Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” post before 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that other people have predicted or reported.
The state of internet security in 2020 was hard. The trends that stormed last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, it is now rather ‘bring your own office’.
2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.
Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks that exploit contemporary issues, and continued frequent and significant data breaches. I can pretty much agree with those. Cybersecurity must adapt to counter new threats in a transformed world.
The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”
For 2021, Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments (WAN, multi-cloud, data center, remote worker, IoT, and more), each with its unique risks.
DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid in bitcoin by a deadline, but victims are being urged not to give in to the demands.
One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, and then they threaten to publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.
Modern cybercrime is becoming increasingly open-sourced: some of the most sophisticated and notorious cybercriminals already utilize open-source tools to conduct their criminal activities, and this will increase.
Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and whether the people who answered the survey have really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.
The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands, and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, as in This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues are moving to the cloud, so we need more people who know both security and cloud: The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).
The Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.
Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.
A new version of the OWASP Top 10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, so that everyone is able to reproduce the results, and presents it to the entire community for feedback.
The Privacy is an illusion. But that’s a good thing article says that everyone’s information is available; it doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.
The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.
The Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement, obliging consumer IoT designs to have vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security; the US House of Representatives, for instance, introduced H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens, and ENISA Publishes Guidelines on Securing the IoT Supply Chain.
7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: continuous patch management and security updates, OT transparency for IT stakeholders, natively secure OT networks, cloud-based access to remote sites instead of VPN, zero-touch onboarding, more cybersecurity in small facilities, and certified cybersecurity products and solutions.
IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.
2,204 Comments
Tomi Engdahl says:
Android to Support Rust Programming Language to Prevent Memory Flaws
https://thehackernews.com/2021/04/android-to-support-rust-programming.html
Google on Tuesday announced that its open source version of the Android operating system will add support for Rust programming language in a bid to prevent memory safety bugs. To that end, the company has been building parts of the Android Open Source Project (AOSP) with Rust for the past 18 months, with plans in the pipeline to scale this initiative to cover more aspects of the operating system.
Tomi Engdahl says:
Microsoft releases a cyberattack simulator – Shall we play a game?
https://www.bleepingcomputer.com/news/security/microsoft-releases-a-cyberattack-simulator-shall-we-play-a-game/
Microsoft has released an open-source cyberattack simulator that allows security researchers and data scientists to create simulated network environments and see how they fare against AI-controlled cyber agents.
Tomi Engdahl says:
How Vulnerability Management Can Stop a Data Breach
https://securityintelligence.com/posts/vulnerability-management-stop-data-breach/
Vulnerability management may not be the sexiest topic. But, while buzzier topics are certainly important, vulnerability management may just be the key to an effective data security strategy. According to a Ponemon Institute report, 42% of nearly 2,000 surveyed IT and security workers indicated that they had suffered a data breach in the last two years that could be blamed squarely on unpatched vulnerabilities.
Tomi Engdahl says:
Vulnerability in ‘Domain Time II’ Could Lead to Server, Network Compromise
https://www.securityweek.com/vulnerability-domain-time-ii-could-lead-server-network-compromise
A vulnerability residing in the “Domain Time II” network time solution can be exploited in Man-on-the-Side (MotS) attacks, cyber-security firm GRIMM warned on Tuesday.
Developed by Greyware Automation Products, Inc., Domain Time II is a time synchronization software designed to help enterprises ensure accurate time across their networks. The suite of tools provides testing, administration, and auditing capabilities.
Domain Time II consists of client and server programs, and both use the same executable to check for updates, namely dttray.exe. The programs can be set to check for updates at startup, but also allow for manual checks.
What GRIMM’s researchers discovered was that, regardless of the update method used, dttray.exe checks the update server by sending a UDP query. If the server response is a URL, the software notifies the user of an update’s availability.
Tomi Engdahl says:
https://www.securityweek.com/cring-ransomware-targets-industrial-organizations
Cring ransomware operators are exploiting an old path traversal vulnerability in the FortiOS SSL VPN web portal to gain access to enterprise networks, Kaspersky warns.
Tomi Engdahl says:
Library Dependencies and the Open Source Supply Chain Nightmare
https://www.securityweek.com/library-dependencies-and-open-source-supply-chain-nightmare
It’s a bigger problem than is immediately apparent, and has the potential for hacks as big as Equifax and as widespread as SolarWinds.
The universal need for speed and lack of resource in commercial app development requires developers to use free open-source software libraries. The difficulty is that there is no easy way to manage the open-source vulnerabilities that get included via the libraries into the finished commercial app.
The size of this problem has been analyzed in the new Contrast Labs 2021 Open-Source Security Report. The study looked at tens of thousands of real-world applications and APIs from Contrast’s own telemetry – and found a potentially serious problem.
First of all, the average application contains 118 open-source libraries. Many of these contain vulnerabilities, but many of the vulnerabilities afford no risk since only 38 percent of the libraries included in an app are actually used by the app.
Inside the library, the vulnerability may be found in just one class. However, in Java libraries, for instance, only 32 percent of the classes contained are invoked by the application. It is more than possible, then, that the finished app uses a library containing a known vulnerability that is of zero risk.
This is complicated by ‘transitive dependencies’, where a function consciously required from one library might actually rely on different additional libraries – which may inadvertently, and possibly unknowingly, be called and included in the shipped app.
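The reachability question the article raises (a vulnerable library that ships with the app but is never invoked, possibly pulled in only as a transitive dependency), as an added example that is not code from the article or from Contrast Labs. The dependency graph, the invoked classes and the advisory identifiers are all constructed sample data, assumed here to have been produced by a build tool and a call-graph analysis.

```python
"""Classify known-vulnerable open-source libraries by reachability.

Added example: given the app's declared dependencies, each library's own
dependencies (the transitive ones), the libraries and classes the app really
invokes, and a list of libraries with known vulnerabilities, say for each
vulnerable library whether it is a real risk or merely shipped and unused.
"""
from collections import deque

# Constructed dependency graph: library -> libraries it pulls in.
SAMPLE_DEPS = {
    "app": ["web-framework", "json-parser", "image-lib"],
    "web-framework": ["http-client", "template-engine"],
    "http-client": ["compression-lib"],
    "template-engine": [],
    "json-parser": [],
    "image-lib": ["compression-lib", "exif-reader"],
    "compression-lib": [],
    "exif-reader": [],
}

# Constructed: libraries the application code actually calls into and
# which classes of each it invokes (the article's class-level point).
SAMPLE_INVOKED = {
    "web-framework": {"Router", "Request"},
    "json-parser": {"Parser"},
    "http-client": {"Client"},
}

# Constructed advisories: library -> (vulnerable class, placeholder id).
SAMPLE_VULNS = {
    "http-client": ("RedirectHandler", "ADV-PLACEHOLDER-1"),
    "compression-lib": ("Inflater", "ADV-PLACEHOLDER-2"),
    "exif-reader": ("TagParser", "ADV-PLACEHOLDER-3"),
    "json-parser": ("Parser", "ADV-PLACEHOLDER-4"),
}


def transitive_closure(deps, root="app"):
    """Every library shipped with the app, whether direct or transitive."""
    seen, queue = set(), deque(deps.get(root, []))
    while queue:
        lib = queue.popleft()
        if lib in seen:
            continue
        seen.add(lib)
        queue.extend(deps.get(lib, []))
    return seen


def classify_vulns(deps, invoked, vulns, root="app"):
    """Return {library: (status, advisory_id)} for each shipped vulnerable library.

    status is one of:
      'reachable'       - the app invokes the exact vulnerable class
      'library-invoked' - the app uses the library, but not that class
      'unused'          - shipped (often transitively) but never called
    """
    shipped = transitive_closure(deps, root)
    result = {}
    for lib, (vuln_class, adv_id) in vulns.items():
        if lib not in shipped:
            continue  # not part of this build at all
        classes_used = invoked.get(lib)
        if classes_used is None:
            status = "unused"
        elif vuln_class in classes_used:
            status = "reachable"
        else:
            status = "library-invoked"
        result[lib] = (status, adv_id)
    return result


def usage_ratio(deps, invoked, root="app"):
    """Fraction of shipped libraries the app invokes (cf. the article's 38%)."""
    shipped = transitive_closure(deps, root)
    return sum(1 for lib in shipped if lib in invoked) / len(shipped)


if __name__ == "__main__":
    report = classify_vulns(SAMPLE_DEPS, SAMPLE_INVOKED, SAMPLE_VULNS)
    for lib, (status, adv) in sorted(report.items()):
        print(f"{lib:16} {status:16} {adv}")
    print(f"shipped libraries actually invoked: {usage_ratio(SAMPLE_DEPS, SAMPLE_INVOKED):.0%}")
```

Only the 'reachable' entries need emergency patching; the 'unused' ones still warrant removal, since a later code change can make them reachable without anyone re-running the analysis.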
Tomi Engdahl says:
Cost of Sandboxing Prompts Shift to Memory-Safe Languages. A Little Too Late?
https://www.securityweek.com/cost-sandboxing-prompts-shift-memory-safe-languages-little-too-late
NEWS ANALYSIS: Google’s decision to promote Rust for low-level Android programming is another sign that the shelf-life of memory corruption mitigations is no match for the speed of in-the-wild exploit development.
Just 13 years after Google introduced the sandbox in Chrome touting “a new approach in browser security,” the company is now blaming the limitations — and high processing cost — of sandboxing for a new decision to promote Rust as the low-level programming language of choice for the Android operating system.
The decision to promote Rust over C and C++ isn’t exactly a surprise but the language used in Google’s announcement signals a sad end to the sandbox as an effective anti-exploit mitigation for a vexing problem haunting software engineering since the mid-1990s.
“Sandboxing is expensive,” says Jeff Vander Stoep, a member of Google’s Android team. “Sandboxing doesn’t eliminate vulnerabilities from the code and its efficacy is reduced by high bug density, allowing attackers to chain multiple vulnerabilities together,” he added.
He said Google is turning to memory-safe languages like Rust to help overcome these “limitations” by lowering the density of bugs in the Android code and increasing the effectiveness of the existing sandbox.
More importantly, Vander Stoep says the move reduces Google’s sandboxing needs entirely and enables the creation and introduction of new software features that are both safer and lighter on resources.
He said memory safety problems in C and C++ continue to be the “most-difficult-to-address” issue in modern software engineering and noted that the Android team — like the rest of the tech industry — spent heavily to mitigate a class of vulnerabilities without much success.
Tomi Engdahl says:
Armed Conflict Draws Closer as State-Backed Cyber-Attacks Intensify
https://www.oodaloop.com/briefs/2021/04/08/armed-conflict-draws-closer-as-state-backed-cyber-attacks-intensify/
A new HP report details how the world is coming increasingly close to armed conflict sparked by cyberattacks. The study was compiled by University of Surrey senior lecturer in criminology, Mike McGuire. The study claims that there has been a 100% increase in significant state-backed attacks between 2017 and 2020. The largest number of these types of attacks featured the delivery of surveillance tools, at 50%. However, 14% of significant state-backed attacks sought to do damage to the targeted nation. The study reports that 40% had both a physical and digital component.
McGuire also consulted with several different experts within the field, 64% of whom were worried about the escalation in cyber tensions over the past year. The study also reports that factors such as weaponization and readiness of governments to define network attacks as acts of war are creating an unstable field between different nations engaging in such attacks. The research also revealed that the lines between nation-state and cybercrime attacks are increasingly blurring.
Tomi Engdahl says:
Android-PIN-Bruteforce
https://github.com/urbanadventurer/Android-PIN-Bruteforce
Unlock an Android phone (or device) by bruteforcing the lockscreen PIN. Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices! (no root, no adb)
Tomi Engdahl says:
Use Android as Rubber Ducky against another Android device
https://github.com/androidmalware/android_hid
Using Android as Rubber Ducky against Android or Windows. This is not a new technique, just a demo of how to perform an HID attack using Android instead of a rubber ducky. The targeted Android device does not need to be rooted, have ADB/USB debugging enabled or be authorized, since the attacker’s smartphone behaves as a connected keyboard.
hid_attack – script contains customized commands that are executed (typed) against the targeted Android device
hid_pc – script contains customized commands that are executed (typed) against the targeted Windows 10
Tomi Engdahl says:
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
The Cyber Kill Chain and MITRE ATT&CK are popular reference frameworks to analyze breaches, but amid the rise of XDR, we may need a new one.
https://www.darkreading.com/attacks-breaches/beyond-mitre-attandck-the-case-for-a-new-cyber-kill-chain/a/d-id/1340539
Tomi Engdahl says:
https://pentestmag.com/stitch-python-written-cross-platform-rat/
Tomi Engdahl says:
https://pjarvinen.blogspot.com/2021/02/nain-microsoft-huijaripuhelu-tyhjensi.html
Tomi Engdahl says:
https://nexetic.com/fi/miksi-office-365-tiedot-kannattaa-varmuuskopioida/
Tomi Engdahl says:
https://www.helsinki.fi/fi/ajankohtaista/podcastit/podcast-utelias-mieli
Utelias mieli (Curious Mind), episode 16: Can artificial intelligence be good or evil?
Tomi Engdahl says:
https://www.darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal/a/d-id/1340487
Tomi Engdahl says:
Microsoft Open-Sources ‘CyberBattleSim’ Enterprise Environment Simulator
https://www.securityweek.com/microsoft-open-sources-cyberbattlesim-enterprise-environment-simulator
Microsoft this week announced the open source availability of Python code for “CyberBattleSim,” a research toolkit that supports simulating complex computer systems.
Designed to help advance artificial intelligence and machine learning, the experimental research project was designed to aid in the analysis of how “autonomous agents operate in a simulated enterprise environment using high-level abstraction of computer networks and cybersecurity concepts.”
CyberBattleSim allows for the training of automated agents, and provides a Python-based OpenAI Gym interface for that. In the simulated environments, defenders can leverage reinforcement learning algorithms and set up various cybersecurity challenges.
Reinforcement learning, Microsoft explains, is a type of machine learning that teaches autonomous agents to make decisions based on the interaction with the environment: agents improve strategies through repeated experience, similarly to playing a video game over and over to become better at it.
CyberBattleSim employs OpenAI Gym for building interactive environments, and focuses on the lateral movement phase of a cyber-attack. The project simulates a fixed network with predefined vulnerabilities that the attacker model can exploit for lateral movement, while a defender agent seeks to detect the attacker and contain the intrusion.
“The simulation Gym environment is parameterized by the definition of the network layout, the list of supported vulnerabilities, and the nodes where they are planted. The simulation does not support machine code execution, and thus no security exploit actually takes place in it,” Microsoft explains.
https://github.com/microsoft/CyberBattleSim
Tomi Engdahl says:
Kyle Wiggers / VentureBeat:
Nvidia announces Morpheus, an AI-powered cloud-native app framework to help cybersecurity providers detect and prevent breaches in real-time, now in preview
Nvidia announces Morpheus, an AI-powered app framework for cybersecurity
https://venturebeat.com/2021/04/12/nvidia-announces-morpheus-an-ai-powered-app-framework-for-cybersecurity/
During its GTC 2021 virtual keynote this morning, Nvidia announced Morpheus, a “cloud-native” app framework aimed at providing cybersecurity partners with AI skills that can be used to detect and mitigate cybersecurity attacks. Using machine learning, Morpheus identifies, captures, and acts on threats and anomalies, including leaks of sensitive data, phishing attempts, and malware.
Morpheus is available in preview from today, and developers can apply for early access on Nvidia’s landing page.
Reflecting the pace of adoption, the AI in cybersecurity market will reach $38.2 billion in value by 2026, Markets and Markets projects. That’s up from $8.8 billion in 2019, representing a compound annual growth rate of around 23.3%. Just last week, a study from MIT Technology Review Insights and Darktrace found that 96% of execs at large enterprises are considering adopting “defensive AI” against cyberattacks.
Tomi Engdahl says:
The VC View: Data Security – Deciphering a Misunderstood Category
https://www.securityweek.com/vc-view-data-security-deciphering-misunderstood-category
I’m both excited and concerned to write about data security as one of the hot trends to monitor in 2021. Data security is a tough topic to summarize and I’d argue it may be the most misunderstood category in security right now. We’re a raw industry that has been shaken up multiple times for years. We’ve gotten micro-services, Agile software development, public cloud, GDPR, multi-cloud, work-from-home, federal regulations and SaaS applications all disrupting how we lived and worked.
It’s gotten to the point now that if you were to ask a CISO what they’re doing to protect their data, you’d get different answers; there is no consistency. Yet, if you were to ask those same folks who the leading data storage, analytics, processes and vendors were, clear market leaders would quickly emerge.
Yet the idea of protecting data is still ubiquitous with cybersecurity. Data continues to be a top-3 security topic within the board. “What are we doing to protect our customers’ and the organization’s data?” If the many, many public breaches have told us anything over the years, it’s that losing data escalates a “security incident” into a “data breach”. Lawyers get involved when we lose control of our data. How else would we figure out our liability to our suppliers and customers?
There is a reason we’re in this situation: for the longest time, security was architected with “defense in depth”. Data was the soft, squishy middle of a hardened perimeter. We protected data by first making sure our endpoints weren’t compromised, then by making sure threats weren’t moving around in our networks undetected, then by making sure our applications weren’t vulnerable to data leaks. Now that we’re all moving towards the multi-cloud, SaaS world, the castle walls we’ve built over the years no longer work. It’s impossible to monitor data flowing across clouds, microservices, internal, external applications, geographies, data centers and technologies.
Considering all of this complexity, it’s clear to me that most projects will adopt a “back to the basics” theme. Even though each company doesn’t have the same crown jewels, business models or customers, I envision most data security projects this year will align to the first two parts of NIST’s Cybersecurity Framework: Identify and Protect. The remaining three (Detect, Respond and Recover) will come later as the industry starts to train the people, mature the processes and develop the technologies to begin to reasonably protect disparate data via the 80/20 rule.
Aligned to Identify and Protect, I expect to see two camps of data security projects: Visibility & Control. One set of folks interested in visibility: How much data do I have? Where is it stored? Who has access to it? What is our current risk profile due to accessible data and our threat model? How can I protect the data? Are there any quick wins that we can do to significantly reduce risk? Perhaps we can delete sensitive data in our staging environment?
Another set of folks will be interested in control. How can we protect our data by design? Are there ways for us to segment data by groups & roles? What technology is out there that allows us to enforce policy as data is being generated, moving across the network and in production?
In the end, I envision a “data firewall” being created to merge those two paths and as an important milestone in this category.
Tomi Engdahl says:
How ransomware gangs are connected, sharing resources and tactics
https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12001-yli-600-000-uutta-haittaohjelmaa-joka-paiva
Tomi Engdahl says:
Breaches Detected Faster, But Ransomware Surge a Major Factor: FireEye
https://www.securityweek.com/breaches-detected-faster-ransomware-surge-major-factor-fireeye
Data from FireEye’s Mandiant incident response division shows that the time it takes organizations to detect a malicious hacker attack continues to drop, but it’s not only due to better threat detection capabilities.
According to Mandiant, the surge in ransomware attacks, which are meant to be noisy and detected, is partially the reason for shorter dwell times observed in live attacks over the last year.
The data show that organizations are getting better at detecting intrusions on their own but Mandiant says that while “continued development and improvement of organizational detection capabilities” is one factor, a “major factor” was the surge in ransomware attacks, which increased from 14% in 2019 to 25% in 2020.
In the case of ransomware attacks, they are typically detected quickly since the attackers often make their presence known when they demand a ransom, after they have encrypted the victim’s files and/or have stolen the victim’s data.
In the ransomware attacks investigated by Mandiant, 78% had a dwell time of 30 days or less, and only 1% of these incidents had a dwell time of 700 days or more.
Interestingly, the median global dwell time was just 5 days for ransomware, and 45 days for non-ransomware investigations conducted by Mandiant.
Overall, the global median dwell time has decreased constantly over the past decade, from 416 days in 2011 to 24 in 2020.
However, the report (PDF) also shows some significant regional differences when it comes to dwell time. For instance, dwell times in the Americas dropped from 60 days in 2019 to 17 days in 2020, but more than 27 percent of incidents investigated in this region involved ransomware.
Tomi Engdahl says:
Cybersecurity VC Funding Hit Record in 2020 With $7.8 Billion Invested
https://www.securityweek.com/cybersecurity-vc-funding-hit-record-2020-78-billion-invested
Despite the coronavirus pandemic, 2020 was a record year in terms of venture capital funding for cybersecurity companies, with more than $7.8 billion invested, according to a new report from business information platform Crunchbase.
Data from Crunchbase shows that cybersecurity venture funding has been on an upwards trend over the past decade, with roughly 1,500 companies receiving funding since 2017, 58% of which were seed-stage and 32% were early-stage firms.
Tomi Engdahl says:
NVIDIA Unveils ‘Morpheus’ Cybersecurity Framework
https://www.securityweek.com/nvidia-unveils-morpheus-cybersecurity-framework
NVIDIA this week unveiled Morpheus, a cloud-native application framework designed to help cybersecurity providers analyze more data without sacrificing performance.
According to NVIDIA, Morpheus leverages machine learning to identify anomalies and threats — such as phishing, data leaks and malware — through real-time inspection of all IP traffic in an organization’s data centers.
Morpheus works with NVIDIA’s BlueField data processing units (DPUs), a powerful processor designed specifically for data centers.
“Morpheus, when combined with BlueField DPUs, enables every compute node in the network to serve as a cyber-defense sensor at the edge, letting organizations analyze every packet with line-rate speed without data replication,” NVIDIA said. “In contrast, traditional AI security tools typically sample around five percent of network traffic data, leading to threat-detection algorithms based on incomplete models.”
Tomi Engdahl says:
TL;DR: Microsoft wants Pluton hardware chip in all CPUs to prevent piracy. Golden age of piracy over, or marketing gimmick?
https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
https://www.extremetech.com/computing/317512-microsoft-pluton-chip-will-bring-xbox-like-security-to-windows-pcs
Tomi Engdahl says:
Nearly every company’s mobile devices were attacked
https://etn.fi/index.php/13-news/12018-lahes-jokaisen-yrityksen-mobiililaitteisiin-hyokattiin
Security company Check Point Research has published its 2021 mobile security report. Its results are alarming. According to the statistics, attacks were attempted against nearly every company’s mobile devices during the past year.
The mobile attack surface expanded dramatically during the coronavirus pandemic as companies shifted widely to remote work, and 97 percent of organizations faced mobile malware using multiple attack vectors. According to the forecast, by 2024 60 percent of employees will work on mobile devices, so mobile device security should be a priority for all organizations.
Of the attacks targeting mobile devices, 93 percent tried to trick users into clicking a link and installing malware via a website or URL. Another popular method is stealing users’ credentials.
Malicious mobile applications were found in nearly every other organization: in 46 percent of organizations, at least one employee had downloaded a malicious mobile application that compromised the organization’s networks and data in 2020.
Four out of ten mobile devices had a vulnerability: Check Point’s Achilles study showed that at least 40 percent of the world’s mobile devices were inherently susceptible to cyberattacks because of flaws in their chipsets, so they were in need of a quick fix.
Tomi Engdahl says:
https://pages.checkpoint.com/mobile_security_report_2021.html
Tomi Engdahl says:
Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack
https://www.securityweek.com/codecov-bash-uploader-dev-tool-compromised-supply-chain-hack
Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.
“On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Codecov said.
https://docs.codecov.io/docs/about-the-codecov-bash-uploader
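The compromise went unnoticed because the uploader was fetched and executed as-is on every run. As an added example (not Codecov’s own code or its recommended procedure), this is the gate a pipeline can put in front of such a script: compare the fetched copy’s SHA-256 with a digest pinned out of band, and when it differs, report exactly which lines changed relative to the last reviewed copy. Both scripts and the pinned digest are constructed sample data; the inserted line is a harmless placeholder standing in for whatever an attacker might add.

```python
"""Verify a fetched CI helper script against a pinned digest before running it.

Added example: a pipeline that pins the digest of the reviewed script and
refuses to execute a fetched copy that does not match. On mismatch it shows
the changed lines so the reviewer sees what was inserted or removed.
"""
import difflib
import hashlib
import hmac

# Constructed: the copy that was reviewed earlier and whose digest was pinned.
KNOWN_GOOD = """#!/bin/bash
# (constructed) minimal coverage uploader
set -e
upload_reports() {
  curl -sS -X POST -F "report=@coverage.xml" "$UPLOAD_URL"
}
upload_reports
"""

# Constructed: the same script with one unexpected command inserted before
# the final call (a stand-in for a tampered copy; the command is a placeholder).
TAMPERED = KNOWN_GOOD.replace(
    "upload_reports\n",
    "# (constructed) unexpected command inserted between review and run\n"
    "unexpected_extra_command\n"
    "upload_reports\n",
)

# In a real pipeline this value comes from a reviewed, version-controlled
# pin file, never from the same server that serves the script.
PINNED_SHA256 = hashlib.sha256(KNOWN_GOOD.encode()).hexdigest()


def sha256_hex(text):
    """Hex SHA-256 of the script text as it would be written to disk."""
    return hashlib.sha256(text.encode()).hexdigest()


def verify_pinned(script_text, pinned_hex):
    """True only if the fetched script matches the pinned digest exactly."""
    return hmac.compare_digest(sha256_hex(script_text), pinned_hex)


def changed_lines(known_good, fetched):
    """Lines added (+) or removed (-) in the fetched copy versus the reviewed one."""
    diff = difflib.unified_diff(
        known_good.splitlines(), fetched.splitlines(),
        fromfile="known-good", tofile="fetched", lineterm="", n=0,
    )
    return [
        line for line in diff
        if line[:1] in "+-" and not line.startswith(("+++", "---"))
    ]


def gate(script_text, pinned_hex, known_good):
    """Decide whether the script may run: (True, []) or (False, changed lines)."""
    if verify_pinned(script_text, pinned_hex):
        return True, []
    return False, changed_lines(known_good, script_text)


if __name__ == "__main__":
    for label, text in (("reviewed copy", KNOWN_GOOD), ("tampered copy", TAMPERED)):
        ok, report = gate(text, PINNED_SHA256, KNOWN_GOOD)
        print(f"{label}: {'run' if ok else 'REFUSE'}")
        for line in report:
            print("   ", line)
```

Updating the pin is a deliberate review step: someone reads the new upstream copy, then commits the new digest alongside the pipeline definition.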
Tomi Engdahl says:
Domain Name Security Neglected by U.S. Energy Companies: Report
https://www.securityweek.com/domain-name-security-neglected-us-energy-companies-report
A majority of the largest energy companies in the United States appear to have neglected the security of their domain names, according to CSC, a firm that specializes in securing online assets.
The Biden administration is concerned about potentially damaging cyberattacks aimed at the country’s critical infrastructure, and it’s taking steps to help electric utilities, water treatment plants and other industries protect their systems.
Data collected by CSC last week shows that nearly 80 percent of the top U.S. energy organizations are at risk of cyberattacks targeting their DNS and internet domain names. The data covers the 30 biggest U.S. companies (by market capitalization) that produce and deliver energy.
Specifically, CSC found that nearly 80% of energy firms don’t use registry locks, which can prevent domain name hijacking and unauthorized changes to DNS. More than two-thirds of the analyzed domains are registered with consumer-grade registrars instead of enterprise-grade registrars, which typically provide better security.
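The registry-lock check CSC describes can be approximated from WHOIS data: a registry lock shows up as the three server-side EPP status codes, while a registrar lock only sets the client-side ones. The following Python is an added example, not CSC's or the article's code; the domain names and WHOIS records are constructed.

```python
import re
from dataclasses import dataclass

# EPP status codes that only the registry can set. All three together is the
# usual signature of a registry lock: changes need an out-of-band process at
# the registry, so a hijacked registrar account alone cannot alter the domain.
REGISTRY_LOCK_STATUSES = frozenset({
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
})
# The registrar-side equivalents ("registrar lock"): anyone who controls the
# registrar account can remove these, which is the weakness CSC points at.
REGISTRAR_LOCK_STATUSES = frozenset({
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
})

# Matches lines such as "Domain Status: clientTransferProhibited https://icann.org/epp#..."
STATUS_LINE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)


@dataclass(frozen=True)
class LockAssessment:
    domain: str
    statuses: frozenset
    registry_locked: bool
    registrar_locked: bool
    missing_registry_statuses: tuple


def parse_statuses(whois_text: str) -> frozenset:
    """Return the set of EPP status codes present in a WHOIS response."""
    return frozenset(m.group(1) for m in STATUS_LINE.finditer(whois_text))


def assess_lock(domain: str, whois_text: str) -> LockAssessment:
    """Classify a domain as registry-locked, registrar-locked, or neither."""
    statuses = parse_statuses(whois_text)
    return LockAssessment(
        domain=domain,
        statuses=statuses,
        registry_locked=REGISTRY_LOCK_STATUSES <= statuses,
        registrar_locked=REGISTRAR_LOCK_STATUSES <= statuses,
        missing_registry_statuses=tuple(sorted(REGISTRY_LOCK_STATUSES - statuses)),
    )


def summarize(assessments):
    """Count domains without a registry lock, the figure CSC reports as ~80%."""
    unlocked = [a.domain for a in assessments if not a.registry_locked]
    return len(unlocked), len(assessments), unlocked


# Constructed sample WHOIS output for two hypothetical domains (not real data).
SAMPLE_WHOIS = {
    "locked-utility.example": """\
Domain Name: LOCKED-UTILITY.EXAMPLE
Registrar: Example Enterprise Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
""",
    "unlocked-pipeline.example": """\
Domain Name: UNLOCKED-PIPELINE.EXAMPLE
Registrar: Example Consumer Registrar, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
""",
}


def main():
    results = [assess_lock(d, text) for d, text in SAMPLE_WHOIS.items()]
    for r in results:
        state = "registry lock" if r.registry_locked else (
            "registrar lock only" if r.registrar_locked else "no lock")
        print(f"{r.domain}: {state}; missing {r.missing_registry_statuses}")
    unlocked, total, names = summarize(results)
    print(f"{unlocked}/{total} domains lack a registry lock: {names}")


if __name__ == "__main__":
    main()
```

Running the assessment over a list of domains owned by an organisation gives a quick inventory of which ones still rely on registrar-side protection alone.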
Tomi Engdahl says:
Huge upsurge in DDoS attacks during pandemic
https://blog.malwarebytes.com/reports/2021/04/huge-upsurge-in-ddos-attacks-during-pandemic/
Tomi Engdahl says:
Broken trust: Lessons from Sunburst
https://www.atlanticcouncil.org/in-depth-research-reports/report/broken-trust-lessons-from-sunburst/
The story of trust is an old one, but the Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace. The compromise of SolarWinds, part of the wider Sunburst campaign, has had enormous consequences, but, as supply-chain attacks go, it was not unprecedented, as demonstrated by seven other events from the last decade.
Sunburst was also a significant moment for cloud computing security. The adversary inflicted the campaign’s most dramatic harm by silently moving through Microsoft’s identity software products, including those supporting Office 365 and Azure cloud services, and vacuuming up emails and files from dozens of organizations. The campaign raises concerns about the existing threat model that major cloud service providers Amazon, Microsoft, and Google, utilize for their linchpin services, and the ease with which users can manage and defend these products. For cloud’s “shared responsibility” to work, cloud providers must build technology users can actually defend.
Studying the Sunburst campaign, three overarching lessons become clear.
First, states have compromised sensitive software supply chains before. The role of cloud computing as a target is what takes Sunburst from another in a string of supply-chain compromises to a significant intelligence-gathering coup.
Second, the United States could have done more to limit the harm of this event, especially by better prioritizing risk in federal technology systems, by making the targeted cloud services more easily defensible and capable by default, and by giving federal cybersecurity leaders better tools to adapt and govern their shared enterprise.
Third, Sunburst was a failure of strategy much more than it was just an IT risk-management foul-up or the success of a clever adversary.
The United States government continues to labor under a regulatory model for software security that does not match the ways in which software is built, bought, or deployed. Adding vague new secure development standards to an already overbuilt system of unmet controls and overlapping committees is not a recipe for success.
Meanwhile, industry is struggling to architect its services to simultaneously and effectively defend against the latest threats, account for overlapping government requirements, and remain competitive—especially in the market for cloud services.
Observers should recognize Sunburst as part of a disturbing trend: an ongoing intelligence contest between the United States and its adversaries in which the United States is giving up leverage due to technical insecurity, deficient policy response, and a shortfall in strategy. The response to Sunburst must lead to meaningful action from both industry and the policymaking community to improve the defensibility of the technology ecosystem and position the United States and its allies to compete more effectively in this intelligence contest.
Tomi Engdahl says:
The EU is considering a ban on AI for mass surveillance and social credit scores
Leaked regulation suggests strong new laws on AI uses
https://www.theverge.com/2021/4/14/22383301/eu-ai-regulation-draft-leak-surveillance-social-credit
The European Union is considering banning the use of artificial intelligence for a number of purposes, including mass surveillance and social credit scores. This is according to a leaked proposal that is circulating online, first reported by Politico, ahead of an official announcement expected next week.
Tomi Engdahl says:
https://www.usni.org/magazines/proceedings/2021/april/navy-needs-real-cyber-warfare-community
Tomi Engdahl says:
Robots, worms and satellites: How do you fight a cyberwar?
Total meltdown or death by a thousand hacks – how bad could a cyberwar get? And where is the line between espionage and all-out attack?
https://www.smh.com.au/national/robots-worms-and-satellites-how-do-you-fight-a-cyberwar-20210407-p57ha5.html
On the morning of June 27, 2017, it seemed as if Ukraine had slipped back in time and into the wrong century – almost nothing worked. Not the ATMs, the trains, the airports, the television stations. Even the radiation monitors at the old Chernobyl nuclear plant were down.
Ukraine, in the midst of a long and undeclared war with Russia, had been hit by mysterious blackouts before but this was eating through computer networks at a terrifying pace, turning screens dark across the country.
And it seemed to be spreading further than intended, out through Europe and around the globe, paralysing hospitals and companies from London to Denver, even the Cadbury chocolate factory in Tasmania, and bringing swathes of the world’s shipping to a halt. By the time the culprit – a wild variant of malicious computer code (or worm) known as NotPetya – was stopped hours later, it had looped back into Russia, where it originated, and racked up about $US10 billion ($12.9 billion) in damage worldwide, making it the most expensive cyber attack to date.
No one died but the world had been given a glimpse of a new reality, beyond cyber espionage or sabotage. This was cyberwar.
Today, cyber weapons feature in the opening moments of most countries’ war plans, but they are deployed in peacetime, too, and the line between espionage, vandalism and outright attack is far from clear.
So what would happen if the skirmishes of cyberspace did break out into real-world death and destruction? When is a hack a declaration of war? How vulnerable is Australia to the kind of attack that knocked the lights out in Ukraine? And is there a way to keep the great cyber powers in check?
What is cyberwarfare anyway?
In 1993, just two years after the worldwide web first sparked to life, a US think tank warned “Cyberwar is coming!” It was right, in a sense, but exactly what that means can be hard to pin down.
In 2009, the world’s first such digital weapon was unleashed on a foreign state – a “worm” built by the US and Israel that became known as Stuxnet. Its target was Iran. At 15,000 lines of code, Stuxnet was designed to do more than steal data or crash computers. Like any good spy, it learnt and it lay in wait, feeding false information into the safety sensors at an Iranian uranium enrichment plant until one day it sent the site’s centrifuges into an unstoppable, destructive spin. The plant was so damaged it set back Iran’s nuclear program by months, likely years.
Only Stuxnet didn’t disappear as planned; it got out, infecting thousands of machines across the world. While the worm is now dormant, programmed to come to life only in specific conditions (such as arriving on software at an Iranian nuclear facility), this military-grade weapon has been out in the open, in the hands of security experts, rival states and criminals ever since. And experts say the game has only become more dangerous.
Stuxnet itself likely prevented real war, blunting Israel’s perceived need for a military strike against Iran. (And, a decade later, the Trump administration called off a planned strike on Iran in favour of a cyber attack.)
NotPetya hit during an actual physical invasion too – Russian troops (and bikie gangs) had already been sent into Ukraine without military insignia to seize Crimea and sow violence. Likewise in the former Soviet republic of Georgia in 2008, cyber attacks seemed to hit towns just ahead of Russian soldiers arriving to back pro-Russian separatists.
The year before, when Estonia, one of the most wired nations in the world, was unplugged, it went to NATO for help.
But the world did not see a direct military retaliation to a cyber attack until Israel bombed a building linked to Hamas hackers in Gaza in 2019.
Ukraine has become Russia’s testing ground for cyber weapons, as Taiwan is now for China
Indeed, unlike regular weapons, cyber has become a tempting way for smaller nations to show their teeth without invoking devastating counterstrikes. Just nine countries have nuclear weapons but most have state-sponsored hackers. That means attacks can come from almost anywhere and, as many experts warn, could steer dangerously out of control.
“We are where we were with aeroplanes at the end of the First World War,” Sanger says. “It’s still mostly used for [surveillance] but the weapon is there.”
And, once that line is crossed and countries are at war, then cyberspace, just like air, land, sea and space, becomes another domain in which to take out the enemy.
When do shots fired online count as acts of war?
After the cyber attacks on Estonia, dubbed Web War I, the question of what constitutes an armed attack in the digital age became live. Through NATO, academics drafted the Tallinn Manual, named for Estonia’s capital, to lay out how international laws of war might apply to cyberspace.
In cyberspace, he says, countries are still very much feeling out those boundaries. Under the laws set out in the Geneva Conventions and other treaties, blowing up a rival nation’s battleship is clearly warfare. “But suppose I take my ones and my zeroes [of computer code] and I manipulate your battleship’s systems until it’s damaged, or it blows up,” Stephens says. “At what point then am I crossing the line?”
Is the malicious code that both Russia and the US now implant in each other’s power grids, for example, just routine surveillance or the first act of a devastating strike? What if the pacemaker of a foreign leader was hacked or the medical records of soldiers mixed up? Even social media itself can be weaponised to gain a military advantage.
During the 2014 Islamic State campaign in Iraq, a carefully orchestrated jihadist storm online
“Most people can agree on the big stuff that’s crossing the line. But then there’s the stuff just below, where they’re using our systems against us in a kind of information war that [fractures] a state; that can be as threatening as destroying those systems entirely. Some of what’s going on may already be a use of force [under international law]. But what’s a proportional response? … Even the Tallinn Manual is still just recommendations.”
“There are some things below an armed attack [in the law] which are still nasty,”
Years on from the Estonia hack, NATO now says it will invoke Article 5 in the event of a serious cyber assault against an ally (the mode of retaliation depending on the severity). In 2019, Australia solidified its own position: when a cyber attack poses an imminent risk of damage equivalent to a traditional armed attack, such as significant loss of life or critical infrastructure, then a country should be able to defend itself. France and Denmark have spoken of their right to sovereignty, not just safety, in cyberspace.
While Western democracies remain unlikely to retaliate in a way that would risk civilian lives, the US has left the door open to taking some extraordinary steps, even nuclear ones, against a serious cyber attack
It’s part of a modern “defend forward” strategy on cyber, which Australia, as a member of the Five Eyes intelligence alliance, is also following to some degree.
Austin explains: “That means if China or Russia are persistently trying to penetrate our systems we’re going to stop them even if it means going into theirs.”
America is still considered to have the most advanced cyber capabilities in the world. But China, Russia, Israel, Britain, even Iran and North Korea, also have formidable cyber armies
Still, some countries are noisier than they are effective, Uren says. “Often a really great, well-executed operation you don’t know about.”
Russia, North Korea and Iran are conspicuous in cyberspace for the same reasons they are on the world stage: shows of force. Here they use digital weapons not just for espionage and war but political point-scoring, even harassment.
Remember North Korea’s attack on US movie studio Sony Pictures in 2014
“Look at what our adversaries are doing,” Austin says. “You see our big government departments starting to uplift their security and still only put in a moderate performance. And they’re only transparent [about attacks] when it suits them.”
Overall, Austin says, the West (specifically the US) is winning the cyber battle. “The broad narrative that China is winning is really a gross exaggeration; their cyber defences are weak,” he says. “And we never hear of all the times the West successfully hits them or Russia.”
How likely is a cyberwar and how bad could it get?
To get a full-scale cyberwar, where nations are actively unplugging their enemies, experts say the world would have to be either already on the brink – or an attack would have to spiral rapidly out of control, into something interpreted as a clear act of war. Uren imagines it would take a big attack “something with the impact of [almost a] 9/11 where you had mass casualties, not just mass destruction of IT systems.”
We haven’t seen that yet.
“Even calling an attack warfare means you have to respond,” Uren says.
Stephens says the greatest threat may come from attacks above, with cyberspace increasingly connected to satellites. GPS doesn’t just help you find where you’re driving
“We’ve just woken up to this vulnerability.”
Austin agrees the marriage of AI with weaponry could ratchet up the stakes in the coming years.
Could we have cyber peace? What about mutually assured destruction?
In his 2018 book The Perfect Weapon, Sanger warns that the current cyber arms race is running without the same level of public debate or oversight of the Cold War nuclear age, where mutually assured destruction kept weapons locked away.
“Everything that worked in the nuclear age won’t work for cyber,” he says now. “Deterrence won’t hold.”
The problem is that, in regular warfare, to deter an attack you must either be prepared to retaliate with a worse blow or make your attacker believe their assault was pointless, as your defences are too strong.
Neither is happening in cyberspace. Not only is cyber security weak across the board but nations are reluctant to strike back for fear of tipping cyber conflict closer to real war. They are also, despite the urging of experts, often unwilling to name and shame nations behind attacks.
“Imagine if we got it wrong and [blamed] the wrong country,” says Coyle.
In the shadows of cyberspace, states do not attack with national flags raised. To cover their tracks, they might even outsource hacks to criminals or cowboy civilians. Or an attack could be staged to look like ransomware
Sanger and others argue that the world now needs a digital Geneva Convention to rein in this Wild West– keeping civilian targets such as hospitals and power grids off limits in a kind of “cyber no fly zone”.
Austin says existing international law covers cyberspace in a sense but he agrees there are still critical questions to answer about how it can be applied.
“So you can’t bomb a hospital but you could disable its computer systems so people will die. For most people, that should break [rules of war] too.”
“The problem is people are not deadly terrified of the consequences of cyber. We either have to get better at defending ourselves or make the consequences worse for attackers.”
What worries Coyle most is what she can’t see coming. “What’s out there that we’re not tracking? Has something been laid already?
“On the whole, technology has made our lives better. There hasn’t been some existential hit to our society, there hasn’t been a catastrophe. At least, not yet.”
Tomi Engdahl says:
IBM: 44 Organizations Targeted in Attacks Aimed at COVID-19 Vaccine Cold Chain
https://www.securityweek.com/ibm-44-organizations-targeted-attacks-aimed-covid-19-vaccine-cold-chain
More than 40 organizations have been targeted in a global campaign focused on the COVID-19 vaccine cold chain infrastructure, which handles the distribution of vaccines and their storage at the required temperatures.
Following an initial report in December 2020, IBM Security X-Force now reveals that the number of affected organizations is higher compared to the previous assessment. A total of 44 organizations in 14 countries were targeted.
Operating in Europe, North America, South America, Africa, and Asia, the targeted entities are key organizations involved in the transportation, warehousing, storage, and distribution of COVID-19 vaccines.
The attacks involved the use of spear-phishing emails impersonating an executive from Chinese biomedical company Haier Biomedical. According to IBM, which has identified 50 files associated with the attacks, the threat actor has exceptional knowledge of the cold chain.
“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” IBM says.
Tomi Engdahl says:
Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy
https://www.securityweek.com/google-project-zero-announces-2021-updates-vulnerability-disclosure-policy
Google’s Project Zero cybersecurity research unit on Thursday announced that it’s making some changes to its vulnerability disclosure policies, giving users 30 days to install patches before disclosing the technical details of a flaw.
Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020. Until now, if Project Zero researchers found a security hole in a product, it was disclosed after exactly 90 days, regardless of when a patch was released or whether a patch was available at all. The impacted vendor could request a 14-day grace period and disclosure could happen earlier based on a mutual agreement.
For 2021, the disclosure deadline of 90 days remains unchanged, but if the vulnerability is patched within that 90-day timeframe, technical details will only be made public 30 days after the release of a fix, to give users time to install the patch. The 14-day grace period can still be requested by the vendor.
In the case of actively exploited vulnerabilities, technical details have been disclosed 7 days after the initial report, even if the bug hasn’t been fixed, and vendors could not request a grace period before disclosure.
Starting now, if the vendor manages to patch the vulnerability within 7 days, technical details will only be disclosed 30 days after the fix is released. The goal is to give users more time to install the patch and avoid scenarios where other threat actors could use the disclosed information for their attacks. In addition, vendors will be able to request a 3-day grace period for vulnerabilities exploited in the wild.
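The 2020 and 2021 rules above can be written down as a small date calculator; this Python is an added illustration, not code from the article or from Project Zero. The numbers are the ones the article gives; how a requested grace period combines with the 30-day post-fix delay is an assumption made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadline figures as summarized in the article above.
STANDARD_DEADLINE_DAYS = 90   # regular bugs
STANDARD_GRACE_DAYS = 14      # vendor may request this extension
ITW_DEADLINE_DAYS = 7         # bugs already exploited in the wild
ITW_GRACE_DAYS = 3            # new in 2021
POST_FIX_DELAY_DAYS = 30      # new in 2021: wait this long after a fix ships


@dataclass(frozen=True)
class DisclosurePlan:
    deadline: date      # last day the vendor has to ship a fix
    disclosure: date    # day technical details become public
    reason: str


def plan_disclosure(reported: date, fixed: Optional[date] = None, *,
                    in_the_wild: bool = False, grace_requested: bool = False,
                    policy_year: int = 2021) -> DisclosurePlan:
    """Compute the disclosure date under the 2020 or 2021 Project Zero rules.

    Assumption (not stated in the article): a granted grace period extends
    the deadline, and under 2021 a fix landing inside the extended deadline
    still gets the 30-day post-fix delay.
    """
    if policy_year not in (2020, 2021):
        raise ValueError("policy_year must be 2020 or 2021")
    window = ITW_DEADLINE_DAYS if in_the_wild else STANDARD_DEADLINE_DAYS
    if grace_requested:
        if in_the_wild and policy_year == 2020:
            raise ValueError("2020 policy: no grace period for in-the-wild bugs")
        window += ITW_GRACE_DAYS if in_the_wild else STANDARD_GRACE_DAYS
    deadline = reported + timedelta(days=window)

    fixed_in_time = fixed is not None and reported <= fixed <= deadline
    if policy_year == 2020:
        # 2020: details published at the deadline regardless of fix timing.
        return DisclosurePlan(deadline, deadline, "2020 policy: disclosed at the deadline")
    if not fixed_in_time:
        # 2021, no fix in time: details still published at the deadline.
        return DisclosurePlan(deadline, deadline, "2021 policy: unfixed at the deadline")
    # 2021, fixed in time: users get 30 days to patch before details go public.
    return DisclosurePlan(deadline, fixed + timedelta(days=POST_FIX_DELAY_DAYS),
                          "2021 policy: 30 days after the fix")


if __name__ == "__main__":
    reported = date(2021, 4, 15)   # constructed dates for illustration
    for label, kwargs in [
        ("regular, fixed on day 16", dict(fixed=date(2021, 5, 1))),
        ("regular, fixed on day 16, 2020 rules", dict(fixed=date(2021, 5, 1), policy_year=2020)),
        ("in the wild, fixed on day 5", dict(fixed=date(2021, 4, 20), in_the_wild=True)),
        ("in the wild, fixed on day 10, no grace", dict(fixed=date(2021, 4, 25), in_the_wild=True)),
        ("in the wild, fixed on day 10, 3-day grace",
         dict(fixed=date(2021, 4, 25), in_the_wild=True, grace_requested=True)),
    ]:
        plan = plan_disclosure(reported, **kwargs)
        print(f"{label}: deadline {plan.deadline}, disclosure {plan.disclosure} ({plan.reason})")
```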
Tomi Engdahl says:
How the Kremlin Provides a Safe Harbor for Ransomware
https://www.securityweek.com/how-kremlin-provides-safe-harbor-ransomware
A global epidemic of digital extortion known as ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up. Law enforcement has been largely powerless to stop it.
One big reason: Ransomware rackets are dominated by Russian-speaking cybercriminals who are shielded — and sometimes employed — by Russian intelligence agencies, according to security researchers, U.S. law enforcement, and now the Biden administration.
On Thursday, as the U.S. slapped sanctions on Russia for malign activities including state-backed hacking, the Treasury Department said Russian intelligence has enabled ransomware attacks by cultivating and co-opting criminal hackers and giving them safe harbor. With ransomware damages now well into the tens of billions of dollars, former British intelligence cyber chief Marcus Willett recently deemed the scourge “arguably more strategically damaging than state cyber-spying.”
Tomi Engdahl says:
Five signs ransomware is becoming an industry
https://www.kaspersky.com/blog/darkside-ransomware-industry/39377/
With a website that looks like it could represent an online service provider, DarkSide Leaks makes us wonder what cybercriminals’ other PR tricks might be. Not content with its innovative victim-pressuring tactics, the DarkSide ransomware gang has forged ahead with DarkSide Leaks, a professional-looking website that could well be that of an online service provider, and is using traditional marketing techniques. What follows are the five most illustrative examples of one gang’s transformation from an underground criminal group to an enterprise.
Tomi Engdahl says:
Google backs new security standard for smartphone VPN apps
https://www.zdnet.com/article/google-backs-new-security-standard-for-smartphone-vpn-apps/
The Internet of Secure Things Alliance, an IoT security certification body (a.k.a. ioXt), has launched a new security certification for mobile apps and VPNs. The new ioXt compliance program includes a ‘mobile application profile’, a set of security-related criteria against which apps can be certified. The profile or mobile app assessment includes additional requirements for virtual private network (VPN) applications.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12030-microsoft-jatkaa-kyberrikollisten-suosikkisyottina
Tomi Engdahl says:
https://www.securityweek.com/fcc-focus-efforts-5g-software-and-cloud-service-vulnerabilities
Tomi Engdahl says:
Europol Report Highlights Pandemic’s Effect on Cybercrime
https://www.securityweek.com/europol-report-highlights-pandemics-effect-cybercrime
Tomi Engdahl says:
The VC View: Data Security – Deciphering a Misunderstood Category
https://www.securityweek.com/vc-view-data-security-deciphering-misunderstood-category
Tomi Engdahl says:
Creating Cyber Resilience Through Training
https://www.securityweek.com/creating-cyber-resilience-through-training
Understanding Cyber Security Effectiveness
Boards want to know, the CEO wants to know, the compliance team wants to know, and you want to know: is the security team capable of responding to a cyberattack that can result in a massive data breach or shut down business operations? This question is typically answered in the days and weeks following an attack.
Addressing Staffing Shortages
Given the shortage of experienced cybersecurity professionals, hiring staff is extremely difficult and competitive, and is not an option for some organizations. Nevertheless, CISOs must still find a way to protect their organizations from security threats. One way to address staffing and skills shortages is to build a flexible team through role-based cross-training. Following a military-developed model where each member of a team is trained on and can do the jobs of another member, CISOs can identify proficient cyber-pros in their ranks and cross-train them in other security areas.
Cross-training decisions can be based on weaknesses, process models, role timing, and technology used. The goal is to optimize the roles covered by each team member at each stage in the process, so no one is left without a function to perform at any time during an incident.
Improving Hiring Processes
When recruiting external resources is the only option, organizations should look for ways to improve the hiring process. With the current skills shortage in cybersecurity, most available candidates are likely to be recent graduates or individuals that have completed a basic security certification program. Both types of candidates are likely to lack the operational skills required to effectively perform the functions of the role for which they are hired. Some may even lack the aptitude to be trained for a cybersecurity position.
Building Cyber-Team Collaboration
A targeted cyberattack is typically deceptive, sophisticated and multistage. Even the most savvy security organizations with advanced security tools will often have difficulty defending against these. A study by the U.S. Army Research Laboratory’s Cyber and Networked Systems Branch found that without active collaboration and leadership, even a large security team will fail. The study concluded that human collaboration and leadership of cybersecurity teams are essential when responding during a realistic cyber-attack.
Tomi Engdahl says:
SolarWinds Fallout: The Feds Have Problems We Don’t Have
https://www.eetimes.com/solarwinds-fallout-the-feds-have-problems-we-dont-have/
All the cybersecurity providers and researchers I’ve spoken to on this beat tell me every single time, no matter the subject of our conversation, “You can’t defend what you can’t see,” “It’s not a question of if you’ll get hacked but when,” and increasingly “Zero-trust is the [only] way to go: never trust, always verify.”
They also always tell me, as do their reports, that the operational technology (OT) systems and even some IT systems of many commercial organizations — including critical infrastructure — are still unprotected or poorly protected, whether from lack of adequate cybersecurity products and services, or inadequate cybersecurity practices. SolarWinds’ less than even basic cybersecurity hygiene, for example — delegating password management to an intern?! — made it easy for attackers to compromise its Orion IT monitoring software.
Unfortunately, much of this is also true for U.S. government agencies, as we all were made painfully aware of in the wake of the SolarWinds epic hack, with nine federal agencies compromised, including the U.S. Department of Justice. With a new administration taking charge, it looks like changes are coming to the federal government’s cybersecurity tools and practices, for its own use as well as for how it helps protect U.S companies. As it turns out, the feds have problems in implementing cybersecurity that the private sector doesn’t have.
The feds have to multitask
The fact that the Federal Government is expected to protect U.S. companies, as well as its own agencies, and also regulate various sectors makes its task more complicated.
“Federal agencies have a huge set of OT and IT issues similar to commercial operations, but in some ways magnified,” Duncan Greatwood, CEO of cybersecurity provider Xage, told EE Times. “For example, the feds are responsible for regulation issues in organizations like NERC and NIST.” A big part of their own OT and IT systems consists of military installations: a single base can contain thousands of PLCs and other OT systems.
Historically, both public and private sectors traditionally focused on defending their networks’ edge, not securing access via the cloud, and assumed that anyone already in the network probably had the right to be there — the opposite of the emerging zero-trust paradigm. This has been especially true for OT networks, and increasingly for expanding Internet of Things (IoT) and Industrial IoT networks.
Although the feds have invested lots of money in cybersecurity, just last month the United States Government Accountability Office’s biannual report listed “ensuring the cybersecurity of the nation” as a high-risk area that’s regressed since 2019, especially for federal agencies. Why? Because risks have increased in both kind and amount, while the capacity to deal with them, action plans, and monitoring of risks have been met only partially.
The report identifies four major cybersecurity challenges on its to-do list:
a comprehensive cybersecurity strategy and effective oversight
securing federal systems
protecting critical infrastructure; and
protecting privacy and sensitive data
Tomi Engdahl says:
Passwordless: More Mirage Than Reality
https://thehackernews.com/2021/04/passwordless-more-mirage-than-reality.html
The concept of “passwordless” authentication has been gaining significant industry and media attention. And for a good reason. Our digital lives are demanding an ever-increasing number of online accounts and services, with security best practices dictating that each requires a strong, unique password in order to ensure data stays safe. Who wouldn’t want an easier way?
Tomi Engdahl says:
Zero trust, basic cyber hygiene best defence against third-party attacks
https://www.zdnet.com/article/zero-trust-basic-cyber-hygiene-best-defence-against-third-party-attacks/
Rather than entrust third-party suppliers to keep their supply chain secured, organisations should adopt a zero trust security strategy and establish basic cyber hygiene to safeguard their data. Adopting a zero trust security strategy can better safeguard organisations against third-party attacks, where suppliers should not simply be entrusted to do the right thing. In this second piece of a two-part feature, ZDNet looks at how businesses in Asia-Pacific can establish basic cyber hygiene as well as better data management to combat attacks from across their supply chain.
Tomi Engdahl says:
They Hacked McDonald’s Ice Cream Machines—and Started a Cold War
Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines—and how the fast-food giant froze them out.
https://www.wired.com/story/they-hacked-mcdonalds-ice-cream-makers-started-cold-war/#intcid=_wired-right-rail_863859d3-a10e-4489-94ab-e5698c746d05_popular4-1-reranked-by-vidi
Press the cone icon on the screen of the Taylor C602 digital ice cream machine, he explains, then tap the buttons that show a snowflake and a milkshake to set the digits on the screen to 5, then 2, then 3, then 1. After that precise series of no fewer than 16 button presses, a menu magically unlocks. Only with this cheat code can you access the machine’s vital signs: everything from the viscosity setting for its milk and sugar ingredients to the temperature of the glycol flowing through its heating element to the meanings of its many sphinxlike error messages.
“No one at McDonald’s or Taylor will explain why there’s a secret, undisclosed menu,” O’Sullivan wrote in one of the first, cryptic text messages I received from him earlier this year.
As O’Sullivan says, this menu isn’t documented in any owner’s manual for the Taylor digital ice cream machines that are standard equipment in more than 13,000 McDonald’s restaurants across the US and tens of thousands more worldwide. And this opaque user-unfriendliness is far from the only problem with the machines, which have gained a reputation for being absurdly fickle and fragile. Thanks to a multitude of questionable engineering decisions, they’re so often out of order in McDonald’s restaurants around the world that they’ve become a full-blown social media meme. (Take a moment now to search Twitter for “broken McDonald’s ice cream machine” and witness thousands of voices crying out in despair.)