Cyber security trends 2019

What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:

First I present a new information security term: Virtual Security = manufacturers claim that their products are secure, but in reality they are not.

With new APT groups and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non-trivial. Next-generation dark markets are making cybercrime easier than ever before.

Gartner expects the security market to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed 2018 in excess of $114 billion, a 12.4% increase from 2017.

A New Year’s Resolution: Security is Broken…Let’s Fix It. There are three strategies that show real promise for defending against tomorrow’s threats: Deploy Deception, Leverage Threat Intelligence, Think Proactively. Plan Now for Emerging Threats. Defending against these threats will require two things. The first is understanding the economic drivers of the criminal community, and the second is to adopt strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.

Many organizations have learned that it’s no longer a matter of if you’ll face a cyberattack, but when, and when they will finally discover that the hack has happened. For example, Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense, one that applies to both corporations and consumers: assume you are compromised.

In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. To counter this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. It is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps…why aren’t you?

Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers are actively scanning those systems for vulnerabilities in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late. Measure how good your security is. Tools have been developed to measure the maturity of data protection in an organization.

CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?

How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in the digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof social media profiles of your company or brands. Cyber criminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now more important than lurking in the shadows.

Today, cybersecurity is moving beyond financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft’s boss thinks that a cyber war cannot be won. High-impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for various cyber attacks in different sectors vary greatly; energy and finance are the most advanced. We should all keep in mind two things: the proliferation of cyberweapons is already happening, and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security.” It also seems that authoritarian forces are trying to claw back control and even re-purposing the web in ways that undermine democracy.

Companies need to be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires that the company can detect the attack in the first place. A large coordinated attack could target our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.

We need to build cyber resilience into our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” says Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”

Up to 350 million voters across the EU are expected to take to the polls in May 2019, to elect 705 Members of European Parliament (MEPs). With threat actors already meddling in the elections process in various countries, including in the United States, interference is expected in next year’s European process as well.

Did you remember to test the security? Every development team should know how to code securely and how to test security. This kind of basic information security hygiene creates the basis for genuinely sound applications. The basics for a tester in terms of information security are user identification and access control, stability, encryption, firewalls, intrusion detection, and anonymization of information. All of these can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.

You will see many big data breaches in 2019 too. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches; check for example the list of Biggest cyber security breaches 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been enough activity going on to considerably change the situation for the better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, one regulation has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.

How much will the first fines for GDPR infringement be? It remains to be seen in 2019, as sanctions for the big 2018 leaks start to appear. Infringement of the GDPR can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly been relatively conservative compared to the highest possible penalties, but with the recent spate of high-profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.

IoT malware and email hacks are on the rise again. Blackmail extortion emails will unfortunately continue in 2019 and become more innovative. In 2018 we first saw extortion emails claiming to have caught you watching porn, with the sender claiming to have infected your computer by hacking your account or planting malware. All sorts of variants exist. There was also a Spammed Bomb Threat Hoax that demanded Bitcoin. Then there has been a New Extortion Email that Threatens to Send a Hitman Unless You Pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.

The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increases, the threat is constantly growing. According to a Nokia report, IoT botnet operations accounted for 78 percent of malware detection events in communications service provider (CSP) networks in 2018.

Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks. The Constrained Application Protocol (CoAP) is about to become one of the most abused protocols for DDoS attacks, because most of today’s CoAP implementations forgo the hardened security modes in favour of the “NoSec” security mode, which keeps the protocol light but also leaves it open to DDoS abuse.

The Mirai botnet has been active since 2016, and several of its successors are still active. Mirai malware has a strong record of infecting poorly managed IoT devices and performing DDoS attacks on various platforms, and you will not get rid of new variations of it in 2019. The latest example is Miori: With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Like Mirai, Miori takes advantage of Internet-connected devices and compromises them by exploiting various vulnerabilities, and it is constantly evolving to target smart devices. Miori is just one of the many Mirai offshoots; there is another very similar variant called Shinoa.

Regulating cyber security features on networked devices seems to be on the rise. Germany proposes router security guidelines; it would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means fewer generic default credentials for a hacker to guess. In Finland, a security label created by FICORA’s Cybersecurity Center promises to make it easy for consumers to identify sufficiently secure devices in 2019.

Ransomware attacks will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care, but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer during 2018. There are a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.


The DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down the DNS, and the landscape is growing more problematic. Hopefully it will get more robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” is that all domains hosted on these poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take time to address this issue BEFORE February 1st, 2019.
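To make concrete what a Flag Day compliance check looks for, here is an added example (my own code, not from the original post, a DNS vendor or the Flag Day consortium) that builds a DNS query carrying an EDNS0 OPT record and classifies how a server replied to it. The four replies are constructed inline so nothing touches the network, and the status labels (“edns-ok”, “no-opt”, “formerr”, “timeout”) are my own naming.

```python
"""Offline EDNS (RFC 6891) compliance check in the spirit of DNS Flag Day.

Builds a query with an OPT pseudo-record and classifies a reply: did the
server echo an OPT record, answer without EDNS, reject with FORMERR, or
not answer at all?  All sample replies are constructed below (no network).
"""
import struct

TYPE_A, TYPE_OPT = 1, 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Encode 'example.test.' as DNS labels: \\x07example\\x04test\\x00."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, txid=0x1234, edns=True, udp_size=1232):
    """Recursive A query; with edns=True an OPT RR is appended in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if edns:
        # OPT RR: owner name is the root (one zero byte), TYPE=41, the CLASS
        # field carries our UDP payload size, the TTL field carries extended
        # RCODE / EDNS version / DO flag (all zero here), and there is no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_reply(query, reply):
    """Classify `reply` to the EDNS `query`; reply=None means nothing came back."""
    if reply is None:
        # This is the Flag Day change: resolvers stop retrying without EDNS, so a
        # server that silently drops OPT-bearing queries simply becomes unreachable.
        return {"status": "timeout", "edns": False}
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return {"status": "txid-mismatch", "edns": False}
    rcode = RCODE_NAMES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    off = 12
    for _ in range(qd):                       # question: name + QTYPE + QCLASS
        off = skip_name(reply, off) + 4
    opt = None
    for _ in range(an + ns + ar):             # answer, authority, additional RRs
        off = skip_name(reply, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:                 # OPT lives in the additional section
            opt = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                   "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    if rcode == "FORMERR":
        return {"status": "formerr", "edns": False}           # pre-EDNS server
    if opt is None:
        return {"status": "no-opt", "edns": False, "rcode": rcode}  # OPT ignored
    return {"status": "edns-ok", "edns": True, "rcode": rcode, **opt}


def make_reply(query, rcode=0, with_opt=True, with_answer=True):
    """Constructed reply: echoes the question, optionally adds an A record and an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answer = b""
    if with_answer:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0) if with_opt else b""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1,
                         1 if with_answer else 0, 0, 1 if with_opt else 0)
    return header + question + answer + opt


def run_checks():
    """Classify four constructed server behaviours against one EDNS query."""
    q = build_query("example.test.")
    cases = {
        "modern": make_reply(q),                                         # echoes OPT
        "ignores-edns": make_reply(q, with_opt=False),                   # answers, no OPT
        "rejects-edns": make_reply(q, rcode=1, with_opt=False, with_answer=False),
        "drops-edns": None,                                              # the fatal case
    }
    return {label: classify_reply(q, reply)["status"] for label, reply in cases.items()}


if __name__ == "__main__":
    for label, status in run_checks().items():
        print(f"{label:14s} -> {status}")
```

Pointing build_query at a real authoritative server over UDP and feeding the bytes back to classify_reply gives the same classification for your own zones; a “timeout” result is the one that Flag Day turns into a resolution failure.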

TLS 1.3 was published in August 2018. It had been over eight years since the last major update to the encryption protocol. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are more secure and faster than ever. With the OpenSSL 1.1.1 library, many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently from TLSv1.2, though, there are a few caveats that may affect a minority of applications. Add this to the list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.

Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended, yet PHP 5 is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because PHP 7 is not fully compatible with PHP 5, many sites also need updates to their PHP code. If you can’t update the PHP version for some reason, special attention should be paid to the security of the server and its environment.

Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but are you using them securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.

The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked about in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and products: expert systems, machine learning, deep learning, and artificial intelligence are all represented, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems Artificial Intelligence in Cybersecurity is Not Delivering on its Promise, at least not yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Cyber-criminals are also starting to use AI to make better attacks.

Machine learning can reduce the usefulness of CAPTCHA. A machine learning model broke the CAPTCHA systems of 33 highly visited websites very quickly.

Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and Wannacry affected several companies around the world. OlympicDestroyer affected the Olympic Games organization.

Old destructive attacks can persist for a long time. WannaCry is not dead as 2019 starts. Eighteen months after the initial outbreak of the WannaCry ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activated, so the ransomware component does not activate, but the infection continues to run silently in the background, routinely connecting to the kill switch domain to check whether it is still live.

The Spectre and Meltdown vulnerabilities that were found in 2017 and became public at the beginning of 2018 will continue. I have been following this saga since I reported it first in Finland at the Uusiteknologia.fi on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixes, but numerous new vulnerability variations on the same theme have been reported over the year, the latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found in modern processors.

USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because they can cause serious disruption to process facilities through insecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.

The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier against cyberattacks, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Also air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.

There are still major cyber security problems in industrial systems. The major problems in industrial cyber security are inadequate software updates, the resulting non-upgraded systems, and shared user IDs used for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.

Perimeter-less security is hot in 2019. You can no longer build well-defined perimeters around all of your systems. Welcome to a World of Zero Trust. The Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.

Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.

Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.

Good database security planning is essential for protecting a company’s most important assets, because attackers who can shut a company out of its own data can quickly cripple it. Leaked data is also costly: the cost of the leak itself, regulatory costs (including GDPR fines) and reputational damage that can affect revenue for a long time.

Right at the end of 2018 there were reports of SQLite vulnerabilities. Magellan is a set of vulnerabilities in SQLite that allowed remote code execution in Chromium browsers (already fixed). These vulnerabilities can have a wide range of influence in 2019, because SQLite is widely used in all modern mainstream operating systems and software. There is potential that this Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports of attacks against many different systems whose users have failed to secure them.

DevSecOps is having a positive impact on security, but the state of security still has a long way to go, as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET applications contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still be riddled with security vulnerabilities.

Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error is usually unintentional, but it can have catastrophic consequences, exposing sensitive personal information as well as potentially damaging the reputation of your business. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.


4 mobile security threats that companies must fight in 2019: cryptojacking, data breaches, insecure networks and social engineering attacks. Mobile spear phishing campaigns will also form the cornerstone of targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite the 5G hype. I don’t expect the assault on mobile to slow down, as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.

Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation, hardware-backed security. There are also new protections for the Application Sandbox.

Ultrasonic Tracking Beacons are on the Rise. An ultrasonic beacon is an inaudible sound with encoded data that a listening device with a suitable application can receive; the information carried could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.

PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign of the well-known Emotet banking trojan was spotted making use of freeware system tools for an obscure purpose.

Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allows users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for this new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.

It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of the cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.

Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security Threats. But do we understand the 5G security threats to come? Most probably not, because it seems that the general understanding of 5G is pretty shallow in very many organizations. Many countries are not comfortable with the Chinese building their 5G networks.

Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is potential risk that Surveillance Inhibits Freedom of Expression.

Old, outdated encryption technologies refuse to die. MD5 and SHA-1 were still used in 2018 and their use does not seem to be ending in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.

Legislation is trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep the Internet safe.

The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.

The use of bug bounty programs to find security vulnerabilities in software and services is increasing. In January, the EU starts running Bug Bounties on Free and Open Source Software, with the European Commission starting to offer bug bounties on 14 Free Software projects, such as Notepad++ and VLC, that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program.

You might need a password manager in 2019 more than you need one now. If you thought passwords would soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember, and sometimes easily hackable. Nobody likes passwords, but they’re a fact of life. How do you make them better? You need a password manager. Some examples of proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.

Two-factor authentication can also save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts, and it usually (when implemented well) only adds a few extra seconds to your day.

Two-factor authentication has been considered best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

Two-factor authentication can be hacked. Phishing attempts that bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write-up about phishing attacks that are bypassing 2FA. If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account, as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to more robust methods.

Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.


810 Comments

  1. Tomi Engdahl says:

    Windows 7 Has One Year to Live
    https://www.tomshardware.com/news/windows-7-one-year-to-live,38435.html

    Microsoft will officially stop releasing any updates for Windows 7 on January 14, 2020. (Technically it stopped updating the base version of the operating system in 2013; users have to install Windows 7 Service Pack 1 to get more recent updates.) Once those releases stop, Windows 7 will have officially been abandoned by its creator, and its users will either have to use the neglected operating system or finally upgrade to Windows 10.

  2. Tomi Engdahl says:

    A new taxonomy for SCADA attacks
    https://www.helpnetsecurity.com/2019/01/15/analyze-scada-attacks/

    Attacks aimed at SCADA networks are still much rarer than those targeting IT networks, but the number is slowly rising.

    “The current lack of a single taxonomy to analyze security incidents leads to difficulties in understanding the threat landscape in an unbiased way,”

  3. Tomi Engdahl says:

    Dropgangs, or the future of darknet markets
    https://opaque.link/post/dropgang/

    The Internet is full of commercial activity and it should come at no surprise that even illegal commercial activity is widespread as well. In this article we would like to describe the current developments – from where we came, where we are now, and where it might be going – when it comes to technologies used for digital black market activity.

    We will refrain from any legal, moral or ethical judgment on these activities but focus on the technical and operational security aspects. What is illegal and unethical trade for one is perfectly legal for another. Judge for yourself.

    Reply
  4. Tomi Engdahl says:

    Massachusetts Amends Law Protecting Consumers From Security Breaches
    https://www.bleepingcomputer.com/news/security/massachusetts-amends-law-protecting-consumers-from-security-breaches/

    Massachusetts Governor Charlie Baker signed a new law on January 10 that amends the state’s data breach law removing the fees imposed by credit reporting agencies for security disclosures and freezes of consumer credit reports.

    The new law, aptly named “An Act relative to consumer protection from security breaches,” also comes with a number of changes to the way companies will have to deal with security breaches involving the personal information of their customers.

    The detailed steps businesses must take according to the Massachusetts law are detailed on the Commonwealth of Massachusetts’ government website on the “Requirements for Data Breach Notifications” web page.

    https://www.mass.gov/service-details/requirements-for-data-breach-notifications

    Reply
  5. Tomi Engdahl says:

    Trumping Physical Security with Software Insecurity
    https://medium.com/tenable-techblog/trumping-physical-security-with-software-insecurity-3945a63e1f1a

    A few months ago, I decided to take a look at PremiSys IDenticard, an identification and building access management system. This software allows customers to create custom ID cards for personnel, manage access levels for specific rooms or regions of a building, and remotely manage ID readers and similar devices. At the time of this research, the version of the software I had permission to access was 3.1.190. I did not have access to any physical badge equipment or other components, so this research was fairly limited in scope. That being said, my efforts were not fruitless.

    Reply
  6. Tomi Engdahl says:

    Want to get rich from bug bounties? You’re better off exterminating roaches for a living
    Before you outsource security to strangers, try boosting internal cybersecurity skills
    https://www.theregister.co.uk/2019/01/15/bugs_bounty_salary/

    Security researchers looking to earn a living as bug bounty hunters would do better to pursue actual insects.

    Using data from bug bounty biz HackerOne, security shop Trail of Bits observes that the top one per cent of bug hunters found on average 0.87 bugs per month, resulting in bounty earnings equivalent to an average yearly salary of $34,255 (£26,500).

    That’s a bit less than the median wage for a pest control worker in

    Reply
  7. Tomi Engdahl says:

    Defense Department Continuously Challenged on Cybersecurity
    https://www.securityweek.com/defense-department-continuously-challenged-cybersecurity

    A recently published report from the United States Department of Defense (DoD) Inspector General shows that, while the Department has improved its security posture, it still faces challenges in managing cybersecurity.

    Reply
  8. Tomi Engdahl says:

    Tim Cook / TIME:
    Tim Cook calls on Congress to pass privacy legislation and on the FTC to create a “data-broker clearinghouse”, enabling users to track and control their data — We all deserve control over our digital lives. That’s why we must rein in the data brokers

    You Deserve Privacy Online. Here’s How You Could Actually Get It
    http://time.com/collection-post/5502591/tim-cook-data-privacy/

    We all deserve control over our digital lives. That’s why we must rein in the data brokers

    In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.

    Reply
  9. Tomi Engdahl says:

    ‘We Want IoT Security Regulation,’ Say 95% of IT Decision-Makers
    https://www.darkreading.com/endpoint/we-want-iot-security-regulation-say-95–of-it-decision-makers/d/d-id/1333667?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

    New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.

    IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn’t actually want it.

    Findings come from a Gemalto survey, released Tuesday, of 950 IT and business decision-makers across the globe. One-third of the respondents say they create IoT devices, 30% create IoT software, 30% are IoT integrators, and half use IoT devices created by a third party. (Multiple responses were allowed.)

    Reply
  10. Tomi Engdahl says:

    Apple CEO Demands Federal Data Privacy Legislation
    https://threatpost.com/apple-ceo-demands-federal-data-privacy-legislation/140978/

    Apple CEO Tim Cook has called on the government to double down on data privacy regulation in 2019.

    Apple CEO Tim Cook is adding his voice to the wave of tech giants, privacy watchdogs, and consumers calling for the government to roll out tightened consumer data privacy regulations.

    The Apple executive called on Congress to pass “comprehensive federal privacy legislation” that would effectively regulate the collection of personal data, increases transparency around how and why data is collected, enables the right to access and delete personal data, and amps up data security.

    “In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours,”

    Reply
  11. Tomi Engdahl says:

    Are you submitting bugs for free when others are being paid? Welcome to BugBounties!
    https://medium.com/@zseano/are-you-submitting-bugs-for-free-when-others-are-being-paid-welcome-to-bugbounties-9e0fdb40a837

    All we want to do is work with companies to help them secure their assets and for it to be a fair & fun environment for both parties. Platforms are ruining this and destroying their researchers. We are meant to trust Platforms, but everyday that trust with researchers is getting thinner & thinner when they allow companies to effectively scam researchers out of our time in the hopes of getting paid.

    Most people new to bugbounties are told, “Go and work on the public programs to build your rep and then you’ll get private invites!”. You are literally busting your ass off for free when the “oldschoolers” are all in the same program w/ same scope, but getting paid! When I first started I did not have to prove myself by submitting bugs for free.

    Reply
  12. Tomi Engdahl says:

    Win Back Some Privacy With A Cone Of Silence For Your Smart Speaker
    https://hackaday.com/2019/01/17/win-back-some-privacy-with-a-cone-of-silence-for-your-smart-speaker/

    To quote the greatest philosopher of the 20th century: “The future ain’t what it used to be.” Take personal assistants such as Amazon Echo and Google Home. When first predicted by sci-fi writers, the idea of instant access to the sum total of human knowledge with a few utterances seemed like a no-brainer; who wouldn’t want that? But now that such things are a reality, having something listening to you all the time and potentially reporting everything it hears back to some faceless corporate monolith is unnerving, to say the least.

    There’s a fix for that, though, with this cone of silence for your smart speaker. Dubbed “Project Alias” by [BjørnKarmann], the device consists of a Raspberry Pi with a couple of microphones and speakers inside a 3D-printed case. The Pi is programmed to emit white noise from its speakers directly into the microphones of the Echo or Home over which it sits, masking out the sounds in the room while simultaneously listening for a hot-word. It then mutes the white noise, plays a clip of either “Hey Google” or “Alexa” to wake the device up, and then business proceeds as usual.

    https://www.instructables.com/id/Project-Alias/

    Reply
  13. Tomi Engdahl says:

    Six Steps to Segmentation in a Perimeterless World
    https://www.securityweek.com/six-steps-segmentation-perimeterless-world

    Setting Objectives and Having a Clear Roadmap is the Best Path to a Successful Network Segmentation Journey

    1. Define Objectives.
    2. Identify, Classify and Prioritize Assets
    3. Gain Visibility to Support and Augment the Strategy.

    You’ve now done the critical work to develop a segmentation strategy that matches your needs.

    Reply
  14. Tomi Engdahl says:

    Facial image matching system risks ‘chilling effect’ on freedoms, rights groups say
    https://www.theguardian.com/world/2018/nov/07/facial-image-matching-system-risks-chilling-effect-on-freedoms-rights-groups-say

    System dubbed ‘the capability’ processes Australians’ information whether they are crime suspects or not

    Reply
  15. Tomi Engdahl says:

    What can someone do with an IP Address
    https://www.youtube.com/watch?v=V3Uz8YwcGZE

    What can someone do with an IP Address

    Reply
  16. Tomi Engdahl says:

    Cyber security: This giant blind spot will cost us dear
    https://www.zdnet.com/article/cyber-security-this-giant-blind-spot-will-cost-us-dear/

    Cyber attacks are one of the biggest risks facing the world. Our inability to address the underlying issues risks disaster.

    Reply
  17. Tomi Engdahl says:

    The Geopolitical Influence on Business Risk Management
    https://www.securityweek.com/geopolitical-influence-business-risk-management

    Report Maps Out Ten Major Geopolitical Risks That Businesses Will Face in 2019

    When cybersecurity first emerged as a discrete profession, it was siloed. It was a black box profession outside of the day-to-day running of the business: its purpose was simply to protect the business. Security is now better integrated with IT. It started with a brief to protect the existing infrastructure, but is now — through SecOps — involved in building security-by design into new applications.

    At the business level, security now has the ear of the board, and sometimes has a seat on the board. This is all progress, but it mustn’t stop there. Business is increasingly global in nature. That takes it into different cultures and different jurisdictions and different geopolitical risks. The CISO now needs to be included in the geopolitics of business.

    Reply
  18. Tomi Engdahl says:

    Let’s Encrypt Begins Retirement of TLS-SNI-01 Validation
    https://www.securityweek.com/lets-encrypt-begins-retirement-tls-sni-01-validation

    Free and open Certificate Authority (CA) Let’s Encrypt today started the process of completely retiring TLS-SNI-01 validation support.

    Let’s Encrypt decided last year that it would disable support for the TLS-SNI-01 validation after learning that users could abuse it to obtain certificates for domains they do not own. The problem, the CA revealed at the time, was the use of the ACME TLS-SNI-01 challenge type for domains on a shared hosting infrastructure.

    Although the issue wasn’t related to the certificate authority itself, but instead the result of a combination of factors, Let’s Encrypt decided that disabling support for the validation method was the best way to handle the situation at the time.

    Reply
  19. Tomi Engdahl says:

    French diplomat: Spies gonna spy – there aren’t any magical cyberspace laws that can prevent it
    Pragmatic chap looks at reality of international relations
    https://www.theregister.co.uk/2019/01/22/countries_spy_regardless_global_cybersecurity_regulation/

    FIC2019 A French diplomat has suggested that future global regulation of cyberspace could exempt spying from regulation “as long as some specific sectors are preserved”.

    Although he prefaced his comments by saying “I speak on my behalf, not for France,” Jean Heilbronn went on to tell an audience at French infosec conference FIC2019: “I don’t think we need a new global agreement to stabilise cyberspace.”

    “We already have rules in international law with the UN Charter which prevents restrictions on the use of force,” said Heilbronn through a translator, though later in the talk he switched to fluent English. “That also applies to cyberspace… let’s be careful with this notion.”

    Reply
  20. Tomi Engdahl says:

    From the NSA to Silicon Valley, a new kind of encryption is going commercial
    https://www.cyberscoop.com/homomorphic-encryption-nsa-silicon-valley-commercial/

    Encryption as we know it is on the brink of a major advancement: Mathematics teams at IBM, Intel, Microsoft and a range of startup firms are pushing ahead with research that could make it possible for technology companies to encrypt data while it’s in use.

    This kind of security, known as homomorphic encryption, would mark a significant upgrade over current forms of encryption, which secure data while it’s stored or while it’s moving through a connection. Homomorphic encryption would better protect users who are using internet searches and accessing stored credit numbers as well as businesses that are sharing proprietary data as part of information sharing programs.

    Homomorphic encryption soon will help large companies protect their information at times when they need to share it in a multi-party computing environment, Horvath said.

    Reply
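The property the CyberScoop piece describes, computing on data while it stays encrypted, is easiest to see with a partially homomorphic scheme. The block below is an added example, not code from the article or from any of the IBM, Intel or Microsoft libraries it mentions: a toy Paillier cryptosystem in which anyone holding only the public key can add two ciphertexts (and multiply a ciphertext by a plaintext constant) without decrypting. The primes are tiny constructed values chosen so the arithmetic is readable; a real deployment uses primes of 1024 bits or more and a constant-time bignum library.

```python
"""Toy Paillier cryptosystem demonstrating additive homomorphism.

Added example (not from the article or any vendor library). Paillier
encrypts m as g^m * r^n mod n^2; multiplying two ciphertexts adds the
plaintexts, so a party that never sees a key can total values for the
key holder. Primes below are small constructed values for illustration.
"""
import math
import secrets
from typing import Optional, Tuple

PublicKey = Tuple[int, int]   # (n, g)
PrivateKey = Tuple[int, int]  # (lambda, mu)


def keygen(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Paillier key generation with the common simplification g = n + 1."""
    assert math.gcd(p * q, (p - 1) * (q - 1)) == 1, "p and q must be similar-size primes"
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1
    n2 = n * n
    # L(x) = (x - 1) / n ; mu = L(g^lambda mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub: PublicKey, m: int, r: Optional[int] = None) -> int:
    n, g = pub
    n2 = n * n
    if r is None:
        # Random r in [1, n) coprime to n: this randomness is what makes
        # Paillier semantically secure (the same m encrypts differently each time).
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv: PrivateKey, pub: PublicKey, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n
    return (l_value * mu) % n


def add_encrypted(pub: PublicKey, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 decrypts to (m1 + m2) mod n. No key needed."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub: PublicKey, c: int, k: int) -> int:
    """E(m)^k mod n^2 decrypts to (k * m) mod n. No key needed."""
    n, _ = pub
    return pow(c, k, n * n)


def demo_sum_without_decrypting(values, p: int = 1000003, q: int = 1000033) -> int:
    """Key holder encrypts each value; an untrusted aggregator (which only
    sees `pub` and ciphertexts) totals them; key holder decrypts the sum."""
    pub, priv = keygen(p, q)
    ciphertexts = [encrypt(pub, v) for v in values]
    total_ct = ciphertexts[0]
    for c in ciphertexts[1:]:
        total_ct = add_encrypted(pub, total_ct, c)   # aggregator side: no key
    return decrypt(priv, pub, total_ct)


if __name__ == "__main__":
    print(demo_sum_without_decrypting([10, 20, 12]))
```

Paillier is additive only; the fully homomorphic schemes the article says are heading for commercial use support both addition and multiplication on ciphertexts, at a much higher cost per operation, which is the engineering gap those teams are working on.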
  21. Tomi Engdahl says:

    How Cybercriminals Clean Their Dirty Money
    https://www.darkreading.com/attacks-breaches/how-cybercriminals-clean-their-dirty-money-/a/d-id/1333670

    By using a combination of new cryptocurrencies and peer-to-peer marketplaces, cybercriminals are laundering up to an estimated $200 billion in ill-gotten gains a year. And that’s just the beginning.

    Reply
  22. Tomi Engdahl says:

    SSDP amplification attacks rose 639%
    https://www.helpnetsecurity.com/2019/01/22/ssdp-amplification-attacks/

    The Nexusguard Q3 2018 Threat Report has revealed the emergence of an extremely stealthy DDoS attack pattern targeting communications service providers (CSPs).

    This new vector exploits the large attack surface of ASN-level (autonomous system number) CSPs by spreading tiny attack traffic across hundreds of IP addresses to evade detection. The ongoing evolution of DDoS methods suggests that CSPs need to enhance their network security posture and find more effective ways to protect their critical infrastructure and tenants.

    The continued discovery of new attack patterns should also alert enterprises to the importance of selecting DDoS-proof service providers.

    Reply
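The pattern described above, attack traffic spread thinly across many addresses inside one provider's network, defeats the usual per-destination volume threshold. The following is an added example, not code from the Nexusguard report or the Help Net Security article: it runs two detections over constructed flow records (a NetFlow-like CSV of SSDP responses, UDP source port 1900) and shows that the per-destination rule sees nothing while aggregating by destination prefix exposes the reflector swarm. Field names, thresholds and all addresses are constructed sample values.

```python
"""Detecting low-and-slow SSDP reflection in flow records.

Added example, not from the report or article above. Flow lines are
constructed sample data in the shape:
    epoch,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

SSDP_PORT = 1900


def parse_flows(text: str) -> List[dict]:
    rows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        rows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "proto": proto,
                     "bytes": int(nbytes), "packets": int(pkts)})
    return rows


def ssdp_response_flows(rows: List[dict]) -> List[dict]:
    """SSDP replies come from UDP source port 1900; in a reflection event they
    arrive at hosts that never sent an M-SEARCH."""
    return [r for r in rows if r["proto"] == "udp" and r["sport"] == SSDP_PORT]


def per_destination_alerts(rows: List[dict], min_bytes: int) -> List[str]:
    """Classic rule: alert on any single target receiving >= min_bytes."""
    by_dst: Dict[str, int] = defaultdict(int)
    for r in ssdp_response_flows(rows):
        by_dst[r["dst"]] += r["bytes"]
    return sorted(d for d, b in by_dst.items() if b >= min_bytes)


def per_prefix_alerts(rows: List[dict], prefix_len: int = 24,
                      min_reflectors: int = 50, min_bytes: int = 50_000) -> Dict[str, dict]:
    """Aggregate by destination prefix: many distinct reflectors hitting many
    targets in one network is the signature even when each target is quiet."""
    stats = defaultdict(lambda: {"reflectors": set(), "targets": set(), "bytes": 0})
    for r in ssdp_response_flows(rows):
        net = ipaddress.ip_network(f"{r['dst']}/{prefix_len}", strict=False)
        s = stats[str(net)]
        s["reflectors"].add(r["src"])
        s["targets"].add(r["dst"])
        s["bytes"] += r["bytes"]
    alerts = {}
    for net, s in stats.items():
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes:
            alerts[net] = {"reflectors": len(s["reflectors"]),
                           "targets": len(s["targets"]), "bytes": s["bytes"]}
    return alerts


def build_sample_flows() -> str:
    """Constructed data: 200 reflectors in 198.51.100.0/24 each send one
    350-byte SSDP reply to one of 50 targets in 203.0.113.0/24 (4 replies and
    1400 bytes per target), plus one legitimate discovery reply in 192.0.2.0/24."""
    lines = ["# epoch,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets"]
    t0 = 1548720000
    for i in range(200):
        reflector = f"198.51.100.{i + 1}"
        target = f"203.0.113.{10 + i % 50}"
        lines.append(f"{t0 + i},{reflector},1900,{target},{40000 + i},udp,350,1")
    lines.append(f"{t0},192.0.2.20,1900,192.0.2.10,51234,udp,400,1")
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("per-destination:", per_destination_alerts(flows, min_bytes=10_000))
    print("per-prefix:", per_prefix_alerts(flows))
```

On the constructed data the per-destination rule returns nothing, because no target exceeds 1400 bytes, while the per-prefix rule flags 203.0.113.0/24 with 200 distinct reflectors; the legitimate reply in 192.0.2.0/24 has a single source and stays below both thresholds.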
  23. Tomi Engdahl says:

    ‘The goal is to automate us’: welcome to the age of surveillance capitalism
    https://www.theguardian.com/technology/2019/jan/20/shoshana-zuboff-age-of-surveillance-capitalism-google-facebook

    Shoshana Zuboff’s new book is a chilling exposé of the business model that underpins the digital world. Observer tech columnist John Naughton explains the importance of Zuboff’s work and asks the author 10 key questions

    We’re living through the most profound transformation in our information environment since Johannes Gutenberg’s invention of printing in circa 1439. And the problem with living through a revolution is that it’s impossible to take the long view of what’s happening.

    Reply
  24. Tomi Engdahl says:

    Data Collected from Old Breaches Is Not a New Data Breach
    https://www.bleepingcomputer.com/editorial/security/data-collected-from-old-breaches-is-not-a-new-data-breach/

    Knowing what I typically write about, my phone has been dinging and ringing lately as people were concerned about the new MONSTER MEGA DATA BREACH that they read about online. Of course they were referring to the numerous stories published this week about a giant data breach with 773 million unique email addresses in it.

    The problem, though, is that this was not a new data breach. It was just a collection of old data breaches that was compiled into a single folder called Collection #1. What is more concerning is that the collection contains decrypted, or dehashed, passwords for many of the accounts, which makes it much easier to use in attacks.

    Reply
  25. Tomi Engdahl says:

    Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure
    https://securityintelligence.com/why-cisos-and-boards-should-work-together-to-improve-cybersecurity-disclosure/

    Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report.

    Businesses Are Under Pressure to Disclose Cyber Risks

    It’s no secret that cybersecurity has become a regular topic of discussion for boards and top leadership. But just because something is discussed every once in a while doesn’t mean that organizations are taking effective steps to deal with it. As the events of the past two years have shown, cybersecurity risks are real, and publicly traded organizations that experience a cyber incident — be it a breach, ransomware attack, denial-of-service (DoS) or other digital disruption — will quickly find themselves in the spotlight with ample, but unwanted, news coverage.

    The problem for many of these companies isn’t the spotlight from the press or the immediate drop in stock value — it’s the secondary but very significant impacts coming from class-action lawsuits, fines and other regulatory enforcements, and long-lasting scrutiny from regulators such as the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC).

    The SEC’s 2011 guidance reminded board directors that cybersecurity — at the time a relatively new issue rising to the board’s level — was a material issue to be addressed.

    Top Findings From EY’s Cybersecurity Disclosure Study

    EY’s analysis of 10-K filings and proxy statements from Fortune 100 firms found that all organizations — yes, 100 percent — included cybersecurity as a risk factor consideration. Furthermore, 84 percent mentioned cybersecurity in the risk oversight section, and nearly 7 in 8 organizations had charged at least one committee with oversight of cyber risks (though, in 70 percent of those organizations, that committee was the audit committee, whose agenda is already bursting with challenging issues).

    Reply
  26. Tomi Engdahl says:

    “I never assume that the network is clean or free of eavesdroppers” – The EU and the USA also engage in espionage
    https://www.kauppalehti.fi/uutiset/en-koskaan-oleta-etta-verkko-on-puhdas-tai-vapaa-salakuuntelijoista-myos-eu-ja-usa-harrastavat-vakoilua/fba7bce7-a294-4ab2-916b-f3846553ed1d

    It has been suspected that European telecommunications equipment manufacturers have also been guilty of espionage, says Erka Koivunen, F-Secure’s head of cyber security.

    Reply
  27. Tomi Engdahl says:

    Serious Security: What 2000 years of cryptography can teach us
    https://nakedsecurity.sophos.com/2019/01/20/serious-security-what-2000-years-of-cryptography-can-teach-us/

    These days, a lot of your data gets encrypted when you save it to disk or send it over the internet.

    The data gets decrypted again when you read it back in or after it’s received at the other end.

    For that, you need some sort of cryptographic algorithm – what’s known in the jargon as a symmetric cipher or secret-key encryption.

    Symmetric ciphers use the digital equivalent of a key, typically a string of characters, to lock and unlock the data.

    In this article, we’ll take a journey through the history of symmetric ciphers during the pen-and-paper era, before mechanical and electronic encryption devices came onto the scene.

    From Julius Caesar in the first century BC to Joseph Mauborgne at the end of the second millennium AD, we’ll look at:

    How each generation of algorithms worked.
    Why they fell by the wayside.
    What was better – or not! – about what came next.

    Reply
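The first stop on the journey the Sophos article promises is the shift cipher attributed to Caesar, and the reason it fell by the wayside is worth seeing in code. The block below is an added example, not code from the article: it implements the shift cipher, then recovers the key two ways at once, by trying all 25 keys and by scoring each candidate against English letter frequencies. The sample plaintext is constructed.

```python
"""Shift (Caesar) cipher and the frequency-analysis attack that retired it.

Added example, not from the Sophos article. Two weaknesses are visible:
the key space is 25 (so exhaustive search is instant), and the ciphertext
keeps the plaintext's letter statistics (so a chi-squared fit to English
frequencies picks the right key without any known plaintext).
"""
import string
from collections import Counter
from typing import Tuple

ALPHABET = string.ascii_uppercase
# Approximate English letter frequencies in percent, A..Z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter by `key` places; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    return shift_encrypt(ciphertext, -key)


def chi_squared_score(text: str) -> float:
    """Lower is closer to English letter frequencies."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    score = 0.0
    for i, ch in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[i] / 100.0 * n
        score += (counts[ch] - expected) ** 2 / expected
    return score


def brute_force(ciphertext: str) -> dict:
    """Weakness 1: only 25 non-trivial keys, so list every candidate."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


def break_shift(ciphertext: str) -> Tuple[int, str]:
    """Weakness 2: pick the candidate whose letter counts best fit English."""
    best_key = min(range(26), key=lambda k: chi_squared_score(shift_decrypt(ciphertext, k)))
    return best_key, shift_decrypt(ciphertext, best_key)


# Constructed sample plaintext (ordinary English, so the statistics hold).
SAMPLE_PLAINTEXT = ("ATTACKERS WHO READ THE SAME SHIFTED ALPHABET IN EVERY MESSAGE NEED ONLY "
                    "COUNT THE LETTERS THE MOST COMMON SYMBOL IS ALMOST ALWAYS THE LETTER E "
                    "AND THE REST OF THE KEY FALLS OUT AT ONCE")

if __name__ == "__main__":
    ct = shift_encrypt(SAMPLE_PLAINTEXT, 3)
    print(ct)
    print(break_shift(ct))
```

The same frequency attack carries over, with a little more bookkeeping, to any monoalphabetic substitution, which is why the next generations of pen-and-paper ciphers in the article's history tried to flatten the letter statistics rather than just enlarge the key space.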
  28. Tomi Engdahl says:

    How to educate your employees about cyberthreats
    https://www.kaspersky.com/blog/k-asap/25411/

    Security Awareness (corporate cybersecurity training for employees) is perhaps the most in-demand area of the IT market. Companies understand perfectly well that mistakes by employees account for the majority of all incidents, and that the situation can be fixed only with the help of competent, effective training.

    However, most awareness programs were made to meet the demands of enterprise customers. They are complicated and inflexible. Smaller businesses require something different.

    Reply
  29. Tomi Engdahl says:

    PCI SSC Releases New Security Standards for Payment Software
    https://www.securityweek.com/pci-ssc-releases-new-security-standards-payment-software

    The new PCI Secure Software Standard and the PCI Secure Lifecycle (SLC) Standard are part of a new Software Security Framework and their goal is to ensure that the development of payment software keeps up with modern practices.

    Reply
  30. Tomi Engdahl says:

    No-deal Brexit – the data dilemma
    https://www.bbc.com/news/technology-46896530

    Two urgent questions – does your business move data across borders and if so are you prepared for what could happen if the UK leaves the EU at the end of March without a deal?

    any company that moves data between the UK and an EU country needs to be aware of what will change if we effectively sign out of the General Data Protection Regulation (GDPR), Europe’s data protection regime.

    Reply
  31. Tomi Engdahl says:

    Who’s Really Behind the World’s Most Popular Free VPNs?
    https://hackernoon.com/whos-really-behind-the-world-s-most-popular-free-vpns-d74bafc82178

    After big names like Whatsapp, Snapchat, and Facebook, VPNs are the most searched-for applications in the world. “VPN” is the second-highest non-branded search term behind “games”, and free apps completely dominate the search results.

    When someone opts to install a VPN on their device, they are essentially choosing to trust their data with that company instead of their ISP or wireless carrier. The VPN provider can inspect your traffic, modify it, log it, and if their policy permits, send or sell it elsewhere.

    We found that very few of these hugely popular apps do anywhere near enough to deserve the trust of those looking to protect their privacy online.

    Reply
  32. Tomi Engdahl says:

    EU-Japan Deal to Protect Data Exchanges Takes Effect
    https://www.securityweek.com/eu-japan-deal-protect-data-exchanges-takes-effect

    The European Union and Japan on Wednesday launched the “world’s largest areas of safe data flows” after finalizing common rules to protect personal information, the EU said.

    Firms can transfer data now that the executive European Commission finds that Japanese law offers “a comparable level of protection of personal data,” the commission said.

    Reply
  33. Tomi Engdahl says:

    The Devil You Know – How Idioms Can Relate to Information Security
    https://www.securityweek.com/devil-you-know-how-idioms-can-relate-information-security

    How can a security team understand when to take which approach? To examine this question, I offer five guidelines to help security organizations understand when to stay with the known, versus when to move on to the new.

    1. Risk: Managing, mitigating, and minimizing risk should be on the mind of the security professional at all times. Understanding how to properly identify, enumerate, and assess risk are important and necessary precursors to managing, mitigating, and minimizing it.

    2. Objectivity: Introducing more objectivity into a security program and reducing its subjectivity is always a positive. Paths that lead to more objectivity in security should always be encouraged. If an organization doesn’t succeed at making its security program more objective, or if the security program seems to be getting ever more subjective, it’s a sign that the time has come to shake things up. Out with the too-subjective-old and in with the more-objective-new.

    3. Stagnation: Regardless of where along the maturity curve a security team finds itself, it needs to continuously strive to improve. If the security posture of the organization is improving, and if the security team is maturing, the ship is headed in the right direction, regardless of where it set sail from.

    4. Drowning: I don’t know too many security teams with idle time and spare resources on their hands. That being said, there are those teams that seem to be able to keep up with the changing threat landscape and the tasks at hand, while there are others that seem to constantly find themselves underwater and falling behind.

    5. Fad: We’ve all seen the rise and fall of “bright, shiny objects” in the security market. If something seems too good to be true, it probably is. Or, alternatively, if there doesn’t seem to be any logic behind why everyone is running in a given direction, it probably isn’t a good direction to run in.

    Reply
  34. Tomi Engdahl says:

    How the Secure Development Lifecycle Can Help Protect IIoT Deployments
    https://www.securityweek.com/how-secure-development-lifecycle-can-help-protect-iiot-deployments

    It’s Not Enough to Assume a Vendor Has Done Its Job When it Comes to Securing IIoT Devices

    Reply
  35. Tomi Engdahl says:

    Here’s Why Foreign Intelligence Agencies Want Your Data
    https://blog.radware.com/security/hacks/2019/01/heres-why-foreign-intelligence-agencies-want-your-data/

    The implications of the recent Marriott hack go far beyond those of your average data breach. This megabreach of 383M records doesn’t just compromise sensitive data for the sake of fraud or financial gain, it paints a frightening picture of international espionage and personal privacy.

    Reply
  36. Tomi Engdahl says:

    Microsoft’s Cyber Defense Operations Center shares best practices
    https://blogs.technet.microsoft.com/msrc/2019/01/23/cdoc-best-practices/

    Microsoft’s protect tactics include:

    Multifactor authentication like Windows Hello for Business (H4B) is employed across our infrastructure to control identity and access management.
    Non-persistent administration using just-in-time (JIT) and just-enough administrator (JEA) privileges to engineering staff managing infrastructure and services. This provides a unique set of credentials for elevated access that automatically expires after a pre-designated duration.
    Proper hygiene is rigorously maintained through updated, anti-malware software and adherence to strict patching and configuration management.
    Microsoft Security Development Lifecycle is used to harden all applications, online services and products, and to routinely validate its effectiveness through penetration testing and vulnerability scanning.
    Threat modeling and attack surface analysis ensures that potential threats are assessed, exposed aspects of the service are evaluated, and the attack surface is minimized by restricting services or eliminating unnecessary functions.
    Classifying data according to its sensitivity—high, medium or low business impact—and taking the appropriate measures to protect it, including encryption in transit and at rest, and enforcing the principle of least-privilege access provides additional protection.
    Awareness training that fosters a trust relationship between the user and the security team to develop an environment where users will report incidents and anomalies without fear of repercussion.
    Extensive monitoring and controls over the physical environment of our global datacenters, including cameras, personnel screening, fences and barriers, and multi-factor authentication for physical access.
    Software-defined networks that protect our cloud infrastructure from intrusions and distributed denial of service attacks.
    Secure Admin Workstations are securely controlled, and provisioned workstations designed for both managing valuable production systems and daily activities like email, document editing and development work.
    Windows Defender Security Intelligence team of researchers identify, reverse engineer, and develop malware signatures and then deploy them across our infrastructure for advanced detection and defense. These signatures are available to millions of customers using Microsoft anti-malware solutions.

    Microsoft Cybersecurity Defense Operations Center
    https://docs.microsoft.com/en-us/security/msrc/fy18-strategy-brief

    Reply
  37. Tomi Engdahl says:

    2019 State of Malware report: Trojans and cryptominers dominate threat landscape
    https://blog.malwarebytes.com/malwarebytes-news/ctnt-report/2019/01/2019-state-malware-report-trojans-cryptominers-dominate-threat-landscape/

    Finally, our Labs team stared into its crystal ball and predicted top trends for 2019. Of particular note are the following:

    Attacks designed to avoid detection, like soundloggers, will slip into the wild.

    Artificial Intelligence will be used in the creation of malicious executables.

    Movements such as Bring Your Own Security (BYOS) to work will grow as trust declines.

    IoT botnets will come to a device near you.

    https://resources.malwarebytes.com/resource/2019-state-malware-malwarebytes-labs-report/

    Reply
  38. Tomi Engdahl says:

    DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains
    https://thehackernews.com/2019/01/dns-hijacking-cyber-attacks.html

    The U.S. Department of Homeland Security (DHS) has today issued an “emergency directive” to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within next 10 business days.

    The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking, which security researchers with “moderate confidence” believe originated from Iran.

    Reply
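The first step the directive orders, auditing a domain's DNS records, is a comparison of what resolvers currently return against what the owner intended to publish. The following is an added example, not code from the directive or the Hacker News article: it parses two constructed zone-style record sets (an approved baseline and an observed snapshot), reports every record that appeared, vanished or changed, and rates the finding by record type, since a changed NS record moves the whole zone while a changed A or MX record redirects web or mail traffic. All names and addresses are constructed sample values.

```python
"""Auditing DNS records against a known-good baseline.

Added example, not from the DHS directive or the article above. Both
inputs are constructed sample data in zone-file style: name, type, value.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

RecordSet = Dict[Tuple[str, str], Set[str]]

# How serious an unexpected change to each record type usually is.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "CNAME": "high",
            "MX": "high", "TXT": "medium"}


def parse_records(text: str) -> RecordSet:
    """Group record values by (owner name, type); names and values are
    normalised (lower-case, no trailing dot) so cosmetic differences don't alert."""
    records: RecordSet = defaultdict(set)
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        key = (name.lower().rstrip("."), rtype.upper())
        records[key].add(value.strip().lower().rstrip("."))
    return records


def audit(baseline: RecordSet, observed: RecordSet) -> List[dict]:
    """One finding per (name, type) whose observed values differ from baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        expected = baseline.get(key, set())
        actual = observed.get(key, set())
        added, removed = actual - expected, expected - actual
        if not added and not removed:
            continue
        findings.append({"name": name, "type": rtype,
                         "severity": SEVERITY.get(rtype, "low"),
                         "unexpected": sorted(added), "missing": sorted(removed)})
    return findings


# Constructed baseline: what the domain owner intends to publish.
BASELINE = """
; approved records (constructed)
agency.example.      NS   ns1.agency.example.
agency.example.      NS   ns2.agency.example.
agency.example.      A    192.0.2.10
agency.example.      MX   10 mail.agency.example.
www.agency.example.  A    192.0.2.10
"""

# Constructed snapshot: what resolvers return today; apex A and MX differ.
OBSERVED = """
; resolver snapshot (constructed)
agency.example.      NS   ns1.agency.example.
agency.example.      NS   ns2.agency.example.
agency.example.      A    198.51.100.5
agency.example.      MX   10 mail.unrelated-host.test.
www.agency.example.  A    192.0.2.10
"""

if __name__ == "__main__":
    for f in audit(parse_records(BASELINE), parse_records(OBSERVED)):
        print(f"[{f['severity']}] {f['name']} {f['type']}: "
              f"unexpected={f['unexpected']} missing={f['missing']}")
```

In practice the observed side comes from querying several independent resolvers (and the authoritative servers directly) so that a hijack of one resolver path does not go unnoticed, and the baseline is kept under change control so that an authorised change is reflected there before it lands in DNS.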
  39. Tomi Engdahl says:

    The Intercept:
    Snowden documents shed light on how states can compromise hardware supply chains, a practice undertaken by the US, France, Germany, China, and others

    Everybody Does It: The Messy Truth About Infiltrating Computer Supply Chains
    https://theintercept.com/2019/01/24/computer-supply-chain-attacks/

    January 24 2019, 8:55 p.m.

    In October, Bloomberg Businessweek published an alarming story: Operatives working for China’s People’s Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. This allegedly gave Chinese spies clandestine access to servers belonging to over 30 American companies

    Bloomberg’s report, based on 17 anonymous sources, including “six current and former senior national security officials,” began to crumble soon after publication as key parties issued swift and unequivocal denials.

    But while Bloomberg’s story may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents. U.S. spy agencies were warned about the threat in stark terms nearly a decade ago

    What’s clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance — and much work remains to be done to secure computing devices from this type of compromise.

    “An increasing number of actors are seeking the capability to target … supply chains and other components of the U.S. information infrastructure,” the intelligence community stated in a secret 2009 report.

    “The Bloomberg/SuperMicro story was so disturbing because an attack as described would have worked, even if at this point we can safely conclude that the Bloomberg story itself is bovine excrement. And now if I’m China, I’d be thinking, ‘I’m doing the time, might as well do the crime!’”

    While the Bloomberg story painted a dramatic picture, the one that emerges from the Snowden documents is fragmented and incomplete

    None of the material reflects directly on Bloomberg Businessweek’s specific claims.

    U.S. “Critical Infrastructure” Is Vulnerable to Supply Chain Attacks

    A classified 2011 Department of Defense “Strategy for Operating in Cyberspace” refers to supply chain vulnerabilities as one of the “central aspects of the cyber threat,” adding that the U.S.’s reliance on foreign factories and suppliers “provides broad opportunities for foreign actors to subvert and interdict U.S. supply chains at points of design, manufacture, service, distribution, and disposal.”

    Chinese hardware providers could position themselves in U.S. industry to compromise “critical infrastructure upon which DoD depends,” according to the document.

    Beyond mostly vague concerns involving Russia and China, the U.S. intelligence community did not know what to make of the vulnerability of computer supply chains. Conducting such attacks was “difficult and resource-intensive,” according to the NIE, but beyond that, it had little information to understand the scope of the problem: “The unwillingness of victims and investigating agencies to report incidents” and the lack of technology to detect tampering meant that “considerable uncertainty overshadows our assessment of the threat posed by supply chain operations,” the NIE said.

    Chinese Telecom Firm Seen as Threat

    Beyond broad worries, the U.S. intelligence community had some specific concerns about China’s ability to use the supply chain for espionage.

    The U.S. intelligence community appeared concerned that Huawei might help the Chinese government tap into a sensitive transatlantic telecommunications cable known as “TAT-14,” according to a top-secret NSA briefing on Huawei.

    Chinese government might use Huawei’s “market penetration for its own SIGINT purposes”

    Firmware Attacks Worry U.S. Intelligence

    In other documents, spy agencies flagged another specific concern, China’s growing prowess at exploiting the BIOS, or the Basic Input/Output System.

    In a paragraph marked top secret, the page stated, “Among currently compromised are AMI and Award based BIOS versions. The threat that BIOS implants pose increases significantly for systems running on compromised versions.”

    The word “compromised” could have different meanings

    Successful Supply Chain Attacks by France, Germany, and the U.S.

    Supply chain “interdiction” attacks like this involve compromising computer hardware while it’s being transported to the customer. They target a different part of the supply chain than the attack described by Bloomberg; Bloomberg’s story said Chinese spies installed malicious microchips into server motherboards while they were being manufactured at the factory, rather than while they were in transit. The NSA document said its interdiction attacks “are some of the most productive operations in TAO,” or Tailored Access Operations, NSA’s offensive hacking unit, “because they pre-position access points into hard target networks around the world.” (TAO is known today as Computer Network Operations.)

    Reply
  40. Tomi Engdahl says:

    Wall Street Journal:
    Source: US pressed Chinese tech companies to show their autonomy by giving an example of resisting a data request from the Chinese government, but they couldn’t

    U.S. Believes It Doesn’t Need to Show ‘Proof’ Huawei Is a Spy Threat
    Chairman of Chinese telecom firm contends Huawei is being unfairly targeted
    https://www.wsj.com/articles/u-s-believes-it-doesnt-need-to-show-proof-huawei-is-a-spy-threat-11548288297

    The chairman of embattled telecom giant Huawei Technologies Co. is pushing back against claims his company conducts espionage for the Chinese government, contending that Huawei is being unfairly targeted without any proof.

    Reply
  41. Tomi Engdahl says:

    State of Malware: Attacks on Business Grow as Threats Become More Sophisticated
    https://www.securityweek.com/state-malware-attacks-business-grow-threats-become-more-sophisticated

    The 2019 State of Malware report from Malwarebytes is packed with statistics on when, where and what malware was detected through 2018. One trend and one fact stand out: consumer detections are decreasing while business infections are increasing; and there is a marked difference between western world threats and eastern threats.

    The report compares the state of malware in 2018 to that of 2017 using intelligence compiled from researchers and data collected by honeypots, virtual sandboxes, and the company’s business and consumer product telemetry.

    Reply
  42. Tomi Engdahl says:

    Impacts to Enterprise Security: A Look at as-a-service Attacks
    https://blog.trendmicro.com/impacts-to-enterprise-security-a-look-at-as-a-service-attacks/

    Ever since certain solutions have begun being offered “as-a-service,” the market for this method of delivery has exploded. Now, elements like software-as-a-service, infrastructure-as-a-service and platform-as-a-service are key mainstay components of enterprise IT, with the market values to prove it.

    According to MarketWatch, the global SaaS market is on track to expand by a more than 20 percent compound annual growth rate, reaching a value of $185.8 billion by 2024. Allied Market Research reported that the IaaS market will see an even larger CAGR of more than 25 percent through 2023, surpassing $92 million; and Market Research Future forecast that the PaaS sector will reach $12.12 billion through 2022 thanks to a 26 percent CAGR.

    The as-a-service model comes with considerable benefits, including lower front-end investments and more consistent uptime and performance of key solutions. Understandably, enterprises of all sizes across industry sectors are now flocking to as-a-service models – and they aren’t the only ones.

    Cybercriminals are also jumping on board, with as-a-service threats that make infiltration, data theft and malicious profit more accessible than ever before. Let’s examine the trend of as-a-service threats, and what this means for enterprise data security.

    Ransomware-as-a-service

    Currently, several different malware samples and threats are being made available in as-a-service capacities through underground marketplaces. However, one of the most formidable of these is ransomware-as-a-service.

    Reply
  43. Tomi Engdahl says:

    En garde! ‘Cyber-war has begun’ – and France will hack first, its defence sec declares
    Parly-vous cyber-security? No plan to surrender, military bug bounty coming
    https://www.theregister.co.uk/2019/01/22/france_cyber_war/

    FIC2019 France’s defence secretary Florence Parly today declared: “Cyber war has begun.”

    And she said the Euro nation’s military will use its “cyber arms as all other traditional weapons… to respond and attack,” as well as setting up a military bug bounty program.

    Parly made her pledges during a speech to the Forum International de Cybersecurite (FIC) in the northern French town of Lille. Her speech was on a topic that most Western countries shy away from addressing directly in public.

    “The cyber weapon is not only for our enemies,” said France’s defence secretary this afternoon, speaking through a translator. “No. It’s also, in France, a tool to defend ourselves. To respond and attack.”

    Reply
  44. Tomi Engdahl says:

    Open Source Software Needs Funding, Not Bug Bounty Programs
    https://duo.com/decipher/open-source-software-needs-funding-not-bug-bounty-programs

    While the European Union’s latest bug bounty program for widely used open source projects sounds like a step towards improving the security of the overall Internet ecosystem, these programs may wind up complicating efforts to secure these applications.

    The European Union has committed to pay €850,000 (nearly $1 million) in bug bounties for vulnerabilities found in 15 open source projects as part of the edition of the Free and Open Source Software Audit (FOSSA) project, said Julia Reda, a member of the European Parliament representing the German Pirate Party. The projects are 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.

    Reply
  45. Tomi Engdahl says:

    Google wants to quiz you on phishing emails
    https://www.theverge.com/2019/1/22/18193107/google-phishing-emails-quiz-jigsaw-cyberattack

    On Tuesday, Google’s Jigsaw unit published a quiz that tests users’ abilities to identify phishing emails. The quiz tests you on a series of emails to see if you can distinguish telltale signs of phishing.

    https://phishingquiz.withgoogle.com/

    Reply
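    The quiz above trains people to spot the signs of a phishing email by eye; the same signs can be checked mechanically on the way into a mailbox. The following is an added example of such a check, not Google's quiz or any code from it. The three indicators it looks for (a sender domain outside the organisation's allow list, a sender domain that becomes a trusted domain once digits are swapped for the letters they imitate, and link text that displays one domain while the href points to another) are the author's assumptions about common tell-tale signs, not a list taken from the quiz. Both sample messages and the allow list are constructed.

```python
"""Mechanical check for three common phishing tell-tale signs (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}            # constructed allow list of the organisation's real domains
LOOKALIKE = str.maketrans("1035", "loes")         # assumed digit-for-letter substitutions (1->l, 0->o, 3->e, 5->s)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing sample: lookalike sender domain, link text that hides the real destination.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/secure</a> now.</p>
"""

# Constructed legitimate sample for comparison.
CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement
Content-Type: text/html

<p>Your statement is at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
"""


def registrable(host: str) -> str:
    """Crude registrable-domain guess (last two labels); production code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw: str) -> List[str]:
    """Return a list of human-readable indicators found in the raw RFC 822 message; empty means none found."""
    msg = message_from_string(raw)
    findings: List[str] = []

    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain:
        if registrable(sender_domain) not in TRUSTED_DOMAINS:
            findings.append(f"sender domain '{sender_domain}' is not a trusted domain")
        unmasked = sender_domain.translate(LOOKALIKE)
        if unmasked != sender_domain and registrable(unmasked) in TRUSTED_DOMAINS:
            findings.append(f"sender domain '{sender_domain}' is a lookalike of '{unmasked}'")

    body = msg.get_payload()
    if isinstance(body, str):
        for href, text in LINK_RE.findall(body):
            shown = urlparse(text.strip())
            if not shown.netloc:
                continue  # link text is not itself a URL, so there is nothing to compare
            target = urlparse(href).netloc
            if registrable(shown.netloc) != registrable(target):
                findings.append(f"link text shows '{shown.netloc}' but points to '{target}'")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, phishing_indicators(sample) or "no indicators")
```

    None of these indicators is proof on its own: a marketing mailer legitimately sends from a different domain, and tracking links routinely differ from the text they carry. They are the same cues the quiz asks a reader to notice, and a filter that scores them is a complement to that training, not a replacement for it.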
  46. Tomi Engdahl says:

    Securonix Threat Research: Detecting Persistent Cloud Infrastructure/Hadoop/YARN Attacks Using Security Analytics: Moanacroner, XBash, and Others
    https://www.securonix.com/securonix-threat-research-detecting-persistent-cloud-infrastructure-hadoop-yarn-attacks-using-security-analytics-moanacroner-xbash-and-others/?PageSpeed=noscript

    In recent months, we have been observing an increase in the number of automated attacks targeting exposed cloud infrastructure/Hadoop/YARN instances. Some of the attacks we have been seeing – for example, Moanacroner (a variant of Sustes [11]) – are fairly trivial, targeted single-vector/single-platform attacks where the focus is mainly on cryptomining.

    Some attacks, however, are multi-vector/multi-platform threats where multiple functionalities – including cryptomining, ransomware, and botnet/worms for both Linux and Windows – are combined as part of the same malicious threat (for example, XBash).

    Reply
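    The Securonix post above is about detecting automated attacks on exposed Hadoop/YARN instances from telemetry. As an added example, not Securonix's analytics or any code from the post, here is detection logic run over a handful of constructed ResourceManager HTTP access-log lines. It assumes the path these campaigns are generally reported to take: submitting applications through the YARN ResourceManager REST API without authentication (a POST to /ws/v1/cluster/apps/new-application followed by a POST to /ws/v1/cluster/apps), which is what an unauthenticated, Internet-exposed ResourceManager allows. The NCSA-style log layout, the trusted network range and the burst threshold are all assumptions; the log lines are constructed.

```python
"""Flag application submissions to a YARN ResourceManager from untrusted sources and in bursts.

Added example with constructed log lines; not from Securonix.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

NEW_APP_PATH = "/ws/v1/cluster/apps/new-application"   # step 1: obtain an application id
SUBMIT_PATH = "/ws/v1/cluster/apps"                     # step 2: submit the application (POST)
SUBMIT_PATHS = (NEW_APP_PATH, SUBMIT_PATH)
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]    # assumed cluster/admin range

# Assumed NCSA-style access log layout: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one legitimate in-cluster submission, then a remote host submitting two apps in seconds.
SAMPLE_LOG = """\
10.20.1.5 - - [24/Jan/2019:10:00:01 +0000] "GET /ws/v1/cluster/info HTTP/1.1" 200 512
10.20.1.5 - - [24/Jan/2019:10:00:07 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 98
198.51.100.23 - - [24/Jan/2019:10:03:12 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 98
198.51.100.23 - - [24/Jan/2019:10:03:13 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
198.51.100.23 - - [24/Jan/2019:10:03:15 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 98
198.51.100.23 - - [24/Jan/2019:10:03:16 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
203.0.113.9 - - [24/Jan/2019:10:05:40 +0000] "GET /ws/v1/cluster/apps HTTP/1.1" 200 2048
"""


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line into a dict, or None if it does not match the assumed layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = str(rec["path"]).split("?", 1)[0]     # drop any query string before comparing
    return rec


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(log_text: str, burst_window: timedelta = timedelta(seconds=60), burst_threshold: int = 2) -> List[str]:
    """Return alerts for (a) submission POSTs from untrusted sources and (b) submission bursts per source."""
    alerts: List[str] = []
    submits: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in SUBMIT_PATHS:
            continue  # only the two submission endpoints matter; GETs are ordinary monitoring traffic
        ip, ts, path = str(rec["ip"]), rec["ts"], rec["path"]
        if not is_trusted(ip):
            alerts.append(f"untrusted source {ip} POST {path} at {ts.isoformat()}")
        if path == SUBMIT_PATH:
            submits[ip].append(ts)  # type: ignore[arg-type]
    for ip, times in submits.items():
        times.sort()
        for i, start in enumerate(times):
            # Sliding window: N completed submissions from one source inside the window is a burst.
            if sum(1 for t in times[i:] if t - start <= burst_window) >= burst_threshold:
                alerts.append(f"burst: {ip} submitted {burst_threshold}+ applications within {burst_window}")
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    Two design points: the untrusted-source rule is only meaningful once the trusted range is accurate, so it should come from the cluster inventory rather than a guess; and the burst rule exists because the automated campaigns described above submit applications mechanically, while human-driven job submission from a workstation rarely produces several per minute. The detection complements, rather than replaces, enabling authentication on the ResourceManager and keeping it off the public Internet.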
