Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas of my own about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any plain HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version; if a secure version isn’t available, an on-screen warning asks whether you want to continue. As HTTPS has become the norm across the web, Google Chrome is preparing a security option that will block “insecure” downloads served over HTTP.

Malvertising: Cybercriminals will keep impersonating brands through search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. The criminals purchase ads that appear at the very top of search results, often purporting to link to a legitimate company’s website. Anyone clicking the link is instead taken to a lookalike page that may appear identical but is designed to phish for login credentials and financial details, or to trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. Most cyber attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools; one report finds that over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report found its top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not detect most malware at the network level. Hopefully you at least have endpoint protection in place for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application tested had at least one vulnerability or misconfiguration that affected security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023, because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will remain worthwhile to try reviving known vulnerabilities before looking for novel ones. Many companies do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also developed: approximately 50% of the 0-days observed in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has brought ever-increasing cyberattacks that target businesses, governments and individuals alike. Lack of knowledge, neglected maintenance of employees’ skills and indifference are the biggest obstacles to developing many companies’ cyber security. Security screening and limiting who has access to your data are both important aspects of personnel security, but they will only get you so far.

Cloud: At a hyperscale cloud provider there can be several thousand people, working around the globe, who could potentially access your data. Screening and access limitation alone still leave a significant risk of malicious or accidental access. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks put your organization at risk in 2023. Multi-factor auth fatigue is real. In an MFA fatigue attack a cybercriminal who already holds a user’s password tries to get into a corporate network by bombarding that user with MFA push prompts until they finally accept one. The attempt can succeed, especially when the target is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a serious threat because it bypasses one of the most effective security measures we have.
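The attack leaves a very recognisable trace in identity-provider logs: a burst of push prompts to one user in a short window, with the dangerous case being an approval at the end of the burst. The detector below is an added example, not code from the page or from the cited articles. The log format is constructed for the example; real identity providers record the same facts under their own field names, so `parse()` is the part you would adapt, and the threshold of five prompts in ten minutes is this example’s assumption.

```python
"""Detect MFA push-bombing (MFA fatigue) in an authentication log.

Added example. The log format below is constructed for the example; real
identity providers log the same facts under their own field names, so the
parse() function is the part you would adapt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: "<UTC timestamp> <user> <push result>".
# bob is being bombarded and finally approves; carol's two prompts are
# hours apart and legitimate.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z alice approved
2023-01-10T08:02:11Z bob denied
2023-01-10T08:02:40Z bob denied
2023-01-10T08:03:05Z bob denied
2023-01-10T08:03:31Z bob denied
2023-01-10T08:04:02Z bob denied
2023-01-10T08:04:45Z bob approved
2023-01-10T09:15:00Z carol denied
2023-01-10T14:30:00Z carol approved
"""

Event = Tuple[datetime, str, str]


def parse(log: str) -> List[Event]:
    """Turn the raw log into (timestamp, user, result) tuples."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(
    log: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)
) -> Dict[str, Dict[str, object]]:
    """Return, per affected user, the size of the largest prompt burst and
    whether an approval happened while the burst was still in the window.

    A user who approves after a burst of denials is the case to page on:
    the attacker most likely holds valid credentials and now has a session.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, Dict[str, object]] = {}

    for ts, user, result in sorted(parse(log)):
        prompts = recent[user]
        prompts.append(ts)
        # Slide the window: drop prompts older than `window` before this one.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if len(prompts) >= threshold:
            alert = alerts.setdefault(
                user, {"prompts_in_window": 0, "approved_after_burst": False}
            )
            alert["prompts_in_window"] = max(alert["prompts_in_window"], len(prompts))
            if result == "approved":
                alert["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_LOG).items():
        severity = "CRITICAL" if info["approved_after_burst"] else "warning"
        print(f"{severity}: {user} received {info['prompts_in_window']} MFA prompts "
              f"within 10 minutes")
```

On the sample, only bob trips the rule (six prompts in the window, ending in an approval); carol’s two prompts fall outside the window and alice is never flagged. Tune the threshold to your own baseline of legitimate retries before alerting on it.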

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in a password can make it harder for cyber criminals to use it if it leaks for some reason: a comma in a password can garble comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords. Note that this only trips up careless tooling; a CSV parser that handles quoted fields correctly is unaffected, so treat it as a nuisance for the attacker rather than real protection.

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity. Its successor, Network and Information Security 2 (NIS2), with rules requiring EU countries to meet stricter supervisory and enforcement measures and to harmonise their sanctions, was approved by MEPs in late 2022 and will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. They also cover so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors will fall under the legislation. The original NIS Directive has already affected operators’ cybersecurity budgets over the past year, with deep-dives into the Energy and Health sectors; see Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. The cybersecurity community has since treated the CPGs as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT in their cybersecurity strategy and keep their focus solely on IT systems. In the critical infrastructure sectors especially, overlooking OT poses serious risks to all operations, which is why the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing than office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is close to an optimal security practice in 2023. It is good for new systems whose architecture suits the model, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal argues that the zero trust model starts to erode when the resources of two corporations need to play together nicely: federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head and evaluate network interactions in terms of risk. That’s where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this, securely automating the exchange of a user identity between cloud applications, diverse networks and service providers.

Poor software: A lot of poor software will be in use in 2023, and it will cost a lot of money. Poor software costs the US $2.4 trillion: cyberattacks exploiting existing vulnerabilities, complex issues in the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A Microsoft Edge update will permanently disable the Internet Explorer 11 desktop browser on some Windows 10 systems in February: “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta: Google is letting businesses try it out, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many other Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys unlock with the device’s own user verification (biometrics or a PIN) and are meant to replace passwords, which are easily compromised. They are usable cross-platform with both applications and websites, and offer the same experience as password autofill while providing passwordless authentication. A passkey is unique to one site, so it cannot be reused elsewhere; it does not leak in server breaches, because the server holds only the public key; and it protects users from phishing, because it is bound to the site’s origin. Passkeys are only available on websites that support them via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and cyberspace in 2023. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater: a cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: The AWS Elastic IP Transfer feature gives cyberattackers free range. Threat actors who take over a victim’s cloud account can steal data, or use the account for command-and-control, phishing, denial of service or other attacks; with Elastic IP transfer they can also move the victim’s trusted public IP addresses into an account they control.
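If your trail is centralised, the matching detective control is a simple rule over CloudTrail: any Elastic IP transfer that targets an account outside your organisation deserves a ticket. The script below is an added example, not from the page or the cited article. The account IDs, allocation IDs and addresses are constructed; the event name EnableAddressTransfer and the camelCase requestParameters keys follow the EC2 API as CloudTrail records it, but treat them as assumptions to verify against your own trail before relying on the rule.

```python
"""Flag Elastic IP transfers leaving the organisation in CloudTrail records.

Added example, not from the page or the cited article. Account IDs,
allocation IDs and IP addresses are constructed. The event name
EnableAddressTransfer and the camelCase requestParameters keys follow the
EC2 API as recorded by CloudTrail; verify them against your own trail.
"""
import json
from typing import Dict, List, Set

# Hypothetical set of account IDs that belong to our AWS Organization.
ORG_ACCOUNTS: Set[str] = {"111111111111", "222222222222"}

# Constructed CloudTrail records: one routine describe call, one legitimate
# transfer between two of our accounts, one transfer to an unknown account.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-01-05T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeAddresses", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {}},
    {"eventTime": "2023-01-05T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {"allocationId": "eipalloc-0aaa1111bbbb2222c",
                           "transferAccountId": "222222222222"}},
    {"eventTime": "2023-01-05T23:41:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"allocationId": "eipalloc-0ddd3333eeee4444f",
                           "transferAccountId": "999999999999"}},
]})


def suspicious_transfers(trail_json: str,
                         org_accounts: Set[str] = ORG_ACCOUNTS) -> List[Dict[str, str]]:
    """Return one finding per EIP transfer initiated towards an account
    outside `org_accounts`. Transfers between our own accounts pass."""
    findings: List[Dict[str, str]] = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "EnableAddressTransfer":
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("transferAccountId", "")
        if target in org_accounts:
            continue  # intra-org move, expected during migrations
        findings.append({
            "time": rec["eventTime"],
            "actor": rec["userIdentity"]["arn"],
            "source_ip": rec.get("sourceIPAddress", ""),
            "allocation_id": params.get("allocationId", ""),
            "target_account": target,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_transfers(SAMPLE_TRAIL):
        print(f"ALERT {f['time']}: {f['actor']} from {f['source_ip']} moved "
              f"{f['allocation_id']} to foreign account {f['target_account']}")
```

The preventive counterpart is an IAM or SCP deny on the `ec2:EnableAddressTransfer` action for everyone except a break-glass role (action name assumed to match the API); the detective rule above then only has to catch the break-glass path being abused.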

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. Secret scanning helps developers and organizations identify exposed secrets and credentials in their code; in 2022 it identified 1.7 million potential secrets exposed in public repositories. The feature is now free for all public repositories, to prevent secret exposures and secure the open source ecosystem. With secret scanning alerts you can track and act on leaked secrets directly within GitHub.
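Secret scanning is pattern matching over source text, and you can run a reduced version of it yourself as a pre-commit hook so the secret never reaches a public repository in the first place. The scanner below is an added example, not GitHub’s code or its pattern set. The token shapes are well-documented public formats (AWS access key IDs, classic GitHub personal access tokens, PEM private key headers) plus one generic “secret = '…'” heuristic; the sample file is constructed and uses the example access key from AWS’s own documentation.

```python
"""Scan source text for leaked credentials, pre-commit style.

Added example. The token shapes are well-documented public formats (AWS
access key IDs, GitHub personal access tokens, PEM private keys) plus one
generic "secret = '...'" heuristic; none of this is GitHub's own pattern
set. The sample file is constructed and uses AWS's documentation example key.
"""
import re
from typing import List, Tuple

PATTERNS = {
    # AKIA = long-term key, ASIA = temporary STS key; 16 upper-case/digit chars follow.
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Classic GitHub PATs: ghp_ followed by 36 alphanumerics.
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Any PEM private key header, whatever the key type.
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # Heuristic: a secret-looking name assigned a quoted literal of 16+ chars.
    "generic-assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret|password|passwd|token)[a-z0-9_]*\s*[:=]\s*['"]([^'"]{16,})['"]"""
    ),
}

# Constructed sample source file.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_" + "x" * 36   # assembled at runtime, so the PAT pattern misses it
PASSWORD = "changeme"              # too short for the generic heuristic
-----BEGIN RSA PRIVATE KEY-----
"""


def redact(secret: str, keep: int = 4) -> str:
    """Keep a few characters at each end so the hit can be recognised in a report."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern name, redacted secret) for every hit."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group report only the value, not the name.
                secret = match.group(match.lastindex or 0)
                hits.append((lineno, name, redact(secret)))
    return hits


def has_secrets(text: str) -> bool:
    """Pre-commit style verdict: True means the commit should be refused."""
    return bool(scan(text))


if __name__ == "__main__":
    for lineno, name, shown in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {shown}")
```

The sample shows both the value and the limits of the approach: the AWS key, the secret access key and the PEM header are caught, while a token assembled at runtime and a short password are not. That is why a local scanner complements, rather than replaces, the server-side scan GitHub runs on what actually gets pushed.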

Data destruction: We must develop a cloud-compatible way of performing data destruction that meets security standards. Perhaps cloud providers can offer a service for this, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and plenty of companies would be eager to pay for such a service if appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard brings a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, meaning security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. That changes with PCI DSS 4.0: many of its new requirements focus on client-side security.

SHA-1: NIST is retiring the SHA-1 cryptographic algorithm: not fully in 2023, but it has started preparations for the phase-out. The venerable cryptographic hash function has weaknesses that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the computing capabilities of today’s systems can attack the algorithm with a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standards, and NIST has announced that it should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 families. NIST recommends that IT professionals start replacing the 27-year-old SHA-1 with newer, more secure algorithms now. Because SHA-1 is the foundation of numerous security applications, the phase-out will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already moved away from SHA-1, and certificate authorities stopped issuing certificates signed with SHA-1 on January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers -Amazon Web Services (AWS), Microsoft Azure and Google Cloud- of course offer security features and services, which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. Ethical hackers help countless businesses and individuals improve their security posture and reduce the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds cloud applications and infrastructure together, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration and a third have coped with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, yet more than three-quarters (77%) are confident they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (AI) to transform what’s possible in their operations. But with great promise comes great responsibility, and a growing imperative for monitoring and governance: “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital assets like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. 2022 already showed many cryptocurrency-related risks being realized. Expect more “crypto travel rules” to be enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance may become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now increasingly name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure, and there is growing concern among industry executives about large-scale attacks. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more of the losses. Some policies already written in the market carry an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow; recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka (Expert advises using a comma in your password – there is a clever logic behind it)

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Yritysten kyberturvassa edelleen isoja aukkoja – Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta (Companies’ cyber security still has big gaps – expert: it is even a question of national security)

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset (NIS2 approved – stricter cyber security requirements for EU countries)

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldn’t Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

Kyberturvan ammattilaisista on huutava pula (There is an acute shortage of cyber security professionals)

Is Enterprise VPN on Life Support or Ripe for Reinvention?


1,768 Comments

  1. Tomi Engdahl says:

    ESET Threat Report T3 2022
    https://www.welivesecurity.com/2023/02/08/eset-threat-report-t3-2022/
    In 2022, an unprovoked and unjustified attack on Ukraine shocked the world, bringing devastating effects on the country and its population.
    The war continues to impact everything from energy prices and inflation to cyberspace, which ESET researchers and analysts have monitored extensively throughout the year. Among the effects seen in cyberspace, the ransomware scene experienced some of the biggest shifts. From the beginning of the invasion, we’ve seen a divide among ransomware operators, with some supporting and others opposing this aggression. The attackers have also been using increasingly destructive tactics, such as deploying wipers that mimic ransomware and encrypt the victims’ data with no intention of providing the decryption key.

  2. Tomi Engdahl says:

    Beyond Buzzwords: How Organizations Can Prove Real Cyber Resilience https://www.forbes.com/sites/jameshadley/2023/02/08/beyond-buzzwords-how-organizations-can-prove-real-cyber-resilience/
    Attackers continue to make headlines with high-profile attacks. Yum! Brands, owner of fast-food restaurants like Taco Bell, KFC, and Pizza Hut, was forced to shut down almost 300 restaurants after an attack.
    The Royal Mail suspended overseas services after a breach compromised its international export systems. And T-Mobile announced it was breached again, this time by an attack that resulted in exposure of personal data from 37 million customers. As threat actors increasingly target people in their efforts to breach organizations, the conversation around cyber resilience continues to gain momentum. The topic dominated the conversation at Davos, and recent research indicates nearly all executives view building resilience as a high priority.

  3. Tomi Engdahl says:

    Cybercrime Gang Uses Screenlogger to Identify High-Value Targets in US, Germany
    https://www.securityweek.com/cybercrime-gang-uses-screenlogger-to-identify-high-value-targets-in-us-germany/

    Russia-linked financially motivated threat actor TA866 targeting companies with custom malware, including a screenlogger, a bot, and an information stealer

    A recently identified financially motivated threat actor is targeting companies in the United States and Germany with custom malware, including a screenlogger it uses for reconnaissance, Proofpoint reports.

    Tracked as TA866, the adversary appears to have started the infection campaign in October 2022, with the activity continuing into January 2023.

    As part of the campaign, which Proofpoint refers to as Screentime, victims are targeted with malicious emails containing an attachment or a URL that leads to the deployment of malware. In some cases, based on the attacker’s assessment of the victim, post-exploitation activity may commence.

    Screentime: Sometimes It Feels Like Somebody’s Watching Me
    https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

    Key Findings

    Proofpoint began tracking a new threat actor, TA866.
    Proofpoint researchers first observed campaigns in October 2022 and activity has continued into 2023.
    The activity appears to be financially motivated, largely targeting organizations in the United States and Germany.
    With its custom toolset including WasabiSeed and Screenshotter, TA866 analyzes victim activity via screenshots before installing a bot and stealer.

    Since October 2022 and continuing into January 2023, Proofpoint has observed a cluster of evolving financially motivated activity which we are referring to as “Screentime”. The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter. In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer.

    Proofpoint is tracking this activity under threat actor designation TA866. Proofpoint assesses that TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes.

  4. Tomi Engdahl says:

    Chainalysis:
    Analysis: darknet markets made $1.5B in revenue in 2022, down from $3.1B in 2021, led by Hydra Market, despite being shut down by German police in April 2022

    How Darknet Markets and Fraud Shops Fought for Users In the Wake of Hydra’s Collapse
    https://blog.chainalysis.com/reports/how-darknet-markets-fought-for-users-in-wake-of-hydra-collapse-2022/

    2022 saw a decline in revenue from the previous year for darknet markets and fraud shops. Total darknet market revenue for 2022 ended at $1.5 billion, down from $3.1 billion in 2021.

  5. Tomi Engdahl says:

    Kolme neljästä sovelluksesta sisältä virheitä
    https://etn.fi/index.php/13-news/14581-kolme-neljaestae-sovelluksesta-sisaeltae-virheitae

    Veracode, a developer of application coding tools, has studied the number of code errors both in applications in general and in code written in different languages. On average, some kind of error is found in 74 percent of applications.

    Of course, not all bugs are critical. Veracode has classified the severity of errors into four groups. What is worrying is that 19.2 percent of applications, i.e. every fifth one, contain an error that is a high-level critical security problem.

    Critical errors, i.e. those that fall under the OWASP Top 10 ranking, are also found in 69.7 percent of application code. The figure is admittedly worrying.

    Veracode also listed the bug counts for JavaScript, Java and .NET code, and perhaps somewhat surprisingly, JavaScript has the fewest problems. While 82.2 percent of .NET code contains errors, the figure for JavaScript is “only” 55.8 percent.

    State of Software Security 2023
    https://info.veracode.com/report-state-of-software-security-2023.html

  6. Tomi Engdahl says:

    How to deploy the Zeek Network Security Monitor on Ubuntu Server 22.04
    https://www.techrepublic.com/article/zeek-net/

    Looking for a powerful and free network security monitor? Look no further than the open source Zeek.

    Zeek is a command-line network security monitoring tool that can be installed on a server in either your local data center or a third-party cloud host. Zeek monitors and records a number of different data points, such as connections, packets received and sent, and TCP session attributes. With this tool, you can trace events across your network to better ensure its security.

  7. Tomi Engdahl says:

    Hackers sometimes rely on Google dorking to hunt for sensitive information like usernames, log files, etc. Learn all about it to keep your site safe.

    What Is Google Dorking and How Hackers Use It to Hack Websites
    https://www.makeuseof.com/google-dorking-how-hackers-use-it/?utm_term=Autofeed&utm_campaign=Echobox-MUO&utm_medium=Social-Distribution&utm_source=Facebook#Echobox=1676068101

    Google is the encyclopedia of the internet that carries the answer to all your questions and curiosity. After all, it is just a web index to find images, articles, and videos, right?

    Well, if you think so, you are turning a blind eye to the untapped potential of the behemoth search engine’s crawling capabilities. This side of Google is lesser-known to the average user but propelled effectively by bad actors to hijack websites and steal sensitive data from companies.

    What Is Google Dorking?
    Google dorking or Google hacking is the technique of feeding advanced search queries into the Google search engine to hunt for sensitive data such as username, password, log files, etc., of websites that Google is indexing due to site misconfiguration. This data is publicly visible and, in some cases, downloadable.

    A regular Google search involves a seed keyword, sentence, or question. But, in Google dorking, an attacker uses special operators to enhance search and dictate the web crawler to snipe for very specific files or directories on the internet. In most cases, they are log files or website misconfigurations.

    How Hackers Use Google Dorking to Hack Websites
    Google dorking involves using special parameters and search operators called “dorks” to narrow down search results and hunt for exposed sensitive data and security loopholes in websites.

    The parameters and operators direct the crawler to look for specific file types in any specified URL. The search results of the query include but are not limited to:

    Open FTP servers.
    A company’s internal documents.
    Accessible IP cameras.
    Government documents.
    Server log files containing passwords and other sensitive data that can be leveraged to infiltrate or disrupt an organization.

    Is Google Dorking Illegal?
    While it may seem intimidating, Google dorking will not land you behind bars, given you are only using it to refine your search results and not infiltrate an organization.

    It is a necessary evil and, in fact, an encouraged practice amongst power users. Keep in mind that Google is tracking your searches all the time, so if you access sensitive data or search with malicious intent, Google will flag you as a threat actor.

    In case you are carrying out a pen test or hunting for bug bounty, ensure that you are fully authorized and backed by the organization. Otherwise, if you get caught, things can take a turn for the worse, and one can even slap you with a lawsuit.

    As a webmaster, you have to set up specific defensive countermeasures to tackle Google Dorking. A very straightforward approach would be to add a robots.txt file and disallow access to all sensitive directories. This will keep search engine crawlers from indexing sensitive files, directories, and URLs as you list them.

    Adding a robots.txt file to the root directory is a general good practice and essential for the overall security of your website.

  8. Tomi Engdahl says:

    https://www.facebook.com/groups/2600net/permalink/3541342702755496/

    Most home routers have a built-in VPN server which you can enable. This allows you to connect to your home network from anywhere and use services like Netflix as if you were at home. This will also bypass the requirement to check in from your home network once a month when it is implemented. Because it’s using a residential IP and not a data center like a commercial VPN, Netflix cannot detect it.

    Here are instructions for the most popular router brands:

    Netgear: [https://kb.netgear.com/23854/How-do-I-use-the-VPN-service-on-my-Nighthawk-router-with-my-Windows-client](https://kb.netgear.com/23854/How-do-I-use-the-VPN-service-on-my-Nighthawk-router-with-my-Windows-client)

    Asus: [https://www.asus.com/support/FAQ/1008713/](https://www.asus.com/support/FAQ/1008713/)

    TP-Link: [https://www.tp-link.com/us/support/faq/1544/](https://www.tp-link.com/us/support/faq/1544/)

    To connect to the server, you will need to download the OpenVPN client on your phone/laptop:

    [https://openvpn.net/vpn-client/](https://openvpn.net/vpn-client/)

    One thing to keep in mind is that the speed of the VPN will be limited by the upload speed of your home network. Most cable internet connections have very limited upload speed, but it should be enough to stream video. If you have a fiber connection it will be much faster.

  9. Tomi Engdahl says:

    Louise Matsakis / Semafor:
    Sources: TikTok’s Internal Audit team that spied on journalists had wide investigative powers with little oversight; ByteDance says it’s restructuring the team

    https://www.semafor.com/article/02/09/2023/tiktok-team-accused-of-spying-on-journalists-had-history-of-employee-complaints

  10. Tomi Engdahl says:

    A new guideline promotes the cybersecurity of local mobile networks https://www.huoltovarmuuskeskus.fi/a/uusi-ohje-edistaa-paikallisten-matkaviestinverkkojen-kyberturvallisuutta
    5G technology offers more versatile and more efficient solutions for implementing local networks. At the same time, it brings new kinds of risks and requires a new type of expertise, which is emphasised in a changing operating environment. What must organisations take into account when planning and building local 5G mobile networks? What special characteristics, cyber threats and risks are associated with these networks? What obligations does regulation place on the organisations implementing them? A new guideline produced by Traficom's National Cyber Security Centre (KTK) provides information on these and other questions.

  11. Tomi Engdahl says:

    Kotka promotes comprehensive security: Mikko Kiviharju appointed professor of practice in cybersecurity https://www.epressi.com/tiedotteet/koulutus/kotkassa-edistetaan-kokonaisturvallisuutta-mikko-kiviharju-kyberturvallisuuden-tyoelamaprofessoriksi.html
    Under the agreement, the professor of practice will devote half of his working time to cooperation with South-Eastern Finland University of Applied Sciences (Xamk) and companies in the Kymenlaakso region. The professor of practice will deliver and develop cybersecurity teaching at Xamk and will be regularly present on the university's Kotka campus. Kiviharju will start in his new position at the beginning of May. Since 2003, Kiviharju has worked on cybersecurity and information security techniques in the information technology division of the Finnish Defence Research Agency, in recent years as head of the cryptographic systems research area. He received his doctorate from Aalto University in 2016. Kiviharju's main areas of expertise are information security and the application of cryptographic technologies in access control and in securing communications.

  12. Tomi Engdahl says:

    Non-standard smartphone wiretapping
    https://www.kaspersky.com/blog/non-standard-smartphone-wiretapping/47113/
    In late December 2022, a team of scientists from several US universities published a paper on wiretapping. The eavesdropping method they explore is rather unusual: words spoken by the person you're talking to on your smartphone, reproduced through your phone's speaker, can be picked up by a built-in sensor known as the accelerometer. At first glance, this approach doesn't seem to make sense: why not just intercept the audio signal itself or the data? The fact is that modern smartphone operating systems do an excellent job of protecting phone conversations, and in any case most apps don't have permission to record sound during calls. But the accelerometer is freely accessible, which opens up new methods of surveillance. This is a type of side-channel attack, one that so far, fortunately, remains completely theoretical. But, over time, such research could make non-standard wiretapping a reality.

  13. Tomi Engdahl says:

    Dallas Central Appraisal District paid $170,000 to ransomware attackers https://www.bitdefender.com/blog/hotforsecurity/dallas-central-appraisal-district-paid-170-000-to-ransomware-attackers/
    A Dallas state agency has admitted to paying $170,000 to hackers after it suffered a ransomware attack. The Dallas Central Appraisal District (DCAD), which determines the value of all of the county's real and personal property for taxation purposes, publicly disclosed that it had been hacked on November 8, 2022. The agency had fallen foul of a ransomware attack that disrupted all of its computer systems and knocked its website offline for over two months. Dallas County Chief Appraiser Ken Nolan told reporters that it was likely that the attack managed to infiltrate the organisation after an employee was tricked by a phishing email.

  14. Tomi Engdahl says:

    Good, Perfect, Best: how the analyst can enhance penetration testing results https://securelist.com/how-the-analyst-can-enhance-pentest/108652/
    Penetration testing is something that many (of those who know what a pentest is) see as a search for weak spots and well-known vulnerabilities in clients' infrastructure, and a bunch of copied-and-pasted recommendations on how to deal with the security holes thus discovered. In truth, it is not so simple, especially if you want a reliable test and useful results. While pentesters search for vulnerabilities and put a lot of effort into finding and demonstrating possible attack vectors, there is one more team member whose role remains unclear: the cybersecurity analyst. This professional takes a helicopter view of the target system to properly assess existing security holes and to offer the client a comprehensive picture of the penetration testing results combined with an action plan on how to mitigate the risks.

  15. Tomi Engdahl says:

    Obfuscated Deactivation of Script Block Logging
    https://isc.sans.edu/diary/Obfuscated+Deactivation+of+Script+Block+Logging/29538
    PowerShell has a great built-in feature called “Script Block Logging”[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That’s the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one. The obfuscation technique uses a “Collections.Generic.Dictionary” object. This type of collection represents a collection of keys and values.

  16. Tomi Engdahl says:

    Six Common Ways That Malware Strains Get Their Names https://securityintelligence.com/articles/six-ways-malware-strains-get-names/
    You're likely familiar with the names of common malware strains such as MOUSEISLAND, Agent Tesla and TrickBot. But do you know how new malware threats get their names? As a cybersecurity writer, I quickly add new strains to my vocabulary. But I never knew how they came to have those names in the first place. After writing numerous articles on malware, I decided to dig deep into the naming conventions to shed some light on that question. As it turns out, a name can tell you a lot about the malware itself, but it can also sow some confusion.

  17. Tomi Engdahl says:

    Using Trend Analysis to Operationalize OT Threat Intelligence with Neighborhood Keeper https://www.dragos.com/blog/using-trend-analysis-to-operationalize-ot-threat-intelligence-with-neighborhood-keeper/
    First and foremost, the trends available within Neighborhood Keeper's data are useful for contextualizing events observed within your organization's environment. In practice, this means looking at common or trending detections in your own environment and comparing them with the detection data available in Neighborhood Keeper. A potential example of this may be a new detection that is trending within your environment. As an initial investigatory step, you can investigate if the same detection is trending within the Neighborhood Keeper data.

  18. Tomi Engdahl says:

    PCAP Data Analysis with Zeek
    https://isc.sans.edu/diary/PCAP+Data+Analysis+with+Zeek/29530
    Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot. First, we need to install a couple of tools to process the PCAP data. I started with a fully updated Ubuntu 22.04.1 LTS desktop.

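    Both the Zeek deployment note earlier in this thread and the PCAP walkthrough above end up at Zeek's conn.log, a tab-separated file whose `#fields` line names the columns. The following added example (not code from the SANS diary or from the Zeek project) parses such a file and summarises honeypot-style traffic per source host; the log lines, addresses and uids are constructed for illustration.

```python
"""Parse Zeek's conn.log (what `zeek -r capture.pcap` writes) and summarise it
per source host, the way an analyst triaging honeypot traffic would.

Added example, not code from the SANS diary or the Zeek project. The log
below is constructed to match Zeek's TSV layout; the addresses and uids
are made up.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: Zeek's header directives, then four connection records.
# '-' marks an unset field (no service identified, handshake never completed).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tcount\tcount\tstring\tstring\n"
    "1676000000.1\tC1a\t198.51.100.7\t51000\t192.0.2.10\t22\ttcp\tssh"
    "\t12.5\t2100\t3400\tSF\tShAdDaFf\n"
    "1676000001.2\tC1b\t198.51.100.7\t51001\t192.0.2.10\t23\ttcp\t-"
    "\t-\t-\t-\tS0\tS\n"
    "1676000002.3\tC1c\t198.51.100.7\t51002\t192.0.2.10\t445\ttcp\t-"
    "\t0.2\t0\t0\tREJ\tSr\n"
    "1676000003.4\tC2a\t203.0.113.5\t40000\t192.0.2.10\t80\ttcp\thttp"
    "\t0.9\t500\t12000\tSF\tShADadFf\n"
    "#close\t2023-02-10-12-00-05\n"
)

# conn_state values that mean the responder never completed a handshake.
NO_HANDSHAKE = {"S0", "REJ", "RSTOS0"}


def parse_conn_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per record, keyed by the names in the #fields line.
    Zeek's unset marker '-' becomes None and '(empty)' becomes ''."""
    fields: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other directives (#types, #close, ...) carry no data
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError(f"record does not match #fields: {line!r}")
        rec: Dict[str, Optional[str]] = {}
        for name, val in zip(fields, values):
            rec[name] = None if val == "-" else ("" if val == "(empty)" else val)
        records.append(rec)
    return records


def summarise_by_origin(records) -> Dict[str, Dict[str, int]]:
    """Per source host: connections, distinct responder ports, connections
    with no handshake, and bytes the host sent (unset byte counts count as 0)."""
    acc = defaultdict(lambda: {"conns": 0, "ports": set(), "no_handshake": 0,
                               "orig_bytes": 0})
    for r in records:
        s = acc[r["id.orig_h"]]
        s["conns"] += 1
        s["ports"].add(int(r["id.resp_p"]))
        if r["conn_state"] in NO_HANDSHAKE:
            s["no_handshake"] += 1
        if r["orig_bytes"] is not None:
            s["orig_bytes"] += int(r["orig_bytes"])
    return {
        host: {"conns": s["conns"], "distinct_ports": len(s["ports"]),
               "no_handshake": s["no_handshake"], "orig_bytes": s["orig_bytes"]}
        for host, s in acc.items()
    }


def probable_scanners(summary, min_ports: int = 3) -> List[str]:
    """Hosts that touched many distinct ports and mostly never completed a
    handshake; the thresholds are illustrative, tune them for your own traffic."""
    return sorted(
        host for host, s in summary.items()
        if s["distinct_ports"] >= min_ports and s["no_handshake"] * 2 >= s["conns"]
    )


if __name__ == "__main__":
    summary = summarise_by_origin(parse_conn_log(SAMPLE_CONN_LOG))
    for host, s in summary.items():
        print(host, s)
    print("probable scanners:", probable_scanners(summary))
```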
  19. Tomi Engdahl says:

    Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022: Report
    https://www.securityweek.com/siemens-drives-rise-in-ics-vulnerabilities-discovered-in-2022-report/
    The number of vulnerabilities discovered in industrial control systems (ICS) continues to increase, and many of them have a critical or high severity rating, according to a new report from industrial cybersecurity firm SynSaber. The report compares the number of ICS and ICS medical advisories published by CISA between 2020 and 2022. While the number of advisories was roughly the same in 2021 and 2022, at 350, the number of vulnerabilities discovered last year reached 1,342, compared to 1,191 in the previous year. The number of vulnerabilities rated critical has increased even more significantly, from 186 in 2021 to nearly 300 in 2022. In total, nearly 1,000 vulnerabilities are critical or high severity based on their CVSS score.

  20. Tomi Engdahl says:

    Android mobile devices from top vendors in China have pre-installed malware https://securityaffairs.com/141989/malware/android-mobile-devices-china-malware.html
    China is currently the country with the largest number of Android mobile devices, but a recent study conducted by researchers from the University of Edinburgh and Trinity College Dublin revealed that top-of-the-line Android devices sold in the country are shipped with spyware. The boffins used static and dynamic code analysis techniques to study the data transmitted by the preinstalled system.
    The experts discovered several system, vendor and third-party apps with dangerous privileges.

  22. Tomi Engdahl says:

    Application Security Protection for the Masses
    https://www.securityweek.com/application-security-protection-for-the-masses/
    While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in a self-service manner are becoming increasingly popular.
    While not an exhaustive list, here are some thoughts:
    • App Proxy: Putting a proxy in front of applications is perhaps one of the most basic application security requirements, and for good reason. Having an intermediary allows us to inspect and monitor traffic going to and from the application, as well as to block or filter as necessary for security purposes.
    • Rate Limiting and Fast Access Control Lists (ACLs): Flooding a site is an old standby of attackers. It is a primitive, yet effective tactic. Rate limiting is a relatively straightforward way to prevent this type of attack. Similarly, fast-performing Access Control Lists (ACLs) are another effective way to keep unwanted traffic at bay.
    • Path Discovery: Applying machine learning (ML) to traffic transiting the environment allows us to track the rate of requests, the identity of clients accessing applications, the size of the payloads being sent, and other important telemetry elements. Using ML allows us to identify and block nefarious traffic before it becomes a more serious issue – often in minutes as opposed to hours.
    • Web Application Firewall: WAF has become a required technology for application providers and should be included as a part of any application security bundle.
    • L3/L4/L7 DDoS: DDoS protection has also become a requirement for application providers and should also be included as part of any application security bundle.
    • Bot Defense: Advanced bots that know how to get around the defenses listed above can cause application providers monetary loss and reputation damage. As such, bot defense should also be included as part of an application security bundle.
    • Auto-Certificates: Speed of deploying applications is essential for remaining competitive, as is speed of protecting those applications. The ability to auto-issue certificates and to auto-register DNS for resources saves time, allowing application providers to go from no protection to full protection in a matter of minutes.
    • Malicious User Detection: Another great application for machine learning (ML) is quickly understanding which users and patterns appear to be behaving maliciously. This is something that often takes application providers hours or days to identify. With ML, this can be done in minutes, allowing those application providers to quickly take action and block/mitigate.
    • Client-Side Defense: Visibility into the end-user environment is something many application providers lack. The ability to inspect how JavaScript is being called, where requests are going, and what third party scripts are being called gives important insight that is extremely helpful for application security purposes.
    • URI Routing: The ability to quickly and easily control where certain requests are routing gives application providers the ability to block/control specific endpoints (URIs). No application security solution would be complete without this important feature.
    • Service Policies: Quick and easy policy deployment is a must for application security. The ability to chain together service policies as needed based on requirements, along with the ability to generate custom rules for steering traffic or allowing/denying traffic beyond the capabilities of the other defensive capabilities is another essential part of the total application security package.
    • Synthetic Monitors: How are applications performing externally? What are my customers experiencing? These are important questions that synthetic monitors allow a business to answer, which can quickly identify any issues that might affect the application.
    • TLS Fingerprinting and Device Identification: While IP addresses change frequently, TLS fingerprints and device identifiers change much more rarely. Thus, basing policies and rules on them rather than IP address makes a lot of sense when it comes to application security.
    • Cross-Site Request Forgery Protection: Scripts that operate cross-site can cause serious problems for application providers. Thus mitigating the risk they present should be part of any application security bundle as well.

  23. Tomi Engdahl says:

    US, South Korea: Ransomware Attacks Fund North Korea’s Cyber Operations
    https://www.securityweek.com/us-south-korea-ransomware-attacks-fund-north-koreas-cyber-operations/

    The US and South Korea have issued a joint advisory on ransomware attacks on critical infrastructure funding North Korea’s malicious cyber activities.

  24. Tomi Engdahl says:

    What’s the Real Difference Between Cyber Deception and Honeypots?
    https://www.countercraftsec.com/blog/whats-real-difference-between-cyber-deception-and-honeypots/?utm_campaign=Low%20Scoring%20Leads&utm_medium=email&_hsmi=68082248&_hsenc=p2ANqtz-84qEMKIz-yV2CWDs5UXkL16mtpGdnhKmHptgz9DF15y3mSwDn_SQQSIvDvd3fm09UtR70YoTuI_d4zTQBNe-r4q2fv1lyzdttZbyHMCx-Nqdc8VUg&utm_content=68082248&utm_source=hs_automation

    Once, decades ago, honeypots were synonymous with deception techniques in the cyber world. These clever pieces of data or desirable information were used to lure attackers and influence, often in real time, their behavior.

    Honeypots were sacrificial dumb computers, or simple emulations of dumb computers, used to gather basic information about an attack. They opened the door to gathering attack data and telemetry, and inspired a generation of cyber defense pioneers. However, the initial enthusiasm for honeypots soon faded when it became obvious that maintaining a credible illusion capable of harvesting telemetry data from real threats was no easy task. In fact, security teams could barely manage and patch their main systems, not to mention worrying about ancillary “fake” systems that also needed care and attention. Honeypots became a tool rarely used outside academia. (If your house is on fire, you aren’t going to have time to create a fake house next door to see if the arsonist strikes there first. You are going to put out the fire.)

    Today, honeypots have evolved, and they still remain an important tool in the deception technology kit. However, deception technology has moved beyond the mere honeypot, and now has features that allow it to appear more credible, exfiltrate key data, and perform telemetry, and no longer in the tedious, manual manner of earlier honeypots.

    The fact is, however, that deception technology is still in its youth. Many high-level security professionals still mistakenly believe it's nothing more than a collection of honeypots. Mere numbers disprove this theory, as the global market for deception technology is projected to reach a staggering $4.6 billion by the year 2027. While it is true that both honeypots and deception are meant to trap, trick and mislead threat actors, the two concepts have some major differences.

    What Exactly is a Honeypot?

    A honeypot is, by definition, “a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems”. A honeypot should be enticing, as they are specially designed to attract adversaries.

    Speaking in more concrete terms, a honeypot can be anything from data and information to services or some other resource. The name itself clues us into the goal: to attract flies, aka undesired invaders, and trap them in a way that allows us to observe them and even halt their movement.

    Honeypots are most often designed to mimic likely targets of cyberattacks.

    The Deception Technology Triangle

    To work, deception technology must fulfill certain factors. Here at CounterCraft, we think of these three pillars as the deception technology triangle, a theory developed by Rich Munslow, CTO at the National Cyber Deception Lab.

    The three pillars necessary for effective deception technology are:

    – Credibility: Is it believable?
    – Instrumentation / Telemetry: Are you able to gather deep data about what people are doing on the system?
    – Data Exfiltration: Are you able to bring that data home without revealing yourself, so you can do something about it?

    Far Beyond Honeypots: The Future of Deception Technology

    The future of deception lies in a fourth axis on the deception triangle: the dynamic response. The deception triangle becomes three dimensional, as dynamic response capabilities allow you to shift and manipulate the environment to extract more information from your adversaries than they would normally leave.

    This is something a honeypot could never do.

  25. Tomi Engdahl says:

    The national risk assessment maps possible risks and supports preparedness https://www.huoltovarmuuskeskus.fi/a/kansallinen-riskiarvio-kartoittaa-mahdollisia-riskeja-ja-tukee-varautumista
    The Ministry of the Interior (SM) has published an updated national risk assessment.
    The previous risk assessment was published in 2018, since when there have been several changes in Finland's operating environment. The national risk assessment anticipates sudden events affecting Finland that would have an impact on the vital functions of society and that would require the authorities to take measures out of the ordinary, or even to request help from other countries. The National Emergency Supply Agency (HVK) has actively participated in the preparation of the national risk assessment.
    The national risk assessment describes changes in Finland's operating environment and the effects of these changes on various possible national threats and disruptions. Such risks include, for example, information influence activities, the use of military force, disruptions to energy supply, and threats related to health security.

  26. Tomi Engdahl says:

    Jamk prepared handbooks to support the cybersecurity of food production and distribution https://www.epressi.com/tiedotteet/hanketiedotteet/jamk-laati-kasikirjat-tukemaan-elintarviketuotannon-ja-jakelun-kyberturvallisuutta.html
    In the worst case, a wide-ranging cyberattack could affect Finland's food security. The handbooks give actors in the food chain concrete instructions for managing cyber incidents. Jyväskylä University of Applied Sciences has prepared three handbooks on managing cyber disruptions and a concise information package to support actors in the food chain. The target groups of the publications are those working in primary production, the food industry, and trade and distribution.
    With the help of the handbooks, actors in the sector can broaden their understanding of the importance of cybersecurity in their own operating environment.
    Current threats to the sector become familiar, and concrete instructions for managing cybersecurity are provided. “If the handbooks can help avoid even a single unnecessary cybercrime, they have fulfilled their purpose,” says project manager Elina Suni of the IT Institute at Jyväskylä University of Applied Sciences.

  27. Tomi Engdahl says:

    Confident cybersecurity means fewer headaches for SMBs https://www.welivesecurity.com/2023/02/13/confident-cybersecurity-fewer-headaches-smbs/
    While tech advancements have enabled small and medium businesses (SMBs) to grow their business and allowed them to evolve their operational models, cybersecurity risks and threats can cancel any progress that has been made so far. Underlying these is another serious obstacle: SMBs lacking confidence in managing cybersecurity.
    The lack of confidence manifests as a strong belief among SMBs that businesses of their sizes are more vulnerable to cyberattacks than are enterprises. They have good reason to be concerned about the loss of data, financial impacts, and a loss of customer confidence and trust.

  28. Tomi Engdahl says:

    Man-on-the-side peculiar attack
    https://www.kaspersky.com/blog/man-on-the-side/47125/
    There are attacks that everyone's heard of, like distributed denial-of-service (DDoS) attacks; there are those that mostly only professionals know about, such as man-in-the-middle (MitM) attacks; and then there are the rarer, more exotic ones, like man-on-the-side (MotS) attacks. In this post, we talk about the latter in more detail, and discuss how they differ from man-in-the-middle attacks. So, how does a man-on-the-side attack work? Basically, a client sends a request to a server via a compromised data-transfer channel. This channel isn't controlled by the cybercriminals, but it is listened to by them.

    OK, but how does a man-on-the-side attack work?

    A successful man-on-the-side attack makes it possible to send fake responses to various types of requests to the victim’s computer, and in this way to:

    Replace a file the user wanted to download. In 2022, for example, APT group LuoYu delivered WinDealer malware to devices of victims most of whom were diplomats, scientists, or entrepreneurs in China. A request was sent to the server to update legitimate software, but the attackers managed to send their own patch version, complete with malware;
    Run a malicious script on the device. According to the Electronic Frontier Foundation this is exactly how in 2015 the Chinese government tried to censor well-known open source community GitHub. The attackers used a man-on-the-side to deliver malicious JavaScript to browsers of unsuspecting users. As a result, these browsers refreshed GitHub pages over and over again. This DDoS attack lasted more than five days and significantly hampered the service;
    Redirect the victim to the website.

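    The race described above, as an added example that is not part of the Kaspersky post: an in-memory model in which an attacker who can only listen and inject wins the race on a plain channel, while a client that verifies an authentication tag (an HMAC standing in for TLS record protection, with a constructed shared key) discards the forged reply and waits for the genuine one. The request id, message bodies and key are all constructed for illustration.

```python
"""Toy model of a man-on-the-side (MotS) race and of why an authenticated
transport defeats it.

Added example, not code from the Kaspersky post. The "network" is an
in-memory list ordered by arrival time; the shared key, request id and
message bodies are constructed. The HMAC stands in for the record
authentication a real TLS session provides (TLS also encrypts the request,
so a real MotS attacker would not even see what was asked for).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

SHARED_KEY = b"constructed-session-key"  # the attacker taps the link but has no key


@dataclass
class Response:
    request_id: int
    body: bytes
    tag: bytes = b""  # empty on an unauthenticated channel


def make_response(request_id: int, body: bytes, key: Optional[bytes]) -> Response:
    """Server side: authenticate (request_id || body) when a key is in use."""
    if key is None:
        return Response(request_id, body)
    msg = request_id.to_bytes(4, "big") + body
    return Response(request_id, body, hmac.new(key, msg, hashlib.sha256).digest())


def receive(request_id: int, channel: List[Response], key: Optional[bytes]) -> bytes:
    """Client side. Without a key the client takes the first answer that
    arrives, which is exactly what a MotS attacker races to exploit. With a
    key, any response whose tag does not verify is dropped and the client
    keeps waiting for the genuine one."""
    for resp in channel:  # channel is in arrival order
        if resp.request_id != request_id:
            continue
        if key is None:
            return resp.body
        msg = resp.request_id.to_bytes(4, "big") + resp.body
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, resp.tag):
            return resp.body
        # forged or tampered: ignore it and keep listening
    raise TimeoutError("no authentic response received")


def simulate_update_download(authenticated: bool) -> bytes:
    """Model the update-download scenario from the post: a client asks for a
    software update; the attacker, who can read the tapped link but cannot
    stop the real server, injects a reply that arrives before the genuine one."""
    key = SHARED_KEY if authenticated else None
    request_id = 7
    genuine = make_response(request_id, b"GENUINE-UPDATE-1.2.3", key)
    # The attacker cannot compute a valid tag without the key and can only
    # guess (here: leave it empty); listening and injecting is all a MotS
    # position allows.
    forged = Response(request_id, b"FORGED-UPDATE-WITH-PAYLOAD")
    channel = [forged, genuine]  # the forged reply wins the race
    return receive(request_id, channel, key)


if __name__ == "__main__":
    print("plain channel delivered:        ", simulate_update_download(False))
    print("authenticated channel delivered:", simulate_update_download(True))
```

On the plain channel the client installs whatever arrived first; with the tag check the same race delivers the genuine update, which is why the injected patch in the LuoYu case only works against an unauthenticated update path.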
  29. Tomi Engdahl says:

    Ransomware attacks on industrial infrastructure doubled in 2022: Dragos
    https://therecord.media/dragos-ransomware-report-2022-ics-ot-lockbit/
    The number of ransomware attacks on industrial infrastructure doubled last year, according to research from the cybersecurity firm Dragos.
    The company tracked more than 600 ransomware attacks in 2022 affecting industrial infrastructure, up 87% over the year before, with nearly three-quarters of them targeting the manufacturing sector. “So they're definitely going after manufacturing. A heck of a lot more than electrical and gas,” Rob Lee, CEO of Dragos, told reporters last week.
    Cybercriminals increasingly targeted the operational technology (OT) and industrial control systems (ICS) that manage the core functions of factories and other industrial facilities.

  30. Tomi Engdahl says:

    French law to report cyberincidents within 3 days to become effective soon https://www.malwarebytes.com/blog/news/2023/02/french-law-to-report-cyberincidents-within-3-days-to-become-effective-soon
    The pressure on victims of cybercrime to notify authorities in a timely manner is increasing from many sides and for multiple reasons.
    On January 24, 2023, France passed a law (Article L12-10-1 of the Insurance Code) under which victims of cybercrime are required to report the incident within 72 hours of discovery if they want to be eligible for compensation from their insurer for losses and damages caused by the attack. In accordance with French law, these provisions come into force three months after the announcement of the law. That effective date will be April 24, 2023.

    Reply
  31. Tomi Engdahl says:

    Training and CTFs
    https://windowsir.blogspot.com/2023/02/training-and-ctfs.html
    The military has a couple of adages…one, “you fight like you train”, and another being, “the more you sweat in peace, the less you bleed in war.” The idea behind these adages is that progressive, realistic training prepares you for the job at hand, which is often one performed under “other than optimal” conditions. You start by learning in the classroom, then in the field, and then under austere conditions, so that when you do have to perform the function(s) or
    task(s) under similar conditions, you’re prepared and it’s not a surprise. This is also true of law enforcement, as well as other roles and functions.

    Reply
  32. Tomi Engdahl says:

    What Will It Take?
    https://www.schneier.com/blog/archives/2023/02/what-will-it-take.html
    What will it take for policy makers to take cybersecurity seriously?
    Not minimal-change seriously. Not here-and-there seriously. But really seriously. What will it take for policy makers to take cybersecurity seriously enough to enact substantive legislative changes that would address the problems? It's not enough for the average person to be afraid of cyberattacks. They need to know that there are engineering fixes, and that's something we can provide. For decades, I have been waiting for the big enough incident that would finally do it. In 2015, Chinese military hackers hacked the Office of Personnel Management and made off with the highly personal information of about 22 million Americans who had security clearances.

    Reply
  33. Tomi Engdahl says:

    Just Released: Dragos's Latest ICS/OT Cybersecurity Year in Review Is Now Available https://www.dragos.com/blog/industry-news/2022-dragos-year-in-review-now-available/
    In 2022, breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape. As in previous years, the ICS/OT community has managed a growing number of vulnerabilities, many without the right mitigations needed to reduce risk and maintain operations. Meanwhile electric grids, oil and gas pipelines, water systems, and manufacturing plants continued to struggle with more complex regulatory environments that demand marked progress in shoring up defenses.

    Reply
  34. Tomi Engdahl says:

    The US Government says companies should take more responsibility for cyberattacks. We agree.
    https://security.googleblog.com/2023/02/the-us-government-says-companies-should.html
    Should companies be responsible for cyberattacks? The U.S. government thinks so, and frankly, we agree. Jen Easterly and Eric Goldstein of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security planted a flag in the sand: "The incentives for developing and selling technology have eclipsed customer safety in importance. [...] Americans have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves."

    Reply
  35. Tomi Engdahl says:

    Nice Try Tonto Team
    https://www.group-ib.com/blog/tonto-team/
    In 2023, IT and cybersecurity companies remain one of the most attractive targets for cybercriminals, according to the latest threat report Hi-Tech Crime Trends 2022/2023. The compromise of a vendor's infrastructure opens up ample opportunities to penetrate the network further and gain access to a huge pool of data about the victim's customers and partners. Remember how the SolarWinds attack put Microsoft, Cisco, FireEye, Mimecast, and 18,000 other companies at risk? In light of the military conflict, nation-state threat actors from around the world, including from countries that are not directly involved in the crisis, are actively carrying out cyber espionage operations.

    Reply
  36. Tomi Engdahl says:

    Honeypot-Factory: The Use of Deception in ICS/OT Environments https://thehackernews.com/2023/02/honeypot-factory-use-of-deception-in.html
    There have been a number of reports of attacks on industrial control systems (ICS) in the past few years. Looking a bit closer, most of the attacks seem to have spilt over from traditional IT. That’s to be expected, as production systems are commonly connected to ordinary corporate networks at this point. Though our data does not indicate at this point that a lot of threat actors specifically target industrial systems (in fact, most evidence points to purely opportunistic behaviour), the tide could turn any time, once the added complexity of compromising OT environments promises to pay off. Criminals will take any chance they get to blackmail victims into extortion schemes, and halting production can cause immense damage. It is likely only a matter of time. So cybersecurity for operational technology (OT) is vitally important.

    Reply
  37. Tomi Engdahl says:

    Avoid Being a Downstream Victim of Service Provider Attacks https://securityintelligence.com/articles/avoid-being-victim-of-service-provider-attacks/
    Attacks on service providers are mounting, and so are downstream victims. Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn't actually forgotten their passwords; their email addresses had been compromised in a data breach. But the cybersecurity incident didn't start at DigitalOcean. Instead, the attack started from a MailChimp account. Like many companies, DigitalOcean relies on a third-party email platform for email confirmations, password reset notifications and alerts sent to customers. According to DigitalOcean, an attacker compromised MailChimp's internal tooling and gained unauthorized access to DigitalOcean's Mailchimp account.

    Reply
  38. Tomi Engdahl says:

    2022 ICS Attacks: Fewer-Than-Expected on US Energy Sector, But Ransomware Surged
    https://www.securityweek.com/2022-ics-attacks-fewer-than-expected-on-us-energy-sector-but-ransomware-surged/

    Dragos ICS/OT Cybersecurity Year in Review 2022 report covers state-sponsored attacks, ransomware, and vulnerabilities.

    Industrial cybersecurity company Dragos on Tuesday published its ICS/OT Cybersecurity Year in Review report for 2022, sharing details on state-sponsored attacks and malware, as well as ransomware and vulnerabilities.

    When it comes to malware designed specifically to target industrial control systems (ICS), the discovery of Pipedream/Incontroller is the most significant event. This ICS attack framework, linked to Russia and aimed at energy facilities, has the capabilities to impact tens of thousands of industrial systems that control critical infrastructure.

    In addition, the existence of Industroyer2 came to light last year. The malware, used in an attack aimed at an energy provider in Ukraine, is designed to cause damage by manipulating ICS.

    In total, seven pieces of ICS malware have been discovered to date, including Stuxnet, Havex, BlackEnergy2, CrashOverride, and Trisis.

    In addition to new malware, 2022 saw two threat actors being added to the list of groups targeting industrial organizations: Chernovite, which is the developer of Pipedream, and Bentonite, an Iran-linked actor that opportunistically targeted maritime oil and gas, government and manufacturing organizations for espionage and disruption.

    Dragos has been tracking 20 threat groups that have targeted industrial organizations, eight of which were active in 2022.

    Dragos has been keeping track of security advisories containing incorrect data and found that 34% of the ones published in 2022 were in this category. Worryingly, 70% of the vulnerabilities described in these advisories were more severe in reality compared to what the advisory said.

    The complete Dragos ICS/OT Cybersecurity Year in Review 2022 report is available in PDF format.
    https://hub.dragos.com/hubfs/312-Year-in-Review/2022/Dragos_Year-In-Review-Report-2022.pdf?hsLang=en

    Reply
  39. Tomi Engdahl says:

    CISO Conversations: The Role of the vCISO
    https://www.securityweek.com/ciso-conversations-the-role-of-the-vciso/

    SecurityWeek examines the role of the virtual CISO in a conversation with Chris Bedel and Greg Schaffer.

    All companies benefit from the presence of a CISO. But not all companies can justify the cost of a full time head of security. One option is for another position within the company to include the security role. However, an increasingly popular solution is to employ a part-time virtual CISO (vCISO), combining reduced overheads with access to a dedicated cybersecurity expert.

    Today, CISO Conversations examines the role of the vCISO in conversation with Chris Bedel and Greg Schaffer.

    Alone or part of a group

    Both Bedel and Schaffer are now running their own vCISO organizations, providing vCISOs to other companies. One question is whether vCISOs can operate independently and alone, or whether they need to be part of an umbrella group such as an MSSP or a vCISO company. Both say working alone is possible, but more difficult and with greater risk.

    On one hand, working alone means you receive 100% of the fee. Any organizing company needs to withhold a portion to cover the company’s own overheads. But on the other hand, there is less likelihood of being caught ‘between projects’ or spending periods of time looking for the next client or marketing your services. You work for slightly less, but more consistently.

    Bedel points to another advantage of being part of a group. “We’re now a team of ten. Every time we add a new person to the team, we increase our expertise and strengthen our service. If I’m in a meeting with a client and a topic comes up where I’m not an expert, I can say, ‘Let’s set up a meeting with my colleague, who’s an expert in this’.”

    And then there’s the soft skills. “Some are very detail and task oriented, and others are very strong in business communication. But we’re not just matching the vCISO – we do a team approach where we’ll also have a risk analyst as part of the team. So, the matching is also which vCISO would work best with which risk analyst – because one of the things we try to do is to continuously mentor each other.”

    Reply
  40. Tomi Engdahl says:

    Cyberwarfare
    The Lessons From Cyberwar, Cyber-in-War and Ukraine
    https://www.securityweek.com/the-lessons-from-cyberwar-cyber-in-war-and-ukraine/

    The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question the nature of modern warfare and the role of cyber in its operation.

    Reply
  41. Tomi Engdahl says:

    Internet Explorer's era is officially over
    https://etn.fi/index.php/13-news/14597-internet-explorerin-aika-on-virallisesti-ohi
    Yesterday's Valentine's Day marked the end of Microsoft's Internet Explorer browser. After the Edge browser update that went into distribution on Tuesday, Windows 10 users can no longer open the browser; the only option is to use Edge.
    All remaining consumer and commercial devices that had not yet been redirected from IE11 to Microsoft Edge were redirected by the Microsoft Edge update. According to Microsoft, users cannot revert the change. In addition, the redirection from IE11 to Microsoft Edge will be included in all future Microsoft Edge updates.
    Windows still has IE11 icons, for example in the Start menu and on the taskbar, but they will be removed in the June 2023 Windows security update, which is scheduled for release on June 13, 2023.

    Reply
  42. Tomi Engdahl says:

    The Guardian:
    An investigation exposes “Team Jorge”, an Israeli hacking and social media disinformation unit for hire claiming covert involvement in 33 presidential elections — Group sells hacking services and access to vast army of fake s

    Revealed: the hacking and disinformation team meddling in elections
    https://www.theguardian.com/world/2023/feb/15/revealed-disinformation-team-jorge-claim-meddling-elections-tal-hanan

    ‘Team Jorge’ unit exposed by undercover investigation
    Group sells hacking services and access to vast army of fake social media profiles
    Evidence unit behind disinformation campaigns across world
    Mastermind Tal Hanan claims covert involvement in 33 presidential elections

    A team of Israeli contractors who claim to have manipulated more than 30 elections around the world using hacking, sabotage and automated disinformation on social media has been exposed in a new investigation.

    The unit is run by Tal Hanan, a 50-year-old former Israeli special forces operative who now works privately using the pseudonym “Jorge”, and appears to have been working under the radar in elections in various countries for more than two decades.

    He is being unmasked by an international consortium of journalists. Hanan and his unit, which uses the codename “Team Jorge”, have been exposed by undercover footage and documents leaked to the Guardian.

    Hanan did not respond to detailed questions about Team Jorge’s activities and methods but said: “I deny any wrongdoing.”

    The investigation reveals extraordinary details about how disinformation is being weaponised by Team Jorge, which runs a private service offering to covertly meddle in elections without a trace. The group also works for corporate clients.

    Hanan told the undercover reporters that his services, which others describe as “black ops”, were available to intelligence agencies, political campaigns and private companies that wanted to secretly manipulate public opinion. He said they had been used across Africa, South and Central America, the US and Europe.

    One of Team Jorge’s key services is a sophisticated software package, Advanced Impact Media Solutions, or Aims. It controls a vast army of thousands of fake social media profiles on Twitter, LinkedIn, Facebook, Telegram, Gmail, Instagram and YouTube. Some avatars even have Amazon accounts with credit cards, bitcoin wallets and Airbnb accounts.

    They boasted of planting material in legitimate news outlets, which are then amplified by the Aims bot-management software.

    Much of their strategy appeared to revolve around disrupting or sabotaging rival campaigns: the team even claimed to have sent a sex toy delivered via Amazon to the home of a politician, with the aim of giving his wife the false impression he was having an affair.

    The Team Jorge revelations could cause embarrassment for Israel, which has come under growing diplomatic pressure in recent years over its export of cyber-weaponry that undermines democracy and human rights.

    Hanan appears to have run at least some of his disinformation operations through an Israeli company, Demoman International, which is registered on a website run by the Israeli Ministry of Defense to promote defence exports.

    The secretly filmed meetings, which took place between July and December 2022, therefore provide a rare window into the mechanics of disinformation for hire.

    Three journalists – from Radio France, Haaretz and TheMarker – approached Team Jorge pretending to be consultants working on behalf of a politically unstable African country that wanted help delaying an election.

    Hanan described his team as “graduates of government agencies”, with expertise in finance, social media and campaigns, as well as “psychological warfare”, operating from six offices around the world.

    In his initial pitch to the potential clients, Hanan claimed: “We are now involved in one election in Africa … We have a team in Greece and a team in [the] Emirates … You follow the leads. [We have completed] 33 presidential-level campaigns, 27 of which were successful.” Later, he said he was involved in two “major projects” in the US but claimed not to engage directly in US politics.

    It was not possible to verify all of Team Jorge’s claims in the undercover meetings.

    Team Jorge told the reporters they would accept payments in a variety of currencies, including cryptocurrencies such as bitcoin, or cash. He said he would charge between €6m and €15m for interference in elections.

    Hanan said in an email that the tool, which enabled users to create up to 5,000 bots to deliver “mass messages” and “propaganda”, had been used in 17 elections.

    “It’s our own developed Semi-Auto Avatar creation and network deployment system,” he said, adding that it could be used in any language and was being sold as a service, although the software could be bought “if the price is right”.

    Team Jorge’s bot-management software appears to have grown significantly by 2022, according to what Hanan told the undercover reporters. He said it controlled a multinational army of more than 30,000 avatars, complete with digital backstories that stretch back years.

    Demonstrating the Aims interface, Hanan scrolled through dozens of avatars, and showed how fake profiles could be created in an instant, using tabs to choose nationality and gender and then matching profile pictures to names.

    “Sophia Wilde, I like the name. British. Already she has email, date birth, everything.”

    This week Meta, the owner of Facebook, took down Aims-linked bots on its platform after reporters shared a sample of the fake accounts with the company. On Tuesday, a Meta spokesperson connected the Aims bots to others that were linked in 2019 to another, now-defunct Israeli firm which it banned from the platform.

    ‘I will show you how safe Telegram is’

    No less alarming were Hanan’s demonstrations of his team’s hacking capabilities, in which he showed the reporters how he could penetrate Telegram and Gmail accounts. In one case, he brought up on screen the Gmail account of a man described as the “assistant of an important guy” in the general election in Kenya, which was days away.

    “Today if someone has a Gmail, it means they have much more than just email,”

    Hanan suggested to the undercover reporters that some of his hacking methods exploited vulnerabilities in the global signalling telecoms system, SS7, which for decades has been regarded by experts as a weak spot in the telecoms network.

    Google, which runs the Gmail service, declined to comment. Telegram said “the problem of SS7 vulnerabilities” was widely known and “not unique to Telegram”. They added: “Accounts on any massively popular social media network or messaging app can be vulnerable to hacking or impersonation unless users follow security recommendations and take proper precautions to keep their accounts secure.”

    Reply
  43. Tomi Engdahl says:

    Bloomberg:
    ASML reported a breach to authorities after a former employee in China misappropriated proprietary data, resulting in possible export controls violations — ASML Holding NV, a critical cog in the global semiconductor industry, said a former employee in China stole data about its technology …

    ASML Says Ex-Employee in China Stole Chip Data
    https://www.bloomberg.com/news/articles/2023-02-15/asml-says-ex-employee-in-china-misappropriated-chip-data

    Theft of technical data occurred in the last couple months
    Tensions between US and China high amid espionage claims

    ASML Holding NV, a critical cog in the global semiconductor industry, said that it again suffered data theft with both incidents linked to China. It’s the second disclosure in little over a year and threatens to inflame political tensions amid heightened concerns about espionage.

    The Dutch technology company, which makes machines needed to produce high-end chips used in everything from electric vehicles to military gear, initiated an internal investigation and tightened security controls after recently discovering the latest data breach. It said on Wednesday that export controls may have been

    Reply
  44. Tomi Engdahl says:

    Sustained Activity by Threat Actors
    https://www.enisa.europa.eu/news/sustained-activity-by-threat-actors
    The European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular threat actors. The malicious cyber activities of the presented threat actors pose a significant and ongoing threat to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organisations of strategic relevance.
    Decision makers and cybersecurity officers are the primary audiences of this joint publication.

    Reply
  45. Tomi Engdahl says:

    IoC detection experiments with ChatGPT
    https://securelist.com/ioc-detection-experiments-with-chatgpt/108756/
    ChatGPT is a groundbreaking chatbot powered by the neural network-based language model text-davinci-003 and trained on a large dataset of text from the Internet. It is capable of generating human-like text in a wide range of styles and formats. ChatGPT can be fine-tuned for specific tasks, such as answering questions, summarizing text, and even solving cybersecurity-related problems, such as generating incident reports or interpreting decompiled code.
    Apparently, attempts have been made to generate malicious objects, such as phishing emails, and even polymorphic malware.

    Reply
