This posting is here to collect cyber security news in October 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in October 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
238 Comments
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-kb5043145-reboot-loops-usb-and-bluetooth-issues/?fbclid=IwZXh0bgNhZW0CMTEAAR26RqCAagJ_3v6ZY9vvecpQIln8eUXrmFvsmacSnrOHPTL9RC7PhMl8jr0_aem_VkZRC99fZs-6QgCC9CdFlA
Tomi Engdahl says:
https://www.securityweek.com/t-mobile-to-pay-millions-to-settle-with-fcc-over-data-breaches/
Tomi Engdahl says:
Microsoft Unveils Copilot Vision AI Tool, but Highlights Security After Recall Debacle
Microsoft has unveiled a new AI-based web content analysis tool, underscoring safety and security to address potential concerns.
https://www.securityweek.com/microsoft-unveils-copilot-vision-ai-tool-but-highlights-security-after-recall-debacle/
Tomi Engdahl says:
Johtuiko Helsinki-Vantaan kaaos kyberhyökkäyksestä? Näin kommentoi Finavian apulaisjohtaja
Finavian apulaisjohtaja arvelee Helsinki-Vantaan sumpun syyksi tietoteknisen komponentin vikaa.
https://www.iltalehti.fi/kotimaa/a/27d4ed36-7301-46ae-af6d-7ce719bd7372
Torstaiaamu valkeni kaoottisissa tunnelmissa Helsinki-Vantaan lentoasemalla, kun matkatavarajärjestelmän tekninen häiriö aiheutti valtavat ruuhkat lähtöaulaan.
Finavian apulaisjohtaja Jani Elasmaa kertoi Iltalehdelle suorassa lähetyksessä, että vian syy on parhaillaan selvityksen alla.
– Häiriö on edelleen päällä. Teemme kaikkemme, että häiriö ratkeaa mahdollisimman pian.
– Kyseessä on tietotekninen vika, mutta sen juurisyy ei ole selvillä, Elasmaa kommentoi Iltalehden suorassa lähetyksessä.
Elasmaa pitää näin laajaa häiriötä todella harvinaisena. Mahdollisesta kyberhyökkäyksestä ei ole Elasmaan mukaan ole tällä hetkellä viitteitä.
– Uskoisin, että kyse on puhtaasti tietoteknisestä komponentista.
– Teemme kaikkemme, että matkatavarat ehtisivät lennoille, mutta viivästyksiä tulee, Elasmaa kertoi.
Tomi Engdahl says:
https://www.securityweek.com/worldcoin-fighting-deepfakes-and-bots-with-a-global-permissionless-blockchain-identity/
Tomi Engdahl says:
ICS/OT
US, Allies Release Guidance on Securing OT Environments
New guidance provides information on how to create and maintain a secure operational technology (OT) environment.
https://www.securityweek.com/us-allies-release-guidance-on-securing-ot-environments/
New guidance from government agencies in the US and allied countries provides organizations with details on how to design, implement, and manage safe and secure operational technology (OT) environments.
OT is deeply integrated into critical infrastructure organizations’ complex environments, and business decisions such as adding new processes, services, or systems, selecting vendors for support, or developing business continuity and security-related plans may affect the cybersecurity of OT.
The new guidance (PDF) from government agencies in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK, details six principles for secure OT: paramount safety, knowledge of the business, OT data value and protection, OT segmentation, secure supply chain, and the importance of people for OT cybersecurity.
“The authoring agencies recommend an OT decision maker apply the six principles presented in this document to help determine if the decision being made is likely to adversely impact the cyber security of the OT environment,” the guidance reads.
Principles of
operational technology
cyber security
https://www.cyber.gov.au/sites/default/files/2024-10/principles_of_operational_technology_cyber_security.pdf
Tomi Engdahl says:
Zero-Day Breach at Rackspace Sparks Vendor Blame Game
A breach at Rackspace exposes the fragility of the software supply chain, triggering a blame game among vendors over an exploited zero-day.
https://www.securityweek.com/zero-day-breach-at-rackspace-sparks-vendor-blame-game/
Tomi Engdahl says:
Vulnerabilities
After Code Execution, Researchers Show How CUPS Can Be Abused for DDoS Attacks
Over 58,000 internet-exposed CUPS hosts can be abused for significant DDoS attacks, according to Akamai.
https://www.securityweek.com/after-code-execution-researchers-show-how-cups-can-be-abused-for-ddos-attacks/
A few days after a researcher warned that the Common UNIX Printing System (CUPS) could be abused for unauthenticated remote code execution, cybersecurity firm Akamai determined that CUPS could also be abused for significant DDoS attacks.
CUPS is a popular open source printing system that is based on the Internet Printing Protocol (IPP) and designed mainly for Linux and UNIX-like operating systems.
Researcher Simone Margaritelli last week disclosed several unpatched CUPS vulnerabilities that can be chained to achieve remote code execution, which, according to Red Hat, could lead to sensitive data theft or damage to critical systems.
Akamai researchers have analyzed Margaritelli’s report and discovered a new attack vector involving CUPS, one that could be leveraged for DDoS attacks.
https://www.securityweek.com/highly-anticipated-linux-flaw-allows-remote-code-execution-but-less-serious-than-expected/
When CUPS Runneth Over: The Threat of DDoS
https://www.akamai.com/blog/security-research/2024/oct/october-cups-ddos-threat
Tomi Engdahl says:
Network Security
Record-Breaking DDoS Attack Peaked at 3.8 Tbps, 2.14 Billion Pps
Cloudflare recently mitigated another record-breaking DDoS attack, peaking at 3.8 Tbps and 2.14 billion Pps.
https://www.securityweek.com/record-breaking-ddos-attack-peaked-at-3-8-tbps-2-14-billion-pps/
Web performance and security firm Cloudflare recently mitigated another record-breaking DDoS attack.
According to Matthew Prince, the company’s CEO, the attack peaked at 3.8 terabits per second (Tbps) and 2.14 billion packets per second (Pps). The attack was aimed at an unidentified customer of an unnamed hosting provider that uses Cloudflare services.
To put the numbers into context, the previous volumetric DDoS record was set in late 2021, when Microsoft saw an attack that peaked at 3.47 Tbps and a packet rate of 340 million Pps. The biggest attack previously seen by Cloudflare peaked at 2.6 Tbps.
In terms of just network protocol attacks, cloud provider OVHcloud in July 2024 reported seeing a record-breaking attack peaking at 840 million Pps.
In terms of application layer DDoS attacks, HTTP/2 Rapid Reset holds the record, with the method being used to launch an attack that peaked at 398 million requests per second (Rps), according to Google’s measurements. The record previously stood at 71 million Rps.
Cloudflare and AWS also saw HTTP/2 Rapid Reset attacks roughly at the same time as Google, but the ones they observed peaked at only 201 million Rps and 155 million Rps, respectively.
In a blog post published on Tuesday morning, Cloudflare revealed that the record-breaking attack was part of a month-long campaign that began in early September. The company has mitigated over 100 of these “hyper-volumetric L3/4 DDoS attacks”, with many of them exceeding 2 billion Pps and 3 Tbps.
The campaign targeted customers in the financial services, telecoms, and internet sectors. The attacks came from systems around the world, including in Vietnam, Russia, Brazil, Spain and the United States, and they were powered by compromised web servers, DVRs, and routers.
How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack
https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/
Since early September, Cloudflare’s DDoS protection systems have been combating a month-long campaign of hyper-volumetric L3/4 DDoS attacks. Cloudflare’s defenses mitigated over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps). The largest attack peaked 3.8 Tbps — the largest ever disclosed publicly by any organization. Detection and mitigation was fully autonomous. The graphs below represent two separate attack events that targeted the same Cloudflare customer and were mitigated autonomously.
Cloudflare customers are protected
Cloudflare customers using Cloudflare’s HTTP reverse proxy services (e.g. Cloudflare WAF and Cloudflare CDN) are automatically protected.
Cloudflare customers using Spectrum and Magic Transit are also automatically protected. Magic Transit customers can further optimize their protection by deploying Magic Firewall rules to enforce a strict positive and negative security model at the packet layer.
Other Internet properties may not be safe
The scale and frequency of these attacks are unprecedented. Due to their sheer size and bits/packets per second rates, these attacks have the ability to take down unprotected Internet properties, as well as Internet properties that are protected by on-premise equipment or by cloud providers that just don’t have sufficient network capacity or global coverage to be able to handle these volumes alongside legitimate traffic without impacting performance.
Cloudflare, however, does have the network capacity, global coverage, and intelligent systems needed to absorb and automatically mitigate these monstrous attacks.
Campaign analysis
We have observed this attack campaign targeting multiple customers in the financial services, Internet, and telecommunication industries, among others. This attack campaign targets bandwidth saturation as well as resource exhaustion of in-line applications and devices.
The attacks predominantly leverage UDP on a fixed port, and originated from across the globe with larger shares coming from Vietnam, Russia, Brazil, Spain, and the US.
The high packet rate attacks appear to originate from multiple types of compromised devices, including MikroTik devices, DVRs, and Web servers, orchestrated to work in tandem and flood the target with exceptionally large volumes of traffic. The high bitrate attacks appear to originate from a large number of compromised ASUS home routers, likely exploited using a CVE 9.8 (Critical) vulnerability that was recently discovered by Censys.
Anatomy of DDoS attacks
Before we discuss how Cloudflare automatically detected and mitigated the largest DDoS attacks ever seen, it‘s important to understand the basics of DDoS attacks.
The goal of a Distributed Denial of Service (DDoS) attack is to deny legitimate users access to a service. This is usually done by exhausting resources needed to provide the service. In the context of these recent Layer 3/4 DDoS attacks, that resource is CPU cycles and network bandwidth.
To defend against high packet rate attacks, you need to be able to inspect and discard the bad packets using as few CPU cycles as possible, leaving enough CPU to process the good packets. You can additionally acquire more, or faster, CPUs to perform the processing — but that can be a very lengthy process that bears high costs.
Exhausting network bandwidth
Network bandwidth is the total amount of data per time that can be delivered to a server. You can think of bandwidth like a pipe to transport water. The amount of water we can deliver through a drinking straw is less than what we could deliver through a garden hose. If an attacker is able to push more garbage data into the pipe than it can deliver, then both the bad data and the good data will be discarded upstream, at the entrance to the pipe, and the DDoS is therefore successful.
Defending against attacks that can saturate network bandwidth can be difficult because there is very little that can be done if you are on the downstream side of the saturated pipe. There are really only a few choices: you can get a bigger pipe, you can potentially find a way to move the good traffic to a new pipe that isn’t saturated, or you can hopefully ask the upstream side of the pipe to stop sending some or all of the data into the pipe.
Generating DDoS attacks
If we think about what this means from the attackers point of view you realize there are similar constraints. Just as it takes CPU cycles to receive a packet, it also takes CPU cycles to create a packet. If, for example, the cost to send and receive a packet were equal, then the attacker would need an equal amount of CPU power to generate the attack as we would need to defend against it. In most cases this is not true — there is a cost asymmetry, as the attacker is able to generate packets using fewer CPU cycles than it takes to receive those packets. However, it is worth noting that generating attacks is not free and can require a large amount of CPU power.
Saturating network bandwidth can be even more difficult for an attacker. Here the attacker needs to be able to output more bandwidth than the target service has allocated. They actually need to be able to exceed the capacity of the receiving service. This is so difficult that the most common way to achieve a network bandwidth attack is to use a reflection/amplification attack method, for example a DNS Amplification attack. These attacks allow the attacker to send a small packet to an intermediate service, and the intermediate service will send a large packet to the victim.
In both scenarios, the attacker needs to acquire or gain access to many devices to generate the attack. These devices can be acquired in a number of different ways. They may be server class machines from cloud providers or hosting services, or they can be compromised devices like DVRs, routers, and webcams that have been infected with the attacker’s malware. These machines together form the botnet.
Spreading the attack surface using global anycast
The first not-so-secret ingredient is that Cloudflare’s network is built on anycast. In brief, anycast allows a single IP address to be advertised by multiple machines around the world. A packet sent to that IP address will be served by the closest machine. This means when an attacker uses their distributed botnet to launch an attack, the attack will be received in a distributed manner across the Cloudflare network. An infected DVR in Dallas, Texas will send packets to a Cloudflare server in Dallas. An infected webcam in London will send packets to a Cloudflare server in London.
Our anycast network additionally allows Cloudflare to allocate compute and bandwidth resources closest to the regions that need them the most.
Additionally, for high bandwidth attacks, Cloudflare’s network has another advantage. A large proportion of traffic on the Cloudflare network does not consume bandwidth in a symmetrical manner. For example, an HTTP request to get a webpage from a site behind Cloudflare will be a relatively small incoming packet, but produce a larger amount of outgoing traffic back to the client. This means that the Cloudflare network tends to egress far more legitimate traffic than we receive. However, the network links and bandwidth allocated are symmetrical, meaning there is an abundance of ingress bandwidth available to receive volumetric attack traffic.
Generating real-time signatures
By the time you’ve reached an individual server inside a datacenter, the bandwidth of the attack has been distributed enough that none of the upstream links are saturated. That doesn’t mean the attack has been fully stopped yet, since we haven’t dropped the bad packets. To do that, we need to sample traffic, qualify an attack, and create rules to block the bad packets.
Sampling traffic and dropping bad packets is the job of our l4drop component, which uses XDP (eXpress Data Path) and leverages an extended version of the Berkeley Packet Filter known as eBPF (extended BPF). This enables us to execute custom code in kernel space and process (drop, forward, or modify) each packet directly at the network interface card (NIC) level. This component helps the system drop packets efficiently without consuming excessive CPU resources on the machine.
We use XDP to sample packets to look for suspicious attributes that indicate an attack. The samples include fields such as the source IP, source port, destination IP, destination port, protocol, TCP flags, sequence number, options, packet rate and more. This analysis is conducted by the denial of service daemon (dosd). Dosd holds our secret sauce. It has many filters which instruct it, based on our curated heuristics, when to initiate mitigation. To our customers, these filters are logically grouped by attack vectors and exposed as the DDoS Managed Rules. Our customers can customize their behavior to some extent, as needed.
As it receives samples from XDP, dosd will generate multiple permutations of fingerprints for suspicious traffic patterns. Then, using a data streaming algorithm, dosd will identify the most optimal fingerprints to mitigate the attack. Once an attack is qualified, dosd will push a mitigation rule inline as an eBPF program to surgically drop the attack traffic.
The detection and mitigation of attacks by dosd is done at the server level, at the data center level and at the global level — and it’s all software defined. This makes our network extremely resilient and leads to almost instant mitigation. There are no out-of-path “scrubbing centers” or “scrubbing devices”.
Strong defenses against strong attacks
Our software-defined, autonomous DDoS detection and mitigation systems run across our entire network. In this post we focused mainly on our dynamic fingerprinting capabilities, but our arsenal of defense systems is much larger. The Advanced TCP Protection system and Advanced DNS Protection system work alongside our dynamic fingerprinting to identify sophisticated and highly randomized TCP-based DDoS attacks and also leverages statistical analysis to thwart complex DNS-based DDoS attacks. Our defenses also incorporate real-time threat intelligence, traffic profiling, and machine learning classification as part of our Adaptive DDoS Protection to mitigate traffic anomalies.
https://developers.cloudflare.com/ddos-protection/about/components/#autonomous-edge
https://www.cloudflare.com/en-gb/learning/cdn/glossary/anycast-network/
Tomi Engdahl says:
Nokia: Kyberrikolliset hyökkäävät mobiiliverkkoihin yhä useammin
https://etn.fi/index.php/13-news/16669-nokia-kyberrikolliset-hyoekkaeaevaet-mobiiliverkkoihin-yhae-useammin
Kyberrikollisten hyökkäykset mobiiliverkkoihin ovat nousussa ja muuttuvat yhä monimutkaisemmiksi, varoittaa Nokia Threat Intelligence Report 2024. Mobiiliverkot, jotka ovat keskeisessä roolissa yhteiskunnan viestintäinfrastruktuurissa, ovat kasvavassa määrin erilaisten kyberhyökkäysten kohteina. Raportti nostaa esiin etenkin palvelunestohyökkäykset (DDoS) sekä tietomurrot, jotka voivat johtaa vakaviin palvelukatkoksiin ja kriittisten tietojen vaarantumiseen.
Yksi suurimmista huolenaiheista on palvelunestohyökkäysten määrän nopea kasvu. Raportin mukaan DDoS-liikenne kasvoi 166 prosenttia vuodesta 2023 vuoteen 2024, mikä heijastaa hyökkäysten laajamittaista yleistymistä. Erityisesti “carpet-bombing”-hyökkäykset, joissa kohteena on useita IP-osoitteita samanaikaisesti, ovat yleistyneet. Vuonna 2024 näitä hyökkäyksiä kohdistettiin useammin kuin koskaan aiemmin, ja joissakin tapauksissa kohteena oli jopa yli 16 000 IP-osoitetta yhdellä iskulla. Tämä tekee hyökkäyksistä entistä laajempia ja vaikeammin torjuttavia.
Nokian raportti korostaa, että tekoäly ja automaatio ovat tehneet hyökkäyksistä entistä kehittyneempiä. Hyökkääjät hyödyntävät yhä enemmän tekoälyä hyökkäysten suunnittelussa ja toteuttamisessa, mikä mahdollistaa suuremmat ja nopeammat iskut. Esimerkiksi tekoälyä käytetään hyökkäysten automatisoimiseen ja kohteiden nopeaan vaihtamiseen kesken hyökkäyksen, mikä tekee niiden torjumisesta haastavampaa. Tämä on asettanut mobiiliverkkojen suojaamisen entistä suuremman paineen alle.
Raportissa nostetaan esille myös kvanttitietokoneiden tuomat uhat, joiden odotetaan yleistyvän tulevina vuosina. Kvanttitietokoneiden mahdollistamat uudet laskentamenetelmät voivat vaarantaa nykyiset salausmenetelmät, mikä tarkoittaa, että mobiiliverkkojen turvamekanismit on päivitettävä kestämään näitä tulevaisuuden uhkia. Kvanttiturvalliset verkot ovat jo kehitteillä, ja niiden käyttöönottoa tullaan kiihdyttämään tulevina vuosina.
Tomi Engdahl says:
Häiriö Helsinki-Vantaalla ohi – Tämä kaaoksesta tiedetään nyt
Helsinki-Vantaan lentokentän matkatavarajärjestelmän vika aiheutti haittaa matkustajille torstaiaamuna. Vika on nyt korjattu.
https://www.iltalehti.fi/kotimaa/a/8e8b50a6-2c54-4f5c-aab8-191f10b190a5
Ruuhkan aiheutti matkatavarajärjestelmän tekninen vika, joka alkoi neljältä aamuyöllä. Eri lentojen matkustajien laukut kasattiin yhteen kasaan, josta kentän henkilökunta kuljetti ne käsin eteenpäin.
Finavian apulaisjohtaja Jani Elasmaa kertoo, että tilanne alkoi hiljalleen normalisoitua yhdeksän aikaan. Puolenpäivän aikaan Elasmaa kertoi Iltalehdelle, että häiriön aiheuttanut vika on korjattu.
– Saimme varajärjestelmän käyttöön ja laukkuja läpi.
Elasmaan mukaan häiriön piirissä oli ”joitain tuhansia” laukkuja. Osa lennoista myöhästyi ja kaikkia laukuista ei ehditty kuormaamaan ajoissa aamun lähteville lennoille.
– Muutama tuhat laukkua jäi jälkeen ja ne odottavat nyt uudelleenreititystä kohteisiin.
Syytä selvitetään
Jani Elasmaan mukaan vian juurisyy ole vielä selvinnyt.
– Tietoteknisestä häiriöstä on kyse. Mikään fyysinen komponentti tai osa ei ole hajonnut, hän sanoo.
Ongelmaa tutkii parhaillaan Finavian asiantuntijaryhmä. Lisäksi lentokentällä on paikalla järjestelmän valmistajan edustaja, kertoo Elasmaa.
– Olen täysin varma, että ongelman juurisyy saadaan selville seuraavan muutaman tunnin aikana.
Elasmaan mukaan ei ole odotettavissa, että vika toistuisi.
– Pyrimme siihen, ettei vastaavaa vikaa toistuisi.
Matkustajat turhautuivat
Häiriö aiheutti ärtymystä ruuhkautuneella lentokentällä.
Tomi Engdahl says:
Nordealla isoja ongelmia
Nordean vakavat ongelmat jatkuvat.
https://www.is.fi/digitoday/art-2000010738494.html
Nordean pankkipalvelut oikuttelevat vakavasti. Torstaina moni on ollut vaikeuksissa yrittäessään kirjautua verkkopankkiin.
Vika vaikuttaa ainakin, kun Nordeaan pyrkii kirjautumaan selaimen kautta. Osoite Nordea.fi vastasi IS:n vieraillessa hyvin hitaasti, ja verkkopankin kirjautumisruutuun ei saatu yhteyttä.
Verkkopalvelujen toimintaa seuraava Downdetector esittää selvän piikin vikailmoituksissa noin kello 11:stä eteenpäin torstaina.
Pankin palvelut ovat oikutelleet toistuvasti useamman viikon ajan. Nordean mukaan syynä ovat olleet paitsi sitä vastaan tehdyt palvelunestohyökkäykset, myös pankin sisäiset huoltotyöt.
Nordea vahvisti torstaina verkkopankkiin kirjautumisen yhteydessä kärsivänsä palvelunestohyökkäyksistä.
Tomi Engdahl says:
Uusi direktiivi lisää painetta yritysten ylimmälle johdolle
Kyberturvallisuudesta pyritään tekemään organisaation johdolle kuuluva velvollisuus. Uusi EU-direktiivi on tulossa voimaan 17. lokakuuta 2024.
https://www.iltalehti.fi/digiuutiset/a/7fc9c105-74ad-4b5a-b73d-536b714ff980
Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskus muistuttaa lokakuussa voimaan tulevasta NIS 2 -direktiivistä, joka tunnetaan myös Euroopan unionin kyberturvallisuusdirektiivinä. Se korvaa aiemman verkko- ja tietoturvadirektiivin.
Uudessa direktiivissä on osoitettu yhteiskunnan kriittisille sektoreille ja niillä toimiville organisaatioille tietoturvaa vahvistavia vaatimuksia sekä raportointivelvoitteita. Direktiivissä on muun muassa lueteltu vähimmäistoimenpiteet, jotka kaikkien toimijoiden on toteutettava hallitakseen organisaationsa toimintoihin kohdistuvia tietoturvariskejä.
Uuden direktiivin myötä keskeisiksi tai tärkeiksi katsotuille organisaatioille tulee velvoite ilmoittaa merkittävistä tietoturvapoikkeamista.
Ilmoitusvelvollisuus on kolmivaiheinen, eli toimijan on toimitettava valvovalle viranomaiselle ensi-ilmoitus 24 tunnin kuluessa poikkeaman havaitsemisesta, minkä jälkeen jatkoilmoitus on tehtävä 72 tunnin kuluessa. Poikkeamatilanteen päätyttyä valvovalle viranomaiselle on toimitettava loppuraportti.
Kovat seuraamusmaksut
Direktiivissä on linjattu myös velvoitteiden rikkomisesta määrättävistä hallinnollisista seuraamusmaksuista.
Yhteiskunnan keskeiselle toimijalle seuraamusmaksun enimmäismäärä on 10 miljoonaa euroa tai 2 prosenttia maailmanlaajuisesta kokonaisliikevaihdosta riippuen siitä, kumpi on suurempi. Muulle kuin keskeiselle toimijalle seuraamusmaksu on enintään 7 miljoonaa euroa tai 1,4 prosenttia kokonaisliikevaihdosta.
CGI:n kyberturvallisuusyksikön johtava tietoturva-asiantuntija Ilmari Luoma kirjoitti CGI:n blogissa viime keväänä, että erityisintä NIS 2:ssa on vaatimusten suuntaaminen jatkossa hyvin vahvasti yritysten ja organisaatioiden johtoportaisiin. Johtajien vastuuta korostetaan Luoman mukaan poikkeuksellisen kovalla kielellä.
– Direktiivin mukaan johdon velvollisuus on johtaa tietoturvatyötä ja varmistaa, että määrätyt tietoturvamenettelyt toteutuvat. Johto ei myöskään voi ongelmatilanteissa vedota epätietoisuuteen, vaan johtoasemassa toimimisen vaatimukseksi linjataan se, että kouluttautuu tarpeeksi syvällisesti tietoturva-aiheista voidakseen tehdä päätöksiä, Luoma kirjoittaa.
Voit lukea lisää NIS 2 -direktiivin asettamista vaatimuksista Traficomin sivuilta.
https://www.kyberturvallisuuskeskus.fi/fi/toimintamme/saantely-ja-valvonta/tarkeaa-tietoa-euroopan-unionin-kyberturvallisuusdirektiivista#68867-1
Tomi Engdahl says:
https://www.securityweek.com/apple-ios-18-0-1-patches-password-exposure-and-audio-snippet-bugs/
Tomi Engdahl says:
https://www.securityweek.com/ciso-salary-surge-fewer-job-changes-bigger-paychecks-for-experienced-cybersecurity-leaders/
Tomi Engdahl says:
Katrina Manson / Bloomberg:
The US and Microsoft seize 107 websites used by Russian intelligence agents and their proxies in the US operating under Star Blizzard, a group active since 2016 — – Russian group Star Blizzard targeted civil society, US says — Group has conducted election influence operations in UK
https://www.bloomberg.com/news/articles/2024-10-03/us-takes-down-websites-used-by-hackers-linked-to-fsb-doj-says
Tomi Engdahl says:
Suomalaisyritys mokasi – ”Olette lain mukaan vaitiolovelvollinen”
Suomalaisyrityksen mukaan asiakkaiden tietojen paljastumisen syynä oli inhimillinen virhe.
https://www.iltalehti.fi/digiuutiset/a/c52d2cf1-8a10-4a8c-a75b-993684d65861
Mobify Invoice Oy lähetti asiakkailleen torstaina 3. lokakuuta sähköpostitse tiedotteen, jossa kerrottiin yhtiön sulautumisesta Alisa Pankin kanssa.
”Inhimillisestä virheestä” johtuen sähköpostin vastaanottajakentässä näkyi kuitenkin myös muiden samaisen sähköpostin vastaanottajien sähköpostiosoitteita. Iltalehteen yhteyttä ottaneen henkilön mukaan paljastuneita sähköpostiosoitteita oli ainakin useita satoja.
– Pyydämme poistamaan viestin välittömästi, Mobify Invoice kertoo myöhemmin lähetetyssä sähköpostissa, jonka Iltalehti on nähnyt.
Muistuttaa vaitiolovelvollisuudesta
Yhtiö kertoo sähköpostissaan havainneensa tietosuojaloukkauksen välittömästi ja pahoittelevansa asiaa. Sen mukaan paljastuneiden tietojen käyttö, kopiointi, muuttaminen ja hallussapito on kiellettyä.
– Muistutamme samalla, että tällaisen viestin osalta olette lain mukaan vaitiolovelvollinen, eikä tietoja saa myöskään käyttää hyväksi, sähköpostissa kerrotaan.
Tomi Engdahl says:
Traficom muistuttaa uudesta mahdollisuudesta – Vaikeuttaa huijareiden työtä
Traficom kehottaa suomalaisia pysymään valppaana, jotta he eivät astu huijareiden ansaan. Tekstiviestin lähettäjänä voi näkyä viranomaisen tai muun luotettavan tahoa mukaileva nimi.
https://www.iltalehti.fi/digiuutiset/a/878958eb-1220-46d9-93c5-c29c536a5d3c
Liikenne- ja viestintävirasto Traficom varoittaa verkkorikollisten tehtailemista huijauksista, joiden avulla saavutettu rahallinen hyöty lasketaan useissa kymmenissä miljoonissa euroissa. Se kertoo ilmiön kasvaneen voimakkaasti viime vuosina.
Tyypillisimmässä Traficomin nimissä lähetetyssä huijausviestissä väitetään, että vastaanottajalla on erääntyneitä sakkoja tai muita maksuja. Viranomainen muistuttaa, ettei se lähetä tekstiviestitse laskuja tai maksumuistutuksia.
Sähköpostien suhteen saa silti olla tarkkana, koska lähettäjän nimeksi voi laittaa mitä tahansa. Sähköpostien kohdalla kannattaakin aina tarkistaa lähettäjän todellinen sähköpostiosoite klikkaamalla lähettäjän nimeä.
Valppautta vaaditaan myös tekstiviestien vastaanottajilta. Huijarit yrittävät huiputtaa suomalaisia käyttämällä lähettäjätunnuksia, jotka muistuttavat Traficomia tai jotain muuta tunnettua tahoa.
– Traficomin nimissä on jatkuvasti liikkeellä melkein samalta näyttäviä väärennöksiä, kuten Tragicom ja Traficorn, Martikka sanoo.
Traficomin mukaan eri organisaatiota ovat suojanneet yhteensä jo lähes 200 lähettäjätunnusta. Osa niistä odottaa suojauksen voimaantuloa. Joukossa on niin valtionhallinnon organisaatioita, pankkeja kuin vakuutusyhtiöitäkin.
– Kannustamme kaikkia tekstiviestejä lähettäviä organisaatioita tarkistamaan suojaustarpeensa ja rekisteröimään tarvittavat tunnukset Traficomin palvelussa, Martikka sanoo.
SMS Sender ID -tunnuksen suojaaminen tuli mahdolliseksi viime marraskuussa.
Tomi Engdahl says:
Russia Arrests 96 People Tied to US-Disrupted Cryptocurrency Exchanges
Russian authorities have arrested 96 individuals suspected of having ties to US-disrupted UAPS and Cryptex cryptocurrency exchanges.
https://www.securityweek.com/russia-arrests-96-people-tied-to-us-disrupted-cryptocurrency-exchanges/
Tomi Engdahl says:
Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group
The coordinated action resulted in the seizure of more than 100 domains used for spear-phishing targets in the US, UK, and Europe.
https://www.securityweek.com/microsoft-doj-dismantle-domains-used-by-russian-fsb-linked-hacking-group/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/recently-patched-cups-flaw-can-be-used-to-amplify-ddos-attacks/
Tomi Engdahl says:
Droonitörmäys Pasilan linkkitorniin johti vakoiluepäilyyn – nyt tutkinnassa tapahtui käänne
https://yle.fi/a/74-20115859
Henkilö lennätti heinäkuussa droonia, joka törmäsi Pasilan linkkitorniin Helsingissä. Poliisi tutki aluksi tapausta epäiltynä vakoiluna.
Keskusrikospoliisin (KRP) mukaan Pasilan linkkitorniin osuneen droonin lennättämisessä ei ollut kyse vakoilusta.
Yle kertoi toissa viikolla tapauksesta, jossa henkilö lennätti heinäkuussa Ylen toimitilojen ja Helsingin poliisilaitoksen alueella Pasilassa droonia, joka lopulta törmäsi linkkitorniin.
Hän kuvailee, että kesken lennättämisen laitteessa oli Pasilan alueella ilmennyt yhteyshäiriö eikä drooni ollut enää lennättäjän hallittavissa.
Tomi Engdahl says:
We hacked a robot vacuum — and could watch live through its camera
The largest home robotics company in the world has failed to fix security issues with its robot vacuums despite being warned about them last year.
Without even entering the building, we were able to silently take photos of the (consenting) owner of a device made by Chinese giant Ecovacs.
https://www.abc.net.au/news/2024-10-04/robot-vacuum-hacked-photos-camera-audio/104414020?fbclid=IwY2xjawFtw-RleHRuA2FlbQIxMQABHbypyCYtVqpf28VDGE3JCxbBVHH78KYgf_WbE10Nll5uK7NSwW6NxAFhcQ_aem_TGPo8-zZJOiET-XSQ4WQtw
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-network-switch-rce-flaw-impacts-critical-infrastructure/
Tomi Engdahl says:
Security experts claim new ‘Perfctl’ malware could pose a risk to any Linux server
News
By Christopher Harper published 2 days ago
Cryptominer malware bogs down the system and uses rootkits, opens backdoors, and copies itself from memory to various disk locations
https://www.tomshardware.com/tech-industry/cyber-security/security-experts-claim-new-perfctl-malware-could-pose-a-risk-to-any-linux-server
Tomi Engdahl says:
https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack
Tomi Engdahl says:
Uusi tietovuoto paljasti Venäjän häikäilemättömän vaikutusoperaation, asiantuntijalta tyly huomio
Uusi tietovuoto paljastaa Venäjän laajan vaikutusoperaation viime kesän eurovaaleissa. Nyt venäläisten tähtäimessä ovat Yhdysvaltain presidentinvaalit.
https://yle.fi/a/74-20112682
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-blocks-windows-11-24h2-on-some-intel-pcs-over-bsod-issues/
Tomi Engdahl says:
WP:n tiedot: Israel valmisteli hurjaa hakulaitteiden räjäytysoperaatiota salassa vuosia
Yhdysvaltalaislehden laaja selvitys kertoo, kuinka Israel keksi ”Troijan hevosensa”.
WP:n tiedot: Israel valmisteli hurjaa hakulaitteiden räjäytysoperaatiota salassa vuosia
https://www.is.fi/ulkomaat/art-2000010744701.html
Tomi Engdahl says:
https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16635-usa-kieltaeae-kiinalaiset-ja-venaelaeiset-ohjelmistot-maanteiltaeaen
Tomi Engdahl says:
Wall Street Journal:
Sources: China-linked “Salt Typhoon” hacking campaign potentially accessed US wiretap systems after breaching networks of US ISPs like Verizon, AT&T, and Lumen — AT&T, Verizon are among broadband providers breached in China-linked ‘Salt Typhoon’ hack
U.S. Wiretap Systems Targeted in China-Linked Hack
AT&T and Verizon are among the broadband providers that were breached
https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b?st=4QbXPX&reflink=desktopwebshare_permalink
Tomi Engdahl says:
Wes Davis / The Verge:
Google rolls out Android theft protection features: Theft Detection Lock, which uses AI to detect motion indicating theft, Offline Device Lock, and Remote Lock — Google is rolling out a new set of features aimed at making it less easy for thieves to access your data.
A new Android feature locks your screen if your phone is stolen
/ Android users are reporting they now have a suite of theft protection features Google announced in May.
https://www.theverge.com/2024/10/5/24262810/google-theft-detection-lock-rolling-out-android
Tomi Engdahl says:
Alan Suderman / Associated Press:
A look at the rise and fall of IronNet, a cybersecurity firm led by ex-NSA director Keith Alexander and whose valuation crossed $3B after it went public in 2021
Collapse of national security elites’ cyber firm leaves bitter wake
https://apnews.com/article/keith-alexander-ironnet-cybersecurity-nsa-bankruptcy-eddd67f3a1b312face21c29c59400e05
Tomi Engdahl says:
Philip Heijmans / Bloomberg:
UN report: cyber crime syndicates raked in as much as $37B in 2023 and are growing in Myanmar, Cambodia, Laos, and across Southeast Asia despite police efforts
Southeast Asia Scammers Stole Up to $37 Billion in 2023, UN Says
https://www.bloomberg.com/news/articles/2024-10-07/southeast-asia-s-cyber-gangs-took-37-billion-in-2023-un-says
Tomi Engdahl says:
MITRE Announces AI Incident Sharing Project
MITRE’s AI Incident Sharing initiative helps organizations receive and hand out data on real-world AI incidents.
https://www.securityweek.com/mitre-announces-ai-incident-sharing-project/
Tomi Engdahl says:
Smart TV Surveillance? How Samsung and LG’s ACR Technology Tracks What You Watch
Researchers find Smart TVs from Samsung and LG use a Shazam-like tracker to monitor what you watch. Opting out is complex and time-consuming.
https://www.securityweek.com/smart-tv-surveillance-how-samsung-and-lgs-acr-technology-tracks-what-you-watch/
Tomi Engdahl says:
MFA Isn’t Failing, But It’s Not Succeeding: Why a Trusted Security Tool Still Falls Short
Multi-factor authentication is a necessary safeguard, but its limitations show why organizations can’t rely on it alone to prevent breaches.
https://www.securityweek.com/mfa-isnt-failing-but-its-not-succeeding-why-a-trusted-security-tool-still-falls-short/
To say that multi-factor authentication (MFA) is a failure is too extreme. But we cannot say it is successful – that much is empirically obvious. The important question is: Why?
MFA is universally recommended and often required. CISA says, “Adopting MFA is a simple way to protect your organization and can prevent a significant number of account compromise attacks.” NIST SP 800-63-3 requires MFA for systems at Authentication Assurance Levels (AAL) 2 and 3. Executive Order 14028 mandates all US government agencies to implement MFA. PCI DSS requires MFA for accessing cardholder data environments. SOC 2 requires MFA. The UK ICO has stated, “We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication…”
Yet, despite these recommendations, and even where MFA is implemented, breaches still occur. Why?
What’s the problem?
Think of MFA as a second, but dynamic, set of keys to the front door of a system. This second set is given only to the identity wishing to enter, and only if that identity is authenticated to enter. It is a different second key delivered for each different entry.
The principle is clear, and MFA should be able to prevent access to inauthentic identities. But this principle also relies on the balance between security and usability. If you increase security you decrease usability, and vice versa. You can have very, very strong security but be left with something equally difficult to use. Since the purpose of security is to enable business profitability, this becomes a conundrum.
Strong security can impinge on profitable operations. This is especially relevant at the point of access – if staff are delayed entry, their work is also delayed. And if MFA is not at maximum strength, even the company’s own staff (who simply want to get on with their work as quickly as possible) will find ways around it.
“Simply put,” says Jason Soroko, senior fellow at Sectigo, “MFA raises the difficulty for a malicious actor, but the bar often isn’t high enough to prevent a successful attack.” Discussing and solving the required balance in using MFA to reliably keep bad guys out while quickly and easily letting good guys in – and to question whether MFA is really needed – is the subject of this article.
Weaknesses
The primary problem with any form of authentication is that it authenticates the device being used, not the person attempting access. “It’s often misunderstood,” says Kris Bondi, CEO and co-founder of Mimoto, “that MFA isn’t verifying a person, it’s verifying a device at a point in time. Who is holding that device isn’t guaranteed to be who you expect it to be.”
The most common MFA method is to deliver a use-once-only code to the entry applicant’s mobile phone. But phones get lost and stolen (physically in the wrong hands), phones get compromised with malware (allowing a bad actor access to the MFA code), and electronic delivery messages get diverted (MitM attacks).
To these technological weaknesses we can add the ongoing criminal arsenal of social engineering attacks, including SIM swapping (persuading the carrier to transfer a phone number to a new device), phishing, and MFA fatigue attacks (triggering a flood of delivered but unexpected MFA notifications until the victim eventually approves one out of frustration). The social engineering threat is likely to increase over the next few years with gen-AI adding a new layer of sophistication, automated scale, and introducing deepfake voice into targeted attacks.
These weaknesses apply to all MFA systems that are based on a shared one-time code, which is basically just an additional password. “All shared secrets face the risk of interception or harvesting by an attacker,” says Soroko. “A one-time password generated by an app that has to be typed into an authentication web page is just as vulnerable as a password to key logging or a fake authentication page.”
There are more secure methods than simply sharing a secret code with the user’s mobile phone. You can generate the code locally on the device (but this retains the basic problem of authenticating the device rather than the user), or you can use a separate physical key (which can, like the mobile phone, be lost or stolen).
“Yes, MFA works to raise the level of difficulty of attack, but its success depends on the method and context,” adds Soroko. “However, attackers bypass MFA through social engineering, exploiting ‘MFA fatigue’, man-in-the-middle attacks, and technical flaws like SIM swapping or stealing session cookies.”
Implementing strong MFA just adds layer upon layer of complexity required to get it right, and it’s a moot philosophical question whether it is ultimately possible to solve a technological problem by throwing more technology at it (which could in fact introduce new and different problems). It is this complexity that adds a new problem: this security solution is so complex that many companies don’t bother to implement it or do so with only trivial concern.
“MFA has been in use for more than 20 years,” notes Bondi. “As with any tool, the longer it is in existence, the more time bad actors have had to innovate against it. And, frankly, many MFA approaches haven’t evolved much over time.”
Two examples of attacker innovations will demonstrate: AitM with Evilginx; and the 2023 hack of MGM Resorts.
For and against MFA
So, given that MFA clearly gets defeated, and given that it only authenticates the device not the user, should we abandon it?
The answer is a resounding ‘No’. The problem is that we misunderstand the purpose and role of MFA. All the recommendations and regulations that insist we must implement MFA have seduced us into believing it is the silver bullet that will protect our security. This simply isn’t realistic.
Consider the concept of crime prevention through environmental design (CPTED).
Simplified, the theory suggests that a space built with access control, territorial reinforcement, surveillance, continuous maintenance, and activity support will be less subject to criminal activity. It will not stop a determined burglar; but finding it hard to get in and stay hidden, most burglars will simply move to another less well designed and easier target. So, the purpose of CPTED is not to eliminate criminal activity, but to deflect it.
This principle translates to cyber in two ways. Firstly, it recognizes that the primary purpose of cybersecurity is not to eliminate cybercriminal activity, but to make a space too difficult or too costly to pursue. Most criminals will look for somewhere easier to burgle or breach, and – sadly – they will almost certainly find it. But it won’t be you.
Secondly, note that CPTED talks about the complete environment with multiple focuses. Access control: but not just the front door. Surveillance: pentesting might locate a weak rear entry or a broken window, while internal anomaly detection might uncover a burglar already inside. Maintenance: use the latest and best tools, keep systems up to date and patched. Activity support: adequate budgets, good management, proper recompense, and so on.
These are just the basics, and more could be included. But the primary point is that for both physical and cyber CPTED, it is the whole environment that needs to be considered – not just the front door.
That’s how we should consider MFA: an essential part of security, but only a part. It won’t defeat everyone but will perhaps delay or divert the majority. It is an essential part of cyber CPTED to reinforce the front door with a second lock that requires a second key.
Since the traditional front door username and password no longer delays or diverts attackers (the username is usually the email address and the password is too easily phished, sniffed, shared, or guessed), it is incumbent on us to strengthen the front door authentication and access so this part of our environmental design can play its part in our overall security defense.
The obvious way is to add an additional lock and a one-use key that isn’t created by nor known to the user before its use. This is the approach known as multi-factor authentication. But as we have seen, current implementations are not foolproof. The primary methods are remote key generation sent to a user device (usually via SMS to a mobile device); local app generated code (such as Google Authenticator); and locally held separate key generators (such as Yubikey from Yubico).
Each of these methods solve some, but none solve all, of the threats to MFA. None of them change the fundamental issue of authenticating a device rather than its user, and while some can prevent easy interception, none can withstand persistent, and sophisticated social engineering attacks. Nevertheless, MFA is important: it deflects or diverts all but the most determined attackers.
If one of these attackers succeeds in bypassing or defeating the MFA, they have access to the internal system. The part of environmental design that includes internal surveillance (detecting bad guys) and activity support (assisting the good guys) takes over. Anomaly detection is an existing approach for enterprise networks. Mobile threat detection systems can help prevent bad guys taking over mobile phones and intercepting SMS MFA codes.
Zimperium’s 2024 Mobile Threat Report published on September 25, 2024, notes that 82% of phishing sites specifically target mobile devices, and that unique malware samples increased by 13% over last year. The threat to mobile phones, and therefore any MFA reliant on them is increasing, and will likely worsen as adversarial AI kicks in.
As we’ve seen, MFA will not stop the determined attacker. “You need sensors and alarm systems on the devices,” he continues, “so you can see if anyone is trying to test the boundaries and you can start getting ahead of these bad actors.”
The important takeaway from this discussion is that you cannot rely on MFA to keep your systems safe – but it is an essential part of your overall security environment. Security is not just protecting the front door. It starts there, but must be considered across the whole environment. Security without MFA can no longer be considered security.
Tomi Engdahl says:
American Water Confirms Hack: Customer Portal and Billing Services Suspended
The largest U.S. water utility disconnects customer portal and suspends billing services following a cyberattack.
https://www.securityweek.com/american-water-confirms-hack-customer-portal-and-billing-services-suspended/
Tomi Engdahl says:
Stealthy ‘Perfctl’ Malware Infects Thousands of Linux Servers
The perfctl malware has been targeting vulnerabilities and misconfigurations in millions of Linux systems, likely infecting thousands.
https://www.securityweek.com/stealthy-perfctl-malware-infects-thousands-of-linux-servers/
Researchers at Aqua Security are raising the alarm for a newly discovered malware family targeting Linux systems to establish persistent access and hijack resources for cryptocurrency mining.
The malware, called perfctl, appears to exploit over 20,000 types of misconfigurations and known vulnerabilities, and has been active for more than three years.
Focused on evasion and persistence, Aqua Security discovered that perfctl uses a rootkit to hide itself on compromised systems, runs on the background as a service, is only active while the machine is idle, relies on a Unix socket and Tor for communication, creates a backdoor on the infected server, and attempts to escalate privileges.
The malware’s operators have been observed deploying additional tools for reconnaissance, deploying proxy-jacking software, and dropping a cryptocurrency miner.
The attack chain begins with the exploitation of a vulnerability or misconfiguration, after which the payload is deployed from a remote HTTP server and executed. Next, it copies itself to the temp directory, kills the original process and removes the initial binary, and executes from the new location.
The payload contains an exploit for CVE-2021-4043, a medium-severity Null pointer dereference bug in the open source multimedia framework Gpac, which it executes in an attempt to gain root privileges. The bug was recently added to CISA’s Known Exploited Vulnerabilities catalog.
perfctl: A Stealthy Malware Targeting Millions of Linux Servers
https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
Tomi Engdahl says:
Vulnerabilities
Jenkins Patches High-Impact Vulnerabilities in Server and Plugins
Jenkins has released patches for multiple high- and medium-severity vulnerabilities impacting the automation tool and several plugins.
https://www.securityweek.com/jenkins-patches-high-impact-vulnerabilities-in-server-and-plugins/
Open source CI/CD automation tool Jenkins has released patches for multiple high- and medium-severity vulnerabilities in the server and several plugins.
Patches were rolled out for two medium-severity flaws in Jenkins, one leading to the exposure of multi-line secrets and another to creation restriction bypass.
The fist issue, tracked as CVE-2024-47803, exists because “Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field,” according to a Jenkins security bulletin.
This could lead to multi-line secrets being exposed on error messages present in system logs and was addressed in Jenkins versions 2.479 and LTS 2.462.3 by redacting those secrets.
Jenkins also announced patches for CVE-2024-47804, a bug affecting the item creation functionality of the software development automation server.
While Jenkins can be configured to prohibit the creation of specific item types, if the creation is attempted using the Jenkins CLI or the REST API and one of two specific checks fails, the item would be created in memory and deleted from the disk.
“This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it,” Jenkins explains, adding that the latest server iterations no longer retail the item in memory.
Tomi Engdahl says:
ICS/OT
Ransomware Hits Critical Infrastructure Hard, Costs Adding Up
Report finds most organizations have suffered financial impact of $500,000 or more from cyberattacks on cyber-physical systems over past year.
https://www.securityweek.com/ransomware-hits-critical-infrastructure-hard-costs-adding-up/
The financial impact of a cyberattack targeting a cyber-physical system (CPS) can reach up to $1 million, as affected organizations struggle with revenue loss, recovery costs, and employee overtime.
According to a new Claroty survey of 1,100 security professionals involved in OT, IoT, BMS, and IoMT (connected medical devices), about 45% of organizations suffered losses of $500,000 or more over the past year, while 27% disclosed losses of $1 million or more.
More than half of the respondents in the chemical manufacturing, power and energy, and mining and materials sectors have reported losses greater than $500,000 caused by cyber incidents over the past 12 months, Claroty’s latest Global State of CPS Security report (PDF) shows.
https://web-assets.claroty.com/resource-downloads/cps-survey-business-disruptions.pdf
Tomi Engdahl says:
Vulnerabilities
Okta Tells Users to Check for Potential Exploitation of Newly Patched Vulnerability
Okta has resolved a vulnerability that could have allowed attackers to bypass sign-on policies and gain access to applications.
https://www.securityweek.com/okta-tells-users-to-check-for-potential-exploitation-of-newly-patched-vulnerability/
Tomi Engdahl says:
Edes Nordealla ei päästä Nordeaan sisään
Nordean verkkopankissa on jälleen ongelmia.
https://www.iltalehti.fi/digiuutiset/a/c5952cb3-b0c0-46df-b158-c6a85967a3b3
Ongelmat Nordean palveluissa ovat jatkuneet tiistaina. Asiakaspalvelun mukaan vika pyritään korjaamaan mahdollisimman pian.
Nordean asiakaspalvelu tiedotti puoli yhdentoista aikaan aamupäivällä, että osassa verkkopankin ja mobiilipankin palveluita on tilapäinen häiriö.
Myöhemmin Nordean asiakaspalvelu kertoi viestipalvelu X:ssä, että se ei pysty kertomaan häiriöstä haluamallaan tavalla.
– Häiriöstä johtuen häiriötiedon lisääminen digitaalisiin kanaviimme ei tällä hetkellä onnistu.
Puoli kahdentoista jälkeen asiakaspalvelu tiedotti, että tekniset häiriöt vaikuttavat mobiili- ja verkkopankin toiminnallisuuksiin, tunnistautumiseen kolmansien osapuolten palveluihin, osaan korttimaksuihin sekä käteisen nostoon automaateilta.
Iltalehden havaintojen sekä lukijoiden tekemien ilmoitusten mukaan ongelmia on ollut erityisesti pankkitilien ja korttien näkymisessä verkko- ja mobiilipankissa.
Osalla asiakkaista ei ole näkynyt lainkaan tilejä tai kortteja, osalla ei kaikkia.
Ongelmia on ollut Iltalehden tietojen mukaan myös laskujen maksamisessa.
”En pysty tarkastamaan”
Ilmeisesti Nordean itsensäkin pääsy tilien ja korttien tietoihin on rajoittunut.
Iltalehteen yhteyttä ottanut Nordean asiakas kertoo, että hän oli halunnut tarkastaa, oliko hänen tekemänsä luottokorttimaksu mennyt läpi.
Nordean verkkopankissa ei kuitenkaan näkynyt hänen tilejään tai korttejaan.
Tomi Engdahl says:
Raivostuttava salasanavaatimus halutaan kieltää
Vaikka standardit eivät ole pakottavaa lainsäädäntöä, niillä on suuri vaikutus esimerkiksi viranomaisten ja säädeltyjen alojen tietoturvakäytäntöihin.
https://www.iltalehti.fi/digiuutiset/a/5769a1e8-305f-4924-902e-a3ea42603bb5
Luultavasti jokainen viime vuosituhannella syntynyt ja atk:ta työssään käyttänyt suomalainen muistaa vielä ajan, jolloin työpaikan tietokoneen salasanaa piti vaihtaa säännöllisin väliajoin. Tyypillinen vaihtoväli oli kolme kuukautta, mutta pahimmillaan uusi salasana piti keksiä jopa kuukausittain.
Joillakin työpaikoilla tämä käytäntö voi vielä olla voimassa, mutta nyt siihen saattaa olla luvassa muutos. Yhdysvaltain standardiviranomainen NIST on viimein laittamassa pisteen asialle, kertoo Ars Technica.
Jatkuvan salasanojen vaihtamisen kun on todettu heikentävän tietoturvaa sen sijaan, että se parantaisi sitä. Heikentävä vaikutus johtuu siitä, että jatkuvasta salasanojen läträämisestä ärsyyntyneet työntekijät päätyvät käyttämään helpommin muistettavia ja näin ollen vähemmän turvallisia salasanoja, mikä heikentää tietoturvaa.
NIST:n uudessa ehdotuksessa ei vain suositella, vaan peräti kielletään salasanojen pakotettu uusiminen työnantajien it-ympäristöissä. Sen lisäksi kieltolistalle joutuu pakote käyttää samassa salasanassa sekä erilaisia kirjaimia, numeroita ja erikoismerkkejä, ja myös monille tutut turvakysymykset kuten “Mikä oli ensimmäisen lemmikkisi nimi?”
Vapautuksen vastapainona it-hallinnolle annetaan standardiehdotuksessa uudenlaisia ohjeita. Jatkossa työntekijöitä pitäisi ohjata keksimään nykyistä pidempiä. Standardin mukaan it-osastojen täytyisi jatkossa vaatia vähintään kahdeksan merkin pituisia salasanoja, mutta suositella vähintään 15 merkin mittaisia merkkipötköjä.
Sen lisäksi standardi sallisi kaikki ASCII-merkit, välilyönnit ja Unicode-merkit salasanoissa. Tämä mahdollistaisi myös emojien käytön osana salasanoja.
On kuitenkin autentikaatiopalvelun kehittäjän tehtävä määritellä, millaisia merkkejä salasanoihin hyväksytään.
NIST proposes barring some of the most nonsensical password rules
Proposed guidelines aim to inject badly needed common sense into password hygiene.
https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/
Tomi Engdahl says:
Qualcomm Alerted to Possible Zero-Day Exploited in Targeted Attacks
https://www.securityweek.com/qualcomm-alerted-to-possible-zero-day-exploited-in-targeted-attacks/
Google and Amnesty have seen evidence that a Qualcomm chipset vulnerability tracked as CVE-2024-43047 may be exploited in the wild.
Android’s October 2024 Update Patches 26 Vulnerabilities
https://www.securityweek.com/androids-october-2024-update-patches-26-vulnerabilities/
Google ships patches for 26 high-severity vulnerabilities as part of Android’s October 2024 security update.
Tomi Engdahl says:
MoneyGram Says Personal Information Stolen in Recent Cyberattack
Hackers stole personal information from MoneyGram’s systems during a three-day attack in September 2024.
https://www.securityweek.com/moneygram-says-personal-information-stolen-in-recent-cyberattack/
Tomi Engdahl says:
CISO Salary Surge: Fewer Job Changes, Bigger Paychecks for Experienced Cybersecurity Leaders
CISO salaries are getting higher and experience counts. Average annual compensation for these cybersecurity leaders is more than $550K.
https://www.securityweek.com/ciso-salary-surge-fewer-job-changes-bigger-paychecks-for-experienced-cybersecurity-leaders/
Tomi Engdahl says:
Haavoittuvuuksien määrä jatkaa kasvuaan: uusi ennätys vuonna 2023
https://etn.fi/index.php/13-news/16685-haavoittuvuuksien-maeaerae-jatkaa-kasvuaan-uusi-ennaetys-vuonna-2023
Kyberturvallisuuden haasteet jatkuvat, kun haavoittuvuuksien määrä saavutti uuden ennätyksen vuonna 2023. FortiGuard Labsin julkaisema “2H 2023 Global Threat Landscape Report” paljastaa, että vuonna 2023 raportoitiin ennätykselliset 30 000 uutta haavoittuvuutta, mikä on 17 % enemmän kuin edellisvuonna.
Tämä nopea kasvu haavoittuvuuksien määrässä asettaa organisaatioiden tietoturvatiimit yhä kovemmalle paineelle, kun niiden on reagoitava entistä nopeammin ja tehokkaammin uusiin uhkiin.
Vaikka vain pieni osa haavoittuvuuksista päätyy aktiiviseen hyödyntämiseen, on merkittävää, että 12,5 % kaikista historiallisista haavoittuvuuksista on edelleen olemassa ja ilman korjauksia organisaatioiden tietojärjestelmissä. Tämä tarkoittaa, että vanhat haavoittuvuudet ovat yhä hyökkääjien kohteina, ja niiden hyväksikäyttö jatkuu vuosia julkaisun jälkeen.
Tomi Engdahl says:
Chris Miller / Financial Times:NEW
Israel compromising Hezbollah pagers shows the West should take hardware security more seriously, especially as most electronics manufacturing shifted to Asia — Unreliable suppliers can modify devices, yet companies devote few resources to verifying the origin of components
https://www.ft.com/content/5c8f5c51-e205-4213-a85a-e6c52963c72c