Cyber security trends for 2021

Nothing is more difficult than making predictions. For this reason I did not write any “predictions for 2021 cyber security” post before the year 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that other people have predicted or reported.

The state of internet security in 2020 was rough. The trends that stormed in last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, these days it is rather ‘bring your own office’.

2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.

Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks that exploit contemporary issues, and continued frequent and significant data breaches. I can pretty much agree with those. Cybersecurity must adapt to counter new threats in a transformed world.

The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead, and we cannot be naive about what comes with it: “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”

For 2021, Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments (WAN, multi-cloud, data center, remote worker, IoT, and more), each with its own unique risks.

DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they are not paid in bitcoin by a deadline, but victims are being urged not to give in to the demands.

One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, and then they threaten to publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.

Modern cybercrime is becoming increasingly open-sourced, which means that some of the most sophisticated and notorious cybercriminals are already using open-source tools to conduct their criminal activities, and this will increase.

Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and whether the people who answered the survey have really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.

The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands, and it is only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, as in This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to the cloud, so we need more people who know both security and the cloud: The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).

The Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.

Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.

A new version of the OWASP Top-10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, to let everyone reproduce the results, and to present it to the entire community for feedback.

The Privacy is an illusion. But that’s a good thing article says that everyone’s information is available; it doesn’t matter who you are. Some people would pay lots of money to get that illusion of privacy back, and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.

The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues such as Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.

The Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs, which must have vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens, and ENISA Publishes Guidelines on Securing the IoT Supply Chain.

7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: continuous patch management and security updates, OT transparency for IT stakeholders, natively secure OT networks, cloud-based access to remote sites instead of VPN, zero-touch onboarding, more cybersecurity in small facilities, and certified cybersecurity products and solutions.

IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.

2,204 Comments

  1. Tomi Engdahl says:

    DARPA takes step toward ‘holy grail of encryption’
    https://www.livescience.com/darpa-holy-grail-encryption.html

    DARPA is trying to spur breakthroughs in something called fully homomorphic encryption (FHE). The technique makes it possible to analyze and compute on data while it’s still in encrypted form. That could allow financial crimes investigators to scour sensitive bank records without exposing customer details, for instance, or let health researchers analyze private health data while preserving patients’ privacy, Rondeau said. The technique could also help the military keep their battlefield data more secure and make it easier to let allies work with classified intelligence data.

    FHE relies on something far more complicated called lattice cryptography, which encodes data as coordinates on a lattice. Lattices can be thought of as grids of regularly spaced dots, but, unlike the 2D grids we’re used to, the FHE lattices are multidimensional.

    The big problem is that processing this data is very slow on current computers — roughly a million times slower than processing times for unencrypted data. That’s why DARPA has launched a research program called Data Protection in Virtual Environments (DPRIVE), which Rondeau is managing, to speed things up.

    The overall problem with this process is that moving precisely-placed data points around in a high-dimensional space is far more complicated than doing calculations on simple binary data — the typical 1s and 0s of today’s computers.

    There are two main approaches the DARPA-funded companies can use to simplify things, Rondeau said. One tactic is to improve the computer’s ability to deal with high-precision numbers, by changing the way numbers are represented in binary code and altering chips circuits to process them more efficiently. The other is to translate the data into a lower dimensional space where the calculations are simpler, which also requires new hardware and software approaches.

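The lattice idea behind FHE in the comment above, as an added teaching example that is not from the article or from DARPA's program: an LWE-style scheme where a ciphertext is a lattice point (a, <a,s> mod q) pushed off the lattice by a small noise e plus bit*q/2, so adding ciphertexts XORs the hidden bits without the key while the noise adds up, and decryption fails once the noise passes q/4. The parameters (N, Q, E_MAX) are toy-sized and insecure, and only addition is shown; real FHE also supports multiplication and refreshes the noise with bootstrapping.

```python
"""Toy lattice (LWE-style) encryption of single bits with a homomorphic XOR.

Constructed teaching example: the parameters are tiny and NOT secure.
A ciphertext (a, b) is the lattice point (a, <a,s> mod q) shifted by a
small noise e plus bit*q/2. Adding ciphertexts adds the hidden bits
(XOR, because 2*(q/2) = 0 mod q) and also adds the noise.
"""
import random
from functools import reduce

N = 16      # lattice dimension (real schemes use hundreds or thousands)
Q = 1024    # ciphertext modulus, must be even
E_MAX = 8   # a fresh ciphertext carries noise e with |e| <= E_MAX


def keygen(rng):
    """Secret key: a vector s in Z_q^N."""
    return [rng.randrange(Q) for _ in range(N)]


def _dot(a, s):
    return sum(x * y for x, y in zip(a, s)) % Q


def _centred(x):
    """Representative of x mod q in the range [-q/2, q/2)."""
    x %= Q
    return x - Q if x >= Q // 2 else x


def encrypt(s, bit, rng):
    """Encrypt one bit: b = <a,s> + e + bit*q/2 (mod q) for a random a."""
    if bit not in (0, 1):
        raise ValueError("plaintext must be a single bit")
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-E_MAX, E_MAX)
    return (a, (_dot(a, s) + e + bit * (Q // 2)) % Q)


def decrypt(s, ct):
    """Strip <a,s>; the bit is 1 if the remainder sits closer to q/2 than to 0."""
    a, b = ct
    phase = (b - _dot(a, s)) % Q
    return 1 if Q // 4 <= phase < 3 * Q // 4 else 0


def noise(s, ct, bit):
    """Noise currently stored in ct, given the bit it should decrypt to.
    Decryption stays correct only while this is below q/4."""
    a, b = ct
    return abs(_centred(b - _dot(a, s) - bit * (Q // 2)))


def add(c1, c2):
    """Homomorphic XOR: component-wise addition mod q, no key involved."""
    (a1, b1), (a2, b2) = c1, c2
    return ([(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q)


def xor_many(cts):
    """XOR of any number of encrypted bits, still without the key."""
    return reduce(add, cts)


def max_safe_additions():
    """How many fresh ciphertexts (worst-case noise E_MAX each) can be
    summed while the total noise is still guaranteed below q/4."""
    return (Q // 4 - 1) // E_MAX


def demo(seed=1):
    """Encrypt max_safe_additions() ones, XOR them homomorphically and
    return (decrypted bit, remaining noise, noise budget q/4)."""
    rng = random.Random(seed)
    s = keygen(rng)
    k = max_safe_additions()
    total = xor_many([encrypt(s, 1, rng) for _ in range(k)])
    expected = k % 2
    return decrypt(s, total), noise(s, total, expected), Q // 4


if __name__ == "__main__":
    bit, n, budget = demo()
    print(f"decrypted {bit}, noise {n} of budget {budget}")
```

Summing more ciphertexts than max_safe_additions() may still decrypt correctly by luck, but the guarantee is gone; that noise ceiling is exactly what bootstrapping in a real FHE scheme exists to reset.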
  2. Tomi Engdahl says:

    Cybercrime is a police matter: new guide advises companies in cybercrime situations
    https://www.epressi.com/tiedotteet/turvallisuus/kyberrikollisuus-on-poliisiasia-uusi-opas-neuvoo-yrityksia-kyberrikostilanteissa.html
    Cybercrimes can cause serious disruption to a company’s operations and significant financial damage. Falling victim to cybercrime is not a disgrace.

  3. Tomi Engdahl says:

    Google’s top security teams unilaterally shut down a counterterrorism operation
    https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/
    Google’s Project Zero and Threat Analysis Group teams found the hacking group exploiting 11 zero-day vulnerabilities in just nine months, a high number of exploits over a short period. Software that was attacked included the Safari browser on iPhones but also many Google products, including the Chrome browser on Android phones and Windows computers. MIT Technology Review has learned that the hackers in question were actually Western government operatives actively conducting a counterterrorism operation. Google’s notes:
    https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html

  4. Tomi Engdahl says:

    Webshells Observed in Post-Compromised Exchange Servers
    https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observed-post-compromised-exchange-servers
    CISA has added two new Malware Analysis Reports (MARs) identifying webshells observed in post-compromised Microsoft Exchange Servers.

  5. Tomi Engdahl says:

    A Ransomware Gang Is Asking Victims’ Customers To Aid In Extortion Efforts
    https://www.forbes.com/sites/leemathews/2021/03/28/a-ransomware-gang-is-asking-victims-customers-to-aid-in-extortion-efforts/
    The hackers used the data stolen in the attack to contact customers and urge them to make the company pay. Emails sent to the store’s customers look a bit like a breach notification – the note mentions that the recipient’s personal data was stolen and that it will soon be leaked on a Dark Web site. “Call or write this store and ask to protect your privacy!” the note urges.

  6. Tomi Engdahl says:

    InfoSec Handlers Diary Blog – Office macro execution evidence
    https://isc.sans.edu/diary.html?n&storyid=27244
    Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft’s tooling often less than helpful.

  7. Tomi Engdahl says:

    Natasha Bertrand / Politico:
    National cyber director position, which Congress mandated in a defense bill last year, remains unfilled two months into Biden’s admin due to political turf wars

    White House
    ‘Time is not on our side’ — Biden navigates cyber attacks without a cyber czar
    Turf wars and political battles are keeping open a role that Congress created and is demanding be filled.
    https://www.politico.com/news/2021/03/28/white-house-cyber-czar-478242

    The Biden White House is facing multiple cyber attacks and cyber espionage campaigns targeting U.S. companies and government agencies, without the services of a cybersecurity czar to coordinate a response and keep lawmakers in the loop.

    The role, known officially as the national cyber director, remains unfilled two months into Joe Biden’s presidency despite a legal mandate that it be occupied. Congress had ordered the creation of the post in a defense bill it enacted late last year over then-President Donald Trump’s veto. And they expected the Biden White House to act quickly on it.

    But nearly a dozen current and former officials familiar with the deliberations say that it has been the casualty of classic Washington dramas: executive branch officials wary of legislators meddling in their business and government bureaucrats trying to fend off potential colleagues from encroaching on their perceived portfolios.

    The failure to fill the role, which would be responsible for coordinating the entire U.S. government’s defensive cyber operations, comes as the new administration grapples with how to kick suspected Russian and Chinese hackers out of federal cyber infrastructure following two major breaches. And it lays bare the challenges in setting up a brand new agency that could encroach upon some power centers in the White House, particularly the National Security Council.

    “It’s like we are in conflict and they are not appointing the secretary of defense,” he said. “I would hate to have another attack occur in the next 30-60 days and still not have anyone in that position.”

    “They’re taking way too long, and while conducting this review they have not nominated someone,” said Mark Montgomery, a senior adviser to the Cyberspace Solarium Commission and senior fellow at Foundation for the Defense of Democracies. “So they are very much slowing down the development of the NCD office.”

    Montgomery said he believes one reason for the delay is that the administration is “underwater” with responding to Russia’s recent hack on SolarWinds — a company whose software is used by multiple federal agencies — and China’s breach of Microsoft Exchange servers, used by many local and state governments and private companies. “Things really are very bad,” he said.

    “The NCD is needed to work the day-to-day deconfliction and institutionalize plans for preventing and, when that fails, responding to the next crisis,” Spaulding said. “And the next crisis could be tomorrow, so time is not on our side.”

  8. Tomi Engdahl says:

    Alan Suderman / Associated Press:
    Sources: SolarWinds hackers gained access to emails of Trump administration’s top DHS officials, including acting Secretary Chad Wolf and cybersecurity staff — Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department …

    AP sources: SolarWinds hack got emails of top DHS officials
    https://apnews.com/article/rob-portman-hacking-email-russia-8bcd4a4eb3be1f8f98244766bae70395

    Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries, The Associated Press has learned.

    The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what’s known as the SolarWinds intrusion, and it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can’t protect itself.

    The short answer for many security experts and federal officials is that it can’t — at least not without some significant changes.

    “The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,” said Sen. Rob Portman of Ohio, top Republican on the Senate’s Homeland Security and Governmental Affairs Committee. “We are talking about DHS’s crown jewels.”

  9. Tomi Engdahl says:

    Don’t stay silent: 7 reasons why online crimes should be reported to the police
    https://www.is.fi/digitoday/tietoturva/art-2000007889042.html
    Cybercrimes should be reported to the police, the new “Cybercrime is a police matter” guide says. A large share of cybercrimes go unreported to the police. The main reasons for this are hesitation to start the process, for example out of fear of negative publicity, fear that one’s own mistakes will be exposed, and weighing the benefits against the drawbacks, which includes among other things the belief that the criminal is unlikely to be caught.

  10. Tomi Engdahl says:

    Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks
    https://blog.f-secure.com/attack-landscape-update-h1-2021/
    Data-stealing ransomware attacks, information harvesting malware, and supply chain attacks are some of the critical threats facing organizations highlighted in F-Secure’s latest attack landscape update.

  11. Tomi Engdahl says:

    Fileless Malware Attacks Surge by 900% and Cryptominers Make a Comeback
    https://www.pandasecurity.com/en/mediacenter/news/internet-security-report-q4-watchguard/
    Among its most notable findings, the report reveals that fileless malware and cryptominer attack rates grew by nearly 900% and 25% respectively, while unique ransomware payloads plummeted by 48% in 2020 compared to 2019.

  12. Tomi Engdahl says:

    New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats
    https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-study-shows-firmware-attacks-on-the-rise-heres-how-microsoft-is-working-to-help-eliminate-this-entire-class-of-threats/
    Recently, Microsoft commissioned a study that showed how attacks against firmware are outpacing investments targeted at stopping them. The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware.

  13. Tomi Engdahl says:

    Microsoft: Firmware Attacks Outpacing Security Investments
    https://www.securityweek.com/microsoft-firmware-attacks-outpacing-security-investments

    Microsoft is confirming a surge in malicious attacks targeting firmware and the software giant wants to play a role in reducing the attack surface below the operating system.

    According to a new Security Signals report released Tuesday by Microsoft, a whopping 80 percent of businesses reported “at least one firmware attack” in the past two years but only 30 percent allocated any budget spend on firmware protection.

    Businesses aren’t paying close enough attention to securing this critical layer, says David Weston, Microsoft partner director of OS security.

  14. Tomi Engdahl says:

    Biden Extends Executive Order on Cyberattack Sanctions
    https://www.securityweek.com/biden-extends-executive-order-cyberattack-sanctions

    President Joe Biden on Monday sent a letter to the House of Representatives and the Senate to extend an executive order regarding sanctions issued in response to cyberattacks.

    Executive Order 13694, issued in 2015 by president Barack Obama, enables authorities to block the property of entities engaging in “significant malicious cyber-enabled activities.”

    Former president Donald Trump, who took office in January 2017, also extended this executive order in 2017, 2018, 2019 and 2020.

    “Significant malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities,”

  15. Tomi Engdahl says:

    What’s Behind the Surge in Cybersecurity Unicorns?
    https://www.securityweek.com/whats-behind-surge-cybersecurity-unicorns

    Security Industry Experts Share Thoughts on Why Cybersecurity Unicorns Are No Longer Rare Sightings

    Several industry professionals have shared thoughts on why we are seeing a surge in cybersecurity unicorns. Some believe the trend is a result of speculative strategies while others believe it reflects the growing importance of cybersecurity.

    In March 2020, shortly after COVID-19 was officially declared a pandemic, SecurityWeek reached out to several experts for their thoughts on the effects of the pandemic on early-stage venture investment in cybersecurity. While most agreed that there would be some negative impact, investors were optimistic.

    Since then, tens of companies have announced raising millions, tens of millions and even hundreds of millions of dollars, and many have become “unicorns” after being valued at more than $1 billion as a private company.

    SecurityWeek has identified more than 30 cybersecurity unicorns, with 13 of them announced in the past four months alone. The 13 companies to achieve billion-dollar valuation since December 2020 are Aqua, Axonius, BigID, Coalition, Feedzai, Forter, ID.me, Lacework, Orca, OwnBackup, Socure, Venafi and Wiz.

  16. Tomi Engdahl says:

    Inside the Ransomware Economy
    https://www.securityweek.com/inside-ransomware-economy
    From Egregor to Doppelpaymer to Ryuk, it continues to command headlines. Pandemic-fueled phishing scams, the lack of visibility across remote endpoints, and lax attitudes have been a boon for ransomware groups over the last year. Worst of all, ransomware no longer discriminates. It dominates small towns and municipal offices, video game makers, and shamelessly, healthcare organizations and school systems already pushed to the brink by the COVID-19 pandemic.
    The threat could still become more pervasive over the next two to three years, not because ransomware is effective in and of itself but because of other players in the game – insurance companies, brokers, and even attorneys – that continue to fan the flames.

  17. Tomi Engdahl says:

    Enough Is Enough: What Happens When Law Enforcement Bends Laws to Access Data
    https://www.internetsociety.org/blog/2021/03/enough-is-enough-what-happens-when-law-enforcement-bends-laws-to-access-data/

    Tutanota co-founder Matthias Pfau explains how a recent court order is a wake-up call to end the encryption debate once and for all
    In a world increasingly reliant on the Internet in our day-to-day lives, there’s no turning back on encryption.

    Encryption is a critical security tool for citizens, businesses, and governments to communicate confidentially and reliably. In some professions, such as the health and legal sectors, encryption is a requirement to protect sensitive client information. Journalists also rely on encryption to securely communicate with sources, which is critical to guarantee the freedom of the press and free speech.

    In fact, the right to privacy is enshrined in many democratic countries’ constitutions and is highly valued across societies. Strong encryption helps enable citizens to exercise that right.

    But time and again, the user trust guaranteed by encryption finds itself under attack.

    Law enforcement agencies and governments are increasingly asking for access to data to catch criminals, they say, including when the data is encrypted. Some are even trying to force companies to create so-called backdoors to encryption so that the authorities can gain access to encrypted communications upon request. While we all want to prevent crime online, there simply isn’t a magic key that would give access to the “good guys” without also making sensitive user data available to anyone else that wants it – including criminals. Strong encryption is binary: it’s either on or off. It either works for everyone or for no one. Weakening encryption only for criminals is technically impossible.

    For this single account, we were ordered to copy unencrypted incoming and outgoing emails before they were encrypted.

    Fortunately, the court order does not affect or undermine the security of the end-to-end encrypted emails in Tutanota. However, this approach to accessing unencrypted emails is disturbing on many levels. Two stand out in particular:

    Forcing a company to hand over data before it is encrypted significantly breaches the privacy and confidentiality that users expect.
    Granting access to data meant to be encrypted could set a dangerous precedent that could be used to force companies to compromise end-to-end encryption.

    The Right to Privacy Includes the Right to Encryption

    Preventing companies from offering the highest levels of security and privacy online puts businesses and users at incredible risk of harm. That’s why Tutanota is challenging the court’s decisions. We want to make sure that the ruling is not used as a precedent for German law enforcement agencies to force companies to undermine the security and privacy of their services.

    What we need in today’s Internet is not less encryption, but more. We must remain vigilant to make sure that law enforcement agencies cannot bend the laws the way they want to get access to data.

    The European GDPR specifically mentions end-to-end encryption as the best tool to protect citizens’ data from various threats online. Germany as well as the European Union must make sure that neither service providers nor criminals can abuse citizens’ data stored online.

    European citizens and businesses rely on unbreakable end-to-end encryption.

  18. Tomi Engdahl says:

    FBI Paid Anti-Child Predator Charity $250,000 for Hacking Tools
    https://www.vice.com/en/article/qjp7eq/fbi-paid-charity-for-hacking-tools-ni

    The records viewed by Motherboard provide more insight into how the FBI obtains at least some of its hacking tools, or network investigative techniques.

    The news provides more insight into how the FBI obtains some of its hacking tools, or so-called network investigative techniques (NITs). The contract also highlights the close relationship between private parties and the FBI when hacking suspects. Facebook, for example, previously bought a hacking tool for the FBI to use to unmask one of the social network’s users who was aggressively targeting minors on the platform.

    The procurement record says the FBI’s Child Exploitation Operational Unit (CEOU) is “purchasing a set of NITs.” The contract dates from June 2020.

    The NITs “have been demonstrated for OTD and CEOU and which have the capability, if activated, of providing the true internet address of the subject,”

  19. Tomi Engdahl says:

    “As an engineer I’ve always laughed when actors bypass locks like that in movies. I never imagined anybody could design something that wrong.”

    [1045] Swiss Army Knife Bypass of Keypad Lock
    https://www.youtube.com/watch?v=ANsipsS7IK8

    [1064] First No Touch Open! (Retekess Keypad)
    https://www.youtube.com/watch?v=KHvfwpnPwwU

    [1060] Opened in ONE Second: HFeng Fingerprint Lock
    https://www.youtube.com/watch?v=XXW27KKHtc8

    [1176] Open in Seconds: Honeywell “Steel Security Safe” (Model 5101 DOJ)
    https://www.youtube.com/watch?v=JmMo73yIv1A

    [1120] Fingerprint Lock That Forgot The Fundamentals – DatoHome L-B400
    https://www.youtube.com/watch?v=pTys_WYBOLE

    [1141] Hong Huan’s Terrible, Horrible, No Good, Very Bad Bike Lock
    https://www.youtube.com/watch?v=XyyMSfXPBNw

  20. Tomi Engdahl says:

    North Korean hackers target security researchers again
    https://www.bleepingcomputer.com/news/security/google-north-korean-hackers-target-security-researchers-again/
    Google’s Threat Analysis Group (TAG) says that North Korean government-sponsored hackers are once again targeting security researchers using fake Twitter and LinkedIn social media accounts.

  21. Tomi Engdahl says:

    Risk Management, C-Suite Shifts & Next-Gen Text Scams: Your March 2021 Security Intelligence Roundup
    https://securityintelligence.com/articles/march-2021-security-intelligence-roundup/

  22. Tomi Engdahl says:

    Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
    https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-windows-background-intelligent-transfer-service.html
    Applications interact with the Background Intelligent Transfer Service by creating jobs with one or more files to download or upload. The BITS service runs in a service host process and can schedule transfers to occur at any time. As is the case with many technologies, BITS can be used both by legitimate applications and by attackers.

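A defender’s triage of a BITS job inventory, as an added example that is not code from the FireEye post: the job records are constructed to resemble the fields a real inventory would give you (on a Windows host from `bitsadmin /list /allusers /verbose` or PowerShell `Get-BitsTransfer -AllUsers`), and the allowlist, field names, hosts and paths are this example’s own assumptions.

```python
"""Triage of BITS transfer jobs for signs of abuse (added example).

The job records are constructed to resemble the fields of a BITS job
inventory; the field names, hosts and paths are this example's own,
not real tool output.
"""
from urllib.parse import urlparse

# Assumed allowlist of hosts the organisation legitimately transfers from via BITS.
ALLOWED_HOSTS = {"download.windowsupdate.com", "updates.example-corp.internal"}
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".scr", ".js", ".hta")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


def triage_job(job):
    """Return the reasons a job deserves analyst attention (empty list = nothing found)."""
    reasons = []
    for url in job.get("remote_urls", []):
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            reasons.append(f"remote host not allowlisted: {host or url}")
    for path in job.get("local_files", []):
        p = path.lower()
        if p.endswith(EXECUTABLE_EXT) and any(d in p for d in USER_WRITABLE):
            reasons.append(f"executable written to user-writable path: {path}")
    if job.get("notify_cmdline"):
        # BITS can run a program when a job finishes; ordinary download jobs rarely need this.
        reasons.append(f"completion command line configured: {job['notify_cmdline']}")
    return reasons


def triage_all(jobs):
    """Map each job's display name to its list of findings."""
    return {job["display_name"]: triage_job(job) for job in jobs}


# Constructed sample inventory: one ordinary Windows Update job and one that
# fetches an executable into a user profile and runs it on completion.
SAMPLE_JOBS = [
    {"display_name": "WU Client Download", "owner": "NT AUTHORITY\\SYSTEM",
     "remote_urls": ["http://download.windowsupdate.com/d/msdownload/update.cab"],
     "local_files": ["C:\\Windows\\SoftwareDistribution\\Download\\update.cab"],
     "notify_cmdline": ""},
    {"display_name": "updater", "owner": "CORP\\alice",
     "remote_urls": ["https://cdn.example-files.test/u/svc.bin"],
     "local_files": ["C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"],
     "notify_cmdline": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"},
]

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_JOBS).items():
        print(name, "->", findings or "no findings")
```

On a real host the same checks can be run periodically, since BITS jobs persist across reboots and a job created long ago can still transfer or fire its completion command later.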
  23. Tomi Engdahl says:

    Fransom is an open-source tool that will emulate common ransomware functions for the purpose of testing endpoint detection and response tools
    https://github.com/fraktalcyber/Fransom

  24. Tomi Engdahl says:

    Websites of EU Mobile Providers Fail to Properly Secure User Data: Report
    https://www.securityweek.com/websites-eu-mobile-providers-fail-properly-secure-user-data-report

    Sensitive data pertaining to the customers of top mobile services providers in the European Union is at risk of compromise due to improperly secured websites, data security and privacy firm Tala reveals.

    An analysis of the websites of 13 of the top mobile telecom companies in the EU has revealed that none of them has in place even the minimum necessary protections to be considered secure.

    “With over 235 million customers between them, none of the mobile providers scored a passing grade for website security. Where a score of 80+ is considered reasonable and 50 is barely a passing grade, none of the mobile providers analyzed comes close,” Tala says in a new report.

    Despite the lack of proper website protections, however, during online sign-up, the telcos collect a significant amount of sensitive data from their customers, including names, emails, addresses, dates of birth, passport numbers, payslips, and even banking details in some cases.

    All of the gathered data, Tala claims, might be at risk of compromise through vulnerabilities and the use of third-party code: the average number of JavaScript integrations was found to be 162, while forms were found exposed to an average of 19 third parties.

    All of the websites, the report reveals, use dangerous JavaScript functions that open the door to cross-site scripting (XSS), the most common type of website vulnerability. The highest number of JavaScript integrations on a single site was 735.

    Reply
  25. Tomi Engdahl says:

    North Korean .Gov Hackers Back With Fake Pen-Test Company
    https://www.securityweek.com/north-korean-gov-hackers-back-fake-pen-test-company

    A North Korean government-backed APT group has been caught using a fake pen-testing company and a range of sock puppet social media accounts in an escalation of a hacking campaign targeting security research professionals.

    The notorious hacking group, first exposed by Google earlier this year, returned on March 17th with a website for a fake penetration testing company.

    “The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits,” according to Adam Weidemann, a researcher in Google’s TAG (Threat Analysis Group).

    “In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered,” Weidemann explained.

    In addition to the fake “SecuriElite” security assessment company, the campaign also included a batch of carefully crafted social media profiles used to lend credibility to the fake outfit.

    Weidemann said the group has already used exploits for zero-days in Microsoft’s Internet Explorer browser and warns that the threat actor has advanced capabilities.

    “Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days. We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerabilities Rewards Program submission process,” Weidemann added.

    Reply
  26. Tomi Engdahl says:

    Analyzing the UK’s Nuclear Deterrence Theory for Cyberspace
    https://www.securityweek.com/analyzing-uks-nuclear-deterrence-theory-cyberspace

    The UK Introduces Nuclear Deterrence Theory to Cyberspace, Raising More Questions Than Answers

    Britain’s 2021 Defence Review states that the nation will not use nuclear weapons against any non-nuclear state party to the Treaty on the Non-Proliferation of Nuclear Weapons 1968 (NPT). But it then adds, “we reserve the right to review this assurance if the future threat of weapons of mass destruction, such as chemical and biological capabilities, or emerging technologies that could have a comparable impact, makes it necessary.”

    Elsewhere, the Review makes it clear that ‘cyber’ is considered an ‘emerging technology’. Does this mean that the UK will consider a nuclear response to a serious cyber-attack?

    Back in 2018, Air Marshall Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence), said the UK’s position “should be to understand first, to decide first, and then if necessary, to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities.”

    Around the same time, the UK Attorney General, Jeremy Wright QC MP, said, “The UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the UN Charter.”

    These two statements make it clear that the UK believes that it has the right to respond kinetically to cyber-attack, and that the response can be pre-emptive. The latest statement in the Defence Review expands this position to include the potential for a nuclear kinetic response.

    Reply
  27. Tomi Engdahl says:

    For Microsoft, Security is a $10 Billion Business
    https://www.securityweek.com/microsoft-security-10-billion-business

    NEWS ANALYSIS: Microsoft generated a whopping $10 billion in security-related revenues in just the last 12 months and is now positioned as an enterprise cybersecurity powerhouse.

    Microsoft Wins $22 Billion Deal Making Headsets for US Army
    https://www.securityweek.com/microsoft-wins-22-billion-deal-making-headsets-us-army

    Microsoft won a nearly $22 billion contract to supply U.S. Army combat troops with its augmented reality headsets.

    Microsoft and the Army separately announced the deal Wednesday.

    Reply
  28. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/11963-joko-sinua-on-kiristetty-datasi-avulla

Based on developments in the second half of 2020, the report highlights several significant cybersecurity trends:

During the second half of 2020, the spreading of malicious code via Excel formulas tripled.
Outlook was the most commonly spoofed brand in scam emails, followed by Facebook Inc. and Office365.
Almost three quarters of the addresses used were hosted with a commercial website hosting provider.
Email accounted for more than half of all malware distribution attempts made in 2020, making it by far the most popular way to spread malware.
Malware that automatically collects information from victims (infostealers) remains a significant threat. The two most common malware families in the second half of 2020 were both infostealers (Lokibot and Formbook).
61% of the vulnerabilities detected in corporate networks were published in 2016 or earlier, so a large share of the problems found are already 5 years old.

    Reply
  29. Tomi Engdahl says:

    Bloomberg:
    Sources: draft Biden executive order would require companies doing business with the federal government to report hacks of their networks within a few days

    Companies Must Quickly Report Hacks to U.S. Under Proposed Order
    https://www.bloomberg.com/news/articles/2021-03-31/companies-must-report-hacks-to-u-s-within-days-in-draft-order

    Biden using cyber crisis to mandate tighter security practices
    Order would require basic security practices for U.S. agencies

    Companies doing business with the federal government would be required to report hacks of their computer networks within a few days, according to a draft executive order that the Biden administration is urgently trying to complete, people familiar with the matter said.

    President Joe Biden hasn’t yet signed off on the executive actions, which are likely to reach his desk in the next two weeks, one of the people said.

    The executive order, when signed, would mandate important cybersecurity improvements, but it also would push basic changes that could deter cyber-attacks in both the government and private sector, according to people familiar with it. They requested anonymity to speak about actions the administration hasn’t yet announced.

    The order is part of a number of new initiatives pursued by the administration’s new cybersecurity team, which is hoping to take advantage of the crisis created by what is known as the SolarWinds hack to institute a broad security overhaul. The administration is seeking stronger protections of the electrical grid and wider government visibility into some private-sector networks.

The order would also require companies that work with the U.S. government to meet certain software standards, as well as require improvements to federal agencies’ basic security practices, including mandating data encryption and two-factor authentication.

    Reply
  30. Tomi Engdahl says:

    Hacked companies had backup plans. But they didn’t print them out before the attack.
    New NCSC chief says businesses need to take cybersecurity more seriously.
    https://www.zdnet.com/article/hacked-companies-had-backup-plans-but-didnt-print-them-out-why-cybersecurity-still-isnt-being-taken-seriously/

    Boardrooms still aren’t taking cybersecurity seriously, leaving organisations vulnerable to cyberattacks – with executives only paying attention after things have gone bad, according to the new National Cyber Security Centre (NCSC) boss Lindy Cameron.

“I think in terms of what we want organisations to learn, it is that this is the kind of threat they need to think about. This is the kind of thing that should be as much a regular feature in risk conversations in board rooms as legal risk or financial risk – the CEO sees the CISO as often as they see the financial director,” Cameron said. She said it should not be simply a technical conversation with the IT department, but the kind of conversation that’s held in the boardroom itself.

    Meanwhile, boardrooms should be involved when it comes to contingency planning against cyberattacks – they’re more likely to understand the potential threats if they’re discussed not as a technical problem, but a problem with risk, in a similar way to how they’d consider financial risk or legal risk.

    “Ideally, more and more instances are handled well and handled without additional help,” said Cameron.

    Reply
  31. Tomi Engdahl says:

    Boards still aren’t taking cybersecurity seriously, warns new NCSC boss. That means everyone is at risk
    https://www.zdnet.com/article/boardrooms-still-arent-taking-cybersecurity-seriously-and-thats-putting-everyone-at-risk-from-attacks-warns-new-ncsc-boss/

    Organisations aren’t in a position to be complacent about cybersecurity, says NCSC CEO Lindy Cameron, who warns of threats from ransomware to attacks against critical infrastructure.

    Reply
  32. Tomi Engdahl says:

    Latest web hacking tools – Q1 2021
    https://portswigger.net/daily-swig/latest-web-hacking-tools-q1-2021

    We take a look back at some of the best offensive security tools that were launched over the past three months

    Reply
  33. Tomi Engdahl says:

    Hackers Tried To Backdoor Code Used by 80% of All Websites
    https://www.vice.com/en/article/xgzne4/hackers-backdoor-php-source-code?utm_content=1617049803&utm_medium=social&utm_source=MOTHERBOARD_facebook

    Unknown attackers tried to compromise the source code of the PHP programming language in what would have been a dangerous supply chain hack.

    Reply
  34. Tomi Engdahl says:

    This channel never gets old!!!!

    [1209] This Tiny WiFi Camera Owns Kwikset SmartKey (LockTech LTKSD)
    https://www.youtube.com/watch?v=DGdsIrAjp3k

    Reply
  35. Tomi Engdahl says:

    Ransom Gangs Emailing Victim Customers for Leverage
    https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/
    Some of the top ransomware gangs are deploying a new pressure tactic
    to push more victim organizations into paying an extortion demand:
    Emailing the victim’s customers and partners directly, warning that
    their data will be leaked to the dark web unless they can convince the
    victim firm to pay up. “Sadly, regardless of whether a ransom is paid,
    consumers whose data has been stolen are still at risk as there is no
    way of knowing if ransomware gangs delete the data as they promise”

    Reply
  36. Tomi Engdahl says:

    Industries critical to COVID-19 response suffer surge in cloud
    cyberattacks
    https://www.zdnet.com/article/industries-critical-to-covid-19-response-suffer-surge-in-cloud-cyberattacks
    Industries and organizations critical to the fight against COVID-19
    have faced a surge in cyberattacks due to their rapid transition to
    cloud platforms in light of the pandemic. Industries critical to
    COVID-19 management have suffered a particular uptick in cloud
    security incidents. According to the report, retail, manufacturing,
    and government entities have been struck hardest with attack attempts
    increasing by 402%, 230%, and 205% respectively during the pandemic.

    Reply
  37. Tomi Engdahl says:

Can the IT department read your Teams conversations? This is how it’s possible
    https://www.tivi.fi/uutiset/tv/6fdb55a2-d815-4f47-9893-7d86544be9d3
Microsoft Teams has become an essential part of many organizations’ operations following the remote work recommendations. IT departments have recently begun to wake up to the fact that in some cases Teams chats should be monitored. Tech Target has provided guidance to those interested on how a company’s Teams conversations can technically be monitored. Microsoft 365 has the necessary tool, but deploying it requires some tweaking.

    Reply
  38. Tomi Engdahl says:

The Opportunities and Obstacles for Women at NSA and Cyber Command
    https://www.wired.com/story/women-cybersecurity-nsa-cyber-command/
    WIRED spoke with three women working in cybersecurity in the US
    intelligence committee about the progress of recent years and the work
    that remains. Working in cybersecurity within the United States
    intelligence community means navigating a warren of male-dominated
    fields. Inequalities persist, but three senior-level women at the
    National Security Agency and Cyber Command offered WIRED rare insights
into how those organizations have evolved and the hard work that
    remains to be done.

    Reply
  39. Tomi Engdahl says:

    Aamir Siddiqui / XDA Developers:
    Google announces the Android Open Source Project now supports Rust for developing the OS itself, providing more memory safety guarantees than C and C++ — Android as a complete OS solution involves a lot of moving parts. Very broadly speaking, these parts are the app ecosystem and then the OS itself.

    Google is developing parts of Android in Rust to improve security
    https://www.xda-developers.com/google-developing-android-rust/

    For app developers, Java and Kotlin are popular options. For developers working on the OS and the lower levels within it, C and C++ have been popular choices so far. Today, Google is adding a third option for OS developers, as the Android Open Source Project now supports the Rust programming language for developing the OS itself.

    Limitations of C and C++

    Lower levels of the Android OS require systems programming languages like C and C++. These languages provide developers with control and predictability, which is important when accessing low-level system resources and hardware.

Unfortunately, C and C++ fail to provide memory safety guarantees, making them prone to bugs and security vulnerabilities. The developer is responsible for managing memory lifetime in these languages, but in complex and multi-threaded codebases, that is easier said than done.

    C and C++ together constitute tens of millions of lines of code on the Android platform. These memory safety bugs become the most difficult-to-address source of incorrectness of code, representing ~70% of Android’s high severity security vulnerabilities. Merely fixing these bugs becomes insufficient to deal with the issue, and a better approach would be to prevent them in the first place.

    The lack of memory safety guarantees forces developers to run Android processes within tightly constrained and unprivileged sandboxes. But sandboxes are expensive on resources, consuming additional overhead and introducing latency. Sandboxing also doesn’t eliminate the code’s vulnerabilities entirely, and its efficacy is reduced because of high bug density, further allowing attackers to chain multiple vulnerabilities.

    Another limitation, though not unique to C and C++ but applicable to all memory safety issues, is that the erroneous state must actually be triggered in instrumented code in order to be detected. So even if your code has excellent testing, the actual bug may stay undetected. And when bugs are found, getting them fixed is another task, involving a long and costly process that may not always lead to a correct fix. Thus, bug detection becomes unreliable, and bug prevention is the better approach to take in light of these limitations.

    This is where the switch to a memory-safe language like Rust comes into the picture.

    Rust and its benefits

    Rust provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership, and runtime checks to ensure that memory accesses are valid. This safety is achieved while providing equivalent performance to C and C++. Rust also reduces the need for sandboxing, allowing developers more overhead room to introduce new features that are safer and lighter on resources.

    While Rust does indeed have its benefits, it’s not feasible to switch the entire Android OS to Rust overnight. And that might not even be needed, as most of Android’s memory bugs occur in new or recently modified code, with about 50% being less than a year old. Google believes that its memory-safe language efforts are best focused on new developments rather than rewriting mature C and C++ code.

    Rust also focuses on preventing bugs rather than leaning heavily on the detection of bugs, resulting in improved correctness of code. It has several key features, such as memory safety, data concurrency, more expressive type systems, immutable references and variables by default, safer integer handling, better error handling in standard libraries, and much more.

    Google says that it has been adding Rust support to the Android Open Source Project for the past 18 months. But adding a new language to the Android platform is an enormous undertaking. Some toolchains and dependencies need to be maintained, test infrastructure and tooling must be updated, and developers need to be trained.

    Reply
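As an added example (not from the XDA article or from Google’s Android code), here is a parser for a constructed length-prefixed record format that shows the runtime checks the article refers to: slice access through `get()` and checked integer arithmetic turn a malformed length field into a typed error instead of an out-of-bounds read, and the borrow checker ties each returned payload to the input buffer’s lifetime.

```rust
// Added example: parsing untrusted length-prefixed records in Rust.
// Wire format (constructed for this example, not a real protocol):
//   tag:u8 | len:u64 big-endian | payload[len], repeated.
const HEADER_LEN: usize = 9;

/// One parsed record; `payload` borrows from the input buffer, so the
/// compiler refuses any use of it after the buffer is gone.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Header (tag + 8-byte length) runs past the end of the buffer.
    TruncatedHeader { offset: usize },
    /// Declared payload length runs past the end of the buffer.
    TruncatedPayload { offset: usize, declared: u64, available: usize },
    /// Length does not fit in usize, or the end offset would wrap around.
    Overflow { offset: usize, declared: u64 },
}

pub fn parse_records(buf: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    let mut offset = 0usize;
    while offset < buf.len() {
        // `get` yields None instead of reading past the slice; plain
        // indexing would panic, and neither ever reads out of bounds.
        let header = buf
            .get(offset..offset + HEADER_LEN)
            .ok_or(ParseError::TruncatedHeader { offset })?;
        let tag = header[0];
        let mut len_bytes = [0u8; 8];
        len_bytes.copy_from_slice(&header[1..HEADER_LEN]);
        let declared = u64::from_be_bytes(len_bytes);

        // `offset < buf.len()` holds here, so this addition cannot wrap.
        let start = offset + HEADER_LEN;
        // try_from rejects lengths wider than usize (32-bit targets) and
        // checked_add rejects an end offset that would wrap to a small
        // value and slip past a naive `end <= buf.len()` comparison.
        let end = usize::try_from(declared)
            .ok()
            .and_then(|len| start.checked_add(len))
            .ok_or(ParseError::Overflow { offset, declared })?;
        let payload = buf.get(start..end).ok_or(ParseError::TruncatedPayload {
            offset,
            declared,
            available: buf.len() - start,
        })?;
        records.push(Record { tag, payload });
        offset = end;
    }
    Ok(records)
}

/// Encoder for the same constructed format, used to build test input.
pub fn encode_record(tag: u8, payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(HEADER_LEN + payload.len());
    out.push(tag);
    out.extend_from_slice(&(payload.len() as u64).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

fn main() {
    // Well-formed input: two records.
    let mut good = encode_record(0x01, b"abc");
    good.extend(encode_record(0x02, b""));
    println!("{:?}", parse_records(&good));

    // Malformed input: the length claims 3 bytes but only 1 is present.
    let mut truncated = encode_record(0x01, b"abc");
    truncated.truncate(HEADER_LEN + 1);
    println!("{:?}", parse_records(&truncated));

    // Malformed input: a length of u64::MAX that would wrap the end offset.
    let mut huge = vec![0x07u8];
    huge.extend_from_slice(&[0xFF; 8]);
    println!("{:?}", parse_records(&huge));
}
```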
  40. Tomi Engdahl says:

    SolarWinds Fallout: Breach Reporting Is a Mess
    https://www.eetimes.com/solarwinds-fallout-breach-reporting-is-a-mess/

    The widespread, massive SolarWinds hacking revelations have unwound to become the biggest U.S. security breach since 9/11. In their wake, many have called for unified, national, mandatory cyber breach reporting laws. Currently, all 50 states have some kind of reporting laws governing personal data, but they differ widely.

    SolarWinds said in its December SEC filing that fewer than 18,000 customers of its Orion IT monitoring software had the trojanized version installed, and a much smaller number was targeted by the hackers. But at least nine government agencies were affected, including the Department of Justice, and at least 100 commercial enterprises. Among those were several companies and organizations defined as critical infrastructure. Most affected companies have not publicized their breaches.

    Both Congress and the White House are working on reporting legislation. A planned executive order from President Biden would require software vendors to disclose cybersecurity breaches to their federal government customers, according to Reuters. A law requiring broader public disclosure may also be in the works.

    Different state and international laws make confusing mix

    All states have laws governing companies’ obligations to notify affected individuals and sometimes government regulators about a data breach, Nancy Libin, chair of Davis Wright Tremaine’s privacy & data security practice, told EE Times. But each defines the event triggering this differently. These laws also have different definitions for a breach, and different thresholds for when to notify, making it difficult for businesses to respond.

    Europe’s General Data Protection Regulation (GDPR), and a separate, post-Brexit law for the UK, cover the release of personally identifiable information (PII), such as customer information. The EU’s NIS Directive aims to strengthen the security of network and information systems, and improve resilience and incident response of critical infrastructure companies, including some measures for reporting incidents. Brazil has adopted a law almost identical to Europe’s, and there are others as well, said Libin.

    The urgency of timely reporting is demonstrated by the unrelated cyberattack on a zero-day vulnerability in Accellion’s file transfer appliance (FTA). Some affected companies using the FTA say the attack could have been less damaging if Accellion had informed its customers earlier, such as might be required under a mandatory federal reporting law. Critical infrastructure organizations breached via the Accellion vulnerability include Shell and Washington State’s government.

    Different, possibly contradictory state or national reporting laws can produce problems for companies doing business nationally or globally during a breach. “It’s a real challenge for companies when they experience a security incident to — in a short period of time — understand what’s happened, staunch the bleeding, mitigate the breach and remediate further damage, and determine their legal obligations to affected individuals and government authorities,” said Libin.

    A single national law?

    “It’s interesting that the SolarWinds breach is sparking debate at the national level,” Inga Goddijn, executive vice president of Risk Based Security, told EE Times. “Because it impacted so many federal agencies, perhaps it’s made shared reporting more real, and more real at a more serious level than it’s received in the past.” Although SolarWinds did provide information about the breach quickly, a national mechanism for distributing that information to affected organizations would have been very helpful, even if limited to confidential channels, she said.

    A single notification standard would also help consumers. “Congress has been working for over 15 years to draft a single standard for data breach notification,” said Libin.

    Two things have held up passage of a federal law: “preemption,” ensuring that the strongest state law isn’t watered down by a weaker federal law, and setting a standard for triggering the notification obligation, said Libin.

    Other possible barriers include the risk of exposing companies to potential lawsuits, or disclosing sensitive information about their vulnerabilities. “There would be incentive to [notify regulators in the event of a security incident] now if companies could share information with regulators in exchange for assistance from them without risking liability,” said Libin.

    Other information sharing mechanisms

    Two existing voluntary mechanisms for sharing cybersecurity information are CISA’s Automated Indicator Sharing program for cyber threat indicators and defensive measures among private and public entities, and its Cyber Information Sharing and Collaboration Program (CISCP), aimed specifically at critical infrastructure, for threat and vulnerability information.

    “There’s no really good way right now for security-minded organizations to see the security indicators that other organizations have experienced,” said Goddijn. “Better understanding would be helped enormously by taking the sector-based, completely voluntary concept of information sharing and analysis centers, and shifting it to mandatory reporting by organizations in all industries. This would ask organizations to take on more work, especially in a chaotic time when they’re already trying to do incident response. But it would be less burdensome if capturing incidents and process as much as they can just becomes a standardized part of operations.”

    Reply
  41. Tomi Engdahl says:

    3 minutes ago I didn’t know this existed and now I can defeat them

    [1212] Lockout Keys And How To Defeat Them
    https://www.youtube.com/watch?v=XfCv7_hQr7M

    Reply
  42. Tomi Engdahl says:

    Industrial control system cybersecurity breaches will happen
    https://www.controleng.com/articles/industrial-control-system-cybersecurity-breaches-will-happen/?oly_enc_id=0462E3054934E2U

    Industrial control system (ICS) security attacks are a given, but they are relatively rare and should be dealt with.

The industrial control system (ICS) security community and asset owners need to grow up in 2021. There is near hysteria whenever there is an actual, potential or mythical breach of an ICS, regardless of the impact. This is in an environment where the number and consequences of successful attacks on ICS is very small compared to other production outage or degradation causes. The outgrowth of this hysteria is recommendations to deploy more and more security controls, without regard to actual risk reduction achieved for the required resources. 2021 is the year where we learn to live with the reality that cyber attacks on ICS will sometimes succeed and focus on recovery and resilience after the breach.

    An attacker only needs to succeed once
This trope is depressing to the defender. It is also almost always used loosely or wrongly in ICS because “success” is undefined. Is success taking control of a server in the ICS? Is success causing a manufacturing plant to have a two-day unplanned outage? Is success causing a six-hour power outage? Is success causing a city to not have water coming out of the tap for four months?

    As an asset owner, I would prefer, and aim for, my operations to be running safely and efficiently producing high quality products and services 100% of the time without unplanned outages. Almost all asset owners fall short of this goal every year for reasons unrelated to cyber security.

    The asset owners have learned to live with weather disturbances, supply chain issues, labor issues, supporting system issues and failures in the cyber and physical systems that produce the product or service. We need to learn to live with the fact that there will be cyber or cyber/physical attack events that will affect the ICS’s ability to produce products and services. Planning and expecting a zero cyber event world is a fool’s errand.

    For the past two decades, the impact of cyber attacks on ICS has been incredibly small as compared to the impact due to other causes. In the risk equation, the likelihood has been tiny. Much of this is due to lack of motivation and effort on the attacker side, and this could change at any time, but from a pure statistical analysis it would be foolhardy for asset owners to put significantly more resources on reducing likelihood.

    High-impact, low-frequency events
    High-impact, low-frequency (HILF) events are also discussed as long tail or black swan events. Richard Clarke calls this the “it never happened before problem”. Sometimes it truly has never happened before, but often it is an event that hasn’t happened in our lifetime, such as a pandemic prior to 2020.

    The HILF risk is difficult for people to deal with due to our makeup. First, there is a hesitancy to believe it is real in our times. And second, if it is believed to be real the common reaction is “we can never let that happen” so the effort is placed on likelihood reduction even though it is tiny to begin with and will never reach zero.

    The path forward
Many organizations are still lacking the basics of effective segmentation, application whitelisting, endpoint protection, and two-factor authentication for remote access. And we need to get past the insecure-by-design nature of programmable logic controllers (PLCs) and other level 1 devices and related protocols so other protection security controls can achieve more than trivial risk reduction. There needs to be a plan to replace insecure-by-design.

For asset owners who have implemented basic ICS protection security controls, and those advising them, 2021 should be the year to focus on reducing the consequence if a cyber-attack-caused breach of the ICS happens. If you want a specific goal, reduce the business consequences of an incident where an attack team with domain engineering and automation skills has full access and control of an engineering workstation. The business consequences are the consequence categories in your risk matrix such as health & safety, financial impact, customer impact, reputation, etc.

    Three broad categories of consequence reduction measures to look at are:

    Non-hackable, non-cyber measures that reduce the worst-case situation
    Recovery or alternate supply without recovering the ICS
    Faster recovery of the ICS.

    Safety and protection heritage
    This resilience and recovery approach should be a natural for asset owners. The safety and protection systems were put in place for consequence reduction when things go wrong.

    Reply
  43. Tomi Engdahl says:

    Evaluating 2021 cyber threat landscape trends
    https://www.controleng.com/articles/evaluating-cyber-threat-landscape-trends-for-2021/?oly_enc_id=0462E3054934E2U

The new normal due to COVID-19 has made the cyber threat landscape very different and challenging in new ways for operators and consumers. Learn about new trends people should be aware of in 2021.

    As companies continue to adjust to the ever-evolving new normal in 2021, there will undoubtedly be additional shifts in work environments, internet usage, and the general status quo. With this in mind, Fortinet’s FortiGuard Labs’ Derek Manky and Aamir Lakhani provided insights into what types of attacks security researchers are seeing now and what they expect from the cyber threat landscape this coming year.

    Question: How have cybercriminals benefitted from the increase in online shopping over the past year, and what techniques are they using to exploit credit card information online?

    Reply
  44. Tomi Engdahl says:

Cyber attacks cause outages of up to several days in smart factories
    https://etn.fi/index.php/13-news/11983-kyberiskut-aiheuttavat-jopa-paivien-katkoksia-alytehtaissa
When sensors and control are added to a factory, making it so-called smart, it inevitably becomes exposed to internet threats as well. Trend Micro’s research shows that a large share of factories using smart technology have already fallen victim to security attacks.

According to the study, as many as 61 percent of industrial companies have suffered security problems in their factories that use smart technology. Alarmingly, 43 percent report that production stoppages caused by the attacks have lasted even more than four days.

- Manufacturing organizations around the world are accelerating their digitalization as they develop smart production environments. But at the same time, this development opens up new attack opportunities for cybercriminals, says Kalle Salminen, cybersecurity expert at Trend Micro.

The study shows that technology (78%) was seen as the biggest security challenge. Many respondents also named people (68%) and processes (67%) as key challenges. However, fewer than half of the participants say they are implementing technical measures to improve their cybersecurity. Asset visualization (40%) and segmentation (39%) were at the bottom of the list of cybersecurity measures being adopted, which suggests that they are technically the most challenging for organizations to implement.

Standards and guidelines are considered the best tools for improving collaboration in the United States (64%), Germany (58%) and Japan (57%). The most popular guidelines were the NIST (National Institute of Standards and Technology) Cyber Security Framework and the ISO27001 standard.

    Reply
  45. Tomi Engdahl says:

    The State of Industrial Cybersecurity
    Explore the challenges smart factories faced in 2020
    according to IT and OT teams surveyed in the US, Germany, and Japan.
    https://resources.trendmicro.com/Industrial-Cybersecurity-WP.html

    Reply
  46. Tomi Engdahl says:

    https://www.securityweek.com/what-cybersecurity-policy-changes-should-we-expect-biden-administration

    1. Issue an Updated National Cyber Strategy

    The Commission accurately assessed that the U.S. Strategy on Cybersecurity is both out of date and plagued by the lack of a single executive owner. The new policy is expected to focus on layered deterrence, resilience, public-private collaboration, and “defend forward.” Those last two items are the ones I would watch carefully.

    Public-private collaboration – Increased emphasis on public-private collaboration will likely ramp up rhetoric of nationalization and accusations of civil rights violations (much like we witnessed with the Patriot Act) and of corruption related to how private companies are awarded opportunities for (and profit from) collaboration.

    “Defend Forward” – The Commission posited that the U.S. “has not created a credible and sufficient costs” for malicious cyber operations. The new policy is expected to prioritize “proactively observing, pursuing, and countering adversary operations and imposing costs to change adversary behavior” over simply responding to malicious behavior.

    If codified in new U.S. policy, this significant change in position will be simultaneously championed as a bold move to create meaningful deterrence and harshly maligned as a risky move that could turn cyberspace into a hot battlefield – with real civilian casualties – despite the lack of agreed-upon international norms for acceptable behavior.

    2. Establish a Senate-Confirmed National Cyber Director

    3. Implement policies designed to better recruit, develop, and retain cyber talent

    Many cybersecurity wizards capable of contributing significantly to the nation have lifestyles that should not be judged by rigid and outdated policies.

    Reply
  47. Tomi Engdahl says:

    Report: Supplier Impersonation Attacks a Major Risk
    https://www.securityweek.com/report-supplier-impersonation-attacks-major-risk

    Threat actors are leveraging the supply chain to deliver various types of threats to organizations, and few of them are spared from such attacks, according to a new report from enterprise security company Proofpoint.

    During a seven-day window in February 2021, out of a total of 3,000 monitored organizations, Proofpoint reports that a whopping 98 percent were hit with a form of assault leveraging compromised supplier accounts and supplier impersonation.

    Such attacks, Proofpoint explains, leverage compromised supplier domains to deliver a broad range of threats, including invoicing fraud, phishing messages aimed at credential harvesting, malware, and business email compromise (BEC).

    Of the observed attacks relying on impersonated and compromised suppliers, 74% leveraged social engineering for phishing or BEC and less than 30% of them were malware related. This shows that attackers continue to exploit the human element rather than vulnerabilities in an organization’s infrastructure.

    “As well, attackers are following suppliers to the cloud and are exploiting popular collaboration platforms such as Microsoft 365, Google G-Suite, and Dropbox to host or send threats at an alarming rate,” according to the Proofpoint report.

    98% of Organizations Received Email Threats from Suppliers: What You Should Know
    https://www.proofpoint.com/us/blog/email-and-cloud-threats/98-organizations-received-email-threats-suppliers-what-you-should-know

    Attackers have turned the supply chain and partner ecosystem into another threat vector. Proofpoint has observed attackers leveraging compromised supplier accounts and supplier impersonation to send malware, steal credentials and perpetrate invoicing fraud.

    Proofpoint’s recent research indicates that 98% of nearly 3,000 monitored organizations across the U.S., UK, and Australia received a threat from a supplier domain over a 7-day window in February 2021. This is consistent across company size, industry, and country, suggesting that companies of all sizes and industries are exposed to supplier risk and that it’s a universal concern.

    Reply
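    The two supplier-borne patterns the Proofpoint report describes, impersonated supplier domains and genuinely compromised supplier accounts, leave different traces in mail headers. The following triage script is an added example (not from the report, Proofpoint, or the blog author) that separates them: a typosquatted or lookalike domain is flagged as impersonation, a known supplier domain that fails DMARC is flagged as spoofing, and a mail that authenticates as a real supplier but carries payment or bank-change language (with or without a mismatched Reply-To) is routed to human review as a possible compromised account. The supplier list, header samples, keyword list and edit-distance threshold are all constructed for illustration.

```python
"""Triage inbound mail for supplier impersonation and compromised-supplier signals.

Added example. KNOWN_SUPPLIERS, PAYMENT_KEYWORDS and the SAMPLE_* messages are
constructed (hypothetical) test data, not taken from any real organization.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import Optional

# Hypothetical list of trusted supplier domains for this organization.
KNOWN_SUPPLIERS = {"acme-parts.example", "northwind-logistics.example"}

# Phrases that commonly accompany invoicing fraud / BEC (illustrative list).
PAYMENT_KEYWORDS = ("invoice", "wire", "bank details", "account number", "remittance")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquatted supplier labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_result(msg) -> str:
    """Pull dmarc=<result> out of Authentication-Results (added by our own MX)."""
    m = re.search(r"dmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    return m.group(1).lower() if m else "none"


def lookalike_of(domain: str) -> Optional[str]:
    """Return the supplier domain this sender imitates, or None."""
    if domain in KNOWN_SUPPLIERS or not domain:
        return None
    dom_label = domain.split(".")[0]
    for sup in KNOWN_SUPPLIERS:
        sup_label = sup.split(".")[0]
        # One or two typos in the label, or the supplier name embedded in a longer domain.
        if levenshtein(dom_label, sup_label) <= 2 or sup_label in domain:
            return sup
    return None


def triage(raw: str) -> dict:
    """Classify one raw RFC 5322 message; returns verdict plus supporting findings."""
    msg = message_from_string(raw, policy=default)
    from_dom = sender_domain(str(msg.get("From", "")))
    reply_dom = sender_domain(str(msg.get("Reply-To", ""))) or from_dom
    body = msg.get_content().lower() if not msg.is_multipart() else ""
    dmarc = dmarc_result(msg)
    payment = any(k in body for k in PAYMENT_KEYWORDS)
    mimic = lookalike_of(from_dom)

    findings = []
    if mimic:
        findings.append(f"sender domain imitates supplier {mimic}")
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain")
    if from_dom in KNOWN_SUPPLIERS and dmarc != "pass":
        findings.append(f"supplier domain fails dmarc ({dmarc})")
    if payment:
        findings.append("payment or banking language in body")

    if mimic:
        verdict = "impersonation"
    elif from_dom in KNOWN_SUPPLIERS and dmarc != "pass":
        verdict = "spoofed-supplier"
    elif from_dom in KNOWN_SUPPLIERS and payment:
        # Authenticates as the real supplier: a compromised account looks exactly like this.
        verdict = "review-possible-compromised-account"
    else:
        verdict = "clean"
    return {"from_domain": from_dom, "dmarc": dmarc, "verdict": verdict, "findings": findings}


# Constructed sample messages (hypothetical headers and bodies).
SAMPLE_LOOKALIKE = """\
From: Accounts <billing@acme-partz.example>
Authentication-Results: mx.victim.example; spf=pass; dmarc=pass header.from=acme-partz.example
Subject: Updated invoice 4471
Content-Type: text/plain

Our bank details have changed, please pay this invoice to the new account number.
"""

SAMPLE_COMPROMISED = """\
From: Accounts <billing@acme-parts.example>
Reply-To: acme.billing@mail.example
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass header.from=acme-parts.example
Subject: Remittance update
Content-Type: text/plain

Please update our bank details before settling the attached invoice.
"""

SAMPLE_SPOOF = """\
From: dispatch@northwind-logistics.example
Authentication-Results: mx.victim.example; spf=fail; dmarc=fail header.from=northwind-logistics.example
Subject: Invoice overdue
Content-Type: text/plain

Wire the outstanding amount today.
"""

SAMPLE_CLEAN = """\
From: ops@northwind-logistics.example
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass header.from=northwind-logistics.example
Subject: Shipment 88
Content-Type: text/plain

Shipment 88 departs Tuesday, tracking number follows.
"""

if __name__ == "__main__":
    for name in ("SAMPLE_LOOKALIKE", "SAMPLE_COMPROMISED", "SAMPLE_SPOOF", "SAMPLE_CLEAN"):
        print(name, triage(globals()[name]))
```

    The point of the third verdict is the one the report makes: when the supplier account itself is compromised, SPF, DKIM and DMARC all pass, so authentication alone cannot catch it and the bank-change request has to be verified out of band with the supplier.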
  48. Tomi Engdahl says:

    Windows XP makes ransomware gangs work harder for their money
    https://www.bleepingcomputer.com/news/security/windows-xp-makes-ransomware-gangs-work-harder-for-their-money/
    A recently created ransomware decryptor illustrates how threat actors have to support Windows XP, even though Microsoft dropped support for it seven years ago. If an organization uses Windows XP and a ransomware attack encrypts the device, it now falls on the threat actors to support the operating system if they want to get paid.

    Reply
