Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before the year 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
The state of internet security in 2020 was hard. The trends that stormed last year will continue long into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, these days it’s rather ‘bring your own office’.
2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lesson.
Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks that exploit contemporary issues, and continued frequent and significant data breaches. I can pretty much agree on those. Cybersecurity must adapt to counter new threats in a transformed world.
The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization, and stagnation. Naturally, the world is moving ahead. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”
In 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments (WAN, multi-cloud, data center, remote worker, IoT, and more), each with its unique risks.
DDoS attacks: big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid in bitcoin by a deadline, but victims are being urged not to give in to the demands.
One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, and then they threaten to publish your most secret data for others to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.
Modern cybercrime is becoming increasingly open-sourced: some of the most sophisticated and notorious cybercriminals already use open-source tools to conduct their criminal activities, and this will increase.
Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and whether the people who answered the survey really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.
The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands, and it’s only getting worse: while cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to the cloud, so we need more people who know both security and cloud: The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).
The Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.
Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.
A new version of OWASP Top-10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, so that everyone is able to reproduce the results, and presents it to the entire community for feedback.
The Privacy is an illusion. But that’s a good thing article says that everyone’s information is available; it doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.
The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech-sounding issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.
The Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs, requiring vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens and ENISA Publishes Guidelines on Securing the IoT Supply Chain.
7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.
IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.
2,204 Comments
Tomi Engdahl says:
Today’s Security Trap: Increasing Spending but Not Efficacy
https://www.securityweek.com/todays-security-trap-increasing-spending-not-efficacy
Many organizations assume that once security controls are put in place, they will be effective indefinitely
Tomi Engdahl says:
NSA Issues Guidance on Securing IT-OT Connectivity
https://www.securityweek.com/nsa-issues-guidance-securing-it-ot-connectivity
The U.S. National Security Agency (NSA) last week released a cybersecurity advisory focusing on the security of operational technology (OT) systems, particularly in terms of connectivity to IT systems.
The NSA’s advisory, titled “Stop Malicious Cyber Activity Against Connected Operational Technology,” is specifically addressed to the Department of Defense, national security system (NSS) and defense industrial base organizations, but the recommendations can be useful to any industrial company.
The advisory shares recommendations for evaluating risks and improving the security of connections between IT systems — these can often serve as an entry point into industrial networks — and OT systems.
“Each IT-OT connection increases the potential attack surface,” the NSA said. “To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible.”
https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF
Tomi Engdahl says:
The Anti-Fraud Lifecycle
https://www.securityweek.com/anti-fraud-lifecycle
It is a known fact that cybercriminals choose the path of least resistance. Naturally, easy cashout methods with good returns are much more favorable than methods that are high risk, complicated or yield small profits. While this is not the only factor in determining how much fraud is committed through a certain vector (for example, it takes time for cashout methods to become public knowledge in cybercriminal circles and thus become widely adopted), it is a major aspect.
If a certain financial institution is dramatically more targeted than its counterparts by cybercriminals, it is usually because it is the easiest prey. If fraudsters find a way to reliably circumvent anti-fraud measures (i.e. the bank automatically approves all transactions under a certain sum), or in more rare instances, a vulnerability in the processing parameters, criminals will set their sights on that particular bank.
The dynamic digital world provides criminals with more vectors than ever to commit fraud. The rise of fintech, digital currency and e-commerce solutions have opened up new cashout methods and enabled fraudsters to diversify fraud, extending their work to more than carding and online banking.
While it makes sense that P2P payments and e-commerce solutions would attract fraud, innovative fraudsters find opportunities in new industries and vectors. The major benefit of targeting such industries is that while financial and e-commerce services are built with fraud prevention in mind, the targeted industries are less prepared.
Tomi Engdahl says:
Kyle Wiggers / VentureBeat:
Microsoft open sources Counterfit, an AI security risk assessment tool that comes preloaded with algorithms that can be used to evade and steal AI models — — Microsoft today open-sourced Counterfit …
Microsoft open-sources Counterfit, an AI security risk assessment tool
https://venturebeat.com/2021/05/04/microsoft-open-sources-counterfit-an-ai-security-risk-assessment-tool/
Microsoft today open-sourced Counterfit, a tool designed to help developers test the security of AI and machine learning systems. The company says that Counterfit can enable organizations to conduct assessments to ensure that the algorithms used in their businesses are robust, reliable, and trustworthy.
AI is being increasingly deployed in regulated industries like health care, finance, and defense. But organizations are lagging behind in their adoption of risk mitigation strategies. A Microsoft survey found that 25 out of 28 businesses indicated they don’t have the right resources in place to secure their AI systems, and that security professionals are looking for specific guidance in this space.
AI security risk assessment using Counterfit
https://www.microsoft.com/security/blog/2021/05/03/ai-security-risk-assessment-using-counterfit/
Today, we are releasing Counterfit, an automation tool for security testing AI systems as an open-source project. Counterfit helps organizations conduct AI security risk assessments to ensure that the algorithms used in their businesses are robust, reliable, and trustworthy.
AI systems are increasingly used in critical areas such as healthcare, finance, and defense. Consumers must have confidence that the AI systems powering these important domains are secure from adversarial manipulation. For instance, one of the recommendations from Gartner’s Top 5 Priorities for Managing AI Risk Within Gartner’s MOST Framework published in Jan 2021 is that organizations “Adopt specific AI security measures against adversarial attacks to ensure resistance and resilience,” noting that “By 2024, organizations that implement dedicated AI risk management controls will successfully avoid negative AI outcomes twice as often as those that do not.”
However, performing security assessments of production AI systems is nontrivial. Microsoft surveyed 28 organizations, spanning Fortune 500 companies, governments, non-profits, and small and medium sized businesses (SMBs), to understand the current processes in place to secure AI systems. We found that 25 out of 28 businesses indicated they don’t have the right tools in place to secure their AI systems and that security professionals are looking for specific guidance in this space.
Tomi Engdahl says:
Speech protection systems
https://www.endoacustica.com/speech-protection-system.php
Protect your private meeting against unauthorized listening devices, keep your conversations confidential with devices designed to Protect Private Conversations against unauthorized wiretapping in your meeting room and conference room.
Tomi Engdahl says:
Goodbye again, Flash—Microsoft makes removal from Windows 10 mandatory
Windows “Update for Removal of Adobe Flash Player” becomes mandatory this July.
https://arstechnica.com/gadgets/2021/05/microsoft-will-remove-adobe-flash-from-windows-10-this-summer/
Tomi Engdahl says:
Enisa: How to Secure the Connected & Automated Mobility (CAM) Ecosystem https://www.enisa.europa.eu/news/enisa-news/how-to-secure-the-connected-automated-mobility-cam-ecosystem
The recommendations issued contribute to the improvement and harmonisation of cybersecurity in the CAM ecosystem in the European Union.
Tomi Engdahl says:
Red Hat Open-Sourcing StackRox Security Technology
https://www.securityweek.com/red-hat-open-sourcing-stackrox-security-technology
Red Hat this week announced that it’s taking the first steps towards open-sourcing the StackRox container security product for Kubernetes.
Announced only months after Red Hat bought StackRox, the new StackRox community project follows the organization’s business model of providing open source enterprise solutions.
The upstream project will “work to open source and manage the code that powers Red Hat Advanced Cluster Security for Kubernetes,” which offers Kubernetes-native security for all those using Red Hat OpenShift, and to various public cloud Kubernetes services.
Open-sourcing StackRox is expected to provide a wider set of choices to users looking to keep Kubernetes environments protected, and should also drive further product developments.
“Once up and running, the StackRox project will enable users to address major security use cases across the application lifecycle, including visibility, vulnerability management, configuration management, network segmentation, compliance, threat detection and incident response, as well as risk profiling,” Red Hat says.
https://www.redhat.com/en/blog/introducing-open-source-stackrox-community
Tomi Engdahl says:
States Push Back Against Use of Facial Recognition by Police
https://www.securityweek.com/states-push-back-against-use-facial-recognition-police
Law enforcement agencies across the U.S. have used facial recognition technology to solve homicides and bust human traffickers, but concern about its accuracy and the growing pervasiveness of video surveillance is leading some state lawmakers to hit the pause button.
At least seven states and nearly two dozen cities have limited government use of the technology amid fears over civil rights violations, racial bias and invasion of privacy. Debate over additional bans, limits and reporting requirements has been underway in about 20 state capitals this legislative session, according to data compiled by the Electronic Privacy Information Center.
Lawmakers say they want to give themselves time to evaluate how and why the technology is being used.
“I think people are just freaked out, and rightfully so, about this technology,” said Freddy Martinez, director of Lucy Parsons Labs, a Chicago nonprofit that specializes in citizens’ digital rights. “It’s one of those rare issues that’s seen bipartisan support, in that nobody wants to be tracked everywhere they go, especially when you don’t have a choice.”
Tomi Engdahl says:
U.S. Organizations Targeted by New Cybercrime Group With Sophisticated Malware
https://www.securityweek.com/us-organizations-targeted-new-cybercrime-group-sophisticated-malware
A new threat actor that appears to be financially motivated has targeted many organizations in the United States and other countries using several new pieces of malware, FireEye reported on Tuesday.
The threat actor, which does not appear to be linked to other known groups, is tracked by the cybersecurity firm as UNC2529 (UNC stands for uncategorized). The phishing campaign conducted by UNC2529 targeted a wide range of organizations, and involved the use of a sizable command and control (C&C) infrastructure, three sophisticated malware families, and custom lures.
FireEye, whose incident response unit Mandiant observed two attack waves in December 2020, described the group as “experienced and well resourced.” The company spotted 28 targeted organizations in the first wave and believes there were at least 22 in the second wave.
Tomi Engdahl says:
The VC View: Cloud Security and Compliance
https://www.securityweek.com/vc-view-cloud-security-and-compliance
Before talking about innovation and startups though, let’s talk about a brief history of cloud security… especially public cloud. Securing the public cloud is still one of the biggest unanswered questions that folks are working to figure out. Leveraging the public cloud just makes sense: few companies are in the business of running their own data centers, they’re in the business of creating value and solving customer problems. While using (multiple, diverse) public clouds is clear, securing it is another question entirely.
Now, if you take out the datacenter/virtualization-centric vendors calling themselves public cloud solutions, this category was really created a couple of years ago. I give a lot of credit to Palo Alto Networks for calling the space early and showing their interest by acquiring both Redlock & Evident.io in the CSPM space. Then they followed those acquisitions with PureSec, Twistlock, Aporeto and most recently Bridgecrew. A lot of activity since 2018!
Back in 2018, a lot of folks were (and still are) figuring out how to properly configure their public cloud usage. Since public cloud is “public”, configuration matters because everything is inherently internet facing. The layers of controls built in the datacenter world don’t exist in the public cloud so misconfiguration issues (i.e. open S3 buckets) are immediate issues.
At the same time, practitioners were hesitant to move high-risk workloads to public cloud; they had no attestation data from the public cloud vendors. When customers managed their own infrastructure, they could easily grab the context they needed from the servers. In the public cloud world, getting that data for compliance is an unscalable task when servers are shared among multiple customers.
We’re now in 2021, just three years later, and in that time we’ve seen the amount of public cloud compute spend grow from ~$250 billion in 2018 to ~$400 billion this year and continuing to grow linearly to ~$650 billion in 2024 per Gartner.
When we start talking about spending hundreds of billions and at that growth rate, it’s natural to say there is going to be opportunity to help make sure that spend is secure. Hence this category and this column.
In many ways, public cloud problems look similar to legacy data center problems. The biggest causes of security incidents are still the same: misconfiguration, vulnerabilities/missing patches, bad passwords, phishing and insecure code. The biggest difference today is the increased exposure from public cloud and the speed at which organizations seek to move their infrastructure and business software there.
Tomi Engdahl says:
3 Steps to Disrupt Threat Actors Selling Access to Your Environment
https://www.securityweek.com/3-steps-disrupt-threat-actors-selling-access-your-environment
Unmasking a threat actor at an individual level could help you to gain more context, determine why the attack occurred, and quantify future risk
Imagine law enforcement reaches out to a security team to tell them a threat actor is selling employee credentials or private access keys to a sensitive business application. Even though there is no confirmation that these threat actors accessed or stole data, it is very troubling. This type of threat is growing increasingly common in today’s threat landscape. To make sure these types of events don’t become full-blown breaches and damage the company’s reputation, sophisticated enterprises know that they need to take timely action and have visibility outside their perimeter. That action typically consists of external threat hunting, forensics, and the unmasking of the actors using open-source intelligence (OSINT). Successfully attributing the actor goes a long way to determining if the company is the victim of a targeted attack or just a target of opportunity.
However, there are three steps that organizations can follow to ensure confidentiality, integrity, and availability of data systems.
Step 1: Initial Internal and External Triage
Step 2: Remove Unauthorized Access and Identify Damages
Step 3: The Case for Unmasking Attribution
The intelligence, forensics, and execution cycle of an event determined in the previous steps will indicate whether a security incident rises to the level of a breach. If the investigation determines one of the following, then unmasking may be warranted:
1. Sold credentials from an insider
2. Default credentials left in place
3. Account created by the former employee remains active
4. Account not rotated for more than 6 months intentionally or accidentally shared
Over the past decade, attribution was largely focused at a nation-state or actor level, but depending on attack context, it is becoming increasingly important to do attribution at an individual level. Remember, you can only secure what you see.
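The four conditions listed above are all things a directory export can be checked for before anyone is unmasked. The following is an added example, not code from the original article or this comment, that runs such a hygiene audit over a constructed list of accounts: the record fields, the six-month threshold interpreted as 183 days, and the former-employee list are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set

# Assumed threshold: "not rotated for more than 6 months", taken here as 183 days.
ROTATION_MAX_AGE = timedelta(days=183)


@dataclass
class Account:
    """One row of a (constructed) directory or IAM export."""
    name: str
    enabled: bool
    created_by: str            # who provisioned the account
    uses_default_credential: bool
    last_rotated: date         # last password / key rotation


# Constructed sample data, not taken from any real environment.
ACCOUNTS = [
    Account("svc-backup", True, "jdoe", False, date(2021, 3, 1)),
    Account("admin", True, "it-ops", True, date(2020, 1, 15)),
    Account("alice", True, "hr-sync", False, date(2021, 4, 20)),
    Account("old-contractor", False, "jdoe", True, date(2019, 6, 1)),
]
FORMER_EMPLOYEES: Set[str] = {"jdoe"}  # constructed HR leavers list


def audit(accounts: Iterable[Account], former_employees: Set[str], today: date) -> Dict[str, List[str]]:
    """Return {account name: [issues]} for every enabled account that matches one of the
    conditions from the article: default credential in place, created by a former employee,
    or credential older than ROTATION_MAX_AGE. Disabled accounts are skipped because they
    cannot be used for access (they should still be removed separately)."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues: List[str] = []
        if acct.uses_default_credential:
            issues.append("default credential left in place")
        if acct.created_by in former_employees:
            issues.append(f"created by former employee {acct.created_by} and still active")
        age = today - acct.last_rotated
        if age > ROTATION_MAX_AGE:
            issues.append(f"credential not rotated for {age.days} days")
        if issues:
            findings[acct.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, FORMER_EMPLOYEES, date(2021, 5, 7)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Insider-sold credentials (condition 1) cannot be inferred from account metadata alone, which is why the article pairs this kind of internal triage with external threat hunting; the other three conditions are cheap to check on every export and are the ones this script covers.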
Tomi Engdahl says:
Kids in Hong Kong and other highly surveilled states worry infosec careers are just asking for trouble
Asia is already short millions of trainees; expert warns talent pipeline will dry up in response to government snooping
https://www.theregister.com/2021/05/07/asia_ethical_hacking/
Tomi Engdahl says:
Cloud-Native Businesses Struggle with Security
https://www.darkreading.com/cloud/cloud-native-businesses-struggle-with-security/d/d-id/1340940
Almost 60% of companies said they are more worried about security since moving to cloud-native technologies, four times greater than those that said they worry less, according to a survey published last week by security firm Snyk.
Tomi Engdahl says:
Cybersecurity: Don’t blame employees—make them feel like part of the solution
https://www.techrepublic.com/article/cybersecurity-dont-blame-employees-make-them-feel-like-part-of-the-solution/
Scientists find that blaming employees is counterproductive and suggest creating a safe environment for people to admit their mistakes and learn from them. One company already puts that into practice.
Tomi Engdahl says:
Connected Places: new NCSC security principles for ‘Smart Cities’
https://www.ncsc.gov.uk/blog-post/connected-places-new-ncsc-security-principles-for-smart-cities
NCSC Technical Director warns that ‘Connected Places’ will likely be a target for malicious actors. It wasn’t a teenager accidentally taking control of nuclear command and control, or a magic box that can decrypt anything stolen and used by shady Bond villains intent on taking over the world. It was an attack against a city’s centralised traffic management system in the 1969 film ‘The Italian Job’. As part of an elaborate heist, a dodgy computer professor (played by Benny Hill) switches magnetic storage tapes for the Turin traffic control to create a gridlock. Chaos ensues, they blow the bloody doors off, and the thieves escape with the gold.
Tomi Engdahl says:
Joint advisory: Further TTPs associated with SVR cyber actors https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors
The NCSC, CISA, FBI and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise. The NCSC, alongside the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA), has today published a report to provide further details of Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors. SVR cyber actors are known and tracked in open source as APT29, Cozy Bear, and The Dukes. Also:
https://www.bleepingcomputer.com/news/security/russian-state-hackers-switch-targets-after-us-joint-advisories/.
https://www.zdnet.com/article/cybersecurity-warning-russian-hackers-are-targeting-these-vulnerabilities-so-patch-now/
Tomi Engdahl says:
Exposed Azure Storage Containers
https://isc.sans.edu/forums/diary/Exposed+Azure+Storage+Containers/27396/
A couple months ago, we already covered the topic of exposed Azure Blob Storage in two separate ISC diaries, “Exposed Blob Storage in Azure” and “Preventing Exposed Blob Storage in Azure”. The information therein is still relevant and valid, so if you are using Azure Storage, and haven’t read these two diaries yet, please do.
Tomi Engdahl says:
Google will make you use two-step verification to login https://www.theregister.com/2021/05/07/google_password_purge/
Google has marked World Password Day by declaring “passwords are the single biggest threat to your online security,” and announcing plans to automatically add multi-step authentication to its users’ accounts.
A mere eight years after Intel began promoting World Password Day as a way to raise awareness about the importance of strong passwords, Google is ready to wipe them from memory.
Tomi Engdahl says:
New Techniques Emerge for Abusing Windows Services to Gain System Control
https://www.darkreading.com/threat-intelligence/new-techniques-emerge-for-abusing-windows-services-to-gain-system-control/d/d-id/1340948
Several new techniques have become available recently that give attackers a way to abuse legitimate Windows services and relatively easily escalate low-level privileges on a system to gain full control of it. The newer exploits take advantage of the same or similar Windows services capabilities that attackers have abused previously and work on even some of the more recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne.
Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.
Tomi Engdahl says:
How China turned a prize-winning iPhone hack against the Uyghurs https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/
An attack that targeted Apple devices was used to spy on China’s Muslim minority, and US officials claim it was developed at the country’s top hacking competition. In March 2017, a group of hackers from China arrived in Vancouver with one goal: find hidden weak spots inside the world’s most popular technologies. Google’s Chrome browser, Microsoft’s Windows operating system, and Apple’s iPhones were all in the crosshairs. But no one was breaking the law. These were just some of the people taking part in Pwn2Own, one of the world’s most prestigious hacking competitions.
Tomi Engdahl says:
ISPs Funded 8.5 Million Fake Comments Opposing Net Neutrality https://www.wired.com/story/isps-funded-85-million-fake-comments-opposing-net-neutrality/
The secret campaign, backed by major broadband companies, used real people’s names without their consent. The largest internet providers in the US funded a campaign that generated “8.5 million fake comments” to the Federal Communications Commission as part of the ISPs’ fight against net neutrality rules during the Trump administration, according to a report issued Thursday by New York state attorney general Letitia James.
Tomi Engdahl says:
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
Truesec has documented how Russian ransomware gangs profit from being left alone by Russian law enforcement, but connections seem to go even deeper. In October 2020, the Russian-based threat actor known as Evil Corp conducted a ransomware attack against a major corporation. The attack vector to gain initial access was a drive-by compromise: a legitimate website was compromised and visitors to the website were prompted to download a fake Chrome update; a ZIP file, containing a JavaScript file.
Tomi Engdahl says:
Who is Probing the Internet for Research Purposes?
https://isc.sans.edu/forums/diary/Who+is+Probing+the+Internet+for+Research+Purposes/27400/
Shodan is one of the most familiar sites for research on what is on the internet. In Oct 2020 I did a diary on Censys, another site collecting similar information to Shodan. The next two sites are regularly scanning the internet for data which isn’t shared with the security community at large. Net Systems Research probes the internet for research, but none of the data is accessible or published on the site.
This is part of the message About Us: “Net Systems Research was founded in 2015 by a group of security data researchers who wanted to utilize a global view of the internet to study these difficult and emerging internet security challenges and understand the resulting implications.”
Tomi Engdahl says:
Cybersecurity Ignorance Is Dangerous
https://foreignpolicy.com/2021/05/03/cybersecurity-ignorance-is-dangerous/
A new book gets the policy recommendations right while making technical errors that could undermine trust in its conclusions. In one of the biggest tech book launches of 2021, Nicole Perlroth, a cybersecurity reporter at the New York Times, published This Is How They Tell Me The World Ends to cheers from the general public, plaudits from fellow journalists, and a notable wave of criticism from many in the cybersecurity community. Perlroth’s book about the global market in cyberweapons is a riveting read that mixes profound truth on policy with occasional factual errors, and it ultimately achieves its goal of scaring the shit out of anyone who doesn’t know much about the topic.
Tomi Engdahl says:
Do You Suddenly Need To Stop Using Facebook?
https://www.forbes.com/sites/zakdoffman/2021/05/09/this-is-why-you-should-delete-facebook-on-your-iphone-ipad-android-pc-or-mac/
A serious new warning this week for Facebook’s more than 2.5 billion users. It’s easy to dismiss the dangers of data harvesting and tracking, until you realize how dangerous and invasive it can be to you personally. As we’ve just seen, Facebook likely knows some of your darkest secrets and you should take action to protect your privacy. In a devilishly clever attack, as first reported on Forbes, Signal weaponized Facebook’s data harvesting this week to attack the tech giant, using targeting criteria in a series of proposed ads. Yes, the story made headlines, but almost all the coverage missed the most serious point. Behind the detail is a warning and a reason to delete Facebook.
Tomi Engdahl says:
Under the Microscope: ISACA Survey on Cybersecurity Workforce, Resources and Budgets
https://www.securityweek.com/under-microscope-isaca-survey-cybersecurity-workforce-resources-and-budgets
A major survey that like all surveys needs to be examined carefully rather than accepted blindly.
ISACA’s 2021 report on the cybersecurity workforce sees little adverse effect from the pandemic on cybersecurity during 2020, but notes a continued downward pressure on budgets and a correlation between the number of unfilled positions and staff retention, and the number of cyberattacks experienced.
There is no differentiation between an attack (which may be unsuccessful) and a breach or compromise (which is a successful attack).
The problem with all surveys is that they deliver a subjective interpretation of subjective replies to frequently ambiguous questions that may not even be the right questions. This is not a criticism of anybody involved, but merely an observation that surveys raise at least as many questions as they answer.
One area where there is little ambiguity is the conclusion that the COVID-19 pandemic has had little overall effect on cybersecurity staffing and budgets – although, says the report, “survey data indicate it mitigated retention woes during 2020.” Respondents indicating difficulty retaining talent dropped to ‘just’ 53% – a reduction of 4% over the previous year’s figure – and likely a recognition that an economic recession and period of great uncertainty is perhaps not the best time to move on and seek alternative employment.
Heather Paunet, senior VP at Untangle, highlighted a recruitment gain from the pandemic. “We hired a few positions remotely that we wouldn’t have considered doing before, allowing us to find and retain the right talent for our teams,” she told SecurityWeek. The pandemic work-from-home paradigm allows companies to fish in the global talent pool rather than being limited to just those people within easy commute range.
However, one example of potential ambiguity within this survey relates to the demand for cybersecurity candidates to have a university degree. It isn’t specified in the report whether this is always any degree or always a cyber-related degree. If it was similarly unspecified in the questions, it is possible that some respondents took it to always mean cyber-related, while others took it to always mean any university degree. The report doesn’t tell us.
Being more specific, one question asks if “graduates in cybersecurity are well prepared for the cybersecurity challenges.” Only 4% of replies strongly agreed with this. But at the same time, 58% of respondents say their organization typically requires a university degree (type of degree unspecified).
Elsewhere, responding to the question on what is important in determining if a candidate is qualified, 68% say a university degree is somewhat or very important; 79% want prior hands-on training; 89% want credentials; and a colossal 95% want prior hands-on cybersecurity experience.
There is an inbuilt bias towards the need for certification because 93% of the respondents have paid to join ISACA. Many will have gone on to study for, pay for, and qualify for one or more of the many certifications offered by ISACA. Anecdotally, CISOs have often told SecurityWeek that certifications may be nice, but are hardly ever critical to employment.
Turning to what is lacking rather than what is required in new candidates, the biggest problem by far is seen to be a lack of soft skills, at 56%. Second, at 36%, is a lack of expertise in “Security controls (e.g., endpoint, network, application, implementation)”. Interestingly, all gaps other than soft skills could be filled by on-the-job training. Soft skills are probably better taught and learned at school or college.
It is tempting to suggest that this is an argument for eliminating the requirement for previous experience and to concentrate recruitment on aptitude, with an Arts degree supplemented by in-house training. Arts graduates are inclined to be better at soft skills (because of their constant use of communication skills in presenting arguments) than science students who can largely get away with just presenting facts. This is not exclusive, but opening to non-cybersecurity degrees might improve the level of soft skills in cybersecurity while simultaneously reducing the skills gap.
Tomi Engdahl says:
Capture-The-Flag Competitions: all you ever wanted to know!
https://www.enisa.europa.eu/news/enisa-news/capture-the-flag-competitions-all-you-ever-wanted-to-know
The European Union Agency for Cybersecurity releases a report addressing the contemporary use of Capture-The-Flag (CTF) competitions around the world. It explores how these competitions work and provides a high-level analysis of the dataset of the most recent major public events. Based on the results of the findings, the report suggests recommendations for consideration in the design phase of these types of competitions.
Tomi Engdahl says:
Pipeline cyberattack comes after years of government warnings https://therecord.media/pipeline-cyberattack-comes-after-years-of-government-warnings/
Government authorities and watchdogs have warned for years that U.S. pipelines are vulnerable to cyberattacks that could potentially disrupt operations, and an attack against a major U.S. gasoline and jet fuel pipeline on Friday threatens to show how bad these incidents can be. Colonial Pipeline Company said yesterday that it had shut down 5,500 miles of pipeline supplying the East Coast with fuel in an effort to contain a breach of its computer networks. Earlier in the day the company said network issues were causing disruptions in its pipeline system, which were later blamed on ransomware.
Tomi Engdahl says:
Correctly Validating IP Addresses: Why encoding matters for input validation https://isc.sans.edu/forums/diary/Correctly+Validating+IP+Addresses+Why+encoding+matters+for+input+validation/27404/
Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets. All of these vulnerabilities were caused by a similar problem: These libraries attempted to parse IP addresses as a string. Later, standard-based “socket” libraries were used to establish the actual connection. The socket libraries have their own “inet_aton” function to convert an IP address string to a long unsigned integer.
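The parser mismatch described in that diary, as an added example that is not code from the ISC diary or from any of the affected libraries: a Python model of inet_aton’s lenient rules (octal, hexadecimal and short forms, as documented in the inet_aton(3) man page), the flawed decimal-string check beside a strict canonical-form validator, and a constructed deny-list of internal subnets standing in for the subnet restriction.

```python
import ipaddress
from typing import Optional

# Constructed deny-list: internal ranges a request filter must never let through.
BLOCKED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("10.0.0.0/8")]


def _component(p: str) -> Optional[int]:
    """Parse one dotted component as C strtoul(..., base 0) does: a leading
    0x means hexadecimal, a leading 0 means octal, anything else is decimal."""
    if p[:2] in ("0x", "0X"):
        digits, base, alphabet = p[2:], 16, "0123456789abcdefABCDEF"
    elif len(p) > 1 and p[0] == "0":
        digits, base, alphabet = p[1:], 8, "01234567"
    else:
        digits, base, alphabet = p, 10, "0123456789"
    if not digits or any(c not in alphabet for c in digits):
        return None
    return int(digits, base)


def lenient_inet_aton(text: str) -> Optional[int]:
    """Model of inet_aton()'s lenient rules: 1 to 4 components ("a.b.c.d",
    "a.b.c", "a.b" or "a"); the last component fills the remaining bytes.
    Returns the address as a 32-bit int, or None when the string is rejected.
    This is a re-implementation written for the example, not libc code."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_component(p) for p in parts]
    if any(v is None for v in vals):
        return None
    *head, tail = vals
    tail_bits = 8 * (4 - len(head))
    if any(v > 255 for v in head) or tail >= 1 << tail_bits:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    return (addr << tail_bits) | tail


def naive_is_blocked(text: str) -> bool:
    """The flawed pattern: validate the *string* as plain decimal, while the
    real connection is later made from the original string via inet_aton."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return True                       # malformed: block it
    seen = ipaddress.IPv4Address(".".join(str(int(p)) for p in parts))
    return any(seen in net for net in BLOCKED_NETS)


def strict_ipv4(text: str) -> Optional[ipaddress.IPv4Address]:
    """Accept only the canonical form: four decimal components, no leading
    zeros, each in 0..255. Returns None for everything else."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not p or any(c not in "0123456789" for c in p):
            return None
        if (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return None
    return ipaddress.IPv4Address(text)


def safe_is_blocked(text: str) -> bool:
    """Hardened check: reject non-canonical input outright, and also confirm
    the validated value is exactly what the lenient socket layer would use."""
    addr = strict_ipv4(text)
    if addr is None or lenient_inet_aton(text) != int(addr):
        return True
    return any(addr in net for net in BLOCKED_NETS)
```

With the deny-list above, "0177.0.0.1" passes the naive decimal check as 177.0.0.1 while inet_aton would connect to 127.0.0.1; the strict validator rejects the leading zero before any socket call is made.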
Tomi Engdahl says:
This security project has taken down 1.5 million scam, phishing and malware URLs in just one year https://www.zdnet.com/article/this-security-project-has-taken-down-1-5-million-scam-phishing-and-malware-urls-in-just-a-year/
Active Cyber Defence takes action against scammers attempting to take advantage of Covid-19 pandemic – and did so with some help from the general public. More websites hosting phishing domains and other online scams have been taken down during the last year than during the previous three years combined. The UK’s National Cyber Security Centre’s (NCSC) fourth annual Active Cyber Defence report details how it helped remove many more scams from the internet: in total, more than 1.4 million URLs responsible for 700,000 online scams have been removed by the NCSC’s takedown service during the last 12 months.
Tomi Engdahl says:
Threat Explainer: Supply Chain Attacks
https://blogs.cisco.com/security/threat-explainer-supply-chain-attacks
Let’s say that you’re confident in your security posture. You have endpoint protection in place, firewalls defending the perimeter, and phishing filters on incoming email. You’ve leveraged tools to check for anomalies in your network traffic, rolled out an SSO solution, and implemented processes to securely connect to the network remotely.
These defenses make it harder for bad actors to compromise your organization. Strong security posture is more likely to push all bad actors to move on to other, less secure targets.
4 Beckoning Cyber-Threat Challenges
https://www.forbes.com/sites/chuckbrooks/2021/05/09/4-beckoning-cyber-threat-challenges/
My most recent FORBES article focused on 3 big trends impacting the cybersecurity ecosystem. They included the expanding cyber-attack surface, the use of ransomware as a cyber weapon of choice by hackers, and the growing ICS, OT/IT Cyber-Threat convergence. All the elements of that article apply to this analysis of the myriad of cyber-threat trends & challenges we are currently or will be soon facing. The following observations on 4 beckoning cyber-threat challenges are another affirmation that mitigating cyber-threats is a societal imperative and cybersecurity has become indispensable to securing our digital future.
Tomi Engdahl says:
Google Releases Open Source Tool for Verifying Containers
https://www.securityweek.com/google-releases-open-source-tool-verifying-containers
Google has released a new open-source tool called cosign to make it easier to manage the process of signing and verifying container images.
Developed in collaboration with Linux Foundation’s sigstore project, the company said the motivation for cosign is “to make signatures invisible infrastructure.”
Google says all of its distroless images have been signed using the open source tool and that all users of distroless (images that only contain the required application and its dependencies) can easily check whether they are using the base image they are looking for.
The Internet giant says it has integrated cosign into the distroless CI system, thus transforming the signing of distroless into just another step in the Cloud Build job responsible for building images.
“This additional step uses the cosign container image and a key pair stored in GCP KMS to sign every distroless image. With this additional signing step, users can now verify that the distroless image they’re running was built in the correct CI environment,” Google explains.
Tomi Engdahl says:
The Benefits of Cloud Services Far Outweigh On-Premises in 2021
https://www.securityweek.com/benefits-cloud-services-far-outweigh-premises-2021
The pandemic, among other variables, has greatly accelerated cloud adoption for many organizations in 2021.
It’s time. If they weren’t already invested, the events of the last year have clearly forced the hands of organizations to embrace the world of cloud-delivered services. The global rise in remote work is a big driver; it has forced organizations to think more progressively about everything from their office space to their infrastructure.
It’s becoming increasingly evident that things may never truly get back to normal. For many companies, having a distributed workforce – work from anywhere, work from home, etc. – is simply a way of life now. A recent Gartner survey suggests that at least 30-40% of the workforce in the U.S. will continue to work from home post COVID-19.
According to Gartner’s 2021 CIO Agenda survey, this will require a shift that includes a total reboot of policies and security tools suitable for the modern remote workspace. Endpoint protection services, if they’re not already, will need to move to cloud-delivered services to ensure data is protected across the enterprise. The shift will also force security leaders to revisit policies for data protection, disaster recovery, and backup to ensure they’re still useful for a remote environment.
2021 has seen a rise in cloud-native apps that have enabled companies to have workers perform duties remotely, keep supply chains running, and adapt to change.
Tomi Engdahl says:
U.S. Intelligence Agencies Warn About 5G Network Weaknesses https://thehackernews.com/2021/05/us-intelligence-agencies-warn-about-5g.html
Inadequate implementation of telecom standards, supply chain threats, and weaknesses in systems architecture could pose major cybersecurity risks to 5G networks, potentially making them a lucrative target for cybercriminals and nation-state adversaries to exploit for valuable intelligence. The analysis, which aims to identify and assess risks and vulnerabilities introduced by 5G adoption, was published on Monday by the U.S. National Security Agency (NSA), in partnership with the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Tomi Engdahl says:
15% of 2020 ransomware payments carried a sanctions violations risk https://therecord.media/15-of-2020-ransomware-payments-carried-a-sanctions-violations-risk/
Around one in six ransomware payments in 2020 were made to ransomware gangs that had some sort of connection to a US-sanctioned entity.
Payments to ransomware gangs such as Bitpaymer, DoppelPaymer, WastedLocker, and Clop carried a sanction violations risk in 2020, said Chainalysis, a company specialized in analyzing blockchain transactions. Security researchers believe these four ransomware strains have been created or have worked together with a cybercrime cartel known as EvilCorp, sanctioned by the US Treasury Department in December 2019.
Tomi Engdahl says:
Cybersecurity 101: Protect your privacy from hackers, spies, and the government
https://www.zdnet.com/article/online-security-101-how-to-protect-your-privacy-from-hackers-spies-and-the-government/
Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.
Tomi Engdahl says:
Ransomware is now a national security risk. This group thinks it knows how to defeat it
https://www.zdnet.com/article/ransomware-is-now-a-national-security-risk-this-group-thinks-it-knows-how-to-defeat-it/
Recommendations ranging from additional support for victims to regulating Bitcoin to prevent it being used to extort payment aim to help protect society as a whole from being plagued by ransomware attacks.
Tomi Engdahl says:
Todd Feathers / The Markup:
A look at the fight over using differential privacy techniques in the US Census, which anonymizes datasets but some argue lowers the quality of the datasets
Will New Privacy Changes Protect Census Data or Make Things Worse?
https://themarkup.org/ask-the-markup/2021/05/11/will-new-privacy-changes-protect-census-data-or-make-things-worse
Several years ago, as the U.S. Census Bureau began to prepare for its 2020 count, it was confronted with an existential problem.
A growing body of academic research was providing evidence that machine learning systems, combined with the availability of large commercial datasets about Americans, were making it possible to personally identify people from information in confidential datasets—like the Census.
The bureau, which relies on Americans willingly sharing their private information under the assurance they won’t be personally identifiable, decided to conduct its own test. In 2016, it found that by combining a relatively small fraction of the statistics it published after the 2010 Census with commercial datasets available at the time, anyone could undermine the Census’s current privacy system and reconstruct the name, location, and key demographic characteristics of about 52 million people.
“If they’d used more statistics, it could have been worse. If they’d used more rich commercial datasets, it could have been worse,” said Cynthia Dwork, a computer science professor at Harvard University.
Tomi Engdahl says:
https://pentestmag.com/mandalorequest-an-offensive-journey/
Tomi Engdahl says:
85% of Data Breaches Involve Human Interaction: Verizon DBIR
https://www.darkreading.com/operations/85–of-data-breaches-involve-human-interaction-verizon-dbir/d/d-id/1341012
Tomi Engdahl says:
Europe Flip Flops on Privacy; ICANN CEO abdicates
https://www.internetgovernance.org/2021/04/30/europe-flip-flops-on-privacy-icann-ceo-abdicates/
Ever since the GDPR thwacked it on the side of its head, ICANN has been trying to bring its registry of domain names into compliance with basic privacy principles. The good news is that ICANN has largely succeeded in doing that. Go to this URL, enter our domain name, internetgovernance.org, and see what you get. The PII is all redacted (even though it doesn’t need to be: you can get our email, address and office phone from our website).
Contrary to the expectations of some alarmists, the Internet has not collapsed. There is no noticeable increase in cybercrime. There are lots of cybersecurity incidents, like SolarWinds and Hafnium, but they were neither caused by the absence of open access to whois records, nor would open access have helped to solve them. There may even be a decline in certain forms of DNS abuse.
In the name of “cybersecurity,” the EC’s December 2020 proposal to amend the Network and Information Security Directive (NIS2) asserts EU jurisdiction over domain name registration in ways that threaten the global nature of DNS. In the words of Roberto Viola, Director-General of EC’s Communications Networks, Content and Technology Department, the NIS2 proposal:
“introduces new obligations for TLD registries and registrars providing services in the European Union, namely to: i) collect and maintain accurate and complete domain name registration data; ii) publish non-personal domain name registration data (i.e. concerning legal entities), iii) provide access to specific personal domain name registration data upon lawful and duly justified requests of legitimate access seekers, and iv) reply without undue delay to all requests for access.”
Tomi Engdahl says:
The IRS Wants Help Hacking Cryptocurrency Hardware Wallets
As more investors and criminals move to hardware wallets to secure their funds, the IRS is looking for new methods to access those wallets in criminal investigations.
https://www.vice.com/en/article/k78a53/the-irs-wants-help-hacking-cryptocurrency-hardware-wallets
Tomi Engdahl says:
Best secure email providers of 2021
https://www.techradar.com/sg/best/best-secure-email-providers
Tomi Engdahl says:
Emotet Malware Destroys Itself From All Infected Computers
https://thehackernews.com/2021/04/emotet-malware-destroys-itself-today.html
Tomi Engdahl says:
AZURE APPLICATION PROXY C2
https://www.trustedsec.com/blog/azure-application-proxy-c2/
Tomi Engdahl says:
RSA attack tool (mainly for ctf) – retreive private key from weak public key and/or uncipher data
https://github.com/Ganapati/RsaCtfTool
Tomi Engdahl says:
Important Failures to Watch out for in DevSecOps
Security, Apr 25, 2021
Companies are adopting development security operations (DevSecOps) for several important reasons: to deliver value faster, to gain an advantage, to lower the cost of security for clients, and more. Despite people rushing to adoption, companies will sometimes fail with their DevSecOps initiatives – and the sad part is that a lot of those reasons are easily avoidable. So, allow me to give an idea of the ones which I have seen the most from people
https://sudosecurity.org/devsecops-important-failures/
Tomi Engdahl says:
Momentum Builds to Fend Off GNSS Jamming, Spoofing
https://www.freethink.com/articles/farming-robot
Tomi Engdahl says:
Morpheus Turns a CPU Into a Rubik’s Cube to Defeat Hackers
https://spectrum.ieee.org/tech-talk/semiconductors/processors/morpheus-turns-a-cpu-into-a-rubiks-cube-to-defeat-hackers
Last summer, 580 cybersecurity researchers spent 13,000 hours trying to break into a new kind of processor. They all failed.
The hack attack was the first big test in a U.S. Defense Advanced Research Program Agency (DARPA) program called Security Integrated Through Hardware and firmware (SSITH). It’s aimed at developing processors that are inherently immune to whole classes of hardware vulnerabilities that can be exploited by malware. (Spectre and Meltdown are among those.)
A Hacker’s Nightmare: Programmable Chips Secured by Chaos
https://spectrum.ieee.org/tech-talk/computing/hardware/chaos-programmable-chips-secure