Tomi Engdahl says:

    Screentime: Sometimes It Feels Like Somebody’s Watching Me
    https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
    Since October 2022 and continuing into January 2023, Proofpoint has observed a cluster of evolving financially motivated activity which we are referring to as “Screentime”. The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter. In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer. Proofpoint is tracking this activity under threat actor designation TA866. Proofpoint assesses that TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes.

    Reply
  46. Tomi Engdahl says:

    Using Geotargeting to Customize Phishing
    https://www.avanan.com/blog/using-geotargeting-to-customize-phishing
    In a global marketplace, the ability to geotarget is huge.
    Essentially, it means that businesses can tailor their advertising to the recipient’s location. Someone in New York may get a different ad than someone in France. That makes the ads more valuable for businesses and more personalized for consumers. There’s another group of people who want to personalize their offerings: hackers. This allows hackers to send one message to different people across the globe, providing geo-specific phishing content. This allows the threat actors to send custom phishing by language and region to their intended target.

    Reply
