Nothing is more difficult than making predictions. Instead of trowing out wild ideas what might be coming, will be making educated guesses based on what has happened during the last 12 months and several years before that.
The past year has seen a rapid increase in the adoption of up-and-coming technologies. Everyday items are getting
smarter and more connected. Companies are saving millions with new technologies and cities are racing to
implement smart solutions. 5G promises to bring wireless high speed broadband to everywhere. On the other hand those solutions add new kinds of vulnerabilities. Competing in today’s digital marketplace requires that organizations are cyber-savvy. 2020 is when cybersecurity gets even weirder, so get ready.
Here are some trends and predictions for cyber security in 2020:
Cyber Attacks: Cyberattacks grow in volume and complexity.Many countries that are going to emerge as major threats in the 2020s. Nation-state backed cyber groups have been responsible for major incidents over the last decade. And now more countries want the same power. Cyberattacks range from targeting your database to steal information that can be sold on the dark web, to hijacking unused CPU cycles on your devices to mine for cryptocurrencies, or trying to infect vulnerable systems so they can be used later as part of a botnet.
IoT security: IoT security is still getting worse until it starts to get better. IoT security is an extremely hot topic right now and will be hot for many years to come. Industrial IoT risk has been discussed a lot. Physics dictates local application deployment, because the control rate of most industrial systems is 10 milliseconds or below. Smart Building Security Awareness Grows. The risks of the IoT in financial services are great. An explosion in IoT devices significantly raises the threat level. Gartner predicted that the world will see nearly 21 billion IoT devices by next year and it would be nice if all of them would be secure, but many of them unfortunately are not secure. Hackers are continually looking for ways to exploit device vulnerabilities. From smart TV’s, IP cameras, and smart elevators, to hospital infusion pumps and industrial PLC controllers, IoT and OT (Operational Technology) devices are inherently vulnerable and easy to hack. Why? Because IoT security is complicated and security should consider and integrated with IoT deployments. Gartner Says Worldwide IoT Security Spending Will Reach $1.9 Billion in 2019, and will raise to $ 3.1 billion in 2021, making it one of the fastest growing segments in cybersecurity industry. IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT- device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more. You might have to do a little work with your internet of things devices to stay secure. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of the devices vulnerable to attack. One in every 172 active RSA certificates are vulnerable to attack. It is a good idea to build a separate network segments for IoT devices so that they are isolated from the normal office network. FBI recommends that you keep your IoT devices on a separate network.
IoT privacy: Silicon Valley Is Listening to Your Most Intimate Moments. The world’s biggest companies got millions of people to let temps analyze some very sensitive recordings made by your “smart” speakers and smart phones. A quarter of Americans have bought “smart speaker” devices such as the Echo, Google Home, and Apple HomePod. Consulting firm Juniper Research Ltd. estimates that by 2023 the global annual market for smart speakers will reach $11 billion, and there will be about 7.4 billion voice-controlled devices in the wild. That’s about one for every person on Earth. The question is, then what? Having microphones that listen all the time is concerning. Also some attackers are terrifying homeowners and making them feel violated in their own homes.
Medical systems security: Cyberattacks on Medical Devices Are on the Rise—and Manufacturers Must Respond. Attacks on networked medical devices, and the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction. It’s shocking that a few years after WannaCry and NotPetya, the healthcare industry is still not prepared to deal with ransomware attacks. Many hospitals and healthcare networks that have been hit by ransomware over the past few months.
Surveillance cameras: Surveillance cameras are capturing what we do on the streets, at airports, in stores, and in much of our public space. China’s Orwellian video surveillance gets a bad rap but the US isn’t far behind as US has nearly the same ratio of security cameras to citizens as China.And the numbers are growing all over the world. One billion surveillance cameras will be deployed globally by 2021, according to data compiled by IHS Markit. Russia is building one of the world’s largest facial recognition networks and it may even be bigger than China’s 200 million camera system. China’s installed base is expected to rise to over 560 million cameras by 2021, representing the largest share of surveillance devices installed globally, with the US rising to around 85 million cameras. Now US, like China, has about one surveillance camera for every four people (in 2018 China had 350 million cameras and USA 70 million). Surveillance cameras are getting better, smaller and cheaper and can be installed almost anywhere. It would be very easy to sneak another device onto a hotel’s Wi-Fi network, stream that video over the internet to the computer.
Facial recognition: Private companies and governments worldwide are already experimenting with facial recognition technology. Facial recognition software is touted as making us safer. But mass surveillance has downsides of major proportions. Massive errors found in facial recognition tech. Facial recognition systems can produce wildly inaccurate results, especially for non-whites. Russia is building one of the world’s largest facial recognition networks. Individuals, lawmakers, developers – and everyone in between – should be aware of the rise of facial recognition, and the risks it poses to rights to privacy, freedom, democracy and non-discrimination.
Shut off Internet: Worrying worldwide trend employed by various governments: preventing people from communicating on the web and accessing information. Amid widespread demonstrations over different issues many countries have started cutting Internet connections from people. Some countries, namely China, architected their internet infrastructure from the start with government control in mind. Russia is aiming to this direction. Iran, India, Russia. For better or worse, an internet blackout limits the government’s ability to conduct digital surveillance on citizens.
Security First: Implementing Cyber Best Practices Requires a Security-First Approach. Competing in today’s digital marketplace requires that organizations be cyber-savvy. The best defense is to start with a security-driven development and networking strategy that builds a hardened digital presence from the ground up. This not only ensures that your online services and web applications are protected from compromise, but also enables security to automatically evolve and adapt right alongside the development of your digital presence, rather than it having to be constantly rigged and retrofitted to adapt to digital innovation.
Zero Trust Network Access: Many of the most damaging breaches have been the result of users gaining access to unauthorized levels of network resources and devices. Zero Trust is an enforceable, identity-driven access policy that includes seamless and secure two-factor/OTP authentication across the organization. Zero Trust Network Access ensures that all users and devices are identified, profiled, and provided appropriate network access. It also ensures that new devices are automatically assigned to appropriate network segments based on things like device profiles and owners. When combined with Network Access Control (NAC), organizations can also discover, identify, grant appropriate access, and monitor devices, thereby enhancing your access and segmentation strategy.
Anti-virus software: Only Half of Malware Caught by Signature AV. The percentage of malware that successfully bypassed signature-based antivirus scanners at companies’ network gateways has increased significantly, either by scrambling
code known as “packing” using basic encryption techniques or by the automatic creation of code variants. It seems that new approaches like machine learning and behavioral detection are necessary to catch threats. Meanwhile, network attacks have risen, especially against older vulnerabilities.
Ransomware attacks: Ransomware will remain a major threat in the coming year, as the criminal business model continues to flourish. That’s a move that security professionals have long condemned, warning that paying the ransom in a ransomware attack could end up causing more turmoil for victims – as well as inspire other cybercriminals to launch ransomware attacks. Microsoft never encourage a ransomware victim to pay. What to do with this is question. How much does a large-scale ransomware attack cost, as opposed to just hiring an adequate number of skilled IT personnel, and having disaster recovery plans in place? There is no complete security solution that could stop all attacks, but you should have decent protection. It would seem prudent to have adequate staff and offline BACKUPS to deal with this kind of situation, so decent recovery would be possible. Having no backup system is the gamble many companies and public entities seem to be playing. Good backups helps to recover from ransom attacks. There are new tactics coming to use in ransomware. A new Snatch ransomware strain that will reboot computers it infects into Safe Mode to disable any resident security solutions. Another new tactic by ransomware developers is to release a victim’s data if they do not pay the ransom – they will publish data that they steal to a competitor if the ransom is not paid.
Public sector: Public Sector Security Is Lagging. The state of cybersecurity and resilience in the public sector needs an
urgent boost in many countries. U.S. citizens rely on state governments and local municipalities to provide a host of services everything from access to public records, law enforcement protection, education and welfare to voting and election services. Cybercriminals have been targeting state and local governments with ransomware tools, which infect an organization’s computer networks and lock up critical files.
Consumer confidence: Winning consumer confidence is crucial to the development of new digital services. In a PwC study, consumers are prepared to share personal information if it is of sufficient value to them. On the other hand, consumer confidence also needs to be earned that you keep the information safe.
API security: APIs now account for 40% of the attack surface for all web-enabled apps. It’s a good time to pay attention to API security, since some recent high-profile breaches have involved API vulnerabilities. OWASP, the Open Web Application Security Project known for its top 10 list of web application vulnerabilities, published the release candidate version of its API Security Top 10 list at the end of September 2019. Also it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
Skills gap: Security teams are already grappling with serious challenges due to the growing cybersecurity skills gap, are being tasked to secure an ever-expanding network footprint. Security teams are often left to secure virtual and cloud environments, the implementation of SaaS services, DevOps projects, the growing adoption of IoT, mobile workers, and an expanding array of personal connected devices after they have already been implemented. They often do not have enough people and enough knowledge on those new technologies to do their work well. The cybersecurity unemployment rate is zero, with over 1 million jobs currently unfilled, a number that is expected to climb to 3.5 million by 2021. 145% Growth is Needed to Meet Global Demand.
Think Like Your Adversary: Cybersecurity leaders need to access the potential vulnerabilities (from the mindset of the adversary) and devise effective defensive countermeasures unique to their company’s needs. Programmers Should Think like Hackers. Security must be taken into account in all programming steps.
Third party security: Most Companies Don’t Properly Manage Third-Party Cyber Risk. It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s modern, interconnected world. Developing a Third-Party Cyber Risk Management (TPCRM) strategy is becoming more common with every news headline regarding a major breach that stemmed from a company’s relationship with a third-party.
Privacy and surveillance: Fears Grow on Digital Surveillance. Americans are increasingly fearful of monitoring of their online and offline activities, both by governments and private companies. More than 60 percent of US adults believe it is impossible to go about daily life without having personal information collected by companies or the government. Google and Facebook help connect the world and provide crucial services to billions. But their system can also be used for surveillance. Amnesty International says Facebook and Google’s omnipresent surveillance is inherently incompatible with the right to privacy and is a danger to human rights. The claim is that the companies’ surveillance-based business model is inherently incompatible with the right to privacy and poses a threat to a range of other rights including freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination. Amnesty International has called for a radical transformation of the tech giants’ core business model and said that Google and Facebook should be forced to abandon what it calls their surveillance-based business model because it is “predicated on human rights abuse.”
5G: Forecasting that 2020 will be “the year of 5G” no longer qualifies as a bold prediction. Billions of dollars’ worth of 5G rollouts are scheduled for the coming year, which will bring the emergent technology to countries around the world. The arrival of 5G will fuel an explosion of never-before-seen IoT machines, introducing uncharted vulnerabilities and opening the door for cyber-criminals to compromise our increasingly intertwined cities. Claims that 5G offers “better security” for IoT may not ring true.
5G security: The new 5G mobile networks will be the backbone of future digitalized operations. Therefore, it is also important to ensure the security and immunity of 5G networks.The Council of the European Union has warned member states that the introduction of 5G networks poses increased security risks while also bringing economic and infrastructure benefits. ENISA, the European Union Agency for Cybersecurity has published a ThreatLandscape for 5G Networks, assessing the threats related to the fifth generation of mobile telecommunications networks (5G). Organised cybercrime, rogue insiders and nation-state-backed hackers are among the groups that could soon be targeting 5G networks. Claims that 5G offers “better security” for IoT may not ring true – with the technology remaining vulnerable to SIM-jacking attacks within private Industry 4.0-style deployments. 5G SIM-swap attacks could be even worse for industrial IoT than now. Criminals can convince telcos to port a victim’s number to a new SIM card controlled by the criminal. Trust your hardware or operator? Pah, you oughta trust nobody. Do not put all your security and identification to this SIM card.
DNS Over HTTPS (DoH): DoH encrypted DNS queries are already set to arrive in Chrome and Firefox web browsers. Microsoft Will Bring DNS Over HTTPS (DoH) to Windows 10 in an attempt to keep user traffic as private as possible. DoH support in Windows means encrypted DNS queries. Microsoft says that DoH doesn’t require DNS centralization if adoption is broad among operating systems and Internet service providers alike.
Firewall configuration: Now, more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.”. This is a human problem, not a firewall problem.
Bot attacks: Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more. Organizations are Failing to Deal With Rising Bot Attacks.
Network security: Networks are continually growing in complexity and the cyberattack surface is constantly expanding. The network perimeter of today is elastic, expanding and contracting with the demands of both users and the business. In a rush to adopt digital business practices, many of these new network expansion projects are often being implemented ad hoc by individual lines of business. Routers sit at the edge of the network and see everything and they can be utilized to Making the Network the First Line of Defense. A critical step in building a stronger security posture and more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. Cybercriminals only need to be successful once in finding a way to access the network – but the security team needs to monitor everything on the network and be right all the time to ensure security. Today’s core network is continually adapting to the introduction of new devices, applications, and workflows, along with shifting network configurations to support business requirements, requiring the use of advanced, intent-based segmentation.
Security-Driven Networking: Security-Driven Networking is a new, strategic approach to security that enables the seamless expansion of network environments and services without ever compromising on security. Essentially, it begins by crafting a comprehensive security policy that covers the entire organization. It outlines the protocols, enforcement and inspection technologies, policies, and protections required to be in place before any new network environment or solution is even placed on the drawing board. It requires the selection and full integration of security tools that not only work together to share and correlate intelligence and coordinate a unified response to threats, but that also work seamlessly across the widest variety of environments possible.
Critical infrastructure: Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems. In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. Expect targeted attacks on critical infrastructure facilities to increase. APT33 has shifted targeting to industrial control systems software. We need to be worried about Cyber-Physical Security of the Power Grid. To protect this infrastructure you need to prioritize strategic risks that affect critical infrastructure: Concern yourself with the most important hacks, Understand the critical pieces of your infrastructure and Know your inter-dependencies.
Payment security: Payment security backslides for second straight year in 2019. Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to36.7% globally, down from 52.5% in 2018. At the same time EU’s PSD2 (Payments Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, as banks will be required to open their infrastructure and data to third parties. Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use.
Election security: Nowadays, no elections can be held any longer without debate on influencing voters through online services. There are on-going accusations of Russian interference in US elections and fears about a possible reboot of this in the run-up to the 2020 elections. U.S. military cyber experts are plotting strategy in a fight against potential Russian and other cyberattacks ahead of the 2020 American and Montenegrin elections. As the 2020 Presidential election looms closer in the United
States, a key focus will be on securing election infrastructure to prevent tampering. Most of the largest US voting districts are still vulnerable to email spoofing. Also disinformation campaigns for political purposes are deeply rooted in cybercriminal endeavors. It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. Hacking is considered to be the biggest tech threats to 2020 elections in USA. Legislators are working on new laws, but it is not going to be enough in an era when technology is turning out entirely new attack surfaces.
False Flags: The use of false flags has become an important element in the playbook of several APT groups. This can be used to try to deflect attention away from those responsible for the attack or what is really happening.
Common attack tools: Cyber actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult.
Vulnerability disclosure: Most “white hat” cyber engineers seem to be driven by a sense of social responsibility best expressed as, “If you find something, say something.” Across the industry, the ethos is to share information quickly, whether the problem is a newly discovered exploit or an evolving cyber threat. The goal is to impel the affected vendor—hardware or software—to take quick action and produce a fix. There are good and bad ways to make vulnerabilities known. A premature “full disclosure” of a previously unknown issue can unleash the forces of evil, and the “black hats” often move faster than vendors or enterprise IT teams. The preferred path is a “responsible” or “coordinated” disclosure that happens behind the scenes. Public announcements occur after a specified period of time—typically 90 or 120 days. But things don’t work this way always.
Ransomware: Cybercriminals have become more targeted in their use of ransomware. It is inevitable that the cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. There is a Ransomware ‘Crisis’ in US Schools and in many cities in USA.
Supply chain: Use of supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and abuse of packages and libraries. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations. There is the growth of counterfeit electronics.
Mobile: The main storage for our digital lives has moved from the PC to mobiles over last 10 years. Several countries have started demanding their own software (maybe in some cases also malware) to be installed to all smart phones. Putin signs law making Russian apps mandatory on smartphones, computers.
Android: Today 80% of Android apps are encrypting traffic by default. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain. The heterogeneity of the Android versions will continue to be a problem in the coming year.
DDoS attacks: DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic. The number of distributed denial-of-service (DDoS) attacks rose 86% in the third quarter compared to a year ago. DNS amplification attacks accounted for 45% of the attacks, while HTTP
floods and TCP SYN attacks accounted for 14%. Mobile Devices Account for 41% of DDoS Attack Traffic.
Business security: Small and medium-sized businesses (SMBs) increasingly recognize that a reactive security posture is no longer sufficient for protecting their networks. Breaches will happen. Companies should treat cyberattacks “as a matter of when” and not “whether.” Inside threads are still a big issue as Employees are one of your biggest assets, but human beings are the weakest link in the security chain. Data leaks help attackers to craft more convincing social engineering attacks. Plan proper incident management because Quick, reliable, multichannel communication is a vital part of any incident management solution. Cybercriminals often choose very small companies as their targets because small businesses rarely spend significant money on security systems. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations.
Cyber insurance: Cyber Has Emerged as a Risk That is Not Specifically Covered by Other Insurance Policies. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow.
New encryption: The problem with encrypted data is that you must decrypt it in order to work with it. There is a powerful solution to this scenario: homomorphic encryption. Homomorphic encryption makes it possible to analyze or manipulate encrypted data without revealing the data to anyone. Just like many other populr forms of encryption, homomorphic encryption uses a public key to encrypt the data. There are three main types of homomorphic encryption: partially homomorphic encryption (keeps sensitive data secure by only allowing select mathematical functions to be performed on encrypted data); somewhat homomorphic encryption (supports limited operations that can be performed only a set number of times); fully homomorphic encryption (this is the gold standard of homomorphic encryption that keeps information secure and accessible). Cryptographers have known of the concept of homomorphic encryption since 1978 but Gentry established the first homomorphic encryption scheme in 2009.The biggest barrier to widescale adoption of homomorphic encryption is that it is still very slow. Duality, a security startup co-founded by the creator of homomorphic encryption, raises $16M.
Artificial Intelligence (AI): The buzzword for 2019 that we have all heard a thousand times was Artificial Intelligence, AI. The term AI is often interchanged with machine learning. There is a lot of research to examine AI applications on cyber security. As cyberattacks grow in volume and complexity, hopefully artificial intelligence (AI) is helping under-resourced security operations analysts stay ahead of threats. Cybersecurity tools currently use this data aggregation and pattern analysis in the field of heuristic modeling: THE TRUE FUNCTION OF AI WILL BE TO DETERMINE WITH A LONG ARC OF TIME AND DATA, WHAT “NORMAL” LOOKS LIKE FOR A USER. AI can act as an advisor to analysts, helping them quickly identify and connect the dots between threats. Finnish cyber security company F-Secure is making research on AI agents and on that Mikko Hyppönen says that AI should not used to try to imitate humans and that artificial intelligence-based attacks are expected in the near future. Another Finnish cyber security company Nixu says that Artificial intelligence is going to revolutionize cyber security. According to Orlando Scott-Cowley from Amazon Web Services machine learning is the new normal in cyber security. Advanced Machine Learning layers are to be integrated into the latest Windows cybersecurity products. Leaders in artificial intelligence warn that progress is slowing, big challenges remain, and simply throwing more computers at a problem isn’t sustainable.
2020 problems: Has your business prepared for the ‘2020 problem’? Software updates for Windows 7 will end on January 14, 2020. As of Jan. 14, 2020, Windows 7 and Server 2008 technical support and software updates will no longer be available from Windows Update. There will no longer be updates for Office 2010. Some business users can buy extended security update support with extra money for some time. Python will stop supporting Python version 2 on January 1, 2020. Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. December 2019 Patch Tuesday was the last time Microsoft ever offered security updates for devices running Windows 10 Mobile.
Crypto wars continue: A decades-old debate: Government officials have long argued that encryption makes criminal investigations too hard. Governments all over the world say that Encrypted communication is a huge issue for law enforcement and the balance between the privacy of citizens and effective policing of criminal activity is top of mind for governments, technology companies, citizens and privacy organisations all over the world. The international police organization Interpol plans to condemn the spread of strong encryption. Top law enforcement officials in the United States, United Kingdom and Australia, the larger group will cite difficulties in catching child sexual predators as grounds for companies opening up user communications to authorities wielding court warrants. Congress warns tech companies: Take action on encryption, or we will. US lawmakers are poised to “impose our will” if tech companies don’t weaken encryption so police can access data.
Do not weaken encryption: Companies, they say, should build in special access that law enforcement could use with a court’s permission. Technologists say creating these back doors would weaken digital security for everyone. Unfortunately, every privacy protection mechanism is subject to abuse by the morally challenged. That’s just a truth that must be accepted and overcome. Invading the privacy of the masses in order to catch criminals is unacceptable. Remember three things: One, that strong encryption is necessary for personal and national security. Two, that weakening encryption does more harm than good. And three, law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. If back-doors are added to encryption, they will be abused. If You Think Encryption Back Doors Won’t Be Abused, You May Be a Member of Congress. Bad encryption can have business consequences. Apple and Facebook told the committee that back doors would introduce massive privacy and security threats and would drive users to devices from overseas. In Australia 40% of firms say they have lost sales say they have lost sales or other commercial opportunities as a result of the encryption law being in place.
2FA: The second authentication factor might be a minor inconvenience, but it provides a major security boost. With past years riddled with security breaches, it is high time we evaluated the way we secure our online presence. Two factors are much better than one, but can still be hacked. Attacks that phish 2FA to access email accounts cost $100-$400; such attacks can be prevented with physical security keys. Also some physical security keys can be hacked as they turn to be less secure that what they were told to be in the advertisements.
Myth of sophisticated hacker in news: It’s the latest lexical stretch for an adjective that’s widely used in reports of cybersecurity incidents — and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.
New security models: Google moved from perimeter-based to cloud-native security. Google’s architecture is the inspiration and template for what’s widely known as “cloud-native” today—using microservices and containers to enable workloads to be split into smaller, more manageable units for maintenance and discovery. Google’s cloud-native architecture was developed prioritizing security as part of every evolution.
Hacktivists: Hacktivists seek to obtain private information about large companies in order to embarrass or expose the company’s controversial business practices. Many companies are a treasure trove for personal information, whether they realize it or not. Experian is predicting that the emerging cannabis industry will experience an increase in data breaches and cybersecurity threats in 2020.
RCS messaging: RCS, expanded as Rich Communications Services, is a protocol that aims to replace SMS.RCS messaging has rolled out to Android users in the US. The update brings a lot of new features like chat, send hi-res videos and photos and create group chat. One criticism of RCS is that it doesn’t provide end-to-end encryption. RCS could be also better in many other security aspects. Researchers have discovered that the RCS protocol exposes most users to several cyber attacks. These risks are said to be mitigated by implementing the protocol with the security perspective in mind. The standard itself allows for poor security implementation, but GSMA advises its members to deploy rcs with the most secure settings possible.
Data breaches: Billions of Sensitive Files Exposed Online all the time. During the first six months of 2019, more than 4 billion records were exposed by data breaches. That’s a shocking statistic that’s made even more so when you realize that passwords were included in droves. On December 4, a security researcher discovered a treasure trove of more than a billion plain-text passwords in an unsecured online database. Many businesses wrongly assume they are too small to be on the radar of the threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores. All organizations are exposed to security breaches: from large multinationals to SMEs and public administrations. A common thread is unsecured cloud-based databases that left the sensitive information wide open for anyone to access online.
Phishing: Phishing remains 1 of the most pervasive online threats. Phishing emails are still managing to catch everyone out. Phishing e-mails which are used to steal credentials usually depend on user clicking a link which leads to a phishing website that looks like login page for some valid service. Google Chrome now offers better protection against it as safe Browsing displays warning messages to users ahead of visiting dangerous websites and before downloading harmful applications. New advanced ways to phish are taken to use.With dynamite phishing, the cyber criminals read the email communication from a system already infected with an information stealer. The infected user’s correspondents then receive malicious emails that quote the last “real” email between the two parties and look like a legitimate response from the infected user. Attacks that phish 2FA to access email accounts cost $100-$400; such attacks can be prevented with physical security keys.
Windows: Microsoft Doesn’t Back Up the Windows Registry Anymore. It’s still possible to perform Windows Registry backups, but the option is disabled by default. It’s time to disconnect RDP from the internet as brute-force attacks and BlueKeep exploits usurp convenience of direct RDP connection. Microsoft is ready to push a full-screen warning to Windows 7 users
who are still running the OS after January 14.
Linux: Support for 32 bit i386 architecture will be dropped by many Linux distributions. It turns out that there are essentially no upstream development resources dedicated to x86_32 Linux. Perhaps unsurprisingly, it was badly broken.
Drones: Turkey is getting military drones armed with machine guns. Drone hacking happens. There is now Dronesploit – Metasploit for drones. Metasploit-style CLI framework tailored for tinkering with everybody’s favourite unmanned flying objects.
World market war: China tells government offices to remove all foreign computer equipment. China has ordered the replacement of all foreign PC hardware and operating systems in state offices over the next three years. This will mean that China to ditch all Windows PCs by 2022.China has already some of their own Linux distros like Kylin and Deepin. Many western countries are more or less banning Huawei teleocm equipment.
Cloud security: Traditional security tools and methodologies are ill-suited to protect cloud native’s developer-driven and infrastructure-agnostic multicloud patterns. The vision as laid out by these renown analysts is straightforward. The legacy “data center as the center of the universe” network and network security architecture are obsolete and has become an inhibitor to the needs of digital business. They describe the underpinning shift to cloud infrastructure, a digital transformation that has been underway for ten years. They also point out that the corporate network cannot protect end users who consume cloud applications from any location and any device without the contorting, expensive, backhaul of traffic through the corporate data center. Gartner coins a new term for the future of security and networks, SASE (pronounced sassy), Secure Access Service Edge, which is not anything really new. SASE promises to create a ubiquitous, resilient, and agile secure network service—globally. Most of the stolen data incidents in the cloud are related to simple human errors rather than concerted attacks. Expect that through 2020, 95% of cloud security failures will be the customer’s fault. A common thread is unsecured cloud-based databases that left the sensitive information wide open for anyone to access online. Also it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
Autocracy as a service: Now Any Government Can Buy China’s Tools for Censoring the Internet. “Autocracy as a service” lets countries buy or rent the technology and expertise they need, as they need it. China offers a full-stack of options up and down the layers of the internet, including policies and laws, communications service providers with full internet.
Geopolitics: US-China Tech Divide Could Cause Havoc. It is possible that world’s next major conflict can start in cyberspace. USA has ordered to ban certain hardware from China (Huawei and ZTE). China orders ban on US computers and software. Chinese government to replace foreign hardware and software within three years. Who needs who more?
International cyber politics: Lack of international standards for proper behavior in cyberspace prevents the United States and allies from policing adversaries as they wish to. US can’t ‘enforce standards that don’t exist’. We have international norms in the maritime; we don’t have those in cyber. It makes it difficult to enforce standard that don’t exist, and to therefore hold nations accountable for nefarious behavior. NATO did confirm in 2017 that it could invoke Article 5 of its charter should one or more member nations find themselves under a serious cyberattack that threatens critical military and civilian infrastructure.
Sources:
https://pentestmag.com/iot-security-its-complicated/
https://isc.sans.edu/diary/rss/25580
https://www.securityweek.com/case-cyber-insurance
https://www.securityweek.com/tips-help-mssps-choose-threat-intelligence-partner
https://www.zdnet.com/article/microsoft-we-never-encourage-a-ransomware-victim-to-pay/
https://www.darkreading.com/iot/weak-crypto-practice-undermining-iot-device-security/d/d-id/1336636
https://pacit-tech.co.uk/blog/the-2020-problem/
https://www.theregister.co.uk/2019/12/09/dronesploit_framework/
https://www.securityweek.com/blunt-effect-two-edged-sword-vulnerability-disclosures
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020
https://threatpost.com/email-voted-a-weak-link-for-election-security-with-dmarc-lagging/150909/
https://www.theregister.co.uk/2019/12/04/council_of_eu_5g_risks/
https://techcrunch.com/2019/12/05/major-voting-districts-vulnerable-email-security/
https://cacm.acm.org/magazines/2019/12/241053-hack-for-hire/fulltext
http://read.uberflip.com/i/1180978-siliconexpert-growth-of-counterfeit-electronics-3/0?acctid=6759
https://www.zdnet.com/article/2020-is-when-cybersecurity-gets-even-weirder-so-get-ready/
https://www.theregister.co.uk/2019/12/09/china_orders_ban_on_us_computers_and_software/
https://www.securityweek.com/case-cyber-insurance
https://www.eetimes.eu/ai-will-empower-industry-4-0-when-it-arrives/
https://www.pandasecurity.com/mediacenter/security/2019-the-ransomware-tsunami/
https://blog.paloaltonetworks.com/2019/12/cloud-native-security-platform-age/
https://github.com/dhondta/dronesploit/
https://www.zdnet.com/article/1-in-every-172-active-rsa-certificates-are-vulnerable-to-exploit/
https://nationalcybersecurity.com/hacking-the-biggest-tech-threats-to-2020-elections/
https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/
https://www.eff.org/wp/behind-the-one-way-mirror
https://www.gdatasoftware.com/blog/2019/12/35671-early-detection-and-repulsion-of-dangerous-attacks
https://www.is.fi/digitoday/tietoturva/art-2000006342803.html
https://techcrunch.com/2019/10/30/duality-cybersecurity-16-million/
https://www.wired.com/story/sobering-message-future-ai-party/
https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html?m=1
https://www.zdnet.com/article/google-all-android-users-in-the-us-just-got-rcs-next-gen-sms/
https://www.schneier.com/blog/archives/2019/12/scaring_people_.html
https://lists.ubuntu.com/archives/ubuntu-devel-announce/2019-June/001261.html
https://lwn.net/ml/oss-security/CALCETrW1z0gCLFJz-1Jwj_wcT3+axXkP_wOCxY8JkbSLzV80GA@mail.gmail.com/
https://www.bbc.com/news/amp/world-australia-46463029
https://cyware.com/news/rcs-technology-most-users-are-vulnerable-to-hacking-b53f9a6f
https://hub.packtpub.com/core-python-team-confirms-sunsetting-python-2-on-january-1-2020/
https://www.cnet.com/news/congress-warns-tech-companies-take-action-on-encryption-or-we-will/
https://cyware.com/news/rcs-technology-most-users-are-vulnerable-to-hacking-b53f9a6f
https://edri.org/facial-recognition-and-fundamental-rights-101/
https://techcrunch.com/2019/12/10/insider-threats-startups-protect/
https://uk.pcmag.com/windows-10/121518/microsoft-doesnt-back-up-the-windows-registry-anymore
https://threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/
https://chiefexecutive.net/bridge-cybersecurity-skills-gap/
https://systemagic.co.uk/has-your-business-prepared-for-the-2020-problem/
https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html
https://www.securityweek.com/most-companies-dont-properly-manage-third-party-cyber-risk
https://www.uusiteknologia.fi/2019/11/21/hyoty-panee-jakamaan-tietonsa-luottamus-ratkaisee/
https://pentestmag.com/advice-for-a-cybersecurity-leader-think-like-your-adversary/
https://www.amnesty.org/en/latest/news/2019/11/google-facebook-surveillance-privacy/
https://www.amnesty.org/en/documents/pol30/1404/2019/en/
https://www.securityweek.com/compromised-connection-5g-will-unite-cities-and-also-put-them-risk
https://www.securityweek.com/amnesty-international-calls-facebook-google-rights-abusers
https://www.securityweek.com/microsoft-will-bring-dns-over-https-doh-windows
https://www.securityweek.com/cybersecurity-workforce-gap-145-growth-needed-meet-global-demand
https://www.helpnetsecurity.com/2019/11/19/successful-soc/
https://www.securityweek.com/making-network-first-line-defense
https://techbeacon.com/security/how-prioritize-strategic-risks-affect-critical-infrastructure
https://www.securityweek.com/transitioning-security-driven-networking-strategy
https://www.theregister.co.uk/2019/11/16/5g_iot_report/
https://www.securityweek.com/us-montenegro-plot-cyber-warfare-ahead-2020-elections
https://www.securityweek.com/fears-grow-digital-surveillance-us-survey
https://www.kaspersky.com/blog/attack-on-online-retail/31786/
https://www.securityweek.com/implementing-cyber-best-practices-requires-security-first-approach
https://securelist.com/advanced-threat-predictions-for-2020/95055/
https://www.darkreading.com/cloud/smart-building-security-awareness-grows/d/d-id/1336597
https://www.cisomag.com/the-future-of-ai-in-cybersecurity/
https://www.ibm.com/security/artificial-intelligence
https://www.welivesecurity.com/2019/12/13/2fa-double-down-your-security/
https://cannatechtoday.com/experian-predicts-an-increase-in-global-cannabis-industry-data-breaches/
https://www.uusiteknologia.fi/2019/11/21/f-secure-tutkimaan-tekoalyagentteja/
https://www.securityweek.com/ongoing-research-project-examines-application-ai-cybersecurity
http://www.etn.fi/index.php/13-news/10151-mikko-hypponen-tekoalyn-ei-pida-matkia-ihmista
http://www.etn.fi/index.php/13-news/10124-nixu-selvitti-tekoaly-mullistaa-kyberturvan
http://www.etn.fi/index.php/13-news/10120-kyberturvassa-koneoppiminen-on-uusi-normaali
https://www.is.fi/digitoday/tietoturva/art-2000006316233.html
https://www.cyberscoop.com/apt33-microsoft-iran-ics/
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/
https://www.enisa.europa.eu/news/enisa-news/enisa-draws-threat-landscape-of-5g-networks/
https://systemagic.co.uk/has-your-business-prepared-for-the-2020-problem/
https://smartgrid.ieee.org/newsletters/november-2019/the-cyber-physical-security-of-the-power-grid
https://www.wired.com/story/un-secretary-general-antonio-guterres-internet-risks/
https://codastory.com/authoritarian-tech/russia-facial-recognition-networks/
https://www.theverge.com/2019/12/9/21002515/surveillance-cameras-globally-us-china-amount-citizens
https://www.wired.com/story/iran-internet-shutoff/
https://www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/
https://www.reuters.com/article/us-interpol-encryption-exclusive-idUSKBN1XR0S7
https://www.kcrw.com/news/shows/to-the-point/does-facial-recognition-software-threaten-our-freedom
1,468 Comments
Tomi Engdahl says:
California just passed a major privacy law that will make it harder for Facebook and Google to track people and gather data
https://www.businessinsider.com/prop-24-privacy-california-data-tracking-facebook-google-2020-11
California voters just passed Proposition 24, a ballot measure that expands the state’s existing privacy laws and scales back the amount of data that big tech companies are allowed to collect on people.
The law will make it harder for Facebook and Google to track people’s activity through third parties, which could make much of the tech giants’ advertising business models obsolete, experts told Business Insider.
While Prop 24 is active only in California, it will effectively apply to all of the US because of the state’s huge influence on the tech industry.
Tomi Engdahl says:
Rikoksesta epäillyn kasvot esiin pelkästä DNA-näytteestä – Uusi tekniikka voi mullistaa rikostutkinnan
https://yle.fi/aihe/artikkeli/2020/11/03/rikoksesta-epaillyn-kasvot-esiin-pelkasta-dna-naytteesta-uusi-tekniikka-voi
Tulevaisuudessa poliisin tutkijat pystyvät mahdollisesti jo rikospaikalla analysoimaan DNA-näytteitä ja mallintamaan epäillyn ulkonäön laboratoriossa. Näin tuntomerkit saadaan välitettyä nopeasti eteenpäin. Nykylainsäädäntöä kuitenkin tulkitaan Suomessa niin, ettei poliisi saa tutkia DNA:sta henkilökohtaisia ominaisuuksia.
Tomi Engdahl says:
Data breach at a place such as Stelco could be worth ‘millions,’ cyber security expert says
https://www.thespec.com/news/hamilton-region/2020/11/01/data-breach-at-a-place-such-as-stelco-could-be-worth-millions-cyber-security-expert-says.html
Data stolen from a cyber attack on a large industrial company such as Stelco could be worth millions of dollars to hackers, according to an Oakville-based cyber security expert.
Data breaches could provide hackers with customer lists, employee lists, pricing data, supplier information and contract details that would be valuable for competitors, said Manoj Arora, CEO of Difenda, a cyber security company that deals with mining and manufacturing companies.
“That information is worth millions of dollars when sold to the right buyer,” Arora said.
Tomi Engdahl says:
Mikä on MFA eli Multi-Factor Authentication?
https://www.etevat.fi/blogi/mika-on-mfa-eli-multi-factor-authentication
Tomi Engdahl says:
Warning after 75,000 ‘deleted’ files found on used USB drives
https://www.bbc.com/news/uk-scotland-tayside-central-54779322
Tax returns, contracts and bank statements were among the “deleted” files recovered by Abertay University investigators from used USB drives.
Cybersecurity researchers discovered about 75,000 files after buying 100 of the drives on an internet auction site.
Some USB drives contained files named “passwords” and images with embedded location data.
All but two of the drives appeared empty, but the team said it had been “worryingly easy” to retrieve data.
The researchers used “publicly-available tools” to retrieve the sensitive information.
They said only 32 of the drives had been properly wiped.
Tomi Engdahl says:
https://pentestmag.com/looking-at-active-cyber-threats-with-leakix/
Tomi Engdahl says:
Collection of malware source code for a variety of platforms in an array of different programming languages.
https://github.com/vxunderground/MalwareSourceCode
Tomi Engdahl says:
Investigate Google Accounts with emails.
https://github.com/mxrch/GHunt
Tomi Engdahl says:
“EU: Study demands new ways for Europol to access personal data from private parties…Interestingly, it also highlights that national law enforcement agencies are happy to sidestep legal requirements when requesting personal data from private parties”
EU: Study demands new ways for Europol to access personal data from private parties
https://www.statewatch.org/news/2020/october/eu-study-demands-new-ways-for-europol-to-access-personal-data-from-private-parties/
Current rules are “perceived to be insufficient by both Europol and the OSPs [online service providers].”
Statewatch is publishing the executive summary of a report produced by Milieu Consulting for the European Commission. The study concerns the direct exchange of personal data between Europol and private parties, in particular online service providers.
The study was completed in September this year but has not yet been made public. The executive summary – which is only being made public here – states that it:
“aims to provide a comprehensive overview of the current practice of direct exchanges of personal data between Europol and private parties. The study also provides an overview of how the practice of indirect exchanges of personal data between Europol and private parties works.”
With the Commission planning to publish a proposal to revise Europol’s founding Regulation in the coming months, expanding the agency’s ability to exchange personal data with private parties is a key aim of the Council, the Commission and Europol itself.
More personal data
The study apparently confirms the “growing need for LEAs [law enforcement authorities] to access private data” – which is hardly surprising, given that most of the interviewees appear to have been drawn from law enforcement agencies and home affairs institutions.
Tomi Engdahl says:
Unprecedented, far-reaching EU regulation on preventing terrorist content online endangers freedom of speech and of the media as well as the online community
EU: Unprecedented, far-reaching EU regulation on preventing terrorist content online endangers freedom of speech and of the media as well as the online community
https://www.statewatch.org/news/2020/november/eu-unprecedented-far-reaching-eu-regulation-on-preventing-terrorist-content-online-endangers-freedom-of-speech-and-of-the-media-as-well-as-the-online-community/
Press release from Patrick Breyer MEP (Pirate Party Germany, Greens/European Free Alliance) on the proposed Regulation on preventing the dissemination of terrorist content online. Negotiations between the Council and Parliament are close to being finalised, but many dangerous provisions remain in the text, which is being pushed through in the wake of recent terrorist attacks.
PRESS RELEASE
Brussels, 05/11/2020
Unprecedented, far-reaching EU regulation on preventing terrorist content online endangers freedom of speech and of the media as well as the online community
The EU is set to adopt this unprecedented anti-terror legislation which will heavily impact on everybody operating a website, Internet users, media freedom, freedom of the arts and sciences, and freedom of speech.
- Authorities in all EU Member States (including those with a poor fundamental rights record) will be able to order website operators and service providers to remove allegedly terrorist content within one hour or face penalties. Anti-terror laws have in the past been used by some EU member states against Catalan separatists, social protest, ecologists and immigrants. The timeframe of 1 hour cannot reliably be met by small platforms. Non-commercial or private websites are included in the scope. Small website operators would need to be reachable 24/7 to react to removal orders within 1 hour (even at night). The likely effect is that small websites will be forced to close and be replaced by a Facebook group, where Facebook has to take care of removing content within 1 hour.
- The definition of “terrorist content” is rather vague and open to interpretation.
- Providers could also be obliged to filter content proactively, resulting in overblocking of legal content because algorithms cannot tell propaganda apart from legitimate uses of images/videos e.g. for journalistic purposes.
The European Parliament has already made far-reaching and problematic concessions in the negotiations:
1) Acceptance of the very short 1-hour deadline for removing content after receiving a removal order
2) Acceptance of the voluntary use of the error-prone upload filters by service providers
3) Abandoning the requirement of independence of the competent authorities, even though removals ordered by ministers can be politically motivated
4) Abandoning resistance to cross-border removal orders, meaning that problematic governments such as Hungary’s can order removals of content hosted anywhere in the world
Tomi Engdahl says:
How to Opt Out of the Sites That Sell Your Personal Data
It’s much harder than it should be to get your name off of data broker and people-search sites, but it’s possible.
https://www.wired.com/story/opt-out-data-broker-sites-privacy/?mbid=social_facebook&utm_brand=wired&utm_campaign=falcon&utm_medium=social&utm_social-type=owned&utm_source=facebook
YOUR PERSONAL DATA is valuable to marketers, which is why so many companies have details about you on their books—all of which can be used to target you with advertising, or to find out where you live and work, or even to steal your identity for fraudulent purposes. The good news is that it’s possible to fight back and get yourself delisted from these databases. The bad news? It takes a lot of time and effort.
Still, it’s worth at least giving it a try. These services pull from public records and other online sources to build profiles
Tomi Engdahl says:
If you haven’t downloaded Signal yet, you should. Here’s why: https://wired.trib.al/lRfp5e0
Tomi Engdahl says:
As Trump Threatens Lawsuits In Battleground States, Over 20 Billionaires Have Already Funded Recount Efforts For Both Parties
https://www.forbes.com/sites/denizcam/2020/11/09/as-trump-threatens-lawsuits-in-battleground-states-over-20-billionaires-have-already-funded-recount-efforts-for-both-parties/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Valerie&sh=2d21e10e6fd2
President Donald Trump, who still has not conceded defeat to president-elect Joe Biden, appears to be pursuing multiple legal avenues to challenge the election’s results. On Saturday, shortly after his personal attorney Rudy Giuliani declared in the Four Seasons Total Landscaping parking lot in Pennsylvania that the Trump campaign would sue over that state’s ballot counting process, the campaign also sent out a fundraising email to supporters. It urged them to donate to its recount effort in Wisconsin, where the tally had Trump down by more than 20,000 votes as of Monday morning and the campaign alleged voting “irregularities,” without providing any evidence.
With a 0.6% margin of difference in the vote in Wisconsin, the Trump campaign is within its rights to file for recount, but it will need to foot the bill (the state pays if the margin is below 0.25%). The Wisconsin Elections Commission says it doesn’t have an estimate for recount expenses yet but points out that, in 2016, such efforts cost $2 million. As of June 30, the Republican Party had stashed a little over $29 million in accounts earmarked for recount efforts, while the Democratic Party had raised nearly $24 million, according to the latest report from the Federal Election Commission.
Tomi Engdahl says:
Apple will require apps to add privacy ‘nutrition labels’ starting December 8th
The labels explain what data is collected at a glance
https://www.theverge.com/2020/11/5/21551926/apple-privacy-developers-nutrition-labels-app-store-ios-14
Tomi Engdahl says:
US election security officials reject Trump’s fraud claims
https://www.bbc.com/news/election-us-2020-54926084
US election officials have said the 2020 White House vote was the “most secure in American history”, rejecting President Donald Trump’s fraud claims.
“There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised,” a committee announced.
They spoke out after Mr Trump claimed without proof that 2.7 million votes for him had been “deleted”.
Mr Trump has launched a flurry of legal challenges in key states and levelled unsubstantiated allegations of widespread electoral fraud.
“The November 3rd election was the most secure in American history. Right now, across the country, election officials are reviewing and double checking the entire election process prior to finalizing the result,” the group said.
“While we know there are many unfounded claims and opportunities for misinformation about the process of our elections, we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too,” it added, without naming Mr Trump directly.
The statement was posted to the website of the Cybersecurity and Infrastructure Security Agency (Cisa), which is part of the Department of Homeland Security.
Hours before the statement was released, Mr Trump tweeted that voting software used in 28 states had deleted millions of votes for him, but presented no evidence for the stunning claim, which appeared to originate from the obscure TV network One America News and was flagged by Twitter.
The head of Cisa, Christopher Krebs, has reportedly incurred the White House’s displeasure over a Cisa website called Rumor Control, which debunks election misinformation.
https://www.cisa.gov/news/2020/11/12/joint-statement-elections-infrastructure-government-coordinating-council-election
Tomi Engdahl says:
[Blue Teaming] Detecting known DLL Hijacking and Named PIPE Token Impersonation attacks with Sysmon
https://labs.jumpsec.com/detecting-known-dll-hijacking-and-named-pipe-token-impersonation-attacks-with-sysmon/
Tomi Engdahl says:
Europe is adopting stricter rules on surveillance tech
https://www.technologyreview.com/2020/11/09/1011837/europe-is-adopting-stricter-rules-on-surveillance-tech/
The goal is to make sales of technologies like spyware and facial recognition more transparent in Europe first, and then worldwide.
Tomi Engdahl says:
‘Don’t weaponise the net’ warns former NCSC cyber-chief Ciaran Martin
https://www.bbc.com/news/technology-54903751
In cyber-space, a strong defence should take precedence over arming ourselves with new weapons, the UK’s National Cyber Security Centre (NCSC)’s ex-chief has warned.
Ciaran Martin added that we “weaponise” and “militarise the internet at our peril”.
His remarks follow reports of the use of offensive cyber-techniques by nations, including the UK.
Mr Martin said he was not a digital pacifist, but he urged restraint.
“The case for cyber-restraint is a hard-headed one,” he said in a lecture to the Strand Group, part of King’s College.
“A more secure digital environment is the best guarantor of safety and security for Western countries in the digital age.”
Tomi Engdahl says:
Microsoft urges users to stop using phone-based multi-factor authentication
Microsoft recommends using app-based authenticators and security keys instead.
https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/
Tomi Engdahl says:
https://pentestmag.com/top-cybersecurity-trends-in-2020/
Tomi Engdahl says:
Google warns Google Drive users: Use it, or lose your files
https://mashable.com/article/google-delete-drive-contents-due-to-inactivity/
Google announced a new storage policy Wednesday governing user accounts, and while most of the resulting headlines focused of a new price tag for Google Photos, an important change went mostly overlooked. Notably, going forward, Google says that if you don’t check in on your Google Drive files every now and then, it may delete them.
Google frames this change as a way to tidy up abandoned digital detritus, perhaps left over from long-forgotten accounts. Which, maybe, sure. Or, alternatively, it may be that a Google user simply stored some valuable files away for a while — like one might with physical documents in a fire-proof safe — and simply hasn’t peeked at them in a few years.
Tomi Engdahl says:
Hutera verkko
https://www.veikkaus.fi/fi/x/mita-jos-internet-kaatuisi
Koko ihmiselämä taloudesta terveyteen ja rakkaudesta rikollisuuteen toimii nykyään netin välityksellä, ja koronapandemia on vain kiihdyttänyt kehitystä entisestään. Verkon varaan heittäytymisessä on kuitenkin riskinsä. Internet on hutera rakennelma ja sen valuviat voivat johtaa isoihin ongelmiin, pahimmillaan jopa kuolemiin. X-lehti selvitti, voiko internet kaatua, ja mitä vaaroja nettiriippuvaiseen yhteiskuntaan liittyy.
Verkon jumittuminen voi tappaa. Näin tapahtui syyskuussa 2020, kun kyberrikolliset iskivät kiristyshaittaohjelmalla Düsseldorffin yliopistosairaalan palvelimille. Hakkerit jumittivat sairaalan kriittiset tietojärjestelmät, ja henkilökunta joutui käännyttämään pois hengenvaarallisessa tilassa olleen naispotilaan, joka oltiin tuomassa ambulanssilla tehohoitoon. Nainen kuoli matkalla lähimpään sairaalaan Wuppertaliin.
”Olemme alkaneet luottaa yhä suuremman osan tärkeimmistä toiminnoistamme järjestelmälle, joka on monelta osin haavoittuvainen.”
Tomi Engdahl says:
“Technology is changing much faster than our ability to secure it,” Katie Moussouris, a hacker and a pioneer in vulnerability disclosure, told CyberNews.
Hacker Katie Moussouris: frankly, today’s toys are not very secure
https://cybernews.com/security/hacker-katie-moussouris-frankly-todays-toys-are-not-very-secure/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=katie_moussouris&fbclid=IwAR0wtxkYn–_2zfXnUV6gyrvWDhy4wuZyRrV_LeAHjx0KW_Qx4xd8L-Otvg
“The rule that we have with our customers is no bug bounty botox. We don’t want people doing bug bounty programs if they are not ready,” Katie Moussouris, American computer security researcher, entrepreneur, a pioneer in vulnerability disclosure, and the founder of Luta Security told CyberNews.
Katie is also fighting the misconception that ‘hacker’ means ‘criminal’.
“We, hackers, really love showing off our tricks to other people. So it’s hard to be a criminal if you actually want to tell other people how you did it,” she told CyberNews.
Tomi Engdahl says:
Mysterious Bugs Were Used to Hack iPhones and Android Phones and No One Will Talk About It
https://www.vice.com/en/article/xgzxmk/google-project-zero-bugs-used-to-hack-iphones-and-android-phones
Google found at least seven critical bugs being exploited by hackers in the wild. But after disclosing them days ago, the company has yet to reveal key details about who used them and against whom.
Tomi Engdahl says:
Quantum internet and the future of cybersecurity
https://cybernews.com/security/quantum-internet-and-the-future-of-cybersecurity/
How would a quantum-based internet change the landscape of cybersecurity?
For decades, we have become used to the current state of our internet. We have established norms and common understandings about how things work online. However, our internet is not always the most secure: we fall victim to cyberattacks at an increasingly regular rate, with big payoffs for those criminals who manage to take advantage of lax cybersecurity.
Tomi Engdahl says:
Revealed: How The EU Funds Global iPhone And Facebook Surveillance
https://www.forbes.com/sites/thomasbrewster/2020/11/11/revealed-how-the-eu-funds-global-iphone-and-facebook-surveillance/
Police across the world are getting special training from a little-known European Union agency on how best to snoop on Facebook and Apple iPhones, according to documents obtained by nonprofit Privacy International
Tomi Engdahl says:
EU should withdraw draft resolution that threatens encryption
https://cpj.org/2020/11/eu-should-withdraw-draft-resolution-that-threatens-encryption/
Tomi Engdahl says:
Computer Scientists Achieve ‘Crown Jewel’ of Cryptography
By
ERICA KLARREICH
November 10, 2020
https://www.quantamagazine.org/computer-scientists-achieve-crown-jewel-of-cryptography-20201110/
A cryptographic master tool called indistinguishability obfuscation has for years seemed too good to be true. Three researchers have figured out that it can work.
Tomi Engdahl says:
https://effi.org/avoin-kirje-effilta-sisaministeri-maria-ohisalolle-viestinnan-vahva-salaaminen-on-perusoikeuksien-toteutumisen-edellytys/
Tomi Engdahl says:
Computer Scientists Achieve the ‘Crown Jewel’ of Cryptography
https://www.wired.com/story/computer-scientists-achieve-the-crown-jewel-of-cryptography/?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm
For years, a master tool called indistinguishability obfuscation seemed too good to be true. Three researchers have figured out that it can work.
Computer scientists set forth candidate versions of iO starting in 2013. But the intense excitement these constructions generated gradually fizzled out, as other researchers figured out how to break their security.
Now, Jain—together with Huijia Lin of the University of Washington and Amit Sahai, Jain’s adviser at UCLA—has planted a flag for the makers. In a paper posted online on August 18, the three researchers show for the first time how to build indistinguishability obfuscation using only “standard” security assumptions.
All cryptographic protocols rest on assumptions—some, such as the famous RSA algorithm, depend on the widely held belief that standard computers will never be able to quickly factor the product of two large prime numbers. A cryptographic protocol is only as secure as its assumptions, and previous attempts at iO were built on untested and ultimately shaky foundations. The new protocol, by contrast, depends on security assumptions that have been widely used and studied in the past.
“Barring a really surprising development, these assumptions will stand,”
The new result should definitively silence the iO skeptics, Ishai said. “Now there will no longer be any doubts about the existence of indistinguishability obfuscation,” he said. “It seems like a happy end.”
The Crown Jewel
For decades, computer scientists wondered if there is any secure, all-encompassing way to obfuscate computer programs, allowing people to use them without figuring out their internal secrets. Program obfuscation would enable a host of useful applications
On the face of it, iO doesn’t seem like an especially useful concept. Instead of requiring that a program’s secrets be hidden, it simply requires that the program be obfuscated enough that if you have two different programs that perform the same task, you can’t distinguish which obfuscated version came from which original version.
But iO is stronger than it sounds.
as long as there is some program out there that could perform the same task while keeping your password hidden—an indistinguishability obfuscator will be strong enough to successfully mask the password.
Cryptology ePrint Archive: Report 2020/1003
Indistinguishability Obfuscation from Well-Founded Assumptions
https://eprint.iacr.org/2020/1003
Tomi Engdahl says:
Employee Surveillance Software Demand Increase By 108%: Webcam Access, Click Tracking For WFH Staff
https://trak.in/tags/business/2020/11/20/employee-surveillance-software-demand-increase-by-108-webcam-access-click-tracking-for-wfh-staff/
As per a new study, employers have started using employee surveillance software to keep a track of their employees’ activities while they work from their homes.
The use of such surveillance software has gone up by 55% in June 2020 as compared to the time before the COVID-19 pandemic.
Tomi Engdahl says:
Breakthrough in terahertz remote sensing: Unique THz ‘fingerprints’ will identify hidden explosives from a distance
https://www.sciencedaily.com/releases/2010/07/100711155911.htm
Tomi Engdahl says:
How Banking Sector is Using Cyber Security to Protect Your Data
https://pentestmag.com/how-banking-sector-is-using-cyber-security-to-protect-your-data/
Tomi Engdahl says:
Securing Endpoints in 2020: Proactive Security with XDR
https://pentestmag.com/securing-endpoints-in-2020-proactive-security-with-xdr/
What is XDR?
In the past, endpoints were the preferred entry point for attackers. As attacks increase in number and complexity, organizations must go beyond antivirus software to protect their endpoints. Endpoint Detection and Response (EDR), is a viable solution to this problem. EDRs deploy endpoint agents to monitor, collect, and send data to the cloud to enable threat detection and mitigation.
The EDR method is simple and effective. However, if you need to log and analyze data collected from thousands of endpoints to isolate malicious behavior, the effort can be overwhelming.
EDR solutions are an essential part of corporate security and have helped improve corporate security systems.
Extended detection and response (XDR) is a comprehensive solution that extends EDR through better context and data from many more enterprise systems. The X in XDR represents more data sources, enabling better detection and response. XDR provides a holistic view of the network and provides insight into endpoints together with network security data. Analyzing this data together provides a bigger picture of security incidents, enabling security analysts to conduct investigations more effectively.
XDR solutions provide microsegmentation at the infrastructure, application, and user levels, and security and access control policies can be implemented across multiple data centers, including cloud providers. This significantly reduces the attack surface and prevents lateral movement of threats between applications and environments.
Tomi Engdahl says:
Microsoft teams with chip makers on new super secure processor
https://techxplore.com/news/2020-11-microsoft-teams-chip-makers-super.html
Partnering with chip manufacturing giants Intel, AMD and Qualcomm, Microsoft says a new security component, Pluton, will be constructed directly into the CPU instead of residing on its own in the current Trusted Platform Module. The TPM has long been used to store hardware and cryptographic keys.
The technology is based upon a security approach that Microsoft launched nearly a decade ago in Xbox gaming consoles. The popular gaming system is a rare example of popular product that has been extraordinarily successful in fending off hackers. The same principles were applied to Microsoft’s internet-of-things service Azure Sphere, which along with Xbox helped the company refine its defense line against intruders.
Tomi Engdahl says:
Why ransomware is still so successful: Over a quarter of victims pay the ransom
https://www.zdnet.com/article/why-ransomware-is-still-so-successful-over-a-quarter-of-victims-pay-the-ransom/
Organisations are paying an average of $1m to cyber criminals to restore their networks after falling victim to ransomware.
Tomi Engdahl says:
Microsoft Defender for Linux adds new security feature
https://www.zdnet.com/article/microsoft-defender-for-linux-adds-new-security-feature/
Microsoft’s server-based Linux protection program is now offering a public preview of improved endpoint detection and response features.
Tomi Engdahl says:
Majority of APAC firms pay up in ransomware attacks
https://www.zdnet.com/article/majority-of-apac-firms-pay-up-in-ransomware-attacks/
Despite expert advice against paying up, most victims of ransomware attacks in the region, including 88% in Australia and 78% in Singapore, have paid the ransom in full or in part, and the number of such attacks is only going to keep climbing amidst accelerated digital transformation efforts and remote work.
Tomi Engdahl says:
Trump Fires Cybersecurity Chief Who Debunked Unfounded Voter Fraud Allegations
https://www.forbes.com/sites/rachelsandler/2020/11/17/trump-fires-cybersecurity-chief-who-debunked-unfounded-voter-fraud-allegations/
Tomi Engdahl says:
WireGuard for Windows 0.3.1 is the release you’ve been waiting for
https://arstechnica.com/gadgets/2020/11/wireguard-for-windows-0-3-1-is-the-release-youve-been-waiting-for/
Tomi Engdahl says:
https://pentestmag.com/increasing-your-security-posture/
Increasing your security posture in an enterprise environment begins with identifying and closing visibility gaps. The following steps will help your team understand adversary techniques and methods to defend against them.
Increasing your Security Posture requires understanding the Attack & Exploitation Lifecycle adversaries use to attack your network.
Tomi Engdahl says:
CyberAlarm: An independent security review… and why you should avoid it.
https://paul.reviews/cyberalarm-an-independent-security-review-and-why-you-should-avoid-it/
Police CyberAlarm helps small businesses, charities, academia and local authorities get upp-to-date knowledge of cyber attack types and trends which is an absolute key to having a robust defence.
Their installation guide suggests running it inside a DMZ (de-militarized zone, an isolated segment from other network assets) or “on your internal network”.
For many firms, especially SME, the concept of running a DMZ is alien; with many network assets all joined together with no logical/physical segmentation whatsoever. This is crucial, as isolating potentially dangerous assets (IoT, BYOD devices etc) from your core infrastructure is vital to help prevent attacks travelling across your network.
Unfortunately, it’s likely to be those smaller SMEs without a DMZ who deploy CyberAlarm; in the mistaken belief it’s a safe & secure way to mitigate cyber threats.
If you’re going to run anything on your internal network, you must be able to ensure the product is reasonably secure. Faith-based security rarely ends well, so let’s dive in.
Disable SELinux?!
SELinux or “Security-Enhanced Linux” is a mandatory access control (MAC), a vital security tool built into CentOS (based on RedHat Linux). It’s designed to protect system administrators from themselves; enforcing strict security policies and ensuring isolation between processes. If it’s disabled, poorly-configured or malicious apps/services have root access (aka – total control) over the device.
NCSC quite rightly state “rooted/jailbroken devices are a threat to sensitive data” (https://www.ncsc.gov.uk/guidance/application-development-guidance-introduction), but NPCC are actively pushing a product which requires you to effectively root your device!
If you take NCSC’s advice (and you really should!), this alone is a deal-breaker. The only reason you’d disable a vital security control is because you’re too idle/inept to overcome the issue which prompted you to disable it in the first place.
Opening Pandora’s box…
There’s a lot to get through, so I’ll summarise as much as possible.
PHP 5.4 was end of life in September 2015. No more security patches or updates, it’s dead and should never be used in a production app.
Remote Network Access via RCE
This one beggars belief. The app has a file called “getmon.php” which literally serves as an RCE (remote command execution) endpoint.
we use the SMB protocol to connect to another PC inside the network and grab sensitive data from it.
If you have sensitive data, trade secrets or anything else important on your network, it’s now remotely accessible to anyone, anywhere when you view a web page. We haven’t placed anything on the network/virtual machine to achieve this either… the attacker is just carrying out commands as if they’re sat inside your network.
Let me be really clear about this. This vulnerability allows a remote attacker to entirely bypass your firewall and exfiltrate any data accessible over your network; you only need to visit a vulnerable web page once.
Cross Site Scripting
Looking through the code, there’s no attempt to sanitize (or make safe) any user inputs, so an attacker can remotely inject malicious code into any page on the box.
TLS certificate expiry
It should go without saying, but if your security certificate expires, it’s no longer secure.
Broken Encryption
The strongest of door locks is rendered insecure if you leave the key somewhere vulnerable. The same applies in cryptography. It’s absolutely vital to generate a cryptographically random key and handle it securely.
Sadly, CyberAlarm does neither.
The “key” is static and hard-coded: “P3rv4d3S0ftw4r3″
Reading between the character substitution, you’ll see “Pervade Software” – the developers behind CyberAlarm.
Broken Encryption – Part Deux
One sure-fire way to ensure your product is entirely insecure is to disable all security checks on your certificate, which of course, CyberAlarm does.
This means all updates are insecure – allowing an attacker to put anything on the device remotely.
Embedding server passwords in code!
Seriously.
When the app needs to grab a list of “jobs” or tasks to carry out locally, it logs in with a password of “3jscove”.
In light of all these failings, I notified Leicestershire Police and awaited their response.
When it came, I was stunned.
The link I’d “found” (from their installation guide) was a 2yr old “test” version never intended for public use! Great, it’s 2 years old… now your dependencies are only 3 years out of date instead
The “actual” live version…
Following my criticisms over the “old” version, I was given an access code to allow me to download the “live” one.
Suffice to say, little has changed.
The code is still woefully insecure, as is the implementation of several core features and in all honesty, I just haven’t the time nor motivation to explain why disabling security controls is a bad idea. Sorry Jon.
Obscurity hides a thousand sins…
Tomi Engdahl says:
Obsolete provisions of aging UK legislation risk criminalizing pen testers
https://portswigger.net/daily-swig/computer-misuse-act-most-uk-cybersecurity-pros-fear-breaking-the-law-by-simply-doing-their-jobs
Tomi Engdahl says:
Cross-site Scripting via WHOIS and DNS Records
https://medium.com/tenable-techblog/cross-site-scripting-via-whois-and-dns-records-a25c33667fff
Tomi Engdahl says:
Threats to Digital Identity from Within
https://pentestmag.com/threats-to-digital-identity-from-within/
Expectations appear to be rising for blockchain technologies that support the schemes of ‘Self-Sovereign Identity’ and ‘Bring Your Own Identity’.
The blockchain is often compared to an unbreakable vault. Obviously a good vault needs not only a tough gate panel but a reliable lock system.
Tomi Engdahl says:
Computer Misuse Act: Most UK cybersecurity pros fear breaking the law by simply doing their jobs
https://portswigger.net/daily-swig/computer-misuse-act-most-uk-cybersecurity-pros-fear-breaking-the-law-by-simply-doing-their-jobs
Tomi Engdahl says:
Making sure your trade secrets are safe in our new, distributed normal
https://cybernews.com/security/making-sure-your-trade-secrets-are-safe-in-our-new-distributed-normal/
The widespread transition to remote working during the Covid-19 pandemic has been well documented, as has the change this situation forces upon us in terms of our cybersecurity. Physical meetings have moved online, with this decentralization resulting in an acceptance of cloud-based technologies that is unprecedented. Indeed, many organizations are actively exploring how to migrate many of their physical operations online.
For tech-savvy companies, this transition has been pretty straightforward, if indeed it hadn’t already happened prior to the pandemic. More traditional companies have been somewhat slower, however, and the extreme time pressures placed upon people has caused information security to take a back seat. And the threats aren’t merely restricted to customer data.
Tomi Engdahl says:
Overview of OSINT use for KYC/AML and Crime Investigations
https://pentestmag.com/overview-of-osint-use-for-kyc-aml-and-crime-investigations/
Tomi Engdahl says:
https://pentestmag.com/iot-security-its-complicated/
Tomi Engdahl says:
Open-source AI enhances IoT device security
https://www.edn.com/open-source-ai-enhances-iot-device-security/
One major challenge to cyber-security in Internet of Things (IoT) devices is the constantly evolving nature of threats. New vulnerabilities are continually being found and exploited and new methods of attack are evolving, turning IoT security into an ongoing battle for developers. Now, however, an emerging approach to IoT security using artificial intelligence (AI) promises to provide protection against both known and new, unknown threats.